[apple/xnu.git] / bsd / security / audit / audit_mac.c

/*-
 * Copyright (c) 1999-2008 Apple Inc.
 * All rights reserved.
 *
 * @APPLE_BSD_LICENSE_HEADER_START@
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 */
/*
 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
 * support for mandatory and extensible security protections.  This notice
 * is included in support of clause 2.2 (b) of the Apple Public License,
 * Version 2.0.
 */

#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/kauth.h>
#include <sys/queue.h>
#include <sys/systm.h>

#include <bsm/audit.h>
#include <bsm/audit_internal.h>
#include <bsm/audit_kevents.h>

#include <security/audit/audit.h>
#include <security/audit/audit_private.h>

#include <mach/host_priv.h>
#include <mach/host_special_ports.h>
#include <mach/audit_triggers_server.h>

#include <kern/host.h>
#include <kern/kalloc.h>
#include <kern/zalloc.h>
#include <kern/sched_prim.h>

#if CONFIG_AUDIT

#if CONFIG_MACF
#include <bsm/audit_record.h>
#include <security/mac.h>
#include <security/mac_framework.h>
#include <security/mac_policy.h>
#define MAC_ARG_PREFIX "arg: "
#define MAC_ARG_PREFIX_LEN 5

zone_t		audit_mac_label_zone;
extern zone_t	mac_audit_data_zone;

void
audit_mac_init(void)
{
	/* Assume 3 MAC labels for each audit record: two for vnodes,
	 * one for creds.
	 */
	audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
	    AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
}

int
audit_mac_new(proc_t p, struct kaudit_record *ar)
{
	struct mac mac;

	/* 
	 * Retrieve the MAC labels for the process.
	 */
	ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
	if (ar->k_ar.ar_cred_mac_labels == NULL)
		return (1);
	mac.m_buflen = MAC_AUDIT_LABEL_LEN;
	mac.m_string = ar->k_ar.ar_cred_mac_labels;
	mac_cred_label_externalize_audit(p, &mac);

	/*
	 * grab space for the reconds.
	 */
	ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
	    kalloc(sizeof(*ar->k_ar.ar_mac_records));
	if (ar->k_ar.ar_mac_records == NULL) {
		zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
		return (1);
	}
	LIST_INIT(ar->k_ar.ar_mac_records);
	ar->k_ar.ar_forced_by_mac = 0;
	
	return (0);
}

void
audit_mac_free(struct kaudit_record *ar)
{
	struct mac_audit_record *head, *next;

	if (ar->k_ar.ar_vnode1_mac_labels != NULL)
		zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
	if (ar->k_ar.ar_vnode2_mac_labels != NULL)
		zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
	if (ar->k_ar.ar_cred_mac_labels != NULL)
		zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
	if (ar->k_ar.ar_arg_mac_string != NULL)
		kfree(ar->k_ar.ar_arg_mac_string,
		    MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);

	/*
	 * Free the audit data from the MAC policies.
	 */
	head = LIST_FIRST(ar->k_ar.ar_mac_records);
	while (head != NULL) {
		next = LIST_NEXT(head, records);
		zfree(mac_audit_data_zone, head->data);
		kfree(head, sizeof(*head));
		head = next;
	}
	kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
}

int
audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
    kauth_cred_t my_cred, au_event_t event)
{
	int error;

	error = mac_audit_check_preselect(my_cred, code,
	     (void *)uthread->uu_arg);
	if (error == MAC_AUDIT_YES) {
		uthread->uu_ar = audit_new(event, p, uthread);
		uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
		au_to_text("Forced by a MAC policy");
		return (1);
	} else if (error == MAC_AUDIT_NO) {
		return (0);
	} else if (error == MAC_AUDIT_DEFAULT) {
		return (1);
	}

	return (0);
}

int
audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
    int retval)
{
	int mac_error;

	if (uthread->uu_ar == NULL)  /* syscall wasn't audited */
		return (1);

	/*
	 * Note, no other postselect mechanism exists.  If 
	 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
	 * suppressed.  Other values at this point result in the audit record
	 * being committed.  This suppression behavior will probably go away in
	 * the port to 10.3.4.
	 */
	mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
	    (void *) uthread->uu_arg, error, retval,
	    uthread->uu_ar->k_ar.ar_forced_by_mac);

	if (mac_error == MAC_AUDIT_YES)
		uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
	else if (mac_error == MAC_AUDIT_NO) {
		audit_free(uthread->uu_ar);
		return (1);	
	}
	return (0);
}

