[apple/xnu.git] / bsd / security / audit / audit_mac.c

/*-
 * Copyright (c) 1999-2008 Apple Inc.
 * All rights reserved.
 *
 * @APPLE_BSD_LICENSE_HEADER_START@
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 */
/*
 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
 * support for mandatory and extensible security protections.  This notice
 * is included in support of clause 2.2 (b) of the Apple Public License,
 * Version 2.0.
 */

#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/kauth.h>
#include <sys/queue.h>
#include <sys/systm.h>

#include <bsm/audit.h>
#include <bsm/audit_internal.h>
#include <bsm/audit_kevents.h>

#include <security/audit/audit.h>
#include <security/audit/audit_private.h>

#include <mach/host_priv.h>
#include <mach/host_special_ports.h>
#include <mach/audit_triggers_server.h>

#include <kern/host.h>
#include <kern/kalloc.h>
#include <kern/zalloc.h>
#include <kern/sched_prim.h>

#if CONFIG_AUDIT

#if CONFIG_MACF
#include <bsm/audit_record.h>
#include <security/mac.h>
#include <security/mac_framework.h>
#include <security/mac_policy.h>
#define MAC_ARG_PREFIX "arg: "
#define MAC_ARG_PREFIX_LEN 5

zone_t          audit_mac_label_zone;
extern zone_t   mac_audit_data_zone;

void
audit_mac_init(void)
{
	/* Assume 3 MAC labels for each audit record: two for vnodes,
	 * one for creds.
	 */
	audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
	    AQ_HIWATER * 3 * MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
}

int
audit_mac_new(proc_t p, struct kaudit_record *ar)
{
	struct mac mac;

	/*
	 * Retrieve the MAC labels for the process.
	 */
	ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
	if (ar->k_ar.ar_cred_mac_labels == NULL) {
		return 1;
	}
	mac.m_buflen = MAC_AUDIT_LABEL_LEN;
	mac.m_string = ar->k_ar.ar_cred_mac_labels;
	mac_cred_label_externalize_audit(p, &mac);

	/*
	 * grab space for the reconds.
	 */
	ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
	    kalloc(sizeof(*ar->k_ar.ar_mac_records));
	if (ar->k_ar.ar_mac_records == NULL) {
		zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
		return 1;
	}
	LIST_INIT(ar->k_ar.ar_mac_records);
	ar->k_ar.ar_forced_by_mac = 0;

	return 0;
}

void
audit_mac_free(struct kaudit_record *ar)
{
	struct mac_audit_record *head, *next;

	if (ar->k_ar.ar_vnode1_mac_labels != NULL) {
		zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
	}
	if (ar->k_ar.ar_vnode2_mac_labels != NULL) {
		zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
	}
	if (ar->k_ar.ar_cred_mac_labels != NULL) {
		zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
	}
	if (ar->k_ar.ar_arg_mac_string != NULL) {
		kfree(ar->k_ar.ar_arg_mac_string,
		    MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
	}

	/*
	 * Free the audit data from the MAC policies.
	 */
	head = LIST_FIRST(ar->k_ar.ar_mac_records);
	while (head != NULL) {
		next = LIST_NEXT(head, records);
		zfree(mac_audit_data_zone, head->data);
		kfree(head, sizeof(*head));
		head = next;
	}
	kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
}

int
audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
    kauth_cred_t my_cred, au_event_t event)
{
	int error;

	error = mac_audit_check_preselect(my_cred, code,
	    (void *)uthread->uu_arg);
	if (error == MAC_AUDIT_YES) {
		uthread->uu_ar = audit_new(event, p, uthread);
		uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
		au_to_text("Forced by a MAC policy");
		return 1;
	} else if (error == MAC_AUDIT_NO) {
		return 0;
	} else if (error == MAC_AUDIT_DEFAULT) {
		return 1;
	}

	return 0;
}

int
audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
    int retval)
{
	int mac_error;

