--- /dev/null
+/*-
+ * Copyright (c) 2008-2009 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/kernel.h>
+#include <sys/event.h>
+#include <sys/kauth.h>
+#include <sys/queue.h>
+#include <sys/syscall.h>
+#include <sys/sysent.h>
+#include <sys/sysproto.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+
+#include <libkern/OSAtomic.h>
+
+#include <bsm/audit.h>
+#include <security/audit/audit.h>
+#include <security/audit/audit_bsd.h>
+#include <security/audit/audit_private.h>
+
+#include <vm/vm_protos.h>
+#include <kern/audit_sessionport.h>
+
+kern_return_t ipc_object_copyin(ipc_space_t, mach_port_name_t,
+ mach_msg_type_name_t, ipc_port_t *);
+void ipc_port_release_send(ipc_port_t);
+
+/*
+ * The default auditinfo_addr entry for ucred.
+ */
+struct auditinfo_addr audit_default_aia = {
+ .ai_auid = AU_DEFAUDITID,
+ .ai_asid = AU_DEFAUDITSID,
+ .ai_termid = { .at_type = AU_IPv4, },
+};
+
+#if CONFIG_AUDIT
+
+/*
+ * Currently the hash table is a fixed size.
+ */
+#define HASH_TABLE_SIZE 97
+#define HASH_ASID(asid) (audit_session_hash(asid) % HASH_TABLE_SIZE)
+
+/*
+ * Audit Session Entry. This is treated as an object with public and private
+ * data. The se_auinfo field is the only information that is public and
+ * needs to be the first entry.
+ */
+struct au_sentry {
+ auditinfo_addr_t se_auinfo; /* Public audit session data. */
+#define se_asid se_auinfo.ai_asid
+#define se_auid se_auinfo.ai_auid
+#define se_mask se_auinfo.ai_mask
+#define se_termid se_auinfo.ai_termid
+#define se_flags se_auinfo.ai_flags
+
+ long se_refcnt; /* Reference count. */
+ long se_procnt; /* Processes in session. */
+ ipc_port_t se_port; /* Session port. */
+ struct klist se_klist; /* Knotes for session */
+ struct mtx se_klist_mtx; /* se_klist mutex */
+ LIST_ENTRY(au_sentry) se_link; /* Hash bucket link list (1) */
+};
+typedef struct au_sentry au_sentry_t;
+
+#define AU_SENTRY_PTR(aia_p) ((au_sentry_t *)(aia_p))
+
+static struct rwlock se_entry_lck; /* (1) lock for se_link above */
+
+LIST_HEAD(au_sentry_head, au_sentry);
+static struct au_sentry_head *au_sentry_bucket = NULL;
+
+/*
+ * Audit Propagation Knote List is a list of kevent knotes that are assosiated
+ * with an any ASID knote. If the any ASID gets modified or deleted these are
+ * modified or deleted as well.
+ */
+struct au_plist {
+ struct knote *pl_knote; /* ptr to per-session knote */
+ LIST_ENTRY(au_plist) pl_link; /* list link (2) */
+};
+typedef struct au_plist au_plist_t;
+
+struct au_plisthead {
+ struct rlck ph_rlck; /* (2) lock for pl_link list */
+ LIST_HEAD(au_plhead, au_plist) ph_head; /* list head */
+};
+typedef struct au_plisthead au_plisthead_t;
+
+#define EV_ANY_ASID EV_FLAG0
+
+MALLOC_DEFINE(M_AU_SESSION, "audit_session", "Audit session data");
+MALLOC_DEFINE(M_AU_EV_PLIST, "audit_ev_plist", "Audit session event plist");
+
+/*
+ * Kevent filters.
+ */
+static int audit_filt_sessionattach(struct knote *kn);
+static void audit_filt_sessiondetach(struct knote *kn);
+static void audit_filt_sessiontouch(struct knote *kn,
+ struct kevent64_s *kev, long type);
+static int audit_filt_session(struct knote *kn, long hint);
+
+static void audit_register_kevents(uint32_t asid, uint32_t auid);
+
+struct filterops audit_session_filtops = {
+ .f_attach = audit_filt_sessionattach,
+ .f_detach = audit_filt_sessiondetach,
+ .f_touch = audit_filt_sessiontouch,
+ .f_event = audit_filt_session,
+};
+
+/*
+ * The klist for consumers that are interested in any session (ASID). This list
+ * is not associated with any data structure but is used for registering
+ * new kevents when sessions are created. This klist is lock by
+ * anyas_klist_mtx.
