audit_bsm_klib.c revision 155192
1218822Sdim/* 233965Sjdp * Copyright (c) 1999-2005 Apple Computer, Inc. 3218822Sdim * Copyright (c) 2005 Robert N. M. Watson 4218822Sdim * All rights reserved. 5218822Sdim * 638889Sjdp * Redistribution and use in source and binary forms, with or without 7218822Sdim * modification, are permitted provided that the following conditions 8218822Sdim * are met: 9218822Sdim * 1. Redistributions of source code must retain the above copyright 1038889Sjdp * notice, this list of conditions and the following disclaimer. 11218822Sdim * 2. Redistributions in binary form must reproduce the above copyright 12218822Sdim * notice, this list of conditions and the following disclaimer in the 1333965Sjdp * documentation and/or other materials provided with the distribution. 14218822Sdim * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15218822Sdim * its contributors may be used to endorse or promote products derived 16218822Sdim * from this software without specific prior written permission. 1733965Sjdp * 18218822Sdim * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19218822Sdim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20218822Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2133965Sjdp * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22218822Sdim * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23218822Sdim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24218822Sdim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2533965Sjdp * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26218822Sdim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27218822Sdim * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28218822Sdim * POSSIBILITY OF SUCH DAMAGE. 2960484Sobrien * 30218822Sdim * $FreeBSD: head/sys/security/audit/audit_bsm_klib.c 155192 2006-02-01 20:01:18Z rwatson $ 31218822Sdim */ 32218822Sdim 3360484Sobrien#include <sys/param.h> 34218822Sdim#include <sys/fcntl.h> 35218822Sdim#include <sys/filedesc.h> 36218822Sdim#include <sys/libkern.h> 3760484Sobrien#include <sys/malloc.h> 38218822Sdim#include <sys/mount.h> 39218822Sdim#include <sys/proc.h> 40218822Sdim#include <sys/sem.h> 4160484Sobrien#include <sys/syscall.h> 42218822Sdim#include <sys/sysctl.h> 43218822Sdim#include <sys/sysent.h> 44218822Sdim#include <sys/vnode.h> 4560484Sobrien 46218822Sdim#include <bsm/audit.h> 47218822Sdim#include <bsm/audit_kevents.h> 48218822Sdim#include <security/audit/audit.h> 4933965Sjdp#include <security/audit/audit_private.h> 50218822Sdim 51218822Sdim/* 52218822Sdim * Hash table functions for the audit event number to event class mask 5333965Sjdp * mapping. 54218822Sdim */ 55218822Sdim#define EVCLASSMAP_HASH_TABLE_SIZE 251 56218822Sdimstruct evclass_elem { 5733965Sjdp au_event_t event; 58218822Sdim au_class_t class; 59218822Sdim LIST_ENTRY(evclass_elem) entry; 60218822Sdim}; 6133965Sjdpstruct evclass_list { 62218822Sdim LIST_HEAD(, evclass_elem) head; 63218822Sdim}; 64218822Sdim 6533965Sjdpstatic MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class"); 66218822Sdimstatic struct mtx evclass_mtx; 67218822Sdimstatic struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE]; 68218822Sdim 69218822Sdim/* 7033965Sjdp * Look up the class for an audit event in the class mapping table. 