blob: 92d957fb1b9478b09f0f37f01afdc343b9e21643 [file] [log] [blame]
William Roberts29d238d2013-02-08 09:45:26 +09001/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <ctype.h>
Mark Salyzyn29eb5702015-03-03 16:21:27 -080018#include <endian.h>
William Roberts29d238d2013-02-08 09:45:26 +090019#include <errno.h>
Mark Salyzyne0fa2912014-04-28 16:39:04 -070020#include <limits.h>
William Roberts29d238d2013-02-08 09:45:26 +090021#include <stdarg.h>
22#include <stdlib.h>
Mark Salyzyn317bfb92016-02-23 08:55:43 -080023#include <string.h>
Mark Salyzyn8daa9af2014-04-28 14:07:23 -070024#include <sys/prctl.h>
Mark Salyzyne9bebd02014-04-03 09:55:26 -070025#include <sys/uio.h>
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -070026#include <syslog.h>
William Roberts29d238d2013-02-08 09:45:26 +090027
Mark Salyzync8d31942016-11-03 10:29:23 -070028#include <android-base/macros.h>
Mark Salyzyne3aeeee2015-03-17 07:56:32 -070029#include <private/android_filesystem_config.h>
Mark Salyzyn29eb5702015-03-03 16:21:27 -080030#include <private/android_logger.h>
31
William Roberts29d238d2013-02-08 09:45:26 +090032#include "libaudit.h"
33#include "LogAudit.h"
Mark Salyzyn317bfb92016-02-23 08:55:43 -080034#include "LogBuffer.h"
Mark Salyzynae4d9282014-10-15 08:49:39 -070035#include "LogKlog.h"
Mark Salyzyn317bfb92016-02-23 08:55:43 -080036#include "LogReader.h"
Mark Salyzyna2c02222016-12-13 10:31:29 -080037#include "LogUtils.h"
William Roberts29d238d2013-02-08 09:45:26 +090038
Mark Salyzynccbadc62015-03-12 12:25:35 -070039#define KMSG_PRIORITY(PRI) \
40 '<', \
41 '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \
42 '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) % 10, \
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -070043 '>'
44
Mark Salyzyn77187782015-05-12 15:21:31 -070045LogAudit::LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg) :
Mark Salyzyn247d6822017-01-03 14:00:19 -080046 SocketListener(mSock = getLogSocket(), false),
Mark Salyzyn77187782015-05-12 15:21:31 -070047 logbuf(buf),
48 reader(reader),
49 fdDmesg(fdDmesg),
Mark Salyzynce80da32016-12-29 15:16:06 -080050 main(__android_logger_property_get_bool("ro.logd.auditd.main",
51 BOOL_DEFAULT_TRUE)),
52 events(__android_logger_property_get_bool("ro.logd.auditd.events",
53 BOOL_DEFAULT_TRUE)),
Mark Salyzyn247d6822017-01-03 14:00:19 -080054 initialized(false),
55 tooFast(false) {
Sami Tolvanena742d102016-06-14 18:04:43 +000056 static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO),
57 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
58 ' ', 's', 't', 'a', 'r', 't', '\n' };
59 write(fdDmesg, auditd_message, sizeof(auditd_message));
William Roberts29d238d2013-02-08 09:45:26 +090060}
61
Mark Salyzyn247d6822017-01-03 14:00:19 -080062void LogAudit::checkRateLimit() {
63
64 // trim list for AUDIT_RATE_LIMIT_BURST_DURATION of history
65 log_time oldest(AUDIT_RATE_LIMIT_BURST_DURATION, 0);
66 bucket.emplace(android_log_clockid());
67 oldest = bucket.back() - oldest;
68 while (bucket.front() < oldest) bucket.pop();
69
70 static const size_t upperThreshold =
71 ((AUDIT_RATE_LIMIT_BURST_DURATION *
72 (AUDIT_RATE_LIMIT_DEFAULT + AUDIT_RATE_LIMIT_MAX)) + 1) /
73 2;
74 if (bucket.size() >= upperThreshold) {
75 // Hit peak, slow down source
76 if (!tooFast) {
77 tooFast = true;
78 audit_rate_limit(mSock, AUDIT_RATE_LIMIT_MAX);
79 }
80
81 // We do not need to hold on to the full set of timing data history,
82 // let's ensure it does not grow without bounds. This also ensures
83 // that std::dequeue underneath behaves almost like a ring buffer.
