<refname>sd_bus_creds_get_cmdline</refname>
<refname>sd_bus_creds_get_cgroup</refname>
<refname>sd_bus_creds_get_unit</refname>
- <refname>sd_bus_creds_get_user_unit</refname>
<refname>sd_bus_creds_get_slice</refname>
+ <refname>sd_bus_creds_get_user_unit</refname>
+ <refname>sd_bus_creds_get_user_slice</refname>
<refname>sd_bus_creds_get_session</refname>
<refname>sd_bus_creds_get_owner_uid</refname>
<refname>sd_bus_creds_has_effective_cap</refname>
</funcprototype>
<funcprototype>
+ <funcdef>int <function>sd_bus_creds_get_slice</function></funcdef>
+ <paramdef>sd_bus_creds *<parameter>c</parameter></paramdef>
+ <paramdef>const char **<parameter>slice</parameter></paramdef>
+ </funcprototype>
+
+ <funcprototype>
<funcdef>int <function>sd_bus_creds_get_user_unit</function></funcdef>
<paramdef>sd_bus_creds *<parameter>c</parameter></paramdef>
<paramdef>const char **<parameter>unit</parameter></paramdef>
</funcprototype>
<funcprototype>
- <funcdef>int <function>sd_bus_creds_get_slice</function></funcdef>
+ <funcdef>int <function>sd_bus_creds_get_user_slice</function></funcdef>
<paramdef>sd_bus_creds *<parameter>c</parameter></paramdef>
<paramdef>const char **<parameter>slice</parameter></paramdef>
</funcprototype>
<refsect1>
<title>Description</title>
- <para>These functions return information from an
- <parameter>sd_bus_creds</parameter> credential object. Credential
- objects may be created with
+ <para>These functions return credential information from an
+ <parameter>sd_bus_creds</parameter> object. Credential objects may
+ be created with
<citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
in which case they describe the credentials of the process
identified by the specified PID, with
in which case they describe the credentials of the creator of a
bus, or with
<citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- in which case they describe the credentials of the sender of the message.</para>
+ in which case they describe the credentials of the sender of the
+ message.</para>
+
+ <para>Not all credential fields are part of every
+ <literal>sd_bus_creds</literal> object. Use
+ <citerefentry><refentrytitle>sd_bus_creds_get_mask</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ to determine the mask of fields available.</para>
<para><function>sd_bus_creds_get_pid()</function> will retrieve
the PID (process identifier). Similar,
<para><function>sd_bus_creds_get_slice()</function> will retrieve
the systemd slice (a unit in the system instance of systemd) that
the process is part of. See
- <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Similar,
+ <function>sd_bus_creds_get_user_slice()</function> retrieves the
+ systemd slice of the process, in the user instance of systemd.
</para>
<para><function>sd_bus_creds_get_session()</function> will
- retrieve the logind session that the process is part of. See
+ retrieve the identifier of the login session that the process is
+ part of. See
<citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. For
processes that are not part of a session returns -ENXIO.
</para>
<para><function>sd_bus_creds_get_owner_uid()</function> will
retrieve the numeric UID (user identifier) of the user who owns
- the session that the process is part of. See
- <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ the login session that the process is part of. See
+ <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
For processes that are not part of a session returns -ENXIO.
