1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 #include <bsm/adt.h> 27 #include <bsm/adt_event.h> 28 #include <assert.h> 29 #include <bsm/audit.h> 30 #include <bsm/audit_record.h> 31 #include <bsm/libbsm.h> 32 #include <door.h> 33 #include <errno.h> 34 #include <generic.h> 35 #include <md5.h> 36 #include <sys/mkdev.h> 37 #include <netdb.h> 38 #include <nss_dbdefs.h> 39 #include <pwd.h> 40 #include <sys/stat.h> 41 #include <time.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <synch.h> 45 #include <sys/systeminfo.h> 46 #include <syslog.h> 47 #include <thread.h> 48 #include <unistd.h> 49 #include <adt_xlate.h> 50 #include <adt_ucred.h> 51 #include <arpa/inet.h> 52 #include <net/if.h> 53 #include <libinetutil.h> 54 55 static int adt_selected(struct adt_event_state *, au_event_t, int); 56 static int adt_init(adt_internal_state_t *, int); 57 static int adt_import(adt_internal_state_t *, const adt_export_data_t *); 58 static m_label_t *adt_ucred_label(ucred_t *); 59 static void adt_setto_unaudited(adt_internal_state_t *); 60 static int adt_get_local_address(int, struct ifaddrlist *); 61 62 #ifdef C2_DEBUG 63 #define DPRINTF(x) { (void) printf x; } 64 #define DFLUSH (void) fflush(stdout); 65 #else 66 #define DPRINTF(x) 67 #define DFLUSH 68 #endif 69 70 /* 71 * Local audit states are a bit mask 72 * 73 * The global audit states are 74 * 75 * AUC_UNSET 0 - on/off hasn't been decided 76 * AUC_ENABLED 1 - loaded and enabled 77 * 78 * The local Zone states are 79 * 80 * AUC_AUDITING 0x1 - audit daemon is active 81 * AUC_NOAUDIT 0x2 - audit daemon is not active 82 * AUC_INIT_AUDIT 0x4 - audit is ready but auditd has not run 83 * AUC_NOSPACE 0x8 - audit enabled, no space for audit records 84 * 85 * The only values returned by auditon(A_GETCOND) are: 86 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE 87 * 88 * The pseudo audit state used when the c2audit module is excluded is 89 * 90 * AUC_DISABLED 0x100 - c2audit module is excluded 91 */ 92 93 static int auditstate = AUC_DISABLED; /* default state */ 94 95 /* 96 * adt_write_syslog 97 * 98 * errors that are not the user's fault (bugs or whatever in 99 * the underlying audit code are noted in syslog.) 100 * 101 * Avoid calling adt_write_syslog for things that can happen 102 * at high volume. 103 * 104 * syslog's open (openlog) and close (closelog) are interesting; 105 * openlog *may* create a file descriptor and is optional. closelog 106 * *will* close any open file descriptors and is also optional. 107 * 108 * Since syslog may also be used by the calling application, the 109 * choice is to avoid openlog, which sets some otherwise useful 110 * parameters, and to embed "Solaris_audit" in the log message. 111 */ 112 113 void 114 adt_write_syslog(const char *message, int err) 115 { 116 int save_errno = errno; 117 int mask_priority; 118 119 DPRINTF(("syslog called: %s\n", message)); 120 121 mask_priority = setlogmask(LOG_MASK(LOG_ALERT)); 122 errno = err; 123 syslog(LOG_ALERT, "Solaris_audit %s: %m", message); 124 (void) setlogmask(mask_priority); 125 errno = save_errno; 126 } 127 128 /* 129 * return true if c2audit is not excluded. 130 * 131 * For purpose of this API, anything but AUC_DISABLED 132 * is enabled; however one never actually sees 133 * AUC_DISABLED since auditon returns ENOTSUP in that case. Any 134 * auditon error is considered the same as ENOTSUP for our 135 * purpose. auditstate is not changed by auditon if an error 136 * is returned. 137 */ 138 139 /* 140 * XXX this should probably be eliminated and adt_audit_state() replace it. 141 * All the legitimate uses are to not fork a waiting process for 142 * process exit processing, as in su, login, dtlogin. Other bogus 143 * users are zoneadmd and init. 144 * All but dtlogin are in ON, so we can do this without cross gate 145 * synchronization. 146 * 147 * No longer used in adt.c. 148 */ 149 150 boolean_t 151 adt_audit_enabled(void) 152 { 153 154 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 155 156 return (auditstate != AUC_DISABLED); 157 } 158 159 /* 160 * See adt_audit_enabled() for state discussions. 161 * The state parameter is a hedge until all the uses become clear. 162 * Likely if adt_audit_enabled is brought internal to this file, 163 * it could be modified to take one or more parameters to describe the 164 * state. 165 */ 166 167 boolean_t 168 adt_audit_state(int states) 169 { 170 171 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate)); 172 173 return ((auditstate & states) ? B_TRUE : B_FALSE); 174 } 175 176 /* 177 * Get user_specific/non-attributable audit mask. This may be called even when 178 * auditing is off. 179 */ 180 181 static int 182 adt_get_mask_from_user(uid_t uid, au_mask_t *mask) 183 { 184 struct passwd pwd; 185 long buff_sz; 186 char *pwd_buff; 187 188 189 if (auditstate & AUC_DISABLED) { 190 /* c2audit excluded */ 191 mask->am_success = 0; 192 mask->am_failure = 0; 193 } else if (uid <= MAXUID) { 194 if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) { 195 adt_write_syslog("couldn't determine maximum size of " 196 "password buffer", errno); 197 return (-1); 198 } 199 if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) { 200 return (-1); 201 } 202 if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) { 203 errno = EINVAL; /* user doesn't exist */ 204 free(pwd_buff); 205 return (-1); 206 } 207 if (au_user_mask(pwd.pw_name, mask)) { 208 free(pwd_buff); 209 errno = EFAULT; /* undetermined failure */ 210 return (-1); 211 } 212 free(pwd_buff); 213 } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { 214 return (-1); 215 } 216 217 return (0); 218 } 219 220 /* 221 * adt_get_unique_id -- generate a hopefully unique 32 bit value 222 * 223 * there will be a follow up to replace this with the use of /dev/random 224 * 225 * An MD5 hash is taken on a buffer of 226 * hostname . audit id . unix time . pid . count 227 * 228 * "count = noise++;" is subject to a race condition but I don't 229 * see a need to put a lock around it. 230 */ 231 232 au_asid_t 233 adt_get_unique_id(au_id_t uid) 234 { 235 char hostname[MAXHOSTNAMELEN]; 236 union { 237 au_id_t v[4]; 238 unsigned char obuff[128/8]; 239 } output; 240 MD5_CTX context; 241 242 static int noise = 0; 243 244 int count = noise++; 245 time_t timebits = time(NULL); 246 pid_t pidbits = getpid(); 247 au_asid_t retval = 0; 248 249 if (gethostname(hostname, MAXHOSTNAMELEN)) { 250 adt_write_syslog("gethostname call failed", errno); 251 (void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN); 252 } 253 254 while (retval == 0) { /* 0 is the only invalid result */ 255 MD5Init(&context); 256 257 MD5Update(&context, (unsigned char *)hostname, 258 (unsigned int) strlen((const char *)hostname)); 259 260 MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t)); 261 262 MD5Update(&context, 263 (unsigned char *) &timebits, sizeof (time_t)); 264 265 MD5Update(&context, (unsigned char *) &pidbits, 266 sizeof (pid_t)); 267 268 MD5Update(&context, (unsigned char *) &(count), sizeof (int)); 269 MD5Final(output.obuff, &context); 270 271 retval = output.v[count % 4]; 272 } 273 return (retval); 274 } 275 276 /* 277 * the following "port" function deals with the following issues: 278 * 279 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made 280 * up from a 32 bit major and 32 bit minor. 281 * 2 User space deals with a dev_t as either the above 64 bit value 282 * or a 32 bit value made from a 14 bit major and an 18 bit minor. 