1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <bsm/adt.h> 30 #include <bsm/adt_event.h> 31 #include <assert.h> 32 #include <bsm/audit.h> 33 #include <bsm/audit_record.h> 34 #include <bsm/libbsm.h> 35 #include <door.h> 36 #include <errno.h> 37 #include <generic.h> 38 #include <md5.h> 39 #include <sys/mkdev.h> 40 #include <netdb.h> 41 #include <nss_dbdefs.h> 42 #include <pwd.h> 43 #include <sys/stat.h> 44 #include <time.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <synch.h> 48 #include <sys/systeminfo.h> 49 #include <syslog.h> 50 #include <thread.h> 51 #include <unistd.h> 52 #include <adt_xlate.h> 53 #include <adt_ucred.h> 54 #include <arpa/inet.h> 55 #include <net/if.h> 56 #include <libinetutil.h> 57 58 static int adt_selected(struct adt_event_state *, au_event_t, int); 59 static int adt_init(adt_internal_state_t *, int); 60 static int adt_import(adt_internal_state_t *, const adt_export_data_t *); 61 static m_label_t *adt_ucred_label(ucred_t *); 62 static void adt_setto_unaudited(adt_internal_state_t *); 63 static int adt_get_local_address(int, struct ifaddrlist *); 64 65 #ifdef C2_DEBUG 66 #define DPRINTF(x) {printf x; } 67 #define DFLUSH fflush(stdout); 68 #else 69 #define DPRINTF(x) 70 #define DFLUSH 71 #endif 72 73 static int auditstate = AUC_DISABLED; /* default state */ 74 75 /* 76 * adt_write_syslog 77 * 78 * errors that are not the user's fault (bugs or whatever in 79 * the underlying audit code are noted in syslog.) 80 * 81 * Avoid calling adt_write_syslog for things that can happen 82 * at high volume. 83 * 84 * syslog's open (openlog) and close (closelog) are interesting; 85 * openlog *may* create a file descriptor and is optional. closelog 86 * *will* close any open file descriptors and is also optional. 87 * 88 * Since syslog may also be used by the calling application, the 89 * choice is to avoid openlog, which sets some otherwise useful 90 * parameters, and to embed "Solaris_audit" in the log message. 91 */ 92 93 void 94 adt_write_syslog(const char *message, int err) 95 { 96 int save_errno = errno; 97 int mask_priority; 98 99 DPRINTF(("syslog called: %s\n", message)); 100 101 mask_priority = setlogmask(LOG_MASK(LOG_ALERT)); 102 errno = err; 103 syslog(LOG_ALERT, "Solaris_audit %s: %m", message); 104 (void) setlogmask(mask_priority); 105 errno = save_errno; 106 } 107 108 /* 109 * return true if audit is enabled. "Enabled" is any state 110 * other than AUC_DISABLED. 111 * 112 * states are 113 * AUC_INIT_AUDIT -- c2audit queuing enabled. 114 * AUC_AUDITING -- up and running 115 * AUC_DISABLED -- no audit subsystem loaded 116 * AUC_UNSET -- early boot state 117 * AUC_NOAUDIT -- subsystem loaded, turned off via 118 * auditon(A_SETCOND...) 119 * AUC_NOSPACE -- up and running, but log partitions are full 120 * 121 * For purpose of this API, anything but AUC_DISABLED or 122 * AUC_UNSET is enabled; however one never actually sees 123 * AUC_DISABLED since auditon returns EINVAL in that case. Any 124 * auditon error is considered the same as EINVAL for our 125 * purpose. auditstate is not changed by auditon if an error 126 * is returned. 127 */ 128 129 /* 130 * XXX this should probably be eliminated and adt_audit_state() replace it. 131 * All the legitimate uses are to not fork a waiting process for 132 * process exit processing, as in su, login, dtlogin. Other bogus 133 * users are zoneadmd and init. 134 * All but dtlogin are in ON, so we can do this without cross gate 135 * synchronization. 136 */ 137 138 boolean_t 139 adt_audit_enabled(void) 140 { 141 142 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 143 144 return (auditstate != AUC_DISABLED); 145 } 146 147 /* 148 * See adt_audit_enabled() for state discussions. 149 * The state parameter is a hedge until all the uses become clear. 150 * Likely if adt_audit_enabled is brought internal to this file, 151 * it can take a parameter discussing the state. 152 */ 153 154 boolean_t 155 adt_audit_state(int state) 156 { 157 158 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 159 160 return (auditstate == state); 161 } 162 163 /* 164 * The man page for getpwuid_r says the buffer must be big enough 165 * or ERANGE will be returned, but offers no guidance for how big 166 * the buffer should be or a way to calculate it. If you get 167 * ERANGE, double pwd_buff's size. 168 * 169 * This may be called even when auditing is off. 170 */ 171 172 #define NAFLAG_LEN 512 173 174 static int 175 adt_get_mask_from_user(uid_t uid, au_mask_t *mask) 176 { 177 struct passwd pwd; 178 char pwd_buff[NSS_BUFSIZ]; 179 char naflag_buf[NAFLAG_LEN]; 180 181 if (auditstate == AUC_DISABLED) { 182 mask->am_success = 0; 183 mask->am_failure = 0; 184 } else if (uid <= MAXUID) { 185 if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) { 186 /* 187 * getpwuid_r returns NULL without setting 188 * errno if the user does not exist; only 189 * if the input is the wrong length does it 190 * set errno. 191 */ 192 if (errno != ERANGE) 193 errno = EINVAL; 194 return (-1); 195 } 196 if (au_user_mask(pwd.pw_name, mask)) { 197 errno = EFAULT; /* undetermined failure */ 198 return (-1); 199 } 200 } else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) { 201 if (getauditflagsbin(naflag_buf, mask)) 202 return (-1); 203 } else { 204 return (-1); 205 } 206 return (0); 207 } 208 209 /* 210 * adt_get_unique_id -- generate a hopefully unique 32 bit value 211 * 212 * there will be a follow up to replace this with the use of /dev/random 213 * 214 * An MD5 hash is taken on a buffer of 215 * hostname . audit id . unix time . pid . count 216 * 217 * "count = noise++;" is subject to a race condition but I don't 218 * see a need to put a lock around it. 219 */ 220 221 au_id_t 222 adt_get_unique_id(au_id_t uid) 223 { 224 char hostname[MAXHOSTNAMELEN]; 225 union { 226 au_id_t v[4]; 227 unsigned char obuff[128/8]; 228 } output; 229 MD5_CTX context; 230 231 static int noise = 0; 232 233 int count = noise++; 234 time_t timebits = time(NULL); 235 pid_t pidbits = getpid(); 236 au_id_t retval = 0; 237 238 if (gethostname(hostname, MAXHOSTNAMELEN)) { 239 adt_write_syslog("gethostname call failed", errno); 240 (void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN); 241 } 242 243 while (retval == 0) { /* 0 is the only invalid result */ 244 MD5Init(&context); 245 246 MD5Update(&context, (unsigned char *)hostname, 247 (unsigned int) strlen((const char *)hostname)); 248 249 MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t)); 250 251 MD5Update(&context, 252 (unsigned char *) &timebits, sizeof (time_t)); 253 254 MD5Update(&context, (unsigned char *) &pidbits, 255 sizeof (pid_t)); 256 257 MD5Update(&context, (unsigned char *) &(count), sizeof (int)); 258 MD5Final(output.obuff, &context); 259 260 retval = output.v[count % 4]; 261 } 262 return (retval); 263 } 264 265 /* 266 * the following "port" function deals with the following issues: 267 * 268 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made 269 * up from a 32 bit major and 32 bit minor. 270 * 2 User space deals with a dev_t as either the above 64 bit value 271 * or a 32 bit value made from a 14 bit major and an 18 bit minor. 272 * 3 The various audit interfaces (except ucred) pass the 32 or 273 * 64 bit version depending the architecture of the userspace 274 * application. If you get a port value from ucred and pass it 275 * to the kernel via auditon(), it must be squeezed into a 32 276 * bit value because the kernel knows the userspace app's bit 277 * size. 278 * 279 * The internal state structure for adt (adt_internal_state_t) uses 280 * dev_t, so adt converts data from ucred to fit. The import/export 281 * functions, however, can't know if they are importing/exporting 282 * from 64 or 32 bit applications, so they always send 64 bits and 283 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as 284 * appropriate. 