+ */
+static struct klist anyas_klist;
+struct mtx anyas_klist_mtx;
+
+#define AUDIT_ANYAS_KLIST_LOCK_INIT() mtx_init(&anyas_klist_mtx, \
+ "audit anyas_klist_mtx", NULL, MTX_DEF)
+#define AUDIT_ANYAS_KLIST_LOCK() mtx_lock(&anyas_klist_mtx)
+#define AUDIT_ANYAS_KLIST_UNLOCK() mtx_unlock(&anyas_klist_mtx)
+#define AUDIT_ANYAS_KLIST_LOCK_ASSERT() mtx_assert(&anyas_klist_mtx, MA_OWNED)
+
+#define AUDIT_SENTRY_RWLOCK_INIT() rw_init(&se_entry_lck, \
+ "audit se_entry_lck")
+#define AUDIT_SENTRY_RLOCK() rw_rlock(&se_entry_lck)
+#define AUDIT_SENTRY_WLOCK() rw_wlock(&se_entry_lck)
+#define AUDIT_SENTRY_RWLOCK_ASSERT() rw_assert(&se_entry_lck, RA_LOCKED)
+#define AUDIT_SENTRY_RUNLOCK() rw_runlock(&se_entry_lck)
+#define AUDIT_SENTRY_WUNLOCK() rw_wunlock(&se_entry_lck)
+
+#define AUDIT_SE_KLIST_LOCK_INIT(se, n) mtx_init(&(se)->se_klist_mtx, \
+ n, NULL, MTX_DEF)
+#define AUDIT_SE_KLIST_LOCK(se) mtx_lock(&(se)->se_klist_mtx)
+#define AUDIT_SE_KLIST_UNLOCK(se) mtx_unlock(&(se)->se_klist_mtx)
+#define AUDIT_SE_KLIST_LOCK_DESTROY(se) mtx_destroy(&(se)->se_klist_mtx)
+#define AUDIT_SE_KLIST_LOCK_ASSERT(se) mtx_assert(&(se)->se_klist_mtx, \
+ MA_OWNED)
+
+#define AUDIT_PLIST_LOCK_INIT(pl) rlck_init(&(pl)->ph_rlck, \
+ "audit ph_rlck")
+#define AUDIT_PLIST_LOCK(pl) rlck_lock(&(pl)->ph_rlck)
+#define AUDIT_PLIST_UNLOCK(pl) rlck_unlock(&(pl)->ph_rlck)
+#define AUDIT_PLIST_LOCK_DESTROY(pl) rlck_destroy(&(pl)->ph_rlck)
+
+#if AUDIT_SESSION_DEBUG
+#include <kern/kalloc.h>
+
+struct au_sentry_debug {
+ auditinfo_addr_t se_auinfo;
+ long se_refcnt;
+ long se_procnt;
+};
+typedef struct au_sentry_debug au_sentry_debug_t;
+
+static int audit_sysctl_session_debug(struct sysctl_oid *oidp, void *arg1,
+ int arg2, struct sysctl_req *req);
+
+SYSCTL_PROC(_kern, OID_AUTO, audit_session_debug, CTLFLAG_RD, NULL, 0,
+ audit_sysctl_session_debug, "S,audit_session_debug",
+ "Current session debug info for auditing.");
+
+/*
+ * Copy out the session debug info via the sysctl interface. The userland code
+ * is something like the following:
+ *
+ * error = sysctlbyname("kern.audit_session_debug", buffer_ptr, &buffer_len,
+ * NULL, 0);
+ */
+static int
+audit_sysctl_session_debug(__unused struct sysctl_oid *oidp,
+ __unused void *arg1, __unused int arg2, struct sysctl_req *req)
+{
+ au_sentry_t *se;
+ au_sentry_debug_t *sed_tab, *next_sed;
+ int i, entry_cnt = 0;
+ size_t sz;
+ int err = 0;
+
+ /*
+ * This provides a read-only node.
+ */
+ if (req->newptr != USER_ADDR_NULL)
+ return (EPERM);
+
+ /*
+ * Walk the audit session hash table to determine the size.
+ */
+ AUDIT_SENTRY_RLOCK();
+ for(i = 0; i < HASH_TABLE_SIZE; i++)
+ LIST_FOREACH(se, &au_sentry_bucket[i], se_link)
+ if (se != NULL)
+ entry_cnt++;
+
+ /*
+ * If just querying then return the space required. There is an
+ * obvious race condition here so we just fudge this by 3 in case
+ * the audit session table grows.
+ */
+ if (req->oldptr == USER_ADDR_NULL) {
+ req->oldidx = (entry_cnt + 3) * sizeof(au_sentry_debug_t);
+ AUDIT_SENTRY_RUNLOCK();
+ return (0);
+ }
+
+ /*
+ * Alloc a temporary buffer.
+ */
+ if (req->oldlen < (entry_cnt * sizeof(au_sentry_debug_t))) {
+ AUDIT_SENTRY_RUNLOCK();
+ return (ENOMEM);
+ }
+ /*
+ * We hold the lock over the alloc since we don't want the table to
+ * grow on us. Therefore, use the non-blocking version of kalloc().
+ */
+ sed_tab = (au_sentry_debug_t *)kalloc_noblock(entry_cnt *
+ sizeof(au_sentry_debug_t));
+ if (sed_tab == NULL) {
+ AUDIT_SENTRY_RUNLOCK();
+ return (ENOMEM);
+ }
+ bzero(sed_tab, entry_cnt * sizeof(au_sentry_debug_t));
+
+ /*
+ * Walk the audit session hash table and build the record array.
+ */
+ sz = 0;
+ next_sed = sed_tab;
+ for(i = 0; i < HASH_TABLE_SIZE; i++) {
+ LIST_FOREACH(se, &au_sentry_bucket[i], se_link) {
+ if (se != NULL) {
+ bcopy(se, next_sed, sizeof(next_sed));
+ next_sed++;
+ sz += sizeof(au_sentry_debug_t);
+ }
+ }
+ }
+ AUDIT_SENTRY_RUNLOCK();
+
+ req->oldlen = sz;
+ err = SYSCTL_OUT(req, sed_tab, sz);
+ kfree(sed_tab, entry_cnt * sizeof(au_sentry_debug_t));
+
+ return (err);
+}
+
+#endif /* AUDIT_SESSION_DEBUG */
+
+/*
+ * Hash the audit session ID using a simple 32-bit mix.
+ */
+static inline uint32_t
+audit_session_hash(au_asid_t asid)
+{
+ uint32_t a = (uint32_t) asid;
+
+ a = (a - (a << 6)) ^ (a >> 17);
+ a = (a - (a << 9)) ^ (a << 4);
+ a = (a - (a << 3)) ^ (a << 10);
+ a = a ^ (a >> 15);
+
+ return (a);
+}
+
+/*
+ * Do an hash lookup and find the session entry for a given ASID. Return NULL
+ * if not found.
+ */
+static au_sentry_t *
+audit_session_find(au_asid_t asid)
+{
+ uint32_t hkey;
+ au_sentry_t *found_se;
+
+ AUDIT_SENTRY_RWLOCK_ASSERT();
+
+ hkey = HASH_ASID(asid);
+
+ LIST_FOREACH(found_se, &au_sentry_bucket[hkey], se_link)
+ if (found_se->se_asid == asid)
+ return (found_se);
+ return (NULL);
+}
+
+/*
+ * Call kqueue knote while holding the session entry klist lock.
