auditd_darwin.c revision 293161
1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/types.h> 31 32#include <config/config.h> 33 34#include <errno.h> 35#include <stdarg.h> 36#include <stdlib.h> 37#include <unistd.h> 38 39#include <bsm/audit.h> 40#include <bsm/audit_uevents.h> 41#include <bsm/auditd_lib.h> 42#include <bsm/libbsm.h> 43 44#include <asl.h> 45#include <launch.h> 46#include <notify.h> 47#include <mach/port.h> 48#include <mach/mach_error.h> 49#include <mach/mach_traps.h> 50#include <mach/mach.h> 51#include <mach/host_special_ports.h> 52 53#include "auditd.h" 54 55#include "auditd_controlServer.h" 56#include "audit_triggersServer.h" 57 58/* 59 * Apple System Logger Handles. 60 */ 61static aslmsg au_aslmsg = NULL; 62static aslclient au_aslclient = NULL; 63 64static mach_port_t control_port = MACH_PORT_NULL; 65static mach_port_t signal_port = MACH_PORT_NULL; 66static mach_port_t port_set = MACH_PORT_NULL; 67 68/* 69 * Current auditing state (cache). 70 */ 71static int auditing_state = AUD_STATE_INIT; 72 73/* 74 * Maximum idle time before auditd terminates under launchd. 75 * If it is zero then auditd does not timeout while idle. 76 */ 77static int max_idletime = 0; 78 79#ifndef __BSM_INTERNAL_NOTIFY_KEY 80#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 81#endif /* __BSM_INTERNAL_NOTIFY_KEY */ 82 83#ifndef __AUDIT_LAUNCHD_LABEL 84#define __AUDIT_LAUNCHD_LABEL "com.apple.auditd" 85#endif /* __AUDIT_LAUNCHD_LABEL */ 86 87#define MAX_MSG_SIZE 4096 88 89/* 90 * Open and set up system logging. 91 */ 92void 93auditd_openlog(int debug, gid_t gid) 94{ 95 uint32_t opt = 0; 96 char *cp = NULL; 97 98 if (debug) 99 opt = ASL_OPT_STDERR; 100 101 au_aslclient = asl_open("auditd", "com.apple.auditd", opt); 102 au_aslmsg = asl_new(ASL_TYPE_MSG); 103 104#ifdef ASL_KEY_READ_UID 105 /* 106 * Make it only so the audit administrator and members of the audit 107 * review group (if used) have access to the auditd system log messages. 108 */ 109 asl_set(au_aslmsg, ASL_KEY_READ_UID, "0"); 110 asprintf(&cp, "%u", gid); 111 if (cp != NULL) { 112#ifdef ASL_KEY_READ_GID 113 asl_set(au_aslmsg, ASL_KEY_READ_GID, cp); 114#endif 115 free(cp); 116 } 117#endif 118 119 /* 120 * Set the client-side system log filtering. 121 */ 122 if (debug) 123 asl_set_filter(au_aslclient, 124 ASL_FILTER_MASK_UPTO(ASL_LEVEL_DEBUG)); 125 else 126 asl_set_filter(au_aslclient, 127 ASL_FILTER_MASK_UPTO(ASL_LEVEL_INFO)); 128} 129 130/* 131 * Log messages at different priority levels. 132 */ 133void 134auditd_log_err(const char *fmt, ...) 135{ 136 va_list ap; 137 138 va_start(ap, fmt); 139 asl_vlog(au_aslclient, au_aslmsg, ASL_LEVEL_ERR, fmt, ap); 140 va_end(ap); 141} 142 143void 144auditd_log_notice(const char *fmt, ...) 145{ 146 va_list ap; 147 148 va_start(ap, fmt); 149 asl_vlog(au_aslclient, au_aslmsg, ASL_LEVEL_NOTICE, fmt, ap); 150 va_end(ap); 151} 152 153void 154auditd_log_info(const char *fmt, ...) 155{ 156 va_list ap; 157 158 va_start(ap, fmt); 159 asl_vlog(au_aslclient, au_aslmsg, ASL_LEVEL_INFO, fmt, ap); 160 va_end(ap); 161} 162 163void 164auditd_log_debug(const char *fmt, ...) 165{ 166 va_list ap; 167 168 va_start(ap, fmt); 169 asl_vlog(au_aslclient, au_aslmsg, ASL_LEVEL_DEBUG, fmt, ap); 170 va_end(ap); 171} 172 173/* 174 * Get the auditing state from the kernel and cache it. 175 */ 176static void 177init_audit_state(void) 178{ 179 int au_cond; 180 181 if (audit_get_cond(&au_cond) < 0) { 182 if (errno != ENOSYS) { 183 auditd_log_err("Audit status check failed (%s)", 184 strerror(errno)); 185 } 186 auditing_state = AUD_STATE_DISABLED; 187 } else 188 if (au_cond == AUC_NOAUDIT || au_cond == AUC_DISABLED) 189 auditing_state = AUD_STATE_DISABLED; 190 else 191 auditing_state = AUD_STATE_ENABLED; 192} 193 194/* 195 * Update the cached auditing state. Let other tasks that may be caching it 196 * as well to update their state via notify(3). 