1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * Copyright (c) 2005 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <sys/cdefs.h> 32 __FBSDID("$FreeBSD$"); 33 34 #include <sys/param.h> 35 #include <sys/capsicum.h> 36 #include <sys/fcntl.h> 37 #include <sys/filedesc.h> 38 #include <sys/libkern.h> 39 #include <sys/malloc.h> 40 #include <sys/mount.h> 41 #include <sys/proc.h> 42 #include <sys/rwlock.h> 43 #include <sys/sem.h> 44 #include <sys/sbuf.h> 45 #include <sys/syscall.h> 46 #include <sys/sysctl.h> 47 #include <sys/sysent.h> 48 #include <sys/vnode.h> 49 50 #include <bsm/audit.h> 51 #include <bsm/audit_kevents.h> 52 #include <security/audit/audit.h> 53 #include <security/audit/audit_private.h> 54 55 /* 56 * Hash table functions for the audit event number to event class mask 57 * mapping. 58 */ 59 #define EVCLASSMAP_HASH_TABLE_SIZE 251 60 struct evclass_elem { 61 au_event_t event; 62 au_class_t class; 63 LIST_ENTRY(evclass_elem) entry; 64 }; 65 struct evclass_list { 66 LIST_HEAD(, evclass_elem) head; 67 }; 68 69 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class"); 70 static struct rwlock evclass_lock; 71 static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE]; 72 73 #define EVCLASS_LOCK_INIT() rw_init(&evclass_lock, "evclass_lock") 74 #define EVCLASS_RLOCK() rw_rlock(&evclass_lock) 75 #define EVCLASS_RUNLOCK() rw_runlock(&evclass_lock) 76 #define EVCLASS_WLOCK() rw_wlock(&evclass_lock) 77 #define EVCLASS_WUNLOCK() rw_wunlock(&evclass_lock) 78 79 struct aue_open_event { 80 int aoe_flags; 81 au_event_t aoe_event; 82 }; 83 84 static const struct aue_open_event aue_open[] = { 85 { O_RDONLY, AUE_OPEN_R }, 86 { (O_RDONLY | O_CREAT), AUE_OPEN_RC }, 87 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPEN_RTC }, 88 { (O_RDONLY | O_TRUNC), AUE_OPEN_RT }, 89 { O_RDWR, AUE_OPEN_RW }, 90 { (O_RDWR | O_CREAT), AUE_OPEN_RWC }, 91 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPEN_RWTC }, 92 { (O_RDWR | O_TRUNC), AUE_OPEN_RWT }, 93 { O_WRONLY, AUE_OPEN_W }, 94 { (O_WRONLY | O_CREAT), AUE_OPEN_WC }, 95 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPEN_WTC }, 96 { (O_WRONLY | O_TRUNC), AUE_OPEN_WT }, 97 }; 98 static const int aue_open_count = sizeof(aue_open) / sizeof(aue_open[0]); 99 100 static const struct aue_open_event aue_openat[] = { 101 { O_RDONLY, AUE_OPENAT_R }, 102 { (O_RDONLY | O_CREAT), AUE_OPENAT_RC }, 103 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPENAT_RTC }, 104 { (O_RDONLY | O_TRUNC), AUE_OPENAT_RT }, 105 { O_RDWR, AUE_OPENAT_RW }, 106 { (O_RDWR | O_CREAT), AUE_OPENAT_RWC }, 107 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPENAT_RWTC }, 108 { (O_RDWR | O_TRUNC), AUE_OPENAT_RWT }, 109 { O_WRONLY, AUE_OPENAT_W }, 110 { (O_WRONLY | O_CREAT), AUE_OPENAT_WC }, 111 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPENAT_WTC }, 112 { (O_WRONLY | O_TRUNC), AUE_OPENAT_WT }, 113 }; 114 static const int aue_openat_count = sizeof(aue_openat) / sizeof(aue_openat[0]); 115 116 /* 117 * Look up the class for an audit event in the class mapping table. 118 */ 119 au_class_t 120 au_event_class(au_event_t event) 121 { 122 struct evclass_list *evcl; 123 struct evclass_elem *evc; 124 au_class_t class; 125 126 EVCLASS_RLOCK(); 127 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 128 class = 0; 129 LIST_FOREACH(evc, &evcl->head, entry) { 130 if (evc->event == event) { 131 class = evc->class; 132 goto out; 133 } 134 } 135 out: 136 EVCLASS_RUNLOCK(); 137 return (class); 138 } 139 140 /* 141 * Insert a event to class mapping. If the event already exists in the 142 * mapping, then replace the mapping with the new one. 143 * 144 * XXX There is currently no constraints placed on the number of mappings. 