audit.c revision 161813 
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2006 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1.  Redistributions of source code must retain the above copyright
10 *     notice, this list of conditions and the following disclaimer.
11 * 2.  Redistributions in binary form must reproduce the above copyright
12 *     notice, this list of conditions and the following disclaimer in the
13 *     documentation and/or other materials provided with the distribution.
14 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 *     its contributors may be used to endorse or promote products derived
16 *     from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit.c 161813 2006-09-01 11:45:40Z wsalamon $
31 */
32
33#include <sys/param.h>
34#include <sys/condvar.h>
35#include <sys/conf.h>
36#include <sys/file.h>
37#include <sys/filedesc.h>
38#include <sys/fcntl.h>
39#include <sys/ipc.h>
40#include <sys/kernel.h>
41#include <sys/kthread.h>
42#include <sys/malloc.h>
43#include <sys/mount.h>
44#include <sys/namei.h>
45#include <sys/proc.h>
46#include <sys/queue.h>
47#include <sys/socket.h>
48#include <sys/socketvar.h>
49#include <sys/protosw.h>
50#include <sys/domain.h>
51#include <sys/sysproto.h>
52#include <sys/sysent.h>
53#include <sys/systm.h>
54#include <sys/ucred.h>
55#include <sys/uio.h>
56#include <sys/un.h>
57#include <sys/unistd.h>
58#include <sys/vnode.h>
59
60#include <bsm/audit.h>
61#include <bsm/audit_internal.h>
62#include <bsm/audit_kevents.h>
63
64#include <netinet/in.h>
65#include <netinet/in_pcb.h>
66
67#include <security/audit/audit.h>
68#include <security/audit/audit_private.h>
69
70#include <vm/uma.h>
71
72static uma_zone_t	audit_record_zone;
73static MALLOC_DEFINE(M_AUDITPROC, "audit_proc", "Audit process storage");
74MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
75MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
76MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
77
78/*
79 * Audit control settings that are set/read by system calls and are
80 * hence non-static.
81 */
82/*
83 * Define the audit control flags.
84 */
85int			audit_enabled;
86int			audit_suspended;
87
88/*
89 * Flags controlling behavior in low storage situations.
90 * Should we panic if a write fails?  Should we fail stop
91 * if we're out of disk space?
92 */
93int			audit_panic_on_write_fail;
94int			audit_fail_stop;
95int			audit_argv;
96int			audit_arge;
97
98/*
99 * Are we currently "failing stop" due to out of disk space?
100 */
101int			audit_in_failure;
102
103/*
104 * Global audit statistiscs.
105 */
106struct audit_fstat	audit_fstat;
107
108/*
109 * Preselection mask for non-attributable events.
110 */
111struct au_mask		audit_nae_mask;
112
113/*
114 * Mutex to protect global variables shared between various threads and
115 * processes.
116 */
117struct mtx		audit_mtx;
118
119/*
120 * Queue of audit records ready for delivery to disk.  We insert new
121 * records at the tail, and remove records from the head.  Also,
122 * a count of the number of records used for checking queue depth.
123 * In addition, a counter of records that we have allocated but are
124 * not yet in the queue, which is needed to estimate the total
125 * size of the combined set of records outstanding in the system.
126 */
127struct kaudit_queue	audit_q;
128int			audit_q_len;
129int			audit_pre_q_len;
130
131/*
132 * Audit queue control settings (minimum free, low/high water marks, etc.)
133 */
134struct au_qctrl		audit_qctrl;
135
136/*
137 * Condition variable to signal to the worker that it has work to do:
138 * either new records are in the queue, or a log replacement is taking
139 * place.
140 */
141struct cv		audit_worker_cv;
142
143/*
144 * Condition variable to flag when crossing the low watermark, meaning that
145 * threads blocked due to hitting the high watermark can wake up and continue
146 * to commit records.
147 */
148struct cv		audit_watermark_cv;
149
150/*
151 * Condition variable for  auditing threads wait on when in fail-stop mode.