84 do {
85 bucket.pop();
86 } while (bucket.size() >= upperThreshold);
87 return;
88 }
89
90 if (!tooFast) return;
91
92 static const size_t lowerThreshold = AUDIT_RATE_LIMIT_BURST_DURATION *
93 AUDIT_RATE_LIMIT_MAX;
94
95 if (bucket.size() >= lowerThreshold) return;
96
97 tooFast = false;
98 // Went below max sustained rate, allow source to speed up
99 audit_rate_limit(mSock, AUDIT_RATE_LIMIT_DEFAULT);
100}
101
William Roberts29d238d2013-02-08 09:45:26 +0900102bool LogAudit::onDataAvailable(SocketClient *cli) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700103 if (!initialized) {
104 prctl(PR_SET_NAME, "logd.auditd");
105 initialized = true;
106 }
Mark Salyzyn8daa9af2014-04-28 14:07:23 -0700107
Mark Salyzyn247d6822017-01-03 14:00:19 -0800108 checkRateLimit();
109
William Roberts29d238d2013-02-08 09:45:26 +0900110 struct audit_message rep;
111
Mark Salyzyne0fa2912014-04-28 16:39:04 -0700112 rep.nlh.nlmsg_type = 0;
113 rep.nlh.nlmsg_len = 0;
114 rep.data[0] = '\0';
115
William Roberts29d238d2013-02-08 09:45:26 +0900116 if (audit_get_reply(cli->getSocket(), &rep, GET_REPLY_BLOCKING, 0) < 0) {
117 SLOGE("Failed on audit_get_reply with error: %s", strerror(errno));
118 return false;
119 }
120
Mark Salyzyn247d6822017-01-03 14:00:19 -0800121 logPrint("type=%d %.*s", rep.nlh.nlmsg_type, rep.nlh.nlmsg_len, rep.data);
William Roberts29d238d2013-02-08 09:45:26 +0900122
123 return true;
124}
125
William Roberts29d238d2013-02-08 09:45:26 +0900126int LogAudit::logPrint(const char *fmt, ...) {
127 if (fmt == NULL) {
128 return -EINVAL;
129 }
130
131 va_list args;
132
133 char *str = NULL;
134 va_start(args, fmt);
135 int rc = vasprintf(&str, fmt, args);
136 va_end(args);
137
138 if (rc < 0) {
139 return rc;
140 }
141
Mark Salyzyne4369d62014-05-27 10:06:34 -0700142 char *cp;
Nick Kralevich2e588672017-01-03 10:35:34 -0800143 // Work around kernels missing
144 // https://github.com/torvalds/linux/commit/b8f89caafeb55fba75b74bea25adc4e4cd91be67
145 // Such kernels improperly add newlines inside audit messages.