283 * 3 The various audit interfaces (except ucred) pass the 32 or 284 * 64 bit version depending the architecture of the userspace 285 * application. If you get a port value from ucred and pass it 286 * to the kernel via auditon(), it must be squeezed into a 32 287 * bit value because the kernel knows the userspace app's bit 288 * size. 289 * 290 * The internal state structure for adt (adt_internal_state_t) uses 291 * dev_t, so adt converts data from ucred to fit. The import/export 292 * functions, however, can't know if they are importing/exporting 293 * from 64 or 32 bit applications, so they always send 64 bits and 294 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as 295 * appropriate. 296 */ 297 298 /* 299 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are 300 * both 64 bits). If lib is 32 bits, squeeze the two-int port into 301 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t, 302 * so it isn't broken up into pieces. (When it goes to the kernel 303 * and back, however, it will have been split into major/minor 304 * pieces.) 305 */ 306 307 static void 308 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src) 309 { 310 #ifdef _LP64 311 (void) memcpy(dest, src, sizeof (au_tid_addr_t)); 312 #else /* _LP64 */ 313 dest->at_type = src->at_type; 314 315 dest->at_port = src->at_port.at_minor & MAXMIN32; 316 dest->at_port |= (src->at_port.at_major & MAXMAJ32) << 317 NBITSMINOR32; 318 319 (void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t)); 320 #endif /* _LP64 */ 321 } 322 323 /* 324 * adt_start_session -- create interface handle, create context 325 * 326 * The imported_state input is normally NULL, if not, it represents 327 * a continued session; its values obviate the need for a subsequent 328 * call to adt_set_user(). 329 * 330 * The flag is used to decide how to set the initial state of the session. 331 * If 0, the session is "no audit" until a call to adt_set_user; if 332 * ADT_USE_PROC_DATA, the session is built from the process audit 333 * characteristics obtained from the kernel. If imported_state is 334 * not NULL, the resulting audit mask is an OR of the current process 335 * audit mask and that passed in. 336 * 337 * The basic model is that the caller can use the pointer returned 338 * by adt_start_session whether or not auditing is enabled or an 339 * error was returned. The functions that take the session handle 340 * as input generally return without doing anything if auditing is 341 * disabled. 342 */ 343 344 int 345 adt_start_session(adt_session_data_t **new_session, 346 const adt_export_data_t *imported_state, adt_session_flags_t flags) 347 { 348 adt_internal_state_t *state; 349 adt_session_flags_t flgmask = ADT_FLAGS_ALL; 350 351 /* test and set auditstate */ 352 if (adt_audit_state(AUC_DISABLED)) { 353 /* c2audit excluded */ 354 *new_session = NULL; 355 return (0); 356 } 357 358 if ((flags & ~flgmask) != 0) { 359 errno = EINVAL; 360 goto return_err; 361 } 362 363 if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) { 364 goto return_err; 365 } 366 367 if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) { 368 goto return_err_free; /* errno from adt_init() */ 369 } 370 371 /* 372 * The imported state overwrites the initial state if the 373 * imported state represents a valid audit trail 374 */ 375 376 if (imported_state != NULL) { 377 if (adt_import(state, imported_state) != 0) { 378 goto return_err_free; 379 } 380 } else if (flags & ADT_USE_PROC_DATA) { 381 state->as_session_model = ADT_PROCESS_MODEL; 382 } 383 state->as_flags = flags; 384 DPRINTF(("(%lld) Starting session id = %08X\n", 385 (long long) getpid(), state->as_info.ai_asid)); 386 387 *new_session = (adt_session_data_t *)state; 388 return (0); 389 390 return_err_free: 391 free(state); 392 return_err: 393 *new_session = NULL; 394 adt_write_syslog("audit session create failed", errno); 395 return (-1); 396 } 397 398 /* 399 * adt_load_table() 400 * 401 * loads the event translation table into the audit session. 402 */ 403 404 void 405 adt_load_table(const adt_session_data_t *session_data, 406 adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *)) 407 { 408 adt_internal_state_t *state = (adt_internal_state_t *)session_data; 409 410 if (state != NULL) { 411 assert(state->as_check == ADT_VALID); 412 state->as_xlate = xlate; 413 state->as_preload = preload; 414 } 415 } 416 417 /* 418 * adt_get_asid() and adt_set_asid() 419 * 420 * if you use this interface, you are responsible to insure that the 421 * rest of the session data is populated correctly before calling 422 * adt_proccess_attr() 423 * 424 * neither of these are intended for general use and will likely 425 * remain private interfaces for a long time. Forever is a long 426 * time. In the case of adt_set_asid(), you should have a very, 427 * very good reason for setting your own session id. The process 428 * audit characteristics are not changed by put, use adt_set_proc(). 429 * 430 * These are "volatile" (more changable than "evolving") and will 431 * probably change in the S10 period. 432 */ 433 434 void 435 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid) 436 { 437 438 if (session_data == NULL) { 439 *asid = 0; 440 } else { 441 assert(((adt_internal_state_t *)session_data)->as_check == 442 ADT_VALID); 443 444 *asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid; 445 } 446 } 447 448 void 449 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id) 450 { 451 452 if (session_data != NULL) { 453 assert(((adt_internal_state_t *)session_data)->as_check == 454 ADT_VALID); 455 456 ((adt_internal_state_t *)session_data)->as_have_user_data |= 457 ADT_HAVE_ASID; 458 ((adt_internal_state_t *)session_data)->as_info.ai_asid = 459 session_id; 460 } 461 } 462 463 /* 464 * adt_get_auid() and adt_set_auid() 465 * 466 * neither of these are intended for general use and will likely 467 * remain private interfaces for a long time. Forever is a long 468 * time. In the case of adt_set_auid(), you should have a very, 469 * very good reason for setting your own audit id. The process 470 * audit characteristics are not changed by put, use adt_set_proc(). 471 */ 472 473 void 474 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid) 475 { 476 477 if (session_data == NULL) { 478 *auid = AU_NOAUDITID; 479 } else { 480 assert(((adt_internal_state_t *)session_data)->as_check == 481 ADT_VALID); 482 483 *auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid; 484 } 485 } 486 487 void 488 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id) 489 { 490 491 if (session_data != NULL) { 492 assert(((adt_internal_state_t *)session_data)->as_check == 493 ADT_VALID); 494 495 ((adt_internal_state_t *)session_data)->as_have_user_data |= 496 ADT_HAVE_AUID; 497 ((adt_internal_state_t *)session_data)->as_info.ai_auid = 498 audit_id; 499 } 500 } 501 502 /* 503 * adt_get_termid(), adt_set_termid() 504 * 505 * if you use this interface, you are responsible to insure that the 506 * rest of the session data is populated correctly before calling 507 * adt_proccess_attr() 508 * 509 * The process audit characteristics are not changed by put, use 510 * adt_set_proc(). 511 */ 512 513 void 514 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid) 515 { 516 517 if (session_data == NULL) { 518 (void) memset(termid, 0, sizeof (au_tid_addr_t)); 519 termid->at_type = AU_IPv4; 520 } else { 521 assert(((adt_internal_state_t *)session_data)->as_check == 522 ADT_VALID); 523 524 *termid = 525 ((adt_internal_state_t *)session_data)->as_info.ai_termid; 526 } 527 } 528 529 void 530 adt_set_termid(const adt_session_data_t *session_data, 531 const au_tid_addr_t *termid) 532 { 533 534 if (session_data != NULL) { 535 assert(((adt_internal_state_t *)session_data)->as_check == 536 ADT_VALID); 537 538 ((adt_internal_state_t *)session_data)->as_info.ai_termid = 539 *termid; 540 541 ((adt_internal_state_t *)session_data)->as_have_user_data |= 542 ADT_HAVE_TID; 543 } 544 } 545 546 /* 547 * adt_get_mask(), adt_set_mask() 548 * 549 * if you use this interface, you are responsible to insure that the 550 * rest of the session data is populated correctly before calling 551 * adt_proccess_attr() 552 * 553 * The process audit characteristics are not changed by put, use 554 * adt_set_proc(). 