fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-06 21:20:20 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
NetworkManager/src/core/nm-audit-manager.c
Thomas Haller fdf9614ba7
build: move "libnm-core/" to "src/" and split it 
"libnm-core/" is rather complicated. It provides a static library that
is linked into libnm.so and NetworkManager. It also contains public
headers (like "nm-setting.h") which are part of public libnm API.

Then we have helper libraries ("libnm-core/nm-libnm-core-*/") which
only rely on public API of libnm-core, but are themself static
libraries that can be used by anybody who uses libnm-core. And
"libnm-core/nm-libnm-core-intern" is used by libnm-core itself.

Move "libnm-core/" to "src/". But also split it in different
directories so that they have a clearer purpose.

The goal is to have a flat directory hierarchy. The "src/libnm-core*/"
directories correspond to the different modules (static libraries and set
of headers that we have). We have different kinds of such modules because
of how we combine various code together. The directory layout now reflects
this.
2021-02-18 19:46:51 +01:00

450 lines
14 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (C) 2015 Red Hat, Inc.
*/
#include "src/core/nm-default-daemon.h"
#include "nm-audit-manager.h"
#if HAVE_LIBAUDIT
#include <libaudit.h>
#endif
#include "libnm-core-aux-intern/nm-auth-subject.h"
#include "nm-config.h"
#include "nm-dbus-manager.h"
#include "settings/nm-settings-connection.h"
/*****************************************************************************/
typedef enum {
BACKEND_LOG = (1 << 0),
BACKEND_AUDITD = (1 << 1),
_BACKEND_LAST,
BACKEND_ALL = ((_BACKEND_LAST - 1) << 1) - 1,
} AuditBackend;
typedef struct {
const char * name;
GValue value;
gboolean need_encoding;
AuditBackend backends;
} AuditField;
/*****************************************************************************/
typedef struct {
NMConfig *config;
int auditd_fd;
} NMAuditManagerPrivate;
struct _NMAuditManager {
GObject parent;
#if HAVE_LIBAUDIT
NMAuditManagerPrivate _priv;
#endif
};
struct _NMAuditManagerClass {
GObjectClass parent;
};
G_DEFINE_TYPE(NMAuditManager, nm_audit_manager, G_TYPE_OBJECT)
#define NM_AUDIT_MANAGER_GET_PRIVATE(self) \
_NM_GET_PRIVATE(self, NMAuditManager, NM_IS_AUDIT_MANAGER)
/*****************************************************************************/
#define AUDIT_LOG_LEVEL LOGL_INFO
#define _NMLOG_PREFIX_NAME "audit"
#define _NMLOG(level, domain, ...) \
G_STMT_START \
{ \
nm_log((level), \
(domain), \
NULL, \
NULL, \
"%s" _NM_UTILS_MACRO_FIRST(__VA_ARGS__), \
_NMLOG_PREFIX_NAME ": " _NM_UTILS_MACRO_REST(__VA_ARGS__)); \
} \
G_STMT_END
/*****************************************************************************/
NM_DEFINE_SINGLETON_GETTER(NMAuditManager, nm_audit_manager_get, NM_TYPE_AUDIT_MANAGER);
/*****************************************************************************/
static void
_audit_field_init_string(AuditField * field,
const char * name,
const char * str,
gboolean need_encoding,
AuditBackend backends)
{
field->name = name;
field->need_encoding = need_encoding;
field->backends = backends;
g_value_init(&field->value, G_TYPE_STRING);
g_value_set_static_string(&field->value, str);
}
static void
_audit_field_init_uint(AuditField *field, const char *name, uint val, AuditBackend backends)
{
field->name = name;
field->backends = backends;
g_value_init(&field->value, G_TYPE_UINT);
g_value_set_uint(&field->value, val);
}
static char *
build_message(GPtrArray *fields, AuditBackend backend)
{
GString * string;
AuditField *field;
gboolean first = TRUE;
guint i;
string = g_string_new(NULL);
for (i = 0; i < fields->len; i++) {
field = fields->pdata[i];
if (!NM_FLAGS_ANY(field->backends, backend))
continue;
if (first)
first = FALSE;
else
g_string_append_c(string, ' ');
