[thirdparty/systemd.git] / src / journal / journald-audit.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include "alloc-util.h"
#include "audit-type.h"
#include "fd-util.h"
#include "hexdecoct.h"
#include "io-util.h"
#include "journald-audit.h"
#include "missing_audit.h"
#include "string-util.h"

typedef struct MapField {
        const char *audit_field;
        const char *journal_field;
        int (*map)(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov);
} MapField;

static int map_simple_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov) {
        _cleanup_free_ char *c = NULL;
        size_t l = 0, allocated = 0;
        const char *e;

        assert(field);
        assert(p);
        assert(iov);
        assert(n_iov);

        l = strlen(field);
        allocated = l + 1;
        c = malloc(allocated);
        if (!c)
                return -ENOMEM;

        memcpy(c, field, l);
        for (e = *p; !IN_SET(*e, 0, ' '); e++) {
                if (!GREEDY_REALLOC(c, allocated, l+2))
                        return -ENOMEM;

                c[l++] = *e;
        }

        c[l] = 0;

        if (!GREEDY_REALLOC(*iov, *n_iov_allocated, *n_iov + 1))
                return -ENOMEM;

        (*iov)[(*n_iov)++] = IOVEC_MAKE(c, l);

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field_internal(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov, bool filter_printable) {
        _cleanup_free_ char *c = NULL;
        const char *s, *e;
        size_t l;

        assert(field);
        assert(p);
        assert(iov);
        assert(n_iov);

        /* The kernel formats string fields in one of two formats. */

        if (**p == '"') {
                /* Normal quoted syntax */
                s = *p + 1;
                e = strchr(s, '"');
                if (!e)
                        return 0;

                l = strlen(field) + (e - s);
                c = malloc(l+1);
                if (!c)
                        return -ENOMEM;

                *((char*) mempcpy(stpcpy(c, field), s, e - s)) = 0;

                e += 1;

        } else if (unhexchar(**p) >= 0) {
                /* Hexadecimal escaping */
                size_t allocated = 0;

                l = strlen(field);
                allocated = l + 2;
                c = malloc(allocated);
                if (!c)
                        return -ENOMEM;

                memcpy(c, field, l);
                for (e = *p; !IN_SET(*e, 0, ' '); e += 2) {
                        int a, b;
                        uint8_t x;

                        a = unhexchar(e[0]);
                        if (a < 0)
                                return 0;

                        b = unhexchar(e[1]);
                        if (b < 0)
                                return 0;

                        x = ((uint8_t) a << 4 | (uint8_t) b);

                        if (filter_printable && x < (uint8_t) ' ')
                                x = (uint8_t) ' ';

                        if (!GREEDY_REALLOC(c, allocated, l+2))
                                return -ENOMEM;

                        c[l++] = (char) x;
                }

                c[l] = 0;
        } else
                return 0;

        if (!GREEDY_REALLOC(*iov, *n_iov_allocated, *n_iov + 1))
                return -ENOMEM;

        (*iov)[(*n_iov)++] = IOVEC_MAKE(c, l);

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov) {
        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, false);
}

static int map_string_field_printable(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov) {
        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, true);
}

static int map_generic_field(const char *prefix, const char **p, struct iovec **iov, size_t *n_iov_allocated, size_t *n_iov) {
        const char *e, *f;
        char *c, *t;
        int r;

        /* Implements fallback mappings for all fields we don't know */

        for (e = *p; e < *p + 16; e++) {

                if (IN_SET(*e, 0, ' '))
                        return 0;

                if (*e == '=')
                        break;

                if (!((*e >= 'a' && *e <= 'z') ||
                      (*e >= 'A' && *e <= 'Z') ||
                      (*e >= '0' && *e <= '9') ||
                      IN_SET(*e, '_', '-')))
                        return 0;
        }

        if (e <= *p || e >= *p + 16)
                return 0;

        c = newa(char, strlen(prefix) + (e - *p) + 2);

        t = stpcpy(c, prefix);
        for (f = *p; f < e; f++) {
                char x;

                if (*f >= 'a' && *f <= 'z')
                        x = (*f - 'a') + 'A'; /* uppercase */
                else if (*f == '-')
                        x = '_'; /* dashes → underscores */
                else
                        x = *f;

                *(t++) = x;
        }
        strcpy(t, "=");

        e++;

        r = map_simple_field(c, &e, iov, n_iov_allocated, n_iov);
        if (r < 0)
                return r;

