1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 #include <bsm/adt.h> 27 #include <bsm/adt_event.h> 28 #include <assert.h> 29 #include <bsm/audit.h> 30 #include <bsm/audit_record.h> 31 #include <bsm/libbsm.h> 32 #include <door.h> 33 #include <errno.h> 34 #include <generic.h> 35 #include <md5.h> 36 #include <sys/mkdev.h> 37 #include <netdb.h> 38 #include <nss_dbdefs.h> 39 #include <pwd.h> 40 #include <sys/stat.h> 41 #include <time.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <synch.h> 45 #include <sys/systeminfo.h> 46 #include <syslog.h> 47 #include <thread.h> 48 #include <unistd.h> 49 #include <adt_xlate.h> 50 #include <adt_ucred.h> 51 #include <arpa/inet.h> 52 #include <net/if.h> 53 #include <libinetutil.h> 54 55 static int adt_selected(struct adt_event_state *, au_event_t, int); 56 static int adt_init(adt_internal_state_t *, int); 57 static int adt_import(adt_internal_state_t *, const adt_export_data_t *); 58 static m_label_t *adt_ucred_label(ucred_t *); 59 static void adt_setto_unaudited(adt_internal_state_t *); 60 static int adt_get_local_address(int, struct ifaddrlist *); 61 62 #ifdef C2_DEBUG 63 #define DPRINTF(x) { (void) printf x; } 64 #define DFLUSH (void) fflush(stdout); 65 #else 66 #define DPRINTF(x) 67 #define DFLUSH 68 #endif 69 70 /* 71 * Local audit states are a bit mask 72 * 73 * The global audit states are 74 * 75 * AUC_UNSET 0 - on/off hasn't been decided 76 * AUC_ENABLED 1 - loaded and enabled 77 * 78 * The local Zone states are 79 * 80 * AUC_AUDITING 0x1 - audit daemon is active 81 * AUC_NOAUDIT 0x2 - audit daemon is not active 82 * AUC_INIT_AUDIT 0x4 - audit is ready but auditd has not run 83 * AUC_NOSPACE 0x8 - audit enabled, no space for audit records 84 * 85 * The only values returned by auditon(A_GETCOND) are: 86 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE 87 * 88 * The pseudo audit state used when the c2audit module is excluded is 89 * 90 * AUC_DISABLED 0x100 - c2audit module is excluded 91 */ 92 93 static int auditstate = AUC_DISABLED; /* default state */ 94 95 /* 96 * adt_write_syslog 97 * 98 * errors that are not the user's fault (bugs or whatever in 99 * the underlying audit code are noted in syslog.) 100 * 101 * Avoid calling adt_write_syslog for things that can happen 102 * at high volume. 103 * 104 * syslog's open (openlog) and close (closelog) are interesting; 105 * openlog *may* create a file descriptor and is optional. closelog 106 * *will* close any open file descriptors and is also optional. 107 * 108 * Since syslog may also be used by the calling application, the 109 * choice is to avoid openlog, which sets some otherwise useful 110 * parameters, and to embed "Solaris_audit" in the log message. 111 */ 112 113 void 114 adt_write_syslog(const char *message, int err) 115 { 116 int save_errno = errno; 117 int mask_priority; 118 119 DPRINTF(("syslog called: %s\n", message)); 120 121 mask_priority = setlogmask(LOG_MASK(LOG_ALERT)); 122 errno = err; 123 syslog(LOG_ALERT, "Solaris_audit %s: %m", message); 124 (void) setlogmask(mask_priority); 125 errno = save_errno; 126 } 127 128 /* 129 * return true if c2audit is not excluded. 130 * 131 * For purpose of this API, anything but AUC_DISABLED 132 * is enabled; however one never actually sees 133 * AUC_DISABLED since auditon returns ENOTSUP in that case. Any 134 * auditon error is considered the same as ENOTSUP for our 135 * purpose. auditstate is not changed by auditon if an error 136 * is returned. 137 */ 138 139 /* 140 * XXX this should probably be eliminated and adt_audit_state() replace it. 141 * All the legitimate uses are to not fork a waiting process for 142 * process exit processing, as in su, login, dtlogin. Other bogus 143 * users are zoneadmd and init. 144 * All but dtlogin are in ON, so we can do this without cross gate 145 * synchronization. 146 * 147 * No longer used in adt.c. 148 */ 149 150 boolean_t 151 adt_audit_enabled(void) 152 { 153 154 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 155 156 return (auditstate != AUC_DISABLED); 157 } 158 159 /* 160 * See adt_audit_enabled() for state discussions. 161 * The state parameter is a hedge until all the uses become clear. 162 * Likely if adt_audit_enabled is brought internal to this file, 163 * it could be modified to take one or more parameters to describe the 164 * state. 165 */ 166 167 boolean_t 168 adt_audit_state(int states) 169 { 170 171 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 172 173 return ((auditstate & states) ? B_TRUE : B_FALSE); 174 } 175 176 /* 177 * Get user_specific/non-attributable audit mask. This may be called even when 178 * auditing is off. 179 */ 180 181 static int 182 adt_get_mask_from_user(uid_t uid, au_mask_t *mask) 183 { 184 struct passwd pwd; 185 long buff_sz; 186 char *pwd_buff; 187 188 189 if (auditstate & AUC_DISABLED) { 190 /* c2audit excluded */ 191 mask->am_success = 0; 192 mask->am_failure = 0; 193 } else if (uid <= MAXUID) { 194 if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) { 195 adt_write_syslog("couldn't determine maximum size of " 196 "password buffer", errno); 197 return (-1); 198 } 199 if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) { 200 return (-1); 201 } 202 if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) { 203 errno = EINVAL; /* user doesn't exist */ 204 free(pwd_buff); 205 return (-1); 206 } 207 free(pwd_buff); 208 if (au_user_mask(pwd.pw_name, mask)) { 209 errno = EFAULT; /* undetermined failure */ 210 return (-1); 211 } 212 } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { 213 return (-1); 214 } 215 216 return (0); 217 } 218 219 /* 220 * adt_get_unique_id -- generate a hopefully unique 32 bit value 221 * 222 * there will be a follow up to replace this with the use of /dev/random 223 * 224 * An MD5 hash is taken on a buffer of 225 * hostname . audit id . unix time . pid . count 226 * 227 * "count = noise++;" is subject to a race condition but I don't 228 * see a need to put a lock around it. 229 */ 230 231 au_asid_t 232 adt_get_unique_id(au_id_t uid) 233 { 234 char hostname[MAXHOSTNAMELEN]; 235 union { 236 au_id_t v[4]; 237 unsigned char obuff[128/8]; 238 } output; 239 MD5_CTX context; 240 241 static int noise = 0; 242 243 int count = noise++; 244 time_t timebits = time(NULL); 245 pid_t pidbits = getpid(); 246 au_asid_t retval = 0; 247 248 if (gethostname(hostname, MAXHOSTNAMELEN)) { 249 adt_write_syslog("gethostname call failed", errno); 250 (void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN); 251 } 252 253 while (retval == 0) { /* 0 is the only invalid result */ 254 MD5Init(&context); 255 256 MD5Update(&context, (unsigned char *)hostname, 257 (unsigned int) strlen((const char *)hostname)); 258 259 MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t)); 260 261 MD5Update(&context, 262 (unsigned char *) &timebits, sizeof (time_t)); 263 264 MD5Update(&context, (unsigned char *) &pidbits, 265 sizeof (pid_t)); 266 267 MD5Update(&context, (unsigned char *) &(count), sizeof (int)); 268 MD5Final(output.obuff, &context); 269 270 retval = output.v[count % 4]; 271 } 272 return (retval); 273 } 274 275 /* 276 * the following "port" function deals with the following issues: 277 * 278 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made 279 * up from a 32 bit major and 32 bit minor. 280 * 2 User space deals with a dev_t as either the above 64 bit value 281 * or a 32 bit value made from a 14 bit major and an 18 bit minor. 