William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2012, Samsung Telecommunications of America |
| 3 | * Copyright (C) 2014 The Android Open Source Project |
| 4 | * |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | * |
| 17 | * Written by William Roberts <w.roberts@sta.samsung.com> |
| 18 | * |
| 19 | */ |
| 20 | |
| 21 | #include <errno.h> |
| 22 | #include <string.h> |
| 23 | #include <unistd.h> |
| 24 | |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 25 | #include "libaudit.h" |
| 26 | |
| 27 | /** |
| 28 | * Waits for an ack from the kernel |
| 29 | * @param fd |
| 30 | * The netlink socket fd |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 31 | * @return |
| 32 | * This function returns 0 on success, else -errno. |
| 33 | */ |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 34 | static int get_ack(int fd) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 35 | int rc; |
| 36 | struct audit_message rep; |
| 37 | |
| 38 | /* Sanity check, this is an internal interface this shouldn't happen */ |
| 39 | if (fd < 0) { |
| 40 | return -EINVAL; |
| 41 | } |
| 42 | |
| 43 | rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK); |
| 44 | if (rc < 0) { |
| 45 | return rc; |
| 46 | } |
| 47 | |
| 48 | if (rep.nlh.nlmsg_type == NLMSG_ERROR) { |
| 49 | audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0); |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 50 | rc = ((struct nlmsgerr*)rep.data)->error; |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 51 | if (rc) { |
| 52 | return -rc; |
| 53 | } |
| 54 | } |
| 55 | |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 56 | return 0; |
| 57 | } |
| 58 | |
| 59 | /** |
| 60 | * |
| 61 | * @param fd |
| 62 | * The netlink socket fd |
| 63 | * @param type |
| 64 | * The type of netlink message |
| 65 | * @param data |
| 66 | * The data to send |
| 67 | * @param size |
| 68 | * The length of the data in bytes |
| 69 | * @return |
| 70 | * This function returns a positive sequence number on success, else -errno. |
| 71 | */ |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 72 | static int audit_send(int fd, int type, const void* data, size_t size) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 73 | int rc; |
| 74 | static int16_t sequence = 0; |
| 75 | struct audit_message req; |
| 76 | struct sockaddr_nl addr; |
| 77 | |
| 78 | memset(&req, 0, sizeof(req)); |
| 79 | memset(&addr, 0, sizeof(addr)); |
| 80 | |
| 81 | /* We always send netlink messaged */ |
| 82 | addr.nl_family = AF_NETLINK; |
| 83 | |
| 84 | /* Set up the netlink headers */ |
| 85 | req.nlh.nlmsg_type = type; |
| 86 | req.nlh.nlmsg_len = NLMSG_SPACE(size); |
| 87 | req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
| 88 | |
| 89 | /* |
| 90 | * Check for a valid fd, even though sendto would catch this, its easier |
| 91 | * to always blindly increment the sequence number |
| 92 | */ |
| 93 | if (fd < 0) { |
| 94 | return -EBADF; |
| 95 | } |
| 96 | |
| 97 | /* Ensure the message is not too big */ |
| 98 | if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 99 | return -EINVAL; |
| 100 | } |
| 101 | |
| 102 | /* Only memcpy in the data if it was specified */ |
| 103 | if (size && data) { |
| 104 | memcpy(NLMSG_DATA(&req.nlh), data, size); |
| 105 | } |
| 106 | |
| 107 | /* |
| 108 | * Only increment the sequence number on a guarantee |
| 109 | * you will send it to the kernel. |
| 110 | * |
| 111 | * Also, the sequence is defined as a u32 in the kernel |
| 112 | * struct. Using an int here might not work on 32/64 bit splits. A |
| 113 | * signed 64 bit value can overflow a u32..but a u32 |
| 114 | * might not fit in the response, so we need to use s32. |
| 115 | * Which is still kind of hackish since int could be 16 bits |
| 116 | * in size. The only safe type to use here is a signed 16 |
| 117 | * bit value. |
| 118 | */ |
| 119 | req.nlh.nlmsg_seq = ++sequence; |
| 120 | |
| 121 | /* While failing and its due to interrupts */ |
| 122 | |
| 123 | rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0, |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 124 | (struct sockaddr*)&addr, sizeof(addr))); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 125 | |
| 126 | /* Not all the bytes were sent */ |
| 127 | if (rc < 0) { |
| 128 | rc = -errno; |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 129 | goto out; |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 130 | } else if ((uint32_t)rc != req.nlh.nlmsg_len) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 131 | rc = -EPROTO; |
| 132 | goto out; |
| 133 | } |
| 134 | |
| 135 | /* We sent all the bytes, get the ack */ |
Mark Salyzyn | cfd5b08 | 2016-10-17 14:28:00 -0700 | [diff] [blame] | 136 | rc = get_ack(fd); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 137 | |