146 while ((cp = strchr(str, '\n'))) {
147 *cp = ' ';
148 }
149
Mark Salyzyne4369d62014-05-27 10:06:34 -0700150 while ((cp = strstr(str, " "))) {
151 memmove(cp, cp + 1, strlen(cp + 1) + 1);
152 }
153
Sami Tolvanena742d102016-06-14 18:04:43 +0000154 bool info = strstr(str, " permissive=1") || strstr(str, " policy loaded ");
Mark Salyzyneb06de72014-10-13 09:59:37 -0700155 if ((fdDmesg >= 0) && initialized) {
Mark Salyzyn6bdeee02014-09-19 11:59:42 -0700156 struct iovec iov[3];
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -0700157 static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
158 static const char log_warning[] = { KMSG_PRIORITY(LOG_WARNING) };
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700159 static const char newline[] = "\n";
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700160
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700161 // Dedupe messages, checking for identical messages starting with avc:
162 static unsigned count;
163 static char *last_str;
164 static bool last_info;
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700165
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700166 if (last_str != NULL) {
167 static const char avc[] = "): avc: ";
168 char *avcl = strstr(last_str, avc);
169 bool skip = false;
170
171 if (avcl) {
172 char *avcr = strstr(str, avc);
173
Mark Salyzyna2c02222016-12-13 10:31:29 -0800174 skip = avcr && !fastcmp<strcmp>(avcl + strlen(avc),
175 avcr + strlen(avc));
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700176 if (skip) {
177 ++count;
178 free(last_str);
179 last_str = strdup(str);
180 last_info = info;
181 }
182 }
183 if (!skip) {
184 static const char resume[] = " duplicate messages suppressed\n";
185
186 iov[0].iov_base = last_info ?
187 const_cast<char *>(log_info) :
188 const_cast<char *>(log_warning);
189 iov[0].iov_len = last_info ?
190 sizeof(log_info) :
191 sizeof(log_warning);
192 iov[1].iov_base = last_str;
193 iov[1].iov_len = strlen(last_str);
194 if (count > 1) {
195 iov[2].iov_base = const_cast<char *>(resume);
196 iov[2].iov_len = strlen(resume);
197 } else {
198 iov[2].iov_base = const_cast<char *>(newline);
199 iov[2].iov_len = strlen(newline);
200 }
201
Mark Salyzync8d31942016-11-03 10:29:23 -0700202 writev(fdDmesg, iov, arraysize(iov));
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700203 free(last_str);
204 last_str = NULL;
205 }
206 }
207 if (last_str == NULL) {
208 count = 0;
209 last_str = strdup(str);
210 last_info = info;
211 }
212 if (count == 0) {
213 iov[0].iov_base = info ?
214 const_cast<char *>(log_info) :
215 const_cast<char *>(log_warning);
216 iov[0].iov_len = info ?
217 sizeof(log_info) :
218 sizeof(log_warning);
219 iov[1].iov_base = str;
220 iov[1].iov_len = strlen(str);
221 iov[2].iov_base = const_cast<char *>(newline);
222 iov[2].iov_len = strlen(newline);
223
Mark Salyzync8d31942016-11-03 10:29:23 -0700224 writev(fdDmesg, iov, arraysize(iov));
Mark Salyzyn4d205f82016-07-15 15:45:58 -0700225 }
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700226 }
227
Mark Salyzynce80da32016-12-29 15:16:06 -0800228 if (!main && !events) {
229 free(str);
230 return 0;
231 }
232
William Roberts29d238d2013-02-08 09:45:26 +0900233 pid_t pid = getpid();
234 pid_t tid = gettid();
Mark Salyzyne3aeeee2015-03-17 07:56:32 -0700235 uid_t uid = AID_LOGD;
William Roberts29d238d2013-02-08 09:45:26 +0900236 log_time now;
237
238 static const char audit_str[] = " audit(";
239 char *timeptr = strstr(str, audit_str);
