]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_bsd.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-6153.141.1.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_bsd.c
1 /*-
2 * Copyright (c) 2008-2010 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <string.h>
31
32 #include <sys/kernel.h>
33 #include <sys/proc.h>
34 #include <sys/systm.h>
35
36 #include <kern/host.h>
37 #include <kern/kalloc.h>
38 #include <kern/locks.h>
39 #include <kern/sched_prim.h>
40
41 #include <libkern/OSAtomic.h>
42
43 #include <bsm/audit.h>
44 #include <bsm/audit_internal.h>
45
46 #include <security/audit/audit_bsd.h>
47 #include <security/audit/audit.h>
48 #include <security/audit/audit_private.h>
49
50 #include <mach/host_priv.h>
51 #include <mach/host_special_ports.h>
52 #include <mach/audit_triggers_server.h>
53
54 #include <os/overflow.h>
55
56 extern void ipc_port_release_send(ipc_port_t port);
57
58 #if CONFIG_AUDIT
59 struct mhdr {
60 size_t mh_size;
61 au_malloc_type_t *mh_type;
62 u_long mh_magic;
63 char mh_data[0];
64 };
65
66 /*
67 * The lock group for the audit subsystem.
68 */
69 static lck_grp_t *audit_lck_grp = NULL;
70
71 #define AUDIT_MHMAGIC 0x4D656C53
72
73 #if AUDIT_MALLOC_DEBUG
74 #define AU_MAX_SHORTDESC 20
75 #define AU_MAX_LASTCALLER 20
76 struct au_malloc_debug_info {
77 SInt64 md_size;
78 SInt64 md_maxsize;
79 SInt32 md_inuse;
80 SInt32 md_maxused;
81 unsigned md_type;
82 unsigned md_magic;
83 char md_shortdesc[AU_MAX_SHORTDESC];
84 char md_lastcaller[AU_MAX_LASTCALLER];
85 };
86 typedef struct au_malloc_debug_info au_malloc_debug_info_t;
87
88 au_malloc_type_t *audit_malloc_types[NUM_MALLOC_TYPES];
89
90 static int audit_sysctl_malloc_debug(struct sysctl_oid *oidp, void *arg1,
91 int arg2, struct sysctl_req *req);
92
93 SYSCTL_PROC(_kern, OID_AUTO, audit_malloc_debug, CTLFLAG_RD, NULL, 0,
94 audit_sysctl_malloc_debug, "S,audit_malloc_debug",
95 "Current malloc debug info for auditing.");
96
97 #define AU_MALLOC_DBINFO_SZ \
98 (NUM_MALLOC_TYPES * sizeof(au_malloc_debug_info_t))
99
100 /*
101 * Copy out the malloc debug info via the sysctl interface. The userland code
102 * is something like the following:
103 *
104 * error = sysctlbyname("kern.audit_malloc_debug", buffer_ptr, &buffer_len,
105 * NULL, 0);
106 */
107 static int
108 audit_sysctl_malloc_debug(__unused struct sysctl_oid *oidp, __unused void *arg1,
109 __unused int arg2, struct sysctl_req *req)
110 {
111 int i;
112 size_t sz;
113 au_malloc_debug_info_t *amdi_ptr, *nxt_ptr;
114 int err;
115
116 /*
117 * This provides a read-only node.
118 */
119 if (req->newptr != USER_ADDR_NULL) {
120 return EPERM;
121 }
122
123 /*
124 * If just querying then return the space required.
125 */
126 if (req->oldptr == USER_ADDR_NULL) {
127 req->oldidx = AU_MALLOC_DBINFO_SZ;
128 return 0;
129 }
130
131 /*
132 * Alloc a temporary buffer.
133 */
134 if (req->oldlen < AU_MALLOC_DBINFO_SZ) {
135 return ENOMEM;
136 }
137 amdi_ptr = (au_malloc_debug_info_t *)kalloc(AU_MALLOC_DBINFO_SZ);
138 if (amdi_ptr == NULL) {
139 return ENOMEM;
140 }
141 bzero(amdi_ptr, AU_MALLOC_DBINFO_SZ);
142
143 /*
144 * Build the record array.