+ */
+static void
+audit_session_knote(au_sentry_t *se, long hint)
+{
+
+ AUDIT_SE_KLIST_LOCK(se);
+ KNOTE(&se->se_klist, hint);
+ AUDIT_SE_KLIST_UNLOCK(se);
+}
+
+/*
+ * Remove the given audit_session entry from the hash table.
+ */
+static void
+audit_session_remove(au_sentry_t *se)
+{
+ uint32_t hkey;
+ au_sentry_t *found_se, *tmp_se;
+
+ KASSERT(se->se_refcnt == 0, ("audit_session_remove: ref count != 0"));
+
+ hkey = HASH_ASID(se->se_asid);
+
+ AUDIT_SENTRY_WLOCK();
+ LIST_FOREACH_SAFE(found_se, &au_sentry_bucket[hkey], se_link, tmp_se) {
+ if (found_se == se) {
+
+ audit_session_knote(found_se, NOTE_AS_CLOSE);
+
+ LIST_REMOVE(found_se, se_link);
+ AUDIT_SENTRY_WUNLOCK();
+ AUDIT_SE_KLIST_LOCK_DESTROY(found_se);
+ found_se->se_refcnt = 0;
+ free(found_se, M_AU_SESSION);
+
+ return;
+ }
+ }
+ AUDIT_SENTRY_WUNLOCK();
+}
+
+/*
+ * Reference the session by incrementing the sentry ref count.
+ */
+static void
+audit_ref_session(au_sentry_t *se)
+{
+ long old_val;
+
+ old_val = OSAddAtomicLong(1, &se->se_refcnt);
+ KASSERT(old_val < 100000,
+ ("audit_ref_session: Too many references on session."));
+}
+
+/*
+ * Decrement the sentry ref count and remove the session entry if last one.
+ */
+static void
+audit_unref_session(au_sentry_t *se)
+{
+ long old_val;
+
+ old_val = OSAddAtomicLong(-1, &se->se_refcnt);
+ if (old_val == 1)
+ audit_session_remove(se);
+ KASSERT(old_val > 0,
+ ("audit_unref_session: Too few references on session."));
+}
+
+/*
+ * Increment the process count in the session.
+ */
+static void
+audit_inc_procount(au_sentry_t *se)
+{
+ long old_val;
+
+ old_val = OSAddAtomicLong(1, &se->se_procnt);
+ KASSERT(old_val <= PID_MAX,
+ ("audit_inc_procount: proc count > PID_MAX"));
+}
+
+/*
+ * Decrement the process count and add a knote if it is the last process
+ * to exit the session.
+ */
+static void
+audit_dec_procount(au_sentry_t *se)
+{
+ long old_val;
+
+ old_val = OSAddAtomicLong(-1, &se->se_procnt);
+ if (old_val == 1)
+ audit_session_knote(se, NOTE_AS_END);
+ KASSERT(old_val >= 1,
+ ("audit_dec_procount: proc count < 0"));
+}
+
+/*
+ * Update the session entry and check to see if anything was updated.
+ * Returns:
+ * 0 Nothing was updated (We don't care about process preselection masks)
+ * 1 Something was updated.
+ */
+static int
+audit_update_sentry(au_sentry_t *se, auditinfo_addr_t *new_aia)
+{
+ auditinfo_addr_t *aia = &se->se_auinfo;
+ int update;
+
+ KASSERT(new_aia != &audit_default_aia,
+ ("audit_update_sentry: Trying to update the default aia."));
+
+ update = (aia->ai_auid != new_aia->ai_auid ||
+ bcmp(&aia->ai_termid, &new_aia->ai_termid,
+ sizeof(new_aia->ai_termid)) ||
+ aia->ai_flags != new_aia->ai_flags);
+
+ if (update)
+ bcopy(new_aia, aia, sizeof(*aia));
+
+ return (update);
+}
+
+/*
+ * Return the next session ID. The range of kernel generated audit session IDs
+ * is ASSIGNED_ASID_MIN to ASSIGNED_ASID_MAX.
+ */
+static uint32_t
+audit_session_nextid(void)
+{
+ static uint32_t next_asid = ASSIGNED_ASID_MIN;
+
+ AUDIT_SENTRY_RWLOCK_ASSERT();
+
+ if (next_asid > ASSIGNED_ASID_MAX)
+ next_asid = ASSIGNED_ASID_MIN;
+
+ return (next_asid++);
+}
+
+/*
+ * Allocated a new audit_session entry and add it to the hash table. If the
+ * given ASID is set to AU_ASSIGN_ASID then audit_session_new() will pick an
+ * audit session ID. Otherwise, it attempts use the one given. It creates a
+ * reference to the entry that must be unref'ed.
+ */
+static auditinfo_addr_t *
+audit_session_new(auditinfo_addr_t *new_aia, int newprocess)
+{
+ au_asid_t asid;
+ au_sentry_t *se = NULL;
+ auditinfo_addr_t *aia = NULL;
+ char nm[LOCK_MAX_NAME];
+
+ KASSERT(new_aia != NULL, ("audit_session_new: new_aia == NULL"));
+
+ asid = new_aia->ai_asid;
+
+#if 0 /* XXX this assertion is currently broken by securityd/LoginWindow */
+ KASSERT((asid != AU_ASSIGN_ASID && asid <= PID_MAX),
+ ("audit_session_new: illegal ASID value: %d", asid));
+#endif
+
+ /*
+ * Alloc a new session entry now so we don't wait holding the lock.
