]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/audit-util.c
a94378f6121858c3e4298861ef3a466e7908762d
[thirdparty/systemd.git] / src / basic / audit-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "audit-util.h"
5 #include "fileio.h"
6 #include "parse-util.h"
7 #include "pidref.h"
8 #include "process-util.h"
9 #include "stat-util.h"
10 #include "user-util.h"
11 #include "virt.h"
12
13 static int audit_read_field(const PidRef *pid, const char *field, char **ret) {
14 int r;
15
16 assert(field);
17 assert(ret);
18
19 if (!pidref_is_set(pid))
20 return -ESRCH;
21
22 /* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
23 * login UID for now, it will be leaked in from the host */
24 if (detect_container() > 0)
25 return -ENODATA;
26
27 const char *p = procfs_file_alloca(pid->pid, field);
28
29 _cleanup_free_ char *s = NULL;
30 bool enoent = false;
31 r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
32 if (r == -ENOENT) {
33 if (proc_mounted() == 0)
34 return -ENOSYS;
35 enoent = true;
36 } else if (r < 0)
37 return r;
38
39 r = pidref_verify(pid);
40 if (r < 0)
41 return r;
42
43 if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
44 * auditing is not supported by the kernel. */
45 return -ENODATA;
46
47 delete_trailing_chars(s, NEWLINE);
48
49 *ret = TAKE_PTR(s);
50 return 0;
51 }
52
53 int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id) {
54 _cleanup_free_ char *s = NULL;
55 int r;
56
57 r = audit_read_field(pid, "sessionid", &s);
58 if (r < 0)
59 return r;
60
61 uint32_t u;
62 r = safe_atou32(s, &u);
63 if (r < 0)
64 return r;
65
66 if (!audit_session_is_valid(u))
67 return -ENODATA;
68
69 if (ret_id)
70 *ret_id = u;
71
72 return 0;
73 }
74
75 int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) {
76 _cleanup_free_ char *s = NULL;
77 int r;
78
79 r = audit_read_field(pid, "loginuid", &s);
80 if (r < 0)
81 return r;
82
83 if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
84 return -ENODATA;
85
86 return parse_uid(s, ret_uid);
87 }