[PATCH ghau51/ghau40 v5 6/6] libaudit: add support to get the task audit container identifier
Add the audit_get_containerid() call analogous to audit_getloginuid()
and audit_get_session() calls to get our own audit container identifier.
This is intended as a debug patch, not to be upstreamed.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/Makefile.am | 2 +-
docs/audit_get_containerid.3 | 25 +++++++++++++++++++++++++
lib/libaudit.c | 29 +++++++++++++++++++++++++++++
lib/libaudit.h | 1 +
4 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 docs/audit_get_containerid.3
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 8fb030c6e5e4..209789bb2051 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -28,7 +28,7 @@ man_MANS = audit_add_rule_data.3 audit_add_watch.3 auditctl.8 auditd.8
\
auditd.conf.5 auditd-plugins.5 \
audit_delete_rule_data.3 audit_detect_machine.3 \
audit_encode_nv_string.3 audit_getloginuid.3 \
-audit_get_reply.3 audit_get_session.3 \
+audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 \
audit_log_acct_message.3 audit_log_user_avc_message.3 \
audit_log_user_command.3 audit_log_user_comm_message.3 \
audit_log_user_message.3 audit_log_semanage_message.3 \
diff --git a/docs/audit_get_containerid.3 b/docs/audit_get_containerid.3
new file mode 100644
index 000000000000..7d11b9fa747b
--- /dev/null
+++ b/docs/audit_get_containerid.3
@@ -0,0 +1,25 @@
+.TH "AUDIT_GET_CONTAINERID" "3" "Feb 2018" "Red
Hat" "Linux Audit API"
+.SH NAME
+audit_get_containerid \- Get a program's container id value
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+uin32_t audit_get_containerid(void);
+
+.SH DESCRIPTION
+This function returns the task's audit container identifier attribute.
+
+.SH "RETURN VALUE"
+
+This function returns the audit container identifier value if it was set. It will return
a \-1 if the audit container identifier is unset. However, since uint64_t is an unsigned
type, you will see the converted value instead of \-1.
+
+.SH "ERRORS"
+
+This function returns \-2 on failure. Additionally, in the event of a real error, errno
would be set. The function can set errno based on failures of open, read, or strtoul.
+
+.SH "SEE ALSO"
+
+.BR audit_getloginuid (3).
+
+.SH AUTHOR
+Steve Grubb
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 5df5ddf85430..a1727f1a321a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -931,6 +931,35 @@ uint32_t audit_get_session(void)
return ses;
}
+/*
+ * This function will retrieve the audit container identifier or -2 if
+ * there is an error.
+ */
+uint64_t audit_get_containerid(void)
+{
+ uint64_t containerid;
+ int len, in;
+ char buf[32];
+
+ errno = 0;
+ in = open("/proc/self/audit_containerid", O_NOFOLLOW|O_RDONLY);
+ if (in < 0)
+ return -2;
+ do {
+ len = read(in, buf, sizeof(buf));
+ } while (len < 0 && errno == EINTR);
+ close(in);
+ if (len < 0 || len >= sizeof(buf))
+ return -2;
+ buf[len] = 0;
+ errno = 0;
+ containerid = strtoull(buf, 0, 10);
+ if (errno)
+ return -2;
+ else
+ return containerid;
+}
+
int audit_rule_syscall_data(struct audit_rule_data *rule, int scall)
{
int word = AUDIT_WORD(scall);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e7256a328c45..348b50b525be 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -575,6 +575,7 @@ extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t
block,
extern uid_t audit_getloginuid(void);
extern int audit_setloginuid(uid_t uid);
extern uint32_t audit_get_session(void);
+extern uint64_t audit_get_containerid(void);
extern int audit_detect_machine(void);
extern int audit_determine_machine(const char *arch);
--
1.8.3.1