]>
Commit | Line | Data |
---|---|---|
b0d623f7 | 1 | /*- |
f427ee49 | 2 | * Copyright (c) 1999-2020 Apple Inc. |
b0d623f7 A |
3 | * Copyright (c) 2006-2007 Robert N. M. Watson |
4 | * All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of | |
15 | * its contributors may be used to endorse or promote products derived | |
16 | * from this software without specific prior written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND | |
19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
21 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR | |
22 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
23 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
24 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
26 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
27 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
28 | * POSSIBILITY OF SUCH DAMAGE. | |
29 | * | |
30 | */ | |
31 | /* | |
32 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce | |
33 | * support for mandatory and extensible security protections. This notice | |
34 | * is included in support of clause 2.2 (b) of the Apple Public License, | |
35 | * Version 2.0. | |
36 | */ | |
37 | ||
38 | #include <sys/param.h> | |
39 | #include <sys/fcntl.h> | |
40 | #include <sys/kernel.h> | |
41 | #include <sys/lock.h> | |
42 | #include <sys/namei.h> | |
43 | #include <sys/proc_internal.h> | |
44 | #include <sys/kauth.h> | |
45 | #include <sys/queue.h> | |
46 | #include <sys/systm.h> | |
47 | #include <sys/time.h> | |
48 | #include <sys/ucred.h> | |
49 | #include <sys/uio.h> | |
50 | #include <sys/unistd.h> | |
51 | #include <sys/file_internal.h> | |
52 | #include <sys/vnode_internal.h> | |
53 | #include <sys/user.h> | |
54 | #include <sys/syscall.h> | |
55 | #include <sys/malloc.h> | |
56 | #include <sys/un.h> | |
57 | #include <sys/sysent.h> | |
58 | #include <sys/sysproto.h> | |
59 | #include <sys/vfs_context.h> | |
60 | #include <sys/domain.h> | |
61 | #include <sys/protosw.h> | |
62 | #include <sys/socketvar.h> | |
63 | ||
64 | #include <bsm/audit.h> | |
65 | #include <bsm/audit_internal.h> | |
66 | #include <bsm/audit_kevents.h> | |
67 | ||
68 | #include <security/audit/audit.h> | |
69 | #include <security/audit/audit_bsd.h> | |
70 | #include <security/audit/audit_private.h> | |
71 | ||
72 | #include <mach/host_priv.h> | |
73 | #include <mach/host_special_ports.h> | |
74 | #include <mach/audit_triggers_server.h> | |
75 | ||
76 | #include <kern/host.h> | |
b0d623f7 | 77 | #include <kern/zalloc.h> |
b0d623f7 A |
78 | #include <kern/sched_prim.h> |
79 | ||
80 | #include <net/route.h> | |
81 | ||
82 | #include <netinet/in.h> | |
83 | #include <netinet/in_pcb.h> | |
84 | ||
85 | #if CONFIG_AUDIT | |
86 | MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); | |
87 | MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); | |
88 | MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); | |
f427ee49 | 89 | KALLOC_HEAP_DEFINE(KHEAP_AUDIT, "Audit", KHEAP_ID_DEFAULT); |
b0d623f7 A |
90 | |
91 | /* | |
92 | * Audit control settings that are set/read by system calls and are hence | |
93 | * non-static. | |
94 | * | |
95 | * Define the audit control flags. | |
96 | */ | |
0a7de745 A |
97 | int audit_enabled; |
98 | int audit_suspended; | |
b0d623f7 | 99 | |
0a7de745 A |
100 | int audit_syscalls; |
101 | au_class_t audit_kevent_mask; | |
b0d623f7 | 102 | |
d9a64523 A |
103 | /* |
104 | * The audit control mode is used to ensure configuration settings are only | |
105 | * accepted from appropriate sources based on the current mode. | |
106 | */ | |
107 | au_ctlmode_t audit_ctl_mode; | |
108 | au_expire_after_t audit_expire_after; | |
109 | ||
b0d623f7 A |
110 | /* |
111 | * Flags controlling behavior in low storage situations. Should we panic if | |
112 | * a write fails? Should we fail stop if we're out of disk space? | |
113 | */ | |
0a7de745 A |
114 | int audit_panic_on_write_fail; |
115 | int audit_fail_stop; | |
116 | int audit_argv; | |
117 | int audit_arge; | |
b0d623f7 A |
118 | |
119 | /* | |
120 | * Are we currently "failing stop" due to out of disk space? | |
121 | */ | |
0a7de745 | 122 | int audit_in_failure; |
b0d623f7 A |
123 | |
124 | /* | |
125 | * Global audit statistics. | |
126 | */ | |
0a7de745 | 127 | struct audit_fstat audit_fstat; |
b0d623f7 A |
128 | |
129 | /* | |
130 | * Preselection mask for non-attributable events. | |
131 | */ | |
0a7de745 | 132 | struct au_mask audit_nae_mask; |
b0d623f7 A |
133 | |
134 | /* | |
135 | * Mutex to protect global variables shared between various threads and | |