+ */
+ se = malloc(sizeof(au_sentry_t), M_AU_SESSION, M_WAITOK | M_ZERO);
+
+ snprintf(nm, sizeof(nm), "audit se_klist_mtx %d", asid);
+ AUDIT_SE_KLIST_LOCK_INIT(se, nm);
+
+ /*
+ * Find an unique session ID, if desired.
+ */
+ AUDIT_SENTRY_WLOCK();
+ if (asid == AU_ASSIGN_ASID) {
+ do {
+ asid = (au_asid_t)audit_session_nextid();
+ } while(audit_session_find(asid) != NULL);
+ } else {
+ au_sentry_t *found_se = NULL;
+
+ /*
+ * Check to see if the requested ASID is already in the
+ * hash table. If so, update it with the new auditinfo.
+ */
+ if ((found_se = audit_session_find(asid)) != NULL) {
+ int updated;
+
+ updated = audit_update_sentry(found_se, new_aia);
+ audit_ref_session(found_se);
+
+ AUDIT_SENTRY_WUNLOCK();
+ AUDIT_SE_KLIST_LOCK_DESTROY(se);
+ free(se, M_AU_SESSION);
+
+ if (updated)
+ audit_session_knote(found_se, NOTE_AS_UPDATE);
+
+ /*
+ * If this is a new process joining this session then
+ * we need to update the proc count.
+ */
+ if (newprocess)
+ audit_inc_procount(found_se);
+
+ return (&found_se->se_auinfo);
+ }
+ }
+
+ /*
+ * Start the reference and proc count at 1 to account for the process
+ * that invoked this via setaudit_addr() (or friends).
+ */
+ se->se_refcnt = se->se_procnt = 1;
+
+ /*
+ * Populate the new session entry. Note that process masks are stored
+ * in kauth ucred so just zero them here.
+ */
+ se->se_port = IPC_PORT_NULL;
+ aia = &se->se_auinfo;
+ aia->ai_asid = asid;
+ aia->ai_auid = new_aia->ai_auid;
+ bzero(&new_aia->ai_mask, sizeof(new_aia->ai_mask));
+ bcopy(&new_aia->ai_termid, &aia->ai_termid, sizeof(aia->ai_termid));
+ aia->ai_flags = new_aia->ai_flags;
+
+ /*
+ * Add it to the hash table.
+ */
+ LIST_INSERT_HEAD(&au_sentry_bucket[HASH_ASID(asid)], se, se_link);
+ AUDIT_SENTRY_WUNLOCK();
+
+ /*
+ * Register kevents for consumers wanting events for any ASID
+ * and knote the event.
+ */
+ audit_register_kevents(se->se_asid, se->se_auid);
+ audit_session_knote(se, NOTE_AS_START);
+
+ return (aia);
+}
+
+/*
+ * Lookup an existing session. A copy of the audit session info for a given
+ * ASID is returned in ret_aia. Returns 0 on success.
+ */
+int
+audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia)
+{
+ au_sentry_t *se = NULL;
+
+ if ((uint32_t)asid > ASSIGNED_ASID_MAX)
+ return (-1);
+ AUDIT_SENTRY_RLOCK();
+ if ((se = audit_session_find(asid)) == NULL) {
+ AUDIT_SENTRY_RUNLOCK();
+ return (1);
+ }
+ if (ret_aia != NULL)
+ bcopy(&se->se_auinfo, ret_aia, sizeof(*ret_aia));
+ AUDIT_SENTRY_RUNLOCK();
+
+ return (0);
+}
+
+/*
+ * Add a reference to the session entry.
+ */
+void
+audit_session_ref(kauth_cred_t cred)
+{
+ auditinfo_addr_t *aia_p;
+
+ KASSERT(IS_VALID_CRED(cred),
+ ("audit_session_ref: Invalid kauth_cred."));
+
+ aia_p = cred->cr_audit.as_aia_p;
+
+ if (IS_VALID_SESSION(aia_p))
+ audit_ref_session(AU_SENTRY_PTR(aia_p));
+}
+
+/*
+ * Remove a reference to the session entry.
+ */
+void
+audit_session_unref(kauth_cred_t cred)
+{
+ auditinfo_addr_t *aia_p;
+
+ KASSERT(IS_VALID_CRED(cred),
+ ("audit_session_unref: Invalid kauth_cred."));
+
+ aia_p = cred->cr_audit.as_aia_p;
+
+ if (IS_VALID_SESSION(aia_p))
+ audit_unref_session(AU_SENTRY_PTR(aia_p));
+}
+
+void
+audit_session_procnew(kauth_cred_t cred)
+{
+ auditinfo_addr_t *aia_p;
+
+ KASSERT(IS_VALID_CRED(cred),
+ ("audit_session_procnew: Invalid kauth_cred."));
+
+ aia_p = cred->cr_audit.as_aia_p;
+
+ if (IS_VALID_SESSION(aia_p))
+ audit_inc_procount(AU_SENTRY_PTR(aia_p));
+}
+
+void
+audit_session_procexit(kauth_cred_t cred)
+{
+ auditinfo_addr_t *aia_p;
+
+ KASSERT(IS_VALID_CRED(cred),
+ ("audit_session_procexit: Invalid kauth_cred."));
+
+ aia_p = cred->cr_audit.as_aia_p;
+
+ if (IS_VALID_SESSION(aia_p))
+ audit_dec_procount(AU_SENTRY_PTR(aia_p));
+}
+
+/*
+ * Init the audit session code.
+ */
+void
+audit_session_init(void)
+{
+ int i;
+
+ KASSERT((ASSIGNED_ASID_MAX - ASSIGNED_ASID_MIN) > PID_MAX,
+ ("audit_session_init: ASSIGNED_ASID_MAX is not large enough."));
+
+ AUDIT_SENTRY_RWLOCK_INIT();
+ AUDIT_ANYAS_KLIST_LOCK_INIT();
+
+ au_sentry_bucket = malloc( sizeof(struct au_sentry) *
+ HASH_TABLE_SIZE, M_AU_SESSION, M_WAITOK | M_ZERO);
+
+ for (i = 0; i < HASH_TABLE_SIZE; i++)
+ LIST_INIT(&au_sentry_bucket[i]);
+}
+
+/*
+ * Allocate a new kevent propagation list (plist).
