audit_bsm_klib.c revision 155192 
1218822Sdim/*
233965Sjdp * Copyright (c) 1999-2005 Apple Computer, Inc.
3218822Sdim * Copyright (c) 2005 Robert N. M. Watson
4218822Sdim * All rights reserved.
5218822Sdim *
638889Sjdp * Redistribution and use in source and binary forms, with or without
7218822Sdim * modification, are permitted provided that the following conditions
8218822Sdim * are met:
9218822Sdim * 1.  Redistributions of source code must retain the above copyright
1038889Sjdp *     notice, this list of conditions and the following disclaimer.
11218822Sdim * 2.  Redistributions in binary form must reproduce the above copyright
12218822Sdim *     notice, this list of conditions and the following disclaimer in the
1333965Sjdp *     documentation and/or other materials provided with the distribution.
14218822Sdim * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15218822Sdim *     its contributors may be used to endorse or promote products derived
16218822Sdim *     from this software without specific prior written permission.
1733965Sjdp *
18218822Sdim * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19218822Sdim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20218822Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2133965Sjdp * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22218822Sdim * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23218822Sdim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24218822Sdim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2533965Sjdp * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26218822Sdim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27218822Sdim * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28218822Sdim * POSSIBILITY OF SUCH DAMAGE.
2960484Sobrien *
30218822Sdim * $FreeBSD: head/sys/security/audit/audit_bsm_klib.c 155192 2006-02-01 20:01:18Z rwatson $
31218822Sdim */
32218822Sdim
3360484Sobrien#include <sys/param.h>
34218822Sdim#include <sys/fcntl.h>
35218822Sdim#include <sys/filedesc.h>
36218822Sdim#include <sys/libkern.h>
3760484Sobrien#include <sys/malloc.h>
38218822Sdim#include <sys/mount.h>
39218822Sdim#include <sys/proc.h>
40218822Sdim#include <sys/sem.h>
4160484Sobrien#include <sys/syscall.h>
42218822Sdim#include <sys/sysctl.h>
43218822Sdim#include <sys/sysent.h>
44218822Sdim#include <sys/vnode.h>
4560484Sobrien
46218822Sdim#include <bsm/audit.h>
47218822Sdim#include <bsm/audit_kevents.h>
48218822Sdim#include <security/audit/audit.h>
4933965Sjdp#include <security/audit/audit_private.h>
50218822Sdim
51218822Sdim/*
52218822Sdim * Hash table functions for the audit event number to event class mask
5333965Sjdp * mapping.
54218822Sdim */
55218822Sdim#define EVCLASSMAP_HASH_TABLE_SIZE 251
56218822Sdimstruct evclass_elem {
5733965Sjdp	au_event_t event;
58218822Sdim	au_class_t class;
59218822Sdim	LIST_ENTRY(evclass_elem) entry;
60218822Sdim};
6133965Sjdpstruct evclass_list {
62218822Sdim	LIST_HEAD(, evclass_elem) head;
63218822Sdim};
64218822Sdim
6533965Sjdpstatic MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
66218822Sdimstatic struct mtx evclass_mtx;
67218822Sdimstatic struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
68218822Sdim
69218822Sdim/*
7033965Sjdp * Look up the class for an audit event in the class mapping table.
7133965Sjdp */
72218822Sdimau_class_t
73218822Sdimau_event_class(au_event_t event)
74218822Sdim{
75218822Sdim	struct evclass_list *evcl;
7638889Sjdp	struct evclass_elem *evc;
7738889Sjdp	au_class_t class;
78218822Sdim
79218822Sdim	mtx_lock(&evclass_mtx);
80218822Sdim	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
81218822Sdim	class = AU_NULL;
82130561Sobrien	LIST_FOREACH(evc, &evcl->head, entry) {
83130561Sobrien		if (evc->event == event) {
84218822Sdim			class = evc->class;
85130561Sobrien			goto out;
86130561Sobrien		}
87218822Sdim	}
88130561Sobrienout:
89130561Sobrien	mtx_unlock(&evclass_mtx);
90218822Sdim	return (class);
91130561Sobrien}
92130561Sobrien
93218822Sdim/*
9460484Sobrien * Insert a event to class mapping. If the event already exists in the
9560484Sobrien * mapping, then replace the mapping with the new one.