136 | * processes. | |
137 | */ | |
0a7de745 | 138 | struct mtx audit_mtx; |
b0d623f7 A |
139 | |
140 | /* | |
141 | * Queue of audit records ready for delivery to disk. We insert new records | |
142 | * at the tail, and remove records from the head. Also, a count of the | |
143 | * number of records used for checking queue depth. In addition, a counter | |
144 | * of records that we have allocated but are not yet in the queue, which is | |
145 | * needed to estimate the total size of the combined set of records | |
146 | * outstanding in the system. | |
147 | */ | |
0a7de745 A |
148 | struct kaudit_queue audit_q; |
149 | int audit_q_len; | |
150 | int audit_pre_q_len; | |
b0d623f7 A |
151 | |
152 | /* | |
153 | * Audit queue control settings (minimum free, low/high water marks, etc.) | |
154 | */ | |
0a7de745 | 155 | struct au_qctrl audit_qctrl; |
b0d623f7 A |
156 | |
157 | /* | |
158 | * Condition variable to signal to the worker that it has work to do: either | |
159 | * new records are in the queue, or a log replacement is taking place. | |
160 | */ | |
0a7de745 | 161 | struct cv audit_worker_cv; |
b0d623f7 A |
162 | |
163 | /* | |
164 | * Condition variable to signal when the worker is done draining the audit | |
165 | * queue. | |
166 | */ | |
0a7de745 | 167 | struct cv audit_drain_cv; |
b0d623f7 A |
168 | |
169 | /* | |
170 | * Condition variable to flag when crossing the low watermark, meaning that | |
171 | * threads blocked due to hitting the high watermark can wake up and continue | |
172 | * to commit records. | |
173 | */ | |
0a7de745 | 174 | struct cv audit_watermark_cv; |
b0d623f7 A |
175 | |
176 | /* | |
177 | * Condition variable for auditing threads wait on when in fail-stop mode. | |
178 | * Threads wait on this CV forever (and ever), never seeing the light of day | |
179 | * again. | |
180 | */ | |
0a7de745 | 181 | static struct cv audit_fail_cv; |
b0d623f7 | 182 | |
f427ee49 A |
183 | static ZONE_DECLARE(audit_record_zone, "audit_zone", |
184 | sizeof(struct kaudit_record), ZC_NONE); | |
b0d623f7 A |
185 | |
186 | /* | |
187 | * Kernel audit information. This will store the current audit address | |
188 | * or host information that the kernel will use when it's generating | |
189 | * audit records. This data is modified by the A_GET{SET}KAUDIT auditon(2) | |
190 | * command. | |
191 | */ | |
0a7de745 A |
192 | static struct auditinfo_addr audit_kinfo; |
193 | static struct rwlock audit_kinfo_lock; | |
b0d623f7 | 194 | |
0a7de745 A |
195 | #define KINFO_LOCK_INIT() rw_init(&audit_kinfo_lock, \ |
196 | "audit_kinfo_lock") | |
197 | #define KINFO_RLOCK() rw_rlock(&audit_kinfo_lock) | |
198 | #define KINFO_WLOCK() rw_wlock(&audit_kinfo_lock) | |
199 | #define KINFO_RUNLOCK() rw_runlock(&audit_kinfo_lock) | |
200 | #define KINFO_WUNLOCK() rw_wunlock(&audit_kinfo_lock) | |
b0d623f7 A |
201 | |
202 | void | |
203 | audit_set_kinfo(struct auditinfo_addr *ak) | |
204 | { | |
b0d623f7 A |
205 | KASSERT(ak->ai_termid.at_type == AU_IPv4 || |
206 | ak->ai_termid.at_type == AU_IPv6, | |
207 | ("audit_set_kinfo: invalid address type")); | |
208 | ||
209 | KINFO_WLOCK(); | |
210 | bcopy(ak, &audit_kinfo, sizeof(audit_kinfo)); | |
211 | KINFO_WUNLOCK(); | |
212 | } | |
213 | ||
214 | void | |
215 | audit_get_kinfo(struct auditinfo_addr *ak) | |
216 | { | |
b0d623f7 A |
217 | KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 || |
218 | audit_kinfo.ai_termid.at_type == AU_IPv6, | |
219 | ("audit_set_kinfo: invalid address type")); | |
220 | ||
221 | KINFO_RLOCK(); | |
222 | bcopy(&audit_kinfo, ak, sizeof(*ak)); | |
223 | KINFO_RUNLOCK(); | |
224 | } | |
225 | ||
226 | /* | |
227 | * Construct an audit record for the passed thread. | |
228 | */ | |
229 | static void | |
230 | audit_record_ctor(proc_t p, struct kaudit_record *ar) | |
231 | { | |
232 | kauth_cred_t cred; | |
233 | ||
234 | bzero(ar, sizeof(*ar)); | |
235 | ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; | |
236 | nanotime(&ar->k_ar.ar_starttime); | |
237 | ||
6d2010ae A |
238 | if (PROC_NULL != p) { |
239 | cred = kauth_cred_proc_ref(p); | |
b0d623f7 | 240 | |
6d2010ae | 241 | /* |
0a7de745 A |
242 | * Export the subject credential. |
243 | */ | |
6d2010ae A |
244 | cru2x(cred, &ar->k_ar.ar_subj_cred); |
245 | ar->k_ar.ar_subj_ruid = kauth_cred_getruid(cred); | |
246 | ar->k_ar.ar_subj_rgid = kauth_cred_getrgid(cred); | |
247 | ar->k_ar.ar_subj_egid = kauth_cred_getgid(cred); | |
248 | ar->k_ar.ar_subj_pid = p->p_pid; | |
249 | ar->k_ar.ar_subj_auid = cred->cr_audit.as_aia_p->ai_auid; | |
