Revert "authpolicy: Add debug flags for logging, turn off by default"
This reverts commit d6e9f81b6f9ca641202c250f1761ea1f4122c0e1.
Revert to fix build package failure.
BUG=chromium:725856
TEST=None
Change-Id: Ic757dee4a5bfb9ffdfae004191884688062c469a
Reviewed-on: https://chromium-review.googlesource.com/513396
Reviewed-by: Wei-Ning Huang <wnhuang@chromium.org>
Commit-Queue: Wei-Ning Huang <wnhuang@chromium.org>
Tested-by: Wei-Ning Huang <wnhuang@chromium.org>
diff --git a/authpolicy/authpolicy.cc b/authpolicy/authpolicy.cc
index 6e1fcf5..5ae4396 100644
--- a/authpolicy/authpolicy.cc
+++ b/authpolicy/authpolicy.cc
@@ -222,6 +222,7 @@
}
const char* const method = GetSessionManagerStoreMethod(is_user_policy);
+ LOG(INFO) << "Calling Session Manager D-Bus method " << method;
dbus::MethodCall method_call(login_manager::kSessionManagerInterface, method);
dbus::MessageWriter writer(&method_call);
if (account_id_key)
diff --git a/authpolicy/authpolicy.gyp b/authpolicy/authpolicy.gyp
index b4c9629..2d467c2 100644
--- a/authpolicy/authpolicy.gyp
+++ b/authpolicy/authpolicy.gyp
@@ -87,7 +87,6 @@
'sources': [
'<(gen_src_in_dir)/policy_constants.cc',
'authpolicy.cc',
- 'authpolicy_flags.cc',
'authpolicy_metrics.cc',
'constants.cc',
'jail_helper.cc',
@@ -184,7 +183,6 @@
],
},
'sources': [
- 'authpolicy_flags_unittest.cc',
'authpolicy_testrunner.cc',
'authpolicy_unittest.cc',
'policy/device_policy_encoder_unittest.cc',
diff --git a/authpolicy/authpolicy_flags.cc b/authpolicy/authpolicy_flags.cc
deleted file mode 100644
index b0a5ac0..0000000
--- a/authpolicy/authpolicy_flags.cc
+++ /dev/null
@@ -1,226 +0,0 @@
-// Copyright 2017 The Chromium OS Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "authpolicy/authpolicy_flags.h"
-
-#include <algorithm>
-#include <memory>
-
-#include <base/base64.h>
-#include <base/files/file_path.h>
-#include <base/files/file_util.h>
-#include <base/json/json_reader.h>
-#include <base/strings/string_number_conversions.h>
-#include <base/strings/string_split.h>
-#include <base/values.h>
-
-namespace authpolicy {
-namespace {
-
-// Size for alignment of Dump() output.
-const size_t kAlignSize = 30;
-
-// Gets a string with kAlignSize - strlen(str) spaces (at least 1).
-std::string Align(const char* str) {
- return std::string(kAlignSize - std::min(kAlignSize - 1, strlen(str)), ' ');
-}
-
-// Removes the value with the key |name| from |dict|, checks |type| and returns
-// the value if the type matches. Prints an error message otherwise.
-// TODO(ljusten): Remove |type_name| and use base::Value::GetTypeName once it's
-// available.
-std::unique_ptr<base::Value> GetValueOfType(base::DictionaryValue* dict,
- const char* name,
- base::Value::Type type,
- const char* type_name) {
- std::unique_ptr<base::Value> value;
- if (!dict->Remove(name, &value))
- return nullptr;
- if (!value->IsType(type)) {
- LOG(ERROR) << name << " must be a " << type_name;
- return nullptr;
- }
- return value;
-}
-
-// Metadata used for defining a bool-type flag.
-class BoolFlag {
- public:
- using Setter = void (protos::DebugFlags::*)(bool);
- using Getter = bool (protos::DebugFlags::*)() const;
- constexpr BoolFlag(const char* name, Setter setter, Getter getter)
- : name_(name), setter_(setter), getter_(getter) {}
-
- // Remove the value with key |name_| from |dict| and puts it into |flags|.
- void Handle(protos::DebugFlags* flags, base::DictionaryValue* dict) const {
- std::unique_ptr<base::Value> value =
- GetValueOfType(dict, name_, base::Value::TYPE_BOOLEAN, "boolean");
- if (value) {
- bool bool_value;
- DCHECK(value->GetAsBoolean(&bool_value));
- (flags->*setter_)(bool_value);
- }
- }
-
- // Prints out the value of this flag.
- void Log(const protos::DebugFlags* flags) const {
- LOG(INFO) << " " << name_ << Align(name_)
- << ((flags->*getter_)() ? "ON" : "OFF");
- }
-
- private:
- const char* name_;
- Setter setter_;
- Getter getter_;
-};
-
-// Metadata used for defining a string-type flag.
-class StringFlag {
- public:
- using Setter = void (protos::DebugFlags::*)(const std::string&);
- using Getter = const std::string& (protos::DebugFlags::*)() const;
- constexpr StringFlag(const char* name, Setter setter, Getter getter)
- : name_(name), setter_(setter), getter_(getter) {}
-
- // Remove the value with key |name_| from |dict| and puts it into |flags|.
- void Handle(protos::DebugFlags* flags, base::DictionaryValue* dict) const {
- std::unique_ptr<base::Value> value =
- GetValueOfType(dict, name_, base::Value::TYPE_STRING, "string");
- if (value) {
- std::string string_value;
- DCHECK(value->GetAsString(&string_value));
- (flags->*setter_)(string_value);
- }
- }
-
- // Prints out the value of this flag.
- void Log(const protos::DebugFlags* flags) const {
- LOG(INFO) << " " << name_ << Align(name_) << (flags->*getter_)();
- }
-
- private:
- const char* name_;
- Setter setter_;
- Getter getter_;
-};
-
-#define DEFINE_FLAG(name) \
- { #name, &protos::DebugFlags::set_##name, &protos::DebugFlags::name }
-
-// Bool flags.
-constexpr BoolFlag kBoolFlags[] = {
- DEFINE_FLAG(disable_seccomp),
- DEFINE_FLAG(log_seccomp),
- DEFINE_FLAG(trace_kinit),
- DEFINE_FLAG(log_policy_values),
- DEFINE_FLAG(log_commands),
- DEFINE_FLAG(log_command_output),
- DEFINE_FLAG(log_command_output_on_error),
- DEFINE_FLAG(log_gpo),
- DEFINE_FLAG(log_config),
-};
-
-// String flags.
-constexpr StringFlag kStringFlags[] = {
- DEFINE_FLAG(net_log_level),
-};
-
-#undef DEFINE_FLAG
-
-} // namespace
-
-// static
-std::string SerializeFlags(const protos::DebugFlags& flags) {
- std::string proto_blob, proto_encoded;
- DCHECK(flags.SerializeToString(&proto_blob));
- base::Base64Encode(proto_blob, &proto_encoded);
- return proto_encoded;
-}
-
-// static
-bool DeserializeFlags(const std::string& proto_encoded,
- protos::DebugFlags* flags) {
- std::string proto_blob;
- return base::Base64Decode(proto_encoded, &proto_blob) &&
- flags->ParseFromString(proto_blob);
-}
-
-void AuthPolicyFlags::SetDefaults(DefaultLevel default_level) {
- // Wipe all flags.
- flags_ = protos::DebugFlags();
-
- // Set defaults depending on level.
- switch (default_level) {
- case kQuiet:
- break;
- case kTaciturn:
- flags_.set_log_policy_values(true);
- flags_.set_log_commands(true);
- flags_.set_log_gpo(true);
- flags_.set_log_config(true);
- break;
- case kChatty:
- flags_.set_log_policy_values(true);
- flags_.set_log_commands(true);
- flags_.set_log_command_output_on_error(true);
- flags_.set_log_gpo(true);
- flags_.set_log_config(true);
- flags_.set_net_log_level("3");
- break;
- case kVerbose:
- flags_.set_trace_kinit(true);
- flags_.set_log_policy_values(true);
- flags_.set_log_commands(true);
- flags_.set_log_command_output(true);
- flags_.set_log_gpo(true);
- flags_.set_log_config(true);
- flags_.set_net_log_level("10");
- break;
- }
-}
-
-bool AuthPolicyFlags::LoadFromJsonFile(const base::FilePath& path) {
- std::string flags_json;
- if (!base::ReadFileToString(path, &flags_json))
- return false;
- LoadFromJsonString(flags_json);
- return true;
-}
-
-void AuthPolicyFlags::LoadFromJsonString(const std::string& flags_json) {
- std::string error_message;
- std::unique_ptr<base::Value> root =
- base::JSONReader::ReadAndReturnError(flags_json,
- base::JSON_ALLOW_TRAILING_COMMAS,
- nullptr /* error_code_out */,
- &error_message);
- base::DictionaryValue* dict = nullptr;
- if (!root || !root->GetAsDictionary(&dict)) {
- LOG(ERROR) << "Fail to parse flags: "
- << (error_message.empty() ? "Invalid JSON" : error_message);
- return;
- }
-
- // Check bool flags.
- for (const BoolFlag& bool_flag : kBoolFlags)
- bool_flag.Handle(&flags_, dict);
-
- // Check string flags.
- for (const StringFlag& string_flag : kStringFlags)
- string_flag.Handle(&flags_, dict);
-
- // Print warnings for other parameters.
