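/* libselinux log callback: an AVC denial (or other libselinux event) is
 * formatted and handed to the audit subsystem as a USER_AVC record when an
 * audit socket is open and the process holds CAP_AUDIT_WRITE; otherwise it
 * is written to syslog with LOG_USER | LOG_INFO.
 *
 * fmt/...: printf-style message supplied by libselinux.
 * No return value; delivery failures are not reported to the caller.
 */
static void 
log_callback (const char *fmt, ...) 
{
  va_list ap;

  va_start(ap, fmt);

#ifdef HAVE_LIBAUDIT
  if (audit_fd >= 0)
  {
    capng_get_caps_process();
    if (capng_have_capability(CAPNG_EFFECTIVE, CAP_AUDIT_WRITE))
    {
      /* Fixed-size stack buffer: a message longer than this is truncated
       * by vsnprintf rather than dropped. */
      char buf[PATH_MAX*2];

      /* FIXME: need to change this to show real user */
      vsnprintf(buf, sizeof(buf), fmt, ap);
      audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
                               NULL, getuid());
      /* Every va_start must be paired with va_end, including on this
       * early-exit path; the original 'return' here skipped it. */
      goto out;
    }
  }
#endif /* HAVE_LIBAUDIT */

  vsyslog (LOG_USER | LOG_INFO, fmt, ap);

#ifdef HAVE_LIBAUDIT
out:
#endif
  va_end(ap);
}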
/*
   libselinux hands AVC denials and other events to this callback. When an
   audit socket is available the formatted message is emitted as a
   USER_AVC audit record; otherwise (or if formatting the message fails)
   it goes through the normal logging path under the LOG_AUTH facility.

   type: libselinux callback type, mapped to a syslog priority for the
   non-audit path. fmt/...: printf-style message. Always returns 0.

   Code copied from dbus and modified.
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
        va_list ap;

#ifdef HAVE_AUDIT
        int audit_fd = get_audit_fd();

        if (audit_fd >= 0) {
                _cleanup_free_ char *msg = NULL;

                va_start(ap, fmt);
                int n = vasprintf(&msg, fmt, ap);
                va_end(ap);

                /* Only a successfully formatted message is sent to audit;
                   on failure fall through to the regular logger. */
                if (n >= 0) {
                        audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, msg, NULL, NULL, NULL, 0);
                        return 0;
                }
        }
#endif

        va_start(ap, fmt);
        log_internalv(LOG_AUTH | callback_type_to_priority(type),
                      0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
        va_end(ap);

        return 0;
}
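/* When an avc denial occurs, log it to audit system.
 *
 * fmt/...: printf-style message from libselinux. Nothing is logged when no
 * audit socket is open (audit_fd < 0).
 *
 * The message is formatted with vasprintf; if that fails (typically OOM) a
 * bounded stack buffer is used instead so the denial is still recorded,
 * possibly truncated.
 */
static void
log_callback (const char *fmt, ...)
{
  if (audit_fd >= 0)
    {
      va_list ap;
      va_list ap_copy;
      char fallback[BUFSIZ];
      char *buf;
      int e;

      va_start (ap, fmt);
      /* A va_list handed to a v*printf function is indeterminate
       * afterwards, so the fallback path must format from its own copy
       * rather than reuse 'ap' (reusing it is undefined behaviour). */
      va_copy (ap_copy, ap);

      e = vasprintf (&buf, fmt, ap);
      if (e < 0)
        {
          /* vasprintf leaves buf unspecified on failure; use the
           * fixed-size stack buffer instead of alloca. */
          vsnprintf (fallback, sizeof fallback, fmt, ap_copy);
          buf = fallback;
        }
      va_end (ap_copy);

      /* FIXME: need to attribute this to real user, using getuid for now */
      audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
                                  NULL, getuid ());

      /* Only the vasprintf result is heap-allocated. */
      if (e >= 0)
        free (buf);

      va_end (ap);
    }
}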
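/*
   Any time an access gets denied this callback will be called
   code copied from dbus. If audit is turned on the messages will go as
   user_avc's into the /var/log/audit/audit.log, otherwise they will be
   sent to syslog.

   type: libselinux callback type (not used here; every message is logged
   with LOG_USER | LOG_INFO on the syslog path).
   fmt/...: printf-style message. Always returns 0.
*/
static int log_callback(int type, const char *fmt, ...) {
        va_list ap;

#ifdef HAVE_AUDIT
        int fd;

        /* Fetch the descriptor once so the check and the audit call use
           the same fd, instead of calling get_audit_fd() twice. */
        fd = get_audit_fd();

        if (fd >= 0) {
                _cleanup_free_ char *buf = NULL;
                int r;

                va_start(ap, fmt);
                r = vasprintf(&buf, fmt, ap);
                va_end(ap);

                if (r >= 0) {
                        audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                        return 0;
                }
                /* Formatting failed (usually OOM): fall through to syslog
                   with a freshly initialised va_list. */
        }
#endif

        va_start(ap, fmt);
        log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
        va_end(ap);

        return 0;
}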
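/*
   libselinux uses this callback when access gets denied or other
   events happen. If audit is turned on, messages will be reported
   using audit netlink, otherwise they will be logged using the usual
   channels.

   type: one of libselinux's SELINUX_* callback types. SELINUX_AVC and
   SELINUX_ERROR are sent to audit as USER_AVC / USER_SELINUX_ERR records;
   any other type is sent through the normal log path even when audit is
   available, instead of being discarded after formatting.
   fmt/...: printf-style message. Always returns 0.

   Code copied from dbus and modified.
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
        va_list ap;
        const char *fmt2;

#if HAVE_AUDIT
        int fd;

        fd = get_audit_fd();

        if (fd >= 0) {
                _cleanup_free_ char *buf = NULL;
                int r;

                va_start(ap, fmt);
                r = vasprintf(&buf, fmt, ap);
                va_end(ap);

                if (r >= 0) {
                        if (type == SELINUX_AVC) {
                                audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                                return 0;
                        }
                        if (type == SELINUX_ERROR) {
                                audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
                                return 0;
                        }
                        /* Other message types are not audit records: fall
                           through to the regular logger rather than
                           returning 0 with the message unlogged. */
                }
        }
#endif

        /* Prefix so the origin is recognisable in the log; fmt2 is derived
           from the callback's own format string, not from message data. */
        fmt2 = strjoina("selinux: ", fmt);

        va_start(ap, fmt);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
        log_internalv(LOG_AUTH | callback_type_to_priority(type),
                      0, __FILE__, __LINE__, __FUNCTION__,
                      fmt2, ap);
#pragma GCC diagnostic pop
        va_end(ap);

        return 0;
}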
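/* Record an AppArmor mediation decision for a D-Bus operation.
 *
 * allow: whether the operation was permitted (logged as ALLOWED/DENIED).
 * op:    the D-Bus operation name, logged as "dbus_<op>".
 * data:  pre-formatted details appended verbatim to the record.
 *
 * With libaudit the record is sent as a USER_AVC audit event; if that is
 * not possible (no audit fd, OOM while building the record, or libaudit
 * reports the message was not sent) it falls back to syslog so the
 * decision is never lost silently.
 */
static void
log_message (dbus_bool_t allow, const char *op, DBusString *data)
{
  const char *mstr;
#ifdef HAVE_LIBAUDIT
  int audit_fd;
#endif

  if (allow)
    mstr = "ALLOWED";
  else
    mstr = "DENIED";

#ifdef HAVE_LIBAUDIT
  audit_fd = bus_audit_get_fd ();

  if (audit_fd >= 0)
  {
    DBusString avc;
    int rc;

    if (!_dbus_string_init (&avc))
      goto syslog;

    if (!_dbus_string_append_printf (&avc,
          "apparmor=\"%s\" operation=\"dbus_%s\" %s\n",
          mstr, op, _dbus_string_get_const_data (data)))
      {
        _dbus_string_free (&avc);
        goto syslog;
      }

    /* FIXME: need to change this to show real user */
    rc = audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC,
                                     _dbus_string_get_const_data (&avc),
                                     NULL, NULL, NULL, getuid ());
    _dbus_string_free (&avc);

    /* libaudit returns the record's sequence number (> 0) once it has
     * been handed to the kernel; anything else means the event was not
     * delivered, so write it to syslog instead of dropping it. */
    if (rc > 0)
      return;
  }

syslog:
#endif /* HAVE_LIBAUDIT */

  syslog (LOG_USER | LOG_NOTICE, "apparmor=\"%s\" operation=\"dbus_%s\" %s\n",
          mstr, op, _dbus_string_get_const_data (data));
}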
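/*
   Any time an access gets denied this callback will be called
   code copied from dbus. If audit is turned on the messages will go as
   user_avc's into the /var/log/audit/audit.log, otherwise they will be
   sent to syslog.

   type: libselinux callback type (not used here; everything is logged
   with LOG_USER | LOG_INFO on the syslog path).
   fmt/...: printf-style message. Always returns 0.
*/
static int log_callback(int type, const char *fmt, ...) {
        va_list ap;

        va_start(ap, fmt);

#ifdef HAVE_AUDIT
        int fd = get_audit_fd();

        if (fd >= 0) {
                char buf[LINE_MAX];
                va_list ap_audit;
                int r;

                /* Format from a copy: a va_list consumed by vsnprintf is
                   indeterminate afterwards and cannot be reused by the
                   syslog fallback below. */
                va_copy(ap_audit, ap);
                r = vsnprintf(buf, sizeof(buf), fmt, ap_audit);
                va_end(ap_audit);

                /* r >= sizeof(buf) means the record was truncated to fit
                   LINE_MAX; it is still sent rather than dropped. */
                if (r >= 0) {
                        audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                        va_end(ap);

                        return 0;
                }
                /* Formatting error: buf contents are unspecified, so do not
                   send them; fall through to syslog with the original ap. */
        }
#endif
        log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
        va_end(ap);

        return 0;
}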
/* libselinux log callback. When built with libaudit and an audit socket
 * is open, the message is emitted as a USER_AVC audit record; otherwise
 * it is written to syslog with LOG_USER | LOG_INFO.
 *
 * fmt/...: printf-style message supplied by libselinux. No return value.
 */
static void 
log_callback (const char *fmt, ...) 
{
  va_list ap;

  va_start(ap, fmt);

#ifdef HAVE_LIBAUDIT
  {
    int fd = bus_audit_get_fd ();

    if (fd >= 0)
    {
      /* This should really be a DBusString, but DBusString allocates
       * memory dynamically; before switching it, we need to check with
       * SELinux people that it would be OK for this to fall back to
       * syslog if OOM, like the equivalent AppArmor code does. */
      char msg[PATH_MAX*2];

      /* FIXME: need to change this to show real user */
      vsnprintf(msg, sizeof msg, fmt, ap);
      audit_log_user_avc_message(fd, AUDIT_USER_AVC, msg, NULL, NULL,
                               NULL, getuid());
      /* Audit path taken: release the va_list here instead of jumping
       * to a shared label. */
      va_end(ap);
      return;
    }
  }
#endif /* HAVE_LIBAUDIT */

  vsyslog (LOG_USER | LOG_INFO, fmt, ap);
  va_end(ap);
}