285 */ 286 287 /* 288 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are 289 * both 64 bits). If lib is 32 bits, squeeze the two-int port into 290 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t, 291 * so it isn't broken up into pieces. (When it goes to the kernel 292 * and back, however, it will have been split into major/minor 293 * pieces.) 294 */ 295 296 static void 297 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src) 298 { 299 #ifdef _LP64 300 (void) memcpy(dest, src, sizeof (au_tid_addr_t)); 301 #else /* _LP64 */ 302 dest->at_type = src->at_type; 303 304 dest->at_port = src->at_port.at_minor & MAXMIN32; 305 dest->at_port |= (src->at_port.at_major & MAXMAJ32) << 306 NBITSMINOR32; 307 308 (void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t)); 309 #endif /* _LP64 */ 310 } 311 312 /* 313 * adt_start_session -- create interface handle, create context 314 * 315 * The imported_state input is normally NULL, if not, it represents 316 * a continued session; its values obviate the need for a subsequent 317 * call to adt_set_user(). 318 * 319 * The flag is used to decide how to set the initial state of the session. 320 * If 0, the session is "no audit" until a call to adt_set_user; if 321 * ADT_USE_PROC_DATA, the session is built from the process audit 322 * characteristics obtained from the kernel. If imported_state is 323 * not NULL, the resulting audit mask is an OR of the current process 324 * audit mask and that passed in. 325 * 326 * The basic model is that the caller can use the pointer returned 327 * by adt_start_session whether or not auditing is enabled or an 328 * error was returned. The functions that take the session handle 329 * as input generally return without doing anything if auditing is 330 * disabled. 331 */ 332 333 int 334 adt_start_session(adt_session_data_t **new_session, 335 const adt_export_data_t *imported_state, adt_session_flags_t flags) 336 { 337 adt_internal_state_t *state; 338 adt_session_flags_t flgmask = ADT_FLAGS_ALL; 339 340 *new_session = NULL; /* assume failure */ 341 342 /* ensure that auditstate is set */ 343 (void) adt_audit_enabled(); 344 345 if ((flags & ~flgmask) != 0) { 346 errno = EINVAL; 347 goto return_err; 348 } 349 state = calloc(1, sizeof (adt_internal_state_t)); 350 351 if (state == NULL) 352 goto return_err; 353 354 if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) 355 goto return_err_free; /* errno from adt_init() */ 356 357 /* 358 * The imported state overwrites the initial state if the 359 * imported state represents a valid audit trail 360 */ 361 362 if (imported_state != NULL) { 363 if (adt_import(state, imported_state) != 0) { 364 goto return_err_free; 365 } 366 } else if (flags & ADT_USE_PROC_DATA) { 367 state->as_session_model = ADT_PROCESS_MODEL; 368 } 369 state->as_flags = flags; 370 DPRINTF(("(%d) Starting session id = %08X\n", 371 getpid(), state->as_info.ai_asid)); 372 373 if (state->as_audit_enabled) { 374 *new_session = (adt_session_data_t *)state; 375 } else { 376 free(state); 377 } 378 379 return (0); 380 return_err_free: 381 free(state); 382 return_err: 383 adt_write_syslog("audit session create failed", errno); 384 return (-1); 385 } 386 387 /* 388 * adt_get_asid() and adt_set_asid() 389 * 390 * if you use this interface, you are responsible to insure that the 391 * rest of the session data is populated correctly before calling 392 * adt_proccess_attr() 393 * 394 * neither of these are intended for general use and will likely 395 * remain private interfaces for a long time. Forever is a long 396 * time. In the case of adt_set_asid(), you should have a very, 397 * very good reason for setting your own session id. The process 398 * audit characteristics are not changed by put, use adt_set_proc(). 399 * 400 * These are "volatile" (more changable than "evolving") and will 401 * probably change in the S10 period. 402 */ 403 404 void 405 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid) 406 { 407 408 if (session_data == NULL) { 409 *asid = 0; 410 } else { 411 assert(((adt_internal_state_t *)session_data)->as_check == 412 ADT_VALID); 413 414 *asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid; 415 } 416 } 417 418 void 419 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id) 420 { 421 422 if (session_data != NULL) { 423 assert(((adt_internal_state_t *)session_data)->as_check == 424 ADT_VALID); 425 426 ((adt_internal_state_t *)session_data)->as_have_user_data |= 427 ADT_HAVE_ASID; 428 ((adt_internal_state_t *)session_data)->as_info.ai_asid = 429 session_id; 430 } 431 } 432 433 /* 434 * adt_get_auid() and adt_set_auid() 435 * 436 * neither of these are intended for general use and will likely 437 * remain private interfaces for a long time. Forever is a long 438 * time. In the case of adt_set_auid(), you should have a very, 439 * very good reason for setting your own audit id. The process 440 * audit characteristics are not changed by put, use adt_set_proc(). 441 */ 442 443 void 444 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid) 445 { 446 447 if (session_data == NULL) { 448 *auid = AU_NOAUDITID; 449 } else { 450 assert(((adt_internal_state_t *)session_data)->as_check == 451 ADT_VALID); 452 453 *auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid; 454 } 455 } 456 457 void 458 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id) 459 { 460 461 if (session_data != NULL) { 462 assert(((adt_internal_state_t *)session_data)->as_check == 463 ADT_VALID); 464 465 ((adt_internal_state_t *)session_data)->as_have_user_data |= 466 ADT_HAVE_AUID; 467 ((adt_internal_state_t *)session_data)->as_info.ai_auid = 468 audit_id; 469 } 470 } 471 472 /* 473 * adt_get_termid(), adt_set_termid() 474 * 475 * if you use this interface, you are responsible to insure that the 476 * rest of the session data is populated correctly before calling 477 * adt_proccess_attr() 478 * 479 * The process audit characteristics are not changed by put, use 480 * adt_set_proc(). 481 */ 482 483 void 484 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid) 485 { 486 487 if (session_data == NULL) { 488 (void) memset(termid, 0, sizeof (au_tid_addr_t)); 489 termid->at_type = AU_IPv4; 490 } else { 491 assert(((adt_internal_state_t *)session_data)->as_check == 492 ADT_VALID); 493 494 *termid = 495 ((adt_internal_state_t *)session_data)->as_info.ai_termid; 496 } 497 } 498 499 void 500 adt_set_termid(const adt_session_data_t *session_data, 501 const au_tid_addr_t *termid) 502 { 503 504 if (session_data != NULL) { 505 assert(((adt_internal_state_t *)session_data)->as_check == 506 ADT_VALID); 507 508 ((adt_internal_state_t *)session_data)->as_info.ai_termid = 509 *termid; 510 511 ((adt_internal_state_t *)session_data)->as_have_user_data |= 512 ADT_HAVE_TID; 513 } 514 } 515 516 /* 517 * adt_get_mask(), adt_set_mask() 518 * 519 * if you use this interface, you are responsible to insure that the 520 * rest of the session data is populated correctly before calling 521 * adt_proccess_attr() 522 * 523 * The process audit characteristics are not changed by put, use 524 * adt_set_proc(). 