xref: /freebsd/sys/security/audit/audit_bsm_klib.c (revision 5c831a5bd61576cacb48b39f8eeb47b92707a355)
1 /*
2  * Copyright (c) 1999-2009 Apple Inc.
3  * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
4  * All rights reserved.
5  *
6  * Portions of this software were developed by BAE Systems, the University of
7  * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8  * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9  * Computing (TC) research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include <sys/param.h>
40 #include <sys/capsicum.h>
41 #include <sys/fcntl.h>
42 #include <sys/filedesc.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
45 #include <sys/mount.h>
46 #include <sys/proc.h>
47 #include <sys/rwlock.h>
48 #include <sys/sem.h>
49 #include <sys/sbuf.h>
50 #include <sys/sx.h>
51 #include <sys/syscall.h>
52 #include <sys/sysctl.h>
53 #include <sys/sysent.h>
54 #include <sys/vnode.h>
55 
56 #include <bsm/audit.h>
57 #include <bsm/audit_kevents.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
60 
61 struct aue_open_event {
62 	int		aoe_flags;
63 	au_event_t	aoe_event;
64 };
65 
66 static const struct aue_open_event aue_open[] = {
67 	{ O_RDONLY,					AUE_OPEN_R },
68 	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
69 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
70 	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
71 	{ O_RDWR,					AUE_OPEN_RW },
72 	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
73 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
74 	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
75 	{ O_WRONLY,					AUE_OPEN_W },
76 	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
77 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
78 	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
79 };
80 
81 static const struct aue_open_event aue_openat[] = {
82 	{ O_RDONLY,					AUE_OPENAT_R },
83 	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
84 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
85 	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
86 	{ O_RDWR,					AUE_OPENAT_RW },
87 	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
88 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
89 	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
90 	{ O_WRONLY,					AUE_OPENAT_W },
91 	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
92 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
93 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
94 };
95 
96 static const int aue_msgsys[] = {
97 	/* 0 */ AUE_MSGCTL,
98 	/* 1 */ AUE_MSGGET,
99 	/* 2 */ AUE_MSGSND,
100 	/* 3 */ AUE_MSGRCV,
101 };
102 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
103 
104 static const int aue_semsys[] = {
105 	/* 0 */ AUE_SEMCTL,
106 	/* 1 */ AUE_SEMGET,
107 	/* 2 */ AUE_SEMOP,
108 };
109 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
110 
111 static const int aue_shmsys[] = {
112 	/* 0 */ AUE_SHMAT,
113 	/* 1 */ AUE_SHMDT,
114 	/* 2 */ AUE_SHMGET,
115 	/* 3 */ AUE_SHMCTL,
116 };
117 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
118 
119 /*
120  * Check whether an event is aditable by comparing the mask of classes this
121  * event is part of against the given mask.
122  */
123 int
124 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
125 {
126 	au_class_t effmask = 0;
127 
128 	if (mask_p == NULL)
129 		return (-1);
130 
131 	/*
132 	 * Perform the actual check of the masks against the event.
133 	 */
134 	if (sorf & AU_PRS_SUCCESS)
135 		effmask |= (mask_p->am_success & class);
136 
137 	if (sorf & AU_PRS_FAILURE)
138 		effmask |= (mask_p->am_failure & class);
139 
140 	if (effmask)
141 		return (1);
142 	else
143 		return (0);
144 }
145 
146 /*
147  * Convert sysctl names and present arguments to events.
148  */
149 au_event_t
150 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
151 {
152 
153 	/* can't parse it - so return the worst case */
154 	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
155 		return (AUE_SYSCTL);
156 
157 	switch (name[0]) {
158 	/* non-admin "lookups" treat them special */
159 	case KERN_OSTYPE:
160 	case KERN_OSRELEASE:
161 	case KERN_OSREV:
162 	case KERN_VERSION:
163 	case KERN_ARGMAX:
164 	case KERN_CLOCKRATE:
165 	case KERN_BOOTTIME:
166 	case KERN_POSIX1:
167 	case KERN_NGROUPS:
168 	case KERN_JOB_CONTROL:
169 	case KERN_SAVED_IDS:
170 	case KERN_OSRELDATE:
171 	case KERN_DUMMY:
172 		return (AUE_SYSCTL_NONADMIN);
173 
174 	/* only treat the changeable controls as admin */
175 	case KERN_MAXVNODES:
176 	case KERN_MAXPROC:
177 	case KERN_MAXFILES:
178 	case KERN_MAXPROCPERUID:
179 	case KERN_MAXFILESPERPROC:
180 	case KERN_HOSTID:
181 	case KERN_SECURELVL:
182 	case KERN_HOSTNAME:
183 	case KERN_VNODE:
184 	case KERN_PROC:
185 	case KERN_FILE:
186 	case KERN_PROF:
187 	case KERN_NISDOMAINNAME:
188 	case KERN_UPDATEINTERVAL:
189 	case KERN_NTP_PLL:
190 	case KERN_BOOTFILE:
191 	case KERN_DUMPDEV:
192 	case KERN_IPC:
193 	case KERN_PS_STRINGS:
194 	case KERN_USRSTACK:
195 	case KERN_LOGSIGEXIT:
196 	case KERN_IOV_MAX:
197 		return ((valid_arg & ARG_VALUE) ?
