1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/param.h>
26 #include <sys/types.h>
27 #include <sys/time.h>
28 #include <sys/kmem.h>
29 #include <sys/proc.h>
30 #include <sys/vnode.h>
31 #include <sys/file.h>
32 #include <sys/user.h>
33 #include <sys/stropts.h>
34 #include <sys/systm.h>
35 #include <sys/pathname.h>
36 #include <sys/debug.h>
37 #include <sys/cred_impl.h>
38 #include <sys/zone.h>
39 #include <sys/modctl.h>
40 #include <sys/sysconf.h>
41 #include <c2/audit.h>
42 #include <c2/audit_kernel.h>
43 #include <c2/audit_kevents.h>
44 #include <c2/audit_record.h>
45
46
47 struct p_audit_data *pad0;
48 struct t_audit_data *tad0;
49
50 extern uint_t num_syscall; /* size of audit_s2e table */
51 extern kmutex_t pidlock; /* proc table lock */
52
53
54 void
audit_init()55 audit_init()
56 {
57 kthread_t *au_thread;
58 auditinfo_addr_t *ainfo;
59 struct audit_path apempty;
60
61 /*
62 * If the c2audit module is explicitely excluded in /etc/system,
63 * it cannot be loaded later (e.g. using modload). Make a notice
64 * that the module won't be present and do nothing.
65 */
66
67 if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0) {
68 audit_active = C2AUDIT_DISABLED;
69 return;
70 }
71
72 /* c2audit module can be loaded anytime */
73 audit_active = C2AUDIT_UNLOADED;
74
75 /* initialize the process audit data (pad) memory allocator */
76 au_pad_init();
77
78 /* initialize the zone audit context */
79 au_zone_setup();
80
81 /* inital thread structure */
82 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
83
84 /* initial process structure */
85 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
86 bzero(&pad0->pad_data, sizeof (pad0->pad_data));
87
88 curthread->t_audit_data = tad0;
89 curproc->p_audit_data = pad0;
90
91 /*
92 * The kernel allocates a bunch of threads make sure they have
93 * a valid tad
94 */
95
96 mutex_enter(&pidlock);
97
98 au_thread = curthread;
99 do {
100 if (T2A(au_thread) == NULL) {
101 T2A(au_thread) = tad0;
102 }
103 au_thread = au_thread->t_next;
104 } while (au_thread != curthread);
105
106 tad0->tad_ad = NULL;
107 mutex_exit(&pidlock);
108
109 /*
110 * Initialize audit context in our cred (kcred).
111 * No copy-on-write needed here because it's so early in init.
112 */
113
114 ainfo = crgetauinfo_modifiable(kcred);
115 ASSERT(ainfo != NULL);
116 bzero(ainfo, sizeof (auditinfo_addr_t));
117 ainfo->ai_auid = AU_NOAUDITID;
118
119 /* fabricate an empty audit_path to extend */
120 apempty.audp_cnt = 0;
121 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
122 pad0->pad_root = au_pathdup(&apempty, 1, 2);
123 bcopy("/", pad0->pad_root->audp_sect[0], 2);
124 au_pathhold(pad0->pad_root);
125 pad0->pad_cwd = pad0->pad_root;
126 }
127
128 /*
129 * Check for any pending changes to the audit context for the given proc.
130 * p_crlock and pad_lock for the process are acquired here. Caller is
131 * responsible for assuring the process doesn't go away. If context is
132 * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
133 * If no cred is given, it will be cralloc'ed here and caller assures that
134 * it is safe to allocate memory.