        *p = e;
        return r;
}

/* Kernel fields are those occurring in the audit string before
 * msg='. All of these fields are trusted, hence carry the "_" prefix.
 * We try to translate the fields we know into our native names. The
 * other's are generically mapped to _AUDIT_FIELD_XYZ= */
static const MapField map_fields_kernel[] = {

        /* First, we map certain well-known audit fields into native
         * well-known fields */
        { "pid=",       "_PID=",              map_simple_field },
        { "ppid=",      "_PPID=",             map_simple_field },
        { "uid=",       "_UID=",              map_simple_field },
        { "euid=",      "_EUID=",             map_simple_field },
        { "fsuid=",     "_FSUID=",            map_simple_field },
        { "gid=",       "_GID=",              map_simple_field },
        { "egid=",      "_EGID=",             map_simple_field },
        { "fsgid=",     "_FSGID=",            map_simple_field },
        { "tty=",       "_TTY=",              map_simple_field },
        { "ses=",       "_AUDIT_SESSION=",    map_simple_field },
        { "auid=",      "_AUDIT_LOGINUID=",   map_simple_field },
        { "subj=",      "_SELINUX_CONTEXT=",  map_simple_field },
        { "comm=",      "_COMM=",             map_string_field },
        { "exe=",       "_EXE=",              map_string_field },
        { "proctitle=", "_CMDLINE=",          map_string_field_printable },

        /* Some fields don't map to native well-known fields. However,
         * we know that they are string fields, hence let's undo
         * string field escaping for them, though we stick to the
         * generic field names. */
        { "path=",      "_AUDIT_FIELD_PATH=", map_string_field },
        { "dev=",       "_AUDIT_FIELD_DEV=",  map_string_field },
        { "name=",      "_AUDIT_FIELD_NAME=", map_string_field },
        {}
};

/* Userspace fields are those occurring in the audit string after
 * msg='. All of these fields are untrusted, hence carry no "_"
 * prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
static const MapField map_fields_userspace[] = {
        { "cwd=",       "AUDIT_FIELD_CWD=",   map_string_field },
        { "cmd=",       "AUDIT_FIELD_CMD=",   map_string_field },
        { "acct=",      "AUDIT_FIELD_ACCT=",  map_string_field },
        { "exe=",       "AUDIT_FIELD_EXE=",   map_string_field },
        { "comm=",      "AUDIT_FIELD_COMM=",  map_string_field },
        {}
};

static int map_all_fields(
                const char *p,
                const MapField map_fields[],
                const char *prefix,
                bool handle_msg,
                struct iovec **iov,
                size_t *n_iov_allocated,
                size_t *n_iov) {

        int r;

        assert(p);
        assert(iov);
        assert(n_iov_allocated);
        assert(n_iov);

        for (;;) {
                bool mapped = false;
                const MapField *m;
                const char *v;

                p += strspn(p, WHITESPACE);

                if (*p == 0)
                        return 0;

                if (handle_msg) {
                        v = startswith(p, "msg='");
                        if (v) {
                                _cleanup_free_ char *c = NULL;
                                const char *e;

                                /* Userspace message. It's enclosed in
                                   simple quotation marks, is not
                                   escaped, but the last field in the
                                   line, hence let's remove the
                                   quotation mark, and apply the
                                   userspace mapping instead of the
                                   kernel mapping. */

                                e = endswith(v, "'");
                                if (!e)
                                        return 0; /* don't continue splitting up if the final quotation mark is missing */

                                c = strndup(v, e - v);
                                if (!c)
                                        return -ENOMEM;

                                return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iov, n_iov_allocated, n_iov);
                        }
                }

                /* Try to map the kernel fields to our own names */
                for (m = map_fields; m->audit_field; m++) {
                        v = startswith(p, m->audit_field);
                        if (!v)
                                continue;

                        r = m->map(m->journal_field, &v, iov, n_iov_allocated, n_iov);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r > 0) {
                                mapped = true;
                                p = v;
                                break;
                        }
                }

                if (!mapped) {
                        r = map_generic_field(prefix, &p, iov, n_iov_allocated, n_iov);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r == 0)
                                /* Couldn't process as generic field, let's just skip over it */
                                p += strcspn(p, WHITESPACE);
                }
        }
}

void process_audit_string(Server *s, int type, const char *data, size_t size) {
        size_t n_iov_allocated = 0, n_iov = 0, z;
        _cleanup_free_ struct iovec *iov = NULL;
        uint64_t seconds, msec, id;
        const char *p, *type_name;
        char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
             type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
             source_time_field[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
        char *m, *type_field_name;
        int k;

        assert(s);

        if (size <= 0)
                return;

        if (!data)
                return;

