1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
2 * audit.c - libaudit integration for SELinux and AppArmor
4 * Based on apparmor.c, selinux.c
6 * Copyright © 2014-2015 Canonical, Ltd.
7 * Copyright © 2015 Collabora Ltd.
9 * Licensed under the Academic Free License version 2.1
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
39 #include <dbus/dbus-internals.h>
41 #include <dbus/dbus-userdb.h>
45 static int audit_fd = -1;
49 * Open the libaudit fd if appropriate.
52 bus_audit_init (BusContext *context)
55 audit_fd = audit_open ();
61 /* If kernel doesn't support audit, bail out */
62 if (e == EINVAL || e == EPROTONOSUPPORT || e == EAFNOSUPPORT)
65 /* If user bus, bail out */
66 if (e == EPERM && getuid () != 0)
69 bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
70 "Failed to open connection to the audit subsystem: %s",
73 #endif /* HAVE_LIBAUDIT */
77 * If libaudit is in use and it would be appropriate to write audit records,
78 * return the libaudit fd. Otherwise return -1.
81 bus_audit_get_fd (void)
86 capng_get_caps_process ();
88 if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_AUDIT_WRITE))
99 * Close the libaudit fd.
102 bus_audit_shutdown (void)
105 audit_close (audit_fd);
106 #endif /* HAVE_LIBAUDIT */
109 /* The !HAVE_LIBAUDIT case lives in dbus-sysdeps-util-unix.c */
112 * Changes the user and group the bus is running as.
114 * @param user the user to become
115 * @param error return location for errors
116 * @returns #FALSE on failure
119 _dbus_change_to_daemon_user (const char *user,
126 _dbus_string_init_const (&u, user);
128 if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
130 dbus_set_error (error, DBUS_ERROR_FAILED,
131 "User '%s' does not appear to exist?",
136 /* If we were root */
137 if (_dbus_geteuid () == 0)
140 int have_audit_write;
142 have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);
143 capng_clear (CAPNG_SELECT_BOTH);
144 /* Only attempt to retain CAP_AUDIT_WRITE if we had it when
146 * https://bugs.freedesktop.org/show_bug.cgi?id=49062#c9
148 if (have_audit_write)
149 capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
151 rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
156 dbus_set_error (error, DBUS_ERROR_FAILED,
157 "Failed to drop capabilities: %s\n",
158 _dbus_strerror (errno));
161 dbus_set_error (error, _dbus_error_from_errno (errno),
162 "Failed to set GID to %lu: %s", gid,
163 _dbus_strerror (errno));
166 _dbus_warn ("Failed to drop supplementary groups: %s\n",
167 _dbus_strerror (errno));
170 dbus_set_error (error, _dbus_error_from_errno (errno),
171 "Failed to set UID to %lu: %s", uid,
172 _dbus_strerror (errno));
175 dbus_set_error (error, _dbus_error_from_errno (errno),
176 "Failed to unset keep-capabilities: %s\n",
177 _dbus_strerror (errno));