xref: /freebsd/sys/security/audit/audit_bsm_klib.c (revision e4c66ddabdb470bab319705c1834a4867c508a43)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1999-2009 Apple Inc.
5  * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
6  * All rights reserved.
7  *
8  * Portions of this software were developed by BAE Systems, the University of
9  * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10  * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11  * Computing (TC) research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1.  Redistributions of source code must retain the above copyright
17  *     notice, this list of conditions and the following disclaimer.
18  * 2.  Redistributions in binary form must reproduce the above copyright
19  *     notice, this list of conditions and the following disclaimer in the
20  *     documentation and/or other materials provided with the distribution.
21  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
22  *     its contributors may be used to endorse or promote products derived
23  *     from this software without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35  * POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
40 
41 #include <sys/param.h>
42 #include <sys/capsicum.h>
43 #include <sys/fcntl.h>
44 #include <sys/filedesc.h>
45 #include <sys/libkern.h>
46 #include <sys/malloc.h>
47 #include <sys/mount.h>
48 #include <sys/proc.h>
49 #include <sys/rwlock.h>
50 #include <sys/sem.h>
51 #include <sys/sbuf.h>
52 #include <sys/sx.h>
53 #include <sys/syscall.h>
54 #include <sys/sysctl.h>
55 #include <sys/sysent.h>
56 #include <sys/vnode.h>
57 
58 #include <bsm/audit.h>
59 #include <bsm/audit_kevents.h>
60 #include <security/audit/audit.h>
61 #include <security/audit/audit_private.h>
62 
63 struct aue_open_event {
64 	int		aoe_flags;
65 	au_event_t	aoe_event;
66 };
67 
68 static const struct aue_open_event aue_open[] = {
69 	{ O_RDONLY,					AUE_OPEN_R },
70 	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
71 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
72 	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
73 	{ O_RDWR,					AUE_OPEN_RW },
74 	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
75 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
76 	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
77 	{ O_WRONLY,					AUE_OPEN_W },
78 	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
79 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
80 	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
81 };
82 
83 static const struct aue_open_event aue_openat[] = {
84 	{ O_RDONLY,					AUE_OPENAT_R },
85 	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
86 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
87 	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
88 	{ O_RDWR,					AUE_OPENAT_RW },
89 	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
90 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
91 	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
92 	{ O_WRONLY,					AUE_OPENAT_W },
93 	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
94 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
95 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
96 };
97 
98 static const int aue_msgsys[] = {
99 	/* 0 */ AUE_MSGCTL,
100 	/* 1 */ AUE_MSGGET,
101 	/* 2 */ AUE_MSGSND,
102 	/* 3 */ AUE_MSGRCV,
103 };
104 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
105 
106 static const int aue_semsys[] = {
107 	/* 0 */ AUE_SEMCTL,
108 	/* 1 */ AUE_SEMGET,
109 	/* 2 */ AUE_SEMOP,
110 };
111 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
112 
113 static const int aue_shmsys[] = {
114 	/* 0 */ AUE_SHMAT,
115 	/* 1 */ AUE_SHMDT,
116 	/* 2 */ AUE_SHMGET,
117 	/* 3 */ AUE_SHMCTL,
118 };
119 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
120 
121 /*
122  * Check whether an event is auditable by comparing the mask of classes this
123  * event is part of against the given mask.
124  */
125 int
126 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
127 {
128 	au_class_t effmask = 0;
129 
130 	if (mask_p == NULL)
131 		return (-1);
132 
133 	/*
134 	 * Perform the actual check of the masks against the event.
135 	 */
136 	if (sorf & AU_PRS_SUCCESS)
137 		effmask |= (mask_p->am_success & class);
138 
139 	if (sorf & AU_PRS_FAILURE)
140 		effmask |= (mask_p->am_failure & class);
141 
142 	if (effmask)
143 		return (1);
144 	else
145 		return (0);
146 }
147 
148 /*
149  * Convert sysctl names and present arguments to events.