+ */
+static caddr_t
+audit_new_plist(void)
+{
+ au_plisthead_t *plhead;
+
+ plhead = malloc(sizeof(au_plisthead_t), M_AU_EV_PLIST, M_WAITOK |
+ M_ZERO);
+
+ LIST_INIT(&plhead->ph_head);
+ AUDIT_PLIST_LOCK_INIT(plhead);
+
+ return ((caddr_t) plhead);
+}
+
+/*
+ * Destroy a kevent propagation list (plist). The anyas_klist_mtx mutex must be
+ * held by the caller.
+ */
+static void
+audit_destroy_plist(struct knote *anyas_kn)
+{
+ au_plisthead_t *plhead;
+ au_plist_t *plentry, *ple_tmp;
+ struct kevent64_s kev;
+
+ KASSERT(anyas_kn != NULL, ("audit_destroy_plist: anyas = NULL"));
+ plhead = (au_plisthead_t *)anyas_kn->kn_hook;
+ KASSERT(plhead != NULL, ("audit_destroy_plist: plhead = NULL"));
+
+ /*
+ * Delete everything in the propagation list.
+ */
+ AUDIT_PLIST_LOCK(plhead);
+ LIST_FOREACH_SAFE(plentry, &plhead->ph_head, pl_link, ple_tmp) {
+ struct kqueue *kq = plentry->pl_knote->kn_kq;
+
+ kev.ident = plentry->pl_knote->kn_id;
+ kev.filter = EVFILT_SESSION;
+ kev.flags = EV_DELETE;
+
+ /*
+ * The plist entry gets removed in rm_from_plist() which is
+ * called indirectly by kevent_register().
+ */
+ kevent_register(kq, &kev, NULL);
+ }
+ AUDIT_PLIST_UNLOCK(plhead);
+
+ /*
+ * Remove the head.
+ */
+ AUDIT_PLIST_LOCK_DESTROY(plhead);
+ free(plhead, M_AU_EV_PLIST);
+}
+
+/*
+ * Add a knote pointer entry to the kevent propagation list.
+ */
+static void
+audit_add_to_plist(struct knote *anyas_kn, struct knote *kn)
+{
+ au_plisthead_t *plhead;
+ au_plist_t *plentry;
+
+ KASSERT(anyas_kn != NULL, ("audit_add_to_plist: anyas = NULL"));
+ plhead = (au_plisthead_t *)anyas_kn->kn_hook;
+ KASSERT(plhead != NULL, ("audit_add_to_plist: plhead = NULL"));
+
+ plentry = malloc(sizeof(au_plist_t), M_AU_EV_PLIST, M_WAITOK | M_ZERO);
+
+ plentry->pl_knote = kn;
+ AUDIT_PLIST_LOCK(plhead);
+ LIST_INSERT_HEAD(&plhead->ph_head, plentry, pl_link);
+ AUDIT_PLIST_UNLOCK(plhead);
+}
+
+/*
+ * Remote a knote pointer entry from the kevent propagation list. The lock
+ * on the plist may already be head (by audit_destroy_plist() above) so we use
+ * a recursive lock.
+ */
+static void
+audit_rm_from_plist(struct knote *kn)
+{
+ struct knote *anyas_kn;
+ au_plisthead_t *plhd;
+ au_plist_t *plentry, *ple_tmp;
+
+ KASSERT(kn != NULL, ("audit_rm_from_plist: kn = NULL"));
+ anyas_kn = (struct knote *)kn->kn_hook;
+ KASSERT(anyas_kn != NULL, ("audit_rm_to_plist: anyas = NULL"));
+ plhd = (au_plisthead_t *)anyas_kn->kn_hook;
+
+ AUDIT_PLIST_LOCK(plhd);
+ LIST_FOREACH_SAFE(plentry, &plhd->ph_head, pl_link, ple_tmp) {
+ if (plentry->pl_knote == kn) {
+ LIST_REMOVE(plentry, pl_link);
+ free(plentry, M_AU_EV_PLIST);
+ AUDIT_PLIST_UNLOCK(plhd);
+ return;
+ }
+ }
+ AUDIT_PLIST_UNLOCK(plhd);
+}
+
+/*
+ * The attach filter for EVFILT_SESSION.
+ */
+static int
+audit_filt_sessionattach(struct knote *kn)
+{
+ au_sentry_t *se = NULL;
+
+ /*
+ * Check flags for the events we currently support.
+ */
+ if ((kn->kn_sfflags & (NOTE_AS_START | NOTE_AS_END | NOTE_AS_CLOSE
+ | NOTE_AS_UPDATE | NOTE_AS_ERR)) == 0)
+ return (ENOTSUP);
+
+ /*
+ * If the interest is in any session then add to the any ASID knote
+ * list. Otherwise, add it to the knote list assosiated with the
+ * given session.
+ */
+ if (kn->kn_id == AS_ANY_ASID) {
+
+ kn->kn_flags |= EV_CLEAR;
+ kn->kn_ptr.p_se = NULL;
+
+ /*
+ * Attach a kevent propagation list for any kevents that get
+ * added.
+ */
+ kn->kn_hook = audit_new_plist();
+
+ AUDIT_ANYAS_KLIST_LOCK();
+ KNOTE_ATTACH(&anyas_klist, kn);
+ AUDIT_ANYAS_KLIST_UNLOCK();
+
+ return (0);
+ } else {
+
+ /*
+ * NOTE: The anyas klist lock will be held in this
+ * part of the code when indirectly called from
+ * audit_register_kevents() below.
