| audit.c (08e57af45b017063650fb576449bd345696e9046) | audit.c (871499fef514fd9934f9a8a07194e8ef86c07bd5) |
|---|---|
| 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 62 unchanged lines hidden (view full) --- 71 72static uma_zone_t audit_record_zone; 73static MALLOC_DEFINE(M_AUDITPROC, "audit_proc", "Audit process storage"); 74MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); 75MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); 76MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); 77 78/* | 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 62 unchanged lines hidden (view full) --- 71 72static uma_zone_t audit_record_zone; 73static MALLOC_DEFINE(M_AUDITPROC, "audit_proc", "Audit process storage"); 74MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); 75MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); 76MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); 77 78/* |
| 79 * Audit control settings that are set/read by system calls and are | 79 * Audit control settings that are set/read by system calls and are |
| 80 * hence non-static. 81 */ | 80 * hence non-static. 81 */ |
| 82/* | 82/* |
| 83 * Define the audit control flags. 84 */ | 83 * Define the audit control flags. 84 */ |
| 85int audit_enabled; 86int audit_suspended; | 85int audit_enabled; 86int audit_suspended; |
| 87 88/* 89 * Flags controlling behavior in low storage situations. 90 * Should we panic if a write fails? Should we fail stop 91 * if we're out of disk space? 92 */ | 87 88/* 89 * Flags controlling behavior in low storage situations. 90 * Should we panic if a write fails? Should we fail stop 91 * if we're out of disk space? 92 */ |
| 93int audit_panic_on_write_fail; 94int audit_fail_stop; | 93int audit_panic_on_write_fail; 94int audit_fail_stop; |
| 95 96/* 97 * Are we currently "failing stop" due to out of disk space? 98 */ | 95 96/* 97 * Are we currently "failing stop" due to out of disk space? 98 */ |
| 99int audit_in_failure; | 99int audit_in_failure; |
| 100 101/* | 100 101/* |
| 102 * Global audit statistiscs. | 102 * Global audit statistiscs. |
| 103 */ | 103 */ |
| 104struct audit_fstat audit_fstat; | 104struct audit_fstat audit_fstat; |
| 105 106/* 107 * Preselection mask for non-attributable events. 108 */ | 105 106/* 107 * Preselection mask for non-attributable events. 108 */ |
| 109struct au_mask audit_nae_mask; | 109struct au_mask audit_nae_mask; |
| 110 111/* 112 * Mutex to protect global variables shared between various threads and 113 * processes. 114 */ | 110 111/* 112 * Mutex to protect global variables shared between various threads and 113 * processes. 114 */ |
| 115struct mtx audit_mtx; | 115struct mtx audit_mtx; |
| 116 117/* 118 * Queue of audit records ready for delivery to disk. We insert new 119 * records at the tail, and remove records from the head. Also, 120 * a count of the number of records used for checking queue depth. 121 * In addition, a counter of records that we have allocated but are 122 * not yet in the queue, which is needed to estimate the total 123 * size of the combined set of records outstanding in the system. 124 */ | 116 117/* 118 * Queue of audit records ready for delivery to disk. We insert new 119 * records at the tail, and remove records from the head. Also, 120 * a count of the number of records used for checking queue depth. 121 * In addition, a counter of records that we have allocated but are 122 * not yet in the queue, which is needed to estimate the total 123 * size of the combined set of records outstanding in the system. 124 */ |
| 125struct kaudit_queue audit_q; 126int audit_q_len; 127int audit_pre_q_len; | 125struct kaudit_queue audit_q; 126int audit_q_len; 127int audit_pre_q_len; |