525 */ 526 527 void 528 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask) 529 { 530 531 if (session_data == NULL) { 532 mask->am_success = 0; 533 mask->am_failure = 0; 534 } else { 535 assert(((adt_internal_state_t *)session_data)->as_check == 536 ADT_VALID); 537 538 *mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask; 539 } 540 } 541 542 void 543 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask) 544 { 545 546 if (session_data != NULL) { 547 assert(((adt_internal_state_t *)session_data)->as_check == 548 ADT_VALID); 549 550 ((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask; 551 552 ((adt_internal_state_t *)session_data)->as_have_user_data |= 553 ADT_HAVE_MASK; 554 } 555 } 556 557 /* 558 * helpers for adt_load_termid 559 */ 560 561 static void 562 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock, 563 au_tid_addr_t *termid) 564 { 565 566 termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port)); 567 termid->at_type = AU_IPv6; 568 (void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t)); 569 } 570 571 static void 572 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock, 573 au_tid_addr_t *termid) 574 { 575 576 termid->at_port = ((peer->sin_port<<16) | (sock->sin_port)); 577 578 termid->at_type = AU_IPv4; 579 termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr; 580 (void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t)); 581 } 582 583 /* 584 * adt_load_termid: convenience function; inputs file handle and 585 * outputs an au_tid_addr struct. 586 * 587 * This code was stolen from audit_settid.c; it differs from audit_settid() 588 * in that it does not write the terminal id to the process. 589 */ 590 591 int 592 adt_load_termid(int fd, adt_termid_t **termid) 593 { 594 au_tid_addr_t *p_term; 595 struct sockaddr_in6 peer; 596 struct sockaddr_in6 sock; 597 int peerlen = sizeof (peer); 598 int socklen = sizeof (sock); 599 600 *termid = NULL; 601 602 /* get peer name if its a socket, else assume local terminal */ 603 604 if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen) 605 < 0) { 606 if (errno == ENOTSOCK) 607 return (adt_load_hostname(NULL, termid)); 608 goto return_err; 609 } 610 611 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) 612 goto return_err; 613 614 /* get sock name */ 615 if (getsockname(fd, (struct sockaddr *)&sock, 616 (socklen_t *)&socklen) < 0) 617 goto return_err_free; 618 619 if (peer.sin6_family == AF_INET6) { 620 adt_do_ipv6_address(&peer, &sock, p_term); 621 } else { 622 adt_do_ipv4_address((struct sockaddr_in *)&peer, 623 (struct sockaddr_in *)&sock, p_term); 624 } 625 *termid = (adt_termid_t *)p_term; 626 627 return (0); 628 629 return_err_free: 630 free(p_term); 631 return_err: 632 return (-1); 633 } 634 635 static boolean_t 636 adt_have_termid(au_tid_addr_t *dest) 637 { 638 struct auditinfo_addr audit_data; 639 640 if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) { 641 adt_write_syslog("getaudit failed", errno); 642 return (B_FALSE); 643 } 644 645 if ((audit_data.ai_termid.at_type == 0) || 646 (audit_data.ai_termid.at_addr[0] | 647 audit_data.ai_termid.at_addr[1] | 648 audit_data.ai_termid.at_addr[2] | 649 audit_data.ai_termid.at_addr[3]) == 0) 650 return (B_FALSE); 651 652 (void) memcpy(dest, &(audit_data.ai_termid), 653 sizeof (au_tid_addr_t)); 654 655 return (B_TRUE); 656 } 657 658 static int 659 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term) 660 { 661 struct addrinfo *ai = NULL; 662 int tries = 3; 663 char msg[512]; 664 int eai_err; 665 666 while ((tries-- > 0) && 667 ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) { 668 /* 669 * getaddrinfo returns its own set of errors. 670 * Log them here, so any subsequent syslogs will 671 * have a context. adt_get_hostIP callers can only 672 * return errno, so subsequent syslogs may be lacking 673 * that getaddrinfo failed. 674 */ 675 (void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) " 676 "failed[%s]", hostname, gai_strerror(eai_err)); 677 adt_write_syslog(msg, 0); 678 679 if (eai_err != EAI_AGAIN) { 680 681 break; 682 } 683 /* see if resolution becomes available */ 684 (void) sleep(1); 685 } 686 if (ai != NULL) { 687 if (ai->ai_family == AF_INET) { 688 p_term->at_type = AU_IPv4; 689 (void) memcpy(p_term->at_addr, 690 /* LINTED */ 691 &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 692 AU_IPv4); 693 } else { 694 p_term->at_type = AU_IPv6; 695 (void) memcpy(p_term->at_addr, 696 /* LINTED */ 697 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 698 AU_IPv6); 699 } 700 freeaddrinfo(ai); 701 return (0); 702 } else { 703 struct ifaddrlist al; 704 int family; 705 char ntop[INET6_ADDRSTRLEN]; 706 707 /* 708 * getaddrinfo has failed to map the hostname 709 * to an IP address, try to get an IP address 710 * from a local interface. 711 */ 712 family = AF_INET6; 713 if (adt_get_local_address(family, &al) != 0) { 714 family = AF_INET; 715 716 if (adt_get_local_address(family, &al) != 0) { 717 adt_write_syslog("adt_get_local_address " 718 "failed, no Audit IP address available", 719 errno); 720 return (-1); 721 } 722 } 723 if (family == AF_INET) { 724 p_term->at_type = AU_IPv4; 725 (void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4); 726 } else { 727 p_term->at_type = AU_IPv6; 728 (void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6); 729 } 730 731 (void) snprintf(msg, sizeof (msg), "mapping %s to %s", 732 hostname, inet_ntop(family, &(al.addr), ntop, 733 sizeof (ntop))); 734 adt_write_syslog(msg, 0); 735 return (0); 736 } 737 } 738 739 /* 740 * adt_load_hostname() is called when the caller does not have a file 741 * handle that gives access to the socket info or any other way to 742 * pass in both port and ip address. The hostname input is ignored if 743 * the terminal id has already been set; instead it returns the 744 * existing terminal id. 745 * 746 * If audit is off and the hostname lookup fails, no error is 747 * returned, since an error may be interpreted by the caller 748 * as grounds for denying a login. Otherwise the caller would 749 * need to be aware of the audit state. 750 */ 751 752 int 753 adt_load_hostname(const char *hostname, adt_termid_t **termid) 754 { 755 char localhost[MAXHOSTNAMELEN + 1]; 756 au_tid_addr_t *p_term; 757 758 *termid = NULL; 759 760 if (!adt_audit_enabled()) 761 return (0); 762 763 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) 764 goto return_err; 765 766 if (adt_have_termid(p_term)) { 767 *termid = (adt_termid_t *)p_term; 768 return (0); 769 } 770 p_term->at_port = 0; 771 772 if (hostname == NULL || *hostname == '\0') { 773 (void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN); 774 hostname = localhost; 775 } 776 if (adt_get_hostIP(hostname, p_term)) 777 goto return_err_free; 778 779 *termid = (adt_termid_t *)p_term; 780 return (0); 781 782 return_err_free: 783 free(p_term); 784 785 return_err: 786 if ((auditstate == AUC_DISABLED) || 787 (auditstate == AUC_NOAUDIT)) 788 return (0); 789 790 return (-1); 791 } 792 793 /* 794 * adt_load_ttyname() is called when the caller does not have a file 795 * handle that gives access to the local terminal or any other way 796 * of determining the device id. The ttyname input is ignored if 797 * the terminal id has already been set; instead it returns the 798 * existing terminal id. 799 * 800 * If audit is off and the ttyname lookup fails, no error is 801 * returned, since an error may be interpreted by the caller 802 * as grounds for denying a login. Otherwise the caller would 803 * need to be aware of the audit state. 