xref: /illumos-gate/usr/src/uts/common/c2/audit_syscalls.c (revision 269e59f9a28bf47e0f463e64fc5af4a408b73b21)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the auditing system call code.
28  *
29  */
30 
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/user.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/session.h>	/* for session structure (auditctl(2) */
37 #include <sys/kmem.h>		/* for KM_SLEEP */
38 #include <sys/cred.h>
39 #include <sys/types.h>
40 #include <sys/proc.h>
41 #include <sys/uio.h>
42 #include <sys/file.h>
43 #include <sys/stat.h>
44 #include <sys/pathname.h>
45 #include <sys/acct.h>
46 #include <sys/stropts.h>
47 #include <sys/exec.h>
48 #include <sys/thread.h>
49 #include <sys/cmn_err.h>
50 #include <sys/debug.h>
51 #include <sys/disp.h>
52 #include <sys/kobj.h>
53 #include <sys/sysmacros.h>
54 #include <sys/policy.h>
55 #include <sys/taskq.h>
56 #include <sys/zone.h>
57 
58 #include <c2/audit.h>
59 #include <c2/audit_kernel.h>
60 #include <c2/audit_record.h>
61 
62 #define	HEADER_SIZE64	1;
63 #define	HEADER_SIZE32	0;
64 #define	AU_MIN_FILE_SZ	0x80000	/* minumum audit file size */
65 #define	AUDIT_REC_SIZE	0x8000	/* maximum user audit record size */
66 
67 extern pri_t	minclsyspri;	/* priority for taskq */
68 
69 static clock_t	au_resid = 15;	/* wait .15 sec before droping a rec */
70 
71 static void	au_output_thread();
72 
73 /*
74  * This is the loadable module wrapper.
75  */
76 #include <sys/modctl.h>
77 
78 /*
79  * Module linkage information for the kernel.
80  */
81 static struct modlmisc modlmisc = {
82 	&mod_miscops, "Solaris Auditing (C2)"
83 };
84 
85 static struct modlinkage modlinkage = {
86 	MODREV_1, (void *)&modlmisc, 0
87 };
88 
89 int
90 _init()
91 {
92 	return (mod_install(&modlinkage));
93 }
94 
95 int
96 _fini()
97 {
98 	return (EBUSY);
99 }
100 
101 int
102 _info(struct modinfo *modinfop)
103 {
104 	return (mod_info(&modlinkage, modinfop));
105 }
106 
107 /*
108  * The audit system call. Trust what the user has sent down and save it
109  * away in the audit file. User passes a complete audit record and its
110  * length.  We will fill in the time stamp, check the header and the length
111  * Put a trailer and a sequence token if policy requires.
112  * In the future length might become size_t instead of an int.
113  *
114  * The call is valid whether or not AUDIT_PERZONE is set (think of
115  * login to a zone).  When the local audit state (auk_auditstate) is
116  * AUC_INIT_AUDIT, records are accepted even though auditd isn't
117  * running.
118  */
119 int
120 audit(caddr_t record, int length)
121 {
122 	char	c;
123 	int	count, l;
124 	token_t	*m, *n, *s, *ad;
125 	int	hdrlen, delta;
126 	adr_t	hadr;
127 	adr_t	sadr;
128 	int	size;	/* 0: 32 bit utility  1: 64 bit utility */
129 	int	host_len;
130 	size_t	zlen;
131 	au_kcontext_t	*kctx = GET_KCTX_PZ;
132 	uint32_t auditing;
133 
134 	/* if auditing not enabled, then don't generate an audit record */
135 	auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
136 	    U2A(u)->tad_audit : kctx->auk_auditstate;
137 	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
138 		return (0);
139 
140 	/* Only privileged processes can audit */
141 	if (secpolicy_audit_modify(CRED()) != 0)
142 		return (EPERM);
143 
144 	/* Max user record size is 32K */
145 	if (length > AUDIT_REC_SIZE)
146 		return (E2BIG);
147 
148 	/*
149 	 * The specified length must be at least as big as the smallest
150 	 * possible header token. Later after beginning to scan the
151 	 * header we'll determine the true minimum length according to
152 	 * the header type and attributes.
153 	 */
154 #define	AU_MIN_HEADER_LEN	(sizeof (char) + sizeof (int32_t) + \
155 	sizeof (char) + sizeof (short) + sizeof (short) + \
156 	(sizeof (int32_t) * 2))
157 
158 	if (length < AU_MIN_HEADER_LEN)
159 		return (EINVAL);
160 
161 	/* Read in user's audit record */
162 	count = length;
163 	m = n = s = ad = NULL;
164 	while (count) {
165 		m = au_getclr();
166 		if (!s)
167 			s = n = m;
168 		else {
169 			n->next_buf = m;
170 			n = m;
171 		}
172 		l = MIN(count, AU_BUFSIZE);
173 		if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
174 			/* copyin failed release au_membuf */
175 			au_free_rec(s);
176 			return (EFAULT);
177 		}
178 		record += l;
179 		count -= l;
180 		m->len = (uchar_t)l;
181 	}
182 
183 	/* Now attach the entire thing to ad */
184 	au_write((caddr_t *)&(ad), s);
185 
186 	/* validate header token type. trust everything following it */
187 	adr_start(&hadr, memtod(s, char *));
188 	(void) adr_getchar(&hadr, &c);
189 	switch (c) {
190 	case AUT_HEADER32:
191 		/* size vers+event_ID+event_modifier fields */
192 		delta = 1 + 2 + 2;
193 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
194 		size = HEADER_SIZE32;
195 		break;
196 
197 #ifdef _LP64
198 	case AUT_HEADER64:
199 		/* size vers+event_ID+event_modifier fields */
200 		delta = 1 + 2 + 2;
201 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
202 		size = HEADER_SIZE64;
203 		break;
204 #endif
205 
206 	case AUT_HEADER32_EX:
207 		/*
208 		 * Skip over the length/version/type/mod fields and
209 		 * grab the host address type (length), then rewind.