250 | ar->k_ar.ar_subj_asid = cred->cr_audit.as_aia_p->ai_asid; | |
251 | bcopy(&cred->cr_audit.as_mask, &ar->k_ar.ar_subj_amask, | |
0a7de745 | 252 | sizeof(struct au_mask)); |
6d2010ae A |
253 | bcopy(&cred->cr_audit.as_aia_p->ai_termid, |
254 | &ar->k_ar.ar_subj_term_addr, sizeof(struct au_tid_addr)); | |
255 | kauth_cred_unref(&cred); | |
256 | } | |
b0d623f7 A |
257 | } |
258 | ||
259 | static void | |
260 | audit_record_dtor(struct kaudit_record *ar) | |
261 | { | |
0a7de745 | 262 | if (ar->k_ar.ar_arg_upath1 != NULL) { |
b0d623f7 | 263 | free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); |
0a7de745 A |
264 | } |
265 | if (ar->k_ar.ar_arg_upath2 != NULL) { | |
b0d623f7 | 266 | free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); |
0a7de745 A |
267 | } |
268 | if (ar->k_ar.ar_arg_kpath1 != NULL) { | |
b0d623f7 | 269 | free(ar->k_ar.ar_arg_kpath1, M_AUDITPATH); |
0a7de745 A |
270 | } |
271 | if (ar->k_ar.ar_arg_kpath2 != NULL) { | |
b0d623f7 | 272 | free(ar->k_ar.ar_arg_kpath2, M_AUDITPATH); |
0a7de745 A |
273 | } |
274 | if (ar->k_ar.ar_arg_text != NULL) { | |
b0d623f7 | 275 | free(ar->k_ar.ar_arg_text, M_AUDITTEXT); |
0a7de745 A |
276 | } |
277 | if (ar->k_ar.ar_arg_opaque != NULL) { | |
b0d623f7 | 278 | free(ar->k_ar.ar_arg_opaque, M_AUDITDATA); |
0a7de745 A |
279 | } |
280 | if (ar->k_ar.ar_arg_data != NULL) { | |
b0d623f7 | 281 | free(ar->k_ar.ar_arg_data, M_AUDITDATA); |
0a7de745 A |
282 | } |
283 | if (ar->k_udata != NULL) { | |
b0d623f7 | 284 | free(ar->k_udata, M_AUDITDATA); |
0a7de745 A |
285 | } |
286 | if (ar->k_ar.ar_arg_argv != NULL) { | |
b0d623f7 | 287 | free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); |
0a7de745 A |
288 | } |
289 | if (ar->k_ar.ar_arg_envv != NULL) { | |
b0d623f7 | 290 | free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); |
0a7de745 | 291 | } |
d9a64523 | 292 | audit_identity_info_destruct(&ar->k_ar.ar_arg_identity); |
b0d623f7 A |
293 | } |
294 | ||
295 | /* | |
296 | * Initialize the Audit subsystem: configuration state, work queue, | |
297 | * synchronization primitives, worker thread, and trigger device node. Also | |
298 | * call into the BSM assembly code to initialize it. | |
299 | */ | |
300 | void | |
301 | audit_init(void) | |
302 | { | |
b0d623f7 A |
303 | audit_enabled = 0; |
304 | audit_syscalls = 0; | |
305 | audit_kevent_mask = 0; | |
306 | audit_suspended = 0; | |
307 | audit_panic_on_write_fail = 0; | |
308 | audit_fail_stop = 0; | |
309 | audit_in_failure = 0; | |
310 | audit_argv = 0; | |
311 | audit_arge = 0; | |
d9a64523 A |
312 | audit_ctl_mode = AUDIT_CTLMODE_NORMAL; |
313 | audit_expire_after.age = 0; | |
314 | audit_expire_after.size = 0; | |
315 | audit_expire_after.op_type = AUDIT_EXPIRE_OP_AND; | |
b0d623f7 | 316 | |
0a7de745 | 317 | audit_fstat.af_filesz = 0; /* '0' means unset, unbounded. */ |
b0d623f7 A |
318 | audit_fstat.af_currsz = 0; |
319 | audit_nae_mask.am_success = 0; | |
320 | audit_nae_mask.am_failure = 0; | |
321 | ||
322 | TAILQ_INIT(&audit_q); | |
323 | audit_q_len = 0; | |
324 | audit_pre_q_len = 0; | |
325 | audit_qctrl.aq_hiwater = AQ_HIWATER; | |
326 | audit_qctrl.aq_lowater = AQ_LOWATER; | |
327 | audit_qctrl.aq_bufsz = AQ_BUFSZ; | |
328 | audit_qctrl.aq_minfree = AU_FS_MINFREE; | |
329 | ||
330 | audit_kinfo.ai_termid.at_type = AU_IPv4; | |
331 | audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY; | |
332 | ||
333 | mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); | |
334 | KINFO_LOCK_INIT(); | |
335 | cv_init(&audit_worker_cv, "audit_worker_cv"); | |
336 | cv_init(&audit_drain_cv, "audit_drain_cv"); | |
337 | cv_init(&audit_watermark_cv, "audit_watermark_cv"); | |
338 | cv_init(&audit_fail_cv, "audit_fail_cv"); | |
339 | ||
b0d623f7 A |
340 | /* Init audit session subsystem. */ |
341 | audit_session_init(); | |
342 | ||
343 | /* Initialize the BSM audit subsystem. */ | |
344 | kau_init(); | |
345 | ||
346 | /* audit_trigger_init(); */ | |
347 | ||
348 | /* Start audit worker thread. */ | |
349 | (void) audit_pipe_init(); | |
350 | ||
351 | /* Start audit worker thread. */ | |
352 | audit_worker_init(); | |
353 | } | |
354 | ||
355 | /* | |
356 | * Drain the audit queue and close the log at shutdown. Note that this can | |
357 | * be called both from the system shutdown path and also from audit | |
358 | * configuration syscalls, so 'arg' and 'howto' are ignored. | |
359 | */ | |
360 | void | |
361 | audit_shutdown(void) | |
362 | { | |
b0d623f7 A |
363 | audit_rotate_vnode(NULL, NULL); |
364 | } | |
