]>
Commit | Line | Data |
---|---|---|
1 | /*- | |
2 | * Copyright (c) 1999-2009 Apple Inc. | |
3 | * Copyright (c) 2006-2007 Robert N. M. Watson | |
4 | * All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of | |
15 | * its contributors may be used to endorse or promote products derived | |
16 | * from this software without specific prior written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND | |
19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
21 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR | |
22 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
23 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
24 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
26 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
27 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
28 | * POSSIBILITY OF SUCH DAMAGE. | |
29 | * | |
30 | */ | |
31 | /* | |
32 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce | |
33 | * support for mandatory and extensible security protections. This notice | |
34 | * is included in support of clause 2.2 (b) of the Apple Public License, | |
35 | * Version 2.0. | |
36 | */ | |
37 | ||
38 | #include <sys/param.h> | |
39 | #include <sys/fcntl.h> | |
40 | #include <sys/kernel.h> | |
41 | #include <sys/lock.h> | |
42 | #include <sys/namei.h> | |
43 | #include <sys/proc_internal.h> | |
44 | #include <sys/kauth.h> | |
45 | #include <sys/queue.h> | |
46 | #include <sys/systm.h> | |
47 | #include <sys/time.h> | |
48 | #include <sys/ucred.h> | |
49 | #include <sys/uio.h> | |
50 | #include <sys/unistd.h> | |
51 | #include <sys/file_internal.h> | |
52 | #include <sys/vnode_internal.h> | |
53 | #include <sys/user.h> | |
54 | #include <sys/syscall.h> | |
55 | #include <sys/malloc.h> | |
56 | #include <sys/un.h> | |
57 | #include <sys/sysent.h> | |
58 | #include <sys/sysproto.h> | |
59 | #include <sys/vfs_context.h> | |
60 | #include <sys/domain.h> | |
61 | #include <sys/protosw.h> | |
62 | #include <sys/socketvar.h> | |
63 | ||
64 | #include <bsm/audit.h> | |
65 | #include <bsm/audit_internal.h> | |
66 | #include <bsm/audit_kevents.h> | |
67 | ||
68 | #include <security/audit/audit.h> | |
69 | #include <security/audit/audit_bsd.h> | |
70 | #include <security/audit/audit_private.h> | |
71 | ||
72 | #include <mach/host_priv.h> | |
73 | #include <mach/host_special_ports.h> | |
74 | #include <mach/audit_triggers_server.h> | |
75 | ||
76 | #include <kern/host.h> | |
77 | #include <kern/kalloc.h> | |
78 | #include <kern/zalloc.h> | |
79 | #include <kern/lock.h> | |
80 | #include <kern/wait_queue.h> | |
81 | #include <kern/sched_prim.h> | |
82 | ||
83 | #include <net/route.h> | |
84 | ||
85 | #include <netinet/in.h> | |
86 | #include <netinet/in_pcb.h> | |
87 | ||
88 | #if CONFIG_AUDIT | |
89 | MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); | |
90 | MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); | |
91 | MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); | |
92 | ||
93 | /* | |
94 | * Audit control settings that are set/read by system calls and are hence | |
95 | * non-static. | |
96 | * | |
97 | * Define the audit control flags. | |
98 | */ | |
99 | int audit_enabled; | |
100 | int audit_suspended; | |
101 | ||
102 | int audit_syscalls; | |
103 | au_class_t audit_kevent_mask; | |
104 | ||
105 | /* | |
106 | * Flags controlling behavior in low storage situations. Should we panic if | |
107 | * a write fails? Should we fail stop if we're out of disk space? | |
