blob: 216f1a18c940c3ca4d849db5bdf49e031351d15f [file] [log] [blame]
William Roberts29d238d2013-02-08 09:45:26 +09001/*
2 * Copyright 2012, Samsung Telecommunications of America
3 * Copyright (C) 2014 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 * Written by William Roberts <w.roberts@sta.samsung.com>
18 *
19 */
20
21#include <errno.h>
22#include <string.h>
23#include <unistd.h>
24
William Roberts29d238d2013-02-08 09:45:26 +090025#include "libaudit.h"
26
27/**
28 * Waits for an ack from the kernel
29 * @param fd
30 * The netlink socket fd
William Roberts29d238d2013-02-08 09:45:26 +090031 * @return
32 * This function returns 0 on success, else -errno.
33 */
Mark Salyzyncfd5b082016-10-17 14:28:00 -070034static int get_ack(int fd)
William Roberts29d238d2013-02-08 09:45:26 +090035{
36 int rc;
37 struct audit_message rep;
38
39 /* Sanity check, this is an internal interface this shouldn't happen */
40 if (fd < 0) {
41 return -EINVAL;
42 }
43
44 rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
45 if (rc < 0) {
46 return rc;
47 }
48
49 if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
50 audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
51 rc = ((struct nlmsgerr *)rep.data)->error;
52 if (rc) {
53 return -rc;
54 }
55 }
56
William Roberts29d238d2013-02-08 09:45:26 +090057 return 0;
58}
59
60/**
61 *
62 * @param fd
63 * The netlink socket fd
64 * @param type
65 * The type of netlink message
66 * @param data
67 * The data to send
68 * @param size
69 * The length of the data in bytes
70 * @return
71 * This function returns a positive sequence number on success, else -errno.
72 */
73static int audit_send(int fd, int type, const void *data, size_t size)
74{
75 int rc;
76 static int16_t sequence = 0;
77 struct audit_message req;
78 struct sockaddr_nl addr;
79
80 memset(&req, 0, sizeof(req));
81 memset(&addr, 0, sizeof(addr));
82
83 /* We always send netlink messaged */
84 addr.nl_family = AF_NETLINK;
85
86 /* Set up the netlink headers */
87 req.nlh.nlmsg_type = type;
88 req.nlh.nlmsg_len = NLMSG_SPACE(size);
89 req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
90
91 /*
92 * Check for a valid fd, even though sendto would catch this, its easier
93 * to always blindly increment the sequence number
94 */
95 if (fd < 0) {
96 return -EBADF;
97 }
98
99 /* Ensure the message is not too big */
100 if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
William Roberts29d238d2013-02-08 09:45:26 +0900101 return -EINVAL;
102 }
103
104 /* Only memcpy in the data if it was specified */
105 if (size && data) {
106 memcpy(NLMSG_DATA(&req.nlh), data, size);
107 }
108
109 /*
110 * Only increment the sequence number on a guarantee
111 * you will send it to the kernel.
112 *
113 * Also, the sequence is defined as a u32 in the kernel
114 * struct. Using an int here might not work on 32/64 bit splits. A
115 * signed 64 bit value can overflow a u32..but a u32
116 * might not fit in the response, so we need to use s32.
117 * Which is still kind of hackish since int could be 16 bits
118 * in size. The only safe type to use here is a signed 16
119 * bit value.
