]>
Commit | Line | Data |
---|---|---|
1 | /*- | |
2 | * Copyright (c) 1999-2009 Apple Inc. | |
3 | * Copyright (c) 2006-2007 Robert N. M. Watson | |
4 | * All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of | |
15 | * its contributors may be used to endorse or promote products derived | |
16 | * from this software without specific prior written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND | |
19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
21 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR | |
22 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
23 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
24 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
26 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
27 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
28 | * POSSIBILITY OF SUCH DAMAGE. | |
29 | * | |
30 | */ | |
31 | /* | |
32 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce | |
33 | * support for mandatory and extensible security protections. This notice | |
34 | * is included in support of clause 2.2 (b) of the Apple Public License, | |
35 | * Version 2.0. | |
36 | */ | |
37 | ||
38 | #include <sys/param.h> | |
39 | #include <sys/fcntl.h> | |
40 | #include <sys/kernel.h> | |
41 | #include <sys/lock.h> | |
42 | #include <sys/namei.h> | |
43 | #include <sys/proc_internal.h> | |
44 | #include <sys/kauth.h> | |
45 | #include <sys/queue.h> | |
46 | #include <sys/systm.h> | |
47 | #include <sys/time.h> | |
48 | #include <sys/ucred.h> | |
49 | #include <sys/uio.h> | |
50 | #include <sys/unistd.h> | |
51 | #include <sys/file_internal.h> | |
52 | #include <sys/vnode_internal.h> | |
53 | #include <sys/user.h> | |
54 | #include <sys/syscall.h> | |
55 | #include <sys/malloc.h> | |
56 | #include <sys/un.h> | |
57 | #include <sys/sysent.h> | |
58 | #include <sys/sysproto.h> | |
59 | #include <sys/vfs_context.h> | |
60 | #include <sys/domain.h> | |
61 | #include <sys/protosw.h> | |
62 | #include <sys/socketvar.h> | |
63 | ||
64 | #include <bsm/audit.h> | |
65 | #include <bsm/audit_internal.h> | |
66 | #include <bsm/audit_kevents.h> | |
67 | ||
68 | #include <security/audit/audit.h> | |
69 | #include <security/audit/audit_bsd.h> | |
70 | #include <security/audit/audit_private.h> | |
71 | ||
72 | #include <mach/host_priv.h> | |
73 | #include <mach/host_special_ports.h> | |
74 | #include <mach/audit_triggers_server.h> | |
75 | ||
76 | #include <kern/host.h> | |
77 | #include <kern/kalloc.h> | |
78 | #include <kern/zalloc.h> | |
79 | #include <kern/sched_prim.h> | |
80 | ||
81 | #include <net/route.h> | |
82 | ||
83 | #include <netinet/in.h> | |
84 | #include <netinet/in_pcb.h> | |
85 | ||
86 | #if CONFIG_AUDIT | |
87 | MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); | |
88 | MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); | |
89 | MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); | |
90 | ||
91 | /* | |
92 | * Audit control settings that are set/read by system calls and are hence | |
93 | * non-static. | |
94 | * | |
95 | * Define the audit control flags. | |
96 | */ | |
97 | int audit_enabled; | |
98 | int audit_suspended; | |
99 | ||
100 | int audit_syscalls; | |
101 | au_class_t audit_kevent_mask; | |
102 | ||
103 | /* | |
104 | * Flags controlling behavior in low storage situations. Should we panic if | |
105 | * a write fails? Should we fail stop if we're out of disk space? | |
106 | */ | |
107 | int audit_panic_on_write_fail; | |
108 | int audit_fail_stop; | |
109 | int audit_argv; | |
110 | int audit_arge; | |
111 | ||
112 | /* | |
113 | * Are we currently "failing stop" due to out of disk space? | |
114 | */ | |
115 | int audit_in_failure; | |
116 | ||
117 | /* | |
118 | * Global audit statistics. | |
