audit_bsm_klib.c revision 182090
1/* 2 * Copyright (c) 1999-2005 Apple Inc. 3 * Copyright (c) 2005 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31#include <sys/cdefs.h> 32__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm_klib.c 182090 2008-08-24 03:12:17Z csjp $"); 33 34#include <sys/param.h> 35#include <sys/fcntl.h> 36#include <sys/filedesc.h> 37#include <sys/libkern.h> 38#include <sys/malloc.h> 39#include <sys/mount.h> 40#include <sys/proc.h> 41#include <sys/sem.h> 42#include <sys/sbuf.h> 43#include <sys/syscall.h> 44#include <sys/sysctl.h> 45#include <sys/sysent.h> 46#include <sys/vnode.h> 47 48#include <bsm/audit.h> 49#include <bsm/audit_kevents.h> 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53/* 54 * Hash table functions for the audit event number to event class mask 55 * mapping. 56 */ 57#define EVCLASSMAP_HASH_TABLE_SIZE 251 58struct evclass_elem { 59 au_event_t event; 60 au_class_t class; 61 LIST_ENTRY(evclass_elem) entry; 62}; 63struct evclass_list { 64 LIST_HEAD(, evclass_elem) head; 65}; 66 67static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class"); 68static struct mtx evclass_mtx; 69static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE]; 70 71/* 72 * Look up the class for an audit event in the class mapping table. 73 */ 74au_class_t 75au_event_class(au_event_t event) 76{ 77 struct evclass_list *evcl; 78 struct evclass_elem *evc; 79 au_class_t class; 80 81 mtx_lock(&evclass_mtx); 82 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 83 class = 0; 84 LIST_FOREACH(evc, &evcl->head, entry) { 85 if (evc->event == event) { 86 class = evc->class; 87 goto out; 88 } 89 } 90out: 91 mtx_unlock(&evclass_mtx); 92 return (class); 93} 94 95/* 96 * Insert a event to class mapping. If the event already exists in the 97 * mapping, then replace the mapping with the new one. 98 * 99 * XXX There is currently no constraints placed on the number of mappings. 100 * May want to either limit to a number, or in terms of memory usage. 101 */ 102void 103au_evclassmap_insert(au_event_t event, au_class_t class) 104{ 105 struct evclass_list *evcl; 106 struct evclass_elem *evc, *evc_new; 107 108 /* 109 * Pessimistically, always allocate storage before acquiring mutex. 110 * Free if there is already a mapping for this event. 111 */ 112 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK); 113 114 mtx_lock(&evclass_mtx); 115 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 116 LIST_FOREACH(evc, &evcl->head, entry) { 117 if (evc->event == event) { 118 evc->class = class; 119 mtx_unlock(&evclass_mtx); 120 free(evc_new, M_AUDITEVCLASS); 121 return; 122 } 123 } 124 evc = evc_new; 125 evc->event = event; 126 evc->class = class; 127 LIST_INSERT_HEAD(&evcl->head, evc, entry); 128 mtx_unlock(&evclass_mtx); 129} 130 131void 132au_evclassmap_init(void) 133{ 134 int i; 135 136 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF); 137 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) 138 LIST_INIT(&evclass_hash[i].head); 139 140 /* 141 * Set up the initial event to class mapping for system calls. 142 * 143 * XXXRW: Really, this should walk all possible audit events, not all 144 * native ABI system calls, as there may be audit events reachable 145 * only through non-native system calls. It also seems a shame to 146 * frob the mutex this early. 