xref: /illumos-gate/usr/src/uts/common/c2/audit_start.c (revision 1a220b56b93ff1dc80855691548503117af4cc10)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file contains the envelope code for system call auditing.
30  */
31 
32 #include <sys/param.h>
33 #include <sys/types.h>
34 #include <sys/time.h>
35 #include <sys/kmem.h>
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/file.h>
39 #include <sys/user.h>
40 #include <sys/stropts.h>
41 #include <sys/systm.h>
42 #include <sys/pathname.h>
43 #include <sys/debug.h>
44 #include <sys/cred_impl.h>
45 #include <sys/zone.h>
46 #include <sys/tsol/label.h>
47 #include <c2/audit.h>
48 #include <c2/audit_kernel.h>
49 #include <c2/audit_kevents.h>
50 #include <c2/audit_record.h>
51 #include "audit_door_infc.h"
52 
53 extern uint_t num_syscall;		/* size of audit_s2e table */
54 extern kmutex_t pidlock;		/* proc table lock */
55 
56 int audit_load = 0;	/* set from /etc/system */
57 
58 struct p_audit_data *pad0;
59 struct t_audit_data *tad0;
60 
61 /*
62  * Das Boot. Initialize first process. Also generate an audit record indicating
63  * that the system has been booted.
64  */
65 void
66 audit_init()
67 {
68 	kthread_t *au_thread;
69 	token_t *rp = NULL;
70 	label_t jb;
71 	struct audit_path apempty;
72 	auditinfo_addr_t *ainfo;
73 
74 	if (audit_load == 0) {
75 		audit_active = 0;
76 		au_auditstate = AUC_DISABLED;
77 		return;
78 #ifdef DEBUG
79 	} else if (audit_load == 2) {
80 		debug_enter((char *)NULL);
81 #endif
82 	}
83 
84 	audit_active = 1;
85 	set_all_proc_sys();		/* set pre- and post-syscall flags */
86 
87 	/* initialize memory allocators */
88 	au_mem_init();
89 
90 	au_zone_setup();
91 
92 	/* inital thread structure */
93 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
94 
95 	/* initial process structure */
96 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
97 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
98 
99 	T2A(curthread) = tad0;
100 	P2A(curproc) = pad0;
101 
102 	/*
103 	 * The kernel allocates a bunch of threads make sure they have
104 	 * a valid tad
105 	 */
106 
107 	mutex_enter(&pidlock);
108 
109 	au_thread = curthread;
110 	do {
111 		if (T2A(au_thread) == NULL) {
112 			T2A(au_thread) = tad0;
113 		}
114 		au_thread = au_thread->t_next;
115 	} while (au_thread != curthread);
116 
117 	tad0->tad_ad   = NULL;
118 	mutex_exit(&pidlock);
119 
120 	/*
121 	 * Initialize audit context in our cred (kcred).
122 	 * No copy-on-write needed here because it's so early in init.
123 	 */
124 	ainfo = crgetauinfo_modifiable(kcred);
125 	ASSERT(ainfo != NULL);
126 	bzero(ainfo, sizeof (auditinfo_addr_t));
127 	ainfo->ai_auid = AU_NOAUDITID;
128 
129 	/* fabricate an empty audit_path to extend */
130 	apempty.audp_cnt = 0;
131 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
132 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
133 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
134 	au_pathhold(pad0->pad_root);
135 	pad0->pad_cwd = pad0->pad_root;
136 
137 	/*
138 	 * setup environment for asynchronous auditing. We can't use
139 	 * audit_async_start() here since it assumes the audit system
140 	 * has been started via auditd(1m). auditd sets the variable,
141 	 * auk_auditstate, to indicate audit record generation should
142 	 * commence. Here we want to always generate an audit record.
143 	 */
144 	if (setjmp(&jb)) {
145 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
146 		audit_async_drop((caddr_t *)(&rp), 0);
147 		return;
148 	}
149 
150 	ASSERT(tad0->tad_errjmp == NULL);
151 	tad0->tad_errjmp = (void *)&jb;
152 	tad0->tad_ctrl |= PAD_ERRJMP;
153 
154 	/* generate a system-booted audit record */
155 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
156 
157 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL);
158 }
159 
160 void
161 audit_free()
162 {
163 }
164 
165 /*
166  * Check for any pending changes to the audit context for the given proc.
