[thirdparty/systemd.git] / src / journal / journald-audit.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <malloc.h>

#include "alloc-util.h"
#include "audit-type.h"
#include "errno-util.h"
#include "fd-util.h"
#include "hexdecoct.h"
#include "iovec-util.h"
#include "journal-internal.h"
#include "journald-audit.h"
#include "missing_audit.h"
#include "string-util.h"

typedef struct MapField {
        const char *audit_field;
        const char *journal_field;
        int (*map)(const char *field, const char **p, struct iovec *iovec, size_t *n);
} MapField;

static int map_simple_field(
                const char *field,
                const char **p,
                struct iovec *iovec,
                size_t *n) {

        _cleanup_free_ char *c = NULL;
        size_t l = 0;
        const char *e;

        assert(field);
        assert(p);
        assert(iovec);
        assert(n);

        l = strlen(field);
        c = malloc(l + 1);
        if (!c)
                return -ENOMEM;

        memcpy(c, field, l);
        for (e = *p; !IN_SET(*e, 0, ' '); e++) {
                if (!GREEDY_REALLOC(c, l+2))
                        return -ENOMEM;

                c[l++] = *e;
        }

        c[l] = 0;

        iovec[(*n)++] = IOVEC_MAKE(c, l);

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field_internal(
                const char *field,
                const char **p,
                struct iovec *iovec,
                size_t *n,
                bool filter_printable) {

        _cleanup_free_ char *c = NULL;
        const char *s, *e;
        size_t l;

        assert(field);
        assert(p);
        assert(iovec);
        assert(n);

        /* The kernel formats string fields in one of two formats. */

        if (**p == '"') {
                /* Normal quoted syntax */
                s = *p + 1;
                e = strchr(s, '"');
                if (!e)
                        return 0;

                l = strlen(field) + (e - s);
                c = malloc(l+1);
                if (!c)
                        return -ENOMEM;

                *((char*) mempcpy(stpcpy(c, field), s, e - s)) = 0;

                e += 1;

        } else if (unhexchar(**p) >= 0) {
                /* Hexadecimal escaping */
                l = strlen(field);
                c = malloc(l + 2);
                if (!c)
                        return -ENOMEM;

                memcpy(c, field, l);
                for (e = *p; !IN_SET(*e, 0, ' '); e += 2) {
                        int a, b;
                        uint8_t x;

                        a = unhexchar(e[0]);
                        if (a < 0)
                                return 0;

                        b = unhexchar(e[1]);
                        if (b < 0)
                                return 0;

                        x = ((uint8_t) a << 4 | (uint8_t) b);

                        if (filter_printable && x < (uint8_t) ' ')
                                x = (uint8_t) ' ';

                        if (!GREEDY_REALLOC(c, l+2))
                                return -ENOMEM;

                        c[l++] = (char) x;
                }

                c[l] = 0;
        } else
                return 0;

        iovec[(*n)++] = IOVEC_MAKE(c, l);

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field(const char *field, const char **p, struct iovec *iovec, size_t *n) {
        return map_string_field_internal(field, p, iovec, n, false);
}

static int map_string_field_printable(const char *field, const char **p, struct iovec *iovec, size_t *n) {
        return map_string_field_internal(field, p, iovec, n, true);
}

static int map_generic_field(
                const char *prefix,
                const char **p,
                struct iovec *iovec,
                size_t *n) {

        const char *e, *f;
        char *c, *t;
        int r;

        /* Implements fallback mappings for all fields we don't know */

        for (e = *p; e < *p + 16; e++) {

                if (IN_SET(*e, 0, ' '))
                        return 0;

                if (*e == '=')
                        break;

                if (!(ascii_isalpha(*e) ||
                      ascii_isdigit(*e) ||
                      IN_SET(*e, '_', '-')))
                        return 0;
        }

        if (e <= *p || e >= *p + 16)
                return 0;

        c = newa(char, strlen(prefix) + (e - *p) + 2);

        t = stpcpy(c, prefix);
        for (f = *p; f < e; f++) {
                char x;

                if (*f >= 'a' && *f <= 'z')
                        x = (*f - 'a') + 'A'; /* uppercase */
                else if (*f == '-')
                        x = '_'; /* dashes → underscores */
                else
                        x = *f;

                *(t++) = x;
        }
        strcpy(t, "=");

        e++;

        r = map_simple_field(c, &e, iovec, n);
        if (r < 0)
                return r;

        *p = e;
        return r;
}

/* Kernel fields are those occurring in the audit string before
 * msg='. All of these fields are trusted, hence carry the "_" prefix.
 * We try to translate the fields we know into our native names. The
 * other's are generically mapped to _AUDIT_FIELD_XYZ= */
static const MapField map_fields_kernel[] = {