- for (base::DictionaryValue::Iterator it(*dict); !it.IsAtEnd(); it.Advance())
- LOG(WARNING) << "Unhandled flag " << it.key();
-}
-
-void AuthPolicyFlags::Dump() const {
- LOG(INFO) << "Debug flags:";
- for (const BoolFlag& flag : kBoolFlags)
- flag.Log(&flags_);
- for (const StringFlag& flag : kStringFlags)
- flag.Log(&flags_);
-}
-
-} // namespace authpolicy
diff --git a/authpolicy/authpolicy_flags.h b/authpolicy/authpolicy_flags.h
deleted file mode 100644
index b558e02..0000000
--- a/authpolicy/authpolicy_flags.h
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright 2017 The Chromium OS Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef AUTHPOLICY_AUTHPOLICY_FLAGS_H_
-#define AUTHPOLICY_AUTHPOLICY_FLAGS_H_
-
-#include <string>
-
-#include "bindings/authpolicy_containers.pb.h"
-
-namespace base {
-class FilePath;
-}
-
-namespace authpolicy {
-
-// Serializes |flags| to a base 64 string.
-std::string SerializeFlags(const protos::DebugFlags& flags);
-
-// Deserializes |flags| from a base 64 string |proto_encoded|.
-bool DeserializeFlags(const std::string& proto_encoded,
- protos::DebugFlags* flags);
-
-// Simple class for managing debug flags. See protos::DebugFlags for a
-// description of available flags.
-//
-// Flags are loaded from a JSON file at /etc/authpolicyd_flags (see
-// Path::DEBUG_FLAGS).
-//
-// Example:
-// echo '{"log_commands":true,"log_command_output":true,"net_log_level":"10"}' \
-// > /etc/authpolicyd_flags
-// turns on verbose logging of net commands.
-class AuthPolicyFlags {
- public:
- // Defines 4 sets of flag levels for SetDefaults().
- enum DefaultLevel {
- kQuiet, // All flags off (default).
- kTaciturn, // A few logs only with important stats.
- kChatty, // More verbose logs, low debug level.
- kVerbose, // Log everything except seccomp, high debug level. Seccomp
- // failure logging whitelists a few syscalls and hence has a
- // negative impact on security.
- };
-
- // Applies defaults according to |default_level|.
- void SetDefaults(DefaultLevel default_level);
-
- // Loads flags from the JSON file at |path|. Returns false if the file does
- // not exist. Prints warnings and errors. Misspelled/unknown settings are
- // ignored. Malformed files (invalid JSON) are ignored altogether.
- bool LoadFromJsonFile(const base::FilePath& path);
-
- // Loads flags from the JSON string |flags_json|. Prints warnings and errors.
- // Misspelled/unknown settings are ignored. Malformed strings (invalid JSON)
- // are ignored altogether.
- void LoadFromJsonString(const std::string& flags_json);
-
- // Prints out all flags.
- void Dump() const;
-
- // Gets the underlying protobuf with all flags.
- const protos::DebugFlags& Get() const { return flags_; }
-
- private:
- protos::DebugFlags flags_;
-};
-
-} // namespace authpolicy
-
-#endif // AUTHPOLICY_AUTHPOLICY_FLAGS_H_
diff --git a/authpolicy/authpolicy_flags_unittest.cc b/authpolicy/authpolicy_flags_unittest.cc
deleted file mode 100644
index 6649e4e..0000000
--- a/authpolicy/authpolicy_flags_unittest.cc
+++ /dev/null
@@ -1,88 +0,0 @@
-// Copyright 2016 The Chromium OS Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <base/macros.h>
-#include <gmock/gmock.h>
-#include <gtest/gtest.h>
-
-#include <authpolicy/authpolicy_flags.h>
-
-namespace authpolicy {
-
-class AuthPolicyFlagsTest : public ::testing::Test {
- public:
- AuthPolicyFlagsTest() {}
- ~AuthPolicyFlagsTest() override {}
-
- private:
- DISALLOW_COPY_AND_ASSIGN(AuthPolicyFlagsTest);
-};
-
-// By default, all debug flags should be off.
-TEST_F(AuthPolicyFlagsTest, TestAllFlagsOff) {
- AuthPolicyFlags flags_container;
- const protos::DebugFlags& flags = flags_container.Get();
-
- EXPECT_FALSE(flags.disable_seccomp());
- EXPECT_FALSE(flags.log_seccomp());
- EXPECT_FALSE(flags.trace_kinit());
- EXPECT_FALSE(flags.log_policy_values());
- EXPECT_FALSE(flags.log_commands());
- EXPECT_FALSE(flags.log_command_output());
- EXPECT_FALSE(flags.log_command_output_on_error());
- EXPECT_FALSE(flags.log_gpo());
- EXPECT_FALSE(flags.log_config());
- EXPECT_EQ("0", flags.net_log_level());
-}
-
-// Check whether parsing the flags data works as expected.
-TEST_F(AuthPolicyFlagsTest, TestAllFlagsOn) {
- AuthPolicyFlags flags_container;
- flags_container.LoadFromJsonString(R"!!!(
- { "disable_seccomp":true,
- "log_seccomp":true,
- "trace_kinit":true,
- "log_policy_values":true,
- "log_commands":true,
- "log_command_output":true,
- "log_command_output_on_error":true,
- "log_gpo":true,
- "log_config":true,
- "net_log_level":"10" })!!!");
- const protos::DebugFlags& flags = flags_container.Get();
-
- EXPECT_TRUE(flags.disable_seccomp());
- EXPECT_TRUE(flags.log_seccomp());
- EXPECT_TRUE(flags.trace_kinit());
- EXPECT_TRUE(flags.log_policy_values());
- EXPECT_TRUE(flags.log_commands());
- EXPECT_TRUE(flags.log_command_output());
- EXPECT_TRUE(flags.log_command_output_on_error());
- EXPECT_TRUE(flags.log_gpo());
- EXPECT_TRUE(flags.log_config());
- EXPECT_EQ("10", flags.net_log_level());
-}
-
-TEST_F(AuthPolicyFlagsTest, FlagsSerialization) {
- protos::DebugFlags flags;
- flags.set_log_config(true);
- flags.set_net_log_level("5");
- std::string flags_encoded = SerializeFlags(flags);
- EXPECT_FALSE(flags_encoded.empty());
- protos::DebugFlags flags2;
- EXPECT_TRUE(DeserializeFlags(flags_encoded, &flags2));
-
- // Same as EXPECT_EQ(flags, flags2), except that that's not supported.
- std::string flags_str, flags_str2;
- flags.SerializeToString(&flags_str);
- flags2.SerializeToString(&flags_str2);
- EXPECT_EQ(flags_str, flags_str2);
-}
-
-TEST_F(AuthPolicyFlagsTest, FlagsDeserializationFailsBadString) {
- protos::DebugFlags flags;
- EXPECT_FALSE(DeserializeFlags("!@#$%bogus", &flags));
-}
-
-} // namespace authpolicy
diff --git a/authpolicy/authpolicy_parser_main.cc b/authpolicy/authpolicy_parser_main.cc
index 95ec2de..9f90f17 100644
--- a/authpolicy/authpolicy_parser_main.cc
+++ b/authpolicy/authpolicy_parser_main.cc
@@ -8,7 +8,7 @@
// since parsing the output is considered insecure.
//
// Usage:
-// authpolicy_parser <command> <serialized_debug_flags>
+// authpolicy_parser <command>
// For a list of commands see constants.h.
// Each command reads additional arguments from stdin. See code for details.
//
@@ -26,8 +26,8 @@
#include <base/strings/string_util.h>
#include <brillo/syslog_logging.h>
-#include "authpolicy/authpolicy_flags.h"
#include "authpolicy/constants.h"
+#include "authpolicy/log_level.h"
#include "authpolicy/platform_helper.h"
#include "authpolicy/policy/preg_policy_encoder.h"
#include "authpolicy/proto_bindings/active_directory_info.pb.h"
@@ -88,11 +88,11 @@
}
void Log() const {
- LOG(INFO) << " Name: " << name;
- LOG(INFO) << " Filesyspath: " << filesyspath;
- LOG(INFO) << " Version: " << version_user << " (user) "
- << version_machine << " (machine)";
- LOG(INFO) << " GPFLags: " << gp_flags;
+ LOG_IF(INFO, kLogGpo) << " Name: " << name;
+ LOG_IF(INFO, kLogGpo) << " Filesyspath: " << filesyspath;
+ LOG_IF(INFO, kLogGpo) << " Version: " << version_user << " (user) "
+ << version_machine << " (machine)";
+ LOG_IF(INFO, kLogGpo) << " GPFLags: " << gp_flags;
}
std::string name;
@@ -104,13 +104,12 @@
void PushGpo(const GpoEntry& gpo,
PolicyScope scope,
- std::vector<GpoEntry>* gpo_list,
- const protos::DebugFlags& flags) {
+ std::vector<GpoEntry>* gpo_list) {
if (gpo.IsEmpty())
return;
- if (!gpo.IsValid() && flags.log_gpo()) {
- LOG(INFO) << "Ignoring invalid GPO";
+ if (!gpo.IsValid()) {
+ LOG_IF(INFO, kLogGpo) << "Ignoring invalid GPO";
gpo.Log();
return;
}
@@ -133,11 +132,11 @@
filter_reason = "machine disabled flag is set";
break;
}
- if (!filter_reason) {
- gpo_list->push_back(gpo);
- } else if (flags.log_gpo()) {
- LOG(INFO) << "Filtered out GPO (" << filter_reason << ")";
+ if (filter_reason) {
+ LOG_IF(INFO, kLogGpo) << "Filtered out GPO (" << filter_reason << ")";
gpo.Log();
+ } else {
+ gpo_list->push_back(gpo);
}
}
@@ -246,21 +245,18 @@
// Parses the output of net ads gpo list to get the list of GPOs. Prints out a
// serialized GpoList blob to stdout.