198 		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
199 
200 	default:
201 		return (AUE_SYSCTL);
202 	}
203 	/* NOTREACHED */
204 }
205 
206 /*
207  * Convert an open flags specifier into a specific type of open event for
208  * auditing purposes.
209  */
210 au_event_t
211 audit_flags_and_error_to_openevent(int oflags, int error)
212 {
213 	int i;
214 
215 	/*
216 	 * Need to check only those flags we care about.
217 	 */
218 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
219 	for (i = 0; i < nitems(aue_open); i++) {
220 		if (aue_open[i].aoe_flags == oflags)
221 			return (aue_open[i].aoe_event);
222 	}
223 	return (AUE_OPEN);
224 }
225 
226 au_event_t
227 audit_flags_and_error_to_openatevent(int oflags, int error)
228 {
229 	int i;
230 
231 	/*
232 	 * Need to check only those flags we care about.
233 	 */
234 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
235 	for (i = 0; i < nitems(aue_openat); i++) {
236 		if (aue_openat[i].aoe_flags == oflags)
237 			return (aue_openat[i].aoe_event);
238 	}
239 	return (AUE_OPENAT);
240 }
241 
242 /*
243  * Convert a MSGCTL command to a specific event.
244  */
245 au_event_t
246 audit_msgctl_to_event(int cmd)
247 {
248 
249 	switch (cmd) {
250 	case IPC_RMID:
251 		return (AUE_MSGCTL_RMID);
252 
253 	case IPC_SET:
254 		return (AUE_MSGCTL_SET);
255 
256 	case IPC_STAT:
257 		return (AUE_MSGCTL_STAT);
258 
259 	default:
260 		/* We will audit a bad command. */
261 		return (AUE_MSGCTL);
262 	}
263 }
264 
265 /*
266  * Convert a SEMCTL command to a specific event.
267  */
268 au_event_t
269 audit_semctl_to_event(int cmd)
270 {
271 
272 	switch (cmd) {
273 	case GETALL:
274 		return (AUE_SEMCTL_GETALL);
275 
276 	case GETNCNT:
277 		return (AUE_SEMCTL_GETNCNT);
278 
279 	case GETPID:
280 		return (AUE_SEMCTL_GETPID);
281 
282 	case GETVAL:
283 		return (AUE_SEMCTL_GETVAL);
284 
285 	case GETZCNT:
286 		return (AUE_SEMCTL_GETZCNT);
287 
288 	case IPC_RMID:
289 		return (AUE_SEMCTL_RMID);
290 
291 	case IPC_SET:
292 		return (AUE_SEMCTL_SET);
293 
294 	case SETALL:
295 		return (AUE_SEMCTL_SETALL);
296 
297 	case SETVAL:
298 		return (AUE_SEMCTL_SETVAL);
299 
300 	case IPC_STAT:
301 		return (AUE_SEMCTL_STAT);
302 
303 	default:
304 		/* We will audit a bad command. */
305 		return (AUE_SEMCTL);
306 	}
307 }
308 
309 /*
310  * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
311  * audit events, if possible.
312  */
313 au_event_t
314 audit_msgsys_to_event(int which)
315 {
316 
317 	if ((which >= 0) && (which < aue_msgsys_count))
318 		return (aue_msgsys[which]);
319 
320 	/* Audit a bad command. */
321 	return (AUE_MSGSYS);
322 }
323 
324 au_event_t
325 audit_semsys_to_event(int which)
326 {
327 
328 	if ((which >= 0) && (which < aue_semsys_count))
329 		return (aue_semsys[which]);
330 
331 	/* Audit a bad command. */
332 	return (AUE_SEMSYS);
333 }
334 
335 au_event_t
336 audit_shmsys_to_event(int which)
337 {
338 
339 	if ((which >= 0) && (which < aue_shmsys_count))
340 		return (aue_shmsys[which]);
341 
342 	/* Audit a bad command. */
343 	return (AUE_SHMSYS);
344 }
345 
346 /*
347  * Convert a command for the auditon() system call to a audit event.