119 | */ | |
120 | struct audit_fstat audit_fstat; | |
121 | ||
122 | /* | |
123 | * Preselection mask for non-attributable events. | |
124 | */ | |
125 | struct au_mask audit_nae_mask; | |
126 | ||
127 | /* | |
128 | * Mutex to protect global variables shared between various threads and | |
129 | * processes. | |
130 | */ | |
131 | struct mtx audit_mtx; | |
132 | ||
133 | /* | |
134 | * Queue of audit records ready for delivery to disk. We insert new records | |
135 | * at the tail, and remove records from the head. Also, a count of the | |
136 | * number of records used for checking queue depth. In addition, a counter | |
137 | * of records that we have allocated but are not yet in the queue, which is | |
138 | * needed to estimate the total size of the combined set of records | |
139 | * outstanding in the system. | |
140 | */ | |
141 | struct kaudit_queue audit_q; | |
142 | int audit_q_len; | |
143 | int audit_pre_q_len; | |
144 | ||
145 | /* | |
146 | * Audit queue control settings (minimum free, low/high water marks, etc.) | |
147 | */ | |
148 | struct au_qctrl audit_qctrl; | |
149 | ||
150 | /* | |
151 | * Condition variable to signal to the worker that it has work to do: either | |
152 | * new records are in the queue, or a log replacement is taking place. | |
153 | */ | |
154 | struct cv audit_worker_cv; | |
155 | ||
156 | /* | |
157 | * Condition variable to signal when the worker is done draining the audit | |
158 | * queue. | |
159 | */ | |
160 | struct cv audit_drain_cv; | |
161 | ||
162 | /* | |
163 | * Condition variable to flag when crossing the low watermark, meaning that | |
164 | * threads blocked due to hitting the high watermark can wake up and continue | |
165 | * to commit records. | |
166 | */ | |
167 | struct cv audit_watermark_cv; | |
168 | ||
169 | /* | |
170 | * Condition variable for auditing threads wait on when in fail-stop mode. | |
171 | * Threads wait on this CV forever (and ever), never seeing the light of day | |
172 | * again. | |
173 | */ | |
174 | static struct cv audit_fail_cv; | |
175 | ||
176 | static zone_t audit_record_zone; | |
177 | ||
178 | /* | |
179 | * Kernel audit information. This will store the current audit address | |
180 | * or host information that the kernel will use when it's generating | |
181 | * audit records. This data is modified by the A_GET{SET}KAUDIT auditon(2) | |
182 | * command. | |
183 | */ | |
184 | static struct auditinfo_addr audit_kinfo; | |
185 | static struct rwlock audit_kinfo_lock; | |
186 | ||
187 | #define KINFO_LOCK_INIT() rw_init(&audit_kinfo_lock, \ | |
188 | "audit_kinfo_lock") | |
189 | #define KINFO_RLOCK() rw_rlock(&audit_kinfo_lock) | |
190 | #define KINFO_WLOCK() rw_wlock(&audit_kinfo_lock) | |
191 | #define KINFO_RUNLOCK() rw_runlock(&audit_kinfo_lock) | |
192 | #define KINFO_WUNLOCK() rw_wunlock(&audit_kinfo_lock) | |
193 | ||
194 | void | |
195 | audit_set_kinfo(struct auditinfo_addr *ak) | |
196 | { | |
197 | ||
198 | KASSERT(ak->ai_termid.at_type == AU_IPv4 || | |
199 | ak->ai_termid.at_type == AU_IPv6, | |
200 | ("audit_set_kinfo: invalid address type")); | |
201 | ||
202 | KINFO_WLOCK(); | |
203 | bcopy(ak, &audit_kinfo, sizeof(audit_kinfo)); | |
204 | KINFO_WUNLOCK(); | |
205 | } | |
206 | ||
207 | void | |
208 | audit_get_kinfo(struct auditinfo_addr *ak) | |
209 | { | |
210 | ||
211 | KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 || | |
212 | audit_kinfo.ai_termid.at_type == AU_IPv6, | |
213 | ("audit_set_kinfo: invalid address type")); | |
214 | ||
215 | KINFO_RLOCK(); | |
216 | bcopy(&audit_kinfo, ak, sizeof(*ak)); | |
217 | KINFO_RUNLOCK(); | |
218 | } | |
219 | ||
220 | /* | |
221 | * Construct an audit record for the passed thread. | |
222 | */ | |