/*
 * This function is called by the MAC Framework to add audit data
 * from a policy to the current audit record.
 */
int
audit_mac_data(int type, int len, u_char *data) {
	struct kaudit_record *cur;
	struct mac_audit_record *record;

	if (audit_enabled == 0) {
		kfree(data, len);
		return (ENOTSUP);
	}

	cur = currecord();
	if (cur == NULL) {
		kfree(data, len);
		return (ENOTSUP);
	}

	/*
	 * XXX: Note that we silently drop the audit data if this
	 * allocation fails - this is consistent with the rest of the
	 * audit implementation.
	 */
	record = kalloc(sizeof(*record));
	if (record == NULL) {
		kfree(data, len);
		return (0);
	}

	record->type = type;
	record->length = len;
	record->data = data;
	LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);

	return (0);
}

void
audit_arg_mac_string(struct kaudit_record *ar, char *string)
{

	if (ar->k_ar.ar_arg_mac_string == NULL)
		ar->k_ar.ar_arg_mac_string =
			kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);

	/*
	 * XXX This should be a rare event. If kalloc() returns NULL,
	 * the system is low on kernel virtual memory. To be
	 * consistent with the rest of audit, just return
	 * (may need to panic if required to for audit).
	 */
	if (ar->k_ar.ar_arg_mac_string == NULL)
		if (ar->k_ar.ar_arg_mac_string == NULL)
			return;

	strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
	    MAC_ARG_PREFIX_LEN);
	strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
	    MAC_MAX_LABEL_BUF_LEN);
	ARG_SET_VALID(ar, ARG_MAC_STRING);
}
#endif  /* MAC */