365 | ||
366 | /* | |
367 | * Return the current thread's audit record, if any. | |
368 | */ | |
6d2010ae | 369 | struct kaudit_record * |
b0d623f7 A |
370 | currecord(void) |
371 | { | |
0a7de745 | 372 | return curthread()->uu_ar; |
b0d623f7 A |
373 | } |
374 | ||
375 | /* | |
376 | * XXXAUDIT: There are a number of races present in the code below due to | |
377 | * release and re-grab of the mutex. The code should be revised to become | |
378 | * slightly less racy. | |
379 | * | |
380 | * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available | |
381 | * pre_q space, suspending the system call until there is room? | |
382 | */ | |
383 | struct kaudit_record * | |
384 | audit_new(int event, proc_t p, __unused struct uthread *uthread) | |
385 | { | |
386 | struct kaudit_record *ar; | |
387 | int no_record; | |
6d2010ae | 388 | int audit_override; |
b0d623f7 | 389 | |
6d2010ae A |
390 | /* |
391 | * Override the audit_suspended and audit_enabled if it always | |
392 | * audits session events. | |
393 | * | |
394 | * XXXss - This really needs to be a generalized call to a filter | |
395 | * interface so if other things that use the audit subsystem in the | |
396 | * future can simply plugged in. | |
397 | */ | |
398 | audit_override = (AUE_SESSION_START == event || | |
399 | AUE_SESSION_UPDATE == event || AUE_SESSION_END == event || | |
400 | AUE_SESSION_CLOSE == event); | |
0a7de745 | 401 | |
b0d623f7 A |
402 | mtx_lock(&audit_mtx); |
403 | no_record = (audit_suspended || !audit_enabled); | |
404 | mtx_unlock(&audit_mtx); | |
0a7de745 A |
405 | if (!audit_override && no_record) { |
406 | return NULL; | |
407 | } | |
b0d623f7 A |
408 | |
409 | /* | |
410 | * Initialize the audit record header. | |
411 | * XXX: We may want to fail-stop if allocation fails. | |
412 | * | |
413 | * Note: the number of outstanding uncommitted audit records is | |
414 | * limited to the number of concurrent threads servicing system calls | |
415 | * in the kernel. | |
416 | */ | |
417 | ar = zalloc(audit_record_zone); | |
0a7de745 | 418 | if (ar == NULL) { |
b0d623f7 | 419 | return NULL; |
0a7de745 | 420 | } |
b0d623f7 A |
421 | audit_record_ctor(p, ar); |
422 | ar->k_ar.ar_event = event; | |
423 | ||
424 | #if CONFIG_MACF | |
6d2010ae A |
425 | if (PROC_NULL != p) { |
426 | if (audit_mac_new(p, ar) != 0) { | |
427 | zfree(audit_record_zone, ar); | |
0a7de745 | 428 | return NULL; |
6d2010ae | 429 | } |
0a7de745 | 430 | } else { |
6d2010ae | 431 | ar->k_ar.ar_mac_records = NULL; |
0a7de745 | 432 | } |
b0d623f7 A |
433 | #endif |
434 | ||
435 | mtx_lock(&audit_mtx); | |
436 | audit_pre_q_len++; | |
437 | mtx_unlock(&audit_mtx); | |
438 | ||
0a7de745 | 439 | return ar; |
b0d623f7 A |
440 | } |
441 | ||
442 | void | |
443 | audit_free(struct kaudit_record *ar) | |
444 | { | |
b0d623f7 A |
445 | audit_record_dtor(ar); |
446 | #if CONFIG_MACF | |
0a7de745 | 447 | if (NULL != ar->k_ar.ar_mac_records) { |
6d2010ae | 448 | audit_mac_free(ar); |
0a7de745 | 449 | } |
b0d623f7 A |
450 | #endif |
451 | zfree(audit_record_zone, ar); | |
452 | } | |
453 | ||
454 | void | |
455 | audit_commit(struct kaudit_record *ar, int error, int retval) | |
456 | { | |
457 | au_event_t event; | |
458 | au_class_t class; | |
459 | au_id_t auid; | |
460 | int sorf; | |
461 | struct au_mask *aumask; | |
6d2010ae | 462 | int audit_override; |
b0d623f7 | 463 | |
0a7de745 | 464 | if (ar == NULL) { |
b0d623f7 | 465 | return; |
0a7de745 | 466 | } |
b0d623f7 A |
467 | |
468 | /* | |
469 | * Decide whether to commit the audit record by checking the error | |
470 | * value from the system call and using the appropriate audit mask. | |
471 | */ | |
0a7de745 | 472 | if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) { |
b0d623f7 | 473 | aumask = &audit_nae_mask; |
0a7de745 | 474 | } else { |
b0d623f7 | 475 | aumask = &ar->k_ar.ar_subj_amask; |
0a7de745 | 476 | } |
b0d623f7 | 477 | |
0a7de745 | 478 | if (error) { |
b0d623f7 | 479 | sorf = AU_PRS_FAILURE; |
0a7de745 | 480 | } else { |
b0d623f7 | 481 | sorf = AU_PRS_SUCCESS; |
0a7de745 | 482 | } |
b0d623f7 | 483 | |
0a7de745 | 484 | switch (ar->k_ar.ar_event) { |
b0d623f7 A |
485 | case AUE_OPEN_RWTC: |
486 | /* | |
487 | * The open syscall always writes a AUE_OPEN_RWTC event; | |
488 | * change it to the proper type of event based on the flags | |
489 | * and the error value. | |
490 | */ | |
491 | ar->k_ar.ar_event = audit_flags_and_error_to_openevent( | |
0a7de745 | 492 | ar->k_ar.ar_arg_fflags, error); |
b0d623f7 A |
493 | break; |
494 | ||
495 | case AUE_OPEN_EXTENDED_RWTC: | |
