1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/types.h> 27 #include <sys/time.h> 28 #include <sys/kmem.h> 29 #include <sys/proc.h> 30 #include <sys/vnode.h> 31 #include <sys/file.h> 32 #include <sys/user.h> 33 #include <sys/stropts.h> 34 #include <sys/systm.h> 35 #include <sys/pathname.h> 36 #include <sys/debug.h> 37 #include <sys/cred_impl.h> 38 #include <sys/zone.h> 39 #include <sys/modctl.h> 40 #include <sys/sysconf.h> 41 #include <c2/audit.h> 42 #include <c2/audit_kernel.h> 43 #include <c2/audit_kevents.h> 44 #include <c2/audit_record.h> 45 46 47 struct p_audit_data *pad0; 48 struct t_audit_data *tad0; 49 50 extern uint_t num_syscall; /* size of audit_s2e table */ 51 extern kmutex_t pidlock; /* proc table lock */ 52 53 54 void 55 audit_init() 56 { 57 kthread_t *au_thread; 58 auditinfo_addr_t *ainfo; 59 struct audit_path apempty; 60 61 /* 62 * If the c2audit module is explicitely excluded in /etc/system, 63 * it cannot be loaded later (e.g. using modload). Make a notice 64 * that the module won't be present and do nothing. 65 */ 66 67 if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0) { 68 audit_active = C2AUDIT_DISABLED; 69 return; 70 } 71 72 /* c2audit module can be loaded anytime */ 73 audit_active = C2AUDIT_UNLOADED; 74 75 /* initialize the process audit data (pad) memory allocator */ 76 au_pad_init(); 77 78 /* initialize the zone audit context */ 79 au_zone_setup(); 80 81 /* inital thread structure */ 82 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 83 84 /* initial process structure */ 85 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 86 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 87 88 curthread->t_audit_data = tad0; 89 curproc->p_audit_data = pad0; 90 91 /* 92 * The kernel allocates a bunch of threads make sure they have 93 * a valid tad 94 */ 95 96 mutex_enter(&pidlock); 97 98 au_thread = curthread; 99 do { 100 if (T2A(au_thread) == NULL) { 101 T2A(au_thread) = tad0; 102 } 103 au_thread = au_thread->t_next; 104 } while (au_thread != curthread); 105 106 tad0->tad_ad = NULL; 107 mutex_exit(&pidlock); 108 109 /* 110 * Initialize audit context in our cred (kcred). 111 * No copy-on-write needed here because it's so early in init. 112 */ 113 114 ainfo = crgetauinfo_modifiable(kcred); 115 ASSERT(ainfo != NULL); 116 bzero(ainfo, sizeof (auditinfo_addr_t)); 117 ainfo->ai_auid = AU_NOAUDITID; 118 119 /* fabricate an empty audit_path to extend */ 120 apempty.audp_cnt = 0; 121 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 122 pad0->pad_root = au_pathdup(&apempty, 1, 2); 123 bcopy("/", pad0->pad_root->audp_sect[0], 2); 124 au_pathhold(pad0->pad_root); 125 pad0->pad_cwd = pad0->pad_root; 126 } 127 128 /* 129 * Check for any pending changes to the audit context for the given proc. 130 * p_crlock and pad_lock for the process are acquired here. Caller is 131 * responsible for assuring the process doesn't go away. If context is 132 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 133 * If no cred is given, it will be cralloc'ed here and caller assures that 134 * it is safe to allocate memory. 