7133965Sjdp */ 72218822Sdimau_class_t 73218822Sdimau_event_class(au_event_t event) 74218822Sdim{ 75218822Sdim struct evclass_list *evcl; 7638889Sjdp struct evclass_elem *evc; 7738889Sjdp au_class_t class; 78218822Sdim 79218822Sdim mtx_lock(&evclass_mtx); 80218822Sdim evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 81218822Sdim class = AU_NULL; 82130561Sobrien LIST_FOREACH(evc, &evcl->head, entry) { 83130561Sobrien if (evc->event == event) { 84218822Sdim class = evc->class; 85130561Sobrien goto out; 86130561Sobrien } 87218822Sdim } 88130561Sobrienout: 89130561Sobrien mtx_unlock(&evclass_mtx); 90218822Sdim return (class); 91130561Sobrien} 92130561Sobrien 93218822Sdim/* 9460484Sobrien * Insert a event to class mapping. If the event already exists in the 9560484Sobrien * mapping, then replace the mapping with the new one. 96218822Sdim * XXX There is currently no constraints placed on the number of mappings. 9733965Sjdp * May want to either limit to a number, or in terms of memory usage. 9833965Sjdp */ 99218822Sdimvoid 10060484Sobrienau_evclassmap_insert(au_event_t event, au_class_t class) 10160484Sobrien{ 102218822Sdim struct evclass_list *evcl; 103218822Sdim struct evclass_elem *evc, *evc_new; 10433965Sjdp 105218822Sdim /* 106218822Sdim * Pessimistically, always allocate storage before acquiring mutex. 10733965Sjdp * Free if there is already a mapping for this event. 108218822Sdim */ 109218822Sdim evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK); 11060484Sobrien 111218822Sdim mtx_lock(&evclass_mtx); 112218822Sdim evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 11360484Sobrien LIST_FOREACH(evc, &evcl->head, entry) { 114218822Sdim if (evc->event == event) { 115218822Sdim evc->class = class; 11660484Sobrien mtx_unlock(&evclass_mtx); 117218822Sdim free(evc_new, M_AUDITEVCLASS); 118218822Sdim return; 11933965Sjdp } 120218822Sdim } 121218822Sdim evc = evc_new; 12260484Sobrien evc->event = event; 123218822Sdim evc->class = class; 124218822Sdim LIST_INSERT_HEAD(&evcl->head, evc, entry); 12560484Sobrien mtx_unlock(&evclass_mtx); 126218822Sdim} 127218822Sdim 12860484Sobrienvoid 129218822Sdimau_evclassmap_init(void) 130218822Sdim{ 13160484Sobrien int i; 132218822Sdim 133218822Sdim mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF); 134130561Sobrien for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) 135218822Sdim LIST_INIT(&evclass_hash[i].head); 136218822Sdim 13733965Sjdp /* 138218822Sdim * Set up the initial event to class mapping for system calls. 139218822Sdim * 14060484Sobrien * XXXRW: Really, this should walk all possible audit events, not all 141218822Sdim * native ABI system calls, as there may be audit events reachable 142218822Sdim * only through non-native system calls. It also seems a shame to 14360484Sobrien * frob the mutex this early. 144218822Sdim */ 145218822Sdim for (i = 0; i < SYS_MAXSYSCALL; i++) { 14633965Sjdp if (sysent[i].sy_auevent != AUE_NULL) 147218822Sdim au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL); 148218822Sdim } 14960484Sobrien} 150218822Sdim 151218822Sdim/* 15260484Sobrien * Check whether an event is aditable by comparing the mask of classes this 153218822Sdim * event is part of against the given mask. 154218822Sdim */ 15560484Sobrienint 156218822Sdimau_preselect(au_event_t event, au_mask_t *mask_p, int sorf) 157218822Sdim{ 15860484Sobrien au_class_t effmask = 0; 159218822Sdim au_class_t ae_class; 160218822Sdim 16160484Sobrien if (mask_p == NULL) 162218822Sdim return (-1); 163218822Sdim 164218822Sdim ae_class = au_event_class(event); 165218822Sdim 166218822Sdim /* 167218822Sdim * Perform the actual check of the masks against the event. 