xref: /freebsd/sys/security/audit/audit_bsm_klib.c (revision edf8578117e8844e02c0121147f45e4609b30680)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1999-2009 Apple Inc.
5  * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
6  * All rights reserved.
7  *
8  * Portions of this software were developed by BAE Systems, the University of
9  * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10  * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11  * Computing (TC) research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1.  Redistributions of source code must retain the above copyright
17  *     notice, this list of conditions and the following disclaimer.
18  * 2.  Redistributions in binary form must reproduce the above copyright
19  *     notice, this list of conditions and the following disclaimer in the
20  *     documentation and/or other materials provided with the distribution.
21  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
22  *     its contributors may be used to endorse or promote products derived
23  *     from this software without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35  * POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include <sys/cdefs.h>
39 #include <sys/param.h>
40 #include <sys/capsicum.h>
41 #include <sys/fcntl.h>
42 #include <sys/filedesc.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
45 #include <sys/mount.h>
46 #include <sys/proc.h>
47 #include <sys/rwlock.h>
48 #include <sys/sem.h>
49 #include <sys/sbuf.h>
50 #include <sys/sx.h>
51 #include <sys/syscall.h>
52 #include <sys/sysctl.h>
53 #include <sys/sysent.h>
54 #include <sys/vnode.h>
55 
56 #include <bsm/audit.h>
57 #include <bsm/audit_kevents.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
60 
61 struct aue_open_event {
62 	int		aoe_flags;
63 	au_event_t	aoe_event;
64 };
65 
66 static const struct aue_open_event aue_open[] = {
67 	{ O_RDONLY,					AUE_OPEN_R },
68 	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
69 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
70 	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
71 	{ O_RDWR,					AUE_OPEN_RW },
72 	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
73 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
74 	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
75 	{ O_WRONLY,					AUE_OPEN_W },
76 	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
77 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
78 	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
79 };
80 
81 static const struct aue_open_event aue_openat[] = {
82 	{ O_RDONLY,					AUE_OPENAT_R },
83 	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
84 	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
85 	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
86 	{ O_RDWR,					AUE_OPENAT_RW },
87 	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
88 	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
89 	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
90 	{ O_WRONLY,					AUE_OPENAT_W },
91 	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
92 	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
93 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
94 };
95 
96 static const int aue_msgsys[] = {
97 	/* 0 */ AUE_MSGCTL,
98 	/* 1 */ AUE_MSGGET,
99 	/* 2 */ AUE_MSGSND,
100 	/* 3 */ AUE_MSGRCV,
101 };
102 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
103 
104 static const int aue_semsys[] = {
105 	/* 0 */ AUE_SEMCTL,
106 	/* 1 */ AUE_SEMGET,
107 	/* 2 */ AUE_SEMOP,
108 };
109 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
110 
111 static const int aue_shmsys[] = {
112 	/* 0 */ AUE_SHMAT,
113 	/* 1 */ AUE_SHMDT,
114 	/* 2 */ AUE_SHMGET,
115 	/* 3 */ AUE_SHMCTL,
116 };
117 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
118 
119 /*
120  * Check whether an event is auditable by comparing the mask of classes this
121  * event is part of against the given mask.
122  */
123 int
124 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
125 {
126 	au_class_t effmask = 0;
127 
128 	if (mask_p == NULL)
129 		return (-1);
130 
131 	/*
132 	 * Perform the actual check of the masks against the event.
133 	 */
134 	if (sorf & AU_PRS_SUCCESS)
135 		effmask |= (mask_p->am_success & class);
136 
137 	if (sorf & AU_PRS_FAILURE)
138 		effmask |= (mask_p->am_failure & class);
139 
140 	if (effmask)
141 		return (1);
142 	else
143 		return (0);
144 }
145 
146 /*
147  * Convert sysctl names and present arguments to events.
148  */
149 au_event_t
150 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
151 {
152 
153 	/* can't parse it - so return the worst case */
154 	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
155 		return (AUE_SYSCTL);
156 
157 	switch (name[0]) {
158 	/* non-admin "lookups" treat them special */
159 	case KERN_OSTYPE:
160 	case KERN_OSRELEASE:
161 	case KERN_OSREV:
162 	case KERN_VERSION:
163 	case KERN_ARGMAX:
164 	case KERN_CLOCKRATE:
165 	case KERN_BOOTTIME:
166 	case KERN_POSIX1:
167 	case KERN_NGROUPS:
168 	case KERN_JOB_CONTROL:
169 	case KERN_SAVED_IDS:
170 	case KERN_OSRELDATE:
171 	case KERN_DUMMY:
172 		return (AUE_SYSCTL_NONADMIN);
173 
174 	/* only treat the changeable controls as admin */
175 	case KERN_MAXVNODES:
176 	case KERN_MAXPROC:
177 	case KERN_MAXFILES:
178 	case KERN_MAXPROCPERUID:
179 	case KERN_MAXFILESPERPROC:
180 	case KERN_HOSTID:
181 	case KERN_SECURELVL:
182 	case KERN_HOSTNAME:
183 	case KERN_PROC:
184 	case KERN_FILE:
185 	case KERN_PROF:
186 	case KERN_NISDOMAINNAME:
187 	case KERN_UPDATEINTERVAL:
188 	case KERN_NTP_PLL:
189 	case KERN_BOOTFILE:
190 	case KERN_DUMPDEV:
191 	case KERN_IPC:
192 	case KERN_PS_STRINGS:
193 	case KERN_USRSTACK:
194 	case KERN_LOGSIGEXIT:
195 	case KERN_IOV_MAX:
196 		return ((valid_arg & ARG_VALUE) ?
