bsd/security/audit/audit_mac.c

   1 /*-
   2  * Copyright (c) 1999-2008 Apple Inc.
   3  * All rights reserved.
   4  *
   5  * @APPLE_BSD_LICENSE_HEADER_START@
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1.  Redistributions of source code must retain the above copyright
  11  *     notice, this list of conditions and the following disclaimer.
  12  * 2.  Redistributions in binary form must reproduce the above copyright
  13  *     notice, this list of conditions and the following disclaimer in the
  14  *     documentation and/or other materials provided with the distribution.
  15  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  16  *     its contributors may be used to endorse or promote products derived
  17  *     from this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
  23  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  27  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  28  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  *
  31  * @APPLE_BSD_LICENSE_HEADER_END@
  32  */
  33 /*
  34  * NOTICE: This file was modified by McAfee Research in 2004 to introduce
  35  * support for mandatory and extensible security protections.  This notice
  36  * is included in support of clause 2.2 (b) of the Apple Public License,
  37  * Version 2.0.
  38  */
  39
  40 #include <sys/kernel.h>
  41 #include <sys/proc.h>
  42 #include <sys/kauth.h>
  43 #include <sys/queue.h>
  44 #include <sys/systm.h>
  45
  46 #include <bsm/audit.h>
  47 #include <bsm/audit_internal.h>
  48 #include <bsm/audit_kevents.h>
  49
  50 #include <security/audit/audit.h>
  51 #include <security/audit/audit_private.h>
  52
  53 #include <mach/host_priv.h>
  54 #include <mach/host_special_ports.h>
  55 #include <mach/audit_triggers_server.h>
  56
  57 #include <kern/host.h>
  58 #include <kern/kalloc.h>
  59 #include <kern/zalloc.h>
  60 #include <kern/lock.h>
  61 #include <kern/wait_queue.h>
  62 #include <kern/sched_prim.h>
  63
  64 #if CONFIG_AUDIT
  65
  66 #if CONFIG_MACF
  67 #include <bsm/audit_record.h>
  68 #include <security/mac.h>
  69 #include <security/mac_framework.h>
  70 #include <security/mac_policy.h>
  71 #define MAC_ARG_PREFIX "arg: "
  72 #define MAC_ARG_PREFIX_LEN 5
  73
  74 zone_t          audit_mac_label_zone;
  75 extern zone_t   mac_audit_data_zone;
  76
  77 void
  78 audit_mac_init(void)
  79 {
  80         /* Assume 3 MAC labels for each audit record: two for vnodes,
  81          * one for creds.
  82          */
  83         audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
  84             AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
  85 }
  86
  87 int
  88 audit_mac_new(proc_t p, struct kaudit_record *ar)
  89 {
  90         struct mac mac;
  91
  92         /*
  93          * Retrieve the MAC labels for the process.
  94          */
  95         ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
  96         if (ar->k_ar.ar_cred_mac_labels == NULL)
  97                 return (1);
  98         mac.m_buflen = MAC_AUDIT_LABEL_LEN;
  99         mac.m_string = ar->k_ar.ar_cred_mac_labels;
 100         mac_cred_label_externalize_audit(p, &mac);
 101
 102         /*
 103          * grab space for the reconds.
 104          */
 105         ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
 106             kalloc(sizeof(*ar->k_ar.ar_mac_records));
 107         if (ar->k_ar.ar_mac_records == NULL) {
 108                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 109                 return (1);
 110         }
 111         LIST_INIT(ar->k_ar.ar_mac_records);
 112         ar->k_ar.ar_forced_by_mac = 0;
 113
 114         return (0);
 115 }
 116
 117 void
 118 audit_mac_free(struct kaudit_record *ar)
 119 {
 120         struct mac_audit_record *head, *next;
 121
 122         if (ar->k_ar.ar_vnode1_mac_labels != NULL)
 123                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
 124         if (ar->k_ar.ar_vnode2_mac_labels != NULL)
 125                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
 126         if (ar->k_ar.ar_cred_mac_labels != NULL)
 127                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 128         if (ar->k_ar.ar_arg_mac_string != NULL)
 129                 kfree(ar->k_ar.ar_arg_mac_string,
 130                     MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 131
 132         /*
 133          * Free the audit data from the MAC policies.