168218822Sdim */ 16933965Sjdp if (sorf & AU_PRS_SUCCESS) 17033965Sjdp effmask |= (mask_p->am_success & ae_class); 171218822Sdim 172218822Sdim if (sorf & AU_PRS_FAILURE) 173218822Sdim effmask |= (mask_p->am_failure & ae_class); 174218822Sdim 17533965Sjdp if (effmask) 17633965Sjdp return (1); 177218822Sdim else 178218822Sdim return (0); 179218822Sdim} 180218822Sdim 18133965Sjdp/* 18233965Sjdp * Convert sysctl names and present arguments to events 183218822Sdim */ 184218822Sdimau_event_t 18533965Sjdpctlname_to_sysctlevent(int name[], uint64_t valid_arg) 186218822Sdim{ 187218822Sdim 188218822Sdim /* can't parse it - so return the worst case */ 189218822Sdim if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != 190218822Sdim (ARG_CTLNAME | ARG_LEN)) 191218822Sdim return (AUE_SYSCTL); 192218822Sdim 193218822Sdim switch (name[0]) { 19460484Sobrien /* non-admin "lookups" treat them special */ 19560484Sobrien case KERN_OSTYPE: 196218822Sdim case KERN_OSRELEASE: 19733965Sjdp case KERN_OSREV: 19833965Sjdp case KERN_VERSION: 199218822Sdim case KERN_ARGMAX: 200218822Sdim case KERN_CLOCKRATE: 20160484Sobrien case KERN_BOOTTIME: 20260484Sobrien case KERN_POSIX1: 203218822Sdim case KERN_NGROUPS: 20460484Sobrien case KERN_JOB_CONTROL: 20560484Sobrien case KERN_SAVED_IDS: 206218822Sdim case KERN_OSRELDATE: 207218822Sdim case KERN_DUMMY: 208218822Sdim return (AUE_SYSCTL_NONADMIN); 209218822Sdim 21033965Sjdp /* only treat the changeable controls as admin */ 21133965Sjdp case KERN_MAXVNODES: 212218822Sdim case KERN_MAXPROC: 213218822Sdim case KERN_MAXFILES: 214218822Sdim case KERN_MAXPROCPERUID: 215218822Sdim case KERN_MAXFILESPERPROC: 21633965Sjdp case KERN_HOSTID: 21733965Sjdp case KERN_SECURELVL: 218218822Sdim case KERN_HOSTNAME: 21933965Sjdp case KERN_VNODE: 22060484Sobrien case KERN_PROC: 221218822Sdim case KERN_FILE: 222218822Sdim case KERN_PROF: 22360484Sobrien case KERN_NISDOMAINNAME: 224218822Sdim case KERN_UPDATEINTERVAL: 225218822Sdim case KERN_NTP_PLL: 226218822Sdim case KERN_BOOTFILE: 227218822Sdim case KERN_DUMPDEV: 22860484Sobrien case KERN_IPC: 22960484Sobrien case KERN_PS_STRINGS: 23060484Sobrien case KERN_USRSTACK: 231218822Sdim case KERN_LOGSIGEXIT: 232218822Sdim case KERN_IOV_MAX: 23360484Sobrien case KERN_MAXID: 234218822Sdim return ((valid_arg & ARG_VALUE) ? 235218822Sdim AUE_SYSCTL : AUE_SYSCTL_NONADMIN); 23660484Sobrien 237218822Sdim default: 238218822Sdim return (AUE_SYSCTL); 23960484Sobrien } 240218822Sdim /* NOTREACHED */ 241218822Sdim} 24260484Sobrien 243218822Sdim/* 244218822Sdim * Convert an open flags specifier into a specific type of open event for 24560484Sobrien * auditing purposes. 