bsd/security/audit/audit_mac.c

   1 /*-
   2  * Copyright (c) 1999-2020 Apple Inc.
   3  * All rights reserved.
   4  *
   5  * @APPLE_BSD_LICENSE_HEADER_START@
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1.  Redistributions of source code must retain the above copyright
  11  *     notice, this list of conditions and the following disclaimer.
  12  * 2.  Redistributions in binary form must reproduce the above copyright
  13  *     notice, this list of conditions and the following disclaimer in the
  14  *     documentation and/or other materials provided with the distribution.
  15  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  16  *     its contributors may be used to endorse or promote products derived
  17  *     from this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
  23  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  27  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  28  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  *
  31  * @APPLE_BSD_LICENSE_HEADER_END@
  32  */
  33 /*
  34  * NOTICE: This file was modified by McAfee Research in 2004 to introduce
  35  * support for mandatory and extensible security protections.  This notice
  36  * is included in support of clause 2.2 (b) of the Apple Public License,
  37  * Version 2.0.
  38  */
  39
  40 #include <sys/kernel.h>
  41 #include <sys/proc.h>
  42 #include <sys/kauth.h>
  43 #include <sys/queue.h>
  44 #include <sys/systm.h>
  45
  46 #include <bsm/audit.h>
  47 #include <bsm/audit_internal.h>
  48 #include <bsm/audit_kevents.h>
  49
  50 #include <security/audit/audit.h>
  51 #include <security/audit/audit_private.h>
  52
  53 #include <mach/host_priv.h>
  54 #include <mach/host_special_ports.h>
  55 #include <mach/audit_triggers_server.h>
  56
  57 #include <kern/host.h>
  58 #include <kern/zalloc.h>
  59 #include <kern/sched_prim.h>
  60
  61 #if CONFIG_AUDIT
  62
  63 #if CONFIG_MACF
  64 #include <bsm/audit_record.h>
  65 #include <security/mac.h>
  66 #include <security/mac_framework.h>
  67 #include <security/mac_policy.h>
  68 #define MAC_ARG_PREFIX "arg: "
  69 #define MAC_ARG_PREFIX_LEN 5
  70
  71 ZONE_DECLARE(audit_mac_label_zone, "audit_mac_label_zone",
  72     MAC_AUDIT_LABEL_LEN, ZC_NONE);
  73
  74 int
  75 audit_mac_new(proc_t p, struct kaudit_record *ar)
  76 {
  77         struct mac mac;
  78
  79         /*
  80          * Retrieve the MAC labels for the process.
  81          */
  82         ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
  83         if (ar->k_ar.ar_cred_mac_labels == NULL) {
  84                 return 1;
  85         }
  86         mac.m_buflen = MAC_AUDIT_LABEL_LEN;
  87         mac.m_string = ar->k_ar.ar_cred_mac_labels;
  88         if (mac_cred_label_externalize_audit(p, &mac)) {
  89                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
  90                 return 1;
  91         }
  92
  93         /*
  94          * grab space for the reconds.
  95          */
  96         ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
  97             kheap_alloc(KHEAP_AUDIT, sizeof(*ar->k_ar.ar_mac_records), Z_WAITOK);
  98         if (ar->k_ar.ar_mac_records == NULL) {
  99                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 100                 return 1;
 101         }
 102         LIST_INIT(ar->k_ar.ar_mac_records);
 103         ar->k_ar.ar_forced_by_mac = 0;
 104
 105         return 0;
 106 }
 107
 108 void
 109 audit_mac_free(struct kaudit_record *ar)
 110 {
 111         struct mac_audit_record *head, *next;
 112
 113         if (ar->k_ar.ar_vnode1_mac_labels != NULL) {
 114                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
 115         }
 116         if (ar->k_ar.ar_vnode2_mac_labels != NULL) {
 117                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
 118         }
 119         if (ar->k_ar.ar_cred_mac_labels != NULL) {
 120                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 121         }
 122         if (ar->k_ar.ar_arg_mac_string != NULL) {
 123                 kheap_free(KHEAP_AUDIT, ar->k_ar.ar_arg_mac_string,
 124                     MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 125         }
 126
 127         /*
 128          * Free the audit data from the MAC policies.