282 * 3 The various audit interfaces (except ucred) pass the 32 or 283 * 64 bit version depending the architecture of the userspace 284 * application. If you get a port value from ucred and pass it 285 * to the kernel via auditon(), it must be squeezed into a 32 286 * bit value because the kernel knows the userspace app's bit 287 * size. 288 * 289 * The internal state structure for adt (adt_internal_state_t) uses 290 * dev_t, so adt converts data from ucred to fit. The import/export 291 * functions, however, can't know if they are importing/exporting 292 * from 64 or 32 bit applications, so they always send 64 bits and 293 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as 294 * appropriate. 295 */ 296 297 /* 298 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are 299 * both 64 bits). If lib is 32 bits, squeeze the two-int port into 300 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t, 301 * so it isn't broken up into pieces. (When it goes to the kernel 302 * and back, however, it will have been split into major/minor 303 * pieces.) 304 */ 305 306 static void 307 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src) 308 { 309 #ifdef _LP64 310 (void) memcpy(dest, src, sizeof (au_tid_addr_t)); 311 #else /* _LP64 */ 312 dest->at_type = src->at_type; 313 314 dest->at_port = src->at_port.at_minor & MAXMIN32; 315 dest->at_port |= (src->at_port.at_major & MAXMAJ32) << 316 NBITSMINOR32; 317 318 (void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t)); 319 #endif /* _LP64 */ 320 } 321 322 /* 323 * adt_start_session -- create interface handle, create context 324 * 325 * The imported_state input is normally NULL, if not, it represents 326 * a continued session; its values obviate the need for a subsequent 327 * call to adt_set_user(). 328 * 329 * The flag is used to decide how to set the initial state of the session. 330 * If 0, the session is "no audit" until a call to adt_set_user; if 331 * ADT_USE_PROC_DATA, the session is built from the process audit 332 * characteristics obtained from the kernel. If imported_state is 333 * not NULL, the resulting audit mask is an OR of the current process 334 * audit mask and that passed in. 335 * 336 * The basic model is that the caller can use the pointer returned 337 * by adt_start_session whether or not auditing is enabled or an 338 * error was returned. The functions that take the session handle 339 * as input generally return without doing anything if auditing is 340 * disabled. 341 */ 342 343 int 344 adt_start_session(adt_session_data_t **new_session, 345 const adt_export_data_t *imported_state, adt_session_flags_t flags) 346 { 347 adt_internal_state_t *state; 348 adt_session_flags_t flgmask = ADT_FLAGS_ALL; 349 350 /* test and set auditstate */ 351 if (adt_audit_state(AUC_DISABLED)) { 352 /* c2audit excluded */ 353 *new_session = NULL; 354 return (0); 355 } 356 357 if ((flags & ~flgmask) != 0) { 358 errno = EINVAL; 359 goto return_err; 360 } 361 362 if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) { 363 goto return_err; 364 } 365 366 if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) { 367 goto return_err_free; /* errno from adt_init() */ 368 } 369 370 /* 371 * The imported state overwrites the initial state if the 372 * imported state represents a valid audit trail 373 */ 374 375 if (imported_state != NULL) { 376 if (adt_import(state, imported_state) != 0) { 377 goto return_err_free; 378 } 379 } else if (flags & ADT_USE_PROC_DATA) { 380 state->as_session_model = ADT_PROCESS_MODEL; 381 } 382 state->as_flags = flags; 383 DPRINTF(("(%lld) Starting session id = %08X\n", 384 (long long) getpid(), state->as_info.ai_asid)); 385 386 *new_session = (adt_session_data_t *)state; 387 return (0); 388 389 return_err_free: 390 free(state); 391 return_err: 392 *new_session = NULL; 393 adt_write_syslog("audit session create failed", errno); 394 return (-1); 395 } 396 397 /* 398 * adt_load_table() 399 * 400 * loads the event translation table into the audit session. 401 */ 402 403 void 404 adt_load_table(const adt_session_data_t *session_data, 405 adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *)) 406 { 407 adt_internal_state_t *state = (adt_internal_state_t *)session_data; 408 409 if (state != NULL) { 410 assert(state->as_check == ADT_VALID); 411 state->as_xlate = xlate; 412 state->as_preload = preload; 413 } 414 } 415 416 /* 417 * adt_get_asid() and adt_set_asid() 418 * 419 * if you use this interface, you are responsible to insure that the 420 * rest of the session data is populated correctly before calling 421 * adt_proccess_attr() 422 * 423 * neither of these are intended for general use and will likely 424 * remain private interfaces for a long time. Forever is a long 425 * time. In the case of adt_set_asid(), you should have a very, 426 * very good reason for setting your own session id. The process 427 * audit characteristics are not changed by put, use adt_set_proc(). 428 * 429 * These are "volatile" (more changable than "evolving") and will 430 * probably change in the S10 period. 431 */ 432 433 void 434 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid) 435 { 436 437 if (session_data == NULL) { 438 *asid = 0; 439 } else { 440 assert(((adt_internal_state_t *)session_data)->as_check == 441 ADT_VALID); 442 443 *asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid; 444 } 445 } 446 447 void 448 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id) 449 { 450 451 if (session_data != NULL) { 452 assert(((adt_internal_state_t *)session_data)->as_check == 453 ADT_VALID); 454 455 ((adt_internal_state_t *)session_data)->as_have_user_data |= 456 ADT_HAVE_ASID; 457 ((adt_internal_state_t *)session_data)->as_info.ai_asid = 458 session_id; 459 } 460 } 461 462 /* 463 * adt_get_auid() and adt_set_auid() 464 * 465 * neither of these are intended for general use and will likely 466 * remain private interfaces for a long time. Forever is a long 467 * time. In the case of adt_set_auid(), you should have a very, 468 * very good reason for setting your own audit id. The process 469 * audit characteristics are not changed by put, use adt_set_proc(). 470 */ 471 472 void 473 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid) 474 { 475 476 if (session_data == NULL) { 477 *auid = AU_NOAUDITID; 478 } else { 479 assert(((adt_internal_state_t *)session_data)->as_check == 480 ADT_VALID); 481 482 *auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid; 483 } 484 } 485 486 void 487 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id) 488 { 489 490 if (session_data != NULL) { 491 assert(((adt_internal_state_t *)session_data)->as_check == 492 ADT_VALID); 493 494 ((adt_internal_state_t *)session_data)->as_have_user_data |= 495 ADT_HAVE_AUID; 496 ((adt_internal_state_t *)session_data)->as_info.ai_auid = 497 audit_id; 498 } 499 } 500 501 /* 502 * adt_get_termid(), adt_set_termid() 503 * 504 * if you use this interface, you are responsible to insure that the 505 * rest of the session data is populated correctly before calling 506 * adt_proccess_attr() 507 * 508 * The process audit characteristics are not changed by put, use 509 * adt_set_proc(). 510 */ 511 512 void 513 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid) 514 { 515 516 if (session_data == NULL) { 517 (void) memset(termid, 0, sizeof (au_tid_addr_t)); 518 termid->at_type = AU_IPv4; 519 } else { 520 assert(((adt_internal_state_t *)session_data)->as_check == 521 ADT_VALID); 522 523 *termid = 524 ((adt_internal_state_t *)session_data)->as_info.ai_termid; 525 } 526 } 527 528 void 529 adt_set_termid(const adt_session_data_t *session_data, 530 const au_tid_addr_t *termid) 531 { 532 533 if (session_data != NULL) { 534 assert(((adt_internal_state_t *)session_data)->as_check == 535 ADT_VALID); 536 537 ((adt_internal_state_t *)session_data)->as_info.ai_termid = 538 *termid; 539 540 ((adt_internal_state_t *)session_data)->as_have_user_data |= 541 ADT_HAVE_TID; 542 } 543 } 544 545 /* 546 * adt_get_mask(), adt_set_mask() 547 * 548 * if you use this interface, you are responsible to insure that the 549 * rest of the session data is populated correctly before calling 550 * adt_proccess_attr() 551 * 552 * The process audit characteristics are not changed by put, use 553 * adt_set_proc(). 