audit.c revision 176690 
1139790Simp/*
2118933Smarcel * Copyright (c) 1999-2005 Apple Computer, Inc.
3118933Smarcel * Copyright (c) 2006-2007 Robert N. M. Watson
4118933Smarcel * All rights reserved.
5118933Smarcel *
6118933Smarcel * Redistribution and use in source and binary forms, with or without
7118933Smarcel * modification, are permitted provided that the following conditions
8118933Smarcel * are met:
9118933Smarcel * 1.  Redistributions of source code must retain the above copyright
10118933Smarcel *     notice, this list of conditions and the following disclaimer.
11118933Smarcel * 2.  Redistributions in binary form must reproduce the above copyright
12118933Smarcel *     notice, this list of conditions and the following disclaimer in the
13118933Smarcel *     documentation and/or other materials provided with the distribution.
14118933Smarcel * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15118933Smarcel *     its contributors may be used to endorse or promote products derived
16118933Smarcel *     from this software without specific prior written permission.
17118933Smarcel *
18118933Smarcel * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19118933Smarcel * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20118933Smarcel * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21118933Smarcel * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22118933Smarcel * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23118933Smarcel * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24118933Smarcel * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25118933Smarcel * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26118933Smarcel * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27118933Smarcel * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28118933Smarcel * POSSIBILITY OF SUCH DAMAGE.
29118933Smarcel *
30118933Smarcel * $FreeBSD: head/sys/security/audit/audit.c 176690 2008-03-01 11:40:49Z rwatson $
31118933Smarcel */
32118933Smarcel
33118933Smarcel#include <sys/param.h>
34118933Smarcel#include <sys/condvar.h>
35118933Smarcel#include <sys/conf.h>
36118933Smarcel#include <sys/file.h>
37118933Smarcel#include <sys/filedesc.h>
38118933Smarcel#include <sys/fcntl.h>
39118933Smarcel#include <sys/ipc.h>
40118933Smarcel#include <sys/kernel.h>
41118933Smarcel#include <sys/kthread.h>
42118933Smarcel#include <sys/malloc.h>
43118981Smarcel#include <sys/mount.h>
44118981Smarcel#include <sys/namei.h>
45118981Smarcel#include <sys/priv.h>
46118933Smarcel#include <sys/proc.h>
47118933Smarcel#include <sys/queue.h>
48118981Smarcel#include <sys/socket.h>
49121635Smarcel#include <sys/socketvar.h>
50121635Smarcel#include <sys/protosw.h>
51118933Smarcel#include <sys/domain.h>
52118981Smarcel#include <sys/sysctl.h>
53118933Smarcel#include <sys/sysproto.h>
54118933Smarcel#include <sys/sysent.h>
55118981Smarcel#include <sys/systm.h>
56121635Smarcel#include <sys/ucred.h>
57121635Smarcel#include <sys/uio.h>
58118933Smarcel#include <sys/un.h>
59118981Smarcel#include <sys/unistd.h>
60118933Smarcel#include <sys/vnode.h>
61118933Smarcel
62118933Smarcel#include <bsm/audit.h>
63118933Smarcel#include <bsm/audit_internal.h>
64118933Smarcel#include <bsm/audit_kevents.h>
65
66#include <netinet/in.h>
67#include <netinet/in_pcb.h>
68
69#include <security/audit/audit.h>
70#include <security/audit/audit_private.h>
71
72#include <vm/uma.h>
73
74static uma_zone_t	audit_record_zone;
75static MALLOC_DEFINE(M_AUDITCRED, "audit_cred", "Audit cred storage");
76MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
77MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
78MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
79
80SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
81    "TrustedBSD audit controls");
82
83/*
84 * Audit control settings that are set/read by system calls and are hence
85 * non-static.
86 *
87 * Define the audit control flags.
88 */
89int			audit_enabled;
90int			audit_suspended;
91
92/*
93 * Flags controlling behavior in low storage situations.  Should we panic if
94 * a write fails?  Should we fail stop if we're out of disk space?
