blob: 288a052d87e45a7da9ae9f426085537e536c4f67 [file] [log] [blame]
William Roberts29d238d2013-02-08 09:45:26 +09001/*
2 * Copyright 2012, Samsung Telecommunications of America
3 * Copyright (C) 2014 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 * Written by William Roberts <w.roberts@sta.samsung.com>
18 *
19 */
20
Mark Salyzyn0dd44312016-09-28 15:54:45 -070021#define LOG_TAG "libaudit"
22
William Roberts29d238d2013-02-08 09:45:26 +090023#include <errno.h>
24#include <string.h>
25#include <unistd.h>
26
Mark Salyzyn0dd44312016-09-28 15:54:45 -070027#include <android/log.h>
William Roberts29d238d2013-02-08 09:45:26 +090028
29#include "libaudit.h"
30
31/**
32 * Waits for an ack from the kernel
33 * @param fd
34 * The netlink socket fd
35 * @param seq
36 * The current sequence number were acking on
37 * @return
38 * This function returns 0 on success, else -errno.
39 */
40static int get_ack(int fd, int16_t seq)
41{
42 int rc;
43 struct audit_message rep;
44
45 /* Sanity check, this is an internal interface this shouldn't happen */
46 if (fd < 0) {
47 return -EINVAL;
48 }
49
50 rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
51 if (rc < 0) {
52 return rc;
53 }
54
55 if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
56 audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
57 rc = ((struct nlmsgerr *)rep.data)->error;
58 if (rc) {
59 return -rc;
60 }
61 }
62
63 if ((int16_t)rep.nlh.nlmsg_seq != seq) {
64 SLOGW("Expected sequence number between user space and kernel space is out of skew, "
65 "expected %u got %u", seq, rep.nlh.nlmsg_seq);
66 }
67
68 return 0;
69}
70
71/**
72 *
73 * @param fd
74 * The netlink socket fd
75 * @param type
76 * The type of netlink message
77 * @param data
78 * The data to send
79 * @param size
80 * The length of the data in bytes
81 * @return
82 * This function returns a positive sequence number on success, else -errno.
83 */
84static int audit_send(int fd, int type, const void *data, size_t size)
85{
86 int rc;
87 static int16_t sequence = 0;
88 struct audit_message req;
89 struct sockaddr_nl addr;
90
91 memset(&req, 0, sizeof(req));
92 memset(&addr, 0, sizeof(addr));
93
94 /* We always send netlink messaged */
95 addr.nl_family = AF_NETLINK;
96
97 /* Set up the netlink headers */
98 req.nlh.nlmsg_type = type;
99 req.nlh.nlmsg_len = NLMSG_SPACE(size);
100 req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
101
102 /*
103 * Check for a valid fd, even though sendto would catch this, its easier
104 * to always blindly increment the sequence number
105 */
106 if (fd < 0) {
107 return -EBADF;
108 }
109
110 /* Ensure the message is not too big */
111 if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
112 SLOGE("netlink message is too large");
113 return -EINVAL;
114 }
115
116 /* Only memcpy in the data if it was specified */
117 if (size && data) {
118 memcpy(NLMSG_DATA(&req.nlh), data, size);
119 }
120
121 /*
122 * Only increment the sequence number on a guarantee
123 * you will send it to the kernel.
124 *
125 * Also, the sequence is defined as a u32 in the kernel
126 * struct. Using an int here might not work on 32/64 bit splits. A
127 * signed 64 bit value can overflow a u32..but a u32
128 * might not fit in the response, so we need to use s32.
129 * Which is still kind of hackish since int could be 16 bits
130 * in size. The only safe type to use here is a signed 16
131 * bit value.