        /* Note that the input buffer is NUL terminated, but let's
         * check whether there is a spurious NUL byte */
        if (memchr(data, 0, size))
                return;

        p = startswith(data, "audit");
        if (!p)
                return;

        k = 0;
        if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
                   &seconds,
                   &msec,
                   &id,
                   &k) != 3 || k == 0)
                return;

        p += k;
        p += strspn(p, WHITESPACE);

        if (isempty(p))
                return;

        n_iov_allocated = N_IOVEC_META_FIELDS + 8;
        iov = new(struct iovec, n_iov_allocated);
        if (!iov) {
                log_oom();
                return;
        }

        iov[n_iov++] = IOVEC_MAKE_STRING("_TRANSPORT=audit");

        sprintf(source_time_field, "_SOURCE_REALTIME_TIMESTAMP=%" PRIu64,
                (usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC);
        iov[n_iov++] = IOVEC_MAKE_STRING(source_time_field);

        sprintf(type_field, "_AUDIT_TYPE=%i", type);
        iov[n_iov++] = IOVEC_MAKE_STRING(type_field);

        sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
        iov[n_iov++] = IOVEC_MAKE_STRING(id_field);

        assert_cc(4 == LOG_FAC(LOG_AUTH));
        iov[n_iov++] = IOVEC_MAKE_STRING("SYSLOG_FACILITY=4");
        iov[n_iov++] = IOVEC_MAKE_STRING("SYSLOG_IDENTIFIER=audit");

        type_name = audit_type_name_alloca(type);

        type_field_name = strjoina("_AUDIT_TYPE_NAME=", type_name);
        iov[n_iov++] = IOVEC_MAKE_STRING(type_field_name);

        m = strjoina("MESSAGE=", type_name, " ", p);
        iov[n_iov++] = IOVEC_MAKE_STRING(m);

        z = n_iov;

        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, &iov, &n_iov_allocated, &n_iov);

        if (!GREEDY_REALLOC(iov, n_iov_allocated, n_iov + N_IOVEC_META_FIELDS)) {
                log_oom();
                goto finish;
        }

        server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, NULL, LOG_NOTICE, 0);

finish:
        /* free() all entries that map_all_fields() added. All others
         * are allocated on the stack or are constant. */

        for (; z < n_iov; z++)
                free(iov[z].iov_base);
}

void server_process_audit_message(
                Server *s,
                const void *buffer,
                size_t buffer_size,
                const struct ucred *ucred,
                const union sockaddr_union *sa,
                socklen_t salen) {

        const struct nlmsghdr *nl = buffer;

        assert(s);

        if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
                return;

        assert(buffer);

        /* Filter out fake data */
        if (!sa ||
            salen != sizeof(struct sockaddr_nl) ||
            sa->nl.nl_family != AF_NETLINK ||
            sa->nl.nl_pid != 0) {
                log_debug("Audit netlink message from invalid sender.");
                return;
        }

        if (!ucred || ucred->pid != 0) {
                log_debug("Audit netlink message with invalid credentials.");
                return;
        }

        if (!NLMSG_OK(nl, buffer_size)) {
                log_error("Audit netlink message truncated.");
                return;
        }

        /* Ignore special Netlink messages */
        if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
                return;

        /* Except AUDIT_USER, all messages below AUDIT_FIRST_USER_MSG are control messages, let's ignore those */
        if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG && nl->nlmsg_type != AUDIT_USER)
                return;

        process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
}

static int enable_audit(int fd, bool b) {
        struct {
                union {
                        struct nlmsghdr header;
                        uint8_t header_space[NLMSG_HDRLEN];
                };
                struct audit_status body;
        } _packed_ request = {
                .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
                .header.nlmsg_type = AUDIT_SET,
                .header.nlmsg_flags = NLM_F_REQUEST,
                .header.nlmsg_seq = 1,
                .header.nlmsg_pid = 0,
                .body.mask = AUDIT_STATUS_ENABLED,
                .body.enabled = b,
        };
        union sockaddr_union sa = {
                .nl.nl_family = AF_NETLINK,
                .nl.nl_pid = 0,
        };
        struct iovec iovec = {
                .iov_base = &request,
                .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
        };
        struct msghdr mh = {
                .msg_iov = &iovec,
                .msg_iovlen = 1,
                .msg_name = &sa.sa,
                .msg_namelen = sizeof(sa.nl),
        };

        ssize_t n;

        n = sendmsg(fd, &mh, MSG_NOSIGNAL);
        if (n < 0)
                return -errno;
        if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
                return -EIO;

