1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 #include <bsm/adt.h> 27 #include <bsm/adt_event.h> 28 #include <assert.h> 29 #include <bsm/audit.h> 30 #include <bsm/audit_record.h> 31 #include <bsm/libbsm.h> 32 #include <door.h> 33 #include <errno.h> 34 #include <generic.h> 35 #include <md5.h> 36 #include <sys/mkdev.h> 37 #include <netdb.h> 38 #include <nss_dbdefs.h> 39 #include <pwd.h> 40 #include <sys/stat.h> 41 #include <time.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <synch.h> 45 #include <sys/systeminfo.h> 46 #include <syslog.h> 47 #include <thread.h> 48 #include <unistd.h> 49 #include <adt_xlate.h> 50 #include <adt_ucred.h> 51 #include <arpa/inet.h> 52 #include <net/if.h> 53 #include <libinetutil.h> 54 55 static int adt_selected(struct adt_event_state *, au_event_t, int); 56 static int adt_init(adt_internal_state_t *, int); 57 static int adt_import(adt_internal_state_t *, const adt_export_data_t *); 58 static m_label_t *adt_ucred_label(ucred_t *); 59 static void adt_setto_unaudited(adt_internal_state_t *); 60 static int adt_get_local_address(int, struct ifaddrlist *); 61 62 #ifdef C2_DEBUG 63 #define DPRINTF(x) { (void) printf x; } 64 #define DFLUSH (void) fflush(stdout); 65 #else 66 #define DPRINTF(x) 67 #define DFLUSH 68 #endif 69 70 /* 71 * Local audit states are a bit mask 72 * 73 * The global audit states are 74 * 75 * AUC_UNSET 0 - on/off hasn't been decided 76 * AUC_ENABLED 1 - loaded and enabled 77 * 78 * The local Zone states are 79 * 80 * AUC_AUDITING 0x1 - audit daemon is active 81 * AUC_NOAUDIT 0x2 - audit daemon is not active 82 * AUC_INIT_AUDIT 0x4 - audit is ready but auditd has not run 83 * AUC_NOSPACE 0x8 - audit enabled, no space for audit records 84 * 85 * The only values returned by auditon(A_GETCOND) are: 86 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE 87 * 88 * The pseudo audit state used when the c2audit module is excluded is 89 * 90 * AUC_DISABLED 0x100 - c2audit module is excluded 91 */ 92 93 static int auditstate = AUC_DISABLED; /* default state */ 94 95 /* 96 * adt_write_syslog 97 * 98 * errors that are not the user's fault (bugs or whatever in 99 * the underlying audit code are noted in syslog.) 100 * 101 * Avoid calling adt_write_syslog for things that can happen 102 * at high volume. 103 * 104 * syslog's open (openlog) and close (closelog) are interesting; 105 * openlog *may* create a file descriptor and is optional. closelog 106 * *will* close any open file descriptors and is also optional. 107 * 108 * Since syslog may also be used by the calling application, the 109 * choice is to avoid openlog, which sets some otherwise useful 110 * parameters, and to embed "Solaris_audit" in the log message. 111 */ 112 113 void 114 adt_write_syslog(const char *message, int err) 115 { 116 int save_errno = errno; 117 int mask_priority; 118 119 DPRINTF(("syslog called: %s\n", message)); 120 121 mask_priority = setlogmask(LOG_MASK(LOG_ALERT)); 122 errno = err; 123 syslog(LOG_ALERT, "Solaris_audit %s: %m", message); 124 (void) setlogmask(mask_priority); 125 errno = save_errno; 126 } 127 128 /* 129 * return true if c2audit is not excluded. 130 * 131 * For purpose of this API, anything but AUC_DISABLED 132 * is enabled; however one never actually sees 133 * AUC_DISABLED since auditon returns ENOTSUP in that case. Any 134 * auditon error is considered the same as ENOTSUP for our 135 * purpose. auditstate is not changed by auditon if an error 136 * is returned. 137 */ 138 139 /* 140 * XXX this should probably be eliminated and adt_audit_state() replace it. 141 * All the legitimate uses are to not fork a waiting process for 142 * process exit processing, as in su, login, dtlogin. Other bogus 143 * users are zoneadmd and init. 144 * All but dtlogin are in ON, so we can do this without cross gate 145 * synchronization. 146 * 147 * No longer used in adt.c. 148 */ 149 150 boolean_t 151 adt_audit_enabled(void) 152 { 153 154 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 155 156 return (auditstate != AUC_DISABLED); 157 } 158 159 /* 160 * See adt_audit_enabled() for state discussions. 161 * The state parameter is a hedge until all the uses become clear. 162 * Likely if adt_audit_enabled is brought internal to this file, 163 * it can take a parameter discussing the state. 164 */ 165 166 boolean_t 167 adt_audit_state(int state) 168 { 169 170 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 171 172 return (auditstate & state); 173 } 174 175 /* 176 * The man page for getpwuid_r says the buffer must be big enough 177 * or ERANGE will be returned, but offers no guidance for how big 178 * the buffer should be or a way to calculate it. If you get 179 * ERANGE, double pwd_buff's size. 180 * 181 * This may be called even when auditing is off. 182 */ 183 184 #define NAFLAG_LEN 512 185 186 static int 187 adt_get_mask_from_user(uid_t uid, au_mask_t *mask) 188 { 189 struct passwd pwd; 190 char pwd_buff[NSS_BUFSIZ]; 191 char naflag_buf[NAFLAG_LEN]; 192 193 if (auditstate & AUC_DISABLED) { 194 /* c2audit excluded */ 195 mask->am_success = 0; 196 mask->am_failure = 0; 197 } else if (uid <= MAXUID) { 198 if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) { 199 /* 200 * getpwuid_r returns NULL without setting 201 * errno if the user does not exist; only 202 * if the input is the wrong length does it 203 * set errno. 204 */ 205 if (errno != ERANGE) 206 errno = EINVAL; 207 return (-1); 208 } 209 if (au_user_mask(pwd.pw_name, mask)) { 210 errno = EFAULT; /* undetermined failure */ 211 return (-1); 212 } 213 } else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) { 214 if (getauditflagsbin(naflag_buf, mask)) 215 return (-1); 216 } else { 217 return (-1); 218 } 219 return (0); 220 } 221 222 /* 223 * adt_get_unique_id -- generate a hopefully unique 32 bit value 224 * 225 * there will be a follow up to replace this with the use of /dev/random 226 * 227 * An MD5 hash is taken on a buffer of 228 * hostname . audit id . unix time . pid . count 229 * 230 * "count = noise++;" is subject to a race condition but I don't 231 * see a need to put a lock around it. 232 */ 233 234 au_asid_t 235 adt_get_unique_id(au_id_t uid) 236 { 237 char hostname[MAXHOSTNAMELEN]; 238 union { 239 au_id_t v[4]; 240 unsigned char obuff[128/8]; 241 } output; 242 MD5_CTX context; 243 244 static int noise = 0; 245 246 int count = noise++; 247 time_t timebits = time(NULL); 248 pid_t pidbits = getpid(); 249 au_asid_t retval = 0; 250 251 if (gethostname(hostname, MAXHOSTNAMELEN)) { 252 adt_write_syslog("gethostname call failed", errno); 253 (void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN); 254 } 255 256 while (retval == 0) { /* 0 is the only invalid result */ 257 MD5Init(&context); 258 259 MD5Update(&context, (unsigned char *)hostname, 260 (unsigned int) strlen((const char *)hostname)); 261 262 MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t)); 263 264 MD5Update(&context, 265 (unsigned char *) &timebits, sizeof (time_t)); 266 267 MD5Update(&context, (unsigned char *) &pidbits, 268 sizeof (pid_t)); 269 270 MD5Update(&context, (unsigned char *) &(count), sizeof (int)); 271 MD5Final(output.obuff, &context); 272 273 retval = output.v[count % 4]; 274 } 275 return (retval); 276 } 277 278 /* 279 * the following "port" function deals with the following issues: 280 * 281 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made 282 * up from a 32 bit major and 32 bit minor. 283 * 2 User space deals with a dev_t as either the above 64 bit value 284 * or a 32 bit value made from a 14 bit major and an 18 bit minor. 