1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the envelope code for system call auditing. 30 */ 31 32 #include <sys/param.h> 33 #include <sys/types.h> 34 #include <sys/time.h> 35 #include <sys/kmem.h> 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/file.h> 39 #include <sys/user.h> 40 #include <sys/stropts.h> 41 #include <sys/systm.h> 42 #include <sys/pathname.h> 43 #include <sys/debug.h> 44 #include <sys/cred_impl.h> 45 #include <sys/zone.h> 46 #include <sys/tsol/label.h> 47 #include <c2/audit.h> 48 #include <c2/audit_kernel.h> 49 #include <c2/audit_kevents.h> 50 #include <c2/audit_record.h> 51 #include "audit_door_infc.h" 52 53 extern uint_t num_syscall; /* size of audit_s2e table */ 54 extern kmutex_t pidlock; /* proc table lock */ 55 56 int audit_load = 0; /* set from /etc/system */ 57 58 struct p_audit_data *pad0; 59 struct t_audit_data *tad0; 60 61 /* 62 * Das Boot. Initialize first process. Also generate an audit record indicating 63 * that the system has been booted. 64 */ 65 void 66 audit_init() 67 { 68 kthread_t *au_thread; 69 token_t *rp = NULL; 70 label_t jb; 71 struct audit_path apempty; 72 auditinfo_addr_t *ainfo; 73 74 if (audit_load == 0) { 75 audit_active = 0; 76 au_auditstate = AUC_DISABLED; 77 return; 78 #ifdef DEBUG 79 } else if (audit_load == 2) { 80 debug_enter((char *)NULL); 81 #endif 82 } 83 84 audit_active = 1; 85 set_all_proc_sys(); /* set pre- and post-syscall flags */ 86 87 /* initialize memory allocators */ 88 au_mem_init(); 89 90 au_zone_setup(); 91 92 /* inital thread structure */ 93 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 94 95 /* initial process structure */ 96 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 97 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 98 99 T2A(curthread) = tad0; 100 P2A(curproc) = pad0; 101 102 /* 103 * The kernel allocates a bunch of threads make sure they have 104 * a valid tad 105 */ 106 107 mutex_enter(&pidlock); 108 109 au_thread = curthread; 110 do { 111 if (T2A(au_thread) == NULL) { 112 T2A(au_thread) = tad0; 113 } 114 au_thread = au_thread->t_next; 115 } while (au_thread != curthread); 116 117 tad0->tad_ad = NULL; 118 mutex_exit(&pidlock); 119 120 /* 121 * Initialize audit context in our cred (kcred). 122 * No copy-on-write needed here because it's so early in init. 123 */ 124 ainfo = crgetauinfo_modifiable(kcred); 125 ASSERT(ainfo != NULL); 126 bzero(ainfo, sizeof (auditinfo_addr_t)); 127 ainfo->ai_auid = AU_NOAUDITID; 128 129 /* fabricate an empty audit_path to extend */ 130 apempty.audp_cnt = 0; 131 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 132 pad0->pad_root = au_pathdup(&apempty, 1, 2); 133 bcopy("/", pad0->pad_root->audp_sect[0], 2); 134 au_pathhold(pad0->pad_root); 135 pad0->pad_cwd = pad0->pad_root; 136 137 /* 138 * setup environment for asynchronous auditing. We can't use 139 * audit_async_start() here since it assumes the audit system 140 * has been started via auditd(1m). auditd sets the variable, 141 * auk_auditstate, to indicate audit record generation should 142 * commence. Here we want to always generate an audit record. 