246218822Sdim */ 247218822Sdimau_event_t 248130561Sobrienflags_and_error_to_openevent(int oflags, int error) { 249218822Sdim au_event_t aevent; 250218822Sdim 251218822Sdim /* Need to check only those flags we care about. */ 252218822Sdim oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 253130561Sobrien 254130561Sobrien /* 255218822Sdim * These checks determine what flags are on with the condition that 256218822Sdim * ONLY that combination is on, and no other flags are on. 25760484Sobrien */ 258218822Sdim switch (oflags) { 259218822Sdim case O_RDONLY: 26060484Sobrien aevent = AUE_OPEN_R; 261218822Sdim break; 262218822Sdim 26360484Sobrien case (O_RDONLY | O_CREAT): 264218822Sdim aevent = AUE_OPEN_RC; 265218822Sdim break; 26660484Sobrien 267218822Sdim case (O_RDONLY | O_CREAT | O_TRUNC): 268218822Sdim aevent = AUE_OPEN_RTC; 26960484Sobrien break; 270218822Sdim 271218822Sdim case (O_RDONLY | O_TRUNC): 27260484Sobrien aevent = AUE_OPEN_RT; 273218822Sdim break; 274218822Sdim 27599461Sobrien case O_RDWR: 27660484Sobrien aevent = AUE_OPEN_RW; 27760484Sobrien break; 27860484Sobrien 279218822Sdim case (O_RDWR | O_CREAT): 280218822Sdim aevent = AUE_OPEN_RWC; 281130561Sobrien break; 28260484Sobrien 28360484Sobrien case (O_RDWR | O_CREAT | O_TRUNC): 28460484Sobrien aevent = AUE_OPEN_RWTC; 285218822Sdim break; 286218822Sdim 287218822Sdim case (O_RDWR | O_TRUNC): 288218822Sdim aevent = AUE_OPEN_RWT; 289218822Sdim break; 290218822Sdim 291218822Sdim case O_WRONLY: 292218822Sdim aevent = AUE_OPEN_W; 293218822Sdim break; 294218822Sdim 295 case (O_WRONLY | O_CREAT): 296 aevent = AUE_OPEN_WC; 297 break; 298 299 case (O_WRONLY | O_CREAT | O_TRUNC): 300 aevent = AUE_OPEN_WTC; 301 break; 302 303 case (O_WRONLY | O_TRUNC): 304 aevent = AUE_OPEN_WT; 305 break; 306 307 default: 308 aevent = AUE_OPEN; 309 break; 310 } 311 312#if 0 313 /* 314 * Convert chatty errors to better matching events. 315 * Failures to find a file are really just attribute 316 * events - so recast them as such. 317 * 318 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it 319 * is just a placeholder. However, in Darwin we return that in 320 * preference to other events. For now, comment this out as we don't 321 * have a BSM conversion routine for AUE_OPEN. 322 */ 323 switch (aevent) { 324 case AUE_OPEN_R: 325 case AUE_OPEN_RT: 326 case AUE_OPEN_RW: 327 case AUE_OPEN_RWT: 328 case AUE_OPEN_W: 329 case AUE_OPEN_WT: 330 if (error == ENOENT) 331 aevent = AUE_OPEN; 332 } 333#endif 334 return (aevent); 335} 336 337/* 338 * Convert a MSGCTL command to a specific event. 339 */ 340int 341msgctl_to_event(int cmd) 342{ 343 344 switch (cmd) { 345 case IPC_RMID: 346 return (AUE_MSGCTL_RMID); 347 348 case IPC_SET: 349 return (AUE_MSGCTL_SET); 350 351 case IPC_STAT: 352 return (AUE_MSGCTL_STAT); 353 354 default: 355 /* We will audit a bad command */ 356 return (AUE_MSGCTL); 357 } 358} 359 360/* 361 * Convert a SEMCTL command to a specific event. 362 */ 363int 364semctl_to_event(int cmd) 365{ 366 367 switch (cmd) { 368 case GETALL: 369 return (AUE_SEMCTL_GETALL); 370 371 case GETNCNT: 372 return (AUE_SEMCTL_GETNCNT); 373 374 case GETPID: 375 return (AUE_SEMCTL_GETPID); 376 377 case GETVAL: 378 return (AUE_SEMCTL_GETVAL); 379 380 case GETZCNT: 381 return (AUE_SEMCTL_GETZCNT); 382 383 case IPC_RMID: 384 return (AUE_SEMCTL_RMID); 385 386 case IPC_SET: 387 return (AUE_SEMCTL_SET); 388 389 case SETALL: 390 return (AUE_SEMCTL_SETALL); 391 392 case SETVAL: 393 return (AUE_SEMCTL_SETVAL); 394 395 case IPC_STAT: 396 return (AUE_SEMCTL_STAT); 397 398 default: 399 /* We will audit a bad command */ 400 return (AUE_SEMCTL); 401 } 402} 403 404/* 405 * Convert a command for the auditon() system call to a audit event. 