96218822Sdim * XXX There is currently no constraints placed on the number of mappings.
9733965Sjdp *     May want to either limit to a number, or in terms of memory usage.
9833965Sjdp */
99218822Sdimvoid
10060484Sobrienau_evclassmap_insert(au_event_t event, au_class_t class)
10160484Sobrien{
102218822Sdim	struct evclass_list *evcl;
103218822Sdim	struct evclass_elem *evc, *evc_new;
10433965Sjdp
105218822Sdim	/*
106218822Sdim	 * Pessimistically, always allocate storage before acquiring mutex.
10733965Sjdp	 * Free if there is already a mapping for this event.
108218822Sdim	 */
109218822Sdim	evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
11060484Sobrien
111218822Sdim	mtx_lock(&evclass_mtx);
112218822Sdim	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
11360484Sobrien	LIST_FOREACH(evc, &evcl->head, entry) {
114218822Sdim		if (evc->event == event) {
115218822Sdim			evc->class = class;
11660484Sobrien			mtx_unlock(&evclass_mtx);
117218822Sdim			free(evc_new, M_AUDITEVCLASS);
118218822Sdim			return;
11933965Sjdp		}
120218822Sdim	}
121218822Sdim	evc = evc_new;
12260484Sobrien	evc->event = event;
123218822Sdim	evc->class = class;
124218822Sdim	LIST_INSERT_HEAD(&evcl->head, evc, entry);
12560484Sobrien	mtx_unlock(&evclass_mtx);
126218822Sdim}
127218822Sdim
12860484Sobrienvoid
129218822Sdimau_evclassmap_init(void)
130218822Sdim{
13160484Sobrien	int i;
132218822Sdim
133218822Sdim	mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
134130561Sobrien	for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
135218822Sdim		LIST_INIT(&evclass_hash[i].head);
136218822Sdim
13733965Sjdp	/*
138218822Sdim	 * Set up the initial event to class mapping for system calls.
139218822Sdim	 *
14060484Sobrien	 * XXXRW: Really, this should walk all possible audit events, not all
141218822Sdim	 * native ABI system calls, as there may be audit events reachable
142218822Sdim	 * only through non-native system calls.  It also seems a shame to
14360484Sobrien	 * frob the mutex this early.
144218822Sdim	 */
145218822Sdim	for (i = 0; i < SYS_MAXSYSCALL; i++) {
14633965Sjdp		if (sysent[i].sy_auevent != AUE_NULL)
147218822Sdim			au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL);
148218822Sdim	}
14960484Sobrien}
150218822Sdim
151218822Sdim/*
15260484Sobrien * Check whether an event is aditable by comparing the mask of classes this
153218822Sdim * event is part of against the given mask.
154218822Sdim */
15560484Sobrienint
156218822Sdimau_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
157218822Sdim{
15860484Sobrien	au_class_t effmask = 0;
159218822Sdim	au_class_t ae_class;
160218822Sdim
16160484Sobrien	if (mask_p == NULL)
162218822Sdim		return (-1);
163218822Sdim
164218822Sdim	ae_class = au_event_class(event);
165218822Sdim
166218822Sdim	/*
167218822Sdim	 * Perform the actual check of the masks against the event.
