• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2012, Samsung Telecommunications of America
3  * Copyright (C) 2014 The Android Open Source Project
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  * Written by William Roberts <w.roberts@sta.samsung.com>
18  *
19  */
20 
21 #include <errno.h>
22 #include <string.h>
23 #include <unistd.h>
24 
25 #define LOG_TAG "libaudit"
26 #include <log/log.h>
27 
28 #include "libaudit.h"
29 
30 /**
31  * Waits for an ack from the kernel
32  * @param fd
33  *  The netlink socket fd
34  * @param seq
35  *  The current sequence number were acking on
36  * @return
37  *  This function returns 0 on success, else -errno.
38  */
get_ack(int fd,int16_t seq)39 static int get_ack(int fd, int16_t seq)
40 {
41     int rc;
42     struct audit_message rep;
43 
44     /* Sanity check, this is an internal interface this shouldn't happen */
45     if (fd < 0) {
46         return -EINVAL;
47     }
48 
49     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
50     if (rc < 0) {
51         return rc;
52     }
53 
54     if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
55         audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
56         rc = ((struct nlmsgerr *)rep.data)->error;
57         if (rc) {
58             return -rc;
59         }
60     }
61 
62     if ((int16_t)rep.nlh.nlmsg_seq != seq) {
63         SLOGW("Expected sequence number between user space and kernel space is out of skew, "
64           "expected %u got %u", seq, rep.nlh.nlmsg_seq);
65     }
66 
67     return 0;
68 }
69 
70 /**
71  *
72  * @param fd
73  *  The netlink socket fd
74  * @param type
75  *  The type of netlink message
76  * @param data
77  *  The data to send
78  * @param size
79  *  The length of the data in bytes
80  * @return
81  *  This function returns a positive sequence number on success, else -errno.
82  */
audit_send(int fd,int type,const void * data,size_t size)83 static int audit_send(int fd, int type, const void *data, size_t size)
84 {
85     int rc;
86     static int16_t sequence = 0;
87     struct audit_message req;
88     struct sockaddr_nl addr;
89 
90     memset(&req, 0, sizeof(req));
91     memset(&addr, 0, sizeof(addr));
92 
93     /* We always send netlink messaged */
94     addr.nl_family = AF_NETLINK;
95 
96     /* Set up the netlink headers */
97     req.nlh.nlmsg_type = type;
98     req.nlh.nlmsg_len = NLMSG_SPACE(size);
99     req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
100 
101     /*
102      * Check for a valid fd, even though sendto would catch this, its easier
103      * to always blindly increment the sequence number
104      */
105     if (fd < 0) {
106         return -EBADF;
107     }
108 
109     /* Ensure the message is not too big */
110     if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
111         SLOGE("netlink message is too large");
112         return -EINVAL;
113     }
114 
115     /* Only memcpy in the data if it was specified */
116     if (size && data) {
117         memcpy(NLMSG_DATA(&req.nlh), data, size);
118     }
119 
120     /*
121      * Only increment the sequence number on a guarantee
122      * you will send it to the kernel.
123      *
124      * Also, the sequence is defined as a u32 in the kernel
125      * struct. Using an int here might not work on 32/64 bit splits. A
126      * signed 64 bit value can overflow a u32..but a u32
127      * might not fit in the response, so we need to use s32.
128      * Which is still kind of hackish since int could be 16 bits
129      * in size. The only safe type to use here is a signed 16
130      * bit value.