152 * Threads wait on this CV forever (and ever), never seeing the light of
153 * day again.
154 */
155static struct cv	audit_fail_cv;
156
157/*
158 * Construct an audit record for the passed thread.
159 */
160static int
161audit_record_ctor(void *mem, int size, void *arg, int flags)
162{
163	struct kaudit_record *ar;
164	struct thread *td;
165
166	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
167
168	td = arg;
169	ar = mem;
170	bzero(ar, sizeof(*ar));
171	ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
172	nanotime(&ar->k_ar.ar_starttime);
173
174	/*
175	 * Export the subject credential.
176	 */
177	cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred);
178	ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid;
179	ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid;
180	ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0];
181	PROC_LOCK(td->td_proc);
182	ar->k_ar.ar_subj_auid = td->td_proc->p_au->ai_auid;
183	ar->k_ar.ar_subj_asid = td->td_proc->p_au->ai_asid;
184	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
185	ar->k_ar.ar_subj_amask = td->td_proc->p_au->ai_mask;
186	ar->k_ar.ar_subj_term = td->td_proc->p_au->ai_termid;
187	bcopy(td->td_proc->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
188	PROC_UNLOCK(td->td_proc);
189
190	return (0);
191}
192
193static void
194audit_record_dtor(void *mem, int size, void *arg)
195{
196	struct kaudit_record *ar;
197
198	KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
199
200	ar = mem;
201	if (ar->k_ar.ar_arg_upath1 != NULL)
202		free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
203	if (ar->k_ar.ar_arg_upath2 != NULL)
204		free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
205	if (ar->k_ar.ar_arg_text != NULL)
206		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
207	if (ar->k_udata != NULL)
208		free(ar->k_udata, M_AUDITDATA);
209	if (ar->k_ar.ar_arg_argv != NULL)
210		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
211	if (ar->k_ar.ar_arg_envv != NULL)
212		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
213}
214
215/*
216 * Initialize the Audit subsystem: configuration state, work queue,
217 * synchronization primitives, worker thread, and trigger device node.  Also
218 * call into the BSM assembly code to initialize it.
219 */
220static void
221audit_init(void)
222{
223
224	printf("Security auditing service present\n");
225	audit_enabled = 0;
226	audit_suspended = 0;
227	audit_panic_on_write_fail = 0;
228	audit_fail_stop = 0;
229	audit_in_failure = 0;
230	audit_argv = 0;
231	audit_arge = 0;
232
233	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded */
234	audit_fstat.af_currsz = 0;
235	audit_nae_mask.am_success = AU_NULL;
236	audit_nae_mask.am_failure = AU_NULL;
237
238	TAILQ_INIT(&audit_q);
239	audit_q_len = 0;
240	audit_pre_q_len = 0;
241	audit_qctrl.aq_hiwater = AQ_HIWATER;
242	audit_qctrl.aq_lowater = AQ_LOWATER;
243	audit_qctrl.aq_bufsz = AQ_BUFSZ;
244	audit_qctrl.aq_minfree = AU_FS_MINFREE;
245
246	mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
247	cv_init(&audit_worker_cv, "audit_worker_cv");
248	cv_init(&audit_watermark_cv, "audit_watermark_cv");
249	cv_init(&audit_fail_cv, "audit_fail_cv");
250
251	audit_record_zone = uma_zcreate("audit_record",
252	    sizeof(struct kaudit_record), audit_record_ctor,
253	    audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
254
255	/* Initialize the BSM audit subsystem. */
256	kau_init();
257
258	audit_trigger_init();
259
260	/* Register shutdown handler. */
261	EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
262	    SHUTDOWN_PRI_FIRST);
263
264	/* Start audit worker thread. */
265	audit_worker_init();
266}
267
268SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL)
269
270/*
271 * Drain the audit queue and close the log at shutdown.  Note that this can
272 * be called both from the system shutdown path and also from audit
273 * configuration syscalls, so 'arg' and 'howto' are ignored.