197 		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
198 
199 	default:
200 		return (AUE_SYSCTL);
201 	}
202 	/* NOTREACHED */
203 }
204 
205 /*
206  * Convert an open flags specifier into a specific type of open event for
207  * auditing purposes.
208  */
209 au_event_t
210 audit_flags_and_error_to_openevent(int oflags, int error)
211 {
212 	int i;
213 
214 	/*
215 	 * Need to check only those flags we care about.
216 	 */
217 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
218 	for (i = 0; i < nitems(aue_open); i++) {
219 		if (aue_open[i].aoe_flags == oflags)
220 			return (aue_open[i].aoe_event);
221 	}
222 	return (AUE_OPEN);
223 }
224 
225 au_event_t
226 audit_flags_and_error_to_openatevent(int oflags, int error)
227 {
228 	int i;
229 
230 	/*
231 	 * Need to check only those flags we care about.
232 	 */
233 	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
234 	for (i = 0; i < nitems(aue_openat); i++) {
235 		if (aue_openat[i].aoe_flags == oflags)
236 			return (aue_openat[i].aoe_event);
237 	}
238 	return (AUE_OPENAT);
239 }
240 
241 /*
242  * Convert a MSGCTL command to a specific event.
243  */
244 au_event_t
245 audit_msgctl_to_event(int cmd)
246 {
247 
248 	switch (cmd) {
249 	case IPC_RMID:
250 		return (AUE_MSGCTL_RMID);
251 
252 	case IPC_SET:
253 		return (AUE_MSGCTL_SET);
254 
255 	case IPC_STAT:
256 		return (AUE_MSGCTL_STAT);
257 
258 	default:
259 		/* We will audit a bad command. */
260 		return (AUE_MSGCTL);
261 	}
262 }
263 
264 /*
265  * Convert a SEMCTL command to a specific event.
266  */
267 au_event_t
268 audit_semctl_to_event(int cmd)
269 {
270 
271 	switch (cmd) {
272 	case GETALL:
273 		return (AUE_SEMCTL_GETALL);
274 
275 	case GETNCNT:
276 		return (AUE_SEMCTL_GETNCNT);
277 
278 	case GETPID:
279 		return (AUE_SEMCTL_GETPID);
280 
281 	case GETVAL:
282 		return (AUE_SEMCTL_GETVAL);
283 
284 	case GETZCNT:
285 		return (AUE_SEMCTL_GETZCNT);
286 
287 	case IPC_RMID:
288 		return (AUE_SEMCTL_RMID);
289 
290 	case IPC_SET:
291 		return (AUE_SEMCTL_SET);
292 
293 	case SETALL:
294 		return (AUE_SEMCTL_SETALL);
295 
296 	case SETVAL:
297 		return (AUE_SEMCTL_SETVAL);
298 
299 	case IPC_STAT:
300 		return (AUE_SEMCTL_STAT);
301 
302 	default:
303 		/* We will audit a bad command. */
304 		return (AUE_SEMCTL);
305 	}
306 }
307 
308 /*
309  * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
310  * audit events, if possible.
311  */
312 au_event_t
313 audit_msgsys_to_event(int which)
314 {
315 
316 	if ((which >= 0) && (which < aue_msgsys_count))
317 		return (aue_msgsys[which]);
318 
319 	/* Audit a bad command. */
320 	return (AUE_MSGSYS);
321 }
322 
323 au_event_t
324 audit_semsys_to_event(int which)
325 {
326 
327 	if ((which >= 0) && (which < aue_semsys_count))
328 		return (aue_semsys[which]);
329 
330 	/* Audit a bad command. */
331 	return (AUE_SEMSYS);
332 }
333 
334 au_event_t
335 audit_shmsys_to_event(int which)
336 {
337 
338 	if ((which >= 0) && (which < aue_shmsys_count))
339 		return (aue_shmsys[which]);
340 
341 	/* Audit a bad command. */
342 	return (AUE_SHMSYS);
343 }
344 
345 /*
346  * Convert a command for the auditon() system call to a audit event.