        /* First, we map certain well-known audit fields into native
         * well-known fields */
        { "pid=",       "_PID=",              map_simple_field },
        { "ppid=",      "_PPID=",             map_simple_field },
        { "uid=",       "_UID=",              map_simple_field },
        { "euid=",      "_EUID=",             map_simple_field },
        { "fsuid=",     "_FSUID=",            map_simple_field },
        { "gid=",       "_GID=",              map_simple_field },
        { "egid=",      "_EGID=",             map_simple_field },
        { "fsgid=",     "_FSGID=",            map_simple_field },
        { "tty=",       "_TTY=",              map_simple_field },
        { "ses=",       "_AUDIT_SESSION=",    map_simple_field },
        { "auid=",      "_AUDIT_LOGINUID=",   map_simple_field },
        { "subj=",      "_SELINUX_CONTEXT=",  map_simple_field },
        { "comm=",      "_COMM=",             map_string_field },
        { "exe=",       "_EXE=",              map_string_field },
        { "proctitle=", "_CMDLINE=",          map_string_field_printable },

        /* Some fields don't map to native well-known fields. However,
         * we know that they are string fields, hence let's undo
         * string field escaping for them, though we stick to the
         * generic field names. */
        { "path=",      "_AUDIT_FIELD_PATH=", map_string_field },
        { "dev=",       "_AUDIT_FIELD_DEV=",  map_string_field },
        { "name=",      "_AUDIT_FIELD_NAME=", map_string_field },
        {}
};

/* Userspace fields are those occurring in the audit string after
 * msg='. All of these fields are untrusted, hence carry no "_"
 * prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
static const MapField map_fields_userspace[] = {
        { "cwd=",       "AUDIT_FIELD_CWD=",   map_string_field },
        { "cmd=",       "AUDIT_FIELD_CMD=",   map_string_field },
        { "acct=",      "AUDIT_FIELD_ACCT=",  map_string_field },
        { "exe=",       "AUDIT_FIELD_EXE=",   map_string_field },
        { "comm=",      "AUDIT_FIELD_COMM=",  map_string_field },
        {}
};

static int map_all_fields(
                const char *p,
                const MapField map_fields[],
                const char *prefix,
                bool handle_msg,
                struct iovec *iovec,
                size_t *n,
                size_t m) {

        int r;

        assert(p);
        assert(iovec);
        assert(n);

        for (;;) {
                bool mapped = false;
                const MapField *mf;
                const char *v;

                if (*n >= m) {
                        log_debug(
                                "More fields in audit message than audit field limit (%i), skipping remaining fields",
                                N_IOVEC_AUDIT_FIELDS);
                        return 0;
                }

                p += strspn(p, WHITESPACE);

                if (*p == 0)
                        return 0;

                if (handle_msg) {
                        v = startswith(p, "msg='");
                        if (v) {
                                _cleanup_free_ char *c = NULL;
                                const char *e;

                                /* Userspace message. It's enclosed in
                                   simple quotation marks, is not
                                   escaped, but the last field in the
                                   line, hence let's remove the
                                   quotation mark, and apply the
                                   userspace mapping instead of the
                                   kernel mapping. */

                                e = endswith(v, "'");
                                if (!e)
                                        return 0; /* don't continue splitting up if the final quotation mark is missing */

                                c = strndup(v, e - v);
                                if (!c)
                                        return -ENOMEM;

                                return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iovec, n, m);
                        }
                }

                /* Try to map the kernel fields to our own names */
                for (mf = map_fields; mf->audit_field; mf++) {
                        v = startswith(p, mf->audit_field);
                        if (!v)
                                continue;

                        r = mf->map(mf->journal_field, &v, iovec, n);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r > 0) {
                                mapped = true;
                                p = v;
                                break;
                        }
                }

                if (!mapped) {
                        r = map_generic_field(prefix, &p, iovec, n);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r == 0)
                                /* Couldn't process as generic field, let's just skip over it */
                                p += strcspn(p, WHITESPACE);
                }
        }
}

void process_audit_string(Server *s, int type, const char *data, size_t size) {
        size_t n = 0, z;
        uint64_t seconds, msec, id;
        const char *p, *type_name;
        char id_field[STRLEN("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
                type_field[STRLEN("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)];
        struct iovec iovec[N_IOVEC_META_FIELDS + 7 + N_IOVEC_AUDIT_FIELDS];
        char *m, *type_field_name;
        int k;

        assert(s);

        if (size <= 0)
                return;

        if (!data)
                return;

