3 * Copyright (c) 2012-2020 Samsung Electronics Co., Ltd
5 * Permission is hereby granted, free of charge, to any person obtaining a copy
6 * of this software and associated documentation files (the "Software"), to deal
7 * in the Software without restriction, including without limitation the rights
8 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 * copies of the Software, and to permit persons to whom the Software is furnished
10 * to do so, subject to the following conditions:
12 * The above copyright notice and this permission notice shall be included in all
13 * copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 #include "deduplicate.h"
39 #include <dynamic_config.h>
41 #include <logcommon.h>
42 #include "logconfig.h"
43 #include "loglimiter.h"
45 #define DEFAULT_CONFIG_LIMITER false
46 #define DEFAULT_CONFIG_PLOG true
47 #define DEFAULT_CONFIG_DEBUGMODE 0
48 #define DEFAULT_CONFIG_LIMITER_APPLY_TO_ALL_BUFFERS 0
51 * @brief Points to a function which writes a log message
52 * @details The function pointed to depends on the backend used
53 * @param[in] log_id ID of the buffer to log to. Belongs to (LOG_ID_INVALID, LOG_ID_MAX) non-inclusive
54 * @param[in] prio Priority of the message.
55 * @param[in] tag The message tag, identifies the sender.
56 * @param[in] msg The contents of the message.
57 * @return Returns the number of bytes written on success and a negative error value on error.
58 * @see __dlog_init_backend
60 int (*write_to_log)(log_id_t log_id, log_priority prio, const char *tag, const char *msg, struct timespec *tp_mono) = NULL;
61 void (*destroy_backend)(void);
63 int (*stash_failed_log)(log_id_t log_id, log_priority prio, const char *tag, const char *msg) = NULL;
65 static int stash_critical(log_id_t log_id, log_priority prio, const char *tag, const char *msg);
68 pthread_rwlock_t log_limiter_lock = PTHREAD_RWLOCK_INITIALIZER;
69 static pthread_mutex_t log_construction_lock = PTHREAD_MUTEX_INITIALIZER;
70 static bool is_initialized = false;
72 extern void __dlog_init_pipe(const struct log_config *conf);
73 extern void __dlog_init_android(const struct log_config *conf);
76 static bool dynamic_config;
77 static bool plog[LOG_ID_MAX];
78 static bool plog_default_values[LOG_ID_MAX];
79 static bool enable_secure_logs = true;
80 static bool enable_critical = true;
83 static int fatal_assert;
84 static int limiter_apply_to_all_buffers;
85 static _Atomic log_priority priority_filter_level = DLOG_VERBOSE;
87 static void __configure_limiter(struct log_config *config)
94 limiter = __log_limiter_create(config);
97 static int __configure_backend(struct log_config *config)
101 const char *const backend = log_config_get(config, "backend");
105 if (!strcmp(backend, "pipe"))
106 __dlog_init_pipe(config);
107 else if (!strcmp(backend, "logger"))
108 __dlog_init_android(config);
115 static void __set_plog_default_values(void)
117 for (size_t i = 0; i < NELEMS(plog); ++i)
118 plog_default_values[i] = plog[i];
121 static void __initialize_plog(const struct log_config *config)
125 const bool plog_default = log_config_get_boolean(config, "plog", DEFAULT_CONFIG_PLOG);
126 for (size_t i = 0; i < NELEMS(plog); ++i)
127 plog[i] = plog_default;
128 plog[LOG_ID_APPS] = true; // the default does not apply here for backward compatibility reasons.
