xref: /freebsd/contrib/openbsm/libbsm/bsm_audit.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a)
1 /*-
2  * Copyright (c) 2004 Apple Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * All rights reserved.
5  *
6  * This code was developed in part by Robert N. M. Watson, Senior Principal
7  * Scientist, SPARTA, Inc.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1.  Redistributions of source code must retain the above copyright
13  *     notice, this list of conditions and the following disclaimer.
14  * 2.  Redistributions in binary form must reproduce the above copyright
15  *     notice, this list of conditions and the following disclaimer in the
16  *     documentation and/or other materials provided with the distribution.
17  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18  *     its contributors may be used to endorse or promote products derived
19  *     from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31  * POSSIBILITY OF SUCH DAMAGE.
32  *
33  * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#36 $
34  */
35 
36 #include <sys/types.h>
37 
38 #include <config/config.h>
39 #ifdef HAVE_FULL_QUEUE_H
40 #include <sys/queue.h>
41 #else
42 #include <compat/queue.h>
43 #endif
44 
45 #include <bsm/audit_internal.h>
46 #include <bsm/libbsm.h>
47 
48 #include <netinet/in.h>
49 
50 #include <errno.h>
51 #ifdef HAVE_PTHREAD_MUTEX_LOCK
52 #include <pthread.h>
53 #endif
54 #include <stdlib.h>
55 #include <string.h>
56 
57 /* array of used descriptors */
58 static au_record_t	*open_desc_table[MAX_AUDIT_RECORDS];
59 
60 /* The current number of active record descriptors */
61 static int	audit_rec_count = 0;
62 
63 /*
64  * Records that can be recycled are maintained in the list given below.  The
65  * maximum number of elements that can be present in this list is bounded by
66  * MAX_AUDIT_RECORDS.  Memory allocated for these records are never freed.
67  */
68 static LIST_HEAD(, au_record)	audit_free_q;
69 
70 #ifdef HAVE_PTHREAD_MUTEX_LOCK
71 static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
72 #endif
73 
74 /*
75  * This call frees a token_t and its internal data.
76  */
77 void
78 au_free_token(token_t *tok)
79 {
80 
81 	if (tok != NULL) {
82 		if (tok->t_data)
83 			free(tok->t_data);
84 		free(tok);
85 	}
86 }
87 
88 /*
89  * This call reserves memory for the audit record.  Memory must be guaranteed
90  * before any auditable event can be generated.  The au_record_t structure
91  * maintains a reference to the memory allocated above and also the list of
92  * tokens associated with this record.  Descriptors are recyled once the
93  * records are added to the audit trail following au_close().
94  */
95 int
96 au_open(void)
97 {
98 	au_record_t *rec = NULL;
99 
100 #ifdef HAVE_PTHREAD_MUTEX_LOCK
101 	pthread_mutex_lock(&mutex);
102 #endif
103 
104 	if (audit_rec_count == 0)
105 		LIST_INIT(&audit_free_q);
106 
107 	/*
108 	 * Find an unused descriptor, remove it from the free list, mark as
109 	 * used.
110 	 */
111 	if (!LIST_EMPTY(&audit_free_q)) {
112 		rec = LIST_FIRST(&audit_free_q);
113 		rec->used = 1;
114 		LIST_REMOVE(rec, au_rec_q);
115 	}
116 
117 #ifdef HAVE_PTHREAD_MUTEX_LOCK
118 	pthread_mutex_unlock(&mutex);
119 #endif
120 
121 	if (rec == NULL) {
122 		/*
123 		 * Create a new au_record_t if no descriptors are available.
124 		 */
125 		rec = malloc (sizeof(au_record_t));
126 		if (rec == NULL)
127 			return (-1);
128 
129 		rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
130 		if (rec->data == NULL) {
131 			free(rec);
132 			errno = ENOMEM;
133 			return (-1);
134 		}
135 
136 #ifdef HAVE_PTHREAD_MUTEX_LOCK
137 		pthread_mutex_lock(&mutex);
138 #endif
139 
140 		if (audit_rec_count == MAX_AUDIT_RECORDS) {
141 #ifdef HAVE_PTHREAD_MUTEX_LOCK
142 			pthread_mutex_unlock(&mutex);
143 #endif
144 			free(rec->data);
145 			free(rec);
146 
147 			/* XXX We need to increase size of MAX_AUDIT_RECORDS */
148 			errno = ENOMEM;
149 			return (-1);
150 		}
151 		rec->desc = audit_rec_count;
152 		open_desc_table[audit_rec_count] = rec;
153 		audit_rec_count++;
154 
155 #ifdef HAVE_PTHREAD_MUTEX_LOCK
156 		pthread_mutex_unlock(&mutex);
157 #endif
158 
159 	}
160 
161 	memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
162 
163 	TAILQ_INIT(&rec->token_q);
164 	rec->len = 0;
165 	rec->used = 1;
166 
167 	return (rec->desc);
168 }
169 
170 /*
171  * Store the token with the record descriptor.