285 * 3 The various audit interfaces (except ucred) pass the 32 or 286 * 64 bit version depending the architecture of the userspace 287 * application. If you get a port value from ucred and pass it 288 * to the kernel via auditon(), it must be squeezed into a 32 289 * bit value because the kernel knows the userspace app's bit 290 * size. 291 * 292 * The internal state structure for adt (adt_internal_state_t) uses 293 * dev_t, so adt converts data from ucred to fit. The import/export 294 * functions, however, can't know if they are importing/exporting 295 * from 64 or 32 bit applications, so they always send 64 bits and 296 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as 297 * appropriate. 298 */ 299 300 /* 301 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are 302 * both 64 bits). If lib is 32 bits, squeeze the two-int port into 303 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t, 304 * so it isn't broken up into pieces. (When it goes to the kernel 305 * and back, however, it will have been split into major/minor 306 * pieces.) 307 */ 308 309 static void 310 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src) 311 { 312 #ifdef _LP64 313 (void) memcpy(dest, src, sizeof (au_tid_addr_t)); 314 #else /* _LP64 */ 315 dest->at_type = src->at_type; 316 317 dest->at_port = src->at_port.at_minor & MAXMIN32; 318 dest->at_port |= (src->at_port.at_major & MAXMAJ32) << 319 NBITSMINOR32; 320 321 (void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t)); 322 #endif /* _LP64 */ 323 } 324 325 /* 326 * adt_start_session -- create interface handle, create context 327 * 328 * The imported_state input is normally NULL, if not, it represents 329 * a continued session; its values obviate the need for a subsequent 330 * call to adt_set_user(). 331 * 332 * The flag is used to decide how to set the initial state of the session. 333 * If 0, the session is "no audit" until a call to adt_set_user; if 334 * ADT_USE_PROC_DATA, the session is built from the process audit 335 * characteristics obtained from the kernel. If imported_state is 336 * not NULL, the resulting audit mask is an OR of the current process 337 * audit mask and that passed in. 338 * 339 * The basic model is that the caller can use the pointer returned 340 * by adt_start_session whether or not auditing is enabled or an 341 * error was returned. The functions that take the session handle 342 * as input generally return without doing anything if auditing is 343 * disabled. 344 */ 345 346 int 347 adt_start_session(adt_session_data_t **new_session, 348 const adt_export_data_t *imported_state, adt_session_flags_t flags) 349 { 350 adt_internal_state_t *state; 351 adt_session_flags_t flgmask = ADT_FLAGS_ALL; 352 353 /* test and set auditstate */ 354 if (adt_audit_state(AUC_DISABLED)) { 355 /* c2audit excluded */ 356 *new_session = NULL; 357 return (0); 358 } 359 360 if ((flags & ~flgmask) != 0) { 361 errno = EINVAL; 362 goto return_err; 363 } 364 365 if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) { 366 goto return_err; 367 } 368 369 if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) { 370 goto return_err_free; /* errno from adt_init() */ 371 } 372 373 /* 374 * The imported state overwrites the initial state if the 375 * imported state represents a valid audit trail 376 */ 377 378 if (imported_state != NULL) { 379 if (adt_import(state, imported_state) != 0) { 380 goto return_err_free; 381 } 382 } else if (flags & ADT_USE_PROC_DATA) { 383 state->as_session_model = ADT_PROCESS_MODEL; 384 } 385 state->as_flags = flags; 386 DPRINTF(("(%lld) Starting session id = %08X\n", 387 (long long) getpid(), state->as_info.ai_asid)); 388 389 *new_session = (adt_session_data_t *)state; 390 return (0); 391 392 return_err_free: 393 free(state); 394 return_err: 395 *new_session = NULL; 396 adt_write_syslog("audit session create failed", errno); 397 return (-1); 398 } 399 400 /* 401 * adt_load_table() 402 * 403 * loads the event translation table into the audit session. 404 */ 405 406 void 407 adt_load_table(const adt_session_data_t *session_data, 408 adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *)) 409 { 410 adt_internal_state_t *state = (adt_internal_state_t *)session_data; 411 412 if (state != NULL) { 413 assert(state->as_check == ADT_VALID); 414 state->as_xlate = xlate; 415 state->as_preload = preload; 416 } 417 } 418 419 /* 420 * adt_get_asid() and adt_set_asid() 421 * 422 * if you use this interface, you are responsible to insure that the 423 * rest of the session data is populated correctly before calling 424 * adt_proccess_attr() 425 * 426 * neither of these are intended for general use and will likely 427 * remain private interfaces for a long time. Forever is a long 428 * time. In the case of adt_set_asid(), you should have a very, 429 * very good reason for setting your own session id. The process 430 * audit characteristics are not changed by put, use adt_set_proc(). 431 * 432 * These are "volatile" (more changable than "evolving") and will 433 * probably change in the S10 period. 434 */ 435 436 void 437 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid) 438 { 439 440 if (session_data == NULL) { 441 *asid = 0; 442 } else { 443 assert(((adt_internal_state_t *)session_data)->as_check == 444 ADT_VALID); 445 446 *asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid; 447 } 448 } 449 450 void 451 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id) 452 { 453 454 if (session_data != NULL) { 455 assert(((adt_internal_state_t *)session_data)->as_check == 456 ADT_VALID); 457 458 ((adt_internal_state_t *)session_data)->as_have_user_data |= 459 ADT_HAVE_ASID; 460 ((adt_internal_state_t *)session_data)->as_info.ai_asid = 461 session_id; 462 } 463 } 464 465 /* 466 * adt_get_auid() and adt_set_auid() 467 * 468 * neither of these are intended for general use and will likely 469 * remain private interfaces for a long time. Forever is a long 470 * time. In the case of adt_set_auid(), you should have a very, 471 * very good reason for setting your own audit id. The process 472 * audit characteristics are not changed by put, use adt_set_proc(). 473 */ 474 475 void 476 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid) 477 { 478 479 if (session_data == NULL) { 480 *auid = AU_NOAUDITID; 481 } else { 482 assert(((adt_internal_state_t *)session_data)->as_check == 483 ADT_VALID); 484 485 *auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid; 486 } 487 } 488 489 void 490 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id) 491 { 492 493 if (session_data != NULL) { 494 assert(((adt_internal_state_t *)session_data)->as_check == 495 ADT_VALID); 496 497 ((adt_internal_state_t *)session_data)->as_have_user_data |= 498 ADT_HAVE_AUID; 499 ((adt_internal_state_t *)session_data)->as_info.ai_auid = 500 audit_id; 501 } 502 } 503 504 /* 505 * adt_get_termid(), adt_set_termid() 506 * 507 * if you use this interface, you are responsible to insure that the 508 * rest of the session data is populated correctly before calling 509 * adt_proccess_attr() 510 * 511 * The process audit characteristics are not changed by put, use 512 * adt_set_proc(). 513 */ 514 515 void 516 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid) 517 { 518 519 if (session_data == NULL) { 520 (void) memset(termid, 0, sizeof (au_tid_addr_t)); 521 termid->at_type = AU_IPv4; 522 } else { 523 assert(((adt_internal_state_t *)session_data)->as_check == 524 ADT_VALID); 525 526 *termid = 527 ((adt_internal_state_t *)session_data)->as_info.ai_termid; 528 } 529 } 530 531 void 532 adt_set_termid(const adt_session_data_t *session_data, 533 const au_tid_addr_t *termid) 534 { 535 536 if (session_data != NULL) { 537 assert(((adt_internal_state_t *)session_data)->as_check == 538 ADT_VALID); 539 540 ((adt_internal_state_t *)session_data)->as_info.ai_termid = 541 *termid; 542 543 ((adt_internal_state_t *)session_data)->as_have_user_data |= 544 ADT_HAVE_TID; 545 } 546 } 547 548 /* 549 * adt_get_mask(), adt_set_mask() 550 * 551 * if you use this interface, you are responsible to insure that the 552 * rest of the session data is populated correctly before calling 553 * adt_proccess_attr() 554 * 555 * The process audit characteristics are not changed by put, use 556 * adt_set_proc(). 