129 __set_plog_default_values();
132 static void __configure_parameters(struct log_config *config)
136 __initialize_plog(config);
137 __update_plog(config);
138 __set_plog_default_values();
140 enable_secure_logs = log_config_get_boolean(config, "enable_secure_logs", enable_secure_logs);
141 enable_critical = log_config_get_boolean(config, "enable_critical", enable_critical);
142 debugmode = log_config_get_int(config, "debugmode", DEFAULT_CONFIG_DEBUGMODE);
143 fatal_assert = access(DEBUGMODE_FILE, F_OK) != -1;
144 limiter = log_config_get_boolean(config, "limiter", DEFAULT_CONFIG_LIMITER);
145 limiter_apply_to_all_buffers = log_config_get_int(config,
146 "limiter_apply_to_all_buffers",
147 DEFAULT_CONFIG_LIMITER_APPLY_TO_ALL_BUFFERS);
149 const char *stash_failed_log_method = log_config_get(config, "stash_failed_log_method");
150 if (stash_failed_log_method) {
152 if (strcmp(stash_failed_log_method, "critical") == 0)
153 stash_failed_log = stash_critical;
158 void __update_plog(const struct log_config *conf)
162 for (size_t i = 0; i < NELEMS(plog); ++i) {
163 char key[MAX_CONF_KEY_LEN];
164 const int r = snprintf(key, sizeof key, "enable_%s", log_name_by_id((log_id_t)i));
167 plog[i] = log_config_get_boolean(conf, key, plog_default_values[i]);
172 * @brief Configure the library
173 * @details Reads relevant config values
174 * @remarks This is more or less a constructor, but there are some obstacles
175 * to using it as such (i.e. with attribute constructor):
177 * - some important pieces of the system link to dlog, they start very early
178 * such that dlog can't properly initialize (which lasts for program lifetime)
179 * but don't actually log anything until later on and would be fine under lazy
180 * initialisation. The way to do it "properly" would be to expose this function
181 * into the API so that people can manually call it when they're ready, but
182 * one of the design goals of the current API is that it requires absolutely no
183 * other calls than `dlog_print`. Changing it would require somebody with a
184 * bird's eye view of the system to produce a design so I wouldn't count on it.
186 * - the constructor would need to have as high of a priority as possible (so as
187 * to minimize the risk of another library's constructor using uninitialized data)
188 * but at the same time others might want some room to wrap functions before
189 * dlog uses them (think mprobe/mcheck). This would also require a design pass.
194 bool __configure(void)
196 __attribute__((cleanup(log_config_free))) struct log_config config;
198 if (log_config_read(&config) < 0)
201 dynamic_config = __dynamic_config_create(&config);
203 __configure_parameters(&config);
205 if (!__configure_backend(&config)) {
206 __dynamic_config_destroy();
207 dynamic_config = false;
211 __configure_deduplicate(&config);
212 __configure_limiter(&config);
216 static void __attribute__((constructor(101))) __install_pipe_handler(void)
218 /* We mask SIGPIPE signal because most applications do not install their
219 * own SIGPIPE handler. Default behaviour in SIGPIPE case is to abort the
220 * process. SIGPIPE occurs when e.g. dlog daemon closes read pipe endpoint.
222 * We do this in the library constructor (at maximum priority) and not
223 * during regular (lazy) initialisation so as to prevent overwriting the
224 * program's actual signal handler, if it has one.
226 * In theory this is not required for the Android logger backend; however,
227 * this early we don't yet know the backend and also it is good to behave
228 * consistently in this regard anyway.