</para>
<parameter>capability</parameter> was set in the effective
capabilities mask. A positive return value means that is was
set, zero means that it was not set, and a negative return
- value signifies an error. See
+ value indicates an error. See
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and <varname>Capabilities=</varname> and
<varname>CapabilityBoundingSet=</varname> settings in
processes that are not part of an audit session.</para>
<para><function>sd_bus_creds_get_tty()</function> will retrieve
- the controlling TTY. Returns -ENXIO for processes that have no
- controlling TTY.</para>
+ the controlling TTY, without the prefixing "/dev/". Returns -ENXIO
+ for processes that have no controlling TTY.</para>
<para><function>sd_bus_creds_get_unique_name()</function> will
retrieve the D-Bus unique name. See <ulink
<listitem><para>Given field is not specified for the described
process or peer. This will be returned by
<function>sd_bus_get_unit()</function>,
- <function>sd_bus_get_user_unit()</function>,
<function>sd_bus_get_slice()</function>,
+ <function>sd_bus_get_user_unit()</function>,
+ <function>sd_bus_get_user_slice()</function>,
<function>sd_bus_get_session()</function>, and
<function>sd_bus_get_owner_uid()</function> if the process is
not part of a systemd system unit, systemd user unit, systemd
<refsect1>
<title>Notes</title>
- <para><function>sd_bus_open_user()</function> and other functions
- described here are available as a shared library, which can be
- compiled and linked to with the
- <constant>libsystemd</constant> <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <para><function>sd_bus_creds_get_pid()</function> and the other
+ functions described here are available as a shared library, which
+ can be compiled and linked to with the
+ <constant>libsystemd</constant> <citerefentry
+ project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>
file.</para>
</refsect1>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>free</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<refnamediv>
<refname>sd_bus_creds_new_from_pid</refname>
<refname>sd_bus_creds_get_mask</refname>
+ <refname>sd_bus_creds_get_augmented_mask</refname>
<refname>sd_bus_creds_ref</refname>
<refname>sd_bus_creds_unref</refname>
</funcprototype>
<funcprototype>
+ <funcdef>uint64_t <function>sd_bus_creds_get_augmented_mask</function></funcdef>
+ <paramdef>const sd_bus_creds *<parameter>c</parameter></paramdef>
+ </funcprototype>
+
+ <funcprototype>
<funcdef>sd_bus_creds *<function>sd_bus_creds_ref</function></funcdef>
<paramdef>sd_bus_creds *<parameter>c</parameter></paramdef>
</funcprototype>
<para>
<constant>SD_BUS_CREDS_PID</constant>,
+ <constant>SD_BUS_CREDS_PPID</constant>,
<constant>SD_BUS_CREDS_TID</constant>,
<constant>SD_BUS_CREDS_UID</constant>,
+ <constant>SD_BUS_CREDS_EUID</constant>,
+ <constant>SD_BUS_CREDS_SUID</constant>,
+ <constant>SD_BUS_CREDS_FSUID</constant>,
<constant>SD_BUS_CREDS_GID</constant>,
+ <constant>SD_BUS_CREDS_EGID</constant>,
+ <constant>SD_BUS_CREDS_SGID</constant>,
+ <constant>SD_BUS_CREDS_FSGID</constant>,
+ <constant>SD_BUS_CREDS_SUPPLEMENTARY_GIDS</constant>,
<constant>SD_BUS_CREDS_COMM</constant>,
<constant>SD_BUS_CREDS_TID_COMM</constant>,
<constant>SD_BUS_CREDS_EXE</constant>,
<constant>SD_BUS_CREDS_CMDLINE</constant>,
<constant>SD_BUS_CREDS_CGROUP</constant>,
<constant>SD_BUS_CREDS_UNIT</constant>,
- <constant>SD_BUS_CREDS_USER_UNIT</constant>,
<constant>SD_BUS_CREDS_SLICE</constant>,
+ <constant>SD_BUS_CREDS_USER_UNIT</constant>,
+ <constant>SD_BUS_CREDS_USER_SLICE</constant>,
<constant>SD_BUS_CREDS_SESSION</constant>,
<constant>SD_BUS_CREDS_OWNER_UID</constant>,
<constant>SD_BUS_CREDS_EFFECTIVE_CAPS</constant>,
<constant>SD_BUS_CREDS_SELINUX_CONTEXT</constant>,