143 */ 144 if (setjmp(&jb)) { 145 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 146 audit_async_drop((caddr_t *)(&rp), 0); 147 return; 148 } 149 150 ASSERT(tad0->tad_errjmp == NULL); 151 tad0->tad_errjmp = (void *)&jb; 152 tad0->tad_ctrl |= PAD_ERRJMP; 153 154 /* generate a system-booted audit record */ 155 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 156 157 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL); 158 } 159 160 void 161 audit_free() 162 { 163 } 164 165 /* 166 * Check for any pending changes to the audit context for the given proc. 167 * p_crlock and pad_lock for the process are acquired here. Caller is 168 * responsible for assuring the process doesn't go away. If context is 169 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 170 * If no cred is given, it will be cralloc'ed here and caller assures that 171 * it is safe to allocate memory. 172 */ 173 void 174 audit_update_context(proc_t *p, cred_t *ncr) 175 { 176 struct p_audit_data *pad; 177 cred_t *newcred = ncr; 178 179 pad = P2A(p); 180 if (pad == NULL) { 181 if (newcred != NULL) 182 crfree(newcred); 183 return; 184 } 185 186 /* If a mask update is pending, take care of it. */ 187 if (pad->pad_flags & PAD_SETMASK) { 188 auditinfo_addr_t *ainfo; 189 190 if (newcred == NULL) 191 newcred = cralloc(); 192 193 mutex_enter(&pad->pad_lock); 194 /* the condition may have been handled by the time we lock */ 195 if (pad->pad_flags & PAD_SETMASK) { 196 ainfo = crgetauinfo_modifiable(newcred); 197 if (ainfo == NULL) { 198 mutex_enter(&pad->pad_lock); 199 crfree(newcred); 200 return; 201 } 202 203 mutex_enter(&p->p_crlock); 204 crcopy_to(p->p_cred, newcred); 205 p->p_cred = newcred; 206 207 ainfo->ai_mask = pad->pad_newmask; 208 209 /* Unlock and cleanup. */ 210 mutex_exit(&p->p_crlock); 211 pad->pad_flags &= ~PAD_SETMASK; 212 213 /* 214 * For curproc, assure that our thread points to right 215 * cred, so CRED() will be correct. Otherwise, no need 216 * to broadcast changes (via set_proc_pre_sys), since 217 * t_pre_sys is ALWAYS on when audit is enabled... due 218 * to syscall auditing. 219 */ 220 if (p == curproc) 221 crset(p, newcred); 222 else 223 crfree(newcred); 224 } else { 225 crfree(newcred); 226 } 227 mutex_exit(&pad->pad_lock); 228 } else { 229 if (newcred != NULL) 230 crfree(newcred); 231 } 232 } 233 234 235 /* 236 * Enter system call. Do any necessary setup here. allocate resouces, etc. 237 */ 238 239 #include <sys/syscall.h> 240 241 242 /*ARGSUSED*/ 243 int 244 audit_start( 245 unsigned type, 246 unsigned scid, 247 int error, 248 klwp_t *lwp) 249 { 250 int ctrl; 251 au_event_t event; 252 au_state_t estate; 253 struct t_audit_data *tad; 254 au_kcontext_t *kctx; 255 256 tad = U2A(u); 257 ASSERT(tad != NULL); 258 259 if (error) { 260 tad->tad_ctrl = 0; 261 tad->tad_flag = 0; 262 return (0); 263 } 264 265 audit_update_context(curproc, NULL); 266 267 /* 268 * if this is an indirect system call then don't do anything. 269 * audit_start will be called again from indir() in trap.c 270 */ 271 if (scid == 0) { 272 tad->tad_ctrl = 0; 273 tad->tad_flag = 0; 274 return (0); 275 } 276 if (scid >= num_syscall) 277 scid = 0; 278 279 /* we can no longer ber guarantied a valid lwp_ap */ 280 /* so we need to force it valid a lot of stuff needs it */ 281 (void) save_syscall_args(); 282 283 /* get control information */ 284 ctrl = audit_s2e[scid].au_ctrl; 285 286 /* 287 * We need to gather paths for certain system calls even if they are 288 * not audited so that we can audit the various f* calls and be 289 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 290 * system call regardless if the call is audited or not. 291 * We allow the au_init() routine to adjust the tad_ctrl. 292 */ 293 tad->tad_ctrl = ctrl; 294 tad->tad_scid = scid; 295 296 /* get basic event for system call */ 297 event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event); 298 299 kctx = SET_KCTX_PZ; 300 if (kctx == NULL) { 301 zone_status_t zstate = zone_status_get(curproc->p_zone); 302 ASSERT(zstate != ZONE_IS_READY); 303 return (0); 304 } 305 306 estate = kctx->auk_ets[event]; 307 308 /* now do preselection. Audit or not to Audit, that is the question */ 309 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) { 310 /* 311 * we assume that audit_finish will always be called. 