554 */ 555 556 void 557 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask) 558 { 559 560 if (session_data == NULL) { 561 mask->am_success = 0; 562 mask->am_failure = 0; 563 } else { 564 assert(((adt_internal_state_t *)session_data)->as_check == 565 ADT_VALID); 566 567 *mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask; 568 } 569 } 570 571 void 572 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask) 573 { 574 575 if (session_data != NULL) { 576 assert(((adt_internal_state_t *)session_data)->as_check == 577 ADT_VALID); 578 579 ((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask; 580 581 ((adt_internal_state_t *)session_data)->as_have_user_data |= 582 ADT_HAVE_MASK; 583 } 584 } 585 586 /* 587 * helpers for adt_load_termid 588 */ 589 590 static void 591 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock, 592 au_tid_addr_t *termid) 593 { 594 595 termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port)); 596 termid->at_type = AU_IPv6; 597 (void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t)); 598 } 599 600 static void 601 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock, 602 au_tid_addr_t *termid) 603 { 604 605 termid->at_port = ((peer->sin_port<<16) | (sock->sin_port)); 606 607 termid->at_type = AU_IPv4; 608 termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr; 609 (void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t)); 610 } 611 612 /* 613 * adt_load_termid: convenience function; inputs file handle and 614 * outputs an au_tid_addr struct. 615 * 616 * This code was stolen from audit_settid.c; it differs from audit_settid() 617 * in that it does not write the terminal id to the process. 618 */ 619 620 int 621 adt_load_termid(int fd, adt_termid_t **termid) 622 { 623 au_tid_addr_t *p_term; 624 struct sockaddr_in6 peer; 625 struct sockaddr_in6 sock; 626 int peerlen = sizeof (peer); 627 int socklen = sizeof (sock); 628 629 /* get peer name if its a socket, else assume local terminal */ 630 631 if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen) 632 < 0) { 633 if (errno == ENOTSOCK) { 634 return (adt_load_hostname(NULL, termid)); 635 } 636 goto return_err; 637 } 638 639 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 640 goto return_err; 641 } 642 643 /* get sock name */ 644 if (getsockname(fd, (struct sockaddr *)&sock, 645 (socklen_t *)&socklen) < 0) { 646 goto return_err_free; 647 } 648 649 if (peer.sin6_family == AF_INET6) { 650 adt_do_ipv6_address(&peer, &sock, p_term); 651 } else { 652 adt_do_ipv4_address((struct sockaddr_in *)&peer, 653 (struct sockaddr_in *)&sock, p_term); 654 } 655 *termid = (adt_termid_t *)p_term; 656 657 return (0); 658 659 return_err_free: 660 free(p_term); 661 return_err: 662 *termid = NULL; 663 return (-1); 664 } 665 666 static boolean_t 667 adt_have_termid(au_tid_addr_t *dest) 668 { 669 struct auditinfo_addr audit_data; 670 671 if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) { 672 adt_write_syslog("getaudit failed", errno); 673 return (B_FALSE); 674 } 675 676 if ((audit_data.ai_termid.at_type == 0) || 677 (audit_data.ai_termid.at_addr[0] | 678 audit_data.ai_termid.at_addr[1] | 679 audit_data.ai_termid.at_addr[2] | 680 audit_data.ai_termid.at_addr[3]) == 0) 681 return (B_FALSE); 682 683 (void) memcpy(dest, &(audit_data.ai_termid), 684 sizeof (au_tid_addr_t)); 685 686 return (B_TRUE); 687 } 688 689 /* 690 * adt_get_hostIP - construct a terminal id from a hostname 691 * 692 * Returns 0 = success 693 * -1 = failure and errno = ENETDOWN with the address 694 * defaulted to IPv4 loopback. 695 */ 696 697 static int 698 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term) 699 { 700 struct addrinfo *ai = NULL; 701 int tries = 3; 702 char msg[512]; 703 int eai_err; 704 705 while ((tries-- > 0) && 706 ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) { 707 /* 708 * getaddrinfo returns its own set of errors. 709 * Log them here, so any subsequent syslogs will 710 * have a context. adt_get_hostIP callers can only 711 * return errno, so subsequent syslogs may be lacking 712 * that getaddrinfo failed. 713 */ 714 (void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) " 715 "failed[%s]", hostname, gai_strerror(eai_err)); 716 adt_write_syslog(msg, 0); 717 718 if (eai_err != EAI_AGAIN) { 719 720 break; 721 } 722 /* see if resolution becomes available */ 723 (void) sleep(1); 724 } 725 if (ai != NULL) { 726 if (ai->ai_family == AF_INET) { 727 p_term->at_type = AU_IPv4; 728 (void) memcpy(p_term->at_addr, 729 /* LINTED */ 730 &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 731 AU_IPv4); 732 } else { 733 p_term->at_type = AU_IPv6; 734 (void) memcpy(p_term->at_addr, 735 /* LINTED */ 736 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 737 AU_IPv6); 738 } 739 freeaddrinfo(ai); 740 return (0); 741 } else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) { 742 auditinfo_addr_t audit_info; 743 744 /* 745 * auditd is running so there should be a 746 * kernel audit context 747 */ 748 if (auditon(A_GETKAUDIT, (caddr_t)&audit_info, 749 sizeof (audit_info)) < 0) { 750 adt_write_syslog("unable to get kernel audit context", 751 errno); 752 goto try_interface; 753 } 754 adt_write_syslog("setting Audit IP address to kernel", 0); 755 *p_term = audit_info.ai_termid; 756 return (0); 757 } 758 try_interface: 759 { 760 struct ifaddrlist al; 761 int family; 762 char ntop[INET6_ADDRSTRLEN]; 763 764 /* 765 * getaddrinfo has failed to map the hostname 766 * to an IP address, try to get an IP address 767 * from a local interface. If none up, default 768 * to loopback. 769 */ 770 family = AF_INET6; 771 if (adt_get_local_address(family, &al) != 0) { 772 family = AF_INET; 773 774 if (adt_get_local_address(family, &al) != 0) { 775 adt_write_syslog("adt_get_local_address " 776 "failed, no Audit IP address available, " 777 "faking loopback and error", 778 errno); 779 IN_SET_LOOPBACK_ADDR( 780 (struct sockaddr_in *)&(al.addr.addr)); 781 (void) memcpy(p_term->at_addr, &al.addr.addr, 782 AU_IPv4); 783 p_term->at_type = AU_IPv4; 784 return (-1); 785 } 786 } 787 if (family == AF_INET) { 788 p_term->at_type = AU_IPv4; 789 (void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4); 790 } else { 791 p_term->at_type = AU_IPv6; 792 (void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6); 793 } 794 795 (void) snprintf(msg, sizeof (msg), "mapping %s to %s", 796 hostname, inet_ntop(family, &(al.addr), ntop, 797 sizeof (ntop))); 798 adt_write_syslog(msg, 0); 799 return (0); 800 } 801 } 802 803 /* 804 * adt_load_hostname() is called when the caller does not have a file 805 * handle that gives access to the socket info or any other way to 806 * pass in both port and ip address. The hostname input is ignored if 807 * the terminal id has already been set; instead it returns the 808 * existing terminal id. 809 * 810 * If c2audit is excluded, success is returned. 811 * If the hostname lookup fails, the loopback address is assumed, 812 * errno is set to ENETDOWN, this allows the caller to interpret 813 * whether failure is fatal, and if not to have a address for the 814 * hostname. 815 * Otherwise the caller would need to be aware of the audit state. 816 * 817 * Other errors are ignored if not auditing. 