1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * Copyright (c) 2005, 2016-2017 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Portions of this software were developed by BAE Systems, the University of 7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 9 * Computing (TC) research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/capsicum.h> 41 #include <sys/fcntl.h> 42 #include <sys/filedesc.h> 43 #include <sys/libkern.h> 44 #include <sys/malloc.h> 45 #include <sys/mount.h> 46 #include <sys/proc.h> 47 #include <sys/rwlock.h> 48 #include <sys/sem.h> 49 #include <sys/sbuf.h> 50 #include <sys/sx.h> 51 #include <sys/syscall.h> 52 #include <sys/sysctl.h> 53 #include <sys/sysent.h> 54 #include <sys/vnode.h> 55 56 #include <bsm/audit.h> 57 #include <bsm/audit_kevents.h> 58 #include <security/audit/audit.h> 59 #include <security/audit/audit_private.h> 60 61 struct aue_open_event { 62 int aoe_flags; 63 au_event_t aoe_event; 64 }; 65 66 static const struct aue_open_event aue_open[] = { 67 { O_RDONLY, AUE_OPEN_R }, 68 { (O_RDONLY | O_CREAT), AUE_OPEN_RC }, 69 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPEN_RTC }, 70 { (O_RDONLY | O_TRUNC), AUE_OPEN_RT }, 71 { O_RDWR, AUE_OPEN_RW }, 72 { (O_RDWR | O_CREAT), AUE_OPEN_RWC }, 73 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPEN_RWTC }, 74 { (O_RDWR | O_TRUNC), AUE_OPEN_RWT }, 75 { O_WRONLY, AUE_OPEN_W }, 76 { (O_WRONLY | O_CREAT), AUE_OPEN_WC }, 77 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPEN_WTC }, 78 { (O_WRONLY | O_TRUNC), AUE_OPEN_WT }, 79 }; 80 81 static const struct aue_open_event aue_openat[] = { 82 { O_RDONLY, AUE_OPENAT_R }, 83 { (O_RDONLY | O_CREAT), AUE_OPENAT_RC }, 84 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPENAT_RTC }, 85 { (O_RDONLY | O_TRUNC), AUE_OPENAT_RT }, 86 { O_RDWR, AUE_OPENAT_RW }, 87 { (O_RDWR | O_CREAT), AUE_OPENAT_RWC }, 88 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPENAT_RWTC }, 89 { (O_RDWR | O_TRUNC), AUE_OPENAT_RWT }, 90 { O_WRONLY, AUE_OPENAT_W }, 91 { (O_WRONLY | O_CREAT), AUE_OPENAT_WC }, 92 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPENAT_WTC }, 93 { (O_WRONLY | O_TRUNC), AUE_OPENAT_WT }, 94 }; 95 96 static const int aue_msgsys[] = { 97 /* 0 */ AUE_MSGCTL, 98 /* 1 */ AUE_MSGGET, 99 /* 2 */ AUE_MSGSND, 100 /* 3 */ AUE_MSGRCV, 101 }; 102 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int); 103 104 static const int aue_semsys[] = { 105 /* 0 */ AUE_SEMCTL, 106 /* 1 */ AUE_SEMGET, 107 /* 2 */ AUE_SEMOP, 108 }; 109 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int); 110 111 static const int aue_shmsys[] = { 112 /* 0 */ AUE_SHMAT, 113 /* 1 */ AUE_SHMDT, 114 /* 2 */ AUE_SHMGET, 115 /* 3 */ AUE_SHMCTL, 116 }; 117 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int); 118 119 /* 120 * Check whether an event is aditable by comparing the mask of classes this 121 * event is part of against the given mask. 122 */ 123 int 124 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf) 125 { 126 au_class_t effmask = 0; 127 128 if (mask_p == NULL) 129 return (-1); 130 131 /* 132 * Perform the actual check of the masks against the event. 