-int ParseGpoList(const std::string& net_out,
- PolicyScope scope,
- const protos::DebugFlags& flags) {
+int ParseGpoList(const std::string& net_out, PolicyScope scope) {
// Parse net output.
GpoEntry current_gpo;
std::vector<GpoEntry> gpo_list;
std::vector<std::string> lines = base::SplitString(
net_out, "\n", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
- LOG_IF(INFO, flags.log_gpo())
- << "Parsing GPO list (" << lines.size() << " lines)";
+ LOG_IF(INFO, kLogGpo) << "Parsing GPO list (" << lines.size() << " lines)";
bool found_separator = false;
for (const std::string& line : lines) {
if (line.find(kGpoToken_Separator) == 0) {
// Separator between entries. Process last gpo if any.
- PushGpo(current_gpo, scope, &gpo_list, flags);
+ PushGpo(current_gpo, scope, &gpo_list);
current_gpo.Clear();
found_separator = true;
continue;
@@ -312,7 +308,7 @@
}
// Just in case there's no separator in the end.
- PushGpo(current_gpo, scope, &gpo_list, flags);
+ PushGpo(current_gpo, scope, &gpo_list);
if (!found_separator) {
// This usually happens when something went wrong, e.g. connection error.
@@ -321,7 +317,7 @@
return EXIT_CODE_PARSE_INPUT_FAILED;
}
- if (flags.log_gpo() && LOG_IS_ON(INFO)) {
+ if (authpolicy::kLogGpo && LOG_IS_ON(INFO)) {
LOG(INFO) << "Found " << gpo_list.size() << " GPOs.";
for (size_t n = 0; n < gpo_list.size(); ++n) {
LOG(INFO) << n + 1 << ")";
@@ -369,9 +365,7 @@
// Parses a set of GPO files and assembles a user or device policy proto. Writes
// the serialized policy blob to stdout. |gpo_file_paths_blob| is expected to be
// a serialized |protos::FilePathList| proto blob.
-int ParsePreg(const std::string& gpo_file_paths_blob,
- PolicyScope scope,
- const protos::DebugFlags& flags) {
+int ParsePreg(const std::string& gpo_file_paths_blob, PolicyScope scope) {
// Parse FilePathList proto blob.
protos::FilePathList gpo_file_paths_proto;
if (!gpo_file_paths_proto.ParseFromString(gpo_file_paths_blob)) {
@@ -389,8 +383,7 @@
case PolicyScope::USER: {
// Parse files into a user policy proto.
em::CloudPolicySettings policy;
- if (!policy::ParsePRegFilesIntoUserPolicy(
- gpo_file_paths, &policy, flags.log_policy_values()))
+ if (!policy::ParsePRegFilesIntoUserPolicy(gpo_file_paths, &policy))
return EXIT_CODE_PARSE_INPUT_FAILED;
// Serialize user policy proto to string.
@@ -401,8 +394,7 @@
case PolicyScope::MACHINE: {
// Parse files into a device policy proto.
em::ChromeDeviceSettingsProto policy;
- if (!policy::ParsePRegFilesIntoDevicePolicy(
- gpo_file_paths, &policy, flags.log_policy_values()))
+ if (!policy::ParsePRegFilesIntoDevicePolicy(gpo_file_paths, &policy))
return EXIT_CODE_PARSE_INPUT_FAILED;
// Serialize policy proto to string.
@@ -466,9 +458,7 @@
return EXIT_CODE_PARSE_INPUT_FAILED;
}
-int HandleCommand(const std::string& cmd,
- const std::string& arg,
- const protos::DebugFlags& flags) {
+int HandleCommand(const std::string& cmd, const std::string& arg) {
if (cmd == kCmdParseRealmInfo)
return ParseRealmInfo(arg);
if (cmd == kCmdParseWorkgroup)
@@ -476,13 +466,13 @@
if (cmd == kCmdParseAccountInfo)
return ParseAccountInfo(arg);
if (cmd == kCmdParseUserGpoList)
- return ParseGpoList(arg, PolicyScope::USER, flags);
+ return ParseGpoList(arg, PolicyScope::USER);
if (cmd == kCmdParseDeviceGpoList)
- return ParseGpoList(arg, PolicyScope::MACHINE, flags);
+ return ParseGpoList(arg, PolicyScope::MACHINE);
if (cmd == kCmdParseUserPreg)
- return ParsePreg(arg, PolicyScope::USER, flags);
+ return ParsePreg(arg, PolicyScope::USER);
if (cmd == kCmdParseDevicePreg)
- return ParsePreg(arg, PolicyScope::MACHINE, flags);
+ return ParsePreg(arg, PolicyScope::MACHINE);
if (cmd == kCmdParseTgtLifetime)
return ParseTgtLifetime(arg);
@@ -508,13 +498,6 @@
}
const char* cmd = argv[1];
- // Load debug flags from argv[2] if present.
- authpolicy::protos::DebugFlags flags;
- if (argc > 2 && !authpolicy::DeserializeFlags(argv[2], &flags)) {
- LOG(ERROR) << "Failed to deserialize flags";
- return authpolicy::EXIT_CODE_BAD_COMMAND;
- }
-
// All commands take additional arguments via stdin.
std::string stdin;
if (!authpolicy::ReadPipeToString(STDIN_FILENO, &stdin)) {
@@ -522,5 +505,5 @@
return authpolicy::EXIT_CODE_READ_INPUT_FAILED;
}
- return authpolicy::HandleCommand(cmd, stdin, flags);
+ return authpolicy::HandleCommand(cmd, stdin);
}
diff --git a/authpolicy/jail_helper.cc b/authpolicy/jail_helper.cc
index e850854..b268e97 100644
--- a/authpolicy/jail_helper.cc
+++ b/authpolicy/jail_helper.cc
@@ -8,36 +8,28 @@
#include "authpolicy/platform_helper.h"
#include "authpolicy/process_executor.h"
-#include "bindings/authpolicy_containers.pb.h"
namespace authpolicy {
-class AuthPolicyFlags;
-class PathService;
-
-JailHelper::JailHelper(const PathService* path_service,
- const protos::DebugFlags* flags)
- : paths_(path_service), flags_(flags) {}
+JailHelper::JailHelper(const PathService* path_service)
+ : paths_(path_service) {}
bool JailHelper::SetupJailAndRun(ProcessExecutor* cmd,
Path seccomp_path_key,
TimerType timer_type) const {
// Limit the system calls that the process can do.
DCHECK(cmd);
- if (!flags_->disable_seccomp()) {
- cmd->LogSeccompFilterFailures(flags_->log_seccomp());
+ if (!disable_seccomp_filters_) {
+ if (log_seccomp_filters_)
+ cmd->LogSeccompFilterFailures();
cmd->SetSeccompFilter(paths_->Get(seccomp_path_key));
}
- // Toggle logging.
- cmd->LogCommand(flags_->log_commands());
- cmd->LogOutput(flags_->log_command_output());
-
// Required since we don't have the caps to wipe supplementary groups.
- cmd->KeepSupplementaryGroups(true);
+ cmd->KeepSupplementaryGroups();
// Allows us to drop setgroups, setresgid and setresuid from seccomp filters.
- cmd->SetNoNewPrivs(true);
+ cmd->SetNoNewPrivs();
// Execute as authpolicyd exec user. Don't use minijail to switch user. This
// would force us to run without preload library since saved UIDs are wiped by
@@ -53,4 +45,10 @@
return cmd->Execute();
}
+void JailHelper::SetDebugFlags(bool disable_seccomp_filters,
+ bool log_seccomp_filters) {
+ disable_seccomp_filters_ = disable_seccomp_filters;
+ log_seccomp_filters_ = log_seccomp_filters;
+}
+
} // namespace authpolicy
diff --git a/authpolicy/jail_helper.h b/authpolicy/jail_helper.h
index b25e63b..069e36f 100644
--- a/authpolicy/jail_helper.h
+++ b/authpolicy/jail_helper.h
@@ -12,16 +12,12 @@
namespace authpolicy {
-namespace protos {
-class DebugFlags;
-}
-
class ProcessExecutor;
// Helper class for setting up a minijail and running a process.
class JailHelper {
public:
- JailHelper(const PathService* path_service, const protos::DebugFlags* flags);
+ explicit JailHelper(const PathService* path_service);
// Sets up minijail and executes |cmd|. |seccomp_path_key| specifies the path
// of the seccomp filter to use. |timer_type| is the UMA timer metric to
@@ -31,12 +27,16 @@
Path seccomp_path_key,
TimerType timer_type) const;
+ // Sets debug flags. By default, all debug flags are turned off.
+ void SetDebugFlags(bool disable_seccomp_filters, bool log_seccomp_filters);
+
private:
// File paths, not owned.
- const PathService* paths_ = nullptr;
+ const PathService* paths_;
- // Debug flags, not owned.
- const protos::DebugFlags* flags_ = nullptr;
+ // Debug flags.
+ bool disable_seccomp_filters_ = false;
+ bool log_seccomp_filters_ = false;
DISALLOW_COPY_AND_ASSIGN(JailHelper);
};
diff --git a/authpolicy/log_level.h b/authpolicy/log_level.h
new file mode 100644
index 0000000..468ff98
--- /dev/null
+++ b/authpolicy/log_level.h
@@ -0,0 +1,34 @@
+// Copyright 2017 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef AUTHPOLICY_LOG_LEVEL_H_
+#define AUTHPOLICY_LOG_LEVEL_H_
+
+#include "base/logging.h"
+
+namespace authpolicy {
+
+// TODO(ljusten): Set to logging::LOG_INFO after TT. https://crbug.com/666691
+
+// Log level for Samba net commands, only shown if executor output is logged as
+// well, see |kLogExecutorOutput|.