108 | */ | |
109 | int audit_panic_on_write_fail; | |
110 | int audit_fail_stop; | |
111 | int audit_argv; | |
112 | int audit_arge; | |
113 | ||
114 | /* | |
115 | * Are we currently "failing stop" due to out of disk space? | |
116 | */ | |
117 | int audit_in_failure; | |
118 | ||
119 | /* | |
120 | * Global audit statistics. | |
121 | */ | |
122 | struct audit_fstat audit_fstat; | |
123 | ||
124 | /* | |
125 | * Preselection mask for non-attributable events. | |
126 | */ | |
127 | struct au_mask audit_nae_mask; | |
128 | ||
129 | /* | |
130 | * Mutex to protect global variables shared between various threads and | |
131 | * processes. | |
132 | */ | |
133 | struct mtx audit_mtx; | |
134 | ||
135 | /* | |
136 | * Queue of audit records ready for delivery to disk. We insert new records | |
137 | * at the tail, and remove records from the head. Also, a count of the | |
138 | * number of records used for checking queue depth. In addition, a counter | |
139 | * of records that we have allocated but are not yet in the queue, which is | |
140 | * needed to estimate the total size of the combined set of records | |
141 | * outstanding in the system. | |
142 | */ | |
143 | struct kaudit_queue audit_q; | |
144 | int audit_q_len; | |
145 | int audit_pre_q_len; | |
146 | ||
147 | /* | |
148 | * Audit queue control settings (minimum free, low/high water marks, etc.) | |
149 | */ | |
150 | struct au_qctrl audit_qctrl; | |
151 | ||
152 | /* | |
153 | * Condition variable to signal to the worker that it has work to do: either | |
154 | * new records are in the queue, or a log replacement is taking place. | |
155 | */ | |
156 | struct cv audit_worker_cv; | |
157 | ||
158 | /* | |
159 | * Condition variable to signal when the worker is done draining the audit | |
160 | * queue. | |
161 | */ | |
162 | struct cv audit_drain_cv; | |
163 | ||
164 | /* | |
165 | * Condition variable to flag when crossing the low watermark, meaning that | |
166 | * threads blocked due to hitting the high watermark can wake up and continue | |
167 | * to commit records. | |
168 | */ | |
169 | struct cv audit_watermark_cv; | |
170 | ||
171 | /* | |
172 | * Condition variable for auditing threads wait on when in fail-stop mode. | |
173 | * Threads wait on this CV forever (and ever), never seeing the light of day | |
174 | * again. | |
175 | */ | |
176 | static struct cv audit_fail_cv; | |
177 | ||
178 | static zone_t audit_record_zone; | |
179 | ||
180 | /* | |
181 | * Kernel audit information. This will store the current audit address | |
182 | * or host information that the kernel will use when it's generating | |
183 | * audit records. This data is modified by the A_GET{SET}KAUDIT auditon(2) | |
184 | * command. | |
185 | */ | |
186 | static struct auditinfo_addr audit_kinfo; | |
187 | static struct rwlock audit_kinfo_lock; | |
188 | ||
189 | #define KINFO_LOCK_INIT() rw_init(&audit_kinfo_lock, \ | |
190 | "audit_kinfo_lock") | |
191 | #define KINFO_RLOCK() rw_rlock(&audit_kinfo_lock) | |
192 | #define KINFO_WLOCK() rw_wlock(&audit_kinfo_lock) | |
193 | #define KINFO_RUNLOCK() rw_runlock(&audit_kinfo_lock) | |
194 | #define KINFO_WUNLOCK() rw_wunlock(&audit_kinfo_lock) | |
195 | ||
196 | void | |
197 | audit_set_kinfo(struct auditinfo_addr *ak) | |
198 | { | |
199 | ||
200 | KASSERT(ak->ai_termid.at_type == AU_IPv4 || | |
201 | ak->ai_termid.at_type == AU_IPv6, | |
202 | ("audit_set_kinfo: invalid address type")); | |
203 | ||
204 | KINFO_WLOCK(); | |
