xref: /illumos-gate/usr/src/uts/common/c2/audit_kernel.h (revision fb2a9bae0030340ad72b9c26ba1ffee2ee3cafec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _BSM_AUDIT_KERNEL_H
27 #define	_BSM_AUDIT_KERNEL_H
28 
29 
30 /*
31  * This file contains the basic auditing control structure definitions.
32  */
33 
34 #include <c2/audit_kevents.h>
35 #include <sys/priv_impl.h>
36 #include <sys/taskq.h>
37 #include <sys/zone.h>
38 
39 #include <sys/tsol/label.h>
40 
41 #ifdef __cplusplus
42 extern "C" {
43 #endif
44 
45 /*
46  * This table contains the mapping from the system call ID to a corresponding
47  * audit event.
48  *
49  *   au_init() is a function called at the beginning of the system call that
50  *   performs any necessary setup/processing. It maps the call into the
51  *   appropriate event, depending on the system call arguments. It is called
52  *   by audit_start() from trap.c .
53  *
54  *   au_event is the audit event associated with the system call. Most of the
55  *   time it will map directly from the system call i.e. There is one system
56  *   call associated with the event. In some cases, such as shmsys, or open,
57  *   the au_start() function will map the system call to more than one event,
58  *   depending on the system call arguments.
59  *
60  *   au_start() is a function that provides per system call processing at the
61  *   beginning of a system call. It is mainly concerned with preseving the
62  *   audit record components that may be altered so that we can determine
63  *   what the original paramater was before as well as after the system call.
64  *   It is possible that au_start() may be taken away. It might be cleaner to
65  *   define flags in au_ctrl to save a designated argument. For the moment we
66  *   support both mechanisms, however the use of au_start() will be reviewed
67  *   for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
68  *
69  *   au_finish() is a function that provides per system call processing at the
70  *   completion of a system call. In certain circumstances, the type of audit
71  *   event depends on intermidiate results during the processing of the system
72  *   call. It is called in audit_finish() from trap.c .
73  *
74  *   au_ctrl is a control vector that indicates what processing might have to
75  *   be performed, even if there is no auditing for this system call. At
76  *   present this is mostly for path processing for chmod, chroot. We need to
77  *   process the path information in vfs_lookup, even when we are not auditing
78  *   the system call in the case of chdir and chroot.
79  */
80 /*
81  * Defines for au_ctrl
82  */
83 #define	S2E_SP  PAD_SAVPATH	/* save path for later use */
84 #define	S2E_MLD PAD_MLD		/* only one lookup per system call */
85 #define	S2E_NPT PAD_NOPATH	/* force no path in audit record */
86 #define	S2E_PUB PAD_PUBLIC_EV	/* syscall is defined as a public op */
87 #define	S2E_ATC	PAD_ATCALL	/* syscall is one of the *at() family */
88 
89 /*
90  * At present, we are using the audit classes imbedded with in the kernel. Each
91  * event has a bit mask determining which classes the event is associated.
92  * The table audit_e2s maps the audit event ID to the audit state.
93  *
94  * Note that this may change radically. If we use a bit vector for the audit
95  * class, we can allow granularity at the event ID for each user. In this
96  * case, the vector would be determined at user level and passed to the kernel
97  * via the setaudit system call.
98  */
99 
100 /*
101  * The audit_pad structure holds paths for the current root and directory
102  * for the process, as well as for open files and directly manipulated objects.
103  * The reference count minimizes data copies since the process's current
104  * directory changes very seldom.
105  */
106 struct audit_path {
107 	uint_t		audp_ref;	/* reference count */
108 	uint_t		audp_size;	/* allocated size of this structure */
109 	uint_t		audp_cnt;	/* number of path sections */
110 	char		*audp_sect[1];	/* path section pointers */
111 					/* audp_sect[0] is the path name */
112 					/* audp_sect[1+] are attribute paths */
113 };
114 
115 /*
116  * The structure of the terminal ID within the kernel is different from the
117  * terminal ID in user space. It is a combination of port and IP address.
118  */
119 
120 struct au_termid {
121 	dev_t	at_port;
122 	uint_t	at_type;
123 	uint_t	at_addr[4];
124 };
125 typedef struct au_termid au_termid_t;
126 
127 /*
128  * Attributes for deferring the queuing of an event.