210 		 * This is safe per the previous minimum length check.
211 		 */
212 		hadr.adr_now += 9;
213 		(void) adr_getint32(&hadr, &host_len);
214 		hadr.adr_now -= 9 + sizeof (int32_t);
215 
216 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
217 		delta = 1 + 2 + 2 + 4 + host_len;
218 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
219 		size = HEADER_SIZE32;
220 		break;
221 
222 #ifdef _LP64
223 	case AUT_HEADER64_EX:
224 		/*
225 		 * Skip over the length/version/type/mod fields and grab
226 		 * the host address type (length), then rewind.
227 		 * This is safe per the previous minimum length check.
228 		 */
229 		hadr.adr_now += 9;
230 		(void) adr_getint32(&hadr, &host_len);
231 		hadr.adr_now -= 9 + sizeof (int32_t);
232 
233 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
234 		delta = 1 + 2 + 2 + 4 + host_len;
235 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
236 		size = HEADER_SIZE64;
237 		break;
238 #endif
239 
240 	default:
241 		/* Header is wrong, reject message */
242 		au_free_rec(s);
243 		return (EINVAL);
244 	}
245 
246 	if (length < hdrlen) {
247 		au_free_rec(s);
248 		return (0);
249 	}
250 
251 	/* advance over header token length field */
252 	hadr.adr_now += 4;
253 
254 	/* validate version */
255 	(void) adr_getchar(&hadr, &c);
256 	if (c != TOKEN_VERSION) {
257 		/* version is wrong, reject message */
258 		au_free_rec(s);
259 		return (EINVAL);
260 	}
261 
262 	/* backup to header length field (including version field) */
263 	hadr.adr_now -= 5;
264 
265 	/*
266 	 * add on the zonename token if policy AUDIT_ZONENAME is set
267 	 */
268 	if (kctx->auk_policy & AUDIT_ZONENAME) {
269 		zlen = au_zonename_length(NULL);
270 		if (zlen > 0) {
271 			length += zlen;
272 			m = au_to_zonename(zlen, NULL);
273 			(void) au_append_rec(ad, m, AU_PACK);
274 		}
275 	}
276 	/* Add an (optional) sequence token. NULL offset if none */
277 	if (kctx->auk_policy & AUDIT_SEQ) {
278 		/* get the sequnce token */
279 		m = au_to_seq();
280 
281 		/* sequence token 5 bytes long */
282 		length += 5;
283 
284 		/* link to audit record (i.e. don't pack the data) */
285 		(void) au_append_rec(ad, m, AU_LINK);
286 
287 		/* advance to count field of token */
288 		adr_start(&sadr, memtod(m, char *));
289 		sadr.adr_now += 1;
290 	} else
291 		sadr.adr_now = (char *)NULL;
292 
293 	/* add the (optional) trailer token */
294 	if (kctx->auk_policy & AUDIT_TRAIL) {
295 		/* trailer token is 7 bytes long */
296 		length += 7;
297 
298 		/* append to audit record */
299 		(void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
300 	}
301 
302 	/* audit record completely assembled. set the length */
303 	adr_int32(&hadr, (int32_t *)&length, 1);
304 
305 	/* advance to date/time field of header */
306 	hadr.adr_now += delta;
307 
308 	/* We are done  put it on the queue */
309 	AS_INC(as_generated, 1, kctx);
310 	AS_INC(as_audit, 1, kctx);
311 
312 	au_enqueue(kctx, s, &hadr, &sadr, size, 0);
313 
314 	AS_INC(as_totalsize, length, kctx);
315 
316 	return (0);
317 }
318 
319 /*
320  * auditdoor starts a kernel thread to generate output from the audit
321  * queue.  The thread terminates when it detects auditing being turned
322  * off, such as when auditd exits with a SIGTERM.  If a subsequent
323  * auditdoor arrives while the thread is running, the door descriptor
324  * of the last auditdoor in will be used for output.  auditd is responsible
325  * for insuring that multiple copies are not running.
326  */
327 
328 int
329 auditdoor(int fd)
330 {
331 	struct file	*fp;
332 	struct vnode	*vp;
333 	int		do_create = 0;
334 	au_kcontext_t	*kctx;
335 
336 	if (secpolicy_audit_config(CRED()) != 0)
337 		return (EPERM);
338 
339 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
340 		return (EINVAL);
341 
342 	kctx = GET_KCTX_NGZ;
343 
344 	/*
345 	 * convert file pointer to file descriptor
346 	 *   Note: fd ref count incremented here.