205 | bcopy(ak, &audit_kinfo, sizeof(audit_kinfo)); | |
206 | KINFO_WUNLOCK(); | |
207 | } | |
208 | ||
209 | void | |
210 | audit_get_kinfo(struct auditinfo_addr *ak) | |
211 | { | |
212 | ||
213 | KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 || | |
214 | audit_kinfo.ai_termid.at_type == AU_IPv6, | |
215 | ("audit_set_kinfo: invalid address type")); | |
216 | ||
217 | KINFO_RLOCK(); | |
218 | bcopy(&audit_kinfo, ak, sizeof(*ak)); | |
219 | KINFO_RUNLOCK(); | |
220 | } | |
221 | ||
222 | /* | |
223 | * Construct an audit record for the passed thread. | |
224 | */ | |
225 | static void | |
226 | audit_record_ctor(proc_t p, struct kaudit_record *ar) | |
227 | { | |
228 | kauth_cred_t cred; | |
229 | ||
230 | bzero(ar, sizeof(*ar)); | |
231 | ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; | |
232 | nanotime(&ar->k_ar.ar_starttime); | |
233 | ||
234 | cred = kauth_cred_proc_ref(p); | |
235 | ||
236 | /* | |
237 | * Export the subject credential. | |
238 | */ | |
239 | cru2x(cred, &ar->k_ar.ar_subj_cred); | |
240 | ar->k_ar.ar_subj_ruid = cred->cr_ruid; | |
241 | ar->k_ar.ar_subj_rgid = cred->cr_rgid; | |
242 | ar->k_ar.ar_subj_egid = cred->cr_groups[0]; | |
243 | ar->k_ar.ar_subj_pid = p->p_pid; | |
244 | ar->k_ar.ar_subj_auid = cred->cr_audit.as_aia_p->ai_auid; | |
245 | ar->k_ar.ar_subj_asid = cred->cr_audit.as_aia_p->ai_asid; | |
246 | bcopy(&cred->cr_audit.as_mask, &ar->k_ar.ar_subj_amask, | |
247 | sizeof(struct au_mask)); | |
248 | bcopy(&cred->cr_audit.as_aia_p->ai_termid, &ar->k_ar.ar_subj_term_addr, | |
249 | sizeof(struct au_tid_addr)); | |
250 | kauth_cred_unref(&cred); | |
251 | } | |
252 | ||
253 | static void | |
254 | audit_record_dtor(struct kaudit_record *ar) | |
255 | { | |
256 | ||
257 | if (ar->k_ar.ar_arg_upath1 != NULL) | |
258 | free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); | |
259 | if (ar->k_ar.ar_arg_upath2 != NULL) | |
260 | free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); | |
261 | if (ar->k_ar.ar_arg_kpath1 != NULL) | |
262 | free(ar->k_ar.ar_arg_kpath1, M_AUDITPATH); | |
263 | if (ar->k_ar.ar_arg_kpath2 != NULL) | |
264 | free(ar->k_ar.ar_arg_kpath2, M_AUDITPATH); | |
265 | if (ar->k_ar.ar_arg_text != NULL) | |
266 | free(ar->k_ar.ar_arg_text, M_AUDITTEXT); | |
267 | if (ar->k_ar.ar_arg_opaque != NULL) | |
268 | free(ar->k_ar.ar_arg_opaque, M_AUDITDATA); | |
269 | if (ar->k_ar.ar_arg_data != NULL) | |
270 | free(ar->k_ar.ar_arg_data, M_AUDITDATA); | |
271 | if (ar->k_udata != NULL) | |
272 | free(ar->k_udata, M_AUDITDATA); | |
273 | if (ar->k_ar.ar_arg_argv != NULL) | |
274 | free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); | |
275 | if (ar->k_ar.ar_arg_envv != NULL) | |
276 | free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); | |
277 | } | |
278 | ||
279 | /* | |
280 | * Initialize the Audit subsystem: configuration state, work queue, | |
281 | * synchronization primitives, worker thread, and trigger device node. Also | |
282 | * call into the BSM assembly code to initialize it. | |
283 | */ | |
284 | void | |
285 | audit_init(void) | |
286 | { | |
287 | ||
288 | audit_enabled = 0; | |
289 | audit_syscalls = 0; | |
290 | audit_kevent_mask = 0; | |
291 | audit_suspended = 0; | |
292 | audit_panic_on_write_fail = 0; | |
293 | audit_fail_stop = 0; | |
294 | audit_in_failure = 0; | |
295 | audit_argv = 0; | |
296 | audit_arge = 0; | |
297 | ||
298 | audit_fstat.af_filesz = 0; /* '0' means unset, unbounded. */ | |
299 | audit_fstat.af_currsz = 0; | |