129  */
130 typedef struct au_defer_info {
131 	struct au_defer_info	*audi_next;	/* next on linked list */
132 	void	 *audi_ad;		/* audit record */
133 	au_event_t	audi_e_type;	/* audit event id */
134 	au_emod_t	audi_e_mod;	/* audit event modifier */
135 	int	audi_flag;		/* au_close*() flags */
136 	timestruc_t	audi_atime;	/* audit event timestamp */
137 } au_defer_info_t;
138 
139 /*
140  * The structure p_audit_data hangs off of the process structure. It contains
141  * all of the audit information necessary to manage the audit record generation
142  * for each process.
143  *
144  * The pad_lock is constructed in the kmem_cache; the rest is combined
145  * in a sub structure so it can be copied/zeroed in one statement.
146  *
147  * The members have been reordered for maximum packing on 64 bit Solaris.
148  */
149 struct p_audit_data {
150 	kmutex_t	pad_lock;	/* lock pad data during changes */
151 	struct _pad_data {
152 		struct audit_path	*pad_root;	/* process root path */
153 		struct audit_path	*pad_cwd;	/* process cwd path */
154 		au_mask_t		pad_newmask;	/* pending new mask */
155 		int			pad_flags;
156 	} pad_data;
157 };
158 typedef struct p_audit_data p_audit_data_t;
159 
160 #define	pad_root	pad_data.pad_root
161 #define	pad_cwd		pad_data.pad_cwd
162 #define	pad_newmask	pad_data.pad_newmask
163 #define	pad_flags	pad_data.pad_flags
164 
165 /*
166  * Defines for pad_flags
167  */
168 #define	PAD_SETMASK 	0x00000001	/* need to complete pending setmask */
169 
170 extern kmem_cache_t *au_pad_cache;
171 
172 /*
173  * Defines for tad_ctrl
174  */
175 #define	PAD_SAVPATH 	0x00000001	/* save path for further processing */
176 #define	PAD_MLD		0x00000002	/* system call involves MLD */
177 #define	PAD_NOPATH  	0x00000004	/* force no paths in audit record */
178 #define	PAD_ABSPATH 	0x00000008	/* path from lookup is absolute */
179 #define	PAD_NOATTRB 	0x00000010	/* do not automatically add attribute */
180 					/* 0x20 unused */
181 #define	PAD_ATCALL	0x00000040	/* *at() syscall, like openat() */
182 #define	PAD_LFLOAT  	0x00000080	/* Label float */
183 #define	PAD_NOAUDIT 	0x00000100	/* discard audit record */
184 #define	PAD_PATHFND 	0x00000200	/* found path, don't retry lookup */
185 #define	PAD_SPRIV   	0x00000400	/* succ priv use. extra audit_finish */
186 #define	PAD_FPRIV   	0x00000800	/* fail priv use. extra audit_finish */
187 #define	PAD_SMAC    	0x00001000	/* succ mac use. extra audit_finish */
188 #define	PAD_FMAC    	0x00002000	/* fail mac use. extra audit_finish */
189 #define	PAD_AUDITME 	0x00004000	/* audit me because of NFS operation */
190 #define	PAD_ATTPATH  	0x00008000	/* attribute file lookup */
191 #define	PAD_TRUE_CREATE 0x00010000	/* true create, file not found */
192 #define	PAD_CORE	0x00020000	/* save attribute during core dump */
193 #define	PAD_ERRJMP	0x00040000	/* abort record generation on error */
194 #define	PAD_PUBLIC_EV	0x00080000	/* syscall is defined as a public op */
195 
196 /*
197  * The structure t_audit_data hangs off of the thread structure. It contains
198  * all of the audit information necessary to manage the audit record generation
199  * for each thread.
