[thirdparty/systemd.git] / src / basic / audit-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "alloc-util.h"
#include "audit-util.h"
#include "fileio.h"
#include "parse-util.h"
#include "pidref.h"
#include "process-util.h"
#include "stat-util.h"
#include "user-util.h"
#include "virt.h"

static int audit_read_field(const PidRef *pid, const char *field, char **ret) {
        int r;

        assert(field);
        assert(ret);

        if (!pidref_is_set(pid))
                return -ESRCH;

        /* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
         * login UID for now, it will be leaked in from the host */
        if (detect_container() > 0)
                return -ENODATA;

        const char *p = procfs_file_alloca(pid->pid, field);

        _cleanup_free_ char *s = NULL;
        bool enoent = false;
        r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
        if (r == -ENOENT) {
                if (proc_mounted() == 0)
                        return -ENOSYS;
                enoent = true;
        } else if (r < 0)
                return r;

        r = pidref_verify(pid);
        if (r < 0)
                return r;

        if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
                     * auditing is not supported by the kernel. */
                return -ENODATA;

        delete_trailing_chars(s, NEWLINE);

        *ret = TAKE_PTR(s);
        return 0;
}

int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id) {
        _cleanup_free_ char *s = NULL;
        int r;

        r = audit_read_field(pid, "sessionid", &s);
        if (r < 0)
                return r;

        uint32_t u;
        r = safe_atou32(s, &u);
        if (r < 0)
                return r;

        if (!audit_session_is_valid(u))
                return -ENODATA;

        if (ret_id)
                *ret_id = u;

        return 0;
}

int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) {
        _cleanup_free_ char *s = NULL;
        int r;

        r = audit_read_field(pid, "loginuid", &s);
        if (r < 0)
                return r;

        if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
                return -ENODATA;

        return parse_uid(s, ret_uid);
}
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include "alloc-util.h"
	4	#include "audit-util.h"
	5	#include "fileio.h"
	6	#include "parse-util.h"
	7	#include "pidref.h"
	8	#include "process-util.h"
	9	#include "stat-util.h"
	10	#include "user-util.h"
	11	#include "virt.h"
	12
	13	static int audit_read_field(const PidRef pid, const char field, char **ret) {
	14	int r;
	15
	16	assert(field);
	17	assert(ret);
	18
	19	if (!pidref_is_set(pid))
	20	return -ESRCH;
	21
	22	/* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
	23	* login UID for now, it will be leaked in from the host */
	24	if (detect_container() > 0)
	25	return -ENODATA;
	26
	27	const char *p = procfs_file_alloca(pid->pid, field);
	28
	29	_cleanup_free_ char *s = NULL;
	30	bool enoent = false;
	31	r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
	32	if (r == -ENOENT) {
	33	if (proc_mounted() == 0)
	34	return -ENOSYS;
	35	enoent = true;
	36	} else if (r < 0)
	37	return r;
	38
	39	r = pidref_verify(pid);
	40	if (r < 0)
	41	return r;
	42
	43	if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
	44	* auditing is not supported by the kernel. */
	45	return -ENODATA;
	46
	47	delete_trailing_chars(s, NEWLINE);
	48
	49	*ret = TAKE_PTR(s);
	50	return 0;
	51	}
	52
	53	int audit_session_from_pid(const PidRef pid, uint32_t ret_id) {
	54	_cleanup_free_ char *s = NULL;
	55	int r;
	56
	57	r = audit_read_field(pid, "sessionid", &s);
	58	if (r < 0)
	59	return r;
	60
	61	uint32_t u;
	62	r = safe_atou32(s, &u);
	63	if (r < 0)
	64	return r;
	65
	66	if (!audit_session_is_valid(u))
	67	return -ENODATA;
	68
	69	if (ret_id)
	70	*ret_id = u;
	71
	72	return 0;
	73	}
	74
	75	int audit_loginuid_from_pid(const PidRef pid, uid_t ret_uid) {
	76	_cleanup_free_ char *s = NULL;
	77	int r;
	78
	79	r = audit_read_field(pid, "loginuid", &s);
	80	if (r < 0)
	81	return r;
	82
	83	if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
	84	return -ENODATA;
	85
	86	return parse_uid(s, ret_uid);
	87	}