xref: /freebsd/sys/security/audit/audit_bsm_klib.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /*
2  * Copyright (c) 1999-2009 Apple Inc.
3  * Copyright (c) 2005 Robert N. M. Watson
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1.  Redistributions of source code must retain the above copyright
10  *     notice, this list of conditions and the following disclaimer.
11  * 2.  Redistributions in binary form must reproduce the above copyright
12  *     notice, this list of conditions and the following disclaimer in the
13  *     documentation and/or other materials provided with the distribution.
14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
15  *     its contributors may be used to endorse or promote products derived
16  *     from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  * POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 #include <sys/param.h>
35 #include <sys/capsicum.h>
36 #include <sys/fcntl.h>
37 #include <sys/filedesc.h>
38 #include <sys/libkern.h>
39 #include <sys/malloc.h>
40 #include <sys/mount.h>
41 #include <sys/proc.h>
42 #include <sys/rwlock.h>
43 #include <sys/sem.h>
44 #include <sys/sbuf.h>
45 #include <sys/syscall.h>
46 #include <sys/sysctl.h>
47 #include <sys/sysent.h>
48 #include <sys/vnode.h>
49 
50 #include <bsm/audit.h>
51 #include <bsm/audit_kevents.h>
52 #include <security/audit/audit.h>
53 #include <security/audit/audit_private.h>
54 
55 /*
56  * Hash table functions for the audit event number to event class mask
57  * mapping.
58  */
59 #define	EVCLASSMAP_HASH_TABLE_SIZE	251
60 struct evclass_elem {
61 	au_event_t event;
62 	au_class_t class;
63 	LIST_ENTRY(evclass_elem) entry;
64 };
65 struct evclass_list {
66 	LIST_HEAD(, evclass_elem) head;
67 };
68 
69 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
70 static struct rwlock		evclass_lock;
71 static struct evclass_list	evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
72 
73 #define	EVCLASS_LOCK_INIT()	rw_init(&evclass_lock, "evclass_lock")
74 #define	EVCLASS_RLOCK()		rw_rlock(&evclass_lock)
75 #define	EVCLASS_RUNLOCK()	rw_runlock(&evclass_lock)
76 #define	EVCLASS_WLOCK()		rw_wlock(&evclass_lock)
77 #define	EVCLASS_WUNLOCK()	rw_wunlock(&evclass_lock)
78 
79 struct aue_open_event {
80 	int		aoe_flags;
81 	au_event_t	aoe_event;
82 };
83 
84 static const struct aue_open_event aue_open[] = {
85 	{ O_RDONLY,					AUE_OPEN_R },
86 	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
87 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
88 	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
89 	{ O_RDWR,					AUE_OPEN_RW },
90 	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
91 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
92 	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
93 	{ O_WRONLY,					AUE_OPEN_W },
94 	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
95 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
96 	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
97 };
98 static const int aue_open_count = sizeof(aue_open) / sizeof(aue_open[0]);
99 
100 static const struct aue_open_event aue_openat[] = {
101 	{ O_RDONLY,					AUE_OPENAT_R },
102 	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
103 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
104 	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
105 	{ O_RDWR,					AUE_OPENAT_RW },
106 	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
107 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
108 	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
109 	{ O_WRONLY,					AUE_OPENAT_W },
110 	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
111 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
112 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
113 };
114 static const int aue_openat_count = sizeof(aue_openat) / sizeof(aue_openat[0]);
115 
116 /*
117  * Look up the class for an audit event in the class mapping table.
118  */
119 au_class_t
120 au_event_class(au_event_t event)
121 {
122 	struct evclass_list *evcl;
123 	struct evclass_elem *evc;
124 	au_class_t class;
125 
126 	EVCLASS_RLOCK();
127 	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
128 	class = 0;
129 	LIST_FOREACH(evc, &evcl->head, entry) {
130 		if (evc->event == event) {
131 			class = evc->class;
132 			goto out;
133 		}
134 	}
135 out:
136 	EVCLASS_RUNLOCK();
137 	return (class);
138 }
139 
140 /*
141  * Insert a event to class mapping. If the event already exists in the
142  * mapping, then replace the mapping with the new one.
143  *
144  * XXX There is currently no constraints placed on the number of mappings.
145  * May want to either limit to a number, or in terms of memory usage.