230 * We don't revert this in a destructor because Unix signals are bonkers
231 * and we have no way to do this cleanly. Most libdlog users don't use
232 * runtime linking so this would mostly done at program exit either way. */
233 signal(SIGPIPE, SIG_IGN);
236 static void __attribute__((constructor(102))) __set_output_buffering(void)
238 /* If stdout and/or stderr is redirected to dlog (service, driver)
239 * it is best if we buffer lines, otherwise the following can happen:
240 * - no buffering: service/driver recives every single byte (precisely
241 * every single write*(2) call), causing it to either buffer the data
242 * anyway (service), or print logs at random places (driver)
243 * - full buffering: service/driver receives several hundred lines,
244 * which results in one giant entry being added (driver) or long delays
245 * before logs appear (service) */
246 if (getenv(DLOG_ENV_STDOUT_LINE_BUFFERED))
249 if (getenv(DLOG_ENV_STDERR_LINE_BUFFERED))
253 static bool first = true;
254 static bool initialize(void)
259 /* The mutex acts as a barrier, but otherwise the C language's
260 * machine abstraction is single-threaded. This means that the
261 * compiler is free to rearrange calls inside the mutex according
262 * to the as-if rule because it doesn't care if another thread can
263 * access it in parallel. In particular, `is_initialized = true`
264 * directly after `__configure()` could be rearranged to go in
265 * front of it because it is not touched inside that function
266 * if the compiler thinks it helps somehow (not unlikely: since
267 * it is checked before the mutex, it is very probable for it to
268 * still be in the CPU register or something like that). On top
269 * of that, some architectures (in particular, armv7l) don't have
270 * strict memory guarantees and can reorder actual memory stores
271 * on their own, even if the compiler didn't do anything fancy
272 * when creating machine code. For more info about the issue,
273 * see https://www.aristeia.com/Papers/DDJ_Jul_Aug_2004_revised.pdf
275 * Ultimately this means that there needs to be some sort of
276 * barrier between `__configure` and `is_initialized = true`,
277 * and the simplest way to achieve that is to just wait until
278 * the second entry into the mutex. */
281 pthread_mutex_lock(&log_construction_lock);
283 first = !__configure();
285 is_initialized = true;
287 pthread_mutex_unlock(&log_construction_lock);
292 * @brief Fatal assertion
293 * @details Conditionally crash the sucka who sent the log
294 * @param[in] prio Priority of the log
296 static void __dlog_fatal_assert(int prio)
298 assert(!fatal_assert || (prio != DLOG_FATAL));
302 * @brief Check log validity
303 * @details Checks whether the log is valid and eligible for printing
304 * @param[in] log_id The target buffer ID
305 * @param[in] prio The log's priority
306 * @param[in] tag The log's tag
307 * @return DLOG_ERROR_NONE on success, else an error code.
308 * @retval DLOG_ERROR_INVALID_PARAMETER Invalid parameter
310 static int dlog_check_validity(log_id_t log_id, int prio, const char *tag)
314 return DLOG_ERROR_INVALID_PARAMETER;
316 if (log_id <= LOG_ID_INVALID || LOG_ID_MAX <= log_id)
317 return DLOG_ERROR_INVALID_PARAMETER;
319 return DLOG_ERROR_NONE;
323 * @brief Check log against limiter rules
324 * @details Checks whether the log passes current limiter rules
325 * @param[in] log_id The target buffer ID
326 * @param[in] prio The log's priority
327 * @param[in] tag The log's tag
328 * @return DLOG_ERROR_NONE on success, else an error code.
329 * @retval DLOG_ERROR_NOT_PERMITTED Not permitted
331 static int dlog_check_limiter(log_id_t log_id, int prio, const char *tag)
333 if (!debugmode && prio <= DLOG_DEBUG)
334 return DLOG_ERROR_NOT_PERMITTED;
337 __dynamic_config_update();
340 struct pass_log_result should_log = { .decision = DECISION_DENIED };