95 */
96int			audit_panic_on_write_fail;
97int			audit_fail_stop;
98int			audit_argv;
99int			audit_arge;
100
101/*
102 * Are we currently "failing stop" due to out of disk space?
103 */
104int			audit_in_failure;
105
106/*
107 * Global audit statistics.
108 */
109struct audit_fstat	audit_fstat;
110
111/*
112 * Preselection mask for non-attributable events.
113 */
114struct au_mask		audit_nae_mask;
115
116/*
117 * Mutex to protect global variables shared between various threads and
118 * processes.
119 */
120struct mtx		audit_mtx;
121
122/*
123 * Queue of audit records ready for delivery to disk.  We insert new records
124 * at the tail, and remove records from the head.  Also, a count of the
125 * number of records used for checking queue depth.  In addition, a counter
126 * of records that we have allocated but are not yet in the queue, which is
127 * needed to estimate the total size of the combined set of records
128 * outstanding in the system.
129 */
130struct kaudit_queue	audit_q;
131int			audit_q_len;
132int			audit_pre_q_len;
133
134/*
135 * Audit queue control settings (minimum free, low/high water marks, etc.)
136 */
137struct au_qctrl		audit_qctrl;
138
139/*
140 * Condition variable to signal to the worker that it has work to do: either
141 * new records are in the queue, or a log replacement is taking place.
142 */
143struct cv		audit_worker_cv;
144
145/*
146 * Condition variable to flag when crossing the low watermark, meaning that
147 * threads blocked due to hitting the high watermark can wake up and continue
148 * to commit records.
149 */
150struct cv		audit_watermark_cv;
151
152/*
153 * Condition variable for  auditing threads wait on when in fail-stop mode.
154 * Threads wait on this CV forever (and ever), never seeing the light of day
155 * again.
156 */
157static struct cv	audit_fail_cv;
158
159/*
160 * Construct an audit record for the passed thread.
161 */
162static int
163audit_record_ctor(void *mem, int size, void *arg, int flags)
164{
165	struct kaudit_record *ar;
166	struct thread *td;
167
168	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
169
170	td = arg;
171	ar = mem;
172	bzero(ar, sizeof(*ar));
173	ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
174	nanotime(&ar->k_ar.ar_starttime);
175
176	/*
177	 * Export the subject credential.
178	 */
179	cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred);
180	ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid;
181	ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid;
182	ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0];
183	ar->k_ar.ar_subj_auid = td->td_ucred->cr_audit.ai_auid;
184	ar->k_ar.ar_subj_asid = td->td_ucred->cr_audit.ai_asid;
185	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
186	ar->k_ar.ar_subj_amask = td->td_ucred->cr_audit.ai_mask;
187	ar->k_ar.ar_subj_term_addr = td->td_ucred->cr_audit.ai_termid;
188	return (0);
189}
190
191static void
192audit_record_dtor(void *mem, int size, void *arg)
193{
194	struct kaudit_record *ar;
195
196	KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
197
198	ar = mem;
199	if (ar->k_ar.ar_arg_upath1 != NULL)
200		free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
201	if (ar->k_ar.ar_arg_upath2 != NULL)
202		free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
203	if (ar->k_ar.ar_arg_text != NULL)
204		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
205	if (ar->k_udata != NULL)
206		free(ar->k_udata, M_AUDITDATA);
207	if (ar->k_ar.ar_arg_argv != NULL)
208		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
209	if (ar->k_ar.ar_arg_envv != NULL)
210		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
211}
212
213/*
214 * Initialize the Audit subsystem: configuration state, work queue,
215 * synchronization primitives, worker thread, and trigger device node.  Also
216 * call into the BSM assembly code to initialize it.