406 */ 407int 408auditon_command_event(int cmd) 409{ 410 411 switch(cmd) { 412 case A_GETPOLICY: 413 return (AUE_AUDITON_GPOLICY); 414 415 case A_SETPOLICY: 416 return (AUE_AUDITON_SPOLICY); 417 418 case A_GETKMASK: 419 return (AUE_AUDITON_GETKMASK); 420 421 case A_SETKMASK: 422 return (AUE_AUDITON_SETKMASK); 423 424 case A_GETQCTRL: 425 return (AUE_AUDITON_GQCTRL); 426 427 case A_SETQCTRL: 428 return (AUE_AUDITON_SQCTRL); 429 430 case A_GETCWD: 431 return (AUE_AUDITON_GETCWD); 432 433 case A_GETCAR: 434 return (AUE_AUDITON_GETCAR); 435 436 case A_GETSTAT: 437 return (AUE_AUDITON_GETSTAT); 438 439 case A_SETSTAT: 440 return (AUE_AUDITON_SETSTAT); 441 442 case A_SETUMASK: 443 return (AUE_AUDITON_SETUMASK); 444 445 case A_SETSMASK: 446 return (AUE_AUDITON_SETSMASK); 447 448 case A_GETCOND: 449 return (AUE_AUDITON_GETCOND); 450 451 case A_SETCOND: 452 return (AUE_AUDITON_SETCOND); 453 454 case A_GETCLASS: 455 return (AUE_AUDITON_GETCLASS); 456 457 case A_SETCLASS: 458 return (AUE_AUDITON_SETCLASS); 459 460 case A_GETPINFO: 461 case A_SETPMASK: 462 case A_SETFSIZE: 463 case A_GETFSIZE: 464 case A_GETPINFO_ADDR: 465 case A_GETKAUDIT: 466 case A_SETKAUDIT: 467 default: 468 return (AUE_AUDITON); /* No special record */ 469 } 470} 471 472/* 473 * Create a canonical path from given path by prefixing either the 474 * root directory, or the current working directory. 475 * If the process working directory is NULL, we could use 'rootvnode' 476 * to obtain the root directoty, but this results in a volfs name 477 * written to the audit log. So we will leave the filename starting 478 * with '/' in the audit log in this case. 479 * 480 * XXXRW: Since we combine two paths here, ideally a buffer of size 481 * MAXPATHLEN * 2 would be passed in. 482 */ 483void 484canon_path(struct thread *td, char *path, char *cpath) 485{ 486 char *bufp; 487 char *retbuf, *freebuf; 488 struct vnode *vnp; 489 struct filedesc *fdp; 490 int error, vfslocked; 491 492 fdp = td->td_proc->p_fd; 493 bufp = path; 494 FILEDESC_LOCK(fdp); 495 if (*(path) == '/') { 496 while (*(bufp) == '/') 497 bufp++; /* skip leading '/'s */ 498 /* If no process root, or it is the same as the system root, 499 * audit the path as passed in with a single '/'. 500 */ 501 if ((fdp->fd_rdir == NULL) || 502 (fdp->fd_rdir == rootvnode)) { 503 vnp = NULL; 504 bufp--; /* restore one '/' */ 505 } else { 506 vnp = fdp->fd_rdir; /* use process root */ 507 vref(vnp); 508 } 509 } else { 510 vnp = fdp->fd_cdir; /* prepend the current dir */ 511 vref(vnp); 512 bufp = path; 513 } 514 FILEDESC_UNLOCK(fdp); 515 if (vnp != NULL) { 516 /* 517 * XXX: vn_fullpath() on FreeBSD is "less reliable" 518 * than vn_getpath() on Darwin, so this will need more 519 * attention in the future. Also, the question and 520 * string bounding here seems a bit questionable and 521 * will also require attention. 522 */ 523 vfslocked = VFS_LOCK_GIANT(vnp->v_mount); 524 vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td); 525 error = vn_fullpath(td, vnp, &retbuf, &freebuf); 526 if (error == 0) { 527 /* Copy and free buffer allocated by vn_fullpath() */ 528 snprintf(cpath, MAXPATHLEN, "%s/%s", retbuf, bufp); 529 free(freebuf, M_TEMP); 530 } else { 531 cpath[0] = '\0'; 532 } 533 vput(vnp); 534 VFS_UNLOCK_GIANT(vfslocked); 535 } else { 536 strlcpy(cpath, bufp, MAXPATHLEN); 537 } 538} 539