Blame - logd/LogAudit.cpp - android_system_core

blob: c7c024995dbacb3c66fe9a88683876e3151bfc83 [file] [log] [blame]

William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	1	/*
				2	* Copyright (C) 2014 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include <ctype.h>
				18	#include <errno.h>
Mark Salyzyn	e0fa291	2014-04-28 16:39:04 -0700	[diff] [blame]	19	#include <limits.h>
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	20	#include <stdarg.h>
				21	#include <stdlib.h>
Mark Salyzyn	8daa9af	2014-04-28 14:07:23 -0700	[diff] [blame]	22	#include <sys/prctl.h>
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	23	#include <sys/uio.h>
Mark Salyzyn	7ee2aef	2014-09-28 14:41:50 -0700	[diff] [blame]	24	#include <syslog.h>
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	25
				26	#include "libaudit.h"
				27	#include "LogAudit.h"
				28
Mark Salyzyn	7ee2aef	2014-09-28 14:41:50 -0700	[diff] [blame]	29	#define KMSG_PRIORITY(PRI) \
				30	'<', \
				31	'0' + (LOG_AUTH \| (PRI)) / 10, \
				32	'0' + (LOG_AUTH \| (PRI)) % 10, \
				33	'>'
				34
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	35	LogAudit::LogAudit(LogBuffer buf, LogReader reader, int fdDmesg)
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	36	: SocketListener(getLogSocket(), false)
				37	, logbuf(buf)
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	38	, reader(reader)
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	39	, fdDmesg(fdDmesg)
				40	, initialized(false) {
Mark Salyzyn	7ee2aef	2014-09-28 14:41:50 -0700	[diff] [blame]	41	static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO),
				42	'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
				43	' ', 's', 't', 'a', 'r', 't', '\n' };
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	44	write(fdDmesg, auditd_message, sizeof(auditd_message));
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	45	}
				46
				47	bool LogAudit::onDataAvailable(SocketClient *cli) {
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	48	if (!initialized) {
				49	prctl(PR_SET_NAME, "logd.auditd");
				50	initialized = true;
				51	}
Mark Salyzyn	8daa9af	2014-04-28 14:07:23 -0700	[diff] [blame]	52
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	53	struct audit_message rep;
				54
Mark Salyzyn	e0fa291	2014-04-28 16:39:04 -0700	[diff] [blame]	55	rep.nlh.nlmsg_type = 0;
				56	rep.nlh.nlmsg_len = 0;
				57	rep.data[0] = '\0';
				58
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	59	if (audit_get_reply(cli->getSocket(), &rep, GET_REPLY_BLOCKING, 0) < 0) {
				60	SLOGE("Failed on audit_get_reply with error: %s", strerror(errno));
				61	return false;
				62	}
				63
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	64	logPrint("type=%d %.*s",
				65	rep.nlh.nlmsg_type, rep.nlh.nlmsg_len, rep.data);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	66
				67	return true;
				68	}
				69
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	70	int LogAudit::logPrint(const char *fmt, ...) {
				71	if (fmt == NULL) {
				72	return -EINVAL;
				73	}
				74
				75	va_list args;
				76
				77	char *str = NULL;
				78	va_start(args, fmt);
				79	int rc = vasprintf(&str, fmt, args);
				80	va_end(args);
				81
				82	if (rc < 0) {
				83	return rc;
				84	}
				85
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	86	char *cp;
				87	while ((cp = strstr(str, " "))) {
				88	memmove(cp, cp + 1, strlen(cp + 1) + 1);
				89	}
				90
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame]	91	bool info = strstr(str, " permissive=1") \|\| strstr(str, " policy loaded ");
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	92	if ((fdDmesg >= 0) && initialized) {
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame]	93	struct iovec iov[3];
Mark Salyzyn	7ee2aef	2014-09-28 14:41:50 -0700	[diff] [blame]	94	static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
				95	static const char log_warning[] = { KMSG_PRIORITY(LOG_WARNING) };
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	96
Mark Salyzyn	7ee2aef	2014-09-28 14:41:50 -0700	[diff] [blame]	97	iov[0].iov_base = info ? const_cast<char *>(log_info)
				98	: const_cast<char *>(log_warning);
				99	iov[0].iov_len = info ? sizeof(log_info) : sizeof(log_warning);
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame]	100	iov[1].iov_base = str;
				101	iov[1].iov_len = strlen(str);
				102	iov[2].iov_base = const_cast<char *>("\n");
				103	iov[2].iov_len = 1;
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	104
				105	writev(fdDmesg, iov, sizeof(iov) / sizeof(iov[0]));
				106	}
				107
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	108	pid_t pid = getpid();
				109	pid_t tid = gettid();
				110	uid_t uid = getuid();
				111	log_time now;
				112
				113	static const char audit_str[] = " audit(";
				114	char *timeptr = strstr(str, audit_str);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	115	if (timeptr
