1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _BSM_AUDIT_KERNEL_H 26 #define _BSM_AUDIT_KERNEL_H 27 28 29 /* 30 * This file contains the basic auditing control structure definitions. 31 */ 32 33 #include <c2/audit_kevents.h> 34 #include <sys/priv_impl.h> 35 #include <sys/taskq.h> 36 #include <sys/zone.h> 37 38 #include <sys/tsol/label.h> 39 40 #ifdef __cplusplus 41 extern "C" { 42 #endif 43 44 /* 45 * This table contains the mapping from the system call ID to a corresponding 46 * audit event. 47 * 48 * au_init() is a function called at the beginning of the system call that 49 * performs any necessary setup/processing. It maps the call into the 50 * appropriate event, depending on the system call arguments. It is called 51 * by audit_start() from trap.c . 52 * 53 * au_event is the audit event associated with the system call. Most of the 54 * time it will map directly from the system call i.e. There is one system 55 * call associated with the event. In some cases, such as shmsys, or open, 56 * the au_start() function will map the system call to more than one event, 57 * depending on the system call arguments. 58 * 59 * au_start() is a function that provides per system call processing at the 60 * beginning of a system call. It is mainly concerned with preseving the 61 * audit record components that may be altered so that we can determine 62 * what the original paramater was before as well as after the system call. 63 * It is possible that au_start() may be taken away. It might be cleaner to 64 * define flags in au_ctrl to save a designated argument. For the moment we 65 * support both mechanisms, however the use of au_start() will be reviewed 66 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified. 67 * 68 * au_finish() is a function that provides per system call processing at the 69 * completion of a system call. In certain circumstances, the type of audit 70 * event depends on intermidiate results during the processing of the system 71 * call. It is called in audit_finish() from trap.c . 72 * 73 * au_ctrl is a control vector that indicates what processing might have to 74 * be performed, even if there is no auditing for this system call. At 75 * present this is mostly for path processing for chmod, chroot. We need to 76 * process the path information in vfs_lookup, even when we are not auditing 77 * the system call in the case of chdir and chroot. 78 */ 79 /* 80 * Defines for au_ctrl 81 */ 82 #define S2E_SP PAD_SAVPATH /* save path for later use */ 83 #define S2E_MLD PAD_MLD /* only one lookup per system call */ 84 #define S2E_NPT PAD_NOPATH /* force no path in audit record */ 85 #define S2E_PUB PAD_PUBLIC_EV /* syscall is defined as a public op */ 86 #define S2E_ATC PAD_ATCALL /* syscall is one of the *at() family */ 87 88 /* 89 * At present, we are using the audit classes imbedded with in the kernel. Each 90 * event has a bit mask determining which classes the event is associated. 91 * The table audit_e2s maps the audit event ID to the audit state. 92 * 93 * Note that this may change radically. If we use a bit vector for the audit 94 * class, we can allow granularity at the event ID for each user. In this 95 * case, the vector would be determined at user level and passed to the kernel 96 * via the setaudit system call. 97 */ 98 99 /* 100 * The audit_pad structure holds paths for the current root and directory 101 * for the process, as well as for open files and directly manipulated objects. 102 * The reference count minimizes data copies since the process's current 103 * directory changes very seldom. 104 */ 105 struct audit_path { 106 uint_t audp_ref; /* reference count */ 107 uint_t audp_size; /* allocated size of this structure */ 108 uint_t audp_cnt; /* number of path sections */ 109 char *audp_sect[1]; /* path section pointers */ 110 /* audp_sect[0] is the path name */ 111 /* audp_sect[1+] are attribute paths */ 112 }; 113 114 /* 115 * The structure of the terminal ID within the kernel is different from the 116 * terminal ID in user space. It is a combination of port and IP address. 