audit_bsm_klib.c revision 182090 
1/*
2 * Copyright (c) 1999-2005 Apple Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1.  Redistributions of source code must retain the above copyright
10 *     notice, this list of conditions and the following disclaimer.
11 * 2.  Redistributions in binary form must reproduce the above copyright
12 *     notice, this list of conditions and the following disclaimer in the
13 *     documentation and/or other materials provided with the distribution.
14 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
15 *     its contributors may be used to endorse or promote products derived
16 *     from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm_klib.c 182090 2008-08-24 03:12:17Z csjp $");
33
34#include <sys/param.h>
35#include <sys/fcntl.h>
36#include <sys/filedesc.h>
37#include <sys/libkern.h>
38#include <sys/malloc.h>
39#include <sys/mount.h>
40#include <sys/proc.h>
41#include <sys/sem.h>
42#include <sys/sbuf.h>
43#include <sys/syscall.h>
44#include <sys/sysctl.h>
45#include <sys/sysent.h>
46#include <sys/vnode.h>
47
48#include <bsm/audit.h>
49#include <bsm/audit_kevents.h>
50#include <security/audit/audit.h>
51#include <security/audit/audit_private.h>
52
53/*
54 * Hash table functions for the audit event number to event class mask
55 * mapping.
56 */
57#define	EVCLASSMAP_HASH_TABLE_SIZE	251
58struct evclass_elem {
59	au_event_t event;
60	au_class_t class;
61	LIST_ENTRY(evclass_elem) entry;
62};
63struct evclass_list {
64	LIST_HEAD(, evclass_elem) head;
65};
66
67static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
68static struct mtx		evclass_mtx;
69static struct evclass_list	evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
70
71/*
72 * Look up the class for an audit event in the class mapping table.
73 */
74au_class_t
75au_event_class(au_event_t event)
76{
77	struct evclass_list *evcl;
78	struct evclass_elem *evc;
79	au_class_t class;
80
81	mtx_lock(&evclass_mtx);
82	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
83	class = 0;
84	LIST_FOREACH(evc, &evcl->head, entry) {
85		if (evc->event == event) {
86			class = evc->class;
87			goto out;
88		}
89	}
90out:
91	mtx_unlock(&evclass_mtx);
92	return (class);
93}
94
95/*
96 * Insert a event to class mapping. If the event already exists in the
97 * mapping, then replace the mapping with the new one.
98 *
99 * XXX There is currently no constraints placed on the number of mappings.
100 * May want to either limit to a number, or in terms of memory usage.
101 */
102void
103au_evclassmap_insert(au_event_t event, au_class_t class)
104{
105	struct evclass_list *evcl;
106	struct evclass_elem *evc, *evc_new;
107
108	/*
109	 * Pessimistically, always allocate storage before acquiring mutex.
110	 * Free if there is already a mapping for this event.
111	 */
112	evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
113
114	mtx_lock(&evclass_mtx);
115	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
116	LIST_FOREACH(evc, &evcl->head, entry) {
117		if (evc->event == event) {
118			evc->class = class;
119			mtx_unlock(&evclass_mtx);
120			free(evc_new, M_AUDITEVCLASS);
121			return;
122		}
123	}
124	evc = evc_new;
125	evc->event = event;
126	evc->class = class;
127	LIST_INSERT_HEAD(&evcl->head, evc, entry);
128	mtx_unlock(&evclass_mtx);
129}
130
131void
132au_evclassmap_init(void)
133{
134	int i;
135
136	mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
137	for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
138		LIST_INIT(&evclass_hash[i].head);
139
140	/*
141	 * Set up the initial event to class mapping for system calls.
142	 *
143	 * XXXRW: Really, this should walk all possible audit events, not all
144	 * native ABI system calls, as there may be audit events reachable
145	 * only through non-native system calls.  It also seems a shame to
146	 * frob the mutex this early.
147	 */
148	for (i = 0; i < SYS_MAXSYSCALL; i++) {
149		if (sysent[i].sy_auevent != AUE_NULL)
150			au_evclassmap_insert(sysent[i].sy_auevent, 0);
151	}
152}
153
154/*
155 * Check whether an event is aditable by comparing the mask of classes this
156 * event is part of against the given mask.
