1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _BSM_AUDIT_KERNEL_H 26 #define _BSM_AUDIT_KERNEL_H 27 28 29 /* 30 * This file contains the basic auditing control structure definitions. 31 */ 32 33 #include <c2/audit_kevents.h> 34 #include <sys/priv_impl.h> 35 #include <sys/taskq.h> 36 #include <sys/zone.h> 37 38 #include <sys/tsol/label.h> 39 40 #ifdef __cplusplus 41 extern "C" { 42 #endif 43 44 /* 45 * This table contains the mapping from the system call ID to a corresponding 46 * audit event. 47 * 48 * au_init() is a function called at the beginning of the system call that 49 * performs any necessary setup/processing. It maps the call into the 50 * appropriate event, depending on the system call arguments. It is called 51 * by audit_start() from trap.c . 52 * 53 * au_event is the audit event associated with the system call. Most of the 54 * time it will map directly from the system call i.e. There is one system 55 * call associated with the event. 
In some cases, such as shmsys, or open,
 * the au_start() function will map the system call to more than one event,
 * depending on the system call arguments.
 *
 * au_start() is a function that provides per system call processing at the
 * beginning of a system call. It is mainly concerned with preserving the
 * audit record components that may be altered so that we can determine
 * what the original parameter was before as well as after the system call.
 * It is possible that au_start() may be taken away. It might be cleaner to
 * define flags in au_ctrl to save a designated argument. For the moment we
 * support both mechanisms, however the use of au_start() will be reviewed
 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
 *
 * au_finish() is a function that provides per system call processing at the
 * completion of a system call. In certain circumstances, the type of audit
 * event depends on intermediate results during the processing of the system
 * call. It is called in audit_finish() from trap.c .
 *
 * au_ctrl is a control vector that indicates what processing might have to
 * be performed, even if there is no auditing for this system call. At
 * present this is mostly for path processing for chmod, chroot. We need to
 * process the path information in vfs_lookup, even when we are not auditing
 * the system call in the case of chdir and chroot.
 */
/*
 * Defines for au_ctrl
 *
 * Each S2E_* name is an alias for one of the TAD_* thread audit control
 * flags defined later in this header, presumably so that a syscall's
 * au_ctrl word can be OR-ed straight into tad_ctrl by audit_start()
 * (the .c side is not visible here). The meaning of each bit is
 * documented with the TAD_* definitions.
 */
#define	S2E_SP	TAD_SAVPATH	/* save path for later use */
#define	S2E_MLD	TAD_MLD		/* only one lookup per system call */
#define	S2E_NPT	TAD_NOPATH	/* force no path in audit record */
#define	S2E_PUB	TAD_PUBLIC_EV	/* syscall is defined as a public op */
#define	S2E_ATC	TAD_ATCALL	/* syscall is one of the *at() family */

/*
 * At present, we are using the audit classes embedded within the kernel. Each
 * event has a bit mask determining which classes the event is associated.
* The table audit_e2s maps the audit event ID to the audit state.
 *
 * Note that this may change radically. If we use a bit vector for the audit
 * class, we can allow granularity at the event ID for each user. In this
 * case, the vector would be determined at user level and passed to the kernel
 * via the setaudit system call.
 */

/*
 * The audit_path structure holds paths for the current root and directory
 * for the process, as well as for open files and directly manipulated objects.
 * The reference count minimizes data copies since the process's current
 * directory changes very seldom.
 *
 * Instances are shared: au_pathhold()/au_pathrele() (declared below) manage
 * audp_ref, and au_pathdup() produces a copy. The object is allocated larger
 * than sizeof (struct audit_path): audp_size records the allocated byte size
 * and audp_cnt the number of valid audp_sect[] entries, so audp_cnt, not the
 * declared [1] bound, is the limit for indexing audp_sect[].
 */
struct audit_path {
	uint_t		audp_ref;	/* reference count */
	uint_t		audp_size;	/* allocated size of this structure */
	uint_t		audp_cnt;	/* number of path sections */
	char		*audp_sect[1];	/* path section pointers */
					/* audp_sect[0] is the path name */
					/* audp_sect[1+] are attribute paths */
					/* [1] is the pre-C99 trailing-array */
					/* idiom; sizeof this struct is not */
					/* the allocation size (audp_size is) */
};

/*
 * The structure of the terminal ID within the kernel is different from the
 * terminal ID in user space. It is a combination of port and IP address.
 *
 * at_addr holds four 32-bit words (16 bytes), presumably so that an IPv6
 * address fits; at_type presumably records the address family/length —
 * confirm against the user-space terminal ID definition.
 */

struct au_termid {
	dev_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};
typedef struct au_termid au_termid_t;

/*
 * Attributes for deferring the queuing of an event.
 *
 * One node per deferred audit record. Nodes are chained through audi_next
 * on the per-thread tad_defer_head/tad_defer_tail list (see t_audit_data),
 * which is described there as holding records until the system call ends.
 * audi_atime is presumably captured when the record is deferred so that
 * the record carries the time of the event rather than of the flush.
 */
typedef struct au_defer_info {
	struct au_defer_info	*audi_next;	/* next on linked list */
	void			*audi_ad;	/* audit record */
	au_event_t		audi_e_type;	/* audit event id */
	au_emod_t		audi_e_mod;	/* audit event modifier */
	int			audi_flag;	/* au_close*() flags */
	timestruc_t		audi_atime;	/* audit event timestamp */
} au_defer_info_t;

/*
 * The structure p_audit_data hangs off of the process structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each process.
*
 * The pad_lock is constructed in the kmem_cache; the rest is combined
 * in a sub structure so it can be copied/zeroed in one statement.
 *
 * The members have been reordered for maximum packing on 64 bit Solaris.
 *
 * pad_lock guards pad_data. pad_root and pad_cwd are reference-counted
 * audit_path objects, so replacing either presumably requires releasing the
 * old one (au_pathrele()). pad_newmask is a mask change that has not yet
 * been applied; PAD_SETMASK in pad_flags marks that it is pending.
 */
struct p_audit_data {
	kmutex_t	pad_lock;	/* lock pad data during changes */
	struct _pad_data {
		struct audit_path	*pad_root;	/* process root path */
		struct audit_path	*pad_cwd;	/* process cwd path */
		au_mask_t		pad_newmask;	/* pending new mask */
		int			pad_flags;	/* PAD_* flags */
	} pad_data;
};
typedef struct p_audit_data p_audit_data_t;

/*
 * Accessor shorthands for the sub structure. These are object-like macros:
 * from this point on every bare token pad_root/pad_cwd/pad_newmask/pad_flags
 * is rewritten to the pad_data member, so those names must not be reused
 * for anything else in code that includes this header.
 */
#define	pad_root	pad_data.pad_root
#define	pad_cwd		pad_data.pad_cwd
#define	pad_newmask	pad_data.pad_newmask
#define	pad_flags	pad_data.pad_flags

/*
 * Defines for process audit flags (pad_flags)
 */
#define	PAD_SETMASK	0x00000001	/* need to complete pending setmask */

extern kmem_cache_t *au_pad_cache;	/* cache backing struct p_audit_data */

/*
 * Defines for thread audit control/status flags (tad_ctrl)
 *
 * Bit flags kept in t_audit_data.tad_ctrl. Several are also reachable
 * under the S2E_* names used for audit_s2e.au_ctrl. TAD_ERRJMP (abort
 * record generation on error) presumably pairs with tad_errjmp, the saved
 * longjmp target; TAD_NOAUDIT discards the record that was built.
 */
#define	TAD_ABSPATH	0x00000001	/* path from lookup is absolute */
#define	TAD_ATCALL	0x00000002	/* *at() syscall, like openat() */
#define	TAD_ATTPATH	0x00000004	/* attribute file lookup */
#define	TAD_CORE	0x00000008	/* save attribute during core dump */
#define	TAD_ERRJMP	0x00000010	/* abort record generation on error */
#define	TAD_MLD		0x00000020	/* system call involves MLD */
#define	TAD_NOATTRB	0x00000040	/* do not automatically add attribute */
#define	TAD_NOAUDIT	0x00000080	/* discard audit record */
#define	TAD_NOPATH	0x00000100	/* force no paths in audit record */
#define	TAD_PATHFND	0x00000200	/* found path, don't retry lookup */
#define	TAD_PUBLIC_EV	0x00000400	/* syscall is defined as a public op */
#define	TAD_SAVPATH	0x00000800	/* save path for further processing */
#define	TAD_TRUE_CREATE	0x00001000	/* true create, file not found */

/*
 * The structure t_audit_data hangs off of
the thread structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each thread.
 *
 * tad_ad is the record being accumulated for the current system call.
 * tad_defer_head/tad_defer_tail form the list of au_defer_info_t records
 * held back until the system call ends. tad_sprivs/tad_fprivs keep the
 * privileges used on the success and failure paths respectively. tad_errjmp
 * is an opaque pointer described as the error longjmp target; its concrete
 * type is not visible in this header.
 */

struct t_audit_data {
	kthread_id_t	tad_thread;	/* DEBUG pointer to parent thread */
	unsigned int	tad_scid;	/* system call ID for finish */
	au_event_t	tad_event;	/* event for audit record */
	au_emod_t	tad_evmod;	/* event modifier for audit record */
	int		tad_ctrl;	/* audit control/status flags (TAD_*) */
	void		*tad_errjmp;	/* error longjmp (audit record aborted) */
	int		tad_flag;	/* to audit or not to audit */
	uint32_t	tad_audit;	/* auditing enabled/disabled */
	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
	caddr_t		tad_ad;		/* base of accumulated audit data */
	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
						/* until syscall end: */
	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
	priv_set_t	tad_sprivs;	/* saved (success) used privs */
	priv_set_t	tad_fprivs;	/* saved (failed) used privs */
};
typedef struct t_audit_data t_audit_data_t;

/*
 * The f_audit_data structure hangs off of the file structure. It contains
 * three fields: a DEBUG pointer to the creating thread, FAD_* control
 * flags, and the path captured by vfs_lookup.
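*/

struct f_audit_data {
	kthread_id_t	fad_thread;	/* DEBUG creating thread */
	int		fad_flags;	/* audit control flags (FAD_*) */
	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
};
typedef struct f_audit_data f_audit_data_t;

#define	FAD_READ	0x0001	/* read system call seen */
#define	FAD_WRITE	0x0002	/* write system call seen */

/*
 * Navigation from a proc/thread/file to its attached audit data. The
 * macro arguments are parenthesized so that an expression operand is
 * applied as a whole before the member access. U2A() ignores its
 * argument and always resolves to the current thread's t_audit_data.
 */
#define	P2A(p)	((p)->p_audit_data)
#define	T2A(t)	((t)->t_audit_data)
#define	U2A(u)	(curthread->t_audit_data)
#define	F2A(f)	((f)->f_audit_data)

/* current thread's record base / control flags / audit-or-not flag */
#define	u_ad	((U2A(u))->tad_ad)
#define	ad_ctrl	((U2A(u))->tad_ctrl)
#define	ad_flag	((U2A(u))->tad_flag)

#define	AU_BUFSIZE	128	/* buffer size for the buffer pool */

/*
 * Element of the audit buffer pool. len is a uchar_t and so can describe
 * at most 255 bytes of buf; AU_BUFSIZE (128) fits within that. The exact
 * meaning of len, rec_len and flag is not documented here — see au_buff
 * users in the .c files.
 */
struct au_buff {
	char		buf[AU_BUFSIZE];
	struct au_buff	*next_buf;
	struct au_buff	*next_rec;
	ushort_t	rec_len;
	uchar_t		len;
	uchar_t		flag;
};

typedef struct au_buff au_buff_t;

/*
 * Kernel audit queue structure.
 *
 * lock is the mutex for queue modification. hiwater/lowater are the
 * blocking and restart thresholds for writers, which sleep on write_cv;
 * the reader sleeps on read_cv (presumably while the queue is empty).
 * wt_block/rd_block record which side is currently asleep. Whether a
 * full queue blocks or drops records is decided by the .c side and the
 * audit policy, not by anything in this header.
 */
struct audit_queue {
	au_buff_t	*head;		/* head of queue */
	au_buff_t	*tail;		/* tail of queue */
	ssize_t		cnt;		/* number elements on queue */
	size_t		hiwater;	/* high water mark to block */
	size_t		lowater;	/* low water mark to restart */
	size_t		bufsz;		/* audit trail write buffer size */
	size_t		buflen;		/* audit trail buffer length in use */
	clock_t		delay;		/* delay before flushing queue */
	int		wt_block;	/* writer is blocked (1) */
	int		rd_block;	/* reader is blocked (1) */
	kmutex_t	lock;		/* mutex lock for queue modification */
	kcondvar_t	write_cv;	/* sleep structure for write block */
	kcondvar_t	read_cv;	/* sleep structure for read block */
};


/*
 * One entry of the audit_s2e[] table, which maps a system call ID to its
 * audit event and handlers (see the discussion at the top of this header).
 * The table definition is not in this header, so whether au_init/au_start/
 * au_finish may be NULL is not visible here — check at the call site.
 */
union rval;
struct audit_s2e {
	au_event_t	(*au_init)(au_event_t);
			/* convert au_event to real audit event ID */

	int		au_event;	/* default audit event for this system call */
	void		(*au_start)(struct t_audit_data *);
			/* pre-system call audit processing */

	void		(*au_finish)(struct t_audit_data *, int, union rval *);
			/* post-system call audit processing */
	int		au_ctrl;	/* control flags for auditing actions (S2E_*) */
};

extern struct audit_s2e audit_s2e[];

/*
 * Sentinel values for au_kcontext.auk_valid. AUK_INVALID is 0, so a zeroed
 * allocation is invalid by construction; AUK_VALID is a distinctive pattern
 * that presumably marks an initialized context.
 */
#define	AUK_VALID	0x5A5A5A5A
#define	AUK_INVALID	0
/*
 * per zone audit context
 *
 * Everything the audit subsystem keeps per zone: policy bits, the record
 * queue, the auditdoor output buffer and door-retry synchronization
 * (auk_eagain_*), the output taskq and the per-event state table auk_ets
 * (MAX_KEVENTS + 1 entries, presumably indexed by audit event ID).
 */
struct au_kcontext {
	uint32_t		auk_valid;	/* AUK_VALID / AUK_INVALID */
	zoneid_t		auk_zid;

	boolean_t		auk_hostaddr_valid;
	int			auk_sequence;
	int			auk_auditstate;
	int			auk_output_active;
	struct vnode		*auk_current_vp;
	uint32_t		auk_policy;	/* policy bits, e.g. AUDIT_GROUP */

	struct audit_queue	auk_queue;

	au_dbuf_t		*auk_dbuffer;	/* auditdoor output */

	au_stat_t		auk_statistics;

	struct auditinfo_addr	auk_info;
	kmutex_t		auk_eagain_mutex;	/* door call retry */
	kcondvar_t		auk_eagain_cv;

	taskq_t			*auk_taskq;	/* output thread */

	/* Only one audit svc per zone at a time */
	/* With the elimination of auditsvc, can this also go? see 6648414 */
	kmutex_t		auk_svc_lock;

	au_state_t		auk_ets[MAX_KEVENTS + 1];
};
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

extern zone_key_t au_zone_key;

/*
 * Kernel auditing external variables
 */
extern uint32_t audit_policy;
extern int audit_active;

extern struct audit_queue au_queue;
extern struct p_audit_data *pad0;
extern struct t_audit_data *tad0;

/*
 * audit_path support routines
 *
 * au_pathhold()/au_pathrele() adjust audp_ref. au_pathdup() returns a
 * separate audit_path, which the caller presumably owns and releases with
 * au_pathrele(); its two int parameters are unnamed here — see the
 * definition for their meaning.
 */
void au_pathhold(struct audit_path *);
void au_pathrele(struct audit_path *);
struct audit_path *au_pathdup(const struct audit_path *, int, int);

void au_pad_init(void);

/*
 * These look like the system call handlers (setaudit is referred to as a
 * system call above). The caddr_t arguments are then user-space addresses
 * and the int lengths caller-supplied, so the implementations (not in this
 * header) are responsible for copyin/copyout and bounds checks on them.
 */
int auditctl(int cmd, caddr_t data, int length);
int auditdoor(int fd);
int getauid(caddr_t);
int setauid(caddr_t);
int getaudit(caddr_t);
int getaudit_addr(caddr_t, int);
int setaudit(caddr_t);
int setaudit_addr(caddr_t, int);

/*
 * Macros to hide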
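asynchronous, non-blocking audit record start and finish
 * processing.
 *
 * NOTE: must be used in (void) function () { ... }
 *
 * AUDIT_ASYNC_START expands to a brace block that declares a label_t jb,
 * makes it the abort target with setjmp() and hands &jb to
 * audit_async_start(). When setjmp() returns non-zero (the record was
 * aborted) the partial record is dropped through audit_async_drop() and the
 * enclosing function returns; it also returns when audit_async_start()
 * returns non-zero (per the comment below, presumably when auditing is off
 * or the event is not preselected). Both are bare `return;`, hence the
 * void-function requirement.
 * NOTE(review): jb's block scope ends at the macro's closing brace while
 * audit_async_start() has been given its address — confirm that every
 * longjmp() back to it happens while the enclosing function's frame is
 * still live.
 */

#define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
{ \
	label_t jb; \
	if (setjmp(&jb)) { \
		/* cleanup any residual audit data */ \
		audit_async_drop((caddr_t *)&(rp), 0); \
		return; \
	} \
	/* auditing enabled and we're preselected for this event? */ \
	if (audit_async_start(&jb, audit_event, sorf)) { \
		return; \
	} \
}

/*
 * Hand the completed asynchronous record to audit_async_finish(). The
 * expansion ends with ';', so a caller's own trailing semicolon becomes an
 * empty statement; kept as is for compatibility with existing callers.
 */
#define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
	event_time);


#ifdef _KERNEL
au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
#endif

/*
 * Macro for uniform "subject" token(s) generation
 *
 * Writes up to three tokens to record u from credential c, auditinfo a and
 * zone context k: the subject token always, a label token when the system
 * is labeled, and a groups token when AUDIT_GROUP is set in k->auk_policy.
 * p is the process ID placed in the subject token. The expansion is three
 * expression statements, so it must not be used as the body of an
 * unbraced if/while.
 */
#define	AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \
	(au_write((u), au_to_subject(crgetuid(c), \
		crgetgid(c), crgetruid(c), crgetrgid(c), \
		p, (a)->ai_auid, (a)->ai_asid, \
		&((a)->ai_termid)))); \
	((is_system_labeled()) ? au_write((u), \
	    au_to_label(CR_SL((c)))) : (void) 0); \
	(((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\
	    au_to_groups(crgetgroups(c), \
		crgetngroups(c))) : (void) 0)

#define	AUDIT_SETSUBJ(u, c, a, k) \
	AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)

/*
 * Same identity fields as the subject token, emitted as a process token.
 * The expansion ends with ';' (a caller's semicolon becomes an empty
 * statement); kept as is for compatibility with existing callers.
 */
#define	AUDIT_SETPROC_GENERIC(u, c, a, p) \
	(au_write((u), au_to_process(crgetuid(c), \
		crgetgid(c), crgetruid(c), crgetrgid(c), \
		p, (a)->ai_auid, (a)->ai_asid, \
		&((a)->ai_termid))));

#define	AUDIT_SETPROC(u, c, a) \
	AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid)

/*
 * Macros for type conversion
 */

/*
 * au_membuf head, to typed data. (x) is parenthesized so that an
 * expression operand is dereferenced as a whole before the cast.
 */
#define	memtod(x, t)	((t)(x)->buf)

/* au_membuf types */
#define	MT_FREE		0	/* should be on free list */
#define	MT_DATA		1	/* dynamic (data) allocation */

/*
 * flags to au_memget
 * NOTE: these are unprefixed names visible to every includer of this header.
 */
#define	DONTWAIT	0
#define	WAIT		1

#define	AU_PACK		1	/* pack data in au_append_rec() */
#define	AU_LINK		0	/* link data in au_append_rec() */

/* flags to async routines */
#define	AU_BACKEND	1	/* called from softcall backend */

#ifdef	__cplusplus
}
#endif

#endif /* _BSM_AUDIT_KERNEL_H */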