818 */ 819 820 int 821 adt_load_hostname(const char *hostname, adt_termid_t **termid) 822 { 823 char localhost[MAXHOSTNAMELEN + 1]; 824 au_tid_addr_t *p_term; 825 826 if (adt_audit_state(AUC_DISABLED)) { 827 /* c2audit excluded */ 828 *termid = NULL; 829 return (0); 830 } 831 832 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 833 goto return_err; 834 } 835 836 if (adt_have_termid(p_term)) { 837 *termid = (adt_termid_t *)p_term; 838 return (0); 839 } 840 p_term->at_port = 0; 841 842 if (hostname == NULL || *hostname == '\0') { 843 (void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN); 844 hostname = localhost; 845 } 846 if (adt_get_hostIP(hostname, p_term) == 0) { 847 *termid = (adt_termid_t *)p_term; 848 return (0); 849 } else { 850 *termid = (adt_termid_t *)p_term; 851 return (-1); 852 } 853 854 return_err: 855 *termid = NULL; 856 if (auditstate & AUC_NOAUDIT) { 857 return (0); 858 } 859 860 return (-1); 861 } 862 863 /* 864 * adt_load_ttyname() is called when the caller does not have a file 865 * handle that gives access to the local terminal or any other way 866 * of determining the device id. The ttyname input is ignored if 867 * the terminal id has already been set; instead it returns the 868 * existing terminal id. 869 * 870 * If c2audit is excluded, success is returned. 871 * The local hostname is used for the local IP address. 872 * If that hostname lookup fails, the loopback address is assumed, 873 * errno is set to ENETDOWN, this allows the caller to interpret 874 * whether failure is fatal, and if not to have a address for the 875 * hostname. 876 * Otherwise the caller would need to be aware of the audit state. 877 * 878 * Other errors are ignored if not auditing. 879 */ 880 881 int 882 adt_load_ttyname(const char *ttyname, adt_termid_t **termid) 883 { 884 char localhost[MAXHOSTNAMELEN + 1]; 885 au_tid_addr_t *p_term; 886 struct stat stat_buf; 887 888 if (adt_audit_state(AUC_DISABLED)) { 889 /* c2audit excluded */ 890 *termid = NULL; 891 return (0); 892 } 893 894 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 895 goto return_err; 896 } 897 898 if (adt_have_termid(p_term)) { 899 *termid = (adt_termid_t *)p_term; 900 return (0); 901 } 902 903 p_term->at_port = 0; 904 905 if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) { 906 goto return_err_free; /* errno from sysinfo */ 907 } 908 909 if (ttyname != NULL && *ttyname != '\0') { 910 if (stat(ttyname, &stat_buf) < 0) { 911 goto return_err_free; 912 } 913 914 p_term->at_port = stat_buf.st_rdev; 915 } 916 917 if (adt_get_hostIP(localhost, p_term) == 0) { 918 *termid = (adt_termid_t *)p_term; 919 return (0); 920 } else { 921 *termid = (adt_termid_t *)p_term; 922 return (-1); 923 } 924 925 return_err_free: 926 free(p_term); 927 928 return_err: 929 *termid = NULL; 930 if (auditstate & AUC_NOAUDIT) { 931 return (0); 932 } 933 934 return (-1); 935 } 936 937 /* 938 * adt_get_session_id returns a stringified representation of 939 * the audit session id. See also adt_get_asid() for how to 940 * get the unexpurgated version. No guarantees as to how long 941 * the returned string will be or its general form; hex for now. 942 * 943 * An empty string is returned if auditing is off; length = 1 944 * and the pointer is valid. 945 * 946 * returns strlen + 1 if buffer is valid; else 0 and errno. 947 */ 948 949 size_t 950 adt_get_session_id(const adt_session_data_t *session_data, char **buff) 951 { 952 au_asid_t session_id; 953 size_t length; 954 /* 955 * output is 0x followed by 956 * two characters per byte 957 * plus terminator, 958 * except leading 0's are suppressed, so a few bytes may 959 * be unused. 960 */ 961 length = 2 + (2 * sizeof (session_id)) + 1; 962 *buff = malloc(length); 963 964 if (*buff == NULL) { 965 return (0); 966 } 967 if (session_data == NULL) { /* NULL is not an error */ 968 **buff = '\0'; 969 return (1); 970 } 971 adt_get_asid(session_data, &session_id); 972 973 length = snprintf(*buff, length, "0x%X", (int)session_id); 974 975 /* length < 1 is a bug: the session data type may have changed */ 976 assert(length > 0); 977 978 return (length); 979 } 980 981 /* 982 * adt_end_session -- close handle, clear context 983 * 984 * if as_check is invalid, no harm, no foul, EXCEPT that this could 985 * be an attempt to free data already free'd, so output to syslog 986 * to help explain why the process cored dumped. 987 */ 988 989 int 990 adt_end_session(adt_session_data_t *session_data) 991 { 992 adt_internal_state_t *state; 993 994 if (session_data != NULL) { 995 state = (adt_internal_state_t *)session_data; 996 if (state->as_check != ADT_VALID) { 997 adt_write_syslog("freeing invalid data", EINVAL); 998 } else { 999 state->as_check = 0; 1000 m_label_free(state->as_label); 1001 free(session_data); 1002 } 1003 } 1004 /* no errors yet defined */ 1005 return (0); 1006 } 1007 1008 /* 1009 * adt_dup_session -- copy the session data 1010 */ 1011 1012 int 1013 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest) 1014 { 1015 adt_internal_state_t *source_state; 1016 adt_internal_state_t *dest_state = NULL; 1017 int rc = 0; 1018 1019 if (source != NULL) { 1020 source_state = (adt_internal_state_t *)source; 1021 assert(source_state->as_check == ADT_VALID); 1022 1023 dest_state = malloc(sizeof (adt_internal_state_t)); 1024 if (dest_state == NULL) { 1025 rc = -1; 1026 goto return_rc; 1027 } 1028 (void) memcpy(dest_state, source, 1029 sizeof (struct adt_internal_state)); 1030 1031 if (source_state->as_label != NULL) { 1032 dest_state->as_label = NULL; 1033 if ((rc = m_label_dup(&dest_state->as_label, 1034 source_state->as_label)) != 0) { 1035 free(dest_state); 1036 dest_state = NULL; 1037 } 1038 } 1039 } 1040 return_rc: 1041 *dest = (adt_session_data_t *)dest_state; 1042 return (rc); 1043 } 1044 1045 /* 1046 * from_export_format() 1047 * read from a network order buffer into struct adt_session_data 1048 */ 1049 1050 static size_t 1051 adt_from_export_format(adt_internal_state_t *internal, 1052 const adt_export_data_t *external) 1053 { 1054 struct export_header head; 1055 struct export_link link; 1056 adr_t context; 1057 int32_t offset; 1058 int32_t length; 1059 int32_t version; 1060 size_t label_len; 1061 char *p = (char *)external; 1062 1063 adrm_start(&context, (char *)external); 1064 adrm_int32(&context, (int *)&head, 4); 1065 1066 if ((internal->as_check = head.ax_check) != ADT_VALID) { 1067 errno = EINVAL; 1068 return (0); 1069 } 1070 offset = head.ax_link.ax_offset; 1071 version = head.ax_link.ax_version; 1072 length = head.ax_buffer_length; 1073 1074 /* 1075 * Skip newer versions. 1076 */ 1077 while (version > PROTOCOL_VERSION_2) { 1078 if (offset < 1) { 1079 return (0); /* failed to match version */ 1080 } 1081 p += offset; /* point to next version # */ 1082 1083 if (p > (char *)external + length) { 1084 return (0); 1085 } 1086 adrm_start(&context, p); 1087 adrm_int32(&context, (int *)&link, 2); 1088 offset = link.ax_offset; 1089 version = link.ax_version; 1090 assert(version != 0); 1091 } 1092 /* 1093 * Adjust buffer pointer to the first data item (euid). 