557 */ 558 559 void 560 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask) 561 { 562 563 if (session_data == NULL) { 564 mask->am_success = 0; 565 mask->am_failure = 0; 566 } else { 567 assert(((adt_internal_state_t *)session_data)->as_check == 568 ADT_VALID); 569 570 *mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask; 571 } 572 } 573 574 void 575 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask) 576 { 577 578 if (session_data != NULL) { 579 assert(((adt_internal_state_t *)session_data)->as_check == 580 ADT_VALID); 581 582 ((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask; 583 584 ((adt_internal_state_t *)session_data)->as_have_user_data |= 585 ADT_HAVE_MASK; 586 } 587 } 588 589 /* 590 * helpers for adt_load_termid 591 */ 592 593 static void 594 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock, 595 au_tid_addr_t *termid) 596 { 597 598 termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port)); 599 termid->at_type = AU_IPv6; 600 (void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t)); 601 } 602 603 static void 604 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock, 605 au_tid_addr_t *termid) 606 { 607 608 termid->at_port = ((peer->sin_port<<16) | (sock->sin_port)); 609 610 termid->at_type = AU_IPv4; 611 termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr; 612 (void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t)); 613 } 614 615 /* 616 * adt_load_termid: convenience function; inputs file handle and 617 * outputs an au_tid_addr struct. 618 * 619 * This code was stolen from audit_settid.c; it differs from audit_settid() 620 * in that it does not write the terminal id to the process. 621 */ 622 623 int 624 adt_load_termid(int fd, adt_termid_t **termid) 625 { 626 au_tid_addr_t *p_term; 627 struct sockaddr_in6 peer; 628 struct sockaddr_in6 sock; 629 int peerlen = sizeof (peer); 630 int socklen = sizeof (sock); 631 632 /* get peer name if its a socket, else assume local terminal */ 633 634 if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen) 635 < 0) { 636 if (errno == ENOTSOCK) { 637 return (adt_load_hostname(NULL, termid)); 638 } 639 goto return_err; 640 } 641 642 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 643 goto return_err; 644 } 645 646 /* get sock name */ 647 if (getsockname(fd, (struct sockaddr *)&sock, 648 (socklen_t *)&socklen) < 0) { 649 goto return_err_free; 650 } 651 652 if (peer.sin6_family == AF_INET6) { 653 adt_do_ipv6_address(&peer, &sock, p_term); 654 } else { 655 adt_do_ipv4_address((struct sockaddr_in *)&peer, 656 (struct sockaddr_in *)&sock, p_term); 657 } 658 *termid = (adt_termid_t *)p_term; 659 660 return (0); 661 662 return_err_free: 663 free(p_term); 664 return_err: 665 *termid = NULL; 666 return (-1); 667 } 668 669 static boolean_t 670 adt_have_termid(au_tid_addr_t *dest) 671 { 672 struct auditinfo_addr audit_data; 673 674 if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) { 675 adt_write_syslog("getaudit failed", errno); 676 return (B_FALSE); 677 } 678 679 if ((audit_data.ai_termid.at_type == 0) || 680 (audit_data.ai_termid.at_addr[0] | 681 audit_data.ai_termid.at_addr[1] | 682 audit_data.ai_termid.at_addr[2] | 683 audit_data.ai_termid.at_addr[3]) == 0) 684 return (B_FALSE); 685 686 (void) memcpy(dest, &(audit_data.ai_termid), 687 sizeof (au_tid_addr_t)); 688 689 return (B_TRUE); 690 } 691 692 /* 693 * adt_get_hostIP - construct a terminal id from a hostname 694 * 695 * Returns 0 = success 696 * -1 = failure and errno = ENETDOWN with the address 697 * defaulted to IPv4 loopback. 698 */ 699 700 static int 701 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term) 702 { 703 struct addrinfo *ai = NULL; 704 int tries = 3; 705 char msg[512]; 706 int eai_err; 707 708 while ((tries-- > 0) && 709 ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) { 710 /* 711 * getaddrinfo returns its own set of errors. 712 * Log them here, so any subsequent syslogs will 713 * have a context. adt_get_hostIP callers can only 714 * return errno, so subsequent syslogs may be lacking 715 * that getaddrinfo failed. 716 */ 717 (void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) " 718 "failed[%s]", hostname, gai_strerror(eai_err)); 719 adt_write_syslog(msg, 0); 720 721 if (eai_err != EAI_AGAIN) { 722 723 break; 724 } 725 /* see if resolution becomes available */ 726 (void) sleep(1); 727 } 728 if (ai != NULL) { 729 if (ai->ai_family == AF_INET) { 730 p_term->at_type = AU_IPv4; 731 (void) memcpy(p_term->at_addr, 732 /* LINTED */ 733 &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 734 AU_IPv4); 735 } else { 736 p_term->at_type = AU_IPv6; 737 (void) memcpy(p_term->at_addr, 738 /* LINTED */ 739 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 740 AU_IPv6); 741 } 742 freeaddrinfo(ai); 743 return (0); 744 } else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) { 745 auditinfo_addr_t audit_info; 746 747 /* 748 * auditd is running so there should be a 749 * kernel audit context 750 */ 751 if (auditon(A_GETKAUDIT, (caddr_t)&audit_info, 752 sizeof (audit_info)) < 0) { 753 adt_write_syslog("unable to get kernel audit context", 754 errno); 755 goto try_interface; 756 } 757 adt_write_syslog("setting Audit IP address to kernel", 0); 758 *p_term = audit_info.ai_termid; 759 return (0); 760 } 761 try_interface: 762 { 763 struct ifaddrlist al; 764 int family; 765 char ntop[INET6_ADDRSTRLEN]; 766 767 /* 768 * getaddrinfo has failed to map the hostname 769 * to an IP address, try to get an IP address 770 * from a local interface. If none up, default 771 * to loopback. 772 */ 773 family = AF_INET6; 774 if (adt_get_local_address(family, &al) != 0) { 775 family = AF_INET; 776 777 if (adt_get_local_address(family, &al) != 0) { 778 adt_write_syslog("adt_get_local_address " 779 "failed, no Audit IP address available, " 780 "faking loopback and error", 781 errno); 782 IN_SET_LOOPBACK_ADDR( 783 (struct sockaddr_in *)&(al.addr.addr)); 784 (void) memcpy(p_term->at_addr, &al.addr.addr, 785 AU_IPv4); 786 p_term->at_type = AU_IPv4; 787 return (-1); 788 } 789 } 790 if (family == AF_INET) { 791 p_term->at_type = AU_IPv4; 792 (void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4); 793 } else { 794 p_term->at_type = AU_IPv6; 795 (void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6); 796 } 797 798 (void) snprintf(msg, sizeof (msg), "mapping %s to %s", 799 hostname, inet_ntop(family, &(al.addr), ntop, 800 sizeof (ntop))); 801 adt_write_syslog(msg, 0); 802 return (0); 803 } 804 } 805 806 /* 807 * adt_load_hostname() is called when the caller does not have a file 808 * handle that gives access to the socket info or any other way to 809 * pass in both port and ip address. The hostname input is ignored if 810 * the terminal id has already been set; instead it returns the 811 * existing terminal id. 812 * 813 * If c2audit is excluded, success is returned. 814 * If the hostname lookup fails, the loopback address is assumed, 815 * errno is set to ENETDOWN, this allows the caller to interpret 816 * whether failure is fatal, and if not to have a address for the 817 * hostname. 818 * Otherwise the caller would need to be aware of the audit state. 