if (G_VALUE_HOLDS_STRING(&field->value)) {
const char *str = g_value_get_string(&field->value);
#if HAVE_LIBAUDIT
if (backend == BACKEND_AUDITD) {
if (field->need_encoding) {
char *value;
value = audit_encode_nv_string(field->name, str, 0);
g_string_append(string, value);
g_free(value);
} else
g_string_append_printf(string, "%s=%s", field->name, str);
continue;
}
#endif /* HAVE_LIBAUDIT */
g_string_append_printf(string, "%s=\"%s\"", field->name, str);
} else if (G_VALUE_HOLDS_UINT(&field->value)) {
g_string_append_printf(string, "%s=%u", field->name, g_value_get_uint(&field->value));
} else
g_assert_not_reached();
}
return g_string_free(string, FALSE);
}
static void
nm_audit_log(NMAuditManager *self,
GPtrArray * fields,
const char * file,
guint line,
const char * func,
gboolean success)
{
#if HAVE_LIBAUDIT
NMAuditManagerPrivate *priv;
#endif
char *msg;
g_return_if_fail(NM_IS_AUDIT_MANAGER(self));
#if HAVE_LIBAUDIT
priv = NM_AUDIT_MANAGER_GET_PRIVATE(self);
if (priv->auditd_fd >= 0) {
msg = build_message(fields, BACKEND_AUDITD);
audit_log_user_message(priv->auditd_fd, AUDIT_USYS_CONFIG, msg, NULL, NULL, NULL, success);
g_free(msg);
}
#endif
if (nm_logging_enabled(AUDIT_LOG_LEVEL, LOGD_AUDIT)) {
msg = build_message(fields, BACKEND_LOG);
_NMLOG(AUDIT_LOG_LEVEL, LOGD_AUDIT, "%s", msg);
g_free(msg);
}
}
static void
_audit_log_helper(NMAuditManager *self,
GPtrArray * fields,
const char * file,
guint line,
const char * func,
const char * op,
gboolean result,
gpointer subject_context,
const char * reason)
{
AuditField op_field = {}, pid_field = {}, uid_field = {};
AuditField result_field = {}, reason_field = {};
gulong pid, uid;
NMAuthSubject * subject = NULL;
gs_unref_object NMAuthSubject *subject_free = NULL;
_audit_field_init_string(&op_field, "op", op, FALSE, BACKEND_ALL);
g_ptr_array_insert(fields, 0, &op_field);
if (subject_context) {
if (NM_IS_AUTH_SUBJECT(subject_context))
subject = subject_context;
else if (G_IS_DBUS_METHOD_INVOCATION(subject_context)) {
GDBusMethodInvocation *context = subject_context;
subject = subject_free = nm_dbus_manager_new_auth_subject_from_context(context);
} else
g_warn_if_reached();
}
if (subject && nm_auth_subject_get_subject_type(subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
pid = nm_auth_subject_get_unix_process_pid(subject);
uid = nm_auth_subject_get_unix_process_uid(subject);
if (pid != G_MAXULONG) {
_audit_field_init_uint(&pid_field, "pid", pid, BACKEND_ALL);
g_ptr_array_add(fields, &pid_field);
}
if (uid != G_MAXULONG) {
_audit_field_init_uint(&uid_field, "uid", uid, BACKEND_ALL);
g_ptr_array_add(fields, &uid_field);
}
}
_audit_field_init_string(&result_field,
"result",
result ? "success" : "fail",
FALSE,
BACKEND_ALL);
g_ptr_array_add(fields, &result_field);
if (reason) {
_audit_field_init_string(&reason_field, "reason", reason, FALSE, BACKEND_LOG);
g_ptr_array_add(fields, &reason_field);
}
nm_audit_log(self, fields, file, line, func, result);
}
gboolean
nm_audit_manager_audit_enabled(NMAuditManager *self)
{
#if HAVE_LIBAUDIT
NMAuditManagerPrivate *priv = NM_AUDIT_MANAGER_GET_PRIVATE(self);
if (priv->auditd_fd >= 0)
return TRUE;
#endif
return nm_logging_enabled(AUDIT_LOG_LEVEL, LOGD_AUDIT);
}
void
_nm_audit_manager_log_connection_op(NMAuditManager * self,
const char * file,
guint line,
const char * func,
const char * op,
NMSettingsConnection *connection,
gboolean result,
const char * args,
gpointer subject_context,
const char * reason)
{
gs_unref_ptrarray GPtrArray *fields = NULL;
AuditField uuid_field = {}, name_field = {}, args_field = {};
g_return_if_fail(op);
fields = g_ptr_array_new();
if (connection) {
_audit_field_init_string(&uuid_field,
"uuid",
nm_settings_connection_get_uuid(connection),
FALSE,
BACKEND_ALL);
g_ptr_array_add(fields, &uuid_field);
_audit_field_init_string(&name_field,
"name",
nm_settings_connection_get_id(connection),