 129          */
 130         head = LIST_FIRST(ar->k_ar.ar_mac_records);
 131         while (head != NULL) {
 132                 next = LIST_NEXT(head, records);
 133                 zfree(mac_audit_data_zone, head->data);
 134                 kheap_free(KHEAP_AUDIT, head, sizeof(*head));
 135                 head = next;
 136         }
 137         kheap_free(KHEAP_AUDIT, ar->k_ar.ar_mac_records,
 138             sizeof(*ar->k_ar.ar_mac_records));
 139 }
 140
 141 int
 142 audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
 143     kauth_cred_t my_cred, au_event_t event)
 144 {
 145         int error;
 146
 147         error = mac_audit_check_preselect(my_cred, code,
 148             (void *)uthread->uu_arg);
 149         if (error == MAC_AUDIT_YES) {
 150                 uthread->uu_ar = audit_new(event, p, uthread);
 151                 if (uthread->uu_ar) {
 152                         uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
 153                 }
 154                 return 1;
 155         } else if (error == MAC_AUDIT_NO) {
 156                 return 0;
 157         } else if (error == MAC_AUDIT_DEFAULT) {
 158                 return 1;
 159         }
 160
 161         return 0;
 162 }
 163
 164 int
 165 audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
 166     int retval)
 167 {
 168         int mac_error;
 169
 170         if (uthread->uu_ar == NULL) { /* syscall wasn't audited */
 171                 return 1;
 172         }
 173
 174         /*
 175          * Note, no other postselect mechanism exists.  If
 176          * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
 177          * suppressed.  Other values at this point result in the audit record
 178          * being committed.  This suppression behavior will probably go away in
 179          * the port to 10.3.4.
 180          */
 181         mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
 182             (void *) uthread->uu_arg, error, retval,
 183             uthread->uu_ar->k_ar.ar_forced_by_mac);
 184
 185         if (mac_error == MAC_AUDIT_YES) {
 186                 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
 187         } else if (mac_error == MAC_AUDIT_NO) {
 188                 audit_free(uthread->uu_ar);
 189                 return 1;
 190         }
 191         return 0;
 192 }
 193
 194 /*
 195  * This function is called by the MAC Framework to add audit data
 196  * from a policy to the current audit record.
 197  */
 198 int
 199 audit_mac_data(int type, int len, u_char *data)
 200 {
 201         struct kaudit_record *cur;
 202         struct mac_audit_record *record;
 203
 204         if (audit_enabled == 0) {
 205                 zfree(mac_audit_data_zone, data);
 206                 return ENOTSUP;
 207         }
 208
 209         cur = currecord();
 210         if (cur == NULL) {
 211                 zfree(mac_audit_data_zone, data);
 212                 return ENOTSUP;
 213         }
 214
 215         /*
 216          * XXX: Note that we silently drop the audit data if this
 217          * allocation fails - this is consistent with the rest of the
 218          * audit implementation.
 219          */
 220         record = kheap_alloc(KHEAP_AUDIT, sizeof(*record), Z_WAITOK);
 221         if (record == NULL) {
 222                 zfree(mac_audit_data_zone, data);
 223                 return 0;
 224         }
 225
 226         record->type = type;
 227         record->length = len;
 228         record->data = data;
 229         LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
 230
 231         return 0;
 232 }
 233
 234 void
 235 audit_arg_mac_string(struct kaudit_record *ar, char *string)
 236 {
 237         if (ar->k_ar.ar_arg_mac_string == NULL) {
 238                 ar->k_ar.ar_arg_mac_string = kheap_alloc(KHEAP_AUDIT,
 239                     MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN, Z_WAITOK);
 240         }
 241
 242         /*
 243          * XXX This should be a rare event. If kheap_alloc() returns NULL,
 244          * the system is low on kernel virtual memory. To be
 245          * consistent with the rest of audit, just return
 246          * (may need to panic if required to for audit).
 247          */
 248         if (ar->k_ar.ar_arg_mac_string == NULL) {
 249                 if (ar->k_ar.ar_arg_mac_string == NULL) {
 250                         return;
 251                 }
 252         }
 253
 254         strlcpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
 255             MAC_ARG_PREFIX_LEN);
 256         strlcpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
 257             MAC_MAX_LABEL_BUF_LEN);
 258         ARG_SET_VALID(ar, ARG_MAC_STRING);
 259 }
 260 #endif  /* MAC */
 261
 262 #endif /* CONFIG_AUDIT */