Blame - logd/LogAudit.cpp - SHIFTPHONES/android_system_core

blob: 9988178829788d754af2fb4dbfe09e0f3bd6ea00 [file] [log] [blame]

William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	1	/*
				2	* Copyright (C) 2014 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include <ctype.h>
				18	#include <errno.h>
Mark Salyzyn	e0fa291	2014-04-28 16:39:04 -0700	[diff] [blame]	19	#include <limits.h>
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	20	#include <stdarg.h>
				21	#include <stdlib.h>
				22	#include <sys/klog.h>
Mark Salyzyn	8daa9af	2014-04-28 14:07:23 -0700	[diff] [blame]	23	#include <sys/prctl.h>
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	24	#include <sys/uio.h>
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	25
				26	#include "libaudit.h"
				27	#include "LogAudit.h"
				28
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	29	LogAudit::LogAudit(LogBuffer buf, LogReader reader, int fdDmsg)
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	30	: SocketListener(getLogSocket(), false)
				31	, logbuf(buf)
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	32	, reader(reader)
				33	, fdDmesg(-1) {
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame^]	34	static const char auditd_message[] = "<6>logd.auditd: start\n";
				35	write(fdDmsg, auditd_message, sizeof(auditd_message));
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	36	logDmesg();
				37	fdDmesg = fdDmsg;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	38	}
				39
				40	bool LogAudit::onDataAvailable(SocketClient *cli) {
Mark Salyzyn	8daa9af	2014-04-28 14:07:23 -0700	[diff] [blame]	41	prctl(PR_SET_NAME, "logd.auditd");
				42
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	43	struct audit_message rep;
				44
Mark Salyzyn	e0fa291	2014-04-28 16:39:04 -0700	[diff] [blame]	45	rep.nlh.nlmsg_type = 0;
				46	rep.nlh.nlmsg_len = 0;
				47	rep.data[0] = '\0';
				48
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	49	if (audit_get_reply(cli->getSocket(), &rep, GET_REPLY_BLOCKING, 0) < 0) {
				50	SLOGE("Failed on audit_get_reply with error: %s", strerror(errno));
				51	return false;
				52	}
				53
				54	logPrint("type=%d %.*s", rep.nlh.nlmsg_type, rep.nlh.nlmsg_len, rep.data);
				55
				56	return true;
				57	}
				58
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	59	int LogAudit::logPrint(const char *fmt, ...) {
				60	if (fmt == NULL) {
				61	return -EINVAL;
				62	}
				63
				64	va_list args;
				65
				66	char *str = NULL;
				67	va_start(args, fmt);
				68	int rc = vasprintf(&str, fmt, args);
				69	va_end(args);
				70
				71	if (rc < 0) {
				72	return rc;
				73	}
				74
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	75	char *cp;
				76	while ((cp = strstr(str, " "))) {
				77	memmove(cp, cp + 1, strlen(cp + 1) + 1);
				78	}
				79
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame^]	80	bool info = strstr(str, " permissive=1") \|\| strstr(str, " policy loaded ");
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	81	if (fdDmesg >= 0) {
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame^]	82	struct iovec iov[3];
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	83
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame^]	84	iov[0].iov_base = info ? const_cast<char *>("<6>")
				85	: const_cast<char *>("<4>");
				86	iov[0].iov_len = 3;
				87	iov[1].iov_base = str;
				88	iov[1].iov_len = strlen(str);
				89	iov[2].iov_base = const_cast<char *>("\n");
				90	iov[2].iov_len = 1;
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	91
				92	writev(fdDmesg, iov, sizeof(iov) / sizeof(iov[0]));
				93	}
				94
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	95	pid_t pid = getpid();
				96	pid_t tid = gettid();
				97	uid_t uid = getuid();
				98	log_time now;
				99
				100	static const char audit_str[] = " audit(";
				101	char *timeptr = strstr(str, audit_str);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	102	if (timeptr
				103	&& ((cp = now.strptime(timeptr + sizeof(audit_str) - 1, "%s.%q")))
				104	&& (*cp == ':')) {
				105	memcpy(timeptr + sizeof(audit_str) - 1, "0.0", 3);
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	106	memmove(timeptr + sizeof(audit_str) - 1 + 3, cp, strlen(cp) + 1);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	107	} else {
				108	now.strptime("", ""); // side effect of setting CLOCK_REALTIME