	if (uthread->uu_ar == NULL) { /* syscall wasn't audited */
		return 1;
	}

	/*
	 * Note, no other postselect mechanism exists.  If
	 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
	 * suppressed.  Other values at this point result in the audit record
	 * being committed.  This suppression behavior will probably go away in
	 * the port to 10.3.4.
	 */
	mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
	    (void *) uthread->uu_arg, error, retval,
	    uthread->uu_ar->k_ar.ar_forced_by_mac);

	if (mac_error == MAC_AUDIT_YES) {
		uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
	} else if (mac_error == MAC_AUDIT_NO) {
		audit_free(uthread->uu_ar);
		return 1;
	}
	return 0;
}

/*
 * This function is called by the MAC Framework to add audit data
 * from a policy to the current audit record.
 */
int
audit_mac_data(int type, int len, u_char *data)
{
	struct kaudit_record *cur;
	struct mac_audit_record *record;

	if (audit_enabled == 0) {
		kfree(data, len);
		return ENOTSUP;
	}

	cur = currecord();
	if (cur == NULL) {
		kfree(data, len);
		return ENOTSUP;
	}

	/*
	 * XXX: Note that we silently drop the audit data if this
	 * allocation fails - this is consistent with the rest of the
	 * audit implementation.
	 */
	record = kalloc(sizeof(*record));
	if (record == NULL) {
		kfree(data, len);
		return 0;
	}

	record->type = type;
	record->length = len;
	record->data = data;
	LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);

	return 0;
}

void
audit_arg_mac_string(struct kaudit_record *ar, char *string)
{
	if (ar->k_ar.ar_arg_mac_string == NULL) {
		ar->k_ar.ar_arg_mac_string =
		    kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
	}

	/*
	 * XXX This should be a rare event. If kalloc() returns NULL,
	 * the system is low on kernel virtual memory. To be
	 * consistent with the rest of audit, just return
	 * (may need to panic if required to for audit).
	 */
	if (ar->k_ar.ar_arg_mac_string == NULL) {
		if (ar->k_ar.ar_arg_mac_string == NULL) {
			return;
		}
	}

	strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
	    MAC_ARG_PREFIX_LEN);
	strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
	    MAC_MAX_LABEL_BUF_LEN);
	ARG_SET_VALID(ar, ARG_MAC_STRING);
}
#endif  /* MAC */