341 if (!pthread_rwlock_rdlock(&log_limiter_lock)) {
342 should_log = __log_limiter_pass_log(tag, prio);
343 pthread_rwlock_unlock(&log_limiter_lock);
346 switch (should_log.decision) {
347 case DECISION_DENIED:
348 return DLOG_ERROR_NOT_PERMITTED;
350 case DECISION_TAG_LIMIT_EXCEEDED_MESSAGE:
351 case DECISION_PID_LIMIT_EXCEEDED_MESSAGE: {
353 int result = clock_gettime(CLOCK_MONOTONIC, &tp);
355 return DLOG_ERROR_NOT_PERMITTED;
357 snprintf(buf, sizeof(buf),
358 "Your log has been blocked due to per-%s limit of %d logs per %d seconds.",
359 should_log.decision == DECISION_TAG_LIMIT_EXCEEDED_MESSAGE ? "tag" : "PID",
360 should_log.logs_per_period, should_log.period_s);
361 write_to_log(log_id, prio, tag, buf, &tp);
362 return DLOG_ERROR_NOT_PERMITTED;
365 case DECISION_ALLOWED:
370 /* This can change due to __dynamic_config_update(), but is atomic and its
371 * value implies nothing else so does not need to be under a lock. */
373 return DLOG_ERROR_NOT_PERMITTED;
375 return DLOG_ERROR_NONE;
378 static int __write_to_log_critical_section(log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap, bool check_should_log)
380 if (check_should_log && prio < priority_filter_level)
381 return DLOG_ERROR_NONE;
383 if ((check_should_log || limiter_apply_to_all_buffers) && (dlog_check_limiter(log_id, prio, tag) < 0))
384 return DLOG_ERROR_NONE;
386 char buf[LOG_MAX_PAYLOAD_SIZE];
387 int len = vsnprintf(buf, sizeof buf, fmt, ap);
389 return DLOG_ERROR_NONE;
390 else if (len >= sizeof buf)
391 len = sizeof buf - 1;
395 if (deduplicate_func && !clock_gettime(CLOCK_MONOTONIC, &tp)) {
396 dlog_deduplicate_e ret = deduplicate_func(buf, len, &tp);
397 if (ret == DLOG_DEDUPLICATE)
398 return DLOG_ERROR_NONE;
399 else if (ret == DLOG_DO_NOT_DEDUPLICATE_BUT_WARN)
400 deduplicate_warn(buf, sizeof buf, len);
401 r = write_to_log(log_id, prio, tag, buf, &tp);
403 r = write_to_log(log_id, prio, tag, buf, NULL);
405 if (r < 0 && stash_failed_log)
406 r = stash_failed_log(log_id, prio, tag, buf);
411 static int __write_to_log(log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap, bool check_should_log, bool secure_log)
413 int ret = dlog_check_validity(log_id, prio, tag);
417 /* Threads can be cancelled before they give up a lock.
418 * Therefore cancellation is temporarily disabled.
419 * This solution is comparatively simple and cheap.
420 * The other solutions (cleanup handlers, robust mutexes)
421 * would be much more complicated and also inflict larger
422 * runtime costs. The downside of disabling cancellation
423 * is not a problem in our case because it is temporary
424 * and very brief so we don't keep an obsolete thread
425 * for much longer than we otherwise would. */
426 int old_cancel_state;
427 pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_cancel_state);
429 /* The only thing that needs to be protected here is `write_to_log` since
430 * all other resources already have their own specific locks (and even the
431 * pointer could be made to point at a null handler instead of a true NULL)
432 * but giving this guarantee makes everything a lot simpler as it removes
433 * the risk of something suddenly becoming NULL during processing. */
434 if (!initialize() || !write_to_log)
435 // TODO: We could consider stashing the failed log here
436 ret = DLOG_ERROR_NOT_PERMITTED;
437 else if (secure_log && !enable_secure_logs)
440 ret = __write_to_log_critical_section(log_id, prio, tag, fmt, ap, check_should_log);
442 pthread_setcancelstate(old_cancel_state, NULL);
447 int __critical_log_append_timestamp(char *buf, size_t buflen)
449 /* NB: the timestamp may slightly differ from the one that gets
450 * added onto the copy that goes into the regular buffer, and
451 * timestamp acquisition is duplicated. This would ideally be
452 * solved, but timestamps are currently added fairly deep in
453 * backend-specific functions so for now this will have to do.
