1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _BSM_AUDIT_KERNEL_H 26 #define _BSM_AUDIT_KERNEL_H 27 28 29 /* 30 * This file contains the basic auditing control structure definitions. 31 */ 32 33 #include <c2/audit_kevents.h> 34 #include <sys/priv_impl.h> 35 #include <sys/taskq.h> 36 #include <sys/zone.h> 37 38 #include <sys/tsol/label.h> 39 40 #ifdef __cplusplus 41 extern "C" { 42 #endif 43 44 /* 45 * This table contains the mapping from the system call ID to a corresponding 46 * audit event. 47 * 48 * au_init() is a function called at the beginning of the system call that 49 * performs any necessary setup/processing. It maps the call into the 50 * appropriate event, depending on the system call arguments. It is called 51 * by audit_start() from trap.c . 52 * 53 * au_event is the audit event associated with the system call. Most of the 54 * time it will map directly from the system call i.e. There is one system 55 * call associated with the event. In some cases, such as shmsys, or open, 56 * the au_start() function will map the system call to more than one event, 57 * depending on the system call arguments. 58 * 59 * au_start() is a function that provides per system call processing at the 60 * beginning of a system call. It is mainly concerned with preseving the 61 * audit record components that may be altered so that we can determine 62 * what the original paramater was before as well as after the system call. 63 * It is possible that au_start() may be taken away. It might be cleaner to 64 * define flags in au_ctrl to save a designated argument. For the moment we 65 * support both mechanisms, however the use of au_start() will be reviewed 66 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified. 67 * 68 * au_finish() is a function that provides per system call processing at the 69 * completion of a system call. In certain circumstances, the type of audit 70 * event depends on intermidiate results during the processing of the system 71 * call. It is called in audit_finish() from trap.c . 72 * 73 * au_ctrl is a control vector that indicates what processing might have to 74 * be performed, even if there is no auditing for this system call. At 75 * present this is mostly for path processing for chmod, chroot. We need to 76 * process the path information in vfs_lookup, even when we are not auditing 77 * the system call in the case of chdir and chroot. 78 */ 79 /* 80 * Defines for au_ctrl 81 */ 82 #define S2E_SP TAD_SAVPATH /* save path for later use */ 83 #define S2E_MLD TAD_MLD /* only one lookup per system call */ 84 #define S2E_NPT TAD_NOPATH /* force no path in audit record */ 85 #define S2E_PUB TAD_PUBLIC_EV /* syscall is defined as a public op */ 86 87 /* 88 * At present, we are using the audit classes imbedded with in the kernel. Each 89 * event has a bit mask determining which classes the event is associated. 90 * The table audit_e2s maps the audit event ID to the audit state. 91 * 92 * Note that this may change radically. If we use a bit vector for the audit 93 * class, we can allow granularity at the event ID for each user. In this 94 * case, the vector would be determined at user level and passed to the kernel 95 * via the setaudit system call. 96 */ 97 98 /* 99 * The audit_pad structure holds paths for the current root and directory 100 * for the process, as well as for open files and directly manipulated objects. 101 * The reference count minimizes data copies since the process's current 102 * directory changes very seldom. 