1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the auditing system call code. 
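 *
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/user.h>
#include <sys/vnode.h>
#include <sys/vfs.h>
#include <sys/session.h>	/* for session structure (auditctl(2) */
#include <sys/kmem.h>		/* for KM_SLEEP */
#include <sys/cred.h>
#include <sys/types.h>
#include <sys/proc.h>
#include <sys/uio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/pathname.h>
#include <sys/acct.h>
#include <sys/stropts.h>
#include <sys/exec.h>
#include <sys/thread.h>
#include <sys/cmn_err.h>
#include <sys/debug.h>
#include <sys/disp.h>
#include <sys/kobj.h>
#include <sys/sysmacros.h>
#include <sys/policy.h>
#include <sys/taskq.h>
#include <sys/zone.h>

#include <c2/audit.h>
#include <c2/audit_kernel.h>
#include <c2/audit_record.h>

/*
 * Header layout selector handed to au_enqueue(): 0 for the AUT_HEADER32*
 * tokens (two int32 time stamp fields), 1 for AUT_HEADER64* (two int64).
 * No trailing ';' here -- the old definitions carried one, which only
 * worked because the macros were never used inside an expression.
 */
#define	HEADER_SIZE64	1
#define	HEADER_SIZE32	0
#define	AU_MIN_FILE_SZ	0x80000		/* minimum audit file size */
#define	AUDIT_REC_SIZE	0x8000		/* maximum user audit record size */

extern pri_t minclsyspri;		/* priority for taskq */

/*
 * Delay, in clock ticks, before audit_dont_stop() wakes blocked writers
 * once the output thread has seen auditing turned off (15 ticks is
 * .15 sec at hz=100).
 */
static clock_t au_resid = 15;

/* Queue drainer started by auditdoor(); takes the zone's audit context. */
static void au_output_thread(au_kcontext_t *);

/*
 * This is the loadable module wrapper.
 */
#include <sys/modctl.h>

/*
 * Module linkage information for the kernel.
 */
static struct modlmisc modlmisc = {
	&mod_miscops, "Solaris Auditing (C2)"
};

static struct modlinkage modlinkage = {
	MODREV_1, (void *)&modlmisc, 0
};

/* Register the module with the kernel; returns mod_install()'s status. */
int
_init(void)
{
	return (mod_install(&modlinkage));
}

/* The auditing module is never unloaded: always report it busy. */
int
_fini(void)
{
	return (EBUSY);
}

/* Report module information via the standard mod_info() path. */
int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * The audit system call. Trust what the user has sent down and save it
 * away in the audit file. User passes a complete audit record and its
 * length.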
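 * We will fill in the time stamp, check the header and the length,
 * and put a trailer and a sequence token on it if policy requires.
 * In the future length might become size_t instead of an int.
 *
 * The call is valid whether or not AUDIT_PERZONE is set (think of
 * login to a zone). When the local audit state (auk_auditstate) is
 * AUC_INIT_AUDIT, records are accepted even though auditd isn't
 * running.
 *
 * Returns 0 when the record was queued (or when auditing is off and the
 * record is simply ignored), EPERM without audit-modify privilege, E2BIG
 * or EINVAL for a malformed record, EFAULT if the copyin fails.
 */

/*
 * The specified length must be at least as big as the smallest possible
 * header token: type(1) + length(4) + version(1) + event(2) + modifier(2)
 * + two int32 time stamp fields.  au_parse_header() computes the real
 * minimum once the header type and attributes are known.
 */
#define	AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \
	sizeof (char) + sizeof (short) + sizeof (short) + \
	(sizeof (int32_t) * 2))

/*
 * Validate the header token at the front of a user-supplied record.
 *
 * hadr must be positioned on the first byte of the record and the caller
 * must already have checked that at least AU_MIN_HEADER_LEN bytes are
 * present, which covers every read made here.  On success the cursor is
 * left on the header's length field, *deltap is the distance from the end
 * of that field to the time stamp field and *sizep is HEADER_SIZE32 or
 * HEADER_SIZE64.  Returns 0, or EINVAL for an unknown header type, a bad
 * version, an out-of-range host address length or a header that does not
 * fit in the record.
 */
static int
au_parse_header(adr_t *hadr, int length, int *deltap, int *sizep)
{
	char type, vers;
	int host_len = 0;
	int extended, tstamp, delta, hdrlen, size;

	(void) adr_getchar(hadr, &type);
	switch (type) {
	case AUT_HEADER32:
		extended = 0;
		tstamp = (int)(sizeof (int32_t) * 2);
		size = HEADER_SIZE32;
		break;

#ifdef _LP64
	case AUT_HEADER64:
		extended = 0;
		tstamp = (int)(sizeof (int64_t) * 2);
		size = HEADER_SIZE64;
		break;
#endif

	case AUT_HEADER32_EX:
		extended = 1;
		tstamp = (int)(sizeof (int32_t) * 2);
		size = HEADER_SIZE32;
		break;

#ifdef _LP64
	case AUT_HEADER64_EX:
		extended = 1;
		tstamp = (int)(sizeof (int64_t) * 2);
		size = HEADER_SIZE64;
		break;
#endif

	default:
		/* Header is wrong, reject message */
		return (EINVAL);
	}

	if (extended) {
		/*
		 * Skip over the length/version/type/mod fields (9 bytes),
		 * grab the host address type -- which doubles as the
		 * address length -- then rewind to the length field.
		 */
		hadr->adr_now += 9;
		(void) adr_getint32(hadr, &host_len);
		hadr->adr_now -= 9 + sizeof (int32_t);

		/*
		 * host_len comes straight from user space.  A negative
		 * value would move the header cursor backwards out of the
		 * buffer before the time stamp is written, and a huge one
		 * would overflow the arithmetic below.  A well-formed token
		 * carries a 4- or 16-byte address; this bound only
		 * guarantees memory safety, the content is trusted as
		 * before.
		 */
		if (host_len < 0 || host_len > AU_BUFSIZE)
			return (EINVAL);
	}

	/* version + event_ID + event_modifier [+ IP_type + IP_addr_array] */
	delta = 1 + 2 + 2;
	if (extended)
		delta += 4 + host_len;

	/* type + length + delta + time stamp */
	hdrlen = 1 + 4 + delta + tstamp;

	/*
	 * The whole header, time stamp included, must lie inside the
	 * record and inside the first au_membuf (AU_BUFSIZE bytes): the
	 * length and the time stamp are written through hadr after this
	 * returns.  Previously a too-short header was silently dropped
	 * with a success return; report it like every other bad header.
	 */
	if (length < hdrlen || hdrlen > AU_BUFSIZE)
		return (EINVAL);

	/* step over the length field, check the version, step back */
	hadr->adr_now += 4;
	(void) adr_getchar(hadr, &vers);
	hadr->adr_now -= 5;
	if (vers != TOKEN_VERSION)
		return (EINVAL);

	*deltap = delta;
	*sizep = size;
	return (0);
}

int
audit(caddr_t record, int length)
{
	token_t *head, *tail, *buf, *tok, *ad;
	adr_t hadr;		/* cursor into the header token */
	adr_t sadr;		/* cursor into the sequence token, if any */
	int delta, size, err;
	int remaining, chunk;
	size_t zlen;
	au_kcontext_t *kctx = GET_KCTX_PZ;
	uint32_t auditing;

	/*
	 * Effective audit state is the thread's own if it has one, else
	 * the zone's.  If auditing isn't enabled, don't generate a record.
	 */
	auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
	    U2A(u)->tad_audit : kctx->auk_auditstate;
	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
		return (0);

	/* Only privileged processes can audit */
	if (secpolicy_audit_modify(CRED()) != 0)
		return (EPERM);

	/* Max user record size is 32K */
	if (length > AUDIT_REC_SIZE)
		return (E2BIG);

	/*
	 * AU_MIN_HEADER_LEN is a size_t, so a negative length would be
	 * promoted to a huge unsigned value and slip past the comparison;
	 * reject it explicitly.
	 */
	if (length < 0 || (size_t)length < AU_MIN_HEADER_LEN)
		return (EINVAL);

	/* Read in user's audit record, AU_BUFSIZE bytes per au_membuf */
	head = tail = NULL;
	for (remaining = length; remaining > 0; remaining -= chunk) {
		chunk = MIN(remaining, AU_BUFSIZE);
		buf = au_getclr();
		if (head == NULL)
			head = buf;
		else
			tail->next_buf = buf;
		tail = buf;

		if (copyin(record, memtod(buf, caddr_t), (size_t)chunk) != 0) {
			/* copyin failed, release the whole chain */
			au_free_rec(head);
			return (EFAULT);
		}
		buf->len = (uchar_t)chunk;
		record += chunk;
	}

	/* Now attach the entire thing to ad so tokens can be appended */
	ad = NULL;
	au_write((caddr_t *)&ad, head);

	/* validate header token type and version; trust everything else */
	adr_start(&hadr, memtod(head, char *));
	err = au_parse_header(&hadr, length, &delta, &size);
	if (err != 0) {
		au_free_rec(head);
		return (err);
	}

	/* add on the zonename token if policy AUDIT_ZONENAME is set */
	if (kctx->auk_policy & AUDIT_ZONENAME) {
		zlen = au_zonename_length(NULL);
		if (zlen > 0) {
			length += zlen;
			tok = au_to_zonename(zlen, NULL);
			(void) au_append_rec(ad, tok, AU_PACK);
		}
	}

	/* Add an (optional) sequence token. NULL cursor if none. */
	sadr.adr_now = (char *)NULL;
	if (kctx->auk_policy & AUDIT_SEQ) {
		tok = au_to_seq();

		/* sequence token is 5 bytes long: type byte + int32 count */
		length += 5;

		/* link (don't pack) so au_enqueue can fill the count in */
		(void) au_append_rec(ad, tok, AU_LINK);

		/* position the cursor on the count field */
		adr_start(&sadr, memtod(tok, char *));
		sadr.adr_now += 1;
	}

	/* add the (optional) trailer token; it is 7 bytes long */
	if (kctx->auk_policy & AUDIT_TRAIL) {
		length += 7;
		(void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
	}

	/* record completely assembled: store the final length in the header */
	adr_int32(&hadr, (int32_t *)&length, 1);

	/* advance to the date/time field, which au_enqueue fills in */
	hadr.adr_now += delta;

	/* We are done, put it on the queue */
	AS_INC(as_generated, 1, kctx);
	AS_INC(as_audit, 1, kctx);

	au_enqueue(kctx, head, &hadr, &sadr, size, 0);

	AS_INC(as_totalsize, length, kctx);

	return (0);
}

/*
 * auditdoor starts a kernel thread to generate output from the audit
 * queue. The thread terminates when it detects auditing being turned
 * off, such as when auditd exits with a SIGTERM. If a subsequent
 * auditdoor arrives while the thread is running, the door descriptor
 * of the last auditdoor in will be used for output. auditd is responsible
 * for ensuring that multiple copies are not running.
 *
 * Returns 0 on success, EPERM without audit-config privilege, EINVAL
 * from a non-global zone without AUDIT_PERZONE or for a descriptor that
 * is not a door, EBADF for a bad descriptor.
 */
int
auditdoor(int fd)
{
	struct file *fp;
	struct vnode *vp;
	au_kcontext_t *kctx;
	int start_thread = 0;

	if (secpolicy_audit_config(CRED()) != 0)
		return (EPERM);

	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
		return (EINVAL);

	kctx = GET_KCTX_NGZ;

	/*
	 * Convert the file descriptor to a file pointer.
	 * Note: the fd's ref count is held until releasef() below.
	 */
	fp = (struct file *)getf(fd);
	if (fp == NULL)
		return (EBADF);

	vp = fp->f_vnode;
	if (vp->v_type != VDOOR) {
		cmn_err(CE_WARN,
		    "auditdoor() did not get the expected door descriptor\n");
		releasef(fd);
		return (EINVAL);
	}

	/*
	 * If the output thread is already running, then replace the
	 * door descriptor with the new one and continue; otherwise
	 * create the thread too. Since au_output_thread makes a call
	 * to au_doorio() which also does
	 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
	 * done after the unlock...
	 */
	mutex_enter(&(kctx->auk_svc_lock));

	if (kctx->auk_current_vp != NULL)
		VN_RELE(kctx->auk_current_vp);

	/* hold the vnode for the output thread, then drop the fd ref */
	kctx->auk_current_vp = vp;
	VN_HOLD(kctx->auk_current_vp);
	releasef(fd);

	if (!kctx->auk_output_active) {
		kctx->auk_output_active = 1;
		start_thread = 1;
	}
	mutex_exit(&(kctx->auk_svc_lock));

	if (start_thread) {
		kctx->auk_taskq =
		    taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
		(void) taskq_dispatch(kctx->auk_taskq,
		    (task_func_t *)au_output_thread,
		    kctx, TQ_SLEEP);
	}
	return (0);
}

/*
 * Timeout callback armed by au_output_thread() on its way out: wake any
 * writer blocked on the audit queue so it does not stall once the reader
 * is gone.  Does nothing if the context is no longer valid or auditing
 * has been turned off entirely.
 */
static void
audit_dont_stop(void *kctx)
{
	au_kcontext_t *kp = kctx;

	if (kp->auk_valid != AUK_VALID || kp->auk_auditstate == AUC_NOAUDIT)
		return;

	mutex_enter(&(kp->auk_queue.lock));
	cv_broadcast(&(kp->auk_queue.write_cv));
	mutex_exit(&(kp->auk_queue.lock));
}

/*
 * au_queue_kick -- wake up the output queue after delay ticks
 *
 * Self re-arming timeout: wakes the reader if it is blocked and there is
 * something queued, then schedules itself again auk_queue.delay ticks
 * out.  It stops re-arming only when the context is invalid or auditing
 * is AUC_NOAUDIT.
 */
static void
au_queue_kick(void *kctx)
{
	au_kcontext_t *kp = kctx;

	/*
	 * wakeup reader if its not running and there is something
	 * to do. It also helps that kctx still be valid...
	 */
	if (kp->auk_valid != AUK_VALID || kp->auk_auditstate == AUC_NOAUDIT)
		return;

	if (kp->auk_queue.cnt && kp->auk_queue.rd_block)
		cv_broadcast(&kp->auk_queue.read_cv);

	/* fire off timeout event to kick audit queue awake */
	(void) timeout(au_queue_kick, kp, kp->auk_queue.delay);
}

/*
 * output thread
 *
 * this runs "forever" where "forever" means until either auk_auditstate
 * changes from AUC_AUDITING or if the door descriptor becomes invalid
 * (au_doorio() returning an error).
 *
 * there is one thread per active zone if AUC_PERZONE is set. Since
 * there is the possibility that a zone may go down without auditd
 * terminating properly, a zone shutdown kills its au_output_thread()
 * via taskq_destroy().
 *
 * On exit the door vnode held by auditdoor() is released and
 * auk_output_active is cleared so a later auditdoor() starts a new thread.
 */
static void
au_output_thread(au_kcontext_t *kctx)
{
	int error = 0;

	/* periodic kick so a non-empty queue never sits unread */
	(void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);

	/*
	 * Wait for work, until a signal arrives,
	 * or until auditing is disabled.
	 */
	while (error == 0) {
		if (kctx->auk_auditstate != AUC_AUDITING) {
			/* auditing turned off while we slept */
			break;
		}

		mutex_enter(&(kctx->auk_queue.lock));
		while (kctx->auk_queue.head == NULL) {
			/* safety check. kick writer awake */
			if (kctx->auk_queue.wt_block)
				cv_broadcast(&(kctx->auk_queue.write_cv));

			kctx->auk_queue.rd_block = 1;
			AS_INC(as_rblocked, 1, kctx);

			cv_wait(&(kctx->auk_queue.read_cv),
			    &(kctx->auk_queue.lock));
			kctx->auk_queue.rd_block = 0;

			if (kctx->auk_auditstate != AUC_AUDITING) {
				/*
				 * Auditing stopped while we waited: let
				 * audit_dont_stop() wake blocked writers
				 * after au_resid ticks, then leave.
				 */
				mutex_exit(&(kctx->auk_queue.lock));
				(void) timeout(audit_dont_stop, kctx,
				    au_resid);
				goto output_exit;
			}
		}
		mutex_exit(&(kctx->auk_queue.lock));

		/*
		 * au_doorio() calls au_door_upcall which holds
		 * auk_svc_lock; au_doorio empties the queue before
		 * returning.
		 */
		error = au_doorio(kctx);
	}

output_exit:
	mutex_enter(&(kctx->auk_svc_lock));

	/* drop the door vnode reference taken in auditdoor() */
	VN_RELE(kctx->auk_current_vp);
	kctx->auk_current_vp = NULL;

	kctx->auk_output_active = 0;

	mutex_exit(&(kctx->auk_svc_lock));
}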