1 /*
2  * Copyright 2012, Samsung Telecommunications of America
3  * Copyright (C) 2014 The Android Open Source Project
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  * Written by William Roberts <w.roberts@sta.samsung.com>
18  *
19  */
20 
21 #include "libaudit.h"
22 
23 #include <errno.h>
24 #include <string.h>
25 #include <unistd.h>
26 
27 #include <limits>
28 
29 /**
30  * Waits for an ack from the kernel
31  * @param fd
32  *  The netlink socket fd
33  * @return
34  *  This function returns 0 on success, else -errno.
35  */
get_ack(int fd)36 static int get_ack(int fd) {
37     struct audit_message rep = {};
38     int rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
39     if (rc < 0) {
40         return rc;
41     }
42 
43     if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
44         audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
45         rc = reinterpret_cast<struct nlmsgerr*>(rep.data)->error;
46         if (rc) {
47             return -rc;
48         }
49     }
50 
51     return 0;
52 }
53 
54 /**
55  *
56  * @param fd
57  *  The netlink socket fd
58  * @param type
59  *  The type of netlink message
60  * @param data
61  *  The data to send
62  * @param size
63  *  The length of the data in bytes
64  * @return
65  *  This function returns a positive sequence number on success, else -errno.
66  */
audit_send(int fd,int type,const void * data,size_t size)67 static int audit_send(int fd, int type, const void* data, size_t size) {
68     struct sockaddr_nl addr = {.nl_family = AF_NETLINK};
69 
70     /* Set up the netlink headers */
71     struct audit_message req = {};
72     req.nlh.nlmsg_type = static_cast<uint16_t>(type);
73     req.nlh.nlmsg_len = NLMSG_SPACE(size);
74     req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
75 
76     /*
77      * Check for a valid fd, even though sendto would catch this, its easier
78      * to always blindly increment the sequence number
79      */
80     if (fd < 0) {
81         return -EBADF;
82     }
83 
84     /* Ensure the message is not too big */
85     if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
86         return -EINVAL;
87     }
88 
89     /* Only memcpy in the data if it was specified */
90     if (size && data) {
91         memcpy(NLMSG_DATA(&req.nlh), data, size);
92     }
93 
94     /*
95      * Only increment the sequence number on a guarantee
96      * you will send it to the kernel.
97      */
98     static uint32_t sequence = 0;
99     if (sequence == std::numeric_limits<uint32_t>::max()) {
100         sequence = 1;
101     } else {
102         sequence++;
103     }
104     req.nlh.nlmsg_seq = sequence;
105 
106     ssize_t rc = TEMP_FAILURE_RETRY(
107             sendto(fd, &req, req.nlh.nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)));
108 
109     /* Not all the bytes were sent */
110     if (rc < 0) {
111         return -errno;
112     } else if ((uint32_t)rc != req.nlh.nlmsg_len) {
113         return -EPROTO;
114     }
115 
116     /* We sent all the bytes, get the ack */
117     rc = get_ack(fd);
118 
119     /* If the ack failed, return the error, else return the sequence number */
120     rc = (rc == 0) ? (int)sequence : rc;
121 
122     return rc;
123 }
124 
audit_setup(int fd,pid_t pid)125 int audit_setup(int fd, pid_t pid) {
126     /*
127      * In order to set the auditd PID we send an audit message over the netlink
128      * socket with the pid field of the status struct set to our current pid,
129      * and the the mask set to AUDIT_STATUS_PID
130      */
131     struct audit_status status = {
132             .mask = AUDIT_STATUS_PID,
133             .pid = static_cast<uint32_t>(pid),
134     };
135 
136     /* Let the kernel know this pid will be registering for audit events */
137     int rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
138     if (rc < 0) {
139         return rc;
140     }
141 
142     /*
143      * In a request where we need to wait for a response, wait for the message
144      * and discard it. This message confirms and sync's us with the kernel.
145      * This daemon is now registered as the audit logger.
146      *
147      * TODO
148      * If the daemon dies and restarts the message didn't come back,
149      * so I went to non-blocking and it seemed to fix the bug.
150      * Need to investigate further.
151      */
152     struct audit_message rep = {};
153     audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
154 
155     return 0;
156 }
157 
audit_open()158 int audit_open() {
159     return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
160 }
161 
audit_rate_limit(int fd,uint32_t limit)162 int audit_rate_limit(int fd, uint32_t limit) {
163     struct audit_status status = {
164             .mask = AUDIT_STATUS_RATE_LIMIT, .rate_limit = limit, /* audit entries per second */
165     };
166     return audit_send(fd, AUDIT_SET, &status, sizeof(status));
167 }
168 
audit_get_reply(int fd,struct audit_message * rep,reply_t block,int peek)169 int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) {
170     if (fd < 0) {
171         return -EBADF;
172     }
173 
174     int flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
175     flags |= peek;
176 
177     /*
178      * Get the data from the netlink socket but on error we need to be carefull,
179      * the interface shows that EINTR can never be returned, other errors,
180      * however, can be returned.
181      */
182     struct sockaddr_nl nladdr;
183     socklen_t nladdrlen = sizeof(nladdr);
184     ssize_t len = TEMP_FAILURE_RETRY(
185             recvfrom(fd, rep, sizeof(*rep), flags, (struct sockaddr*)&nladdr, &nladdrlen));
186 
187     /*
188      * EAGAIN should be re-tried until success or another error manifests.
189      */
190     if (len < 0) {
191         if (block == GET_REPLY_NONBLOCKING && errno == EAGAIN) {
192             /* If request is non blocking and errno is EAGAIN, just return 0 */
193             return 0;
194         }
195         return -errno;
196     }
197 
198     if (nladdrlen != sizeof(nladdr)) {
199         return -EPROTO;
200     }
201 
202     /* Make sure the netlink message was not spoof'd */
203     if (nladdr.nl_pid) {
204         return -EINVAL;
205     }
206 
207     /* Check if the reply from the kernel was ok */
208     if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
209         return len == sizeof(*rep) ? -EFBIG : -EBADE;
210     }
211 
212     return 0;
213 }
214 
audit_close(int fd)215 void audit_close(int fd) {
216     close(fd);
217 }
218