145 * May want to either limit to a number, or in terms of memory usage. 146 */ 147 void 148 au_evclassmap_insert(au_event_t event, au_class_t class) 149 { 150 struct evclass_list *evcl; 151 struct evclass_elem *evc, *evc_new; 152 153 /* 154 * Pessimistically, always allocate storage before acquiring mutex. 155 * Free if there is already a mapping for this event. 156 */ 157 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK); 158 159 EVCLASS_WLOCK(); 160 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; 161 LIST_FOREACH(evc, &evcl->head, entry) { 162 if (evc->event == event) { 163 evc->class = class; 164 EVCLASS_WUNLOCK(); 165 free(evc_new, M_AUDITEVCLASS); 166 return; 167 } 168 } 169 evc = evc_new; 170 evc->event = event; 171 evc->class = class; 172 LIST_INSERT_HEAD(&evcl->head, evc, entry); 173 EVCLASS_WUNLOCK(); 174 } 175 176 void 177 au_evclassmap_init(void) 178 { 179 int i; 180 181 EVCLASS_LOCK_INIT(); 182 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) 183 LIST_INIT(&evclass_hash[i].head); 184 185 /* 186 * Set up the initial event to class mapping for system calls. 187 * 188 * XXXRW: Really, this should walk all possible audit events, not all 189 * native ABI system calls, as there may be audit events reachable 190 * only through non-native system calls. It also seems a shame to 191 * frob the mutex this early. 192 */ 193 for (i = 0; i < SYS_MAXSYSCALL; i++) { 194 if (sysent[i].sy_auevent != AUE_NULL) 195 au_evclassmap_insert(sysent[i].sy_auevent, 0); 196 } 197 } 198 199 /* 200 * Check whether an event is aditable by comparing the mask of classes this 201 * event is part of against the given mask. 202 */ 203 int 204 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf) 205 { 206 au_class_t effmask = 0; 207 208 if (mask_p == NULL) 209 return (-1); 210 211 /* 212 * Perform the actual check of the masks against the event. 213 */ 214 if (sorf & AU_PRS_SUCCESS) 215 effmask |= (mask_p->am_success & class); 216 217 if (sorf & AU_PRS_FAILURE) 218 effmask |= (mask_p->am_failure & class); 219 220 if (effmask) 221 return (1); 222 else 223 return (0); 224 } 225 226 /* 227 * Convert sysctl names and present arguments to events. 228 */ 229 au_event_t 230 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg) 231 { 232 233 /* can't parse it - so return the worst case */ 234 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN)) 235 return (AUE_SYSCTL); 236 237 switch (name[0]) { 238 /* non-admin "lookups" treat them special */ 239 case KERN_OSTYPE: 240 case KERN_OSRELEASE: 241 case KERN_OSREV: 242 case KERN_VERSION: 243 case KERN_ARGMAX: 244 case KERN_CLOCKRATE: 245 case KERN_BOOTTIME: 246 case KERN_POSIX1: 247 case KERN_NGROUPS: 248 case KERN_JOB_CONTROL: 249 case KERN_SAVED_IDS: 250 case KERN_OSRELDATE: 251 case KERN_DUMMY: 252 return (AUE_SYSCTL_NONADMIN); 253 254 /* only treat the changeable controls as admin */ 255 case KERN_MAXVNODES: 256 case KERN_MAXPROC: 257 case KERN_MAXFILES: 258 case KERN_MAXPROCPERUID: 259 case KERN_MAXFILESPERPROC: 260 case KERN_HOSTID: 261 case KERN_SECURELVL: 262 case KERN_HOSTNAME: 263 case KERN_VNODE: 264 case KERN_PROC: 265 case KERN_FILE: 266 case KERN_PROF: 267 case KERN_NISDOMAINNAME: 268 case KERN_UPDATEINTERVAL: 269 case KERN_NTP_PLL: 270 case KERN_BOOTFILE: 271 case KERN_DUMPDEV: 272 case KERN_IPC: 273 case KERN_PS_STRINGS: 274 case KERN_USRSTACK: 275 case KERN_LOGSIGEXIT: 276 case KERN_IOV_MAX: 277 return ((valid_arg & ARG_VALUE) ? 