1 /* 2 * Copyright 2012, Samsung Telecommunications of America 3 * Copyright (C) 2014 The Android Open Source Project 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 * Written by William Roberts <w.roberts (at) sta.samsung.com> 18 * 19 */ 20 21 #include <errno.h> 22 #include <string.h> 23 #include <unistd.h> 24 25 #include "libaudit.h" 26 27 /** 28 * Waits for an ack from the kernel 29 * @param fd 30 * The netlink socket fd 31 * @return 32 * This function returns 0 on success, else -errno. 33 */ 34 static int get_ack(int fd) { 35 int rc; 36 struct audit_message rep; 37 38 /* Sanity check, this is an internal interface this shouldn't happen */ 39 if (fd < 0) { 40 return -EINVAL; 41 } 42 43 rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK); 44 if (rc < 0) { 45 return rc; 46 } 47 48 if (rep.nlh.nlmsg_type == NLMSG_ERROR) { 49 audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0); 50 rc = ((struct nlmsgerr*)rep.data)->error; 51 if (rc) { 52 return -rc; 53 } 54 } 55 56 return 0; 57 } 58 59 /** 60 * 61 * @param fd 62 * The netlink socket fd 63 * @param type 64 * The type of netlink message 65 * @param data 66 * The data to send 67 * @param size 68 * The length of the data in bytes 69 * @return 70 * This function returns a positive sequence number on success, else -errno. 71 */ 72 static int audit_send(int fd, int type, const void* data, size_t size) { 73 int rc; 74 static int16_t sequence = 0; 75 struct audit_message req; 76 struct sockaddr_nl addr; 77 78 memset(&req, 0, sizeof(req)); 79 memset(&addr, 0, sizeof(addr)); 80 81 /* We always send netlink messaged */ 82 addr.nl_family = AF_NETLINK; 83 84 /* Set up the netlink headers */ 85 req.nlh.nlmsg_type = type; 86 req.nlh.nlmsg_len = NLMSG_SPACE(size); 87 req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; 88 89 /* 90 * Check for a valid fd, even though sendto would catch this, its easier 91 * to always blindly increment the sequence number 92 */ 93 if (fd < 0) { 94 return -EBADF; 95 } 96 97 /* Ensure the message is not too big */ 98 if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) { 99 return -EINVAL; 100 } 101 102 /* Only memcpy in the data if it was specified */ 103 if (size && data) { 104 memcpy(NLMSG_DATA(&req.nlh), data, size); 105 } 106 107 /* 108 * Only increment the sequence number on a guarantee 109 * you will send it to the kernel. 110 * 111 * Also, the sequence is defined as a u32 in the kernel 112 * struct. Using an int here might not work on 32/64 bit splits. A 113 * signed 64 bit value can overflow a u32..but a u32 114 * might not fit in the response, so we need to use s32. 115 * Which is still kind of hackish since int could be 16 bits 116 * in size. The only safe type to use here is a signed 16 117 * bit value. 118 */ 119 req.nlh.nlmsg_seq = ++sequence; 120 121 /* While failing and its due to interrupts */ 122 123 rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0, 124 (struct sockaddr*)&addr, sizeof(addr))); 125 126 /* Not all the bytes were sent */ 127 if (rc < 0) { 128 rc = -errno; 129 goto out; 130 } else if ((uint32_t)rc != req.nlh.nlmsg_len) { 131 rc = -EPROTO; 132 goto out; 133 } 134 135 /* We sent all the bytes, get the ack */ 136 rc = get_ack(fd); 137 138 /* If the ack failed, return the error, else return the sequence number */ 139 rc = (rc == 0) ? (int)sequence : rc; 140 141 out: 142 /* Don't let sequence roll to negative */ 143 if (sequence < 0) { 144 sequence = 0; 145 } 146 147 return rc; 148 } 149 150 int audit_setup(int fd, pid_t pid) { 151 int rc; 152 struct audit_message rep; 153 struct audit_status status; 154 155 memset(&status, 0, sizeof(status)); 156 157 /* 158 * In order to set the auditd PID we send an audit message over the netlink 159 * socket with the pid field of the status struct set to our current pid, 160 * and the the mask set to AUDIT_STATUS_PID 161 */ 162 status.pid = pid; 163 status.mask = AUDIT_STATUS_PID; 164 165 /* Let the kernel know this pid will be registering for audit events */ 166 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); 167 if (rc < 0) { 168 return rc; 169 } 170 171 /* 172 * In a request where we need to wait for a response, wait for the message 173 * and discard it. This message confirms and sync's us with the kernel. 174 * This daemon is now registered as the audit logger. 175 * 176 * TODO 177 * If the daemon dies and restarts the message didn't come back, 178 * so I went to non-blocking and it seemed to fix the bug. 179 * Need to investigate further. 180 */ 181 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); 182 183 return 0; 184 } 185 186 int audit_rate_limit(int fd, unsigned rate_limit) { 187 int rc; 188 struct audit_message rep; 189 struct audit_status status; 190 191 memset(&status, 0, sizeof(status)); 192 193 status.mask = AUDIT_STATUS_RATE_LIMIT; 194 status.rate_limit = rate_limit; /* audit entries per second */ 195 196 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); 197 if (rc < 0) { 198 return rc; 199 } 200 201 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); 202 203 return 0; 204 } 205 206 int audit_open() { 207 return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); 208 } 209 210 int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) { 211 ssize_t len; 212 int flags; 213 int rc = 0; 214 215 struct sockaddr_nl nladdr; 216 socklen_t nladdrlen = sizeof(nladdr); 217 218 if (fd < 0) { 219 return -EBADF; 220 } 221 222 /* Set up the flags for recv from */ 223 flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0; 224 flags |= peek; 225 226 /* 227 * Get the data from the netlink socket but on error we need to be carefull, 228 * the interface shows that EINTR can never be returned, other errors, 229 * however, can be returned. 230 */ 231 len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags, 232 (struct sockaddr*)&nladdr, &nladdrlen)); 233 234 /* 235 * EAGAIN should be re-tried until success or another error manifests. 236 */ 237 if (len < 0) { 238 rc = -errno; 239 if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) { 240 /* If request is non blocking and errno is EAGAIN, just return 0 */ 241 return 0; 242 } 243 return rc; 244 } 245 246 if (nladdrlen != sizeof(nladdr)) { 247 return -EPROTO; 248 } 249 250 /* Make sure the netlink message was not spoof'd */ 251 if (nladdr.nl_pid) { 252 return -EINVAL; 253 } 254 255 /* Check if the reply from the kernel was ok */ 256 if (!NLMSG_OK(&rep->nlh, (size_t)len)) { 257 rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE; 258 } 259 260 return rc; 261 } 262 263 void audit_close(int fd) { 264 close(fd); 265 } 266