135 */
136
137 void
audit_update_context(proc_t * p,cred_t * ncr)138 audit_update_context(proc_t *p, cred_t *ncr)
139 {
140 struct p_audit_data *pad;
141 cred_t *newcred = ncr;
142
143 pad = P2A(p);
144 if (pad == NULL) {
145 if (newcred != NULL)
146 crfree(newcred);
147 return;
148 }
149
150 /* If a mask update is pending, take care of it. */
151 if (pad->pad_flags & PAD_SETMASK) {
152 auditinfo_addr_t *ainfo;
153
154 if (newcred == NULL)
155 newcred = cralloc();
156
157 mutex_enter(&pad->pad_lock);
158 /* the condition may have been handled by the time we lock */
159 if (pad->pad_flags & PAD_SETMASK) {
160 ainfo = crgetauinfo_modifiable(newcred);
161 if (ainfo == NULL) {
162 mutex_exit(&pad->pad_lock);
163 crfree(newcred);
164 return;
165 }
166
167 mutex_enter(&p->p_crlock);
168 crcopy_to(p->p_cred, newcred);
169 p->p_cred = newcred;
170
171 ainfo->ai_mask = pad->pad_newmask;
172
173 /* Unlock and cleanup. */
174 mutex_exit(&p->p_crlock);
175 pad->pad_flags &= ~PAD_SETMASK;
176
177 /*
178 * For curproc, assure that our thread points to right
179 * cred, so CRED() will be correct. Otherwise, no need
180 * to broadcast changes (via set_proc_pre_sys), since
181 * t_pre_sys is ALWAYS on when audit is enabled... due
182 * to syscall auditing.
183 */
184 if (p == curproc)
185 crset(p, newcred);
186 else
187 crfree(newcred);
188 } else {
189 crfree(newcred);
190 }
191 mutex_exit(&pad->pad_lock);
192 } else {
193 if (newcred != NULL)
194 crfree(newcred);
195 }
196 }
197
198 /*
199 * ROUTINE: AUDIT_NEWPROC
200 * PURPOSE: initialize the child p_audit_data structure
201 * CALLBY: GETPROC
202 * NOTE: All threads for the parent process are locked at this point.
203 * We are essentially running singled threaded for this reason.
204 * GETPROC is called when system creates a new process.
205 * By the time AUDIT_NEWPROC is called, the child proc
206 * structure has already been initialized. What we need
207 * to do is to allocate the child p_audit_data and
208 * initialize it with the content of current parent process.
209 */
210
211 void
audit_newproc(struct proc * cp)212 audit_newproc(struct proc *cp) /* initialized child proc structure */
213 {
214 p_audit_data_t *pad; /* child process audit data */
215 p_audit_data_t *opad; /* parent process audit data */
216
217 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
218
219 P2A(cp) = pad;
220
221 opad = P2A(curproc);
222
223 /*
224 * copy the audit data. Note that all threads of current
225 * process have been "held". Thus there is no race condition
226 * here with mutiple threads trying to alter the cwrd
227 * structure (such as releasing it).
228 *
229 * The audit context in the cred is "duplicated" for the new
230 * proc by elsewhere crhold'ing the parent's cred which it shares.
231 *
232 * We still want to hold things since auditon() [A_SETUMASK,
233 * A_SETSMASK] could be walking through the processes to
234 * update things.
235 */
236 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */
237 pad->pad_data = opad->pad_data; /* copy parent's process audit data */
238 au_pathhold(pad->pad_root);
239 au_pathhold(pad->pad_cwd);
240 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */
241
242 /*
243 * If we are in the limited mode, there is nothing to audit and
244 * there could not have been anything to audit, since it is not
245 * possible to switch from the full mode into the limited mode
246 * once the full mode is set.
247 */
248 if (audit_active != C2AUDIT_LOADED)
249 return;
250
251 /*
252 * finish auditing of parent here so that it will be done
253 * before child has a chance to run. We include the child
254 * pid since the return value in the return token is a dummy
255 * one and contains no useful information (it is included to
256 * make the audit record structure consistant).
257 *
258 * tad_flag is set if auditing is on
259 */
260 if (((t_audit_data_t *)T2A(curthread))->tad_flag)
261 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
262
263 /*
264 * finish up audit record generation here because child process
265 * is set to run before parent process. We distinguish here
266 * between FORK, FORK1, or VFORK by the saved system call ID.
267 */
268 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
269 }
270
271 /*
272 * ROUTINE: AUDIT_PFREE
273 * PURPOSE: deallocate the per-process udit data structure
274 * CALLBY: EXIT
275 * FORK_FAIL
276 * NOTE: all lwp except current one have stopped in SEXITLWPS
277 * why we are single threaded?
278 * . all lwp except current one have stopped in SEXITLWPS.
