[thirdparty/systemd.git] / src / basic / audit-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "alloc-util.h"
#include "audit-util.h"
#include "fileio.h"
#include "parse-util.h"
#include "pidref.h"
#include "process-util.h"
#include "stat-util.h"
#include "user-util.h"
#include "virt.h"

static int audit_read_field(const PidRef *pid, const char *field, char **ret) {
        int r;

        assert(field);
        assert(ret);

        if (!pidref_is_set(pid))
                return -ESRCH;

        /* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
         * login UID for now, it will be leaked in from the host */
        if (detect_container() > 0)
                return -ENODATA;

        const char *p = procfs_file_alloca(pid->pid, field);

        _cleanup_free_ char *s = NULL;
        bool enoent = false;
        r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
        if (r == -ENOENT) {
                if (proc_mounted() == 0)
                        return -ENOSYS;
                enoent = true;
        } else if (r < 0)
                return r;

        r = pidref_verify(pid);
        if (r < 0)
                return r;

        if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
                     * auditing is not supported by the kernel. */
                return -ENODATA;

        delete_trailing_chars(s, NEWLINE);

        *ret = TAKE_PTR(s);
        return 0;
}

int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id) {
        _cleanup_free_ char *s = NULL;
        int r;

        r = audit_read_field(pid, "sessionid", &s);
        if (r < 0)
                return r;

        uint32_t u;
        r = safe_atou32(s, &u);
        if (r < 0)
                return r;

        if (!audit_session_is_valid(u))
                return -ENODATA;

        if (ret_id)
                *ret_id = u;

        return 0;
}

int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) {
        _cleanup_free_ char *s = NULL;
        int r;

        r = audit_read_field(pid, "loginuid", &s);
        if (r < 0)
                return r;

        if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
                return -ENODATA;

        return parse_uid(s, ret_uid);
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
d7832d2c	2
b5efdb8a	3	#include "alloc-util.h"
430f0182	4	#include "audit-util.h"
a5c32cff	5	#include "fileio.h"
6bedfcbb	6	#include "parse-util.h"
0c15577a	7	#include "pidref.h"
3ffd4af2	8	#include "process-util.h"
7e02ee98	9	#include "stat-util.h"
b1d4f8e1	10	#include "user-util.h"
7e02ee98	11	#include "virt.h"
d7832d2c	12
7e02ee98	13	static int audit_read_field(const PidRef pid, const char field, char **ret) {
d7832d2c KS	14	int r;
d7832d2c KS	15
7e02ee98 LP	16	assert(field);
7e02ee98 LP	17	assert(ret);
d7832d2c	18
7e02ee98 LP	19	if (!pidref_is_set(pid))
7e02ee98 LP	20	return -ESRCH;
d7e46e01	21
7e02ee98 LP	22	/* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
	23	* login UID for now, it will be leaked in from the host */
	24	if (detect_container() > 0)
	25	return -ENODATA;
d7832d2c	26
7e02ee98 LP	27	const char *p = procfs_file_alloca(pid->pid, field);
	28
	29	_cleanup_free_ char *s = NULL;
	30	bool enoent = false;
e0c4b80f	31	r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
7e02ee98 LP	32	if (r == -ENOENT) {
	33	if (proc_mounted() == 0)
	34	return -ENOSYS;
	35	enoent = true;
	36	} else if (r < 0)
d7832d2c KS	37	return r;
d7832d2c KS	38
7e02ee98	39	r = pidref_verify(pid);
d7832d2c KS	40	if (r < 0)
	41	return r;
	42
7e02ee98 LP	43	if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
7e02ee98 LP	44	* auditing is not supported by the kernel. */
d7e46e01	45	return -ENODATA;
d7832d2c	46
7e02ee98 LP	47	delete_trailing_chars(s, NEWLINE);
	48
	49	*ret = TAKE_PTR(s);
d7832d2c KS	50	return 0;
	51	}
	52
7e02ee98	53	int audit_session_from_pid(const PidRef pid, uint32_t ret_id) {
5b12334d	54	_cleanup_free_ char *s = NULL;
d7832d2c KS	55	int r;
d7832d2c KS	56
7e02ee98 LP	57	r = audit_read_field(pid, "sessionid", &s);
	58	if (r < 0)
	59	return r;
d7832d2c	60
7e02ee98 LP	61	uint32_t u;
7e02ee98 LP	62	r = safe_atou32(s, &u);
d7832d2c KS	63	if (r < 0)
	64	return r;
	65
7e02ee98	66	if (!audit_session_is_valid(u))
d7e46e01	67	return -ENODATA;
7e02ee98 LP	68
	69	if (ret_id)
	70	*ret_id = u;
	71
	72	return 0;
	73	}
	74
	75	int audit_loginuid_from_pid(const PidRef pid, uid_t ret_uid) {
	76	_cleanup_free_ char *s = NULL;
	77	int r;
	78
	79	r = audit_read_field(pid, "loginuid", &s);
d7832d2c KS	80	if (r < 0)
	81	return r;
	82
7e02ee98 LP	83	if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
	84	return -ENODATA;
	85
	86	return parse_uid(s, ret_uid);
d7832d2c	87	}