1 /* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2005 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * $FreeBSD$ 31 */ 32 33 #include <sys/param.h> 34 #include <sys/fcntl.h> 35 #include <sys/filedesc.h> 36 #include <sys/libkern.h> 37 #include <sys/malloc.h> 38 #include <sys/mount.h> 39 #include <sys/proc.h> 40 #include <sys/sem.h> 41 #include <sys/syscall.h> 42 #include <sys/sysctl.h> 43 #include <sys/sysent.h> 44 #include <sys/vnode.h> 45 46 #include <bsm/audit.h> 47 #include <bsm/audit_kevents.h> 48 #include <security/audit/audit.h> 49 #include <security/audit/audit_private.h> 50 51 /* 52 * Hash table functions for the audit event number to event class mask 53 * mapping. 54 */ 55 #define EVCLASSMAP_HASH_TABLE_SIZE 251 56 struct evclass_elem { 57 au_event_t event; 58 au_class_t class; 59 LIST_ENTRY(evclass_elem) entry; 60 }; 61 struct evclass_list { 62 LIST_HEAD(, evclass_elem) head; 63 }; 64 65 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class"); 66 static struct mtx evclass_mtx; 67 static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE]; 68 69 /* 70 * Look up the class for an audit event in the class mapping table. 71 */ 72 au_class_t 73 au_event_class(au_event_t event) 74 { 75 struct evclass_list *evcl; 76 struct evclass_elem *evc; 77 au_class_t class; 78 79 mtx_lock(&evclass_mtx); 80 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 81 class = 0; 82 LIST_FOREACH(evc, &evcl->head, entry) { 83 if (evc->event == event) { 84 class = evc->class; 85 goto out; 86 } 87 } 88 out: 89 mtx_unlock(&evclass_mtx); 90 return (class); 91 } 92 93 /* 94 * Insert a event to class mapping. If the event already exists in the 95 * mapping, then replace the mapping with the new one. 96 * 97 * XXX There is currently no constraints placed on the number of mappings. 98 * May want to either limit to a number, or in terms of memory usage. 99 */ 100 void 101 au_evclassmap_insert(au_event_t event, au_class_t class) 102 { 103 struct evclass_list *evcl; 104 struct evclass_elem *evc, *evc_new; 105 106 /* 107 * Pessimistically, always allocate storage before acquiring mutex. 108 * Free if there is already a mapping for this event. 109 */ 110 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK); 111 112 mtx_lock(&evclass_mtx); 113 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 114 LIST_FOREACH(evc, &evcl->head, entry) { 115 if (evc->event == event) { 116 evc->class = class; 117 mtx_unlock(&evclass_mtx); 118 free(evc_new, M_AUDITEVCLASS); 119 return; 120 } 121 } 122 evc = evc_new; 123 evc->event = event; 124 evc->class = class; 125 LIST_INSERT_HEAD(&evcl->head, evc, entry); 126 mtx_unlock(&evclass_mtx); 127 } 128 129 void 130 au_evclassmap_init(void) 131 { 132 int i; 133 134 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF); 135 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) 136 LIST_INIT(&evclass_hash[i].head); 137 138 /* 139 * Set up the initial event to class mapping for system calls. 140 * 141 * XXXRW: Really, this should walk all possible audit events, not all 142 * native ABI system calls, as there may be audit events reachable 143 * only through non-native system calls. It also seems a shame to 144 * frob the mutex this early. 