audit_bsm_klib.c revision 170196 
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1.  Redistributions of source code must retain the above copyright
10 *     notice, this list of conditions and the following disclaimer.
11 * 2.  Redistributions in binary form must reproduce the above copyright
12 *     notice, this list of conditions and the following disclaimer in the
13 *     documentation and/or other materials provided with the distribution.
14 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 *     its contributors may be used to endorse or promote products derived
16 *     from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit_bsm_klib.c 170196 2007-06-01 21:58:59Z rwatson $
31 */
32
33#include <sys/param.h>
34#include <sys/fcntl.h>
35#include <sys/filedesc.h>
36#include <sys/libkern.h>
37#include <sys/malloc.h>
38#include <sys/mount.h>
39#include <sys/proc.h>
40#include <sys/sem.h>
41#include <sys/syscall.h>
42#include <sys/sysctl.h>
43#include <sys/sysent.h>
44#include <sys/vnode.h>
45
46#include <bsm/audit.h>
47#include <bsm/audit_kevents.h>
48#include <security/audit/audit.h>
49#include <security/audit/audit_private.h>
50
51/*
52 * Hash table functions for the audit event number to event class mask
53 * mapping.
54 */
55#define EVCLASSMAP_HASH_TABLE_SIZE 251
56struct evclass_elem {
57	au_event_t event;
58	au_class_t class;
59	LIST_ENTRY(evclass_elem) entry;
60};
61struct evclass_list {
62	LIST_HEAD(, evclass_elem) head;
63};
64
65static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
66static struct mtx		evclass_mtx;
67static struct evclass_list	evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
68
69/*
70 * Look up the class for an audit event in the class mapping table.
71 */
72au_class_t
73au_event_class(au_event_t event)
74{
75	struct evclass_list *evcl;
76	struct evclass_elem *evc;
77	au_class_t class;
78
79	mtx_lock(&evclass_mtx);
80	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
81	class = AU_NULL;
82	LIST_FOREACH(evc, &evcl->head, entry) {
83		if (evc->event == event) {
84			class = evc->class;
85			goto out;
86		}
87	}
88out:
89	mtx_unlock(&evclass_mtx);
90	return (class);
91}
92
93/*
94 * Insert a event to class mapping. If the event already exists in the
95 * mapping, then replace the mapping with the new one.
96 *
97 * XXX There is currently no constraints placed on the number of mappings.
98 * May want to either limit to a number, or in terms of memory usage.
99 */
100void
101au_evclassmap_insert(au_event_t event, au_class_t class)
102{
103	struct evclass_list *evcl;
104	struct evclass_elem *evc, *evc_new;
105
106	/*
107	 * Pessimistically, always allocate storage before acquiring mutex.
108	 * Free if there is already a mapping for this event.
109	 */
110	evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
111
112	mtx_lock(&evclass_mtx);
113	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
114	LIST_FOREACH(evc, &evcl->head, entry) {
115		if (evc->event == event) {
116			evc->class = class;
117			mtx_unlock(&evclass_mtx);
118			free(evc_new, M_AUDITEVCLASS);
119			return;
120		}
121	}
122	evc = evc_new;
123	evc->event = event;
124	evc->class = class;
125	LIST_INSERT_HEAD(&evcl->head, evc, entry);
126	mtx_unlock(&evclass_mtx);
127}
128
129void
130au_evclassmap_init(void)
131{
132	int i;
133
134	mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
135	for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
136		LIST_INIT(&evclass_hash[i].head);
137
138	/*
139	 * Set up the initial event to class mapping for system calls.
140	 *
141	 * XXXRW: Really, this should walk all possible audit events, not all
142	 * native ABI system calls, as there may be audit events reachable
143	 * only through non-native system calls.  It also seems a shame to
144	 * frob the mutex this early.
145	 */
146	for (i = 0; i < SYS_MAXSYSCALL; i++) {
147		if (sysent[i].sy_auevent != AUE_NULL)
148			au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL);
149	}
150}
151
152/*
153 * Check whether an event is aditable by comparing the mask of classes this
154 * event is part of against the given mask.
