bsd/security/audit/audit_mac.c

   1 /*-
   2  * Copyright (c) 1999-2008 Apple Inc.
   3  * All rights reserved.
   4  *
   5  * @APPLE_BSD_LICENSE_HEADER_START@
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1.  Redistributions of source code must retain the above copyright
  11  *     notice, this list of conditions and the following disclaimer.
  12  * 2.  Redistributions in binary form must reproduce the above copyright
  13  *     notice, this list of conditions and the following disclaimer in the
  14  *     documentation and/or other materials provided with the distribution.
  15  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  16  *     its contributors may be used to endorse or promote products derived
  17  *     from this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
  23  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  27  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  28  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  *
  31  * @APPLE_BSD_LICENSE_HEADER_END@
  32  */
  33 /*
  34  * NOTICE: This file was modified by McAfee Research in 2004 to introduce
  35  * support for mandatory and extensible security protections.  This notice
  36  * is included in support of clause 2.2 (b) of the Apple Public License,
  37  * Version 2.0.
  38  */
  39
  40 #include <sys/kernel.h>
  41 #include <sys/proc.h>
  42 #include <sys/kauth.h>
  43 #include <sys/queue.h>
  44 #include <sys/systm.h>
  45
  46 #include <bsm/audit.h>
  47 #include <bsm/audit_internal.h>
  48 #include <bsm/audit_kevents.h>
  49
  50 #include <security/audit/audit.h>
  51 #include <security/audit/audit_private.h>
  52
  53 #include <mach/host_priv.h>
  54 #include <mach/host_special_ports.h>
  55 #include <mach/audit_triggers_server.h>
  56
  57 #include <kern/host.h>
  58 #include <kern/kalloc.h>
  59 #include <kern/zalloc.h>
  60 #include <kern/wait_queue.h>
  61 #include <kern/sched_prim.h>
  62
  63 #if CONFIG_AUDIT
  64
  65 #if CONFIG_MACF
  66 #include <bsm/audit_record.h>
  67 #include <security/mac.h>
  68 #include <security/mac_framework.h>
  69 #include <security/mac_policy.h>
  70 #define MAC_ARG_PREFIX "arg: "
  71 #define MAC_ARG_PREFIX_LEN 5
  72
  73 zone_t          audit_mac_label_zone;
  74 extern zone_t   mac_audit_data_zone;
  75
  76 void
  77 audit_mac_init(void)
  78 {
  79         /* Assume 3 MAC labels for each audit record: two for vnodes,
  80          * one for creds.
  81          */
  82         audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
  83             AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
  84 }
  85
  86 int
  87 audit_mac_new(proc_t p, struct kaudit_record *ar)
  88 {
  89         struct mac mac;
  90
  91         /*
  92          * Retrieve the MAC labels for the process.
  93          */
  94         ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
  95         if (ar->k_ar.ar_cred_mac_labels == NULL)
  96                 return (1);
  97         mac.m_buflen = MAC_AUDIT_LABEL_LEN;
  98         mac.m_string = ar->k_ar.ar_cred_mac_labels;
  99         mac_cred_label_externalize_audit(p, &mac);
 100
 101         /*
 102          * grab space for the reconds.
 103          */
 104         ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
 105             kalloc(sizeof(*ar->k_ar.ar_mac_records));
 106         if (ar->k_ar.ar_mac_records == NULL) {
 107                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 108                 return (1);
 109         }
 110         LIST_INIT(ar->k_ar.ar_mac_records);
 111         ar->k_ar.ar_forced_by_mac = 0;
 112
 113         return (0);
 114 }
 115
 116 void
 117 audit_mac_free(struct kaudit_record *ar)
 118 {
 119         struct mac_audit_record *head, *next;
 120
 121         if (ar->k_ar.ar_vnode1_mac_labels != NULL)
 122                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
 123         if (ar->k_ar.ar_vnode2_mac_labels != NULL)
 124                 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
 125         if (ar->k_ar.ar_cred_mac_labels != NULL)
 126                 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
 127         if (ar->k_ar.ar_arg_mac_string != NULL)
 128                 kfree(ar->k_ar.ar_arg_mac_string,
 129                     MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 130
 131         /*
 132          * Free the audit data from the MAC policies.