145 */
146 sz = 0;
147 nxt_ptr = amdi_ptr;
148 for (i = 0; i < NUM_MALLOC_TYPES; i++) {
149 if (audit_malloc_types[i] == NULL) {
150 continue;
151 }
152 if (audit_malloc_types[i]->mt_magic != M_MAGIC) {
153 nxt_ptr->md_magic = audit_malloc_types[i]->mt_magic;
154 continue;
155 }
156 nxt_ptr->md_magic = audit_malloc_types[i]->mt_magic;
157 nxt_ptr->md_size = audit_malloc_types[i]->mt_size;
158 nxt_ptr->md_maxsize = audit_malloc_types[i]->mt_maxsize;
159 nxt_ptr->md_inuse = (int)audit_malloc_types[i]->mt_inuse;
160 nxt_ptr->md_maxused = (int)audit_malloc_types[i]->mt_maxused;
161 strlcpy(nxt_ptr->md_shortdesc,
162 audit_malloc_types[i]->mt_shortdesc, AU_MAX_SHORTDESC - 1);
163 strlcpy(nxt_ptr->md_lastcaller,
164 audit_malloc_types[i]->mt_lastcaller, AU_MAX_LASTCALLER - 1);
165 sz += sizeof(au_malloc_debug_info_t);
166 nxt_ptr++;
167 }
168
169 req->oldlen = sz;
170 err = SYSCTL_OUT(req, amdi_ptr, sz);
171 kfree(amdi_ptr, AU_MALLOC_DBINFO_SZ);
172
173 return err;
174 }
175 #endif /* AUDIT_MALLOC_DEBUG */
176
177 /*
178 * BSD malloc()
179 *
180 * If the M_NOWAIT flag is set then it may not block and return NULL.
181 * If the M_ZERO flag is set then zero out the buffer.
182 */
183 void *
184 #if AUDIT_MALLOC_DEBUG
185 _audit_malloc(size_t size, au_malloc_type_t *type, int flags, const char *fn)
186 #else
187 _audit_malloc(size_t size, au_malloc_type_t * type, int flags)
188 #endif
189 {
190 struct mhdr *hdr;
191 size_t memsize;
192 if (os_add_overflow(sizeof(*hdr), size, &memsize)) {
193 return NULL;
194 }
195
196 if (size == 0) {
197 return NULL;
198 }
199 if (flags & M_NOWAIT) {
200 hdr = (void *)kalloc_noblock(memsize);
201 } else {
202 hdr = (void *)kalloc(memsize);
203 if (hdr == NULL) {
204 panic("_audit_malloc: kernel memory exhausted");
205 }
206 }
207 if (hdr == NULL) {
208 return NULL;
209 }
210 hdr->mh_size = memsize;
211 hdr->mh_type = type;
212 hdr->mh_magic = AUDIT_MHMAGIC;
213 if (flags & M_ZERO) {
214 memset(hdr->mh_data, 0, size);
215 }
216 #if AUDIT_MALLOC_DEBUG
217 if (type != NULL && type->mt_type < NUM_MALLOC_TYPES) {
218 OSAddAtomic64(memsize, &type->mt_size);
219 type->mt_maxsize = max(type->mt_size, type->mt_maxsize);
220 OSAddAtomic(1, &type->mt_inuse);
221 type->mt_maxused = max(type->mt_inuse, type->mt_maxused);
222 type->mt_lastcaller = fn;
223 audit_malloc_types[type->mt_type] = type;
224 }
225 #endif /* AUDIT_MALLOC_DEBUG */
226 return hdr->mh_data;
227 }
228
229 /*
230 * BSD free()
231 */
232 void
233 #if AUDIT_MALLOC_DEBUG
234 _audit_free(void *addr, au_malloc_type_t *type)
235 #else
236 _audit_free(void *addr, __unused au_malloc_type_t *type)
237 #endif
238 {
239 struct mhdr *hdr;
240
241 if (addr == NULL) {
242 return;
243 }
244 hdr = addr; hdr--;
245
246 if (hdr->mh_magic != AUDIT_MHMAGIC) {
247 panic("_audit_free(): hdr->mh_magic (%lx) != AUDIT_MHMAGIC", hdr->mh_magic);
248 }
249
250 #if AUDIT_MALLOC_DEBUG
251 if (type != NULL) {
252 OSAddAtomic64(-hdr->mh_size, &type->mt_size);
253 OSAddAtomic(-1, &type->mt_inuse);
254 }
255 #endif /* AUDIT_MALLOC_DEBUG */
256 kfree(hdr, hdr->mh_size);
257 }
258
259 /*
260 * Initialize a condition variable. Must be called before use.