135 */ 136 137 void 138 audit_update_context(proc_t *p, cred_t *ncr) 139 { 140 struct p_audit_data *pad; 141 cred_t *newcred = ncr; 142 143 pad = P2A(p); 144 if (pad == NULL) { 145 if (newcred != NULL) 146 crfree(newcred); 147 return; 148 } 149 150 /* If a mask update is pending, take care of it. */ 151 if (pad->pad_flags & PAD_SETMASK) { 152 auditinfo_addr_t *ainfo; 153 154 if (newcred == NULL) 155 newcred = cralloc(); 156 157 mutex_enter(&pad->pad_lock); 158 /* the condition may have been handled by the time we lock */ 159 if (pad->pad_flags & PAD_SETMASK) { 160 ainfo = crgetauinfo_modifiable(newcred); 161 if (ainfo == NULL) { 162 mutex_exit(&pad->pad_lock); 163 crfree(newcred); 164 return; 165 } 166 167 mutex_enter(&p->p_crlock); 168 crcopy_to(p->p_cred, newcred); 169 p->p_cred = newcred; 170 171 ainfo->ai_mask = pad->pad_newmask; 172 173 /* Unlock and cleanup. */ 174 mutex_exit(&p->p_crlock); 175 pad->pad_flags &= ~PAD_SETMASK; 176 177 /* 178 * For curproc, assure that our thread points to right 179 * cred, so CRED() will be correct. Otherwise, no need 180 * to broadcast changes (via set_proc_pre_sys), since 181 * t_pre_sys is ALWAYS on when audit is enabled... due 182 * to syscall auditing. 183 */ 184 if (p == curproc) 185 crset(p, newcred); 186 else 187 crfree(newcred); 188 } else { 189 crfree(newcred); 190 } 191 mutex_exit(&pad->pad_lock); 192 } else { 193 if (newcred != NULL) 194 crfree(newcred); 195 } 196 } 197 198 /* 199 * ROUTINE: AUDIT_NEWPROC 200 * PURPOSE: initialize the child p_audit_data structure 201 * CALLBY: GETPROC 202 * NOTE: All threads for the parent process are locked at this point. 203 * We are essentially running singled threaded for this reason. 204 * GETPROC is called when system creates a new process. 205 * By the time AUDIT_NEWPROC is called, the child proc 206 * structure has already been initialized. What we need 207 * to do is to allocate the child p_audit_data and 208 * initialize it with the content of current parent process. 209 */ 210 211 void 212 audit_newproc(struct proc *cp) /* initialized child proc structure */ 213 { 214 p_audit_data_t *pad; /* child process audit data */ 215 p_audit_data_t *opad; /* parent process audit data */ 216 217 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 218 219 P2A(cp) = pad; 220 221 opad = P2A(curproc); 222 223 /* 224 * copy the audit data. Note that all threads of current 225 * process have been "held". Thus there is no race condition 226 * here with mutiple threads trying to alter the cwrd 227 * structure (such as releasing it). 228 * 229 * The audit context in the cred is "duplicated" for the new 230 * proc by elsewhere crhold'ing the parent's cred which it shares. 231 * 232 * We still want to hold things since auditon() [A_SETUMASK, 233 * A_SETSMASK] could be walking through the processes to 234 * update things. 235 */ 236 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 237 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 238 au_pathhold(pad->pad_root); 239 au_pathhold(pad->pad_cwd); 240 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 241 242 /* 243 * If we are in the limited mode, there is nothing to audit and 244 * there could not have been anything to audit, since it is not 245 * possible to switch from the full mode into the limited mode 246 * once the full mode is set. 247 */ 248 if (audit_active != C2AUDIT_LOADED) 249 return; 250 251 /* 252 * finish auditing of parent here so that it will be done 253 * before child has a chance to run. We include the child 254 * pid since the return value in the return token is a dummy 255 * one and contains no useful information (it is included to 256 * make the audit record structure consistant). 257 * 258 * tad_flag is set if auditing is on 259 */ 260 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 261 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 262 263 /* 264 * finish up audit record generation here because child process 265 * is set to run before parent process. We distinguish here 266 * between FORK, FORK1, or VFORK by the saved system call ID. 267 */ 268 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 269 } 270 271 /* 272 * ROUTINE: AUDIT_PFREE 273 * PURPOSE: deallocate the per-process udit data structure 274 * CALLBY: EXIT 275 * FORK_FAIL 276 * NOTE: all lwp except current one have stopped in SEXITLWPS 277 * why we are single threaded? 