555 */ 556 557 void 558 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask) 559 { 560 561 if (session_data == NULL) { 562 mask->am_success = 0; 563 mask->am_failure = 0; 564 } else { 565 assert(((adt_internal_state_t *)session_data)->as_check == 566 ADT_VALID); 567 568 *mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask; 569 } 570 } 571 572 void 573 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask) 574 { 575 576 if (session_data != NULL) { 577 assert(((adt_internal_state_t *)session_data)->as_check == 578 ADT_VALID); 579 580 ((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask; 581 582 ((adt_internal_state_t *)session_data)->as_have_user_data |= 583 ADT_HAVE_MASK; 584 } 585 } 586 587 /* 588 * helpers for adt_load_termid 589 */ 590 591 static void 592 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock, 593 au_tid_addr_t *termid) 594 { 595 596 termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port)); 597 termid->at_type = AU_IPv6; 598 (void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t)); 599 } 600 601 static void 602 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock, 603 au_tid_addr_t *termid) 604 { 605 606 termid->at_port = ((peer->sin_port<<16) | (sock->sin_port)); 607 608 termid->at_type = AU_IPv4; 609 termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr; 610 (void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t)); 611 } 612 613 /* 614 * adt_load_termid: convenience function; inputs file handle and 615 * outputs an au_tid_addr struct. 616 * 617 * This code was stolen from audit_settid.c; it differs from audit_settid() 618 * in that it does not write the terminal id to the process. 619 */ 620 621 int 622 adt_load_termid(int fd, adt_termid_t **termid) 623 { 624 au_tid_addr_t *p_term; 625 struct sockaddr_in6 peer; 626 struct sockaddr_in6 sock; 627 int peerlen = sizeof (peer); 628 int socklen = sizeof (sock); 629 630 /* get peer name if its a socket, else assume local terminal */ 631 632 if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen) 633 < 0) { 634 if (errno == ENOTSOCK) { 635 return (adt_load_hostname(NULL, termid)); 636 } 637 goto return_err; 638 } 639 640 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 641 goto return_err; 642 } 643 644 /* get sock name */ 645 if (getsockname(fd, (struct sockaddr *)&sock, 646 (socklen_t *)&socklen) < 0) { 647 goto return_err_free; 648 } 649 650 if (peer.sin6_family == AF_INET6) { 651 adt_do_ipv6_address(&peer, &sock, p_term); 652 } else { 653 adt_do_ipv4_address((struct sockaddr_in *)&peer, 654 (struct sockaddr_in *)&sock, p_term); 655 } 656 *termid = (adt_termid_t *)p_term; 657 658 return (0); 659 660 return_err_free: 661 free(p_term); 662 return_err: 663 *termid = NULL; 664 return (-1); 665 } 666 667 static boolean_t 668 adt_have_termid(au_tid_addr_t *dest) 669 { 670 struct auditinfo_addr audit_data; 671 672 if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) { 673 adt_write_syslog("getaudit failed", errno); 674 return (B_FALSE); 675 } 676 677 if ((audit_data.ai_termid.at_type == 0) || 678 (audit_data.ai_termid.at_addr[0] | 679 audit_data.ai_termid.at_addr[1] | 680 audit_data.ai_termid.at_addr[2] | 681 audit_data.ai_termid.at_addr[3]) == 0) 682 return (B_FALSE); 683 684 (void) memcpy(dest, &(audit_data.ai_termid), 685 sizeof (au_tid_addr_t)); 686 687 return (B_TRUE); 688 } 689 690 /* 691 * adt_get_hostIP - construct a terminal id from a hostname 692 * 693 * Returns 0 = success 694 * -1 = failure and errno = ENETDOWN with the address 695 * defaulted to IPv4 loopback. 696 */ 697 698 static int 699 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term) 700 { 701 struct addrinfo *ai = NULL; 702 int tries = 3; 703 char msg[512]; 704 int eai_err; 705 706 while ((tries-- > 0) && 707 ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) { 708 /* 709 * getaddrinfo returns its own set of errors. 710 * Log them here, so any subsequent syslogs will 711 * have a context. adt_get_hostIP callers can only 712 * return errno, so subsequent syslogs may be lacking 713 * that getaddrinfo failed. 714 */ 715 (void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) " 716 "failed[%s]", hostname, gai_strerror(eai_err)); 717 adt_write_syslog(msg, 0); 718 719 if (eai_err != EAI_AGAIN) { 720 721 break; 722 } 723 /* see if resolution becomes available */ 724 (void) sleep(1); 725 } 726 if (ai != NULL) { 727 if (ai->ai_family == AF_INET) { 728 p_term->at_type = AU_IPv4; 729 (void) memcpy(p_term->at_addr, 730 /* LINTED */ 731 &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 732 AU_IPv4); 733 } else { 734 p_term->at_type = AU_IPv6; 735 (void) memcpy(p_term->at_addr, 736 /* LINTED */ 737 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 738 AU_IPv6); 739 } 740 freeaddrinfo(ai); 741 return (0); 742 } else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) { 743 auditinfo_addr_t audit_info; 744 745 /* 746 * auditd is running so there should be a 747 * kernel audit context 748 */ 749 if (auditon(A_GETKAUDIT, (caddr_t)&audit_info, 750 sizeof (audit_info)) < 0) { 751 adt_write_syslog("unable to get kernel audit context", 752 errno); 753 goto try_interface; 754 } 755 adt_write_syslog("setting Audit IP address to kernel", 0); 756 *p_term = audit_info.ai_termid; 757 return (0); 758 } 759 try_interface: 760 { 761 struct ifaddrlist al; 762 int family; 763 char ntop[INET6_ADDRSTRLEN]; 764 765 /* 766 * getaddrinfo has failed to map the hostname 767 * to an IP address, try to get an IP address 768 * from a local interface. If none up, default 769 * to loopback. 770 */ 771 family = AF_INET6; 772 if (adt_get_local_address(family, &al) != 0) { 773 family = AF_INET; 774 775 if (adt_get_local_address(family, &al) != 0) { 776 adt_write_syslog("adt_get_local_address " 777 "failed, no Audit IP address available, " 778 "faking loopback and error", 779 errno); 780 IN_SET_LOOPBACK_ADDR( 781 (struct sockaddr_in *)&(al.addr.addr)); 782 (void) memcpy(p_term->at_addr, &al.addr.addr, 783 AU_IPv4); 784 p_term->at_type = AU_IPv4; 785 return (-1); 786 } 787 } 788 if (family == AF_INET) { 789 p_term->at_type = AU_IPv4; 790 (void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4); 791 } else { 792 p_term->at_type = AU_IPv6; 793 (void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6); 794 } 795 796 (void) snprintf(msg, sizeof (msg), "mapping %s to %s", 797 hostname, inet_ntop(family, &(al.addr), ntop, 798 sizeof (ntop))); 799 adt_write_syslog(msg, 0); 800 return (0); 801 } 802 } 803 804 /* 805 * adt_load_hostname() is called when the caller does not have a file 806 * handle that gives access to the socket info or any other way to 807 * pass in both port and ip address. The hostname input is ignored if 808 * the terminal id has already been set; instead it returns the 809 * existing terminal id. 810 * 811 * If c2audit is excluded, success is returned. 812 * If the hostname lookup fails, the loopback address is assumed, 813 * errno is set to ENETDOWN, this allows the caller to interpret 814 * whether failure is fatal, and if not to have a address for the 815 * hostname. 816 * Otherwise the caller would need to be aware of the audit state. 817 * 818 * Other errors are ignored if not auditing. 