xref: /illumos-gate/usr/src/uts/common/c2/audit_start.c (revision c9ffe217655ce62448bdb45d6f113f43b4dfcc54)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the envelope code for system call auditing.
27  */
28 
29 #include <sys/param.h>
30 #include <sys/types.h>
31 #include <sys/time.h>
32 #include <sys/kmem.h>
33 #include <sys/proc.h>
34 #include <sys/vnode.h>
35 #include <sys/file.h>
36 #include <sys/user.h>
37 #include <sys/stropts.h>
38 #include <sys/systm.h>
39 #include <sys/pathname.h>
40 #include <sys/debug.h>
41 #include <sys/cred.h>
42 #include <sys/zone.h>
43 #include <c2/audit.h>
44 #include <c2/audit_kernel.h>
45 #include <c2/audit_kevents.h>
46 #include <c2/audit_record.h>
47 #include "audit_door_infc.h"
48 
49 extern uint_t num_syscall;		/* size of audit_s2e table */
50 extern kmutex_t pidlock;		/* proc table lock */
51 
52 /*
53  * Obsolete and ignored - Historically, the 'set c2audit:audit_load=1' entry
54  * in /etc/system enabled auditing. The No Reboot Audit project does not
55  * use this entry. However, to prevent the system from printing warning
56  * messages, the audit_load entry is being left in /etc/system. It will be
57  * removed when there is a small chance that the entry is used on currently
58  * running systems.
59  */
60 int audit_load = 0;
61 
62 kmutex_t module_lock;			/* audit_module_state lock */
63 
64 /*
65  * Das Boot. Initialize first process. Also generate an audit record indicating
66  * that the system has been booted.
67  */
68 void
69 audit_init_module()
70 {
71 	token_t *rp = NULL;
72 	label_t jb;
73 	t_audit_data_t *tad = U2A(u);
74 
75 	/*
76 	 * Solaris Auditing module is being loaded -> change the state. The lock
77 	 * is here to prevent memory leaks caused by multiple initializations.
78 	 */
79 	mutex_enter(&module_lock);
80 	if (audit_active != C2AUDIT_UNLOADED) {
81 		mutex_exit(&module_lock);
82 		return;
83 	}
84 	audit_active = C2AUDIT_LOADED;
85 	mutex_exit(&module_lock);
86 
87 	/* initialize memory allocators */
88 	au_mem_init();
89 
90 	/*
91 	 * setup environment for asynchronous auditing. We can't use
92 	 * audit_async_start() here since it assumes the audit system
93 	 * has been started via auditd(1m). auditd sets the variable,
94 	 * auk_auditstate, to indicate audit record generation should
95 	 * commence. Here we want to always generate an audit record.
96 	 */
97 	if (setjmp(&jb)) {
98 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
99 		audit_async_drop((caddr_t *)(&rp), 0);
100 		return;
101 	}
102 
103 	ASSERT(tad->tad_errjmp == NULL);
104 	tad->tad_errjmp = (void *)&jb;
105 	tad->tad_ctrl |= TAD_ERRJMP;
106 
107 	/* generate a system-booted audit record */
108 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
109 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, 0,
110 	    &(p0.p_user.u_start));
111 }
112 
113 
114 /*
115  * Enter system call. Do any necessary setup here. allocate resouces, etc.
116  */
117 
118 #include <sys/syscall.h>
119 
120 
121 /*ARGSUSED*/
122 int
123 audit_start(
124 	unsigned type,
125 	unsigned scid,
126 	uint32_t audit_state,
127 	int error,
128 	klwp_t *lwp)
129 {
130 	struct t_audit_data	*tad;
131 	au_kcontext_t		*kctx;
132 
133 	tad = U2A(u);
134 	ASSERT(tad != NULL);
135 
136 	/* Remember the audit state in the cache */
137 	tad->tad_audit = audit_state;
138 
139 	if (error) {
140 		tad->tad_ctrl = 0;
141 		tad->tad_flag = 0;
142 		return (0);
143 	}
144 
145 	audit_update_context(curproc, NULL);
146 
147 	/*
148 	 * if this is an indirect system call then don't do anything.
149 	 * audit_start will be called again from indir() in trap.c
150 	 */
151 	if (scid == 0) {
152 		tad->tad_ctrl = 0;
153 		tad->tad_flag = 0;
154 		return (0);
155 	}
156 	if (scid >= num_syscall)
157 		scid = 0;
158 
159 	/*
160 	 * we can no longer depend on a valid lwp_ap, so we need to
161 	 * copy the syscall args as future audit stuff may need them.
162 	 */
163 	(void) save_syscall_args();
164 
165 	/*
166 	 * We need to gather paths for certain system calls even if they are
167 	 * not audited so that we can audit the various f* calls and be
168 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
169 	 * system call regardless if the call is audited or not.