167  * p_crlock and pad_lock for the process are acquired here. Caller is
168  * responsible for assuring the process doesn't go away. If context is
169  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
170  * If no cred is given, it will be cralloc'ed here and caller assures that
171  * it is safe to allocate memory.
172  */
173 void
174 audit_update_context(proc_t *p, cred_t *ncr)
175 {
176 	struct p_audit_data *pad;
177 	cred_t	*newcred = ncr;
178 
179 	pad = P2A(p);
180 	if (pad == NULL) {
181 		if (newcred != NULL)
182 			crfree(newcred);
183 		return;
184 	}
185 
186 	/* If a mask update is pending, take care of it. */
187 	if (pad->pad_flags & PAD_SETMASK) {
188 		auditinfo_addr_t *ainfo;
189 
190 		if (newcred == NULL)
191 			newcred = cralloc();
192 
193 		mutex_enter(&pad->pad_lock);
194 		/* the condition may have been handled by the time we lock */
195 		if (pad->pad_flags & PAD_SETMASK) {
196 			ainfo = crgetauinfo_modifiable(newcred);
197 			if (ainfo == NULL) {
198 				mutex_enter(&pad->pad_lock);
199 				crfree(newcred);
200 				return;
201 			}
202 
203 			mutex_enter(&p->p_crlock);
204 			crcopy_to(p->p_cred, newcred);
205 			p->p_cred = newcred;
206 
207 			ainfo->ai_mask = pad->pad_newmask;
208 
209 			/* Unlock and cleanup. */
210 			mutex_exit(&p->p_crlock);
211 			pad->pad_flags &= ~PAD_SETMASK;
212 
213 			/*
214 			 * For curproc, assure that our thread points to right
215 			 * cred, so CRED() will be correct. Otherwise, no need
216 			 * to broadcast changes (via set_proc_pre_sys), since
217 			 * t_pre_sys is ALWAYS on when audit is enabled... due
218 			 * to syscall auditing.
219 			 */
220 			if (p == curproc)
221 				crset(p, newcred);
222 			else
223 				crfree(newcred);
224 		} else {
225 			crfree(newcred);
226 		}
227 		mutex_exit(&pad->pad_lock);
228 	} else {
229 		if (newcred != NULL)
230 			crfree(newcred);
231 	}
232 }
233 
234 
235 /*
236  * Enter system call. Do any necessary setup here. allocate resouces, etc.
237  */
238 
239 #include <sys/syscall.h>
240 
241 
242 /*ARGSUSED*/
243 int
244 audit_start(
245 	unsigned type,
246 	unsigned scid,
247 	int error,
248 	klwp_t *lwp)
249 {
250 	int			ctrl;
251 	au_event_t		event;
252 	au_state_t		estate;
253 	struct t_audit_data	*tad;
254 	au_kcontext_t		*kctx;
255 
256 	tad = U2A(u);
257 	ASSERT(tad != NULL);
258 
259 	if (error) {
260 		tad->tad_ctrl = 0;
261 		tad->tad_flag = 0;
262 		return (0);
263 	}
264 
265 	audit_update_context(curproc, NULL);
266 
267 	/*
268 	 * if this is an indirect system call then don't do anything.
269 	 * audit_start will be called again from indir() in trap.c
270 	 */
271 	if (scid == 0) {
272 		tad->tad_ctrl = 0;
273 		tad->tad_flag = 0;
274 		return (0);
275 	}
276 	if (scid >= num_syscall)
277 		scid = 0;
278 
279 	/* we can no longer ber guarantied a valid lwp_ap */
280 	/* so we need to force it valid a lot of stuff needs it */
281 	(void) save_syscall_args();
282 
283 	/* get control information */
284 	ctrl  = audit_s2e[scid].au_ctrl;
285 
286 	/*
287 	 * We need to gather paths for certain system calls even if they are
288 	 * not audited so that we can audit the various f* calls and be
289 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
290 	 * system call regardless if the call is audited or not.
291 	 * We allow the au_init() routine to adjust the tad_ctrl.
292 	 */
293 	tad->tad_ctrl   = ctrl;
294 	tad->tad_scid   = scid;
295 
296 	/* get basic event for system call */
297 	event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event);
298 
299 	kctx = SET_KCTX_PZ;
300 	if (kctx == NULL) {
301 		zone_status_t zstate = zone_status_get(curproc->p_zone);
302 		ASSERT(zstate != ZONE_IS_READY);
303 		return (0);
304 	}
305 
306 	estate = kctx->auk_ets[event];
307 
308 	/* now do preselection. Audit or not to Audit, that is the question */
309 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) {
310 		/*
311 		 * we assume that audit_finish will always be called.