+const char kNetLogLevel[] = "10";
+
+//
+// Switches for debug logs of various systems.
+//
+
+// Policy encoder.
+const bool kLogEncoder = true; // Policy values.
+
+// ProcessExecutor.
+const bool kLogExecutorCommand = true; // Command line and exit code.
+const bool kLogExecutorOutput = true; // Stdout and stderr.
+
+// GPO parsing.
+const bool kLogGpo = true; // List of filtered, broken and valid GPOs.
+
+} // namespace authpolicy
+
+#endif // AUTHPOLICY_LOG_LEVEL_H_
diff --git a/authpolicy/path_service.cc b/authpolicy/path_service.cc
index 63f03d5..aaea1cd 100644
--- a/authpolicy/path_service.cc
+++ b/authpolicy/path_service.cc
@@ -24,21 +24,25 @@
const char kGpoCacheDir[] = "/gpo_cache";
// Configuration files.
-const char kConfig[] = "/config.dat";
-const char kSmbConf[] = "/smb.conf";
+const char kConfigPath[] = "/config.dat";
+const char kSmbConfPath[] = "/smb.conf";
-// Kerberos configuration.
-const char kUserKrb5Conf[] = "/krb5_user.conf";
-const char kDeviceKrb5Conf[] = "/krb5_device.conf";
+// Kerberos configuration paths.
+const char kUserKrb5ConfPath[] = "/krb5_user.conf";
+const char kDeviceKrb5ConfPath[] = "/krb5_device.conf";
-// Credential caches.
+// Credential cache paths.
const char kUserCredentialCache[] = "/krb5cc_user";
const char kDeviceCredentialCache[] = "/krb5cc_device";
// Machine keytab.
-const char kMachineKeyTab[] = "/krb5_machine.keytab";
+const char kMachineKeyTabPath[] = "/krb5_machine.keytab";
+// Debug flags.
+const char kDebugFlagsPath[] = "/etc/authpolicyd_flags";
+// kinit trace logs.
+const char kKrb5TracePath[] = "/krb5_trace";
-// Executables.
+// Executable paths.
const char kKInitPath[] = "/usr/bin/kinit";
const char kKListPath[] = "/usr/bin/klist";
const char kNetPath[] = "/usr/bin/net";
@@ -46,30 +50,28 @@
const char kSmbClientPath[] = "/usr/bin/smbclient";
// Seccomp filters.
-const char kKInitSeccompFilterPath[] = "/usr/share/policy/kinit-seccomp.policy";
-const char kKListSeccompFilterPath[] = "/usr/share/policy/klist-seccomp.policy";
-const char kNetAdsSeccompFilterPath[] =
+const char kKInitSeccompFilter[] =
+ "/usr/share/policy/kinit-seccomp.policy";
+const char kKListSeccompFilter[] = "/usr/share/policy/klist-seccomp.policy";
+const char kNetAdsSeccompFilter[] =
"/usr/share/policy/net_ads-seccomp.policy";
-const char kParserSeccompFilterPath[] =
+const char kParserSeccompFilter[] =
"/usr/share/policy/authpolicy_parser-seccomp.policy";
-const char kSmbClientSeccompFilterPath[] =
+const char kSmbClientSeccompFilter[] =
"/usr/share/policy/smbclient-seccomp.policy";
-// Debug flags.
-const char kDebugFlagsPath[] = "/etc/authpolicyd_flags";
-// kinit trace logs.
-const char kKrb5Trace[] = "/krb5_trace";
-
} // namespace
-PathService::PathService() : PathService(true) {}
+PathService::PathService() : PathService(true) {
+}
PathService::PathService(bool initialize) {
if (initialize)
Initialize();
}
-PathService::~PathService() {}
+PathService::~PathService() {
+}
void PathService::Initialize() {
// Set paths. Note: Won't override paths that are already set by a more
@@ -86,19 +88,18 @@
Insert(Path::SAMBA_PRIVATE_DIR, temp_dir + kSambaDir + kPrivateDir);
Insert(Path::GPO_LOCAL_DIR, temp_dir + kSambaDir + kCacheDir + kGpoCacheDir);
- Insert(Path::CONFIG_DAT, state_dir + kConfig);
- Insert(Path::SMB_CONF, temp_dir + kSmbConf);
+ Insert(Path::CONFIG_DAT, state_dir + kConfigPath);
+ Insert(Path::SMB_CONF, temp_dir + kSmbConfPath);
- Insert(Path::USER_KRB5_CONF, temp_dir + kUserKrb5Conf);
- Insert(Path::DEVICE_KRB5_CONF, temp_dir + kDeviceKrb5Conf);
+ Insert(Path::USER_KRB5_CONF, temp_dir + kUserKrb5ConfPath);
+ Insert(Path::DEVICE_KRB5_CONF, temp_dir + kDeviceKrb5ConfPath);
- // Credential caches have to be in a place writable for authpolicyd-exec!
const std::string& samba_dir = Get(Path::SAMBA_DIR);
Insert(Path::USER_CREDENTIAL_CACHE, samba_dir + kUserCredentialCache);
Insert(Path::DEVICE_CREDENTIAL_CACHE, samba_dir + kDeviceCredentialCache);
- Insert(Path::MACHINE_KT_STATE, state_dir + kMachineKeyTab);
- Insert(Path::MACHINE_KT_TEMP, samba_dir + kMachineKeyTab);
+ Insert(Path::MACHINE_KT_STATE, state_dir + kMachineKeyTabPath);
+ Insert(Path::MACHINE_KT_TEMP, samba_dir + kMachineKeyTabPath);
Insert(Path::KINIT, kKInitPath);
Insert(Path::KLIST, kKListPath);
@@ -106,15 +107,14 @@
Insert(Path::PARSER, kParserPath);
Insert(Path::SMBCLIENT, kSmbClientPath);
- Insert(Path::KINIT_SECCOMP, kKInitSeccompFilterPath);
- Insert(Path::KLIST_SECCOMP, kKListSeccompFilterPath);
- Insert(Path::NET_ADS_SECCOMP, kNetAdsSeccompFilterPath);
- Insert(Path::PARSER_SECCOMP, kParserSeccompFilterPath);
- Insert(Path::SMBCLIENT_SECCOMP, kSmbClientSeccompFilterPath);
+ Insert(Path::KINIT_SECCOMP, kKInitSeccompFilter);
+ Insert(Path::KLIST_SECCOMP, kKListSeccompFilter);
+ Insert(Path::NET_ADS_SECCOMP, kNetAdsSeccompFilter);
+ Insert(Path::PARSER_SECCOMP, kParserSeccompFilter);
+ Insert(Path::SMBCLIENT_SECCOMP, kSmbClientSeccompFilter);
Insert(Path::DEBUG_FLAGS, kDebugFlagsPath);
- // Trace has to be in a place writable for authpolicyd-exec!
- Insert(Path::KRB5_TRACE, samba_dir + kKrb5Trace);
+ Insert(Path::KRB5_TRACE, temp_dir + kKrb5TracePath);
}
const std::string& PathService::Get(Path path_key) const {
diff --git a/authpolicy/path_service.h b/authpolicy/path_service.h
index 87da1fc..3199d62 100644
--- a/authpolicy/path_service.h
+++ b/authpolicy/path_service.h
@@ -59,7 +59,7 @@
SMBCLIENT_SECCOMP,
// Misc.
- DEBUG_FLAGS, // File with debug flags, see AuthPolicyFlags.
+ DEBUG_FLAGS, // File with debug flags.
KRB5_TRACE, // kinit trace log.
};
diff --git a/authpolicy/policy/device_policy_encoder.cc b/authpolicy/policy/device_policy_encoder.cc
index 8fc3278..0aa7760 100644
--- a/authpolicy/policy/device_policy_encoder.cc
+++ b/authpolicy/policy/device_policy_encoder.cc
@@ -12,6 +12,7 @@
#include <components/policy/core/common/registry_dict.h>
#include <dbus/shill/dbus-constants.h>
+#include "authpolicy/log_level.h"
#include "authpolicy/policy/policy_encoder_helper.h"
#include "bindings/chrome_device_policy.pb.h"
#include "bindings/policy_constants.h"
@@ -77,7 +78,7 @@
std::unique_ptr<base::DictionaryValue> dict_value =
base::DictionaryValue::From(std::move(root));
if (!dict_value)
- *error = "JSON is not a dictionary: '" + json + "'";
+ *error = "Json is not a dictionary: '" + json + "'";
return dict_value;
}
@@ -483,7 +484,7 @@
return;
}
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< " bool " << policy_name << " = " << (bool_value ? "true" : "false");
// Create proto and set value.
@@ -504,7 +505,7 @@
return;
}
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< " int " << policy_name << " = " << int_value;
// Create proto and set value.
@@ -525,7 +526,7 @@
return;
}
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< " str " << policy_name << " = " << string_value;
// Create proto and set value.
@@ -556,7 +557,7 @@
string_values.push_back(string_value);
}
- if (log_policy_values_ && LOG_IS_ON(INFO)) {
+ if (authpolicy::kLogEncoder && LOG_IS_ON(INFO)) {
LOG(INFO) << " strlist " << policy_name;
for (const std::string& value : string_values)
LOG(INFO) << " " << value;
@@ -572,7 +573,7 @@
if (!value)
return;
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< "Ignoring unsupported policy '" << policy_name << "'.";
}
diff --git a/authpolicy/policy/device_policy_encoder.h b/authpolicy/policy/device_policy_encoder.h
index d24a292..5457083 100644
--- a/authpolicy/policy/device_policy_encoder.h
+++ b/authpolicy/policy/device_policy_encoder.h
@@ -31,9 +31,6 @@
public:
explicit DevicePolicyEncoder(const RegistryDict* dict) : dict_(dict) {}
- // Toggles logging of policy values.