				116	&& ((cp = now.strptime(timeptr + sizeof(audit_str) - 1, "%s.%q")))
				117	&& (*cp == ':')) {
				118	memcpy(timeptr + sizeof(audit_str) - 1, "0.0", 3);
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	119	memmove(timeptr + sizeof(audit_str) - 1 + 3, cp, strlen(cp) + 1);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	120	} else {
				121	now.strptime("", ""); // side effect of setting CLOCK_REALTIME
				122	}
				123
				124	static const char pid_str[] = " pid=";
				125	char *pidptr = strstr(str, pid_str);
				126	if (pidptr && isdigit(pidptr[sizeof(pid_str) - 1])) {
				127	cp = pidptr + sizeof(pid_str) - 1;
				128	pid = 0;
				129	while (isdigit(*cp)) {
				130	pid = (pid * 10) + (*cp - '0');
				131	++cp;
				132	}
				133	tid = pid;
				134	uid = logbuf->pidToUid(pid);
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	135	memmove(pidptr, cp, strlen(cp) + 1);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	136	}
				137
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	138	// log to events
				139
				140	size_t l = strlen(str);
				141	size_t n = l + sizeof(uint32_t) + sizeof(uint8_t) + sizeof(uint32_t);
				142
				143	bool notify = false;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	144
				145	char newstr = reinterpret_cast<char >(malloc(n));
				146	if (!newstr) {
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	147	rc = -ENOMEM;
				148	} else {
				149	cp = newstr;
				150	*cp++ = AUDITD_LOG_TAG & 0xFF;
				151	*cp++ = (AUDITD_LOG_TAG >> 8) & 0xFF;
				152	*cp++ = (AUDITD_LOG_TAG >> 16) & 0xFF;
				153	*cp++ = (AUDITD_LOG_TAG >> 24) & 0xFF;
				154	*cp++ = EVENT_TYPE_STRING;
				155	*cp++ = l & 0xFF;
				156	*cp++ = (l >> 8) & 0xFF;
				157	*cp++ = (l >> 16) & 0xFF;
				158	*cp++ = (l >> 24) & 0xFF;
				159	memcpy(cp, str, l);
				160
				161	logbuf->log(LOG_ID_EVENTS, now, uid, pid, tid, newstr,
				162	(n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
				163	free(newstr);
				164
				165	notify = true;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	166	}
				167
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	168	// log to main
				169
				170	static const char comm_str[] = " comm=\"";
				171	const char *comm = strstr(str, comm_str);
				172	const char *estr = str + strlen(str);
				173	if (comm) {
				174	estr = comm;
				175	comm += sizeof(comm_str) - 1;
				176	} else if (pid == getpid()) {
				177	pid = tid;
				178	comm = "auditd";
				179	} else if (!(comm = logbuf->pidToName(pid))) {
				180	comm = "unknown";
				181	}
				182
				183	const char *ecomm = strchr(comm, '"');
				184	if (ecomm) {
				185	++ecomm;
				186	l = ecomm - comm;
				187	} else {
				188	l = strlen(comm) + 1;
				189	ecomm = "";
				190	}
				191	n = (estr - str) + strlen(ecomm) + l + 2;
				192
				193	newstr = reinterpret_cast<char *>(malloc(n));
				194	if (!newstr) {
				195	rc = -ENOMEM;
				196	} else {
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame]	197	*newstr = info ? ANDROID_LOG_INFO : ANDROID_LOG_WARN;
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	198	strlcpy(newstr + 1, comm, l);
				199	strncpy(newstr + 1 + l, str, estr - str);
				200	strcpy(newstr + 1 + l + (estr - str), ecomm);
				201
				202	logbuf->log(LOG_ID_MAIN, now, uid, pid, tid, newstr,
				203	(n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
				204	free(newstr);
				205
				206	notify = true;
				207	}
				208
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	209	free(str);
				210
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	211	if (notify) {
				212	reader->notifyNewLog();
				213	}
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	214
				215	return rc;
				216	}
				217
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	218	int LogAudit::log(char *buf) {
				219	char *audit = strstr(buf, " audit(");
				220	if (!audit) {
				221	return 0;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	222	}
				223
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	224	*audit = '\0';
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	225
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	226	int rc;
				227	char *type = strstr(buf, "type=");
				228	if (type) {
				229	rc = logPrint("%s %s", type, audit + 1);
				230	} else {
				231	rc = logPrint("%s", audit + 1);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	232	}
Mark Salyzyn	eb06de7	2014-10-13 09:59:37 -0700	[diff] [blame^]	233	*audit = ' ';
				234	return rc;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	235	}
				236
				237	int LogAudit::getLogSocket() {
				238	int fd = audit_open();
				239	if (fd < 0) {
				240	return fd;
				241	}
Nick Kralevich	c234a1b	2014-11-19 13:33:22 -0800	[diff] [blame]	242	if (audit_setup(fd, getpid()) < 0) {
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	243	audit_close(fd);
				244	fd = -1;
				245	}
				246	return fd;
				247	}