278 AUE_SYSCTL : AUE_SYSCTL_NONADMIN); 279 280 default: 281 return (AUE_SYSCTL); 282 } 283 /* NOTREACHED */ 284 } 285 286 /* 287 * Convert an open flags specifier into a specific type of open event for 288 * auditing purposes. 289 */ 290 au_event_t 291 audit_flags_and_error_to_openevent(int oflags, int error) 292 { 293 int i; 294 295 /* 296 * Need to check only those flags we care about. 297 */ 298 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 299 for (i = 0; i < aue_open_count; i++) { 300 if (aue_open[i].aoe_flags == oflags) 301 return (aue_open[i].aoe_event); 302 } 303 return (AUE_OPEN); 304 } 305 306 au_event_t 307 audit_flags_and_error_to_openatevent(int oflags, int error) 308 { 309 int i; 310 311 /* 312 * Need to check only those flags we care about. 313 */ 314 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 315 for (i = 0; i < aue_openat_count; i++) { 316 if (aue_openat[i].aoe_flags == oflags) 317 return (aue_openat[i].aoe_event); 318 } 319 return (AUE_OPENAT); 320 } 321 322 /* 323 * Convert a MSGCTL command to a specific event. 324 */ 325 au_event_t 326 audit_msgctl_to_event(int cmd) 327 { 328 329 switch (cmd) { 330 case IPC_RMID: 331 return (AUE_MSGCTL_RMID); 332 333 case IPC_SET: 334 return (AUE_MSGCTL_SET); 335 336 case IPC_STAT: 337 return (AUE_MSGCTL_STAT); 338 339 default: 340 /* We will audit a bad command. */ 341 return (AUE_MSGCTL); 342 } 343 } 344 345 /* 346 * Convert a SEMCTL command to a specific event. 347 */ 348 au_event_t 349 audit_semctl_to_event(int cmd) 350 { 351 352 switch (cmd) { 353 case GETALL: 354 return (AUE_SEMCTL_GETALL); 355 356 case GETNCNT: 357 return (AUE_SEMCTL_GETNCNT); 358 359 case GETPID: 360 return (AUE_SEMCTL_GETPID); 361 362 case GETVAL: 363 return (AUE_SEMCTL_GETVAL); 364 365 case GETZCNT: 366 return (AUE_SEMCTL_GETZCNT); 367 368 case IPC_RMID: 369 return (AUE_SEMCTL_RMID); 370 371 case IPC_SET: 372 return (AUE_SEMCTL_SET); 373 374 case SETALL: 375 return (AUE_SEMCTL_SETALL); 376 377 case SETVAL: 378 return (AUE_SEMCTL_SETVAL); 379 380 case IPC_STAT: 381 return (AUE_SEMCTL_STAT); 382 383 default: 384 /* We will audit a bad command. */ 385 return (AUE_SEMCTL); 386 } 387 } 388 389 /* 390 * Convert a command for the auditon() system call to a audit event. 391 */ 392 au_event_t 393 auditon_command_event(int cmd) 394 { 395 396 switch(cmd) { 397 case A_GETPOLICY: 398 return (AUE_AUDITON_GPOLICY); 399 400 case A_SETPOLICY: 401 return (AUE_AUDITON_SPOLICY); 402 403 case A_GETKMASK: 404 return (AUE_AUDITON_GETKMASK); 405 406 case A_SETKMASK: 407 return (AUE_AUDITON_SETKMASK); 408 409 case A_GETQCTRL: 410 return (AUE_AUDITON_GQCTRL); 411 412 case A_SETQCTRL: 413 return (AUE_AUDITON_SQCTRL); 414 415 case A_GETCWD: 416 return (AUE_AUDITON_GETCWD); 417 418 case A_GETCAR: 419 return (AUE_AUDITON_GETCAR); 420 421 case A_GETSTAT: 422 return (AUE_AUDITON_GETSTAT); 423 424 case A_SETSTAT: 425 return (AUE_AUDITON_SETSTAT); 426 427 case A_SETUMASK: 428 return (AUE_AUDITON_SETUMASK); 429 430 case A_SETSMASK: 431 return (AUE_AUDITON_SETSMASK); 432 433 case A_GETCOND: 434 return (AUE_AUDITON_GETCOND); 435 436 case A_SETCOND: 437 return (AUE_AUDITON_SETCOND); 438 439 case A_GETCLASS: 440 return (AUE_AUDITON_GETCLASS); 441 442 case A_SETCLASS: 443 return (AUE_AUDITON_SETCLASS); 444 445 case A_GETPINFO: 446 case