        /* Note that the input buffer is NUL terminated, but let's
         * check whether there is a spurious NUL byte */
        if (memchr(data, 0, size))
                return;

        p = startswith(data, "audit");
        if (!p)
                return;

        k = 0;
        if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
                   &seconds,
                   &msec,
                   &id,
                   &k) != 3 || k == 0)
                return;

        p += k;
        p += strspn(p, WHITESPACE);

        if (isempty(p))
                return;

        iovec[n++] = IOVEC_MAKE_STRING("_TRANSPORT=audit");

        xsprintf(type_field, "_AUDIT_TYPE=%i", type);
        iovec[n++] = IOVEC_MAKE_STRING(type_field);

        xsprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
        iovec[n++] = IOVEC_MAKE_STRING(id_field);

        assert_cc(4 == LOG_FAC(LOG_AUTH));
        iovec[n++] = IOVEC_MAKE_STRING("SYSLOG_FACILITY=4");
        iovec[n++] = IOVEC_MAKE_STRING("SYSLOG_IDENTIFIER=audit");

        type_name = audit_type_name_alloca(type);

        type_field_name = strjoina("_AUDIT_TYPE_NAME=", type_name);
        iovec[n++] = IOVEC_MAKE_STRING(type_field_name);

        m = strjoina("MESSAGE=", type_name, " ", p);
        iovec[n++] = IOVEC_MAKE_STRING(m);

        z = n;

        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);

        server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL,
                                TIMEVAL_STORE((usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC),
                                LOG_NOTICE, 0);

        /* free() all entries that map_all_fields() added. All others
         * are allocated on the stack or are constant. */

        for (; z < n; z++)
                free(iovec[z].iov_base);
}

void server_process_audit_message(
                Server *s,
                const void *buffer,
                size_t buffer_size,
                const struct ucred *ucred,
                const union sockaddr_union *sa,
                socklen_t salen) {

        const struct nlmsghdr *nl = buffer;

        assert(s);

        if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
                return;

        assert(buffer);

        /* Filter out fake data */
        if (!sa ||
            salen != sizeof(struct sockaddr_nl) ||
            sa->nl.nl_family != AF_NETLINK ||
            sa->nl.nl_pid != 0) {
                log_debug("Audit netlink message from invalid sender.");
                return;
        }

        if (!ucred || ucred->pid != 0) {
                log_debug("Audit netlink message with invalid credentials.");
                return;
        }

        if (!NLMSG_OK(nl, buffer_size)) {
                log_ratelimit_error(JOURNAL_LOG_RATELIMIT, "Audit netlink message truncated.");
                return;
        }

        /* Ignore special Netlink messages */
        if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
                return;

        /* Except AUDIT_USER, all messages below AUDIT_FIRST_USER_MSG are control messages, let's ignore those */
        if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG && nl->nlmsg_type != AUDIT_USER)
                return;

        process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
}

static int enable_audit(int fd, bool b) {
        struct {
                union {
                        struct nlmsghdr header;
                        uint8_t header_space[NLMSG_HDRLEN];
                };
                struct audit_status body;
        } _packed_ request = {
                .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
                .header.nlmsg_type = AUDIT_SET,
                .header.nlmsg_flags = NLM_F_REQUEST,
                .header.nlmsg_seq = 1,
                .header.nlmsg_pid = 0,
                .body.mask = AUDIT_STATUS_ENABLED,
                .body.enabled = b,
        };
        union sockaddr_union sa = {
                .nl.nl_family = AF_NETLINK,
                .nl.nl_pid = 0,
        };
        struct iovec iovec = {
                .iov_base = &request,
                .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
        };
        struct msghdr mh = {
                .msg_iov = &iovec,
                .msg_iovlen = 1,
                .msg_name = &sa.sa,
                .msg_namelen = sizeof(sa.nl),
        };

        ssize_t n;

        n = sendmsg(fd, &mh, MSG_NOSIGNAL);
        if (n < 0)
                return -errno;
        if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
                return -EIO;

        /* We don't wait for the result here, we can't do anything
         * about it anyway */

        return 0;
}

int server_open_audit(Server *s) {
        int r;

        if (s->audit_fd < 0) {
                static const union sockaddr_union sa = {
                        .nl.nl_family = AF_NETLINK,
                        .nl.nl_pid    = 0,
                        .nl.nl_groups = AUDIT_NLGRP_READLOG,
                };

                s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                if (s->audit_fd < 0) {
                        if (ERRNO_IS_NOT_SUPPORTED(errno))
                                log_debug("Audit not supported in the kernel.");
                        else
                                log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");