274 */
275void
276audit_shutdown(void *arg, int howto)
277{
278
279	audit_rotate_vnode(NULL, NULL);
280}
281
282/*
283 * Return the current thread's audit record, if any.
284 */
285__inline__ struct kaudit_record *
286currecord(void)
287{
288
289	return (curthread->td_ar);
290}
291
292/*
293 * MPSAFE
294 *
295 * XXXAUDIT: There are a number of races present in the code below due to
296 * release and re-grab of the mutex.  The code should be revised to become
297 * slightly less racy.
298 *
299 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
300 * pre_q space, suspending the system call until there is room?
301 */
302struct kaudit_record *
303audit_new(int event, struct thread *td)
304{
305	struct kaudit_record *ar;
306	int no_record;
307
308	mtx_lock(&audit_mtx);
309	no_record = (audit_suspended || !audit_enabled);
310	mtx_unlock(&audit_mtx);
311	if (no_record)
312		return (NULL);
313
314	/*
315	 * XXX: The number of outstanding uncommitted audit records is
316	 * limited to the number of concurrent threads servicing system
317	 * calls in the kernel.
318	 */
319	ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
320	ar->k_ar.ar_event = event;
321
322	mtx_lock(&audit_mtx);
323	audit_pre_q_len++;
324	mtx_unlock(&audit_mtx);
325
326	return (ar);
327}
328
329void
330audit_free(struct kaudit_record *ar)
331{
332
333	uma_zfree(audit_record_zone, ar);
334}
335
336/*
337 * MPSAFE
338 */
339void
340audit_commit(struct kaudit_record *ar, int error, int retval)
341{
342	au_event_t event;
343	au_class_t class;
344	au_id_t auid;
345	int sorf;
346	struct au_mask *aumask;
347
348	if (ar == NULL)
349		return;
350
351	/*
352	 * Decide whether to commit the audit record by checking the
353	 * error value from the system call and using the appropriate
354	 * audit mask.
355	 *
356	 * XXXAUDIT: Synchronize access to audit_nae_mask?
357	 */
358	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
359		aumask = &audit_nae_mask;
360	else
361		aumask = &ar->k_ar.ar_subj_amask;
362
363	if (error)
364		sorf = AU_PRS_FAILURE;
365	else
366		sorf = AU_PRS_SUCCESS;
367
368	switch(ar->k_ar.ar_event) {
369
370	case AUE_OPEN_RWTC:
371		/* The open syscall always writes a AUE_OPEN_RWTC event; change
372		 * it to the proper type of event based on the flags and the
373		 * error value.
374		 */
375		ar->k_ar.ar_event = flags_and_error_to_openevent(
376		    ar->k_ar.ar_arg_fflags, error);
377		break;
378
379	case AUE_SYSCTL:
380		ar->k_ar.ar_event = ctlname_to_sysctlevent(
381		    ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
382		break;
383
384	case AUE_AUDITON:
385		/* Convert the auditon() command to an event */
386		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
387		break;
388	}
389
390	auid = ar->k_ar.ar_subj_auid;
391	event = ar->k_ar.ar_event;
392	class = au_event_class(event);
393
394	ar->k_ar_commit |= AR_COMMIT_KERNEL;
395	if (au_preselect(event, class, aumask, sorf) != 0)
396		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
397	if (audit_pipe_preselect(auid, event, class, sorf,
398	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
399		ar->k_ar_commit |= AR_PRESELECT_PIPE;
400	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) ==
401	    0) {
402		mtx_lock(&audit_mtx);
403		audit_pre_q_len--;
404		mtx_unlock(&audit_mtx);
405		audit_free(ar);
406		return;
407	}
408
409	ar->k_ar.ar_errno = error;
410	ar->k_ar.ar_retval = retval;
411
412	/*
413	 * We might want to do some system-wide post-filtering
414	 * here at some point.
415	 */
416
417	/*
418	 * Timestamp system call end.