223 | static void | |
224 | audit_record_ctor(proc_t p, struct kaudit_record *ar) | |
225 | { | |
226 | kauth_cred_t cred; | |
227 | ||
228 | bzero(ar, sizeof(*ar)); | |
229 | ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; | |
230 | nanotime(&ar->k_ar.ar_starttime); | |
231 | ||
232 | if (PROC_NULL != p) { | |
233 | cred = kauth_cred_proc_ref(p); | |
234 | ||
235 | /* | |
236 | * Export the subject credential. | |
237 | */ | |
238 | cru2x(cred, &ar->k_ar.ar_subj_cred); | |
239 | ar->k_ar.ar_subj_ruid = kauth_cred_getruid(cred); | |
240 | ar->k_ar.ar_subj_rgid = kauth_cred_getrgid(cred); | |
241 | ar->k_ar.ar_subj_egid = kauth_cred_getgid(cred); | |
242 | ar->k_ar.ar_subj_pid = p->p_pid; | |
243 | ar->k_ar.ar_subj_auid = cred->cr_audit.as_aia_p->ai_auid; | |
244 | ar->k_ar.ar_subj_asid = cred->cr_audit.as_aia_p->ai_asid; | |
245 | bcopy(&cred->cr_audit.as_mask, &ar->k_ar.ar_subj_amask, | |
246 | sizeof(struct au_mask)); | |
247 | bcopy(&cred->cr_audit.as_aia_p->ai_termid, | |
248 | &ar->k_ar.ar_subj_term_addr, sizeof(struct au_tid_addr)); | |
249 | kauth_cred_unref(&cred); | |
250 | } | |
251 | } | |
252 | ||
253 | static void | |
254 | audit_record_dtor(struct kaudit_record *ar) | |
255 | { | |
256 | ||
257 | if (ar->k_ar.ar_arg_upath1 != NULL) | |
258 | free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); | |
259 | if (ar->k_ar.ar_arg_upath2 != NULL) | |
260 | free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); | |
261 | if (ar->k_ar.ar_arg_kpath1 != NULL) | |
262 | free(ar->k_ar.ar_arg_kpath1, M_AUDITPATH); | |
263 | if (ar->k_ar.ar_arg_kpath2 != NULL) | |
264 | free(ar->k_ar.ar_arg_kpath2, M_AUDITPATH); | |
265 | if (ar->k_ar.ar_arg_text != NULL) | |
266 | free(ar->k_ar.ar_arg_text, M_AUDITTEXT); | |
267 | if (ar->k_ar.ar_arg_opaque != NULL) | |
268 | free(ar->k_ar.ar_arg_opaque, M_AUDITDATA); | |
269 | if (ar->k_ar.ar_arg_data != NULL) | |
270 | free(ar->k_ar.ar_arg_data, M_AUDITDATA); | |
271 | if (ar->k_udata != NULL) | |
272 | free(ar->k_udata, M_AUDITDATA); | |
273 | if (ar->k_ar.ar_arg_argv != NULL) | |
274 | free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); | |
275 | if (ar->k_ar.ar_arg_envv != NULL) | |
276 | free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); | |
277 | } | |
278 | ||
279 | /* | |
280 | * Initialize the Audit subsystem: configuration state, work queue, | |
281 | * synchronization primitives, worker thread, and trigger device node. Also | |
282 | * call into the BSM assembly code to initialize it. | |
283 | */ | |
284 | void | |
285 | audit_init(void) | |
286 | { | |
287 | ||
288 | audit_enabled = 0; | |
289 | audit_syscalls = 0; | |
290 | audit_kevent_mask = 0; | |
291 | audit_suspended = 0; | |
292 | audit_panic_on_write_fail = 0; | |
293 | audit_fail_stop = 0; | |
294 | audit_in_failure = 0; | |
295 | audit_argv = 0; | |
296 | audit_arge = 0; | |
297 | ||
298 | audit_fstat.af_filesz = 0; /* '0' means unset, unbounded. */ | |
299 | audit_fstat.af_currsz = 0; | |
300 | audit_nae_mask.am_success = 0; | |
301 | audit_nae_mask.am_failure = 0; | |
302 | ||
303 | TAILQ_INIT(&audit_q); | |
304 | audit_q_len = 0; | |
305 | audit_pre_q_len = 0; | |
306 | audit_qctrl.aq_hiwater = AQ_HIWATER; | |
307 | audit_qctrl.aq_lowater = AQ_LOWATER; | |
308 | audit_qctrl.aq_bufsz = AQ_BUFSZ; | |
309 | audit_qctrl.aq_minfree = AU_FS_MINFREE; | |
310 | ||
311 | audit_kinfo.ai_termid.at_type = AU_IPv4; | |
312 | audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY; | |
313 | ||
314 | _audit_lck_grp_init(); | |
315 | mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); | |
316 | KINFO_LOCK_INIT(); | |
317 | cv_init(&audit_worker_cv, "audit_worker_cv"); | |
318 | cv_init(&audit_drain_cv, "audit_drain_cv"); | |