131      */
132     req.nlh.nlmsg_seq = ++sequence;
133 
134     /* While failing and its due to interrupts */
135 
136     rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
137                                    (struct sockaddr*) &addr, sizeof(addr)));
138 
139     /* Not all the bytes were sent */
140     if (rc < 0) {
141         rc = -errno;
142         SLOGE("Error sending data over the netlink socket: %s", strerror(-errno));
143         goto out;
144     } else if ((uint32_t) rc != req.nlh.nlmsg_len) {
145         rc = -EPROTO;
146         goto out;
147     }
148 
149     /* We sent all the bytes, get the ack */
150     rc = get_ack(fd, sequence);
151 
152     /* If the ack failed, return the error, else return the sequence number */
153     rc = (rc == 0) ? (int) sequence : rc;
154 
155 out:
156     /* Don't let sequence roll to negative */
157     if (sequence < 0) {
158         SLOGW("Auditd to Kernel sequence number has rolled over");
159         sequence = 0;
160     }
161 
162     return rc;
163 }
164 
audit_set_pid(int fd,uint32_t pid,rep_wait_t wmode)165 int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
166 {
167     int rc;
168     struct audit_message rep;
169     struct audit_status status;
170 
171     memset(&status, 0, sizeof(status));
172 
173     /*
174      * In order to set the auditd PID we send an audit message over the netlink
175      * socket with the pid field of the status struct set to our current pid,
176      * and the the mask set to AUDIT_STATUS_PID
177      */
178     status.pid = pid;
179     status.mask = AUDIT_STATUS_PID;
180 
181     /* Let the kernel know this pid will be registering for audit events */
182     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
183     if (rc < 0) {
184         SLOGE("Could net set pid for audit events, error: %s", strerror(-rc));
185         return rc;
186     }
187 
188     /*
189      * In a request where we need to wait for a response, wait for the message
190      * and discard it. This message confirms and sync's us with the kernel.
191      * This daemon is now registered as the audit logger. Only wait if the
192      * wmode is != WAIT_NO
193      */
194     if (wmode != WAIT_NO) {
195         /* TODO
196          * If the daemon dies and restarts the message didn't come back,
197          * so I went to non-blocking and it seemed to fix the bug.
198          * Need to investigate further.
199          */
200         audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
201     }
202 
203     return 0;
204 }
205 
audit_open()206 int audit_open()
207 {
208     return socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
209 }
210 
audit_get_reply(int fd,struct audit_message * rep,reply_t block,int peek)211 int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
212 {
213     ssize_t len;
214     int flags;
215     int rc = 0;
216 
217     struct sockaddr_nl nladdr;
218     socklen_t nladdrlen = sizeof(nladdr);
219 
220     if (fd < 0) {
221         return -EBADF;
222     }
223 
224     /* Set up the flags for recv from */
225     flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
226     flags |= peek;
227 
228     /*
229      * Get the data from the netlink socket but on error we need to be carefull,
230      * the interface shows that EINTR can never be returned, other errors,
231      * however, can be returned.
232      */
233     len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
234                                       (struct sockaddr*) &nladdr, &nladdrlen));
235 
236     /*
237      * EAGAIN should be re-tried until success or another error manifests.
238      */
239     if (len < 0) {
240         rc = -errno;
241         if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
242             /* If request is non blocking and errno is EAGAIN, just return 0 */
243             return 0;
244         }
245         SLOGE("Error receiving from netlink socket, error: %s", strerror(-rc));
246         return rc;
247     }
248 
249     if (nladdrlen != sizeof(nladdr)) {
250         SLOGE("Protocol fault, error: %s", strerror(EPROTO));
251         return -EPROTO;
252     }
253 
254     /* Make sure the netlink message was not spoof'd */
255     if (nladdr.nl_pid) {
256         SLOGE("Invalid netlink pid received, expected 0 got: %d", nladdr.nl_pid);
257         return -EINVAL;
258     }
259 
260     /* Check if the reply from the kernel was ok */
261     if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
262         rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
263         SLOGE("Bad kernel response %s", strerror(-rc));
264     }
265 
266     return rc;
267 }
268 
audit_close(int fd)269 void audit_close(int fd)
270 {
271     int rc = close(fd);
272     if (rc < 0) {
273         SLOGE("Attempting to close invalid fd %d, error: %s", fd, strerror(errno));
274     }
275     return;
276 }
277