103 */ 104 struct audit_path { 105 uint_t audp_ref; /* reference count */ 106 uint_t audp_size; /* allocated size of this structure */ 107 uint_t audp_cnt; /* number of path sections */ 108 char *audp_sect[1]; /* path section pointers */ 109 /* audp_sect[0] is the path name */ 110 /* audp_sect[1+] are attribute paths */ 111 }; 112 113 /* 114 * The structure of the terminal ID within the kernel is different from the 115 * terminal ID in user space. It is a combination of port and IP address. 116 */ 117 118 struct au_termid { 119 dev_t at_port; 120 uint_t at_type; 121 uint_t at_addr[4]; 122 }; 123 typedef struct au_termid au_termid_t; 124 125 /* 126 * Attributes for deferring the queuing of an event. 127 */ 128 typedef struct au_defer_info { 129 struct au_defer_info *audi_next; /* next on linked list */ 130 void *audi_ad; /* audit record */ 131 au_event_t audi_e_type; /* audit event id */ 132 au_emod_t audi_e_mod; /* audit event modifier */ 133 int audi_flag; /* au_close*() flags */ 134 timestruc_t audi_atime; /* audit event timestamp */ 135 } au_defer_info_t; 136 137 /* 138 * The structure p_audit_data hangs off of the process structure. It contains 139 * all of the audit information necessary to manage the audit record generation 140 * for each process. 141 * 142 * The pad_lock is constructed in the kmem_cache; the rest is combined 143 * in a sub structure so it can be copied/zeroed in one statement. 144 * 145 * The members have been reordered for maximum packing on 64 bit Solaris. 146 */ 147 struct p_audit_data { 148 kmutex_t pad_lock; /* lock pad data during changes */ 149 struct _pad_data { 150 struct audit_path *pad_root; /* process root path */ 151 struct audit_path *pad_cwd; /* process cwd path */ 152 au_mask_t pad_newmask; /* pending new mask */ 153 int pad_flags; 154 } pad_data; 155 }; 156 typedef struct p_audit_data p_audit_data_t; 157 158 #define pad_root pad_data.pad_root 159 #define pad_cwd pad_data.pad_cwd 160 #define pad_newmask pad_data.pad_newmask 161 #define pad_flags pad_data.pad_flags 162 163 /* 164 * Defines for process audit flags (pad_flags) 165 */ 166 #define PAD_SETMASK 0x00000001 /* need to complete pending setmask */ 167 168 extern kmem_cache_t *au_pad_cache; 169 170 /* 171 * Defines for thread audit control/status flags (tad_ctrl) 172 */ 173 #define TAD_ABSPATH 0x00000001 /* path from lookup is absolute */ 174 #define TAD_ATCALL 0x00000002 /* *at() syscall, like openat() */ 175 #define TAD_ATTPATH 0x00000004 /* attribute file lookup */ 176 #define TAD_CORE 0x00000008 /* save attribute during core dump */ 177 #define TAD_ERRJMP 0x00000010 /* abort record generation on error */ 178 #define TAD_MLD 0x00000020 /* system call involves MLD */ 179 #define TAD_NOATTRB 0x00000040 /* do not automatically add attribute */ 180 #define TAD_NOAUDIT 0x00000080 /* discard audit record */ 181 #define TAD_NOPATH 0x00000100 /* force no paths in audit record */ 182 #define TAD_PATHFND 0x00000200 /* found path, don't retry lookup */ 183 #define TAD_PUBLIC_EV 0x00000400 /* syscall is defined as a public op */ 184 #define TAD_SAVPATH 0x00000800 /* save path for further processing */ 185 #define TAD_TRUE_CREATE 0x00001000 /* true create, file not found */ 186 187 /* 188 * The structure t_audit_data hangs off of the thread structure. It contains 189 * all of the audit information necessary to manage the audit record generation 190 * for each thread. 