src/basic/audit-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include "alloc-util.h"
   4 #include "audit-util.h"
   5 #include "fileio.h"
   6 #include "parse-util.h"
   7 #include "pidref.h"
   8 #include "process-util.h"
   9 #include "stat-util.h"
  10 #include "user-util.h"
  11 #include "virt.h"
  12
  13 static int audit_read_field(const PidRef *pid, const char *field, char **ret) {
  14         int r;
  15
  16         assert(field);
  17         assert(ret);
  18
  19         if (!pidref_is_set(pid))
  20                 return -ESRCH;
  21
  22         /* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID or
  23          * login UID for now, it will be leaked in from the host */
  24         if (detect_container() > 0)
  25                 return -ENODATA;
  26
  27         const char *p = procfs_file_alloca(pid->pid, field);
  28
  29         _cleanup_free_ char *s = NULL;
  30         bool enoent = false;
  31         r = read_full_virtual_file(p, &s, /* ret_size= */ NULL);
  32         if (r == -ENOENT) {
  33                 if (proc_mounted() == 0)
  34                         return -ENOSYS;
  35                 enoent = true;
  36         } else if (r < 0)
  37                 return r;
  38
  39         r = pidref_verify(pid);
  40         if (r < 0)
  41                 return r;
  42
  43         if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
  44                      * auditing is not supported by the kernel. */
  45                 return -ENODATA;
  46
  47         delete_trailing_chars(s, NEWLINE);
  48
  49         *ret = TAKE_PTR(s);
  50         return 0;
  51 }
  52
  53 int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id) {
  54         _cleanup_free_ char *s = NULL;
  55         int r;
  56
  57         r = audit_read_field(pid, "sessionid", &s);
  58         if (r < 0)
  59                 return r;
  60
  61         uint32_t u;
  62         r = safe_atou32(s, &u);
  63         if (r < 0)
  64                 return r;
  65
  66         if (!audit_session_is_valid(u))
  67                 return -ENODATA;
  68
  69         if (ret_id)
  70                 *ret_id = u;
  71
  72         return 0;
  73 }
  74
  75 int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) {
  76         _cleanup_free_ char *s = NULL;
  77         int r;
  78
  79         r = audit_read_field(pid, "loginuid", &s);
  80         if (r < 0)
  81                 return r;
  82
  83         if (streq(s, "4294967295")) /* loginuid as 4294967295 means not part of any session. */
  84                 return -ENODATA;
  85
  86         return parse_uid(s, ret_uid);
  87 }