200  *
201  */
202 
203 struct t_audit_data {
204 	kthread_id_t  tad_thread;	/* DEBUG pointer to parent thread */
205 	unsigned int  tad_scid;		/* system call ID for finish */
206 	au_event_t	tad_event;	/* event for audit record */
207 	au_emod_t	tad_evmod;	/* event modifier for audit record */
208 	int	tad_ctrl;	/* audit control/status flags */
209 	void	*tad_errjmp;	/* error longjmp (audit record aborted) */
210 	int	tad_flag;	/* to audit or not to audit */
211 	uint32_t tad_audit;	/* auditing enabled/disabled */
212 	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
213 	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
214 	struct vnode *tad_vn;	/* saved inode from vfs_lookup */
215 	caddr_t tad_ad;		/* base of accumulated audit data */
216 	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
217 						/* until syscall end: */
218 	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
219 	priv_set_t tad_sprivs;	/* saved (success) used privs */
220 	priv_set_t tad_fprivs;	/* saved (failed) used privs */
221 };
222 typedef struct t_audit_data t_audit_data_t;
223 
224 /*
225  * The f_audit_data structure hangs off of the file structure. It contains
226  * three fields of data. The audit ID, the audit state, and a path name.
227  */
228 
229 struct f_audit_data {
230 	kthread_id_t	fad_thread;	/* DEBUG creating thread */
231 	int		fad_flags;	/* audit control flags */
232 	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
233 };
234 typedef struct f_audit_data f_audit_data_t;
235 
236 #define	FAD_READ	0x0001		/* read system call seen */
237 #define	FAD_WRITE	0x0002		/* write system call seen */
238 
239 #define	P2A(p)	(p->p_audit_data)
240 #define	T2A(t)	(t->t_audit_data)
241 #define	U2A(u)	(curthread->t_audit_data)
242 #define	F2A(f)	(f->f_audit_data)
243 
244 #define	u_ad    ((U2A(u))->tad_ad)
245 #define	ad_ctrl ((U2A(u))->tad_ctrl)
246 #define	ad_flag ((U2A(u))->tad_flag)
247 
248 #define	AU_BUFSIZE	128		/* buffer size for the buffer pool */
249 
250 struct au_buff {
251 	char		buf[AU_BUFSIZE];
252 	struct au_buff	*next_buf;
253 	struct au_buff	*next_rec;
254 	ushort_t	rec_len;
255 	uchar_t		len;
256 	uchar_t		flag;
257 };
258 
259 typedef struct au_buff au_buff_t;
260 
261 /*
262  * Kernel audit queue structure.
263  */
264 struct audit_queue {
265 	au_buff_t *head;	/* head of queue */
266 	au_buff_t *tail;	/* tail of queue */
267 	ssize_t	cnt;		/* number elements on queue */
268 	size_t	hiwater;	/* high water mark to block */
269 	size_t	lowater;	/* low water mark to restart */
270 	size_t	bufsz;		/* audit trail write buffer size */
271 	size_t	buflen;		/* audit trail buffer length in use */
272 	clock_t	delay;		/* delay before flushing queue */
273 	int	wt_block;	/* writer is blocked (1) */
274 	int	rd_block;	/* reader is blocked (1) */
275 	kmutex_t lock;		/* mutex lock for queue modification */
276 	kcondvar_t write_cv;	/* sleep structure for write block */
277 	kcondvar_t read_cv;	/* sleep structure for read block */
278 };
279 
280 
281 union rval;
282 struct audit_s2e {
283 	au_event_t (*au_init)(au_event_t);
284 				/* convert au_event to real audit event ID */
285 
286 	int au_event;		/* default audit event for this system call */
287 	void (*au_start)(struct t_audit_data *);
288 				/* pre-system call audit processing */
289 	void (*au_finish)(struct t_audit_data *, int, union rval *);
290 				/* post-system call audit processing */
291 	int au_ctrl;		/* control flags for auditing actions */
292 };
293 
294 extern struct audit_s2e audit_s2e[];
295 
296 #define	AUK_VALID	0x5A5A5A5A
297 #define	AUK_INVALID	0
298 /*
299  * per zone audit context
300  */
301 struct au_kcontext {
302 	uint32_t		auk_valid;
303 	zoneid_t		auk_zid;
304 