348  */
349 au_event_t
350 auditon_command_event(int cmd)
351 {
352 
353 	switch(cmd) {
354 	case A_GETPOLICY:
355 		return (AUE_AUDITON_GPOLICY);
356 
357 	case A_SETPOLICY:
358 		return (AUE_AUDITON_SPOLICY);
359 
360 	case A_GETKMASK:
361 		return (AUE_AUDITON_GETKMASK);
362 
363 	case A_SETKMASK:
364 		return (AUE_AUDITON_SETKMASK);
365 
366 	case A_GETQCTRL:
367 		return (AUE_AUDITON_GQCTRL);
368 
369 	case A_SETQCTRL:
370 		return (AUE_AUDITON_SQCTRL);
371 
372 	case A_GETCWD:
373 		return (AUE_AUDITON_GETCWD);
374 
375 	case A_GETCAR:
376 		return (AUE_AUDITON_GETCAR);
377 
378 	case A_GETSTAT:
379 		return (AUE_AUDITON_GETSTAT);
380 
381 	case A_SETSTAT:
382 		return (AUE_AUDITON_SETSTAT);
383 
384 	case A_SETUMASK:
385 		return (AUE_AUDITON_SETUMASK);
386 
387 	case A_SETSMASK:
388 		return (AUE_AUDITON_SETSMASK);
389 
390 	case A_GETCOND:
391 		return (AUE_AUDITON_GETCOND);
392 
393 	case A_SETCOND:
394 		return (AUE_AUDITON_SETCOND);
395 
396 	case A_GETCLASS:
397 		return (AUE_AUDITON_GETCLASS);
398 
399 	case A_SETCLASS:
400 		return (AUE_AUDITON_SETCLASS);
401 
402 	case A_GETPINFO:
403 	case A_SETPMASK:
404 	case A_SETFSIZE:
405 	case A_GETFSIZE:
406 	case A_GETPINFO_ADDR:
407 	case A_GETKAUDIT:
408 	case A_SETKAUDIT:
409 	default:
410 		return (AUE_AUDITON);	/* No special record */
411 	}
412 }
413 
414 /*
415  * Create a canonical path from given path by prefixing either the root
416  * directory, or the current working directory.  If the process working
417  * directory is NULL, we could use 'rootvnode' to obtain the root directory,
418  * but this results in a volfs name written to the audit log. So we will
419  * leave the filename starting with '/' in the audit log in this case.
420  */
421 void
422 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
423 {
424 	struct vnode *cvnp, *rvnp;
425 	char *rbuf, *fbuf, *copy;
426 	struct filedesc *fdp;
427 	struct sbuf sbf;
428 	cap_rights_t rights;
429 	int error, needslash;
430 
431 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
432 	    __func__,  __FILE__, __LINE__);
433 
434 	copy = path;
435 	rvnp = cvnp = NULL;
436 	fdp = td->td_proc->p_fd;
437 	FILEDESC_SLOCK(fdp);
438 	/*
439 	 * Make sure that we handle the chroot(2) case.  If there is an
440 	 * alternate root directory, prepend it to the audited pathname.
441 	 */
442 	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
443 		rvnp = fdp->fd_rdir;
444 		vhold(rvnp);
445 	}
446 	/*
447 	 * If the supplied path is relative, make sure we capture the current
448 	 * working directory so we can prepend it to the supplied relative
449 	 * path.
450 	 */
451 	if (*path != '/') {
452 		if (dirfd == AT_FDCWD) {
453 			cvnp = fdp->fd_cdir;
454 			vhold(cvnp);
455 		} else {
456 			/* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
457 			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
458 			if (error) {
459 				FILEDESC_SUNLOCK(fdp);
460 				cpath[0] = '\0';
461 				if (rvnp != NULL)
462 					vdrop(rvnp);
463 				return;
464 			}
465 			vhold(cvnp);
466 			vrele(cvnp);
467 		}
468 		needslash = (fdp->fd_rdir != cvnp);
469 	} else {
470 		needslash = 1;
471 	}
472 	FILEDESC_SUNLOCK(fdp);
473 	/*
474 	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
475 	 * long.  If this is not the case, then we can run into serious trouble.
476 	 */
477 	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
478 	/*
479 	 * Strip leading forward slashes.
480 	 */
481 	while (*copy == '/')
482 		copy++;
483 	/*
484 	 * Make sure we handle chroot(2) and prepend the global path to these
485 	 * environments.
486 	 *
487 	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
488 	 * on Darwin.  As a result, this may need some additional attention
489 	 * in the future.
490 	 */
491 	if (rvnp != NULL) {
492 		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
493 		vdrop(rvnp);
494 		if (error) {
495 			cpath[0] = '\0';
496 			if (cvnp != NULL)
497 				vdrop(cvnp);
498 			return;
499 		}
500 		(void) sbuf_cat(&sbf, rbuf);
501 		free(fbuf, M_TEMP);
502 	}
503 	if (cvnp != NULL) {
504 		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
505 		vdrop(cvnp);
506 		if (error) {
507 			cpath[0] = '\0';
508 			return;
509 		}
510 		(void) sbuf_cat(&sbf, rbuf);
511 		free(fbuf, M_TEMP);
512 	}
513 	if (needslash)
514 		(void) sbuf_putc(&sbf, '/');
515 	/*
516 	 * Now that we have processed any alternate root and relative path
517 	 * names, add the supplied pathname.
518 	 */
519         (void) sbuf_cat(&sbf, copy);
520 	/*
521 	 * One or more of the previous sbuf operations could have resulted in
522 	 * the supplied buffer being overflowed.  Check to see if this is the
523 	 * case.
524 	 */
525 	if (sbuf_error(&sbf) != 0) {
526 		cpath[0] = '\0';
527 		return;
528 	}
529 	sbuf_finish(&sbf);
530 }
531