Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / core / f9b7f7fdba6f62309372fee7c619de1edd8aa389 / . / logd / LogAudit.cpp
blob: 9124bfdfc75eec3520cf289edc7d84ff6b0d8b82 [file] [log] [blame]
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <ctype.h>
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800[diff] [blame]18#include <endian.h>
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]19#include <errno.h>
Mark Salyzyne0fa2912014-04-28 16:39:04 -0700[diff] [blame]20#include <limits.h>
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]21#include <stdarg.h>
22#include <stdlib.h>
Mark Salyzyn317bfb92016-02-23 08:55:43 -0800[diff] [blame]23#include <string.h>
Mark Salyzyn8daa9af2014-04-28 14:07:23 -0700[diff] [blame]24#include <sys/prctl.h>
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700[diff] [blame]25#include <sys/uio.h>
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -0700[diff] [blame]26#include <syslog.h>
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]27
Mark Salyzyn317bfb92016-02-23 08:55:43 -0800[diff] [blame]28#include <string>
29
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]30#include <cutils/properties.h>
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]31#include <log/logger.h>
Mark Salyzyne3aeeee2015-03-17 07:56:32 -0700[diff] [blame]32#include <private/android_filesystem_config.h>
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800[diff] [blame]33#include <private/android_logger.h>
34
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]35#include "libaudit.h"
36#include "LogAudit.h"
Mark Salyzyn317bfb92016-02-23 08:55:43 -0800[diff] [blame]37#include "LogBuffer.h"
Mark Salyzynae4d9282014-10-15 08:49:39 -0700[diff] [blame]38#include "LogKlog.h"
Mark Salyzyn317bfb92016-02-23 08:55:43 -0800[diff] [blame]39#include "LogReader.h"
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]40
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]41#ifndef AUDITD_ENFORCE_INTEGRITY
42#define AUDITD_ENFORCE_INTEGRITY false
43#endif
44
Mark Salyzynccbadc62015-03-12 12:25:35 -0700[diff] [blame]45#define KMSG_PRIORITY(PRI) \
46 '<', \
47 '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \
48 '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) % 10, \
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -0700[diff] [blame]49 '>'
50
Mark Salyzyn77187782015-05-12 15:21:31 -0700[diff] [blame]51LogAudit::LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg) :
52 SocketListener(getLogSocket(), false),
53 logbuf(buf),
54 reader(reader),
55 fdDmesg(fdDmesg),
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]56 policyLoaded(false),
57 rebootToSafeMode(false),
Mark Salyzyn77187782015-05-12 15:21:31 -0700[diff] [blame]58 initialized(false) {
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]59 logToDmesg("start");
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]60}
61
62bool LogAudit::onDataAvailable(SocketClient *cli) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]63 if (!initialized) {
64 prctl(PR_SET_NAME, "logd.auditd");
65 initialized = true;
66 }
Mark Salyzyn8daa9af2014-04-28 14:07:23 -0700[diff] [blame]67
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]68 struct audit_message rep;
69
Mark Salyzyne0fa2912014-04-28 16:39:04 -0700[diff] [blame]70 rep.nlh.nlmsg_type = 0;
71 rep.nlh.nlmsg_len = 0;
72 rep.data[0] = '\0';
73
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]74 if (audit_get_reply(cli->getSocket(), &rep, GET_REPLY_BLOCKING, 0) < 0) {
75 SLOGE("Failed on audit_get_reply with error: %s", strerror(errno));
76 return false;
77 }
78
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]79 logPrint("type=%d %.*s",
80 rep.nlh.nlmsg_type, rep.nlh.nlmsg_len, rep.data);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]81
82 return true;
83}
84
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]85void LogAudit::logToDmesg(const std::string& str)
