sd_bus_creds_get_pid, sd_bus_creds_get_ppid, sd_bus_creds_get_tid, sd_bus_creds_get_uid, sd_bus_creds_get_euid, sd_bus_creds_get_suid, sd_bus_creds_get_fsuid, sd_bus_creds_get_gid, sd_bus_creds_get_egid, sd_bus_creds_get_sgid, sd_bus_creds_get_fsgid, sd_bus_creds_get_supplementary_gids, sd_bus_creds_get_comm, sd_bus_creds_get_tid_comm, sd_bus_creds_get_exe, sd_bus_creds_get_cmdline, sd_bus_creds_get_cgroup, sd_bus_creds_get_unit, sd_bus_creds_get_slice, sd_bus_creds_get_user_unit, sd_bus_creds_get_user_slice, sd_bus_creds_get_session, sd_bus_creds_get_owner_uid, sd_bus_creds_has_effective_cap, sd_bus_creds_has_permitted_cap, sd_bus_creds_has_inheritable_cap, sd_bus_creds_has_bounding_cap, sd_bus_creds_get_selinux_context, sd_bus_creds_get_audit_session_id, sd_bus_creds_get_audit_login_uid, sd_bus_creds_get_tty, sd_bus_creds_get_unique_name, sd_bus_creds_get_well_known_names, sd_bus_creds_get_description — Retrieve fields from a credentials object
#include <systemd/sd-bus.h>
int sd_bus_creds_get_pid( | sd_bus_creds *c, |
pid_t *pid) ; |
int sd_bus_creds_get_ppid( | sd_bus_creds *c, |
pid_t *ppid) ; |
int sd_bus_creds_get_tid( | sd_bus_creds *c, |
pid_t *tid) ; |
int sd_bus_creds_get_uid( | sd_bus_creds *c, |
uid_t *uid) ; |
int sd_bus_creds_get_euid( | sd_bus_creds *c, |
uid_t *uid) ; |
int sd_bus_creds_get_suid( | sd_bus_creds *c, |
uid_t *uid) ; |
int sd_bus_creds_get_fsuid( | sd_bus_creds *c, |
uid_t *uid) ; |
int sd_bus_creds_get_gid( | sd_bus_creds *c, |
gid_t *gid) ; |
int sd_bus_creds_get_egid( | sd_bus_creds *c, |
gid_t *gid) ; |
int sd_bus_creds_get_sgid( | sd_bus_creds *c, |
gid_t *gid) ; |
int sd_bus_creds_get_fsgid( | sd_bus_creds *c, |
gid_t *gid) ; |
int sd_bus_creds_get_supplementary_gids( | sd_bus_creds *c, |
const gid_t **gids) ; |
int sd_bus_creds_get_comm( | sd_bus_creds *c, |
const char **comm) ; |
int sd_bus_creds_get_tid_comm( | sd_bus_creds *c, |
const char **comm) ; |
int sd_bus_creds_get_exe( | sd_bus_creds *c, |
const char **exe) ; |
int sd_bus_creds_get_cmdline( | sd_bus_creds *c, |
char ***cmdline) ; |
int sd_bus_creds_get_cgroup( | sd_bus_creds *c, |
const char **cgroup) ; |
int sd_bus_creds_get_unit( | sd_bus_creds *c, |
const char **unit) ; |
int sd_bus_creds_get_slice( | sd_bus_creds *c, |
const char **slice) ; |
int sd_bus_creds_get_user_unit( | sd_bus_creds *c, |
const char **unit) ; |
int sd_bus_creds_get_user_slice( | sd_bus_creds *c, |
const char **slice) ; |
int sd_bus_creds_get_session( | sd_bus_creds *c, |
const char **slice) ; |
int sd_bus_creds_get_owner_uid( | sd_bus_creds *c, |
uid_t *uid) ; |
int sd_bus_creds_has_effective_cap( | sd_bus_creds *c, |
int capability) ; |
int sd_bus_creds_has_permitted_cap( | sd_bus_creds *c, |
int capability) ; |
int sd_bus_creds_has_inheritable_cap( | sd_bus_creds *c, |
int capability) ; |
int sd_bus_creds_has_bounding_cap( | sd_bus_creds *c, |
int capability) ; |
int sd_bus_creds_get_selinux_context( | sd_bus_creds *c, |
const char **context) ; |
int sd_bus_creds_get_audit_session_id( | sd_bus_creds *c, |
uint32_t *sessionid) ; |
int sd_bus_creds_get_audit_login_uid( | sd_bus_creds *c, |
uid_t *loginuid) ; |
int sd_bus_creds_get_tty( | sd_bus_creds *c, |
const char **tty) ; |
int sd_bus_creds_get_unique_name( | sd_bus_creds *c, |
const char **name) ; |
int sd_bus_creds_get_well_known_names( | sd_bus_creds *c, |
char ***name) ; |
int sd_bus_creds_get_description( | sd_bus_creds *c, |
const char **name) ; |
These functions return credential information from an
sd_bus_creds
object. Credential objects may
be created with
sd_bus_creds_new_from_pid(3),
in which case they describe the credentials of the process
identified by the specified PID, with
sd_bus_get_name_creds(3),
in which case they describe the credentials of a bus peer
identified by the specified bus name, with
sd_bus_get_owner_creds(3),
in which case they describe the credentials of the creator of a
bus, or with
sd_bus_message_get_creds(3),
in which case they describe the credentials of the sender of the
message.