300 | audit_nae_mask.am_success = 0; | |
301 | audit_nae_mask.am_failure = 0; | |
302 | ||
303 | TAILQ_INIT(&audit_q); | |
304 | audit_q_len = 0; | |
305 | audit_pre_q_len = 0; | |
306 | audit_qctrl.aq_hiwater = AQ_HIWATER; | |
307 | audit_qctrl.aq_lowater = AQ_LOWATER; | |
308 | audit_qctrl.aq_bufsz = AQ_BUFSZ; | |
309 | audit_qctrl.aq_minfree = AU_FS_MINFREE; | |
310 | ||
311 | audit_kinfo.ai_termid.at_type = AU_IPv4; | |
312 | audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY; | |
313 | ||
314 | mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); | |
315 | KINFO_LOCK_INIT(); | |
316 | cv_init(&audit_worker_cv, "audit_worker_cv"); | |
317 | cv_init(&audit_drain_cv, "audit_drain_cv"); | |
318 | cv_init(&audit_watermark_cv, "audit_watermark_cv"); | |
319 | cv_init(&audit_fail_cv, "audit_fail_cv"); | |
320 | ||
321 | audit_record_zone = zinit(sizeof(struct kaudit_record), | |
322 | AQ_HIWATER*sizeof(struct kaudit_record), 8192, "audit_zone"); | |
323 | #if CONFIG_MACF | |
324 | audit_mac_init(); | |
325 | #endif | |
326 | /* Init audit session subsystem. */ | |
327 | audit_session_init(); | |
328 | ||
329 | /* Initialize the BSM audit subsystem. */ | |
330 | kau_init(); | |
331 | ||
332 | /* audit_trigger_init(); */ | |
333 | ||
334 | /* Start audit worker thread. */ | |
335 | (void) audit_pipe_init(); | |
336 | ||
337 | /* Start audit worker thread. */ | |
338 | audit_worker_init(); | |
339 | } | |
340 | ||
341 | /* | |
342 | * Drain the audit queue and close the log at shutdown. Note that this can | |
343 | * be called both from the system shutdown path and also from audit | |
344 | * configuration syscalls, so 'arg' and 'howto' are ignored. | |
345 | */ | |
346 | void | |
347 | audit_shutdown(void) | |
348 | { | |
349 | ||
350 | audit_rotate_vnode(NULL, NULL); | |
351 | } | |
352 | ||
353 | /* | |
354 | * Return the current thread's audit record, if any. | |
355 | */ | |
356 | __inline__ struct kaudit_record * | |
357 | currecord(void) | |
358 | { | |
359 | ||
360 | return (curthread()->uu_ar); | |
361 | } | |
362 | ||
363 | /* | |
364 | * XXXAUDIT: There are a number of races present in the code below due to | |
365 | * release and re-grab of the mutex. The code should be revised to become | |
366 | * slightly less racy. | |
367 | * | |
368 | * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available | |
369 | * pre_q space, suspending the system call until there is room? | |
370 | */ | |
371 | struct kaudit_record * | |
372 | audit_new(int event, proc_t p, __unused struct uthread *uthread) | |
373 | { | |
374 | struct kaudit_record *ar; | |
375 | int no_record; | |
376 | ||
377 | mtx_lock(&audit_mtx); | |
378 | no_record = (audit_suspended || !audit_enabled); | |
379 | mtx_unlock(&audit_mtx); | |
380 | if (no_record) | |
381 | return (NULL); | |
382 | ||
383 | /* | |
384 | * Initialize the audit record header. | |
385 | * XXX: We may want to fail-stop if allocation fails. | |
386 | * | |
387 | * Note: the number of outstanding uncommitted audit records is | |
388 | * limited to the number of concurrent threads servicing system calls | |
389 | * in the kernel. | |
390 | */ | |
391 | ar = zalloc(audit_record_zone); | |
392 | if (ar == NULL) | |
393 | return NULL; | |
394 | audit_record_ctor(p, ar); | |
395 | ar->k_ar.ar_event = event; | |
396 | ||
397 | #if CONFIG_MACF | |
398 | if (audit_mac_new(p, ar) != 0) { | |
399 | zfree(audit_record_zone, ar); | |
400 | return (NULL); | |
401 | } | |