150  */
151 au_event_t
152 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
153 {
154 
155 	/* can't parse it - so return the worst case */
156 	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
157 		return (AUE_SYSCTL);
158 
159 	switch (name[0]) {
160 	/* non-admin "lookups" treat them special */
161 	case KERN_OSTYPE:
162 	case KERN_OSRELEASE:
163 	case KERN_OSREV:
164 	case KERN_VERSION:
165 	case KERN_ARGMAX:
166 	case KERN_CLOCKRATE:
167 	case KERN_BOOTTIME:
168 	case KERN_POSIX1:
169 	case KERN_NGROUPS:
170 	case KERN_JOB_CONTROL:
171 	case KERN_SAVED_IDS:
172 	case KERN_OSRELDATE:
173 	case KERN_DUMMY:
174 		return (AUE_SYSCTL_NONADMIN);
175 
176 	/* only treat the changeable controls as admin */
177 	case KERN_MAXVNODES:
178 	case KERN_MAXPROC:
179 	case KERN_MAXFILES:
180 	case KERN_MAXPROCPERUID:
181 	case KERN_MAXFILESPERPROC:
182 	case KERN_HOSTID:
183 	case KERN_SECURELVL:
184 	case KERN_HOSTNAME:
185 	case KERN_VNODE:
186 	case KERN_PROC:
187 	case KERN_FILE:
188 	case KERN_PROF:
189 	case KERN_NISDOMAINNAME:
190 	case KERN_UPDATEINTERVAL:
191 	case KERN_NTP_PLL:
192 	case KERN_BOOTFILE:
193 	case KERN_DUMPDEV:
194 	case KERN_IPC:
195 	case KERN_PS_STRINGS:
196 	case KERN_USRSTACK:
197 	case KERN_LOGSIGEXIT:
198 	case KERN_IOV_MAX:
199 		return ((valid_arg & ARG_VALUE) ?
200 		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
201 
202 	default:
203 		return (AUE_SYSCTL);
204 	}
205 	/* NOTREACHED */
206 }
207 
208 /*
209  * Convert an open flags specifier into a specific type of open event for
210  * auditing purposes.
211  */
212 au_event_t
213 audit_flags_and_error_to_openevent(int oflags, int error)
214 {
215 	int i;
216 
217 	/*
218 	 * Need to check only those flags we care about.
219 	 */
220 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
221 	for (i = 0; i < nitems(aue_open); i++) {
222 		if (aue_open[i].aoe_flags == oflags)
223 			return (aue_open[i].aoe_event);
224 	}
225 	return (AUE_OPEN);
226 }
227 
228 au_event_t
229 audit_flags_and_error_to_openatevent(int oflags, int error)
230 {
231 	int i;
232 
233 	/*
234 	 * Need to check only those flags we care about.
235 	 */
236 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
237 	for (i = 0; i < nitems(aue_openat); i++) {
238 		if (aue_openat[i].aoe_flags == oflags)
239 			return (aue_openat[i].aoe_event);
240 	}
241 	return (AUE_OPENAT);
242 }
243 
244 /*
245  * Convert a MSGCTL command to a specific event.
246  */
247 au_event_t
248 audit_msgctl_to_event(int cmd)
249 {
250 
251 	switch (cmd) {
252 	case IPC_RMID:
253 		return (AUE_MSGCTL_RMID);
254 
255 	case IPC_SET:
256 		return (AUE_MSGCTL_SET);
257 
258 	case IPC_STAT:
259 		return (AUE_MSGCTL_STAT);
260 
261 	default:
262 		/* We will audit a bad command. */
263 		return (AUE_MSGCTL);
264 	}
265 }
266 
267 /*
268  * Convert a SEMCTL command to a specific event.
