a ÖâÏhÆ;ã@sgd¢ZddlmZddlmZddlZddlZddlZddlZddlZ ddl Z ddl m Z ddl Z ddlZddlmZddlmZddlTddlTddlTzeed ƒWneyÂd e_Yn0ee ¡d ƒZd d „ZGdd„deƒZGdd„de jƒZdS))ÚAuditSocketReceiverThreadÚAuditRecordReceiverÚ verify_avcé)Ústr)ÚobjectN)Ú_thread)Ú cmp_to_key)Ú get_config)Ú*Ú AUDIT_EOEi(écCsp|jjdks|jjdkrdStj|jjkrlt tjdt|jf¡t tjd|j ¡¡ddl}|  d¡dS)NFzUsetroubleshoot generated AVC, exiting to avoid recursion, context=%s, AVC scontext=%szaudit event %srT) ZscontextÚtypeZtcontextÚ my_contextÚsyslogÚLOG_ERRÚ audit_eventÚformatÚsysÚexit)Úavcr©rúÔóz1AuditRecordReceiver.flush_cache..)Úkeyéÿÿÿÿ) r"rr%ÚlistÚkeysr2Úsortrr7Úcache_time_to_live)rÚ threshold_ageZ event_idsr'rrrrÚ flush_cache»s"      zAuditRecordReceiver.flush_cacheccs4| |¡d|_t|jƒdkr0|j ¡}|VqdSr$)rCrr"rÚpop)rrBrrrrÚflushÝs   zAuditRecordReceiver.flushccs| d¡D] }|Vq dS)z{Emit every event in the cache irrespective of its timestamp. This means we're done, nothing should remain buffered.rN)rEr5rrrÚcloseäszAuditRecordReceiver.closeccsf|jd7_|jdvr"| |¡|j|jkrB| ¡D] }|Vq6t|jƒdkrb|j ¡}|VqBdS)z9Accept a new audit record into the system for processing.r )ZAVCZAVC_PATHZSYSCALLZCWDÚPATHr-Z1400Z1107rN)rr1r3rrEr"rrDr(rrrÚfeedës     zAuditRecordReceiver.feed)N)N)r0Ú __module__Ú __qualname__Ú__doc__rAr r#rr*r,r3r6r2rCrErFrHrrrrrFsH  " rc@s<eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd S)rcCsFtj |¡||_||_tƒ|_tddtƒ|_ |  ¡d|_ d|_ dS)NÚauditÚretry_intervaléF) Ú threadingÚThreadr ÚqueueÚreport_receiverrÚrecord_receiverr ÚintrMÚget_socket_pathsÚtimeout_intervalÚ has_audit_eoe)rrQrRrrrr s z"AuditSocketReceiverThread.__init__cCs6g|_tddƒ}|j |¡tddƒ}|j |¡dS)NrLZtext_protocol_socket_pathZbinary_protocol_socket_path)Úaudit_socket_pathsr Úappend)rÚaudit_socket_pathrrrrU s    z*AuditSocketReceiverThread.get_socket_pathsc Csˆzì|jD]Æ|_|jdurzpt|jƒ}t|ƒ|_t tjtj¡|_ t   |j   ¡t j t j ¡|j  |j¡|j  ¡|_td|jƒWWdStjyÌ}z*t|ƒ\}}td|j|fƒWYd}~qd}~00qtdd |j¡|jfƒWnˆtjy6}z.t|ƒ\}}td|j||jfƒWYd}~nHd}~0tyt}z&td|j|d|jfƒWYd}~n d}~00t |j¡qdS)Nzaudit socket (%s) connectedz4attempt to open audit socket (%s) failed, error='%s'z:could not open any audit sockets (%s), retry in %d secondsz, z9audit socket (%s) failed, error='%s', retry in %d secondsr )rXrZZderive_record_formatZAuditRecordReaderÚ record_readerÚSocketÚsocketZAF_UNIXZ SOCK_STREAMÚ audit_socketÚfcntlÚfilenoZF_SETFDZ FD_CLOEXECÚconnectZmakefileÚaudit_socket_fdr.ÚerrorZget_error_from_socket_exceptionÚjoinrMÚOSErrorÚtimeÚsleep)rZ record_formatÚeÚerrnoÚstrerrorrrrras,       * *0z!AuditSocketReceiverThread.connectcCs8t|||||ƒ}| ¡|j |¡D]}| |¡q$dS)z"called to enter a new audit recordN)Z AuditRecordZaudispd_rectifyrSrHÚnew_audit_event_handler)rr1r'Ú body_textÚfieldsÚ line_numberZ audit_recordrrrrÚnew_audit_record_handler1sz2AuditSocketReceiverThread.new_audit_record_handlercCsL| ¡rH| ¡sH| ¡dkrHt|ƒ}|D]}t|ƒr(|j ||jf¡q(dSr$)Zis_avcZ is_grantedZ num_recordsZ compute_avcsrrQZputrR)rrZavcsrrrrrk9s z1AuditSocketReceiverThread.new_audit_event_handlerc CsÞ| ¡|j}t |jggg|¡\}}}zÜ|j|vrÈddl}| |j ¡d¡}|dkrhtdƒ| ¡n^td|j   ¡ƒ|j s†|j}|j   |¡D]2\}}} } } |dkr²d|_ d}| ||| | | ¡q’n:|j  t ¡|j¡D]} | | ¡qÞ|j   ¡dkrd}WqtyB} z$td|jjƒt ¡WYd} ~ qd} ~ 0ty~} z$td |jjƒt ¡WYd} ~ qd} ~ 0tyÖ} z@ddl}t| ¡ƒt tjd | jjt| ƒf¡WYd} ~ dSd} ~ 00qdS) NriÚzaudit socket connection droppedzcached audit event count = %dr-Tz!KeyboardInterrupt exception in %szSystemExit exception in %szexception %s: %s)rarVÚselectr^ÚosÚreadrbr`r.rSr#rWr[rHrorErfrkÚKeyboardInterruptr/r0rÚinterrupt_mainÚ SystemExitÚ ExceptionÚ tracebackZ syslog_traceÚ format_excrrr)rÚtimeoutZinListZoutListZerrListrrZnew_datar1r'rlrmrnrrhrxrrrÚrun@sB    zAuditSocketReceiverThread.runN) r0rIrJr rUrarorkr{rrrrrþs   r) Ú__all__ÚbuiltinsrrrrLrqZselinuxr]r\r_Z six.movesrrOrfÚ functoolsrZsetroubleshoot.configr Zsetroubleshoot.errcodeZsetroubleshoot.utilZsetroubleshoot.audit_dataÚgetattrÚAttributeErrorr Z AvcContextZgetconrrrrPrrrrrÚs2       9