804 */ 805 806 int 807 adt_load_ttyname(const char *ttyname, adt_termid_t **termid) 808 { 809 char localhost[MAXHOSTNAMELEN + 1]; 810 au_tid_addr_t *p_term; 811 struct stat stat_buf; 812 813 *termid = NULL; 814 815 if (!adt_audit_enabled()) 816 return (0); 817 818 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) 819 goto return_err; 820 821 if (adt_have_termid(p_term)) { 822 *termid = (adt_termid_t *)p_term; 823 return (0); 824 } 825 826 p_term->at_port = 0; 827 828 if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) 829 goto return_err_free; /* errno from sysinfo */ 830 831 if (ttyname != NULL) { 832 if (stat(ttyname, &stat_buf) < 0) 833 goto return_err_free; 834 835 p_term->at_port = stat_buf.st_rdev; 836 } 837 838 if (adt_get_hostIP(localhost, p_term)) 839 goto return_err_free; 840 841 *termid = (adt_termid_t *)p_term; 842 return (0); 843 844 return_err_free: 845 free(p_term); 846 847 return_err: 848 if ((auditstate == AUC_DISABLED) || 849 (auditstate == AUC_NOAUDIT)) 850 return (0); 851 852 return (-1); 853 } 854 855 /* 856 * adt_get_session_id returns a stringified representation of 857 * the audit session id. See also adt_get_asid() for how to 858 * get the unexpurgated version. No guarantees as to how long 859 * the returned string will be or its general form; hex for now. 860 * 861 * An empty string is returned if auditing is off; length = 1 862 * and the pointer is valid. 863 * 864 * returns strlen + 1 if buffer is valid; else 0 and errno. 865 */ 866 867 size_t 868 adt_get_session_id(const adt_session_data_t *session_data, char **buff) 869 { 870 au_asid_t session_id; 871 size_t length; 872 /* 873 * output is 0x followed by 874 * two characters per byte 875 * plus terminator, 876 * except leading 0's are suppressed, so a few bytes may 877 * be unused. 878 */ 879 length = 2 + (2 * sizeof (session_id)) + 1; 880 *buff = malloc(length); 881 882 if (*buff == NULL) { 883 return (0); 884 } 885 if (session_data == NULL) { /* NULL is not an error */ 886 **buff = '\0'; 887 return (1); 888 } 889 adt_get_asid(session_data, &session_id); 890 891 length = snprintf(*buff, length, "0x%X", (int)session_id); 892 893 /* length < 1 is a bug: the session data type may have changed */ 894 assert(length > 0); 895 896 return (length); 897 } 898 899 /* 900 * adt_end_session -- close handle, clear context 901 * 902 * if as_check is invalid, no harm, no foul, EXCEPT that this could 903 * be an attempt to free data already free'd, so output to syslog 904 * to help explain why the process cored dumped. 905 */ 906 907 int 908 adt_end_session(adt_session_data_t *session_data) 909 { 910 adt_internal_state_t *state; 911 912 if (session_data != NULL) { 913 state = (adt_internal_state_t *)session_data; 914 if (state->as_check != ADT_VALID) { 915 adt_write_syslog("freeing invalid data", EINVAL); 916 } else { 917 state->as_check = 0; 918 m_label_free(state->as_label); 919 free(session_data); 920 } 921 } 922 /* no errors yet defined */ 923 return (0); 924 } 925 926 /* 927 * adt_dup_session -- copy the session data 928 */ 929 930 int 931 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest) 932 { 933 adt_internal_state_t *source_state; 934 adt_internal_state_t *dest_state = NULL; 935 int rc = 0; 936 937 if (source != NULL) { 938 source_state = (adt_internal_state_t *)source; 939 assert(source_state->as_check == ADT_VALID); 940 941 dest_state = malloc(sizeof (adt_internal_state_t)); 942 if (dest_state == NULL) { 943 rc = -1; 944 goto return_rc; 945 } 946 (void) memcpy(dest_state, source, 947 sizeof (struct adt_internal_state)); 948 949 if (source_state->as_label != NULL) { 950 dest_state->as_label = NULL; 951 if ((rc = m_label_dup(&dest_state->as_label, 952 source_state->as_label)) != 0) { 953 free(dest_state); 954 dest_state = NULL; 955 } 956 } 957 } 958 return_rc: 959 *dest = (adt_session_data_t *)dest_state; 960 return (rc); 961 } 962 963 /* 964 * from_export_format() 965 * read from a network order buffer into struct adt_session_data 966 */ 967 968 static size_t 969 adt_from_export_format(adt_internal_state_t *internal, 970 const adt_export_data_t *external) 971 { 972 struct export_header head; 973 struct export_link link; 974 adr_t context; 975 int32_t offset; 976 int32_t length; 977 int32_t version; 978 size_t label_len; 979 char *p = (char *)external; 980 981 adrm_start(&context, (char *)external); 982 adrm_int32(&context, (int *)&head, 4); 983 984 if ((internal->as_check = head.ax_check) != ADT_VALID) { 985 errno = EINVAL; 986 return (0); 987 } 988 offset = head.ax_link.ax_offset; 989 version = head.ax_link.ax_version; 990 length = head.ax_buffer_length; 991 992 /* 993 * Skip newer versions. 994 */ 995 while (version > PROTOCOL_VERSION_2) { 996 if (offset < 1) { 997 return (0); /* failed to match version */ 998 } 999 p += offset; /* point to next version # */ 1000 1001 if (p > (char *)external + length) { 1002 return (0); 1003 } 1004 adrm_start(&context, p); 1005 adrm_int32(&context, (int *)&link, 2); 1006 offset = link.ax_offset; 1007 version = link.ax_version; 1008 assert(version != 0); 1009 } 1010 /* 1011 * Adjust buffer pointer to the first data item (euid). 1012 */ 1013 if (p == (char *)external) { 1014 adrm_start(&context, (char *)(p + sizeof (head))); 1015 } else { 1016 adrm_start(&context, (char *)(p + sizeof (link))); 1017 } 1018 /* 1019 * if down rev version, neither pid nor label are included 1020 * in v1 ax_size_of_tsol_data intentionally ignored 1021 */ 1022 if (version == PROTOCOL_VERSION_1) { 1023 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1024 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1025 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1026 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1027 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1028 adrm_int32(&context, 1029 (int *)&(internal->as_info.ai_mask.am_success), 2); 1030 adrm_int32(&context, 1031 (int *)&(internal->as_info.ai_termid.at_port), 1); 1032 adrm_int32(&context, 1033 (int *)&(internal->as_info.ai_termid.at_type), 1); 1034 adrm_int32(&context, 1035 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1036 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1037 adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1); 1038 internal->as_pid = (pid_t)-1; 1039 internal->as_label = NULL; 1040 } else if (version == PROTOCOL_VERSION_2) { 1041 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1042 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1043 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1044 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1045 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1046 adrm_int32(&context, 1047 (int *)&(internal->as_info.ai_mask.am_success), 2); 1048 adrm_int32(&context, 1049 (int *)&(internal->as_info.ai_termid.at_port), 1); 1050 adrm_int32(&context, 1051 (int *)&(internal->as_info.ai_termid.at_type), 1); 1052 adrm_int32(&context, 1053 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1054 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1055 adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1); 1056 adrm_int32(&context, (int *)&(internal->as_pid), 1); 1057 adrm_int32(&context, (int *)&label_len, 1); 1058 if (label_len > 0) { 1059 /* read in and deal with different sized labels. */ 1060 size_t my_label_len = blabel_size(); 1061 1062 if ((internal->as_label = 1063 m_label_alloc(MAC_LABEL)) == NULL) { 1064 return (0); 1065 } 1066 if (label_len > my_label_len) { 1067 errno = EINVAL; 1068 m_label_free(internal->as_label); 1069 return (0); 1070 } 1071 (void) memset(internal->as_label, 0, my_label_len); 1072 adrm_int32(&context, (int *)(internal->as_label), 1073 label_len / sizeof (int32_t)); 1074 } else { 1075 internal->as_label = NULL; 1076 } 1077 } 1078 1079 return (length); 1080 } 1081 1082 /* 1083 * adt_to_export_format 1084 * read from struct adt_session_data into a network order buffer. 