147 */ 148 for (i = 0; i < SYS_MAXSYSCALL; i++) { 149 if (sysent[i].sy_auevent != AUE_NULL) 150 au_evclassmap_insert(sysent[i].sy_auevent, 0); 151 } 152} 153 154/* 155 * Check whether an event is aditable by comparing the mask of classes this 156 * event is part of against the given mask. 157 */ 158int 159au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf) 160{ 161 au_class_t effmask = 0; 162 163 if (mask_p == NULL) 164 return (-1); 165 166 /* 167 * Perform the actual check of the masks against the event. 168 */ 169 if (sorf & AU_PRS_SUCCESS) 170 effmask |= (mask_p->am_success & class); 171 172 if (sorf & AU_PRS_FAILURE) 173 effmask |= (mask_p->am_failure & class); 174 175 if (effmask) 176 return (1); 177 else 178 return (0); 179} 180 181/* 182 * Convert sysctl names and present arguments to events. 183 */ 184au_event_t 185audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg) 186{ 187 188 /* can't parse it - so return the worst case */ 189 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN)) 190 return (AUE_SYSCTL); 191 192 switch (name[0]) { 193 /* non-admin "lookups" treat them special */ 194 case KERN_OSTYPE: 195 case KERN_OSRELEASE: 196 case KERN_OSREV: 197 case KERN_VERSION: 198 case KERN_ARGMAX: 199 case KERN_CLOCKRATE: 200 case KERN_BOOTTIME: 201 case KERN_POSIX1: 202 case KERN_NGROUPS: 203 case KERN_JOB_CONTROL: 204 case KERN_SAVED_IDS: 205 case KERN_OSRELDATE: 206 case KERN_DUMMY: 207 return (AUE_SYSCTL_NONADMIN); 208 209 /* only treat the changeable controls as admin */ 210 case KERN_MAXVNODES: 211 case KERN_MAXPROC: 212 case KERN_MAXFILES: 213 case KERN_MAXPROCPERUID: 214 case KERN_MAXFILESPERPROC: 215 case KERN_HOSTID: 216 case KERN_SECURELVL: 217 case KERN_HOSTNAME: 218 case KERN_VNODE: 219 case KERN_PROC: 220 case KERN_FILE: 221 case KERN_PROF: 222 case KERN_NISDOMAINNAME: 223 case KERN_UPDATEINTERVAL: 224 case KERN_NTP_PLL: 225 case KERN_BOOTFILE: 226 case KERN_DUMPDEV: 227 case KERN_IPC: 228 case KERN_PS_STRINGS: 229 case KERN_USRSTACK: 230 case KERN_LOGSIGEXIT: 231 case KERN_IOV_MAX: 232 case KERN_MAXID: 233 return ((valid_arg & ARG_VALUE) ? 234 AUE_SYSCTL : AUE_SYSCTL_NONADMIN); 235 236 default: 237 return (AUE_SYSCTL); 238 } 239 /* NOTREACHED */ 240} 241 242/* 243 * Convert an open flags specifier into a specific type of open event for 244 * auditing purposes. 245 */ 246au_event_t 247audit_flags_and_error_to_openevent(int oflags, int error) 248{ 249 au_event_t aevent; 250 251 /* 252 * Need to check only those flags we care about. 253 */ 254 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 255 256 /* 257 * These checks determine what flags are on with the condition that 258 * ONLY that combination is on, and no other flags are on. 259 */ 260 switch (oflags) { 261 case O_RDONLY: 262 aevent = AUE_OPEN_R; 263 break; 264 265 case (O_RDONLY | O_CREAT): 266 aevent = AUE_OPEN_RC; 267 break; 268 269 case (O_RDONLY | O_CREAT | O_TRUNC): 270 aevent = AUE_OPEN_RTC; 271 break; 272 273 case (O_RDONLY | O_TRUNC): 274 aevent = AUE_OPEN_RT; 275 break; 276 277 case O_RDWR: 278 aevent = AUE_OPEN_RW; 279 break; 280 281 case (O_RDWR | O_CREAT): 282 aevent = AUE_OPEN_RWC; 283 break; 284 285 case (O_RDWR | O_CREAT | O_TRUNC): 286 aevent = AUE_OPEN_RWTC; 287 break; 288 289 case (O_RDWR | O_TRUNC): 290 aevent = AUE_OPEN_RWT; 291 break; 292 293 case O_WRONLY: 294 aevent = AUE_OPEN_W; 295 break; 296 297 case (O_WRONLY | O_CREAT): 298 aevent = AUE_OPEN_WC; 299 break; 300 