                        return 0;
                }

                if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
                        log_warning_errno(errno,
                                          "Failed to join audit multicast group. "
                                          "The kernel is probably too old or multicast reading is not supported. "
                                          "Ignoring: %m");
                        s->audit_fd = safe_close(s->audit_fd);
                        return 0;
                }
        } else
                (void) fd_nonblock(s->audit_fd, true);

        r = setsockopt_int(s->audit_fd, SOL_SOCKET, SO_PASSCRED, true);
        if (r < 0)
                return log_error_errno(r, "Failed to set SO_PASSCRED on audit socket: %m");

        r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
        if (r < 0)
                return log_error_errno(r, "Failed to add audit fd to event loop: %m");

        if (s->set_audit >= 0) {
                /* We are listening now, try to enable audit if configured so */
                r = enable_audit(s->audit_fd, s->set_audit);
                if (r < 0)
                        log_warning_errno(r, "Failed to issue audit enable call: %m");
                else if (s->set_audit > 0)
                        log_debug("Auditing in kernel turned on.");
                else
                        log_debug("Auditing in kernel turned off.");
        }

        return 0;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
875c2e22	2
319a4f4b LP	3	#include <malloc.h>
319a4f4b LP	4
b5efdb8a	5	#include "alloc-util.h"
07630cea	6	#include "audit-type.h"
0648f9be	7	#include "errno-util.h"
3ffd4af2	8	#include "fd-util.h"
afc5dbf3	9	#include "hexdecoct.h"
bd1ae178	10	#include "iovec-util.h"
d9799ea2	11	#include "journal-internal.h"
3ffd4af2	12	#include "journald-audit.h"
f5947a5e	13	#include "missing_audit.h"
07630cea	14	#include "string-util.h"
875c2e22 LP	15
	16	typedef struct MapField {
	17	const char *audit_field;
	18	const char *journal_field;
66e2bb28	19	int (map)(const char field, const char *p, struct iovec iovec, size_t *n);
875c2e22 LP	20	} MapField;
875c2e22 LP	21
319a4f4b LP	22	static int map_simple_field(
	23	const char *field,
	24	const char **p,
66e2bb28	25	struct iovec *iovec,
4cdb970b	26	size_t *n) {
319a4f4b	27
875c2e22	28	_cleanup_free_ char *c = NULL;
319a4f4b	29	size_t l = 0;
875c2e22 LP	30	const char *e;
	31
	32	assert(field);
	33	assert(p);
4cdb970b DDM	34	assert(iovec);
4cdb970b DDM	35	assert(n);
875c2e22 LP	36
875c2e22 LP	37	l = strlen(field);
319a4f4b	38	c = malloc(l + 1);
875c2e22 LP	39	if (!c)
	40	return -ENOMEM;
	41
	42	memcpy(c, field, l);
4c701096	43	for (e = p; !IN_SET(e, 0, ' '); e++) {
319a4f4b	44	if (!GREEDY_REALLOC(c, l+2))
875c2e22 LP	45	return -ENOMEM;
	46
	47	c[l++] = *e;
	48	}
	49
	50	c[l] = 0;
	51
66e2bb28	52	iovec[(*n)++] = IOVEC_MAKE(c, l);
875c2e22 LP	53
	54	*p = e;
	55	c = NULL;
	56
	57	return 1;
	58	}
	59
319a4f4b LP	60	static int map_string_field_internal(
	61	const char *field,
	62	const char **p,
66e2bb28	63	struct iovec *iovec,
4cdb970b	64	size_t *n,
319a4f4b LP	65	bool filter_printable) {
319a4f4b LP	66
875c2e22 LP	67	_cleanup_free_ char *c = NULL;
	68	const char s, e;
	69	size_t l;
	70
	71	assert(field);
	72	assert(p);
4cdb970b DDM	73	assert(iovec);
4cdb970b DDM	74	assert(n);
875c2e22 LP	75
	76	/* The kernel formats string fields in one of two formats. */
	77
	78	if (**p == '"') {
	79	/* Normal quoted syntax */
	80	s = *p + 1;
	81	e = strchr(s, '"');
	82	if (!e)
	83	return 0;
	84