- void LogPolicyValues(bool enabled) { log_policy_values_ = enabled; }
-
// Extracts all supported device policies from |dict| and puts them into
// |policy|.
void EncodePolicy(
@@ -83,8 +80,7 @@
void HandleUnsupported(const char* policy_name) const;
private:
- const RegistryDict* dict_ = nullptr;
- bool log_policy_values_ = false;
+ const RegistryDict* dict_;
};
} // namespace policy
diff --git a/authpolicy/policy/device_policy_encoder_unittest.cc b/authpolicy/policy/device_policy_encoder_unittest.cc
index 5203b8e..06275e9 100644
--- a/authpolicy/policy/device_policy_encoder_unittest.cc
+++ b/authpolicy/policy/device_policy_encoder_unittest.cc
@@ -159,7 +159,7 @@
EncodeBoolean(&policy, key::kDeviceDataRoamingEnabled, kBool);
EXPECT_EQ(kBool, policy.data_roaming_enabled().data_roaming_enabled());
- // The encoder of this policy converts a JSON string to separate values.
+ // The encoder of this policy converts a json string to separate values.
EncodeString(&policy,
key::kNetworkThrottlingEnabled,
"{\"enabled\":true,"
@@ -341,7 +341,7 @@
EXPECT_EQ(em::DisplayRotationDefaultProto::ROTATE_180,
policy.display_rotation_default().display_rotation_default());
- // The encoder of this policy converts a JSON string to separate values.
+ // The encoder of this policy converts a json string to separate values.
EncodeStringList(&policy,
key::kUsbDetachableWhitelist,
{"{\"vendor_id\":123, \"product_id\":234}",
diff --git a/authpolicy/policy/preg_policy_encoder.cc b/authpolicy/policy/preg_policy_encoder.cc
index 665dd32..836d94b 100644
--- a/authpolicy/policy/preg_policy_encoder.cc
+++ b/authpolicy/policy/preg_policy_encoder.cc
@@ -25,8 +25,7 @@
namespace policy {
bool ParsePRegFilesIntoUserPolicy(const std::vector<base::FilePath>& preg_files,
- em::CloudPolicySettings* policy,
- bool log_policy_values) {
+ em::CloudPolicySettings* policy) {
DCHECK(policy);
RegistryDict mandatory_dict;
@@ -44,13 +43,11 @@
// mandatory, it will be overwritten to be mandatory below.
if (recommended_dict) {
UserPolicyEncoder enc(recommended_dict.get(), POLICY_LEVEL_RECOMMENDED);
- enc.LogPolicyValues(log_policy_values);
enc.EncodePolicy(policy);
}
{
UserPolicyEncoder enc(&mandatory_dict, POLICY_LEVEL_MANDATORY);
- enc.LogPolicyValues(log_policy_values);
enc.EncodePolicy(policy);
}
@@ -59,8 +56,7 @@
bool ParsePRegFilesIntoDevicePolicy(
const std::vector<base::FilePath>& preg_files,
- em::ChromeDeviceSettingsProto* policy,
- bool log_policy_values) {
+ em::ChromeDeviceSettingsProto* policy) {
DCHECK(policy);
RegistryDict policy_dict;
@@ -70,7 +66,6 @@
}
DevicePolicyEncoder encoder(&policy_dict);
- encoder.LogPolicyValues(log_policy_values);
encoder.EncodePolicy(policy);
return true;
diff --git a/authpolicy/policy/preg_policy_encoder.h b/authpolicy/policy/preg_policy_encoder.h
index 1dcf3a7..ec55b9d 100644
--- a/authpolicy/policy/preg_policy_encoder.h
+++ b/authpolicy/policy/preg_policy_encoder.h
@@ -27,21 +27,17 @@
// - Mandatory policies always overwrite recommended policies.
// Thus, a mandatory policy in f1 will overwrite a recommended policy in f3,
// even though f3 has the higher index.
-// |log_policy_values| toggles debug logging of policy values.
bool ParsePRegFilesIntoUserPolicy(
const std::vector<base::FilePath>& preg_files,
- enterprise_management::CloudPolicySettings* policy,
- bool log_policy_values);
+ enterprise_management::CloudPolicySettings* policy);
// Loads the given set of |preg_files| and encodes all device policies into the
// given |policy| blob. If multiple files f1,...,fN are passed in, policies
// are merged with following rule:
// - Policies in fn overwrite policies in fm if n > m.
-// |log_policy_values| toggles debug logging of policy values.
bool ParsePRegFilesIntoDevicePolicy(
const std::vector<base::FilePath>& preg_files,
- enterprise_management::ChromeDeviceSettingsProto* policy,
- bool log_policy_values);
+ enterprise_management::ChromeDeviceSettingsProto* policy);
} // namespace policy
diff --git a/authpolicy/policy/preg_policy_encoder_unittest.cc b/authpolicy/policy/preg_policy_encoder_unittest.cc
index dbafa9a..929b041 100644
--- a/authpolicy/policy/preg_policy_encoder_unittest.cc
+++ b/authpolicy/policy/preg_policy_encoder_unittest.cc
@@ -89,8 +89,8 @@
// Encode to policy.
em::CloudPolicySettings policy;
- EXPECT_TRUE(ParsePRegFilesIntoUserPolicy(
- {preg_1_path_, preg_2_path_}, &policy, false /* log_policy_values */));
+ EXPECT_TRUE(
+ ParsePRegFilesIntoUserPolicy({preg_1_path_, preg_2_path_}, &policy));
bool win_bool = (who_wins == FIRST_WINS ? kOtherPolicyBool : kPolicyBool);
int win_int = (who_wins == FIRST_WINS ? kPolicyInt : kOtherPolicyInt);
@@ -149,8 +149,7 @@
// Encode preg file into policy.
em::CloudPolicySettings policy;
- EXPECT_TRUE(ParsePRegFilesIntoUserPolicy(
- {preg_1_path_}, &policy, false /* log_policy_values */));
+ EXPECT_TRUE(ParsePRegFilesIntoUserPolicy({preg_1_path_}, &policy));
// Check that policy has the same values as we wrote to the file.
EXPECT_EQ(kPolicyBool, policy.searchsuggestenabled().value());
@@ -201,8 +200,7 @@
// Encode preg file into policy.
em::ChromeDeviceSettingsProto policy;
- EXPECT_TRUE(ParsePRegFilesIntoDevicePolicy(
- {preg_1_path_}, &policy, false /* log_policy_values */));
+ EXPECT_TRUE(ParsePRegFilesIntoDevicePolicy({preg_1_path_}, &policy));
// Check that policy has the same values as we wrote to the file.
EXPECT_EQ(kPolicyBool, policy.guest_mode_enabled().guest_mode_enabled());
@@ -238,8 +236,8 @@
// Encode to policy.
em::ChromeDeviceSettingsProto policy;
- EXPECT_TRUE(ParsePRegFilesIntoDevicePolicy(
- {preg_1_path_, preg_2_path_}, &policy, false /* log_policy_values */));
+ EXPECT_TRUE(
+ ParsePRegFilesIntoDevicePolicy({preg_1_path_, preg_2_path_}, &policy));
// Check that the values from file 2 prevailed.
EXPECT_EQ(kPolicyBool, policy.guest_mode_enabled().guest_mode_enabled());
diff --git a/authpolicy/policy/user_policy_encoder.cc b/authpolicy/policy/user_policy_encoder.cc
index 13c2dfe..bc7e0fa 100644
--- a/authpolicy/policy/user_policy_encoder.cc
+++ b/authpolicy/policy/user_policy_encoder.cc
@@ -11,6 +11,7 @@
#include <base/values.h>
#include <components/policy/core/common/registry_dict.h>
+#include "authpolicy/log_level.h"
#include "authpolicy/policy/policy_encoder_helper.h"
#include "bindings/cloud_policy.pb.h"
#include "bindings/policy_constants.h"
@@ -57,8 +58,9 @@
return;
}
- LOG_IF(INFO, log_policy_values_) << GetLevelStr() << " bool " << policy_name
- << " = " << (bool_value ? "true" : "false");
+ LOG_IF(INFO, authpolicy::kLogEncoder)
+ << GetLevelStr() << " bool " << policy_name << " = "
+ << (bool_value ? "true" : "false");
// Create proto and set value.
em::BooleanPolicyProto* proto = (policy->*access->mutable_proto_ptr)();
@@ -82,7 +84,7 @@
return;
}
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< GetLevelStr() << " int " << policy_name << " = " << int_value;
// Create proto and set value.
@@ -107,7 +109,7 @@
return;
}
- LOG_IF(INFO, log_policy_values_)
+ LOG_IF(INFO, authpolicy::kLogEncoder)
<< GetLevelStr() << " str " << policy_name << " = " << string_value;
// Create proto and set value.
@@ -143,7 +145,7 @@
string_values.push_back(string_value);
}
- if (log_policy_values_ && LOG_IS_ON(INFO)) {
+ if (authpolicy::kLogEncoder && LOG_IS_ON(INFO)) {
LOG(INFO) << GetLevelStr() << " strlist " << policy_name;
for (const std::string& value : string_values)
LOG(INFO) << " " << value;
diff --git a/authpolicy/policy/user_policy_encoder.h b/authpolicy/policy/user_policy_encoder.h
index 9998f57..a5251b3 100644
--- a/authpolicy/policy/user_policy_encoder.h
+++ b/authpolicy/policy/user_policy_encoder.h
@@ -34,9 +34,6 @@
public:
UserPolicyEncoder(const RegistryDict* dict, PolicyLevel level);
- // Toggles logging of policy values.