146  */
147 void
148 au_evclassmap_insert(au_event_t event, au_class_t class)
149 {
150 	struct evclass_list *evcl;
151 	struct evclass_elem *evc, *evc_new;
152 
153 	/*
154 	 * Pessimistically, always allocate storage before acquiring mutex.
155 	 * Free if there is already a mapping for this event.
156 	 */
157 	evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
158 
159 	EVCLASS_WLOCK();
160 	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
161 	LIST_FOREACH(evc, &evcl->head, entry) {
162 		if (evc->event == event) {
163 			evc->class = class;
164 			EVCLASS_WUNLOCK();
165 			free(evc_new, M_AUDITEVCLASS);
166 			return;
167 		}
168 	}
169 	evc = evc_new;
170 	evc->event = event;
171 	evc->class = class;
172 	LIST_INSERT_HEAD(&evcl->head, evc, entry);
173 	EVCLASS_WUNLOCK();
174 }
175 
176 void
177 au_evclassmap_init(void)
178 {
179 	int i;
180 
181 	EVCLASS_LOCK_INIT();
182 	for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
183 		LIST_INIT(&evclass_hash[i].head);
184 
185 	/*
186 	 * Set up the initial event to class mapping for system calls.
187 	 *
188 	 * XXXRW: Really, this should walk all possible audit events, not all
189 	 * native ABI system calls, as there may be audit events reachable
190 	 * only through non-native system calls.  It also seems a shame to
191 	 * frob the mutex this early.
192 	 */
193 	for (i = 0; i < SYS_MAXSYSCALL; i++) {
194 		if (sysent[i].sy_auevent != AUE_NULL)
195 			au_evclassmap_insert(sysent[i].sy_auevent, 0);
196 	}
197 }
198 
199 /*
200  * Check whether an event is aditable by comparing the mask of classes this
201  * event is part of against the given mask.
202  */
203 int
204 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
205 {
206 	au_class_t effmask = 0;
207 
208 	if (mask_p == NULL)
209 		return (-1);
210 
211 	/*
212 	 * Perform the actual check of the masks against the event.
213 	 */
214 	if (sorf & AU_PRS_SUCCESS)
215 		effmask |= (mask_p->am_success & class);
216 
217 	if (sorf & AU_PRS_FAILURE)
218 		effmask |= (mask_p->am_failure & class);
219 
220 	if (effmask)
221 		return (1);
222 	else
223 		return (0);
224 }
225 
226 /*
227  * Convert sysctl names and present arguments to events.
228  */
229 au_event_t
230 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
231 {
232 
233 	/* can't parse it - so return the worst case */
234 	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
235 		return (AUE_SYSCTL);
236 
237 	switch (name[0]) {
238 	/* non-admin "lookups" treat them special */
239 	case KERN_OSTYPE:
240 	case KERN_OSRELEASE:
241 	case KERN_OSREV:
242 	case KERN_VERSION:
243 	case KERN_ARGMAX:
244 	case KERN_CLOCKRATE:
245 	case KERN_BOOTTIME:
246 	case KERN_POSIX1:
247 	case KERN_NGROUPS:
248 	case KERN_JOB_CONTROL:
249 	case KERN_SAVED_IDS:
250 	case KERN_OSRELDATE:
251 	case KERN_DUMMY:
252 		return (AUE_SYSCTL_NONADMIN);
253 
254 	/* only treat the changeable controls as admin */
255 	case KERN_MAXVNODES:
256 	case KERN_MAXPROC:
257 	case KERN_MAXFILES:
258 	case KERN_MAXPROCPERUID:
259 	case KERN_MAXFILESPERPROC:
260 	case KERN_HOSTID:
261 	case KERN_SECURELVL:
262 	case KERN_HOSTNAME:
263 	case KERN_VNODE:
264 	case KERN_PROC:
265 	case KERN_FILE:
266 	case KERN_PROF:
267 	case KERN_NISDOMAINNAME:
268 	case KERN_UPDATEINTERVAL:
269 	case KERN_NTP_PLL:
270 	case KERN_BOOTFILE:
271 	case KERN_DUMPDEV:
272 	case KERN_IPC:
273 	case KERN_PS_STRINGS:
274 	case KERN_USRSTACK:
275 	case KERN_LOGSIGEXIT:
276 	case KERN_IOV_MAX:
277 		return ((valid_arg & ARG_VALUE) ?