	85	l = strlen(field) + (e - s);
	86	c = malloc(l+1);
	87	if (!c)
	88	return -ENOMEM;
	89
	90	((char) mempcpy(stpcpy(c, field), s, e - s)) = 0;
	91
	92	e += 1;
	93
	94	} else if (unhexchar(**p) >= 0) {
	95	/* Hexadecimal escaping */
875c2e22	96	l = strlen(field);
319a4f4b	97	c = malloc(l + 2);
875c2e22 LP	98	if (!c)
	99	return -ENOMEM;
	100
	101	memcpy(c, field, l);
4c701096	102	for (e = p; !IN_SET(e, 0, ' '); e += 2) {
875c2e22	103	int a, b;
78fe420f	104	uint8_t x;
875c2e22 LP	105
	106	a = unhexchar(e[0]);
	107	if (a < 0)
	108	return 0;
	109
	110	b = unhexchar(e[1]);
	111	if (b < 0)
	112	return 0;
	113
78fe420f LP	114	x = ((uint8_t) a << 4 \| (uint8_t) b);
	115
	116	if (filter_printable && x < (uint8_t) ' ')
	117	x = (uint8_t) ' ';
	118
319a4f4b	119	if (!GREEDY_REALLOC(c, l+2))
875c2e22 LP	120	return -ENOMEM;
875c2e22 LP	121
78fe420f	122	c[l++] = (char) x;
875c2e22 LP	123	}
	124
	125	c[l] = 0;
	126	} else
	127	return 0;
	128
66e2bb28	129	iovec[(*n)++] = IOVEC_MAKE(c, l);
875c2e22 LP	130
	131	*p = e;
	132	c = NULL;
	133
	134	return 1;
	135	}
	136
66e2bb28	137	static int map_string_field(const char field, const char p, struct iovec iovec, size_t *n) {
4cdb970b	138	return map_string_field_internal(field, p, iovec, n, false);
78fe420f LP	139	}
78fe420f LP	140
66e2bb28	141	static int map_string_field_printable(const char field, const char p, struct iovec iovec, size_t *n) {
4cdb970b	142	return map_string_field_internal(field, p, iovec, n, true);
78fe420f LP	143	}
78fe420f LP	144
319a4f4b LP	145	static int map_generic_field(
	146	const char *prefix,
	147	const char **p,
66e2bb28	148	struct iovec *iovec,
4cdb970b	149	size_t *n) {
319a4f4b	150
875c2e22 LP	151	const char e, f;
	152	char c, t;
	153	int r;
	154
	155	/* Implements fallback mappings for all fields we don't know */
	156
	157	for (e = p; e < p + 16; e++) {
	158
4c701096	159	if (IN_SET(*e, 0, ' '))
875c2e22 LP	160	return 0;
	161
	162	if (*e == '=')
	163	break;
	164
ff25d338 LP	165	if (!(ascii_isalpha(*e) \|\|
ff25d338 LP	166	ascii_isdigit(*e) \|\|
4c701096	167	IN_SET(*e, '_', '-')))
875c2e22 LP	168	return 0;
	169	}
	170
	171	if (e <= p \|\| e >= p + 16)
	172	return 0;
	173
6e9417f5	174	c = newa(char, strlen(prefix) + (e - *p) + 2);
875c2e22 LP	175
875c2e22 LP	176	t = stpcpy(c, prefix);
9833a66c LP	177	for (f = *p; f < e; f++) {
	178	char x;
	179
	180	if (f >= 'a' && f <= 'z')
	181	x = (f - 'a') + 'A'; / uppercase */
	182	else if (*f == '-')
	183	x = '_'; /* dashes → underscores */
	184	else
	185	x = *f;
	186
	187	*(t++) = x;
	188	}
875c2e22 LP	189	strcpy(t, "=");
875c2e22 LP	190
313cefa1	191	e++;
875c2e22	192
4cdb970b	193	r = map_simple_field(c, &e, iovec, n);
875c2e22 LP	194	if (r < 0)
	195	return r;
	196
	197	*p = e;
	198	return r;
	199	}
	200
f131770b	201	/* Kernel fields are those occurring in the audit string before
875c2e22 LP	202	* msg='. All of these fields are trusted, hence carry the "_" prefix.
	203	* We try to translate the fields we know into our native names. The
	204	* other's are generically mapped to _AUDIT_FIELD_XYZ= */
	205	static const MapField map_fields_kernel[] = {
	206
	207	/* First, we map certain well-known audit fields into native
	208	* well-known fields */
500cbc4e LP	209	{ "pid=", "_PID=", map_simple_field },
	210	{ "ppid=", "_PPID=", map_simple_field },
	211	{ "uid=", "_UID=", map_simple_field },
	212	{ "euid=", "_EUID=", map_simple_field },
	213	{ "fsuid=", "_FSUID=", map_simple_field },
	214	{ "gid=", "_GID=", map_simple_field },
	215	{ "egid=", "_EGID=", map_simple_field },
	216	{ "fsgid=", "_FSGID=", map_simple_field },
	217	{ "tty=", "_TTY=", map_simple_field },