<constant>SD_BUS_CREDS_AUDIT_SESSION_ID</constant>,
<constant>SD_BUS_CREDS_AUDIT_LOGIN_UID</constant>,
+ <constant>SD_BUS_CREDS_TTY</constant>,
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant>,
<constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant>,
+ <constant>SD_BUS_CREDS_DESCRIPTION</constant>,
+ <constant>SD_BUS_CREDS_AUGMENT</constant>,
<constant>_SD_BUS_CREDS_ALL</constant>
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para><function>sd_bus_creds_new_from_pid()</function> creates a new
- credentials object and fills it with information about the process
- <parameter>pid</parameter>. This pointer to this object will
- be stored in <parameter>ret</parameter> pointer.</para>
+ <para><function>sd_bus_creds_new_from_pid()</function> creates a
+ new credentials object and fills it with information about the
+ process <parameter>pid</parameter>. The pointer to this object
+ will be stored in <parameter>ret</parameter> pointer. Note that
+ credential objects may also be created and retrieved via
+ <citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
<para>The information that will be stored is determined by
<parameter>creds_mask</parameter>. It may contain a subset of ORed
constants <constant>SD_BUS_CREDS_PID</constant>,
+ <constant>SD_BUS_CREDS_PPID</constant>,
<constant>SD_BUS_CREDS_TID</constant>,
<constant>SD_BUS_CREDS_UID</constant>,
+ <constant>SD_BUS_CREDS_EUID</constant>,
+ <constant>SD_BUS_CREDS_SUID</constant>,
+ <constant>SD_BUS_CREDS_FSUID</constant>,
<constant>SD_BUS_CREDS_GID</constant>,
+ <constant>SD_BUS_CREDS_EGID</constant>,
+ <constant>SD_BUS_CREDS_SGID</constant>,
+ <constant>SD_BUS_CREDS_FSGID</constant>,
+ <constant>SD_BUS_CREDS_SUPPLEMENTARY_GIDS</constant>,
<constant>SD_BUS_CREDS_COMM</constant>,
<constant>SD_BUS_CREDS_TID_COMM</constant>,
<constant>SD_BUS_CREDS_EXE</constant>,
<constant>SD_BUS_CREDS_CMDLINE</constant>,
<constant>SD_BUS_CREDS_CGROUP</constant>,
<constant>SD_BUS_CREDS_UNIT</constant>,
- <constant>SD_BUS_CREDS_USER_UNIT</constant>,
<constant>SD_BUS_CREDS_SLICE</constant>,
+ <constant>SD_BUS_CREDS_USER_UNIT</constant>,
+ <constant>SD_BUS_CREDS_USER_SLICE</constant>,
<constant>SD_BUS_CREDS_SESSION</constant>,
<constant>SD_BUS_CREDS_OWNER_UID</constant>,
<constant>SD_BUS_CREDS_EFFECTIVE_CAPS</constant>,
<constant>SD_BUS_CREDS_SELINUX_CONTEXT</constant>,
<constant>SD_BUS_CREDS_AUDIT_SESSION_ID</constant>,
<constant>SD_BUS_CREDS_AUDIT_LOGIN_UID</constant>,
+ <constant>SD_BUS_CREDS_TTY</constant>,
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant>,
<constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant>,
- or <constant>_SD_BUS_CREDS_ALL</constant> to indicate
- all known fields.</para>
+ <constant>SD_BUS_CREDS_DESCRIPTION</constant>. Use the special
+ value <constant>_SD_BUS_CREDS_ALL</constant> to request all
+ supported fields. The <constant>SD_BUS_CREDS_AUGMENT</constant>
+ may not be ORed into the mask for invocations of
+ <function>sd_bus_creds_new_from_pid()</function>.</para>
<para>Fields can be retrieved from the credentials object using
<citerefentry><refentrytitle>sd_bus_creds_get_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>
and other functions which correspond directly to the constants
listed above.</para>
- <para>A mask of fields which were actually successfully set
- (acquired from <filename>/proc</filename>, etc.) can be retrieved
- with <function>sd_bus_creds_get_mask()</function>. If the
- credentials object was created with
+ <para>A mask of fields which were actually successfully retrieved
+ can be retrieved with
+ <function>sd_bus_creds_get_mask()</function>. If the credentials
+ object was created with
<function>sd_bus_creds_new_from_pid()</function>, this will be a
subset of fields requested in <parameter>creds_mask</parameter>.