        /* We don't wait for the result here, we can't do anything
         * about it anyway */

        return 0;
}

int server_open_audit(Server *s) {
        int r;

        if (s->audit_fd < 0) {
                static const union sockaddr_union sa = {
                        .nl.nl_family = AF_NETLINK,
                        .nl.nl_pid    = 0,
                        .nl.nl_groups = AUDIT_NLGRP_READLOG,
                };

                s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                if (s->audit_fd < 0) {
                        if (IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
                                log_debug("Audit not supported in the kernel.");
                        else
                                log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");

                        return 0;
                }

                if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
                        log_warning_errno(errno,
                                          "Failed to join audit multicast group. "
                                          "The kernel is probably too old or multicast reading is not supported. "
                                          "Ignoring: %m");
                        s->audit_fd = safe_close(s->audit_fd);
                        return 0;
                }
        } else
                (void) fd_nonblock(s->audit_fd, true);

        r = setsockopt_int(s->audit_fd, SOL_SOCKET, SO_PASSCRED, true);
        if (r < 0)
                return log_error_errno(r, "Failed to set SO_PASSCRED on audit socket: %m");

        r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
        if (r < 0)
                return log_error_errno(r, "Failed to add audit fd to event loop: %m");

        /* We are listening now, try to enable audit */
        r = enable_audit(s->audit_fd, true);
        if (r < 0)
                log_warning_errno(r, "Failed to issue audit enable call: %m");