402 | #endif | |
403 | ||
404 | mtx_lock(&audit_mtx); | |
405 | audit_pre_q_len++; | |
406 | mtx_unlock(&audit_mtx); | |
407 | ||
408 | return (ar); | |
409 | } | |
410 | ||
411 | void | |
412 | audit_free(struct kaudit_record *ar) | |
413 | { | |
414 | ||
415 | audit_record_dtor(ar); | |
416 | #if CONFIG_MACF | |
417 | audit_mac_free(ar); | |
418 | #endif | |
419 | zfree(audit_record_zone, ar); | |
420 | } | |
421 | ||
422 | void | |
423 | audit_commit(struct kaudit_record *ar, int error, int retval) | |
424 | { | |
425 | au_event_t event; | |
426 | au_class_t class; | |
427 | au_id_t auid; | |
428 | int sorf; | |
429 | struct au_mask *aumask; | |
430 | ||
431 | if (ar == NULL) | |
432 | return; | |
433 | ||
434 | /* | |
435 | * Decide whether to commit the audit record by checking the error | |
436 | * value from the system call and using the appropriate audit mask. | |
437 | */ | |
438 | if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) | |
439 | aumask = &audit_nae_mask; | |
440 | else | |
441 | aumask = &ar->k_ar.ar_subj_amask; | |
442 | ||
443 | if (error) | |
444 | sorf = AU_PRS_FAILURE; | |
445 | else | |
446 | sorf = AU_PRS_SUCCESS; | |
447 | ||
448 | switch(ar->k_ar.ar_event) { | |
449 | case AUE_OPEN_RWTC: | |
450 | /* | |
451 | * The open syscall always writes a AUE_OPEN_RWTC event; | |
452 | * change it to the proper type of event based on the flags | |
453 | * and the error value. | |
454 | */ | |
455 | ar->k_ar.ar_event = audit_flags_and_error_to_openevent( | |
456 | ar->k_ar.ar_arg_fflags, error); | |
457 | break; | |
458 | ||
459 | case AUE_OPEN_EXTENDED_RWTC: | |
460 | /* | |
461 | * The open_extended syscall always writes a | |
462 | * AUE_OPEN_EXTENDEDRWTC event; change it to the proper type of | |
463 | * event based on the flags and the error value. | |
464 | */ | |
465 | ar->k_ar.ar_event = audit_flags_and_error_to_openextendedevent( | |
466 | ar->k_ar.ar_arg_fflags, error); | |
467 | break; | |
468 | ||
469 | case AUE_SYSCTL: | |
470 | ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( | |
471 | ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); | |
472 | break; | |
473 | ||
474 | case AUE_AUDITON: | |
475 | /* Convert the auditon() command to an event. */ | |
476 | ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); | |
477 | break; | |
478 | ||
479 | case AUE_FCNTL: | |
480 | /* Convert some fcntl() commands to their own events. */ | |
481 | ar->k_ar.ar_event = audit_fcntl_command_event( | |
482 | ar->k_ar.ar_arg_cmd, ar->k_ar.ar_arg_fflags, error); | |
483 | break; | |
484 | } | |
485 | ||
486 | auid = ar->k_ar.ar_subj_auid; | |
487 | event = ar->k_ar.ar_event; | |
488 | class = au_event_class(event); | |
489 | ||
490 | ar->k_ar_commit |= AR_COMMIT_KERNEL; | |
491 | if (au_preselect(event, class, aumask, sorf) != 0) | |
492 | ar->k_ar_commit |= AR_PRESELECT_TRAIL; | |
493 | if (audit_pipe_preselect(auid, event, class, sorf, | |
494 | ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) | |
495 | ar->k_ar_commit |= AR_PRESELECT_PIPE; | |
496 | if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE | | |
497 | AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE)) == 0) { | |
498 | mtx_lock(&audit_mtx); | |
499 | audit_pre_q_len--; | |
500 | mtx_unlock(&audit_mtx); | |
501 | audit_free(ar); | |
502 | return; | |
503 | } | |
504 | ||
505 | ar->k_ar.ar_errno = error; | |
506 | ar->k_ar.ar_retval = retval; | |
507 | nanotime(&ar->k_ar.ar_endtime); | |
508 | ||
509 | /* | |