217 */
218static void
219audit_init(void)
220{
221
222	audit_enabled = 0;
223	audit_suspended = 0;
224	audit_panic_on_write_fail = 0;
225	audit_fail_stop = 0;
226	audit_in_failure = 0;
227	audit_argv = 0;
228	audit_arge = 0;
229
230	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded. */
231	audit_fstat.af_currsz = 0;
232	audit_nae_mask.am_success = 0;
233	audit_nae_mask.am_failure = 0;
234
235	TAILQ_INIT(&audit_q);
236	audit_q_len = 0;
237	audit_pre_q_len = 0;
238	audit_qctrl.aq_hiwater = AQ_HIWATER;
239	audit_qctrl.aq_lowater = AQ_LOWATER;
240	audit_qctrl.aq_bufsz = AQ_BUFSZ;
241	audit_qctrl.aq_minfree = AU_FS_MINFREE;
242
243	mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
244	cv_init(&audit_worker_cv, "audit_worker_cv");
245	cv_init(&audit_watermark_cv, "audit_watermark_cv");
246	cv_init(&audit_fail_cv, "audit_fail_cv");
247
248	audit_record_zone = uma_zcreate("audit_record",
249	    sizeof(struct kaudit_record), audit_record_ctor,
250	    audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
251
252	/* Initialize the BSM audit subsystem. */
253	kau_init();
254
255	audit_trigger_init();
256
257	/* Register shutdown handler. */
258	EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
259	    SHUTDOWN_PRI_FIRST);
260
261	/* Start audit worker thread. */
262	audit_worker_init();
263}
264
265SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL)
266
267/*
268 * Drain the audit queue and close the log at shutdown.  Note that this can
269 * be called both from the system shutdown path and also from audit
270 * configuration syscalls, so 'arg' and 'howto' are ignored.
271 */
272void
273audit_shutdown(void *arg, int howto)
274{
275
276	audit_rotate_vnode(NULL, NULL);
277}
278
279/*
280 * Return the current thread's audit record, if any.
281 */
282struct kaudit_record *
283currecord(void)
284{
285
286	return (curthread->td_ar);
287}
288
289/*
290 * XXXAUDIT: There are a number of races present in the code below due to
291 * release and re-grab of the mutex.  The code should be revised to become
292 * slightly less racy.
293 *
294 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
295 * pre_q space, suspending the system call until there is room?
296 */
297struct kaudit_record *
298audit_new(int event, struct thread *td)
299{
300	struct kaudit_record *ar;
301	int no_record;
302
303	mtx_lock(&audit_mtx);
304	no_record = (audit_suspended || !audit_enabled);
305	mtx_unlock(&audit_mtx);
306	if (no_record)
307		return (NULL);
308
309	/*
310	 * Note: the number of outstanding uncommitted audit records is
311	 * limited to the number of concurrent threads servicing system calls
312	 * in the kernel.
313	 */
314	ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
315	ar->k_ar.ar_event = event;
316
317	mtx_lock(&audit_mtx);
318	audit_pre_q_len++;
319	mtx_unlock(&audit_mtx);
320
321	return (ar);
322}
323
324void
325audit_free(struct kaudit_record *ar)
326{
327
328	uma_zfree(audit_record_zone, ar);
329}
330
331void
332audit_commit(struct kaudit_record *ar, int error, int retval)
333{
334	au_event_t event;
335	au_class_t class;
336	au_id_t auid;
337	int sorf;
338	struct au_mask *aumask;
339
340	if (ar == NULL)
341		return;
342
343	/*
344	 * Decide whether to commit the audit record by checking the error
345	 * value from the system call and using the appropriate audit mask.
346	 */
347	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
348		aumask = &audit_nae_mask;
349	else
350		aumask = &ar->k_ar.ar_subj_amask;
351
352	if (error)
353		sorf = AU_PRS_FAILURE;
354	else
355		sorf = AU_PRS_SUCCESS;
356
357	switch(ar->k_ar.ar_event) {
358	case AUE_OPEN_RWTC:
359		/*
360		 * The open syscall always writes a AUE_OPEN_RWTC event;
361		 * change it to the proper type of event based on the flags
362		 * and the error value.