168218822Sdim	 */
16933965Sjdp	if (sorf & AU_PRS_SUCCESS)
17033965Sjdp		effmask |= (mask_p->am_success & ae_class);
171218822Sdim
172218822Sdim	if (sorf & AU_PRS_FAILURE)
173218822Sdim		effmask |= (mask_p->am_failure & ae_class);
174218822Sdim
17533965Sjdp	if (effmask)
17633965Sjdp		return (1);
177218822Sdim	else
178218822Sdim		return (0);
179218822Sdim}
180218822Sdim
18133965Sjdp/*
18233965Sjdp * Convert sysctl names and present arguments to events
183218822Sdim */
184218822Sdimau_event_t
18533965Sjdpctlname_to_sysctlevent(int name[], uint64_t valid_arg)
186218822Sdim{
187218822Sdim
188218822Sdim	/* can't parse it - so return the worst case */
189218822Sdim	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) !=
190218822Sdim	                 (ARG_CTLNAME | ARG_LEN))
191218822Sdim		return (AUE_SYSCTL);
192218822Sdim
193218822Sdim	switch (name[0]) {
19460484Sobrien	/* non-admin "lookups" treat them special */
19560484Sobrien	case KERN_OSTYPE:
196218822Sdim	case KERN_OSRELEASE:
19733965Sjdp	case KERN_OSREV:
19833965Sjdp	case KERN_VERSION:
199218822Sdim	case KERN_ARGMAX:
200218822Sdim	case KERN_CLOCKRATE:
20160484Sobrien	case KERN_BOOTTIME:
20260484Sobrien	case KERN_POSIX1:
203218822Sdim	case KERN_NGROUPS:
20460484Sobrien	case KERN_JOB_CONTROL:
20560484Sobrien	case KERN_SAVED_IDS:
206218822Sdim	case KERN_OSRELDATE:
207218822Sdim	case KERN_DUMMY:
208218822Sdim		return (AUE_SYSCTL_NONADMIN);
209218822Sdim
21033965Sjdp	/* only treat the changeable controls as admin */
21133965Sjdp	case KERN_MAXVNODES:
212218822Sdim	case KERN_MAXPROC:
213218822Sdim	case KERN_MAXFILES:
214218822Sdim	case KERN_MAXPROCPERUID:
215218822Sdim	case KERN_MAXFILESPERPROC:
21633965Sjdp	case KERN_HOSTID:
21733965Sjdp	case KERN_SECURELVL:
218218822Sdim	case KERN_HOSTNAME:
21933965Sjdp	case KERN_VNODE:
22060484Sobrien	case KERN_PROC:
221218822Sdim	case KERN_FILE:
222218822Sdim	case KERN_PROF:
22360484Sobrien	case KERN_NISDOMAINNAME:
224218822Sdim	case KERN_UPDATEINTERVAL:
225218822Sdim	case KERN_NTP_PLL:
226218822Sdim	case KERN_BOOTFILE:
227218822Sdim	case KERN_DUMPDEV:
22860484Sobrien	case KERN_IPC:
22960484Sobrien	case KERN_PS_STRINGS:
23060484Sobrien	case KERN_USRSTACK:
231218822Sdim	case KERN_LOGSIGEXIT:
232218822Sdim	case KERN_IOV_MAX:
23360484Sobrien	case KERN_MAXID:
234218822Sdim		return ((valid_arg & ARG_VALUE) ?
235218822Sdim			AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
23660484Sobrien
237218822Sdim	default:
238218822Sdim		return (AUE_SYSCTL);
23960484Sobrien	}
240218822Sdim	/* NOTREACHED */
241218822Sdim}
24260484Sobrien
243218822Sdim/*
244218822Sdim * Convert an open flags specifier into a specific type of open event for
24560484Sobrien * auditing purposes.
246218822Sdim */
247218822Sdimau_event_t
248130561Sobrienflags_and_error_to_openevent(int oflags, int error) {
249218822Sdim	au_event_t aevent;
250218822Sdim
251218822Sdim	/* Need to check only those flags we care about. */
252218822Sdim	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
253130561Sobrien
254130561Sobrien	/*
255218822Sdim	 * These checks determine what flags are on with the condition that
256218822Sdim	 * ONLY that combination is on, and no other flags are on.
