Merge pull request #26225 from qdeslandes/fix_delegate_cgroup_logs_filtering

Fix delegate cgroup logs filtering
author: Luca Boccassi <bluca@debian.org> 2023-02-08 19:36:21 +0000
committer: GitHub <noreply@github.com> 2023-02-08 19:36:21 +0000
commit: 777440f11092eef6009476a3aefe3bf835423126 (patch)
tree: 6be2cf7d32042844f2382615c7fdd68f6eebeaa8
parent: 667578bb119cd4a9148ce8502fd428079cea874d (diff)
parent: 41b7fcc5e8a66709ad5d6c7cdba1375539f7693d (diff)
download: systemd-777440f11092eef6009476a3aefe3bf835423126.tar.gz
8 files changed, 97 insertions, 5 deletions
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index a8e4a1bb2d..feda596939 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -1198,6 +1198,28 @@ int cg_path_get_unit(const char *path, char **ret) {
         return 0;
 }
 
+int cg_path_get_unit_path(const char *path, char **ret) {
+        _cleanup_free_ char *path_copy = NULL;
+        char *unit_name;
+
+        assert(path);
+        assert(ret);
+
+        path_copy = strdup(path);
+        if (!path_copy)
+                return -ENOMEM;
+
+        unit_name = (char *)skip_slices(path_copy);
+        unit_name[strcspn(unit_name, "/")] = 0;
+
+        if (!unit_name_is_valid(cg_unescape(unit_name), UNIT_NAME_PLAIN|UNIT_NAME_INSTANCE))
+                return -ENXIO;
+
+        *ret = TAKE_PTR(path_copy);
+
+        return 0;
+}
+
 int cg_pid_get_unit(pid_t pid, char **unit) {
         _cleanup_free_ char *cgroup = NULL;
         int r;
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index c9aae5abf6..b69f1683db 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -261,6 +261,7 @@ int cg_path_get_cgroupid(const char *path, uint64_t *ret);
 int cg_path_get_session(const char *path, char **session);
 int cg_path_get_owner_uid(const char *path, uid_t *uid);
 int cg_path_get_unit(const char *path, char **unit);
+int cg_path_get_unit_path(const char *path, char **unit);
 int cg_path_get_user_unit(const char *path, char **unit);
 int cg_path_get_machine_name(const char *path, char **machine);
 int cg_path_get_slice(const char *path, char **slice);
diff --git a/src/journal/journald-client.c b/src/journal/journald-client.c
index 22090aa93c..5aedf4e5b6 100644
--- a/src/journal/journald-client.c
+++ b/src/journal/journald-client.c
@@ -46,16 +46,20 @@ static int client_parse_log_filter_nulstr(const char *nulstr, size_t len, Set **
 
 int client_context_read_log_filter_patterns(ClientContext *c, const char *cgroup) {
         char *deny_list_xattr, *xattr_end;
-        _cleanup_free_ char *xattr = NULL;
+        _cleanup_free_ char *xattr = NULL, *unit_cgroup = NULL;
         _cleanup_set_free_ Set *allow_list = NULL, *deny_list = NULL;
         int r;
 
         assert(c);
 
-        r = cg_get_xattr_malloc(SYSTEMD_CGROUP_CONTROLLER, cgroup, "user.journald_log_filter_patterns", &xattr);
+        r = cg_path_get_unit_path(cgroup, &unit_cgroup);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to get the unit's cgroup path for %s: %m", cgroup);
+
+        r = cg_get_xattr_malloc(SYSTEMD_CGROUP_CONTROLLER, unit_cgroup, "user.journald_log_filter_patterns", &xattr);
         if (r < 0) {
                 if (!ERRNO_IS_XATTR_ABSENT(r))
-                        return log_debug_errno(r, "Failed to get user.journald_log_filter_patterns xattr for %s: %m", cgroup);
+                        return log_debug_errno(r, "Failed to get user.journald_log_filter_patterns xattr for %s: %m", unit_cgroup);
 
                 client_set_filtering_patterns(c, NULL, NULL);
                 return 0;
diff --git a/src/test/test-cgroup-util.c b/src/test/test-cgroup-util.c
index 0b286ed8e4..cdf911926c 100644
--- a/src/test/test-cgroup-util.c
+++ b/src/test/test-cgroup-util.c
@@ -63,6 +63,33 @@ TEST(path_get_unit) {
         check_p_g_u("/user.slice/user-1000.slice/user@.service/server.service", -ENXIO, NULL);
 }
 
