Home | History | Annotate | Download | only in logd 
      1 /*
      2  * Copyright 2012, Samsung Telecommunications of America
      3  * Copyright (C) 2014 The Android Open Source Project
      4  *
      5  * Licensed under the Apache License, Version 2.0 (the "License");
      6  * you may not use this file except in compliance with the License.
      7  * You may obtain a copy of the License at
      8  *
      9  *     http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  * Unless required by applicable law or agreed to in writing, software
     12  * distributed under the License is distributed on an "AS IS" BASIS,
     13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  * See the License for the specific language governing permissions and
     15  * limitations under the License.
     16  *
     17  * Written by William Roberts <w.roberts (at) sta.samsung.com>
     18  *
     19  */
     20 
     21 #include <errno.h>
     22 #include <string.h>
     23 #include <unistd.h>
     24 
     25 #include "libaudit.h"
     26 
     27 /**
     28  * Waits for an ack from the kernel
     29  * @param fd
     30  *  The netlink socket fd
     31  * @return
     32  *  This function returns 0 on success, else -errno.
     33  */
     34 static int get_ack(int fd) {
     35     int rc;
     36     struct audit_message rep;
     37 
     38     /* Sanity check, this is an internal interface this shouldn't happen */
     39     if (fd < 0) {
     40         return -EINVAL;
     41     }
     42 
     43     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
     44     if (rc < 0) {
     45         return rc;
     46     }
     47 
     48     if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
     49         audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
     50         rc = ((struct nlmsgerr*)rep.data)->error;
     51         if (rc) {
     52             return -rc;
     53         }
     54     }
     55 
     56     return 0;
     57 }
     58 
     59 /**
     60  *
     61  * @param fd
     62  *  The netlink socket fd
     63  * @param type
     64  *  The type of netlink message
     65  * @param data
     66  *  The data to send
     67  * @param size
     68  *  The length of the data in bytes
     69  * @return
     70  *  This function returns a positive sequence number on success, else -errno.
     71  */
     72 static int audit_send(int fd, int type, const void* data, size_t size) {
     73     int rc;
     74     static int16_t sequence = 0;
     75     struct audit_message req;
     76     struct sockaddr_nl addr;
     77 
     78     memset(&req, 0, sizeof(req));
     79     memset(&addr, 0, sizeof(addr));
     80 
     81     /* We always send netlink messaged */
     82     addr.nl_family = AF_NETLINK;
     83 
     84     /* Set up the netlink headers */
     85     req.nlh.nlmsg_type = type;
     86     req.nlh.nlmsg_len = NLMSG_SPACE(size);
     87     req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
     88 
     89     /*
     90      * Check for a valid fd, even though sendto would catch this, its easier
     91      * to always blindly increment the sequence number
     92      */
     93     if (fd < 0) {
     94         return -EBADF;
     95     }
     96 
     97     /* Ensure the message is not too big */
     98     if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
     99         return -EINVAL;
    100     }
    101 
    102     /* Only memcpy in the data if it was specified */
    103     if (size && data) {
    104         memcpy(NLMSG_DATA(&req.nlh), data, size);
    105     }
    106 
    107     /*
    108      * Only increment the sequence number on a guarantee
    109      * you will send it to the kernel.
    110      *
    111      * Also, the sequence is defined as a u32 in the kernel
    112      * struct. Using an int here might not work on 32/64 bit splits. A
    113      * signed 64 bit value can overflow a u32..but a u32
    114      * might not fit in the response, so we need to use s32.
    115      * Which is still kind of hackish since int could be 16 bits
    116      * in size. The only safe type to use here is a signed 16
    117      * bit value.
    118      */
    119     req.nlh.nlmsg_seq = ++sequence;
    120 
    121     /* While failing and its due to interrupts */
    122 
    123     rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
    124                                    (struct sockaddr*)&addr, sizeof(addr)));
    125 
    126     /* Not all the bytes were sent */
    127     if (rc < 0) {
    128         rc = -errno;
    129         goto out;
    130     } else if ((uint32_t)rc != req.nlh.nlmsg_len) {
    131         rc = -EPROTO;
    132         goto out;
    133     }
    134 
    135     /* We sent all the bytes, get the ack */
    136     rc = get_ack(fd);
    137 
    138     /* If the ack failed, return the error, else return the sequence number */
    139     rc = (rc == 0) ? (int)sequence : rc;
    140 
    141 out:
    142     /* Don't let sequence roll to negative */
    143     if (sequence < 0) {
    144         sequence = 0;
    145     }
    146 
    147     return rc;
    148 }
    149 
    150 int audit_setup(int fd, pid_t pid) {
    151     int rc;
    152     struct audit_message rep;
    153     struct audit_status status;
    154 
    155     memset(&status, 0, sizeof(status));
    156 
    157     /*
    158      * In order to set the auditd PID we send an audit message over the netlink
    159      * socket with the pid field of the status struct set to our current pid,
    160      * and the the mask set to AUDIT_STATUS_PID
    161      */
    162     status.pid = pid;
    163     status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;
    164     status.rate_limit = AUDIT_RATE_LIMIT; /* audit entries per second */
    165 
    166     /* Let the kernel know this pid will be registering for audit events */
    167     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
    168     if (rc < 0) {
    169         return rc;
    170     }
    171 
    172     /*
    173      * In a request where we need to wait for a response, wait for the message
    174      * and discard it. This message confirms and sync's us with the kernel.
    175      * This daemon is now registered as the audit logger.
    176      *
    177      * TODO
    178      * If the daemon dies and restarts the message didn't come back,
    179      * so I went to non-blocking and it seemed to fix the bug.
    180      * Need to investigate further.
    181      */
    182     audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
    183 
    184     return 0;
    185 }
    186 
    187 int audit_open() {
    188     return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    189 }
    190 
    191 int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) {
    192     ssize_t len;
    193     int flags;
    194     int rc = 0;
    195 
    196     struct sockaddr_nl nladdr;
    197     socklen_t nladdrlen = sizeof(nladdr);
    198 
    199     if (fd < 0) {
    200         return -EBADF;
    201     }
    202 
    203     /* Set up the flags for recv from */
    204     flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
    205     flags |= peek;
    206 
    207     /*
    208      * Get the data from the netlink socket but on error we need to be carefull,
    209      * the interface shows that EINTR can never be returned, other errors,
    210      * however, can be returned.
    211      */
    212     len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
    213                                       (struct sockaddr*)&nladdr, &nladdrlen));
    214 
    215     /*
    216      * EAGAIN should be re-tried until success or another error manifests.
    217      */
    218     if (len < 0) {
    219         rc = -errno;
    220         if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
    221             /* If request is non blocking and errno is EAGAIN, just return 0 */
    222             return 0;
    223         }
    224         return rc;
    225     }
    226 
    227     if (nladdrlen != sizeof(nladdr)) {
    228         return -EPROTO;
    229     }
    230 
    231     /* Make sure the netlink message was not spoof'd */
    232     if (nladdr.nl_pid) {
    233         return -EINVAL;
    234     }
    235 
    236     /* Check if the reply from the kernel was ok */
    237     if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
    238         rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
    239     }
    240 
    241     return rc;
    242 }
    243 
    244 void audit_close(int fd) {
    245     close(fd);
    246 }
    247