191 * 192 */ 193 194 struct t_audit_data { 195 kthread_id_t tad_thread; /* DEBUG pointer to parent thread */ 196 unsigned int tad_scid; /* system call ID for finish */ 197 au_event_t tad_event; /* event for audit record */ 198 au_emod_t tad_evmod; /* event modifier for audit record */ 199 int tad_ctrl; /* audit control/status flags */ 200 void *tad_errjmp; /* error longjmp (audit record aborted) */ 201 int tad_flag; /* to audit or not to audit */ 202 uint32_t tad_audit; /* auditing enabled/disabled */ 203 struct audit_path *tad_aupath; /* captured at vfs_lookup */ 204 struct audit_path *tad_atpath; /* openat prefix, path of fd */ 205 caddr_t tad_ad; /* base of accumulated audit data */ 206 au_defer_info_t *tad_defer_head; /* queue of records to defer */ 207 /* until syscall end: */ 208 au_defer_info_t *tad_defer_tail; /* tail of defer queue */ 209 priv_set_t tad_sprivs; /* saved (success) used privs */ 210 priv_set_t tad_fprivs; /* saved (failed) used privs */ 211 }; 212 typedef struct t_audit_data t_audit_data_t; 213 214 /* 215 * The f_audit_data structure hangs off of the file structure. It contains 216 * three fields of data. The audit ID, the audit state, and a path name. 217 */ 218 219 struct f_audit_data { 220 kthread_id_t fad_thread; /* DEBUG creating thread */ 221 int fad_flags; /* audit control flags */ 222 struct audit_path *fad_aupath; /* path from vfs_lookup */ 223 }; 224 typedef struct f_audit_data f_audit_data_t; 225 226 #define FAD_READ 0x0001 /* read system call seen */ 227 #define FAD_WRITE 0x0002 /* write system call seen */ 228 229 #define P2A(p) (p->p_audit_data) 230 #define T2A(t) (t->t_audit_data) 231 #define U2A(u) (curthread->t_audit_data) 232 #define F2A(f) (f->f_audit_data) 233 234 #define u_ad ((U2A(u))->tad_ad) 235 #define ad_ctrl ((U2A(u))->tad_ctrl) 236 #define ad_flag ((U2A(u))->tad_flag) 237 238 #define AU_BUFSIZE 128 /* buffer size for the buffer pool */ 239 240 struct au_buff { 241 char buf[AU_BUFSIZE]; 242 struct au_buff *next_buf; 243 struct au_buff *next_rec; 244 ushort_t rec_len; 245 uchar_t len; 246 uchar_t flag; 247 }; 248 249 typedef struct au_buff au_buff_t; 250 251 /* 252 * Kernel audit queue structure. 253 */ 254 struct audit_queue { 255 au_buff_t *head; /* head of queue */ 256 au_buff_t *tail; /* tail of queue */ 257 ssize_t cnt; /* number elements on queue */ 258 size_t hiwater; /* high water mark to block */ 259 size_t lowater; /* low water mark to restart */ 260 size_t bufsz; /* audit trail write buffer size */ 261 size_t buflen; /* audit trail buffer length in use */ 262 clock_t delay; /* delay before flushing queue */ 263 int wt_block; /* writer is blocked (1) */ 264 int rd_block; /* reader is blocked (1) */ 265 kmutex_t lock; /* mutex lock for queue modification */ 266 kcondvar_t write_cv; /* sleep structure for write block */ 267 kcondvar_t read_cv; /* sleep structure for read block */ 268 }; 269 270 271 union rval; 272 struct audit_s2e { 273 au_event_t (*au_init)(au_event_t); 274 /* convert au_event to real audit event ID */ 275 276 int au_event; /* default audit event for this system call */ 277 void (*au_start)(struct t_audit_data *); 278 /* pre-system call audit processing */ 279 void (*au_finish)(struct t_audit_data *, int, union rval *); 280 /* post-system call audit processing */ 281 int au_ctrl; /* control flags for auditing actions */ 282 }; 283 284 extern struct audit_s2e audit_s2e[]; 285 286 #define AUK_VALID 0x5A5A5A5A 287 #define AUK_INVALID 0 288 /* 289 * per zone audit context 290 */ 291 struct au_kcontext { 292 uint32_t auk_valid; 293 zoneid_t auk_zid; 294 295 boolean_t auk_hostaddr_valid; 296 int auk_sequence; 297 int auk_auditstate; 298 int auk_output_active; 299 struct vnode *auk_current_vp; 300 uint32_t auk_policy; 301 302 struct audit_queue auk_queue; 303 304 au_dbuf_t *auk_dbuffer; /* auditdoor output */ 305 306 au_stat_t auk_statistics; 307 308 k_auditinfo_addr_t auk_info; 