261 */
262 void
263 _audit_cv_init(struct cv *cvp, const char *desc)
264 {
265 if (desc == NULL) {
266 cvp->cv_description = "UNKNOWN";
267 } else {
268 cvp->cv_description = desc;
269 }
270 cvp->cv_waiters = 0;
271 }
272
273 /*
274 * Destory a condition variable.
275 */
276 void
277 _audit_cv_destroy(struct cv *cvp)
278 {
279 cvp->cv_description = NULL;
280 cvp->cv_waiters = 0;
281 }
282
283 /*
284 * Signal a condition variable, wakes up one waiting thread.
285 */
286 void
287 _audit_cv_signal(struct cv *cvp)
288 {
289 if (cvp->cv_waiters > 0) {
290 wakeup_one((caddr_t)cvp);
291 cvp->cv_waiters--;
292 }
293 }
294
295 /*
296 * Broadcast a signal to a condition variable.
297 */
298 void
299 _audit_cv_broadcast(struct cv *cvp)
300 {
301 if (cvp->cv_waiters > 0) {
302 wakeup((caddr_t)cvp);
303 cvp->cv_waiters = 0;
304 }
305 }
306
307 /*
308 * Wait on a condition variable. A cv_signal or cv_broadcast on the same
309 * condition variable will resume the thread. It is recommended that the mutex
310 * be held when cv_signal or cv_broadcast are called.
311 */
312 void
313 _audit_cv_wait(struct cv *cvp, lck_mtx_t *mp, const char *desc)
314 {
315 cvp->cv_waiters++;
316 (void) msleep(cvp, mp, PZERO, desc, 0);
317 }
318
319 /*
320 * Wait on a condition variable, allowing interruption by signals. Return 0
321 * if the thread was resumed with cv_signal or cv_broadcast, EINTR or
322 * ERESTART if a signal was caught. If ERESTART is returned the system call
323 * should be restarted if possible.
324 */
325 int
326 _audit_cv_wait_sig(struct cv *cvp, lck_mtx_t *mp, const char *desc)
327 {
328 cvp->cv_waiters++;
329 return msleep(cvp, mp, PSOCK | PCATCH, desc, 0);
330 }
331
332 /*
333 * BSD Mutexes.
334 */
335 void
336 #if DIAGNOSTIC
337 _audit_mtx_init(struct mtx *mp, const char *lckname)
338 #else
339 _audit_mtx_init(struct mtx *mp, __unused const char *lckname)
340 #endif
341 {
342 mp->mtx_lock = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
343 KASSERT(mp->mtx_lock != NULL,
344 ("_audit_mtx_init: Could not allocate a mutex."));
345 #if DIAGNOSTIC
346 strlcpy(mp->mtx_name, lckname, AU_MAX_LCK_NAME);
347 #endif
348 }
349
350 void
351 _audit_mtx_destroy(struct mtx *mp)
352 {
353 if (mp->mtx_lock) {
354 lck_mtx_free(mp->mtx_lock, audit_lck_grp);
355 mp->mtx_lock = NULL;
356 }
357 }
358
359 /*
360 * BSD rw locks.
361 */
362 void
363 #if DIAGNOSTIC
364 _audit_rw_init(struct rwlock *lp, const char *lckname)
365 #else
366 _audit_rw_init(struct rwlock *lp, __unused const char *lckname)
367 #endif
368 {
369 lp->rw_lock = lck_rw_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
370 KASSERT(lp->rw_lock != NULL,
371 ("_audit_rw_init: Could not allocate a rw lock."));
372 #if DIAGNOSTIC
373 strlcpy(lp->rw_name, lckname, AU_MAX_LCK_NAME);
374 #endif
375 }
376
377 void
378 _audit_rw_destroy(struct rwlock *lp)
379 {
380 if (lp->rw_lock) {
381 lck_rw_free(lp->rw_lock, audit_lck_grp);
382 lp->rw_lock = NULL;
383 }
384 }
385 /*
386 * Wait on a condition variable in a continuation (i.e. yield kernel stack).
387 * A cv_signal or cv_broadcast on the same condition variable will cause
388 * the thread to be scheduled.
389 */
390 int
391 _audit_cv_wait_continuation(struct cv *cvp, lck_mtx_t *mp, thread_continue_t function)
392 {
393 int status = KERN_SUCCESS;
394
395 cvp->cv_waiters++;
396 assert_wait(cvp, THREAD_UNINT);
397 lck_mtx_unlock(mp);
398
399 status = thread_block(function);
400
401 /* should not be reached, but just in case, re-lock */
402 lck_mtx_lock(mp);
403
404 return status;
405 }
406
407 /*
408 * Simple recursive lock.
