xref: /illumos-gate/usr/src/uts/common/c2/audit_start.c (revision 60405de4d8688d96dd05157c28db3ade5c9bc234)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file contains the envelope code for system call auditing.
30  */
31 
32 #include <sys/param.h>
33 #include <sys/types.h>
34 #include <sys/time.h>
35 #include <sys/kmem.h>
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/file.h>
39 #include <sys/user.h>
40 #include <sys/stropts.h>
41 #include <sys/systm.h>
42 #include <sys/pathname.h>
43 #include <sys/debug.h>
44 #include <sys/cred_impl.h>
45 #include <sys/zone.h>
46 #include <c2/audit.h>
47 #include <c2/audit_kernel.h>
48 #include <c2/audit_kevents.h>
49 #include <c2/audit_record.h>
50 #include "audit_door_infc.h"
51 
52 extern uint_t num_syscall;		/* size of audit_s2e table */
53 extern kmutex_t pidlock;		/* proc table lock */
54 
55 int audit_load = 0;	/* set from /etc/system */
56 
57 struct p_audit_data *pad0;
58 struct t_audit_data *tad0;
59 
60 /*
61  * Das Boot. Initialize first process. Also generate an audit record indicating
62  * that the system has been booted.
63  */
64 void
65 audit_init()
66 {
67 	kthread_t *au_thread;
68 	token_t *rp = NULL;
69 	label_t jb;
70 	struct audit_path apempty;
71 	auditinfo_addr_t *ainfo;
72 
73 	if (audit_load == 0) {
74 		audit_active = 0;
75 		au_auditstate = AUC_DISABLED;
76 		return;
77 #ifdef DEBUG
78 	} else if (audit_load == 2) {
79 		debug_enter((char *)NULL);
80 #endif
81 	}
82 
83 	audit_active = 1;
84 	set_all_proc_sys();		/* set pre- and post-syscall flags */
85 
86 	/* initialize memory allocators */
87 	au_mem_init();
88 
89 	au_zone_setup();
90 
91 	/* inital thread structure */
92 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
93 
94 	/* initial process structure */
95 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
96 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
97 
98 	T2A(curthread) = tad0;
99 	P2A(curproc) = pad0;
100 
101 	/*
102 	 * The kernel allocates a bunch of threads make sure they have
103 	 * a valid tad
104 	 */
105 
106 	mutex_enter(&pidlock);
107 
108 	au_thread = curthread;
109 	do {
110 		if (T2A(au_thread) == NULL) {
111 			T2A(au_thread) = tad0;
112 		}
113 		au_thread = au_thread->t_next;
114 	} while (au_thread != curthread);
115 
116 	tad0->tad_ad   = NULL;
117 	mutex_exit(&pidlock);
118 
119 	/*
120 	 * Initialize audit context in our cred (kcred).
121 	 * No copy-on-write needed here because it's so early in init.
122 	 */
123 	ainfo = crgetauinfo_modifiable(kcred);
124 	ASSERT(ainfo != NULL);
125 	bzero(ainfo, sizeof (auditinfo_addr_t));
126 	ainfo->ai_auid = AU_NOAUDITID;
127 
128 	/* fabricate an empty audit_path to extend */
129 	apempty.audp_cnt = 0;
130 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
131 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
132 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
133 	au_pathhold(pad0->pad_root);
134 	pad0->pad_cwd = pad0->pad_root;
135 
136 	/*
137 	 * setup environment for asynchronous auditing. We can't use
138 	 * audit_async_start() here since it assumes the audit system
139 	 * has been started via auditd(1m). auditd sets the variable,
140 	 * auk_auditstate, to indicate audit record generation should
141 	 * commence. Here we want to always generate an audit record.
142 	 */
143 	if (setjmp(&jb)) {
144 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
145 		audit_async_drop((caddr_t *)(&rp), 0);
146 		return;
147 	}
148 
149 	ASSERT(tad0->tad_errjmp == NULL);
150 	tad0->tad_errjmp = (void *)&jb;
151 	tad0->tad_ctrl |= PAD_ERRJMP;
152 
153 	/* generate a system-booted audit record */
154 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
155 
156 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL);
157 }
158 
159 void
160 audit_free()
161 {
162 }
163 
164 /*
165  * Check for any pending changes to the audit context for the given proc.