305 	boolean_t		auk_hostaddr_valid;
306 	int			auk_sequence;
307 	int			auk_auditstate;
308 	int			auk_output_active;
309 	struct vnode		*auk_current_vp;
310 	uint32_t		auk_policy;
311 
312 	struct audit_queue	auk_queue;
313 
314 	au_dbuf_t		*auk_dbuffer;	/* auditdoor output */
315 
316 	au_stat_t		auk_statistics;
317 
318 	struct auditinfo_addr	auk_info;
319 	kmutex_t		auk_eagain_mutex; /* door call retry */
320 	kcondvar_t		auk_eagain_cv;
321 
322 	taskq_t			*auk_taskq;	/* output thread */
323 
324 	/* Only one audit svc per zone at a time */
325 	/* With the elimination of auditsvc, can this also go? see 6648414 */
326 	kmutex_t 		auk_svc_lock;
327 
328 	au_state_t		auk_ets[MAX_KEVENTS + 1];
329 };
330 #ifndef AUK_CONTEXT_T
331 #define	AUK_CONTEXT_T
332 typedef struct au_kcontext au_kcontext_t;
333 #endif
334 
335 extern zone_key_t au_zone_key;
336 
337 /*
338  * Kernel auditing external variables
339  */
340 extern uint32_t audit_policy;
341 extern int audit_active;
342 
343 extern struct audit_queue au_queue;
344 extern struct p_audit_data *pad0;
345 extern struct t_audit_data *tad0;
346 
347 /*
348  * audit_path support routines
349  */
350 void au_pathhold(struct audit_path *);
351 void au_pathrele(struct audit_path *);
352 struct audit_path *au_pathdup(const struct audit_path *, int, int);
353 
354 void au_pad_init(void);
355 
356 int auditctl(int cmd, caddr_t data, int length);
357 int auditdoor(int fd);
358 int getauid(caddr_t);
359 int setauid(caddr_t);
360 int getaudit(caddr_t);
361 int getaudit_addr(caddr_t, int);
362 int setaudit(caddr_t);
363 int setaudit_addr(caddr_t, int);
364 
365 /*
366  * Macros to hide asynchronous, non-blocking audit record start and finish
367  * processing.
368  *
369  * NOTE: must be used in (void) funcction () { ... }
370  */
371 
372 #define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
373 { \
374 	label_t jb; \
375 	if (setjmp(&jb)) { \
376 		/* cleanup any residual audit data */ \
377 		audit_async_drop((caddr_t *)&(rp), 0); \
378 		return; \
379 	} \
380 	/* auditing enabled and we're preselected for this event? */ \
381 	if (audit_async_start(&jb, audit_event, sorf)) { \
382 		return; \
383 	} \
384 }
385 
386 #define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
387 	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
388 	event_time);
389 
390 
391 #ifdef	_KERNEL
392 au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
393 #endif
394 
395 /*
396  * Macro for uniform "subject" token(s) generation
397  */
398 #define	AUDIT_SETSUBJ_GENERIC(u, c, a, k, p)		\
399 	(au_write((u), au_to_subject(crgetuid(c),	\
400 	    crgetgid(c), crgetruid(c), crgetrgid(c),	\
401 	    p, (a)->ai_auid, (a)->ai_asid,		\
402 	    &((a)->ai_termid))));			\
403 	((is_system_labeled()) ?  au_write((u),		\
404 	    au_to_label(CR_SL((c)))) : (void) 0);	\
405 	(((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\
406 	    au_to_groups(crgetgroups(c),		\
407 	    crgetngroups(c))) : (void) 0)
408 
409 #define	AUDIT_SETSUBJ(u, c, a, k)      		\
410 	AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)
411 
412 /*
413  * Macros for type conversion
414  */
415 
416 /* au_membuf head, to typed data */
417 #define	memtod(x, t)	((t)x->buf)
418 
419 /* au_membuf types */
420 #define	MT_FREE		0	/* should be on free list */
421 #define	MT_DATA		1	/* dynamic (data) allocation */
422 
423 /* flags to au_memget */
424 #define	DONTWAIT	0
425 #define	WAIT		1
426 
427 #define	AU_PACK	1	/* pack data in au_append_rec() */
428 #define	AU_LINK 0	/* link data in au_append_rec() */
429 
430 /* flags to async routines */
431 #define	AU_BACKEND	1	/* called from softcall backend */
432 
433 #ifdef __cplusplus
434 }
435 #endif
436 
437 #endif /* _BSM_AUDIT_KERNEL_H */
438