269  */
270 au_event_t
271 audit_semctl_to_event(int cmd)
272 {
273 
274 	switch (cmd) {
275 	case GETALL:
276 		return (AUE_SEMCTL_GETALL);
277 
278 	case GETNCNT:
279 		return (AUE_SEMCTL_GETNCNT);
280 
281 	case GETPID:
282 		return (AUE_SEMCTL_GETPID);
283 
284 	case GETVAL:
285 		return (AUE_SEMCTL_GETVAL);
286 
287 	case GETZCNT:
288 		return (AUE_SEMCTL_GETZCNT);
289 
290 	case IPC_RMID:
291 		return (AUE_SEMCTL_RMID);
292 
293 	case IPC_SET:
294 		return (AUE_SEMCTL_SET);
295 
296 	case SETALL:
297 		return (AUE_SEMCTL_SETALL);
298 
299 	case SETVAL:
300 		return (AUE_SEMCTL_SETVAL);
301 
302 	case IPC_STAT:
303 		return (AUE_SEMCTL_STAT);
304 
305 	default:
306 		/* We will audit a bad command. */
307 		return (AUE_SEMCTL);
308 	}
309 }
310 
311 /*
312  * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
313  * audit events, if possible.
314  */
315 au_event_t
316 audit_msgsys_to_event(int which)
317 {
318 
319 	if ((which >= 0) && (which < aue_msgsys_count))
320 		return (aue_msgsys[which]);
321 
322 	/* Audit a bad command. */
323 	return (AUE_MSGSYS);
324 }
325 
326 au_event_t
327 audit_semsys_to_event(int which)
328 {
329 
330 	if ((which >= 0) && (which < aue_semsys_count))
331 		return (aue_semsys[which]);
332 
333 	/* Audit a bad command. */
334 	return (AUE_SEMSYS);
335 }
336 
337 au_event_t
338 audit_shmsys_to_event(int which)
339 {
340 
341 	if ((which >= 0) && (which < aue_shmsys_count))
342 		return (aue_shmsys[which]);
343 
344 	/* Audit a bad command. */
345 	return (AUE_SHMSYS);
346 }
347 
348 /*
349  * Convert a command for the auditon() system call to a audit event.
350  */
351 au_event_t
352 auditon_command_event(int cmd)
353 {
354 
355 	switch(cmd) {
356 	case A_GETPOLICY:
357 		return (AUE_AUDITON_GPOLICY);
358 
359 	case A_SETPOLICY:
360 		return (AUE_AUDITON_SPOLICY);
361 
362 	case A_GETKMASK:
363 		return (AUE_AUDITON_GETKMASK);
364 
365 	case A_SETKMASK:
366 		return (AUE_AUDITON_SETKMASK);
367 
368 	case A_GETQCTRL:
369 		return (AUE_AUDITON_GQCTRL);
370 
371 	case A_SETQCTRL:
372 		return (AUE_AUDITON_SQCTRL);
373 
374 	case A_GETCWD:
375 		return (AUE_AUDITON_GETCWD);
376 
377 	case A_GETCAR:
378 		return (AUE_AUDITON_GETCAR);
379 
380 	case A_GETSTAT:
381 		return (AUE_AUDITON_GETSTAT);
382 
383 	case A_SETSTAT:
384 		return (AUE_AUDITON_SETSTAT);
385 
386 	case A_SETUMASK:
387 		return (AUE_AUDITON_SETUMASK);
388 
389 	case A_SETSMASK:
390 		return (AUE_AUDITON_SETSMASK);
391 
392 	case A_GETCOND:
393 		return (AUE_AUDITON_GETCOND);
394 
395 	case A_SETCOND:
396 		return (AUE_AUDITON_SETCOND);
397 
398 	case A_GETCLASS:
399 		return (AUE_AUDITON_GETCLASS);
400 
401 	case A_SETCLASS:
402 		return (AUE_AUDITON_SETCLASS);
403 
404 	case A_GETPINFO:
405 	case A_SETPMASK:
406 	case A_SETFSIZE:
407 	case A_GETFSIZE:
408 	case A_GETPINFO_ADDR:
409 	case A_GETKAUDIT:
410 	case A_SETKAUDIT:
411 	default:
412 		return (AUE_AUDITON);	/* No special record */
413 	}
414 }
415 
416 /*
417  * Create a canonical path from given path by prefixing either the root
418  * directory, or the current working directory.  If the process working
419  * directory is NULL, we could use 'rootvnode' to obtain the root directory,
420  * but this results in a volfs name written to the audit log. So we will
421  * leave the filename starting with '/' in the audit log in this case.