145 */ 146 for (i = 0; i < SYS_MAXSYSCALL; i++) { 147 if (sysent[i].sy_auevent != AUE_NULL) 148 au_evclassmap_insert(sysent[i].sy_auevent, 0); 149 } 150 } 151 152 /* 153 * Check whether an event is aditable by comparing the mask of classes this 154 * event is part of against the given mask. 155 */ 156 int 157 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf) 158 { 159 au_class_t effmask = 0; 160 161 if (mask_p == NULL) 162 return (-1); 163 164 /* 165 * Perform the actual check of the masks against the event. 166 */ 167 if (sorf & AU_PRS_SUCCESS) 168 effmask |= (mask_p->am_success & class); 169 170 if (sorf & AU_PRS_FAILURE) 171 effmask |= (mask_p->am_failure & class); 172 173 if (effmask) 174 return (1); 175 else 176 return (0); 177 } 178 179 /* 180 * Convert sysctl names and present arguments to events. 181 */ 182 au_event_t 183 ctlname_to_sysctlevent(int name[], uint64_t valid_arg) 184 { 185 186 /* can't parse it - so return the worst case */ 187 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN)) 188 return (AUE_SYSCTL); 189 190 switch (name[0]) { 191 /* non-admin "lookups" treat them special */ 192 case KERN_OSTYPE: 193 case KERN_OSRELEASE: 194 case KERN_OSREV: 195 case KERN_VERSION: 196 case KERN_ARGMAX: 197 case KERN_CLOCKRATE: 198 case KERN_BOOTTIME: 199 case KERN_POSIX1: 200 case KERN_NGROUPS: 201 case KERN_JOB_CONTROL: 202 case KERN_SAVED_IDS: 203 case KERN_OSRELDATE: 204 case KERN_DUMMY: 205 return (AUE_SYSCTL_NONADMIN); 206 207 /* only treat the changeable controls as admin */ 208 case KERN_MAXVNODES: 209 case KERN_MAXPROC: 210 case KERN_MAXFILES: 211 case KERN_MAXPROCPERUID: 212 case KERN_MAXFILESPERPROC: 213 case KERN_HOSTID: 214 case KERN_SECURELVL: 215 case KERN_HOSTNAME: 216 case KERN_VNODE: 217 case KERN_PROC: 218 case KERN_FILE: 219 case KERN_PROF: 220 case KERN_NISDOMAINNAME: 221 case KERN_UPDATEINTERVAL: 222 case KERN_NTP_PLL: 223 case KERN_BOOTFILE: 224 case KERN_DUMPDEV: 225 case KERN_IPC: 226 case KERN_PS_STRINGS: 227 case KERN_USRSTACK: 228 case KERN_LOGSIGEXIT: 229 case KERN_IOV_MAX: 230 case KERN_MAXID: 231 return ((valid_arg & ARG_VALUE) ? 232 AUE_SYSCTL : AUE_SYSCTL_NONADMIN); 233 234 default: 235 return (AUE_SYSCTL); 236 } 237 /* NOTREACHED */ 238 } 239 240 /* 241 * Convert an open flags specifier into a specific type of open event for 242 * auditing purposes. 243 */ 244 au_event_t 245 flags_and_error_to_openevent(int oflags, int error) 246 { 247 au_event_t aevent; 248 249 /* 250 * Need to check only those flags we care about. 251 */ 252 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 253 254 /* 255 * These checks determine what flags are on with the condition that 256 * ONLY that combination is on, and no other flags are on. 257 */ 258 switch (oflags) { 259 case O_RDONLY: 260 aevent = AUE_OPEN_R; 261 break; 262 263 case (O_RDONLY | O_CREAT): 264 aevent = AUE_OPEN_RC; 265 break; 266 267 case (O_RDONLY | O_CREAT | O_TRUNC): 268 aevent = AUE_OPEN_RTC; 269 break; 270 271 case (O_RDONLY | O_TRUNC): 272 aevent = AUE_OPEN_RT; 273 break; 274 