172  *
173  * Don't permit writing more to the buffer than would let the trailer be
174  * appended later.
175  */
176 int
177 au_write(int d, token_t *tok)
178 {
179 	au_record_t *rec;
180 
181 	if (tok == NULL) {
182 		errno = EINVAL;
183 		return (-1); /* Invalid Token */
184 	}
185 
186 	/* Write the token to the record descriptor */
187 	rec = open_desc_table[d];
188 	if ((rec == NULL) || (rec->used == 0)) {
189 		errno = EINVAL;
190 		return (-1); /* Invalid descriptor */
191 	}
192 
193 	if (rec->len + tok->len + AUDIT_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
194 		errno = ENOMEM;
195 		return (-1);
196 	}
197 
198 	/* Add the token to the tail */
199 	/*
200 	 * XXX Not locking here -- we should not be writing to
201 	 * XXX the same descriptor from different threads
202 	 */
203 	TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
204 
205 	rec->len += tok->len; /* grow record length by token size bytes */
206 
207 	/* Token should not be available after this call */
208 	tok = NULL;
209 	return (0); /* Success */
210 }
211 
212 /*
213  * Assemble an audit record out of its tokens, including allocating header and
214  * trailer tokens.  Does not free the token chain, which must be done by the
215  * caller if desirable.
216  *
217  * XXX: Assumes there is sufficient space for the header and trailer.
218  */
219 static int
220 au_assemble(au_record_t *rec, short event)
221 {
222 #ifdef HAVE_AUDIT_SYSCALLS
223 	struct in6_addr *aptr;
224 	struct auditinfo_addr aia;
225 	struct timeval tm;
226 	size_t hdrsize;
227 #endif /* HAVE_AUDIT_SYSCALLS */
228 	token_t *header, *tok, *trailer;
229 	size_t tot_rec_size;
230 	u_char *dptr;
231 	int error;
232 
233 #ifdef HAVE_AUDIT_SYSCALLS
234 	/*
235 	 * Grab the size of the address family stored in the kernel's audit
236 	 * state.
237 	 */
238 	aia.ai_termid.at_type = AU_IPv4;
239 	aia.ai_termid.at_addr[0] = INADDR_ANY;
240 	if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
241 		if (errno != ENOSYS && errno != EPERM)
242 			return (-1);
243 #endif /* HAVE_AUDIT_SYSCALLS */
244 		tot_rec_size = rec->len + AUDIT_HEADER_SIZE +
245 		    AUDIT_TRAILER_SIZE;
246 		header = au_to_header(tot_rec_size, event, 0);
247 #ifdef HAVE_AUDIT_SYSCALLS
248 	} else {
249 		if (gettimeofday(&tm, NULL) < 0)
250 			return (-1);
251 		switch (aia.ai_termid.at_type) {
252 		case AU_IPv4:
253 			hdrsize = (aia.ai_termid.at_addr[0] == INADDR_ANY) ?
254 			    AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
255 			break;
256 		case AU_IPv6:
257 			aptr = (struct in6_addr *)&aia.ai_termid.at_addr[0];
258 			hdrsize =
259 			    (IN6_IS_ADDR_UNSPECIFIED(aptr)) ?
260 			    AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
261 			break;
262 		default:
263 			return (-1);
264 		}
265 		tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
266 		/*
267 		 * A header size greater then AUDIT_HEADER_SIZE means
268 		 * that we are using an extended header.
269 		 */
270 		if (hdrsize > AUDIT_HEADER_SIZE)
271 			header = au_to_header32_ex_tm(tot_rec_size, event,
272 			    0, tm, &aia);
273 		else
274 			header = au_to_header(tot_rec_size, event, 0);
275 	}
276 #endif /* HAVE_AUDIT_SYSCALLS */
277 	if (header == NULL)
278 		return (-1);
279 
280 	trailer = au_to_trailer(tot_rec_size);
281 	if (trailer == NULL) {
282 		error = errno;
283 		au_free_token(header);
284 		errno = error;
285 		return (-1);
286 	}
287 
288 	TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
289 	TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
290 
291 	rec->len = tot_rec_size;
292 	dptr = rec->data;
293 
294 	TAILQ_FOREACH(tok, &rec->token_q, tokens) {
295 		memcpy(dptr, tok->t_data, tok->len);
296 		dptr += tok->len;
297 	}
298 
299 	return (0);
300 }
301 
302 /*
303  * Given a record that is no longer of interest, tear it down and convert to a
304  * free record.
