1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the envelope code for system call auditing. 27 */ 28 29 #include <sys/param.h> 30 #include <sys/types.h> 31 #include <sys/time.h> 32 #include <sys/kmem.h> 33 #include <sys/proc.h> 34 #include <sys/vnode.h> 35 #include <sys/file.h> 36 #include <sys/user.h> 37 #include <sys/stropts.h> 38 #include <sys/systm.h> 39 #include <sys/pathname.h> 40 #include <sys/debug.h> 41 #include <sys/cred.h> 42 #include <sys/zone.h> 43 #include <c2/audit.h> 44 #include <c2/audit_kernel.h> 45 #include <c2/audit_kevents.h> 46 #include <c2/audit_record.h> 47 #include "audit_door_infc.h" 48 49 extern uint_t num_syscall; /* size of audit_s2e table */ 50 extern kmutex_t pidlock; /* proc table lock */ 51 52 /* 53 * Obsolete and ignored - Historically, the 'set c2audit:audit_load=1' entry 54 * in /etc/system enabled auditing. The No Reboot Audit project does not 55 * use this entry. However, to prevent the system from printing warning 56 * messages, the audit_load entry is being left in /etc/system. It will be 57 * removed when there is a small chance that the entry is used on currently 58 * running systems. 59 */ 60 int audit_load = 0; 61 62 kmutex_t module_lock; /* audit_module_state lock */ 63 64 /* 65 * Das Boot. Initialize first process. Also generate an audit record indicating 66 * that the system has been booted. 67 */ 68 void 69 audit_init_module() 70 { 71 token_t *rp = NULL; 72 label_t jb; 73 t_audit_data_t *tad = U2A(u); 74 75 /* 76 * Solaris Auditing module is being loaded -> change the state. The lock 77 * is here to prevent memory leaks caused by multiple initializations. 78 */ 79 mutex_enter(&module_lock); 80 if (audit_active != C2AUDIT_UNLOADED) { 81 mutex_exit(&module_lock); 82 return; 83 } 84 audit_active = C2AUDIT_LOADED; 85 mutex_exit(&module_lock); 86 87 /* initialize memory allocators */ 88 au_mem_init(); 89 90 /* 91 * setup environment for asynchronous auditing. We can't use 92 * audit_async_start() here since it assumes the audit system 93 * has been started via auditd(1m). auditd sets the variable, 94 * auk_auditstate, to indicate audit record generation should 95 * commence. Here we want to always generate an audit record. 96 */ 97 if (setjmp(&jb)) { 98 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 99 audit_async_drop((caddr_t *)(&rp), 0); 100 return; 101 } 102 103 ASSERT(tad->tad_errjmp == NULL); 104 tad->tad_errjmp = (void *)&jb; 105 tad->tad_ctrl |= TAD_ERRJMP; 106 107 /* generate a system-booted audit record */ 108 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 109 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL, 110 &(p0.p_user.u_start)); 111 } 112 113 114 /* 115 * Enter system call. Do any necessary setup here. allocate resouces, etc. 116 */ 117 118 #include <sys/syscall.h> 119 120 121 /*ARGSUSED*/ 122 int 123 audit_start( 124 unsigned type, 125 unsigned scid, 126 uint32_t audit_state, 127 int error, 128 klwp_t *lwp) 129 { 130 struct t_audit_data *tad; 131 au_kcontext_t *kctx; 132 133 tad = U2A(u); 134 ASSERT(tad != NULL); 135 136 /* Remember the audit state in the cache */ 137 tad->tad_audit = audit_state; 138 139 if (error) { 140 tad->tad_ctrl = 0; 141 tad->tad_flag = 0; 142 return (0); 143 } 144 145 audit_update_context(curproc, NULL); 146 147 /* 148 * if this is an indirect system call then don't do anything. 149 * audit_start will be called again from indir() in trap.c 150 */ 151 if (scid == 0) { 152 tad->tad_ctrl = 0; 153 tad->tad_flag = 0; 154 return (0); 155 } 156 if (scid >= num_syscall) 157 scid = 0; 158 159 /* 160 * we can no longer depend on a valid lwp_ap, so we need to 161 * copy the syscall args as future audit stuff may need them. 162 */ 163 (void) save_syscall_args(); 164 165 /* 166 * We need to gather paths for certain system calls even if they are 167 * not audited so that we can audit the various f* calls and be 168 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 169 * system call regardless if the call is audited or not. 170 * We allow the event specific initial processing routines (au_init) 171 * to adjust the tad_ctrl as necessary. 