496 | /* | |
497 | * The open_extended syscall always writes a | |
498 | * AUE_OPEN_EXTENDEDRWTC event; change it to the proper type of | |
499 | * event based on the flags and the error value. | |
500 | */ | |
501 | ar->k_ar.ar_event = audit_flags_and_error_to_openextendedevent( | |
0a7de745 | 502 | ar->k_ar.ar_arg_fflags, error); |
b0d623f7 A |
503 | break; |
504 | ||
fe8ab488 A |
505 | case AUE_OPENAT_RWTC: |
506 | /* | |
507 | * The openat syscall always writes a | |
508 | * AUE_OPENAT_RWTC event; change it to the proper type of | |
509 | * event based on the flags and the error value. | |
510 | */ | |
511 | ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( | |
0a7de745 | 512 | ar->k_ar.ar_arg_fflags, error); |
fe8ab488 A |
513 | break; |
514 | ||
515 | case AUE_OPENBYID_RWT: | |
516 | /* | |
517 | * The openbyid syscall always writes a | |
518 | * AUE_OPENBYID_RWT event; change it to the proper type of | |
519 | * event based on the flags and the error value. | |
520 | */ | |
521 | ar->k_ar.ar_event = audit_flags_and_error_to_openbyidevent( | |
0a7de745 | 522 | ar->k_ar.ar_arg_fflags, error); |
fe8ab488 A |
523 | break; |
524 | ||
b0d623f7 A |
525 | case AUE_SYSCTL: |
526 | ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( | |
0a7de745 | 527 | ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); |
b0d623f7 A |
528 | break; |
529 | ||
530 | case AUE_AUDITON: | |
531 | /* Convert the auditon() command to an event. */ | |
532 | ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); | |
533 | break; | |
534 | ||
535 | case AUE_FCNTL: | |
536 | /* Convert some fcntl() commands to their own events. */ | |
537 | ar->k_ar.ar_event = audit_fcntl_command_event( | |
0a7de745 | 538 | ar->k_ar.ar_arg_cmd, ar->k_ar.ar_arg_fflags, error); |
b0d623f7 A |
539 | break; |
540 | } | |
541 | ||
542 | auid = ar->k_ar.ar_subj_auid; | |
543 | event = ar->k_ar.ar_event; | |
544 | class = au_event_class(event); | |
545 | ||
6d2010ae A |
546 | /* |
547 | * See if we need to override the audit_suspend and audit_enabled | |
548 | * flags. | |
549 | * | |
550 | * XXXss - This check needs to be generalized so new filters can | |
551 | * easily be added. | |
552 | */ | |
553 | audit_override = (AUE_SESSION_START == event || | |
554 | AUE_SESSION_UPDATE == event || AUE_SESSION_END == event || | |
555 | AUE_SESSION_CLOSE == event); | |
556 | ||
b0d623f7 | 557 | ar->k_ar_commit |= AR_COMMIT_KERNEL; |
0a7de745 | 558 | if (au_preselect(event, class, aumask, sorf) != 0) { |
b0d623f7 | 559 | ar->k_ar_commit |= AR_PRESELECT_TRAIL; |
0a7de745 | 560 | } |
b0d623f7 | 561 | if (audit_pipe_preselect(auid, event, class, sorf, |
0a7de745 | 562 | ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) { |
b0d623f7 | 563 | ar->k_ar_commit |= AR_PRESELECT_PIPE; |
0a7de745 | 564 | } |
b0d623f7 | 565 | if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE | |
6d2010ae A |
566 | AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE | |
567 | AR_PRESELECT_FILTER)) == 0) { | |
b0d623f7 A |
568 | mtx_lock(&audit_mtx); |
569 | audit_pre_q_len--; | |
570 | mtx_unlock(&audit_mtx); | |
571 | audit_free(ar); | |
572 | return; | |
573 | } | |
574 | ||
575 | ar->k_ar.ar_errno = error; | |
576 | ar->k_ar.ar_retval = retval; | |
577 | nanotime(&ar->k_ar.ar_endtime); | |
578 | ||
579 | /* | |
580 | * Note: it could be that some records initiated while audit was | |
581 | * enabled should still be committed? | |
582 | */ | |
583 | mtx_lock(&audit_mtx); | |
6d2010ae | 584 | if (!audit_override && (audit_suspended || !audit_enabled)) { |
b0d623f7 A |
585 | audit_pre_q_len--; |
586 | mtx_unlock(&audit_mtx); | |
587 | audit_free(ar); | |
588 | return; | |
589 | } | |
590 | ||
591 | /* | |
592 | * Constrain the number of committed audit records based on the | |
593 | * configurable parameter. | |
594 | */ | |
0a7de745 | 595 | while (audit_q_len >= audit_qctrl.aq_hiwater) { |
b0d623f7 | 596 | cv_wait(&audit_watermark_cv, &audit_mtx); |
0a7de745 | 597 | } |
b0d623f7 A |
598 | |
599 | TAILQ_INSERT_TAIL(&audit_q, ar, k_q); | |
600 | audit_q_len++; | |
601 | audit_pre_q_len--; | |
602 | cv_signal(&audit_worker_cv); | |
603 | mtx_unlock(&audit_mtx); | |
604 | } | |
605 | ||
606 | /* | |
607 | * audit_syscall_enter() is called on entry to each system call. It is | |
608 | * responsible for deciding whether or not to audit the call (preselection), | |
609 | * and if so, allocating a per-thread audit record. audit_new() will fill in | |
610 | * basic thread/credential properties. | |
611 | */ | |