409 */
410 void
411 #if DIAGNOSTIC
412 _audit_rlck_init(struct rlck *lp, const char *lckname)
413 #else
414 _audit_rlck_init(struct rlck *lp, __unused const char *lckname)
415 #endif
416 {
417 lp->rl_mtx = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
418 KASSERT(lp->rl_mtx != NULL,
419 ("_audit_rlck_init: Could not allocate a recursive lock."));
420 #if DIAGNOSTIC
421 strlcpy(lp->rl_name, lckname, AU_MAX_LCK_NAME);
422 #endif
423 lp->rl_thread = 0;
424 lp->rl_recurse = 0;
425 }
426
427 /*
428 * Recursive lock. Allow same thread to recursively lock the same lock.
429 */
430 void
431 _audit_rlck_lock(struct rlck *lp)
432 {
433 if (lp->rl_thread == current_thread()) {
434 OSAddAtomic(1, &lp->rl_recurse);
435 KASSERT(lp->rl_recurse < 10000,
436 ("_audit_rlck_lock: lock nested too deep."));
437 } else {
438 lck_mtx_lock(lp->rl_mtx);
439 lp->rl_thread = current_thread();
440 lp->rl_recurse = 1;
441 }
442 }
443
444 /*
445 * Recursive unlock. It should be the same thread that does the unlock.
446 */
447 void
448 _audit_rlck_unlock(struct rlck *lp)
449 {
450 KASSERT(lp->rl_thread == current_thread(),
451 ("_audit_rlck_unlock(): Don't own lock."));
452
453 /* Note: OSAddAtomic returns old value. */
454 if (OSAddAtomic(-1, &lp->rl_recurse) == 1) {
455 lp->rl_thread = 0;
456 lck_mtx_unlock(lp->rl_mtx);
457 }
458 }
459
460 void
461 _audit_rlck_destroy(struct rlck *lp)
462 {
463 if (lp->rl_mtx) {
464 lck_mtx_free(lp->rl_mtx, audit_lck_grp);
465 lp->rl_mtx = NULL;
466 }
467 }
468
469 /*
470 * Recursive lock assert.
471 */
472 void
473 _audit_rlck_assert(struct rlck *lp, u_int assert)
474 {
475 thread_t cthd = current_thread();
476
477 if (assert == LCK_MTX_ASSERT_OWNED && lp->rl_thread == cthd) {
478 panic("recursive lock (%p) not held by this thread (%p).",
479 lp, cthd);
480 }
481 if (assert == LCK_MTX_ASSERT_NOTOWNED && lp->rl_thread != 0) {
482 panic("recursive lock (%p) held by thread (%p).",
483 lp, cthd);
484 }
485 }
486
487 /*
488 * Simple sleep lock.
489 */
490 void
491 #if DIAGNOSTIC
492 _audit_slck_init(struct slck *lp, const char *lckname)
493 #else
494 _audit_slck_init(struct slck *lp, __unused const char *lckname)
495 #endif
496 {
497 lp->sl_mtx = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
498 KASSERT(lp->sl_mtx != NULL,
499 ("_audit_slck_init: Could not allocate a sleep lock."));
500 #if DIAGNOSTIC
501 strlcpy(lp->sl_name, lckname, AU_MAX_LCK_NAME);
502 #endif
503 lp->sl_locked = 0;
504 lp->sl_waiting = 0;
505 }
506
507 /*
508 * Sleep lock lock. The 'intr' flag determines if the lock is interruptible.
509 * If 'intr' is true then signals or other events can interrupt the sleep lock.
510 */
511 wait_result_t
512 _audit_slck_lock(struct slck *lp, int intr)
513 {
514 wait_result_t res = THREAD_AWAKENED;
515
516 lck_mtx_lock(lp->sl_mtx);
517 while (lp->sl_locked && res == THREAD_AWAKENED) {
518 lp->sl_waiting = 1;
519 res = lck_mtx_sleep(lp->sl_mtx, LCK_SLEEP_DEFAULT,
520 (event_t) lp, (intr) ? THREAD_INTERRUPTIBLE : THREAD_UNINT);
521 }
522 if (res == THREAD_AWAKENED) {
523 lp->sl_locked = 1;
524 }
525 lck_mtx_unlock(lp->sl_mtx);
526
527 return res;
528 }
529
530 /*
531 * Sleep lock unlock. Wake up all the threads waiting for this lock.