86{
87 static const char prefix[] = { KMSG_PRIORITY(LOG_INFO),
88 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
89 ' ', '\0' };
90 std::string message = prefix + str + "\n";
91 write(fdDmesg, message.c_str(), message.length());
92}
93
94std::string LogAudit::getProperty(const std::string& name)
95{
96 char value[PROP_VALUE_MAX] = {0};
97 property_get(name.c_str(), value, "");
98 return value;
99}
100
101void LogAudit::enforceIntegrity() {
Sami Tolvanen89e04292016-02-29 09:07:46 -0800[diff] [blame]102 static bool loggedOnce;
103 bool once = loggedOnce;
104
105 loggedOnce = true;
106
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]107 if (!AUDITD_ENFORCE_INTEGRITY) {
Sami Tolvanen89e04292016-02-29 09:07:46 -0800[diff] [blame]108 if (!once) {
109 logToDmesg("integrity enforcement suppressed; not rebooting");
110 }
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]111 } else if (rebootToSafeMode) {
112 if (getProperty("persist.sys.safemode") == "1") {
Sami Tolvanen89e04292016-02-29 09:07:46 -0800[diff] [blame]113 if (!once) {
114 logToDmesg("integrity enforcement suppressed; in safe mode");
115 }
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]116 return;
117 }
118
119 logToDmesg("enforcing integrity; rebooting to safe mode");
120 property_set("persist.sys.safemode", "1");
121
122 std::string buildDate = getProperty("ro.build.date.utc");
123 if (!buildDate.empty()) {
124 property_set("persist.sys.audit_safemode", buildDate.c_str());
125 }
126
127 property_set("sys.powerctl", "reboot");
128 } else {
129 logToDmesg("enforcing integrity: rebooting to recovery");
130 property_set("sys.powerctl", "reboot,recovery");
131 }
132}
133
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]134int LogAudit::logPrint(const char *fmt, ...) {
135 if (fmt == NULL) {
136 return -EINVAL;
137 }
138
139 va_list args;
140
141 char *str = NULL;
142 va_start(args, fmt);
143 int rc = vasprintf(&str, fmt, args);
144 va_end(args);
145
146 if (rc < 0) {
147 return rc;
148 }
149
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]150 char *cp;
151 while ((cp = strstr(str, " "))) {
152 memmove(cp, cp + 1, strlen(cp + 1) + 1);
153 }
154
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]155 bool loaded = strstr(str, " policy loaded ");
156
157 if (loaded) {
158 if (policyLoaded) {
159 // SELinux policy changes are not allowed
160 enforceIntegrity();
161 } else {
162 logToDmesg("policy loaded");
163 policyLoaded = true;
164 }
165 }
166
Nick Kralevich99fb01e2016-02-27 08:19:01 -0800[diff] [blame]167 bool permissive = strstr(str, " enforcing=0") ||
168 strstr(str, " permissive=1");
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]169
Nick Kralevich99fb01e2016-02-27 08:19:01 -0800[diff] [blame]170 if (permissive) {
Sami Tolvanen0bdad0f2016-02-05 14:27:52 -0800[diff] [blame]171 // SELinux in permissive mode is not allowed
172 enforceIntegrity();
173 }
174
Nick Kralevich99fb01e2016-02-27 08:19:01 -0800[diff] [blame]175 bool info = loaded || permissive;
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]176 if ((fdDmesg >= 0) && initialized) {
Mark Salyzyn6bdeee02014-09-19 11:59:42 -0700[diff] [blame]177 struct iovec iov[3];
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -0700[diff] [blame]178 static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
179 static const char log_warning[] = { KMSG_PRIORITY(LOG_WARNING) };
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700[diff] [blame]180
Mark Salyzyn7ee2aef2014-09-28 14:41:50 -0700[diff] [blame]181 iov[0].iov_base = info ? const_cast<char *>(log_info)
182 : const_cast<char *>(log_warning);
183 iov[0].iov_len = info ? sizeof(log_info) : sizeof(log_warning);
Mark Salyzyn6bdeee02014-09-19 11:59:42 -0700[diff] [blame]184 iov[1].iov_base = str;
185 iov[1].iov_len = strlen(str);
186 iov[2].iov_base = const_cast<char *>("\n");
187 iov[2].iov_len = 1;