170 	 * We allow the event specific initial processing routines (au_init)
171 	 * to adjust the tad_ctrl as necessary.
172 	 */
173 	tad->tad_ctrl   = audit_s2e[scid].au_ctrl;
174 	tad->tad_scid   = scid;
175 
176 	/* get basic event for system call */
177 	tad->tad_event = audit_s2e[scid].au_event;
178 	if (audit_s2e[scid].au_init != (au_event_t (*)(au_event_t))NULL) {
179 		/* get specific event */
180 		tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event);
181 	}
182 
183 	kctx = GET_KCTX_PZ;
184 
185 	/* now do preselection. Audit or not to Audit, that is the question */
186 	if ((tad->tad_flag = auditme(kctx, tad,
187 	    kctx->auk_ets[tad->tad_event])) == 0) {
188 		/*
189 		 * we assume that audit_finish will always be called.
190 		 */
191 		return (0);
192 	}
193 
194 	/*
195 	 * if auditing not enabled, then don't generate an audit record
196 	 * and don't count it.
197 	 */
198 	if (audit_state & ~(AUC_AUDITING | AUC_INIT_AUDIT)) {
199 		/*
200 		 * we assume that audit_finish will always be called.
201 		 */
202 		tad->tad_flag = 0;
203 		return (0);
204 	}
205 
206 	/*
207 	 * audit daemon has informed us that there is no longer any
208 	 * space left to hold audit records. We decide here if records
209 	 * should be dropped (but counted).
210 	 */
211 	if (audit_state == AUC_NOSPACE) {
212 		if ((kctx->auk_policy & AUDIT_CNT) ||
213 		    (kctx->auk_policy & AUDIT_SCNT)) {
214 			/* assume that audit_finish will always be called. */
215 			tad->tad_flag = 0;
216 
217 			/* just count # of dropped audit records */
218 			AS_INC(as_dropped, 1, kctx);
219 
220 			return (0);
221 		}
222 	}
223 
224 	tad->tad_evmod  = 0;
225 
226 	if (audit_s2e[scid].au_start != NULL) {
227 		/* do start of system call processing */
228 		(*audit_s2e[scid].au_start)(tad);
229 	}
230 
231 	return (0);
232 }
233 
234 /*
235  * system call has completed. Now determine if we genearate an audit record
236  * or not.
237  */
238 /*ARGSUSED*/
239 void
240 audit_finish(
241 	unsigned type,
242 	unsigned scid,
243 	int error,
244 	rval_t *rval)
245 {
246 	struct t_audit_data *tad;
247 	int	flag;
248 	au_defer_info_t	*attr;
249 	au_kcontext_t *kctx = GET_KCTX_PZ;
250 
251 	tad = U2A(u);
252 
253 	/*
254 	 * Process all deferred events first.
255 	 */
256 	attr = tad->tad_defer_head;
257 	while (attr != NULL) {
258 		au_defer_info_t	*tmp_attr = attr;
259 
260 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
261 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
262 
263 		attr = attr->audi_next;
264 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
265 	}
266 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
267 
268 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) {
269 		/*
270 		 * clear the ctrl flag so that we don't have spurious
271 		 * collection of audit information.
272 		 */
273 		tad->tad_scid  = 0;
274 		tad->tad_event = 0;
275 		tad->tad_evmod = 0;
276 		tad->tad_ctrl  = 0;
277 		tad->tad_audit = AUC_UNSET;
278 		ASSERT(tad->tad_aupath == NULL);
279 		return;
280 	}
281 
282 	scid = tad->tad_scid;
283 
284 	/*
285 	 * Perform any extra processing and determine if we are
286 	 * really going to generate any audit record.