319 | cv_init(&audit_watermark_cv, "audit_watermark_cv"); | |
320 | cv_init(&audit_fail_cv, "audit_fail_cv"); | |
321 | ||
322 | audit_record_zone = zinit(sizeof(struct kaudit_record), | |
323 | AQ_HIWATER*sizeof(struct kaudit_record), 8192, "audit_zone"); | |
324 | #if CONFIG_MACF | |
325 | audit_mac_init(); | |
326 | #endif | |
327 | /* Init audit session subsystem. */ | |
328 | audit_session_init(); | |
329 | ||
330 | /* Initialize the BSM audit subsystem. */ | |
331 | kau_init(); | |
332 | ||
333 | /* audit_trigger_init(); */ | |
334 | ||
335 | /* Start audit worker thread. */ | |
336 | (void) audit_pipe_init(); | |
337 | ||
338 | /* Start audit worker thread. */ | |
339 | audit_worker_init(); | |
340 | } | |
341 | ||
342 | /* | |
343 | * Drain the audit queue and close the log at shutdown. Note that this can | |
344 | * be called both from the system shutdown path and also from audit | |
345 | * configuration syscalls, so 'arg' and 'howto' are ignored. | |
346 | */ | |
347 | void | |
348 | audit_shutdown(void) | |
349 | { | |
350 | ||
351 | audit_rotate_vnode(NULL, NULL); | |
352 | } | |
353 | ||
354 | /* | |
355 | * Return the current thread's audit record, if any. | |
356 | */ | |
357 | struct kaudit_record * | |
358 | currecord(void) | |
359 | { | |
360 | ||
361 | return (curthread()->uu_ar); | |
362 | } | |
363 | ||
364 | /* | |
365 | * XXXAUDIT: There are a number of races present in the code below due to | |
366 | * release and re-grab of the mutex. The code should be revised to become | |
367 | * slightly less racy. | |
368 | * | |
369 | * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available | |
370 | * pre_q space, suspending the system call until there is room? | |
371 | */ | |
372 | struct kaudit_record * | |
373 | audit_new(int event, proc_t p, __unused struct uthread *uthread) | |
374 | { | |
375 | struct kaudit_record *ar; | |
376 | int no_record; | |
377 | int audit_override; | |
378 | ||
379 | /* | |
380 | * Override the audit_suspended and audit_enabled if it always | |
381 | * audits session events. | |
382 | * | |
383 | * XXXss - This really needs to be a generalized call to a filter | |
384 | * interface so if other things that use the audit subsystem in the | |
385 | * future can simply plugged in. | |
386 | */ | |
387 | audit_override = (AUE_SESSION_START == event || | |
388 | AUE_SESSION_UPDATE == event || AUE_SESSION_END == event || | |
389 | AUE_SESSION_CLOSE == event); | |
390 | ||
391 | mtx_lock(&audit_mtx); | |
392 | no_record = (audit_suspended || !audit_enabled); | |
393 | mtx_unlock(&audit_mtx); | |
394 | if (!audit_override && no_record) | |
395 | return (NULL); | |
396 | ||
397 | /* | |
398 | * Initialize the audit record header. | |
399 | * XXX: We may want to fail-stop if allocation fails. | |
400 | * | |
401 | * Note: the number of outstanding uncommitted audit records is | |
402 | * limited to the number of concurrent threads servicing system calls | |
403 | * in the kernel. | |
404 | */ | |
405 | ar = zalloc(audit_record_zone); | |
406 | if (ar == NULL) | |
407 | return NULL; | |
408 | audit_record_ctor(p, ar); | |
409 | ar->k_ar.ar_event = event; | |
410 | ||
411 | #if CONFIG_MACF | |
412 | if (PROC_NULL != p) { | |
413 | if (audit_mac_new(p, ar) != 0) { | |
414 | zfree(audit_record_zone, ar); | |
415 | return (NULL); | |
416 | } | |
417 | } else | |
418 | ar->k_ar.ar_mac_records = NULL; | |
419 | #endif | |
420 | ||
421 | mtx_lock(&audit_mtx); | |
422 | audit_pre_q_len++; | |
423 | mtx_unlock(&audit_mtx); | |
424 | ||
425 | return (ar); | |
426 | } | |
427 | ||
428 | void | |
429 | audit_free(struct kaudit_record *ar) | |
430 | { | |
431 | ||
432 | audit_record_dtor(ar); | |
433 | #if CONFIG_MACF | |
