• Home
  • History
  • Annotate
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <ctype.h>
18 #include <errno.h>
19 #include <limits.h>
20 #include <stdarg.h>
21 #include <stdlib.h>
22 #include <sys/klog.h>
23 #include <sys/prctl.h>
24 #include <sys/uio.h>
25 #include <syslog.h>
26 
27 #include "libaudit.h"
28 #include "LogAudit.h"
29 
30 #define KMSG_PRIORITY(PRI)         \
31     '<',                           \
32     '0' + (LOG_AUTH | (PRI)) / 10, \
33     '0' + (LOG_AUTH | (PRI)) % 10, \
34     '>'
35 
LogAudit(LogBuffer * buf,LogReader * reader,int fdDmsg)36 LogAudit::LogAudit(LogBuffer *buf, LogReader *reader, int fdDmsg)
37         : SocketListener(getLogSocket(), false)
38         , logbuf(buf)
39         , reader(reader)
40         , fdDmesg(-1) {
41     static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO),
42         'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
43         ' ', 's', 't', 'a', 'r', 't', '\n' };
44     write(fdDmsg, auditd_message, sizeof(auditd_message));
45     logDmesg();
46     fdDmesg = fdDmsg;
47 }
48 
onDataAvailable(SocketClient * cli)49 bool LogAudit::onDataAvailable(SocketClient *cli) {
50     prctl(PR_SET_NAME, "logd.auditd");
51 
52     struct audit_message rep;
53 
54     rep.nlh.nlmsg_type = 0;
55     rep.nlh.nlmsg_len = 0;
56     rep.data[0] = '\0';
57 
58     if (audit_get_reply(cli->getSocket(), &rep, GET_REPLY_BLOCKING, 0) < 0) {
59         SLOGE("Failed on audit_get_reply with error: %s", strerror(errno));
60         return false;
61     }
62 
63     logPrint("type=%d %.*s", rep.nlh.nlmsg_type, rep.nlh.nlmsg_len, rep.data);
64 
65     return true;
66 }
67 
logPrint(const char * fmt,...)68 int LogAudit::logPrint(const char *fmt, ...) {
69     if (fmt == NULL) {
70         return -EINVAL;
71     }
72 
73     va_list args;
74 
75     char *str = NULL;
76     va_start(args, fmt);
77     int rc = vasprintf(&str, fmt, args);
78     va_end(args);
79 
80     if (rc < 0) {
81         return rc;
82     }
83 
84     char *cp;
85     while ((cp = strstr(str, "  "))) {
86         memmove(cp, cp + 1, strlen(cp + 1) + 1);
87     }
88 
89     bool info = strstr(str, " permissive=1") || strstr(str, " policy loaded ");
90     if (fdDmesg >= 0) {
91         struct iovec iov[3];
92         static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
93         static const char log_warning[] = { KMSG_PRIORITY(LOG_WARNING) };
94 
95         iov[0].iov_base = info ? const_cast<char *>(log_info)
96                                : const_cast<char *>(log_warning);
97         iov[0].iov_len = info ? sizeof(log_info) : sizeof(log_warning);
98         iov[1].iov_base = str;
99         iov[1].iov_len = strlen(str);
100         iov[2].iov_base = const_cast<char *>("\n");
101         iov[2].iov_len = 1;
102 
103         writev(fdDmesg, iov, sizeof(iov) / sizeof(iov[0]));
104     }
105 
106     pid_t pid = getpid();
107     pid_t tid = gettid();
108     uid_t uid = getuid();
109     log_time now;
110 
111     static const char audit_str[] = " audit(";
112     char *timeptr = strstr(str, audit_str);
113     if (timeptr
114             && ((cp = now.strptime(timeptr + sizeof(audit_str) - 1, "%s.%q")))
115             && (*cp == ':')) {
116         memcpy(timeptr + sizeof(audit_str) - 1, "0.0", 3);
117         memmove(timeptr + sizeof(audit_str) - 1 + 3, cp, strlen(cp) + 1);
118     } else {
119         now.strptime("", ""); // side effect of setting CLOCK_REALTIME
120     }
121 
122     static const char pid_str[] = " pid=";
123     char *pidptr = strstr(str, pid_str);
124     if (pidptr && isdigit(pidptr[sizeof(pid_str) - 1])) {
125         cp = pidptr + sizeof(pid_str) - 1;
