]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_mac.c
xnu-1504.15.3.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_mac.c
1 /*-
2 * Copyright (c) 1999-2008 Apple Inc.
3 * All rights reserved.
4 *
5 * @APPLE_BSD_LICENSE_HEADER_START@
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
16 * its contributors may be used to endorse or promote products derived
17 * from this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
23 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
28 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 *
31 * @APPLE_BSD_LICENSE_HEADER_END@
32 */
33 /*
34 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
35 * support for mandatory and extensible security protections. This notice
36 * is included in support of clause 2.2 (b) of the Apple Public License,
37 * Version 2.0.
38 */
39
40 #include <sys/kernel.h>
41 #include <sys/proc.h>
42 #include <sys/kauth.h>
43 #include <sys/queue.h>
44 #include <sys/systm.h>
45
46 #include <bsm/audit.h>
47 #include <bsm/audit_internal.h>
48 #include <bsm/audit_kevents.h>
49
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52
53 #include <mach/host_priv.h>
54 #include <mach/host_special_ports.h>
55 #include <mach/audit_triggers_server.h>
56
57 #include <kern/host.h>
58 #include <kern/kalloc.h>
59 #include <kern/zalloc.h>
60 #include <kern/lock.h>
61 #include <kern/wait_queue.h>
62 #include <kern/sched_prim.h>
63
64 #if CONFIG_AUDIT
65
66 #if CONFIG_MACF
67 #include <bsm/audit_record.h>
68 #include <security/mac.h>
69 #include <security/mac_framework.h>
70 #include <security/mac_policy.h>
71 #define MAC_ARG_PREFIX "arg: "
72 #define MAC_ARG_PREFIX_LEN 5
73
74 zone_t audit_mac_label_zone;
75 extern zone_t mac_audit_data_zone;
76
77 void
78 audit_mac_init(void)
79 {
80 /* Assume 3 MAC labels for each audit record: two for vnodes,
81 * one for creds.
82 */
83 audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
84 AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
85 }
86
87 int
88 audit_mac_new(proc_t p, struct kaudit_record *ar)
89 {
90 struct mac mac;
91
92 /*
93 * Retrieve the MAC labels for the process.
94 */
95 ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
96 if (ar->k_ar.ar_cred_mac_labels == NULL)
97 return (1);
98 mac.m_buflen = MAC_AUDIT_LABEL_LEN;
99 mac.m_string = ar->k_ar.ar_cred_mac_labels;
100 mac_cred_label_externalize_audit(p, &mac);
101
102 /*
103 * grab space for the reconds.
104 */
105 ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
106 kalloc(sizeof(*ar->k_ar.ar_mac_records));
107 if (ar->k_ar.ar_mac_records == NULL) {
108 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
109 return (1);
110 }
111 LIST_INIT(ar->k_ar.ar_mac_records);
112 ar->k_ar.ar_forced_by_mac = 0;
113
114 return (0);
115 }
116
117 void
118 audit_mac_free(struct kaudit_record *ar)
119 {
120 struct mac_audit_record *head, *next;
121
122 if (ar->k_ar.ar_vnode1_mac_labels != NULL)
123 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
124 if (ar->k_ar.ar_vnode2_mac_labels != NULL)
125 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
126 if (ar->k_ar.ar_cred_mac_labels != NULL)
127 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
128 if (ar->k_ar.ar_arg_mac_string != NULL)
129 kfree(ar->k_ar.ar_arg_mac_string,
130 MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
131
132 /*
133 * Free the audit data from the MAC policies.
134 */
135 head = LIST_FIRST(ar->k_ar.ar_mac_records);
136 while (head != NULL) {
137 next = LIST_NEXT(head, records);
138 zfree(mac_audit_data_zone, head->data);
139 kfree(head, sizeof(*head));
140 head = next;
141 }
142 kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
143 }
144
145 int
146 audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
147 kauth_cred_t my_cred, au_event_t event)
148 {
149 int error;
150
151 error = mac_audit_check_preselect(my_cred, code,
152 (void *)uthread->uu_arg);
153 if (error == MAC_AUDIT_YES) {
154 uthread->uu_ar = audit_new(event, p, uthread);
155 uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
156 au_to_text("Forced by a MAC policy");
157 return (1);
158 } else if (error == MAC_AUDIT_NO) {
159 return (0);
160 } else if (error == MAC_AUDIT_DEFAULT) {
161 return (1);
162 }
163
164 return (0);
165 }
166
167 int
168 audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
169 int retval)
170 {
171 int mac_error;
172
173 if (uthread->uu_ar == NULL) /* syscall wasn't audited */
174 return (1);
175
176 /*
177 * Note, no other postselect mechanism exists. If
178 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
179 * suppressed. Other values at this point result in the audit record
180 * being committed. This suppression behavior will probably go away in
181 * the port to 10.3.4.
182 */
183 mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
184 (void *) uthread->uu_arg, error, retval,
185 uthread->uu_ar->k_ar.ar_forced_by_mac);
186
187 if (mac_error == MAC_AUDIT_YES)
188 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
189 else if (mac_error == MAC_AUDIT_NO) {
190 audit_free(uthread->uu_ar);
191 return (1);
192 }
193 return (0);
194 }
195
196 /*
197 * This function is called by the MAC Framework to add audit data
198 * from a policy to the current audit record.
199 */
200 int
201 audit_mac_data(int type, int len, u_char *data) {
202 struct kaudit_record *cur;
203 struct mac_audit_record *record;
204
205 if (audit_enabled == 0) {
206 kfree(data, len);
207 return (ENOTSUP);
208 }
209
210 cur = currecord();
211 if (cur == NULL) {
212 kfree(data, len);
213 return (ENOTSUP);
214 }
215
216 /*
217 * XXX: Note that we silently drop the audit data if this
218 * allocation fails - this is consistent with the rest of the
219 * audit implementation.
220 */
221 record = kalloc(sizeof(*record));
222 if (record == NULL) {
223 kfree(data, len);
224 return (0);
225 }
226
227 record->type = type;
228 record->length = len;
229 record->data = data;
230 LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
231
232 return (0);
233 }
234
235 void
236 audit_arg_mac_string(struct kaudit_record *ar, char *string)
237 {
238
239 if (ar->k_ar.ar_arg_mac_string == NULL)
240 ar->k_ar.ar_arg_mac_string =
241 kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
242
243 /*
244 * XXX This should be a rare event. If kalloc() returns NULL,
245 * the system is low on kernel virtual memory. To be
246 * consistent with the rest of audit, just return
247 * (may need to panic if required to for audit).
248 */
249 if (ar->k_ar.ar_arg_mac_string == NULL)
250 if (ar->k_ar.ar_arg_mac_string == NULL)
251 return;
252
253 strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
254 MAC_ARG_PREFIX_LEN);
255 strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
256 MAC_MAX_LABEL_BUF_LEN);
257 ARG_SET_VALID(ar, ARG_MAC_STRING);
258 }
259 #endif /* MAC */
260
261 #endif /* CONFIG_AUDIT */