xref: /illumos-gate/usr/src/uts/common/c2/audit_start.c (revision 334edc4840d12dfd25a5559468cdd15a375cd111)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file contains the envelope code for system call auditing.
30  */
31 
32 #include <sys/param.h>
33 #include <sys/types.h>
34 #include <sys/time.h>
35 #include <sys/kmem.h>
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/file.h>
39 #include <sys/user.h>
40 #include <sys/stropts.h>
41 #include <sys/systm.h>
42 #include <sys/pathname.h>
43 #include <sys/debug.h>
44 #include <sys/cred_impl.h>
45 #include <sys/zone.h>
46 #include <c2/audit.h>
47 #include <c2/audit_kernel.h>
48 #include <c2/audit_kevents.h>
49 #include <c2/audit_record.h>
50 #include "audit_door_infc.h"
51 
52 extern uint_t num_syscall;		/* size of audit_s2e table */
53 extern kmutex_t pidlock;		/* proc table lock */
54 
55 int audit_load = 0;	/* set from /etc/system */
56 
57 struct p_audit_data *pad0;
58 struct t_audit_data *tad0;
59 
60 /*
61  * Das Boot. Initialize first process. Also generate an audit record indicating
62  * that the system has been booted.
63  */
64 void
65 audit_init()
66 {
67 	kthread_t *au_thread;
68 	token_t *rp = NULL;
69 	label_t jb;
70 	struct audit_path apempty;
71 	auditinfo_addr_t *ainfo;
72 
73 	if (audit_load == 0) {
74 		audit_active = 0;
75 		au_auditstate = AUC_DISABLED;
76 		return;
77 #ifdef DEBUG
78 	} else if (audit_load == 2) {
79 		debug_enter((char *)NULL);
80 #endif
81 	}
82 
83 	audit_active = 1;
84 	set_all_proc_sys();		/* set pre- and post-syscall flags */
85 
86 	/* initialize memory allocators */
87 	au_mem_init();
88 
89 	au_zone_setup();
90 
91 	/* inital thread structure */
92 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
93 
94 	/* initial process structure */
95 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
96 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
97 
98 	T2A(curthread) = tad0;
99 	P2A(curproc) = pad0;
100 
101 	/*
102 	 * The kernel allocates a bunch of threads make sure they have
103 	 * a valid tad
104 	 */
105 
106 	mutex_enter(&pidlock);
107 
108 	au_thread = curthread;
109 	do {
110 		if (T2A(au_thread) == NULL) {
111 			T2A(au_thread) = tad0;
112 		}
113 		au_thread = au_thread->t_next;
114 	} while (au_thread != curthread);
115 
116 	tad0->tad_ad   = NULL;
117 	mutex_exit(&pidlock);
118 
119 	/*
120 	 * Initialize audit context in our cred (kcred).
121 	 * No copy-on-write needed here because it's so early in init.
122 	 */
123 	ainfo = crgetauinfo_modifiable(kcred);
124 	ASSERT(ainfo != NULL);
125 	bzero(ainfo, sizeof (auditinfo_addr_t));
126 	ainfo->ai_auid = AU_NOAUDITID;
127 
128 	/* fabricate an empty audit_path to extend */
129 	apempty.audp_cnt = 0;
130 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
131 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
132 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
133 	au_pathhold(pad0->pad_root);
134 	pad0->pad_cwd = pad0->pad_root;
135 
136 	/*
137 	 * setup environment for asynchronous auditing. We can't use
138 	 * audit_async_start() here since it assumes the audit system
139 	 * has been started via auditd(1m). auditd sets the variable,
140 	 * auk_auditstate, to indicate audit record generation should
141 	 * commence. Here we want to always generate an audit record.
142 	 */
143 	if (setjmp(&jb)) {
144 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
145 		audit_async_drop((caddr_t *)(&rp), 0);
146 		return;
147 	}
148 
149 	ASSERT(tad0->tad_errjmp == NULL);
150 	tad0->tad_errjmp = (void *)&jb;
151 	tad0->tad_ctrl |= PAD_ERRJMP;
152 
153 	/* generate a system-booted audit record */
154 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
155 
156 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL);
157 }
158 
159 void
160 audit_free()
161 {
162 }
163 
164 /*
165  * Check for any pending changes to the audit context for the given proc.
166  * p_crlock and pad_lock for the process are acquired here. Caller is
167  * responsible for assuring the process doesn't go away. If context is
168  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
169  * If no cred is given, it will be cralloc'ed here and caller assures that
170  * it is safe to allocate memory.