William Roberts29d238d2013-02-08 09:45:26 +0900240 if (timeptr
241 && ((cp = now.strptime(timeptr + sizeof(audit_str) - 1, "%s.%q")))
242 && (*cp == ':')) {
243 memcpy(timeptr + sizeof(audit_str) - 1, "0.0", 3);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700244 memmove(timeptr + sizeof(audit_str) - 1 + 3, cp, strlen(cp) + 1);
Mark Salyzynb6bee332015-09-08 08:56:32 -0700245 if (!isMonotonic()) {
246 if (android::isMonotonic(now)) {
247 LogKlog::convertMonotonicToReal(now);
248 }
249 } else {
250 if (!android::isMonotonic(now)) {
251 LogKlog::convertRealToMonotonic(now);
252 }
Mark Salyzynae4d9282014-10-15 08:49:39 -0700253 }
Mark Salyzynb6bee332015-09-08 08:56:32 -0700254 } else if (isMonotonic()) {
255 now = log_time(CLOCK_MONOTONIC);
William Roberts29d238d2013-02-08 09:45:26 +0900256 } else {
Mark Salyzynb6bee332015-09-08 08:56:32 -0700257 now = log_time(CLOCK_REALTIME);
William Roberts29d238d2013-02-08 09:45:26 +0900258 }
259
260 static const char pid_str[] = " pid=";
261 char *pidptr = strstr(str, pid_str);
262 if (pidptr && isdigit(pidptr[sizeof(pid_str) - 1])) {
263 cp = pidptr + sizeof(pid_str) - 1;
264 pid = 0;
265 while (isdigit(*cp)) {
266 pid = (pid * 10) + (*cp - '0');
267 ++cp;
268 }
269 tid = pid;
Mark Salyzyned777e92015-06-24 16:22:54 -0700270 logbuf->lock();
William Roberts29d238d2013-02-08 09:45:26 +0900271 uid = logbuf->pidToUid(pid);
Mark Salyzyned777e92015-06-24 16:22:54 -0700272 logbuf->unlock();
Mark Salyzyne4369d62014-05-27 10:06:34 -0700273 memmove(pidptr, cp, strlen(cp) + 1);
William Roberts29d238d2013-02-08 09:45:26 +0900274 }
275
Mark Salyzyne4369d62014-05-27 10:06:34 -0700276 // log to events
277
Mark Salyzynddda2122015-10-02 09:22:52 -0700278 size_t l = strnlen(str, LOGGER_ENTRY_MAX_PAYLOAD);
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800279 size_t n = l + sizeof(android_log_event_string_t);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700280
281 bool notify = false;
William Roberts29d238d2013-02-08 09:45:26 +0900282
Mark Salyzynce80da32016-12-29 15:16:06 -0800283 if (events) { // begin scope for event buffer
Mark Salyzynddda2122015-10-02 09:22:52 -0700284 uint32_t buffer[(n + sizeof(uint32_t) - 1) / sizeof(uint32_t)];
285
286 android_log_event_string_t *event
287 = reinterpret_cast<android_log_event_string_t *>(buffer);
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800288 event->header.tag = htole32(AUDITD_LOG_TAG);
Nick Kralevich58ba58a2015-04-07 01:25:43 -0700289 event->type = EVENT_TYPE_STRING;
290 event->length = htole32(l);
291 memcpy(event->data, str, l);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700292
Mark Salyzyn202e1532015-02-09 08:21:05 -0800293 rc = logbuf->log(LOG_ID_EVENTS, now, uid, pid, tid,
294 reinterpret_cast<char *>(event),
295 (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
Mark Salyzyn202e1532015-02-09 08:21:05 -0800296 if (rc >= 0) {
297 notify = true;
298 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700299 // end scope for event buffer
William Roberts29d238d2013-02-08 09:45:26 +0900300 }
301
Mark Salyzyne4369d62014-05-27 10:06:34 -0700302 // log to main
303
304 static const char comm_str[] = " comm=\"";
305 const char *comm = strstr(str, comm_str);
306 const char *estr = str + strlen(str);
Mark Salyzyn758058f2015-08-21 16:44:30 -0700307 const char *commfree = NULL;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700308 if (comm) {
309 estr = comm;
310 comm += sizeof(comm_str) - 1;
311 } else if (pid == getpid()) {
312 pid = tid;
313 comm = "auditd";
