Home | History | Annotate | Download | only in logd
      1 /*
      2  * Copyright 2012, Samsung Telecommunications of America
      3  * Copyright (C) 2014 The Android Open Source Project
      4  *
      5  * Licensed under the Apache License, Version 2.0 (the "License");
      6  * you may not use this file except in compliance with the License.
      7  * You may obtain a copy of the License at
      8  *
      9  *     http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  * Unless required by applicable law or agreed to in writing, software
     12  * distributed under the License is distributed on an "AS IS" BASIS,
     13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  * See the License for the specific language governing permissions and
     15  * limitations under the License.
     16  *
     17  * Written by William Roberts <w.roberts (at) sta.samsung.com>
     18  *
     19  */
     20 
     21 #include <errno.h>
     22 #include <string.h>
     23 #include <unistd.h>
     24 
     25 #define LOG_TAG "libaudit"
     26 #include <log/log.h>
     27 
     28 #include "libaudit.h"
     29 
     30 /**
     31  * Waits for an ack from the kernel
     32  * @param fd
     33  *  The netlink socket fd
     34  * @param seq
     35  *  The current sequence number were acking on
     36  * @return
     37  *  This function returns 0 on success, else -errno.
     38  */
     39 static int get_ack(int fd, int16_t seq)
     40 {
     41     int rc;
     42     struct audit_message rep;
     43 
     44     /* Sanity check, this is an internal interface this shouldn't happen */
     45     if (fd < 0) {
     46         return -EINVAL;
     47     }
     48 
     49     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
     50     if (rc < 0) {
     51         return rc;
     52     }
     53 
     54     if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
     55         audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
     56         rc = ((struct nlmsgerr *)rep.data)->error;
     57         if (rc) {
     58             return -rc;
     59         }
     60     }
     61 
     62     if ((int16_t)rep.nlh.nlmsg_seq != seq) {
     63         SLOGW("Expected sequence number between user space and kernel space is out of skew, "
     64           "expected %u got %u", seq, rep.nlh.nlmsg_seq);
     65     }
     66 
     67     return 0;
     68 }
     69 
     70 /**
     71  *
     72  * @param fd
     73  *  The netlink socket fd
     74  * @param type
     75  *  The type of netlink message
     76  * @param data
     77  *  The data to send
     78  * @param size
     79  *  The length of the data in bytes
     80  * @return
     81  *  This function returns a positive sequence number on success, else -errno.
     82  */
     83 static int audit_send(int fd, int type, const void *data, size_t size)
     84 {
     85     int rc;
     86     static int16_t sequence = 0;
     87     struct audit_message req;
     88     struct sockaddr_nl addr;
     89 
     90     memset(&req, 0, sizeof(req));
     91     memset(&addr, 0, sizeof(addr));
     92 
     93     /* We always send netlink messaged */
     94     addr.nl_family = AF_NETLINK;
     95 
     96     /* Set up the netlink headers */
     97     req.nlh.nlmsg_type = type;
     98     req.nlh.nlmsg_len = NLMSG_SPACE(size);
     99     req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    100 
    101     /*
    102      * Check for a valid fd, even though sendto would catch this, its easier
    103      * to always blindly increment the sequence number
    104      */
    105     if (fd < 0) {
    106         return -EBADF;
    107     }
    108 
    109     /* Ensure the message is not too big */
    110     if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
    111         SLOGE("netlink message is too large");
    112         return -EINVAL;
    113     }
    114 
    115     /* Only memcpy in the data if it was specified */
    116     if (size && data) {
    117         memcpy(NLMSG_DATA(&req.nlh), data, size);
    118     }
    119 
    120     /*
    121      * Only increment the sequence number on a guarantee
    122      * you will send it to the kernel.
    123      *
    124      * Also, the sequence is defined as a u32 in the kernel
    125      * struct. Using an int here might not work on 32/64 bit splits. A
    126      * signed 64 bit value can overflow a u32..but a u32
    127      * might not fit in the response, so we need to use s32.
    128      * Which is still kind of hackish since int could be 16 bits
    129      * in size. The only safe type to use here is a signed 16
    130      * bit value.