612 | void | |
613 | audit_syscall_enter(unsigned int code, proc_t proc, struct uthread *uthread) | |
614 | { | |
615 | struct au_mask *aumask; | |
616 | au_class_t class; | |
617 | au_event_t event; | |
618 | au_id_t auid; | |
619 | kauth_cred_t cred; | |
620 | ||
621 | /* | |
622 | * In FreeBSD, each ABI has its own system call table, and hence | |
623 | * mapping of system call codes to audit events. Convert the code to | |
624 | * an audit event identifier using the process system call table | |
625 | * reference. In Darwin, there's only one, so we use the global | |
626 | * symbol for the system call table. No audit record is generated | |
627 | * for bad system calls, as no operation has been performed. | |
628 | * | |
629 | * In Mac OS X, the audit events are stored in a table seperate from | |
630 | * the syscall table(s). This table is generated by makesyscalls.sh | |
631 | * from syscalls.master and stored in audit_kevents.c. | |
632 | */ | |
0a7de745 | 633 | if (code >= nsysent) { |
b0d623f7 | 634 | return; |
0a7de745 | 635 | } |
b0d623f7 | 636 | event = sys_au_event[code]; |
0a7de745 | 637 | if (event == AUE_NULL) { |
b0d623f7 | 638 | return; |
0a7de745 | 639 | } |
b0d623f7 A |
640 | |
641 | KASSERT(uthread->uu_ar == NULL, | |
642 | ("audit_syscall_enter: uthread->uu_ar != NULL")); | |
643 | ||
644 | /* | |
645 | * Check which audit mask to use; either the kernel non-attributable | |
646 | * event mask or the process audit mask. | |
647 | */ | |
648 | cred = kauth_cred_proc_ref(proc); | |
649 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
0a7de745 | 650 | if (auid == AU_DEFAUDITID) { |
b0d623f7 | 651 | aumask = &audit_nae_mask; |
0a7de745 | 652 | } else { |
b0d623f7 | 653 | aumask = &cred->cr_audit.as_mask; |
0a7de745 | 654 | } |
b0d623f7 A |
655 | |
656 | /* | |
657 | * Allocate an audit record, if preselection allows it, and store in | |
658 | * the thread for later use. | |
659 | */ | |
660 | class = au_event_class(event); | |
661 | #if CONFIG_MACF | |
662 | /* | |
663 | * Note: audit_mac_syscall_enter() may call audit_new() and allocate | |
664 | * memory for the audit record (uu_ar). | |
665 | */ | |
0a7de745 | 666 | if (audit_mac_syscall_enter(code, proc, uthread, cred, event) == 0) { |
b0d623f7 | 667 | goto out; |
0a7de745 | 668 | } |
b0d623f7 A |
669 | #endif |
670 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { | |
671 | /* | |
672 | * If we're out of space and need to suspend unprivileged | |
673 | * processes, do that here rather than trying to allocate | |
674 | * another audit record. | |
675 | * | |
676 | * Note: we might wish to be able to continue here in the | |
677 | * future, if the system recovers. That should be possible | |
678 | * by means of checking the condition in a loop around | |
679 | * cv_wait(). It might be desirable to reevaluate whether an | |
680 | * audit record is still required for this event by | |
681 | * re-calling au_preselect(). | |
682 | */ | |
683 | if (audit_in_failure && | |
684 | suser(cred, &proc->p_acflag) != 0) { | |
685 | cv_wait(&audit_fail_cv, &audit_mtx); | |
686 | panic("audit_failing_stop: thread continued"); | |
687 | } | |
0a7de745 | 688 | if (uthread->uu_ar == NULL) { |
b0d623f7 | 689 | uthread->uu_ar = audit_new(event, proc, uthread); |
0a7de745 | 690 | } |
b0d623f7 | 691 | } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { |
0a7de745 | 692 | if (uthread->uu_ar == NULL) { |
b0d623f7 | 693 | uthread->uu_ar = audit_new(event, proc, uthread); |
0a7de745 A |
694 | } |
695 | } | |
b0d623f7 | 696 | |
d9a64523 A |
697 | /* |
698 | * All audited events will contain an identity | |
699 | * | |
700 | * Note: Identity should be obtained prior to the syscall implementation | |
701 | * being called to handle cases like execve(2) where the process changes | |
702 | */ | |
703 | AUDIT_ARG(identity); | |
704 | ||
b0d623f7 A |
705 | out: |
706 | kauth_cred_unref(&cred); | |
707 | } | |
708 | ||
709 | /* | |
710 | * audit_syscall_exit() is called from the return of every system call, or in | |
711 | * the event of exit1(), during the execution of exit1(). It is responsible | |
712 | * for committing the audit record, if any, along with return condition. | |
713 | * | |
714 | * Note: The audit_syscall_exit() parameter list was modified to support | |
715 | * mac_audit_check_postselect(), which requires the syscall number. | |
716 | */ | |
717 | #if CONFIG_MACF | |
718 | void | |
719 | audit_syscall_exit(unsigned int code, int error, __unused proc_t proc, | |
720 | struct uthread *uthread) | |