347 	 */
348 	if ((fp = (struct file *)getf(fd)) == NULL) {
349 		return (EBADF);
350 	}
351 	vp = fp->f_vnode;
352 	if (vp->v_type != VDOOR) {
353 		cmn_err(CE_WARN,
354 		    "auditdoor() did not get the expected door descriptor\n");
355 		releasef(fd);
356 		return (EINVAL);
357 	}
358 	/*
359 	 * If the output thread is already running, then replace the
360 	 * door descriptor with the new one and continue; otherwise
361 	 * create the thread too.  Since au_output_thread makes a call
362 	 * to au_doorio() which also does
363 	 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
364 	 * done after the unlock...
365 	 */
366 	mutex_enter(&(kctx->auk_svc_lock));
367 
368 	if (kctx->auk_current_vp != NULL)
369 		VN_RELE(kctx->auk_current_vp);
370 
371 	kctx->auk_current_vp = vp;
372 	VN_HOLD(kctx->auk_current_vp);
373 	releasef(fd);
374 
375 	if (!kctx->auk_output_active) {
376 		kctx->auk_output_active = 1;
377 		do_create = 1;
378 	}
379 	mutex_exit(&(kctx->auk_svc_lock));
380 	if (do_create) {
381 		kctx->auk_taskq =
382 		    taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
383 		(void) taskq_dispatch(kctx->auk_taskq,
384 		    (task_func_t *)au_output_thread,
385 		    kctx, TQ_SLEEP);
386 	}
387 	return (0);
388 }
389 
390 static void
391 audit_dont_stop(void *kctx)
392 {
393 
394 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
395 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
396 		return;
397 
398 	mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
399 	cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
400 	mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
401 }
402 
403 /*
404  * au_queue_kick -- wake up the output queue after delay ticks
405  */
406 static void
407 au_queue_kick(void *kctx)
408 {
409 	/*
410 	 * wakeup reader if its not running and there is something
411 	 * to do.  It also helps that kctx still be valid...
412 	 */
413 
414 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
415 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
416 		return;
417 
418 	if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
419 	    ((au_kcontext_t *)kctx)->auk_queue.rd_block)
420 		cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
421 
422 	/* fire off timeout event to kick audit queue awake */
423 	(void) timeout(au_queue_kick, kctx,
424 	    ((au_kcontext_t *)kctx)->auk_queue.delay);
425 }
426 
427 /*
428  * output thread
429  *
430  * this runs "forever" where "forever" means until either auk_auditstate
431  * changes from AUC_AUDITING or if the door descriptor becomes invalid.
432  *
433  * there is one thread per active zone if AUC_PERZONE is set.  Since
434  * there is the possibility that a zone may go down without auditd
435  * terminating properly, a zone shutdown kills its au_output_thread()
436  * via taskq_destroy().
437  */
438 
439 static void
440 au_output_thread(au_kcontext_t *kctx)
441 {
442 	int		error = 0;
443 
444 	(void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
445 
446 	/*
447 	 * Wait for work, until a signal arrives,
448 	 * or until auditing is disabled.
449 	 */
450 
451 	while (!error) {
452 		if (kctx->auk_auditstate == AUC_AUDITING) {
453 			mutex_enter(&(kctx->auk_queue.lock));
454 			while (kctx->auk_queue.head == NULL) {
455 				/* safety check. kick writer awake */
456 				if (kctx->auk_queue.wt_block) {
457 					cv_broadcast(&(kctx->
458 					    auk_queue.write_cv));
459 				}
460 
461 				kctx->auk_queue.rd_block = 1;
462 				AS_INC(as_rblocked, 1, kctx);
463 
464 				cv_wait(&(kctx->auk_queue.read_cv),
465 				    &(kctx->auk_queue.lock));
466 				kctx->auk_queue.rd_block = 0;
467 
468 				if (kctx->auk_auditstate != AUC_AUDITING) {
469 					mutex_exit(&(kctx->auk_queue.lock));
470 					(void) timeout(audit_dont_stop, kctx,
471 					    au_resid);
472 					goto output_exit;
473 				}
474 				kctx->auk_queue.rd_block = 0;
475 			}
476 			mutex_exit(&(kctx->auk_queue.lock));
477 			/*
478 			 * au_doorio() calls au_door_upcall which holds
479 			 * auk_svc_lock; au_doorio empties the queue before
480 			 * returning.
481 			 */
482 
483 			error = au_doorio(kctx);
484 		} else {
485 			/* auditing turned off while we slept */
486 			break;
487 		}
488 	}
489 output_exit:
490 	mutex_enter(&(kctx->auk_svc_lock));
491 
492 	VN_RELE(kctx->auk_current_vp);
493 	kctx->auk_current_vp = NULL;
494 
495 	kctx->auk_output_active = 0;
496 
497 	mutex_exit(&(kctx->auk_svc_lock));
498 }
499