157 */
158int
159au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
160{
161	au_class_t effmask = 0;
162
163	if (mask_p == NULL)
164		return (-1);
165
166	/*
167	 * Perform the actual check of the masks against the event.
168	 */
169	if (sorf & AU_PRS_SUCCESS)
170		effmask |= (mask_p->am_success & class);
171
172	if (sorf & AU_PRS_FAILURE)
173		effmask |= (mask_p->am_failure & class);
174
175	if (effmask)
176		return (1);
177	else
178		return (0);
179}
180
181/*
182 * Convert sysctl names and present arguments to events.
183 */
184au_event_t
185audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
186{
187
188	/* can't parse it - so return the worst case */
189	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
190		return (AUE_SYSCTL);
191
192	switch (name[0]) {
193	/* non-admin "lookups" treat them special */
194	case KERN_OSTYPE:
195	case KERN_OSRELEASE:
196	case KERN_OSREV:
197	case KERN_VERSION:
198	case KERN_ARGMAX:
199	case KERN_CLOCKRATE:
200	case KERN_BOOTTIME:
201	case KERN_POSIX1:
202	case KERN_NGROUPS:
203	case KERN_JOB_CONTROL:
204	case KERN_SAVED_IDS:
205	case KERN_OSRELDATE:
206	case KERN_DUMMY:
207		return (AUE_SYSCTL_NONADMIN);
208
209	/* only treat the changeable controls as admin */
210	case KERN_MAXVNODES:
211	case KERN_MAXPROC:
212	case KERN_MAXFILES:
213	case KERN_MAXPROCPERUID:
214	case KERN_MAXFILESPERPROC:
215	case KERN_HOSTID:
216	case KERN_SECURELVL:
217	case KERN_HOSTNAME:
218	case KERN_VNODE:
219	case KERN_PROC:
220	case KERN_FILE:
221	case KERN_PROF:
222	case KERN_NISDOMAINNAME:
223	case KERN_UPDATEINTERVAL:
224	case KERN_NTP_PLL:
225	case KERN_BOOTFILE:
226	case KERN_DUMPDEV:
227	case KERN_IPC:
228	case KERN_PS_STRINGS:
229	case KERN_USRSTACK:
230	case KERN_LOGSIGEXIT:
231	case KERN_IOV_MAX:
232	case KERN_MAXID:
233		return ((valid_arg & ARG_VALUE) ?
234		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
235
236	default:
237		return (AUE_SYSCTL);
238	}
239	/* NOTREACHED */
240}
241
242/*
243 * Convert an open flags specifier into a specific type of open event for
244 * auditing purposes.
245 */
246au_event_t
247audit_flags_and_error_to_openevent(int oflags, int error)
248{
249	au_event_t aevent;
250
251	/*
252	 * Need to check only those flags we care about.
253	 */
254	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
255
256	/*
257	 * These checks determine what flags are on with the condition that
258	 * ONLY that combination is on, and no other flags are on.
259	 */
260	switch (oflags) {
261	case O_RDONLY:
262		aevent = AUE_OPEN_R;
263		break;
264
265	case (O_RDONLY | O_CREAT):
266		aevent = AUE_OPEN_RC;
267		break;
268
269	case (O_RDONLY | O_CREAT | O_TRUNC):
270		aevent = AUE_OPEN_RTC;
271		break;
272
273	case (O_RDONLY | O_TRUNC):
274		aevent = AUE_OPEN_RT;
275		break;
276
277	case O_RDWR:
278		aevent = AUE_OPEN_RW;
279		break;
280
281	case (O_RDWR | O_CREAT):
282		aevent = AUE_OPEN_RWC;
283		break;
284
285	case (O_RDWR | O_CREAT | O_TRUNC):
286		aevent = AUE_OPEN_RWTC;
287		break;
288
289	case (O_RDWR | O_TRUNC):
290		aevent = AUE_OPEN_RWT;
291		break;
292
293	case O_WRONLY:
294		aevent = AUE_OPEN_W;
295		break;
296
297	case (O_WRONLY | O_CREAT):
298		aevent = AUE_OPEN_WC;
299		break;
300
301	case (O_WRONLY | O_CREAT | O_TRUNC):
302		aevent = AUE_OPEN_WTC;
303		break;
304
305	case (O_WRONLY | O_TRUNC):
306		aevent = AUE_OPEN_WT;
307		break;
308
309	default:
310		aevent = AUE_OPEN;
311		break;
312	}
313
314#if 0
315	/*
316	 * Convert chatty errors to better matching events.  Failures to
317	 * find a file are really just attribute events -- so recast them as
318	 * such.