305  */
306 static void
307 au_teardown(au_record_t *rec)
308 {
309 	token_t *tok;
310 
311 	/* Free the token list */
312 	while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
313 		TAILQ_REMOVE(&rec->token_q, tok, tokens);
314 		free(tok->t_data);
315 		free(tok);
316 	}
317 
318 	rec->used = 0;
319 	rec->len = 0;
320 
321 #ifdef HAVE_PTHREAD_MUTEX_LOCK
322 	pthread_mutex_lock(&mutex);
323 #endif
324 
325 	/* Add the record to the freelist tail */
326 	LIST_INSERT_HEAD(&audit_free_q, rec, au_rec_q);
327 
328 #ifdef HAVE_PTHREAD_MUTEX_LOCK
329 	pthread_mutex_unlock(&mutex);
330 #endif
331 }
332 
333 #ifdef HAVE_AUDIT_SYSCALLS
334 /*
335  * Add the header token, identify any missing tokens.  Write out the tokens to
336  * the record memory and finally, call audit.
337  */
338 int
339 au_close(int d, int keep, short event)
340 {
341 	au_record_t *rec;
342 	size_t tot_rec_size;
343 	int retval = 0;
344 
345 	rec = open_desc_table[d];
346 	if ((rec == NULL) || (rec->used == 0)) {
347 		errno = EINVAL;
348 		return (-1); /* Invalid descriptor */
349 	}
350 
351 	if (keep == AU_TO_NO_WRITE) {
352 		retval = 0;
353 		goto cleanup;
354 	}
355 
356 	tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
357 
358 	if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
359 		/*
360 		 * XXXRW: Since au_write() is supposed to prevent this, spew
361 		 * an error here.
362 		 */
363 		fprintf(stderr, "au_close failed");
364 		errno = ENOMEM;
365 		retval = -1;
366 		goto cleanup;
367 	}
368 
369 	if (au_assemble(rec, event) < 0) {
370 		/*
371 		 * XXXRW: This is also not supposed to happen, but might if we
372 		 * are unable to allocate header and trailer memory.
373 		 */
374 		retval = -1;
375 		goto cleanup;
376 	}
377 
378 	/* Call the kernel interface to audit */
379 	retval = audit(rec->data, rec->len);
380 
381 cleanup:
382 	/* CLEANUP */
383 	au_teardown(rec);
384 	return (retval);
385 }
386 #endif /* HAVE_AUDIT_SYSCALLS */
387 
388 /*
389  * au_close(), except onto an in-memory buffer.  Buffer size as an argument,
390  * record size returned via same argument on success.
391  */
392 int
393 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
394 {
395 	size_t tot_rec_size;
396 	au_record_t *rec;
397 	int retval;
398 
399 	rec = open_desc_table[d];
400 	if ((rec == NULL) || (rec->used == 0)) {
401 		errno = EINVAL;
402 		return (-1);
403 	}
404 
405 	retval = 0;
406 	tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
407 	if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
408 	    (tot_rec_size > *buflen)) {
409 		/*
410 		 * XXXRW: See au_close() comment.
411 		 */
412 		fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
413 		errno = ENOMEM;
414 		retval = -1;
415 		goto cleanup;
416 	}
417 
418 	if (au_assemble(rec, event) < 0) {
419 		/* XXXRW: See au_close() comment. */
420 		retval = -1;
421 		goto cleanup;
422 	}
423 
424 	memcpy(buffer, rec->data, rec->len);
425 	*buflen = rec->len;
426 
427 cleanup:
428 	au_teardown(rec);
429 	return (retval);
430 }
431 
432 /*
433  * au_close_token() returns the byte format of a token_t.  This won't
434  * generally be used by applications, but is quite useful for writing test
435  * tools.  Will free the token on either success or failure.
436  */
437 int
438 au_close_token(token_t *tok, u_char *buffer, size_t *buflen)
439 {
440 
441 	if (tok->len > *buflen) {
442 		au_free_token(tok);
443 		errno = ENOMEM;
444 		return (EINVAL);
445 	}
446 
447 	memcpy(buffer, tok->t_data, tok->len);
448 	*buflen = tok->len;
449 	au_free_token(tok);
450 	return (0);
451 }
452