434 | if (NULL != ar->k_ar.ar_mac_records) | |
435 | audit_mac_free(ar); | |
436 | #endif | |
437 | zfree(audit_record_zone, ar); | |
438 | } | |
439 | ||
440 | void | |
441 | audit_commit(struct kaudit_record *ar, int error, int retval) | |
442 | { | |
443 | au_event_t event; | |
444 | au_class_t class; | |
445 | au_id_t auid; | |
446 | int sorf; | |
447 | struct au_mask *aumask; | |
448 | int audit_override; | |
449 | ||
450 | if (ar == NULL) | |
451 | return; | |
452 | ||
453 | /* | |
454 | * Decide whether to commit the audit record by checking the error | |
455 | * value from the system call and using the appropriate audit mask. | |
456 | */ | |
457 | if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) | |
458 | aumask = &audit_nae_mask; | |
459 | else | |
460 | aumask = &ar->k_ar.ar_subj_amask; | |
461 | ||
462 | if (error) | |
463 | sorf = AU_PRS_FAILURE; | |
464 | else | |
465 | sorf = AU_PRS_SUCCESS; | |
466 | ||
467 | switch(ar->k_ar.ar_event) { | |
468 | case AUE_OPEN_RWTC: | |
469 | /* | |
470 | * The open syscall always writes a AUE_OPEN_RWTC event; | |
471 | * change it to the proper type of event based on the flags | |
472 | * and the error value. | |
473 | */ | |
474 | ar->k_ar.ar_event = audit_flags_and_error_to_openevent( | |
475 | ar->k_ar.ar_arg_fflags, error); | |
476 | break; | |
477 | ||
478 | case AUE_OPEN_EXTENDED_RWTC: | |
479 | /* | |
480 | * The open_extended syscall always writes a | |
481 | * AUE_OPEN_EXTENDEDRWTC event; change it to the proper type of | |
482 | * event based on the flags and the error value. | |
483 | */ | |
484 | ar->k_ar.ar_event = audit_flags_and_error_to_openextendedevent( | |
485 | ar->k_ar.ar_arg_fflags, error); | |
486 | break; | |
487 | ||
488 | case AUE_OPENAT_RWTC: | |
489 | /* | |
490 | * The openat syscall always writes a | |
491 | * AUE_OPENAT_RWTC event; change it to the proper type of | |
492 | * event based on the flags and the error value. | |
493 | */ | |
494 | ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( | |
495 | ar->k_ar.ar_arg_fflags, error); | |
496 | break; | |
497 | ||
498 | case AUE_OPENBYID_RWT: | |
499 | /* | |
500 | * The openbyid syscall always writes a | |
501 | * AUE_OPENBYID_RWT event; change it to the proper type of | |
502 | * event based on the flags and the error value. | |
503 | */ | |
504 | ar->k_ar.ar_event = audit_flags_and_error_to_openbyidevent( | |
505 | ar->k_ar.ar_arg_fflags, error); | |
506 | break; | |
507 | ||
508 | case AUE_SYSCTL: | |
509 | ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( | |
510 | ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); | |
511 | break; | |
512 | ||
513 | case AUE_AUDITON: | |
514 | /* Convert the auditon() command to an event. */ | |
515 | ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); | |
516 | break; | |
517 | ||
518 | case AUE_FCNTL: | |
519 | /* Convert some fcntl() commands to their own events. */ | |
520 | ar->k_ar.ar_event = audit_fcntl_command_event( | |
521 | ar->k_ar.ar_arg_cmd, ar->k_ar.ar_arg_fflags, error); | |
522 | break; | |
523 | } | |
524 | ||
525 | auid = ar->k_ar.ar_subj_auid; | |
526 | event = ar->k_ar.ar_event; | |
527 | class = au_event_class(event); | |
528 | ||
529 | /* | |
530 | * See if we need to override the audit_suspend and audit_enabled | |
531 | * flags. | |
532 | * | |
533 | * XXXss - This check needs to be generalized so new filters can | |
534 | * easily be added. | |
535 | */ | |
536 | audit_override = (AUE_SESSION_START == event || | |
537 | AUE_SESSION_UPDATE == event || AUE_SESSION_END == event || | |
538 | AUE_SESSION_CLOSE == event); | |
539 | ||
540 | ar->k_ar_commit |= AR_COMMIT_KERNEL; | |
541 | if (au_preselect(event, class, aumask, sorf) != 0) | |
542 | ar->k_ar_commit |= AR_PRESELECT_TRAIL; | |