278 * . all lwp except current one have stopped in SEXITLWPS. 279 */ 280 281 void 282 audit_pfree(struct proc *p) /* proc structure to be freed */ 283 284 { /* AUDIT_PFREE */ 285 286 p_audit_data_t *pad; 287 288 pad = P2A(p); 289 290 /* better be a per process audit data structure */ 291 ASSERT(pad != (p_audit_data_t *)0); 292 293 if (pad == pad0) { 294 return; 295 } 296 297 /* deallocate all auditing resources for this process */ 298 au_pathrele(pad->pad_root); 299 au_pathrele(pad->pad_cwd); 300 301 /* 302 * Since the pad structure is completely overwritten after alloc, 303 * we don't bother to clear it. 304 */ 305 306 kmem_cache_free(au_pad_cache, pad); 307 } 308 309 /* 310 * ROUTINE: AUDIT_THREAD_CREATE 311 * PURPOSE: allocate per-process thread audit data structure 312 * CALLBY: THREAD_CREATE 313 * NOTE: This is called just after *t was bzero'd. 314 * We are single threaded in this routine. 315 * TODO: 316 * QUESTION: 317 */ 318 319 void 320 audit_thread_create(kthread_id_t t) 321 { 322 t_audit_data_t *tad; /* per-thread audit data */ 323 324 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 325 326 T2A(t) = tad; /* set up thread audit data ptr */ 327 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 328 } 329 330 /* 331 * ROUTINE: AUDIT_THREAD_FREE 332 * PURPOSE: free the per-thread audit data structure 333 * CALLBY: THREAD_FREE 334 * NOTE: most thread data is clear after return 335 */ 336 337 void 338 audit_thread_free(kthread_t *t) 339 { 340 t_audit_data_t *tad; 341 au_defer_info_t *attr; 342 343 tad = T2A(t); 344 345 /* thread audit data must still be set */ 346 347 if (tad == tad0) { 348 return; 349 } 350 351 if (tad == NULL) { 352 return; 353 } 354 355 t->t_audit_data = 0; 356 357 /* must not have any audit record residual */ 358 ASSERT(tad->tad_ad == NULL); 359 360 /* saved path must be empty */ 361 ASSERT(tad->tad_aupath == NULL); 362 363 if (tad->tad_atpath) 364 au_pathrele(tad->tad_atpath); 365 366 if (audit_active == C2AUDIT_LOADED) { 367 attr = tad->tad_defer_head; 368 while (attr != NULL) { 369 au_defer_info_t *tmp_attr = attr; 370 371 au_free_rec(attr->audi_ad); 372 373 attr = attr->audi_next; 374 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 375 } 376 } 377 378 kmem_free(tad, sizeof (*tad)); 379 } 380 381 /* 382 * ROUTINE: AUDIT_FALLOC 383 * PURPOSE: allocating a new file structure 384 * CALLBY: FALLOC 385 * NOTE: file structure already initialized 386 * TODO: 387 * QUESTION: 388 */ 389 390 void 391 audit_falloc(struct file *fp) 392 { /* AUDIT_FALLOC */ 393 394 f_audit_data_t *fad; 395 396 /* allocate per file audit structure if there a'int any */ 397 ASSERT(F2A(fp) == NULL); 398 399 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 400 401 F2A(fp) = fad; 402 403 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 404 } 405 406 /* 407 * ROUTINE: AUDIT_UNFALLOC 408 * PURPOSE: deallocate file audit data structure 409 * CALLBY: CLOSEF 410 * UNFALLOC 411 * NOTE: 412 * TODO: 413 * QUESTION: 414 */ 415 416 void 417 audit_unfalloc(struct file *fp) 418 { 419 f_audit_data_t *fad; 420 421 fad = F2A(fp); 422 423 if (!fad) { 424 return; 425 } 426 if (fad->fad_aupath != NULL) { 427 au_pathrele(fad->fad_aupath); 428 } 429 fp->f_audit_data = 0; 430 kmem_free(fad, sizeof (struct f_audit_data)); 431 } 432 433 uint32_t 434 audit_getstate() 435 { 436 return (audit_active == C2AUDIT_LOADED && 437 ((AU_AUDIT_MASK) & U2A(u)->tad_audit)); 438 } 439