1094 */ 1095 if (p == (char *)external) { 1096 adrm_start(&context, (char *)(p + sizeof (head))); 1097 } else { 1098 adrm_start(&context, (char *)(p + sizeof (link))); 1099 } 1100 /* 1101 * if down rev version, neither pid nor label are included 1102 * in v1 ax_size_of_tsol_data intentionally ignored 1103 */ 1104 if (version == PROTOCOL_VERSION_1) { 1105 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1106 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1107 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1108 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1109 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1110 adrm_int32(&context, 1111 (int *)&(internal->as_info.ai_mask.am_success), 2); 1112 adrm_int32(&context, 1113 (int *)&(internal->as_info.ai_termid.at_port), 1); 1114 adrm_int32(&context, 1115 (int *)&(internal->as_info.ai_termid.at_type), 1); 1116 adrm_int32(&context, 1117 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1118 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1119 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1120 internal->as_pid = (pid_t)-1; 1121 internal->as_label = NULL; 1122 } else if (version == PROTOCOL_VERSION_2) { 1123 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1124 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1125 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1126 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1127 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1128 adrm_int32(&context, 1129 (int *)&(internal->as_info.ai_mask.am_success), 2); 1130 adrm_int32(&context, 1131 (int *)&(internal->as_info.ai_termid.at_port), 1); 1132 adrm_int32(&context, 1133 (int *)&(internal->as_info.ai_termid.at_type), 1); 1134 adrm_int32(&context, 1135 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1136 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1137 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1138 adrm_int32(&context, (int *)&(internal->as_pid), 1); 1139 adrm_int32(&context, (int *)&label_len, 1); 1140 if (label_len > 0) { 1141 /* read in and deal with different sized labels. */ 1142 size32_t my_label_len = blabel_size(); 1143 1144 if ((internal->as_label = 1145 m_label_alloc(MAC_LABEL)) == NULL) { 1146 return (0); 1147 } 1148 if (label_len > my_label_len) { 1149 errno = EINVAL; 1150 m_label_free(internal->as_label); 1151 return (0); 1152 } 1153 (void) memset(internal->as_label, 0, my_label_len); 1154 adrm_int32(&context, (int *)(internal->as_label), 1155 label_len / sizeof (int32_t)); 1156 } else { 1157 internal->as_label = NULL; 1158 } 1159 } 1160 1161 return (length); 1162 } 1163 1164 /* 1165 * adt_to_export_format 1166 * read from struct adt_session_data into a network order buffer. 1167 * 1168 * (network order 'cause this data may be shared with a remote host.) 1169 */ 1170 1171 static size_t 1172 adt_to_export_format(adt_export_data_t *external, 1173 adt_internal_state_t *internal) 1174 { 1175 struct export_header head; 1176 struct export_link tail; 1177 adr_t context; 1178 size32_t label_len = 0; 1179 1180 adrm_start(&context, (char *)external); 1181 1182 if (internal->as_label != NULL) { 1183 label_len = blabel_size(); 1184 } 1185 1186 head.ax_check = ADT_VALID; 1187 head.ax_buffer_length = sizeof (struct adt_export_data) + label_len; 1188 1189 /* version 2 first */ 1190 1191 head.ax_link.ax_version = PROTOCOL_VERSION_2; 1192 head.ax_link.ax_offset = sizeof (struct export_header) + 1193 sizeof (struct adt_export_v2) + label_len; 1194 1195 adrm_putint32(&context, (int *)&head, 4); 1196 1197 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1198 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1199 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1200 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1201 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1202 adrm_putint32(&context, 1203 (int *)&(internal->as_info.ai_mask.am_success), 2); 1204 adrm_putint32(&context, 1205 (int *)&(internal->as_info.ai_termid.at_port), 1); 1206 adrm_putint32(&context, 1207 (int *)&(internal->as_info.ai_termid.at_type), 1); 1208 adrm_putint32(&context, 1209 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1210 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1211 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1212 adrm_putint32(&context, (int *)&(internal->as_pid), 1); 1213 adrm_putint32(&context, (int *)&label_len, 1); 1214 if (internal->as_label != NULL) { 1215 /* serialize the label */ 1216 adrm_putint32(&context, (int *)(internal->as_label), 1217 (label_len / sizeof (int32_t))); 1218 } 1219 1220 /* now version 1 */ 1221 1222 tail.ax_version = PROTOCOL_VERSION_1; 1223 tail.ax_offset = 0; 1224 1225 adrm_putint32(&context, (int *)&tail, 2); 1226 1227 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1228 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1229 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1230 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1231 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1232 adrm_putint32(&context, 1233 (int *)&(internal->as_info.ai_mask.am_success), 2); 1234 adrm_putint32(&context, 1235 (int *)&(internal->as_info.ai_termid.at_port), 1); 1236 adrm_putint32(&context, 1237 (int *)&(internal->as_info.ai_termid.at_type), 1); 1238 adrm_putint32(&context, 1239 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1240 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1241 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1242 /* ignored in v1 */ 1243 adrm_putint32(&context, (int *)&label_len, 1); 1244 1245 /* finally terminator */ 1246 1247 tail.ax_version = 0; /* invalid version number */ 1248 tail.ax_offset = 0; 1249 1250 adrm_putint32(&context, (int *)&tail, 2); 1251 1252 return (head.ax_buffer_length); 1253 } 1254 1255 /* 1256 * adt_ucred_label() -- if label is available, duplicate it. 1257 */ 1258 1259 static m_label_t * 1260 adt_ucred_label(ucred_t *uc) 1261 { 1262 m_label_t *ul = NULL; 1263 1264 if (ucred_getlabel(uc) != NULL) { 1265 (void) m_label_dup(&ul, ucred_getlabel(uc)); 1266 } 1267 1268 return (ul); 1269 } 1270 1271 /* 1272 * adt_import() -- convert from network order to machine-specific order 1273 */ 1274 1275 static int 1276 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external) 1277 { 1278 au_mask_t mask; 1279 1280 /* save local audit state */ 1281 int local_audit_state = internal->as_audit_state; 1282 1283 if (adt_from_export_format(internal, external) < 1) 1284 return (-1); /* errno from adt_from_export_format */ 1285 1286 /* 1287 * If audit isn't enabled on the remote, they were unable 1288 * to generate the audit mask, so generate it based on 1289 * local configuration. If the user id has changed, the 1290 * resulting mask may miss some subtleties that occurred 1291 * on the remote system. 1292 * 1293 * If the remote failed to generate a terminal id, it is not 1294 * recoverable. 1295 */ 1296 1297 if (!(internal->as_audit_state & AUC_DISABLED)) { 1298 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1299 &(internal->as_info.ai_mask))) 1300 return (-1); 1301 if (internal->as_info.ai_auid != internal->as_ruid) { 1302 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1303 &mask)) 1304 return (-1); 1305 internal->as_info.ai_mask.am_success |= 1306 mask.am_success; 1307 internal->as_info.ai_mask.am_failure |= 1308 mask.am_failure; 1309 } 1310 } 1311 internal->as_audit_state = local_audit_state; 1312 1313 DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(), 1314 internal->as_info.ai_asid, 1315 internal->as_info.ai_asid)); 1316 1317 internal->as_have_user_data = ADT_HAVE_ALL; 1318 1319 return (0); 1320 } 1321 1322 /* 1323 * adt_export_session_data() 1324 * copies a adt_session_data struct into a network order buffer 1325 * 1326 * In a misconfigured network, the local host may have auditing 1327 * off while the destination may have auditing on, so if there 1328 * is sufficient memory, a buffer will be returned even in the 1329 * audit off case. 1330 */ 1331 1332 size_t 1333 adt_export_session_data(const adt_session_data_t *internal, 1334 adt_export_data_t **external) 1335 { 1336 size32_t length = 0; 1337 1338 if ((internal != NULL) && 1339 ((adt_internal_state_t *)internal)->as_label != NULL) { 1340 length = blabel_size(); 1341 } 1342 1343 *external = malloc(sizeof (adt_export_data_t) + length); 1344 1345 if (*external == NULL) 1346 return (0); 1347 1348 if (internal == NULL) { 1349 adt_internal_state_t *dummy; 1350 1351 dummy = malloc(sizeof (adt_internal_state_t)); 1352 if (dummy == NULL) 1353 goto return_length_free; 1354 1355 if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */ 1356 free(dummy); 1357 goto return_length_free; 1358 } 1359 length = adt_to_export_format(*external, dummy); 1360 free(dummy); 1361 } else { 1362 length = adt_to_export_format(*external, 1363 (adt_internal_state_t *)internal); 1364 } 1365 return (length); 1366 1367 return_length_free: 1368 free(*external); 1369 *external = NULL; 1370 return (0); 1371 } 1372 1373 static void 1374 adt_setto_unaudited(adt_internal_state_t *state) 1375 { 1376 if (state->as_audit_state & AUC_DISABLED) { 1377 state->as_ruid = AU_NOAUDITID; 1378 state->as_euid = AU_NOAUDITID; 1379 state->as_rgid = AU_NOAUDITID; 1380 state->as_egid = AU_NOAUDITID; 1381 state->as_pid = (pid_t)-1; 1382 state->as_label = NULL; 1383 } else { 1384 state->as_info.ai_asid = 0; 1385 state->as_info.ai_auid = AU_NOAUDITID; 1386 1387 (void) memset((void *)&(state->as_info.ai_termid), 0, 1388 sizeof (au_tid_addr_t)); 1389 state->as_info.ai_termid.at_type = AU_IPv4; 1390 1391 (void) memset((void *)&(state->as_info.ai_mask), 0, 1392 sizeof (au_mask_t)); 1393 state->as_have_user_data = 0; 1394 } 1395 } 1396 1397 /* 1398 * adt_init -- set session context by copying the audit characteristics 1399 * from the proc and picking up current uid/tid information. 1400 * 1401 * By default, an audit session is based on the process; the default 1402 * is overriden by adt_set_user() 1403 */ 1404 1405 static int 1406 adt_init(adt_internal_state_t *state, int use_proc_data) 1407 { 1408 /* ensure auditstate is set */ 1409 1410 (void) adt_audit_state(0); 1411 state->as_audit_state = auditstate; 1412 1413 if (use_proc_data) { 1414 state->as_ruid = getuid(); 1415 state->as_euid = geteuid(); 1416 state->as_rgid = getgid(); 1417 state->as_egid = getegid(); 1418 state->as_pid = getpid(); 1419 1420 if (!(state->as_audit_state & AUC_DISABLED)) { 1421 const au_tid64_addr_t *tid; 1422 const au_mask_t *mask; 1423 ucred_t *ucred = ucred_get(P_MYID); 1424 1425 /* 1426 * Even if the ucred is NULL, the underlying 1427 * credential may have a valid terminal id; if the 1428 * terminal id is set, then that's good enough. An 1429 * example of where this matters is failed login, 1430 * where rlogin/telnet sets the terminal id before 1431 * calling login; login does not load the credential 1432 * since auth failed. 1433 */ 1434 if (ucred == NULL) { 1435 if (!adt_have_termid( 1436 &(state->as_info.ai_termid))) 1437 return (-1); 1438 } else { 1439 mask = ucred_getamask(ucred); 1440 if (mask != NULL) { 1441 state->as_info.ai_mask = *mask; 1442 } else { 1443 ucred_free(ucred); 1444 return (-1); 1445 } 1446 tid = ucred_getatid(ucred); 1447 if (tid != NULL) { 1448 adt_cpy_tid(&(state->as_info.ai_termid), 1449 tid); 1450 } else { 1451 ucred_free(ucred); 1452 return (-1); 1453 } 1454 state->as_info.ai_asid = ucred_getasid(ucred); 1455 state->as_info.ai_auid = ucred_getauid(ucred); 1456 state->as_label = adt_ucred_label(ucred); 1457 ucred_free(ucred); 1458 } 1459 state->as_have_user_data = ADT_HAVE_ALL; 1460 } 1461 } else { 1462 adt_setto_unaudited(state); 1463 } 1464 state->as_session_model = ADT_SESSION_MODEL; /* default */ 1465 1466 if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) && 1467 auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy), 1468 sizeof (state->as_kernel_audit_policy))) { 1469 return (-1); /* errno set by auditon */ 1470 } 1471 state->as_check = ADT_VALID; 1472 adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0], 1473 &adt_preload); 1474 return (0); 1475 } 1476 1477 /* 1478 * adt_set_proc 1479 * 1480 * Copy the current session state to the process. If this function 1481 * is called, the model becomes a process model rather than a 1482 * session model. 1483 * 1484 * In the current implementation, the value state->as_have_user_data 1485 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set 1486 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in. 1487 * 1488 */ 1489 1490 int 1491 adt_set_proc(const adt_session_data_t *session_data) 1492 { 1493 adt_internal_state_t *state; 1494 1495 if (session_data == NULL) { 1496 return (0); 1497 } 1498 1499 state = (adt_internal_state_t *)session_data; 1500 1501 assert(state->as_check == ADT_VALID); 1502 1503 if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) != 1504 (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) { 1505 errno = EINVAL; 1506 goto return_err; 1507 } 1508 1509 if (setaudit_addr((auditinfo_addr_t *)&(state->as_info), 1510 sizeof (auditinfo_addr_t)) < 0) { 1511 goto return_err; /* errno set by setaudit_addr() */ 1512 } 1513 1514 state->as_session_model = ADT_PROCESS_MODEL; 1515 1516 return (0); 1517 1518 return_err: 1519 adt_write_syslog("failed to set process audit characteristics", errno); 1520 return (-1); 1521 } 1522 1523 static int 1524 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid) 1525 { 1526 au_tid_addr_t no_tid = {0, AU_IPv4, 0, 0, 0, 0}; 1527 au_mask_t no_mask = {0, 0}; 1528 1529 if (ruid == ADT_NO_AUDIT) { 1530 state->as_info.ai_auid = AU_NOAUDITID; 1531 state->as_info.ai_asid = 0; 1532 state->as_info.ai_termid = no_tid; 1533 state->as_info.ai_mask = no_mask; 1534 return (0); 1535 } 1536 state->as_info.ai_auid = ruid; 1537 state->as_info.ai_asid = adt_get_unique_id(ruid); 1538 if (termid != NULL) 1539 state->as_info.ai_termid = *termid; 1540 1541 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask))) 1542 return (-1); 1543 1544 /* Assume intending to audit as this process */ 1545 1546 if (state->as_pid == (pid_t)-1) 1547 state->as_pid = getpid(); 1548 1549 if (is_system_labeled() && state->as_label == NULL) { 1550 ucred_t *ucred = ucred_get(P_MYID); 1551 1552 state->as_label = adt_ucred_label(ucred); 1553 ucred_free(ucred); 1554 } 1555 1556 return (0); 1557 } 1558 1559 static int 1560 adt_changeuser(adt_internal_state_t *state, uid_t ruid) 1561 { 1562 au_mask_t mask; 1563 1564 if (!(state->as_have_user_data & ADT_HAVE_AUID)) 1565 state->as_info.ai_auid = ruid; 1566 if (!(state->as_have_user_data & ADT_HAVE_ASID)) 1567 state->as_info.ai_asid = adt_get_unique_id(ruid); 1568 1569 if (ruid <= MAXEPHUID) { 1570 if (adt_get_mask_from_user(ruid, &mask)) 1571 return (-1); 1572 1573 state->as_info.ai_mask.am_success |= mask.am_success; 1574 state->as_info.ai_mask.am_failure |= mask.am_failure; 1575 } 1576 DPRINTF(("changed mask to %08X/%08X for ruid=%d\n", 1577 state->as_info.ai_mask.am_success, 1578 state->as_info.ai_mask.am_failure, 1579 ruid)); 1580 return (0); 1581 } 1582 1583 /* 1584 * adt_set_user -- see also adt_set_from_ucred() 1585 * 1586 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or 1587 * "unattributed." If ruid, change the model to session. 1588 * 1589 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value" 1590 * only valid with ADT_UPDATE. 1591 * 1592 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there 1593 * isn't a good reason to call adt_set_user() with it unless you don't 1594 * have a good value yet and intend to replace it later; auid will be 1595 * AU_NOAUDITID. 