| 128 129/* 130 * Audit queue control settings (minimum free, low/high water marks, etc.) 131 */ | 128 129/* 130 * Audit queue control settings (minimum free, low/high water marks, etc.) 131 */ |
| 132struct au_qctrl audit_qctrl; | 132struct au_qctrl audit_qctrl; |
| 133 134/* 135 * Condition variable to signal to the worker that it has work to do: 136 * either new records are in the queue, or a log replacement is taking 137 * place. 138 */ | 133 134/* 135 * Condition variable to signal to the worker that it has work to do: 136 * either new records are in the queue, or a log replacement is taking 137 * place. 138 */ |
| 139struct cv audit_cv; | 139struct cv audit_cv; |
| 140 141/* 142 * Condition variable to signal to the worker that it has work to do: 143 * either new records are in the queue, or a log replacement is taking 144 * place. 145 * 146 * XXXRW: This description is incorrect. 147 */ | 140 141/* 142 * Condition variable to signal to the worker that it has work to do: 143 * either new records are in the queue, or a log replacement is taking 144 * place. 145 * 146 * XXXRW: This description is incorrect. 147 */ |
| 148struct cv audit_commit_cv; | 148struct cv audit_commit_cv; |
| 149 | 149 |
| 150/* 151 * Condition variable for auditing threads wait on when in fail-stop mode. 152 * Threads wait on this CV forever (and ever), never seeing the light of | 150/* 151 * Condition variable for auditing threads wait on when in fail-stop mode. 152 * Threads wait on this CV forever (and ever), never seeing the light of |
| 153 * day again. 154 */ | 153 * day again. 154 */ |
| 155static struct cv audit_fail_cv; | 155static struct cv audit_fail_cv; |
| 156 157/* 158 * Construct an audit record for the passed thread. 159 */ 160static int 161audit_record_ctor(void *mem, int size, void *arg, int flags) 162{ 163 struct kaudit_record *ar; --- 57 unchanged lines hidden (view full) --- 221 printf("Security auditing service present\n"); 222 audit_enabled = 0; 223 audit_suspended = 0; 224 audit_panic_on_write_fail = 0; 225 audit_fail_stop = 0; 226 audit_in_failure = 0; 227 228 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */ | 156 157/* 158 * Construct an audit record for the passed thread. 159 */ 160static int 161audit_record_ctor(void *mem, int size, void *arg, int flags) 162{ 163 struct kaudit_record *ar; --- 57 unchanged lines hidden (view full) --- 221 printf("Security auditing service present\n"); 222 audit_enabled = 0; 223 audit_suspended = 0; 224 audit_panic_on_write_fail = 0; 225 audit_fail_stop = 0; 226 audit_in_failure = 0; 227 228 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */ |
| 229 audit_fstat.af_currsz = 0; | 229 audit_fstat.af_currsz = 0; |
| 230 audit_nae_mask.am_success = AU_NULL; 231 audit_nae_mask.am_failure = AU_NULL; 232 233 TAILQ_INIT(&audit_q); 234 audit_q_len = 0; 235 audit_pre_q_len = 0; 236 audit_qctrl.aq_hiwater = AQ_HIWATER; 237 audit_qctrl.aq_lowater = AQ_LOWATER; --- 108 unchanged lines hidden (view full) --- 346 * audit mask. 347 * 348 * XXXAUDIT: Synchronize access to audit_nae_mask? 349 */ 350 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) 351 aumask = &audit_nae_mask; 352 else 353 aumask = &ar->k_ar.ar_subj_amask; | 230 audit_nae_mask.am_success = AU_NULL; 231 audit_nae_mask.am_failure = AU_NULL; 232 233 TAILQ_INIT(&audit_q); 234 audit_q_len = 0; 235 audit_pre_q_len = 0; 236 audit_qctrl.aq_hiwater = AQ_HIWATER; 237 audit_qctrl.aq_lowater = AQ_LOWATER; --- 108 unchanged lines hidden (view full) --- 346 * audit mask. 347 * 348 * XXXAUDIT: Synchronize access to audit_nae_mask? 349 */ 350 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) 351 aumask = &audit_nae_mask; 352 else 353 aumask = &ar->k_ar.ar_subj_amask; |
| 354 | 354 |