Mark Salyzyne9bebd02014-04-03 09:55:26 -0700[diff] [blame]188
189 writev(fdDmesg, iov, sizeof(iov) / sizeof(iov[0]));
190 }
191
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]192 pid_t pid = getpid();
193 pid_t tid = gettid();
Mark Salyzyne3aeeee2015-03-17 07:56:32 -0700[diff] [blame]194 uid_t uid = AID_LOGD;
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]195 log_time now;
196
197 static const char audit_str[] = " audit(";
198 char *timeptr = strstr(str, audit_str);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]199 if (timeptr
200 && ((cp = now.strptime(timeptr + sizeof(audit_str) - 1, "%s.%q")))
201 && (*cp == ':')) {
202 memcpy(timeptr + sizeof(audit_str) - 1, "0.0", 3);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]203 memmove(timeptr + sizeof(audit_str) - 1 + 3, cp, strlen(cp) + 1);
Mark Salyzynb6bee332015-09-08 08:56:32 -0700[diff] [blame]204 if (!isMonotonic()) {
205 if (android::isMonotonic(now)) {
206 LogKlog::convertMonotonicToReal(now);
207 }
208 } else {
209 if (!android::isMonotonic(now)) {
210 LogKlog::convertRealToMonotonic(now);
211 }
Mark Salyzynae4d9282014-10-15 08:49:39 -0700[diff] [blame]212 }
Mark Salyzynb6bee332015-09-08 08:56:32 -0700[diff] [blame]213 } else if (isMonotonic()) {
214 now = log_time(CLOCK_MONOTONIC);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]215 } else {
Mark Salyzynb6bee332015-09-08 08:56:32 -0700[diff] [blame]216 now = log_time(CLOCK_REALTIME);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]217 }
218
219 static const char pid_str[] = " pid=";
220 char *pidptr = strstr(str, pid_str);
221 if (pidptr && isdigit(pidptr[sizeof(pid_str) - 1])) {
222 cp = pidptr + sizeof(pid_str) - 1;
223 pid = 0;
224 while (isdigit(*cp)) {
225 pid = (pid * 10) + (*cp - '0');
226 ++cp;
227 }
228 tid = pid;
Mark Salyzyned777e92015-06-24 16:22:54 -0700[diff] [blame]229 logbuf->lock();
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]230 uid = logbuf->pidToUid(pid);
Mark Salyzyned777e92015-06-24 16:22:54 -0700[diff] [blame]231 logbuf->unlock();
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]232 memmove(pidptr, cp, strlen(cp) + 1);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]233 }
234
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]235 // log to events
236
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]237 size_t l = strnlen(str, LOGGER_ENTRY_MAX_PAYLOAD);
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800[diff] [blame]238 size_t n = l + sizeof(android_log_event_string_t);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]239
240 bool notify = false;
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]241
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]242 { // begin scope for event buffer
243 uint32_t buffer[(n + sizeof(uint32_t) - 1) / sizeof(uint32_t)];
244
245 android_log_event_string_t *event
246 = reinterpret_cast<android_log_event_string_t *>(buffer);
Mark Salyzyn29eb5702015-03-03 16:21:27 -0800[diff] [blame]247 event->header.tag = htole32(AUDITD_LOG_TAG);
Nick Kralevich58ba58a2015-04-07 01:25:43 -0700[diff] [blame]248 event->type = EVENT_TYPE_STRING;
249 event->length = htole32(l);
250 memcpy(event->data, str, l);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]251
Mark Salyzyn202e1532015-02-09 08:21:05 -0800[diff] [blame]252 rc = logbuf->log(LOG_ID_EVENTS, now, uid, pid, tid,
253 reinterpret_cast<char *>(event),
254 (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
Mark Salyzyn202e1532015-02-09 08:21:05 -0800[diff] [blame]255 if (rc >= 0) {
256 notify = true;
257 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]258 // end scope for event buffer
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]259 }
260
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]261 // log to main
262
263 static const char comm_str[] = " comm=\"";
264 const char *comm = strstr(str, comm_str);
265 const char *estr = str + strlen(str);
