Loading logd/Android.mk +0 −4 Original line number Original line Diff line number Diff line Loading @@ -42,10 +42,6 @@ event_flag := -DAUDITD_LOG_TAG=1003 -DLOGD_LOG_TAG=1004 LOCAL_CFLAGS := -Werror $(event_flag) LOCAL_CFLAGS := -Werror $(event_flag) ifeq ($(TARGET_BUILD_VARIANT),user) LOCAL_CFLAGS += -DAUDITD_ENFORCE_INTEGRITY=true endif include $(BUILD_EXECUTABLE) include $(BUILD_EXECUTABLE) include $(call first-makefiles-under,$(LOCAL_PATH)) include $(call first-makefiles-under,$(LOCAL_PATH)) logd/LogAudit.cpp +5 −80 Original line number Original line Diff line number Diff line Loading @@ -25,9 +25,6 @@ #include <sys/uio.h> #include <sys/uio.h> #include <syslog.h> #include <syslog.h> #include <string> #include <cutils/properties.h> #include <log/logger.h> #include <log/logger.h> #include <private/android_filesystem_config.h> #include <private/android_filesystem_config.h> #include <private/android_logger.h> #include <private/android_logger.h> Loading @@ -38,10 +35,6 @@ #include "LogKlog.h" #include "LogKlog.h" #include "LogReader.h" #include "LogReader.h" #ifndef AUDITD_ENFORCE_INTEGRITY #define AUDITD_ENFORCE_INTEGRITY false #endif #define KMSG_PRIORITY(PRI) \ #define KMSG_PRIORITY(PRI) \ '<', \ '<', \ '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \ '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \ Loading @@ -53,10 +46,11 @@ LogAudit::LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg) : logbuf(buf), logbuf(buf), reader(reader), reader(reader), fdDmesg(fdDmesg), fdDmesg(fdDmesg), policyLoaded(false), rebootToSafeMode(false), initialized(false) { initialized(false) { logToDmesg("start"); static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO), 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':', ' ', 's', 't', 'a', 'r', 't', '\n' }; write(fdDmesg, auditd_message, sizeof(auditd_message)); } } bool LogAudit::onDataAvailable(SocketClient *cli) { bool LogAudit::onDataAvailable(SocketClient *cli) { Loading 
@@ -82,55 +76,6 @@ bool LogAudit::onDataAvailable(SocketClient *cli) { return true; return true; } } void LogAudit::logToDmesg(const std::string& str) { static const char prefix[] = { KMSG_PRIORITY(LOG_INFO), 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':', ' ', '\0' }; std::string message = prefix + str + "\n"; write(fdDmesg, message.c_str(), message.length()); } std::string LogAudit::getProperty(const std::string& name) { char value[PROP_VALUE_MAX] = {0}; property_get(name.c_str(), value, ""); return value; } void LogAudit::enforceIntegrity() { static bool loggedOnce; bool once = loggedOnce; loggedOnce = true; if (!AUDITD_ENFORCE_INTEGRITY) { if (!once) { logToDmesg("integrity enforcement suppressed; not rebooting"); } } else if (rebootToSafeMode) { if (getProperty("persist.sys.safemode") == "1") { if (!once) { logToDmesg("integrity enforcement suppressed; in safe mode"); } return; } logToDmesg("enforcing integrity; rebooting to safe mode"); property_set("persist.sys.safemode", "1"); std::string buildDate = getProperty("ro.build.date.utc"); if (!buildDate.empty()) { property_set("persist.sys.audit_safemode", buildDate.c_str()); } property_set("sys.powerctl", "reboot"); } else { logToDmesg("enforcing integrity: rebooting to recovery"); property_set("sys.powerctl", "reboot,recovery"); } } int LogAudit::logPrint(const char *fmt, ...) { int LogAudit::logPrint(const char *fmt, ...) { if (fmt == NULL) { if (fmt == NULL) { return -EINVAL; return -EINVAL; Loading 
@@ -152,27 +97,7 @@ int LogAudit::logPrint(const char *fmt, ...) { memmove(cp, cp + 1, strlen(cp + 1) + 1); memmove(cp, cp + 1, strlen(cp + 1) + 1); } } bool loaded = strstr(str, " policy loaded "); bool info = strstr(str, " permissive=1") || strstr(str, " policy loaded "); if (loaded) { if (policyLoaded) { // SELinux policy changes are not allowed enforceIntegrity(); } else { logToDmesg("policy loaded"); policyLoaded = true; } } bool permissive = strstr(str, " enforcing=0") || strstr(str, " permissive=1"); if (permissive) { // SELinux in permissive mode is not allowed enforceIntegrity(); } bool info = loaded || permissive; if ((fdDmesg >= 0) && initialized) { if ((fdDmesg >= 0) && initialized) { struct iovec iov[3]; struct iovec iov[3]; static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) }; static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) }; Loading logd/LogAudit.h +0 −6 Original line number Original line Diff line number Diff line Loading @@ -27,15 +27,12 @@ class LogAudit : public SocketListener { LogBuffer *logbuf; LogBuffer *logbuf; LogReader *reader; LogReader *reader; int fdDmesg; int fdDmesg; bool policyLoaded; bool rebootToSafeMode; bool initialized; bool initialized; public: public: LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg); LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg); int log(char *buf, size_t len); int log(char *buf, size_t len); bool isMonotonic() { return logbuf->isMonotonic(); } bool isMonotonic() { return logbuf->isMonotonic(); } void allowSafeMode(bool allow = true) { rebootToSafeMode = allow; } protected: protected: virtual bool onDataAvailable(SocketClient *cli); virtual bool onDataAvailable(SocketClient *cli); Loading 
@@ -44,9 +41,6 @@ private: static int getLogSocket(); static int getLogSocket(); int logPrint(const char *fmt, ...) int logPrint(const char *fmt, ...) __attribute__ ((__format__ (__printf__, 2, 3))); __attribute__ ((__format__ (__printf__, 2, 3))); void logToDmesg(const std::string& str); std::string getProperty(const std::string& name); void enforceIntegrity(); }; }; #endif #endif logd/README.property +1 −0 Original line number Original line Diff line number Diff line The properties that logd responds to are: The properties that logd responds to are: name type default description name type default description ro.logd.auditd bool true Enable selinux audit daemon ro.logd.auditd.dmesg bool true selinux audit messages duplicated and ro.logd.auditd.dmesg bool true selinux audit messages duplicated and sent on to dmesg log sent on to dmesg log persist.logd.security bool false Enable security buffer. persist.logd.security bool false Enable security buffer. Loading logd/main.cpp +16 −16 Original line number Original line Diff line number Diff line Loading @@ -223,7 +223,6 @@ static char *name; static sem_t reinit; static sem_t reinit; static bool reinit_running = false; static bool reinit_running = false; static LogBuffer *logBuf = NULL; static LogBuffer *logBuf = NULL; static LogAudit *logAudit = NULL; static bool package_list_parser_cb(pkg_info *info, void * /* userdata */) { static bool package_list_parser_cb(pkg_info *info, void * /* userdata */) { Loading Loading @@ -274,10 +273,6 @@ static void *reinit_thread_start(void * /*obj*/) { logBuf->init(); logBuf->init(); logBuf->initPrune(NULL); logBuf->initPrune(NULL); } } if (logAudit) { logAudit->allowSafeMode(); } } } return NULL; return NULL; Loading Loading 
@@ -498,19 +493,25 @@ int main(int argc, char *argv[]) { // initiated log messages. New log entries are added to LogBuffer // initiated log messages. New log entries are added to LogBuffer // and LogReader is notified to send updates to connected clients. // and LogReader is notified to send updates to connected clients. logAudit = new LogAudit(logBuf, reader, bool auditd = property_get_bool("logd.auditd", BOOL_DEFAULT_TRUE | BOOL_DEFAULT_FLAG_PERSIST); LogAudit *al = NULL; if (auditd) { al = new LogAudit(logBuf, reader, property_get_bool("logd.auditd.dmesg", property_get_bool("logd.auditd.dmesg", BOOL_DEFAULT_TRUE | BOOL_DEFAULT_TRUE | BOOL_DEFAULT_FLAG_PERSIST) BOOL_DEFAULT_FLAG_PERSIST) ? fdDmesg ? fdDmesg : -1); : -1); } LogKlog *kl = NULL; LogKlog *kl = NULL; if (klogd) { if (klogd) { kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, logAudit != NULL); kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, al != NULL); } } readDmesg(logAudit, kl); readDmesg(al, kl); // failure is an option ... messages are in dmesg (required by standard) // failure is an option ... messages are in dmesg (required by standard) Loading @@ -518,9 +519,8 @@ int main(int argc, char *argv[]) { delete kl; delete kl; } } if (logAudit && logAudit->startListener()) { if (al && al->startListener()) { delete logAudit; delete al; logAudit = NULL; } } TEMP_FAILURE_RETRY(pause()); TEMP_FAILURE_RETRY(pause()); Loading Loading
logd/Android.mk +0 −4 Original line number Original line Diff line number Diff line Loading @@ -42,10 +42,6 @@ event_flag := -DAUDITD_LOG_TAG=1003 -DLOGD_LOG_TAG=1004 LOCAL_CFLAGS := -Werror $(event_flag) LOCAL_CFLAGS := -Werror $(event_flag) ifeq ($(TARGET_BUILD_VARIANT),user) LOCAL_CFLAGS += -DAUDITD_ENFORCE_INTEGRITY=true endif include $(BUILD_EXECUTABLE) include $(BUILD_EXECUTABLE) include $(call first-makefiles-under,$(LOCAL_PATH)) include $(call first-makefiles-under,$(LOCAL_PATH))
logd/LogAudit.cpp +5 −80 Original line number Original line Diff line number Diff line Loading @@ -25,9 +25,6 @@ #include <sys/uio.h> #include <sys/uio.h> #include <syslog.h> #include <syslog.h> #include <string> #include <cutils/properties.h> #include <log/logger.h> #include <log/logger.h> #include <private/android_filesystem_config.h> #include <private/android_filesystem_config.h> #include <private/android_logger.h> #include <private/android_logger.h> Loading @@ -38,10 +35,6 @@ #include "LogKlog.h" #include "LogKlog.h" #include "LogReader.h" #include "LogReader.h" #ifndef AUDITD_ENFORCE_INTEGRITY #define AUDITD_ENFORCE_INTEGRITY false #endif #define KMSG_PRIORITY(PRI) \ #define KMSG_PRIORITY(PRI) \ '<', \ '<', \ '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \ '0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \ Loading @@ -53,10 +46,11 @@ LogAudit::LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg) : logbuf(buf), logbuf(buf), reader(reader), reader(reader), fdDmesg(fdDmesg), fdDmesg(fdDmesg), policyLoaded(false), rebootToSafeMode(false), initialized(false) { initialized(false) { logToDmesg("start"); static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO), 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':', ' ', 's', 't', 'a', 'r', 't', '\n' }; write(fdDmesg, auditd_message, sizeof(auditd_message)); } } bool LogAudit::onDataAvailable(SocketClient *cli) { bool LogAudit::onDataAvailable(SocketClient *cli) { Loading 
@@ -82,55 +76,6 @@ bool LogAudit::onDataAvailable(SocketClient *cli) { return true; return true; } } void LogAudit::logToDmesg(const std::string& str) { static const char prefix[] = { KMSG_PRIORITY(LOG_INFO), 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':', ' ', '\0' }; std::string message = prefix + str + "\n"; write(fdDmesg, message.c_str(), message.length()); } std::string LogAudit::getProperty(const std::string& name) { char value[PROP_VALUE_MAX] = {0}; property_get(name.c_str(), value, ""); return value; } void LogAudit::enforceIntegrity() { static bool loggedOnce; bool once = loggedOnce; loggedOnce = true; if (!AUDITD_ENFORCE_INTEGRITY) { if (!once) { logToDmesg("integrity enforcement suppressed; not rebooting"); } } else if (rebootToSafeMode) { if (getProperty("persist.sys.safemode") == "1") { if (!once) { logToDmesg("integrity enforcement suppressed; in safe mode"); } return; } logToDmesg("enforcing integrity; rebooting to safe mode"); property_set("persist.sys.safemode", "1"); std::string buildDate = getProperty("ro.build.date.utc"); if (!buildDate.empty()) { property_set("persist.sys.audit_safemode", buildDate.c_str()); } property_set("sys.powerctl", "reboot"); } else { logToDmesg("enforcing integrity: rebooting to recovery"); property_set("sys.powerctl", "reboot,recovery"); } } int LogAudit::logPrint(const char *fmt, ...) { int LogAudit::logPrint(const char *fmt, ...) { if (fmt == NULL) { if (fmt == NULL) { return -EINVAL; return -EINVAL; Loading 
@@ -152,27 +97,7 @@ int LogAudit::logPrint(const char *fmt, ...) { memmove(cp, cp + 1, strlen(cp + 1) + 1); memmove(cp, cp + 1, strlen(cp + 1) + 1); } } bool loaded = strstr(str, " policy loaded "); bool info = strstr(str, " permissive=1") || strstr(str, " policy loaded "); if (loaded) { if (policyLoaded) { // SELinux policy changes are not allowed enforceIntegrity(); } else { logToDmesg("policy loaded"); policyLoaded = true; } } bool permissive = strstr(str, " enforcing=0") || strstr(str, " permissive=1"); if (permissive) { // SELinux in permissive mode is not allowed enforceIntegrity(); } bool info = loaded || permissive; if ((fdDmesg >= 0) && initialized) { if ((fdDmesg >= 0) && initialized) { struct iovec iov[3]; struct iovec iov[3]; static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) }; static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) }; Loading
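Review bot: The LogAudit constructor now calls `write(fdDmesg, auditd_message, sizeof(auditd_message))` unconditionally, yet main.cpp passes `-1` for fdDmesg when logd.auditd.dmesg is off, and logPrint itself tests `fdDmesg >= 0` before writing. Guarding the call the same way, `if (fdDmesg >= 0) write(fdDmesg, auditd_message, sizeof(auditd_message));`, avoids a write to an invalid descriptor at every start with dmesg duplication disabled. In logPrint, the `info` line deserves a comment such as `// " policy loaded " and " permissive=1" only affect how the record is logged; logd takes no action on them`. After this change, a policy reload or a permissive domain is visible only to whoever reads the log, and " enforcing=0" is no longer matched at all. What `info` selects is inferred from the `log_info` priority array, since logPrint's body continues outside the hunk.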
logd/LogAudit.h +0 −6 Original line number Original line Diff line number Diff line Loading @@ -27,15 +27,12 @@ class LogAudit : public SocketListener { LogBuffer *logbuf; LogBuffer *logbuf; LogReader *reader; LogReader *reader; int fdDmesg; int fdDmesg; bool policyLoaded; bool rebootToSafeMode; bool initialized; bool initialized; public: public: LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg); LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg); int log(char *buf, size_t len); int log(char *buf, size_t len); bool isMonotonic() { return logbuf->isMonotonic(); } bool isMonotonic() { return logbuf->isMonotonic(); } void allowSafeMode(bool allow = true) { rebootToSafeMode = allow; } protected: protected: virtual bool onDataAvailable(SocketClient *cli); virtual bool onDataAvailable(SocketClient *cli); Loading @@ -44,9 +41,6 @@ private: static int getLogSocket(); static int getLogSocket(); int logPrint(const char *fmt, ...) int logPrint(const char *fmt, ...) __attribute__ ((__format__ (__printf__, 2, 3))); __attribute__ ((__format__ (__printf__, 2, 3))); void logToDmesg(const std::string& str); std::string getProperty(const std::string& name); void enforceIntegrity(); }; }; #endif #endif
logd/README.property +1 −0 Original line number Original line Diff line number Diff line The properties that logd responds to are: The properties that logd responds to are: name type default description name type default description ro.logd.auditd bool true Enable selinux audit daemon ro.logd.auditd.dmesg bool true selinux audit messages duplicated and ro.logd.auditd.dmesg bool true selinux audit messages duplicated and sent on to dmesg log sent on to dmesg log persist.logd.security bool false Enable security buffer. persist.logd.security bool false Enable security buffer. Loading
logd/main.cpp +16 −16 Original line number Original line Diff line number Diff line Loading @@ -223,7 +223,6 @@ static char *name; static sem_t reinit; static sem_t reinit; static bool reinit_running = false; static bool reinit_running = false; static LogBuffer *logBuf = NULL; static LogBuffer *logBuf = NULL; static LogAudit *logAudit = NULL; static bool package_list_parser_cb(pkg_info *info, void * /* userdata */) { static bool package_list_parser_cb(pkg_info *info, void * /* userdata */) { Loading Loading @@ -274,10 +273,6 @@ static void *reinit_thread_start(void * /*obj*/) { logBuf->init(); logBuf->init(); logBuf->initPrune(NULL); logBuf->initPrune(NULL); } } if (logAudit) { logAudit->allowSafeMode(); } } } return NULL; return NULL; Loading Loading @@ -498,19 +493,25 @@ int main(int argc, char *argv[]) { // initiated log messages. New log entries are added to LogBuffer // initiated log messages. New log entries are added to LogBuffer // and LogReader is notified to send updates to connected clients. // and LogReader is notified to send updates to connected clients. logAudit = new LogAudit(logBuf, reader, bool auditd = property_get_bool("logd.auditd", BOOL_DEFAULT_TRUE | BOOL_DEFAULT_FLAG_PERSIST); LogAudit *al = NULL; if (auditd) { al = new LogAudit(logBuf, reader, property_get_bool("logd.auditd.dmesg", property_get_bool("logd.auditd.dmesg", BOOL_DEFAULT_TRUE | BOOL_DEFAULT_TRUE | BOOL_DEFAULT_FLAG_PERSIST) BOOL_DEFAULT_FLAG_PERSIST) ? fdDmesg ? fdDmesg : -1); : -1); } LogKlog *kl = NULL; LogKlog *kl = NULL; if (klogd) { if (klogd) { kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, logAudit != NULL); kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, al != NULL); } } readDmesg(logAudit, kl); readDmesg(al, kl); // failure is an option ... messages are in dmesg (required by standard) // failure is an option ... messages are in dmesg (required by standard) Loading 
@@ -518,9 +519,8 @@ int main(int argc, char *argv[]) { delete kl; delete kl; } } if (logAudit && logAudit->startListener()) { if (al && al->startListener()) { delete logAudit; delete al; logAudit = NULL; } } TEMP_FAILURE_RETRY(pause()); TEMP_FAILURE_RETRY(pause()); Loading
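Review bot: When `auditd` is false in main(), no LogAudit object is created and nothing records that SELinux audit collection was skipped. A device with the property turned off therefore looks the same in dmesg as one where no denials occurred. Adding an `else` branch to `if (auditd)` that writes one line to fdDmesg (when it is valid) saying the audit listener is disabled would let a log reviewer tell the two cases apart. The lookup uses the key `logd.auditd` with `BOOL_DEFAULT_FLAG_PERSIST`, while README.property lists only `ro.logd.auditd`. If that flag also consults a persist-prefixed name (not visible here), the README should list it, because a writable property that switches off auditing belongs in any hardening checklist. main() starts and ends outside these hunks.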