1596 * 1597 * adt_set_user should be called even if auditing is not enabled 1598 * so that adt_export_session_data() will have useful stuff to 1599 * work with. 1600 * 1601 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID 1602 * and ADT_HAVE_ALL. 1603 */ 1604 1605 int 1606 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid, 1607 uid_t ruid, gid_t rgid, const adt_termid_t *termid, 1608 enum adt_user_context user_context) 1609 { 1610 adt_internal_state_t *state; 1611 int rc; 1612 1613 if (session_data == NULL) /* no session exists to audit */ 1614 return (0); 1615 1616 state = (adt_internal_state_t *)session_data; 1617 assert(state->as_check == ADT_VALID); 1618 1619 switch (user_context) { 1620 case ADT_NEW: 1621 if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE || 1622 rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) { 1623 errno = EINVAL; 1624 return (-1); 1625 } 1626 if ((rc = adt_newuser(state, ruid, 1627 (au_tid_addr_t *)termid)) != 0) 1628 return (rc); 1629 1630 state->as_have_user_data = ADT_HAVE_ALL; 1631 break; 1632 case ADT_UPDATE: 1633 if (state->as_have_user_data != ADT_HAVE_ALL) { 1634 errno = EINVAL; 1635 return (-1); 1636 } 1637 1638 if (ruid != ADT_NO_CHANGE) 1639 if ((rc = adt_changeuser(state, ruid)) != 0) 1640 return (rc); 1641 break; 1642 case ADT_USER: 1643 if (state->as_have_user_data != ADT_HAVE_ALL) { 1644 errno = EINVAL; 1645 return (-1); 1646 } 1647 break; 1648 case ADT_SETTID: 1649 assert(termid != NULL); 1650 state->as_info.ai_termid = *((au_tid_addr_t *)termid); 1651 /* avoid fooling pam_setcred()... */ 1652 state->as_info.ai_auid = AU_NOAUDITID; 1653 state->as_info.ai_asid = 0; 1654 state->as_info.ai_mask.am_failure = 0; 1655 state->as_info.ai_mask.am_success = 0; 1656 state->as_have_user_data = ADT_HAVE_TID | 1657 ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK; 1658 return (0); 1659 default: 1660 errno = EINVAL; 1661 return (-1); 1662 } 1663 1664 if (ruid == ADT_NO_AUDIT) { 1665 state->as_ruid = AU_NOAUDITID; 1666 state->as_euid = AU_NOAUDITID; 1667 state->as_rgid = AU_NOAUDITID; 1668 state->as_egid = AU_NOAUDITID; 1669 } else { 1670 if (ruid != ADT_NO_CHANGE) 1671 state->as_ruid = ruid; 1672 if (euid != ADT_NO_CHANGE) 1673 state->as_euid = euid; 1674 if (rgid != ADT_NO_CHANGE) 1675 state->as_rgid = rgid; 1676 if (egid != ADT_NO_CHANGE) 1677 state->as_egid = egid; 1678 } 1679 1680 if (ruid == ADT_NO_ATTRIB) { 1681 state->as_session_model = ADT_SESSION_MODEL; 1682 } 1683 1684 return (0); 1685 } 1686 1687 /* 1688 * adt_set_from_ucred() 1689 * 1690 * an alternate to adt_set_user that fills the same role but uses 1691 * a pointer to a ucred rather than a list of id's. If the ucred 1692 * pointer is NULL, use the credential from the this process. 1693 * 1694 * A key difference is that for ADT_NEW, adt_set_from_ucred() does 1695 * not overwrite the asid and auid unless auid has not been set. 1696 * ADT_NEW differs from ADT_UPDATE in that it does not OR together 1697 * the incoming audit mask with the one that already exists. 1698 * 1699 * adt_set_from_ucred should be called even if auditing is not enabled 1700 * so that adt_export_session_data() will have useful stuff to 1701 * work with. 1702 */ 1703 1704 int 1705 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc, 1706 enum adt_user_context user_context) 1707 { 1708 adt_internal_state_t *state; 1709 int rc = -1; 1710 const au_tid64_addr_t *tid64; 1711 au_tid_addr_t termid, *tid; 1712 ucred_t *ucred = (ucred_t *)uc; 1713 boolean_t local_uc = B_FALSE; 1714 1715 if (session_data == NULL) /* no session exists to audit */ 1716 return (0); 1717 1718 state = (adt_internal_state_t *)session_data; 1719 assert(state->as_check == ADT_VALID); 1720 1721 if (ucred == NULL) { 1722 ucred = ucred_get(P_MYID); 1723 1724 if (ucred == NULL) 1725 goto return_rc; 1726 local_uc = B_TRUE; 1727 } 1728 1729 switch (user_context) { 1730 case ADT_NEW: 1731 tid64 = ucred_getatid(ucred); 1732 if (tid64 != NULL) { 1733 adt_cpy_tid(&termid, tid64); 1734 tid = &termid; 1735 } else { 1736 tid = NULL; 1737 } 1738 if (ucred_getauid(ucred) == AU_NOAUDITID) { 1739 adt_setto_unaudited(state); 1740 state->as_have_user_data = ADT_HAVE_ALL; 1741 rc = 0; 1742 goto return_rc; 1743 } else { 1744 state->as_info.ai_auid = ucred_getauid(ucred); 1745 state->as_info.ai_asid = ucred_getasid(ucred); 1746 state->as_info.ai_mask = *ucred_getamask(ucred); 1747 state->as_info.ai_termid = *tid; 1748 } 1749 state->as_have_user_data = ADT_HAVE_ALL; 1750 break; 1751 case ADT_UPDATE: 1752 if (state->as_have_user_data != ADT_HAVE_ALL) { 1753 errno = EINVAL; 1754 goto return_rc; 1755 } 1756 1757 if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0) 1758 goto return_rc; 1759 break; 1760 case ADT_USER: 1761 if (state->as_have_user_data != ADT_HAVE_ALL) { 1762 errno = EINVAL; 1763 goto return_rc; 1764 } 1765 break; 1766 default: 1767 errno = EINVAL; 1768 goto return_rc; 1769 } 1770 rc = 0; 1771 1772 state->as_ruid = ucred_getruid(ucred); 1773 state->as_euid = ucred_geteuid(ucred); 1774 state->as_rgid = ucred_getrgid(ucred); 1775 state->as_egid = ucred_getegid(ucred); 1776 state->as_pid = ucred_getpid(ucred); 1777 state->as_label = adt_ucred_label(ucred); 1778 1779 return_rc: 1780 if (local_uc) { 1781 ucred_free(ucred); 1782 } 1783 return (rc); 1784 } 1785 1786 /* 1787 * adt_alloc_event() returns a pointer to allocated memory 1788 * 1789 */ 1790 1791 adt_event_data_t 1792 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id) 1793 { 1794 struct adt_event_state *event_state; 1795 adt_internal_state_t *session_state; 1796 adt_event_data_t *return_event = NULL; 1797 /* 1798 * need to return a valid event pointer even if audit is 1799 * off, else the caller will end up either (1) keeping its 1800 * own flags for on/off or (2) writing to a NULL pointer. 1801 * If auditing is on, the session data must be valid; otherwise 1802 * we don't care. 1803 */ 1804 if (session_data != NULL) { 1805 session_state = (adt_internal_state_t *)session_data; 1806 assert(session_state->as_check == ADT_VALID); 1807 } 1808 event_state = calloc(1, sizeof (struct adt_event_state)); 1809 if (event_state == NULL) 1810 goto return_ptr; 1811 1812 event_state->ae_check = ADT_VALID; 1813 1814 event_state->ae_event_id = event_id; 1815 event_state->ae_session = (struct adt_internal_state *)session_data; 1816 1817 return_event = (adt_event_data_t *)&(event_state->ae_event_data); 1818 1819 /* 1820 * preload data so the adt_au_*() functions can detect un-supplied 1821 * values (0 and NULL are free via calloc()). 1822 */ 1823 if (session_data != NULL) { 1824 session_state->as_preload(event_id, return_event); 1825 } 1826 1827 return_ptr: 1828 return (return_event); 1829 } 1830 1831 /* 1832 * adt_getXlateTable -- look up translation table address for event id 1833 */ 1834 1835 static adt_translation_t * 1836 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id) 1837 { 1838 /* xlate_table is global in adt_xlate.c */ 1839 adt_translation_t **p_xlate = xlate; 1840 adt_translation_t *p_event; 1841 1842 while (*p_xlate != NULL) { 1843 p_event = *p_xlate; 1844 if (event_id == p_event->tx_external_event) 1845 return (p_event); 1846 p_xlate++; 1847 } 1848 return (NULL); 1849 } 1850 1851 /* 1852 * adt_calcOffsets 1853 * 1854 * the call to this function is surrounded by a mutex. 1855 * 1856 * i walks down the table picking up next_token. j walks again to 1857 * calculate the offset to the input data. k points to the next 1858 * token's row. Finally, l, is used to sum the values in the 1859 * datadef array. 1860 * 1861 * What's going on? The entry array is in the order of the input 1862 * fields but the processing of array entries is in the order of 1863 * the output (see next_token). Calculating the offset to the 1864 * "next" input can't be done in the outer loop (i) since i doesn't 1865 * point to the current entry and it can't be done with the k index 1866 * because it doesn't represent the order of input fields. 