819 * 820 * Other errors are ignored if not auditing. 821 */ 822 823 int 824 adt_load_hostname(const char *hostname, adt_termid_t **termid) 825 { 826 char localhost[MAXHOSTNAMELEN + 1]; 827 au_tid_addr_t *p_term; 828 829 if (adt_audit_state(AUC_DISABLED)) { 830 /* c2audit excluded */ 831 *termid = NULL; 832 return (0); 833 } 834 835 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 836 goto return_err; 837 } 838 839 if (adt_have_termid(p_term)) { 840 *termid = (adt_termid_t *)p_term; 841 return (0); 842 } 843 p_term->at_port = 0; 844 845 if (hostname == NULL || *hostname == '\0') { 846 (void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN); 847 hostname = localhost; 848 } 849 if (adt_get_hostIP(hostname, p_term) == 0) { 850 *termid = (adt_termid_t *)p_term; 851 return (0); 852 } else { 853 *termid = (adt_termid_t *)p_term; 854 return (-1); 855 } 856 857 return_err: 858 *termid = NULL; 859 if (auditstate & AUC_NOAUDIT) { 860 return (0); 861 } 862 863 return (-1); 864 } 865 866 /* 867 * adt_load_ttyname() is called when the caller does not have a file 868 * handle that gives access to the local terminal or any other way 869 * of determining the device id. The ttyname input is ignored if 870 * the terminal id has already been set; instead it returns the 871 * existing terminal id. 872 * 873 * If c2audit is excluded, success is returned. 874 * The local hostname is used for the local IP address. 875 * If that hostname lookup fails, the loopback address is assumed, 876 * errno is set to ENETDOWN, this allows the caller to interpret 877 * whether failure is fatal, and if not to have a address for the 878 * hostname. 879 * Otherwise the caller would need to be aware of the audit state. 880 * 881 * Other errors are ignored if not auditing. 882 */ 883 884 int 885 adt_load_ttyname(const char *ttyname, adt_termid_t **termid) 886 { 887 char localhost[MAXHOSTNAMELEN + 1]; 888 au_tid_addr_t *p_term; 889 struct stat stat_buf; 890 891 if (adt_audit_state(AUC_DISABLED)) { 892 /* c2audit excluded */ 893 *termid = NULL; 894 return (0); 895 } 896 897 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 898 goto return_err; 899 } 900 901 if (adt_have_termid(p_term)) { 902 *termid = (adt_termid_t *)p_term; 903 return (0); 904 } 905 906 p_term->at_port = 0; 907 908 if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) { 909 goto return_err_free; /* errno from sysinfo */ 910 } 911 912 if (ttyname != NULL && *ttyname != '\0') { 913 if (stat(ttyname, &stat_buf) < 0) { 914 goto return_err_free; 915 } 916 917 p_term->at_port = stat_buf.st_rdev; 918 } 919 920 if (adt_get_hostIP(localhost, p_term) == 0) { 921 *termid = (adt_termid_t *)p_term; 922 return (0); 923 } else { 924 *termid = (adt_termid_t *)p_term; 925 return (-1); 926 } 927 928 return_err_free: 929 free(p_term); 930 931 return_err: 932 *termid = NULL; 933 if (auditstate & AUC_NOAUDIT) { 934 return (0); 935 } 936 937 return (-1); 938 } 939 940 /* 941 * adt_get_session_id returns a stringified representation of 942 * the audit session id. See also adt_get_asid() for how to 943 * get the unexpurgated version. No guarantees as to how long 944 * the returned string will be or its general form; hex for now. 945 * 946 * An empty string is returned if auditing is off; length = 1 947 * and the pointer is valid. 948 * 949 * returns strlen + 1 if buffer is valid; else 0 and errno. 950 */ 951 952 size_t 953 adt_get_session_id(const adt_session_data_t *session_data, char **buff) 954 { 955 au_asid_t session_id; 956 size_t length; 957 /* 958 * output is 0x followed by 959 * two characters per byte 960 * plus terminator, 961 * except leading 0's are suppressed, so a few bytes may 962 * be unused. 963 */ 964 length = 2 + (2 * sizeof (session_id)) + 1; 965 *buff = malloc(length); 966 967 if (*buff == NULL) { 968 return (0); 969 } 970 if (session_data == NULL) { /* NULL is not an error */ 971 **buff = '\0'; 972 return (1); 973 } 974 adt_get_asid(session_data, &session_id); 975 976 length = snprintf(*buff, length, "0x%X", (int)session_id); 977 978 /* length < 1 is a bug: the session data type may have changed */ 979 assert(length > 0); 980 981 return (length); 982 } 983 984 /* 985 * adt_end_session -- close handle, clear context 986 * 987 * if as_check is invalid, no harm, no foul, EXCEPT that this could 988 * be an attempt to free data already free'd, so output to syslog 989 * to help explain why the process cored dumped. 990 */ 991 992 int 993 adt_end_session(adt_session_data_t *session_data) 994 { 995 adt_internal_state_t *state; 996 997 if (session_data != NULL) { 998 state = (adt_internal_state_t *)session_data; 999 if (state->as_check != ADT_VALID) { 1000 adt_write_syslog("freeing invalid data", EINVAL); 1001 } else { 1002 state->as_check = 0; 1003 m_label_free(state->as_label); 1004 free(session_data); 1005 } 1006 } 1007 /* no errors yet defined */ 1008 return (0); 1009 } 1010 1011 /* 1012 * adt_dup_session -- copy the session data 1013 */ 1014 1015 int 1016 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest) 1017 { 1018 adt_internal_state_t *source_state; 1019 adt_internal_state_t *dest_state = NULL; 1020 int rc = 0; 1021 1022 if (source != NULL) { 1023 source_state = (adt_internal_state_t *)source; 1024 assert(source_state->as_check == ADT_VALID); 1025 1026 dest_state = malloc(sizeof (adt_internal_state_t)); 1027 if (dest_state == NULL) { 1028 rc = -1; 1029 goto return_rc; 1030 } 1031 (void) memcpy(dest_state, source, 1032 sizeof (struct adt_internal_state)); 1033 1034 if (source_state->as_label != NULL) { 1035 dest_state->as_label = NULL; 1036 if ((rc = m_label_dup(&dest_state->as_label, 1037 source_state->as_label)) != 0) { 1038 free(dest_state); 1039 dest_state = NULL; 1040 } 1041 } 1042 } 1043 return_rc: 1044 *dest = (adt_session_data_t *)dest_state; 1045 return (rc); 1046 } 1047 1048 /* 1049 * from_export_format() 1050 * read from a network order buffer into struct adt_session_data 1051 */ 1052 1053 static size_t 1054 adt_from_export_format(adt_internal_state_t *internal, 1055 const adt_export_data_t *external) 1056 { 1057 struct export_header head; 1058 struct export_link link; 1059 adr_t context; 1060 int32_t offset; 1061 int32_t length; 1062 int32_t version; 1063 size_t label_len; 1064 char *p = (char *)external; 1065 1066 adrm_start(&context, (char *)external); 1067 adrm_int32(&context, (int *)&head, 4); 1068 1069 if ((internal->as_check = head.ax_check) != ADT_VALID) { 1070 errno = EINVAL; 1071 return (0); 1072 } 1073 offset = head.ax_link.ax_offset; 1074 version = head.ax_link.ax_version; 1075 length = head.ax_buffer_length; 1076 1077 /* 1078 * Skip newer versions. 1079 */ 1080 while (version > PROTOCOL_VERSION_2) { 1081 if (offset < 1) { 1082 return (0); /* failed to match version */ 1083 } 1084 p += offset; /* point to next version # */ 1085 1086 if (p > (char *)external + length) { 1087 return (0); 1088 } 1089 adrm_start(&context, p); 1090 adrm_int32(&context, (int *)&link, 2); 1091 offset = link.ax_offset; 1092 version = link.ax_version; 1093 assert(version != 0); 1094 } 1095 /* 1096 * Adjust buffer pointer to the first data item (euid). 