- void LogPolicyValues(bool enabled) { log_policy_values_ = enabled; }
-
// Extracts all user policies from |dict_| and puts them into |policy|.
void EncodePolicy(enterprise_management::CloudPolicySettings* policy) const;
@@ -81,9 +78,8 @@
const T_Access* access,
Encoder<T_Access> encode) const;
- const RegistryDict* dict_ = nullptr;
- PolicyLevel level_ = POLICY_LEVEL_MANDATORY;
- bool log_policy_values_ = false;
+ const RegistryDict* dict_;
+ PolicyLevel level_;
};
} // namespace policy
diff --git a/authpolicy/process_executor.cc b/authpolicy/process_executor.cc
index bb97ee8..0f7e226 100644
--- a/authpolicy/process_executor.cc
+++ b/authpolicy/process_executor.cc
@@ -16,10 +16,31 @@
#include <libminijail.h>
#include <scoped_minijail.h>
+#include "authpolicy/log_level.h"
#include "authpolicy/platform_helper.h"
-#include "authpolicy/samba_helper.h"
namespace authpolicy {
+namespace {
+
+// Splits string into lines and logs the lines. This works around a restriction
+// of syslog of 8kb per log and fixes unreadable logs where \n is replaced by
+// #012.
+void LogLongString(const char* header, const std::string& str) {
+ if (!(kLogExecutorOutput && LOG_IS_ON(INFO)))
+ return;
+
+ std::vector<std::string> lines = base::SplitString(
+ str, "\n", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+ if (lines.size() <= 1) {
+ LOG(INFO) << header << str;
+ } else {
+ LOG(INFO) << header;
+ for (const std::string& line : lines)
+ LOG(INFO) << line;
+ }
+}
+
+} // namespace
ProcessExecutor::ProcessExecutor(std::vector<std::string> args)
: args_(std::move(args)) {}
@@ -40,28 +61,16 @@
seccomp_policy_file_ = policy_file;
}
-void ProcessExecutor::LogSeccompFilterFailures(bool enabled) {
- log_seccomp_failures_ = enabled;
+void ProcessExecutor::LogSeccompFilterFailures() {
+ log_seccomp_failures_ = true;
}
-void ProcessExecutor::SetNoNewPrivs(bool enabled) {
- no_new_privs_ = enabled;
+void ProcessExecutor::SetNoNewPrivs() {
+ no_new_privs_ = true;
}
-void ProcessExecutor::KeepSupplementaryGroups(bool enabled) {
- keep_supplementary_flags_ = enabled;
-}
-
-void ProcessExecutor::LogCommand(bool enabled) {
- log_command_ = enabled;
-}
-
-void ProcessExecutor::LogOutput(bool enabled) {
- log_output_ = enabled;
-}
-
-void ProcessExecutor::LogOutputOnError(bool enabled) {
- log_output_on_error_ = enabled;
+void ProcessExecutor::KeepSupplementaryGroups() {
+ keep_supplementary_flags_ = true;
}
bool ProcessExecutor::Execute() {
@@ -75,7 +84,7 @@
return false;
}
- if (log_command_ && LOG_IS_ON(INFO)) {
+ if (kLogExecutorCommand && LOG_IS_ON(INFO)) {
std::string cmd = args_[0];
for (size_t n = 1; n < args_.size(); ++n)
cmd += base::StringPrintf(" '%s'", args_[n].c_str());
@@ -163,11 +172,9 @@
return false;
}
- if (log_output_ || (log_output_on_error_ && exit_code_ != 0)) {
- LogLongString("Stdout: ", out_data_);
- LogLongString("Stderr: ", err_data_);
- }
- LOG_IF(INFO, log_command_) << "Exit code: " << exit_code_;
+ LogLongString("Stdout: ", out_data_);
+ LogLongString("Stderr: ", err_data_);
+ LOG_IF(INFO, kLogExecutorCommand) << "Exit code: " << exit_code_;
return exit_code_ == 0;
}
diff --git a/authpolicy/process_executor.h b/authpolicy/process_executor.h
index 9488345..6a77d20 100644
--- a/authpolicy/process_executor.h
+++ b/authpolicy/process_executor.h
@@ -38,23 +38,14 @@
// Sets a seccomp filter by parsing the given file.
void SetSeccompFilter(const std::string& policy_file);
- // Toggles logging of syscalls blocked by seccomp filters.
- void LogSeccompFilterFailures(bool enabled);
+ // Logs syscalls blocked by seccomp filters.
+ void LogSeccompFilterFailures();
- // Toggles a flag that prevents execve from gaining new privileges.
- void SetNoNewPrivs(bool enabled);
+ // Set a flag that prevents execve from gaining new privileges.
+ void SetNoNewPrivs();
- // Toggles a flag that prevents that supplementary groups are wiped.
- void KeepSupplementaryGroups(bool enabled);
-
- // Toggles logging of command line and the exit code.
- void LogCommand(bool enabled);
-
- // Toggles logging of the command output.
- void LogOutput(bool enabled);
-
- // Toggles logging of the command output if the command failed.
- void LogOutputOnError(bool enabled);
+ // Set a flag that prevents that supplementary groups are wiped.
+ void KeepSupplementaryGroups();
// Execute the command. Returns true if the command executed and returned with
// exit code 0. Also returns true if no args were passed to the constructor.
@@ -81,16 +72,12 @@
std::map<std::string, std::string> env_map_;
int input_fd_ = -1;
std::string input_str_;
- std::string out_data_;
- std::string err_data_;
+ std::string out_data_, err_data_;
int exit_code_ = 0;
std::string seccomp_policy_file_;
bool log_seccomp_failures_ = false;
bool no_new_privs_ = false;
bool keep_supplementary_flags_ = false;
- bool log_command_ = false;
- bool log_output_ = false;
- bool log_output_on_error_ = false;
// We better not copy/assign because of |input_fd_|.
DISALLOW_COPY_AND_ASSIGN(ProcessExecutor);
diff --git a/authpolicy/proto/authpolicy_containers.proto b/authpolicy/proto/authpolicy_containers.proto
index eb66cb7..7ddfda8 100644
--- a/authpolicy/proto/authpolicy_containers.proto
+++ b/authpolicy/proto/authpolicy_containers.proto
@@ -54,29 +54,3 @@
// still happen within the validity lifetime.
optional int64 renewal_seconds = 2;
}
-
-// Debug flags.
-message DebugFlags {
- // Disable seccomp filters.
- optional bool disable_seccomp = 1;
- // Log seccomp filter failures.
- optional bool log_seccomp = 2;
- // Enable kinit trace logs. Only shown if log_command_output is set as well.
- optional bool trace_kinit = 3;
- // Log policy values read from GPO.
- optional bool log_policy_values = 4;
- // Log command line and exit code in ProcessExecutor.
- optional bool log_commands = 5;
- // Log stdout and stderr in ProcessExecutor no matter whether the command
- // succeeded or not.
- optional bool log_command_output = 6;
- // Log stdout and stderr in ProcessExecutor if the command failed.
- optional bool log_command_output_on_error = 7;
- // Log list of filtered, broken and valid GPOs.
- optional bool log_gpo = 8;
- // Log configuration data (netbios name, kdc ip etc.).
- optional bool log_config = 9;
- // Log level for Samba net commands. Only shown if log_command_output is set
- // as well.
- optional string net_log_level = 10 [default = "0"];
-}
diff --git a/authpolicy/samba_helper.cc b/authpolicy/samba_helper.cc
index 9882dcc..3905d28 100644
--- a/authpolicy/samba_helper.cc
+++ b/authpolicy/samba_helper.cc
@@ -128,19 +128,4 @@
return octet_str;
}
-void LogLongString(const char* header, const std::string& str) {
- if (!LOG_IS_ON(INFO))
- return;
-
- std::vector<std::string> lines = base::SplitString(
- str, "\n", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
- if (lines.size() <= 1) {
- LOG(INFO) << header << str;
- } else {
- LOG(INFO) << header;
- for (const std::string& line : lines)
- LOG(INFO) << line;
- }
-}
-
} // namespace authpolicy
diff --git a/authpolicy/samba_helper.h b/authpolicy/samba_helper.h
index fb5b4c8..fcd15ea 100644
--- a/authpolicy/samba_helper.h
+++ b/authpolicy/samba_helper.h
@@ -53,11 +53,6 @@
// Returns an empty string on error.
std::string GuidToOctetString(const std::string& guid);
-// Splits string into lines and logs the lines. This works around a restriction
-// of syslog of 8kb per log and fixes unreadable logs where \n is replaced by
-// #012.
-void LogLongString(const char* header, const std::string& str);
-
} // namespace authpolicy
#endif // AUTHPOLICY_SAMBA_HELPER_H_
diff --git a/authpolicy/samba_interface.cc b/authpolicy/samba_interface.cc
index a864955..ee27135 100644
--- a/authpolicy/samba_interface.cc
+++ b/authpolicy/samba_interface.cc
@@ -18,11 +18,10 @@
#include <base/strings/string_split.h>
#include <base/strings/string_util.h>
#include <base/strings/stringprintf.h>
-#include <base/sys_info.h>
#include <base/threading/platform_thread.h>
#include <base/time/time.h>
-#include "authpolicy/authpolicy_flags.h"
+#include "authpolicy/log_level.h"
#include "authpolicy/platform_helper.h"
#include "authpolicy/process_executor.h"
#include "bindings/authpolicy_containers.pb.h"
@@ -79,6 +78,11 @@
const char kPRegDeviceDir[] = "Machine";
const char kPRegFileName[] = "registry.pol";
+// Flags. Write kFlag* strings to the Path::DEBUG_FLAGS file to toggle flags.