1085 * 1086 * (network order 'cause this data may be shared with a remote host.) 1087 */ 1088 1089 static size_t 1090 adt_to_export_format(adt_export_data_t *external, 1091 adt_internal_state_t *internal) 1092 { 1093 struct export_header head; 1094 struct export_link tail; 1095 adr_t context; 1096 size_t label_len = 0; 1097 1098 adrm_start(&context, (char *)external); 1099 1100 if (internal->as_label != NULL) { 1101 label_len = blabel_size(); 1102 } 1103 1104 head.ax_check = ADT_VALID; 1105 head.ax_buffer_length = sizeof (struct adt_export_data) + label_len; 1106 1107 /* version 2 first */ 1108 1109 head.ax_link.ax_version = PROTOCOL_VERSION_2; 1110 head.ax_link.ax_offset = sizeof (struct export_header) + 1111 sizeof (struct adt_export_v2) + label_len; 1112 1113 adrm_putint32(&context, (int *)&head, 4); 1114 1115 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1116 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1117 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1118 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1119 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1120 adrm_putint32(&context, 1121 (int *)&(internal->as_info.ai_mask.am_success), 2); 1122 adrm_putint32(&context, 1123 (int *)&(internal->as_info.ai_termid.at_port), 1); 1124 adrm_putint32(&context, 1125 (int *)&(internal->as_info.ai_termid.at_type), 1); 1126 adrm_putint32(&context, 1127 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1128 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1129 adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1); 1130 adrm_putint32(&context, (int *)&(internal->as_pid), 1); 1131 adrm_putint32(&context, (int *)&label_len, 1); 1132 if (internal->as_label != NULL) { 1133 /* serialize the label */ 1134 adrm_putint32(&context, (int *)(internal->as_label), 1135 (label_len / sizeof (int32_t))); 1136 } 1137 1138 /* now version 1 */ 1139 1140 tail.ax_version = PROTOCOL_VERSION_1; 1141 tail.ax_offset = 0; 1142 1143 adrm_putint32(&context, (int *)&tail, 2); 1144 1145 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1146 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1147 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1148 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1149 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1150 adrm_putint32(&context, 1151 (int *)&(internal->as_info.ai_mask.am_success), 2); 1152 adrm_putint32(&context, 1153 (int *)&(internal->as_info.ai_termid.at_port), 1); 1154 adrm_putint32(&context, 1155 (int *)&(internal->as_info.ai_termid.at_type), 1); 1156 adrm_putint32(&context, 1157 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1158 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1159 adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1); 1160 /* ignored in v1 */ 1161 adrm_putint32(&context, (int *)&label_len, 1); 1162 1163 /* finally terminator */ 1164 1165 tail.ax_version = 0; /* invalid version number */ 1166 tail.ax_offset = 0; 1167 1168 adrm_putint32(&context, (int *)&tail, 2); 1169 1170 return (head.ax_buffer_length); 1171 } 1172 1173 1174 /* 1175 * adt_import_proc() is used by a server acting on behalf 1176 * of a client which has connected via an ipc mechanism such as 1177 * a door. 1178 * 1179 * Since the interface is via ucred, the info.ap_termid.port 1180 * value is always the 64 bit version. What is stored depends 1181 * on how libbsm is compiled. 1182 */ 1183 1184 size_t 1185 adt_import_proc(pid_t pid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1186 adt_export_data_t **external) 1187 { 1188 size_t length = 0; 1189 adt_internal_state_t *state; 1190 ucred_t *ucred; 1191 const au_tid64_addr_t *tid; 1192 1193 state = calloc(1, sizeof (adt_internal_state_t)); 1194 1195 if (state == NULL) 1196 return (0); 1197 1198 if (adt_init(state, 0) != 0) 1199 goto return_length_free; /* errno from adt_init() */ 1200 1201 /* 1202 * ucred_getauid() returns AU_NOAUDITID if audit is off, which 1203 * is the right answer for adt_import_proc(). 1204 * 1205 * Create a local context as near as possible. 1206 */ 1207 1208 ucred = ucred_get(pid); 1209 1210 if (ucred == NULL) 1211 goto return_length_free; 1212 1213 state->as_ruid = ruid != ADT_NO_CHANGE ? ruid : ucred_getruid(ucred); 1214 state->as_euid = euid != ADT_NO_CHANGE ? euid : ucred_geteuid(ucred); 1215 state->as_rgid = rgid != ADT_NO_CHANGE ? rgid : ucred_getrgid(ucred); 1216 state->as_egid = egid != ADT_NO_CHANGE ? egid : ucred_getegid(ucred); 1217 1218 state->as_info.ai_auid = ucred_getauid(ucred); 1219 1220 if (state->as_info.ai_auid == AU_NOAUDITID) { 1221 state->as_info.ai_asid = adt_get_unique_id(ruid); 1222 1223 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask))) 1224 goto return_all_free; 1225 } else { 1226 const au_mask_t *mask = ucred_getamask(ucred); 1227 1228 if (mask != NULL) 1229 state->as_info.ai_mask = *mask; 1230 else 1231 goto return_all_free; 1232 1233 state->as_info.ai_asid = ucred_getasid(ucred); 1234 } 1235 1236 tid = ucred_getatid(ucred); 1237 1238 if (tid != NULL) { 1239 adt_cpy_tid(&(state->as_info.ai_termid), tid); 1240 } else { 1241 (void) memset((void *)&(state->as_info.ai_termid), 0, 1242 sizeof (au_tid_addr_t)); 1243 state->as_info.ai_termid.at_type = AU_IPv4; 1244 } 1245 1246 DPRINTF(("import_proc/asid = %X %u\n", state->as_info.ai_asid, 1247 state->as_info.ai_asid)); 1248 1249 DPRINTF(("import_proc/masks = %X %X\n", 1250 state->as_info.ai_mask.am_success, 1251 state->as_info.ai_mask.am_failure)); 1252 1253 if (state->as_label == NULL) { 1254 *external = malloc(sizeof (adt_export_data_t)); 1255 } else { 1256 *external = malloc(sizeof (adt_export_data_t) + blabel_size()); 1257 } 1258 1259 if (*external == NULL) 1260 goto return_all_free; 1261 1262 length = adt_to_export_format(*external, state); 1263 /* 1264 * yes, state is supposed to be free'd for both pass and fail 1265 */ 1266 return_all_free: 1267 ucred_free(ucred); 1268 return_length_free: 1269 free(state); 1270 return (length); 1271 } 1272 1273 /* 1274 * adt_ucred_label() -- if label is available, duplicate it. 1275 */ 1276 1277 static m_label_t * 1278 adt_ucred_label(ucred_t *uc) 1279 { 1280 m_label_t *ul = NULL; 1281 1282 if (ucred_getlabel(uc) != NULL) { 1283 (void) m_label_dup(&ul, ucred_getlabel(uc)); 1284 } 1285 1286 return (ul); 1287 } 1288 1289 /* 1290 * adt_import() -- convert from network order to machine-specific order 1291 */ 1292 1293 static int 1294 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external) 1295 { 1296 au_mask_t mask; 1297 1298 /* save local audit enabled state */ 1299 int local_audit_enabled = internal->as_audit_enabled; 1300 1301 if (adt_from_export_format(internal, external) < 1) 1302 return (-1); /* errno from adt_from_export_format */ 1303 1304 /* 1305 * If audit isn't enabled on the remote, they were unable 1306 * to generate the audit mask, so generate it based on 1307 * local configuration. If the user id has changed, the 1308 * resulting mask may miss some subtleties that occurred 1309 * on the remote system. 1310 * 1311 * If the remote failed to generate a terminal id, it is not 1312 * recoverable. 