819 */ 820 821 int 822 adt_load_hostname(const char *hostname, adt_termid_t **termid) 823 { 824 char localhost[MAXHOSTNAMELEN + 1]; 825 au_tid_addr_t *p_term; 826 827 if (adt_audit_state(AUC_DISABLED)) { 828 /* c2audit excluded */ 829 *termid = NULL; 830 return (0); 831 } 832 833 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 834 goto return_err; 835 } 836 837 if (adt_have_termid(p_term)) { 838 *termid = (adt_termid_t *)p_term; 839 return (0); 840 } 841 p_term->at_port = 0; 842 843 if (hostname == NULL || *hostname == '\0') { 844 (void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN); 845 hostname = localhost; 846 } 847 if (adt_get_hostIP(hostname, p_term) == 0) { 848 *termid = (adt_termid_t *)p_term; 849 return (0); 850 } else { 851 *termid = (adt_termid_t *)p_term; 852 return (-1); 853 } 854 855 return_err: 856 *termid = NULL; 857 if (auditstate & AUC_NOAUDIT) { 858 return (0); 859 } 860 861 return (-1); 862 } 863 864 /* 865 * adt_load_ttyname() is called when the caller does not have a file 866 * handle that gives access to the local terminal or any other way 867 * of determining the device id. The ttyname input is ignored if 868 * the terminal id has already been set; instead it returns the 869 * existing terminal id. 870 * 871 * If c2audit is excluded, success is returned. 872 * The local hostname is used for the local IP address. 873 * If that hostname lookup fails, the loopback address is assumed, 874 * errno is set to ENETDOWN, this allows the caller to interpret 875 * whether failure is fatal, and if not to have a address for the 876 * hostname. 877 * Otherwise the caller would need to be aware of the audit state. 878 * 879 * Other errors are ignored if not auditing. 880 */ 881 882 int 883 adt_load_ttyname(const char *ttyname, adt_termid_t **termid) 884 { 885 char localhost[MAXHOSTNAMELEN + 1]; 886 au_tid_addr_t *p_term; 887 struct stat stat_buf; 888 889 if (adt_audit_state(AUC_DISABLED)) { 890 /* c2audit excluded */ 891 *termid = NULL; 892 return (0); 893 } 894 895 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) { 896 goto return_err; 897 } 898 899 if (adt_have_termid(p_term)) { 900 *termid = (adt_termid_t *)p_term; 901 return (0); 902 } 903 904 p_term->at_port = 0; 905 906 if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) { 907 goto return_err_free; /* errno from sysinfo */ 908 } 909 910 if (ttyname != NULL && *ttyname != '\0') { 911 if (stat(ttyname, &stat_buf) < 0) { 912 goto return_err_free; 913 } 914 915 p_term->at_port = stat_buf.st_rdev; 916 } 917 918 if (adt_get_hostIP(localhost, p_term) == 0) { 919 *termid = (adt_termid_t *)p_term; 920 return (0); 921 } else { 922 *termid = (adt_termid_t *)p_term; 923 return (-1); 924 } 925 926 return_err_free: 927 free(p_term); 928 929 return_err: 930 *termid = NULL; 931 if (auditstate & AUC_NOAUDIT) { 932 return (0); 933 } 934 935 return (-1); 936 } 937 938 /* 939 * adt_get_session_id returns a stringified representation of 940 * the audit session id. See also adt_get_asid() for how to 941 * get the unexpurgated version. No guarantees as to how long 942 * the returned string will be or its general form; hex for now. 943 * 944 * An empty string is returned if auditing is off; length = 1 945 * and the pointer is valid. 946 * 947 * returns strlen + 1 if buffer is valid; else 0 and errno. 948 */ 949 950 size_t 951 adt_get_session_id(const adt_session_data_t *session_data, char **buff) 952 { 953 au_asid_t session_id; 954 size_t length; 955 /* 956 * output is 0x followed by 957 * two characters per byte 958 * plus terminator, 959 * except leading 0's are suppressed, so a few bytes may 960 * be unused. 961 */ 962 length = 2 + (2 * sizeof (session_id)) + 1; 963 *buff = malloc(length); 964 965 if (*buff == NULL) { 966 return (0); 967 } 968 if (session_data == NULL) { /* NULL is not an error */ 969 **buff = '\0'; 970 return (1); 971 } 972 adt_get_asid(session_data, &session_id); 973 974 length = snprintf(*buff, length, "0x%X", (int)session_id); 975 976 /* length < 1 is a bug: the session data type may have changed */ 977 assert(length > 0); 978 979 return (length); 980 } 981 982 /* 983 * adt_end_session -- close handle, clear context 984 * 985 * if as_check is invalid, no harm, no foul, EXCEPT that this could 986 * be an attempt to free data already free'd, so output to syslog 987 * to help explain why the process cored dumped. 988 */ 989 990 int 991 adt_end_session(adt_session_data_t *session_data) 992 { 993 adt_internal_state_t *state; 994 995 if (session_data != NULL) { 996 state = (adt_internal_state_t *)session_data; 997 if (state->as_check != ADT_VALID) { 998 adt_write_syslog("freeing invalid data", EINVAL); 999 } else { 1000 state->as_check = 0; 1001 m_label_free(state->as_label); 1002 free(session_data); 1003 } 1004 } 1005 /* no errors yet defined */ 1006 return (0); 1007 } 1008 1009 /* 1010 * adt_dup_session -- copy the session data 1011 */ 1012 1013 int 1014 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest) 1015 { 1016 adt_internal_state_t *source_state; 1017 adt_internal_state_t *dest_state = NULL; 1018 int rc = 0; 1019 1020 if (source != NULL) { 1021 source_state = (adt_internal_state_t *)source; 1022 assert(source_state->as_check == ADT_VALID); 1023 1024 dest_state = malloc(sizeof (adt_internal_state_t)); 1025 if (dest_state == NULL) { 1026 rc = -1; 1027 goto return_rc; 1028 } 1029 (void) memcpy(dest_state, source, 1030 sizeof (struct adt_internal_state)); 1031 1032 if (source_state->as_label != NULL) { 1033 dest_state->as_label = NULL; 1034 if ((rc = m_label_dup(&dest_state->as_label, 1035 source_state->as_label)) != 0) { 1036 free(dest_state); 1037 dest_state = NULL; 1038 } 1039 } 1040 } 1041 return_rc: 1042 *dest = (adt_session_data_t *)dest_state; 1043 return (rc); 1044 } 1045 1046 /* 1047 * from_export_format() 1048 * read from a network order buffer into struct adt_session_data 1049 */ 1050 1051 static size_t 1052 adt_from_export_format(adt_internal_state_t *internal, 1053 const adt_export_data_t *external) 1054 { 1055 struct export_header head; 1056 struct export_link link; 1057 adr_t context; 1058 int32_t offset; 1059 int32_t length; 1060 int32_t version; 1061 size_t label_len; 1062 char *p = (char *)external; 1063 1064 adrm_start(&context, (char *)external); 1065 adrm_int32(&context, (int *)&head, 4); 1066 1067 if ((internal->as_check = head.ax_check) != ADT_VALID) { 1068 errno = EINVAL; 1069 return (0); 1070 } 1071 offset = head.ax_link.ax_offset; 1072 version = head.ax_link.ax_version; 1073 length = head.ax_buffer_length; 1074 1075 /* 1076 * Skip newer versions. 1077 */ 1078 while (version > PROTOCOL_VERSION_2) { 1079 if (offset < 1) { 1080 return (0); /* failed to match version */ 1081 } 1082 p += offset; /* point to next version # */ 1083 1084 if (p > (char *)external + length) { 1085 return (0); 1086 } 1087 adrm_start(&context, p); 1088 adrm_int32(&context, (int *)&link, 2); 1089 offset = link.ax_offset; 1090 version = link.ax_version; 1091 assert(version != 0); 1092 } 1093 /* 1094 * Adjust buffer pointer to the first data item (euid). 