} else if (name == "path") {
instance.object.name = value;
instance.object.type = AuditSystemLog::FileObject;
- } else if (name == "path") {
- instance.object.name = value;
- instance.object.type = AuditSystemLog::FileObject;
- } else if (name == "inode") {
+ } else if (name == "ino") {
instance.object.inode = std::stoul(value);
instance.object.type = AuditSystemLog::FileObject;
}
instance.object.gid = std::stoul(value);
}
}
- instance.object.type = AuditSystemLog::FileObject;
+
+ if (instance.object.type != AuditSystemLog::SocketObject)
+ instance.object.type = AuditSystemLog::FileObject;
}
break;
case AUDIT_OBJ_PID:
instance.object.type = AuditSystemLog::ProcessObject;
}
break;
+ case AUDIT_SOCKADDR:
+ {
+ std::stringstream tok(log);
+ while(!tok.eof()) {
+ auto pair = getNameValuePair(tok);
+ const auto &name = pair.first;
+ const auto &value = pair.second;
+
+ if (name == "saddr")
+ instance.object.socketAddr = value;
+ }
+ instance.object.type = AuditSystemLog::SocketObject;
+ }
+ break;
default:
break;
}
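Review bot: The `AUDIT_SOCKADDR` case sets `instance.object.type = AuditSystemLog::SocketObject` even when no `saddr` field was found, and it stores the field unchecked, so a record can be typed as a socket while `socketAddr` is empty or malformed. Moving the assignment into the match keeps the two consistent: `if (name == "saddr" && !value.empty()) { instance.object.socketAddr = value; instance.object.type = AuditSystemLog::SocketObject; }`. The guard added in the path-record case (`if (instance.object.type != AuditSystemLog::SocketObject)`) presumably relies on the SOCKADDR record being parsed before the PATH record, so a one-line comment stating that ordering assumption would help. The enclosing switch starts outside this hunk.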
* limitations under the License
*/
#include <cstring>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
#include "debug.h"
#include "system-log.h"
return *reinterpret_cast<SystemLog*>(handle);
}
+static std::string HexToString(const std::string& hexString)
+{
+ int hexLen = hexString.length();
+ std::string retString;
+
+ for (int i = 0; i < hexLen; i+=2) {
+ std::string subStr = hexString.substr(i, 2);
+ char tempChr = static_cast<char>(std::strtol(subStr.c_str(), NULL, 16));
+ retString.push_back(tempChr);
+ }
+
+ return retString;
+}
+
int audit_system_log_get_time(audit_system_log_h handle,
time_t *time, unsigned short *ms)
{
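Review bot: `HexToString` accepts any input, so a malformed `saddr` value from the log yields a plausible-looking address instead of an error. An odd-length string makes the last `substr(i, 2)` a single digit, and non-hex characters decode to a zero byte because the `strtol` end pointer is discarded. `int hexLen = hexString.length();` also narrows `size_t`. Consider rejecting bad input up front, e.g. `if (hexString.size() % 2 != 0 || hexString.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos) return std::string();`, using `size_t` for the length and index, and having the caller treat an empty result as an error.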
}
int audit_system_log_get_subject_name(audit_system_log_h handle,
- const char **name)
+ char **name)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
}
int audit_system_log_get_subject_smack_label(audit_system_log_h handle,
- const char **label)
+ char **label)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
RET_ON_FAILURE(label, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
return AUDIT_TRAIL_ERROR_NONE;
}
-int audit_system_log_get_object_smack_label(audit_system_log_h handle, const char **label)
+int audit_system_log_get_object_smack_label(audit_system_log_h handle, char **label)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
RET_ON_FAILURE(label, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
return AUDIT_TRAIL_ERROR_NONE;
}
-int audit_system_log_get_object_name(audit_system_log_h handle, const char **name)
+int audit_system_log_get_object_name(audit_system_log_h handle, char **name)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
RET_ON_FAILURE(name, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
return AUDIT_TRAIL_ERROR_NONE;
}
-int audit_system_log_object_sockaddr(audit_system_log_h handle, const char **socketaddr)
+int audit_system_log_get_object_sockaddr(audit_system_log_h handle, struct sockaddr *addr, int *family)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
- RET_ON_FAILURE(socketaddr, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
+ RET_ON_FAILURE(family, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
const auto &log = GetSystemLog(handle).log;
- *socketaddr = ::strdup(log.object.socketAddr.c_str());
+ const std::string addrString = HexToString(log.object.socketAddr);
+ const struct sockaddr *saddr = reinterpret_cast<const struct sockaddr *>(addrString.c_str());
+
+ if (addr == NULL) {
+ *family = saddr->sa_family;
+ return AUDIT_TRAIL_ERROR_NONE;
+ }
+
+ RET_ON_FAILURE(addr, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
+ if (saddr->sa_family == AF_UNIX) {
+ if (*family != AF_UNIX)
+ return AUDIT_TRAIL_ERROR_INVALID_PARAMETER;
+ struct sockaddr_un *un = reinterpret_cast<struct sockaddr_un *>(addr);
+ ::memcpy(un, reinterpret_cast<const struct sockaddr_un *>(saddr), sizeof(struct sockaddr_un));
+ } else if (saddr->sa_family == AF_INET) {
+ if (*family != AF_INET)
+ return AUDIT_TRAIL_ERROR_INVALID_PARAMETER;
+ struct sockaddr_in *in = reinterpret_cast<struct sockaddr_in *>(addr);
+ in->sin_family = AF_INET;
+ in->sin_port = ntohs(std::stoul(log.object.socketAddr.substr(4, 4).c_str(), NULL, 16));
+ in->sin_addr.s_addr = ntohl(std::stoul(log.object.socketAddr.substr(8, 8).c_str(), NULL, 16));
+ } else {
+ return AUDIT_TRAIL_ERROR_NOT_SUPPORTED;
+ }
return AUDIT_TRAIL_ERROR_NONE;
}
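Review bot: `saddr` points into `addrString`, which is only as long as the decoded `saddr` field, yet the function reads `saddr->sa_family` and, for AF_UNIX, copies `sizeof(struct sockaddr_un)` bytes from it, so a record with no address or a short one causes a read past the end of the buffer. The AF_INET branch calls `substr(4, 4)` and `std::stoul` on the same unchecked string, and both can throw across this C entry point. The second `RET_ON_FAILURE(addr, …)` can never fire because the `addr == NULL` case has already returned. The version below checks the decoded length before each access, bounds the AF_UNIX copy and terminates `sun_path`. The error code returned for a missing address is a suggestion.

```cpp
// … unchanged: handle and family NULL checks …
const auto &log = GetSystemLog(handle).log;
const std::string raw = HexToString(log.object.socketAddr);

// A record without a complete saddr field has nothing to decode.
if (raw.size() < sizeof(sa_family_t))
    return AUDIT_TRAIL_ERROR_INVALID_PARAMETER;

sa_family_t fam;
::memcpy(&fam, raw.data(), sizeof(fam));

if (addr == NULL) {
    *family = fam;
    return AUDIT_TRAIL_ERROR_NONE;
}

if (fam != AF_UNIX && fam != AF_INET)
    return AUDIT_TRAIL_ERROR_NOT_SUPPORTED;
if (*family != fam)
    return AUDIT_TRAIL_ERROR_INVALID_PARAMETER;

if (fam == AF_UNIX) {
    // Copy only the bytes that were logged and keep sun_path terminated.
    struct sockaddr_un un;
    ::memset(&un, 0, sizeof(un));
    const size_t len = raw.size() < sizeof(un) ? raw.size() : sizeof(un);
    ::memcpy(&un, raw.data(), len);
    un.sun_path[sizeof(un.sun_path) - 1] = '\0';
    ::memcpy(addr, &un, sizeof(un));
} else {
    // Same byte layout the substr(4, 4) / substr(8, 8) parsing assumed.
    if (raw.size() < sizeof(struct sockaddr_in))
        return AUDIT_TRAIL_ERROR_INVALID_PARAMETER;
    ::memcpy(addr, raw.data(), sizeof(struct sockaddr_in));
}
// … unchanged: return AUDIT_TRAIL_ERROR_NONE …
```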
* @post The subject name must not be freed.
*/
AUDIT_TRAIL_API int audit_system_log_get_subject_name(audit_system_log_h handle,
- const char **name);
+ char **name);
/**
* @brief Get subject owner's user and group ID from the system audit log
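Review bot: The `@post The subject name must not be freed.` line contradicts how the value is now used, because the parameter changes from `const char **` to `char **` and the test client in this commit calls `::free()` on the returned name and labels. The same applies to the `@post` lines added for `audit_system_log_get_subject_smack_label`, `audit_system_log_get_object_smack_label` and `audit_system_log_get_object_name`. If the getters return a heap copy (their bodies are not visible here), the text should match the user-log wording, e.g. `@post name should be freed by free()`. If they do not, the client's `free()` calls release memory the caller does not own.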
* @retval #AUDIT_TRAIL_ERROR_NONE Successful
* @retval #AUDIT_TRAIL_ERROR_TIMED_OUT Time out
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
+ * @post The subject label must not be freed.
*/
AUDIT_TRAIL_API int audit_system_log_get_subject_smack_label(audit_system_log_h handle,
- const char **label);
+ char **label);
/**
* @brief Get the object type (Process, File, Socket, FD pair, capset) from the system audit log
* @retval #AUDIT_TRAIL_ERROR_NONE Successful
* @retval #AUDIT_TRAIL_ERROR_TIMED_OUT Time out
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
+ * @post The object label must not be freed.
*/
-AUDIT_TRAIL_API int audit_system_log_get_object_smack_label(audit_system_log_h handle, const char **label);
+AUDIT_TRAIL_API int audit_system_log_get_object_smack_label(audit_system_log_h handle, char **label);
/**
* @brief Get the object name from the system audit log
* @retval #AUDIT_TRAIL_ERROR_NONE Successful
* @retval #AUDIT_TRAIL_ERROR_TIMED_OUT Time out
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
+ * @post The object name must not be freed.
*/
-AUDIT_TRAIL_API int audit_system_log_get_object_name(audit_system_log_h handle, const char **name);
+AUDIT_TRAIL_API int audit_system_log_get_object_name(audit_system_log_h handle, char **name);
/**
* @brief Get the object process ID from the system audit log
* each system audit logs.
* @since_tizen 5.0
* @param[in] handle The system audit log handle
- * @param[out] socketaddr The object socket address
+ * @param[out] addr The object socket address
+ * @param[out] family The object socket family
* @return #AUDIT_TRAIL_ERROR_NONE on success, otherwise a negative value
* @retval #AUDIT_TRAIL_ERROR_NONE Successful
* @retval #AUDIT_TRAIL_ERROR_TIMED_OUT Time out
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
+ * @retval #AUDIT_TRAIL_ERROR_NOT_SUPPORTED socket family not supported
*/
-AUDIT_TRAIL_API int audit_system_log_object_sockaddr(audit_system_log_h handle, const char **socketaddr);
+AUDIT_TRAIL_API int audit_system_log_get_object_sockaddr(audit_system_log_h handle, struct sockaddr *addr, int *family);
/**
* @brief Get which systemcalls made the system log
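Review bot: `family` is documented as `@param[out]`, but the implementation also reads `*family` when `addr` is non-NULL and returns `AUDIT_TRAIL_ERROR_INVALID_PARAMETER` on a mismatch, so it is an in/out parameter. The two-call protocol and the required buffer size are not described, and a caller that passes a plain `struct sockaddr` gets a write past its end in the AF_UNIX case. Suggest `@param[in,out] family` plus a sentence such as `addr may be NULL to query only the family; otherwise it must point to a struct sockaddr_un or struct sockaddr_in matching *family`.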
return AUDIT_TRAIL_ERROR_NONE;
}
-int audit_user_log_get_text(audit_user_log_h handle, const char **text)
+int audit_user_log_get_text(audit_user_log_h handle, char **text)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
RET_ON_FAILURE(text, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
* @post text should be freed by free()
*/
-AUDIT_TRAIL_API int audit_user_log_get_text(audit_user_log_h handle, const char **text);
+AUDIT_TRAIL_API int audit_user_log_get_text(audit_user_log_h handle, char **text);
/**
* @brief Called to get a audit logs from user processes as an array.
#include <sstream>
#include <iostream>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
#include <audit-trail/rule.h>
#include <audit-trail/user-log.h>
#include <audit-trail/system-log.h>
OBJECT_TYPE_SOCKET,
};
+#define CONVERT_OCT(x) std::oct << x << std::dec
+#define CONVERT_HEX(x) std::hex << x << std::dec
+
GMainLoop *gmainloop = NULL;
extern char** environ;
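Review bot: `CONVERT_OCT(x)` and `CONVERT_HEX(x)` expand `x` unparenthesised into a `<<` chain, so an argument containing an operator with lower precedence than `<<` (a comparison or `?:`) would change the meaning of the whole statement. They also always restore `std::dec` rather than the stream's previous base. At minimum write `std::oct << (x) << std::dec` and `std::hex << (x) << std::dec`, and add a short comment that the macros reset the base to decimal.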
str << "},log={";
{
- const char *text;
+ char *text;
pid_t pid;
int type;
audit_user_log_get_text(log, &text);
str << ",text=" << text;
+
+ ::free(text);
}
str << "}";
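Review bot: `::free(text)` runs on an uninitialised pointer if `audit_user_log_get_text` fails, because `char *text;` has no initialiser and the return value is ignored. The `str << text` above it has the same problem. Initialise the pointer and check the call: `char *text = NULL;` and `if (audit_user_log_get_text(log, &text) == AUDIT_TRAIL_ERROR_NONE) str << ",text=" << text;`. The same pattern applies to `sub_name`/`sub_label` and `obj_label`/`obj_name` in the later hunks of this file.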
str << "},subject={";
{
- const char *sub_name, *sub_label;
+ char *sub_name, *sub_label;
uid_t sub_uid, sub_euid;
gid_t sub_gid, sub_egid;
pid_t sub_pid;
str << ",label=" << sub_label;
audit_system_log_get_subject_owner(log, &sub_uid, &sub_gid);
- str << ",uid=" << sub_uid << ",pid=" << sub_pid;
+ str << ",uid=" << sub_uid << ",gid=" << sub_gid;
audit_system_log_get_subject_effective_owner(log, &sub_euid, &sub_egid);
str << ",euid=" << sub_euid << ",egid=" << sub_egid;
audit_system_log_get_subject_pid(log, &sub_pid);
str << ",pid=" << sub_pid;
+
+ ::free(sub_name);
+ ::free(sub_label);
}
str << "},object={";
{
- int obj_type;
+ int obj_type, sock_family;
uid_t obj_uid, obj_euid;
gid_t obj_gid, obj_egid;
mode_t obj_mode;
- const char *obj_label, *obj_name;
+ char *obj_label, *obj_name;
pid_t obj_pid;
ino_t obj_inode;
+ struct sockaddr_un addr_un;
+ struct sockaddr_in addr_in;
audit_system_log_get_object_type(log, &obj_type);
audit_system_log_get_object_name(log, &obj_name);
audit_system_log_get_object_permission(log, &obj_mode);
audit_system_log_get_object_inode(log, &obj_inode);
+ audit_system_log_get_object_sockaddr(log, NULL, &sock_family);
+ if (sock_family == AF_UNIX) {
+ audit_system_log_get_object_sockaddr(log, reinterpret_cast<struct sockaddr *>(&addr_un), &sock_family);
+ } else if (sock_family == AF_INET) {
+ audit_system_log_get_object_sockaddr(log, reinterpret_cast<struct sockaddr *>(&addr_in), &sock_family);
+ }
+
switch(obj_type) {
case OBJECT_TYPE_NOOBJECT:
str << "type=no";
break;
case OBJECT_TYPE_FILE:
str << "type=file" << ",name=" << obj_name << ",label=" << obj_label
- << ",inode=" << obj_inode << ",mode=" << std::oct << obj_mode
+ << ",inode=" << obj_inode << ",mode=" << CONVERT_OCT(obj_mode)
<< ",uid=" << obj_uid << ",gid=" << obj_gid;
break;
case OBJECT_TYPE_SOCKET:
+ {
+ if (sock_family == AF_UNIX) {
+ str << "type=sockaddr" << ",sock_family=" << addr_un.sun_family
+ << ",sock_path=" << addr_un.sun_path << ",name=" << obj_name
+ << ",label=" << obj_label << ",inode=" << obj_inode
+ << ",mode=" << CONVERT_OCT(obj_mode) << ",uid=" << obj_uid << ",gid=" << obj_gid;
+ } else if (sock_family == AF_INET) {
+ str << "type=sockaddr" << ",sock_family=" << addr_in.sin_family
+ << ",sock_port=" << ntohs(addr_in.sin_port) << ",sock_addr=" << inet_ntoa(addr_in.sin_addr)<< ",name=" << obj_name
+ << ",label=" << obj_label << ",inode=" << obj_inode
+ << ",mode=" << CONVERT_OCT(obj_mode) << ",uid=" << obj_uid << ",gid=" << obj_gid;
+ } else {
+ str << "type=sockaddr, not supported";
+ }
+ }
default:
break;
}
+
+ ::free(obj_label);
+ ::free(obj_name);
}
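Review bot: `audit_system_log_get_object_sockaddr(log, NULL, &sock_family)` is called for every record before `obj_type` is examined, and its result is ignored. For a record with no socket address the family is derived from an empty decoded buffer, and if the call fails `sock_family` is read uninitialised. Make the query conditional on `obj_type == OBJECT_TYPE_SOCKET`, initialise `sock_family` (e.g. to `AF_UNSPEC`) and check the return value of both calls. `addr_un.sun_path` is streamed as a C string, which assumes the library NUL-terminated it. The new `case OBJECT_TYPE_SOCKET:` block also ends without `break;` and falls through into `default:`.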
str << "},action={";
str << "systemcall=" << systemcall;
audit_system_log_get_action_arguments(log, &syscall_args);
- str << ",a0=" << std::hex << syscall_args[0] << ",a1=" << std::hex << syscall_args[1]
- << ",a2=" << std::hex << syscall_args[2] << ",a3=" << std::hex << syscall_args[3];
+ str << ",a0=" << CONVERT_HEX(syscall_args[0]) << ",a1=" << CONVERT_HEX(syscall_args[1])
+ << ",a2=" << CONVERT_HEX(syscall_args[2]) << ",a3=" << CONVERT_HEX(syscall_args[3]);
audit_system_log_get_action_exitcode(log, &exitcode);
str << ",exitcode=" << exitcode;