155 */
156int
157au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
158{
159	au_class_t effmask = 0;
160
161	if (mask_p == NULL)
162		return (-1);
163
164	/*
165	 * Perform the actual check of the masks against the event.
166	 */
167	if (sorf & AU_PRS_SUCCESS)
168		effmask |= (mask_p->am_success & class);
169
170	if (sorf & AU_PRS_FAILURE)
171		effmask |= (mask_p->am_failure & class);
172
173	if (effmask)
174		return (1);
175	else
176		return (0);
177}
178
179/*
180 * Convert sysctl names and present arguments to events.
181 */
182au_event_t
183ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
184{
185
186	/* can't parse it - so return the worst case */
187	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
188		return (AUE_SYSCTL);
189
190	switch (name[0]) {
191	/* non-admin "lookups" treat them special */
192	case KERN_OSTYPE:
193	case KERN_OSRELEASE:
194	case KERN_OSREV:
195	case KERN_VERSION:
196	case KERN_ARGMAX:
197	case KERN_CLOCKRATE:
198	case KERN_BOOTTIME:
199	case KERN_POSIX1:
200	case KERN_NGROUPS:
201	case KERN_JOB_CONTROL:
202	case KERN_SAVED_IDS:
203	case KERN_OSRELDATE:
204	case KERN_DUMMY:
205		return (AUE_SYSCTL_NONADMIN);
206
207	/* only treat the changeable controls as admin */
208	case KERN_MAXVNODES:
209	case KERN_MAXPROC:
210	case KERN_MAXFILES:
211	case KERN_MAXPROCPERUID:
212	case KERN_MAXFILESPERPROC:
213	case KERN_HOSTID:
214	case KERN_SECURELVL:
215	case KERN_HOSTNAME:
216	case KERN_VNODE:
217	case KERN_PROC:
218	case KERN_FILE:
219	case KERN_PROF:
220	case KERN_NISDOMAINNAME:
221	case KERN_UPDATEINTERVAL:
222	case KERN_NTP_PLL:
223	case KERN_BOOTFILE:
224	case KERN_DUMPDEV:
225	case KERN_IPC:
226	case KERN_PS_STRINGS:
227	case KERN_USRSTACK:
228	case KERN_LOGSIGEXIT:
229	case KERN_IOV_MAX:
230	case KERN_MAXID:
231		return ((valid_arg & ARG_VALUE) ?
232			AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
233
234	default:
235		return (AUE_SYSCTL);
236	}
237	/* NOTREACHED */
238}
239
240/*
241 * Convert an open flags specifier into a specific type of open event for
242 * auditing purposes.
243 */
244au_event_t
245flags_and_error_to_openevent(int oflags, int error)
246{
247	au_event_t aevent;
248
249	/*
250	 * Need to check only those flags we care about.
251	 */
252	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
253
254	/*
255	 * These checks determine what flags are on with the condition that
256	 * ONLY that combination is on, and no other flags are on.
257	 */
258	switch (oflags) {
259	case O_RDONLY:
260		aevent = AUE_OPEN_R;
261		break;
262
263	case (O_RDONLY | O_CREAT):
264		aevent = AUE_OPEN_RC;
265		break;
266
267	case (O_RDONLY | O_CREAT | O_TRUNC):
268		aevent = AUE_OPEN_RTC;
269		break;
270
271	case (O_RDONLY | O_TRUNC):
272		aevent = AUE_OPEN_RT;
273		break;
274
275	case O_RDWR:
276		aevent = AUE_OPEN_RW;
277		break;
278
279	case (O_RDWR | O_CREAT):
280		aevent = AUE_OPEN_RWC;
281		break;
282
283	case (O_RDWR | O_CREAT | O_TRUNC):
284		aevent = AUE_OPEN_RWTC;
285		break;
286
287	case (O_RDWR | O_TRUNC):
288		aevent = AUE_OPEN_RWT;
289		break;
290
291	case O_WRONLY:
292		aevent = AUE_OPEN_W;
293		break;
294
295	case (O_WRONLY | O_CREAT):
296		aevent = AUE_OPEN_WC;
297		break;
298
299	case (O_WRONLY | O_CREAT | O_TRUNC):
300		aevent = AUE_OPEN_WTC;
301		break;
302
303	case (O_WRONLY | O_TRUNC):
304		aevent = AUE_OPEN_WT;
305		break;
306
307	default:
308		aevent = AUE_OPEN;
309		break;
310	}
311
312#if 0
313	/*
314	 * Convert chatty errors to better matching events.  Failures to
315	 * find a file are really just attribute events -- so recast them as
316	 * such.