1095 */ 1096 if (p == (char *)external) { 1097 adrm_start(&context, (char *)(p + sizeof (head))); 1098 } else { 1099 adrm_start(&context, (char *)(p + sizeof (link))); 1100 } 1101 /* 1102 * if down rev version, neither pid nor label are included 1103 * in v1 ax_size_of_tsol_data intentionally ignored 1104 */ 1105 if (version == PROTOCOL_VERSION_1) { 1106 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1107 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1108 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1109 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1110 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1111 adrm_int32(&context, 1112 (int *)&(internal->as_info.ai_mask.am_success), 2); 1113 adrm_int32(&context, 1114 (int *)&(internal->as_info.ai_termid.at_port), 1); 1115 adrm_int32(&context, 1116 (int *)&(internal->as_info.ai_termid.at_type), 1); 1117 adrm_int32(&context, 1118 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1119 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1120 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1121 internal->as_pid = (pid_t)-1; 1122 internal->as_label = NULL; 1123 } else if (version == PROTOCOL_VERSION_2) { 1124 adrm_int32(&context, (int *)&(internal->as_euid), 1); 1125 adrm_int32(&context, (int *)&(internal->as_ruid), 1); 1126 adrm_int32(&context, (int *)&(internal->as_egid), 1); 1127 adrm_int32(&context, (int *)&(internal->as_rgid), 1); 1128 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1); 1129 adrm_int32(&context, 1130 (int *)&(internal->as_info.ai_mask.am_success), 2); 1131 adrm_int32(&context, 1132 (int *)&(internal->as_info.ai_termid.at_port), 1); 1133 adrm_int32(&context, 1134 (int *)&(internal->as_info.ai_termid.at_type), 1); 1135 adrm_int32(&context, 1136 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1137 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1); 1138 adrm_int32(&context, (int *)&(internal->as_audit_state), 1); 1139 adrm_int32(&context, (int *)&(internal->as_pid), 1); 1140 adrm_int32(&context, (int *)&label_len, 1); 1141 if (label_len > 0) { 1142 /* read in and deal with different sized labels. */ 1143 size32_t my_label_len = blabel_size(); 1144 1145 if ((internal->as_label = 1146 m_label_alloc(MAC_LABEL)) == NULL) { 1147 return (0); 1148 } 1149 if (label_len > my_label_len) { 1150 errno = EINVAL; 1151 m_label_free(internal->as_label); 1152 return (0); 1153 } 1154 (void) memset(internal->as_label, 0, my_label_len); 1155 adrm_int32(&context, (int *)(internal->as_label), 1156 label_len / sizeof (int32_t)); 1157 } else { 1158 internal->as_label = NULL; 1159 } 1160 } 1161 1162 return (length); 1163 } 1164 1165 /* 1166 * adt_to_export_format 1167 * read from struct adt_session_data into a network order buffer. 1168 * 1169 * (network order 'cause this data may be shared with a remote host.) 1170 */ 1171 1172 static size_t 1173 adt_to_export_format(adt_export_data_t *external, 1174 adt_internal_state_t *internal) 1175 { 1176 struct export_header head; 1177 struct export_link tail; 1178 adr_t context; 1179 size32_t label_len = 0; 1180 1181 adrm_start(&context, (char *)external); 1182 1183 if (internal->as_label != NULL) { 1184 label_len = blabel_size(); 1185 } 1186 1187 head.ax_check = ADT_VALID; 1188 head.ax_buffer_length = sizeof (struct adt_export_data) + label_len; 1189 1190 /* version 2 first */ 1191 1192 head.ax_link.ax_version = PROTOCOL_VERSION_2; 1193 head.ax_link.ax_offset = sizeof (struct export_header) + 1194 sizeof (struct adt_export_v2) + label_len; 1195 1196 adrm_putint32(&context, (int *)&head, 4); 1197 1198 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1199 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1200 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1201 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1202 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1203 adrm_putint32(&context, 1204 (int *)&(internal->as_info.ai_mask.am_success), 2); 1205 adrm_putint32(&context, 1206 (int *)&(internal->as_info.ai_termid.at_port), 1); 1207 adrm_putint32(&context, 1208 (int *)&(internal->as_info.ai_termid.at_type), 1); 1209 adrm_putint32(&context, 1210 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1211 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1212 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1213 adrm_putint32(&context, (int *)&(internal->as_pid), 1); 1214 adrm_putint32(&context, (int *)&label_len, 1); 1215 if (internal->as_label != NULL) { 1216 /* serialize the label */ 1217 adrm_putint32(&context, (int *)(internal->as_label), 1218 (label_len / sizeof (int32_t))); 1219 } 1220 1221 /* now version 1 */ 1222 1223 tail.ax_version = PROTOCOL_VERSION_1; 1224 tail.ax_offset = 0; 1225 1226 adrm_putint32(&context, (int *)&tail, 2); 1227 1228 adrm_putint32(&context, (int *)&(internal->as_euid), 1); 1229 adrm_putint32(&context, (int *)&(internal->as_ruid), 1); 1230 adrm_putint32(&context, (int *)&(internal->as_egid), 1); 1231 adrm_putint32(&context, (int *)&(internal->as_rgid), 1); 1232 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1); 1233 adrm_putint32(&context, 1234 (int *)&(internal->as_info.ai_mask.am_success), 2); 1235 adrm_putint32(&context, 1236 (int *)&(internal->as_info.ai_termid.at_port), 1); 1237 adrm_putint32(&context, 1238 (int *)&(internal->as_info.ai_termid.at_type), 1); 1239 adrm_putint32(&context, 1240 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4); 1241 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1); 1242 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1); 1243 /* ignored in v1 */ 1244 adrm_putint32(&context, (int *)&label_len, 1); 1245 1246 /* finally terminator */ 1247 1248 tail.ax_version = 0; /* invalid version number */ 1249 tail.ax_offset = 0; 1250 1251 adrm_putint32(&context, (int *)&tail, 2); 1252 1253 return (head.ax_buffer_length); 1254 } 1255 1256 /* 1257 * adt_ucred_label() -- if label is available, duplicate it. 1258 */ 1259 1260 static m_label_t * 1261 adt_ucred_label(ucred_t *uc) 1262 { 1263 m_label_t *ul = NULL; 1264 1265 if (ucred_getlabel(uc) != NULL) { 1266 (void) m_label_dup(&ul, ucred_getlabel(uc)); 1267 } 1268 1269 return (ul); 1270 } 1271 1272 /* 1273 * adt_import() -- convert from network order to machine-specific order 1274 */ 1275 1276 static int 1277 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external) 1278 { 1279 au_mask_t mask; 1280 1281 /* save local audit state */ 1282 int local_audit_state = internal->as_audit_state; 1283 1284 if (adt_from_export_format(internal, external) < 1) 1285 return (-1); /* errno from adt_from_export_format */ 1286 1287 /* 1288 * If audit isn't enabled on the remote, they were unable 1289 * to generate the audit mask, so generate it based on 1290 * local configuration. If the user id has changed, the 1291 * resulting mask may miss some subtleties that occurred 1292 * on the remote system. 1293 * 1294 * If the remote failed to generate a terminal id, it is not 1295 * recoverable. 1296 */ 1297 1298 if (!(internal->as_audit_state & AUC_DISABLED)) { 1299 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1300 &(internal->as_info.ai_mask))) 1301 return (-1); 1302 if (internal->as_info.ai_auid != internal->as_ruid) { 1303 if (adt_get_mask_from_user(internal->as_info.ai_auid, 1304 &mask)) 1305 return (-1); 1306 internal->as_info.ai_mask.am_success |= 1307 mask.am_success; 1308 internal->as_info.ai_mask.am_failure |= 1309 mask.am_failure; 1310 } 1311 } 1312 internal->as_audit_state = local_audit_state; 1313 1314 DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(), 1315 internal->as_info.ai_asid, 1316 internal->as_info.ai_asid)); 1317 1318 internal->as_have_user_data = ADT_HAVE_ALL; 1319 1320 return (0); 1321 } 1322 1323 /* 1324 * adt_export_session_data() 1325 * copies a adt_session_data struct into a network order buffer 1326 * 1327 * In a misconfigured network, the local host may have auditing 1328 * off while the destination may have auditing on, so if there 1329 * is sufficient memory, a buffer will be returned even in the 1330 * audit off case. 1331 */ 1332 1333 size_t 1334 adt_export_session_data(const adt_session_data_t *internal, 1335 adt_export_data_t **external) 1336 { 1337 size32_t length = 0; 1338 1339 if ((internal != NULL) && 1340 ((adt_internal_state_t *)internal)->as_label != NULL) { 1341 length = blabel_size(); 1342 } 1343 1344 *external = malloc(sizeof (adt_export_data_t) + length); 1345 1346 if (*external == NULL) 1347 return (0); 1348 1349 if (internal == NULL) { 1350 adt_internal_state_t *dummy; 1351 1352 dummy = malloc(sizeof (adt_internal_state_t)); 1353 if (dummy == NULL) 1354 goto return_length_free; 1355 1356 if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */ 1357 free(dummy); 1358 goto return_length_free; 1359 } 1360 length = adt_to_export_format(*external, dummy); 1361 free(dummy); 1362 } else { 1363 length = adt_to_export_format(*external, 1364 (adt_internal_state_t *)internal); 1365 } 1366 return (length); 1367 1368 return_length_free: 1369 free(*external); 1370 *external = NULL; 1371 return (0); 1372 } 1373 1374 static void 1375 adt_setto_unaudited(adt_internal_state_t *state) 1376 { 1377 if (state->as_audit_state & AUC_DISABLED) { 1378 state->as_ruid = AU_NOAUDITID; 1379 state->as_euid = AU_NOAUDITID; 1380 state->as_rgid = AU_NOAUDITID; 1381 state->as_egid = AU_NOAUDITID; 1382 state->as_pid = (pid_t)-1; 1383 state->as_label = NULL; 1384 } else { 1385 state->as_info.ai_asid = 0; 1386 state->as_info.ai_auid = AU_NOAUDITID; 1387 1388 (void) memset((void *)&(state->as_info.ai_termid), 0, 1389 sizeof (au_tid_addr_t)); 1390 state->as_info.ai_termid.at_type = AU_IPv4; 1391 1392 (void) memset((void *)&(state->as_info.ai_mask), 0, 1393 sizeof (au_mask_t)); 1394 state->as_have_user_data = 0; 1395 } 1396 } 1397 1398 /* 1399 * adt_init -- set session context by copying the audit characteristics 1400 * from the proc and picking up current uid/tid information. 1401 * 1402 * By default, an audit session is based on the process; the default 1403 * is overriden by adt_set_user() 1404 */ 1405 1406 static int 1407 adt_init(adt_internal_state_t *state, int use_proc_data) 1408 { 1409 /* ensure auditstate is set */ 1410 1411 (void) adt_audit_state(0); 1412 state->as_audit_state = auditstate; 1413 1414 if (use_proc_data) { 1415 state->as_ruid = getuid(); 1416 state->as_euid = geteuid(); 1417 state->as_rgid = getgid(); 1418 state->as_egid = getegid(); 1419 state->as_pid = getpid(); 1420 1421 if (!(state->as_audit_state & AUC_DISABLED)) { 1422 const au_tid64_addr_t *tid; 1423 const au_mask_t *mask; 1424 ucred_t *ucred = ucred_get(P_MYID); 1425 1426 /* 1427 * Even if the ucred is NULL, the underlying 1428 * credential may have a valid terminal id; if the 1429 * terminal id is set, then that's good enough. An 1430 * example of where this matters is failed login, 1431 * where rlogin/telnet sets the terminal id before 1432 * calling login; login does not load the credential 1433 * since auth failed. 1434 */ 1435 if (ucred == NULL) { 1436 if (!adt_have_termid( 1437 &(state->as_info.ai_termid))) 1438 return (-1); 1439 } else { 1440 mask = ucred_getamask(ucred); 1441 if (mask != NULL) { 1442 state->as_info.ai_mask = *mask; 1443 } else { 1444 ucred_free(ucred); 1445 return (-1); 1446 } 1447 tid = ucred_getatid(ucred); 1448 if (tid != NULL) { 1449 adt_cpy_tid(&(state->as_info.ai_termid), 1450 tid); 1451 } else { 1452 ucred_free(ucred); 1453 return (-1); 1454 } 1455 state->as_info.ai_asid = ucred_getasid(ucred); 1456 state->as_info.ai_auid = ucred_getauid(ucred); 1457 state->as_label = adt_ucred_label(ucred); 1458 ucred_free(ucred); 1459 } 1460 state->as_have_user_data = ADT_HAVE_ALL; 1461 } 1462 } else { 1463 adt_setto_unaudited(state); 1464 } 1465 state->as_session_model = ADT_SESSION_MODEL; /* default */ 1466 1467 if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) && 1468 auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy), 1469 sizeof (state->as_kernel_audit_policy))) { 1470 return (-1); /* errno set by auditon */ 1471 } 1472 state->as_check = ADT_VALID; 1473 adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0], 1474 &adt_preload); 1475 return (0); 1476 } 1477 1478 /* 1479 * adt_set_proc 1480 * 1481 * Copy the current session state to the process. If this function 1482 * is called, the model becomes a process model rather than a 1483 * session model. 1484 * 1485 * In the current implementation, the value state->as_have_user_data 1486 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set 1487 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in. 1488 * 1489 */ 1490 1491 int 1492 adt_set_proc(const adt_session_data_t *session_data) 1493 { 1494 adt_internal_state_t *state; 1495 1496 if (session_data == NULL) { 1497 return (0); 1498 } 1499 1500 state = (adt_internal_state_t *)session_data; 1501 1502 assert(state->as_check == ADT_VALID); 1503 1504 if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) != 1505 (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) { 1506 errno = EINVAL; 1507 goto return_err; 1508 } 1509 1510 if (setaudit_addr((auditinfo_addr_t *)&(state->as_info), 1511 sizeof (auditinfo_addr_t)) < 0) { 1512 goto return_err; /* errno set by setaudit_addr() */ 1513 } 1514 1515 state->as_session_model = ADT_PROCESS_MODEL; 1516 1517 return (0); 1518 1519 return_err: 1520 adt_write_syslog("failed to set process audit characteristics", errno); 1521 return (-1); 1522 } 1523 1524 static int 1525 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid) 1526 { 1527 au_tid_addr_t no_tid = {0, AU_IPv4, 0, 0, 0, 0}; 1528 au_mask_t no_mask = {0, 0}; 1529 1530 if (ruid == ADT_NO_AUDIT) { 1531 state->as_info.ai_auid = AU_NOAUDITID; 1532 state->as_info.ai_asid = 0; 1533 state->as_info.ai_termid = no_tid; 1534 state->as_info.ai_mask = no_mask; 1535 return (0); 1536 } 1537 state->as_info.ai_auid = ruid; 1538 state->as_info.ai_asid = adt_get_unique_id(ruid); 1539 if (termid != NULL) 1540 state->as_info.ai_termid = *termid; 1541 1542 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask))) 1543 return (-1); 1544 1545 /* Assume intending to audit as this process */ 1546 1547 if (state->as_pid == (pid_t)-1) 1548 state->as_pid = getpid(); 1549 1550 if (is_system_labeled() && state->as_label == NULL) { 1551 ucred_t *ucred = ucred_get(P_MYID); 1552 1553 state->as_label = adt_ucred_label(ucred); 1554 ucred_free(ucred); 1555 } 1556 1557 return (0); 1558 } 1559 1560 static int 1561 adt_changeuser(adt_internal_state_t *state, uid_t ruid) 1562 { 1563 au_mask_t mask; 1564 1565 if (!(state->as_have_user_data & ADT_HAVE_AUID)) 1566 state->as_info.ai_auid = ruid; 1567 if (!(state->as_have_user_data & ADT_HAVE_ASID)) 1568 state->as_info.ai_asid = adt_get_unique_id(ruid); 1569 1570 if (ruid <= MAXEPHUID) { 1571 if (adt_get_mask_from_user(ruid, &mask)) 1572 return (-1); 1573 1574 state->as_info.ai_mask.am_success |= mask.am_success; 1575 state->as_info.ai_mask.am_failure |= mask.am_failure; 1576 } 1577 DPRINTF(("changed mask to %08X/%08X for ruid=%d\n", 1578 state->as_info.ai_mask.am_success, 1579 state->as_info.ai_mask.am_failure, 1580 ruid)); 1581 return (0); 1582 } 1583 1584 /* 1585 * adt_set_user -- see also adt_set_from_ucred() 1586 * 1587 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or 1588 * "unattributed." If ruid, change the model to session. 1589 * 1590 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value" 1591 * only valid with ADT_UPDATE. 1592 * 1593 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there 1594 * isn't a good reason to call adt_set_user() with it unless you don't 1595 * have a good value yet and intend to replace it later; auid will be 1596 * AU_NOAUDITID. 