1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * This file contains the envelope code for system call auditing.
27 */
28
29 #include <sys/param.h>
30 #include <sys/types.h>
31 #include <sys/time.h>
32 #include <sys/kmem.h>
33 #include <sys/proc.h>
34 #include <sys/vnode.h>
35 #include <sys/file.h>
36 #include <sys/user.h>
37 #include <sys/stropts.h>
38 #include <sys/systm.h>
39 #include <sys/pathname.h>
40 #include <sys/debug.h>
41 #include <sys/cred.h>
42 #include <sys/zone.h>
43 #include <c2/audit.h>
44 #include <c2/audit_kernel.h>
45 #include <c2/audit_kevents.h>
46 #include <c2/audit_record.h>
47 #include "audit_door_infc.h"
48
49 extern uint_t num_syscall; /* size of audit_s2e table */
50 extern kmutex_t pidlock; /* proc table lock */
51
52 /*
53 * Obsolete and ignored - Historically, the 'set c2audit:audit_load=1' entry
54 * in /etc/system enabled auditing. The No Reboot Audit project does not
55 * use this entry. However, to prevent the system from printing warning
56 * messages, the audit_load entry is being left in /etc/system. It will be
57 * removed when there is a small chance that the entry is used on currently
58 * running systems.
59 */
60 int audit_load = 0;
61
62 kmutex_t module_lock; /* audit_module_state lock */
63
64 /*
65 * Das Boot. Initialize first process. Also generate an audit record indicating
66 * that the system has been booted.
67 */
68 void
audit_init_module()69 audit_init_module()
70 {
71 token_t *rp = NULL;
72 label_t jb;
73 t_audit_data_t *tad = U2A(u);
74
75 /*
76 * Solaris Auditing module is being loaded -> change the state. The lock
77 * is here to prevent memory leaks caused by multiple initializations.
78 */
79 mutex_enter(&module_lock);
80 if (audit_active != C2AUDIT_UNLOADED) {
81 mutex_exit(&module_lock);
82 return;
83 }
84 audit_active = C2AUDIT_LOADED;
85 mutex_exit(&module_lock);
86
87 /* initialize memory allocators */
88 au_mem_init();
89
90 /*
91 * setup environment for asynchronous auditing. We can't use
92 * audit_async_start() here since it assumes the audit system
93 * has been started via auditd(1m). auditd sets the variable,
94 * auk_auditstate, to indicate audit record generation should
95 * commence. Here we want to always generate an audit record.
96 */
97 if (setjmp(&jb)) {
98 /* process audit policy (AUDIT_AHLT) for asynchronous events */
99 audit_async_drop((caddr_t *)(&rp), 0);
100 return;
101 }
102
103 ASSERT(tad->tad_errjmp == NULL);
104 tad->tad_errjmp = (void *)&jb;
105 tad->tad_ctrl |= TAD_ERRJMP;
106
107 /* generate a system-booted audit record */
108 au_write((caddr_t *)&rp, au_to_text("booting kernel"));
109 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL,
110 &(p0.p_user.u_start));
111 }
112
113
114 /*
115 * Enter system call. Do any necessary setup here. allocate resouces, etc.
116 */
117
118 #include <sys/syscall.h>
119
120
121 /*ARGSUSED*/
122 int
audit_start(unsigned type,unsigned scid,uint32_t audit_state,int error,klwp_t * lwp)123 audit_start(
124 unsigned type,
125 unsigned scid,
126 uint32_t audit_state,
127 int error,
128 klwp_t *lwp)
129 {
130 struct t_audit_data *tad;
131 au_kcontext_t *kctx;
132
133 tad = U2A(u);
134 ASSERT(tad != NULL);
135
136 /* Remember the audit state in the cache */
137 tad->tad_audit = audit_state;
138
139 if (error) {
140 tad->tad_ctrl = 0;
141 tad->tad_flag = 0;
142 return (0);
143 }
144
145 audit_update_context(curproc, NULL);
146
147 /*
148 * if this is an indirect system call then don't do anything.
149 * audit_start will be called again from indir() in trap.c
150 */
151 if (scid == 0) {
152 tad->tad_ctrl = 0;
153 tad->tad_flag = 0;
154 return (0);
155 }
156 if (scid >= num_syscall)
157 scid = 0;
158
159 /*
160 * we can no longer depend on a valid lwp_ap, so we need to
161 * copy the syscall args as future audit stuff may need them.
162 */
163 (void) save_syscall_args();
164
165 /*
166 * We need to gather paths for certain system calls even if they are
167 * not audited so that we can audit the various f* calls and be
168 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
169 * system call regardless if the call is audited or not.