312 		 */
313 		return (0);
314 	}
315 
316 	/*
317 	 * if auditing not enabled, then don't generate an audit record
318 	 * and don't count it.
319 	 */
320 	if ((kctx->auk_auditstate != AUC_AUDITING &&
321 	    kctx->auk_auditstate != AUC_INIT_AUDIT)) {
322 		/*
323 		 * we assume that audit_finish will always be called.
324 		 */
325 		tad->tad_flag = 0;
326 		return (0);
327 	}
328 
329 	/*
330 	 * audit daemon has informed us that there is no longer any
331 	 * space left to hold audit records. We decide here if records
332 	 * should be dropped (but counted).
333 	 */
334 	if (kctx->auk_auditstate == AUC_NOSPACE) {
335 		if ((kctx->auk_policy & AUDIT_CNT) ||
336 		    (kctx->auk_policy & AUDIT_SCNT)) {
337 			/* assume that audit_finish will always be called. */
338 			tad->tad_flag = 0;
339 
340 			/* just count # of dropped audit records */
341 			AS_INC(as_dropped, 1, kctx);
342 
343 			return (0);
344 		}
345 	}
346 
347 	tad->tad_event  = event;
348 	tad->tad_evmod  = 0;
349 
350 	(*audit_s2e[scid].au_start)(tad);
351 
352 	return (0);
353 }
354 
355 /*
356  * system call has completed. Now determine if we genearate an audit record
357  * or not.
358  */
359 /*ARGSUSED*/
360 void
361 audit_finish(
362 	unsigned type,
363 	unsigned scid,
364 	int error,
365 	rval_t *rval)
366 {
367 	struct t_audit_data *tad;
368 	int	flag;
369 	au_defer_info_t	*attr;
370 	au_kcontext_t *kctx = SET_KCTX_PZ;
371 
372 	if (kctx == NULL) {
373 		zone_status_t zstate = zone_status_get(curproc->p_zone);
374 		ASSERT(zstate != ZONE_IS_READY);
375 		return;
376 	}
377 
378 	tad = U2A(u);
379 
380 	/*
381 	 * Process all deferred events first.
382 	 */
383 	attr = tad->tad_defer_head;
384 	while (attr != NULL) {
385 		au_defer_info_t	*tmp_attr = attr;
386 
387 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
388 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
389 
390 		attr = attr->audi_next;
391 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
392 	}
393 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
394 
395 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
396 		/*
397 		 * clear the ctrl flag so that we don't have spurious
398 		 * collection of audit information.
399 		 */
400 		tad->tad_scid  = 0;
401 		tad->tad_event = 0;
402 		tad->tad_evmod = 0;
403 		tad->tad_ctrl  = 0;
404 		ASSERT(tad->tad_aupath == NULL);
405 		return;
406 	}
407 
408 	scid = tad->tad_scid;
409 
410 	/*
411 	 * Perform any extra processing and determine if we are
412 	 * really going to generate any audit record.
