auditevents.cpp   [plain text]

/*
 * Copyright (c) 2009-2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// auditevents - monitor and act upon audit subsystem events
//
#include <os/log.h>
#include "auditevents.h"
#include "dtrace.h"
#include <security_utilities/logging.h>
#include "self.h"

using namespace UnixPlusPlus;
using namespace MachPlusPlus;


AuditMonitor::AuditMonitor(Port relay)
	: Thread("AuditMonitor"), mRelay(relay)
{
}

AuditMonitor::~AuditMonitor()
{
}


//
// Endlessly retrieve session events and dispatch them.
// (The current version of MachServer cannot receive FileDesc-based events,
// so we need a monitor thread for this.)
//
void AuditMonitor::threadAction()
{
    au_sdev_handle_t *dev;
	int event;
	auditinfo_addr_t aia;

    // This retries forever since securityd can't functions correctly without getting audit sessions events
    while (1) {
        dev = au_sdev_open(AU_SDEVF_ALLSESSIONS);
        if (NULL == dev) {
            os_log_fault(OS_LOG_DEFAULT, "auditevents count not open audit device: %d, retrying in a bit", errno);
            sleep(10);
            continue;
        }

        for (;;) {
            if (0 != au_sdev_read_aia(dev, &event, &aia)) {
                secerror("au_sdev_read_aia failed: %d\n", errno);
                break;
            }
            secinfo("SecServer", "%p session notify %d %d %d", this, aia.ai_asid, event, aia.ai_auid);
            if (kern_return_t rc = self_client_handleSession(mRelay, event, aia.ai_asid)) {
                secerror("self-send failed (mach error %d)", rc);
            }
        }
        au_sdev_close(dev);
    }
}