197 */ 198void 199auditd_set_state(int state) 200{ 201 int old_auditing_state = auditing_state; 202 203 if (state == AUD_STATE_INIT) 204 init_audit_state(); 205 else 206 auditing_state = state; 207 208 if (auditing_state != old_auditing_state) { 209 notify_post(__BSM_INTERNAL_NOTIFY_KEY); 210 211 if (auditing_state == AUD_STATE_ENABLED) 212 auditd_log_notice("Auditing enabled"); 213 if (auditing_state == AUD_STATE_DISABLED) 214 auditd_log_notice("Auditing disabled"); 215 } 216} 217 218/* 219 * Get the cached auditing state. 220 */ 221int 222auditd_get_state(void) 223{ 224 225 if (auditing_state == AUD_STATE_INIT) { 226 init_audit_state(); 227 notify_post(__BSM_INTERNAL_NOTIFY_KEY); 228 } 229 230 return (auditing_state); 231} 232 233/* 234 * Lookup the audit mach port in the launchd dictionary. 235 */ 236static mach_port_t 237lookup_machport(const char *label) 238{ 239 launch_data_t msg, msd, ld, cdict, to; 240 mach_port_t mp = MACH_PORT_NULL; 241 242 msg = launch_data_new_string(LAUNCH_KEY_CHECKIN); 243 244 cdict = launch_msg(msg); 245 if (cdict == NULL) { 246 auditd_log_err("launch_msg(\"" LAUNCH_KEY_CHECKIN 247 "\") IPC failure: %m"); 248 return (MACH_PORT_NULL); 249 } 250 251 if (launch_data_get_type(cdict) == LAUNCH_DATA_ERRNO) { 252 errno = launch_data_get_errno(cdict); 253 auditd_log_err("launch_data_get_type() can't get dict: %m"); 254 return (MACH_PORT_NULL); 255 } 256 257 to = launch_data_dict_lookup(cdict, LAUNCH_JOBKEY_TIMEOUT); 258 if (to) { 259 max_idletime = launch_data_get_integer(to); 260 auditd_log_debug("launchd timeout set to %d", max_idletime); 261 } else { 262 auditd_log_debug("launchd timeout not set, setting to 60"); 263 max_idletime = 60; 264 } 265 266 msd = launch_data_dict_lookup(cdict, LAUNCH_JOBKEY_MACHSERVICES); 267 if (msd == NULL) { 268 auditd_log_err( 269 "launch_data_dict_lookup() can't get mach services"); 270 return (MACH_PORT_NULL); 271 } 272 273 ld = launch_data_dict_lookup(msd, label); 274 if (ld == NULL) { 275 auditd_log_err("launch_data_dict_lookup can't find %s", label); 276 return (MACH_PORT_NULL); 277 } 278 279 mp = launch_data_get_machport(ld); 280 281 return (mp); 282} 283 284static int 285mach_setup(int launchd_flag) 286{ 287 mach_msg_type_name_t poly; 288 289 /* 290 * Allocate a port set. 291 */ 292 if (mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_PORT_SET, 293 &port_set) != KERN_SUCCESS) { 294 auditd_log_err("Allocation of port set failed"); 295 return (-1); 296 } 297 298 299 /* 300 * Allocate a signal reflection port. 301 */ 302 if (mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, 303 &signal_port) != KERN_SUCCESS || 304 mach_port_move_member(mach_task_self(), signal_port, port_set) != 305 KERN_SUCCESS) { 306 auditd_log_err("Allocation of signal port failed"); 307 return (-1); 308 } 309 310 /* 311 * Allocate a trigger port. 312 */ 313 if (launchd_flag) { 314 /* 315 * If started under launchd, lookup port in launchd dictionary. 316 */ 317 if ((control_port = lookup_machport(__AUDIT_LAUNCHD_LABEL)) == 318 MACH_PORT_NULL || mach_port_move_member(mach_task_self(), 319 control_port, port_set) != KERN_SUCCESS) { 320 auditd_log_err("Cannot get Mach control port" 321 " via launchd"); 322 return (-1); 323 } else 324 auditd_log_debug("Mach control port registered" 325 " via launchd"); 326 } else { 327 /* 328 * If not started under launchd, allocate port and register. 