1867 * 1868 * While the resulting algorithm is n**2, it is only done once per 1869 * event type. 1870 */ 1871 1872 /* 1873 * adt_calcOffsets is only called once per event type, but it uses 1874 * the address alignment of memory allocated for that event as if it 1875 * were the same for all subsequently allocated memory. This is 1876 * guaranteed by calloc/malloc. Arrays take special handling since 1877 * what matters for figuring out the correct alignment is the size 1878 * of the array element. 1879 */ 1880 1881 static void 1882 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data) 1883 { 1884 int i, j; 1885 size_t this_size, prev_size; 1886 void *struct_start = p_data; 1887 1888 for (i = 0; i < tablesize; i++) { 1889 if (p_entry[i].en_type_def == NULL) { 1890 p_entry[i].en_offset = 0; 1891 continue; 1892 } 1893 prev_size = 0; 1894 p_entry[i].en_offset = (char *)p_data - (char *)struct_start; 1895 1896 for (j = 0; j < p_entry[i].en_count_types; j++) { 1897 if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG) 1898 this_size = sizeof (enum adt_generic); 1899 else 1900 this_size = 1901 p_entry[i].en_type_def[j].dd_input_size; 1902 1903 /* adj for first entry */ 1904 if (prev_size == 0) 1905 prev_size = this_size; 1906 1907 if (p_entry[i].en_type_def[j].dd_datatype == 1908 ADT_UINT32ARRAY) { 1909 p_data = (char *)adt_adjust_address(p_data, 1910 prev_size, sizeof (uint32_t)) + 1911 this_size - sizeof (uint32_t); 1912 1913 prev_size = sizeof (uint32_t); 1914 } else { 1915 p_data = adt_adjust_address(p_data, prev_size, 1916 this_size); 1917 prev_size = this_size; 1918 } 1919 } 1920 } 1921 } 1922 1923 /* 1924 * adt_generate_event 1925 * generate event record from external struct. The order is based on 1926 * the output tokens, allowing for the possibility that the input data 1927 * is in a different order. 1928 * 1929 */ 1930 1931 static int 1932 adt_generate_event(const adt_event_data_t *p_extdata, 1933 struct adt_event_state *p_event, 1934 adt_translation_t *p_xlate) 1935 { 1936 struct entry *p_entry; 1937 static mutex_t lock = DEFAULTMUTEX; 1938 1939 p_entry = p_xlate->tx_first_entry; 1940 assert(p_entry != NULL); 1941 1942 p_event->ae_internal_id = p_xlate->tx_internal_event; 1943 adt_token_open(p_event); 1944 1945 /* 1946 * offsets are not pre-calculated; the initial offsets are all 1947 * 0; valid offsets are >= 0. Offsets for no-input tokens such 1948 * as subject are set to -1 by adt_calcOffset() 1949 */ 1950 if (p_xlate->tx_offsetsCalculated == 0) { 1951 (void) mutex_lock(&lock); 1952 p_xlate->tx_offsetsCalculated = 1; 1953 1954 adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries, 1955 (void *)p_extdata); 1956 (void) mutex_unlock(&lock); 1957 } 1958 while (p_entry != NULL) { 1959 adt_generate_token(p_entry, (char *)p_extdata, p_event); 1960 1961 p_entry = p_entry->en_next_token; 1962 } 1963 return (adt_token_close(p_event)); 1964 } 1965 1966 /* 1967 * adt_put_event -- main event generation function. 1968 * The input "event" is the address of the struct containing 1969 * event-specific data. 1970 * 1971 * However if auditing is off or the session handle 1972 * is NULL, no attempt to write a record is made. 1973 */ 1974 1975 int 1976 adt_put_event(const adt_event_data_t *event, int status, int return_val) 1977 { 1978 struct adt_event_state *event_state; 1979 adt_translation_t *xlate; 1980 1981 if (event == NULL) { 1982 errno = EINVAL; 1983 return (-1); 1984 } 1985 event_state = (struct adt_event_state *)event; 1986 1987 /* if this is a broken session or not auditing, exit */ 1988 if ((event_state->ae_session == NULL) || 1989 !(event_state->ae_session->as_audit_state & 1990 (AUC_AUDITING | AUC_NOSPACE))) { 1991 return (0); 1992 } 1993 1994 assert(event_state->ae_check == ADT_VALID); 1995 1996 event_state->ae_rc = status; 1997 event_state->ae_type = return_val; 1998 1999 /* look up the event */ 2000 2001 xlate = adt_getXlateTable(event_state->ae_session->as_xlate, 2002 event_state->ae_event_id); 2003 2004 if (xlate == NULL) { 2005 errno = EINVAL; 2006 return (-1); 2007 } 2008 DPRINTF(("got event %d\n", xlate->tx_internal_event)); 2009 2010 if (adt_selected(event_state, xlate->tx_internal_event, status)) { 2011 return (adt_generate_event(event, event_state, xlate)); 2012 } 2013 2014 return (0); 2015 } 2016 2017 /* 2018 * adt_free_event -- invalidate and free 2019 */ 2020 2021 void 2022 adt_free_event(adt_event_data_t *event) 2023 { 2024 struct adt_event_state *event_state; 2025 2026 if (event == NULL) 2027 return; 2028 2029 event_state = (struct adt_event_state *)event; 2030 2031 assert(event_state->ae_check == ADT_VALID); 2032 2033 event_state->ae_check = 0; 2034 2035 free(event_state); 2036 } 2037 2038 /* 2039 * adt_is_selected -- helper to adt_selected(), below. 2040 * 2041 * "sorf" is "success or fail" status; au_preselect compares 2042 * that with success, fail, or both. 2043 */ 2044 2045 static int 2046 adt_is_selected(au_event_t e, au_mask_t *m, int sorf) 2047 { 2048 int prs_sorf; 2049 2050 if (sorf == 0) 2051 prs_sorf = AU_PRS_SUCCESS; 2052 else 2053 prs_sorf = AU_PRS_FAILURE; 2054 2055 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD)); 2056 } 2057 2058 /* 2059 * selected -- see if this event is preselected. 2060 * 2061 * if errors are encountered trying to check a preselection mask 2062 * or look up a user name, the event is selected. Otherwise, the 2063 * preselection mask is used for the job. 2064 */ 2065 2066 static int 2067 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status) 2068 { 2069 adt_internal_state_t *sp; 2070 au_mask_t namask; 2071 2072 sp = event->ae_session; 2073 2074 if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) { 2075 adt_write_syslog("No user data available", EINVAL); 2076 return (1); /* default is "selected" */ 2077 } 2078 2079 /* non-attributable? */ 2080 if ((sp->as_info.ai_auid == AU_NOAUDITID) || 2081 (sp->as_info.ai_auid == ADT_NO_AUDIT)) { 2082 if (auditon(A_GETKMASK, (caddr_t)&namask, 2083 sizeof (namask)) != 0) { 2084 adt_write_syslog("auditon failure", errno); 2085 return (1); 2086 } 2087 return (adt_is_selected(actual_id, &namask, status)); 2088 } else { 2089 return (adt_is_selected(actual_id, &(sp->as_info.ai_mask), 2090 status)); 2091 } 2092 } 2093 2094 /* 2095 * Can't map the host name to an IP address in 2096 * adt_get_hostIP. Get something off an interface 2097 * to act as the hosts IP address for auditing. 2098 */ 2099 2100 static int 2101 adt_get_local_address(int family, struct ifaddrlist *al) 2102 { 2103 struct ifaddrlist *ifal; 2104 char errbuf[ERRBUFSIZE] = "empty list"; 2105 char msg[ERRBUFSIZE + 512]; 2106 int ifal_count; 2107 int i; 2108 2109 if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) { 2110 int serrno = errno; 2111 2112 (void) snprintf(msg, sizeof (msg), "adt_get_local_address " 2113 "couldn't get %d addrlist %s", family, errbuf); 2114 adt_write_syslog(msg, serrno); 2115 errno = serrno; 2116 return (-1); 2117 } 2118 2119 for (i = 0; i < ifal_count; i++) { 2120 /* 2121 * loopback always defined, 2122 * even if there is no real address 2123 */ 2124 if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) { 2125 break; 2126 } 2127 } 2128 if (i >= ifal_count) { 2129 free(ifal); 2130 /* 2131 * Callers of adt_get_hostIP() can only return 2132 * errno to their callers and eventually the application. 2133 * Picked one that seemed least worse for saying no 2134 * usable address for Audit terminal ID. 2135 */ 2136 errno = ENETDOWN; 2137 return (-1); 2138 } 2139 2140 *al = ifal[i]; 2141 free(ifal); 2142 return (0); 2143 } 2144