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
875c2e22	2
b5efdb8a	3	#include "alloc-util.h"
07630cea	4	#include "audit-type.h"
3ffd4af2	5	#include "fd-util.h"
afc5dbf3 LP	6	#include "hexdecoct.h"
afc5dbf3 LP	7	#include "io-util.h"
3ffd4af2	8	#include "journald-audit.h"
f5947a5e	9	#include "missing_audit.h"
07630cea	10	#include "string-util.h"
875c2e22 LP	11
	12	typedef struct MapField {
	13	const char *audit_field;
	14	const char *journal_field;
d3070fbd	15	int (map)(const char field, const char p, struct iovec iov, size_t n_iov_allocated, size_t n_iov);
875c2e22 LP	16	} MapField;
875c2e22 LP	17
d3070fbd	18	static int map_simple_field(const char field, const char p, struct iovec iov, size_t n_iov_allocated, size_t *n_iov) {
875c2e22 LP	19	_cleanup_free_ char *c = NULL;
	20	size_t l = 0, allocated = 0;
	21	const char *e;
	22
	23	assert(field);
	24	assert(p);
	25	assert(iov);
	26	assert(n_iov);
	27
	28	l = strlen(field);
	29	allocated = l + 1;
	30	c = malloc(allocated);
	31	if (!c)
	32	return -ENOMEM;
	33
	34	memcpy(c, field, l);
4c701096	35	for (e = p; !IN_SET(e, 0, ' '); e++) {
875c2e22 LP	36	if (!GREEDY_REALLOC(c, allocated, l+2))
	37	return -ENOMEM;
	38
	39	c[l++] = *e;
	40	}
	41
	42	c[l] = 0;
	43
	44	if (!GREEDY_REALLOC(iov, n_iov_allocated, *n_iov + 1))
	45	return -ENOMEM;
	46
dde26374	47	(iov)[(n_iov)++] = IOVEC_MAKE(c, l);
875c2e22 LP	48
	49	*p = e;
	50	c = NULL;
	51
	52	return 1;
	53	}
	54
d3070fbd	55	static int map_string_field_internal(const char field, const char p, struct iovec iov, size_t n_iov_allocated, size_t *n_iov, bool filter_printable) {
875c2e22 LP	56	_cleanup_free_ char *c = NULL;
	57	const char s, e;
	58	size_t l;
	59
	60	assert(field);
	61	assert(p);
	62	assert(iov);
	63	assert(n_iov);
	64
	65	/* The kernel formats string fields in one of two formats. */
	66
	67	if (**p == '"') {
	68	/* Normal quoted syntax */
	69	s = *p + 1;
	70	e = strchr(s, '"');
	71	if (!e)
	72	return 0;
	73
	74	l = strlen(field) + (e - s);
	75	c = malloc(l+1);
	76	if (!c)
	77	return -ENOMEM;
	78
	79	((char) mempcpy(stpcpy(c, field), s, e - s)) = 0;
	80
	81	e += 1;
	82
	83	} else if (unhexchar(**p) >= 0) {
	84	/* Hexadecimal escaping */
	85	size_t allocated = 0;
	86
	87	l = strlen(field);
	88	allocated = l + 2;
	89	c = malloc(allocated);
	90	if (!c)
	91	return -ENOMEM;
	92
	93	memcpy(c, field, l);
4c701096	94	for (e = p; !IN_SET(e, 0, ' '); e += 2) {
875c2e22	95	int a, b;
78fe420f	96	uint8_t x;
875c2e22 LP	97
	98	a = unhexchar(e[0]);
	99	if (a < 0)
	100	return 0;
	101
	102	b = unhexchar(e[1]);
	103	if (b < 0)
	104	return 0;
	105
78fe420f LP	106	x = ((uint8_t) a << 4 \| (uint8_t) b);
	107
	108	if (filter_printable && x < (uint8_t) ' ')
	109	x = (uint8_t) ' ';
	110
875c2e22 LP	111	if (!GREEDY_REALLOC(c, allocated, l+2))
	112	return -ENOMEM;
	113
78fe420f	114	c[l++] = (char) x;
875c2e22 LP	115	}
	116
	117	c[l] = 0;
	118	} else
	119	return 0;
	120
	121	if (!GREEDY_REALLOC(iov, n_iov_allocated, *n_iov + 1))
	122	return -ENOMEM;
	123
dde26374	124	(iov)[(n_iov)++] = IOVEC_MAKE(c, l);
875c2e22 LP	125
	126	*p = e;
	127	c = NULL;
	128
	129	return 1;
	130	}
	131
d3070fbd	132	static int map_string_field(const char field, const char p, struct iovec iov, size_t n_iov_allocated, size_t *n_iov) {
78fe420f LP	133	return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, false);
	134	}
	135
d3070fbd	136	static int map_string_field_printable(const char field, const char p, struct iovec iov, size_t n_iov_allocated, size_t *n_iov) {
78fe420f LP	137	return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, true);
	138	}
	139
d3070fbd	140	static int map_generic_field(const char prefix, const char p, struct iovec iov, size_t n_iov_allocated, size_t *n_iov) {
875c2e22 LP	141	const char e, f;
	142	char c, t;
	143	int r;
	144
	145	/* Implements fallback mappings for all fields we don't know */
	146
	147	for (e = p; e < p + 16; e++) {
	148
4c701096	149	if (IN_SET(*e, 0, ' '))
875c2e22 LP	150	return 0;
	151
	152	if (*e == '=')
	153	break;
	154
	155	if (!((e >= 'a' && e <= 'z') \|\|
	156	(e >= 'A' && e <= 'Z') \|\|
	157	(e >= '0' && e <= '9') \|\|