287 	 */
288 	if (audit_s2e[scid].au_finish != NULL) {
289 		/* do any post system call processing */
290 		(*audit_s2e[scid].au_finish)(tad, error, rval);
291 	}
292 	if (tad->tad_flag) {
293 		tad->tad_flag = 0;
294 
295 		if (flag = audit_success(kctx, tad, error, NULL)) {
296 			unsigned int sy_flags;
297 			cred_t *cr = CRED();
298 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
299 
300 			ASSERT(ainfo != NULL);
301 
302 			/* Add subject information */
303 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
304 
305 			if (tad->tad_evmod & PAD_SPRIVUSE) {
306 				au_write(&(u_ad),
307 				    au_to_privset("", &tad->tad_sprivs,
308 				    AUT_UPRIV, 1));
309 			}
310 
311 			if (tad->tad_evmod & PAD_FPRIVUSE) {
312 				au_write(&(u_ad),
313 				    au_to_privset("", &tad->tad_fprivs,
314 				    AUT_UPRIV, 0));
315 			}
316 
317 			/* Add a return token */
318 #ifdef	_SYSCALL32_IMPL
319 			if (lwp_getdatamodel(ttolwp(curthread)) ==
320 			    DATAMODEL_NATIVE) {
321 				sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
322 			} else {
323 				sy_flags =
324 				    sysent32[scid].sy_flags & SE_RVAL_MASK;
325 			}
326 #else	/* _SYSCALL64_IMPL */
327 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
328 #endif   /* _SYSCALL32_IMPL */
329 
330 			if (sy_flags == SE_32RVAL1) {
331 				if (type == 0) {
332 					au_write(&(u_ad),
333 					    au_to_return32(error, 0));
334 				} else {
335 					au_write(&(u_ad), au_to_return32(error,
336 					    rval->r_val1));
337 				}
338 			}
339 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
340 				if (type == 0) {
341 					au_write(&(u_ad),
342 					    au_to_return32(error, 0));
343 				} else {
344 					au_write(&(u_ad),
345 					    au_to_return32(error,
346 					    rval->r_val1));
347 #ifdef NOTYET	/* for possible future support */
348 					au_write(&(u_ad), au_to_return32(error,
349 					    rval->r_val2));
350 #endif
351 				}
352 			}
353 			if (sy_flags == SE_64RVAL) {
354 				if (type == 0) {
355 					au_write(&(u_ad),
356 					    au_to_return64(error, 0));
357 				} else {
358 					au_write(&(u_ad), au_to_return64(error,
359 					    rval->r_vals));
360 				}
361 			}
362 
363 			AS_INC(as_generated, 1, kctx);
364 			AS_INC(as_kernel, 1, kctx);
365 		}
366 
367 		/* Close up everything */
368 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod,
369 		    NULL);
370 	}
371 
372 	ASSERT(u_ad == NULL);
373 
374 	/* free up any space remaining with the path's */
375 	if (tad->tad_aupath != NULL) {
376 		au_pathrele(tad->tad_aupath);
377 		tad->tad_aupath = NULL;
378 	}
379 
380 	/* free up any space remaining with openat path's */
381 	if (tad->tad_atpath) {
382 		au_pathrele(tad->tad_atpath);
383 		tad->tad_atpath = NULL;
384 	}
385 
386 	/*
387 	 * clear the ctrl flag so that we don't have spurious collection of
388 	 * audit information.
389 	 */
390 	tad->tad_scid  = 0;
391 	tad->tad_event = 0;
392 	tad->tad_evmod = 0;
393 	tad->tad_ctrl  = 0;
394 	tad->tad_audit = AUC_UNSET;
395 }
396 
397 int
398 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
399     cred_t *cr)
400 {
401 	au_state_t ess;
402 	au_state_t esf;
403 	au_mask_t amask;
404 	const auditinfo_addr_t *ainfo;
405 
406 	ess = esf = kctx->auk_ets[tad->tad_event];
407 
408 	if (error)
409 		tad->tad_evmod |= PAD_FAILURE;
410 
411 	/* see if we really want to generate an audit record */
412 	if (tad->tad_ctrl & TAD_NOAUDIT)
413 		return (0);
414 
415 	/*
416 	 * Used passed cred if available, otherwise use cred from kernel thread
417 	 */
418 	if (cr == NULL)
419 		cr = CRED();
420 	ainfo = crgetauinfo(cr);
421 	if (ainfo == NULL)
422 		return (0);
423 	amask = ainfo->ai_mask;
424 
425 	if (error == 0)
426 		return ((ess & amask.as_success) ? AU_OK : 0);
427 	else
428 		return ((esf & amask.as_failure) ? AU_OK : 0);
429 }
430 
431 /*
432  * determine if we've preselected this event (system call).
433  */
434 int
435 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
436 {
437 	int flag = 0;
438 	au_mask_t amask;
439 	const auditinfo_addr_t *ainfo;
440 
441 	ainfo = crgetauinfo(CRED());
442 	if (ainfo == NULL)
443 		return (0);
444 	amask = ainfo->ai_mask;
445 
446 		/* preselected system call */
447 
448 	if (amask.as_success & estate || amask.as_failure & estate) {
449 		flag = 1;
450 	} else if ((tad->tad_scid == SYS_putmsg) ||
451 	    (tad->tad_scid == SYS_getmsg)) {
452 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
453 		    kctx->auk_ets[AUE_SOCKACCEPT]	|
454 		    kctx->auk_ets[AUE_SOCKSEND]		|
455 		    kctx->auk_ets[AUE_SOCKRECEIVE];
456 		if (amask.as_success & estate || amask.as_failure & estate)
457 			flag = 1;
458 	} else if (tad->tad_scid == SYS_execve &&
459 	    getpflags(PRIV_PFEXEC, CRED()) != 0) {
460 		estate = kctx->auk_ets[AUE_PFEXEC];
461 		if (amask.as_success & estate || amask.as_failure & estate)
462 			flag = 1;
463 	}
464 
465 	return (flag);
466 }
467