From fa65cf8e7b7bed8e3b1f2800fed953401bfc8822 Mon Sep 17 00:00:00 2001 From: themylogin Date: Mon, 16 Dec 2024 13:31:21 +0100 Subject: [PATCH] Do not log private method calls initialized by systemd --- src/freenas/usr/local/sbin/hactl | 2 +- .../api/base/server/ws_handler/rpc.py | 15 +++++++++++++-- src/middlewared/middlewared/utils/origin.py | 16 ++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/freenas/usr/local/sbin/hactl b/src/freenas/usr/local/sbin/hactl index 8856d10bfd824..0ebdb5405027c 100755 --- a/src/freenas/usr/local/sbin/hactl +++ b/src/freenas/usr/local/sbin/hactl @@ -26,7 +26,7 @@ class StatusEnum(enum.Enum): def get_client(): try: - return Client() + return Client(private_methods=True) except Exception as e: print_msg_and_exit(f'Unexpected failure enumerating websocket client: {e}') diff --git a/src/middlewared/middlewared/api/base/server/ws_handler/rpc.py b/src/middlewared/middlewared/api/base/server/ws_handler/rpc.py index a4540c35d425e..f7c18d82dceca 100644 --- a/src/middlewared/middlewared/api/base/server/ws_handler/rpc.py +++ b/src/middlewared/middlewared/api/base/server/ws_handler/rpc.py @@ -273,13 +273,24 @@ async def process_message(self, app: RpcWebSocketApp, message: Any): if method is None: app.send_error(id_, JSONRPCError.METHOD_NOT_FOUND.value, "Method does not exist") return - if not app.private_methods and method.private: + if not app.private_methods and method.private and not self._can_call_private_methods(app): # FIXME: Eventually, prohibit this - self.middleware.logger.warning("Private method %r called on a connection without private_methods " + self.middleware.logger.warning("Private method %r called on a connection without private_methods " "enabled", method.name) asyncio.ensure_future(self.process_method_call(app, id_, method, message.get("params", []))) + def _can_call_private_methods(self, app: RpcWebSocketApp): + if app.origin.uid == 33: + # Proxied HexOS calls + return False + + if app.origin.loginuid() is None: + # System-initiated calls to `midclt` + return True + + return False + async def process_method_call(self, app: RpcWebSocketApp, id_: Any, method: Method, params: list): try: async with app.softhardsemaphore: diff --git a/src/middlewared/middlewared/utils/origin.py b/src/middlewared/middlewared/utils/origin.py index dbe039318d0a2..8ccaeb7eb91ef 100644 --- a/src/middlewared/middlewared/utils/origin.py +++ b/src/middlewared/middlewared/utils/origin.py @@ -1,4 +1,5 @@ from dataclasses import dataclass +from functools import cached_property from socket import AF_INET, AF_INET6, AF_UNIX, SO_PEERCRED, SOL_SOCKET from struct import calcsize, unpack @@ -97,6 +98,21 @@ def is_ha_connection(self) -> bool: self.rem_addr and self.rem_addr in HA_HEARTBEAT_IPS ) + def loginuid(self) -> int | None: + if self.pid is None: + return None + + try: + with open(f"/proc/{self.pid}/loginuid") as f: + loginuid = int(f.read()) + except (FileNotFoundError, ValueError): + return None + + if loginuid == 4294967295: + return None + + return loginuid + def get_tcp_ip_info(sock, request) -> tuple: # All API connections are terminated by nginx reverse