4c701096	158	IN_SET(*e, '_', '-')))
875c2e22 LP	159	return 0;
	160	}
	161
	162	if (e <= p \|\| e >= p + 16)
	163	return 0;
	164
6e9417f5	165	c = newa(char, strlen(prefix) + (e - *p) + 2);
875c2e22 LP	166
875c2e22 LP	167	t = stpcpy(c, prefix);
9833a66c LP	168	for (f = *p; f < e; f++) {
	169	char x;
	170
	171	if (f >= 'a' && f <= 'z')
	172	x = (f - 'a') + 'A'; / uppercase */
	173	else if (*f == '-')
	174	x = '_'; /* dashes → underscores */
	175	else
	176	x = *f;
	177
	178	*(t++) = x;
	179	}
875c2e22 LP	180	strcpy(t, "=");
875c2e22 LP	181
313cefa1	182	e++;
875c2e22 LP	183
	184	r = map_simple_field(c, &e, iov, n_iov_allocated, n_iov);
	185	if (r < 0)
	186	return r;
	187
	188	*p = e;
	189	return r;
	190	}
	191
f131770b	192	/* Kernel fields are those occurring in the audit string before
875c2e22 LP	193	* msg='. All of these fields are trusted, hence carry the "_" prefix.
	194	* We try to translate the fields we know into our native names. The
	195	* other's are generically mapped to _AUDIT_FIELD_XYZ= */
	196	static const MapField map_fields_kernel[] = {
	197
	198	/* First, we map certain well-known audit fields into native
	199	* well-known fields */
500cbc4e LP	200	{ "pid=", "_PID=", map_simple_field },
	201	{ "ppid=", "_PPID=", map_simple_field },
	202	{ "uid=", "_UID=", map_simple_field },
	203	{ "euid=", "_EUID=", map_simple_field },
	204	{ "fsuid=", "_FSUID=", map_simple_field },
	205	{ "gid=", "_GID=", map_simple_field },
	206	{ "egid=", "_EGID=", map_simple_field },
	207	{ "fsgid=", "_FSGID=", map_simple_field },
	208	{ "tty=", "_TTY=", map_simple_field },
	209	{ "ses=", "_AUDIT_SESSION=", map_simple_field },
	210	{ "auid=", "_AUDIT_LOGINUID=", map_simple_field },
	211	{ "subj=", "_SELINUX_CONTEXT=", map_simple_field },
	212	{ "comm=", "_COMM=", map_string_field },
	213	{ "exe=", "_EXE=", map_string_field },
	214	{ "proctitle=", "_CMDLINE=", map_string_field_printable },
875c2e22 LP	215
	216	/* Some fields don't map to native well-known fields. However,
	217	* we know that they are string fields, hence let's undo
	218	* string field escaping for them, though we stick to the
	219	* generic field names. */
500cbc4e LP	220	{ "path=", "_AUDIT_FIELD_PATH=", map_string_field },
	221	{ "dev=", "_AUDIT_FIELD_DEV=", map_string_field },
	222	{ "name=", "_AUDIT_FIELD_NAME=", map_string_field },
875c2e22 LP	223	{}
	224	};
	225
f131770b	226	/* Userspace fields are those occurring in the audit string after
875c2e22 LP	227	* msg='. All of these fields are untrusted, hence carry no "_"
	228	* prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
	229	static const MapField map_fields_userspace[] = {
500cbc4e LP	230	{ "cwd=", "AUDIT_FIELD_CWD=", map_string_field },
	231	{ "cmd=", "AUDIT_FIELD_CMD=", map_string_field },
	232	{ "acct=", "AUDIT_FIELD_ACCT=", map_string_field },
	233	{ "exe=", "AUDIT_FIELD_EXE=", map_string_field },
	234	{ "comm=", "AUDIT_FIELD_COMM=", map_string_field },
875c2e22 LP	235	{}
	236	};
	237
	238	static int map_all_fields(
	239	const char *p,
	240	const MapField map_fields[],
	241	const char *prefix,
	242	bool handle_msg,
	243	struct iovec **iov,
	244	size_t *n_iov_allocated,
d3070fbd	245	size_t *n_iov) {
875c2e22 LP	246
	247	int r;
	248
	249	assert(p);
	250	assert(iov);
	251	assert(n_iov_allocated);
	252	assert(n_iov);
	253
	254	for (;;) {
	255	bool mapped = false;
	256	const MapField *m;
	257	const char *v;
	258
	259	p += strspn(p, WHITESPACE);
	260
	261	if (*p == 0)
	262	return 0;
	263
	264	if (handle_msg) {
	265	v = startswith(p, "msg='");
	266	if (v) {
6d946490	267	_cleanup_free_ char *c = NULL;
875c2e22	268	const char *e;
875c2e22 LP	269
	270	/* Userspace message. It's enclosed in
	271	simple quotation marks, is not
	272	escaped, but the last field in the
	273	line, hence let's remove the
	274	quotation mark, and apply the
	275	userspace mapping instead of the
	276	kernel mapping. */
	277
	278	e = endswith(v, "'");
	279	if (!e)
	280	return 0; /* don't continue splitting up if the final quotation mark is missing */
	281
6d946490 YW	282	c = strndup(v, e - v);
	283	if (!c)
	284	return -ENOMEM;
	285