Not all credential fields are part of every
"sd_bus_creds
" object. Use
sd_bus_creds_get_mask(3)
to determine the mask of fields available.
sd_bus_creds_get_pid()
will retrieve
the PID (process identifier). Similarly,
sd_bus_creds_get_ppid()
will retrieve the
parent PID. Note that PID 1 has no parent process, in which case
-ENXIO is returned.
sd_bus_creds_get_tid()
will retrieve the
TID (thread identifier).
sd_bus_creds_get_uid()
will retrieve
the numeric UID (user identifier). Similarly,
sd_bus_creds_get_euid()
returns the effective
UID, sd_bus_creds_get_suid()
the saved UID
and sd_bus_creds_get_fsuid()
the file system
UID.
sd_bus_creds_get_gid()
will retrieve the
numeric GID (group identifier). Similarly,
sd_bus_creds_get_egid()
returns the effective
GID, sd_bus_creds_get_sgid()
the saved GID
and sd_bus_creds_get_fsgid()
the file system
GID.
sd_bus_creds_get_supplementary_gids()
will retrieve the supplementary GIDs list.
sd_bus_creds_get_comm()
will retrieve the
comm field (truncated name of the executable, as stored in
/proc/
).
pid
/comm
sd_bus_creds_get_tid_comm()
will retrieve
the comm field of the thread (as stored in
/proc/
).
pid
/task/tid
/comm
sd_bus_creds_get_exe()
will retrieve the path to the program executable (as
stored in the /proc/
link, but with the "pid
/exe
(deleted)
" suffix removed). Note that kernel threads do not have an executable path, in which
case -ENXIO is returned. Note that this property should not be used for more than explanatory
information, in particular it should not be used for security-relevant decisions. That's because the
executable might have been replaced or removed by the time the value can be processed. Moreover, the
kernel exports this information in an ambiguous way (i.e. a deleted executable cannot be safely
distinguished from one whose name suffix is " (deleted)
").
sd_bus_creds_get_cmdline()
will
retrieve an array of command line arguments (as stored in
/proc/
). Note
that kernel threads do not have a command line, in which case
-ENXIO is returned.pid
/cmdline
sd_bus_creds_get_cgroup()
will retrieve the control group path. See Control Groups v2.
sd_bus_creds_get_unit()
will retrieve
the systemd unit name (in the system instance of systemd) that the
process is a part of. See
systemd.unit(5). For
processes that are not part of a unit, returns -ENXIO.
sd_bus_creds_get_user_unit()
will
retrieve the systemd unit name (in the user instance of systemd)
that the process is a part of. See
systemd.unit(5). For
processes that are not part of a user unit, returns -ENXIO.
sd_bus_creds_get_slice()
will retrieve
the systemd slice (a unit in the system instance of systemd) that
the process is a part of. See
systemd.slice(5). Similarly,
sd_bus_creds_get_user_slice()
retrieves the
systemd slice of the process, in the user instance of systemd.
sd_bus_creds_get_session()
will
retrieve the identifier of the login session that the process is
a part of. Please note the login session may be limited to a stub
process or two. User processes may instead be started from their
systemd user manager, e.g. GUI applications started using DBus
activation, as well as service processes which are shared between
multiple logins of the same user. For processes that are not part
of a session, returns -ENXIO.
sd_bus_creds_get_owner_uid()
will
retrieve the numeric UID (user identifier) of the user who owns
the user unit or login session that the process is a part of. See
systemd-logind.service(8).