166  * p_crlock and pad_lock for the process are acquired here. Caller is
167  * responsible for assuring the process doesn't go away. If context is
168  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
169  * If no cred is given, it will be cralloc'ed here and caller assures that
170  * it is safe to allocate memory.
171  */
172 void
173 audit_update_context(proc_t *p, cred_t *ncr)
174 {
175 	struct p_audit_data *pad;
176 	cred_t	*newcred = ncr;
177 
178 	pad = P2A(p);
179 	if (pad == NULL) {
180 		if (newcred != NULL)
181 			crfree(newcred);
182 		return;
183 	}
184 
185 	/* If a mask update is pending, take care of it. */
186 	if (pad->pad_flags & PAD_SETMASK) {
187 		auditinfo_addr_t *ainfo;
188 
189 		if (newcred == NULL)
190 			newcred = cralloc();
191 
192 		mutex_enter(&pad->pad_lock);
193 		/* the condition may have been handled by the time we lock */
194 		if (pad->pad_flags & PAD_SETMASK) {
195 			ainfo = crgetauinfo_modifiable(newcred);
196 			if (ainfo == NULL) {
197 				mutex_enter(&pad->pad_lock);
198 				crfree(newcred);
199 				return;
200 			}
201 
202 			mutex_enter(&p->p_crlock);
203 			crcopy_to(p->p_cred, newcred);
204 			p->p_cred = newcred;
205 
206 			ainfo->ai_mask = pad->pad_newmask;
207 
208 			/* Unlock and cleanup. */
209 			mutex_exit(&p->p_crlock);
210 			pad->pad_flags &= ~PAD_SETMASK;
211 
212 			/*
213 			 * For curproc, assure that our thread points to right
214 			 * cred, so CRED() will be correct. Otherwise, no need
215 			 * to broadcast changes (via set_proc_pre_sys), since
216 			 * t_pre_sys is ALWAYS on when audit is enabled... due
217 			 * to syscall auditing.
218 			 */
219 			if (p == curproc)
220 				crset(p, newcred);
221 			else
222 				crfree(newcred);
223 		} else {
224 			crfree(newcred);
225 		}
226 		mutex_exit(&pad->pad_lock);
227 	} else {
228 		if (newcred != NULL)
229 			crfree(newcred);
230 	}
231 }
232 
233 
234 /*
235  * Enter system call. Do any necessary setup here. allocate resouces, etc.
236  */
237 
238 #include <sys/syscall.h>
239 
240 
241 /*ARGSUSED*/
242 int
243 audit_start(
244 	unsigned type,
245 	unsigned scid,
246 	int error,
247 	klwp_t *lwp)
248 {
249 	int			ctrl;
250 	au_event_t		event;
251 	au_state_t		estate;
252 	struct t_audit_data	*tad;
253 	au_kcontext_t		*kctx;
254 
255 	tad = U2A(u);
256 	ASSERT(tad != NULL);
257 
258 	if (error) {
259 		tad->tad_ctrl = 0;
260 		tad->tad_flag = 0;
261 		return (0);
262 	}
263 
264 	audit_update_context(curproc, NULL);
265 
266 	/*
267 	 * if this is an indirect system call then don't do anything.
268 	 * audit_start will be called again from indir() in trap.c
269 	 */
270 	if (scid == 0) {
271 		tad->tad_ctrl = 0;
272 		tad->tad_flag = 0;
273 		return (0);
274 	}
275 	if (scid >= num_syscall)
276 		scid = 0;
277 
278 	/* we can no longer ber guarantied a valid lwp_ap */
279 	/* so we need to force it valid a lot of stuff needs it */
280 	(void) save_syscall_args();
281 
282 	/* get control information */
283 	ctrl  = audit_s2e[scid].au_ctrl;
284 
285 	/*
286 	 * We need to gather paths for certain system calls even if they are
287 	 * not audited so that we can audit the various f* calls and be
288 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
289 	 * system call regardless if the call is audited or not.
290 	 * We allow the au_init() routine to adjust the tad_ctrl.
291 	 */
292 	tad->tad_ctrl   = ctrl;
293 	tad->tad_scid   = scid;
294 
295 	/* get basic event for system call */
296 	event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event);
297 
298 	kctx = SET_KCTX_PZ;
299 	if (kctx == NULL) {
300 		zone_status_t zstate = zone_status_get(curproc->p_zone);
301 		ASSERT(zstate != ZONE_IS_READY);
302 		return (0);
303 	}
304 
305 	estate = kctx->auk_ets[event];
306 
307 	/* now do preselection. Audit or not to Audit, that is the question */
308 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) {
309 		/*
310 		 * we assume that audit_finish will always be called.