721 | #else | |
722 | void | |
723 | audit_syscall_exit(int error, __unsed proc_t proc, struct uthread *uthread) | |
724 | #endif | |
725 | { | |
726 | int retval; | |
727 | ||
728 | /* | |
729 | * Commit the audit record as desired; once we pass the record into | |
730 | * audit_commit(), the memory is owned by the audit subsystem. The | |
731 | * return value from the system call is stored on the user thread. | |
732 | * If there was an error, the return value is set to -1, imitating | |
733 | * the behavior of the cerror routine. | |
734 | */ | |
0a7de745 | 735 | if (error) { |
b0d623f7 | 736 | retval = -1; |
0a7de745 | 737 | } else { |
b0d623f7 | 738 | retval = uthread->uu_rval[0]; |
0a7de745 | 739 | } |
b0d623f7 A |
740 | |
741 | #if CONFIG_MACF | |
0a7de745 | 742 | if (audit_mac_syscall_exit(code, uthread, error, retval) != 0) { |
b0d623f7 | 743 | goto out; |
0a7de745 | 744 | } |
b0d623f7 A |
745 | #endif |
746 | audit_commit(uthread->uu_ar, error, retval); | |
747 | ||
748 | out: | |
749 | uthread->uu_ar = NULL; | |
750 | } | |
751 | ||
94ff46dc A |
752 | /* |
753 | * For system calls such as posix_spawn(2) the sub operations (i.e., file actions | |
754 | * and port actions) need to be audited as their own events. Like with system | |
755 | * calls we need to determine if the sub operation needs to be audited by | |
756 | * examining preselection masks. | |
757 | */ | |
758 | void | |
759 | audit_subcall_enter(au_event_t event, proc_t proc, struct uthread *uthread) | |
760 | { | |
761 | struct au_mask *aumask; | |
762 | au_class_t class; | |
763 | au_id_t auid; | |
764 | kauth_cred_t cred; | |
765 | ||
766 | /* | |
767 | * Check which audit mask to use; either the kernel non-attributable | |
768 | * event mask or the process audit mask. | |
769 | */ | |
770 | cred = kauth_cred_proc_ref(proc); | |
771 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
772 | if (auid == AU_DEFAUDITID) { | |
773 | aumask = &audit_nae_mask; | |
774 | } else { | |
775 | aumask = &cred->cr_audit.as_mask; | |
776 | } | |
777 | ||
778 | /* | |
779 | * Allocate an audit record, if preselection allows it, and store in | |
780 | * the thread for later use. | |
781 | */ | |
782 | class = au_event_class(event); | |
783 | ||
784 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { | |
785 | /* | |
786 | * If we're out of space and need to suspend unprivileged | |
787 | * processes, do that here rather than trying to allocate | |
788 | * another audit record. | |
789 | * | |
790 | * Note: we might wish to be able to continue here in the | |
791 | * future, if the system recovers. That should be possible | |
792 | * by means of checking the condition in a loop around | |
793 | * cv_wait(). It might be desirable to reevaluate whether an | |
794 | * audit record is still required for this event by | |
795 | * re-calling au_preselect(). | |
796 | */ | |
797 | if (audit_in_failure && | |
798 | suser(cred, &proc->p_acflag) != 0) { | |
799 | cv_wait(&audit_fail_cv, &audit_mtx); | |
800 | panic("audit_failing_stop: thread continued"); | |
801 | } | |
802 | if (uthread->uu_ar == NULL) { | |
803 | uthread->uu_ar = audit_new(event, proc, uthread); | |
804 | } | |
805 | } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { | |
806 | if (uthread->uu_ar == NULL) { | |
807 | uthread->uu_ar = audit_new(event, proc, uthread); | |
808 | } | |
809 | } | |
810 | ||
811 | kauth_cred_unref(&cred); | |
812 | } | |
813 | ||
814 | void | |
815 | audit_subcall_exit(int error, struct uthread *uthread) | |
816 | { | |
817 | /* A subcall doesn't have a return value so always zero. */ | |
818 | audit_commit(uthread->uu_ar, error, 0 /* retval */); | |
819 | ||
820 | uthread->uu_ar = NULL; | |
821 | } | |
822 | ||
b0d623f7 A |
823 | /* |
824 | * Calls to set up and tear down audit structures used during Mach system | |
825 | * calls. | |
826 | */ | |
827 | void | |
828 | audit_mach_syscall_enter(unsigned short event) | |
829 | { | |
830 | struct uthread *uthread; | |
831 | proc_t proc; | |
832 | struct au_mask *aumask; | |
833 | kauth_cred_t cred; | |
834 | au_class_t class; | |
835 | au_id_t auid; | |
836 | ||
0a7de745 | 837 | if (event == AUE_NULL) { |
b0d623f7 | 838 | return; |
0a7de745 | 839 | } |
b0d623f7 A |
840 | |
841 | uthread = curthread(); | |
0a7de745 | 842 | if (uthread == NULL) { |
b0d623f7 | 843 | return; |
0a7de745 | 844 | } |
b0d623f7 A |
845 | |
846 | proc = current_proc(); | |
0a7de745 | 847 | if (proc == NULL) { |
b0d623f7 | 848 | return; |
0a7de745 | 849 | } |
b0d623f7 A |
850 | |