419	 */
420	nanotime(&ar->k_ar.ar_endtime);
421
422	mtx_lock(&audit_mtx);
423
424	/*
425	 * Note: it could be that some records initiated while audit was
426	 * enabled should still be committed?
427	 */
428	if (audit_suspended || !audit_enabled) {
429		audit_pre_q_len--;
430		mtx_unlock(&audit_mtx);
431		audit_free(ar);
432		return;
433	}
434
435	/*
436	 * Constrain the number of committed audit records based on
437	 * the configurable parameter.
438	 */
439	while (audit_q_len >= audit_qctrl.aq_hiwater) {
440		AUDIT_PRINTF(("audit_commit: sleeping to wait for "
441		   "audit queue to drain below high water mark\n"));
442		cv_wait(&audit_watermark_cv, &audit_mtx);
443		AUDIT_PRINTF(("audit_commit: woke up waiting for "
444		   "audit queue draining\n"));
445	}
446
447	TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
448	audit_q_len++;
449	audit_pre_q_len--;
450	cv_signal(&audit_worker_cv);
451	mtx_unlock(&audit_mtx);
452}
453
454/*
455 * audit_syscall_enter() is called on entry to each system call.  It is
456 * responsible for deciding whether or not to audit the call (preselection),
457 * and if so, allocating a per-thread audit record.  audit_new() will fill in
458 * basic thread/credential properties.
459 */
460void
461audit_syscall_enter(unsigned short code, struct thread *td)
462{
463	struct au_mask *aumask;
464	au_class_t class;
465	au_event_t event;
466	au_id_t auid;
467
468	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
469
470	/*
471	 * In FreeBSD, each ABI has its own system call table, and hence
472	 * mapping of system call codes to audit events.  Convert the code to
473	 * an audit event identifier using the process system call table
474	 * reference.  In Darwin, there's only one, so we use the global
475	 * symbol for the system call table.
476	 *
477	 * XXXAUDIT: Should we audit that a bad system call was made, and if
478	 * so, how?
479	 */
480	if (code >= td->td_proc->p_sysent->sv_size)
481		return;
482
483	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
484	if (event == AUE_NULL)
485		return;
486
487	/*
488	 * Check which audit mask to use; either the kernel non-attributable
489	 * event mask or the process audit mask.
490	 */
491	auid = td->td_proc->p_au->ai_auid;
492	if (auid == AU_DEFAUDITID)
493		aumask = &audit_nae_mask;
494	else
495		aumask = &td->td_proc->p_au->ai_mask;
496
497	/*
498	 * Allocate an audit record, if preselection allows it, and store
499	 * in the thread for later use.
500	 */
501	class = au_event_class(event);
502	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
503		/*
504		 * If we're out of space and need to suspend unprivileged
505		 * processes, do that here rather than trying to allocate
506		 * another audit record.
507		 *
508		 * XXXRW: We might wish to be able to continue here in the
509		 * future, if the system recovers.  That should be possible
510		 * by means of checking the condition in a loop around
511		 * cv_wait().  It might be desirable to reevaluate whether an
512		 * audit record is still required for this event by
513		 * re-calling au_preselect().
514		 */
515		if (audit_in_failure && suser(td) != 0) {
516			cv_wait(&audit_fail_cv, &audit_mtx);
517			panic("audit_failing_stop: thread continued");
518		}
519		td->td_ar = audit_new(event, td);
520	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
521		td->td_ar = audit_new(event, td);
522	else
523		td->td_ar = NULL;
524}
525
526/*
527 * audit_syscall_exit() is called from the return of every system call, or in
528 * the event of exit1(), during the execution of exit1().  It is responsible
529 * for committing the audit record, if any, along with return condition.
530 */
531void
532audit_syscall_exit(int error, struct thread *td)
533{
534	int retval;
535
536	/*
537	 * Commit the audit record as desired; once we pass the record
538	 * into audit_commit(), the memory is owned by the audit
539	 * subsystem.
540	 * The return value from the system call is stored on the user
541	 * thread. If there was an error, the return value is set to -1,
542	 * imitating the behavior of the cerror routine.
