1 /*
2  * Copyright 2012, Samsung Telecommunications of America
3  * Copyright (C) 2014 The Android Open Source Project
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  * Written by William Roberts <w.roberts@sta.samsung.com>
18  *
19  */
20 
21 #include <errno.h>
22 #include <string.h>
23 #include <unistd.h>
24 
25 #include "libaudit.h"
26 
27 /**
28  * Waits for an ack from the kernel
29  * @param fd
30  *  The netlink socket fd
31  * @return
32  *  This function returns 0 on success, else -errno.
33  */
get_ack(int fd)34 static int get_ack(int fd) {
35     int rc;
36     struct audit_message rep;
37 
38     /* Sanity check, this is an internal interface this shouldn't happen */
39     if (fd < 0) {
40         return -EINVAL;
41     }
42 
43     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, MSG_PEEK);
44     if (rc < 0) {
45         return rc;
46     }
47 
48     if (rep.nlh.nlmsg_type == NLMSG_ERROR) {
49         audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
50         rc = ((struct nlmsgerr*)rep.data)->error;
51         if (rc) {
52             return -rc;
53         }
54     }
55 
56     return 0;
57 }
58 
59 /**
60  *
61  * @param fd
62  *  The netlink socket fd
63  * @param type
64  *  The type of netlink message
65  * @param data
66  *  The data to send
67  * @param size
68  *  The length of the data in bytes
69  * @return
70  *  This function returns a positive sequence number on success, else -errno.
71  */
audit_send(int fd,int type,const void * data,size_t size)72 static int audit_send(int fd, int type, const void* data, size_t size) {
73     int rc;
74     static int16_t sequence = 0;
75     struct audit_message req;
76     struct sockaddr_nl addr;
77 
78     memset(&req, 0, sizeof(req));
79     memset(&addr, 0, sizeof(addr));
80 
81     /* We always send netlink messaged */
82     addr.nl_family = AF_NETLINK;
83 
84     /* Set up the netlink headers */
85     req.nlh.nlmsg_type = type;
86     req.nlh.nlmsg_len = NLMSG_SPACE(size);
87     req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
88 
89     /*
90      * Check for a valid fd, even though sendto would catch this, its easier
91      * to always blindly increment the sequence number
92      */
93     if (fd < 0) {
94         return -EBADF;
95     }
96 
97     /* Ensure the message is not too big */
98     if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
99         return -EINVAL;
100     }
101 
102     /* Only memcpy in the data if it was specified */
103     if (size && data) {
104         memcpy(NLMSG_DATA(&req.nlh), data, size);
105     }
106 
107     /*
108      * Only increment the sequence number on a guarantee
109      * you will send it to the kernel.
110      *
111      * Also, the sequence is defined as a u32 in the kernel
112      * struct. Using an int here might not work on 32/64 bit splits. A
113      * signed 64 bit value can overflow a u32..but a u32
114      * might not fit in the response, so we need to use s32.
115      * Which is still kind of hackish since int could be 16 bits
116      * in size. The only safe type to use here is a signed 16
117      * bit value.
118      */
119     req.nlh.nlmsg_seq = ++sequence;
120 
121     /* While failing and its due to interrupts */
122 
123     rc = TEMP_FAILURE_RETRY(sendto(fd, &req, req.nlh.nlmsg_len, 0,
124                                    (struct sockaddr*)&addr, sizeof(addr)));
125 
126     /* Not all the bytes were sent */
127     if (rc < 0) {
128         rc = -errno;
129         goto out;
130     } else if ((uint32_t)rc != req.nlh.nlmsg_len) {
131         rc = -EPROTO;
132         goto out;
133     }
134 
135     /* We sent all the bytes, get the ack */
136     rc = get_ack(fd);
137 
138     /* If the ack failed, return the error, else return the sequence number */
139     rc = (rc == 0) ? (int)sequence : rc;
140 
141 out:
142     /* Don't let sequence roll to negative */
143     if (sequence < 0) {
144         sequence = 0;
145     }
146 
147     return rc;
148 }
149 
audit_setup(int fd,pid_t pid)150 int audit_setup(int fd, pid_t pid) {
151     int rc;
152     struct audit_message rep;
153     struct audit_status status;
154 
155     memset(&status, 0, sizeof(status));
156 
157     /*
158      * In order to set the auditd PID we send an audit message over the netlink
159      * socket with the pid field of the status struct set to our current pid,
160      * and the the mask set to AUDIT_STATUS_PID
161      */
162     status.pid = pid;
163     status.mask = AUDIT_STATUS_PID;
164 
165     /* Let the kernel know this pid will be registering for audit events */
166     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
167     if (rc < 0) {
168         return rc;
169     }
170 
171     /*
172      * In a request where we need to wait for a response, wait for the message
173      * and discard it. This message confirms and sync's us with the kernel.
174      * This daemon is now registered as the audit logger.
175      *
176      * TODO
177      * If the daemon dies and restarts the message didn't come back,
178      * so I went to non-blocking and it seemed to fix the bug.
179      * Need to investigate further.
180      */
181     audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
182 
183     return 0;
184 }
185 
audit_rate_limit(int fd,unsigned rate_limit)186 int audit_rate_limit(int fd, unsigned rate_limit) {
187     int rc;
188     struct audit_message rep;
189     struct audit_status status;
190 
191     memset(&status, 0, sizeof(status));
192 
193     status.mask = AUDIT_STATUS_RATE_LIMIT;
194     status.rate_limit = rate_limit; /* audit entries per second */
195 
196     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
197     if (rc < 0) {
198         return rc;
199     }
200 
201     audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
202 
203     return 0;
204 }
205 
audit_open()206 int audit_open() {
207     return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
208 }
209 
audit_get_reply(int fd,struct audit_message * rep,reply_t block,int peek)210 int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) {
211     ssize_t len;
212     int flags;
213     int rc = 0;
214 
215     struct sockaddr_nl nladdr;
216     socklen_t nladdrlen = sizeof(nladdr);
217 
218     if (fd < 0) {
219         return -EBADF;
220     }
221 
222     /* Set up the flags for recv from */
223     flags = (block == GET_REPLY_NONBLOCKING) ? MSG_DONTWAIT : 0;
224     flags |= peek;
225 
226     /*
227      * Get the data from the netlink socket but on error we need to be carefull,
228      * the interface shows that EINTR can never be returned, other errors,
229      * however, can be returned.
230      */
231     len = TEMP_FAILURE_RETRY(recvfrom(fd, rep, sizeof(*rep), flags,
232                                       (struct sockaddr*)&nladdr, &nladdrlen));
233 
234     /*
235      * EAGAIN should be re-tried until success or another error manifests.
236      */
237     if (len < 0) {
238         rc = -errno;
239         if (block == GET_REPLY_NONBLOCKING && rc == -EAGAIN) {
240             /* If request is non blocking and errno is EAGAIN, just return 0 */
241             return 0;
242         }
243         return rc;
244     }
245 
246     if (nladdrlen != sizeof(nladdr)) {
247         return -EPROTO;
248     }
249 
250     /* Make sure the netlink message was not spoof'd */
251     if (nladdr.nl_pid) {
252         return -EINVAL;
253     }
254 
255     /* Check if the reply from the kernel was ok */
256     if (!NLMSG_OK(&rep->nlh, (size_t)len)) {
257         rc = (len == sizeof(*rep)) ? -EFBIG : -EBADE;
258     }
259 
260     return rc;
261 }
262 
audit_close(int fd)263 void audit_close(int fd) {
264     close(fd);
265 }
266