Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cf8546a2 authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger
Browse files

Merge "introduce auditctl and use it to configure SELinux throttling" 

am: 3458bb6c

Change-Id: I8620e93c25bc9a7e7b54e1c08182bb668f415b32
parents dd0ffe29 3458bb6c

logd/Android.bp

+18 −0
Original line number Diff line number Diff line
@@ -80,6 +80,24 @@ cc_binary { 
    cflags: ["-Werror"],

}



cc_binary {

    name: "auditctl",



    srcs: ["auditctl.cpp"],



    static_libs: [

        "liblogd",

    ],



    shared_libs: ["libbase"],



    cflags: [

        "-Wall",

        "-Wextra",

        "-Werror",

        "-Wconversion"

    ],

}



prebuilt_etc {

    name: "logtagd.rc",

logd/auditctl.cpp

0 → 100644
+74 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2019 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



#include <android-base/parseint.h>

#include <error.h>

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include "libaudit.h"



static void usage(const char* cmdline) {

    fprintf(stderr, "Usage: %s [-r rate]\n", cmdline);

}



static void do_update_rate(uint32_t rate) {

    int fd = audit_open();

    if (fd == -1) {

        error(EXIT_FAILURE, errno, "Unable to open audit socket");

    }

    int result = audit_rate_limit(fd, rate);

    close(fd);

    if (result < 0) {

        fprintf(stderr, "Can't update audit rate limit: %d\n", result);

        exit(EXIT_FAILURE);

    }

}



int main(int argc, char* argv[]) {

    uint32_t rate = 0;

    bool update_rate = false;

    int opt;



    while ((opt = getopt(argc, argv, "r:")) != -1) {

        switch (opt) {

            case 'r':

                if (!android::base::ParseUint<uint32_t>(optarg, &rate)) {

                    error(EXIT_FAILURE, errno, "Invalid Rate");

                }

                update_rate = true;

                break;

            default: /* '?' */

                usage(argv[0]);

                exit(EXIT_FAILURE);

        }

    }



    // In the future, we may add other options to auditctl

    // so this if statement will expand.

    // if (!update_rate && !update_backlog && !update_whatever) ...

    if (!update_rate) {

        fprintf(stderr, "Nothing to do\n");

        usage(argv[0]);

        exit(EXIT_FAILURE);

    }



    if (update_rate) {

        do_update_rate(rate);

    }



    return 0;

}

logd/libaudit.c

+9 −2
Original line number Diff line number Diff line
@@ -160,8 +160,7 @@ int audit_setup(int fd, pid_t pid) { 
     * and the the mask set to AUDIT_STATUS_PID

     */

    status.pid = pid;

    status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;

    status.rate_limit = AUDIT_RATE_LIMIT; /* audit entries per second */

    status.mask = AUDIT_STATUS_PID;



    /* Let the kernel know this pid will be registering for audit events */

    rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
@@ -188,6 +187,14 @@ int audit_open() { 
    return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);

}



int audit_rate_limit(int fd, uint32_t limit) {

    struct audit_status status;

    memset(&status, 0, sizeof(status));

    status.mask = AUDIT_STATUS_RATE_LIMIT;

    status.rate_limit = limit; /* audit entries per second */

    return audit_send(fd, AUDIT_SET, &status, sizeof(status));

}



int audit_get_reply(int fd, struct audit_message* rep, reply_t block, int peek) {

    ssize_t len;

    int flags;

logd/libaudit.h

+11 −2
Original line number Diff line number Diff line
@@ -89,8 +89,17 @@ extern int audit_get_reply(int fd, struct audit_message* rep, reply_t block, 
 */

extern int audit_setup(int fd, pid_t pid);



/* Max audit messages per second  */

#define AUDIT_RATE_LIMIT 5

/**

 * Throttle kernel messages at the provided rate

 * @param fd

 *  The fd returned by a call to audit_open()

 * @param rate

 *  The rate, in messages per second, above which the kernel

 *  should drop audit messages.

 * @return

 *  This function returns 0 on success, -errno on error.

 */

extern int audit_rate_limit(int fd, uint32_t limit);



__END_DECLS

logd/logd.rc

+11 −0
Original line number Diff line number Diff line
@@ -16,8 +16,19 @@ service logd-reinit /system/bin/logd --reinit 
    group logd

    writepid /dev/cpuset/system-background/tasks



# Limit SELinux denial generation to 5/second

service logd-auditctl /system/bin/auditctl -r 5

    oneshot

    disabled

    user logd

    group logd

    capabilities AUDIT_CONTROL



on fs

    write /dev/event-log-tags "# content owned by logd

"

    chown logd logd /dev/event-log-tags

    chmod 0644 /dev/event-log-tags



on property:sys.boot_completed=1

    start logd-auditctl