363		 */
364		ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
365		    ar->k_ar.ar_arg_fflags, error);
366		break;
367
368	case AUE_SYSCTL:
369		ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
370		    ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
371		break;
372
373	case AUE_AUDITON:
374		/* Convert the auditon() command to an event. */
375		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
376		break;
377	}
378
379	auid = ar->k_ar.ar_subj_auid;
380	event = ar->k_ar.ar_event;
381	class = au_event_class(event);
382
383	ar->k_ar_commit |= AR_COMMIT_KERNEL;
384	if (au_preselect(event, class, aumask, sorf) != 0)
385		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
386	if (audit_pipe_preselect(auid, event, class, sorf,
387	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
388		ar->k_ar_commit |= AR_PRESELECT_PIPE;
389	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
390	    AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE)) == 0) {
391		mtx_lock(&audit_mtx);
392		audit_pre_q_len--;
393		mtx_unlock(&audit_mtx);
394		audit_free(ar);
395		return;
396	}
397
398	ar->k_ar.ar_errno = error;
399	ar->k_ar.ar_retval = retval;
400	nanotime(&ar->k_ar.ar_endtime);
401
402	/*
403	 * Note: it could be that some records initiated while audit was
404	 * enabled should still be committed?
405	 */
406	mtx_lock(&audit_mtx);
407	if (audit_suspended || !audit_enabled) {
408		audit_pre_q_len--;
409		mtx_unlock(&audit_mtx);
410		audit_free(ar);
411		return;
412	}
413
414	/*
415	 * Constrain the number of committed audit records based on the
416	 * configurable parameter.
417	 */
418	while (audit_q_len >= audit_qctrl.aq_hiwater)
419		cv_wait(&audit_watermark_cv, &audit_mtx);
420
421	TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
422	audit_q_len++;
423	audit_pre_q_len--;
424	cv_signal(&audit_worker_cv);
425	mtx_unlock(&audit_mtx);
426}
427
428/*
429 * audit_syscall_enter() is called on entry to each system call.  It is
430 * responsible for deciding whether or not to audit the call (preselection),
431 * and if so, allocating a per-thread audit record.  audit_new() will fill in
432 * basic thread/credential properties.
433 */
434void
435audit_syscall_enter(unsigned short code, struct thread *td)
436{
437	struct au_mask *aumask;
438	au_class_t class;
439	au_event_t event;
440	au_id_t auid;
441
442	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
443
444	/*
445	 * In FreeBSD, each ABI has its own system call table, and hence
446	 * mapping of system call codes to audit events.  Convert the code to
447	 * an audit event identifier using the process system call table
448	 * reference.  In Darwin, there's only one, so we use the global
449	 * symbol for the system call table.  No audit record is generated
450	 * for bad system calls, as no operation has been performed.
451	 */
452	if (code >= td->td_proc->p_sysent->sv_size)
453		return;
454
455	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
456	if (event == AUE_NULL)
457		return;
458
459	/*
460	 * Check which audit mask to use; either the kernel non-attributable
461	 * event mask or the process audit mask.
462	 */
463	auid = td->td_ucred->cr_audit.ai_auid;
464	if (auid == AU_DEFAUDITID)
465		aumask = &audit_nae_mask;
466	else
467		aumask = &td->td_ucred->cr_audit.ai_mask;
468
469	/*
470	 * Allocate an audit record, if preselection allows it, and store in
471	 * the thread for later use.
472	 */
473	class = au_event_class(event);
474	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
475		/*
476		 * If we're out of space and need to suspend unprivileged
477		 * processes, do that here rather than trying to allocate
478		 * another audit record.
479		 *
480		 * Note: we might wish to be able to continue here in the
481		 * future, if the system recovers.  That should be possible
482		 * by means of checking the condition in a loop around
483		 * cv_wait().  It might be desirable to reevaluate whether an
484		 * audit record is still required for this event by
485		 * re-calling au_preselect().