275 case O_RDWR: 276 aevent = AUE_OPEN_RW; 277 break; 278 279 case (O_RDWR | O_CREAT): 280 aevent = AUE_OPEN_RWC; 281 break; 282 283 case (O_RDWR | O_CREAT | O_TRUNC): 284 aevent = AUE_OPEN_RWTC; 285 break; 286 287 case (O_RDWR | O_TRUNC): 288 aevent = AUE_OPEN_RWT; 289 break; 290 291 case O_WRONLY: 292 aevent = AUE_OPEN_W; 293 break; 294 295 case (O_WRONLY | O_CREAT): 296 aevent = AUE_OPEN_WC; 297 break; 298 299 case (O_WRONLY | O_CREAT | O_TRUNC): 300 aevent = AUE_OPEN_WTC; 301 break; 302 303 case (O_WRONLY | O_TRUNC): 304 aevent = AUE_OPEN_WT; 305 break; 306 307 default: 308 aevent = AUE_OPEN; 309 break; 310 } 311 312 #if 0 313 /* 314 * Convert chatty errors to better matching events. Failures to 315 * find a file are really just attribute events -- so recast them as 316 * such. 317 * 318 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it 319 * is just a placeholder. However, in Darwin we return that in 320 * preference to other events. For now, comment this out as we don't 321 * have a BSM conversion routine for AUE_OPEN. 322 */ 323 switch (aevent) { 324 case AUE_OPEN_R: 325 case AUE_OPEN_RT: 326 case AUE_OPEN_RW: 327 case AUE_OPEN_RWT: 328 case AUE_OPEN_W: 329 case AUE_OPEN_WT: 330 if (error == ENOENT) 331 aevent = AUE_OPEN; 332 } 333 #endif 334 return (aevent); 335 } 336 337 /* 338 * Convert a MSGCTL command to a specific event. 339 */ 340 int 341 msgctl_to_event(int cmd) 342 { 343 344 switch (cmd) { 345 case IPC_RMID: 346 return (AUE_MSGCTL_RMID); 347 348 case IPC_SET: 349 return (AUE_MSGCTL_SET); 350 351 case IPC_STAT: 352 return (AUE_MSGCTL_STAT); 353 354 default: 355 /* We will audit a bad command. */ 356 return (AUE_MSGCTL); 357 } 358 } 359 360 /* 361 * Convert a SEMCTL command to a specific event. 362 */ 363 int 364 semctl_to_event(int cmd) 365 { 366 367 switch (cmd) { 368 case GETALL: 369 return (AUE_SEMCTL_GETALL); 370 371 case GETNCNT: 372 return (AUE_SEMCTL_GETNCNT); 373 374 case GETPID: 375 return (AUE_SEMCTL_GETPID); 376 377 case GETVAL: 378 return (AUE_SEMCTL_GETVAL); 379 380 case GETZCNT: 381 return (AUE_SEMCTL_GETZCNT); 382 383 case IPC_RMID: 384 return (AUE_SEMCTL_RMID); 385 386 case IPC_SET: 387 return (AUE_SEMCTL_SET); 388 389 case SETALL: 390 return (AUE_SEMCTL_SETALL); 391 392 case SETVAL: 393 return (AUE_SEMCTL_SETVAL); 394 395 case IPC_STAT: 396 return (AUE_SEMCTL_STAT); 397 398 default: 399 /* We will audit a bad command */ 400 return (AUE_SEMCTL); 401 } 402 } 403 404 /* 405 * Convert a command for the auditon() system call to a audit event. 406 */ 407 int 408 auditon_command_event(int cmd) 409 { 410 411 switch(cmd) { 412 case A_GETPOLICY: 413 return (AUE_AUDITON_GPOLICY); 414 415 case A_SETPOLICY: 416 return (AUE_AUDITON_SPOLICY); 417 418 case A_GETKMASK: 419 return (AUE_AUDITON_GETKMASK); 420 421 case A_SETKMASK: 422 return (AUE_AUDITON_SETKMASK); 423 424 case A_GETQCTRL: 425 return (AUE_AUDITON_GQCTRL); 426 427 case A_SETQCTRL: 428 return (AUE_AUDITON_SQCTRL); 429 430 case A_GETCWD: 431 return (AUE_AUDITON_GETCWD); 432 433 case A_GETCAR: 434 return (AUE_AUDITON_GETCAR); 435 436 case A_GETSTAT: 437 return (AUE_AUDITON_GETSTAT); 438 439 