851 | KASSERT(uthread->uu_ar == NULL, | |
852 | ("audit_mach_syscall_enter: uthread->uu_ar != NULL")); | |
853 | ||
854 | cred = kauth_cred_proc_ref(proc); | |
855 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
856 | ||
857 | /* | |
858 | * Check which audit mask to use; either the kernel non-attributable | |
859 | * event mask or the process audit mask. | |
860 | */ | |
0a7de745 | 861 | if (auid == AU_DEFAUDITID) { |
b0d623f7 | 862 | aumask = &audit_nae_mask; |
0a7de745 | 863 | } else { |
b0d623f7 | 864 | aumask = &cred->cr_audit.as_mask; |
0a7de745 | 865 | } |
b0d623f7 A |
866 | |
867 | /* | |
868 | * Allocate an audit record, if desired, and store in the BSD thread | |
869 | * for later use. | |
870 | */ | |
871 | class = au_event_class(event); | |
0a7de745 | 872 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { |
b0d623f7 | 873 | uthread->uu_ar = audit_new(event, proc, uthread); |
0a7de745 | 874 | } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { |
b0d623f7 | 875 | uthread->uu_ar = audit_new(event, proc, uthread); |
0a7de745 | 876 | } else { |
b0d623f7 | 877 | uthread->uu_ar = NULL; |
0a7de745 | 878 | } |
b0d623f7 A |
879 | |
880 | kauth_cred_unref(&cred); | |
881 | } | |
882 | ||
883 | void | |
884 | audit_mach_syscall_exit(int retval, struct uthread *uthread) | |
885 | { | |
886 | /* | |
887 | * The error code from Mach system calls is the same as the | |
888 | * return value | |
889 | */ | |
890 | /* XXX Is the above statement always true? */ | |
891 | audit_commit(uthread->uu_ar, retval, retval); | |
892 | uthread->uu_ar = NULL; | |
893 | } | |
894 | ||
895 | /* | |
896 | * kau_will_audit can be used by a security policy to determine | |
897 | * if an audit record will be stored, reducing wasted memory allocation | |
898 | * and string handling. | |
899 | */ | |
900 | int | |
901 | kau_will_audit(void) | |
902 | { | |
0a7de745 | 903 | return audit_enabled && currecord() != NULL; |
b0d623f7 A |
904 | } |
905 | ||
39037602 | 906 | #if CONFIG_COREDUMP |
b0d623f7 A |
907 | void |
908 | audit_proc_coredump(proc_t proc, char *path, int errcode) | |
909 | { | |
910 | struct kaudit_record *ar; | |
911 | struct au_mask *aumask; | |
912 | au_class_t class; | |
913 | int ret, sorf; | |
914 | char **pathp; | |
915 | au_id_t auid; | |
916 | kauth_cred_t my_cred; | |
917 | struct uthread *uthread; | |
918 | ||
919 | ret = 0; | |
920 | ||
921 | /* | |
922 | * Make sure we are using the correct preselection mask. | |
923 | */ | |
924 | my_cred = kauth_cred_proc_ref(proc); | |
925 | auid = my_cred->cr_audit.as_aia_p->ai_auid; | |
0a7de745 | 926 | if (auid == AU_DEFAUDITID) { |
b0d623f7 | 927 | aumask = &audit_nae_mask; |
0a7de745 | 928 | } else { |
b0d623f7 | 929 | aumask = &my_cred->cr_audit.as_mask; |
0a7de745 | 930 | } |
b0d623f7 A |
931 | kauth_cred_unref(&my_cred); |
932 | /* | |
933 | * It's possible for coredump(9) generation to fail. Make sure that | |
934 | * we handle this case correctly for preselection. | |
935 | */ | |
0a7de745 | 936 | if (errcode != 0) { |
b0d623f7 | 937 | sorf = AU_PRS_FAILURE; |
0a7de745 | 938 | } else { |
b0d623f7 | 939 | sorf = AU_PRS_SUCCESS; |
0a7de745 | 940 | } |
b0d623f7 A |
941 | class = au_event_class(AUE_CORE); |
942 | if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 && | |
0a7de745 | 943 | audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0) { |
b0d623f7 | 944 | return; |
0a7de745 | 945 | } |
b0d623f7 A |
946 | /* |
947 | * If we are interested in seeing this audit record, allocate it. | |
948 | * Where possible coredump records should contain a pathname and arg32 | |
949 | * (signal) tokens. | |
950 | */ | |
951 | uthread = curthread(); | |
952 | ar = audit_new(AUE_CORE, proc, uthread); | |
f427ee49 A |
953 | if (ar == NULL) { |
954 | return; | |
955 | } | |
b0d623f7 A |
956 | if (path != NULL) { |
957 | pathp = &ar->k_ar.ar_arg_upath1; | |
958 | *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); | |
959 | if (audit_canon_path(vfs_context_cwd(vfs_context_current()), path, | |
0a7de745 | 960 | *pathp)) { |
b0d623f7 | 961 | free(*pathp, M_AUDITPATH); |
0a7de745 | 962 | } else { |
b0d623f7 | 963 | ARG_SET_VALID(ar, ARG_UPATH1); |
0a7de745 | 964 | } |
b0d623f7 A |
965 | } |
966 | ar->k_ar.ar_arg_signum = proc->p_sigacts->ps_sig; | |
967 | ARG_SET_VALID(ar, ARG_SIGNUM); | |
0a7de745 | 968 | if (errcode != 0) { |
b0d623f7 | 969 | ret = 1; |
0a7de745 | 970 | } |
b0d623f7 A |
971 | audit_commit(ar, errcode, ret); |
972 | } | |
39037602 | 973 | #endif /* CONFIG_COREDUMP */ |
b0d623f7 | 974 | #endif /* CONFIG_AUDIT */ |