171  */
172 void
173 audit_update_context(proc_t *p, cred_t *ncr)
174 {
175 	struct p_audit_data *pad;
176 	cred_t	*newcred = ncr;
177 
178 	pad = P2A(p);
179 	if (pad == NULL) {
180 		if (newcred != NULL)
181 			crfree(newcred);
182 		return;
183 	}
184 
185 	/* If a mask update is pending, take care of it. */
186 	if (pad->pad_flags & PAD_SETMASK) {
187 		auditinfo_addr_t *ainfo;
188 
189 		if (newcred == NULL)
190 			newcred = cralloc();
191 
192 		mutex_enter(&pad->pad_lock);
193 		/* the condition may have been handled by the time we lock */
194 		if (pad->pad_flags & PAD_SETMASK) {
195 			ainfo = crgetauinfo_modifiable(newcred);
196 			if (ainfo == NULL) {
197 				mutex_enter(&pad->pad_lock);
198 				crfree(newcred);
199 				return;
200 			}
201 
202 			mutex_enter(&p->p_crlock);
203 			crcopy_to(p->p_cred, newcred);
204 			p->p_cred = newcred;
205 
206 			ainfo->ai_mask = pad->pad_newmask;
207 
208 			/* Unlock and cleanup. */
209 			mutex_exit(&p->p_crlock);
210 			pad->pad_flags &= ~PAD_SETMASK;
211 
212 			/*
213 			 * For curproc, assure that our thread points to right
214 			 * cred, so CRED() will be correct. Otherwise, no need
215 			 * to broadcast changes (via set_proc_pre_sys), since
216 			 * t_pre_sys is ALWAYS on when audit is enabled... due
217 			 * to syscall auditing.
218 			 */
219 			if (p == curproc)
220 				crset(p, newcred);
221 			else
222 				crfree(newcred);
223 		} else {
224 			crfree(newcred);
225 		}
226 		mutex_exit(&pad->pad_lock);
227 	} else {
228 		if (newcred != NULL)
229 			crfree(newcred);
230 	}
231 }
232 
233 
234 /*
235  * Enter system call. Do any necessary setup here. allocate resouces, etc.
236  */
237 
238 #include <sys/syscall.h>
239 
240 
241 /*ARGSUSED*/
242 int
243 audit_start(
244 	unsigned type,
245 	unsigned scid,
246 	int error,
247 	klwp_t *lwp)
248 {
249 	struct t_audit_data	*tad;
250 	au_kcontext_t		*kctx;
251 
252 	tad = U2A(u);
253 	ASSERT(tad != NULL);
254 
255 	if (error) {
256 		tad->tad_ctrl = 0;
257 		tad->tad_flag = 0;
258 		return (0);
259 	}
260 
261 	audit_update_context(curproc, NULL);
262 
263 	/*
264 	 * if this is an indirect system call then don't do anything.
265 	 * audit_start will be called again from indir() in trap.c
266 	 */
267 	if (scid == 0) {
268 		tad->tad_ctrl = 0;
269 		tad->tad_flag = 0;
270 		return (0);
271 	}
272 	if (scid >= num_syscall)
273 		scid = 0;
274 
275 	/*
276 	 * we can no longer depend on a valid lwp_ap, so we need to
277 	 * copy the syscall args as future audit stuff may need them.
278 	 */
279 	(void) save_syscall_args();
280 
281 	/*
282 	 * We need to gather paths for certain system calls even if they are
283 	 * not audited so that we can audit the various f* calls and be
284 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
285 	 * system call regardless if the call is audited or not.
286 	 * We allow the event specific initial processing routines (au_init)
287 	 * to adjust the tad_ctrl as necessary.
288 	 */
289 	tad->tad_ctrl   = audit_s2e[scid].au_ctrl;
290 	tad->tad_scid   = scid;
291 
292 	/* get basic event for system call */
293 	tad->tad_event = audit_s2e[scid].au_event;
294 	if (audit_s2e[scid].au_init != NULL) {
295 		/* get specific event */
296 		tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event);
297 	}
298 
299 	kctx = GET_KCTX_PZ;
300 
301 	/* now do preselection. Audit or not to Audit, that is the question */
302 	if ((tad->tad_flag = auditme(kctx, tad,
303 	    kctx->auk_ets[tad->tad_event])) == 0) {
304 		/*
305 		 * we assume that audit_finish will always be called.