543 | if (audit_pipe_preselect(auid, event, class, sorf, | |
544 | ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) | |
545 | ar->k_ar_commit |= AR_PRESELECT_PIPE; | |
546 | if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE | | |
547 | AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE | | |
548 | AR_PRESELECT_FILTER)) == 0) { | |
549 | mtx_lock(&audit_mtx); | |
550 | audit_pre_q_len--; | |
551 | mtx_unlock(&audit_mtx); | |
552 | audit_free(ar); | |
553 | return; | |
554 | } | |
555 | ||
556 | ar->k_ar.ar_errno = error; | |
557 | ar->k_ar.ar_retval = retval; | |
558 | nanotime(&ar->k_ar.ar_endtime); | |
559 | ||
560 | /* | |
561 | * Note: it could be that some records initiated while audit was | |
562 | * enabled should still be committed? | |
563 | */ | |
564 | mtx_lock(&audit_mtx); | |
565 | if (!audit_override && (audit_suspended || !audit_enabled)) { | |
566 | audit_pre_q_len--; | |
567 | mtx_unlock(&audit_mtx); | |
568 | audit_free(ar); | |
569 | return; | |
570 | } | |
571 | ||
572 | /* | |
573 | * Constrain the number of committed audit records based on the | |
574 | * configurable parameter. | |
575 | */ | |
576 | while (audit_q_len >= audit_qctrl.aq_hiwater) | |
577 | cv_wait(&audit_watermark_cv, &audit_mtx); | |
578 | ||
579 | TAILQ_INSERT_TAIL(&audit_q, ar, k_q); | |
580 | audit_q_len++; | |
581 | audit_pre_q_len--; | |
582 | cv_signal(&audit_worker_cv); | |
583 | mtx_unlock(&audit_mtx); | |
584 | } | |
585 | ||
586 | /* | |
587 | * audit_syscall_enter() is called on entry to each system call. It is | |
588 | * responsible for deciding whether or not to audit the call (preselection), | |
589 | * and if so, allocating a per-thread audit record. audit_new() will fill in | |
590 | * basic thread/credential properties. | |
591 | */ | |
592 | void | |
593 | audit_syscall_enter(unsigned int code, proc_t proc, struct uthread *uthread) | |
594 | { | |
595 | struct au_mask *aumask; | |
596 | au_class_t class; | |
597 | au_event_t event; | |
598 | au_id_t auid; | |
599 | kauth_cred_t cred; | |
600 | ||
601 | /* | |
602 | * In FreeBSD, each ABI has its own system call table, and hence | |
603 | * mapping of system call codes to audit events. Convert the code to | |
604 | * an audit event identifier using the process system call table | |
605 | * reference. In Darwin, there's only one, so we use the global | |
606 | * symbol for the system call table. No audit record is generated | |
607 | * for bad system calls, as no operation has been performed. | |
608 | * | |
609 | * In Mac OS X, the audit events are stored in a table seperate from | |
610 | * the syscall table(s). This table is generated by makesyscalls.sh | |
611 | * from syscalls.master and stored in audit_kevents.c. | |
612 | */ | |
613 | if (code > nsysent) | |
614 | return; | |
615 | event = sys_au_event[code]; | |
616 | if (event == AUE_NULL) | |
617 | return; | |
618 | ||
619 | KASSERT(uthread->uu_ar == NULL, | |
620 | ("audit_syscall_enter: uthread->uu_ar != NULL")); | |
621 | ||
622 | /* | |
623 | * Check which audit mask to use; either the kernel non-attributable | |
624 | * event mask or the process audit mask. | |
625 | */ | |
626 | cred = kauth_cred_proc_ref(proc); | |
627 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
628 | if (auid == AU_DEFAUDITID) | |
629 | aumask = &audit_nae_mask; | |
630 | else | |
631 | aumask = &cred->cr_audit.as_mask; | |
632 | ||
633 | /* | |
634 | * Allocate an audit record, if preselection allows it, and store in | |
635 | * the thread for later use. | |
636 | */ | |
637 | class = au_event_class(event); | |
638 | #if CONFIG_MACF | |
639 | /* | |
640 | * Note: audit_mac_syscall_enter() may call audit_new() and allocate | |