Mark Salyzyn758058f2015-08-21 16:44:30 -0700[diff] [blame]266 const char *commfree = NULL;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]267 if (comm) {
268 estr = comm;
269 comm += sizeof(comm_str) - 1;
270 } else if (pid == getpid()) {
271 pid = tid;
272 comm = "auditd";
Mark Salyzyned777e92015-06-24 16:22:54 -0700[diff] [blame]273 } else {
274 logbuf->lock();
275 comm = commfree = logbuf->pidToName(pid);
276 logbuf->unlock();
277 if (!comm) {
278 comm = "unknown";
279 }
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]280 }
281
282 const char *ecomm = strchr(comm, '"');
283 if (ecomm) {
284 ++ecomm;
285 l = ecomm - comm;
286 } else {
287 l = strlen(comm) + 1;
288 ecomm = "";
289 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]290 size_t b = estr - str;
291 if (b > LOGGER_ENTRY_MAX_PAYLOAD) {
292 b = LOGGER_ENTRY_MAX_PAYLOAD;
293 }
294 size_t e = strnlen(ecomm, LOGGER_ENTRY_MAX_PAYLOAD - b);
295 n = b + e + l + 2;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]296
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]297 { // begin scope for main buffer
298 char newstr[n];
299
Mark Salyzyn6bdeee02014-09-19 11:59:42 -0700[diff] [blame]300 *newstr = info ? ANDROID_LOG_INFO : ANDROID_LOG_WARN;
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]301 strlcpy(newstr + 1, comm, l);
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]302 strncpy(newstr + 1 + l, str, b);
303 strncpy(newstr + 1 + l + b, ecomm, e);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]304
Mark Salyzyn202e1532015-02-09 08:21:05 -0800[diff] [blame]305 rc = logbuf->log(LOG_ID_MAIN, now, uid, pid, tid, newstr,
306 (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]307
Mark Salyzyn202e1532015-02-09 08:21:05 -0800[diff] [blame]308 if (rc >= 0) {
309 notify = true;
310 }
Mark Salyzynddda2122015-10-02 09:22:52 -0700[diff] [blame]311 // end scope for main buffer
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]312 }
313
Mark Salyzyn758058f2015-08-21 16:44:30 -0700[diff] [blame]314 free(const_cast<char *>(commfree));
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]315 free(str);
316
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]317 if (notify) {
318 reader->notifyNewLog();
Mark Salyzyn202e1532015-02-09 08:21:05 -0800[diff] [blame]319 if (rc < 0) {
320 rc = n;
321 }
Mark Salyzyne4369d62014-05-27 10:06:34 -0700[diff] [blame]322 }
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]323
324 return rc;
325}
326
Mark Salyzyn151beac2015-09-04 11:37:42 -0700[diff] [blame]327int LogAudit::log(char *buf, size_t len) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]328 char *audit = strstr(buf, " audit(");
Mark Salyzyn151beac2015-09-04 11:37:42 -0700[diff] [blame]329 if (!audit || (audit >= &buf[len])) {
Mark Salyzynae4d9282014-10-15 08:49:39 -0700[diff] [blame]330 return 0;
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]331 }
332
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]333 *audit = '\0';
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]334
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]335 int rc;
336 char *type = strstr(buf, "type=");
Mark Salyzyn151beac2015-09-04 11:37:42 -0700[diff] [blame]337 if (type && (type < &buf[len])) {
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]338 rc = logPrint("%s %s", type, audit + 1);
339 } else {
340 rc = logPrint("%s", audit + 1);
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]341 }
Mark Salyzyneb06de72014-10-13 09:59:37 -0700[diff] [blame]342 *audit = ' ';
343 return rc;
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]344}
345
346int LogAudit::getLogSocket() {
347 int fd = audit_open();
348 if (fd < 0) {
349 return fd;
350 }
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800[diff] [blame]351 if (audit_setup(fd, getpid()) < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900[diff] [blame]352 audit_close(fd);
353 fd = -1;
354 }
355 return fd;
356}