875c2e22 LP	286	return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iov, n_iov_allocated, n_iov);
	287	}
	288	}
	289
	290	/* Try to map the kernel fields to our own names */
	291	for (m = map_fields; m->audit_field; m++) {
	292	v = startswith(p, m->audit_field);
	293	if (!v)
	294	continue;
	295
	296	r = m->map(m->journal_field, &v, iov, n_iov_allocated, n_iov);
23bbb0de MS	297	if (r < 0)
23bbb0de MS	298	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22 LP	299
	300	if (r > 0) {
	301	mapped = true;
	302	p = v;
	303	break;
	304	}
	305	}
	306
	307	if (!mapped) {
	308	r = map_generic_field(prefix, &p, iov, n_iov_allocated, n_iov);
23bbb0de MS	309	if (r < 0)
23bbb0de MS	310	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22	311
ece174c5	312	if (r == 0)
875c2e22 LP	313	/* Couldn't process as generic field, let's just skip over it */
875c2e22 LP	314	p += strcspn(p, WHITESPACE);
875c2e22 LP	315	}
	316	}
	317	}
	318
090a20cf	319	void process_audit_string(Server s, int type, const char data, size_t size) {
d3070fbd	320	size_t n_iov_allocated = 0, n_iov = 0, z;
875c2e22	321	_cleanup_free_ struct iovec *iov = NULL;
875c2e22	322	uint64_t seconds, msec, id;
8bb3626d	323	const char p, type_name;
875c2e22 LP	324	char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
	325	type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
	326	source_time_field[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
14c1abcc	327	char m, type_field_name;
d3070fbd	328	int k;
875c2e22 LP	329
	330	assert(s);
	331
	332	if (size <= 0)
	333	return;
	334
	335	if (!data)
	336	return;
	337
	338	/* Note that the input buffer is NUL terminated, but let's
	339	* check whether there is a spurious NUL byte */
	340	if (memchr(data, 0, size))
	341	return;
	342
	343	p = startswith(data, "audit");
	344	if (!p)
	345	return;
	346
1dab14ab	347	k = 0;
1fa2f38f	348	if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
875c2e22 LP	349	&seconds,
	350	&msec,
	351	&id,
1dab14ab	352	&k) != 3 \|\| k == 0)
875c2e22 LP	353	return;
	354
	355	p += k;
5034c7bc LP	356	p += strspn(p, WHITESPACE);
	357
	358	if (isempty(p))
	359	return;
875c2e22	360
14c1abcc	361	n_iov_allocated = N_IOVEC_META_FIELDS + 8;
875c2e22 LP	362	iov = new(struct iovec, n_iov_allocated);
	363	if (!iov) {
	364	log_oom();
	365	return;
	366	}
	367
e6a7ec4b	368	iov[n_iov++] = IOVEC_MAKE_STRING("_TRANSPORT=audit");
875c2e22 LP	369
	370	sprintf(source_time_field, "_SOURCE_REALTIME_TIMESTAMP=%" PRIu64,
	371	(usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC);
e6a7ec4b	372	iov[n_iov++] = IOVEC_MAKE_STRING(source_time_field);
875c2e22 LP	373
875c2e22 LP	374	sprintf(type_field, "_AUDIT_TYPE=%i", type);
e6a7ec4b	375	iov[n_iov++] = IOVEC_MAKE_STRING(type_field);
875c2e22 LP	376
875c2e22 LP	377	sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
e6a7ec4b	378	iov[n_iov++] = IOVEC_MAKE_STRING(id_field);
875c2e22	379
d6f4302b	380	assert_cc(4 == LOG_FAC(LOG_AUTH));
e6a7ec4b LP	381	iov[n_iov++] = IOVEC_MAKE_STRING("SYSLOG_FACILITY=4");
e6a7ec4b LP	382	iov[n_iov++] = IOVEC_MAKE_STRING("SYSLOG_IDENTIFIER=audit");
cd556b6c	383
8bb3626d ZJS	384	type_name = audit_type_name_alloca(type);
8bb3626d ZJS	385
14c1abcc JR	386	type_field_name = strjoina("_AUDIT_TYPE_NAME=", type_name);
	387	iov[n_iov++] = IOVEC_MAKE_STRING(type_field_name);
	388
8bb3626d	389	m = strjoina("MESSAGE=", type_name, " ", p);
e6a7ec4b	390	iov[n_iov++] = IOVEC_MAKE_STRING(m);
875c2e22 LP	391
	392	z = n_iov;
	393
	394	map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, &iov, &n_iov_allocated, &n_iov);
	395
	396	if (!GREEDY_REALLOC(iov, n_iov_allocated, n_iov + N_IOVEC_META_FIELDS)) {
	397	log_oom();
	398	goto finish;
	399	}
	400
22e3a02b	401	server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, NULL, LOG_NOTICE, 0);
875c2e22 LP	402
	403	finish:
	404	/* free() all entries that map_all_fields() added. All others
	405	* are allocated on the stack or are constant. */
	406
	407	for (; z < n_iov; z++)
	408	free(iov[z].iov_base);
	409	}
	410
	411	void server_process_audit_message(
	412	Server *s,
	413	const void *buffer,
	414	size_t buffer_size,
	415	const struct ucred *ucred,