	218	{ "ses=", "_AUDIT_SESSION=", map_simple_field },
	219	{ "auid=", "_AUDIT_LOGINUID=", map_simple_field },
	220	{ "subj=", "_SELINUX_CONTEXT=", map_simple_field },
	221	{ "comm=", "_COMM=", map_string_field },
	222	{ "exe=", "_EXE=", map_string_field },
	223	{ "proctitle=", "_CMDLINE=", map_string_field_printable },
875c2e22 LP	224
	225	/* Some fields don't map to native well-known fields. However,
	226	* we know that they are string fields, hence let's undo
	227	* string field escaping for them, though we stick to the
	228	* generic field names. */
500cbc4e LP	229	{ "path=", "_AUDIT_FIELD_PATH=", map_string_field },
	230	{ "dev=", "_AUDIT_FIELD_DEV=", map_string_field },
	231	{ "name=", "_AUDIT_FIELD_NAME=", map_string_field },
875c2e22 LP	232	{}
	233	};
	234
f131770b	235	/* Userspace fields are those occurring in the audit string after
875c2e22 LP	236	* msg='. All of these fields are untrusted, hence carry no "_"
	237	* prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
	238	static const MapField map_fields_userspace[] = {
500cbc4e LP	239	{ "cwd=", "AUDIT_FIELD_CWD=", map_string_field },
	240	{ "cmd=", "AUDIT_FIELD_CMD=", map_string_field },
	241	{ "acct=", "AUDIT_FIELD_ACCT=", map_string_field },
	242	{ "exe=", "AUDIT_FIELD_EXE=", map_string_field },
	243	{ "comm=", "AUDIT_FIELD_COMM=", map_string_field },
875c2e22 LP	244	{}
	245	};
	246
	247	static int map_all_fields(
	248	const char *p,
	249	const MapField map_fields[],
	250	const char *prefix,
	251	bool handle_msg,
66e2bb28 DDM	252	struct iovec *iovec,
	253	size_t *n,
	254	size_t m) {
875c2e22 LP	255
	256	int r;
	257
	258	assert(p);
4cdb970b DDM	259	assert(iovec);
4cdb970b DDM	260	assert(n);
875c2e22 LP	261
	262	for (;;) {
	263	bool mapped = false;
ceb4192d	264	const MapField *mf;
875c2e22 LP	265	const char *v;
875c2e22 LP	266
66e2bb28	267	if (*n >= m) {
f9fbac8b	268	log_debug(
66e2bb28 DDM	269	"More fields in audit message than audit field limit (%i), skipping remaining fields",
	270	N_IOVEC_AUDIT_FIELDS);
	271	return 0;
	272	}
	273
875c2e22 LP	274	p += strspn(p, WHITESPACE);
	275
	276	if (*p == 0)
	277	return 0;
	278
	279	if (handle_msg) {
	280	v = startswith(p, "msg='");
	281	if (v) {
6d946490	282	_cleanup_free_ char *c = NULL;
875c2e22	283	const char *e;
875c2e22 LP	284
	285	/* Userspace message. It's enclosed in
	286	simple quotation marks, is not
	287	escaped, but the last field in the
	288	line, hence let's remove the
	289	quotation mark, and apply the
	290	userspace mapping instead of the
	291	kernel mapping. */
	292
	293	e = endswith(v, "'");
	294	if (!e)
	295	return 0; /* don't continue splitting up if the final quotation mark is missing */
	296
6d946490 YW	297	c = strndup(v, e - v);
	298	if (!c)
	299	return -ENOMEM;
	300
66e2bb28	301	return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iovec, n, m);
875c2e22 LP	302	}
	303	}
	304
	305	/* Try to map the kernel fields to our own names */
ceb4192d DDM	306	for (mf = map_fields; mf->audit_field; mf++) {
ceb4192d DDM	307	v = startswith(p, mf->audit_field);
875c2e22 LP	308	if (!v)
	309	continue;
	310
ceb4192d	311	r = mf->map(mf->journal_field, &v, iovec, n);
23bbb0de	312	if (r < 0)
f9fbac8b	313	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22 LP	314
	315	if (r > 0) {
	316	mapped = true;
	317	p = v;
	318	break;
	319	}
	320	}
	321
	322	if (!mapped) {
4cdb970b	323	r = map_generic_field(prefix, &p, iovec, n);
23bbb0de	324	if (r < 0)
f9fbac8b	325	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22	326
ece174c5	327	if (r == 0)
875c2e22 LP	328	/* Couldn't process as generic field, let's just skip over it */