133 */ 134 if (sorf & AU_PRS_SUCCESS) 135 effmask |= (mask_p->am_success & class); 136 137 if (sorf & AU_PRS_FAILURE) 138 effmask |= (mask_p->am_failure & class); 139 140 if (effmask) 141 return (1); 142 else 143 return (0); 144 } 145 146 /* 147 * Convert sysctl names and present arguments to events. 148 */ 149 au_event_t 150 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg) 151 { 152 153 /* can't parse it - so return the worst case */ 154 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN)) 155 return (AUE_SYSCTL); 156 157 switch (name[0]) { 158 /* non-admin "lookups" treat them special */ 159 case KERN_OSTYPE: 160 case KERN_OSRELEASE: 161 case KERN_OSREV: 162 case KERN_VERSION: 163 case KERN_ARGMAX: 164 case KERN_CLOCKRATE: 165 case KERN_BOOTTIME: 166 case KERN_POSIX1: 167 case KERN_NGROUPS: 168 case KERN_JOB_CONTROL: 169 case KERN_SAVED_IDS: 170 case KERN_OSRELDATE: 171 case KERN_DUMMY: 172 return (AUE_SYSCTL_NONADMIN); 173 174 /* only treat the changeable controls as admin */ 175 case KERN_MAXVNODES: 176 case KERN_MAXPROC: 177 case KERN_MAXFILES: 178 case KERN_MAXPROCPERUID: 179 case KERN_MAXFILESPERPROC: 180 case KERN_HOSTID: 181 case KERN_SECURELVL: 182 case KERN_HOSTNAME: 183 case KERN_VNODE: 184 case KERN_PROC: 185 case KERN_FILE: 186 case KERN_PROF: 187 case KERN_NISDOMAINNAME: 188 case KERN_UPDATEINTERVAL: 189 case KERN_NTP_PLL: 190 case KERN_BOOTFILE: 191 case KERN_DUMPDEV: 192 case KERN_IPC: 193 case KERN_PS_STRINGS: 194 case KERN_USRSTACK: 195 case KERN_LOGSIGEXIT: 196 case KERN_IOV_MAX: 197 return ((valid_arg & ARG_VALUE) ? 198 AUE_SYSCTL : AUE_SYSCTL_NONADMIN); 199 200 default: 201 return (AUE_SYSCTL); 202 } 203 /* NOTREACHED */ 204 } 205 206 /* 207 * Convert an open flags specifier into a specific type of open event for 208 * auditing purposes. 209 */ 210 au_event_t 211 audit_flags_and_error_to_openevent(int oflags, int error) 212 { 213 int i; 214 215 /* 216 * Need to check only those flags we care about. 217 */ 218 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 219 for (i = 0; i < nitems(aue_open); i++) { 220 if (aue_open[i].aoe_flags == oflags) 221 return (aue_open[i].aoe_event); 222 } 223 return (AUE_OPEN); 224 } 225 226 au_event_t 227 audit_flags_and_error_to_openatevent(int oflags, int error) 228 { 229 int i; 230 231 /* 232 * Need to check only those flags we care about. 233 */ 234 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); 235 for (i = 0; i < nitems(aue_openat); i++) { 236 if (aue_openat[i].aoe_flags == oflags) 237 return (aue_openat[i].aoe_event); 238 } 239 return (AUE_OPENAT); 240 } 241 242 /* 243 * Convert a MSGCTL command to a specific event. 244 */ 245 au_event_t 246 audit_msgctl_to_event(int cmd) 247 { 248 249 switch (cmd) { 250 case IPC_RMID: 251 return (AUE_MSGCTL_RMID); 252 253 case IPC_SET: 254 return (AUE_MSGCTL_SET); 255 256 case IPC_STAT: 257 return (AUE_MSGCTL_STAT); 258 259 default: 260 /* We will audit a bad command. */ 261 return (AUE_MSGCTL); 262 } 263 } 264 265 /* 266 * Convert a SEMCTL command to a specific event. 