172 */ 173 tad->tad_ctrl = audit_s2e[scid].au_ctrl; 174 tad->tad_scid = scid; 175 176 /* get basic event for system call */ 177 tad->tad_event = audit_s2e[scid].au_event; 178 if (audit_s2e[scid].au_init != (au_event_t (*)(au_event_t))NULL) { 179 /* get specific event */ 180 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event); 181 } 182 183 kctx = GET_KCTX_PZ; 184 185 /* now do preselection. Audit or not to Audit, that is the question */ 186 if ((tad->tad_flag = auditme(kctx, tad, 187 kctx->auk_ets[tad->tad_event])) == 0) { 188 /* 189 * we assume that audit_finish will always be called. 190 */ 191 return (0); 192 } 193 194 /* 195 * if auditing not enabled, then don't generate an audit record 196 * and don't count it. 197 */ 198 if (audit_state & ~(AUC_AUDITING | AUC_INIT_AUDIT)) { 199 /* 200 * we assume that audit_finish will always be called. 201 */ 202 tad->tad_flag = 0; 203 return (0); 204 } 205 206 /* 207 * audit daemon has informed us that there is no longer any 208 * space left to hold audit records. We decide here if records 209 * should be dropped (but counted). 210 */ 211 if (audit_state == AUC_NOSPACE) { 212 if ((kctx->auk_policy & AUDIT_CNT) || 213 (kctx->auk_policy & AUDIT_SCNT)) { 214 /* assume that audit_finish will always be called. */ 215 tad->tad_flag = 0; 216 217 /* just count # of dropped audit records */ 218 AS_INC(as_dropped, 1, kctx); 219 220 return (0); 221 } 222 } 223 224 tad->tad_evmod = 0; 225 226 if (audit_s2e[scid].au_start != NULL) { 227 /* do start of system call processing */ 228 (*audit_s2e[scid].au_start)(tad); 229 } 230 231 return (0); 232 } 233 234 /* 235 * system call has completed. Now determine if we genearate an audit record 236 * or not. 237 */ 238 /*ARGSUSED*/ 239 void 240 audit_finish( 241 unsigned type, 242 unsigned scid, 243 int error, 244 rval_t *rval) 245 { 246 struct t_audit_data *tad; 247 int flag; 248 au_defer_info_t *attr; 249 au_kcontext_t *kctx = GET_KCTX_PZ; 250 251 tad = U2A(u); 252 253 /* 254 * Process all deferred events first. 255 */ 256 attr = tad->tad_defer_head; 257 while (attr != NULL) { 258 au_defer_info_t *tmp_attr = attr; 259 260 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 261 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 262 263 attr = attr->audi_next; 264 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 265 } 266 tad->tad_defer_head = tad->tad_defer_tail = NULL; 267 268 if (tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) { 269 /* 270 * clear the ctrl flag so that we don't have spurious 271 * collection of audit information. 272 */ 273 tad->tad_scid = 0; 274 tad->tad_event = 0; 275 tad->tad_evmod = 0; 276 tad->tad_ctrl = 0; 277 tad->tad_audit = AUC_UNSET; 278 ASSERT(tad->tad_aupath == NULL); 279 return; 280 } 281 282 scid = tad->tad_scid; 283 284 /* 285 * Perform any extra processing and determine if we are 286 * really going to generate any audit record. 287 */ 288 if (audit_s2e[scid].au_finish != NULL) { 289 /* do any post system call processing */ 290 (*audit_s2e[scid].au_finish)(tad, error, rval); 291 } 292 if (tad->tad_flag) { 293 tad->tad_flag = 0; 294 295 if (flag = audit_success(kctx, tad, error, NULL)) { 296 unsigned int sy_flags; 297 cred_t *cr = CRED(); 298 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 299 300 ASSERT(ainfo != NULL); 301 302 /* Add subject information */ 303 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 304 305 if (tad->tad_evmod & PAD_SPRIVUSE) { 306 au_write(&(u_ad), 307 au_to_privset("", &tad->tad_sprivs, 308 AUT_UPRIV, 1)); 309 } 310 311 if (tad->tad_evmod & PAD_FPRIVUSE) { 312 au_write(&(u_ad), 313 au_to_privset("", &tad->tad_fprivs, 314 AUT_UPRIV, 0)); 315 } 316 317 /* Add a return token */ 318 #ifdef _SYSCALL32_IMPL 319 if (lwp_getdatamodel(ttolwp(curthread)) == 320 DATAMODEL_NATIVE) { 321 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 322 } else { 323 sy_flags = 324 sysent32[scid].sy_flags & SE_RVAL_MASK; 325 } 326 #else /* _SYSCALL64_IMPL */ 327 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 328 #endif /* _SYSCALL32_IMPL */ 329 330 if (sy_flags == SE_32RVAL1) { 331 if (type == 0) { 332 au_write(&(u_ad), 333 au_to_return32(error, 0)); 334 } else { 335 au_write(&(u_ad), au_to_return32(error, 336 rval->r_val1)); 337 } 338 } 339 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 340 if (type == 0) { 341 au_write(&(u_ad), 342 au_to_return32(error, 0)); 343 } else { 344 au_write(&(u_ad), 345 au_to_return32(error, 346 rval->r_val1)); 347 #ifdef NOTYET /* for possible future support */ 348 au_write(&(u_ad), au_to_return32(error, 349 rval->r_val2)); 350 #endif 351 } 352 } 353 if (sy_flags == SE_64RVAL) { 354 if (type == 0) { 355 au_write(&(u_ad), 356 au_to_return64(error, 0)); 357 } else { 358 au_write(&(u_ad), au_to_return64(error, 359 rval->r_vals)); 360 } 361 } 362 363 AS_INC(as_generated, 1, kctx); 364 AS_INC(as_kernel, 1, kctx); 365 } 366 367 /* Close up everything */ 368 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, 369 NULL); 370 } 371 372 ASSERT(u_ad == NULL); 373 374 /* free up any space remaining with the path's */ 375 if (tad->tad_aupath != NULL) { 376 au_pathrele(tad->tad_aupath); 377 tad->tad_aupath = NULL; 378 } 379 380 /* free up any space remaining with openat path's */ 381 if (tad->tad_atpath) { 382 au_pathrele(tad->tad_atpath); 383 tad->tad_atpath = NULL; 384 } 385 386 /* 387 * clear the ctrl flag so that we don't have spurious collection of 388 * audit information. 389 */ 390 tad->tad_scid = 0; 391 tad->tad_event = 0; 392 tad->tad_evmod = 0; 393 tad->tad_ctrl = 0; 394 tad->tad_audit = AUC_UNSET; 395 } 396 397 int 398 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error, 399 cred_t *cr) 400 { 401 au_state_t ess; 402 au_state_t esf; 403 au_mask_t amask; 404 const auditinfo_addr_t *ainfo; 405 406 ess = esf = kctx->auk_ets[tad->tad_event]; 407 408 if (error) 409 tad->tad_evmod |= PAD_FAILURE; 410 411 /* see if we really want to generate an audit record */ 412 if (tad->tad_ctrl & TAD_NOAUDIT) 413 return (0); 414 415 /* 416 * Used passed cred if available, otherwise use cred from kernel thread 417 */ 418 if (cr == NULL) 419 cr = CRED(); 420 ainfo = crgetauinfo(cr); 421 if (ainfo == NULL) 422 return (0); 423 amask = ainfo->ai_mask; 424 425 if (error == 0) 426 return ((ess & amask.as_success) ? AU_OK : 0); 427 else 428 return ((esf & amask.as_failure) ? AU_OK : 0); 429 } 430 431 /* 432 * determine if we've preselected this event (system call). 433 */ 434 int 435 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 436 { 437 int flag = 0; 438 au_mask_t amask; 439 const auditinfo_addr_t *ainfo; 440 441 ainfo = crgetauinfo(CRED()); 442 if (ainfo == NULL) 443 return (0); 444 amask = ainfo->ai_mask; 445 446 /* preselected system call */ 447 448 if (amask.as_success & estate || amask.as_failure & estate) { 449 flag = 1; 450 } else if ((tad->tad_scid == SYS_putmsg) || 451 (tad->tad_scid == SYS_getmsg)) { 452 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 453 kctx->auk_ets[AUE_SOCKACCEPT] | 454 kctx->auk_ets[AUE_SOCKSEND] | 455 kctx->auk_ets[AUE_SOCKRECEIVE]; 456 if (amask.as_success & estate || amask.as_failure & estate) 457 flag = 1; 458 } else if (tad->tad_scid == SYS_execve && 459 getpflags(PRIV_PFEXEC, CRED()) != 0) { 460 estate = kctx->auk_ets[AUE_PFEXEC]; 461 if (amask.as_success & estate || amask.as_failure & estate) 462 flag = 1; 463 } 464 465 return (flag); 466 } 467