120 */
121 req.nlh.nlmsg_seq = ++sequence;
122
123 /* While failing and its due to interrupts */
124
125 rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
126 (struct sockaddr*) &addr, sizeof(addr)));
127
128 /* Not all the bytes were sent */
129 if (rc < 0) {
130 rc = -errno;
William Roberts29d238d2013-02-08 09:45:26 +0900131 goto out;
132 } else if ((uint32_t) rc != req.nlh.nlmsg_len) {
133 rc = -EPROTO;
134 goto out;
135 }
136
137 /* We sent all the bytes, get the ack */
Mark Salyzyncfd5b082016-10-17 14:28:00 -0700138 rc = get_ack(fd);
William Roberts29d238d2013-02-08 09:45:26 +0900139
140 /* If the ack failed, return the error, else return the sequence number */
141 rc = (rc == 0) ? (int) sequence : rc;
142
143out:
144 /* Don't let sequence roll to negative */
145 if (sequence < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900146 sequence = 0;
147 }
148
149 return rc;
150}
151
Mark Salyzyn247d6822017-01-03 14:00:19 -0800152int audit_setup(int fd, pid_t pid)
William Roberts29d238d2013-02-08 09:45:26 +0900153{
154 int rc;
155 struct audit_message rep;
156 struct audit_status status;
157
158 memset(&status, 0, sizeof(status));
159
160 /*
161 * In order to set the auditd PID we send an audit message over the netlink
162 * socket with the pid field of the status struct set to our current pid,
163 * and the the mask set to AUDIT_STATUS_PID
164 */
165 status.pid = pid;
Mark Salyzyn247d6822017-01-03 14:00:19 -0800166 status.mask = AUDIT_STATUS_PID;
William Roberts29d238d2013-02-08 09:45:26 +0900167
168 /* Let the kernel know this pid will be registering for audit events */
169 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
170 if (rc < 0) {
William Roberts29d238d2013-02-08 09:45:26 +0900171 return rc;
172 }
173
174 /*
175 * In a request where we need to wait for a response, wait for the message
176 * and discard it. This message confirms and sync's us with the kernel.
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800177 * This daemon is now registered as the audit logger.
178 *
179 * TODO
180 * If the daemon dies and restarts the message didn't come back,
181 * so I went to non-blocking and it seemed to fix the bug.
182 * Need to investigate further.
William Roberts29d238d2013-02-08 09:45:26 +0900183 */
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800184 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
William Roberts29d238d2013-02-08 09:45:26 +0900185
186 return 0;
187}
188
Mark Salyzyn247d6822017-01-03 14:00:19 -0800189int audit_rate_limit(int fd, unsigned rate_limit)
190{
191 int rc;
192 struct audit_message rep;
193 struct audit_status status;
194
195 memset(&status, 0, sizeof(status));
196
197 status.mask = AUDIT_STATUS_RATE_LIMIT;
198 status.rate_limit = rate_limit; /* audit entries per second */
199
200 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
201 if (rc < 0) {
202 return rc;
203 }
204
205 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
206
207 return 0;
208}
209
William Roberts29d238d2013-02-08 09:45:26 +0900210int audit_open()
211{
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800212 return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
William Roberts29d238d2013-02-08 09:45:26 +0900213}
214
215int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
216{
217 ssize_t len;
218 int flags;
219 int rc = 0;
220
221 struct sockaddr_nl nladdr;
222 socklen_t nladdrlen = sizeof(nladdr);
223
224 if (fd < 0) {
225 return -EBADF;
226 }
227
228 /* Set up the flags for recv from */
229 flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
230 flags |= peek;
231
232 /*
233 * Get the data from the netlink socket but on error we need to be carefull,
234 * the interface shows that EINTR can never be returned, other errors,
235 * however, can be returned.
236 */
237 len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
238 (struct sockaddr*) &nladdr, &nladdrlen));
239
240 /*
241 * EAGAIN should be re-tried until success or another error manifests.
242 */
243 if (len < 0) {
244 rc = -errno;
245 if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
246 /* If request is non blocking and errno is EAGAIN, just return 0 */
247 return 0;
248 }
William Roberts29d238d2013-02-08 09:45:26 +0900249 return rc;
250 }
251
252 if (nladdrlen != sizeof(nladdr)) {
William Roberts29d238d2013-02-08 09:45:26 +0900253 return -EPROTO;
254 }
255
256 /* Make sure the netlink message was not spoof'd */
257 if (nladdr.nl_pid) {
William Roberts29d238d2013-02-08 09:45:26 +0900258 return -EINVAL;
259 }
260
261 /* Check if the reply from the kernel was ok */
262 if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
263 rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
William Roberts29d238d2013-02-08 09:45:26 +0900264 }
265
266 return rc;
267}
268
269void audit_close(int fd)
270{
Mark Salyzyncfd5b082016-10-17 14:28:00 -0700271 close(fd);
William Roberts29d238d2013-02-08 09:45:26 +0900272}