+const char kFlagDisableSeccomp[] = "disable_seccomp";
+const char kFlagLogSeccomp[] = "log_seccomp";
+const char kFlagTraceKinit[] = "trace_kinit";
+
// Size limit when loading the config file (256 kb).
const size_t kConfigSizeLimit = 256 * 1024;
@@ -103,10 +107,6 @@
const char kKeyObjectNameNotFound[] =
"NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file ";
-const char kChromeOSReleaseTrack[] = "CHROMEOS_RELEASE_TRACK";
-const char kBetaChannel[] = "beta-channel";
-const char kStableChannel[] = "stable-channel";
-
ErrorType GetNetError(const ProcessExecutor& executor,
const std::string& net_command) {
const std::string& net_out = executor.GetStdout();
@@ -201,36 +201,23 @@
const PathService* path_service)
: metrics_(metrics),
paths_(path_service),
- jail_helper_(paths_, &flags_),
+ jail_helper_(paths_),
user_tgt_manager_(task_runner,
paths_,
metrics_,
- &flags_,
&jail_helper_,
Path::USER_KRB5_CONF,
Path::USER_CREDENTIAL_CACHE),
device_tgt_manager_(task_runner,
paths_,
metrics_,
- &flags_,
&jail_helper_,
Path::DEVICE_KRB5_CONF,
Path::DEVICE_CREDENTIAL_CACHE) {
DCHECK(paths_);
-
- // Set a good debug flag level depending on the channel.
- std::string channel;
- flags_default_level_ = AuthPolicyFlags::kQuiet;
- if (!base::SysInfo::GetLsbReleaseValue(kChromeOSReleaseTrack, &channel)) {
- LOG(WARNING) << "Failed to retrieve release track from sys info.";
- } else if (channel != kBetaChannel && channel != kStableChannel) {
- flags_default_level_ = AuthPolicyFlags::kVerbose;
- }
}
ErrorType SambaInterface::Initialize(bool expect_config) {
- ReloadDebugFlags();
-
ErrorType error = ERROR_NONE;
for (const auto& dir_and_mode : kDirsAndMode) {
const base::FilePath dir(paths_->Get(dir_and_mode.first));
@@ -249,6 +236,32 @@
return error;
}
+ // Load debug flags from file.
+ bool disable_seccomp_filters = false;
+ bool log_seccomp_filters = false;
+ bool trace_kinit = false;
+ std::string flags;
+ const std::string& flags_path = paths_->Get(Path::DEBUG_FLAGS);
+ if (base::ReadFileToString(base::FilePath(flags_path), &flags)) {
+ if (Contains(flags, kFlagDisableSeccomp)) {
+ LOG(WARNING) << "Seccomp filters disabled";
+ disable_seccomp_filters = true;
+ }
+ if (Contains(flags, kFlagLogSeccomp)) {
+ LOG(WARNING) << "Logging seccomp filter failures";
+ log_seccomp_filters = true;
+ }
+ if (Contains(flags, kFlagTraceKinit)) {
+ LOG(WARNING) << "Trace kinit";
+ trace_kinit = true;
+ }
+ }
+
+ // Set debug flags.
+ jail_helper_.SetDebugFlags(disable_seccomp_filters, log_seccomp_filters);
+ user_tgt_manager_.SetKinitTraceEnabled(trace_kinit);
+ device_tgt_manager_.SetKinitTraceEnabled(trace_kinit);
+
return ERROR_NONE;
}
@@ -271,15 +284,12 @@
const std::string& account_id,
int password_fd,
ActiveDirectoryAccountInfo* account_info) {
- ReloadDebugFlags();
-
// Split user_principal_name into parts and normalize.
std::string user_name, realm, workgroup, normalized_upn;
if (!ParseUserPrincipalName(
user_principal_name, &user_name, &realm, &normalized_upn)) {
return ERROR_PARSE_UPN_FAILED;
}
- LOG_IF(INFO, flags_.log_config()) << "UPN = '" << normalized_upn << "'";
// Write Samba configuration file.
ErrorType error = EnsureWorkgroupAndWriteSmbConf();
@@ -323,8 +333,6 @@
ErrorType SambaInterface::GetUserStatus(
const std::string& account_id, ActiveDirectoryUserStatus* user_status) {
- ReloadDebugFlags();
-
// Write Samba configuration file.
ErrorType error = EnsureWorkgroupAndWriteSmbConf();
if (error != ERROR_NONE)
@@ -361,15 +369,12 @@
ErrorType SambaInterface::JoinMachine(const std::string& machine_name,
const std::string& user_principal_name,
int password_fd) {
- ReloadDebugFlags();
-
// Split user principal name into parts.
std::string user_name, realm, normalized_upn;
if (!ParseUserPrincipalName(
user_principal_name, &user_name, &realm, &normalized_upn)) {
return ERROR_PARSE_UPN_FAILED;
}
- LOG_IF(INFO, flags_.log_config()) << "UPN = '" << normalized_upn << "'";
// Wipe and (re-)create config. Note that all session data is wiped to make
// testing easier.
@@ -394,7 +399,7 @@
"-s",
paths_->Get(Path::SMB_CONF),
"-d",
- flags_.net_log_level()});
+ kNetLogLevel});
net_cmd.SetInputFile(password_fd);
net_cmd.SetEnv(kKrb5KTEnvKey, // Machine keytab file path.
kFilePrefix + paths_->Get(Path::MACHINE_KT_TEMP));
@@ -425,8 +430,6 @@
ErrorType SambaInterface::FetchUserGpos(const std::string& account_id_key,
std::string* policy_blob) {
- ReloadDebugFlags();
-
// Get sAMAccountName from account id key (must be logged in to fetch user
// policy).
auto iter = user_id_name_map_.find(account_id_key);
@@ -472,8 +475,6 @@
}
ErrorType SambaInterface::FetchDeviceGpos(std::string* policy_blob) {
- ReloadDebugFlags();
-
// Write Samba configuration file.
ErrorType error = EnsureWorkgroupAndWriteSmbConf();
if (error != ERROR_NONE)
@@ -530,7 +531,7 @@
"-s",
paths_->Get(Path::SMB_CONF),
"-d",
- flags_.net_log_level()});
+ kNetLogLevel});
if (!jail_helper_.SetupJailAndRun(
&net_cmd, Path::NET_ADS_SECCOMP, TIMER_NET_ADS_INFO)) {
return GetNetError(net_cmd, "info");
@@ -539,8 +540,7 @@
// Parse the output to find the domain controller name. Enclose in a sandbox
// for security considerations.
- ProcessExecutor parse_cmd(
- {paths_->Get(Path::PARSER), kCmdParseRealmInfo, SerializeFlags(flags_)});
+ ProcessExecutor parse_cmd({paths_->Get(Path::PARSER), kCmdParseRealmInfo});
parse_cmd.SetInputString(net_out);
if (!jail_helper_.SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -552,11 +552,9 @@
LOG(ERROR) << "Failed to parse realm info from string";
return ERROR_PARSE_FAILED;
}
- if (flags_.log_config()) {
- LOG(INFO) << "DC name = '" << realm_info->dc_name() << "'";
- LOG(INFO) << "KDC IP = '" << realm_info->kdc_ip() << "'";
- }
+ LOG(INFO) << "Found DC name = '" << realm_info->dc_name() << "'";
+ LOG(INFO) << "Found KDC IP = '" << realm_info->kdc_ip() << "'";
return ERROR_NONE;
}
@@ -594,7 +592,7 @@
"-s",
paths_->Get(Path::SMB_CONF),
"-d",
- flags_.net_log_level()});
+ kNetLogLevel});
if (!jail_helper_.SetupJailAndRun(
&net_cmd, Path::NET_ADS_SECCOMP, TIMER_NET_ADS_WORKGROUP)) {
return GetNetError(net_cmd, "workgroup");
@@ -603,8 +601,7 @@
// Parse the output to find the workgroup. Enclose in a sandbox for security
// considerations.
- ProcessExecutor parse_cmd(
- {paths_->Get(Path::PARSER), kCmdParseWorkgroup, SerializeFlags(flags_)});
+ ProcessExecutor parse_cmd({paths_->Get(Path::PARSER), kCmdParseWorkgroup});
parse_cmd.SetInputString(net_out);
if (!jail_helper_.SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -613,7 +610,6 @@
return ERROR_PARSE_FAILED;
}
workgroup_ = parse_cmd.GetStdout();
- LOG_IF(INFO, flags_.log_config()) << "Workgroup = '" << workgroup_ << "'";
return ERROR_NONE;
}
@@ -718,10 +714,6 @@
config_ = std::move(config);
LOG(INFO) << "Read configuration file '" << config_path.value() << "'";
- if (flags_.log_config()) {
- LOG(INFO) << "Machine name = '" << config_->machine_name() << "'";
- LOG(INFO) << "Realm = '" << config_->realm() << "'";
- }
return ERROR_NONE;
}
@@ -835,7 +827,7 @@
"-s",
paths_->Get(Path::SMB_CONF),
"-d",
- flags_.net_log_level()});
+ kNetLogLevel});
// Use the machine TGT to query the account info.
net_cmd.SetEnv(kKrb5CCEnvKey,
paths_->Get(device_tgt_manager_.GetCredentialCachePath()));
@@ -847,9 +839,7 @@
// Parse the output to find the account info proto blob. Enclose in a sandbox
// for security considerations.
