tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/logd/libaudit.h
Nick Kralevich be5e446791 introduce auditctl and use it to configure SELinux throttling 
In an effort to ensure that our development community does not
introduce new code without corresponding SELinux changes, Android
closely monitors the number of SELinux denials which occur during
boot. This monitoring occurs both in treehugger, as well as various
dashboards. If SELinux denials are dropped during early boot, this
could result in non-determinism for the various SELinux treehugger
tests.

Introduce /system/bin/auditctl. This tool, model after
https://linux.die.net/man/8/auditctl , allows for configuring the
throttling rate for the kernel auditing system.

Remove any throttling from early boot. This will hopefully reduce
treehugger flakiness by making denial generation more predictible
during early boot.

Reapply the throttling at boot complete, to avoid denial of service
attacks against the auditing subsystem.

Delete pre-existing unittests for logd / SELinux integration. It's
intended that all throttling decisions be made in the kernel, and
shouldn't be a concern of logd.

Bug: 118815957
Test: Perform an operation which generates lots of SELinux denials,
      and count how many occur before and after the time period.
Change-Id: I6c787dbdd4a28208dc854b543e1727ae92e5eeed
2019-04-09 13:19:08 -07:00

106 lines
2.7 KiB
C
Raw Blame History

/*
* Copyright 2012, Samsung Telecommunications of America
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Written by William Roberts <w.roberts@sta.samsung.com>
*/
#ifndef _LIBAUDIT_H_
#define _LIBAUDIT_H_
#include <stdint.h>
#include <sys/cdefs.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/audit.h>
#include <linux/netlink.h>
__BEGIN_DECLS
#define MAX_AUDIT_MESSAGE_LENGTH 8970
typedef enum { GET_REPLY_BLOCKING = 0, GET_REPLY_NONBLOCKING } reply_t;
/* type == AUDIT_SIGNAL_INFO */
struct audit_sig_info {
uid_t uid;
pid_t pid;
char ctx[0];
};
struct audit_message {
struct nlmsghdr nlh;
char data[MAX_AUDIT_MESSAGE_LENGTH];
};
/**
* Opens a connection to the Audit netlink socket
* @return
* A valid fd on success or < 0 on error with errno set.
* Returns the same errors as man 2 socket.
*/
extern int audit_open(void);
/**
* Closes the fd returned from audit_open()
* @param fd
* The fd to close
*/
extern void audit_close(int fd);
/**
*
* @param fd
* The fd returned by a call to audit_open()
* @param rep
* The response struct to store the response in.
* @param block
* Whether or not to block on IO
* @param peek
* Whether or not we are to remove the message from
* the queue when we do a read on the netlink socket.
* @return
* This function returns 0 on success, else -errno.
*/
extern int audit_get_reply(int fd, struct audit_message* rep, reply_t block,
int peek);
/**
* Sets a pid to receive audit netlink events from the kernel
* @param fd
* The fd returned by a call to audit_open()
* @param pid
* The pid whom to set as the receiver of audit messages
* @return
* This function returns 0 on success, -errno on error.
*/
extern int audit_setup(int fd, pid_t pid);
/**
* Throttle kernel messages at the provided rate
* @param fd
* The fd returned by a call to audit_open()
* @param rate
* The rate, in messages per second, above which the kernel
* should drop audit messages.
* @return
* This function returns 0 on success, -errno on error.
*/
extern int audit_rate_limit(int fd, uint32_t limit);
__END_DECLS
#endif
Reference in a new issue View git blame Copy permalink