510 | * Note: it could be that some records initiated while audit was | |
511 | * enabled should still be committed? | |
512 | */ | |
513 | mtx_lock(&audit_mtx); | |
514 | if (audit_suspended || !audit_enabled) { | |
515 | audit_pre_q_len--; | |
516 | mtx_unlock(&audit_mtx); | |
517 | audit_free(ar); | |
518 | return; | |
519 | } | |
520 | ||
521 | /* | |
522 | * Constrain the number of committed audit records based on the | |
523 | * configurable parameter. | |
524 | */ | |
525 | while (audit_q_len >= audit_qctrl.aq_hiwater) | |
526 | cv_wait(&audit_watermark_cv, &audit_mtx); | |
527 | ||
528 | TAILQ_INSERT_TAIL(&audit_q, ar, k_q); | |
529 | audit_q_len++; | |
530 | audit_pre_q_len--; | |
531 | cv_signal(&audit_worker_cv); | |
532 | mtx_unlock(&audit_mtx); | |
533 | } | |
534 | ||
535 | /* | |
536 | * audit_syscall_enter() is called on entry to each system call. It is | |
537 | * responsible for deciding whether or not to audit the call (preselection), | |
538 | * and if so, allocating a per-thread audit record. audit_new() will fill in | |
539 | * basic thread/credential properties. | |
540 | */ | |
541 | void | |
542 | audit_syscall_enter(unsigned int code, proc_t proc, struct uthread *uthread) | |
543 | { | |
544 | struct au_mask *aumask; | |
545 | au_class_t class; | |
546 | au_event_t event; | |
547 | au_id_t auid; | |
548 | kauth_cred_t cred; | |
549 | ||
550 | /* | |
551 | * In FreeBSD, each ABI has its own system call table, and hence | |
552 | * mapping of system call codes to audit events. Convert the code to | |
553 | * an audit event identifier using the process system call table | |
554 | * reference. In Darwin, there's only one, so we use the global | |
555 | * symbol for the system call table. No audit record is generated | |
556 | * for bad system calls, as no operation has been performed. | |
557 | * | |
558 | * In Mac OS X, the audit events are stored in a table seperate from | |
559 | * the syscall table(s). This table is generated by makesyscalls.sh | |
560 | * from syscalls.master and stored in audit_kevents.c. | |
561 | */ | |
562 | if (code > NUM_SYSENT) | |
563 | return; | |
564 | event = sys_au_event[code]; | |
565 | if (event == AUE_NULL) | |
566 | return; | |
567 | ||
568 | KASSERT(uthread->uu_ar == NULL, | |
569 | ("audit_syscall_enter: uthread->uu_ar != NULL")); | |
570 | ||
571 | /* | |
572 | * Check which audit mask to use; either the kernel non-attributable | |
573 | * event mask or the process audit mask. | |
574 | */ | |
575 | cred = kauth_cred_proc_ref(proc); | |
576 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
577 | if (auid == AU_DEFAUDITID) | |
578 | aumask = &audit_nae_mask; | |
579 | else | |
580 | aumask = &cred->cr_audit.as_mask; | |
581 | ||
582 | /* | |
583 | * Allocate an audit record, if preselection allows it, and store in | |
584 | * the thread for later use. | |
585 | */ | |
586 | class = au_event_class(event); | |
587 | #if CONFIG_MACF | |
588 | /* | |
589 | * Note: audit_mac_syscall_enter() may call audit_new() and allocate | |
590 | * memory for the audit record (uu_ar). | |
591 | */ | |
592 | if (audit_mac_syscall_enter(code, proc, uthread, cred, event) == 0) | |
593 | goto out; | |
594 | #endif | |
595 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { | |
596 | /* | |
597 | * If we're out of space and need to suspend unprivileged | |
598 | * processes, do that here rather than trying to allocate | |
599 | * another audit record. | |
600 | * | |