267 */ 268 au_event_t 269 audit_semctl_to_event(int cmd) 270 { 271 272 switch (cmd) { 273 case GETALL: 274 return (AUE_SEMCTL_GETALL); 275 276 case GETNCNT: 277 return (AUE_SEMCTL_GETNCNT); 278 279 case GETPID: 280 return (AUE_SEMCTL_GETPID); 281 282 case GETVAL: 283 return (AUE_SEMCTL_GETVAL); 284 285 case GETZCNT: 286 return (AUE_SEMCTL_GETZCNT); 287 288 case IPC_RMID: 289 return (AUE_SEMCTL_RMID); 290 291 case IPC_SET: 292 return (AUE_SEMCTL_SET); 293 294 case SETALL: 295 return (AUE_SEMCTL_SETALL); 296 297 case SETVAL: 298 return (AUE_SEMCTL_SETVAL); 299 300 case IPC_STAT: 301 return (AUE_SEMCTL_STAT); 302 303 default: 304 /* We will audit a bad command. */ 305 return (AUE_SEMCTL); 306 } 307 } 308 309 /* 310 * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into 311 * audit events, if possible. 312 */ 313 au_event_t 314 audit_msgsys_to_event(int which) 315 { 316 317 if ((which >= 0) && (which < aue_msgsys_count)) 318 return (aue_msgsys[which]); 319 320 /* Audit a bad command. */ 321 return (AUE_MSGSYS); 322 } 323 324 au_event_t 325 audit_semsys_to_event(int which) 326 { 327 328 if ((which >= 0) && (which < aue_semsys_count)) 329 return (aue_semsys[which]); 330 331 /* Audit a bad command. */ 332 return (AUE_SEMSYS); 333 } 334 335 au_event_t 336 audit_shmsys_to_event(int which) 337 { 338 339 if ((which >= 0) && (which < aue_shmsys_count)) 340 return (aue_shmsys[which]); 341 342 /* Audit a bad command. */ 343 return (AUE_SHMSYS); 344 } 345 346 /* 347 * Convert a command for the auditon() system call to a audit event. 348 */ 349 au_event_t 350 auditon_command_event(int cmd) 351 { 352 353 switch(cmd) { 354 case A_GETPOLICY: 355 return (AUE_AUDITON_GPOLICY); 356 357 case A_SETPOLICY: 358 return (AUE_AUDITON_SPOLICY); 359 360 case A_GETKMASK: 361 return (AUE_AUDITON_GETKMASK); 362 363 case A_SETKMASK: 364 return (AUE_AUDITON_SETKMASK); 365 366 case A_GETQCTRL: 367 return (AUE_AUDITON_GQCTRL); 368 369 case A_SETQCTRL: 370 return (AUE_AUDITON_SQCTRL); 371 372 case A_GETCWD: 373 return (AUE_AUDITON_GETCWD); 374 375 case A_GETCAR: 376 return (AUE_AUDITON_GETCAR); 377 378 case A_GETSTAT: 379 return (AUE_AUDITON_GETSTAT); 380 381 case A_SETSTAT: 382 return (AUE_AUDITON_SETSTAT); 383 384 case A_SETUMASK: 385 return (AUE_AUDITON_SETUMASK); 386 387 case A_SETSMASK: 388 return (AUE_AUDITON_SETSMASK); 389 390 case A_GETCOND: 391 return (AUE_AUDITON_GETCOND); 392 393 case A_SETCOND: 394 return (AUE_AUDITON_SETCOND); 395 396 case A_GETCLASS: 397 return (AUE_AUDITON_GETCLASS); 398 399 case A_SETCLASS: 400 return (AUE_AUDITON_SETCLASS); 401 402 case A_GETPINFO: 403 case A_SETPMASK: 404 case A_SETFSIZE: 405 case A_GETFSIZE: 406 case A_GETPINFO_ADDR: 407 case A_GETKAUDIT: 408 case A_SETKAUDIT: 409 default: 410 return (AUE_AUDITON); /* No special record */ 411 } 412 } 413 414 /* 415 * Create a canonical path from given path by prefixing either the root 416 * directory, or the current working directory. If the process working 417 * directory is NULL, we could use 'rootvnode' to obtain the