| 138 | /* If the ack failed, return the error, else return the sequence number */ |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 139 | rc = (rc == 0) ? (int)sequence : rc; |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 140 | |
| 141 | out: |
| 142 | /* Don't let sequence roll to negative */ |
| 143 | if (sequence < 0) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 144 | sequence = 0; |
| 145 | } |
| 146 | |
| 147 | return rc; |
| 148 | } |
| 149 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 150 | int audit_setup(int fd, pid_t pid) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 151 | int rc; |
| 152 | struct audit_message rep; |
| 153 | struct audit_status status; |
| 154 | |
| 155 | memset(&status, 0, sizeof(status)); |
| 156 | |
| 157 | /* |
| 158 | * In order to set the auditd PID we send an audit message over the netlink |
| 159 | * socket with the pid field of the status struct set to our current pid, |
| 160 | * and the the mask set to AUDIT_STATUS_PID |
| 161 | */ |
| 162 | status.pid = pid; |
Jeff Vander Stoep | 54c7a5f | 2018-01-03 11:04:26 -0800 | [diff] [blame^] | 163 | status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT; |
| 164 | status.rate_limit = AUDIT_RATE_LIMIT; /* audit entries per second */ |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 165 | |
| 166 | /* Let the kernel know this pid will be registering for audit events */ |
| 167 | rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); |
| 168 | if (rc < 0) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 169 | return rc; |
| 170 | } |
| 171 | |
| 172 | /* |
| 173 | * In a request where we need to wait for a response, wait for the message |
| 174 | * and discard it. This message confirms and sync's us with the kernel. |
Nick Kralevich | c234a1b | 2014-11-19 13:33:22 -0800 | [diff] [blame] | 175 | * This daemon is now registered as the audit logger. |
| 176 | * |
| 177 | * TODO |
| 178 | * If the daemon dies and restarts the message didn't come back, |
| 179 | * so I went to non-blocking and it seemed to fix the bug. |
| 180 | * Need to investigate further. |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 181 | */ |
Nick Kralevich | c234a1b | 2014-11-19 13:33:22 -0800 | [diff] [blame] | 182 | audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 183 | |
| 184 | return 0; |
| 185 | } |
| 186 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 187 | int audit_open() { |
Nick Kralevich | c234a1b | 2014-11-19 13:33:22 -0800 | [diff] [blame] | 188 | return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 189 | } |
| 190 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 191 | int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 192 | ssize_t len; |
| 193 | int flags; |
| 194 | int rc = 0; |
| 195 | |
| 196 | struct sockaddr_nl nladdr; |
| 197 | socklen_t nladdrlen = sizeof(nladdr); |
| 198 | |
| 199 | if (fd < 0) { |
| 200 | return -EBADF; |
| 201 | } |
| 202 | |
| 203 | /* Set up the flags for recv from */ |
| 204 | flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0; |
| 205 | flags |= peek; |
| 206 | |
| 207 | /* |
| 208 | * Get the data from the netlink socket but on error we need to be carefull, |
| 209 | * the interface shows that EINTR can never be returned, other errors, |
| 210 | * however, can be returned. |
| 211 | */ |
| 212 | len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags, |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 213 | (struct sockaddr*)&nladdr, &nladdrlen)); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 214 | |
| 215 | /* |
| 216 | * EAGAIN should be re-tried until success or another error manifests. |
| 217 | */ |
| 218 | if (len < 0) { |
| 219 | rc = -errno; |
| 220 | if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) { |
| 221 | /* If request is non blocking and errno is EAGAIN, just return 0 */ |
| 222 | return 0; |
| 223 | } |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 224 | return rc; |
| 225 | } |
| 226 | |
| 227 | if (nladdrlen != sizeof(nladdr)) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 228 | return -EPROTO; |
| 229 | } |
| 230 | |
| 231 | /* Make sure the netlink message was not spoof'd */ |
| 232 | if (nladdr.nl_pid) { |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 233 | return -EINVAL; |
| 234 | } |
| 235 | |
| 236 | /* Check if the reply from the kernel was ok */ |
| 237 | if (!NLMSG_OK(&rep->nlh, (size_t)len)) { |
| 238 | rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE; |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 239 | } |
| 240 | |
| 241 | return rc; |
| 242 | } |
| 243 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 244 | void audit_close(int fd) { |
Mark Salyzyn | cfd5b08 | 2016-10-17 14:28:00 -0700 | [diff] [blame] | 245 | close(fd); |
William Roberts | 29d238d | 2013-02-08 09:45:26 +0900 | [diff] [blame] | 246 | } |