blob: 9d9a857422ad45734c25d57956f153a3bdc64e6b [file] [log] [blame]
William Roberts29d238d2013-02-08 09:45:26 +09001/*
2 * Copyright 2012, Samsung Telecommunications of America
3 * Copyright (C) 2014 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 * Written by William Roberts <w.roberts@sta.samsung.com>
18 *
19 */
20
21#include <errno.h>
22#include <string.h>
23#include <unistd.h>
24
William Roberts29d238d2013-02-08 09:45:26 +090025#include "libaudit.h"
26
27/**
28 * Waits for an ack from the kernel
29 * @param fd
30 * The netlink socket fd
William Roberts29d238d2013-02-08 09:45:26 +090031 * @return
32 * This function returns 0 on success, else -errno.
33 */
Mark Salyzyn501c3732017-03-10 14:31:54 -080034static int get_ack(int fd) {
William Roberts29d238d2013-02-08 09:45:26 +090035 int rc;
36 struct audit_message rep;
37
38 /* Sanity check, this is an internal interface this shouldn't happen */
39 if (fd < 0) {
40 return -EINVAL;
41 }
42
43 rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
44 if (rc < 0) {
45 return rc;
46 }
47
48 if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
49 audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
Mark Salyzyn501c3732017-03-10 14:31:54 -080050 rc = ((struct nlmsgerr*)rep.data)->error;
William Roberts29d238d2013-02-08 09:45:26 +090051 if (rc) {
52 return -rc;
53 }
54 }
55
William Roberts29d238d2013-02-08 09:45:26 +090056 return 0;
57}
58
59/**
60 *
61 * @param fd
62 * The netlink socket fd
63 * @param type
64 * The type of netlink message
65 * @param data
66 * The data to send
67 * @param size
68 * The length of the data in bytes
69 * @return
70 * This function returns a positive sequence number on success, else -errno.
71 */
Mark Salyzyn501c3732017-03-10 14:31:54 -080072static int audit_send(int fd, int type, const void* data, size_t size) {
William Roberts29d238d2013-02-08 09:45:26 +090073 int rc;
74 static int16_t sequence = 0;
75 struct audit_message req;
76 struct sockaddr_nl addr;
77
78 memset(&req, 0, sizeof(req));
79 memset(&addr, 0, sizeof(addr));
80
81 /* We always send netlink messaged */
82 addr.nl_family = AF_NETLINK;
83
84 /* Set up the netlink headers */
85 req.nlh.nlmsg_type = type;
86 req.nlh.nlmsg_len = NLMSG_SPACE(size);
87 req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
88
89 /*
90 * Check for a valid fd, even though sendto would catch this, its easier
91 * to always blindly increment the sequence number
92 */
93 if (fd < 0) {
94 return -EBADF;
95 }
96
97 /* Ensure the message is not too big */
98 if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
William Roberts29d238d2013-02-08 09:45:26 +090099 return -EINVAL;
100 }
101
102 /* Only memcpy in the data if it was specified */
103 if (size && data) {
104 memcpy(NLMSG_DATA(&req.nlh), data, size);
105 }
106
107 /*
108 * Only increment the sequence number on a guarantee
109 * you will send it to the kernel.
110 *
111 * Also, the sequence is defined as a u32 in the kernel
112 * struct. Using an int here might not work on 32/64 bit splits. A
113 * signed 64 bit value can overflow a u32..but a u32
114 * might not fit in the response, so we need to use s32.
115 * Which is still kind of hackish since int could be 16 bits
116 * in size. The only safe type to use here is a signed 16
117 * bit value.