311 		 */
312 		return (0);
313 	}
314 
315 	/*
316 	 * if auditing not enabled, then don't generate an audit record
317 	 * and don't count it.
318 	 */
319 	if ((kctx->auk_auditstate != AUC_AUDITING &&
320 	    kctx->auk_auditstate != AUC_INIT_AUDIT)) {
321 		/*
322 		 * we assume that audit_finish will always be called.
323 		 */
324 		tad->tad_flag = 0;
325 		return (0);
326 	}
327 
328 	/*
329 	 * audit daemon has informed us that there is no longer any
330 	 * space left to hold audit records. We decide here if records
331 	 * should be dropped (but counted).
332 	 */
333 	if (kctx->auk_auditstate == AUC_NOSPACE) {
334 		if ((kctx->auk_policy & AUDIT_CNT) ||
335 		    (kctx->auk_policy & AUDIT_SCNT)) {
336 			/* assume that audit_finish will always be called. */
337 			tad->tad_flag = 0;
338 
339 			/* just count # of dropped audit records */
340 			AS_INC(as_dropped, 1, kctx);
341 
342 			return (0);
343 		}
344 	}
345 
346 	tad->tad_event  = event;
347 	tad->tad_evmod  = 0;
348 
349 	(*audit_s2e[scid].au_start)(tad);
350 
351 	return (0);
352 }
353 
354 /*
355  * system call has completed. Now determine if we genearate an audit record
356  * or not.
357  */
358 /*ARGSUSED*/
359 void
360 audit_finish(
361 	unsigned type,
362 	unsigned scid,
363 	int error,
364 	rval_t *rval)
365 {
366 	struct t_audit_data *tad;
367 	int	flag;
368 	au_defer_info_t	*attr;
369 	au_kcontext_t *kctx = SET_KCTX_PZ;
370 
371 	if (kctx == NULL) {
372 		zone_status_t zstate = zone_status_get(curproc->p_zone);
373 		ASSERT(zstate != ZONE_IS_READY);
374 		return;
375 	}
376 
377 	tad = U2A(u);
378 
379 	/*
380 	 * Process all deferred events first.
381 	 */
382 	attr = tad->tad_defer_head;
383 	while (attr != NULL) {
384 		au_defer_info_t	*tmp_attr = attr;
385 
386 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
387 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
388 
389 		attr = attr->audi_next;
390 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
391 	}
392 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
393 
394 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
395 		/*
396 		 * clear the ctrl flag so that we don't have spurious
397 		 * collection of audit information.
398 		 */
399 		tad->tad_scid  = 0;
400 		tad->tad_event = 0;
401 		tad->tad_evmod = 0;
402 		tad->tad_ctrl  = 0;
403 		ASSERT(tad->tad_aupath == NULL);
404 		return;
405 	}
406 
407 	scid = tad->tad_scid;
408 
409 	/*
410 	 * Perform any extra processing and determine if we are
411 	 * really going to generate any audit record.