1097 */ 1098 if (p == (char *)external) { 1099 adrm_start(&context, (char *)(p + sizeof (head))); 1100 } else { 1101 adrm_start(&context, (char *)(p + sizeof (link))); 1102 } 1103 /* 1104 * if down rev version, neither pid nor label are included 1105 * in v1 ax_size_of_tsol_data intentionally ignored 1106 */ 1107 if (version == PROTOCOL_VERSION_1) { 1108 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1109 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1110 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1111 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1112 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1113 adrm_int32(&context, 1114 (int *)&(internal->as_info.ai_mask.am_success), 2); 1115 adrm_int32(&context, 1116 (int *)&(internal->as_info.ai_termid.at_port), 1); 1117 adrm_int32(&context, 1118 (int *)&(internal->as_info.ai_termid.at_type), 1); 1119 adrm_int32(&context, 1120 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1121 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1122 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1123 internal->as_pid = (pid_t)-1; 1124 internal->as_label = NULL; 1125 } else if (version == PROTOCOL_VERSION_2) { 1126 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1127 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1128 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1129 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1130 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1131 adrm_int32(&context, 1132 (int *)&(internal->as_info.ai_mask.am_success), 2); 1133 adrm_int32(&context, 1134 (int *)&(internal->as_info.ai_termid.at_port), 1); 1135 adrm_int32(&context, 1136 (int *)&(internal->as_info.ai_termid.at_type), 1); 1137 adrm_int32(&context, 1138 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1139 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1140 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1141 adrm_int32(&context, (int *)&(internal->as_pid), 1); 1142 adrm_int32(&context, (int *)&label_len, 1); 1143 if (label_len > 0) { 1144 /* read in and deal with different sized labels. */ 1145 size32_t my_label_len = blabel_size(); 1146 1147 if ((internal->as_label = 1148 m_label_alloc(MAC_LABEL)) == NULL) { 1149 return (0); 1150 } 1151 if (label_len > my_label_len) { 1152 errno = EINVAL; 1153 m_label_free(internal->as_label); 1154 return (0); 1155 } 1156 (void) memset(internal->as_label, 0, my_label_len); 1157 adrm_int32(&context, (int *)(internal->as_label), 1158 label_len / sizeof (int32_t)); 1159 } else { 1160 internal->as_label = NULL; 1161 } 1162 } 1163 1164 return (length); 1165 } 1166 1167 /* 1168 * adt_to_export_format 1169 * read from struct adt_session_data into a network order buffer. 1170 * 1171 * (network order 'cause this data may be shared with a remote host.) 1172 */ 1173 1174 static size_t 1175 adt_to_export_format(adt_export_data_t *external, 1176 adt_internal_state_t *internal) 1177 { 1178 struct export_header head; 1179 struct export_link tail; 1180 adr_t context; 1181 size32_t label_len = 0; 1182 1183 adrm_start(&context, (char *)external); 1184 1185 if (internal->as_label != NULL) { 1186 label_len = blabel_size(); 1187 } 1188 1189 head.ax_check = ADT_VALID; 1190 head.ax_buffer_length = sizeof (struct adt_export_data) + label_len; 1191 1192 /* version 2 first */ 1193 1194 head.ax_link.ax_version = PROTOCOL_VERSION_2; 1195 head.ax_link.ax_offset = sizeof (struct export_header) + 1196 sizeof (struct adt_export_v2) + label_len; 1197 1198 adrm_putint32(&context, (int *)&head, 4); 1199 1200 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1201 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1202 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1203 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1204 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1205 adrm_putint32(&context, 1206 (int *)&(internal->as_info.ai_mask.am_success), 2); 1207 adrm_putint32(&context, 1208 (int *)&(internal->as_info.ai_termid.at_port), 1); 1209 adrm_putint32(&context, 1210 (int *)&(internal->as_info.ai_termid.at_type), 1); 1211 adrm_putint32(&context, 1212 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1213 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1214 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1215 adrm_putint32(&context, (int *)&(internal->as_pid), 1); 1216 adrm_putint32(&context, (int *)&label_len, 1); 1217 if (internal->as_label != NULL) { 1218 /* serialize the label */ 1219 adrm_putint32(&context, (int *)(internal->as_label), 1220 (label_len / sizeof (int32_t))); 1221 } 1222 1223 /* now version 1 */ 1224 1225 tail.ax_version = PROTOCOL_VERSION_1; 1226 tail.ax_offset = 0; 1227 1228 adrm_putint32(&context, (int *)&tail, 2); 1229 1230 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1231 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1232 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1233 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1234 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1235 adrm_putint32(&context, 1236 (int *)&(internal->as_info.ai_mask.am_success), 2); 1237 adrm_putint32(&context, 1238 (int *)&(internal->as_info.ai_termid.at_port), 1); 1239 adrm_putint32(&context, 1240 (int *)&(internal->as_info.ai_termid.at_type), 1); 1241 adrm_putint32(&context, 1242 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1243 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1244 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1245 /* ignored in v1 */ 1246 adrm_putint32(&context, (int *)&label_len, 1); 1247 1248 /* finally terminator */ 1249 1250 tail.ax_version = 0; /* invalid version number */ 1251 tail.ax_offset = 0; 1252 1253 adrm_putint32(&context, (int *)&tail, 2); 1254 1255 return (head.ax_buffer_length); 1256 } 1257 1258 /* 1259 * adt_ucred_label() -- if label is available, duplicate it. 1260 */ 1261 1262 static m_label_t * 1263 adt_ucred_label(ucred_t *uc) 1264 { 1265 m_label_t *ul = NULL; 1266 1267 if (ucred_getlabel(uc) != NULL) { 1268 (void) m_label_dup(&ul, ucred_getlabel(uc)); 1269 } 1270 1271 return (ul); 1272 } 1273 1274 /* 1275 * adt_import() -- convert from network order to machine-specific order 1276 */ 1277 1278 static int 1279 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external) 1280 { 1281 au_mask_t mask; 1282 1283 /* save local audit state */ 1284 int local_audit_state = internal->as_audit_state; 1285 1286 if (adt_from_export_format(internal, external) < 1) 1287 return (-1); /* errno from adt_from_export_format */ 1288 1289 /* 1290 * If audit isn't enabled on the remote, they were unable 1291 * to generate the audit mask, so generate it based on 1292 * local configuration. If the user id has changed, the 1293 * resulting mask may miss some subtleties that occurred 1294 * on the remote system. 1295 * 1296 * If the remote failed to generate a terminal id, it is not 1297 * recoverable. 1298 */ 1299 1300 if (!(internal->as_audit_state & AUC_DISABLED)) { 1301 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1302 &(internal->as_info.ai_mask))) 1303 return (-1); 1304 if (internal->as_info.ai_auid != internal->as_ruid) { 1305 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1306 &mask)) 1307 return (-1); 1308 internal->as_info.ai_mask.am_success |= 1309 mask.am_success; 1310 internal->as_info.ai_mask.am_failure |= 1311 mask.am_failure; 1312 } 1313 } 1314 internal->as_audit_state = local_audit_state; 1315 1316 DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(), 1317 internal->as_info.ai_asid, 1318 internal->as_info.ai_asid)); 1319 1320 internal->as_have_user_data = ADT_HAVE_ALL; 1321 1322 return (0); 1323 } 1324 1325 /* 1326 * adt_export_session_data() 1327 * copies a adt_session_data struct into a network order buffer 1328 * 1329 * In a misconfigured network, the local host may have auditing 1330 * off while the destination may have auditing on, so if there 1331 * is sufficient memory, a buffer will be returned even in the 1332 * audit off case. 1333 */ 1334 1335 size_t 1336 adt_export_session_data(const adt_session_data_t *internal, 1337 adt_export_data_t **external) 1338 { 1339 size32_t length = 0; 1340 1341 if ((internal != NULL) && 1342 ((adt_internal_state_t *)internal)->as_label != NULL) { 1343 length = blabel_size(); 1344 } 1345 1346 *external = malloc(sizeof (adt_export_data_t) + length); 1347 1348 if (*external == NULL) 1349 return (0); 1350 1351 if (internal == NULL) { 1352 adt_internal_state_t *dummy; 1353 1354 dummy = malloc(sizeof (adt_internal_state_t)); 1355 if (dummy == NULL) 1356 goto return_length_free; 1357 1358 if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */ 1359 free(dummy); 1360 goto return_length_free; 1361 } 1362 length = adt_to_export_format(*external, dummy); 1363 free(dummy); 1364 } else { 1365 length = adt_to_export_format(*external, 1366 (adt_internal_state_t *)internal); 1367 } 1368 return (length); 1369 1370 return_length_free: 1371 free(*external); 1372 *external = NULL; 1373 return (0); 1374 } 1375 1376 static void 1377 adt_setto_unaudited(adt_internal_state_t *state) 1378 { 1379 if (state->as_audit_state & AUC_DISABLED) { 1380 state->as_ruid = AU_NOAUDITID; 1381 state->as_euid = AU_NOAUDITID; 1382 state->as_rgid = AU_NOAUDITID; 1383 state->as_egid = AU_NOAUDITID; 1384 state->as_pid = (pid_t)-1; 1385 state->as_label = NULL; 1386 } else { 1387 state->as_info.ai_asid = 0; 1388 state->as_info.ai_auid = AU_NOAUDITID; 1389 1390 (void) memset((void *)&(state->as_info.ai_termid), 0, 1391 sizeof (au_tid_addr_t)); 1392 state->as_info.ai_termid.at_type = AU_IPv4; 1393 1394 (void) memset((void *)&(state->as_info.ai_mask), 0, 1395 sizeof (au_mask_t)); 1396 state->as_have_user_data = 0; 1397 } 1398 } 1399 1400 /* 1401 * adt_init -- set session context by copying the audit characteristics 1402 * from the proc and picking up current uid/tid information. 1403 * 1404 * By default, an audit session is based on the process; the default 1405 * is overriden by adt_set_user() 1406 */ 1407 1408 static int 1409 adt_init(adt_internal_state_t *state, int use_proc_data) 1410 { 1411 /* ensure auditstate is set */ 1412 1413 (void) adt_audit_state(0); 1414 state->as_audit_state = auditstate; 1415 1416 if (use_proc_data) { 1417 state->as_ruid = getuid(); 1418 state->as_euid = geteuid(); 1419 state->as_rgid = getgid(); 1420 state->as_egid = getegid(); 1421 state->as_pid = getpid(); 1422 1423 if (!(state->as_audit_state & AUC_DISABLED)) { 1424 const au_tid64_addr_t *tid; 1425 const au_mask_t *mask; 1426 ucred_t *ucred = ucred_get(P_MYID); 1427 1428 /* 1429 * Even if the ucred is NULL, the underlying 1430 * credential may have a valid terminal id; if the 1431 * terminal id is set, then that's good enough. An 1432 * example of where this matters is failed login, 1433 * where rlogin/telnet sets the terminal id before 1434 * calling login; login does not load the credential 1435 * since auth failed. 1436 */ 1437 if (ucred == NULL) { 1438 if (!adt_have_termid( 1439 &(state->as_info.ai_termid))) 1440 return (-1); 1441 } else { 1442 mask = ucred_getamask(ucred); 1443 if (mask != NULL) { 1444 state->as_info.ai_mask = *mask; 1445 } else { 1446 ucred_free(ucred); 1447 return (-1); 1448 } 1449 tid = ucred_getatid(ucred); 1450 if (tid != NULL) { 1451 adt_cpy_tid(&(state->as_info.ai_termid), 1452 tid); 1453 } else { 1454 ucred_free(ucred); 1455 return (-1); 1456 } 1457 state->as_info.ai_asid = ucred_getasid(ucred); 1458 state->as_info.ai_auid = ucred_getauid(ucred); 1459 state->as_label = adt_ucred_label(ucred); 1460 ucred_free(ucred); 1461 } 1462 state->as_have_user_data = ADT_HAVE_ALL; 1463 } 1464 } else { 1465 adt_setto_unaudited(state); 1466 } 1467 state->as_session_model = ADT_SESSION_MODEL; /* default */ 1468 1469 if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) && 1470 auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy), 1471 sizeof (state->as_kernel_audit_policy))) { 1472 return (-1); /* errno set by auditon */ 1473 } 1474 state->as_check = ADT_VALID; 1475 adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0], 1476 &adt_preload); 1477 return (0); 1478 } 1479 1480 /* 1481 * adt_set_proc 1482 * 1483 * Copy the current session state to the process. If this function 1484 * is called, the model becomes a process model rather than a 1485 * session model. 1486 * 1487 * In the current implementation, the value state->as_have_user_data 1488 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set 1489 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in. 1490 * 1491 */ 1492 1493 int 1494 adt_set_proc(const adt_session_data_t *session_data) 1495 { 1496 adt_internal_state_t *state; 1497 1498 if (session_data == NULL) { 1499 return (0); 1500 } 1501 1502 state = (adt_internal_state_t *)session_data; 1503 1504 assert(state->as_check == ADT_VALID); 1505 1506 if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) != 1507 (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) { 1508 errno = EINVAL; 1509 goto return_err; 1510 } 1511 1512 if (setaudit_addr((auditinfo_addr_t *)&(state->as_info), 1513 sizeof (auditinfo_addr_t)) < 0) { 1514 goto return_err; /* errno set by setaudit_addr() */ 1515 } 1516 1517 state->as_session_model = ADT_PROCESS_MODEL; 1518 1519 return (0); 1520 1521 return_err: 1522 adt_write_syslog("failed to set process audit characteristics", errno); 1523 return (-1); 1524 } 1525 1526 static int 1527 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid) 1528 { 1529 au_tid_addr_t no_tid = {0, AU_IPv4, 0, 0, 0, 0}; 1530 au_mask_t no_mask = {0, 0}; 1531 1532 if (ruid == ADT_NO_AUDIT) { 1533 state->as_info.ai_auid = AU_NOAUDITID; 1534 state->as_info.ai_asid = 0; 1535 state->as_info.ai_termid = no_tid; 1536 state->as_info.ai_mask = no_mask; 1537 return (0); 1538 } 1539 state->as_info.ai_auid = ruid; 1540 state->as_info.ai_asid = adt_get_unique_id(ruid); 1541 if (termid != NULL) 1542 state->as_info.ai_termid = *termid; 1543 1544 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask))) 1545 return (-1); 1546 1547 /* Assume intending to audit as this process */ 1548 1549 if (state->as_pid == (pid_t)-1) 1550 state->as_pid = getpid(); 1551 1552 if (is_system_labeled() && state->as_label == NULL) { 1553 ucred_t *ucred = ucred_get(P_MYID); 1554 1555 state->as_label = adt_ucred_label(ucred); 1556 ucred_free(ucred); 1557 } 1558 1559 return (0); 1560 } 1561 1562 static int 1563 adt_changeuser(adt_internal_state_t *state, uid_t ruid) 1564 { 1565 au_mask_t mask; 1566 1567 if (!(state->as_have_user_data & ADT_HAVE_AUID)) 1568 state->as_info.ai_auid = ruid; 1569 if (!(state->as_have_user_data & ADT_HAVE_ASID)) 1570 state->as_info.ai_asid = adt_get_unique_id(ruid); 1571 1572 if (ruid <= MAXEPHUID) { 1573 if (adt_get_mask_from_user(ruid, &mask)) 1574 return (-1); 1575 1576 state->as_info.ai_mask.am_success |= mask.am_success; 1577 state->as_info.ai_mask.am_failure |= mask.am_failure; 1578 } 1579 DPRINTF(("changed mask to %08X/%08X for ruid=%d\n", 1580 state->as_info.ai_mask.am_success, 1581 state->as_info.ai_mask.am_failure, 1582 ruid)); 1583 return (0); 1584 } 1585 1586 /* 1587 * adt_set_user -- see also adt_set_from_ucred() 1588 * 1589 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or 1590 * "unattributed." If ruid, change the model to session. 1591 * 1592 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value" 1593 * only valid with ADT_UPDATE. 1594 * 1595 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there 1596 * isn't a good reason to call adt_set_user() with it unless you don't 1597 * have a good value yet and intend to replace it later; auid will be 1598 * AU_NOAUDITID. 