1313 */ 1314 1315 if (!internal->as_audit_enabled) { 1316 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1317 &(internal->as_info.ai_mask))) 1318 return (-1); 1319 if (internal->as_info.ai_auid != internal->as_ruid) { 1320 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1321 &mask)) 1322 return (-1); 1323 internal->as_info.ai_mask.am_success |= 1324 mask.am_success; 1325 internal->as_info.ai_mask.am_failure |= 1326 mask.am_failure; 1327 } 1328 } 1329 internal->as_audit_enabled = local_audit_enabled; 1330 1331 DPRINTF(("(%d)imported asid = %X %u\n", getpid(), 1332 internal->as_info.ai_asid, 1333 internal->as_info.ai_asid)); 1334 1335 internal->as_have_user_data = ADT_HAVE_ALL; 1336 1337 return (0); 1338 } 1339 1340 /* 1341 * adt_export_session_data() 1342 * copies a adt_session_data struct into a network order buffer 1343 * 1344 * In a misconfigured network, the local host may have auditing 1345 * off while the destination may have auditing on, so if there 1346 * is sufficient memory, a buffer will be returned even in the 1347 * audit off case. 1348 */ 1349 1350 size_t 1351 adt_export_session_data(const adt_session_data_t *internal, 1352 adt_export_data_t **external) 1353 { 1354 size_t length = 0; 1355 1356 if ((internal != NULL) && 1357 ((adt_internal_state_t *)internal)->as_label != NULL) { 1358 length = blabel_size(); 1359 } 1360 1361 *external = malloc(sizeof (adt_export_data_t) + length); 1362 1363 if (*external == NULL) 1364 return (0); 1365 1366 if (internal == NULL) { 1367 adt_internal_state_t *dummy; 1368 1369 dummy = malloc(sizeof (adt_internal_state_t)); 1370 if (dummy == NULL) 1371 goto return_length_free; 1372 1373 if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */ 1374 free(dummy); 1375 goto return_length_free; 1376 } 1377 length = adt_to_export_format(*external, dummy); 1378 free(dummy); 1379 } else { 1380 length = adt_to_export_format(*external, 1381 (adt_internal_state_t *)internal); 1382 } 1383 return (length); 1384 1385 return_length_free: 1386 free(*external); 1387 *external = NULL; 1388 return (0); 1389 } 1390 1391 static void 1392 adt_setto_unaudited(adt_internal_state_t *state) 1393 { 1394 state->as_ruid = AU_NOAUDITID; 1395 state->as_euid = AU_NOAUDITID; 1396 state->as_rgid = AU_NOAUDITID; 1397 state->as_egid = AU_NOAUDITID; 1398 state->as_pid = (pid_t)-1; 1399 state->as_label = NULL; 1400 1401 if (state->as_audit_enabled) { 1402 state->as_info.ai_asid = 0; 1403 state->as_info.ai_auid = AU_NOAUDITID; 1404 1405 (void) memset((void *)&(state->as_info.ai_termid), 0, 1406 sizeof (au_tid_addr_t)); 1407 state->as_info.ai_termid.at_type = AU_IPv4; 1408 1409 (void) memset((void *)&(state->as_info.ai_mask), 0, 1410 sizeof (au_mask_t)); 1411 state->as_have_user_data = 0; 1412 } 1413 } 1414 1415 /* 1416 * adt_init -- set session context by copying the audit characteristics 1417 * from the proc and picking up current uid/tid information. 1418 * 1419 * By default, an audit session is based on the process; the default 1420 * is overriden by adt_set_user() 1421 */ 1422 1423 static int 1424 adt_init(adt_internal_state_t *state, int use_proc_data) 1425 { 1426 1427 state->as_audit_enabled = (auditstate == AUC_DISABLED) ? 0 : 1; 1428 1429 if (use_proc_data) { 1430 state->as_ruid = getuid(); 1431 state->as_euid = geteuid(); 1432 state->as_rgid = getgid(); 1433 state->as_egid = getegid(); 1434 state->as_pid = getpid(); 1435 1436 if (state->as_audit_enabled) { 1437 const au_tid64_addr_t *tid; 1438 const au_mask_t *mask; 1439 ucred_t *ucred = ucred_get(P_MYID); 1440 1441 /* 1442 * Even if the ucred is NULL, the underlying 1443 * credential may have a valid terminal id; if the 1444 * terminal id is set, then that's good enough. An 1445 * example of where this matters is failed login, 1446 * where rlogin/telnet sets the terminal id before 1447 * calling login; login does not load the credential 1448 * since auth failed. 1449 */ 1450 if (ucred == NULL) { 1451 if (!adt_have_termid( 1452 &(state->as_info.ai_termid))) 1453 return (-1); 1454 } else { 1455 mask = ucred_getamask(ucred); 1456 if (mask != NULL) { 1457 state->as_info.ai_mask = *mask; 1458 } else { 1459 ucred_free(ucred); 1460 return (-1); 1461 } 1462 tid = ucred_getatid(ucred); 1463 if (tid != NULL) { 1464 adt_cpy_tid(&(state->as_info.ai_termid), 1465 tid); 1466 } else { 1467 ucred_free(ucred); 1468 return (-1); 1469 } 1470 state->as_info.ai_asid = ucred_getasid(ucred); 1471 state->as_info.ai_auid = ucred_getauid(ucred); 1472 state->as_label = adt_ucred_label(ucred); 1473 ucred_free(ucred); 1474 } 1475 state->as_have_user_data = ADT_HAVE_ALL; 1476 } 1477 } else { 1478 adt_setto_unaudited(state); 1479 } 1480 state->as_session_model = ADT_SESSION_MODEL; /* default */ 1481 1482 if (state->as_audit_enabled && 1483 auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy), 1484 sizeof (state->as_kernel_audit_policy))) { 1485 return (-1); /* errno set by auditon */ 1486 } 1487 state->as_check = ADT_VALID; 1488 return (0); 1489 } 1490 1491 /* 1492 * adt_set_proc 1493 * 1494 * Copy the current session state to the process. If this function 1495 * is called, the model becomes a process model rather than a 1496 * session model. 1497 * 1498 * In the current implementation, the value state->as_have_user_data 1499 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set 1500 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in. 1501 * 1502 */ 1503 1504 int 1505 adt_set_proc(const adt_session_data_t *session_data) 1506 { 1507 int rc; 1508 adt_internal_state_t *state; 1509 1510 if (auditstate == AUC_DISABLED || (session_data == NULL)) 1511 return (0); 1512 1513 state = (adt_internal_state_t *)session_data; 1514 1515 assert(state->as_check == ADT_VALID); 1516 1517 if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) != 1518 (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) { 1519 errno = EINVAL; 1520 goto return_err; 1521 } 1522 1523 rc = setaudit_addr((auditinfo_addr_t *)&(state->as_info), 1524 sizeof (auditinfo_addr_t)); 1525 1526 if (rc < 0) 1527 goto return_err; /* errno set by setaudit_addr() */ 1528 1529 state->as_session_model = ADT_PROCESS_MODEL; 1530 1531 return (0); 1532 1533 return_err: 1534 adt_write_syslog("failed to set process audit characteristics", errno); 1535 return (-1); 1536 } 1537 1538 static int 1539 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid) 1540 { 1541 au_tid_addr_t no_tid = {0, AU_IPv4, 0, 0, 0, 0}; 1542 au_mask_t no_mask = {0, 0}; 1543 1544 if (ruid == ADT_NO_AUDIT) { 1545 state->as_info.ai_auid = AU_NOAUDITID; 1546 state->as_info.ai_asid = 0; 1547 state->as_info.ai_termid = no_tid; 1548 state->as_info.ai_mask = no_mask; 1549 return (0); 1550 } 1551 state->as_info.ai_auid = ruid; 1552 state->as_info.ai_asid = adt_get_unique_id(ruid); 1553 if (termid != NULL) 1554 state->as_info.ai_termid = *termid; 1555 1556 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask))) 1557 return (-1); 1558 1559 /* Assume intending to audit as this process */ 1560 1561 if (state->as_pid == (pid_t)-1) 1562 state->as_pid = getpid(); 1563 1564 if (is_system_labeled() && state->as_label == NULL) { 1565 ucred_t *ucred = ucred_get(P_MYID); 1566 1567 state->as_label = adt_ucred_label(ucred); 1568 ucred_free(ucred); 1569 } 1570 1571 return (0); 1572 } 1573 1574 static int 1575 adt_changeuser(adt_internal_state_t *state, uid_t ruid) 1576 { 1577 au_mask_t mask; 1578 1579 if (!(state->as_have_user_data & ADT_HAVE_AUID)) 1580 state->as_info.ai_auid = ruid; 1581 if (!(state->as_have_user_data & ADT_HAVE_ASID)) 1582 state->as_info.ai_asid = adt_get_unique_id(ruid); 1583 1584 if (ruid <= MAXEPHUID) { 1585 if (adt_get_mask_from_user(ruid, &mask)) 1586 return (-1); 1587 1588 state->as_info.ai_mask.am_success |= mask.am_success; 1589 state->as_info.ai_mask.am_failure |= mask.am_failure; 1590 } 1591 DPRINTF(("changed mask to %08X/%08X for ruid=%d\n", 1592 state->as_info.ai_mask.am_success, 1593 state->as_info.ai_mask.am_failure, 1594 ruid)); 1595 return (0); 1596 } 1597 1598 /* 1599 * adt_set_user -- see also adt_set_from_ucred() 1600 * 1601 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or 1602 * "unattributed." If ruid, change the model to session. 1603 * 1604 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value" 1605 * only valid with ADT_UPDATE. 1606 * 1607 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there 1608 * isn't a good reason to call adt_set_user() with it unless you don't 1609 * have a good value yet and intend to replace it later; auid will be 1610 * AU_NOAUDITID. 