+static void check_p_g_u_p(const char *path, int code, const char *result) {
+        _cleanup_free_ char *unit_path = NULL;
+        int r;
+
+        r = cg_path_get_unit_path(path, &unit_path);
+        printf("%s: %s → %s %d expected %s %d\n", __func__, path, unit_path, r, strnull(result), code);
+        assert_se(r == code);
+        assert_se(streq_ptr(unit_path, result));
+}
+
+TEST(path_get_unit_path) {
+        check_p_g_u_p("/system.slice/foobar.service/sdfdsaf", 0, "/system.slice/foobar.service");
+        check_p_g_u_p("/system.slice/getty@tty5.service", 0, "/system.slice/getty@tty5.service");
+        check_p_g_u_p("/system.slice/getty@tty5.service/aaa/bbb", 0, "/system.slice/getty@tty5.service");
+        check_p_g_u_p("/system.slice/getty@tty5.service/", 0, "/system.slice/getty@tty5.service");
+        check_p_g_u_p("/system.slice/getty@tty6.service/tty5", 0, "/system.slice/getty@tty6.service");
+        check_p_g_u_p("sadfdsafsda", -ENXIO, NULL);
+        check_p_g_u_p("/system.slice/getty####@tty6.service/xxx", -ENXIO, NULL);
+        check_p_g_u_p("/system.slice/system-waldo.slice/foobar.service/sdfdsaf", 0, "/system.slice/system-waldo.slice/foobar.service");
+        check_p_g_u_p("/system.slice/system-waldo.slice/_cpu.service/sdfdsaf", 0, "/system.slice/system-waldo.slice/_cpu.service");
+        check_p_g_u_p("/system.slice/system-waldo.slice/_cpu.service", 0, "/system.slice/system-waldo.slice/_cpu.service");
+        check_p_g_u_p("/user.slice/user-1000.slice/user@1000.service/server.service", 0, "/user.slice/user-1000.slice/user@1000.service");
+        check_p_g_u_p("/user.slice/user-1000.slice/user@.service/server.service", -ENXIO, NULL);
+        check_p_g_u_p("/user.slice/_user-1000.slice/user@1000.service/foobar.slice/foobar@pie.service", 0, "/user.slice/_user-1000.slice/user@1000.service");
+        check_p_g_u_p("/_session-2.scope/_foobar@pie.service/pa/po", 0, "/_session-2.scope");
+}
+
 static void check_p_g_u_u(const char *path, int code, const char *result) {
         _cleanup_free_ char *unit = NULL;
         int r;
diff --git a/test/testsuite-04.units/delegated-cgroup-filtering.service b/test/testsuite-04.units/delegated-cgroup-filtering.service
new file mode 100644
index 0000000000..2c4201a27b
--- /dev/null
+++ b/test/testsuite-04.units/delegated-cgroup-filtering.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test service for delegated logs filtering
+
+[Service]
+Type=simple
+ExecStart=/usr/lib/systemd/tests/testdata/units/delegated_cgroup_filtering_payload.sh
+Delegate=yes
+SyslogLevel=notice
diff --git a/test/units/delegated_cgroup_filtering_payload.sh b/test/units/delegated_cgroup_filtering_payload.sh
new file mode 100755
index 0000000000..50d01a5d4a
--- /dev/null
+++ b/test/units/delegated_cgroup_filtering_payload.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+mkdir /sys/fs/cgroup/system.slice/delegated-cgroup-filtering.service/the_child
+/bin/sh /usr/lib/systemd/tests/testdata/units/delegated_cgroup_filtering_payload_child.sh &
+
+while true
+do
+	echo "parent_process: hello, world!"
+	echo "parent_process: hello, people!"
+    sleep .15
+done
diff --git a/test/units/delegated_cgroup_filtering_payload_child.sh b/test/units/delegated_cgroup_filtering_payload_child.sh
new file mode 100755
index 0000000000..b5635b58e5
--- /dev/null
+++ b/test/units/delegated_cgroup_filtering_payload_child.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+echo $$ >/sys/fs/cgroup/system.slice/delegated-cgroup-filtering.service/the_child/cgroup.procs
+
+while true
+do
+	echo "child_process: hello, world!"
+	echo "child_process: hello, people!"
+    sleep .15
+done
diff --git a/test/units/testsuite-04.sh b/test/units/testsuite-04.sh
index d10a9afbf7..bab2bdc24e 100755
--- a/test/units/testsuite-04.sh
+++ b/test/units/testsuite-04.sh
@@ -185,8 +185,8 @@ function add_logs_filtering_override() {
     LOG_FILTER=${3:-""}
 
     mkdir -p /etc/systemd/system/"$UNIT".d/
-    echo "[Service]" >/etc/systemd/system/logs-filtering.service.d/"${OVERRIDE_NAME}".conf
-    echo "LogFilterPatterns=$LOG_FILTER" >>/etc/systemd/system/logs-filtering.service.d/"${OVERRIDE_NAME}".conf
+    echo "[Service]" >/etc/systemd/system/"$UNIT".d/"${OVERRIDE_NAME}".conf
+    echo "LogFilterPatterns=$LOG_FILTER" >>/etc/systemd/system/"$UNIT".d/"${OVERRIDE_NAME}".conf
     systemctl daemon-reload
 }
 
@@ -256,7 +256,14 @@ if is_xattr_supported; then
     add_logs_filtering_override "logs-filtering.service" "10-allow-with-escape-char" "\x7emore~"
     [[ -n $(run_service_and_fetch_logs "logs-filtering.service") ]]
 
+    add_logs_filtering_override "delegated-cgroup-filtering.service" "00-allow-all" ".*"
+    [[ -n $(run_service_and_fetch_logs "delegated-cgroup-filtering.service") ]]
+
+    add_logs_filtering_override "delegated-cgroup-filtering.service" "01-discard-hello" "~hello"
+    [[ -z $(run_service_and_fetch_logs "delegated-cgroup-filtering.service") ]]
+
     rm -rf /etc/systemd/system/logs-filtering.service.d
+    rm -rf /etc/systemd/system/delegated-cgroup-filtering.service.d
 fi
 
 touch /testok
author	Luca Boccassi <bluca@debian.org>	2023-02-08 19:36:21 +0000
committer	GitHub <noreply@github.com>	2023-02-08 19:36:21 +0000
commit	777440f11092eef6009476a3aefe3bf835423126 (patch)
tree	6be2cf7d32042844f2382615c7fdd68f6eebeaa8
parent	667578bb119cd4a9148ce8502fd428079cea874d (diff)
parent	41b7fcc5e8a66709ad5d6c7cdba1375539f7693d (diff)
download	systemd-777440f11092eef6009476a3aefe3bf835423126.tar.gz