170 * We allow the event specific initial processing routines (au_init)
171 * to adjust the tad_ctrl as necessary.
172 */
173 tad->tad_ctrl = audit_s2e[scid].au_ctrl;
174 tad->tad_scid = scid;
175
176 /* get basic event for system call */
177 tad->tad_event = audit_s2e[scid].au_event;
178 if (audit_s2e[scid].au_init != (au_event_t)AUE_NULL) {
179 /* get specific event */
180 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event);
181 }
182
183 kctx = GET_KCTX_PZ;
184
185 /* now do preselection. Audit or not to Audit, that is the question */
186 if ((tad->tad_flag = auditme(kctx, tad,
187 kctx->auk_ets[tad->tad_event])) == 0) {
188 /*
189 * we assume that audit_finish will always be called.
190 */
191 return (0);
192 }
193
194 /*
195 * if auditing not enabled, then don't generate an audit record
196 * and don't count it.
197 */
198 if (audit_state & ~(AUC_AUDITING | AUC_INIT_AUDIT)) {
199 /*
200 * we assume that audit_finish will always be called.
201 */
202 tad->tad_flag = 0;
203 return (0);
204 }
205
206 /*
207 * audit daemon has informed us that there is no longer any
208 * space left to hold audit records. We decide here if records
209 * should be dropped (but counted).
210 */
211 if (audit_state == AUC_NOSPACE) {
212 if ((kctx->auk_policy & AUDIT_CNT) ||
213 (kctx->auk_policy & AUDIT_SCNT)) {
214 /* assume that audit_finish will always be called. */
215 tad->tad_flag = 0;
216
217 /* just count # of dropped audit records */
218 AS_INC(as_dropped, 1, kctx);
219
220 return (0);
221 }
222 }
223
224 tad->tad_evmod = 0;
225
226 if (audit_s2e[scid].au_start != NULL) {
227 /* do start of system call processing */
228 (*audit_s2e[scid].au_start)(tad);
229 }
230
231 return (0);
232 }
233
234 /*
235 * system call has completed. Now determine if we genearate an audit record
236 * or not.
237 */
238 /*ARGSUSED*/
239 void
audit_finish(unsigned type,unsigned scid,int error,rval_t * rval)240 audit_finish(
241 unsigned type,
242 unsigned scid,
243 int error,
244 rval_t *rval)
245 {
246 struct t_audit_data *tad;
247 int flag;
248 au_defer_info_t *attr;
249 au_kcontext_t *kctx = GET_KCTX_PZ;
250
251 tad = U2A(u);
252
253 /*
254 * Process all deferred events first.
255 */
256 attr = tad->tad_defer_head;
257 while (attr != NULL) {
258 au_defer_info_t *tmp_attr = attr;
259
260 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
261 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
262
263 attr = attr->audi_next;
264 kmem_free(tmp_attr, sizeof (au_defer_info_t));
265 }
266 tad->tad_defer_head = tad->tad_defer_tail = NULL;
267
268 if (tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) {
269 /*
270 * clear the ctrl flag so that we don't have spurious
271 * collection of audit information.
272 */
273 tad->tad_scid = 0;
274 tad->tad_event = 0;
275 tad->tad_evmod = 0;
276 tad->tad_ctrl = 0;
277 tad->tad_audit = AUC_UNSET;
278 ASSERT(tad->tad_aupath == NULL);
279 return;
280 }
281
282 scid = tad->tad_scid;
283
284 /*
285 * Perform any extra processing and determine if we are
286 * really going to generate any audit record.