543	 */
544	if (error)
545		retval = -1;
546	else
547		retval = td->td_retval[0];
548
549	audit_commit(td->td_ar, error, retval);
550	if (td->td_ar != NULL)
551		AUDIT_PRINTF(("audit record committed by pid %d\n",
552			td->td_proc->p_pid));
553	td->td_ar = NULL;
554
555}
556
557/*
558 * Allocate storage for a new process (init, or otherwise).
559 */
560void
561audit_proc_alloc(struct proc *p)
562{
563
564	KASSERT(p->p_au == NULL, ("audit_proc_alloc: p->p_au != NULL (%d)",
565	    p->p_pid));
566	p->p_au = malloc(sizeof(*(p->p_au)), M_AUDITPROC, M_WAITOK);
567	/* XXXAUDIT: Zero?  Slab allocate? */
568	//printf("audit_proc_alloc: pid %d p_au %p\n", p->p_pid, p->p_au);
569}
570
571/*
572 * Allocate storage for a new thread.
573 */
574void
575audit_thread_alloc(struct thread *td)
576{
577
578	td->td_ar = NULL;
579}
580
581/*
582 * Thread destruction.
583 */
584void
585audit_thread_free(struct thread *td)
586{
587
588	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
589}
590
591/*
592 * Initialize the audit information for the a process, presumably the first
593 * process in the system.
594 * XXX It is not clear what the initial values should be for audit ID,
595 * session ID, etc.
596 */
597void
598audit_proc_kproc0(struct proc *p)
599{
600
601	KASSERT(p->p_au != NULL, ("audit_proc_kproc0: p->p_au == NULL (%d)",
602	    p->p_pid));
603	//printf("audit_proc_kproc0: pid %d p_au %p\n", p->p_pid, p->p_au);
604	bzero(p->p_au, sizeof(*(p)->p_au));
605}
606
607void
608audit_proc_init(struct proc *p)
609{
610
611	KASSERT(p->p_au != NULL, ("audit_proc_init: p->p_au == NULL (%d)",
612	    p->p_pid));
613	//printf("audit_proc_init: pid %d p_au %p\n", p->p_pid, p->p_au);
614	bzero(p->p_au, sizeof(*(p)->p_au));
615	p->p_au->ai_auid = AU_DEFAUDITID;
616}
617
618/*
619 * Copy the audit info from the parent process to the child process when
620 * a fork takes place.
621 */
622void
623audit_proc_fork(struct proc *parent, struct proc *child)
624{
625
626	PROC_LOCK_ASSERT(parent, MA_OWNED);
627	PROC_LOCK_ASSERT(child, MA_OWNED);
628	KASSERT(parent->p_au != NULL,
629	    ("audit_proc_fork: parent->p_au == NULL (%d)", parent->p_pid));
630	KASSERT(child->p_au != NULL,
631	    ("audit_proc_fork: child->p_au == NULL (%d)", child->p_pid));
632	//printf("audit_proc_fork: parent pid %d p_au %p\n", parent->p_pid,
633	//    parent->p_au);
634	//printf("audit_proc_fork: child pid %d p_au %p\n", child->p_pid,
635	//    child->p_au);
636	bcopy(parent->p_au, child->p_au, sizeof(*child->p_au));
637	/*
638	 * XXXAUDIT: Zero pointers to external memory, or assert they are
639	 * zero?
640	 */
641}
642
643/*
644 * Free the auditing structure for the process.
645 */
646void
647audit_proc_free(struct proc *p)
648{
649
650	KASSERT(p->p_au != NULL, ("p->p_au == NULL (%d)", p->p_pid));
651	//printf("audit_proc_free: pid %d p_au %p\n", p->p_pid, p->p_au);
652	/*
653	 * XXXAUDIT: Assert that external memory pointers are NULL?
654	 */
655	free(p->p_au, M_AUDITPROC);
656	p->p_au = NULL;
657}
658