#endif /* CONFIG_AUDIT */
Commit	Line	Data
b0d623f7 A	1	/*-
	2	* Copyright (c) 1999-2008 Apple Inc.
	3	* All rights reserved.
	4	*
	5	* @APPLE_BSD_LICENSE_HEADER_START@
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of Apple Inc. ("Apple") nor the names of
	16	* its contributors may be used to endorse or promote products derived
	17	* from this software without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
	23	* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	27	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
	28	* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	29	* POSSIBILITY OF SUCH DAMAGE.
	30	*
	31	* @APPLE_BSD_LICENSE_HEADER_END@
	32	*/
	33	/*
	34	* NOTICE: This file was modified by McAfee Research in 2004 to introduce
	35	* support for mandatory and extensible security protections. This notice
	36	* is included in support of clause 2.2 (b) of the Apple Public License,
	37	* Version 2.0.
	38	*/
	39
	40	#include <sys/kernel.h>
	41	#include <sys/proc.h>
	42	#include <sys/kauth.h>
	43	#include <sys/queue.h>
	44	#include <sys/systm.h>
	45
	46	#include <bsm/audit.h>
	47	#include <bsm/audit_internal.h>
	48	#include <bsm/audit_kevents.h>
	49
	50	#include <security/audit/audit.h>
	51	#include <security/audit/audit_private.h>
	52
	53	#include <mach/host_priv.h>
	54	#include <mach/host_special_ports.h>
	55	#include <mach/audit_triggers_server.h>
	56
	57	#include <kern/host.h>
	58	#include <kern/kalloc.h>
	59	#include <kern/zalloc.h>
b0d623f7 A	60	#include <kern/sched_prim.h>
	61
	62	#if CONFIG_AUDIT
	63
	64	#if CONFIG_MACF
	65	#include <bsm/audit_record.h>
	66	#include <security/mac.h>
	67	#include <security/mac_framework.h>
	68	#include <security/mac_policy.h>
	69	#define MAC_ARG_PREFIX "arg: "
	70	#define MAC_ARG_PREFIX_LEN 5
	71
	72	zone_t audit_mac_label_zone;
	73	extern zone_t mac_audit_data_zone;
	74
	75	void
	76	audit_mac_init(void)
	77	{
	78	/* Assume 3 MAC labels for each audit record: two for vnodes,
	79	* one for creds.
	80	*/
	81	audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
	82	AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
	83	}
	84
	85	int
	86	audit_mac_new(proc_t p, struct kaudit_record *ar)
	87	{
	88	struct mac mac;
	89
	90	/*
	91	* Retrieve the MAC labels for the process.
	92	*/
	93	ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
	94	if (ar->k_ar.ar_cred_mac_labels == NULL)
	95	return (1);
	96	mac.m_buflen = MAC_AUDIT_LABEL_LEN;
	97	mac.m_string = ar->k_ar.ar_cred_mac_labels;
	98	mac_cred_label_externalize_audit(p, &mac);
	99
	100	/*
	101	* grab space for the reconds.
	102	*/
	103	ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
	104	kalloc(sizeof(*ar->k_ar.ar_mac_records));
	105	if (ar->k_ar.ar_mac_records == NULL) {
	106	zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
	107	return (1);
	108	}
	109	LIST_INIT(ar->k_ar.ar_mac_records);
	110	ar->k_ar.ar_forced_by_mac = 0;
	111
	112	return (0);
	113	}
	114
	115	void
	116	audit_mac_free(struct kaudit_record *ar)
	117	{
	118	struct mac_audit_record head, next;
	119
	120	if (ar->k_ar.ar_vnode1_mac_labels != NULL)
	121	zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
	122	if (ar->k_ar.ar_vnode2_mac_labels != NULL)
	123	zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
124	if (ar->k_ar.ar_cred_mac_labels != NULL)
125	zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
126	if (ar->k_ar.ar_arg_mac_string != NULL)
127	kfree(ar->k_ar.ar_arg_mac_string,
128	MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
129
130	/*
131	* Free the audit data from the MAC policies.
132	*/
133	head = LIST_FIRST(ar->k_ar.ar_mac_records);
134	while (head != NULL) {
135	next = LIST_NEXT(head, records);
136	zfree(mac_audit_data_zone, head->data);
137	kfree(head, sizeof(*head));
138	head = next;
139	}
140	kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
141	}
142
143	int
144	audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
145	kauth_cred_t my_cred, au_event_t event)
146	{
147	int error;
148
149	error = mac_audit_check_preselect(my_cred, code,
150	(void *)uthread->uu_arg);
151	if (error == MAC_AUDIT_YES) {
152	uthread->uu_ar = audit_new(event, p, uthread);
153	uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
154	au_to_text("Forced by a MAC policy");
155	return (1);
156	} else if (error == MAC_AUDIT_NO) {
157	return (0);
158	} else if (error == MAC_AUDIT_DEFAULT) {
159	return (1);
160	}
161
162	return (0);
163	}
164
165	int
166	audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
167	int retval)
168	{
169	int mac_error;
170
171	if (uthread->uu_ar == NULL) /* syscall wasn't audited */
172	return (1);
173
174	/*
175	* Note, no other postselect mechanism exists. If
176	* mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
177	* suppressed. Other values at this point result in the audit record
178	* being committed. This suppression behavior will probably go away in
179	* the port to 10.3.4.
180	*/
181	mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
182	(void *) uthread->uu_arg, error, retval,
183	uthread->uu_ar->k_ar.ar_forced_by_mac);
184
185	if (mac_error == MAC_AUDIT_YES)
186	uthread->uu_ar->k_ar_commit \|= AR_COMMIT_KERNEL;
187	else if (mac_error == MAC_AUDIT_NO) {
188	audit_free(uthread->uu_ar);
189	return (1);
190	}
191	return (0);
192	}
193
194	/*
195	* This function is called by the MAC Framework to add audit data
196	* from a policy to the current audit record.
197	*/
198	int
199	audit_mac_data(int type, int len, u_char *data) {
200	struct kaudit_record *cur;
201	struct mac_audit_record *record;
202
203	if (audit_enabled == 0) {
204	kfree(data, len);
205	return (ENOTSUP);
206	}
207
208	cur = currecord();
209	if (cur == NULL) {
210	kfree(data, len);
211	return (ENOTSUP);
212	}
213
214	/*
215	* XXX: Note that we silently drop the audit data if this
216	* allocation fails - this is consistent with the rest of the
217	* audit implementation.
218	*/
219	record = kalloc(sizeof(*record));
220	if (record == NULL) {
221	kfree(data, len);
222	return (0);
223	}
224
225	record->type = type;
226	record->length = len;
227	record->data = data;
228	LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
229
230	return (0);
231	}
232
233	void
234	audit_arg_mac_string(struct kaudit_record ar, char string)
235	{
236
237	if (ar->k_ar.ar_arg_mac_string == NULL)
238	ar->k_ar.ar_arg_mac_string =
239	kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
240
241	/*
242	* XXX This should be a rare event. If kalloc() returns NULL,
243	* the system is low on kernel virtual memory. To be
244	* consistent with the rest of audit, just return
245	* (may need to panic if required to for audit).
246	*/
247	if (ar->k_ar.ar_arg_mac_string == NULL)
248	if (ar->k_ar.ar_arg_mac_string == NULL)
249	return;
250
251	strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
252	MAC_ARG_PREFIX_LEN);
253	strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
254	MAC_MAX_LABEL_BUF_LEN);
255	ARG_SET_VALID(ar, ARG_MAC_STRING);
256	}
257	#endif /* MAC */
258
259	#endif /* CONFIG_AUDIT */