bsd/security/audit/audit_mac.c

   1 /*-
   2  * Copyright (c) 1999-2008 Apple Inc.
   3  * All rights reserved.
   4  *
   5  * @APPLE_BSD_LICENSE_HEADER_START@
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1.  Redistributions of source code must retain the above copyright
  11  *     notice, this list of conditions and the following disclaimer.
  12  * 2.  Redistributions in binary form must reproduce the above copyright
  13  *     notice, this list of conditions and the following disclaimer in the
  14  *     documentation and/or other materials provided with the distribution.
  15  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  16  *     its contributors may be used to endorse or promote products derived
  17  *     from this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
  23  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  27  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  28  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  *
  31  * @APPLE_BSD_LICENSE_HEADER_END@
  32  */
  33 /*
  34  * NOTICE: This file was modified by McAfee Research in 2004 to introduce
  35  * support for mandatory and extensible security protections.  This notice
  36  * is included in support of clause 2.2 (b) of the Apple Public License,
  37  * Version 2.0.
  38  */
  39
  40 #include <sys/kernel.h>
  41 #include <sys/proc.h>
  42 #include <sys/kauth.h>
  43 #include <sys/queue.h>
  44 #include <sys/systm.h>
  45
  46 #include <bsm/audit.h>
  47 #include <bsm/audit_internal.h>
  48 #include <bsm/audit_kevents.h>
  49
  50 #include <security/audit/audit.h>
  51 #include <security/audit/audit_private.h>
  52
  53 #include <mach/host_priv.h>
  54 #include <mach/host_special_ports.h>
  55 #include <mach/audit_triggers_server.h>
  56
  57 #include <kern/host.h>
  58 #include <kern/kalloc.h>
  59 #include <kern/zalloc.h>
  60 #include <kern/sched_prim.h>
  61
  62 #if CONFIG_AUDIT
  63
  64 #if CONFIG_MACF
  65 #include <bsm/audit_record.h>
  66 #include <security/mac.h>
  67 #include <security/mac_framework.h>
  68 #include <security/mac_policy.h>
  69 #define MAC_ARG_PREFIX "arg: "
  70 #define MAC_ARG_PREFIX_LEN 5
  71
  72 zone_t          audit_mac_label_zone;
  73 extern zone_t   mac_audit_data_zone;
  74
  75 void
  76 audit_mac_init(void)
  77 {
  78         /* Assume 3 MAC labels for each audit record: two for vnodes,
  79          * one for creds.
  80          */
  81         audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
  82             AQ_HIWATER * 3 * MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
  83 }
  84
  85 int
  86 audit_mac_new(proc_t p, struct kaudit_record *ar)
  87 {
  88         struct mac mac;
  89
  90         /*
  91          * Retrieve the MAC labels for the process.
  92          */
  93         ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
  94         if (ar->k_ar.ar_cred_mac_labels == NULL) {
  95                 return 1;
  96         }
  97         mac.m_buflen = MAC_AUDIT_LABEL_LEN;
  98         mac.m_string = ar->k_ar.ar_cred_mac_labels;
  99         mac_cred_label_externalize_audit(p, &mac);
 100
 101         /*
 102          * grab space for the reconds.
 103          */
 104         ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
 105             kalloc(sizeof(*ar->k_ar.ar_mac_records));
 106         if (ar->k_ar.ar_mac_records == NULL) {
 107                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 108                 return 1;
 109         }
 110         LIST_INIT(ar->k_ar.ar_mac_records);
 111         ar->k_ar.ar_forced_by_mac = 0;
 112
 113         return 0;
 114 }
 115
 116 void
 117 audit_mac_free(struct kaudit_record *ar)
 118 {
 119         struct mac_audit_record *head, *next;
 120
 121         if (ar->k_ar.ar_vnode1_mac_labels != NULL) {
 122                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
 123         }
 124         if (ar->k_ar.ar_vnode2_mac_labels != NULL) {
 125                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
 126         }
 127         if (ar->k_ar.ar_cred_mac_labels != NULL) {
 128                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 129         }
 130         if (ar->k_ar.ar_arg_mac_string != NULL) {
 131                 kfree(ar->k_ar.ar_arg_mac_string,
 132                     MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 133         }
 134
 135         /*
 136          * Free the audit data from the MAC policies.