422  */
423 void
424 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
425 {
426 	struct vnode *cvnp, *rvnp;
427 	char *rbuf, *fbuf, *copy;
428 	struct filedesc *fdp;
429 	struct sbuf sbf;
430 	cap_rights_t rights;
431 	int error, needslash;
432 
433 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
434 	    __func__,  __FILE__, __LINE__);
435 
436 	copy = path;
437 	rvnp = cvnp = NULL;
438 	fdp = td->td_proc->p_fd;
439 	FILEDESC_SLOCK(fdp);
440 	/*
441 	 * Make sure that we handle the chroot(2) case.  If there is an
442 	 * alternate root directory, prepend it to the audited pathname.
443 	 */
444 	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
445 		rvnp = fdp->fd_rdir;
446 		vhold(rvnp);
447 	}
448 	/*
449 	 * If the supplied path is relative, make sure we capture the current
450 	 * working directory so we can prepend it to the supplied relative
451 	 * path.
452 	 */
453 	if (*path != '/') {
454 		if (dirfd == AT_FDCWD) {
455 			cvnp = fdp->fd_cdir;
456 			vhold(cvnp);
457 		} else {
458 			/* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
459 			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
460 			if (error) {
461 				FILEDESC_SUNLOCK(fdp);
462 				cpath[0] = '\0';
463 				if (rvnp != NULL)
464 					vdrop(rvnp);
465 				return;
466 			}
467 			vhold(cvnp);
468 			vrele(cvnp);
469 		}
470 		needslash = (fdp->fd_rdir != cvnp);
471 	} else {
472 		needslash = 1;
473 	}
474 	FILEDESC_SUNLOCK(fdp);
475 	/*
476 	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
477 	 * long.  If this is not the case, then we can run into serious trouble.
478 	 */
479 	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
480 	/*
481 	 * Strip leading forward slashes.
482 	 */
483 	while (*copy == '/')
484 		copy++;
485 	/*
486 	 * Make sure we handle chroot(2) and prepend the global path to these
487 	 * environments.
488 	 *
489 	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
490 	 * on Darwin.  As a result, this may need some additional attention
491 	 * in the future.
492 	 */
493 	if (rvnp != NULL) {
494 		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
495 		vdrop(rvnp);
496 		if (error) {
497 			cpath[0] = '\0';
498 			if (cvnp != NULL)
499 				vdrop(cvnp);
500 			return;
501 		}
502 		(void) sbuf_cat(&sbf, rbuf);
503 		free(fbuf, M_TEMP);
504 	}
505 	if (cvnp != NULL) {
506 		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
507 		vdrop(cvnp);
508 		if (error) {
509 			cpath[0] = '\0';
510 			return;
511 		}
512 		(void) sbuf_cat(&sbf, rbuf);
513 		free(fbuf, M_TEMP);
514 	}
515 	if (needslash)
516 		(void) sbuf_putc(&sbf, '/');
517 	/*
518 	 * Now that we have processed any alternate root and relative path
519 	 * names, add the supplied pathname.
520 	 */
521         (void) sbuf_cat(&sbf, copy);
522 	/*
523 	 * One or more of the previous sbuf operations could have resulted in
524 	 * the supplied buffer being overflowed.  Check to see if this is the
525 	 * case.
526 	 */
527 	if (sbuf_error(&sbf) != 0) {
528 		cpath[0] = '\0';
529 		return;
530 	}
531 	sbuf_finish(&sbf);
532 }
533