329 */ 330 if (mach_port_allocate(mach_task_self(), 331 MACH_PORT_RIGHT_RECEIVE, &control_port) != KERN_SUCCESS || 332 mach_port_move_member(mach_task_self(), control_port, 333 port_set) != KERN_SUCCESS) 334 auditd_log_err("Allocation of trigger port failed"); 335 336 /* 337 * Create a send right on our trigger port. 338 */ 339 mach_port_extract_right(mach_task_self(), control_port, 340 MACH_MSG_TYPE_MAKE_SEND, &control_port, &poly); 341 342 /* 343 * Register the trigger port with the kernel. 344 */ 345 if (host_set_audit_control_port(mach_host_self(), 346 control_port) != KERN_SUCCESS) { 347 auditd_log_err("Cannot set Mach control port"); 348 return (-1); 349 } else 350 auditd_log_debug("Mach control port registered"); 351 } 352 353 return (0); 354} 355 356/* 357 * Open the trigger messaging mechanism. 358 */ 359int 360auditd_open_trigger(int launchd_flag) 361{ 362 363 return (mach_setup(launchd_flag)); 364} 365 366/* 367 * Close the trigger messaging mechanism. 368 */ 369int 370auditd_close_trigger(void) 371{ 372 373 return (0); 374} 375 376/* 377 * Combined server handler. Called by the mach message loop when there is 378 * a trigger or signal message. 379 */ 380static boolean_t 381auditd_combined_server(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP) 382{ 383 mach_port_t local_port = InHeadP->msgh_local_port; 384 385 /* Reset the idle time alarm, if used. */ 386 if (max_idletime) 387 alarm(max_idletime); 388 389 if (local_port == signal_port) { 390 int signo = InHeadP->msgh_id; 391 392 switch(signo) { 393 case SIGTERM: 394 case SIGALRM: 395 auditd_terminate(); 396 /* Not reached. */ 397 398 case SIGCHLD: 399 auditd_reap_children(); 400 return (TRUE); 401 402 case SIGHUP: 403 auditd_config_controls(); 404 return (TRUE); 405 406 default: 407 auditd_log_info("Received signal %d", signo); 408 return (TRUE); 409 } 410 } else if (local_port == control_port) { 411 boolean_t result; 412 413 result = audit_triggers_server(InHeadP, OutHeadP); 414 if (!result) 415 result = auditd_control_server(InHeadP, OutHeadP); 416 return (result); 417 } 418 auditd_log_info("Recevied msg on bad port 0x%x.", local_port); 419 return (FALSE); 420} 421 422/* 423 * The main event loop. Wait for trigger messages or signals and handle them. 424 * It should not return unless there is a problem. 425 */ 426void 427auditd_wait_for_events(void) 428{ 429 kern_return_t result; 430 431 /* 432 * Call the mach messaging server loop. 433 */ 434 result = mach_msg_server(auditd_combined_server, MAX_MSG_SIZE, 435 port_set, MACH_MSG_OPTION_NONE); 436} 437 438/* 439 * Implementation of the audit_triggers() MIG simpleroutine. Simply a 440 * wrapper function. This handles input from the kernel on the host 441 * special mach port. 442 */ 443kern_return_t 444audit_triggers(mach_port_t __unused audit_port, int trigger) 445{ 446 447 auditd_handle_trigger(trigger); 448 449 return (KERN_SUCCESS); 450} 451 452/* 453 * Implementation of the auditd_control() MIG simpleroutine. Simply a 454 * wrapper function. This handles input from the audit(1) tool. 455 */ 456kern_return_t 457auditd_control(mach_port_t __unused auditd_port, int trigger) 458{ 459 460 auditd_handle_trigger(trigger); 461 462 return (KERN_SUCCESS); 463} 464 465/* 466 * When we get a signal, we are often not at a clean point. So, little can 467 * be done in the signal handler itself. Instead, we send a message to the 468 * main servicing loop to do proper handling from a non-signal-handler 469 * context. 470 */ 471void 472auditd_relay_signal(int signal) 473{ 474 mach_msg_empty_send_t msg; 475 476 msg.header.msgh_id = signal; 477 msg.header.msgh_remote_port = signal_port; 478 msg.header.msgh_local_port = MACH_PORT_NULL; 479 msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0); 480 mach_msg(&(msg.header), MACH_SEND_MSG|MACH_SEND_TIMEOUT, sizeof(msg), 481 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); 482} 483