306 		 */
307 		return (0);
308 	}
309 
310 	/*
311 	 * if auditing not enabled, then don't generate an audit record
312 	 * and don't count it.
313 	 */
314 	if ((kctx->auk_auditstate != AUC_AUDITING &&
315 	    kctx->auk_auditstate != AUC_INIT_AUDIT)) {
316 		/*
317 		 * we assume that audit_finish will always be called.
318 		 */
319 		tad->tad_flag = 0;
320 		return (0);
321 	}
322 
323 	/*
324 	 * audit daemon has informed us that there is no longer any
325 	 * space left to hold audit records. We decide here if records
326 	 * should be dropped (but counted).
327 	 */
328 	if (kctx->auk_auditstate == AUC_NOSPACE) {
329 		if ((kctx->auk_policy & AUDIT_CNT) ||
330 		    (kctx->auk_policy & AUDIT_SCNT)) {
331 			/* assume that audit_finish will always be called. */
332 			tad->tad_flag = 0;
333 
334 			/* just count # of dropped audit records */
335 			AS_INC(as_dropped, 1, kctx);
336 
337 			return (0);
338 		}
339 	}
340 
341 	tad->tad_evmod  = 0;
342 
343 	if (audit_s2e[scid].au_start != NULL) {
344 		/* do start of system call processing */
345 		(*audit_s2e[scid].au_start)(tad);
346 	}
347 
348 	return (0);
349 }
350 
351 /*
352  * system call has completed. Now determine if we genearate an audit record
353  * or not.
354  */
355 /*ARGSUSED*/
356 void
357 audit_finish(
358 	unsigned type,
359 	unsigned scid,
360 	int error,
361 	rval_t *rval)
362 {
363 	struct t_audit_data *tad;
364 	int	flag;
365 	au_defer_info_t	*attr;
366 	au_kcontext_t *kctx = GET_KCTX_PZ;
367 
368 	tad = U2A(u);
369 
370 	/*
371 	 * Process all deferred events first.
372 	 */
373 	attr = tad->tad_defer_head;
374 	while (attr != NULL) {
375 		au_defer_info_t	*tmp_attr = attr;
376 
377 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
378 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
379 
380 		attr = attr->audi_next;
381 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
382 	}
383 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
384 
385 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
386 		/*
387 		 * clear the ctrl flag so that we don't have spurious
388 		 * collection of audit information.
389 		 */
390 		tad->tad_scid  = 0;
391 		tad->tad_event = 0;
392 		tad->tad_evmod = 0;
393 		tad->tad_ctrl  = 0;
394 		ASSERT(tad->tad_aupath == NULL);
395 		return;
396 	}
397 
398 	scid = tad->tad_scid;
399 
400 	/*
401 	 * Perform any extra processing and determine if we are
402 	 * really going to generate any audit record.
403 	 */
404 	if (audit_s2e[scid].au_finish != NULL) {
405 		/* do any post system call processing */
406 		(*audit_s2e[scid].au_finish)(tad, error, rval);
407 	}
408 	if (tad->tad_flag) {
409 		tad->tad_flag = 0;
410 
411 		if (flag = audit_success(kctx, tad, error, NULL)) {
412 			unsigned int sy_flags;
413 			cred_t *cr = CRED();
414 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
415 
416 			ASSERT(ainfo != NULL);
417 
418 			/* Add subject information */
419 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
420 
421 			if (tad->tad_evmod & PAD_SPRIVUSE) {
422 				au_write(&(u_ad),
423 				    au_to_privset("", &tad->tad_sprivs,
424 				    AUT_UPRIV, 1));
425 			}
426 
427 			if (tad->tad_evmod & PAD_FPRIVUSE) {
428 				au_write(&(u_ad),
429 				    au_to_privset("", &tad->tad_fprivs,
430 				    AUT_UPRIV, 0));
431 			}
432 
433 			/* Add a return token */
434 #ifdef	_SYSCALL32_IMPL
435 			if (lwp_getdatamodel(ttolwp(curthread)) ==
436 			    DATAMODEL_NATIVE) {
437 				sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
438 			} else {
439 				sy_flags =
440 				    sysent32[scid].sy_flags & SE_RVAL_MASK;
441 			}
442 #else	/* _SYSCALL64_IMPL */
443 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