TRUE,
BACKEND_ALL);
g_ptr_array_add(fields, &name_field);
}
if (args) {
_audit_field_init_string(&args_field, "args", args, FALSE, BACKEND_ALL);
g_ptr_array_add(fields, &args_field);
}
_audit_log_helper(self, fields, file, line, func, op, result, subject_context, reason);
}
void
_nm_audit_manager_log_generic_op(NMAuditManager *self,
const char * file,
guint line,
const char * func,
const char * op,
const char * arg,
gboolean result,
gpointer subject_context,
const char * reason)
{
gs_unref_ptrarray GPtrArray *fields = NULL;
AuditField arg_field = {};
g_return_if_fail(op);
g_return_if_fail(arg);
fields = g_ptr_array_new();
_audit_field_init_string(&arg_field, "arg", arg, TRUE, BACKEND_ALL);
g_ptr_array_add(fields, &arg_field);
_audit_log_helper(self, fields, file, line, func, op, result, subject_context, reason);
}
void
_nm_audit_manager_log_device_op(NMAuditManager *self,
const char * file,
guint line,
const char * func,
const char * op,
NMDevice * device,
gboolean result,
const char * args,
gpointer subject_context,
const char * reason)
{
gs_unref_ptrarray GPtrArray *fields = NULL;
AuditField interface_field = {}, ifindex_field = {}, args_field = {};
int ifindex;
g_return_if_fail(op);
g_return_if_fail(device);
fields = g_ptr_array_new();
_audit_field_init_string(&interface_field,
"interface",
nm_device_get_ip_iface(device),
TRUE,
BACKEND_ALL);
g_ptr_array_add(fields, &interface_field);
ifindex = nm_device_get_ip_ifindex(device);
if (ifindex > 0) {
_audit_field_init_uint(&ifindex_field, "ifindex", ifindex, BACKEND_ALL);
g_ptr_array_add(fields, &ifindex_field);
}
if (args) {
_audit_field_init_string(&args_field, "args", args, FALSE, BACKEND_ALL);
g_ptr_array_add(fields, &args_field);
}
_audit_log_helper(self, fields, file, line, func, op, result, subject_context, reason);
}
#if HAVE_LIBAUDIT
static void
init_auditd(NMAuditManager *self)
{
NMAuditManagerPrivate *priv = NM_AUDIT_MANAGER_GET_PRIVATE(self);
NMConfigData * data = nm_config_get_data(priv->config);
int errsv;
if (nm_config_data_get_value_boolean(data,
NM_CONFIG_KEYFILE_GROUP_LOGGING,
NM_CONFIG_KEYFILE_KEY_LOGGING_AUDIT,
NM_CONFIG_DEFAULT_LOGGING_AUDIT_BOOL)) {
if (priv->auditd_fd < 0) {
priv->auditd_fd = audit_open();
if (priv->auditd_fd < 0) {
errsv = errno;
_LOGE(LOGD_CORE, "failed to open auditd socket: %s", nm_strerror_native(errsv));
} else
_LOGD(LOGD_CORE, "socket created");
}
} else {
if (priv->auditd_fd >= 0) {
audit_close(priv->auditd_fd);
priv->auditd_fd = -1;
_LOGD(LOGD_CORE, "socket closed");
}
}
}
static void
config_changed_cb(NMConfig * config,
NMConfigData * config_data,
NMConfigChangeFlags changes,
NMConfigData * old_data,
NMAuditManager * self)
{
if (NM_FLAGS_HAS(changes, NM_CONFIG_CHANGE_VALUES))
init_auditd(self);
}
#endif
/*****************************************************************************/
static void
nm_audit_manager_init(NMAuditManager *self)
{
#if HAVE_LIBAUDIT
NMAuditManagerPrivate *priv = NM_AUDIT_MANAGER_GET_PRIVATE(self);
priv->config = g_object_ref(nm_config_get());
g_signal_connect(G_OBJECT(priv->config),
NM_CONFIG_SIGNAL_CONFIG_CHANGED,
G_CALLBACK(config_changed_cb),
self);
priv->auditd_fd = -1;
init_auditd(self);
#endif
}
static void
dispose(GObject *object)
{
#if HAVE_LIBAUDIT
NMAuditManager * self = NM_AUDIT_MANAGER(object);
NMAuditManagerPrivate *priv = NM_AUDIT_MANAGER_GET_PRIVATE(self);
if (priv->config) {
g_signal_handlers_disconnect_by_func(priv->config, config_changed_cb, self);
g_clear_object(&priv->config);
}
if (priv->auditd_fd >= 0) {
audit_close(priv->auditd_fd);
priv->auditd_fd = -1;
}
#endif
G_OBJECT_CLASS(nm_audit_manager_parent_class)->dispose(object);
}
static void
nm_audit_manager_class_init(NMAuditManagerClass *klass)
{
GObjectClass *object_class = G_OBJECT_CLASS(klass);
object_class->dispose = dispose;
}
Reference in a new issue View git blame Copy permalink