486		 */
487		if (audit_in_failure &&
488		    priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
489			cv_wait(&audit_fail_cv, &audit_mtx);
490			panic("audit_failing_stop: thread continued");
491		}
492		td->td_ar = audit_new(event, td);
493	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
494		td->td_ar = audit_new(event, td);
495	else
496		td->td_ar = NULL;
497}
498
499/*
500 * audit_syscall_exit() is called from the return of every system call, or in
501 * the event of exit1(), during the execution of exit1().  It is responsible
502 * for committing the audit record, if any, along with return condition.
503 */
504void
505audit_syscall_exit(int error, struct thread *td)
506{
507	int retval;
508
509	/*
510	 * Commit the audit record as desired; once we pass the record into
511	 * audit_commit(), the memory is owned by the audit subsystem.  The
512	 * return value from the system call is stored on the user thread.
513	 * If there was an error, the return value is set to -1, imitating
514	 * the behavior of the cerror routine.
515	 */
516	if (error)
517		retval = -1;
518	else
519		retval = td->td_retval[0];
520
521	audit_commit(td->td_ar, error, retval);
522	td->td_ar = NULL;
523}
524
525void
526audit_cred_copy(struct ucred *src, struct ucred *dest)
527{
528
529	bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit));
530}
531
532void
533audit_cred_destroy(struct ucred *cred)
534{
535
536}
537
538void
539audit_cred_init(struct ucred *cred)
540{
541
542	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
543}
544
545/*
546 * Initialize audit information for the first kernel process (proc 0) and for
547 * the first user process (init).
548 */
549void
550audit_cred_kproc0(struct ucred *cred)
551{
552
553	cred->cr_audit.ai_auid = AU_DEFAUDITID;
554	cred->cr_audit.ai_termid.at_type = AU_IPv4;
555}
556
557void
558audit_cred_proc1(struct ucred *cred)
559{
560
561	cred->cr_audit.ai_auid = AU_DEFAUDITID;
562	cred->cr_audit.ai_termid.at_type = AU_IPv4;
563}
564
565void
566audit_thread_alloc(struct thread *td)
567{
568
569	td->td_ar = NULL;
570}
571
572void
573audit_thread_free(struct thread *td)
574{
575
576	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
577}
578
579void
580audit_proc_coredump(struct thread *td, char *path, int errcode)
581{
582	struct kaudit_record *ar;
583	struct au_mask *aumask;
584	au_class_t class;
585	int ret, sorf;
586	char **pathp;
587	au_id_t auid;
588
589	ret = 0;
590
591	/*
592	 * Make sure we are using the correct preselection mask.
593	 */
594	auid = td->td_ucred->cr_audit.ai_auid;
595	if (auid == AU_DEFAUDITID)
596		aumask = &audit_nae_mask;
597	else
598		aumask = &td->td_ucred->cr_audit.ai_mask;
599	/*
600	 * It's possible for coredump(9) generation to fail.  Make sure that
601	 * we handle this case correctly for preselection.
602	 */
603	if (errcode != 0)
604		sorf = AU_PRS_FAILURE;
605	else
606		sorf = AU_PRS_SUCCESS;
607	class = au_event_class(AUE_CORE);
608	if (au_preselect(AUE_CORE, class, aumask, sorf) == 0)
609		return;
610	/*
611	 * If we are interested in seeing this audit record, allocate it.
612	 * Where possible coredump records should contain a pathname and arg32
613	 * (signal) tokens.
614	 */
615	ar = audit_new(AUE_CORE, td);
616	if (path != NULL) {
617		pathp = &ar->k_ar.ar_arg_upath1;
618		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
619		audit_canon_path(td, path, *pathp);
620		ARG_SET_VALID(ar, ARG_UPATH1);
621	}
622	ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
623	ARG_SET_VALID(ar, ARG_SIGNUM);
624	if (errcode != 0)
625		ret = 1;
626	audit_commit(ar, errcode, ret);
627}
628