279 */
280
281 void
audit_pfree(struct proc * p)282 audit_pfree(struct proc *p) /* proc structure to be freed */
283
284 { /* AUDIT_PFREE */
285
286 p_audit_data_t *pad;
287
288 pad = P2A(p);
289
290 /* better be a per process audit data structure */
291 ASSERT(pad != (p_audit_data_t *)0);
292
293 if (pad == pad0) {
294 return;
295 }
296
297 /* deallocate all auditing resources for this process */
298 au_pathrele(pad->pad_root);
299 au_pathrele(pad->pad_cwd);
300
301 /*
302 * Since the pad structure is completely overwritten after alloc,
303 * we don't bother to clear it.
304 */
305
306 kmem_cache_free(au_pad_cache, pad);
307 }
308
309 /*
310 * ROUTINE: AUDIT_THREAD_CREATE
311 * PURPOSE: allocate per-process thread audit data structure
312 * CALLBY: THREAD_CREATE
313 * NOTE: This is called just after *t was bzero'd.
314 * We are single threaded in this routine.
315 * TODO:
316 * QUESTION:
317 */
318
319 void
audit_thread_create(kthread_id_t t)320 audit_thread_create(kthread_id_t t)
321 {
322 t_audit_data_t *tad; /* per-thread audit data */
323
324 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
325
326 T2A(t) = tad; /* set up thread audit data ptr */
327 tad->tad_thread = t; /* back ptr to thread: DEBUG */
328 }
329
330 /*
331 * ROUTINE: AUDIT_THREAD_FREE
332 * PURPOSE: free the per-thread audit data structure
333 * CALLBY: THREAD_FREE
334 * NOTE: most thread data is clear after return
335 */
336
337 void
audit_thread_free(kthread_t * t)338 audit_thread_free(kthread_t *t)
339 {
340 t_audit_data_t *tad;
341 au_defer_info_t *attr;
342
343 tad = T2A(t);
344
345 /* thread audit data must still be set */
346
347 if (tad == tad0) {
348 return;
349 }
350
351 if (tad == NULL) {
352 return;
353 }
354
355 t->t_audit_data = 0;
356
357 /* must not have any audit record residual */
358 ASSERT(tad->tad_ad == NULL);
359
360 /* saved path must be empty */
361 ASSERT(tad->tad_aupath == NULL);
362
363 if (tad->tad_atpath)
364 au_pathrele(tad->tad_atpath);
365
366 if (audit_active == C2AUDIT_LOADED) {
367 attr = tad->tad_defer_head;
368 while (attr != NULL) {
369 au_defer_info_t *tmp_attr = attr;
370
371 au_free_rec(attr->audi_ad);
372
373 attr = attr->audi_next;
374 kmem_free(tmp_attr, sizeof (au_defer_info_t));
375 }
376 }
377
378 kmem_free(tad, sizeof (*tad));
379 }
380
381 /*
382 * ROUTINE: AUDIT_FALLOC
383 * PURPOSE: allocating a new file structure
384 * CALLBY: FALLOC
385 * NOTE: file structure already initialized
386 * TODO:
387 * QUESTION:
388 */
389
390 void
audit_falloc(struct file * fp)391 audit_falloc(struct file *fp)
392 { /* AUDIT_FALLOC */
393
394 f_audit_data_t *fad;
395
396 /* allocate per file audit structure if there a'int any */
397 ASSERT(F2A(fp) == NULL);
398
399 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
400
401 F2A(fp) = fad;
402
403 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */
404 }
405
406 /*
407 * ROUTINE: AUDIT_UNFALLOC
408 * PURPOSE: deallocate file audit data structure
409 * CALLBY: CLOSEF
410 * UNFALLOC
411 * NOTE:
412 * TODO:
413 * QUESTION:
414 */
415
416 void
audit_unfalloc(struct file * fp)417 audit_unfalloc(struct file *fp)
418 {
419 f_audit_data_t *fad;
420
421 fad = F2A(fp);
422
423 if (!fad) {
424 return;
425 }
426 if (fad->fad_aupath != NULL) {
427 au_pathrele(fad->fad_aupath);
428 }
429 fp->f_audit_data = 0;
430 kmem_free(fad, sizeof (struct f_audit_data));
431 }
432
433 uint32_t
audit_getstate()434 audit_getstate()
435 {
436 return (audit_active == C2AUDIT_LOADED &&
437 ((AU_AUDIT_MASK) & U2A(u)->tad_audit));
438 }
439