532 */
533 void
534 _audit_slck_unlock(struct slck *lp)
535 {
536 lck_mtx_lock(lp->sl_mtx);
537 lp->sl_locked = 0;
538 if (lp->sl_waiting) {
539 lp->sl_waiting = 0;
540
541 /* Wake up *all* sleeping threads. */
542 wakeup((event_t) lp);
543 }
544 lck_mtx_unlock(lp->sl_mtx);
545 }
546
547 /*
548 * Sleep lock try. Don't sleep if it doesn't get the lock.
549 */
550 int
551 _audit_slck_trylock(struct slck *lp)
552 {
553 int result;
554
555 lck_mtx_lock(lp->sl_mtx);
556 result = !lp->sl_locked;
557 if (result) {
558 lp->sl_locked = 1;
559 }
560 lck_mtx_unlock(lp->sl_mtx);
561
562 return result;
563 }
564
565 /*
566 * Sleep lock assert.
567 */
568 void
569 _audit_slck_assert(struct slck *lp, u_int assert)
570 {
571 if (assert == LCK_MTX_ASSERT_OWNED && lp->sl_locked == 0) {
572 panic("sleep lock (%p) not held.", lp);
573 }
574 if (assert == LCK_MTX_ASSERT_NOTOWNED && lp->sl_locked == 1) {
575 panic("sleep lock (%p) held.", lp);
576 }
577 }
578
579 void
580 _audit_slck_destroy(struct slck *lp)
581 {
582 if (lp->sl_mtx) {
583 lck_mtx_free(lp->sl_mtx, audit_lck_grp);
584 lp->sl_mtx = NULL;
585 }
586 }
587
588 /*
589 * XXXss - This code was taken from bsd/netinet6/icmp6.c. Maybe ppsratecheck()
590 * should be made global in icmp6.c.
591 */
592 #ifndef timersub
593 #define timersub(tvp, uvp, vvp) \
594 do { \
595 (vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \
596 (vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \
597 if ((vvp)->tv_usec < 0) { \
598 (vvp)->tv_sec--; \
599 (vvp)->tv_usec += 1000000; \
600 } \
601 } while (0)
602 #endif
603
604 /*
605 * Packets (or events) per second limitation.
606 */
607 int
608 _audit_ppsratecheck(struct timeval *lasttime, int *curpps, int maxpps)
609 {
610 struct timeval tv, delta;
611 int rv;
612
613 microtime(&tv);
614
615 timersub(&tv, lasttime, &delta);
616
617 /*
618 * Check for 0,0 so that the message will be seen at least once.
619 * If more than one second has passed since the last update of
620 * lasttime, reset the counter.
621 *
622 * we do increment *curpps even in *curpps < maxpps case, as some may
623 * try to use *curpps for stat purposes as well.
624 */
625 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
626 delta.tv_sec >= 1) {
627 *lasttime = tv;
628 *curpps = 0;
629 rv = 1;
630 } else if (maxpps < 0) {
631 rv = 1;
632 } else if (*curpps < maxpps) {
633 rv = 1;
634 } else {
635 rv = 0;
636 }
637 if (*curpps + 1 > 0) {
638 *curpps = *curpps + 1;
639 }
640
641 return rv;
642 }
643
644 /*
645 * Initialize lock group for audit related locks/mutexes.
646 */
647 void
648 _audit_lck_grp_init(void)
649 {
650 audit_lck_grp = lck_grp_alloc_init("Audit", LCK_GRP_ATTR_NULL);
651
652 KASSERT(audit_lck_grp != NULL,
653 ("audit_get_lck_grp: Could not allocate the audit lock group."));
654 }
655
656 int
657 audit_send_trigger(unsigned int trigger)
658 {
659 mach_port_t audit_port;
660 int error;
661
662 error = host_get_audit_control_port(host_priv_self(), &audit_port);
663 if (error == KERN_SUCCESS && audit_port != MACH_PORT_NULL) {
664 (void)audit_triggers(audit_port, trigger);
665 ipc_port_release_send(audit_port);
666 return 0;
667 } else {
668 printf("Cannot get audit control port\n");
669 return error;
670 }
671 }
672 #endif /* CONFIG_AUDIT */
mirror of XNU