#endif /* CONFIG_AUDIT */
Commit	Line	Data
b0d623f7 A	1	/*-
	2	* Copyright (c) 1999-2008 Apple Inc.
	3	* All rights reserved.
	4	*
	5	* @APPLE_BSD_LICENSE_HEADER_START@
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of Apple Inc. ("Apple") nor the names of
	16	* its contributors may be used to endorse or promote products derived
	17	* from this software without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
	23	* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	27	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
	28	* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	29	* POSSIBILITY OF SUCH DAMAGE.
	30	*
	31	* @APPLE_BSD_LICENSE_HEADER_END@
	32	*/
	33	/*
	34	* NOTICE: This file was modified by McAfee Research in 2004 to introduce
	35	* support for mandatory and extensible security protections. This notice
	36	* is included in support of clause 2.2 (b) of the Apple Public License,
	37	* Version 2.0.
	38	*/
	39
	40	#include <sys/kernel.h>
	41	#include <sys/proc.h>
	42	#include <sys/kauth.h>
	43	#include <sys/queue.h>
	44	#include <sys/systm.h>
	45
	46	#include <bsm/audit.h>
	47	#include <bsm/audit_internal.h>
	48	#include <bsm/audit_kevents.h>
	49
	50	#include <security/audit/audit.h>
	51	#include <security/audit/audit_private.h>
	52
	53	#include <mach/host_priv.h>
	54	#include <mach/host_special_ports.h>
	55	#include <mach/audit_triggers_server.h>
	56
	57	#include <kern/host.h>
	58	#include <kern/kalloc.h>
	59	#include <kern/zalloc.h>
b0d623f7 A	60	#include <kern/sched_prim.h>
	61
	62	#if CONFIG_AUDIT
	63
	64	#if CONFIG_MACF
	65	#include <bsm/audit_record.h>
	66	#include <security/mac.h>
	67	#include <security/mac_framework.h>
	68	#include <security/mac_policy.h>
	69	#define MAC_ARG_PREFIX "arg: "
	70	#define MAC_ARG_PREFIX_LEN 5
	71
0a7de745 A	72	zone_t audit_mac_label_zone;
0a7de745 A	73	extern zone_t mac_audit_data_zone;
b0d623f7 A	74
	75	void
	76	audit_mac_init(void)
	77	{
	78	/* Assume 3 MAC labels for each audit record: two for vnodes,
	79	* one for creds.
	80	*/
	81	audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
0a7de745	82	AQ_HIWATER * 3 * MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
b0d623f7 A	83	}
	84
	85	int
	86	audit_mac_new(proc_t p, struct kaudit_record *ar)
	87	{
	88	struct mac mac;
	89
0a7de745	90	/*
b0d623f7 A	91	* Retrieve the MAC labels for the process.
	92	*/
	93	ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
0a7de745 A	94	if (ar->k_ar.ar_cred_mac_labels == NULL) {
	95	return 1;
	96	}
b0d623f7 A	97	mac.m_buflen = MAC_AUDIT_LABEL_LEN;
	98	mac.m_string = ar->k_ar.ar_cred_mac_labels;
	99	mac_cred_label_externalize_audit(p, &mac);
	100
	101	/*
	102	* grab space for the reconds.
	103	*/
	104	ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
	105	kalloc(sizeof(*ar->k_ar.ar_mac_records));
	106	if (ar->k_ar.ar_mac_records == NULL) {
	107	zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
0a7de745	108	return 1;
b0d623f7 A	109	}
	110	LIST_INIT(ar->k_ar.ar_mac_records);
	111	ar->k_ar.ar_forced_by_mac = 0;
0a7de745 A	112
0a7de745 A	113	return 0;
b0d623f7 A	114	}
	115
	116	void
	117	audit_mac_free(struct kaudit_record *ar)
	118	{
	119	struct mac_audit_record head, next;
	120
0a7de745	121	if (ar->k_ar.ar_vnode1_mac_labels != NULL) {
b0d623f7	122	zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
0a7de745 A	123	}
0a7de745 A	124	if (ar->k_ar.ar_vnode2_mac_labels != NULL) {
b0d623f7	125	zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
0a7de745 A	126	}
0a7de745 A	127	if (ar->k_ar.ar_cred_mac_labels != NULL) {
b0d623f7	128	zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
0a7de745 A	129	}
0a7de745 A	130	if (ar->k_ar.ar_arg_mac_string != NULL) {
b0d623f7 A	131	kfree(ar->k_ar.ar_arg_mac_string,
b0d623f7 A	132	MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
0a7de745	133	}
b0d623f7 A	134
	135	/*
	136	* Free the audit data from the MAC policies.
	137	*/
	138	head = LIST_FIRST(ar->k_ar.ar_mac_records);