Mark Salyzyned777e92015-06-24 16:22:54 -0700314 } else {
315 logbuf->lock();
316 comm = commfree = logbuf->pidToName(pid);
317 logbuf->unlock();
318 if (!comm) {
319 comm = "unknown";
320 }
Mark Salyzyne4369d62014-05-27 10:06:34 -0700321 }
322
323 const char *ecomm = strchr(comm, '"');
324 if (ecomm) {
325 ++ecomm;
326 l = ecomm - comm;
327 } else {
328 l = strlen(comm) + 1;
329 ecomm = "";
330 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700331 size_t b = estr - str;
332 if (b > LOGGER_ENTRY_MAX_PAYLOAD) {
333 b = LOGGER_ENTRY_MAX_PAYLOAD;
334 }
335 size_t e = strnlen(ecomm, LOGGER_ENTRY_MAX_PAYLOAD - b);
336 n = b + e + l + 2;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700337
Mark Salyzynce80da32016-12-29 15:16:06 -0800338 if (main) { // begin scope for main buffer
Mark Salyzynddda2122015-10-02 09:22:52 -0700339 char newstr[n];
340
Mark Salyzyn6bdeee02014-09-19 11:59:42 -0700341 *newstr = info ? ANDROID_LOG_INFO : ANDROID_LOG_WARN;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700342 strlcpy(newstr + 1, comm, l);
Mark Salyzynddda2122015-10-02 09:22:52 -0700343 strncpy(newstr + 1 + l, str, b);
344 strncpy(newstr + 1 + l + b, ecomm, e);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700345
Mark Salyzyn202e1532015-02-09 08:21:05 -0800346 rc = logbuf->log(LOG_ID_MAIN, now, uid, pid, tid, newstr,
347 (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700348
Mark Salyzyn202e1532015-02-09 08:21:05 -0800349 if (rc >= 0) {
350 notify = true;
351 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700352 // end scope for main buffer
Mark Salyzyne4369d62014-05-27 10:06:34 -0700353 }
354
Mark Salyzyn758058f2015-08-21 16:44:30 -0700355 free(const_cast<char *>(commfree));
William Roberts29d238d2013-02-08 09:45:26 +0900356 free(str);
357
Mark Salyzyne4369d62014-05-27 10:06:34 -0700358 if (notify) {
359 reader->notifyNewLog();
Mark Salyzyn202e1532015-02-09 08:21:05 -0800360 if (rc < 0) {
361 rc = n;
362 }
Mark Salyzyne4369d62014-05-27 10:06:34 -0700363 }
William Roberts29d238d2013-02-08 09:45:26 +0900364
365 return rc;
366}
367
Mark Salyzyn151beac2015-09-04 11:37:42 -0700368int LogAudit::log(char *buf, size_t len) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700369 char *audit = strstr(buf, " audit(");
Mark Salyzyn151beac2015-09-04 11:37:42 -0700370 if (!audit || (audit >= &buf[len])) {
Mark Salyzynae4d9282014-10-15 08:49:39 -0700371 return 0;
William Roberts29d238d2013-02-08 09:45:26 +0900372 }
373
Mark Salyzyneb06de72014-10-13 09:59:37 -0700374 *audit = '\0';
William Roberts29d238d2013-02-08 09:45:26 +0900375
Mark Salyzyneb06de72014-10-13 09:59:37 -0700376 int rc;
377 char *type = strstr(buf, "type=");
Mark Salyzyn151beac2015-09-04 11:37:42 -0700378 if (type && (type < &buf[len])) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700379 rc = logPrint("%s %s", type, audit + 1);
380 } else {
381 rc = logPrint("%s", audit + 1);
William Roberts29d238d2013-02-08 09:45:26 +0900382 }
Mark Salyzyneb06de72014-10-13 09:59:37 -0700383 *audit = ' ';
384 return rc;
William Roberts29d238d2013-02-08 09:45:26 +0900385}
386
387int LogAudit::getLogSocket() {
388 int fd = audit_open();
389 if (fd < 0) {
390 return fd;
391 }
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800392 if (audit_setup(fd, getpid()) < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900393 audit_close(fd);
394 fd = -1;
395 }
Mark Salyzyn247d6822017-01-03 14:00:19 -0800396 (void)audit_rate_limit(fd, AUDIT_RATE_LIMIT_DEFAULT);
William Roberts29d238d2013-02-08 09:45:26 +0900397 return fd;
398}