454 * Also, since we're the sender, there is just this one set of
455 * timestamps, i.e. the send timestamp! The usual alternative
456 * set of receive timestamps will never have the opportunity
457 * to get added to the entry since this log is supposed to end
458 * up straight in the file (there's potentially the trusted
459 * writer binary but we're trying to keep the set of actions
460 * it needs to do to the minimum and those timestamps would
461 * in practice be the same anyway). */
464 clock_gettime(CLOCK_REALTIME, &ts);
465 const time_t tt = ts.tv_sec;
466 const long int real_millisec = ts.tv_nsec / 1000000;
467 clock_gettime(CLOCK_MONOTONIC, &ts);
469 struct tm *const ptm = localtime_r(&tt, &tmBuf);
470 assert(ptm); // we're in a short lived fork so asserts are fine and make things simple
472 int len = strftime(buf, buflen, "%m-%d %H:%M:%S", ptm);
475 int tmp_len = snprintf(buf + len, buflen - len, ".%03ld", real_millisec);
477 assert(tmp_len < buflen - len);
480 tmp_len = strftime(buf + len, buflen - len, "%z ", ptm);
481 assert(tmp_len != 0);
484 tmp_len = snprintf(buf + len, buflen - len, "%5lu.%03ld", ts.tv_sec, ts.tv_nsec / 1000000);
486 assert(tmp_len < buflen - len);
492 int __critical_log_build_msg(char *buf, size_t buflen, pid_t main_pid, pid_t main_tid, log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap)
494 int len = __critical_log_append_timestamp(buf, buflen);
495 const int metadata_len = snprintf(buf + len, buflen - len, " P%5d T%5d B%-6s %c/%-8s: ",
498 log_name_by_id(log_id),
499 filter_pri_to_char(prio),
500 tag ?: "CRITICAL_NO_TAG");
501 assert(metadata_len > 0);
502 if (metadata_len >= buflen - len)
503 return buflen - 1; // can genuinely happen with an exceedingly large tag
506 const int content_len = vsnprintf(buf + len, buflen - len, fmt, ap);
507 assert(content_len >= 0); // 0 is legit with format == ""
508 if (content_len >= buflen - len)
516 __attribute__ ((noreturn))
518 void __critical_log_child(pid_t main_pid, pid_t main_tid, log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap)
520 char buf[LOG_MAX_PAYLOAD_SIZE + 128]; // extra space for some metadata
521 const int len = __critical_log_build_msg(buf, sizeof buf - 1, main_pid, main_tid, log_id, prio, tag, fmt, ap);
525 static const char *const path = "/usr/libexec/dlog-log-critical";
526 execl(path, path /* argv[0] convention */, buf, (char *) NULL);
529 /* Compilers are sometimes smart enough to recognize _exit's
530 * noreturn attribute, even if we wrap it with something that
531 * returns. This causes it to behave in unexpected ways, for
532 * example it can blow up the program regardless or it can
533 * optimize some conditionals out (and incorrectly enter them
534 * after the exit call fails to actually exit). This makes it
535 * unsuitable for tests. */
537 _exit(1); // not the regular `exit` so as not to trigger any `atexit` handlers prematurely
541 #ifndef UNIT_TEST // contains forks and exits, these don't work well with wrapping (see above)
542 void __critical_log(log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap)
544 /* Critical log functionality is mostly done in a separate binary
545 * to handle security correctly (else every process would have to
546 * possess the necessary privilege to write onto that file, which
547 * would be opening a fairly nasty can of worms from the security
548 * point of view). Our use of exec() is why a simple thread would
549 * not suffice and we're resorting to a fork.
551 * The double fork, much like a double barreled 12 gauge shotgun,
552 * is an elegant solution designed to stop a zombie army. We'd be
553 * creating zombie processes if we didn't wait() for the children
554 * we spawn, but we don't really want to do that since it results
555 * in a needless delay. Instead, the writer process is actually a
556 * grandchild, with our direct child exiting immediately just for
557 * us to have something to wait on that is guaranteed not to take
558 * too long. The orphaned grandchild is adopted by init, who will
559 * take care to reap it when it dies. In addition to avoiding the
560 * delay, the client will not have any unexpected children (which
561 * could ruin logic in its own waits).
