From 83d85563c51fa39cb61b836302a8c26fe0e2ace6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 19 Nov 2014 13:33:22 -0800
Subject: [PATCH] logd: throttle SELinux denials to 20/sec
Impose a limit of 20 selinux denials per second. Denials beyond
that point don't add any value, and have the potential to cause
crashes or denial of service attacks.
Do some other misc cleanup while I'm here.
Bug: 18341932
(cherry picked from commit c234a1b879d9c9d8e1a797c5dcf3098249945748)
Change-Id: Ic5c96003db82e504baf301e87be5c8c539c73c2a
---
logd/LogAudit.cpp | 2 +-
logd/libaudit.c | 24 +++++++++++-------------
logd/libaudit.h | 9 +--------
3 files changed, 13 insertions(+), 22 deletions(-)
diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 51feff396f..ee2f32d24e 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -248,7 +248,7 @@ int LogAudit::getLogSocket() {
if (fd < 0) {
return fd;
}
- if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) {
+ if (audit_setup(fd, getpid()) < 0) {
audit_close(fd);
fd = -1;
}
diff --git a/logd/libaudit.c b/logd/libaudit.c
index ca88d1b224..d00d579594 100644
--- a/logd/libaudit.c
+++ b/logd/libaudit.c
@@ -162,7 +162,7 @@ out:
return rc;
}
-int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
+int audit_setup(int fd, uint32_t pid)
{
int rc;
struct audit_message rep;
@@ -176,7 +176,8 @@ int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
* and the the mask set to AUDIT_STATUS_PID
*/
status.pid = pid;
- status.mask = AUDIT_STATUS_PID;
+ status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;
+ status.rate_limit = 20; // audit entries per second
/* Let the kernel know this pid will be registering for audit events */
rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
@@ -188,24 +189,21 @@ int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
/*
* In a request where we need to wait for a response, wait for the message
* and discard it. This message confirms and sync's us with the kernel.
- * This daemon is now registered as the audit logger. Only wait if the
- * wmode is != WAIT_NO
+ * This daemon is now registered as the audit logger.
+ *
+ * TODO
+ * If the daemon dies and restarts the message didn't come back,
+ * so I went to non-blocking and it seemed to fix the bug.
+ * Need to investigate further.
*/
- if (wmode != WAIT_NO) {
- /* TODO
- * If the daemon dies and restarts the message didn't come back,
- * so I went to non-blocking and it seemed to fix the bug.
- * Need to investigate further.
- */
- audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
- }
+ audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
return 0;
}
int audit_open()
{
- return socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+ return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
}
int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
diff --git a/logd/libaudit.h b/logd/libaudit.h
index cb114f91d7..b9e330d97c 100644
--- a/logd/libaudit.h
+++ b/logd/libaudit.h
@@ -37,11 +37,6 @@ typedef enum {
GET_REPLY_NONBLOCKING
} reply_t;
-typedef enum {
- WAIT_NO,
- WAIT_YES
-} rep_wait_t;
-
/* type == AUDIT_SIGNAL_INFO */
struct audit_sig_info {
uid_t uid;
@@ -92,12 +87,10 @@ extern int audit_get_reply(int fd, struct audit_message *rep, reply_t block,
* The fd returned by a call to audit_open()
* @param pid
* The pid whom to set as the reciever of audit messages
- * @param wmode
- * Whether or not to block on the underlying socket io calls.
* @return
* This function returns 0 on success, -errno on error.
*/
-extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
+extern int audit_setup(int fd, uint32_t pid);
__END_DECLS
--
GitLab