319	 *
320	 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
321	 * is just a placeholder.  However, in Darwin we return that in
322	 * preference to other events.  For now, comment this out as we don't
323	 * have a BSM conversion routine for AUE_OPEN.
324	 */
325	switch (aevent) {
326	case AUE_OPEN_R:
327	case AUE_OPEN_RT:
328	case AUE_OPEN_RW:
329	case AUE_OPEN_RWT:
330	case AUE_OPEN_W:
331	case AUE_OPEN_WT:
332		if (error == ENOENT)
333			aevent = AUE_OPEN;
334	}
335#endif
336	return (aevent);
337}
338
339/*
340 * Convert a MSGCTL command to a specific event.
341 */
342int
343audit_msgctl_to_event(int cmd)
344{
345
346	switch (cmd) {
347	case IPC_RMID:
348		return (AUE_MSGCTL_RMID);
349
350	case IPC_SET:
351		return (AUE_MSGCTL_SET);
352
353	case IPC_STAT:
354		return (AUE_MSGCTL_STAT);
355
356	default:
357		/* We will audit a bad command. */
358		return (AUE_MSGCTL);
359	}
360}
361
362/*
363 * Convert a SEMCTL command to a specific event.
364 */
365int
366audit_semctl_to_event(int cmd)
367{
368
369	switch (cmd) {
370	case GETALL:
371		return (AUE_SEMCTL_GETALL);
372
373	case GETNCNT:
374		return (AUE_SEMCTL_GETNCNT);
375
376	case GETPID:
377		return (AUE_SEMCTL_GETPID);
378
379	case GETVAL:
380		return (AUE_SEMCTL_GETVAL);
381
382	case GETZCNT:
383		return (AUE_SEMCTL_GETZCNT);
384
385	case IPC_RMID:
386		return (AUE_SEMCTL_RMID);
387
388	case IPC_SET:
389		return (AUE_SEMCTL_SET);
390
391	case SETALL:
392		return (AUE_SEMCTL_SETALL);
393
394	case SETVAL:
395		return (AUE_SEMCTL_SETVAL);
396
397	case IPC_STAT:
398		return (AUE_SEMCTL_STAT);
399
400	default:
401		/* We will audit a bad command. */
402		return (AUE_SEMCTL);
403	}
404}
405
406/*
407 * Convert a command for the auditon() system call to a audit event.
408 */
409int
410auditon_command_event(int cmd)
411{
412
413	switch(cmd) {
414	case A_GETPOLICY:
415		return (AUE_AUDITON_GPOLICY);
416
417	case A_SETPOLICY:
418		return (AUE_AUDITON_SPOLICY);
419
420	case A_GETKMASK:
421		return (AUE_AUDITON_GETKMASK);
422
423	case A_SETKMASK:
424		return (AUE_AUDITON_SETKMASK);
425
426	case A_GETQCTRL:
427		return (AUE_AUDITON_GQCTRL);
428
429	case A_SETQCTRL:
430		return (AUE_AUDITON_SQCTRL);
431
432	case A_GETCWD:
433		return (AUE_AUDITON_GETCWD);
434
435	case A_GETCAR:
436		return (AUE_AUDITON_GETCAR);
437
438	case A_GETSTAT:
439		return (AUE_AUDITON_GETSTAT);
440
441	case A_SETSTAT:
442		return (AUE_AUDITON_SETSTAT);
443
444	case A_SETUMASK:
445		return (AUE_AUDITON_SETUMASK);
446
447	case A_SETSMASK:
448		return (AUE_AUDITON_SETSMASK);
449
450	case A_GETCOND:
451		return (AUE_AUDITON_GETCOND);
452
453	case A_SETCOND:
454		return (AUE_AUDITON_SETCOND);
455
456	case A_GETCLASS:
457		return (AUE_AUDITON_GETCLASS);
458
459	case A_SETCLASS:
460		return (AUE_AUDITON_SETCLASS);
461
462	case A_GETPINFO:
463	case A_SETPMASK:
464	case A_SETFSIZE:
465	case A_GETFSIZE:
466	case A_GETPINFO_ADDR:
467	case A_GETKAUDIT:
468	case A_SETKAUDIT:
469	default:
470		return (AUE_AUDITON);	/* No special record */
471	}
472}
473
474/*
475 * Create a canonical path from given path by prefixing either the root
476 * directory, or the current working directory.  If the process working
477 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
478 * but this results in a volfs name written to the audit log. So we will
479 * leave the filename starting with '/' in the audit log in this case.