412 	 */
413 	(*audit_s2e[scid].au_finish)(tad, error, rval);
414 	if (tad->tad_flag) {
415 		tad->tad_flag = 0;
416 
417 		if (flag = audit_success(kctx, tad, error)) {
418 			unsigned int sy_flags;
419 			cred_t *cr = CRED();
420 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
421 
422 			ASSERT(ainfo != NULL);
423 
424 			/* Add subject information */
425 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
426 
427 			if (tad->tad_evmod & PAD_SPRIVUSE)
428 				au_write(&(u_ad),
429 					au_to_privset("", &tad->tad_sprivs,
430 					    AUT_UPRIV, 1));
431 
432 			if (tad->tad_evmod & PAD_FPRIVUSE)
433 				au_write(&(u_ad),
434 					au_to_privset("", &tad->tad_fprivs,
435 					    AUT_UPRIV, 0));
436 
437 			/* Add a return token */
438 #ifdef _SYSCALL32_IMPL
439 			if (lwp_getdatamodel(
440 				ttolwp(curthread)) == DATAMODEL_NATIVE)
441 			    sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
442 			else
443 			    sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
444 #else
445 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
446 #endif
447 
448 			if (sy_flags == SE_32RVAL1) {
449 			    if (type == 0) {
450 				au_write(&(u_ad), au_to_return32(error, 0));
451 			    } else {
452 				au_write(&(u_ad), au_to_return32(error,
453 								rval->r_val1));
454 			    }
455 			}
456 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
457 			    if (type == 0) {
458 				au_write(&(u_ad), au_to_return32(error, 0));
459 			    } else {
460 				au_write(&(u_ad), au_to_return32(error,
461 								rval->r_val1));
462 #ifdef NOTYET	/* for possible future support */
463 				au_write(&(u_ad), au_to_return32(error,
464 								rval->r_val2));
465 #endif
466 			    }
467 			}
468 			if (sy_flags == SE_64RVAL) {
469 			    if (type == 0) {
470 				au_write(&(u_ad), au_to_return64(error, 0));
471 			    } else {
472 				au_write(&(u_ad), au_to_return64(error,
473 								rval->r_vals));
474 			    }
475 			}
476 
477 			AS_INC(as_generated, 1, kctx);
478 			AS_INC(as_kernel, 1, kctx);
479 		}
480 
481 		/* Close up everything */
482 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
483 	}
484 
485 	ASSERT(u_ad == NULL);
486 
487 	/* free up any space remaining with the path's */
488 	if (tad->tad_aupath != NULL) {
489 		au_pathrele(tad->tad_aupath);
490 		tad->tad_aupath = NULL;
491 		tad->tad_vn = NULL;
492 	}
493 
494 	/* free up any space remaining with openat path's */
495 	if (tad->tad_atpath) {
496 		au_pathrele(tad->tad_atpath);
497 		tad->tad_atpath = NULL;
498 	}
499 
500 	/*
501 	 * clear the ctrl flag so that we don't have spurious collection of
502 	 * audit information.
503 	 */
504 	tad->tad_scid  = 0;
505 	tad->tad_event = 0;
506 	tad->tad_evmod = 0;
507 	tad->tad_ctrl  = 0;
508 }
509 
510 int
511 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error)
512 {
513 	au_state_t ess;
514 	au_state_t esf;
515 	au_mask_t amask;
516 	const auditinfo_addr_t *ainfo;
517 
518 	ess = esf = kctx->auk_ets[tad->tad_event];
519 
520 	if (error)
521 		tad->tad_evmod |= PAD_FAILURE;
522 
523 	/* see if we really want to generate an audit record */
524 	if (tad->tad_ctrl & PAD_NOAUDIT)
525 		return (0);
526 
527 	/*
528 	 * nfs operation and we're auditing privilege or MAC. This
529 	 * is so we have a client audit record to match a nfs server
530 	 * audit record.
531 	 */
532 	if (tad->tad_ctrl & PAD_AUDITME)
533 		return (AU_OK);
534 
535 	ainfo = crgetauinfo(CRED());
536 	if (ainfo == NULL)
537 		return (0);
538 	amask = ainfo->ai_mask;
539 
540 	if (error == 0)
541 		return ((ess & amask.as_success) ? AU_OK : 0);
542 	else
543 		return ((esf & amask.as_failure) ? AU_OK : 0);
544 }
545 
546 /*
547  * determine if we've preselected this event (system call).
548  */
549 int
550 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
551 {
552 	int flag = 0;
553 	au_mask_t amask;
554 	const auditinfo_addr_t *ainfo;
555 
556 	ainfo = crgetauinfo(CRED());
557 	if (ainfo == NULL)
558 		return (0);
559 	amask = ainfo->ai_mask;
560 
561 		/* preselected system call */
562 
563 	if (amask.as_success & estate || amask.as_failure & estate) {
564 		flag = 1;
565 	} else if ((tad->tad_scid == SYS_putmsg) ||
566 		(tad->tad_scid == SYS_getmsg)) {
567 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
568 			kctx->auk_ets[AUE_SOCKACCEPT]	|
569 			kctx->auk_ets[AUE_SOCKSEND]		|
570 			kctx->auk_ets[AUE_SOCKRECEIVE];
571 		if (amask.as_success & estate || amask.as_failure & estate)
572 			flag = 1;
573 	}
574 
575 	return (flag);
576 }
577