126         pid = 0;
127         while (isdigit(*cp)) {
128             pid = (pid * 10) + (*cp - '0');
129             ++cp;
130         }
131         tid = pid;
132         uid = logbuf->pidToUid(pid);
133         memmove(pidptr, cp, strlen(cp) + 1);
134     }
135 
136     // log to events
137 
138     size_t l = strlen(str);
139     size_t n = l + sizeof(uint32_t) + sizeof(uint8_t) + sizeof(uint32_t);
140 
141     bool notify = false;
142 
143     char *newstr = reinterpret_cast<char *>(malloc(n));
144     if (!newstr) {
145         rc = -ENOMEM;
146     } else {
147         cp = newstr;
148         *cp++ = AUDITD_LOG_TAG & 0xFF;
149         *cp++ = (AUDITD_LOG_TAG >> 8) & 0xFF;
150         *cp++ = (AUDITD_LOG_TAG >> 16) & 0xFF;
151         *cp++ = (AUDITD_LOG_TAG >> 24) & 0xFF;
152         *cp++ = EVENT_TYPE_STRING;
153         *cp++ = l & 0xFF;
154         *cp++ = (l >> 8) & 0xFF;
155         *cp++ = (l >> 16) & 0xFF;
156         *cp++ = (l >> 24) & 0xFF;
157         memcpy(cp, str, l);
158 
159         logbuf->log(LOG_ID_EVENTS, now, uid, pid, tid, newstr,
160                     (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
161         free(newstr);
162 
163         notify = true;
164     }
165 
166     // log to main
167 
168     static const char comm_str[] = " comm=\"";
169     const char *comm = strstr(str, comm_str);
170     const char *estr = str + strlen(str);
171     if (comm) {
172         estr = comm;
173         comm += sizeof(comm_str) - 1;
174     } else if (pid == getpid()) {
175         pid = tid;
176         comm = "auditd";
177     } else if (!(comm = logbuf->pidToName(pid))) {
178         comm = "unknown";
179     }
180 
181     const char *ecomm = strchr(comm, '"');
182     if (ecomm) {
183         ++ecomm;
184         l = ecomm - comm;
185     } else {
186         l = strlen(comm) + 1;
187         ecomm = "";
188     }
189     n = (estr - str) + strlen(ecomm) + l + 2;
190 
191     newstr = reinterpret_cast<char *>(malloc(n));
192     if (!newstr) {
193         rc = -ENOMEM;
194     } else {
195         *newstr = info ? ANDROID_LOG_INFO : ANDROID_LOG_WARN;
196         strlcpy(newstr + 1, comm, l);
197         strncpy(newstr + 1 + l, str, estr - str);
198         strcpy(newstr + 1 + l + (estr - str), ecomm);
199 
200         logbuf->log(LOG_ID_MAIN, now, uid, pid, tid, newstr,
201                     (n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
202         free(newstr);
203 
204         notify = true;
205     }
206 
207     free(str);
208 
209     if (notify) {
210         reader->notifyNewLog();
211     }
212 
213     return rc;
214 }
215 
logDmesg()216 void LogAudit::logDmesg() {
217     int len = klogctl(KLOG_SIZE_BUFFER, NULL, 0);
218     if (len <= 0) {
219         return;
220     }
221 
222     len++;
223     char buf[len];
224 
225     int rc = klogctl(KLOG_READ_ALL, buf, len);
226 
227     buf[len - 1] = '\0';
228 
229     for(char *tok = buf; (rc >= 0) && ((tok = strtok(tok, "\r\n"))); tok = NULL) {
230         char *audit = strstr(tok, " audit(");
231         if (!audit) {
232             continue;
233         }
234 
235         *audit++ = '\0';
236 
237         char *type = strstr(tok, "type=");
238         if (type) {
239             rc = logPrint("%s %s", type, audit);
240         } else {
241             rc = logPrint("%s", audit);
242         }
243     }
244 }
245 
getLogSocket()246 int LogAudit::getLogSocket() {
247     int fd = audit_open();
248     if (fd < 0) {
249         return fd;
250     }
251     if (audit_setup(fd, getpid()) < 0) {
252         audit_close(fd);
253         fd = -1;
254     }
255     return fd;
256 }
257