- ProcessExecutor parse_cmd({paths_->Get(Path::PARSER),
- kCmdParseAccountInfo,
- SerializeFlags(flags_)});
+ ProcessExecutor parse_cmd({paths_->Get(Path::PARSER), kCmdParseAccountInfo});
parse_cmd.SetInputString(net_out);
if (!jail_helper_.SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -876,8 +866,7 @@
PolicyScope scope,
protos::GpoList* gpo_list) const {
DCHECK(gpo_list);
- LOG(INFO) << "Getting " << (scope == PolicyScope::USER ? "user" : "device")
- << " GPO list";
+ LOG(INFO) << "Getting GPO list for " << user_or_machine_name;
// Machine names are names ending with $, anything else is a user name.
authpolicy::ProcessExecutor net_cmd({paths_->Get(Path::NET),
@@ -888,7 +877,7 @@
"-s",
paths_->Get(Path::SMB_CONF),
"-d",
- flags_.net_log_level()});
+ kNetLogLevel});
const TgtManager& tgt_manager =
scope == PolicyScope::USER ? user_tgt_manager_ : device_tgt_manager_;
net_cmd.SetEnv(kKrb5CCEnvKey,
@@ -904,8 +893,7 @@
// Parse the GPO list. Enclose in a sandbox for security considerations.
const char* cmd = scope == PolicyScope::USER ? kCmdParseUserGpoList
: kCmdParseDeviceGpoList;
- ProcessExecutor parse_cmd(
- {paths_->Get(Path::PARSER), cmd, SerializeFlags(flags_)});
+ ProcessExecutor parse_cmd({paths_->Get(Path::PARSER), cmd});
parse_cmd.SetInputString(net_out);
if (!jail_helper_.SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -1101,8 +1089,7 @@
}
// Load GPOs into protobuf. Enclose in a sandbox for security considerations.
- ProcessExecutor parse_cmd(
- {paths_->Get(Path::PARSER), parser_cmd_string, SerializeFlags(flags_)});
+ ProcessExecutor parse_cmd({paths_->Get(Path::PARSER), parser_cmd_string});
parse_cmd.SetInputString(gpo_file_paths_blob);
if (!jail_helper_.SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -1120,14 +1107,4 @@
retry_machine_kinit_ = false;
}
-void SambaInterface::ReloadDebugFlags() {
- // First set defaults, then load file on top.
- AuthPolicyFlags flags_container;
- flags_container.SetDefaults(flags_default_level_);
- const base::FilePath path(paths_->Get(Path::DEBUG_FLAGS));
- if (flags_container.LoadFromJsonFile(path))
- flags_container.Dump();
- flags_ = flags_container.Get();
-}
-
} // namespace authpolicy
diff --git a/authpolicy/samba_interface.h b/authpolicy/samba_interface.h
index 8e27510..b7c3373 100644
--- a/authpolicy/samba_interface.h
+++ b/authpolicy/samba_interface.h
@@ -15,7 +15,6 @@
#include <base/memory/ref_counted.h>
#include <dbus/authpolicy/dbus-constants.h>
-#include "authpolicy/authpolicy_flags.h"
#include "authpolicy/authpolicy_metrics.h"
#include "authpolicy/constants.h"
#include "authpolicy/jail_helper.h"
@@ -179,12 +178,6 @@
// user data.
void Reset();
- // Reloads debug flags. Should be done on every public method called from
- // D-Bus, so that authpolicyd doesn't have to be restarted if the flags
- // change. Note that this is cheap in a production environment where the flags
- // file does not exist, so this is no performance concern.
- void ReloadDebugFlags();
-
// Maps the account id key ("a-" + user object GUID) to sAMAccountName.
std::unordered_map<std::string, std::string> user_id_name_map_;
std::unique_ptr<protos::ActiveDirectoryConfig> config_;
@@ -199,10 +192,6 @@
// Lookup for file paths, not owned.
const PathService* paths_;
- // Debug flags, loaded from Path::DEBUG_FLAGS.
- protos::DebugFlags flags_;
- AuthPolicyFlags::DefaultLevel flags_default_level_ = AuthPolicyFlags::kQuiet;
-
// Helper to setup and run minijailed processes.
JailHelper jail_helper_;
diff --git a/authpolicy/tgt_manager.cc b/authpolicy/tgt_manager.cc
index 7f2618a..370df33 100644
--- a/authpolicy/tgt_manager.cc
+++ b/authpolicy/tgt_manager.cc
@@ -12,7 +12,6 @@
#include <base/strings/stringprintf.h>
#include <base/threading/platform_thread.h>
-#include "authpolicy/authpolicy_flags.h"
#include "authpolicy/authpolicy_metrics.h"
#include "authpolicy/constants.h"
#include "authpolicy/jail_helper.h"
@@ -188,14 +187,12 @@
TgtManager::TgtManager(scoped_refptr<base::SingleThreadTaskRunner> task_runner,
const PathService* path_service,
AuthPolicyMetrics* metrics,
- const protos::DebugFlags* flags,
const JailHelper* jail_helper,
Path config_path,
Path credential_cache_path)
: task_runner_(task_runner),
paths_(path_service),
metrics_(metrics),
- flags_(flags),
jail_helper_(jail_helper),
config_path_(config_path),
credential_cache_path_(credential_cache_path) {}
@@ -319,9 +316,8 @@
// Parse the output to find the lifetime. Enclose in a sandbox for security
// considerations.
- ProcessExecutor parse_cmd({paths_->Get(Path::PARSER),
- kCmdParseTgtLifetime,
- SerializeFlags(*flags_)});
+ ProcessExecutor parse_cmd(
+ {paths_->Get(Path::PARSER), kCmdParseTgtLifetime});
parse_cmd.SetInputString(klist_cmd.GetStdout());
if (!jail_helper_->SetupJailAndRun(
&parse_cmd, Path::PARSER_SECCOMP, TIMER_NONE)) {
@@ -393,7 +389,7 @@
}
void TgtManager::SetupKinitTrace(ProcessExecutor* kinit_cmd) const {
- if (!flags_->trace_kinit())
+ if (!trace_kinit_)
return;
const std::string& trace_path = paths_->Get(Path::KRB5_TRACE);
{
@@ -407,17 +403,16 @@
}
void TgtManager::OutputKinitTrace() const {
- if (!flags_->trace_kinit())
+ if (!trace_kinit_)
return;
const std::string& trace_path = paths_->Get(Path::KRB5_TRACE);
std::string trace;
{
// Read kinit trace file (must be done as authpolicyd-exec).
ScopedSwitchToSavedUid switch_scope;
- if (!base::ReadFileToString(base::FilePath(trace_path), &trace))
- trace = "<failed to read>";
+ base::ReadFileToString(base::FilePath(trace_path), &trace);
}
- LogLongString("Kinit trace: ", trace);
+ LOG(INFO) << "Kinit trace:\n" << trace;
}
void TgtManager::UpdateTgtAutoRenewal() {
diff --git a/authpolicy/tgt_manager.h b/authpolicy/tgt_manager.h
index 2abf591..d184658 100644
--- a/authpolicy/tgt_manager.h
+++ b/authpolicy/tgt_manager.h
@@ -18,7 +18,6 @@
namespace protos {
class TgtLifetime;
-class DebugFlags;
} // namespace protos
class AuthPolicyMetrics;
@@ -35,7 +34,6 @@
TgtManager(scoped_refptr<base::SingleThreadTaskRunner> task_runner,
const PathService* path_service,
AuthPolicyMetrics* metrics,
- const protos::DebugFlags* flags,
const JailHelper* jail_helper,
Path config_path,
Path credential_cache_path);
@@ -78,6 +76,9 @@
// Returns the lifetime of a TGT.
ErrorType GetTgtLifetime(protos::TgtLifetime* lifetime);
+ // Toggles debug logging.
+ void SetKinitTraceEnabled(bool enabled) { trace_kinit_ = enabled; }
+
// Returns the file path of the Kerberos configuration file.
Path GetConfigPath() const { return config_path_; }
@@ -97,10 +98,10 @@
// Writes the krb5 configuration file.
ErrorType WriteKrb5Conf() const;
- // Turns on kinit trace logging if |flags_->TraceKinit()| is enabled.
+ // Turns on kinit trace logging if |trace_kinit_| is enabled.
void SetupKinitTrace(ProcessExecutor* kinit_cmd) const;
- // Logs the kinit trace if |flags_->TraceKinit()| is enabled.
+ // Logs the kinit trace if |trace_kinit_| is enabled.
void OutputKinitTrace() const;
// Cancels |tgt_renewal_callback_|. If |tgt_autorenewal_enabled_| is true and
@@ -113,12 +114,12 @@
void AutoRenewTgt();
scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
- const PathService* paths_ = nullptr; // File paths, not owned.
- AuthPolicyMetrics* metrics_ = nullptr; // UMA statistics, not owned.
- const protos::DebugFlags* flags_ = nullptr; // Debug flags, not owned.
- const JailHelper* jail_helper_ = nullptr; // Minijail related, not owned.
+ const PathService* paths_ = nullptr; // File paths, not owned.
+ AuthPolicyMetrics* metrics_ = nullptr; // UMA statistics, not owned.
+ const JailHelper* jail_helper_ = nullptr; // Minijail related, not owned.
Path config_path_ = Path::INVALID;
Path credential_cache_path_ = Path::INVALID;
+ bool trace_kinit_ = false;
// Realm and key distribution center (KDC) IP address written to the Kerberos
// configuration file. |kdc_ip_| is optional, if empty, it is not written.
