New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Partial fix for systemdunitproperty probe #1533
Conversation
The get_all_properties_by_unit_path is called only at single place. Callback is property_callback is used only at a single place. Therefore, it isn't necessary to use a callback, but we can transform it to a normal function call. Hopefully it will help code orientation.
All Unit objects implement the generic org.freedesktop.systemd1.Unit interface. But, depending on the unit type they also implement one unit-type-specific interface. The list of unit types and interfaces can be found at: https://www.freedesktop.org/wiki/Software/systemd/dbus/ We will decide which interface to query based on the second part of the unit name (after the dot).
The byte can represent an invalid character which isn't UTF-8. That can cause creating invalid result XMLs.
This is consistent with `systemctl show` because `systemctl show` displays bool values as `yes` or `no`.
First of all, the definition from OVAL is absurd: ...For more information see the output generated by systemctl show $unit.... There is no information about what version of Anyhow, the OVAL asks us to, mm-hmm, look at Other way around it might be in fixing the OVAL definition to declare exactly how DBus signatures should be interpreted by the probe. And how the probe should handle container types (nested structures). Most of the tests in OVAL just forbid querying for containers (save simple arrays of scalars). My opinions in case we would want to do exactly what definition requires us to do:
It might help if we could answer this question: 'the output generated by systemctl show $unit' is all strings or there are some actual types to work with? In reality, I would say that we should: keep 1), replace comma with semicolon in 2), don't add description and return We will be the only users of that probe, we will know what the OVAL entities would mean. |
@evgenyz Thanks for excellent analysis. It seems that at the moment when the specification was created the systemd didn't use the complex types and the approved specification was good enough, but unfortunately, it evolved. I agree with your proposal, it's the cheapest thing that we can do at this moment. |
DBus variant type is handled by the previous branch.
How about proposing an update for this test? We could use record/field result as in |
Yes, we could. |
This is an attempt to fix systemdunitproperty probe. This probe produces incomplete results. Some unit properties are not collected at all. The results are inconsistent with
systemctl show <unit>
command. It is reported in https://bugzilla.redhat.com/show_bug.cgi?id=1819773. This PR somehow improves the situation, but it doesn't make the results on par withsystemctl show
output.I have identified 4 main problems in the probe:
All systemd unit objects implement the generic
org.freedesktop.systemd1.Unit
interface. But, depending on the unit type they also implement one unit-type-specific interface. For example, services implementorg.freedesktop.systemd1.Unit
andorg.freedesktop.systemd1.Service
interface. More on that on https://www.freedesktop.org/wiki/Software/systemd/dbus/ where you can find all the interfaces for all systemd unit types. However, our probe queries only theorg.freedesktop.systemd1.Unit
interface, which means that properties specific only for a certain unit type are not retrieved.The code that converts the received dbus messages (function
dbus_value_to_string
) doesn't account for container types and complex types, s.a. structures or nested arrays. But some unit properties that are useful are complex. For example,ExecStart
service property has a dbus signaturea(sasbttttuii)
which means it's an array of structures where each structure contain string, array, string, boolean, 4 64-bit unsigned integers, 1 32-bit unsigned integer and 2 32-bit unsigned integers. The dbus spec https://dbus.freedesktop.org/doc/dbus-specification.html has a lot of data types. If our code can't process them it skips the property and the property doesn't appear in results.Our probe gets "raw' data from dbus and populate them into OVAL items directly, without any processing, because it doesn't know anything about their meaning. That's a difference from
systemctl show
command that analyzes data from dbus and knows their meaning. In the aforementioned example ofExecStart
service property, thesystemctl show
command when it recieves the aforementioned array of structures, it knows which member of structure means what, so it can add descriptions for the data. Then, it looks like this:ExecStart={ path=/sbin/auditd ; argv[]=/sbin/auditd ; ignore_errors=no ; start_time=[Wed 2020-05-20 06:55:41 CEST] ; stop_time=[Wed 2020-05-20 06:55:41 CEST] ; pid=3319 ; code=exited ; status=0 }
This is possible because systemctl has a special code for presenting values of this property nicely instead of bumping raw data from dbus. For example here: https://github.com/systemd/systemd/blob/766507972b2e8ae1616a6db39231e19e4663f873/src/systemctl/systemctl.c#L5061We don't care about special values - infinity, undefined, timestamps and we collect them in raw form as they are retreived from dbus.
I tried to address ad:
We can easily query also the type-specific interface. I have added a code that detects the unit type and then calls
GetAll
on both Unit and type-specific interface.I have extended the code in
dbus_value_to_string
to recurse into container types. I'm not sure how to transform them tovalue
elements because we don't have nested structures within OVAL items. So at this moment it keeps using the original mechanism of creating a single string of comma separated items, which means flattening of the structures. Hopefully that's acceptable.I haven't fixed this and I have no idea how to fix that without having specific code and hard-coded values for many properties. That would effectively be copying a lot of code from systemd and in turn terrible to maintain.
I have only changed the boolean values format to be consistent with systemctl. We use "true" and "false" but
systemctl
displays it as "yes" and "no". Other things are harder. For example, you have to know the meaning of the property that a property is a timestamp, because there isn't a dedicated signature for timestamps and it's all integers.For more details please see the commit message of each commit and comments in code.
Any thoughts?