301 case (O_WRONLY | O_CREAT | O_TRUNC): 302 aevent = AUE_OPEN_WTC; 303 break; 304 305 case (O_WRONLY | O_TRUNC): 306 aevent = AUE_OPEN_WT; 307 break; 308 309 default: 310 aevent = AUE_OPEN; 311 break; 312 } 313 314#if 0 315 /* 316 * Convert chatty errors to better matching events. Failures to 317 * find a file are really just attribute events -- so recast them as 318 * such. 319 * 320 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it 321 * is just a placeholder. However, in Darwin we return that in 322 * preference to other events. For now, comment this out as we don't 323 * have a BSM conversion routine for AUE_OPEN. 324 */ 325 switch (aevent) { 326 case AUE_OPEN_R: 327 case AUE_OPEN_RT: 328 case AUE_OPEN_RW: 329 case AUE_OPEN_RWT: 330 case AUE_OPEN_W: 331 case AUE_OPEN_WT: 332 if (error == ENOENT) 333 aevent = AUE_OPEN; 334 } 335#endif 336 return (aevent); 337} 338 339/* 340 * Convert a MSGCTL command to a specific event. 341 */ 342int 343audit_msgctl_to_event(int cmd) 344{ 345 346 switch (cmd) { 347 case IPC_RMID: 348 return (AUE_MSGCTL_RMID); 349 350 case IPC_SET: 351 return (AUE_MSGCTL_SET); 352 353 case IPC_STAT: 354 return (AUE_MSGCTL_STAT); 355 356 default: 357 /* We will audit a bad command. */ 358 return (AUE_MSGCTL); 359 } 360} 361 362/* 363 * Convert a SEMCTL command to a specific event. 364 */ 365int 366audit_semctl_to_event(int cmd) 367{ 368 369 switch (cmd) { 370 case GETALL: 371 return (AUE_SEMCTL_GETALL); 372 373 case GETNCNT: 374 return (AUE_SEMCTL_GETNCNT); 375 376 case GETPID: 377 return (AUE_SEMCTL_GETPID); 378 379 case GETVAL: 380 return (AUE_SEMCTL_GETVAL); 381 382 case GETZCNT: 383 return (AUE_SEMCTL_GETZCNT); 384 385 case IPC_RMID: 386 return (AUE_SEMCTL_RMID); 387 388 case IPC_SET: 389 return (AUE_SEMCTL_SET); 390 391 case SETALL: 392 return (AUE_SEMCTL_SETALL); 393 394 case SETVAL: 395 return (AUE_SEMCTL_SETVAL); 396 397 case IPC_STAT: 398 return (AUE_SEMCTL_STAT); 399 400 default: 401 /* We will audit a bad command. */ 402 return (AUE_SEMCTL); 403 } 404} 405 406/* 407 * Convert a command for the auditon() system call to a audit event. 408 */ 409int 410auditon_command_event(int cmd) 411{ 412 413 switch(cmd) { 414 case A_GETPOLICY: 415 return (AUE_AUDITON_GPOLICY); 416 417 case A_SETPOLICY: 418 return (AUE_AUDITON_SPOLICY); 419 420 case A_GETKMASK: 421 return (AUE_AUDITON_GETKMASK); 422 423 case A_SETKMASK: 424 return (AUE_AUDITON_SETKMASK); 425 426 case A_GETQCTRL: 427 return (AUE_AUDITON_GQCTRL); 428 429 case A_SETQCTRL: 430 return (AUE_AUDITON_SQCTRL); 431 432 case A_GETCWD: 433 return (AUE_AUDITON_GETCWD); 434 435 case A_GETCAR: 436 return (AUE_AUDITON_GETCAR); 437 438 case A_GETSTAT: 439 return (AUE_AUDITON_GETSTAT); 440 441 case A_SETSTAT: 442 return (AUE_AUDITON_SETSTAT); 443 444 case A_SETUMASK: 445 return (AUE_AUDITON_SETUMASK); 446 447 case A_SETSMASK: 448 return (AUE_AUDITON_SETSMASK); 449 450 case A_GETCOND: 451 return (AUE_AUDITON_GETCOND); 452 453 case A_SETCOND: 454 return (AUE_AUDITON_SETCOND); 455 456 case A_GETCLASS: 457 return (AUE_AUDITON_GETCLASS); 458 459 case A_SETCLASS: 460 return (AUE_AUDITON_SETCLASS); 461 462 case A_GETPINFO: 463 case A_SETPMASK: 464 case A_SETFSIZE: 465 case A_GETFSIZE: 466 case A_GETPINFO_ADDR: 467 case A_GETKAUDIT: 468 case A_SETKAUDIT: 469 default: 470 return (AUE_AUDITON); /* No special record */ 471 } 472} 473 474/* 475 * Create a canonical path