A_SETPMASK: 447 case A_SETFSIZE: 448 case A_GETFSIZE: 449 case A_GETPINFO_ADDR: 450 case A_GETKAUDIT: 451 case A_SETKAUDIT: 452 default: 453 return (AUE_AUDITON); /* No special record */ 454 } 455 } 456 457 /* 458 * Create a canonical path from given path by prefixing either the root 459 * directory, or the current working directory. If the process working 460 * directory is NULL, we could use 'rootvnode' to obtain the root directory, 461 * but this results in a volfs name written to the audit log. So we will 462 * leave the filename starting with '/' in the audit log in this case. 463 */ 464 void 465 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath) 466 { 467 struct vnode *cvnp, *rvnp; 468 char *rbuf, *fbuf, *copy; 469 struct filedesc *fdp; 470 struct sbuf sbf; 471 cap_rights_t rights; 472 int error, needslash; 473 474 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d", 475 __func__, __FILE__, __LINE__); 476 477 copy = path; 478 rvnp = cvnp = NULL; 479 fdp = td->td_proc->p_fd; 480 FILEDESC_SLOCK(fdp); 481 /* 482 * Make sure that we handle the chroot(2) case. If there is an 483 * alternate root directory, prepend it to the audited pathname. 484 */ 485 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) { 486 rvnp = fdp->fd_rdir; 487 vhold(rvnp); 488 } 489 /* 490 * If the supplied path is relative, make sure we capture the current 491 * working directory so we can prepend it to the supplied relative 492 * path. 493 */ 494 if (*path != '/') { 495 if (dirfd == AT_FDCWD) { 496 cvnp = fdp->fd_cdir; 497 vhold(cvnp); 498 } else { 499 /* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */ 500 error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp); 501 if (error) { 502 FILEDESC_SUNLOCK(fdp); 503 cpath[0] = '\0'; 504 if (rvnp != NULL) 505 vdrop(rvnp); 506 return; 507 } 508 vhold(cvnp); 509 vrele(cvnp); 510 } 511 needslash = (fdp->fd_rdir != cvnp); 512 } else { 513 needslash = 1; 514 } 515 FILEDESC_SUNLOCK(fdp); 516 /* 517 * NB: We require that the supplied array be at least MAXPATHLEN bytes 518 * long. If this is not the case, then we can run into serious trouble. 519 */ 520 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN); 521 /* 522 * Strip leading forward slashes. 523 */ 524 while (*copy == '/') 525 copy++; 526 /* 527 * Make sure we handle chroot(2) and prepend the global path to these 528 * environments. 529 * 530 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9) 531 * on Darwin. As a result, this may need some additional attention 532 * in the future. 533 */ 534 if (rvnp != NULL) { 535 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf); 536 vdrop(rvnp); 537 if (error) { 538 cpath[0] = '\0'; 539 if (cvnp != NULL) 540 vdrop(cvnp); 541 return; 542 } 543 (void) sbuf_cat(&sbf, rbuf); 544 free(fbuf, M_TEMP); 545 } 546 if (cvnp != NULL) { 547 error = vn_fullpath(td, cvnp, &rbuf, &fbuf); 548 vdrop(cvnp); 549 if (error) { 550 cpath[0] = '\0'; 551 return; 552 } 553 (void) sbuf_cat(&sbf, rbuf); 554 free(fbuf, M_TEMP); 555 } 556 if (needslash) 557 (void) sbuf_putc(&sbf, '/'); 558 /* 559 * Now that we have processed any alternate root and relative path 560 * names, add the supplied pathname. 561 */ 562 (void) sbuf_cat(&sbf, copy); 563 /* 564 * One or more of the previous sbuf operations could have resulted in 565 * the supplied buffer being overflowed. Check to see if this is the 566 * case. 567 */ 568 if (sbuf_error(&sbf) != 0) { 569 cpath[0] = '\0'; 570 return; 571 } 572 sbuf_finish(&sbf); 573 } 574