317	 *
318	 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
319	 * is just a placeholder.  However, in Darwin we return that in
320	 * preference to other events.  For now, comment this out as we don't
321	 * have a BSM conversion routine for AUE_OPEN.
322	 */
323	switch (aevent) {
324	case AUE_OPEN_R:
325	case AUE_OPEN_RT:
326	case AUE_OPEN_RW:
327	case AUE_OPEN_RWT:
328	case AUE_OPEN_W:
329	case AUE_OPEN_WT:
330		if (error == ENOENT)
331			aevent = AUE_OPEN;
332	}
333#endif
334	return (aevent);
335}
336
337/*
338 * Convert a MSGCTL command to a specific event.
339 */
340int
341msgctl_to_event(int cmd)
342{
343
344	switch (cmd) {
345	case IPC_RMID:
346		return (AUE_MSGCTL_RMID);
347
348	case IPC_SET:
349		return (AUE_MSGCTL_SET);
350
351	case IPC_STAT:
352		return (AUE_MSGCTL_STAT);
353
354	default:
355		/* We will audit a bad command. */
356		return (AUE_MSGCTL);
357	}
358}
359
360/*
361 * Convert a SEMCTL command to a specific event.
362 */
363int
364semctl_to_event(int cmd)
365{
366
367	switch (cmd) {
368	case GETALL:
369		return (AUE_SEMCTL_GETALL);
370
371	case GETNCNT:
372		return (AUE_SEMCTL_GETNCNT);
373
374	case GETPID:
375		return (AUE_SEMCTL_GETPID);
376
377	case GETVAL:
378		return (AUE_SEMCTL_GETVAL);
379
380	case GETZCNT:
381		return (AUE_SEMCTL_GETZCNT);
382
383	case IPC_RMID:
384		return (AUE_SEMCTL_RMID);
385
386	case IPC_SET:
387		return (AUE_SEMCTL_SET);
388
389	case SETALL:
390		return (AUE_SEMCTL_SETALL);
391
392	case SETVAL:
393		return (AUE_SEMCTL_SETVAL);
394
395	case IPC_STAT:
396		return (AUE_SEMCTL_STAT);
397
398	default:
399		/* We will audit a bad command */
400		return (AUE_SEMCTL);
401	}
402}
403
404/*
405 * Convert a command for the auditon() system call to a audit event.