132 */
133 req.nlh.nlmsg_seq = ++sequence;
134
135 /* While failing and its due to interrupts */
136
137 rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
138 (struct sockaddr*) &addr, sizeof(addr)));
139
140 /* Not all the bytes were sent */
141 if (rc < 0) {
142 rc = -errno;
143 SLOGE("Error sending data over the netlink socket: %s", strerror(-errno));
144 goto out;
145 } else if ((uint32_t) rc != req.nlh.nlmsg_len) {
146 rc = -EPROTO;
147 goto out;
148 }
149
150 /* We sent all the bytes, get the ack */
151 rc = get_ack(fd, sequence);
152
153 /* If the ack failed, return the error, else return the sequence number */
154 rc = (rc == 0) ? (int) sequence : rc;
155
156out:
157 /* Don't let sequence roll to negative */
158 if (sequence < 0) {
159 SLOGW("Auditd to Kernel sequence number has rolled over");
160 sequence = 0;
161 }
162
163 return rc;
164}
165
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800166int audit_setup(int fd, uint32_t pid)
William Roberts29d238d2013-02-08 09:45:26 +0900167{
168 int rc;
169 struct audit_message rep;
170 struct audit_status status;
171
172 memset(&status, 0, sizeof(status));
173
174 /*
175 * In order to set the auditd PID we send an audit message over the netlink
176 * socket with the pid field of the status struct set to our current pid,
177 * and the the mask set to AUDIT_STATUS_PID
178 */
179 status.pid = pid;
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800180 status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;
Nick Kralevich9667a662015-05-09 12:36:18 -0700181 status.rate_limit = 20; // audit entries per second
William Roberts29d238d2013-02-08 09:45:26 +0900182
183 /* Let the kernel know this pid will be registering for audit events */
184 rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
185 if (rc < 0) {
186 SLOGE("Could net set pid for audit events, error: %s", strerror(-rc));
187 return rc;
188 }
189
190 /*
191 * In a request where we need to wait for a response, wait for the message
192 * and discard it. This message confirms and sync's us with the kernel.
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800193 * This daemon is now registered as the audit logger.
194 *
195 * TODO
196 * If the daemon dies and restarts the message didn't come back,
197 * so I went to non-blocking and it seemed to fix the bug.
198 * Need to investigate further.
William Roberts29d238d2013-02-08 09:45:26 +0900199 */
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800200 audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
William Roberts29d238d2013-02-08 09:45:26 +0900201
202 return 0;
203}
204
205int audit_open()
206{
Nick Kralevichc234a1b2014-11-19 13:33:22 -0800207 return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
William Roberts29d238d2013-02-08 09:45:26 +0900208}
209
210int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
211{
212 ssize_t len;
213 int flags;
214 int rc = 0;
215
216 struct sockaddr_nl nladdr;
217 socklen_t nladdrlen = sizeof(nladdr);
218
219 if (fd < 0) {
220 return -EBADF;
221 }
222
223 /* Set up the flags for recv from */
224 flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
225 flags |= peek;
226
227 /*
228 * Get the data from the netlink socket but on error we need to be carefull,
229 * the interface shows that EINTR can never be returned, other errors,
230 * however, can be returned.
231 */
232 len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
233 (struct sockaddr*) &nladdr, &nladdrlen));
234
235 /*
236 * EAGAIN should be re-tried until success or another error manifests.
237 */
238 if (len < 0) {
239 rc = -errno;
240 if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
241 /* If request is non blocking and errno is EAGAIN, just return 0 */
242 return 0;
243 }
244 SLOGE("Error receiving from netlink socket, error: %s", strerror(-rc));
245 return rc;
246 }
247
248 if (nladdrlen != sizeof(nladdr)) {
249 SLOGE("Protocol fault, error: %s", strerror(EPROTO));
250 return -EPROTO;
251 }
252
253 /* Make sure the netlink message was not spoof'd */
254 if (nladdr.nl_pid) {
255 SLOGE("Invalid netlink pid received, expected 0 got: %d", nladdr.nl_pid);
256 return -EINVAL;
257 }
258
259 /* Check if the reply from the kernel was ok */
260 if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
261 rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
262 SLOGE("Bad kernel response %s", strerror(-rc));
263 }
264
265 return rc;
266}
267
268void audit_close(int fd)
269{
270 int rc = close(fd);
271 if (rc < 0) {
272 SLOGE("Attempting to close invalid fd %d, error: %s", fd, strerror(errno));
273 }
274 return;
275}