Re: libaudit: android support
On Wed, Oct 15, 2025, 09:15 Jean-Jacques Pitrolle <
jean-jacques.pitrolle(a)sysgo.com> wrote:
Hi,
I don't know if you forget to add the list as CC so i answer you
directly and send it to the list if you are okay.
Oops, yeah all re-add the list.
On 14/10/2025 19:52, William Roberts wrote:
> On Tue, Oct 14, 2025 at 12:09 PM Jean-Jacques Pitrolle
> <jean-jacques.pitrolle(a)sysgo.com> wrote:
>>
>> Hi Bill
>>
>> On 14/10/2025 18:54, William Roberts wrote:
>>> I did a rewrite of libaudit for Android and it was merged into logd.
>>> It's been a long time since I have looked at it,
>>> but AFAIK, the logs should be available via logcat. None of this will
>>> be part of the ndk if you want to build against it,
>>> it's really a system only level thing.
>>>
>>> Here is where that libaudit code lives now:
>>>
https://cs.android.com/android/platform/superproject/main/+/main:system/
>>> logging/logd/libaudit/libaudit.cpp
>>
>> Thanks for your quick answer.
>>
>> Okay at least something exists for libaudit. I need to take a look on it
>> to see how i can use it.
>
> Ultimately you need permissions to the netlink socket that the audit
> subsystem uses,
> and that is not available to typical android applications, you would
> need to build your
> own custom Android that exposes that. However, that would violate the
> required CTS
> for Android branding IIRC.
I think at the end it is a *problem* to build my own Android to access
the netlink socket.
My purpose is to stick as much as possible to a vanilla Android: so
avoid as much as possible specific modification.
Yeah so you want to write an application for Android.
>
>>
>> And what about libauparse?
>
> I don't believe that is there.
>
>> Should i consider to build it myself with Android build environment?
>
> You can grab and build anything, code is code, but the biggest part of
> the way Android containers
> work is, "Will I have permissions to get at the resource". If you just
> want to look at the messages,
> it's in logcat, and you can build an application that has the
> permission READ_LOGS IIRC, in the
> Android Manifest to look at logcat and then look for selinux/audit
messages.
Hmm i'm not very familiar with Android execution environment.
I want to create a C/C++ application (not Kotlin/Java..) an i don't know
if a manifest is required.
I need to do my 'Android architecture' homework before to have a clear
understanding of the pre-requisite for my use case.
Yeah this jargon is just part of the steps to create an application. Just a
quick
look, there is an open source Android logcat reader application:
- https://github.com/darshanparajuli/LogcatReader
You could probably just modify that.
I believe the Android NDK allows pure native applications, but ultimately
in Android now,
even Java/Kotlin gets reduced to native ELF binaries through OAT which is a
play on AOT
which is Ahead of Time Compilation. Essentially the byte code gets
translated into a shared
library loaded up by a framework and executed IIUC/IIRC.
I would recommend just using Kotlin because of the support, and you can
call any native
functions, like things from libauparse, from Kotlin. When I used to Android
it was all Java
and JNI, I would imagine it's essentially JNI for Kotlin too, but don't
quote me.
>
> More about your ultimate goal would help me understand and formulate a
> better response if you
> can share that?
My ultimate goal is to read audit/log events from various daemons like
auditd, syslogd, .. and transform those events to a format closed to
Qualified Security Event defined by AUTOSAR[1].
On a GNU/Linux distribution the services are "well" defined and known
(at least by myself ^^)
On an Android it seems that *everything* is logged by logd/logcat.
Yeah logcat is the central logger, so create an application that listens to
logcat, then look for
the events you care about and reformat them as needed calling libauparse.
Thanks.
Regards
[1]:
https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_PRS_Intrusi...
>>
>> Regards.
Attachments:
- attachment.html (text/html — 6.2 KB)