25760484Sobrien	 */
258218822Sdim	switch (oflags) {
259218822Sdim	case O_RDONLY:
26060484Sobrien		aevent = AUE_OPEN_R;
261218822Sdim		break;
262218822Sdim
26360484Sobrien	case (O_RDONLY | O_CREAT):
264218822Sdim		aevent = AUE_OPEN_RC;
265218822Sdim		break;
26660484Sobrien
267218822Sdim	case (O_RDONLY | O_CREAT | O_TRUNC):
268218822Sdim		aevent = AUE_OPEN_RTC;
26960484Sobrien		break;
270218822Sdim
271218822Sdim	case (O_RDONLY | O_TRUNC):
27260484Sobrien		aevent = AUE_OPEN_RT;
273218822Sdim		break;
274218822Sdim
27599461Sobrien	case O_RDWR:
27660484Sobrien		aevent = AUE_OPEN_RW;
27760484Sobrien		break;
27860484Sobrien
279218822Sdim	case (O_RDWR | O_CREAT):
280218822Sdim		aevent = AUE_OPEN_RWC;
281130561Sobrien		break;
28260484Sobrien
28360484Sobrien	case (O_RDWR | O_CREAT | O_TRUNC):
28460484Sobrien		aevent = AUE_OPEN_RWTC;
285218822Sdim		break;
286218822Sdim
287218822Sdim	case (O_RDWR | O_TRUNC):
288218822Sdim		aevent = AUE_OPEN_RWT;
289218822Sdim		break;
290218822Sdim
291218822Sdim	case O_WRONLY:
292218822Sdim		aevent = AUE_OPEN_W;
293218822Sdim		break;
294218822Sdim
295	case (O_WRONLY | O_CREAT):
296		aevent = AUE_OPEN_WC;
297		break;
298
299	case (O_WRONLY | O_CREAT | O_TRUNC):
300		aevent = AUE_OPEN_WTC;
301		break;
302
303	case (O_WRONLY | O_TRUNC):
304		aevent = AUE_OPEN_WT;
305		break;
306
307	default:
308		aevent = AUE_OPEN;
309		break;
310	}
311
312#if 0
313	/*
314	 * Convert chatty errors to better matching events.
315	 * Failures to find a file are really just attribute
316	 * events - so recast them as such.
317	 *
318	 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
319	 * is just a placeholder.  However, in Darwin we return that in
320	 * preference to other events.  For now, comment this out as we don't
321	 * have a BSM conversion routine for AUE_OPEN.
322	 */
323	switch (aevent) {
324	case AUE_OPEN_R:
325	case AUE_OPEN_RT:
326	case AUE_OPEN_RW:
327	case AUE_OPEN_RWT:
328	case AUE_OPEN_W:
329	case AUE_OPEN_WT:
330		if (error == ENOENT)
331			aevent = AUE_OPEN;
332	}
333#endif
334	return (aevent);
335}
336
337/*
338 * Convert a MSGCTL command to a specific event.
339 */
340int
341msgctl_to_event(int cmd)
342{
343
344	switch (cmd) {
345	case IPC_RMID:
346		return (AUE_MSGCTL_RMID);
347
348	case IPC_SET:
349		return (AUE_MSGCTL_SET);
350
351	case IPC_STAT:
352		return (AUE_MSGCTL_STAT);
353
354	default:
355		/* We will audit a bad command */
356		return (AUE_MSGCTL);
357	}
358}
359
360/*
361 * Convert a SEMCTL command to a specific event.
362 */
363int
364semctl_to_event(int cmd)
365{
366
367	switch (cmd) {
368	case GETALL:
369		return (AUE_SEMCTL_GETALL);
370
371	case GETNCNT:
372		return (AUE_SEMCTL_GETNCNT);
373
374	case GETPID:
375		return (AUE_SEMCTL_GETPID);
376
377	case GETVAL:
378		return (AUE_SEMCTL_GETVAL);
379
380	case GETZCNT:
381		return (AUE_SEMCTL_GETZCNT);
382
383	case IPC_RMID:
384		return (AUE_SEMCTL_RMID);
385
386	case IPC_SET:
387		return (AUE_SEMCTL_SET);
388
389	case SETALL:
390		return (AUE_SEMCTL_SETALL);
391
392	case SETVAL:
393		return (AUE_SEMCTL_SETVAL);
394
395	case IPC_STAT:
396		return (AUE_SEMCTL_STAT);
397
398	default:
399		/* We will audit a bad command */
400		return (AUE_SEMCTL);
401	}
402}
403
404/*
405 * Convert a command for the auditon() system call to a audit event.