480 */
481void
482audit_canon_path(struct thread *td, char *path, char *cpath)
483{
484	struct vnode *cvnp, *rvnp;
485	char *rbuf, *fbuf, *copy;
486	struct filedesc *fdp;
487	struct sbuf sbf;
488	int error, cwir, locked;
489
490	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
491	    __func__,  __FILE__, __LINE__);
492
493	copy = path;
494	rvnp = cvnp = NULL;
495	fdp = td->td_proc->p_fd;
496	FILEDESC_SLOCK(fdp);
497	/*
498	 * Make sure that we handle the chroot(2) case.  If there is an
499	 * alternate root directory, prepend it to the audited pathname.
500	 */
501	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
502		rvnp = fdp->fd_rdir;
503		vhold(rvnp);
504	}
505	/*
506	 * If the supplied path is relative, make sure we capture the current
507	 * working directory so we can prepend it to the supplied relative
508	 * path.
509	 */
510	if (*path != '/') {
511		cvnp = fdp->fd_cdir;
512		vhold(cvnp);
513	}
514	cwir = (fdp->fd_rdir == fdp->fd_cdir);
515	FILEDESC_SUNLOCK(fdp);
516	/*
517	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
518	 * long.  If this is not the case, then we can run into serious trouble.
519	 */
520	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
521	/*
522	 * Strip leading forward slashes.
523	 */
524	while (*copy == '/')
525		copy++;
526	/*
527	 * Make sure we handle chroot(2) and prepend the global path to these
528	 * environments.
529	 *
530	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
531	 * on Darwin.  As a result, this may need some additional attention
532	 * in the future.
533	 */
534	if (rvnp != NULL) {
535		/*
536		 * Although unlikely, it is possible for filesystems to define
537		 * their own VOP_LOCK, so strictly speaking, we need to
538		 * conditionally pickup Giant around calls to vn_lock(9)
539		 */
540		locked = VFS_LOCK_GIANT(rvnp->v_mount);
541		vn_lock(rvnp, LK_EXCLUSIVE | LK_RETRY);
542		vdrop(rvnp);
543		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
544		VOP_UNLOCK(rvnp, 0);
545		VFS_UNLOCK_GIANT(locked);
546		if (error) {
547			cpath[0] = '\0';
548			if (cvnp != NULL)
549				vdrop(cvnp);
550			return;
551		}
552		(void) sbuf_cat(&sbf, rbuf);
553		free(fbuf, M_TEMP);
554	}
555	if (cvnp != NULL) {
556		locked = VFS_LOCK_GIANT(cvnp->v_mount);
557		vn_lock(cvnp, LK_EXCLUSIVE | LK_RETRY);
558		vdrop(cvnp);
559		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
560		VOP_UNLOCK(cvnp, 0);
561		VFS_UNLOCK_GIANT(locked);
562		if (error) {
563			cpath[0] = '\0';
564			return;
565		}
566		(void) sbuf_cat(&sbf, rbuf);
567		free(fbuf, M_TEMP);
568	}
569	if (cwir == 0 || (cwir != 0 && cvnp == NULL))
570		(void) sbuf_putc(&sbf, '/');
571	/*
572	 * Now that we have processed any alternate root and relative path
573	 * names, add the supplied pathname.
574	 */
575        (void) sbuf_cat(&sbf, copy);
576	/*
577	 * One or more of the previous sbuf operations could have resulted in
578	 * the supplied buffer being overflowed.  Check to see if this is the
579	 * case.
580	 */
581	if (sbuf_overflowed(&sbf) != 0) {
582		cpath[0] = '\0';
583		return;
584	}
585	sbuf_finish(&sbf);
586}
587