601 | * Note: we might wish to be able to continue here in the | |
602 | * future, if the system recovers. That should be possible | |
603 | * by means of checking the condition in a loop around | |
604 | * cv_wait(). It might be desirable to reevaluate whether an | |
605 | * audit record is still required for this event by | |
606 | * re-calling au_preselect(). | |
607 | */ | |
608 | if (audit_in_failure && | |
609 | suser(cred, &proc->p_acflag) != 0) { | |
610 | cv_wait(&audit_fail_cv, &audit_mtx); | |
611 | panic("audit_failing_stop: thread continued"); | |
612 | } | |
613 | if (uthread->uu_ar == NULL) | |
614 | uthread->uu_ar = audit_new(event, proc, uthread); | |
615 | } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { | |
616 | if (uthread->uu_ar == NULL) | |
617 | uthread->uu_ar = audit_new(event, proc, uthread); | |
618 | } | |
619 | ||
620 | out: | |
621 | kauth_cred_unref(&cred); | |
622 | } | |
623 | ||
624 | /* | |
625 | * audit_syscall_exit() is called from the return of every system call, or in | |
626 | * the event of exit1(), during the execution of exit1(). It is responsible | |
627 | * for committing the audit record, if any, along with return condition. | |
628 | * | |
629 | * Note: The audit_syscall_exit() parameter list was modified to support | |
630 | * mac_audit_check_postselect(), which requires the syscall number. | |
631 | */ | |
632 | #if CONFIG_MACF | |
633 | void | |
634 | audit_syscall_exit(unsigned int code, int error, __unused proc_t proc, | |
635 | struct uthread *uthread) | |
636 | #else | |
637 | void | |
638 | audit_syscall_exit(int error, __unsed proc_t proc, struct uthread *uthread) | |
639 | #endif | |
640 | { | |
641 | int retval; | |
642 | ||
643 | /* | |
644 | * Commit the audit record as desired; once we pass the record into | |
645 | * audit_commit(), the memory is owned by the audit subsystem. The | |
646 | * return value from the system call is stored on the user thread. | |
647 | * If there was an error, the return value is set to -1, imitating | |
648 | * the behavior of the cerror routine. | |
649 | */ | |
650 | if (error) | |
651 | retval = -1; | |
652 | else | |
653 | retval = uthread->uu_rval[0]; | |
654 | ||
655 | #if CONFIG_MACF | |
656 | if (audit_mac_syscall_exit(code, uthread, error, retval) != 0) | |
657 | goto out; | |
658 | #endif | |
659 | audit_commit(uthread->uu_ar, error, retval); | |
660 | ||
661 | out: | |
662 | uthread->uu_ar = NULL; | |
663 | } | |
664 | ||
665 | /* | |
666 | * Calls to set up and tear down audit structures used during Mach system | |
667 | * calls. | |
668 | */ | |
669 | void | |
670 | audit_mach_syscall_enter(unsigned short event) | |
671 | { | |
672 | struct uthread *uthread; | |
673 | proc_t proc; | |
674 | struct au_mask *aumask; | |
675 | kauth_cred_t cred; | |
676 | au_class_t class; | |
677 | au_id_t auid; | |
678 | ||
679 | if (event == AUE_NULL) | |
680 | return; | |
681 | ||
682 | uthread = curthread(); | |
683 | if (uthread == NULL) | |
684 | return; | |
685 | ||
686 | proc = current_proc(); | |
687 | if (proc == NULL) | |
688 | return; | |
689 | ||
690 | KASSERT(uthread->uu_ar == NULL, | |
691 | ("audit_mach_syscall_enter: uthread->uu_ar != NULL")); | |
692 | ||
693 | cred = kauth_cred_proc_ref(proc); | |
694 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
695 | ||
696 | /* | |
697 | * Check which audit mask to use; either the kernel non-attributable | |
698 | * event mask or the process audit mask. | |
699 | */ | |