875c2e22 LP	329	p += strcspn(p, WHITESPACE);
875c2e22 LP	330	}
	331	}
	332	}
	333
090a20cf	334	void process_audit_string(Server s, int type, const char data, size_t size) {
4cdb970b	335	size_t n = 0, z;
875c2e22	336	uint64_t seconds, msec, id;
8bb3626d	337	const char p, type_name;
fbecb1fd YW	338	char id_field[STRLEN("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
fbecb1fd YW	339	type_field[STRLEN("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)];
3cd7783e	340	struct iovec iovec[N_IOVEC_META_FIELDS + 7 + N_IOVEC_AUDIT_FIELDS];
14c1abcc	341	char m, type_field_name;
d3070fbd	342	int k;
875c2e22 LP	343
	344	assert(s);
	345
	346	if (size <= 0)
	347	return;
	348
	349	if (!data)
	350	return;
	351
	352	/* Note that the input buffer is NUL terminated, but let's
	353	* check whether there is a spurious NUL byte */
	354	if (memchr(data, 0, size))
	355	return;
	356
	357	p = startswith(data, "audit");
	358	if (!p)
	359	return;
	360
1dab14ab	361	k = 0;
1fa2f38f	362	if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
875c2e22 LP	363	&seconds,
	364	&msec,
	365	&id,
1dab14ab	366	&k) != 3 \|\| k == 0)
875c2e22 LP	367	return;
	368
	369	p += k;
5034c7bc LP	370	p += strspn(p, WHITESPACE);
	371
	372	if (isempty(p))
	373	return;
875c2e22	374
4cdb970b	375	iovec[n++] = IOVEC_MAKE_STRING("_TRANSPORT=audit");
875c2e22	376
fbecb1fd	377	xsprintf(type_field, "_AUDIT_TYPE=%i", type);
4cdb970b	378	iovec[n++] = IOVEC_MAKE_STRING(type_field);
875c2e22	379
fbecb1fd	380	xsprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
4cdb970b	381	iovec[n++] = IOVEC_MAKE_STRING(id_field);
875c2e22	382
d6f4302b	383	assert_cc(4 == LOG_FAC(LOG_AUTH));
4cdb970b DDM	384	iovec[n++] = IOVEC_MAKE_STRING("SYSLOG_FACILITY=4");
4cdb970b DDM	385	iovec[n++] = IOVEC_MAKE_STRING("SYSLOG_IDENTIFIER=audit");
cd556b6c	386
8bb3626d ZJS	387	type_name = audit_type_name_alloca(type);
8bb3626d ZJS	388
14c1abcc	389	type_field_name = strjoina("_AUDIT_TYPE_NAME=", type_name);
4cdb970b	390	iovec[n++] = IOVEC_MAKE_STRING(type_field_name);
14c1abcc	391
8bb3626d	392	m = strjoina("MESSAGE=", type_name, " ", p);
4cdb970b	393	iovec[n++] = IOVEC_MAKE_STRING(m);
875c2e22	394
4cdb970b	395	z = n;
875c2e22	396
df4ec48f	397	map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
875c2e22	398
3cd7783e YW	399	server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL,
	400	TIMEVAL_STORE((usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC),
	401	LOG_NOTICE, 0);
875c2e22	402
875c2e22 LP	403	/* free() all entries that map_all_fields() added. All others
	404	* are allocated on the stack or are constant. */
	405
4cdb970b DDM	406	for (; z < n; z++)
4cdb970b DDM	407	free(iovec[z].iov_base);
875c2e22 LP	408	}
	409
	410	void server_process_audit_message(
	411	Server *s,
	412	const void *buffer,
	413	size_t buffer_size,
	414	const struct ucred *ucred,
875c2e22 LP	415	const union sockaddr_union *sa,
	416	socklen_t salen) {
	417
	418	const struct nlmsghdr *nl = buffer;
	419
	420	assert(s);
	421
	422	if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
	423	return;
	424
	425	assert(buffer);
	426
	427	/* Filter out fake data */
	428	if (!sa \|\|
	429	salen != sizeof(struct sockaddr_nl) \|\|
	430	sa->nl.nl_family != AF_NETLINK \|\|
	431	sa->nl.nl_pid != 0) {
f9fbac8b	432	log_debug("Audit netlink message from invalid sender.");
875c2e22 LP	433	return;
	434	}
	435
	436	if (!ucred \|\| ucred->pid != 0) {
f9fbac8b	437	log_debug("Audit netlink message with invalid credentials.");
875c2e22 LP	438	return;
	439	}
	440
	441	if (!NLMSG_OK(nl, buffer_size)) {
d9799ea2	442	log_ratelimit_error(JOURNAL_LOG_RATELIMIT, "Audit netlink message truncated.");