+ */
+
+ /*
+ * Check to make sure it is a valid ASID.
+ */
+ if (kn->kn_id > ASSIGNED_ASID_MAX)
+ return (EINVAL);
+
+ AUDIT_SENTRY_RLOCK();
+ se = audit_session_find(kn->kn_id);
+ AUDIT_SENTRY_RUNLOCK();
+ if (se == NULL)
+ return (EINVAL);
+
+ AUDIT_SE_KLIST_LOCK(se);
+ kn->kn_flags |= EV_CLEAR;
+ kn->kn_ptr.p_se = se;
+
+ /*
+ * If this attach is the result of an "any ASID" (pseudo)
+ * kevent then attach the any session knote ptr to this knote.
+ * Also, add this knote to the its propagation list.
+ */
+ if (kn->kn_flags & EV_ANY_ASID) {
+ struct knote *anyas_kn =
+ (struct knote *)((uintptr_t)kn->kn_kevent.ext[0]);
+ kn->kn_hook = (caddr_t) anyas_kn;
+ kn->kn_flags &= ~EV_ANY_ASID;
+ audit_add_to_plist(anyas_kn, kn);
+ } else
+ kn->kn_hook = NULL;
+ KNOTE_ATTACH(&se->se_klist, kn);
+ AUDIT_SE_KLIST_UNLOCK(se);
+
+ return (0);
+ }
+}
+
+/*
+ * The detach filter for EVFILT_SESSION.
+ */
+static void
+audit_filt_sessiondetach(struct knote *kn)
+{
+ au_sentry_t *se = NULL;
+
+ if (kn->kn_id == AS_ANY_ASID) {
+
+ AUDIT_ANYAS_KLIST_LOCK();
+ audit_destroy_plist(kn);
+ KNOTE_DETACH(&anyas_klist, kn);
+ AUDIT_ANYAS_KLIST_UNLOCK();
+
+ } else {
+ /*
+ * If this knote was created by any ASID kevent then remove
+ * from kevent propagation list.
+ */
+ if (kn->kn_hook != NULL) {
+ audit_rm_from_plist(kn);
+ kn->kn_hook = NULL;
+ }
+
+ /*
+ * Check to see if already detached.
+ */
+ se = kn->kn_ptr.p_se;
+ if (se != NULL) {
+ AUDIT_SE_KLIST_LOCK(se);
+ kn->kn_ptr.p_se = NULL;
+ KNOTE_DETACH(&se->se_klist, kn);
+ AUDIT_SE_KLIST_UNLOCK(se);
+ }
+ }
+}
+
+/*
+ * The touch filter for EVFILT_SESSION. Check for any ASID kevent updates and
+ * propagate the change.
+ */
+static void
+audit_filt_sessiontouch(struct knote *kn, struct kevent64_s *kev, long type)
+{
+ struct knote *ple_kn;
+ struct kqueue *kq;
+ au_sentry_t *se;
+ au_plisthead_t *plhead;
+ au_plist_t *plentry;
+ struct kevent64_s newkev;
+
+ switch (type) {
+ case EVENT_REGISTER:
+ kn->kn_sfflags = kev->fflags;
+ kn->kn_sdata = kev->data;
+ /*
+ * If an any ASID kevent was updated then we may need to
+ * propagate the update.
+ */
+ if (kev->ident == AS_ANY_ASID && kn->kn_hook != NULL) {
+
+ /*
+ * Propagate the change to each of the session kevents
+ * that were created by this any ASID kevent.
+ */
+ plhead = (au_plisthead_t *)kn->kn_hook;
+ AUDIT_PLIST_LOCK(plhead);
+ LIST_FOREACH(plentry, &plhead->ph_head, pl_link) {
+
+ if ((ple_kn = plentry->pl_knote) == NULL)
+ continue;
+ if ((se = ple_kn->kn_ptr.p_se) == NULL)
+ continue;
+ if ((kq = ple_kn->kn_kq) == NULL)
+ continue;
+
+ newkev.ident = plentry->pl_knote->kn_id;
+ newkev.filter = EVFILT_SESSION;
+ newkev.flags = kev->flags;
+ newkev.fflags = kev->fflags;
+ newkev.data = kev->data;
+ newkev.udata = kev->udata;
+ kevent_register(kq, &newkev, NULL);
+ }
+ AUDIT_PLIST_UNLOCK(plhead);
+ }
+ break;
+
+ case EVENT_PROCESS:
+ *kev = kn->kn_kevent;
+ if (kn->kn_flags & EV_CLEAR) {
+ kn->kn_data = 0;
+ kn->kn_fflags = 0;
+ }
+ break;
+
+ default:
+ KASSERT((type == EVENT_REGISTER || type == EVENT_PROCESS),
+ ("filt_sessiontouch(): invalid type (%ld)", type));
+ break;
+ }
+}
+
+/*
+ * Event filter for EVFILT_SESSION. The AUDIT_SE_KLIST_LOCK should be held
+ * by audit_session_knote().
+ */
+static int
+audit_filt_session(struct knote *kn, long hint)
+{
+ int events = (int)hint;
+ au_sentry_t *se = kn->kn_ptr.p_se;
+
+ if (hint != 0 && se != NULL) {
+
+ if (kn->kn_sfflags & events) {
+ kn->kn_fflags |= events;
+ kn->kn_data = se->se_auid;
+ }
+
+ /*
+ * If this is the last possible event for the knote,
+ * detach the knote from the audit session before the
+ * session goes away.
+ */
+ if (events & NOTE_AS_CLOSE) {
+
+ /*
+ * If created by any ASID kevent then remove from
+ * propagation list.