406 */
407int
408auditon_command_event(int cmd)
409{
410
411	switch(cmd) {
412	case A_GETPOLICY:
413		return (AUE_AUDITON_GPOLICY);
414
415	case A_SETPOLICY:
416		return (AUE_AUDITON_SPOLICY);
417
418	case A_GETKMASK:
419		return (AUE_AUDITON_GETKMASK);
420
421	case A_SETKMASK:
422		return (AUE_AUDITON_SETKMASK);
423
424	case A_GETQCTRL:
425		return (AUE_AUDITON_GQCTRL);
426
427	case A_SETQCTRL:
428		return (AUE_AUDITON_SQCTRL);
429
430	case A_GETCWD:
431		return (AUE_AUDITON_GETCWD);
432
433	case A_GETCAR:
434		return (AUE_AUDITON_GETCAR);
435
436	case A_GETSTAT:
437		return (AUE_AUDITON_GETSTAT);
438
439	case A_SETSTAT:
440		return (AUE_AUDITON_SETSTAT);
441
442	case A_SETUMASK:
443		return (AUE_AUDITON_SETUMASK);
444
445	case A_SETSMASK:
446		return (AUE_AUDITON_SETSMASK);
447
448	case A_GETCOND:
449		return (AUE_AUDITON_GETCOND);
450
451	case A_SETCOND:
452		return (AUE_AUDITON_SETCOND);
453
454	case A_GETCLASS:
455		return (AUE_AUDITON_GETCLASS);
456
457	case A_SETCLASS:
458		return (AUE_AUDITON_SETCLASS);
459
460	case A_GETPINFO:
461	case A_SETPMASK:
462	case A_SETFSIZE:
463	case A_GETFSIZE:
464	case A_GETPINFO_ADDR:
465	case A_GETKAUDIT:
466	case A_SETKAUDIT:
467	default:
468		return (AUE_AUDITON);	/* No special record */
469	}
470}
471
472/*
473 * Create a canonical path from given path by prefixing either the root
474 * directory, or the current working directory.  If the process working
475 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
476 * but this results in a volfs name written to the audit log. So we will
477 * leave the filename starting with '/' in the audit log in this case.
478 *
479 * XXXRW: Since we combine two paths here, ideally a buffer of size
480 * MAXPATHLEN * 2 would be passed in.
481 */
482void
483canon_path(struct thread *td, char *path, char *cpath)
484{
485	char *bufp;
486	char *retbuf, *freebuf;
487	struct vnode *vnp;
488	struct filedesc *fdp;
489	int cisr, error, vfslocked;
490
491	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
492	    "canon_path() at %s:%d", __FILE__, __LINE__);
493
494	fdp = td->td_proc->p_fd;
495	bufp = path;
496	cisr = 0;
497	FILEDESC_SLOCK(fdp);
498	if (*(path) == '/') {
499		while (*(bufp) == '/')
500			bufp++;			/* Skip leading '/'s. */
501		/*
502		 * If no process root, or it is the same as the system root,
503		 * audit the path as passed in with a single '/'.
504		 */
505		if ((fdp->fd_rdir == NULL) ||
506		    (fdp->fd_rdir == rootvnode)) {
507			vnp = NULL;
508			bufp--;			/* Restore one '/'. */
509		} else {
510			vnp = fdp->fd_rdir;	/* Use process root. */
511			vref(vnp);
512		}
513	} else {
514		vnp = fdp->fd_cdir;	/* Prepend the current dir. */
515		cisr = (fdp->fd_rdir == fdp->fd_cdir);
516		vref(vnp);
517		bufp = path;
518	}
519	FILEDESC_SUNLOCK(fdp);
520	if (vnp != NULL) {
521		/*
522		 * XXX: vn_fullpath() on FreeBSD is "less reliable" than
523		 * vn_getpath() on Darwin, so this will need more attention
524		 * in the future.  Also, the question and string bounding
525		 * here seems a bit questionable and will also require
526		 * attention.
527		 */
528		vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
529		vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
530		error = vn_fullpath(td, vnp, &retbuf, &freebuf);
531		if (error == 0) {
532			/* Copy and free buffer allocated by vn_fullpath().
533			 * If the current working directory was the same as
534			 * the root directory, and the path was a relative
535			 * pathname, do not separate the two components with
536			 * the '/' character.
537			 */
538			snprintf(cpath, MAXPATHLEN, "%s%s%s", retbuf,
539			    cisr ? "" : "/", bufp);
540			free(freebuf, M_TEMP);
541		} else
542			cpath[0] = '\0';
543		vput(vnp);
544		VFS_UNLOCK_GIANT(vfslocked);
545	} else
546		strlcpy(cpath, bufp, MAXPATHLEN);
547}
548