case A_SETSTAT: 440 return (AUE_AUDITON_SETSTAT); 441 442 case A_SETUMASK: 443 return (AUE_AUDITON_SETUMASK); 444 445 case A_SETSMASK: 446 return (AUE_AUDITON_SETSMASK); 447 448 case A_GETCOND: 449 return (AUE_AUDITON_GETCOND); 450 451 case A_SETCOND: 452 return (AUE_AUDITON_SETCOND); 453 454 case A_GETCLASS: 455 return (AUE_AUDITON_GETCLASS); 456 457 case A_SETCLASS: 458 return (AUE_AUDITON_SETCLASS); 459 460 case A_GETPINFO: 461 case A_SETPMASK: 462 case A_SETFSIZE: 463 case A_GETFSIZE: 464 case A_GETPINFO_ADDR: 465 case A_GETKAUDIT: 466 case A_SETKAUDIT: 467 default: 468 return (AUE_AUDITON); /* No special record */ 469 } 470 } 471 472 /* 473 * Create a canonical path from given path by prefixing either the root 474 * directory, or the current working directory. If the process working 475 * directory is NULL, we could use 'rootvnode' to obtain the root directory, 476 * but this results in a volfs name written to the audit log. So we will 477 * leave the filename starting with '/' in the audit log in this case. 478 * 479 * XXXRW: Since we combine two paths here, ideally a buffer of size 480 * MAXPATHLEN * 2 would be passed in. 481 */ 482 void 483 canon_path(struct thread *td, char *path, char *cpath) 484 { 485 char *bufp; 486 char *retbuf, *freebuf; 487 struct vnode *vnp; 488 struct filedesc *fdp; 489 int cisr, error, vfslocked; 490 491 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 492 "canon_path() at %s:%d", __FILE__, __LINE__); 493 494 fdp = td->td_proc->p_fd; 495 bufp = path; 496 cisr = 0; 497 FILEDESC_SLOCK(fdp); 498 if (*(path) == '/') { 499 while (*(bufp) == '/') 500 bufp++; /* Skip leading '/'s. */ 501 /* 502 * If no process root, or it is the same as the system root, 503 * audit the path as passed in with a single '/'. 504 */ 505 if ((fdp->fd_rdir == NULL) || 506 (fdp->fd_rdir == rootvnode)) { 507 vnp = NULL; 508 bufp--; /* Restore one '/'. */ 509 } else { 510 vnp = fdp->fd_rdir; /* Use process root. */ 511 vref(vnp); 512 } 513 } else { 514 vnp = fdp->fd_cdir; /* Prepend the current dir. */ 515 cisr = (fdp->fd_rdir == fdp->fd_cdir); 516 vref(vnp); 517 bufp = path; 518 } 519 FILEDESC_SUNLOCK(fdp); 520 if (vnp != NULL) { 521 /* 522 * XXX: vn_fullpath() on FreeBSD is "less reliable" than 523 * vn_getpath() on Darwin, so this will need more attention 524 * in the future. Also, the question and string bounding 525 * here seems a bit questionable and will also require 526 * attention. 527 */ 528 vfslocked = VFS_LOCK_GIANT(vnp->v_mount); 529 vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY); 530 error = vn_fullpath(td, vnp, &retbuf, &freebuf); 531 if (error == 0) { 532 /* Copy and free buffer allocated by vn_fullpath(). 533 * If the current working directory was the same as 534 * the root directory, and the path was a relative 535 * pathname, do not separate the two components with 536 * the '/' character. 537 */ 538 snprintf(cpath, MAXPATHLEN, "%s%s%s", retbuf, 539 cisr ? "" : "/", bufp); 540 free(freebuf, M_TEMP); 541 } else 542 cpath[0] = '\0'; 543 vput(vnp); 544 VFS_UNLOCK_GIANT(vfslocked); 545 } else 546 strlcpy(cpath, bufp, MAXPATHLEN); 547 } 548