 133          */
 134         head = LIST_FIRST(ar->k_ar.ar_mac_records);
 135         while (head != NULL) {
 136                 next = LIST_NEXT(head, records);
 137                 zfree(mac_audit_data_zone, head->data);
 138                 kfree(head, sizeof(*head));
 139                 head = next;
 140         }
 141         kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
 142 }
 143
 144 int
 145 audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
 146     kauth_cred_t my_cred, au_event_t event)
 147 {
 148         int error;
 149
 150         error = mac_audit_check_preselect(my_cred, code,
 151              (void *)uthread->uu_arg);
 152         if (error == MAC_AUDIT_YES) {
 153                 uthread->uu_ar = audit_new(event, p, uthread);
 154                 uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
 155                 au_to_text("Forced by a MAC policy");
 156                 return (1);
 157         } else if (error == MAC_AUDIT_NO) {
 158                 return (0);
 159         } else if (error == MAC_AUDIT_DEFAULT) {
 160                 return (1);
 161         }
 162
 163         return (0);
 164 }
 165
 166 int
 167 audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
 168     int retval)
 169 {
 170         int mac_error;
 171
 172         if (uthread->uu_ar == NULL)  /* syscall wasn't audited */
 173                 return (1);
 174
 175         /*
 176          * Note, no other postselect mechanism exists.  If
 177          * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
 178          * suppressed.  Other values at this point result in the audit record
 179          * being committed.  This suppression behavior will probably go away in
 180          * the port to 10.3.4.
 181          */
 182         mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
 183             (void *) uthread->uu_arg, error, retval,
 184             uthread->uu_ar->k_ar.ar_forced_by_mac);
 185
 186         if (mac_error == MAC_AUDIT_YES)
 187                 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
 188         else if (mac_error == MAC_AUDIT_NO) {
 189                 audit_free(uthread->uu_ar);
 190                 return (1);
 191         }
 192         return (0);
 193 }
 194
 195 /*
 196  * This function is called by the MAC Framework to add audit data
 197  * from a policy to the current audit record.
 198  */
 199 int
 200 audit_mac_data(int type, int len, u_char *data) {
 201         struct kaudit_record *cur;
 202         struct mac_audit_record *record;
 203
 204         if (audit_enabled == 0) {
 205                 kfree(data, len);
 206                 return (ENOTSUP);
 207         }
 208
 209         cur = currecord();
 210         if (cur == NULL) {
 211                 kfree(data, len);
 212                 return (ENOTSUP);
 213         }
 214
 215         /*
 216          * XXX: Note that we silently drop the audit data if this
 217          * allocation fails - this is consistent with the rest of the
 218          * audit implementation.
 219          */
 220         record = kalloc(sizeof(*record));
 221         if (record == NULL) {
 222                 kfree(data, len);
 223                 return (0);
 224         }
 225
 226         record->type = type;
 227         record->length = len;
 228         record->data = data;
 229         LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
 230
 231         return (0);
 232 }
 233
 234 void
 235 audit_arg_mac_string(struct kaudit_record *ar, char *string)
 236 {
 237
 238         if (ar->k_ar.ar_arg_mac_string == NULL)
 239                 ar->k_ar.ar_arg_mac_string =
 240                         kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
 241
 242         /*
 243          * XXX This should be a rare event. If kalloc() returns NULL,
 244          * the system is low on kernel virtual memory. To be
 245          * consistent with the rest of audit, just return
 246          * (may need to panic if required to for audit).
 247          */
 248         if (ar->k_ar.ar_arg_mac_string == NULL)
 249                 if (ar->k_ar.ar_arg_mac_string == NULL)
 250                         return;
 251
 252         strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
 253             MAC_ARG_PREFIX_LEN);
 254         strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
 255             MAC_MAX_LABEL_BUF_LEN);
 256         ARG_SET_VALID(ar, ARG_MAC_STRING);
 257 }
 258 #endif  /* MAC */
 259
 260 #endif /* CONFIG_AUDIT */