278 		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
279 
280 	default:
281 		return (AUE_SYSCTL);
282 	}
283 	/* NOTREACHED */
284 }
285 
286 /*
287  * Convert an open flags specifier into a specific type of open event for
288  * auditing purposes.
289  */
290 au_event_t
291 audit_flags_and_error_to_openevent(int oflags, int error)
292 {
293 	int i;
294 
295 	/*
296 	 * Need to check only those flags we care about.
297 	 */
298 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
299 	for (i = 0; i < aue_open_count; i++) {
300 		if (aue_open[i].aoe_flags == oflags)
301 			return (aue_open[i].aoe_event);
302 	}
303 	return (AUE_OPEN);
304 }
305 
306 au_event_t
307 audit_flags_and_error_to_openatevent(int oflags, int error)
308 {
309 	int i;
310 
311 	/*
312 	 * Need to check only those flags we care about.
313 	 */
314 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
315 	for (i = 0; i < aue_openat_count; i++) {
316 		if (aue_openat[i].aoe_flags == oflags)
317 			return (aue_openat[i].aoe_event);
318 	}
319 	return (AUE_OPENAT);
320 }
321 
322 /*
323  * Convert a MSGCTL command to a specific event.
324  */
325 au_event_t
326 audit_msgctl_to_event(int cmd)
327 {
328 
329 	switch (cmd) {
330 	case IPC_RMID:
331 		return (AUE_MSGCTL_RMID);
332 
333 	case IPC_SET:
334 		return (AUE_MSGCTL_SET);
335 
336 	case IPC_STAT:
337 		return (AUE_MSGCTL_STAT);
338 
339 	default:
340 		/* We will audit a bad command. */
341 		return (AUE_MSGCTL);
342 	}
343 }
344 
345 /*
346  * Convert a SEMCTL command to a specific event.
347  */
348 au_event_t
349 audit_semctl_to_event(int cmd)
350 {
351 
352 	switch (cmd) {
353 	case GETALL:
354 		return (AUE_SEMCTL_GETALL);
355 
356 	case GETNCNT:
357 		return (AUE_SEMCTL_GETNCNT);
358 
359 	case GETPID:
360 		return (AUE_SEMCTL_GETPID);
361 
362 	case GETVAL:
363 		return (AUE_SEMCTL_GETVAL);
364 
365 	case GETZCNT:
366 		return (AUE_SEMCTL_GETZCNT);
367 
368 	case IPC_RMID:
369 		return (AUE_SEMCTL_RMID);
370 
371 	case IPC_SET:
372 		return (AUE_SEMCTL_SET);
373 
374 	case SETALL:
375 		return (AUE_SEMCTL_SETALL);
376 
377 	case SETVAL:
378 		return (AUE_SEMCTL_SETVAL);
379 
380 	case IPC_STAT:
381 		return (AUE_SEMCTL_STAT);
382 
383 	default:
384 		/* We will audit a bad command. */
385 		return (AUE_SEMCTL);
386 	}
387 }
388 
389 /*
390  * Convert a command for the auditon() system call to a audit event.
391  */
392 au_event_t
393 auditon_command_event(int cmd)
394 {
395 
396 	switch(cmd) {
397 	case A_GETPOLICY:
398 		return (AUE_AUDITON_GPOLICY);
399 
400 	case A_SETPOLICY:
401 		return (AUE_AUDITON_SPOLICY);
402 
403 	case A_GETKMASK:
404 		return (AUE_AUDITON_GETKMASK);
405 
406 	case A_SETKMASK:
407 		return (AUE_AUDITON_SETKMASK);
408 
409 	case A_GETQCTRL:
410 		return (AUE_AUDITON_GQCTRL);
411 
412 	case A_SETQCTRL:
413 		return (AUE_AUDITON_SQCTRL);
414 
415 	case A_GETCWD:
416 		return (AUE_AUDITON_GETCWD);
417 
418 	case A_GETCAR:
419 		return (AUE_AUDITON_GETCAR);
420 
421 	case A_GETSTAT:
422 		return (AUE_AUDITON_GETSTAT);
423 
424 	case A_SETSTAT:
425 		return (AUE_AUDITON_SETSTAT);
426 
427 	case A_SETUMASK:
428 		return (AUE_AUDITON_SETUMASK);
429 
430 	case A_SETSMASK:
431 		return (AUE_AUDITON_SETSMASK);
432 
433 	case A_GETCOND:
434 		return (AUE_AUDITON_GETCOND);
435 
436 	case A_SETCOND:
437 		return (AUE_AUDITON_SETCOND);
438 
439 	case A_GETCLASS:
440 		return (AUE_AUDITON_GETCLASS);
441 
442 	case A_SETCLASS:
443 		return (AUE_AUDITON_SETCLASS);
444 
445 	case A_GETPINFO:
446 	case A_SETPMASK:
447 	case A_SETFSIZE:
448 	case A_GETFSIZE:
449 	case A_GETPINFO_ADDR:
450 	case A_GETKAUDIT:
451 	case A_SETKAUDIT:
452 	default:
453 		return (AUE_AUDITON);	/* No special record */
454 	}
455 }
456 
457 /*
458  * Create a canonical path from given path by prefixing either the root
459  * directory, or the current working directory.  If the process working
460  * directory is NULL, we could use 'rootvnode' to obtain the root directory,
461  * but this results in a volfs name written to the audit log. So we will
462  * leave the filename starting with '/' in the audit log in this case.