875c2e22 LP	416	const union sockaddr_union *sa,
	417	socklen_t salen) {
	418
	419	const struct nlmsghdr *nl = buffer;
	420
	421	assert(s);
	422
	423	if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
	424	return;
	425
	426	assert(buffer);
	427
	428	/* Filter out fake data */
	429	if (!sa \|\|
	430	salen != sizeof(struct sockaddr_nl) \|\|
	431	sa->nl.nl_family != AF_NETLINK \|\|
	432	sa->nl.nl_pid != 0) {
	433	log_debug("Audit netlink message from invalid sender.");
	434	return;
	435	}
	436
	437	if (!ucred \|\| ucred->pid != 0) {
	438	log_debug("Audit netlink message with invalid credentials.");
	439	return;
	440	}
	441
	442	if (!NLMSG_OK(nl, buffer_size)) {
	443	log_error("Audit netlink message truncated.");
	444	return;
	445	}
	446
	447	/* Ignore special Netlink messages */
	448	if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
	449	return;
	450
5238e957	451	/* Except AUDIT_USER, all messages below AUDIT_FIRST_USER_MSG are control messages, let's ignore those */
ed563b60	452	if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG && nl->nlmsg_type != AUDIT_USER)
875c2e22 LP	453	return;
875c2e22 LP	454
0b97208d	455	process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
875c2e22 LP	456	}
875c2e22 LP	457
4d9ced99 LP	458	static int enable_audit(int fd, bool b) {
	459	struct {
	460	union {
	461	struct nlmsghdr header;
	462	uint8_t header_space[NLMSG_HDRLEN];
	463	};
	464	struct audit_status body;
	465	} _packed_ request = {
	466	.header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	467	.header.nlmsg_type = AUDIT_SET,
	468	.header.nlmsg_flags = NLM_F_REQUEST,
	469	.header.nlmsg_seq = 1,
	470	.header.nlmsg_pid = 0,
	471	.body.mask = AUDIT_STATUS_ENABLED,
	472	.body.enabled = b,
	473	};
	474	union sockaddr_union sa = {
	475	.nl.nl_family = AF_NETLINK,
	476	.nl.nl_pid = 0,
	477	};
	478	struct iovec iovec = {
	479	.iov_base = &request,
	480	.iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	481	};
	482	struct msghdr mh = {
	483	.msg_iov = &iovec,
	484	.msg_iovlen = 1,
	485	.msg_name = &sa.sa,
	486	.msg_namelen = sizeof(sa.nl),
	487	};
	488
	489	ssize_t n;
	490
	491	n = sendmsg(fd, &mh, MSG_NOSIGNAL);
	492	if (n < 0)
	493	return -errno;
	494	if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
	495	return -EIO;
	496
	497	/* We don't wait for the result here, we can't do anything
	498	* about it anyway */
	499
	500	return 0;
	501	}
	502
875c2e22	503	int server_open_audit(Server *s) {
875c2e22 LP	504	int r;
	505
	506	if (s->audit_fd < 0) {
	507	static const union sockaddr_union sa = {
	508	.nl.nl_family = AF_NETLINK,
	509	.nl.nl_pid = 0,
	510	.nl.nl_groups = AUDIT_NLGRP_READLOG,
	511	};
	512
	513	s->audit_fd = socket(AF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_AUDIT);
	514	if (s->audit_fd < 0) {
3742095b	515	if (IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
875c2e22 LP	516	log_debug("Audit not supported in the kernel.");
875c2e22 LP	517	else
56f64d95	518	log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
875c2e22 LP	519
	520	return 0;
	521	}
	522
417a7fdc LP	523	if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
	524	log_warning_errno(errno,
	525	"Failed to join audit multicast group. "
	526	"The kernel is probably too old or multicast reading is not supported. "
	527	"Ignoring: %m");
	528	s->audit_fd = safe_close(s->audit_fd);
	529	return 0;
	530	}
875c2e22	531	} else
48440643	532	(void) fd_nonblock(s->audit_fd, true);
875c2e22	533
2ff48e98	534	r = setsockopt_int(s->audit_fd, SOL_SOCKET, SO_PASSCRED, true);
4a62c710	535	if (r < 0)
2ff48e98	536	return log_error_errno(r, "Failed to set SO_PASSCRED on audit socket: %m");
875c2e22	537
8531ae70	538	r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
23bbb0de MS	539	if (r < 0)
23bbb0de MS	540	return log_error_errno(r, "Failed to add audit fd to event loop: %m");
875c2e22	541
4d9ced99 LP	542	/* We are listening now, try to enable audit */
	543	r = enable_audit(s->audit_fd, true);
	544	if (r < 0)
da927ba9	545	log_warning_errno(r, "Failed to issue audit enable call: %m");
4d9ced99	546
875c2e22 LP	547	return 0;
875c2e22 LP	548	}