312 */ 313 return (0); 314 } 315 316 /* 317 * if auditing not enabled, then don't generate an audit record 318 * and don't count it. 319 */ 320 if ((kctx->auk_auditstate != AUC_AUDITING && 321 kctx->auk_auditstate != AUC_INIT_AUDIT)) { 322 /* 323 * we assume that audit_finish will always be called. 324 */ 325 tad->tad_flag = 0; 326 return (0); 327 } 328 329 /* 330 * audit daemon has informed us that there is no longer any 331 * space left to hold audit records. We decide here if records 332 * should be dropped (but counted). 333 */ 334 if (kctx->auk_auditstate == AUC_NOSPACE) { 335 if ((kctx->auk_policy & AUDIT_CNT) || 336 (kctx->auk_policy & AUDIT_SCNT)) { 337 /* assume that audit_finish will always be called. */ 338 tad->tad_flag = 0; 339 340 /* just count # of dropped audit records */ 341 AS_INC(as_dropped, 1, kctx); 342 343 return (0); 344 } 345 } 346 347 tad->tad_event = event; 348 tad->tad_evmod = 0; 349 350 (*audit_s2e[scid].au_start)(tad); 351 352 return (0); 353 } 354 355 /* 356 * system call has completed. Now determine if we genearate an audit record 357 * or not. 358 */ 359 /*ARGSUSED*/ 360 void 361 audit_finish( 362 unsigned type, 363 unsigned scid, 364 int error, 365 rval_t *rval) 366 { 367 struct t_audit_data *tad; 368 int flag; 369 au_defer_info_t *attr; 370 au_kcontext_t *kctx = SET_KCTX_PZ; 371 372 if (kctx == NULL) { 373 zone_status_t zstate = zone_status_get(curproc->p_zone); 374 ASSERT(zstate != ZONE_IS_READY); 375 return; 376 } 377 378 tad = U2A(u); 379 380 /* 381 * Process all deferred events first. 382 */ 383 attr = tad->tad_defer_head; 384 while (attr != NULL) { 385 au_defer_info_t *tmp_attr = attr; 386 387 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 388 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 389 390 attr = attr->audi_next; 391 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 392 } 393 tad->tad_defer_head = tad->tad_defer_tail = NULL; 394 395 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 396 /* 397 * clear the ctrl flag so that we don't have spurious 398 * collection of audit information. 399 */ 400 tad->tad_scid = 0; 401 tad->tad_event = 0; 402 tad->tad_evmod = 0; 403 tad->tad_ctrl = 0; 404 ASSERT(tad->tad_aupath == NULL); 405 return; 406 } 407 408 scid = tad->tad_scid; 409 410 /* 411 * Perform any extra processing and determine if we are 412 * really going to generate any audit record. 413 */ 414 (*audit_s2e[scid].au_finish)(tad, error, rval); 415 if (tad->tad_flag) { 416 tad->tad_flag = 0; 417 418 if (flag = audit_success(kctx, tad, error)) { 419 unsigned int sy_flags; 420 cred_t *cr = CRED(); 421 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 422 423 ASSERT(ainfo != NULL); 424 425 /* Add a subject token */ 426 AUDIT_SETSUBJ(&(u_ad), cr, ainfo); 427 428 /* Add an optional group token */ 429 AUDIT_SETGROUP(&(u_ad), cr, kctx); 430 431 /* Add token for process SL */ 432 if (is_system_labeled()) 433 au_write(&(u_ad), au_to_label(CR_SL(cr))); 434 435 if (tad->tad_evmod & PAD_SPRIVUSE) 436 au_write(&(u_ad), 437 au_to_privset("", &tad->tad_sprivs, 438 AUT_UPRIV, 1)); 439 440 if (tad->tad_evmod & PAD_FPRIVUSE) 441 au_write(&(u_ad), 442 au_to_privset("", &tad->tad_fprivs, 