875c2e22 LP	443	return;
	444	}
	445
	446	/* Ignore special Netlink messages */
	447	if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
	448	return;
	449
5238e957	450	/* Except AUDIT_USER, all messages below AUDIT_FIRST_USER_MSG are control messages, let's ignore those */
ed563b60	451	if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG && nl->nlmsg_type != AUDIT_USER)
875c2e22 LP	452	return;
875c2e22 LP	453
0b97208d	454	process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
875c2e22 LP	455	}
875c2e22 LP	456
4d9ced99 LP	457	static int enable_audit(int fd, bool b) {
	458	struct {
	459	union {
	460	struct nlmsghdr header;
	461	uint8_t header_space[NLMSG_HDRLEN];
	462	};
	463	struct audit_status body;
	464	} _packed_ request = {
	465	.header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	466	.header.nlmsg_type = AUDIT_SET,
	467	.header.nlmsg_flags = NLM_F_REQUEST,
	468	.header.nlmsg_seq = 1,
	469	.header.nlmsg_pid = 0,
	470	.body.mask = AUDIT_STATUS_ENABLED,
	471	.body.enabled = b,
	472	};
	473	union sockaddr_union sa = {
	474	.nl.nl_family = AF_NETLINK,
	475	.nl.nl_pid = 0,
	476	};
	477	struct iovec iovec = {
	478	.iov_base = &request,
	479	.iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	480	};
	481	struct msghdr mh = {
	482	.msg_iov = &iovec,
	483	.msg_iovlen = 1,
	484	.msg_name = &sa.sa,
	485	.msg_namelen = sizeof(sa.nl),
	486	};
	487
	488	ssize_t n;
	489
	490	n = sendmsg(fd, &mh, MSG_NOSIGNAL);
	491	if (n < 0)
	492	return -errno;
	493	if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
	494	return -EIO;
	495
	496	/* We don't wait for the result here, we can't do anything
	497	* about it anyway */
	498
	499	return 0;
	500	}
	501
875c2e22	502	int server_open_audit(Server *s) {
875c2e22 LP	503	int r;
	504
	505	if (s->audit_fd < 0) {
	506	static const union sockaddr_union sa = {
	507	.nl.nl_family = AF_NETLINK,
	508	.nl.nl_pid = 0,
	509	.nl.nl_groups = AUDIT_NLGRP_READLOG,
	510	};
	511
	512	s->audit_fd = socket(AF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_AUDIT);
	513	if (s->audit_fd < 0) {
0648f9be	514	if (ERRNO_IS_NOT_SUPPORTED(errno))
875c2e22 LP	515	log_debug("Audit not supported in the kernel.");
875c2e22 LP	516	else
56f64d95	517	log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
875c2e22 LP	518
	519	return 0;
	520	}
	521
417a7fdc LP	522	if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
	523	log_warning_errno(errno,
	524	"Failed to join audit multicast group. "
	525	"The kernel is probably too old or multicast reading is not supported. "
	526	"Ignoring: %m");
	527	s->audit_fd = safe_close(s->audit_fd);
	528	return 0;
	529	}
875c2e22	530	} else
48440643	531	(void) fd_nonblock(s->audit_fd, true);
875c2e22	532
2ff48e98	533	r = setsockopt_int(s->audit_fd, SOL_SOCKET, SO_PASSCRED, true);
4a62c710	534	if (r < 0)
2ff48e98	535	return log_error_errno(r, "Failed to set SO_PASSCRED on audit socket: %m");
875c2e22	536
8531ae70	537	r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
23bbb0de MS	538	if (r < 0)
23bbb0de MS	539	return log_error_errno(r, "Failed to add audit fd to event loop: %m");
875c2e22	540
511e03a3 LP	541	if (s->set_audit >= 0) {
	542	/* We are listening now, try to enable audit if configured so */
	543	r = enable_audit(s->audit_fd, s->set_audit);
	544	if (r < 0)
	545	log_warning_errno(r, "Failed to issue audit enable call: %m");
	546	else if (s->set_audit > 0)
	547	log_debug("Auditing in kernel turned on.");
	548	else
	549	log_debug("Auditing in kernel turned off.");
	550	}
4d9ced99	551
875c2e22 LP	552	return 0;
875c2e22 LP	553	}