+ */
+ if (kn->kn_hook != NULL) {
+ audit_rm_from_plist(kn);
+ kn->kn_hook = NULL;
+ }
+ kn->kn_flags |= (EV_EOF | EV_ONESHOT);
+ kn->kn_ptr.p_se = NULL;
+ AUDIT_SE_KLIST_LOCK_ASSERT(se);
+ KNOTE_DETACH(&se->se_klist, kn);
+
+ return (1);
+ }
+ }
+ return (kn->kn_fflags != 0);
+}
+
+/*
+ * For all the consumers wanting events for all sessions, register new
+ * kevents associated with the session for the given ASID. The actual
+ * attachment is done by the EVFILT_SESSION attach filter above.
+ */
+static void
+audit_register_kevents(uint32_t asid, uint32_t auid)
+{
+ struct knote *kn;
+
+ AUDIT_ANYAS_KLIST_LOCK();
+ SLIST_FOREACH(kn, &anyas_klist, kn_selnext) {
+ struct kqueue *kq = kn->kn_kq;
+ struct kevent64_s kev;
+ int err;
+
+ kev.ident = asid;
+ kev.filter = EVFILT_SESSION;
+ kev.flags = kn->kn_flags | EV_ADD | EV_ENABLE | EV_ANY_ASID;
+ kev.fflags = kn->kn_sfflags;
+ kev.data = auid;
+ kev.udata = kn->kn_kevent.udata;
+
+ /*
+ * Save the knote ptr for this "any ASID" knote for the attach
+ * filter.
+ */
+ kev.ext[0] = (uint64_t)((uintptr_t)kn);
+
+ /*
+ * XXX kevent_register() may block here alloc'ing a new knote.
+ * We may want to think about using a lockless linked list or
+ * at least a sleep rwlock for the anyas_klist.
+ */
+ err = kevent_register(kq, &kev, NULL);
+ if (err)
+ kn->kn_fflags |= NOTE_AS_ERR;
+ }
+ AUDIT_ANYAS_KLIST_UNLOCK();
+}
+
+/*
+ * Safely update kauth cred of the given process with new the given audit info.
+ * If the newprocess flag is set then we need to account for this process in
+ * the proc count.
+ */
+int
+audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p, int newprocess)
+{
+ kauth_cred_t my_cred, my_new_cred;
+ struct au_session as;
+ struct au_session tmp_as;
+ auditinfo_addr_t caia;
+
+ /*
+ * If this is going to modify an existing session then do some
+ * immutable checks.
+ */
+ if (audit_session_lookup(aia_p->ai_asid, &caia) == 0) {
+
+ /*
+ * If the current audit ID is not the default then it is
+ * immutable.
+ */
+ if (caia.ai_auid != AU_DEFAUDITID &&
+ caia.ai_auid != aia_p->ai_auid)
+ return (EINVAL);
+
+ /*
+ * If the current termid is not the default then it is
+ * immutable.
+ */
+ if ((caia.ai_termid.at_type != AU_IPv4 ||
+ caia.ai_termid.at_port != 0 ||
+ caia.ai_termid.at_addr[0] != 0) &&
+ (caia.ai_termid.at_port != aia_p->ai_termid.at_port ||
+ caia.ai_termid.at_type != aia_p->ai_termid.at_type ||
+ bcmp(&caia.ai_termid.at_addr, &aia_p->ai_termid.at_addr,
+ sizeof (caia.ai_termid.at_addr) )) )
+ return (EINVAL);
+
+ /* The audit flags are immutable. */
+ if (caia.ai_flags != aia_p->ai_flags)
+ return (EINVAL);
+
+ /* The audit masks are mutable. */
+ }
+
+ my_cred = kauth_cred_proc_ref(p);
+ bcopy(&aia_p->ai_mask, &as.as_mask, sizeof(as.as_mask));
+ as.as_aia_p = audit_session_new(aia_p, newprocess);
+
+ /*
+ * We are modifying the audit info in a credential so we need a new
+ * credential (or take another reference on an existing credential that
+ * matches our new one). We must do this because the audit info in the
+ * credential is used as part of our hash key. Get current credential
+ * in the target process and take a reference while we muck with it.
+ */
+ for (;;) {
+
+ /*
+ * Set the credential with new info. If there is no change,
+ * we get back the same credential we passed in; if there is
+ * a change, we drop the reference on the credential we
+ * passed in. The subsequent compare is safe, because it is
+ * a pointer compare rather than a contents compare.
+ */
+ bcopy(&as, &tmp_as, sizeof(tmp_as));
+ my_new_cred = kauth_cred_setauditinfo(my_cred, &tmp_as);
+
+ if (my_cred != my_new_cred) {
+ proc_lock(p);
+ /* Need to protect for a race where another thread also
+ * changed the credential after we took our reference.
+ * If p_ucred has changed then we should restart this
+ * again with the new cred.
+ */
+ if (p->p_ucred != my_cred) {
+ proc_unlock(p);
+ audit_session_unref(my_new_cred);
+ kauth_cred_unref(&my_new_cred);
+ /* try again */
+ my_cred = kauth_cred_proc_ref(p);
+ continue;
+ }
+ p->p_ucred = my_new_cred;
+ proc_unlock(p);
+ }
+ /*
+ * Drop old proc reference or our extra reference.
+ */
+ kauth_cred_unref(&my_cred);
+ break;
+ }
+ audit_session_unref(my_new_cred);
+
+ /*
+ * Propagate the change from the process to the Mach task.
+ */
+ set_security_token(p);
+
+ return (0);
+}
+
+/*
+ * audit_session_self (system call)
+ *
+ * Description: Obtain a Mach send right for the current session.
+ *
+ * Parameters: p Process calling audit_session_self().
+ *
+ * Returns: *ret_port Named Mach send right, which may be
+ * MACH_PORT_NULL in the failure case.
+ *
+ * Errno: 0 Success
+ * EINVAL The calling process' session has not be set.
+ * ESRCH Bad process, can't get valid cred for process.
+ * ENOMEM Port allocation failed due to no free memory.