443 AUT_UPRIV, 0)); 444 445 /* Add a return token */ 446 #ifdef _SYSCALL32_IMPL 447 if (lwp_getdatamodel( 448 ttolwp(curthread)) == DATAMODEL_NATIVE) 449 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 450 else 451 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 452 #else 453 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 454 #endif 455 456 if (sy_flags == SE_32RVAL1) { 457 if (type == 0) { 458 au_write(&(u_ad), au_to_return32(error, 0)); 459 } else { 460 au_write(&(u_ad), au_to_return32(error, 461 rval->r_val1)); 462 } 463 } 464 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 465 if (type == 0) { 466 au_write(&(u_ad), au_to_return32(error, 0)); 467 } else { 468 au_write(&(u_ad), au_to_return32(error, 469 rval->r_val1)); 470 #ifdef NOTYET /* for possible future support */ 471 au_write(&(u_ad), au_to_return32(error, 472 rval->r_val2)); 473 #endif 474 } 475 } 476 if (sy_flags == SE_64RVAL) { 477 if (type == 0) { 478 au_write(&(u_ad), au_to_return64(error, 0)); 479 } else { 480 au_write(&(u_ad), au_to_return64(error, 481 rval->r_vals)); 482 } 483 } 484 485 AS_INC(as_generated, 1, kctx); 486 AS_INC(as_kernel, 1, kctx); 487 } 488 489 /* Close up everything */ 490 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 491 } 492 493 ASSERT(u_ad == NULL); 494 495 /* free up any space remaining with the path's */ 496 if (tad->tad_aupath != NULL) { 497 au_pathrele(tad->tad_aupath); 498 tad->tad_aupath = NULL; 499 tad->tad_vn = NULL; 500 } 501 502 /* free up any space remaining with openat path's */ 503 if (tad->tad_atpath) { 504 au_pathrele(tad->tad_atpath); 505 tad->tad_atpath = NULL; 506 } 507 508 /* 509 * clear the ctrl flag so that we don't have spurious collection of 510 * audit information. 511 */ 512 tad->tad_scid = 0; 513 tad->tad_event = 0; 514 tad->tad_evmod = 0; 515 tad->tad_ctrl = 0; 516 } 517 518 int 519 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error) 520 { 521 au_state_t ess; 522 au_state_t esf; 523 au_mask_t amask; 524 const auditinfo_addr_t *ainfo; 525 526 ess = esf = kctx->auk_ets[tad->tad_event]; 527 528 if (error) 529 tad->tad_evmod |= PAD_FAILURE; 530 531 /* see if we really want to generate an audit record */ 532 if (tad->tad_ctrl & PAD_NOAUDIT) 533 return (0); 534 535 /* 536 * nfs operation and we're auditing privilege or MAC. This 537 * is so we have a client audit record to match a nfs server 538 * audit record. 539 */ 540 if (tad->tad_ctrl & PAD_AUDITME) 541 return (AU_OK); 542 543 ainfo = crgetauinfo(CRED()); 544 if (ainfo == NULL) 545 return (0); 546 amask = ainfo->ai_mask; 547 548 if (error == 0) 549 return ((ess & amask.as_success) ? AU_OK : 0); 550 else 551 return ((esf & amask.as_failure) ? AU_OK : 0); 552 } 553 554 /* 555 * determine if we've preselected this event (system call). 556 */ 557 int 558 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 559 { 560 int flag = 0; 561 au_mask_t amask; 562 const auditinfo_addr_t *ainfo; 563 564 ainfo = crgetauinfo(CRED()); 565 if (ainfo == NULL) 566 return (0); 567 amask = ainfo->ai_mask; 568 569 /* preselected system call */ 570 571 if (amask.as_success & estate || amask.as_failure & estate) { 572 flag = 1; 573 } else if ((tad->tad_scid == SYS_putmsg) || 574 (tad->tad_scid == SYS_getmsg)) { 575 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 576 kctx->auk_ets[AUE_SOCKACCEPT] | 577 kctx->auk_ets[AUE_SOCKSEND] | 578 kctx->auk_ets[AUE_SOCKRECEIVE]; 579 if (amask.as_success & estate || amask.as_failure & estate) 580 flag = 1; 581 } 582 583 return (flag); 584 } 585