				109	}
				110
				111	static const char pid_str[] = " pid=";
				112	char *pidptr = strstr(str, pid_str);
				113	if (pidptr && isdigit(pidptr[sizeof(pid_str) - 1])) {
				114	cp = pidptr + sizeof(pid_str) - 1;
				115	pid = 0;
				116	while (isdigit(*cp)) {
				117	pid = (pid * 10) + (*cp - '0');
				118	++cp;
				119	}
				120	tid = pid;
				121	uid = logbuf->pidToUid(pid);
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	122	memmove(pidptr, cp, strlen(cp) + 1);
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	123	}
				124
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	125	// log to events
				126
				127	size_t l = strlen(str);
				128	size_t n = l + sizeof(uint32_t) + sizeof(uint8_t) + sizeof(uint32_t);
				129
				130	bool notify = false;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	131
				132	char newstr = reinterpret_cast<char >(malloc(n));
				133	if (!newstr) {
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	134	rc = -ENOMEM;
				135	} else {
				136	cp = newstr;
				137	*cp++ = AUDITD_LOG_TAG & 0xFF;
				138	*cp++ = (AUDITD_LOG_TAG >> 8) & 0xFF;
				139	*cp++ = (AUDITD_LOG_TAG >> 16) & 0xFF;
				140	*cp++ = (AUDITD_LOG_TAG >> 24) & 0xFF;
				141	*cp++ = EVENT_TYPE_STRING;
				142	*cp++ = l & 0xFF;
				143	*cp++ = (l >> 8) & 0xFF;
				144	*cp++ = (l >> 16) & 0xFF;
				145	*cp++ = (l >> 24) & 0xFF;
				146	memcpy(cp, str, l);
				147
				148	logbuf->log(LOG_ID_EVENTS, now, uid, pid, tid, newstr,
				149	(n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
				150	free(newstr);
				151
				152	notify = true;
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	153	}
				154
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	155	// log to main
				156
				157	static const char comm_str[] = " comm=\"";
				158	const char *comm = strstr(str, comm_str);
				159	const char *estr = str + strlen(str);
				160	if (comm) {
				161	estr = comm;
				162	comm += sizeof(comm_str) - 1;
				163	} else if (pid == getpid()) {
				164	pid = tid;
				165	comm = "auditd";
				166	} else if (!(comm = logbuf->pidToName(pid))) {
				167	comm = "unknown";
				168	}
				169
				170	const char *ecomm = strchr(comm, '"');
				171	if (ecomm) {
				172	++ecomm;
				173	l = ecomm - comm;
				174	} else {
				175	l = strlen(comm) + 1;
				176	ecomm = "";
				177	}
				178	n = (estr - str) + strlen(ecomm) + l + 2;
				179
				180	newstr = reinterpret_cast<char *>(malloc(n));
				181	if (!newstr) {
				182	rc = -ENOMEM;
				183	} else {
Mark Salyzyn	6bdeee0	2014-09-19 11:59:42 -0700	[diff] [blame^]	184	*newstr = info ? ANDROID_LOG_INFO : ANDROID_LOG_WARN;
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	185	strlcpy(newstr + 1, comm, l);
				186	strncpy(newstr + 1 + l, str, estr - str);
				187	strcpy(newstr + 1 + l + (estr - str), ecomm);
				188
				189	logbuf->log(LOG_ID_MAIN, now, uid, pid, tid, newstr,
				190	(n <= USHRT_MAX) ? (unsigned short) n : USHRT_MAX);
				191	free(newstr);
				192
				193	notify = true;
				194	}
				195
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	196	free(str);
				197
Mark Salyzyn	e4369d6	2014-05-27 10:06:34 -0700	[diff] [blame]	198	if (notify) {
				199	reader->notifyNewLog();
				200	}
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	201
				202	return rc;
				203	}
				204
Mark Salyzyn	e9bebd0	2014-04-03 09:55:26 -0700	[diff] [blame]	205	void LogAudit::logDmesg() {
William Roberts	29d238d	2013-02-08 09:45:26 +0900	[diff] [blame]	206	int len = klogctl(KLOG_SIZE_BUFFER, NULL, 0);
				207	if (len <= 0) {
				208	return;
				209	}
				210
				211	len++;
				212	char buf[len];
				213
				214	int rc = klogctl(KLOG_READ_ALL, buf, len);
				215
				216	buf[len - 1] = '\0';
				217
				218	for(char *tok = buf; (rc >= 0) && ((tok = strtok(tok, "\r\n"))); tok = NULL) {
				219	char *audit = strstr(tok, " audit(");
				220	if (!audit) {
				221	continue;
				222	}
				223
				224	*audit++ = '\0';
				225
				226	char *type = strstr(tok, "type=");
				227	if (type) {
				228	rc = logPrint("%s %s", type, audit);
				229	} else {
				230	rc = logPrint("%s", audit);
				231	}
				232	}
				233	}
				234
				235	int LogAudit::getLogSocket() {
				236	int fd = audit_open();
				237	if (fd < 0) {
				238	return fd;
				239	}
				240	if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) {
				241	audit_close(fd);
				242	fd = -1;
				243	}
				244	return fd;
				245	}