    131      */
    132     req.nlh.nlmsg_seq = ++sequence;
    133 
    134     /* While failing and its due to interrupts */
    135 
    136     rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
    137                                    (struct sockaddr*) &addr, sizeof(addr)));
    138 
    139     /* Not all the bytes were sent */
    140     if (rc < 0) {
    141         rc = -errno;
    142         SLOGE("Error sending data over the netlink socket: %s", strerror(-errno));
    143         goto out;
    144     } else if ((uint32_t) rc != req.nlh.nlmsg_len) {
    145         rc = -EPROTO;
    146         goto out;
    147     }
    148 
    149     /* We sent all the bytes, get the ack */
    150     rc = get_ack(fd, sequence);
    151 
    152     /* If the ack failed, return the error, else return the sequence number */
    153     rc = (rc == 0) ? (int) sequence : rc;
    154 
    155 out:
    156     /* Don't let sequence roll to negative */
    157     if (sequence < 0) {
    158         SLOGW("Auditd to Kernel sequence number has rolled over");
    159         sequence = 0;
    160     }
    161 
    162     return rc;
    163 }
    164 
    165 int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
    166 {
    167     int rc;
    168     struct audit_message rep;
    169     struct audit_status status;
    170 
    171     memset(&status, 0, sizeof(status));
    172 
    173     /*
    174      * In order to set the auditd PID we send an audit message over the netlink
    175      * socket with the pid field of the status struct set to our current pid,
    176      * and the the mask set to AUDIT_STATUS_PID
    177      */
    178     status.pid = pid;
    179     status.mask = AUDIT_STATUS_PID;
    180 
    181     /* Let the kernel know this pid will be registering for audit events */
    182     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
    183     if (rc < 0) {
    184         SLOGE("Could net set pid for audit events, error: %s", strerror(-rc));
    185         return rc;
    186     }
    187 
    188     /*
    189      * In a request where we need to wait for a response, wait for the message
    190      * and discard it. This message confirms and sync's us with the kernel.
    191      * This daemon is now registered as the audit logger. Only wait if the
    192      * wmode is != WAIT_NO
    193      */
    194     if (wmode != WAIT_NO) {
    195         /* TODO
    196          * If the daemon dies and restarts the message didn't come back,
    197          * so I went to non-blocking and it seemed to fix the bug.
    198          * Need to investigate further.
    199          */
    200         audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
    201     }
    202 
    203     return 0;
    204 }
    205 
    206 int audit_open()
    207 {
    208     return socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    209 }
    210 
    211 int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
    212 {
    213     ssize_t len;
    214     int flags;
    215     int rc = 0;
    216 
    217     struct sockaddr_nl nladdr;
    218     socklen_t nladdrlen = sizeof(nladdr);
    219 
    220     if (fd < 0) {
    221         return -EBADF;
    222     }
    223 
    224     /* Set up the flags for recv from */
    225     flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
    226     flags |= peek;
    227 
    228     /*
    229      * Get the data from the netlink socket but on error we need to be carefull,
    230      * the interface shows that EINTR can never be returned, other errors,
    231      * however, can be returned.
    232      */
    233     len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
    234                                       (struct sockaddr*) &nladdr, &nladdrlen));
    235 
    236     /*
    237      * EAGAIN should be re-tried until success or another error manifests.
    238      */
    239     if (len < 0) {
    240         rc = -errno;
    241         if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
    242             /* If request is non blocking and errno is EAGAIN, just return 0 */
    243             return 0;
    244         }
    245         SLOGE("Error receiving from netlink socket, error: %s", strerror(-rc));
    246         return rc;
    247     }
    248 
    249     if (nladdrlen != sizeof(nladdr)) {
    250         SLOGE("Protocol fault, error: %s", strerror(EPROTO));
    251         return -EPROTO;
    252     }
    253 
    254     /* Make sure the netlink message was not spoof'd */
    255     if (nladdr.nl_pid) {
    256         SLOGE("Invalid netlink pid received, expected 0 got: %d", nladdr.nl_pid);
    257         return -EINVAL;
    258     }
    259 
    260     /* Check if the reply from the kernel was ok */
    261     if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
    262         rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
    263         SLOGE("Bad kernel response %s", strerror(-rc));
    264     }
    265 
    266     return rc;
    267 }
    268 
    269 void audit_close(int fd)
    270 {
    271     int rc = close(fd);
    272     if (rc < 0) {
    273         SLOGE("Attempting to close invalid fd %d, error: %s", fd, strerror(errno));
    274     }
    275     return;
    276 }
    277