| 355 if (error) 356 sorf = AU_PRS_FAILURE; 357 else 358 sorf = AU_PRS_SUCCESS; 359 360 switch(ar->k_ar.ar_event) { 361 362 case AUE_OPEN_RWTC: 363 /* The open syscall always writes a AUE_OPEN_RWTC event; change | 355 if (error) 356 sorf = AU_PRS_FAILURE; 357 else 358 sorf = AU_PRS_SUCCESS; 359 360 switch(ar->k_ar.ar_event) { 361 362 case AUE_OPEN_RWTC: 363 /* The open syscall always writes a AUE_OPEN_RWTC event; change |
| 364 * it to the proper type of event based on the flags and the | 364 * it to the proper type of event based on the flags and the |
| 365 * error value. 366 */ 367 ar->k_ar.ar_event = flags_and_error_to_openevent( 368 ar->k_ar.ar_arg_fflags, error); 369 break; 370 371 case AUE_SYSCTL: 372 ar->k_ar.ar_event = ctlname_to_sysctlevent( --- 41 unchanged lines hidden (view full) --- 414 * enabled should still be committed? 415 */ 416 if (audit_suspended || !audit_enabled) { 417 audit_pre_q_len--; 418 mtx_unlock(&audit_mtx); 419 uma_zfree(audit_record_zone, ar); 420 return; 421 } | 365 * error value. 366 */ 367 ar->k_ar.ar_event = flags_and_error_to_openevent( 368 ar->k_ar.ar_arg_fflags, error); 369 break; 370 371 case AUE_SYSCTL: 372 ar->k_ar.ar_event = ctlname_to_sysctlevent( --- 41 unchanged lines hidden (view full) --- 414 * enabled should still be committed? 415 */ 416 if (audit_suspended || !audit_enabled) { 417 audit_pre_q_len--; 418 mtx_unlock(&audit_mtx); 419 uma_zfree(audit_record_zone, ar); 420 return; 421 } |
| 422 | 422 |
| 423 /* 424 * Constrain the number of committed audit records based on 425 * the configurable parameter. 426 */ 427 while (audit_q_len >= audit_qctrl.aq_hiwater) { 428 AUDIT_PRINTF(("audit_commit: sleeping to wait for " 429 "audit queue to drain below high water mark\n")); 430 cv_wait(&audit_commit_cv, &audit_mtx); --- 42 unchanged lines hidden (view full) --- 473 /* 474 * Check which audit mask to use; either the kernel non-attributable 475 * event mask or the process audit mask. 476 */ 477 if (td->td_proc->p_au->ai_auid == AU_DEFAUDITID) 478 aumask = &audit_nae_mask; 479 else 480 aumask = &td->td_proc->p_au->ai_mask; | 423 /* 424 * Constrain the number of committed audit records based on 425 * the configurable parameter. 426 */ 427 while (audit_q_len >= audit_qctrl.aq_hiwater) { 428 AUDIT_PRINTF(("audit_commit: sleeping to wait for " 429 "audit queue to drain below high water mark\n")); 430 cv_wait(&audit_commit_cv, &audit_mtx); --- 42 unchanged lines hidden (view full) --- 473 /* 474 * Check which audit mask to use; either the kernel non-attributable 475 * event mask or the process audit mask. 476 */ 477 if (td->td_proc->p_au->ai_auid == AU_DEFAUDITID) 478 aumask = &audit_nae_mask; 479 else 480 aumask = &td->td_proc->p_au->ai_mask; |
| 481 | 481 |
| 482 /* | 482 /* |
| 483 * Allocate an audit record, if preselection allows it, and store | 483 * Allocate an audit record, if preselection allows it, and store |
| 484 * in the thread for later use. 485 */ 486 if (au_preselect(audit_event, aumask, 487 AU_PRS_FAILURE | AU_PRS_SUCCESS)) { 488 /* 489 * If we're out of space and need to suspend unprivileged 490 * processes, do that here rather than trying to allocate 491 * another audit record. --- 34 unchanged lines hidden (view full) --- 526 */ 527 if (error) 528 retval = -1; 529 else 530 retval = td->td_retval[0]; 531 532 audit_commit(td->td_ar, error, retval); 533 if (td->td_ar != NULL) | 484 * in the thread for later use. 485 */ 486 if (au_preselect(audit_event, aumask, 487 AU_PRS_FAILURE | AU_PRS_SUCCESS)) { 488 /* 489 * If we're out of space and need to suspend unprivileged 490 * processes, do that here rather than trying to allocate 491 * another audit record. --- 34 unchanged lines hidden (view full) --- 526 */ 527 if (error) 528 retval = -1; 529 else 530 retval = td->td_retval[0]; 531 532 audit_commit(td->td_ar, error, retval); 533 if (td->td_ar != NULL) |
| 534 AUDIT_PRINTF(("audit record committed by pid %d\n", | 534 AUDIT_PRINTF(("audit record committed by pid %d\n", |