1599 * 1600 * adt_set_user should be called even if auditing is not enabled 1601 * so that adt_export_session_data() will have useful stuff to 1602 * work with. 1603 * 1604 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID 1605 * and ADT_HAVE_ALL. 1606 */ 1607 1608 int 1609 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid, 1610 uid_t ruid, gid_t rgid, const adt_termid_t *termid, 1611 enum adt_user_context user_context) 1612 { 1613 adt_internal_state_t *state; 1614 int rc; 1615 1616 if (session_data == NULL) /* no session exists to audit */ 1617 return (0); 1618 1619 state = (adt_internal_state_t *)session_data; 1620 assert(state->as_check == ADT_VALID); 1621 1622 switch (user_context) { 1623 case ADT_NEW: 1624 if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE || 1625 rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) { 1626 errno = EINVAL; 1627 return (-1); 1628 } 1629 if ((rc = adt_newuser(state, ruid, 1630 (au_tid_addr_t *)termid)) != 0) 1631 return (rc); 1632 1633 state->as_have_user_data = ADT_HAVE_ALL; 1634 break; 1635 case ADT_UPDATE: 1636 if (state->as_have_user_data != ADT_HAVE_ALL) { 1637 errno = EINVAL; 1638 return (-1); 1639 } 1640 1641 if (ruid != ADT_NO_CHANGE) 1642 if ((rc = adt_changeuser(state, ruid)) != 0) 1643 return (rc); 1644 break; 1645 case ADT_USER: 1646 if (state->as_have_user_data != ADT_HAVE_ALL) { 1647 errno = EINVAL; 1648 return (-1); 1649 } 1650 break; 1651 case ADT_SETTID: 1652 assert(termid != NULL); 1653 state->as_info.ai_termid = *((au_tid_addr_t *)termid); 1654 /* avoid fooling pam_setcred()... */ 1655 state->as_info.ai_auid = AU_NOAUDITID; 1656 state->as_info.ai_asid = 0; 1657 state->as_info.ai_mask.am_failure = 0; 1658 state->as_info.ai_mask.am_success = 0; 1659 state->as_have_user_data = ADT_HAVE_TID | 1660 ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK; 1661 return (0); 1662 default: 1663 errno = EINVAL; 1664 return (-1); 1665 } 1666 1667 if (ruid == ADT_NO_AUDIT) { 1668 state->as_ruid = AU_NOAUDITID; 1669 state->as_euid = AU_NOAUDITID; 1670 state->as_rgid = AU_NOAUDITID; 1671 state->as_egid = AU_NOAUDITID; 1672 } else { 1673 if (ruid != ADT_NO_CHANGE) 1674 state->as_ruid = ruid; 1675 if (euid != ADT_NO_CHANGE) 1676 state->as_euid = euid; 1677 if (rgid != ADT_NO_CHANGE) 1678 state->as_rgid = rgid; 1679 if (egid != ADT_NO_CHANGE) 1680 state->as_egid = egid; 1681 } 1682 1683 if (ruid == ADT_NO_ATTRIB) { 1684 state->as_session_model = ADT_SESSION_MODEL; 1685 } 1686 1687 return (0); 1688 } 1689 1690 /* 1691 * adt_set_from_ucred() 1692 * 1693 * an alternate to adt_set_user that fills the same role but uses 1694 * a pointer to a ucred rather than a list of id's. If the ucred 1695 * pointer is NULL, use the credential from the this process. 1696 * 1697 * A key difference is that for ADT_NEW, adt_set_from_ucred() does 1698 * not overwrite the asid and auid unless auid has not been set. 1699 * ADT_NEW differs from ADT_UPDATE in that it does not OR together 1700 * the incoming audit mask with the one that already exists. 1701 * 1702 * adt_set_from_ucred should be called even if auditing is not enabled 1703 * so that adt_export_session_data() will have useful stuff to 1704 * work with. 1705 */ 1706 1707 int 1708 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc, 1709 enum adt_user_context user_context) 1710 { 1711 adt_internal_state_t *state; 1712 int rc = -1; 1713 const au_tid64_addr_t *tid64; 1714 au_tid_addr_t termid, *tid; 1715 ucred_t *ucred = (ucred_t *)uc; 1716 boolean_t local_uc = B_FALSE; 1717 1718 if (session_data == NULL) /* no session exists to audit */ 1719 return (0); 1720 1721 state = (adt_internal_state_t *)session_data; 1722 assert(state->as_check == ADT_VALID); 1723 1724 if (ucred == NULL) { 1725 ucred = ucred_get(P_MYID); 1726 1727 if (ucred == NULL) 1728 goto return_rc; 1729 local_uc = B_TRUE; 1730 } 1731 1732 switch (user_context) { 1733 case ADT_NEW: 1734 tid64 = ucred_getatid(ucred); 1735 if (tid64 != NULL) { 1736 adt_cpy_tid(&termid, tid64); 1737 tid = &termid; 1738 } else { 1739 tid = NULL; 1740 } 1741 if (ucred_getauid(ucred) == AU_NOAUDITID) { 1742 adt_setto_unaudited(state); 1743 state->as_have_user_data = ADT_HAVE_ALL; 1744 rc = 0; 1745 goto return_rc; 1746 } else { 1747 state->as_info.ai_auid = ucred_getauid(ucred); 1748 state->as_info.ai_asid = ucred_getasid(ucred); 1749 state->as_info.ai_mask = *ucred_getamask(ucred); 1750 state->as_info.ai_termid = *tid; 1751 } 1752 state->as_have_user_data = ADT_HAVE_ALL; 1753 break; 1754 case ADT_UPDATE: 1755 if (state->as_have_user_data != ADT_HAVE_ALL) { 1756 errno = EINVAL; 1757 goto return_rc; 1758 } 1759 1760 if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0) 1761 goto return_rc; 1762 break; 1763 case ADT_USER: 1764 if (state->as_have_user_data != ADT_HAVE_ALL) { 1765 errno = EINVAL; 1766 goto return_rc; 1767 } 1768 break; 1769 default: 1770 errno = EINVAL; 1771 goto return_rc; 1772 } 1773 rc = 0; 1774 1775 state->as_ruid = ucred_getruid(ucred); 1776 state->as_euid = ucred_geteuid(ucred); 1777 state->as_rgid = ucred_getrgid(ucred); 1778 state->as_egid = ucred_getegid(ucred); 1779 state->as_pid = ucred_getpid(ucred); 1780 state->as_label = adt_ucred_label(ucred); 1781 1782 return_rc: 1783 if (local_uc) { 1784 ucred_free(ucred); 1785 } 1786 return (rc); 1787 } 1788 1789 /* 1790 * adt_alloc_event() returns a pointer to allocated memory 1791 * 1792 */ 1793 1794 adt_event_data_t 1795 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id) 1796 { 1797 struct adt_event_state *event_state; 1798 adt_internal_state_t *session_state; 1799 adt_event_data_t *return_event = NULL; 1800 /* 1801 * need to return a valid event pointer even if audit is 1802 * off, else the caller will end up either (1) keeping its 1803 * own flags for on/off or (2) writing to a NULL pointer. 1804 * If auditing is on, the session data must be valid; otherwise 1805 * we don't care. 1806 */ 1807 if (session_data != NULL) { 1808 session_state = (adt_internal_state_t *)session_data; 1809 assert(session_state->as_check == ADT_VALID); 1810 } 1811 event_state = calloc(1, sizeof (struct adt_event_state)); 1812 if (event_state == NULL) 1813 goto return_ptr; 1814 1815 event_state->ae_check = ADT_VALID; 1816 1817 event_state->ae_event_id = event_id; 1818 event_state->ae_session = (struct adt_internal_state *)session_data; 1819 1820 return_event = (adt_event_data_t *)&(event_state->ae_event_data); 1821 1822 /* 1823 * preload data so the adt_au_*() functions can detect un-supplied 1824 * values (0 and NULL are free via calloc()). 1825 */ 1826 if (session_data != NULL) { 1827 session_state->as_preload(event_id, return_event); 1828 } 1829 1830 return_ptr: 1831 return (return_event); 1832 } 1833 1834 /* 1835 * adt_getXlateTable -- look up translation table address for event id 1836 */ 1837 1838 static adt_translation_t * 1839 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id) 1840 { 1841 /* xlate_table is global in adt_xlate.c */ 1842 adt_translation_t **p_xlate = xlate; 1843 adt_translation_t *p_event; 1844 1845 while (*p_xlate != NULL) { 1846 p_event = *p_xlate; 1847 if (event_id == p_event->tx_external_event) 1848 return (p_event); 1849 p_xlate++; 1850 } 1851 return (NULL); 1852 } 1853 1854 /* 1855 * adt_calcOffsets 1856 * 1857 * the call to this function is surrounded by a mutex. 1858 * 1859 * i walks down the table picking up next_token. j walks again to 1860 * calculate the offset to the input data. k points to the next 1861 * token's row. Finally, l, is used to sum the values in the 1862 * datadef array. 1863 * 1864 * What's going on? The entry array is in the order of the input 1865 * fields but the processing of array entries is in the order of 1866 * the output (see next_token). Calculating the offset to the 1867 * "next" input can't be done in the outer loop (i) since i doesn't 1868 * point to the current entry and it can't be done with the k index 1869 * because it doesn't represent the order of input fields. 