For processes that are not part of a user unit or session, returns
-ENXIO.
sd_bus_creds_has_effective_cap()
will check whether the capability specified by
capability
was set in the effective capabilities mask. A positive return value means that it
was set, zero means that it was not set, and a negative return value indicates an error. See capabilities(7) and the
AmbientCapabilities=
and CapabilityBoundingSet=
settings in
systemd.exec(5).
sd_bus_creds_has_permitted_cap()
is
similar to sd_bus_creds_has_effective_cap()
,
but will check the permitted capabilities mask.
sd_bus_creds_has_inheritable_cap()
is
similar to sd_bus_creds_has_effective_cap()
,
but will check the inheritable capabilities mask.
sd_bus_creds_has_bounding_cap()
is
similar to sd_bus_creds_has_effective_cap()
,
but will check the bounding capabilities mask.
sd_bus_creds_get_selinux_context()
will
retrieve the SELinux security context (label) of the process.
sd_bus_creds_get_audit_session_id()
will retrieve the audit session identifier of the process. Returns
-ENXIO for processes that are not part of an audit session.
sd_bus_creds_get_audit_login_uid()
will
retrieve the audit user login identifier (the identifier of the
user who is "responsible" for the session). Returns -ENXIO for
processes that are not part of an audit session.
sd_bus_creds_get_tty()
will retrieve
the controlling TTY, without the prefixing "/dev/". Returns -ENXIO
for processes that have no controlling TTY.
sd_bus_creds_get_unique_name()
will
retrieve the D-Bus unique name. See The
D-Bus specification.
sd_bus_creds_get_well_known_names()
will
retrieve the set of D-Bus well-known names. See The
D-Bus specification.
sd_bus_creds_get_description()
will
retrieve a descriptive name of the bus connection of the
peer. This name is useful to discern multiple bus connections by
the same peer, and may be altered by the peer with the
sd_bus_set_description(3)
call.
All functions that take a const
char**
parameter will store the answer there as an
address of a NUL
-terminated string. It will be valid as long as
c
remains valid, and should not be freed or
modified by the caller.
All functions that take a char***
parameter will store the answer there as an address of an array
of strings. Each individual string is NUL
-terminated, and the
array is NULL
-terminated as a whole. It will be valid as long as
c
remains valid, and should not be freed or
modified by the caller.
On success, these calls return 0 or a positive integer. On failure, these calls return a negative errno-style error code.
Returned errors may indicate the following problems:
-ENODATA
¶The given field is not available in the credentials object
c
.
-ENXIO
¶The given field is not specified for the described process or peer. This will be
returned by sd_bus_creds_get_unit()
,
sd_bus_creds_get_slice()
, sd_bus_creds_get_user_unit()
,
sd_bus_creds_get_user_slice()
, and
sd_bus_creds_get_session()
if the process is not part of a systemd system
unit, systemd user unit, systemd slice, or logind session. It will be returned by
sd_bus_creds_get_owner_uid()
if the process is not part of a systemd user unit
or logind session. It will also be returned by sd_bus_creds_get_exe()
and
sd_bus_creds_get_cmdline()
for kernel threads (since these are not started
from an executable binary, nor have a command line), and by
sd_bus_creds_get_audit_session_id()
and
sd_bus_creds_get_audit_login_uid()
when the process is not part of an audit
session, and sd_bus_creds_get_tty()
if the process has no controlling
TTY.
-EINVAL
¶Specified pointer parameter is NULL
.
-ENOMEM
¶Memory allocation failed.
Functions described here are available as a shared
library, which can be compiled against and linked to with the
libsystemd
pkg-config(1)
file.
The code described here uses
getenv(3),
which is declared to be not multi-thread-safe. This means that the code calling the functions described
here must not call
setenv(3)
from a parallel thread. It is recommended to only do calls to setenv()
from an early phase of the program when no other threads have been started.