1597 * 1598 * adt_set_user should be called even if auditing is not enabled 1599 * so that adt_export_session_data() will have useful stuff to 1600 * work with. 1601 * 1602 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID 1603 * and ADT_HAVE_ALL. 1604 */ 1605 1606 int 1607 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid, 1608 uid_t ruid, gid_t rgid, const adt_termid_t *termid, 1609 enum adt_user_context user_context) 1610 { 1611 adt_internal_state_t *state; 1612 int rc; 1613 1614 if (session_data == NULL) /* no session exists to audit */ 1615 return (0); 1616 1617 state = (adt_internal_state_t *)session_data; 1618 assert(state->as_check == ADT_VALID); 1619 1620 switch (user_context) { 1621 case ADT_NEW: 1622 if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE || 1623 rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) { 1624 errno = EINVAL; 1625 return (-1); 1626 } 1627 if ((rc = adt_newuser(state, ruid, 1628 (au_tid_addr_t *)termid)) != 0) 1629 return (rc); 1630 1631 state->as_have_user_data = ADT_HAVE_ALL; 1632 break; 1633 case ADT_UPDATE: 1634 if (state->as_have_user_data != ADT_HAVE_ALL) { 1635 errno = EINVAL; 1636 return (-1); 1637 } 1638 1639 if (ruid != ADT_NO_CHANGE) 1640 if ((rc = adt_changeuser(state, ruid)) != 0) 1641 return (rc); 1642 break; 1643 case ADT_USER: 1644 if (state->as_have_user_data != ADT_HAVE_ALL) { 1645 errno = EINVAL; 1646 return (-1); 1647 } 1648 break; 1649 case ADT_SETTID: 1650 assert(termid != NULL); 1651 state->as_info.ai_termid = *((au_tid_addr_t *)termid); 1652 /* avoid fooling pam_setcred()... */ 1653 state->as_info.ai_auid = AU_NOAUDITID; 1654 state->as_info.ai_asid = 0; 1655 state->as_info.ai_mask.am_failure = 0; 1656 state->as_info.ai_mask.am_success = 0; 1657 state->as_have_user_data = ADT_HAVE_TID | 1658 ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK; 1659 return (0); 1660 default: 1661 errno = EINVAL; 1662 return (-1); 1663 } 1664 1665 if (ruid == ADT_NO_AUDIT) { 1666 state->as_ruid = AU_NOAUDITID; 1667 state->as_euid = AU_NOAUDITID; 1668 state->as_rgid = AU_NOAUDITID; 1669 state->as_egid = AU_NOAUDITID; 1670 } else { 1671 if (ruid != ADT_NO_CHANGE) 1672 state->as_ruid = ruid; 1673 if (euid != ADT_NO_CHANGE) 1674 state->as_euid = euid; 1675 if (rgid != ADT_NO_CHANGE) 1676 state->as_rgid = rgid; 1677 if (egid != ADT_NO_CHANGE) 1678 state->as_egid = egid; 1679 } 1680 1681 if (ruid == ADT_NO_ATTRIB) { 1682 state->as_session_model = ADT_SESSION_MODEL; 1683 } 1684 1685 return (0); 1686 } 1687 1688 /* 1689 * adt_set_from_ucred() 1690 * 1691 * an alternate to adt_set_user that fills the same role but uses 1692 * a pointer to a ucred rather than a list of id's. If the ucred 1693 * pointer is NULL, use the credential from the this process. 1694 * 1695 * A key difference is that for ADT_NEW, adt_set_from_ucred() does 1696 * not overwrite the asid and auid unless auid has not been set. 1697 * ADT_NEW differs from ADT_UPDATE in that it does not OR together 1698 * the incoming audit mask with the one that already exists. 1699 * 1700 * adt_set_from_ucred should be called even if auditing is not enabled 1701 * so that adt_export_session_data() will have useful stuff to 1702 * work with. 1703 */ 1704 1705 int 1706 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc, 1707 enum adt_user_context user_context) 1708 { 1709 adt_internal_state_t *state; 1710 int rc = -1; 1711 const au_tid64_addr_t *tid64; 1712 au_tid_addr_t termid, *tid; 1713 ucred_t *ucred = (ucred_t *)uc; 1714 boolean_t local_uc = B_FALSE; 1715 1716 if (session_data == NULL) /* no session exists to audit */ 1717 return (0); 1718 1719 state = (adt_internal_state_t *)session_data; 1720 assert(state->as_check == ADT_VALID); 1721 1722 if (ucred == NULL) { 1723 ucred = ucred_get(P_MYID); 1724 1725 if (ucred == NULL) 1726 goto return_rc; 1727 local_uc = B_TRUE; 1728 } 1729 1730 switch (user_context) { 1731 case ADT_NEW: 1732 tid64 = ucred_getatid(ucred); 1733 if (tid64 != NULL) { 1734 adt_cpy_tid(&termid, tid64); 1735 tid = &termid; 1736 } else { 1737 tid = NULL; 1738 } 1739 if (ucred_getauid(ucred) == AU_NOAUDITID) { 1740 adt_setto_unaudited(state); 1741 state->as_have_user_data = ADT_HAVE_ALL; 1742 rc = 0; 1743 goto return_rc; 1744 } else { 1745 state->as_info.ai_auid = ucred_getauid(ucred); 1746 state->as_info.ai_asid = ucred_getasid(ucred); 1747 state->as_info.ai_mask = *ucred_getamask(ucred); 1748 state->as_info.ai_termid = *tid; 1749 } 1750 state->as_have_user_data = ADT_HAVE_ALL; 1751 break; 1752 case ADT_UPDATE: 1753 if (state->as_have_user_data != ADT_HAVE_ALL) { 1754 errno = EINVAL; 1755 goto return_rc; 1756 } 1757 1758 if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0) 1759 goto return_rc; 1760 break; 1761 case ADT_USER: 1762 if (state->as_have_user_data != ADT_HAVE_ALL) { 1763 errno = EINVAL; 1764 goto return_rc; 1765 } 1766 break; 1767 default: 1768 errno = EINVAL; 1769 goto return_rc; 1770 } 1771 rc = 0; 1772 1773 state->as_ruid = ucred_getruid(ucred); 1774 state->as_euid = ucred_geteuid(ucred); 1775 state->as_rgid = ucred_getrgid(ucred); 1776 state->as_egid = ucred_getegid(ucred); 1777 state->as_pid = ucred_getpid(ucred); 1778 state->as_label = adt_ucred_label(ucred); 1779 1780 return_rc: 1781 if (local_uc) { 1782 ucred_free(ucred); 1783 } 1784 return (rc); 1785 } 1786 1787 /* 1788 * adt_alloc_event() returns a pointer to allocated memory 1789 * 1790 */ 1791 1792 adt_event_data_t 1793 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id) 1794 { 1795 struct adt_event_state *event_state; 1796 adt_internal_state_t *session_state; 1797 adt_event_data_t *return_event = NULL; 1798 /* 1799 * need to return a valid event pointer even if audit is 1800 * off, else the caller will end up either (1) keeping its 1801 * own flags for on/off or (2) writing to a NULL pointer. 1802 * If auditing is on, the session data must be valid; otherwise 1803 * we don't care. 1804 */ 1805 if (session_data != NULL) { 1806 session_state = (adt_internal_state_t *)session_data; 1807 assert(session_state->as_check == ADT_VALID); 1808 } 1809 event_state = calloc(1, sizeof (struct adt_event_state)); 1810 if (event_state == NULL) 1811 goto return_ptr; 1812 1813 event_state->ae_check = ADT_VALID; 1814 1815 event_state->ae_event_id = event_id; 1816 event_state->ae_session = (struct adt_internal_state *)session_data; 1817 1818 return_event = (adt_event_data_t *)&(event_state->ae_event_data); 1819 1820 /* 1821 * preload data so the adt_au_*() functions can detect un-supplied 1822 * values (0 and NULL are free via calloc()). 1823 */ 1824 if (session_data != NULL) { 1825 session_state->as_preload(event_id, return_event); 1826 } 1827 1828 return_ptr: 1829 return (return_event); 1830 } 1831 1832 /* 1833 * adt_getXlateTable -- look up translation table address for event id 1834 */ 1835 1836 static adt_translation_t * 1837 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id) 1838 { 1839 /* xlate_table is global in adt_xlate.c */ 1840 adt_translation_t **p_xlate = xlate; 1841 adt_translation_t *p_event; 1842 1843 while (*p_xlate != NULL) { 1844 p_event = *p_xlate; 1845 if (event_id == p_event->tx_external_event) 1846 return (p_event); 1847 p_xlate++; 1848 } 1849 return (NULL); 1850 } 1851 1852 /* 1853 * adt_calcOffsets 1854 * 1855 * the call to this function is surrounded by a mutex. 1856 * 1857 * i walks down the table picking up next_token. j walks again to 1858 * calculate the offset to the input data. k points to the next 1859 * token's row. Finally, l, is used to sum the values in the 1860 * datadef array. 1861 * 1862 * What's going on? The entry array is in the order of the input 1863 * fields but the processing of array entries is in the order of 1864 * the output (see next_token). Calculating the offset to the 1865 * "next" input can't be done in the outer loop (i) since i doesn't 1866 * point to the current entry and it can't be done with the k index 1867 * because it doesn't represent the order of input fields. 