444 #endif   /* _SYSCALL32_IMPL */
445 
446 			if (sy_flags == SE_32RVAL1) {
447 				if (type == 0) {
448 					au_write(&(u_ad),
449 					    au_to_return32(error, 0));
450 				} else {
451 					au_write(&(u_ad), au_to_return32(error,
452 					    rval->r_val1));
453 				}
454 			}
455 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
456 				if (type == 0) {
457 					au_write(&(u_ad),
458 					    au_to_return32(error, 0));
459 				} else {
460 					au_write(&(u_ad),
461 					    au_to_return32(error,
462 					    rval->r_val1));
463 #ifdef NOTYET	/* for possible future support */
464 					au_write(&(u_ad), au_to_return32(error,
465 					    rval->r_val2));
466 #endif
467 				}
468 			}
469 			if (sy_flags == SE_64RVAL) {
470 				if (type == 0) {
471 					au_write(&(u_ad),
472 					    au_to_return64(error, 0));
473 				} else {
474 					au_write(&(u_ad), au_to_return64(error,
475 					    rval->r_vals));
476 				}
477 			}
478 
479 			AS_INC(as_generated, 1, kctx);
480 			AS_INC(as_kernel, 1, kctx);
481 		}
482 
483 		/* Close up everything */
484 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
485 	}
486 
487 	ASSERT(u_ad == NULL);
488 
489 	/* free up any space remaining with the path's */
490 	if (tad->tad_aupath != NULL) {
491 		au_pathrele(tad->tad_aupath);
492 		tad->tad_aupath = NULL;
493 		tad->tad_vn = NULL;
494 	}
495 
496 	/* free up any space remaining with openat path's */
497 	if (tad->tad_atpath) {
498 		au_pathrele(tad->tad_atpath);
499 		tad->tad_atpath = NULL;
500 	}
501 
502 	/*
503 	 * clear the ctrl flag so that we don't have spurious collection of
504 	 * audit information.
505 	 */
506 	tad->tad_scid  = 0;
507 	tad->tad_event = 0;
508 	tad->tad_evmod = 0;
509 	tad->tad_ctrl  = 0;
510 }
511 
512 int
513 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
514     cred_t *cr)
515 {
516 	au_state_t ess;
517 	au_state_t esf;
518 	au_mask_t amask;
519 	const auditinfo_addr_t *ainfo;
520 
521 	ess = esf = kctx->auk_ets[tad->tad_event];
522 
523 	if (error)
524 		tad->tad_evmod |= PAD_FAILURE;
525 
526 	/* see if we really want to generate an audit record */
527 	if (tad->tad_ctrl & PAD_NOAUDIT)
528 		return (0);
529 
530 	/*
531 	 * nfs operation and we're auditing privilege or MAC. This
532 	 * is so we have a client audit record to match a nfs server
533 	 * audit record.
534 	 */
535 	if (tad->tad_ctrl & PAD_AUDITME)
536 		return (AU_OK);
537 
538 	/*
539 	 * Used passed cred if available, otherwise use cred from kernel thread
540 	 */
541 	if (cr == NULL)
542 		cr = CRED();
543 	ainfo = crgetauinfo(cr);
544 	if (ainfo == NULL)
545 		return (0);
546 	amask = ainfo->ai_mask;
547 
548 	if (error == 0)
549 		return ((ess & amask.as_success) ? AU_OK : 0);
550 	else
551 		return ((esf & amask.as_failure) ? AU_OK : 0);
552 }
553 
554 /*
555  * determine if we've preselected this event (system call).
556  */
557 int
558 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
559 {
560 	int flag = 0;
561 	au_mask_t amask;
562 	const auditinfo_addr_t *ainfo;
563 
564 	ainfo = crgetauinfo(CRED());
565 	if (ainfo == NULL)
566 		return (0);
567 	amask = ainfo->ai_mask;
568 
569 		/* preselected system call */
570 
571 	if (amask.as_success & estate || amask.as_failure & estate) {
572 		flag = 1;
573 	} else if ((tad->tad_scid == SYS_putmsg) ||
574 	    (tad->tad_scid == SYS_getmsg)) {
575 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
576 		    kctx->auk_ets[AUE_SOCKACCEPT]	|
577 		    kctx->auk_ets[AUE_SOCKSEND]		|
578 		    kctx->auk_ets[AUE_SOCKRECEIVE];
579 		if (amask.as_success & estate || amask.as_failure & estate)
580 			flag = 1;
581 	}
582 
583 	return (flag);
584 }
585