118 */
119 req.nlh.nlmsg_seq = ++sequence;
120
121 /* While failing and its due to interrupts */
122
123 rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
Mark Salyzyn501c3732017-03-10 14:31:54 -0800124 (struct sockaddr*)&addr, sizeof(addr)));
William Roberts29d238d2013-02-08 09:45:26 +0900125
126 /* Not all the bytes were sent */
127 if (rc < 0) {
128 rc = -errno;
William Roberts29d238d2013-02-08 09:45:26 +0900129 goto out;
Mark Salyzyn501c3732017-03-10 14:31:54 -0800130 } else if ((uint32_t)rc != req.nlh.nlmsg_len) {
William Roberts29d238d2013-02-08 09:45:26 +0900131 rc = -EPROTO;
132 goto out;
133 }
134
135 /* We sent all the bytes, get the ack */
Mark Salyzyncfd5b082016-10-17 14:28:00 -0700136 rc = get_ack(fd);
William Roberts29d238d2013-02-08 09:45:26 +0900137
138 /* If the ack failed, return the error, else return the sequence number */
Mark Salyzyn501c3732017-03-10 14:31:54 -0800139 rc = (rc == 0) ? (int)sequence : rc;
William Roberts29d238d2013-02-08 09:45:26 +0900140
141out:
142 /* Don't let sequence roll to negative */
143 if (sequence < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900144 sequence = 0;
145 }
146
147 return rc;
148}
149
Mark Salyzyn501c3732017-03-10 14:31:54 -0800150int audit_setup(int fd, pid_t pid) {
William Roberts29d238d2013-02-08 09:45:26 +0900151 int rc;
152 struct audit_message rep;
153 struct audit_status status;
154
155 memset(&status, 0, sizeof(status));
156
157 /*
158 * In order to set the auditd PID we send an audit message over the netlink
159 * socket with the pid field of the status struct set to our current pid,
160 * and the the mask set to AUDIT_STATUS_PID
161 */
162 status.pid = pid;
Jeff Vander Stoep54c7a5f2018-01-03 11:04:26 -0800163 status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;
164 status.rate_limit = AUDIT_RATE_LIMIT; /* audit entries per second */
William Roberts29d238d2013-02-08 09:45:26 +0900165
166 /* Let the kernel know this pid will be registering for audit events */
167 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
168 if (rc < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900169 return rc;
170 }
171
172 /*
173 * In a request where we need to wait for a response, wait for the message
174 * and discard it. This message confirms and sync's us with the kernel.
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800175 * This daemon is now registered as the audit logger.
176 *
177 * TODO
178 * If the daemon dies and restarts the message didn't come back,
179 * so I went to non-blocking and it seemed to fix the bug.
180 * Need to investigate further.
William Roberts29d238d2013-02-08 09:45:26 +0900181 */
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800182 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
William Roberts29d238d2013-02-08 09:45:26 +0900183
184 return 0;
185}
186
Mark Salyzyn501c3732017-03-10 14:31:54 -0800187int audit_open() {
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800188 return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
William Roberts29d238d2013-02-08 09:45:26 +0900189}
190
Mark Salyzyn501c3732017-03-10 14:31:54 -0800191int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) {
William Roberts29d238d2013-02-08 09:45:26 +0900192 ssize_t len;
193 int flags;
194 int rc = 0;
195
196 struct sockaddr_nl nladdr;
197 socklen_t nladdrlen = sizeof(nladdr);
198
199 if (fd < 0) {
200 return -EBADF;
201 }
202
203 /* Set up the flags for recv from */
204 flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
205 flags |= peek;
206
207 /*
208 * Get the data from the netlink socket but on error we need to be carefull,
209 * the interface shows that EINTR can never be returned, other errors,
210 * however, can be returned.
211 */
212 len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
Mark Salyzyn501c3732017-03-10 14:31:54 -0800213 (struct sockaddr*)&nladdr, &nladdrlen));
William Roberts29d238d2013-02-08 09:45:26 +0900214
215 /*
216 * EAGAIN should be re-tried until success or another error manifests.
217 */
218 if (len < 0) {
219 rc = -errno;
220 if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
221 /* If request is non blocking and errno is EAGAIN, just return 0 */
222 return 0;
223 }
William Roberts29d238d2013-02-08 09:45:26 +0900224 return rc;
225 }
226
227 if (nladdrlen != sizeof(nladdr)) {
William Roberts29d238d2013-02-08 09:45:26 +0900228 return -EPROTO;
229 }
230
231 /* Make sure the netlink message was not spoof'd */
232 if (nladdr.nl_pid) {
William Roberts29d238d2013-02-08 09:45:26 +0900233 return -EINVAL;
234 }
235
236 /* Check if the reply from the kernel was ok */
237 if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
238 rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
William Roberts29d238d2013-02-08 09:45:26 +0900239 }
240
241 return rc;
242}
243
Mark Salyzyn501c3732017-03-10 14:31:54 -0800244void audit_close(int fd) {
Mark Salyzyncfd5b082016-10-17 14:28:00 -0700245 close(fd);
William Roberts29d238d2013-02-08 09:45:26 +0900246}