 137          */
 138         head = LIST_FIRST(ar->k_ar.ar_mac_records);
 139         while (head != NULL) {
 140                 next = LIST_NEXT(head, records);
 141                 zfree(mac_audit_data_zone, head->data);
 142                 kfree(head, sizeof(*head));
 143                 head = next;
 144         }
 145         kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
 146 }
 147
 148 int
 149 audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
 150     kauth_cred_t my_cred, au_event_t event)
 151 {
 152         int error;
 153
 154         error = mac_audit_check_preselect(my_cred, code,
 155             (void *)uthread->uu_arg);
 156         if (error == MAC_AUDIT_YES) {
 157                 uthread->uu_ar = audit_new(event, p, uthread);
 158                 uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
 159                 au_to_text("Forced by a MAC policy");
 160                 return 1;
 161         } else if (error == MAC_AUDIT_NO) {
 162                 return 0;
 163         } else if (error == MAC_AUDIT_DEFAULT) {
 164                 return 1;
 165         }
 166
 167         return 0;
 168 }
 169
 170 int
 171 audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
 172     int retval)
 173 {
 174         int mac_error;
 175
 176         if (uthread->uu_ar == NULL) { /* syscall wasn't audited */
 177                 return 1;
 178         }
 179
 180         /*
 181          * Note, no other postselect mechanism exists.  If
 182          * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
 183          * suppressed.  Other values at this point result in the audit record
 184          * being committed.  This suppression behavior will probably go away in
 185          * the port to 10.3.4.
 186          */
 187         mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
 188             (void *) uthread->uu_arg, error, retval,
 189             uthread->uu_ar->k_ar.ar_forced_by_mac);
 190
 191         if (mac_error == MAC_AUDIT_YES) {
 192                 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
 193         } else if (mac_error == MAC_AUDIT_NO) {
 194                 audit_free(uthread->uu_ar);
 195                 return 1;
 196         }
 197         return 0;
 198 }
 199
 200 /*
 201  * This function is called by the MAC Framework to add audit data
 202  * from a policy to the current audit record.
 203  */
 204 int
 205 audit_mac_data(int type, int len, u_char *data)
 206 {
 207         struct kaudit_record *cur;
 208         struct mac_audit_record *record;
 209
 210         if (audit_enabled == 0) {
 211                 kfree(data, len);
 212                 return ENOTSUP;
 213         }
 214
 215         cur = currecord();
 216         if (cur == NULL) {
 217                 kfree(data, len);
 218                 return ENOTSUP;
 219         }
 220
 221         /*
 222          * XXX: Note that we silently drop the audit data if this
 223          * allocation fails - this is consistent with the rest of the
 224          * audit implementation.
 225          */
 226         record = kalloc(sizeof(*record));
 227         if (record == NULL) {
 228                 kfree(data, len);
 229                 return 0;
 230         }
 231
 232         record->type = type;
 233         record->length = len;
 234         record->data = data;
 235         LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
 236
 237         return 0;
 238 }
 239
 240 void
 241 audit_arg_mac_string(struct kaudit_record *ar, char *string)
 242 {
 243         if (ar->k_ar.ar_arg_mac_string == NULL) {
 244                 ar->k_ar.ar_arg_mac_string =
 245                     kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 246         }
 247
 248         /*
 249          * XXX This should be a rare event. If kalloc() returns NULL,
 250          * the system is low on kernel virtual memory. To be
 251          * consistent with the rest of audit, just return
 252          * (may need to panic if required to for audit).
 253          */
 254         if (ar->k_ar.ar_arg_mac_string == NULL) {
 255                 if (ar->k_ar.ar_arg_mac_string == NULL) {
 256                         return;
 257                 }
 258         }
 259
 260         strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
 261             MAC_ARG_PREFIX_LEN);
 262         strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
 263             MAC_MAX_LABEL_BUF_LEN);
 264         ARG_SET_VALID(ar, ARG_MAC_STRING);
 265 }
 266 #endif  /* MAC */
 267
 268 #endif /* CONFIG_AUDIT */