from given path by prefixing either the root 476 * directory, or the current working directory. If the process working 477 * directory is NULL, we could use 'rootvnode' to obtain the root directory, 478 * but this results in a volfs name written to the audit log. So we will 479 * leave the filename starting with '/' in the audit log in this case. 480 */ 481void 482audit_canon_path(struct thread *td, char *path, char *cpath) 483{ 484 struct vnode *cvnp, *rvnp; 485 char *rbuf, *fbuf, *copy; 486 struct filedesc *fdp; 487 struct sbuf sbf; 488 int error, cwir, locked; 489 490 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d", 491 __func__, __FILE__, __LINE__); 492 493 copy = path; 494 rvnp = cvnp = NULL; 495 fdp = td->td_proc->p_fd; 496 FILEDESC_SLOCK(fdp); 497 /* 498 * Make sure that we handle the chroot(2) case. If there is an 499 * alternate root directory, prepend it to the audited pathname. 500 */ 501 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) { 502 rvnp = fdp->fd_rdir; 503 vhold(rvnp); 504 } 505 /* 506 * If the supplied path is relative, make sure we capture the current 507 * working directory so we can prepend it to the supplied relative 508 * path. 509 */ 510 if (*path != '/') { 511 cvnp = fdp->fd_cdir; 512 vhold(cvnp); 513 } 514 cwir = (fdp->fd_rdir == fdp->fd_cdir); 515 FILEDESC_SUNLOCK(fdp); 516 /* 517 * NB: We require that the supplied array be at least MAXPATHLEN bytes 518 * long. If this is not the case, then we can run into serious trouble. 519 */ 520 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN); 521 /* 522 * Strip leading forward slashes. 523 */ 524 while (*copy == '/') 525 copy++; 526 /* 527 * Make sure we handle chroot(2) and prepend the global path to these 528 * environments. 529 * 530 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9) 531 * on Darwin. As a result, this may need some additional attention 532 * in the future. 533 */ 534 if (rvnp != NULL) { 535 /* 536 * Although unlikely, it is possible for filesystems to define 537 * their own VOP_LOCK, so strictly speaking, we need to 538 * conditionally pickup Giant around calls to vn_lock(9) 539 */ 540 locked = VFS_LOCK_GIANT(rvnp->v_mount); 541 vn_lock(rvnp, LK_EXCLUSIVE | LK_RETRY); 542 vdrop(rvnp); 543 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf); 544 VOP_UNLOCK(rvnp, 0); 545 VFS_UNLOCK_GIANT(locked); 546 if (error) { 547 cpath[0] = '\0'; 548 if (cvnp != NULL) 549 vdrop(cvnp); 550 return; 551 } 552 (void) sbuf_cat(&sbf, rbuf); 553 free(fbuf, M_TEMP); 554 } 555 if (cvnp != NULL) { 556 locked = VFS_LOCK_GIANT(cvnp->v_mount); 557 vn_lock(cvnp, LK_EXCLUSIVE | LK_RETRY); 558 vdrop(cvnp); 559 error = vn_fullpath(td, cvnp, &rbuf, &fbuf); 560 VOP_UNLOCK(cvnp, 0); 561 VFS_UNLOCK_GIANT(locked); 562 if (error) { 563 cpath[0] = '\0'; 564 return; 565 } 566 (void) sbuf_cat(&sbf, rbuf); 567 free(fbuf, M_TEMP); 568 } 569 if (cwir == 0 || (cwir != 0 && cvnp == NULL)) 570 (void) sbuf_putc(&sbf, '/'); 571 /* 572 * Now that we have processed any alternate root and relative path 573 * names, add the supplied pathname. 574 */ 575 (void) sbuf_cat(&sbf, copy); 576 /* 577 * One or more of the previous sbuf operations could have resulted in 578 * the supplied buffer being overflowed. Check to see if this is the 579 * case. 580 */ 581 if (sbuf_overflowed(&sbf) != 0) { 582 cpath[0] = '\0'; 583 return; 584 } 585 sbuf_finish(&sbf); 586} 587