641 | * memory for the audit record (uu_ar). | |
642 | */ | |
643 | if (audit_mac_syscall_enter(code, proc, uthread, cred, event) == 0) | |
644 | goto out; | |
645 | #endif | |
646 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { | |
647 | /* | |
648 | * If we're out of space and need to suspend unprivileged | |
649 | * processes, do that here rather than trying to allocate | |
650 | * another audit record. | |
651 | * | |
652 | * Note: we might wish to be able to continue here in the | |
653 | * future, if the system recovers. That should be possible | |
654 | * by means of checking the condition in a loop around | |
655 | * cv_wait(). It might be desirable to reevaluate whether an | |
656 | * audit record is still required for this event by | |
657 | * re-calling au_preselect(). | |
658 | */ | |
659 | if (audit_in_failure && | |
660 | suser(cred, &proc->p_acflag) != 0) { | |
661 | cv_wait(&audit_fail_cv, &audit_mtx); | |
662 | panic("audit_failing_stop: thread continued"); | |
663 | } | |
664 | if (uthread->uu_ar == NULL) | |
665 | uthread->uu_ar = audit_new(event, proc, uthread); | |
666 | } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { | |
667 | if (uthread->uu_ar == NULL) | |
668 | uthread->uu_ar = audit_new(event, proc, uthread); | |
669 | } | |
670 | ||
671 | out: | |
672 | kauth_cred_unref(&cred); | |
673 | } | |
674 | ||
675 | /* | |
676 | * audit_syscall_exit() is called from the return of every system call, or in | |
677 | * the event of exit1(), during the execution of exit1(). It is responsible | |
678 | * for committing the audit record, if any, along with return condition. | |
679 | * | |
680 | * Note: The audit_syscall_exit() parameter list was modified to support | |
681 | * mac_audit_check_postselect(), which requires the syscall number. | |
682 | */ | |
683 | #if CONFIG_MACF | |
684 | void | |
685 | audit_syscall_exit(unsigned int code, int error, __unused proc_t proc, | |
686 | struct uthread *uthread) | |
687 | #else | |
688 | void | |
689 | audit_syscall_exit(int error, __unsed proc_t proc, struct uthread *uthread) | |
690 | #endif | |
691 | { | |
692 | int retval; | |
693 | ||
694 | /* | |
695 | * Commit the audit record as desired; once we pass the record into | |
696 | * audit_commit(), the memory is owned by the audit subsystem. The | |
697 | * return value from the system call is stored on the user thread. | |
698 | * If there was an error, the return value is set to -1, imitating | |
699 | * the behavior of the cerror routine. | |
700 | */ | |
701 | if (error) | |
702 | retval = -1; | |
703 | else | |
704 | retval = uthread->uu_rval[0]; | |
705 | ||
706 | #if CONFIG_MACF | |
707 | if (audit_mac_syscall_exit(code, uthread, error, retval) != 0) | |
708 | goto out; | |
709 | #endif | |
710 | audit_commit(uthread->uu_ar, error, retval); | |
711 | ||
712 | out: | |
713 | uthread->uu_ar = NULL; | |
714 | } | |
715 | ||
716 | /* | |
717 | * Calls to set up and tear down audit structures used during Mach system | |
718 | * calls. | |
719 | */ | |
720 | void | |
721 | audit_mach_syscall_enter(unsigned short event) | |
722 | { | |
723 | struct uthread *uthread; | |
724 | proc_t proc; | |
725 | struct au_mask *aumask; | |
726 | kauth_cred_t cred; | |
727 | au_class_t class; | |
728 | au_id_t auid; | |
729 | ||
730 | if (event == AUE_NULL) | |
731 | return; | |
732 | ||
733 | uthread = curthread(); | |
734 | if (uthread == NULL) | |
735 | return; | |
736 | ||
737 | proc = current_proc(); | |
738 | if (proc == NULL) | |
739 | return; | |
740 | ||
741 | KASSERT(uthread->uu_ar == NULL, | |
742 | ("audit_mach_syscall_enter: uthread->uu_ar != NULL")); | |
743 | ||
744 | cred = kauth_cred_proc_ref(proc); | |
745 | auid = cred->cr_audit.as_aia_p->ai_auid; | |