1870 * 1871 * While the resulting algorithm is n**2, it is only done once per 1872 * event type. 1873 */ 1874 1875 /* 1876 * adt_calcOffsets is only called once per event type, but it uses 1877 * the address alignment of memory allocated for that event as if it 1878 * were the same for all subsequently allocated memory. This is 1879 * guaranteed by calloc/malloc. Arrays take special handling since 1880 * what matters for figuring out the correct alignment is the size 1881 * of the array element. 1882 */ 1883 1884 static void 1885 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data) 1886 { 1887 int i, j; 1888 size_t this_size, prev_size; 1889 void *struct_start = p_data; 1890 1891 for (i = 0; i < tablesize; i++) { 1892 if (p_entry[i].en_type_def == NULL) { 1893 p_entry[i].en_offset = 0; 1894 continue; 1895 } 1896 prev_size = 0; 1897 p_entry[i].en_offset = (char *)p_data - (char *)struct_start; 1898 1899 for (j = 0; j < p_entry[i].en_count_types; j++) { 1900 if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG) 1901 this_size = sizeof (enum adt_generic); 1902 else 1903 this_size = 1904 p_entry[i].en_type_def[j].dd_input_size; 1905 1906 /* adj for first entry */ 1907 if (prev_size == 0) 1908 prev_size = this_size; 1909 1910 if (p_entry[i].en_type_def[j].dd_datatype == 1911 ADT_UINT32ARRAY) { 1912 p_data = (char *)adt_adjust_address(p_data, 1913 prev_size, sizeof (uint32_t)) + 1914 this_size - sizeof (uint32_t); 1915 1916 prev_size = sizeof (uint32_t); 1917 } else { 1918 p_data = adt_adjust_address(p_data, prev_size, 1919 this_size); 1920 prev_size = this_size; 1921 } 1922 } 1923 } 1924 } 1925 1926 /* 1927 * adt_generate_event 1928 * generate event record from external struct. The order is based on 1929 * the output tokens, allowing for the possibility that the input data 1930 * is in a different order. 1931 * 1932 */ 1933 1934 static int 1935 adt_generate_event(const adt_event_data_t *p_extdata, 1936 struct adt_event_state *p_event, 1937 adt_translation_t *p_xlate) 1938 { 1939 struct entry *p_entry; 1940 static mutex_t lock = DEFAULTMUTEX; 1941 1942 p_entry = p_xlate->tx_first_entry; 1943 assert(p_entry != NULL); 1944 1945 p_event->ae_internal_id = p_xlate->tx_internal_event; 1946 adt_token_open(p_event); 1947 1948 /* 1949 * offsets are not pre-calculated; the initial offsets are all 1950 * 0; valid offsets are >= 0. Offsets for no-input tokens such 1951 * as subject are set to -1 by adt_calcOffset() 1952 */ 1953 if (p_xlate->tx_offsetsCalculated == 0) { 1954 (void) mutex_lock(&lock); 1955 p_xlate->tx_offsetsCalculated = 1; 1956 1957 adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries, 1958 (void *)p_extdata); 1959 (void) mutex_unlock(&lock); 1960 } 1961 while (p_entry != NULL) { 1962 adt_generate_token(p_entry, (char *)p_extdata, p_event); 1963 1964 p_entry = p_entry->en_next_token; 1965 } 1966 return (adt_token_close(p_event)); 1967 } 1968 1969 /* 1970 * adt_put_event -- main event generation function. 1971 * The input "event" is the address of the struct containing 1972 * event-specific data. 1973 * 1974 * However if auditing is off or the session handle 1975 * is NULL, no attempt to write a record is made. 1976 */ 1977 1978 int 1979 adt_put_event(const adt_event_data_t *event, int status, int return_val) 1980 { 1981 struct adt_event_state *event_state; 1982 adt_translation_t *xlate; 1983 1984 if (event == NULL) { 1985 errno = EINVAL; 1986 return (-1); 1987 } 1988 event_state = (struct adt_event_state *)event; 1989 1990 /* if this is a broken session or not auditing, exit */ 1991 if ((event_state->ae_session == NULL) || 1992 !(event_state->ae_session->as_audit_state & 1993 (AUC_AUDITING | AUC_NOSPACE))) { 1994 return (0); 1995 } 1996 1997 assert(event_state->ae_check == ADT_VALID); 1998 1999 event_state->ae_rc = status; 2000 event_state->ae_type = return_val; 2001 2002 /* look up the event */ 2003 2004 xlate = adt_getXlateTable(event_state->ae_session->as_xlate, 2005 event_state->ae_event_id); 2006 2007 if (xlate == NULL) { 2008 errno = EINVAL; 2009 return (-1); 2010 } 2011 DPRINTF(("got event %d\n", xlate->tx_internal_event)); 2012 2013 if (adt_selected(event_state, xlate->tx_internal_event, status)) { 2014 return (adt_generate_event(event, event_state, xlate)); 2015 } 2016 2017 return (0); 2018 } 2019 2020 /* 2021 * adt_free_event -- invalidate and free 2022 */ 2023 2024 void 2025 adt_free_event(adt_event_data_t *event) 2026 { 2027 struct adt_event_state *event_state; 2028 2029 if (event == NULL) 2030 return; 2031 2032 event_state = (struct adt_event_state *)event; 2033 2034 assert(event_state->ae_check == ADT_VALID); 2035 2036 event_state->ae_check = 0; 2037 2038 free(event_state); 2039 } 2040 2041 /* 2042 * adt_is_selected -- helper to adt_selected(), below. 2043 * 2044 * "sorf" is "success or fail" status; au_preselect compares 2045 * that with success, fail, or both. 2046 */ 2047 2048 static int 2049 adt_is_selected(au_event_t e, au_mask_t *m, int sorf) 2050 { 2051 int prs_sorf; 2052 2053 if (sorf == 0) 2054 prs_sorf = AU_PRS_SUCCESS; 2055 else 2056 prs_sorf = AU_PRS_FAILURE; 2057 2058 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD)); 2059 } 2060 2061 /* 2062 * selected -- see if this event is preselected. 2063 * 2064 * if errors are encountered trying to check a preselection mask 2065 * or look up a user name, the event is selected. Otherwise, the 2066 * preselection mask is used for the job. 2067 */ 2068 2069 static int 2070 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status) 2071 { 2072 adt_internal_state_t *sp; 2073 au_mask_t namask; 2074 2075 sp = event->ae_session; 2076 2077 if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) { 2078 adt_write_syslog("No user data available", EINVAL); 2079 return (1); /* default is "selected" */ 2080 } 2081 2082 /* non-attributable? */ 2083 if ((sp->as_info.ai_auid == AU_NOAUDITID) || 2084 (sp->as_info.ai_auid == ADT_NO_AUDIT)) { 2085 if (auditon(A_GETKMASK, (caddr_t)&namask, 2086 sizeof (namask)) != 0) { 2087 adt_write_syslog("auditon failure", errno); 2088 return (1); 2089 } 2090 return (adt_is_selected(actual_id, &namask, status)); 2091 } else { 2092 return (adt_is_selected(actual_id, &(sp->as_info.ai_mask), 2093 status)); 2094 } 2095 } 2096 2097 /* 2098 * Can't map the host name to an IP address in 2099 * adt_get_hostIP. Get something off an interface 2100 * to act as the hosts IP address for auditing. 2101 */ 2102 2103 static int 2104 adt_get_local_address(int family, struct ifaddrlist *al) 2105 { 2106 struct ifaddrlist *ifal; 2107 char errbuf[ERRBUFSIZE] = "empty list"; 2108 char msg[ERRBUFSIZE + 512]; 2109 int ifal_count; 2110 int i; 2111 2112 if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) <= 0) { 2113 int serrno = errno; 2114 2115 (void) snprintf(msg, sizeof (msg), "adt_get_local_address " 2116 "couldn't get %d addrlist %s", family, errbuf); 2117 adt_write_syslog(msg, serrno); 2118 errno = serrno; 2119 return (-1); 2120 } 2121 2122 for (i = 0; i < ifal_count; i++) { 2123 /* 2124 * loopback always defined, 2125 * even if there is no real address 2126 */ 2127 if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) { 2128 break; 2129 } 2130 } 2131 if (i >= ifal_count) { 2132 free(ifal); 2133 /* 2134 * Callers of adt_get_hostIP() can only return 2135 * errno to their callers and eventually the application. 2136 * Picked one that seemed least worse for saying no 2137 * usable address for Audit terminal ID. 2138 */ 2139 errno = ENETDOWN; 2140 return (-1); 2141 } 2142 2143 *al = ifal[i]; 2144 free(ifal); 2145 return (0); 2146 } 2147