varlink: avoid logging content of message if it contains sensitive data

This is important now that creds are sent via varlink systemd-creds[463]: varlink-3: Sending message: {"parameters":{"data":"Zm9vYmFyCg=="}} systemd-creds[462]: varlink-3: New incoming message: {"method":"io.systemd.Credentials.Encrypt","parameters":{"data":"Zm9vYmFyCg=="}}
2026-04-15 00:47:10 +09:00 · 2023-12-22 01:57:39 +01:00
parent fa9a6db478
commit 2e3414660c
1 changed files with 8 additions and 7 deletions
--- a/src/shared/varlink.c
+++ b/src/shared/varlink.c
@@ -961,10 +961,6 @@ static int varlink_parse_message(Varlink *v) {

        sz = e - begin + 1;

-        varlink_log(v, "New incoming message: %s", begin); /* FIXME: should we output the whole message here before validation?
-                                                            * This may produce a non-printable journal entry if the message
-                                                            * is invalid. We may also expose privileged information. */
-
        r = json_parse(begin, 0, &v->current, NULL, NULL);
        if (r < 0) {
                /* If we encounter a parse failure flush all data. We cannot possibly recover from this,
@@ -1768,12 +1764,17 @@ Varlink* varlink_flush_close_unref(Varlink *v) {

 static int varlink_format_json(Varlink *v, JsonVariant *m) {
        _cleanup_(erase_and_freep) char *text = NULL;
+        bool sensitive = false;
        int r;

        assert(v);
        assert(m);

-        r = json_variant_format(m, 0, &text);
+        r = json_variant_format(m, JSON_FORMAT_REFUSE_SENSITIVE, &text);
+        if (r == -EPERM) {
+                sensitive = true;
+                r = json_variant_format(m, /* flags= */ 0, &text);
+        }
        if (r < 0)
                return r;
        assert(text[r] == '\0');
@@ -1781,7 +1782,7 @@ static int varlink_format_json(Varlink *v, JsonVariant *m) {
        if (v->output_buffer_size + r + 1 > VARLINK_BUFFER_MAX)
                return -ENOBUFS;

-        varlink_log(v, "Sending message: %s", text);
+        varlink_log(v, "Sending message: %s", sensitive ? "<sensitive data>" : text);

        if (v->output_buffer_size == 0) {

@@ -1812,7 +1813,7 @@ static int varlink_format_json(Varlink *v, JsonVariant *m) {
                v->output_buffer_index = 0;
        }

-        if (json_variant_is_sensitive(m))
+        if (sensitive)
                v->output_buffer_sensitive = true; /* Propagate sensitive flag */
        else
                text = mfree(text); /* No point in the erase_and_free() destructor declared above */