+ */
+int
+audit_session_self(proc_t p, __unused struct audit_session_self_args *uap,
+ mach_port_name_t *ret_port)
+{
+ ipc_port_t sendport = IPC_PORT_NULL;
+ kauth_cred_t cred = NULL;
+ auditinfo_addr_t *aia_p;
+ au_sentry_t *se;
+ int err = 0;
+
+ cred = kauth_cred_proc_ref(p);
+ if (!IS_VALID_CRED(cred)) {
+ err = ESRCH;
+ goto done;
+ }
+
+ aia_p = cred->cr_audit.as_aia_p;
+ if (!IS_VALID_SESSION(aia_p)) {
+ err = EINVAL;
+ goto done;
+ }
+
+ se = AU_SENTRY_PTR(aia_p);
+
+ /*
+ * Processes that join using this mach port will inherit this process'
+ * pre-selection masks.
+ */
+ if (se->se_port == IPC_PORT_NULL)
+ bcopy(&cred->cr_audit.as_mask, &se->se_mask,
+ sizeof(se->se_mask));
+
+ if ((sendport = audit_session_mksend(aia_p, &se->se_port)) == NULL) {
+ /* failed to alloc new port */
+ err = ENOMEM;
+ goto done;
+ }
+
+ /*
+ * This reference on the session is unref'ed in
+ * audit_session_port_destory(). This reference is needed so the
+ * session doesn't get dropped until the session join is done.
+ */
+ audit_ref_session(se);
+
+
+done:
+ if (cred != NULL)
+ kauth_cred_unref(&cred);
+ if (err == 0)
+ *ret_port = ipc_port_copyout_send(sendport,
+ get_task_ipcspace(p->task));
+ else
+ *ret_port = MACH_PORT_NULL;
+
+ return (err);
+}
+
+void
+audit_session_portaiadestroy(struct auditinfo_addr *port_aia_p)
+{
+ au_sentry_t *se;
+
+ KASSERT(port_aia_p != NULL,
+ ("audit_session_infodestroy: port_aia_p = NULL"));
+
+ se = AU_SENTRY_PTR(port_aia_p);
+
+ /*
+ * Drop the reference added in audit_session_self().
+ */
+ if (se != NULL) {
+ se->se_port = IPC_PORT_NULL;
+ audit_unref_session(se);
+ }
+
+}
+
+static int
+audit_session_join_internal(proc_t p, ipc_port_t port, au_asid_t *new_asid)
+{
+ auditinfo_addr_t *port_aia_p, *old_aia_p;
+ kauth_cred_t cred = NULL;
+ au_asid_t old_asid;
+ int err = 0;
+
+ *new_asid = AU_DEFAUDITSID;
+
+ if ((port_aia_p = audit_session_porttoaia(port)) == NULL) {
+ err = EINVAL;
+ goto done;
+ }
+ *new_asid = port_aia_p->ai_asid;
+
+ cred = kauth_cred_proc_ref(p);
+ if (!IS_VALID_CRED(cred)) {
+ kauth_cred_unref(&cred);
+ err = ESRCH;
+ goto done;
+ }
+ old_aia_p = cred->cr_audit.as_aia_p;
+ old_asid = old_aia_p->ai_asid;
+
+ /*
+ * Add process in if not already in the session.
+ */
+ if (*new_asid != old_asid) {
+ audit_session_setaia(p, port_aia_p, 1);
+ /*
+ * If this process was in a valid session before then we
+ * need to decrement the process count of the session it
+ * came from.
+ */
+ if (IS_VALID_SESSION(old_aia_p))
+ audit_dec_procount(AU_SENTRY_PTR(old_aia_p));
+ }
+ kauth_cred_unref(&cred);
+
+done:
+ if (port != IPC_PORT_NULL)
+ ipc_port_release_send(port);
+
+ return (err);
+}
+
+/*
+ * audit_session_spawnjoin
+ *
+ * Description: posix_spawn() interface to audit_session_join_internal().
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid Mach port name.
+ * ESRCH Invalid calling process/cred.
+ */
+int
+audit_session_spawnjoin(proc_t p, ipc_port_t port)
+{
+ au_asid_t new_asid;
+
+ return (audit_session_join_internal(p, port, &new_asid));
+}
+
+/*
+ * audit_session_join (system call)
+ *
+ * Description: Join the session for a given Mach port send right.
+ *
+ * Parameters: p Process calling session join.
+ * uap->port A Mach send right.
+ *
+ * Returns: *ret_asid Audit session ID of new session, which may
+ * be AU_DEFAUDITSID in the failure case.
+ *
+ * Errno: 0 Success
+ * EINVAL Invalid Mach port name.
+ * ESRCH Invalid calling process/cred.
+ */
+int
+audit_session_join(proc_t p, struct audit_session_join_args *uap,
+ au_asid_t *ret_asid)
+{
+ ipc_port_t port = IPC_PORT_NULL;
+ mach_port_name_t send = uap->port;
+ int err = 0;
+
+
+ if (ipc_object_copyin(get_task_ipcspace(p->task), send,
+ MACH_MSG_TYPE_COPY_SEND, &port) != KERN_SUCCESS) {
+ *ret_asid = AU_DEFAUDITSID;
+ err = EINVAL;
+ } else
+ err = audit_session_join_internal(p, port, ret_asid);
+
+ return (err);
+}
+
+#else
+
+int
+audit_session_self(proc_t p, struct audit_session_self_args *uap,
+ mach_port_name_t *ret_port)
+{
+#pragma unused(p, uap, ret_port)
+
+ return (ENOSYS);
+}
+
+int
+audit_session_join(proc_t p, struct audit_session_join_args *uap,
+ au_asid_t *ret_asid)
+{
+#pragma unused(p, uap, ret_asid)
+
+ return (ENOSYS);
+}
+
+#endif /* CONFIG_AUDIT */
projects / apple / xnu.git / blobdiff