</para>
- <para><function>sd_bus_creds_ref</function> creates a new
+ <para>Similar to <function>sd_bus_creds_get_mask()</function> the
+ function <function>sd_bus_creds_get_augmented_mask()</function>
+ returns a bitmask of field constants. The mask indicates which
+ credential fields have been retrieved in a non-atomic fashion. For
+ credential objects created via
+ <function>sd_bus_creds_new_from_pid()</function> this mask will be
+ identical to the mask returned by
+ <function>sd_bus_creds_get_mask()</function>. However, for
+ credential objects retrieved via
+ <function>sd_bus_get_name_creds()</function> this mask will be set
+ for the credential fields that could not be determined atomically
+ at peer connection time, and which were later added by reading
+ augmenting credential data from
+ <filename>/proc</filename>. Similar, for credential objects
+ retrieved via <function>sd_bus_get_owner_creds()</function> the
+ mask is set for the fields that could not be determined atomically
+ at bus creation time, but have been augmented. Similar, for
+ credential objects retrieved via
+ <function>sd_bus_message_get_creds()</function> the mask is set
+ for the fields that could not be determined atomically at message
+ send time, but have been augmented. The mask returned by
+ <function>sd_bus_creds_get_augmented_mask()</function> is always a
+ subset of (or identical to) the mask returned by
+ <function>sd_bus_creds_get_mask()</function> for the same
+ object. The latter call hence returns all credential fields
+ available in the credential object, the former then marks the
+ subset of those that have been augmented. Note that augmented
+ fields are unsuitable for authorization decisions as they may be
+ retrieved at different times, thus being subject to races. Hence
+ augmented fields should be used exclusively for informational
+ purposes.
+ </para>
+
+ <para><function>sd_bus_creds_ref()</function> creates a new
reference to the credentials object <parameter>c</parameter>. This
object will not be destroyed until
- <function>sd_bus_creds_unref</function> has been called as many
+ <function>sd_bus_creds_unref()</function> has been called as many
times plus once more. Once the reference count has dropped to zero,
<parameter>c</parameter> cannot be used anymore, so further
calls to <function>sd_bus_creds_ref(c)</function> or
<function>sd_bus_creds_unref(c)</function> are illegal.</para>
- <para><function>sd_bus_creds_unref</function> destroys a reference
+ <para><function>sd_bus_creds_unref()</function> destroys a reference
to <parameter>c</parameter>.</para>
</refsect1>
<para><function>sd_bus_creds_get_mask()</function> returns the
mask of successfully acquired fields.</para>
- <para><function>sd_bus_creds_ref</function> always returns the
+ <para><function>sd_bus_creds_get_augmented_mask()</function>
+ returns the mask of fields that have been augmented from data in
+ <filename>/proc</filename>, and are thus not suitable for
+ authorization decisions.</para>
+
+ <para><function>sd_bus_creds_ref()</function> always returns the
argument.</para>
- <para><function>sd_bus_creds_unref</function> always returns
+ <para><function>sd_bus_creds_unref()</function> always returns
<constant>NULL</constant>.</para>
</refsect1>
<listitem><para>Memory allocation failed.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><constant>-EOPNOTSUPP</constant></term>
+
+ <listitem><para>One of the requested fields is unknown to the local system.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
- <para><function>sd_bus_creds_new_from_pid()</function> is
- available as a shared library, which can be compiled and linked to
- with the
- <constant>libsystemd</constant> <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <para><function>sd_bus_creds_new_from_pid()</function> and the
+ other calls described here are available as a shared library,
+ which can be compiled and linked to with the
+ <constant>libsystemd</constant> <citerefentry
+ project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>
file.</para>
</refsect1>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_ref</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_bus_creds_get_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_tid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_gid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_comm</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_tid_comm</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_exe</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_cmdline</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_cgroup</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_unit</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_user_unit</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_slice</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_session</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_has_effective_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_has_permitted_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_has_inheritable_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_has_bounding_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_selinux_context</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_audit_session_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_audit_login_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_unique_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_creds_get_well_known_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
</para>
</refsect1>
projects / platform / upstream / systemd.git / commitdiff