| 535 td->td_proc->p_pid)); 536 td->td_ar = NULL; 537 538} 539 540/* 541 * Allocate storage for a new process (init, or otherwise). 542 */ --- 23 unchanged lines hidden (view full) --- 566 */ 567void 568audit_thread_free(struct thread *td) 569{ 570 571 KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); 572} 573 | 535 td->td_proc->p_pid)); 536 td->td_ar = NULL; 537 538} 539 540/* 541 * Allocate storage for a new process (init, or otherwise). 542 */ --- 23 unchanged lines hidden (view full) --- 566 */ 567void 568audit_thread_free(struct thread *td) 569{ 570 571 KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); 572} 573 |
| 574/* 575 * Initialize the audit information for the a process, presumably the first | 574/* 575 * Initialize the audit information for the a process, presumably the first |
| 576 * process in the system. | 576 * process in the system. |
| 577 * XXX It is not clear what the initial values should be for audit ID, 578 * session ID, etc. | 577 * XXX It is not clear what the initial values should be for audit ID, 578 * session ID, etc. |
| 579 */ 580void 581audit_proc_kproc0(struct proc *p) 582{ 583 584 KASSERT(p->p_au != NULL, ("audit_proc_kproc0: p->p_au == NULL (%d)", 585 p->p_pid)); 586 //printf("audit_proc_kproc0: pid %d p_au %p\n", p->p_pid, p->p_au); --- 6 unchanged lines hidden (view full) --- 593 594 KASSERT(p->p_au != NULL, ("audit_proc_init: p->p_au == NULL (%d)", 595 p->p_pid)); 596 //printf("audit_proc_init: pid %d p_au %p\n", p->p_pid, p->p_au); 597 bzero(p->p_au, sizeof(*(p)->p_au)); 598 p->p_au->ai_auid = AU_DEFAUDITID; 599} 600 | 579 */ 580void 581audit_proc_kproc0(struct proc *p) 582{ 583 584 KASSERT(p->p_au != NULL, ("audit_proc_kproc0: p->p_au == NULL (%d)", 585 p->p_pid)); 586 //printf("audit_proc_kproc0: pid %d p_au %p\n", p->p_pid, p->p_au); --- 6 unchanged lines hidden (view full) --- 593 594 KASSERT(p->p_au != NULL, ("audit_proc_init: p->p_au == NULL (%d)", 595 p->p_pid)); 596 //printf("audit_proc_init: pid %d p_au %p\n", p->p_pid, p->p_au); 597 bzero(p->p_au, sizeof(*(p)->p_au)); 598 p->p_au->ai_auid = AU_DEFAUDITID; 599} 600 |
| 601/* | 601/* |
| 602 * Copy the audit info from the parent process to the child process when 603 * a fork takes place. 604 */ 605void 606audit_proc_fork(struct proc *parent, struct proc *child) 607{ 608 609 PROC_LOCK_ASSERT(parent, MA_OWNED); --- 9 unchanged lines hidden (view full) --- 619 bcopy(parent->p_au, child->p_au, sizeof(*child->p_au)); 620 /* 621 * XXXAUDIT: Zero pointers to external memory, or assert they are 622 * zero? 623 */ 624} 625 626/* | 602 * Copy the audit info from the parent process to the child process when 603 * a fork takes place. 604 */ 605void 606audit_proc_fork(struct proc *parent, struct proc *child) 607{ 608 609 PROC_LOCK_ASSERT(parent, MA_OWNED); --- 9 unchanged lines hidden (view full) --- 619 bcopy(parent->p_au, child->p_au, sizeof(*child->p_au)); 620 /* 621 * XXXAUDIT: Zero pointers to external memory, or assert they are 622 * zero? 623 */ 624} 625 626/* |
| 627 * Free the auditing structure for the process. | 627 * Free the auditing structure for the process. |
| 628 */ 629void 630audit_proc_free(struct proc *p) 631{ 632 633 KASSERT(p->p_au != NULL, ("p->p_au == NULL (%d)", p->p_pid)); 634 //printf("audit_proc_free: pid %d p_au %p\n", p->p_pid, p->p_au); 635 /* 636 * XXXAUDIT: Assert that external memory pointers are NULL? 637 */ 638 free(p->p_au, M_AUDITPROC); 639 p->p_au = NULL; 640} | 628 */ 629void 630audit_proc_free(struct proc *p) 631{ 632 633 KASSERT(p->p_au != NULL, ("p->p_au == NULL (%d)", p->p_pid)); 634 //printf("audit_proc_free: pid %d p_au %p\n", p->p_pid, p->p_au); 635 /* 636 * XXXAUDIT: Assert that external memory pointers are NULL? 637 */ 638 free(p->p_au, M_AUDITPROC); 639 p->p_au = NULL; 640} |