	139	while (head != NULL) {
	140	next = LIST_NEXT(head, records);
	141	zfree(mac_audit_data_zone, head->data);
	142	kfree(head, sizeof(*head));
	143	head = next;
	144	}
	145	kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
	146	}
	147
	148	int
	149	audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
	150	kauth_cred_t my_cred, au_event_t event)
	151	{
	152	int error;
	153
	154	error = mac_audit_check_preselect(my_cred, code,
0a7de745	155	(void *)uthread->uu_arg);
b0d623f7 A	156	if (error == MAC_AUDIT_YES) {
	157	uthread->uu_ar = audit_new(event, p, uthread);
	158	uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
	159	au_to_text("Forced by a MAC policy");
0a7de745	160	return 1;
b0d623f7	161	} else if (error == MAC_AUDIT_NO) {
0a7de745	162	return 0;
b0d623f7	163	} else if (error == MAC_AUDIT_DEFAULT) {
0a7de745	164	return 1;
b0d623f7 A	165	}
b0d623f7 A	166
0a7de745	167	return 0;
b0d623f7 A	168	}
	169
	170	int
	171	audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
	172	int retval)
	173	{
	174	int mac_error;
	175
0a7de745 A	176	if (uthread->uu_ar == NULL) { /* syscall wasn't audited */
	177	return 1;
	178	}
b0d623f7 A	179
b0d623f7 A	180	/*
0a7de745	181	* Note, no other postselect mechanism exists. If
b0d623f7 A	182	* mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
	183	* suppressed. Other values at this point result in the audit record
	184	* being committed. This suppression behavior will probably go away in
	185	* the port to 10.3.4.
	186	*/
	187	mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
	188	(void *) uthread->uu_arg, error, retval,
	189	uthread->uu_ar->k_ar.ar_forced_by_mac);
	190
0a7de745	191	if (mac_error == MAC_AUDIT_YES) {
b0d623f7	192	uthread->uu_ar->k_ar_commit \|= AR_COMMIT_KERNEL;
0a7de745	193	} else if (mac_error == MAC_AUDIT_NO) {
b0d623f7	194	audit_free(uthread->uu_ar);
0a7de745	195	return 1;
b0d623f7	196	}
0a7de745	197	return 0;
b0d623f7 A	198	}
	199
	200	/*
	201	* This function is called by the MAC Framework to add audit data
	202	* from a policy to the current audit record.
	203	*/
	204	int
0a7de745 A	205	audit_mac_data(int type, int len, u_char *data)
0a7de745 A	206	{
b0d623f7 A	207	struct kaudit_record *cur;
	208	struct mac_audit_record *record;
	209
	210	if (audit_enabled == 0) {
	211	kfree(data, len);
0a7de745	212	return ENOTSUP;
b0d623f7 A	213	}
	214
	215	cur = currecord();
	216	if (cur == NULL) {
	217	kfree(data, len);
0a7de745	218	return ENOTSUP;
b0d623f7 A	219	}
	220
	221	/*
	222	* XXX: Note that we silently drop the audit data if this
	223	* allocation fails - this is consistent with the rest of the
	224	* audit implementation.
	225	*/
	226	record = kalloc(sizeof(*record));
	227	if (record == NULL) {
	228	kfree(data, len);
0a7de745	229	return 0;
b0d623f7 A	230	}
	231
	232	record->type = type;
	233	record->length = len;
	234	record->data = data;
	235	LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
	236
0a7de745	237	return 0;
b0d623f7 A	238	}
	239
	240	void
	241	audit_arg_mac_string(struct kaudit_record ar, char string)
	242	{
0a7de745	243	if (ar->k_ar.ar_arg_mac_string == NULL) {
b0d623f7	244	ar->k_ar.ar_arg_mac_string =
0a7de745 A	245	kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
0a7de745 A	246	}
b0d623f7 A	247
	248	/*
	249	* XXX This should be a rare event. If kalloc() returns NULL,
	250	* the system is low on kernel virtual memory. To be
	251	* consistent with the rest of audit, just return
	252	* (may need to panic if required to for audit).
	253	*/
0a7de745 A	254	if (ar->k_ar.ar_arg_mac_string == NULL) {
0a7de745 A	255	if (ar->k_ar.ar_arg_mac_string == NULL) {
b0d623f7	256	return;
0a7de745 A	257	}
0a7de745 A	258	}
b0d623f7 A	259
	260	strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
	261	MAC_ARG_PREFIX_LEN);
	262	strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
	263	MAC_MAX_LABEL_BUF_LEN);
	264	ARG_SET_VALID(ar, ARG_MAC_STRING);
	265	}
	266	#endif /* MAC */
	267
	268	#endif /* CONFIG_AUDIT */