564 * ┌───────┐ ┌─────────┐ ┌─────────────┐ ┌────────┐
565 * │ pid 1 ├──>│ libdlog ├──>│ immediately ├──>│ execs │
566 * │ init │ │ client │ │ exits │ │ writer │
567 * └───────┘ └─────────┘ └─────────────┘ └────────┘
569 * Afterwards, libdlog has no children:
570 * ┌───────┐ ┌─────────┐ ┌────────┐
571 * │ pid 1 ├──>│ libdlog │ ┌─────────>│ writer │
572 * │ init ├─┐ │ client │ │ │ binary │
573 * └───────┘ │ └─────────┘ │ └────────┘
574 * └──────────────────────┘
579 if (!enable_critical)
582 const pid_t main_pid = getpid();
583 const pid_t main_tid = gettid();
585 const int temporary_exiter_pid = fork();
586 if (temporary_exiter_pid < 0)
588 if (temporary_exiter_pid != 0) {
589 waitpid(temporary_exiter_pid, NULL, 0);
593 const int child_pid = fork();
599 __critical_log_child(main_pid, main_tid, log_id, prio, tag, fmt, ap);
602 static void stash_critical_inner(log_id_t log_id, log_priority prio, const char *tag, const char *fmt, ...)
607 __critical_log(log_id, prio, tag, fmt, ap);
611 static int stash_critical(log_id_t log_id, log_priority prio, const char *tag, const char *msg)
613 stash_critical_inner(log_id, prio, tag, "FAILED TO LOG: %s", msg);
617 EXPORT_API int __dlog_critical_print(log_id_t log_id, int prio, const char *tag, const char *fmt, ...)
622 __critical_log(log_id, prio, tag, fmt, ap);
626 int ret = __dlog_vprint(log_id, prio, tag, fmt, ap);
633 EXPORT_API int dlog_set_minimum_priority(int priority)
635 if (priority < DLOG_DEFAULT || priority > DLOG_PRIO_MAX)
636 return DLOG_ERROR_INVALID_PARAMETER;
638 priority_filter_level = priority;
639 return DLOG_ERROR_NONE;
644 * @details Print a log line
645 * @param[in] log_id The target buffer ID
646 * @param[in] prio Priority
648 * @param[in] fmt Format (same as printf)
649 * @param[in] ap Argument list
650 * @return Bytes written, or negative error
652 EXPORT_API int __dlog_vprint(log_id_t log_id, int prio, const char *tag, const char *fmt, va_list ap)
654 int ret = __write_to_log(log_id, prio, tag, fmt, ap, true, false);
655 __dlog_fatal_assert(prio);
662 * @details Print a log line
663 * @param[in] log_id The target buffer ID
664 * @param[in] prio Priority
666 * @param[in] fmt Format (same as printf)
667 * @return Bytes written, or negative error
669 EXPORT_API int __dlog_print(log_id_t log_id, int prio, const char *tag, const char *fmt, ...)
674 int ret = __dlog_vprint(log_id, prio, tag, fmt, ap);
682 * @details Print a log line
683 * @param[in] log_id The target buffer ID
684 * @param[in] prio Priority
686 * @param[in] fmt Format (same as printf)
687 * @return Bytes written, or negative error
689 EXPORT_API int __dlog_sec_print(log_id_t log_id, int prio, const char *tag, const char *fmt, ...)
691 if (!enable_secure_logs)
697 int ret = __write_to_log(log_id, prio, tag, fmt, ap, true, true);
698 __dlog_fatal_assert(prio);
704 EXPORT_API int dlog_vprint(log_priority prio, const char *tag, const char *fmt, va_list ap)
706 return __write_to_log(LOG_ID_APPS, prio, tag, fmt, ap, false, false);
709 EXPORT_API int dlog_print(log_priority prio, const char *tag, const char *fmt, ...)
714 int ret = dlog_vprint(prio, tag, fmt, ap);
721 * @brief Finalize DLog
722 * @details Finalizes and deallocates the library
723 * @notes Used directly in tests; brings back the pre-init state
725 void __dlog_fini(void)
727 if (destroy_backend) {
729 destroy_backend = NULL;
732 is_initialized = false;
735 enable_secure_logs = true;
736 enable_critical = false;
737 __deduplicate_destroy();
738 __log_limiter_destroy();
739 __dynamic_config_destroy();