287 */
288 if (audit_s2e[scid].au_finish != NULL) {
289 /* do any post system call processing */
290 (*audit_s2e[scid].au_finish)(tad, error, rval);
291 }
292 if (tad->tad_flag) {
293 tad->tad_flag = 0;
294
295 if (flag = audit_success(kctx, tad, error, NULL)) {
296 unsigned int sy_flags;
297 cred_t *cr = CRED();
298 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
299
300 ASSERT(ainfo != NULL);
301
302 /* Add subject information */
303 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
304
305 if (tad->tad_evmod & PAD_SPRIVUSE) {
306 au_write(&(u_ad),
307 au_to_privset("", &tad->tad_sprivs,
308 AUT_UPRIV, 1));
309 }
310
311 if (tad->tad_evmod & PAD_FPRIVUSE) {
312 au_write(&(u_ad),
313 au_to_privset("", &tad->tad_fprivs,
314 AUT_UPRIV, 0));
315 }
316
317 /* Add a return token */
318 #ifdef _SYSCALL32_IMPL
319 if (lwp_getdatamodel(ttolwp(curthread)) ==
320 DATAMODEL_NATIVE) {
321 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
322 } else {
323 sy_flags =
324 sysent32[scid].sy_flags & SE_RVAL_MASK;
325 }
326 #else /* _SYSCALL64_IMPL */
327 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
328 #endif /* _SYSCALL32_IMPL */
329
330 if (sy_flags == SE_32RVAL1) {
331 if (type == 0) {
332 au_write(&(u_ad),
333 au_to_return32(error, 0));
334 } else {
335 au_write(&(u_ad), au_to_return32(error,
336 rval->r_val1));
337 }
338 }
339 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
340 if (type == 0) {
341 au_write(&(u_ad),
342 au_to_return32(error, 0));
343 } else {
344 au_write(&(u_ad),
345 au_to_return32(error,
346 rval->r_val1));
347 #ifdef NOTYET /* for possible future support */
348 au_write(&(u_ad), au_to_return32(error,
349 rval->r_val2));
350 #endif
351 }
352 }
353 if (sy_flags == SE_64RVAL) {
354 if (type == 0) {
355 au_write(&(u_ad),
356 au_to_return64(error, 0));
357 } else {
358 au_write(&(u_ad), au_to_return64(error,
359 rval->r_vals));
360 }
361 }
362
363 AS_INC(as_generated, 1, kctx);
364 AS_INC(as_kernel, 1, kctx);
365 }
366
367 /* Close up everything */
368 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod,
369 NULL);
370 }
371
372 ASSERT(u_ad == NULL);
373
374 /* free up any space remaining with the path's */
375 if (tad->tad_aupath != NULL) {
376 au_pathrele(tad->tad_aupath);
377 tad->tad_aupath = NULL;
378 }
379
380 /* free up any space remaining with openat path's */
381 if (tad->tad_atpath) {
382 au_pathrele(tad->tad_atpath);
383 tad->tad_atpath = NULL;
384 }
385
386 /*
387 * clear the ctrl flag so that we don't have spurious collection of
388 * audit information.
389 */
390 tad->tad_scid = 0;
391 tad->tad_event = 0;
392 tad->tad_evmod = 0;
393 tad->tad_ctrl = 0;
394 tad->tad_audit = AUC_UNSET;
395 }
396
397 int
audit_success(au_kcontext_t * kctx,struct t_audit_data * tad,int error,cred_t * cr)398 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
399 cred_t *cr)
400 {
401 au_state_t ess;
402 au_state_t esf;
403 au_mask_t amask;
404 const auditinfo_addr_t *ainfo;
405
406 ess = esf = kctx->auk_ets[tad->tad_event];
407
408 if (error)
409 tad->tad_evmod |= PAD_FAILURE;
410
411 /* see if we really want to generate an audit record */
412 if (tad->tad_ctrl & TAD_NOAUDIT)
413 return (0);
414
415 /*
416 * Used passed cred if available, otherwise use cred from kernel thread
417 */
418 if (cr == NULL)
419 cr = CRED();
420 ainfo = crgetauinfo(cr);
421 if (ainfo == NULL)
422 return (0);
423 amask = ainfo->ai_mask;
424
425 if (error == 0)
426 return ((ess & amask.as_success) ? AU_OK : 0);
427 else
428 return ((esf & amask.as_failure) ? AU_OK : 0);
429 }
430
431 /*
432 * determine if we've preselected this event (system call).
433 */
434 int
auditme(au_kcontext_t * kctx,struct t_audit_data * tad,au_state_t estate)435 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
436 {
437 int flag = 0;
438 au_mask_t amask;
439 const auditinfo_addr_t *ainfo;
440
441 ainfo = crgetauinfo(CRED());
442 if (ainfo == NULL)
443 return (0);
444 amask = ainfo->ai_mask;
445
446 /* preselected system call */
447
448 if (amask.as_success & estate || amask.as_failure & estate) {
449 flag = 1;
450 } else if ((tad->tad_scid == SYS_putmsg) ||
451 (tad->tad_scid == SYS_getmsg)) {
452 estate = kctx->auk_ets[AUE_SOCKCONNECT] |
453 kctx->auk_ets[AUE_SOCKACCEPT] |
454 kctx->auk_ets[AUE_SOCKSEND] |
455 kctx->auk_ets[AUE_SOCKRECEIVE];
456 if (amask.as_success & estate || amask.as_failure & estate)
457 flag = 1;
458 } else if (tad->tad_scid == SYS_execve &&
459 getpflags(PRIV_PFEXEC, CRED()) != 0) {
460 estate = kctx->auk_ets[AUE_PFEXEC];
461 if (amask.as_success & estate || amask.as_failure & estate)
462 flag = 1;
463 }
464
465 return (flag);
466 }
467