root directory, 418 * but this results in a volfs name written to the audit log. So we will 419 * leave the filename starting with '/' in the audit log in this case. 420 */ 421 void 422 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath) 423 { 424 struct vnode *cvnp, *rvnp; 425 char *rbuf, *fbuf, *copy; 426 struct filedesc *fdp; 427 struct sbuf sbf; 428 cap_rights_t rights; 429 int error, needslash; 430 431 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d", 432 __func__, __FILE__, __LINE__); 433 434 copy = path; 435 rvnp = cvnp = NULL; 436 fdp = td->td_proc->p_fd; 437 FILEDESC_SLOCK(fdp); 438 /* 439 * Make sure that we handle the chroot(2) case. If there is an 440 * alternate root directory, prepend it to the audited pathname. 441 */ 442 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) { 443 rvnp = fdp->fd_rdir; 444 vhold(rvnp); 445 } 446 /* 447 * If the supplied path is relative, make sure we capture the current 448 * working directory so we can prepend it to the supplied relative 449 * path. 450 */ 451 if (*path != '/') { 452 if (dirfd == AT_FDCWD) { 453 cvnp = fdp->fd_cdir; 454 vhold(cvnp); 455 } else { 456 /* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */ 457 error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp); 458 if (error) { 459 FILEDESC_SUNLOCK(fdp); 460 cpath[0] = '\0'; 461 if (rvnp != NULL) 462 vdrop(rvnp); 463 return; 464 } 465 vhold(cvnp); 466 vrele(cvnp); 467 } 468 needslash = (fdp->fd_rdir != cvnp); 469 } else { 470 needslash = 1; 471 } 472 FILEDESC_SUNLOCK(fdp); 473 /* 474 * NB: We require that the supplied array be at least MAXPATHLEN bytes 475 * long. If this is not the case, then we can run into serious trouble. 476 */ 477 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN); 478 /* 479 * Strip leading forward slashes. 480 */ 481 while (*copy == '/') 482 copy++; 483 /* 484 * Make sure we handle chroot(2) and prepend the global path to these 485 * environments. 486 * 487 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9) 488 * on Darwin. As a result, this may need some additional attention 489 * in the future. 490 */ 491 if (rvnp != NULL) { 492 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf); 493 vdrop(rvnp); 494 if (error) { 495 cpath[0] = '\0'; 496 if (cvnp != NULL) 497 vdrop(cvnp); 498 return; 499 } 500 (void) sbuf_cat(&sbf, rbuf); 501 free(fbuf, M_TEMP); 502 } 503 if (cvnp != NULL) { 504 error = vn_fullpath(td, cvnp, &rbuf, &fbuf); 505 vdrop(cvnp); 506 if (error) { 507 cpath[0] = '\0'; 508 return; 509 } 510 (void) sbuf_cat(&sbf, rbuf); 511 free(fbuf, M_TEMP); 512 } 513 if (needslash) 514 (void) sbuf_putc(&sbf, '/'); 515 /* 516 * Now that we have processed any alternate root and relative path 517 * names, add the supplied pathname. 518 */ 519 (void) sbuf_cat(&sbf, copy); 520 /* 521 * One or more of the previous sbuf operations could have resulted in 522 * the supplied buffer being overflowed. Check to see if this is the 523 * case. 524 */ 525 if (sbuf_error(&sbf) != 0) { 526 cpath[0] = '\0'; 527 return; 528 } 529 sbuf_finish(&sbf); 530 } 531