463  */
464 void
465 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
466 {
467 	struct vnode *cvnp, *rvnp;
468 	char *rbuf, *fbuf, *copy;
469 	struct filedesc *fdp;
470 	struct sbuf sbf;
471 	cap_rights_t rights;
472 	int error, needslash;
473 
474 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
475 	    __func__,  __FILE__, __LINE__);
476 
477 	copy = path;
478 	rvnp = cvnp = NULL;
479 	fdp = td->td_proc->p_fd;
480 	FILEDESC_SLOCK(fdp);
481 	/*
482 	 * Make sure that we handle the chroot(2) case.  If there is an
483 	 * alternate root directory, prepend it to the audited pathname.
484 	 */
485 	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
486 		rvnp = fdp->fd_rdir;
487 		vhold(rvnp);
488 	}
489 	/*
490 	 * If the supplied path is relative, make sure we capture the current
491 	 * working directory so we can prepend it to the supplied relative
492 	 * path.
493 	 */
494 	if (*path != '/') {
495 		if (dirfd == AT_FDCWD) {
496 			cvnp = fdp->fd_cdir;
497 			vhold(cvnp);
498 		} else {
499 			/* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
500 			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
501 			if (error) {
502 				FILEDESC_SUNLOCK(fdp);
503 				cpath[0] = '\0';
504 				if (rvnp != NULL)
505 					vdrop(rvnp);
506 				return;
507 			}
508 			vhold(cvnp);
509 			vrele(cvnp);
510 		}
511 		needslash = (fdp->fd_rdir != cvnp);
512 	} else {
513 		needslash = 1;
514 	}
515 	FILEDESC_SUNLOCK(fdp);
516 	/*
517 	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
518 	 * long.  If this is not the case, then we can run into serious trouble.
519 	 */
520 	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
521 	/*
522 	 * Strip leading forward slashes.
523 	 */
524 	while (*copy == '/')
525 		copy++;
526 	/*
527 	 * Make sure we handle chroot(2) and prepend the global path to these
528 	 * environments.
529 	 *
530 	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
531 	 * on Darwin.  As a result, this may need some additional attention
532 	 * in the future.
533 	 */
534 	if (rvnp != NULL) {
535 		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
536 		vdrop(rvnp);
537 		if (error) {
538 			cpath[0] = '\0';
539 			if (cvnp != NULL)
540 				vdrop(cvnp);
541 			return;
542 		}
543 		(void) sbuf_cat(&sbf, rbuf);
544 		free(fbuf, M_TEMP);
545 	}
546 	if (cvnp != NULL) {
547 		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
548 		vdrop(cvnp);
549 		if (error) {
550 			cpath[0] = '\0';
551 			return;
552 		}
553 		(void) sbuf_cat(&sbf, rbuf);
554 		free(fbuf, M_TEMP);
555 	}
556 	if (needslash)
557 		(void) sbuf_putc(&sbf, '/');
558 	/*
559 	 * Now that we have processed any alternate root and relative path
560 	 * names, add the supplied pathname.
561 	 */
562         (void) sbuf_cat(&sbf, copy);
563 	/*
564 	 * One or more of the previous sbuf operations could have resulted in
565 	 * the supplied buffer being overflowed.  Check to see if this is the
566 	 * case.
567 	 */
568 	if (sbuf_error(&sbf) != 0) {
569 		cpath[0] = '\0';
570 		return;
571 	}
572 	sbuf_finish(&sbf);
573 }
574