1611 * 1612 * adt_set_user should be called even if auditing is not enabled 1613 * so that adt_export_session_data() will have useful stuff to 1614 * work with. 1615 * 1616 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID 1617 * and ADT_HAVE_ALL. 1618 */ 1619 1620 int 1621 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid, 1622 uid_t ruid, gid_t rgid, const adt_termid_t *termid, 1623 enum adt_user_context user_context) 1624 { 1625 adt_internal_state_t *state; 1626 int rc; 1627 1628 if (session_data == NULL) /* no session exists to audit */ 1629 return (0); 1630 1631 state = (adt_internal_state_t *)session_data; 1632 assert(state->as_check == ADT_VALID); 1633 1634 switch (user_context) { 1635 case ADT_NEW: 1636 if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE || 1637 rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) { 1638 errno = EINVAL; 1639 return (-1); 1640 } 1641 if ((rc = adt_newuser(state, ruid, 1642 (au_tid_addr_t *)termid)) != 0) 1643 return (rc); 1644 1645 state->as_have_user_data = ADT_HAVE_ALL; 1646 break; 1647 case ADT_UPDATE: 1648 if (state->as_have_user_data != ADT_HAVE_ALL) { 1649 errno = EINVAL; 1650 return (-1); 1651 } 1652 1653 if (ruid != ADT_NO_CHANGE) 1654 if ((rc = adt_changeuser(state, ruid)) != 0) 1655 return (rc); 1656 break; 1657 case ADT_USER: 1658 if (state->as_have_user_data != ADT_HAVE_ALL) { 1659 errno = EINVAL; 1660 return (-1); 1661 } 1662 break; 1663 case ADT_SETTID: 1664 assert(termid != NULL); 1665 state->as_info.ai_termid = *((au_tid_addr_t *)termid); 1666 /* avoid fooling pam_setcred()... */ 1667 state->as_info.ai_auid = AU_NOAUDITID; 1668 state->as_info.ai_asid = 0; 1669 state->as_info.ai_mask.am_failure = 0; 1670 state->as_info.ai_mask.am_success = 0; 1671 state->as_have_user_data = ADT_HAVE_TID | 1672 ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK; 1673 return (0); 1674 default: 1675 errno = EINVAL; 1676 return (-1); 1677 } 1678 1679 if (ruid == ADT_NO_AUDIT) { 1680 state->as_ruid = AU_NOAUDITID; 1681 state->as_euid = AU_NOAUDITID; 1682 state->as_rgid = AU_NOAUDITID; 1683 state->as_egid = AU_NOAUDITID; 1684 } else { 1685 if (ruid != ADT_NO_CHANGE) 1686 state->as_ruid = ruid; 1687 if (euid != ADT_NO_CHANGE) 1688 state->as_euid = euid; 1689 if (rgid != ADT_NO_CHANGE) 1690 state->as_rgid = rgid; 1691 if (egid != ADT_NO_CHANGE) 1692 state->as_egid = egid; 1693 } 1694 1695 if (ruid == ADT_NO_ATTRIB) { 1696 state->as_session_model = ADT_SESSION_MODEL; 1697 } 1698 1699 return (0); 1700 } 1701 1702 /* 1703 * adt_set_from_ucred() 1704 * 1705 * an alternate to adt_set_user that fills the same role but uses 1706 * a pointer to a ucred rather than a list of id's. If the ucred 1707 * pointer is NULL, use the credential from the this process. 1708 * 1709 * A key difference is that for ADT_NEW, adt_set_from_ucred() does 1710 * not overwrite the asid and auid unless auid has not been set. 1711 * ADT_NEW differs from ADT_UPDATE in that it does not OR together 1712 * the incoming audit mask with the one that already exists. 1713 * 1714 * adt_set_from_ucred should be called even if auditing is not enabled 1715 * so that adt_export_session_data() will have useful stuff to 1716 * work with. 1717 */ 1718 1719 int 1720 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc, 1721 enum adt_user_context user_context) 1722 { 1723 adt_internal_state_t *state; 1724 int rc = -1; 1725 const au_tid64_addr_t *tid64; 1726 au_tid_addr_t termid, *tid; 1727 ucred_t *ucred = (ucred_t *)uc; 1728 boolean_t local_uc = B_FALSE; 1729 1730 if (session_data == NULL) /* no session exists to audit */ 1731 return (0); 1732 1733 state = (adt_internal_state_t *)session_data; 1734 assert(state->as_check == ADT_VALID); 1735 1736 if (ucred == NULL) { 1737 ucred = ucred_get(P_MYID); 1738 1739 if (ucred == NULL) 1740 goto return_rc; 1741 local_uc = B_TRUE; 1742 } 1743 1744 switch (user_context) { 1745 case ADT_NEW: 1746 tid64 = ucred_getatid(ucred); 1747 if (tid64 != NULL) { 1748 adt_cpy_tid(&termid, tid64); 1749 tid = &termid; 1750 } else { 1751 tid = NULL; 1752 } 1753 if (ucred_getauid(ucred) == AU_NOAUDITID) { 1754 adt_setto_unaudited(state); 1755 state->as_have_user_data = ADT_HAVE_ALL; 1756 rc = 0; 1757 goto return_rc; 1758 } else { 1759 state->as_info.ai_auid = ucred_getauid(ucred); 1760 state->as_info.ai_asid = ucred_getasid(ucred); 1761 state->as_info.ai_mask = *ucred_getamask(ucred); 1762 state->as_info.ai_termid = *tid; 1763 } 1764 state->as_have_user_data = ADT_HAVE_ALL; 1765 break; 1766 case ADT_UPDATE: 1767 if (state->as_have_user_data != ADT_HAVE_ALL) { 1768 errno = EINVAL; 1769 goto return_rc; 1770 } 1771 1772 if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0) 1773 goto return_rc; 1774 break; 1775 case ADT_USER: 1776 if (state->as_have_user_data != ADT_HAVE_ALL) { 1777 errno = EINVAL; 1778 goto return_rc; 1779 } 1780 break; 1781 default: 1782 errno = EINVAL; 1783 goto return_rc; 1784 } 1785 rc = 0; 1786 1787 state->as_ruid = ucred_getruid(ucred); 1788 state->as_euid = ucred_geteuid(ucred); 1789 state->as_rgid = ucred_getrgid(ucred); 1790 state->as_egid = ucred_getegid(ucred); 1791 state->as_pid = ucred_getpid(ucred); 1792 state->as_label = adt_ucred_label(ucred); 1793 1794 return_rc: 1795 if (local_uc) { 1796 ucred_free(ucred); 1797 } 1798 return (rc); 1799 } 1800 1801 /* 1802 * adt_alloc_event() returns a pointer to allocated memory 1803 * 1804 */ 1805 1806 adt_event_data_t 1807 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id) 1808 { 1809 struct adt_event_state *event_state; 1810 adt_internal_state_t *session_state; 1811 adt_event_data_t *return_event = NULL; 1812 /* 1813 * need to return a valid event pointer even if audit is 1814 * off, else the caller will end up either (1) keeping its 1815 * own flags for on/off or (2) writing to a NULL pointer. 1816 * If auditing is on, the session data must be valid; otherwise 1817 * we don't care. 1818 */ 1819 if (session_data != NULL) { 1820 session_state = (adt_internal_state_t *)session_data; 1821 assert(session_state->as_check == ADT_VALID); 1822 } 1823 event_state = calloc(1, sizeof (struct adt_event_state)); 1824 if (event_state == NULL) 1825 goto return_ptr; 1826 1827 event_state->ae_check = ADT_VALID; 1828 1829 event_state->ae_event_id = event_id; 1830 event_state->ae_session = (struct adt_internal_state *)session_data; 1831 1832 return_event = (adt_event_data_t *)&(event_state->ae_event_data); 1833 1834 /* 1835 * preload data so the adt_au_*() functions can detect un-supplied 1836 * values (0 and NULL are free via calloc()). 1837 */ 1838 adt_preload(event_id, return_event); 1839 1840 return_ptr: 1841 return (return_event); 1842 } 1843 1844 /* 1845 * adt_getXlateTable -- look up translation table address for event id 1846 */ 1847 1848 static struct translation * 1849 adt_getXlateTable(au_event_t event_id) 1850 { 1851 /* xlate_table is global in adt_xlate.c */ 1852 struct translation **p_xlate = &xlate_table[0]; 1853 struct translation *p_event; 1854 1855 while (*p_xlate != NULL) { 1856 p_event = *p_xlate; 1857 if (event_id == p_event->tx_external_event) 1858 return (p_event); 1859 p_xlate++; 1860 } 1861 return (NULL); 1862 } 1863 1864 /* 1865 * adt_calcOffsets 1866 * 1867 * the call to this function is surrounded by a mutex. 1868 * 1869 * i walks down the table picking up next_token. j walks again to 1870 * calculate the offset to the input data. k points to the next 1871 * token's row. Finally, l, is used to sum the values in the 1872 * datadef array. 1873 * 1874 * What's going on? The entry array is in the order of the input 1875 * fields but the processing of array entries is in the order of 1876 * the output (see next_token). Calculating the offset to the 1877 * "next" input can't be done in the outer loop (i) since i doesn't 1878 * point to the current entry and it can't be done with the k index 1879 * because it doesn't represent the order of input fields. 