347  */
348 au_event_t
349 auditon_command_event(int cmd)
350 {
351 
352 	switch(cmd) {
353 	case A_GETPOLICY:
354 		return (AUE_AUDITON_GPOLICY);
355 
356 	case A_SETPOLICY:
357 		return (AUE_AUDITON_SPOLICY);
358 
359 	case A_GETKMASK:
360 		return (AUE_AUDITON_GETKMASK);
361 
362 	case A_SETKMASK:
363 		return (AUE_AUDITON_SETKMASK);
364 
365 	case A_GETQCTRL:
366 		return (AUE_AUDITON_GQCTRL);
367 
368 	case A_SETQCTRL:
369 		return (AUE_AUDITON_SQCTRL);
370 
371 	case A_GETCWD:
372 		return (AUE_AUDITON_GETCWD);
373 
374 	case A_GETCAR:
375 		return (AUE_AUDITON_GETCAR);
376 
377 	case A_GETSTAT:
378 		return (AUE_AUDITON_GETSTAT);
379 
380 	case A_SETSTAT:
381 		return (AUE_AUDITON_SETSTAT);
382 
383 	case A_SETUMASK:
384 		return (AUE_AUDITON_SETUMASK);
385 
386 	case A_SETSMASK:
387 		return (AUE_AUDITON_SETSMASK);
388 
389 	case A_GETCOND:
390 		return (AUE_AUDITON_GETCOND);
391 
392 	case A_SETCOND:
393 		return (AUE_AUDITON_SETCOND);
394 
395 	case A_GETCLASS:
396 		return (AUE_AUDITON_GETCLASS);
397 
398 	case A_SETCLASS:
399 		return (AUE_AUDITON_SETCLASS);
400 
401 	case A_GETPINFO:
402 	case A_SETPMASK:
403 	case A_SETFSIZE:
404 	case A_GETFSIZE:
405 	case A_GETPINFO_ADDR:
406 	case A_GETKAUDIT:
407 	case A_SETKAUDIT:
408 	default:
409 		return (AUE_AUDITON);	/* No special record */
410 	}
411 }
412 
413 /*
414  * Create a canonical path from given path by prefixing either the root
415  * directory, or the current working directory.  If the process working
416  * directory is NULL, we could use 'rootvnode' to obtain the root directory,
417  * but this results in a volfs name written to the audit log. So we will
418  * leave the filename starting with '/' in the audit log in this case.
419  */
420 void
421 audit_canon_path_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir,
422     char *path, char *cpath)
423 {
424 	struct vnode *vp;
425 	char *rbuf, *fbuf, *copy;
426 	struct sbuf sbf;
427 	int error;
428 
429 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
430 	    __func__,  __FILE__, __LINE__);
431 
432 	copy = path;
433 	if (*path == '/') {
434 		vp = rdir;
435 	} else {
436 		if (cdir == NULL) {
437 			cpath[0] = '\0';
438 			return;
439 		}
440 		vp = cdir;
441 	}
442 	MPASS(vp != NULL);
443 	/*
444 	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
445 	 * long.  If this is not the case, then we can run into serious trouble.
446 	 */
447 	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
448 	/*
449 	 * Strip leading forward slashes.
450 	 *
451 	 * Note this does nothing to fully canonicalize the path.
452 	 */
453 	while (*copy == '/')
454 		copy++;
455 	/*
456 	 * Make sure we handle chroot(2) and prepend the global path to these
457 	 * environments.
458 	 *
459 	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
460 	 * on Darwin.  As a result, this may need some additional attention
461 	 * in the future.
462 	 */
463 	error = vn_fullpath_global(vp, &rbuf, &fbuf);
464 	if (error) {
465 		cpath[0] = '\0';
466 		return;
467 	}
468 	(void) sbuf_cat(&sbf, rbuf);
469 	/*
470 	 * We are going to concatenate the resolved path with the passed path
471 	 * with all slashes removed and we want them glued with a single slash.
472 	 * However, if the directory is /, the slash is already there.
473 	 */
474 	if (rbuf[1] != '\0')
475 		(void) sbuf_putc(&sbf, '/');
476 	free(fbuf, M_TEMP);
477 	/*
478 	 * Now that we have processed any alternate root and relative path
479 	 * names, add the supplied pathname.
480 	 */
481 	(void) sbuf_cat(&sbf, copy);
482 	/*
483 	 * One or more of the previous sbuf operations could have resulted in
484 	 * the supplied buffer being overflowed.  Check to see if this is the
485 	 * case.
486 	 */
487 	if (sbuf_error(&sbf) != 0) {
488 		cpath[0] = '\0';
489 		return;
490 	}
491 	sbuf_finish(&sbf);
492 }
493 
494 void
495 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
496 {
497 	struct vnode *cdir, *rdir;
498 	struct pwd *pwd;
499 	cap_rights_t rights;
500 	int error;
501 	bool vrele_cdir;
502 
503 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
504 	    __func__,  __FILE__, __LINE__);
505 
506 	pwd = pwd_hold(td);
507 	rdir = pwd->pwd_rdir;
508 	cdir = NULL;
509 	vrele_cdir = false;
510 	if (*path != '/') {
511 		if (dirfd == AT_FDCWD) {
512 			cdir = pwd->pwd_cdir;
513 		} else {
514 			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cdir);
515 			if (error != 0) {
516 				cpath[0] = '\0';
517 				pwd_drop(pwd);
518 				return;
519 			}
520 			vrele_cdir = true;
521 		}
522 	}
523 
524 	audit_canon_path_vp(td, rdir, cdir, path, cpath);
525 
526 	pwd_drop(pwd);
527 	if (vrele_cdir)
528 		vrele(cdir);
529 }
530