406 */
407int
408auditon_command_event(int cmd)
409{
410
411	switch(cmd) {
412	case A_GETPOLICY:
413		return (AUE_AUDITON_GPOLICY);
414
415	case A_SETPOLICY:
416		return (AUE_AUDITON_SPOLICY);
417
418	case A_GETKMASK:
419		return (AUE_AUDITON_GETKMASK);
420
421	case A_SETKMASK:
422		return (AUE_AUDITON_SETKMASK);
423
424	case A_GETQCTRL:
425		return (AUE_AUDITON_GQCTRL);
426
427	case A_SETQCTRL:
428		return (AUE_AUDITON_SQCTRL);
429
430	case A_GETCWD:
431		return (AUE_AUDITON_GETCWD);
432
433	case A_GETCAR:
434		return (AUE_AUDITON_GETCAR);
435
436	case A_GETSTAT:
437		return (AUE_AUDITON_GETSTAT);
438
439	case A_SETSTAT:
440		return (AUE_AUDITON_SETSTAT);
441
442	case A_SETUMASK:
443		return (AUE_AUDITON_SETUMASK);
444
445	case A_SETSMASK:
446		return (AUE_AUDITON_SETSMASK);
447
448	case A_GETCOND:
449		return (AUE_AUDITON_GETCOND);
450
451	case A_SETCOND:
452		return (AUE_AUDITON_SETCOND);
453
454	case A_GETCLASS:
455		return (AUE_AUDITON_GETCLASS);
456
457	case A_SETCLASS:
458		return (AUE_AUDITON_SETCLASS);
459
460	case A_GETPINFO:
461	case A_SETPMASK:
462	case A_SETFSIZE:
463	case A_GETFSIZE:
464	case A_GETPINFO_ADDR:
465	case A_GETKAUDIT:
466	case A_SETKAUDIT:
467	default:
468		return (AUE_AUDITON);	/* No special record */
469	}
470}
471
472/*
473 * Create a canonical path from given path by prefixing either the
474 * root directory, or the current working directory.
475 * If the process working directory is NULL, we could use 'rootvnode'
476 * to obtain the root directoty, but this results in a volfs name
477 * written to the audit log. So we will leave the filename starting
478 * with '/' in the audit log in this case.
479 *
480 * XXXRW: Since we combine two paths here, ideally a buffer of size
481 * MAXPATHLEN * 2 would be passed in.
482 */
483void
484canon_path(struct thread *td, char *path, char *cpath)
485{
486	char *bufp;
487	char *retbuf, *freebuf;
488	struct vnode *vnp;
489	struct filedesc *fdp;
490	int error, vfslocked;
491
492	fdp = td->td_proc->p_fd;
493	bufp = path;
494	FILEDESC_LOCK(fdp);
495	if (*(path) == '/') {
496		while (*(bufp) == '/')
497			bufp++;			/* skip leading '/'s	     */
498		/* If no process root, or it is the same as the system root,
499		 * audit the path as passed in with a single '/'.
500		 */
501		if ((fdp->fd_rdir == NULL) ||
502		    (fdp->fd_rdir == rootvnode)) {
503			vnp = NULL;
504			bufp--;			/* restore one '/'	     */
505		} else {
506			vnp = fdp->fd_rdir;	/* use process root	     */
507			vref(vnp);
508		}
509	} else {
510		vnp = fdp->fd_cdir;	/* prepend the current dir  */
511		vref(vnp);
512		bufp = path;
513	}
514	FILEDESC_UNLOCK(fdp);
515	if (vnp != NULL) {
516		/*
517		 * XXX: vn_fullpath() on FreeBSD is "less reliable"
518		 * than vn_getpath() on Darwin, so this will need more
519		 * attention in the future.  Also, the question and
520		 * string bounding here seems a bit questionable and
521		 * will also require attention.
522		 */
523		vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
524		vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
525		error = vn_fullpath(td, vnp, &retbuf, &freebuf);
526		if (error == 0) {
527			/* Copy and free buffer allocated by vn_fullpath() */
528			snprintf(cpath, MAXPATHLEN, "%s/%s", retbuf, bufp);
529			free(freebuf, M_TEMP);
530		} else {
531			cpath[0] = '\0';
532		}
533		vput(vnp);
534		VFS_UNLOCK_GIANT(vfslocked);
535	} else {
536		strlcpy(cpath, bufp, MAXPATHLEN);
537	}
538}
539