1880 * 1881 * While the resulting algorithm is n**2, it is only done once per 1882 * event type. 1883 */ 1884 1885 /* 1886 * adt_calcOffsets is only called once per event type, but it uses 1887 * the address alignment of memory allocated for that event as if it 1888 * were the same for all subsequently allocated memory. This is 1889 * guaranteed by calloc/malloc. Arrays take special handling since 1890 * what matters for figuring out the correct alignment is the size 1891 * of the array element. 1892 */ 1893 1894 static void 1895 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data) 1896 { 1897 int i, j; 1898 size_t this_size, prev_size; 1899 void *struct_start = p_data; 1900 1901 for (i = 0; i < tablesize; i++) { 1902 if (p_entry[i].en_type_def == NULL) { 1903 p_entry[i].en_offset = 0; 1904 continue; 1905 } 1906 prev_size = 0; 1907 p_entry[i].en_offset = (char *)p_data - (char *)struct_start; 1908 1909 for (j = 0; j < p_entry[i].en_count_types; j++) { 1910 if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG) 1911 this_size = sizeof (enum adt_generic); 1912 else 1913 this_size = 1914 p_entry[i].en_type_def[j].dd_input_size; 1915 1916 /* adj for first entry */ 1917 if (prev_size == 0) 1918 prev_size = this_size; 1919 1920 if (p_entry[i].en_type_def[j].dd_datatype == 1921 ADT_UINT32ARRAY) { 1922 p_data = (char *)adt_adjust_address(p_data, 1923 prev_size, sizeof (uint32_t)) + 1924 this_size - sizeof (uint32_t); 1925 1926 prev_size = sizeof (uint32_t); 1927 } else { 1928 p_data = adt_adjust_address(p_data, prev_size, 1929 this_size); 1930 prev_size = this_size; 1931 } 1932 } 1933 } 1934 } 1935 1936 /* 1937 * adt_generate_event 1938 * generate event record from external struct. The order is based on 1939 * the output tokens, allowing for the possibility that the input data 1940 * is in a different order. 1941 * 1942 */ 1943 1944 static void 1945 adt_generate_event(const adt_event_data_t *p_extdata, 1946 struct adt_event_state *p_event, 1947 struct translation *p_xlate) 1948 { 1949 struct entry *p_entry; 1950 static mutex_t lock = DEFAULTMUTEX; 1951 1952 p_entry = p_xlate->tx_first_entry; 1953 assert(p_entry != NULL); 1954 1955 p_event->ae_internal_id = p_xlate->tx_internal_event; 1956 adt_token_open(p_event); 1957 1958 /* 1959 * offsets are not pre-calculated; the initial offsets are all 1960 * 0; valid offsets are >= 0. Offsets for no-input tokens such 1961 * as subject are set to -1 by adt_calcOffset() 1962 */ 1963 if (p_xlate->tx_offsetsCalculated == 0) { 1964 (void) mutex_lock(&lock); 1965 p_xlate->tx_offsetsCalculated = 1; 1966 1967 adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries, 1968 (void *)p_extdata); 1969 (void) mutex_unlock(&lock); 1970 } 1971 while (p_entry != NULL) { 1972 adt_generate_token(p_entry, (char *)p_extdata, 1973 p_event); 1974 1975 p_entry = p_entry->en_next_token; 1976 } 1977 adt_token_close(p_event); 1978 } 1979 1980 /* 1981 * adt_put_event -- main event generation function. 1982 * The input "event" is the address of the struct containing 1983 * event-specific data. 1984 * 1985 * However if auditing is off or the session handle 1986 * is NULL, no attempt to write a record is made. 1987 */ 1988 1989 int 1990 adt_put_event(const adt_event_data_t *event, int status, int return_val) 1991 { 1992 struct adt_event_state *event_state; 1993 struct translation *xlate; 1994 int rc = 0; 1995 1996 if (event == NULL) { 1997 errno = EINVAL; 1998 rc = -1; 1999 goto return_rc; 2000 } 2001 event_state = (struct adt_event_state *)event; 2002 2003 /* if audit off or this is a broken session, exit */ 2004 if (auditstate == AUC_DISABLED || (event_state->ae_session == NULL)) 2005 goto return_rc; 2006 2007 assert(event_state->ae_check == ADT_VALID); 2008 2009 event_state->ae_rc = status; 2010 event_state->ae_type = return_val; 2011 2012 /* look up the event */ 2013 2014 xlate = adt_getXlateTable(event_state->ae_event_id); 2015 2016 if (xlate == NULL) { 2017 errno = EINVAL; 2018 rc = -1; 2019 goto return_rc; 2020 } 2021 DPRINTF(("got event %d\n", xlate->tx_internal_event)); 2022 2023 if (adt_selected(event_state, xlate->tx_internal_event, status)) 2024 adt_generate_event(event, event_state, xlate); 2025 2026 return_rc: 2027 return (rc); 2028 } 2029 2030 /* 2031 * adt_free_event -- invalidate and free 2032 */ 2033 2034 void 2035 adt_free_event(adt_event_data_t *event) 2036 { 2037 struct adt_event_state *event_state; 2038 2039 if (event == NULL) 2040 return; 2041 2042 event_state = (struct adt_event_state *)event; 2043 2044 assert(event_state->ae_check == ADT_VALID); 2045 2046 event_state->ae_check = 0; 2047 2048 free(event_state); 2049 } 2050 2051 /* 2052 * adt_is_selected -- helper to adt_selected(), below. 2053 * 2054 * "sorf" is "success or fail" status; au_preselect compares 2055 * that with success, fail, or both. 2056 */ 2057 2058 static int 2059 adt_is_selected(au_event_t e, au_mask_t *m, int sorf) 2060 { 2061 int prs_sorf; 2062 2063 if (sorf == 0) 2064 prs_sorf = AU_PRS_SUCCESS; 2065 else 2066 prs_sorf = AU_PRS_FAILURE; 2067 2068 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD)); 2069 } 2070 2071 /* 2072 * selected -- see if this event is preselected. 2073 * 2074 * if errors are encountered trying to check a preselection mask 2075 * or look up a user name, the event is selected. Otherwise, the 2076 * preselection mask is used for the job. 2077 */ 2078 2079 static int 2080 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status) 2081 { 2082 adt_internal_state_t *sp; 2083 au_mask_t namask; 2084 2085 sp = event->ae_session; 2086 2087 if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) { 2088 adt_write_syslog("No user data available", EINVAL); 2089 return (1); /* default is "selected" */ 2090 } 2091 2092 /* non-attributable? */ 2093 if ((sp->as_info.ai_auid == AU_NOAUDITID) || 2094 (sp->as_info.ai_auid == ADT_NO_AUDIT)) { 2095 if (auditon(A_GETKMASK, (caddr_t)&namask, 2096 sizeof (namask)) != 0) { 2097 adt_write_syslog("auditon failure", errno); 2098 return (1); 2099 } 2100 return (adt_is_selected(actual_id, &namask, status)); 2101 } else { 2102 return (adt_is_selected(actual_id, &(sp->as_info.ai_mask), 2103 status)); 2104 } 2105 } 2106 2107 /* 2108 * Can't map the host name to an IP address in 2109 * adt_get_hostIP. Get something off an interface 2110 * to act as the hosts IP address for auditing. 2111 */ 2112 2113 int 2114 adt_get_local_address(int family, struct ifaddrlist *al) 2115 { 2116 struct ifaddrlist *ifal; 2117 char errbuf[ERRBUFSIZE] = "empty list"; 2118 char msg[ERRBUFSIZE + 512]; 2119 int ifal_count; 2120 int i; 2121 2122 if ((ifal_count = ifaddrlist(&ifal, family, errbuf)) <= 0) { 2123 int serrno = errno; 2124 2125 (void) snprintf(msg, sizeof (msg), "adt_get_local_address " 2126 "couldn't get %d addrlist %s", family, errbuf); 2127 adt_write_syslog(msg, serrno); 2128 errno = serrno; 2129 return (-1); 2130 } 2131 2132 for (i = 0; i < ifal_count; i++) { 2133 /* 2134 * loopback always defined, 2135 * even if there is no real address 2136 */ 2137 if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) { 2138 break; 2139 } 2140 } 2141 if (i >= ifal_count) { 2142 free(ifal); 2143 /* 2144 * Callers of adt_get_hostIP() can only return 2145 * errno to their callers and eventually the application. 2146 * Picked one that seemed least worse for saying no 2147 * usable address for Audit terminal ID. 2148 */ 2149 errno = ENETDOWN; 2150 return (-1); 2151 } 2152 2153 *al = ifal[i]; 2154 free(ifal); 2155 return (0); 2156 } 2157