1868 * 1869 * While the resulting algorithm is n**2, it is only done once per 1870 * event type. 1871 */ 1872 1873 /* 1874 * adt_calcOffsets is only called once per event type, but it uses 1875 * the address alignment of memory allocated for that event as if it 1876 * were the same for all subsequently allocated memory. This is 1877 * guaranteed by calloc/malloc. Arrays take special handling since 1878 * what matters for figuring out the correct alignment is the size 1879 * of the array element. 1880 */ 1881 1882 static void 1883 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data) 1884 { 1885 int i, j; 1886 size_t this_size, prev_size; 1887 void *struct_start = p_data; 1888 1889 for (i = 0; i < tablesize; i++) { 1890 if (p_entry[i].en_type_def == NULL) { 1891 p_entry[i].en_offset = 0; 1892 continue; 1893 } 1894 prev_size = 0; 1895 p_entry[i].en_offset = (char *)p_data - (char *)struct_start; 1896 1897 for (j = 0; j < p_entry[i].en_count_types; j++) { 1898 if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG) 1899 this_size = sizeof (enum adt_generic); 1900 else 1901 this_size = 1902 p_entry[i].en_type_def[j].dd_input_size; 1903 1904 /* adj for first entry */ 1905 if (prev_size == 0) 1906 prev_size = this_size; 1907 1908 if (p_entry[i].en_type_def[j].dd_datatype == 1909 ADT_UINT32ARRAY) { 1910 p_data = (char *)adt_adjust_address(p_data, 1911 prev_size, sizeof (uint32_t)) + 1912 this_size - sizeof (uint32_t); 1913 1914 prev_size = sizeof (uint32_t); 1915 } else { 1916 p_data = adt_adjust_address(p_data, prev_size, 1917 this_size); 1918 prev_size = this_size; 1919 } 1920 } 1921 } 1922 } 1923 1924 /* 1925 * adt_generate_event 1926 * generate event record from external struct. The order is based on 1927 * the output tokens, allowing for the possibility that the input data 1928 * is in a different order. 1929 * 1930 */ 1931 1932 static int 1933 adt_generate_event(const adt_event_data_t *p_extdata, 1934 struct adt_event_state *p_event, 1935 adt_translation_t *p_xlate) 1936 { 1937 struct entry *p_entry; 1938 static mutex_t lock = DEFAULTMUTEX; 1939 1940 p_entry = p_xlate->tx_first_entry; 1941 assert(p_entry != NULL); 1942 1943 p_event->ae_internal_id = p_xlate->tx_internal_event; 1944 adt_token_open(p_event); 1945 1946 /* 1947 * offsets are not pre-calculated; the initial offsets are all 1948 * 0; valid offsets are >= 0. Offsets for no-input tokens such 1949 * as subject are set to -1 by adt_calcOffset() 1950 */ 1951 if (p_xlate->tx_offsetsCalculated == 0) { 1952 (void) mutex_lock(&lock); 1953 p_xlate->tx_offsetsCalculated = 1; 1954 1955 adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries, 1956 (void *)p_extdata); 1957 (void) mutex_unlock(&lock); 1958 } 1959 while (p_entry != NULL) { 1960 adt_generate_token(p_entry, (char *)p_extdata, p_event); 1961 1962 p_entry = p_entry->en_next_token; 1963 } 1964 return (adt_token_close(p_event)); 1965 } 1966 1967 /* 1968 * adt_put_event -- main event generation function. 1969 * The input "event" is the address of the struct containing 1970 * event-specific data. 1971 * 1972 * However if auditing is off or the session handle 1973 * is NULL, no attempt to write a record is made. 1974 */ 1975 1976 int 1977 adt_put_event(const adt_event_data_t *event, int status, int return_val) 1978 { 1979 struct adt_event_state *event_state; 1980 adt_translation_t *xlate; 1981 1982 if (event == NULL) { 1983 errno = EINVAL; 1984 return (-1); 1985 } 1986 event_state = (struct adt_event_state *)event; 1987 1988 /* if this is a broken session or not auditing, exit */ 1989 if ((event_state->ae_session == NULL) || 1990 !(event_state->ae_session->as_audit_state & 1991 (AUC_AUDITING | AUC_NOSPACE))) { 1992 return (0); 1993 } 1994 1995 assert(event_state->ae_check == ADT_VALID); 1996 1997 event_state->ae_rc = status; 1998 event_state->ae_type = return_val; 1999 2000 /* look up the event */ 2001 2002 xlate = adt_getXlateTable(event_state->ae_session->as_xlate, 2003 event_state->ae_event_id); 2004 2005 if (xlate == NULL) { 2006 errno = EINVAL; 2007 return (-1); 2008 } 2009 DPRINTF(("got event %d\n", xlate->tx_internal_event)); 2010 2011 if (adt_selected(event_state, xlate->tx_internal_event, status)) { 2012 return (adt_generate_event(event, event_state, xlate)); 2013 } 2014 2015 return (0); 2016 } 2017 2018 /* 2019 * adt_free_event -- invalidate and free 2020 */ 2021 2022 void 2023 adt_free_event(adt_event_data_t *event) 2024 { 2025 struct adt_event_state *event_state; 2026 2027 if (event == NULL) 2028 return; 2029 2030 event_state = (struct adt_event_state *)event; 2031 2032 assert(event_state->ae_check == ADT_VALID); 2033 2034 event_state->ae_check = 0; 2035 2036 free(event_state); 2037 } 2038 2039 /* 2040 * adt_is_selected -- helper to adt_selected(), below. 2041 * 2042 * "sorf" is "success or fail" status; au_preselect compares 2043 * that with success, fail, or both. 2044 */ 2045 2046 static int 2047 adt_is_selected(au_event_t e, au_mask_t *m, int sorf) 2048 { 2049 int prs_sorf; 2050 2051 if (sorf == 0) 2052 prs_sorf = AU_PRS_SUCCESS; 2053 else 2054 prs_sorf = AU_PRS_FAILURE; 2055 2056 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD)); 2057 } 2058 2059 /* 2060 * selected -- see if this event is preselected. 2061 * 2062 * if errors are encountered trying to check a preselection mask 2063 * or look up a user name, the event is selected. Otherwise, the 2064 * preselection mask is used for the job. 2065 */ 2066 2067 static int 2068 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status) 2069 { 2070 adt_internal_state_t *sp; 2071 au_mask_t namask; 2072 2073 sp = event->ae_session; 2074 2075 if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) { 2076 adt_write_syslog("No user data available", EINVAL); 2077 return (1); /* default is "selected" */ 2078 } 2079 2080 /* non-attributable? */ 2081 if ((sp->as_info.ai_auid == AU_NOAUDITID) || 2082 (sp->as_info.ai_auid == ADT_NO_AUDIT)) { 2083 if (auditon(A_GETKMASK, (caddr_t)&namask, 2084 sizeof (namask)) != 0) { 2085 adt_write_syslog("auditon failure", errno); 2086 return (1); 2087 } 2088 return (adt_is_selected(actual_id, &namask, status)); 2089 } else { 2090 return (adt_is_selected(actual_id, &(sp->as_info.ai_mask), 2091 status)); 2092 } 2093 } 2094 2095 /* 2096 * Can't map the host name to an IP address in 2097 * adt_get_hostIP. Get something off an interface 2098 * to act as the hosts IP address for auditing. 2099 */ 2100 2101 static int 2102 adt_get_local_address(int family, struct ifaddrlist *al) 2103 { 2104 struct ifaddrlist *ifal; 2105 char errbuf[ERRBUFSIZE] = "empty list"; 2106 char msg[ERRBUFSIZE + 512]; 2107 int ifal_count; 2108 int i; 2109 2110 if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) { 2111 int serrno = errno; 2112 2113 (void) snprintf(msg, sizeof (msg), "adt_get_local_address " 2114 "couldn't get %d addrlist %s", family, errbuf); 2115 adt_write_syslog(msg, serrno); 2116 errno = serrno; 2117 return (-1); 2118 } 2119 2120 for (i = 0; i < ifal_count; i++) { 2121 /* 2122 * loopback always defined, 2123 * even if there is no real address 2124 */ 2125 if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) { 2126 break; 2127 } 2128 } 2129 if (i >= ifal_count) { 2130 free(ifal); 2131 /* 2132 * Callers of adt_get_hostIP() can only return 2133 * errno to their callers and eventually the application. 2134 * Picked one that seemed least worse for saying no 2135 * usable address for Audit terminal ID. 2136 */ 2137 errno = ENETDOWN; 2138 return (-1); 2139 } 2140 2141 *al = ifal[i]; 2142 free(ifal); 2143 return (0); 2144 } 2145