 134          */
 135         head = LIST_FIRST(ar->k_ar.ar_mac_records);
 136         while (head != NULL) {
 137                 next = LIST_NEXT(head, records);
 138                 zfree(mac_audit_data_zone, head->data);
 139                 kfree(head, sizeof(*head));
 140                 head = next;
 141         }
 142         kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
 143 }
 144
 145 int
 146 audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
 147     kauth_cred_t my_cred, au_event_t event)
 148 {
 149         int error;
 150
 151         error = mac_audit_check_preselect(my_cred, code,
 152              (void *)uthread->uu_arg);
 153         if (error == MAC_AUDIT_YES) {
 154                 uthread->uu_ar = audit_new(event, p, uthread);
 155                 uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
 156                 au_to_text("Forced by a MAC policy");
 157                 return (1);
 158         } else if (error == MAC_AUDIT_NO) {
 159                 return (0);
 160         } else if (error == MAC_AUDIT_DEFAULT) {
 161                 return (1);
 162         }
 163
 164         return (0);
 165 }
 166
 167 int
 168 audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
 169     int retval)
 170 {
 171         int mac_error;
 172
 173         if (uthread->uu_ar == NULL)  /* syscall wasn't audited */
 174                 return (1);
 175
 176         /*
 177          * Note, no other postselect mechanism exists.  If
 178          * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
 179          * suppressed.  Other values at this point result in the audit record
 180          * being committed.  This suppression behavior will probably go away in
 181          * the port to 10.3.4.
 182          */
 183         mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
 184             (void *) uthread->uu_arg, error, retval,
 185             uthread->uu_ar->k_ar.ar_forced_by_mac);
 186
 187         if (mac_error == MAC_AUDIT_YES)
 188                 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
 189         else if (mac_error == MAC_AUDIT_NO) {
 190                 audit_free(uthread->uu_ar);
 191                 return (1);
 192         }
 193         return (0);
 194 }
 195
 196 /*
 197  * This function is called by the MAC Framework to add audit data
 198  * from a policy to the current audit record.
 199  */
 200 int
 201 audit_mac_data(int type, int len, u_char *data) {
 202         struct kaudit_record *cur;
 203         struct mac_audit_record *record;
 204
 205         if (audit_enabled == 0) {
 206                 kfree(data, len);
 207                 return (ENOTSUP);
 208         }
 209
 210         cur = currecord();
 211         if (cur == NULL) {
 212                 kfree(data, len);
 213                 return (ENOTSUP);
 214         }
 215
 216         /*
 217          * XXX: Note that we silently drop the audit data if this
 218          * allocation fails - this is consistent with the rest of the
 219          * audit implementation.
 220          */
 221         record = kalloc(sizeof(*record));
 222         if (record == NULL) {
 223                 kfree(data, len);
 224                 return (0);
 225         }
 226
 227         record->type = type;
 228         record->length = len;
 229         record->data = data;
 230         LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
 231
 232         return (0);
 233 }
 234
 235 void
 236 audit_arg_mac_string(struct kaudit_record *ar, char *string)
 237 {
 238
 239         if (ar->k_ar.ar_arg_mac_string == NULL)
 240                 ar->k_ar.ar_arg_mac_string =
 241                         kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 242
 243         /*
 244          * XXX This should be a rare event. If kalloc() returns NULL,
 245          * the system is low on kernel virtual memory. To be
 246          * consistent with the rest of audit, just return
 247          * (may need to panic if required to for audit).
 248          */
 249         if (ar->k_ar.ar_arg_mac_string == NULL)
 250                 if (ar->k_ar.ar_arg_mac_string == NULL)
 251                         return;
 252
 253         strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
 254             MAC_ARG_PREFIX_LEN);
 255         strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
 256             MAC_MAX_LABEL_BUF_LEN);
 257         ARG_SET_VALID(ar, ARG_MAC_STRING);
 258 }
 259 #endif  /* MAC */
 260
 261 #endif /* CONFIG_AUDIT */