309 kmutex_t auk_eagain_mutex; /* door call retry */ 310 kcondvar_t auk_eagain_cv; 311 312 taskq_t *auk_taskq; /* output thread */ 313 314 /* Only one audit svc per zone at a time */ 315 /* With the elimination of auditsvc, can this also go? see 6648414 */ 316 kmutex_t auk_svc_lock; 317 318 au_state_t auk_ets[MAX_KEVENTS + 1]; 319 }; 320 #ifndef AUK_CONTEXT_T 321 #define AUK_CONTEXT_T 322 typedef struct au_kcontext au_kcontext_t; 323 #endif 324 325 extern zone_key_t au_zone_key; 326 327 /* 328 * Kernel auditing external variables 329 */ 330 extern uint32_t audit_policy; 331 extern int audit_active; 332 333 extern struct audit_queue au_queue; 334 extern struct p_audit_data *pad0; 335 extern struct t_audit_data *tad0; 336 337 /* 338 * audit_path support routines 339 */ 340 void au_pathhold(struct audit_path *); 341 void au_pathrele(struct audit_path *); 342 struct audit_path *au_pathdup(const struct audit_path *, int, int); 343 344 void au_pad_init(void); 345 346 int auditctl(int cmd, caddr_t data, int length); 347 int auditdoor(int fd); 348 int getauid(caddr_t); 349 int setauid(caddr_t); 350 int getaudit(caddr_t); 351 int getaudit_addr(caddr_t, int); 352 int setaudit(caddr_t); 353 int setaudit_addr(caddr_t, int); 354 355 /* 356 * Macros to hide asynchronous, non-blocking audit record start and finish 357 * processing. 358 * 359 * NOTE: must be used in (void) funcction () { ... } 360 */ 361 362 #define AUDIT_ASYNC_START(rp, audit_event, sorf) \ 363 { \ 364 label_t jb; \ 365 if (setjmp(&jb)) { \ 366 /* cleanup any residual audit data */ \ 367 audit_async_drop((caddr_t *)&(rp), 0); \ 368 return; \ 369 } \ 370 /* auditing enabled and we're preselected for this event? */ \ 371 if (audit_async_start(&jb, audit_event, sorf)) { \ 372 return; \ 373 } \ 374 } 375 376 #define AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \ 377 audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \ 378 event_time); 379 380 381 #ifdef _KERNEL 382 au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *); 383 #endif 384 385 /* 386 * Macro for uniform "subject" token(s) generation 387 */ 388 #define AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \ 389 (au_write((u), au_to_subject(crgetuid(c), \ 390 crgetgid(c), crgetruid(c), crgetrgid(c), \ 391 p, (a)->ai_auid, (a)->ai_asid, \ 392 &((a)->ai_termid)))); \ 393 ((is_system_labeled()) ? au_write((u), \ 394 au_to_label(CR_SL((c)))) : (void) 0); \ 395 (((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\ 396 au_to_groups(crgetgroups(c), \ 397 crgetngroups(c))) : (void) 0) 398 399 #define AUDIT_SETSUBJ(u, c, a, k) \ 400 AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid) 401 402 #define AUDIT_SETPROC_GENERIC(u, c, a, p) \ 403 (au_write((u), au_to_process(crgetuid(c), \ 404 crgetgid(c), crgetruid(c), crgetrgid(c), \ 405 p, (a)->ai_auid, (a)->ai_asid, \ 406 &((a)->ai_termid)))); 407 408 #define AUDIT_SETPROC(u, c, a) \ 409 AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid) 410 411 /* 412 * Macros for type conversion 413 */ 414 415 /* au_membuf head, to typed data */ 416 #define memtod(x, t) ((t)x->buf) 417 418 /* au_membuf types */ 419 #define MT_FREE 0 /* should be on free list */ 420 #define MT_DATA 1 /* dynamic (data) allocation */ 421 422 /* flags to au_memget */ 423 #define DONTWAIT 0 424 #define WAIT 1 425 426 #define AU_PACK 1 /* pack data in au_append_rec() */ 427 #define AU_LINK 0 /* link data in au_append_rec() */ 428 429 /* flags to async routines */ 430 #define AU_BACKEND 1 /* called from softcall backend */ 431 432 #ifdef __cplusplus 433 } 434 #endif 435 436 #endif /* _BSM_AUDIT_KERNEL_H */ 437