[faultd],
[http://review.tizen.org/git/])
AC_CONFIG_SRCDIR([src/faultd.c])
+AC_CONFIG_SRCDIR([src/audit.c])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE([
check-news
AS_IF([test "x$have_libsystemd" = "xno"],
AC_MSG_ERROR([libsystemd version 221 or newer not found]))
+PKG_CHECK_MODULES(AUDIT,
+ [audit],
+ have_audit=yes,
+ have_audit=no)
+AS_IF([test "x$have_audit" = "xno"],
+ AC_MSG_ERROR([audit not found]))
+
AC_CHECK_FUNCS([ \
printf\
])
--- /dev/null
+#include <libaudit.h>
+#include <systemd/sd-event.h>
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "audit.h"
+
+static struct audit_rule_data rule_data = {
+ .flags = AUDIT_FILTER_EXIT, /* trigger on exit from syscall */
+ .action = AUDIT_ALWAYS, /* always catch matching syscall */
+ .field_count = 1,
+ .fields = {AUDIT_EXIT}, /* watch exit code */
+ .values = {-EMFILE},
+ .fieldflags = {AUDIT_EQUAL}, /* trigger if equal to value*/
+};
+
+static int audit_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata)
+{
+ struct audit_reply reply;
+ int ret;
+
+ ret = audit_get_reply(fd, &reply, GET_REPLY_NONBLOCKING, 0);
+ if (ret < 0) {
+ fprintf(stderr, "Could not get reply\n");
+ return ret;
+ }
+
+ if (reply.type == AUDIT_SYSCALL)
+ printf("syscall: data = %.*s\n", reply.len, (char *)reply.message);
+
+ return 0;
+}
+
+int faultd_audit_init(sd_event *event)
+{
+ int fd;
+ int ret;
+
+ fd = audit_open();
+ if (fd < 0) {
+ fprintf(stderr, "Could not open audit socket (%d)\n", fd);
+ return fd;
+ }
+
+ ret = audit_set_pid(fd, getpid(), WAIT_YES);
+ if (ret < 0) {
+ fprintf(stderr, "Could not set pid (%d)\n", ret);
+ return ret;
+ }
+
+ ret = sd_event_add_io(event, NULL, fd, EPOLLIN, audit_handler, NULL);
+ if (ret < 0) {
+ fprintf(stderr, "Could not add event io (%d)\n", ret);
+ return ret;
+ }
+
+ /* TODO: select only relevant syscalls */
+ audit_rule_syscallbyname_data(&rule_data, "all");
+
+ ret = audit_add_rule_data(fd, &rule_data, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
+ if (ret < 0 && ret != -EEXIST) {
+ fprintf(stderr, "Could not add rule: %d\n", ret);
+ return ret;
+ }
+
+ return fd;
+}
+
+int faultd_audit_close(int fd)
+{
+ int ret;
+
+ ret = audit_delete_rule_data(fd, &rule_data, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
+ if (ret < 0 && ret != -EEXIST) {
+ fprintf(stderr, "Could not add rule: %d\n", ret);
+ return ret;
+ }
+
+ ret = audit_set_pid(fd, 0, WAIT_YES);
+ if (ret < 0) {
+ fprintf(stderr, "Could not set pid (%d)\n", ret);
+ return ret;
+ }
+
+ audit_close(fd);
+ return 0;
+}
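Review bot: The error paths in `faultd_audit_init` and `faultd_audit_close` return without undoing what was already set up. In init, a failure of `audit_set_pid`, `sd_event_add_io` or `audit_add_rule_data` leaves the netlink fd open, and for the latter two the process is still registered as the audit pid; in close, a failed `audit_delete_rule_data` skips both `audit_set_pid(fd, 0, WAIT_YES)` and `audit_close(fd)`. Because the rule is installed for "all" syscalls and the registration makes this process the recipient of kernel audit records, teardown should be best-effort: run every step and report the first error. The message in close still reads "Could not add rule", and the `-EEXIST` exemption looks copied from the add path; a missing rule on delete is presumably reported with a different errno, which is worth confirming. A sketch for close follows; init needs the matching unwind, which also means keeping the `sd_event_source` instead of passing `NULL` so the io source can be removed before the fd is closed.

```c
int faultd_audit_close(int fd)
{
	int ret;
	int first_err = 0;

	/* Best-effort teardown: keep going so the pid registration is
	 * always dropped and the socket is always closed. */
	ret = audit_delete_rule_data(fd, &rule_data, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
	if (ret < 0 && ret != -EEXIST) {	/* TODO confirm errno for "rule not present" */
		fprintf(stderr, "Could not delete rule: %d\n", ret);
		first_err = ret;
	}

	ret = audit_set_pid(fd, 0, WAIT_YES);
	if (ret < 0) {
		fprintf(stderr, "Could not set pid (%d)\n", ret);
		if (first_err == 0)
			first_err = ret;
	}

	audit_close(fd);
	return first_err;
}
```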
#include <stdio.h>
#include <systemd/sd-bus.h>
+#include <systemd/sd-event.h>
+#include <signal.h>
+#include "audit.h"
+
+static int terminate = 0;
+
+int sigint_handler(sd_event_source *s,
+ const struct signalfd_siginfo *si,
+ void *userdata)
+{
+ terminate = 1;
+ return 0;
+}
int dbus_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata);
sd_bus *bus = NULL;
/* const char *path; */
int rc;
-
+ int aufd;
+ sigset_t ss;
rc = sd_bus_new(&bus);
if (rc < 0) {
return -1;
}
- sd_event_add_io(loop, NULL, sd_bus_get_fd(bus), EPOLLIN | EPOLLOUT, dbus_handler, (void*)bus);
+ sigemptyset(&ss);
+ sigaddset(&ss, SIGINT);
+ rc = sigprocmask(SIG_BLOCK, &ss, NULL);
+ rc = sd_event_add_signal(loop, NULL, SIGINT, sigint_handler, NULL);
+
+
+// sd_event_add_io(loop, NULL, sd_bus_get_fd(bus), EPOLLIN | EPOLLOUT, dbus_handler, (void*)bus);
+ aufd = faultd_audit_init(loop);
printf("Hello world!\n");
for (;;) {
fprintf(stderr, "Failed to wait on the bus.\n");
break;
}
+
+ if (terminate) {
+ printf("Closing...\n");
+ break;
+ }
}
sd_bus_close(bus);
+ faultd_audit_close(aufd);
return 0;
}
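Review bot: `faultd_audit_close(aufd)` runs unconditionally although the result of `aufd = faultd_audit_init(loop)` is never checked, so a failed init (which returns a negative value) passes a negative fd to the audit calls at shutdown. Check it where it is assigned, e.g. `if (aufd < 0) { sd_bus_close(bus); return -1; }`, or guard the teardown with `if (aufd >= 0)`. The earlier added lines also assign `rc = sigprocmask(...)` and `rc = sd_event_add_signal(...)` without testing either; if the signal source cannot be added, SIGINT stays blocked and `terminate` is never set, so the audit rule and pid registration are never released. As a matter of style, the old bus `sd_event_add_io` call is left commented out with `//` rather than deleted, and `sigint_handler` could be `static`. The enclosing function starts outside the visible lines.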