700 | if (auid == AU_DEFAUDITID) | |
701 | aumask = &audit_nae_mask; | |
702 | else | |
703 | aumask = &cred->cr_audit.as_mask; | |
704 | ||
705 | /* | |
706 | * Allocate an audit record, if desired, and store in the BSD thread | |
707 | * for later use. | |
708 | */ | |
709 | class = au_event_class(event); | |
710 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) | |
711 | uthread->uu_ar = audit_new(event, proc, uthread); | |
712 | else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) | |
713 | uthread->uu_ar = audit_new(event, proc, uthread); | |
714 | else | |
715 | uthread->uu_ar = NULL; | |
716 | ||
717 | kauth_cred_unref(&cred); | |
718 | } | |
719 | ||
720 | void | |
721 | audit_mach_syscall_exit(int retval, struct uthread *uthread) | |
722 | { | |
723 | /* | |
724 | * The error code from Mach system calls is the same as the | |
725 | * return value | |
726 | */ | |
727 | /* XXX Is the above statement always true? */ | |
728 | audit_commit(uthread->uu_ar, retval, retval); | |
729 | uthread->uu_ar = NULL; | |
730 | } | |
731 | ||
732 | /* | |
733 | * kau_will_audit can be used by a security policy to determine | |
734 | * if an audit record will be stored, reducing wasted memory allocation | |
735 | * and string handling. | |
736 | */ | |
737 | int | |
738 | kau_will_audit(void) | |
739 | { | |
740 | ||
741 | return (audit_enabled && currecord() != NULL); | |
742 | } | |
743 | ||
744 | void | |
745 | audit_proc_coredump(proc_t proc, char *path, int errcode) | |
746 | { | |
747 | struct kaudit_record *ar; | |
748 | struct au_mask *aumask; | |
749 | au_class_t class; | |
750 | int ret, sorf; | |
751 | char **pathp; | |
752 | au_id_t auid; | |
753 | kauth_cred_t my_cred; | |
754 | struct uthread *uthread; | |
755 | ||
756 | ret = 0; | |
757 | ||
758 | /* | |
759 | * Make sure we are using the correct preselection mask. | |
760 | */ | |
761 | my_cred = kauth_cred_proc_ref(proc); | |
762 | auid = my_cred->cr_audit.as_aia_p->ai_auid; | |
763 | if (auid == AU_DEFAUDITID) | |
764 | aumask = &audit_nae_mask; | |
765 | else | |
766 | aumask = &my_cred->cr_audit.as_mask; | |
767 | kauth_cred_unref(&my_cred); | |
768 | /* | |
769 | * It's possible for coredump(9) generation to fail. Make sure that | |
770 | * we handle this case correctly for preselection. | |
771 | */ | |
772 | if (errcode != 0) | |
773 | sorf = AU_PRS_FAILURE; | |
774 | else | |
775 | sorf = AU_PRS_SUCCESS; | |
776 | class = au_event_class(AUE_CORE); | |
777 | if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 && | |
778 | audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0) | |
779 | return; | |
780 | /* | |
781 | * If we are interested in seeing this audit record, allocate it. | |
782 | * Where possible coredump records should contain a pathname and arg32 | |
783 | * (signal) tokens. | |
784 | */ | |
785 | uthread = curthread(); | |
786 | ar = audit_new(AUE_CORE, proc, uthread); | |
787 | if (path != NULL) { | |
788 | pathp = &ar->k_ar.ar_arg_upath1; | |
789 | *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); | |
790 | if (audit_canon_path(vfs_context_cwd(vfs_context_current()), path, | |
791 | *pathp)) | |
792 | free(*pathp, M_AUDITPATH); | |
793 | else | |
794 | ARG_SET_VALID(ar, ARG_UPATH1); | |
795 | } | |
796 | ar->k_ar.ar_arg_signum = proc->p_sigacts->ps_sig; | |
797 | ARG_SET_VALID(ar, ARG_SIGNUM); | |
798 | if (errcode != 0) | |
799 | ret = 1; | |
800 | audit_commit(ar, errcode, ret); | |
801 | } | |
802 | #endif /* CONFIG_AUDIT */ |