413 	 */
414 	(*audit_s2e[scid].au_finish)(tad, error, rval);
415 	if (tad->tad_flag) {
416 		tad->tad_flag = 0;
417 
418 		if (flag = audit_success(kctx, tad, error)) {
419 			unsigned int sy_flags;
420 			cred_t *cr = CRED();
421 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
422 
423 			ASSERT(ainfo != NULL);
424 
425 			/* Add a subject token */
426 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo);
427 
428 			/* Add an optional group token */
429 			AUDIT_SETGROUP(&(u_ad), cr, kctx);
430 
431 			/* Add token for process SL */
432 			if (is_system_labeled())
433 				au_write(&(u_ad), au_to_label(CR_SL(cr)));
434 
435 			if (tad->tad_evmod & PAD_SPRIVUSE)
436 				au_write(&(u_ad),
437 					au_to_privset("", &tad->tad_sprivs,
438 					    AUT_UPRIV, 1));
439 
440 			if (tad->tad_evmod & PAD_FPRIVUSE)
441 				au_write(&(u_ad),
442 					au_to_privset("", &tad->tad_fprivs,
443 					    AUT_UPRIV, 0));
444 
445 			/* Add a return token */
446 #ifdef _SYSCALL32_IMPL
447 			if (lwp_getdatamodel(
448 				ttolwp(curthread)) == DATAMODEL_NATIVE)
449 			    sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
450 			else
451 			    sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
452 #else
453 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
454 #endif
455 
456 			if (sy_flags == SE_32RVAL1) {
457 			    if (type == 0) {
458 				au_write(&(u_ad), au_to_return32(error, 0));
459 			    } else {
460 				au_write(&(u_ad), au_to_return32(error,
461 								rval->r_val1));
462 			    }
463 			}
464 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
465 			    if (type == 0) {
466 				au_write(&(u_ad), au_to_return32(error, 0));
467 			    } else {
468 				au_write(&(u_ad), au_to_return32(error,
469 								rval->r_val1));
470 #ifdef NOTYET	/* for possible future support */
471 				au_write(&(u_ad), au_to_return32(error,
472 								rval->r_val2));
473 #endif
474 			    }
475 			}
476 			if (sy_flags == SE_64RVAL) {
477 			    if (type == 0) {
478 				au_write(&(u_ad), au_to_return64(error, 0));
479 			    } else {
480 				au_write(&(u_ad), au_to_return64(error,
481 								rval->r_vals));
482 			    }
483 			}
484 
485 			AS_INC(as_generated, 1, kctx);
486 			AS_INC(as_kernel, 1, kctx);
487 		}
488 
489 		/* Close up everything */
490 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
491 	}
492 
493 	ASSERT(u_ad == NULL);
494 
495 	/* free up any space remaining with the path's */
496 	if (tad->tad_aupath != NULL) {
497 		au_pathrele(tad->tad_aupath);
498 		tad->tad_aupath = NULL;
499 		tad->tad_vn = NULL;
500 	}
501 
502 	/* free up any space remaining with openat path's */
503 	if (tad->tad_atpath) {
504 		au_pathrele(tad->tad_atpath);
505 		tad->tad_atpath = NULL;
506 	}
507 
508 	/*
509 	 * clear the ctrl flag so that we don't have spurious collection of
510 	 * audit information.
511 	 */
512 	tad->tad_scid  = 0;
513 	tad->tad_event = 0;
514 	tad->tad_evmod = 0;
515 	tad->tad_ctrl  = 0;
516 }
517 
518 int
519 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error)
520 {
521 	au_state_t ess;
522 	au_state_t esf;
523 	au_mask_t amask;
524 	const auditinfo_addr_t *ainfo;
525 
526 	ess = esf = kctx->auk_ets[tad->tad_event];
527 
528 	if (error)
529 		tad->tad_evmod |= PAD_FAILURE;
530 
531 	/* see if we really want to generate an audit record */
532 	if (tad->tad_ctrl & PAD_NOAUDIT)
533 		return (0);
534 
535 	/*
536 	 * nfs operation and we're auditing privilege or MAC. This
537 	 * is so we have a client audit record to match a nfs server
538 	 * audit record.
539 	 */
540 	if (tad->tad_ctrl & PAD_AUDITME)
541 		return (AU_OK);
542 
543 	ainfo = crgetauinfo(CRED());
544 	if (ainfo == NULL)
545 		return (0);
546 	amask = ainfo->ai_mask;
547 
548 	if (error == 0)
549 		return ((ess & amask.as_success) ? AU_OK : 0);
550 	else
551 		return ((esf & amask.as_failure) ? AU_OK : 0);
552 }
553 
554 /*
555  * determine if we've preselected this event (system call).
556  */
557 int
558 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
559 {
560 	int flag = 0;
561 	au_mask_t amask;
562 	const auditinfo_addr_t *ainfo;
563 
564 	ainfo = crgetauinfo(CRED());
565 	if (ainfo == NULL)
566 		return (0);
567 	amask = ainfo->ai_mask;
568 
569 		/* preselected system call */
570 
571 	if (amask.as_success & estate || amask.as_failure & estate) {
572 		flag = 1;
573 	} else if ((tad->tad_scid == SYS_putmsg) ||
574 		(tad->tad_scid == SYS_getmsg)) {
575 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
576 			kctx->auk_ets[AUE_SOCKACCEPT]	|
577 			kctx->auk_ets[AUE_SOCKSEND]		|
578 			kctx->auk_ets[AUE_SOCKRECEIVE];
579 		if (amask.as_success & estate || amask.as_failure & estate)
580 			flag = 1;
581 	}
582 
583 	return (flag);
584 }
585