746 | ||
747 | /* | |
748 | * Check which audit mask to use; either the kernel non-attributable | |
749 | * event mask or the process audit mask. | |
750 | */ | |
751 | if (auid == AU_DEFAUDITID) | |
752 | aumask = &audit_nae_mask; | |
753 | else | |
754 | aumask = &cred->cr_audit.as_mask; | |
755 | ||
756 | /* | |
757 | * Allocate an audit record, if desired, and store in the BSD thread | |
758 | * for later use. | |
759 | */ | |
760 | class = au_event_class(event); | |
761 | if (au_preselect(event, class, aumask, AU_PRS_BOTH)) | |
762 | uthread->uu_ar = audit_new(event, proc, uthread); | |
763 | else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) | |
764 | uthread->uu_ar = audit_new(event, proc, uthread); | |
765 | else | |
766 | uthread->uu_ar = NULL; | |
767 | ||
768 | kauth_cred_unref(&cred); | |
769 | } | |
770 | ||
771 | void | |
772 | audit_mach_syscall_exit(int retval, struct uthread *uthread) | |
773 | { | |
774 | /* | |
775 | * The error code from Mach system calls is the same as the | |
776 | * return value | |
777 | */ | |
778 | /* XXX Is the above statement always true? */ | |
779 | audit_commit(uthread->uu_ar, retval, retval); | |
780 | uthread->uu_ar = NULL; | |
781 | } | |
782 | ||
783 | /* | |
784 | * kau_will_audit can be used by a security policy to determine | |
785 | * if an audit record will be stored, reducing wasted memory allocation | |
786 | * and string handling. | |
787 | */ | |
788 | int | |
789 | kau_will_audit(void) | |
790 | { | |
791 | ||
792 | return (audit_enabled && currecord() != NULL); | |
793 | } | |
794 | ||
795 | #if CONFIG_COREDUMP | |
796 | void | |
797 | audit_proc_coredump(proc_t proc, char *path, int errcode) | |
798 | { | |
799 | struct kaudit_record *ar; | |
800 | struct au_mask *aumask; | |
801 | au_class_t class; | |
802 | int ret, sorf; | |
803 | char **pathp; | |
804 | au_id_t auid; | |
805 | kauth_cred_t my_cred; | |
806 | struct uthread *uthread; | |
807 | ||
808 | ret = 0; | |
809 | ||
810 | /* | |
811 | * Make sure we are using the correct preselection mask. | |
812 | */ | |
813 | my_cred = kauth_cred_proc_ref(proc); | |
814 | auid = my_cred->cr_audit.as_aia_p->ai_auid; | |
815 | if (auid == AU_DEFAUDITID) | |
816 | aumask = &audit_nae_mask; | |
817 | else | |
818 | aumask = &my_cred->cr_audit.as_mask; | |
819 | kauth_cred_unref(&my_cred); | |
820 | /* | |
821 | * It's possible for coredump(9) generation to fail. Make sure that | |
822 | * we handle this case correctly for preselection. | |
823 | */ | |
824 | if (errcode != 0) | |
825 | sorf = AU_PRS_FAILURE; | |
826 | else | |
827 | sorf = AU_PRS_SUCCESS; | |
828 | class = au_event_class(AUE_CORE); | |
829 | if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 && | |
830 | audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0) | |
831 | return; | |
832 | /* | |
833 | * If we are interested in seeing this audit record, allocate it. | |
834 | * Where possible coredump records should contain a pathname and arg32 | |
835 | * (signal) tokens. | |
836 | */ | |
837 | uthread = curthread(); | |
838 | ar = audit_new(AUE_CORE, proc, uthread); | |
839 | if (path != NULL) { | |
840 | pathp = &ar->k_ar.ar_arg_upath1; | |
841 | *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); | |
842 | if (audit_canon_path(vfs_context_cwd(vfs_context_current()), path, | |
843 | *pathp)) | |
844 | free(*pathp, M_AUDITPATH); | |
845 | else | |
846 | ARG_SET_VALID(ar, ARG_UPATH1); | |
847 | } | |
848 | ar->k_ar.ar_arg_signum = proc->p_sigacts->ps_sig; | |
849 | ARG_SET_VALID(ar, ARG_SIGNUM); | |
850 | if (errcode != 0) | |
851 | ret = 1; | |
852 | audit_commit(ar, errcode, ret); | |
853 | } | |
854 | #endif /* CONFIG_COREDUMP */ | |
855 | #endif /* CONFIG_AUDIT */ |