117 */ 118 119 struct au_termid { 120 dev_t at_port; 121 uint_t at_type; 122 uint_t at_addr[4]; 123 }; 124 typedef struct au_termid au_termid_t; 125 126 /* 127 * Attributes for deferring the queuing of an event. 128 */ 129 typedef struct au_defer_info { 130 struct au_defer_info *audi_next; /* next on linked list */ 131 void *audi_ad; /* audit record */ 132 au_event_t audi_e_type; /* audit event id */ 133 au_emod_t audi_e_mod; /* audit event modifier */ 134 int audi_flag; /* au_close*() flags */ 135 timestruc_t audi_atime; /* audit event timestamp */ 136 } au_defer_info_t; 137 138 /* 139 * The structure p_audit_data hangs off of the process structure. It contains 140 * all of the audit information necessary to manage the audit record generation 141 * for each process. 142 * 143 * The pad_lock is constructed in the kmem_cache; the rest is combined 144 * in a sub structure so it can be copied/zeroed in one statement. 145 * 146 * The members have been reordered for maximum packing on 64 bit Solaris. 147 */ 148 struct p_audit_data { 149 kmutex_t pad_lock; /* lock pad data during changes */ 150 struct _pad_data { 151 struct audit_path *pad_root; /* process root path */ 152 struct audit_path *pad_cwd; /* process cwd path */ 153 au_mask_t pad_newmask; /* pending new mask */ 154 int pad_flags; 155 } pad_data; 156 }; 157 typedef struct p_audit_data p_audit_data_t; 158 159 #define pad_root pad_data.pad_root 160 #define pad_cwd pad_data.pad_cwd 161 #define pad_newmask pad_data.pad_newmask 162 #define pad_flags pad_data.pad_flags 163 164 /* 165 * Defines for pad_flags 166 */ 167 #define PAD_SETMASK 0x00000001 /* need to complete pending setmask */ 168 169 extern kmem_cache_t *au_pad_cache; 170 171 /* 172 * Defines for tad_ctrl 173 */ 174 #define PAD_SAVPATH 0x00000001 /* save path for further processing */ 175 #define PAD_MLD 0x00000002 /* system call involves MLD */ 176 #define PAD_NOPATH 0x00000004 /* force no paths in audit record */ 177 #define PAD_ABSPATH 0x00000008 /* path from lookup is absolute */ 178 #define PAD_NOATTRB 0x00000010 /* do not automatically add attribute */ 179 /* 0x20 unused */ 180 #define PAD_ATCALL 0x00000040 /* *at() syscall, like openat() */ 181 #define PAD_LFLOAT 0x00000080 /* Label float */ 182 #define PAD_NOAUDIT 0x00000100 /* discard audit record */ 183 #define PAD_PATHFND 0x00000200 /* found path, don't retry lookup */ 184 #define PAD_SPRIV 0x00000400 /* succ priv use. extra audit_finish */ 185 #define PAD_FPRIV 0x00000800 /* fail priv use. extra audit_finish */ 186 #define PAD_SMAC 0x00001000 /* succ mac use. extra audit_finish */ 187 #define PAD_FMAC 0x00002000 /* fail mac use. extra audit_finish */ 188 #define PAD_AUDITME 0x00004000 /* audit me because of NFS operation */ 189 #define PAD_ATTPATH 0x00008000 /* attribute file lookup */ 190 #define PAD_TRUE_CREATE 0x00010000 /* true create, file not found */ 191 #define PAD_CORE 0x00020000 /* save attribute during core dump */ 192 #define PAD_ERRJMP 0x00040000 /* abort record generation on error */ 193 #define PAD_PUBLIC_EV 0x00080000 /* syscall is defined as a public op */ 194 195 /* 196 * The structure t_audit_data hangs off of the thread structure. It contains 197 * all of the audit information necessary to manage the audit record generation 198 * for each thread. 199 * 200 */ 201 202 struct t_audit_data { 203 kthread_id_t tad_thread; /* DEBUG pointer to parent thread */ 204 unsigned int tad_scid; /* system call ID for finish */ 205 au_event_t tad_event; /* event for audit record */ 206 au_emod_t tad_evmod; /* event modifier for audit record */ 207 int tad_ctrl; /* audit control/status flags */ 208 void *tad_errjmp; /* error longjmp (audit record aborted) */ 209 int tad_flag; /* to audit or not to audit */ 210 uint32_t tad_audit; /* auditing enabled/disabled */ 211 struct audit_path *tad_aupath; /* captured at vfs_lookup */ 212 struct audit_path *tad_atpath; /* openat prefix, path of fd */ 213 struct vnode *tad_vn; /* saved inode from vfs_lookup */ 214 caddr_t tad_ad; /* base of accumulated audit data */ 215 au_defer_info_t *tad_defer_head; /* queue of records to defer */ 216 /* until syscall end: */ 217 au_defer_info_t *tad_defer_tail; /* tail of defer queue */ 218 priv_set_t tad_sprivs; /* saved (success) used privs */ 219 priv_set_t tad_fprivs; /* saved (failed) used privs */ 220 }; 221 typedef struct t_audit_data t_audit_data_t; 222 223 /* 224 * The f_audit_data structure hangs off of the file structure. It contains 225 * three fields of data. The audit ID, the audit state, and a path name. 226 */ 227 228 struct f_audit_data { 229 kthread_id_t fad_thread; /* DEBUG creating thread */ 230 int fad_flags; /* audit control flags */ 231 struct audit_path *fad_aupath; /* path from vfs_lookup */ 232 }; 233 typedef struct f_audit_data f_audit_data_t; 234 235 #define FAD_READ 0x0001 /* read system call seen */ 236 #define FAD_WRITE 0x0002 /* write system call seen */ 237 238 #define P2A(p) (p->p_audit_data) 239 #define T2A(t) (t->t_audit_data) 240 #define U2A(u) (curthread->t_audit_data) 241 #define F2A(f) (f->f_audit_data) 242 243 #define u_ad ((U2A(u))->tad_ad) 244 #define ad_ctrl ((U2A(u))->tad_ctrl) 245 #define ad_flag ((U2A(u))->tad_flag) 246 247 #define AU_BUFSIZE 128 /* buffer size for the buffer pool */ 248 249 struct au_buff { 250 char buf[AU_BUFSIZE]; 251 struct au_buff *next_buf; 252 struct au_buff *next_rec; 253 ushort_t rec_len; 254 uchar_t len; 255 uchar_t flag; 256 }; 257 258 typedef struct au_buff au_buff_t; 259 260 /* 261 * Kernel audit queue structure. 262 */ 263 struct audit_queue { 264 au_buff_t *head; /* head of queue */ 265 au_buff_t *tail; /* tail of queue */ 266 ssize_t cnt; /* number elements on queue */ 267 size_t hiwater; /* high water mark to block */ 268 size_t lowater; /* low water mark to restart */ 269 size_t bufsz; /* audit trail write buffer size */ 270 size_t buflen; /* audit trail buffer length in use */ 271 clock_t delay; /* delay before flushing queue */ 272 int wt_block; /* writer is blocked (1) */ 273 int rd_block; /* reader is blocked (1) */ 274 kmutex_t lock; /* mutex lock for queue modification */ 275 kcondvar_t write_cv; /* sleep structure for write block */ 276 kcondvar_t read_cv; /* sleep structure for read block */ 277 }; 278 279 280 union rval; 281 struct audit_s2e { 282 au_event_t (*au_init)(au_event_t); 283 /* convert au_event to real audit event ID */ 284 285 int au_event; /* default audit event for this system call */ 286 void (*au_start)(struct t_audit_data *); 287 /* pre-system call audit processing */ 288 void (*au_finish)(struct t_audit_data *, int, union rval *); 289 /* post-system call audit processing */ 290 int au_ctrl; /* control flags for auditing actions */ 291 }; 292 293 extern struct audit_s2e audit_s2e[]; 294 295 #define AUK_VALID 0x5A5A5A5A 296 #define AUK_INVALID 0 297 /* 298 * per zone audit context 299 */ 300 struct au_kcontext { 301 uint32_t auk_valid; 302 zoneid_t auk_zid; 303 304 boolean_t auk_hostaddr_valid; 305 int auk_sequence; 306 int auk_auditstate; 307 int auk_output_active; 308 struct vnode *auk_current_vp; 309 uint32_t auk_policy; 310 311 struct audit_queue auk_queue; 312 313 au_dbuf_t *auk_dbuffer; /* auditdoor output */ 314 315 au_stat_t auk_statistics; 316 317 struct auditinfo_addr auk_info; 318 kmutex_t auk_eagain_mutex; /* door call retry */ 319 kcondvar_t auk_eagain_cv; 320 321 taskq_t *auk_taskq; /* output thread */ 322 323 /* Only one audit svc per zone at a time */ 324 /* With the elimination of auditsvc, can this also go? see 6648414 */ 325 kmutex_t auk_svc_lock; 326 327 au_state_t auk_ets[MAX_KEVENTS + 1]; 328 }; 329 #ifndef AUK_CONTEXT_T 330 #define AUK_CONTEXT_T 331 typedef struct au_kcontext au_kcontext_t; 332 #endif 333 334 extern zone_key_t au_zone_key; 335 336 /* 337 * Kernel auditing external variables 338 */ 339 extern uint32_t audit_policy; 340 extern int audit_active; 341 342 extern struct audit_queue au_queue; 343 extern struct p_audit_data *pad0; 344 extern struct t_audit_data *tad0; 345 346 /* 347 * audit_path support routines 348 */ 349 void au_pathhold(struct audit_path *); 350 void au_pathrele(struct audit_path *); 351 struct audit_path *au_pathdup(const struct audit_path *, int, int); 352 353 void au_pad_init(void); 354 355 int auditctl(int cmd, caddr_t data, int length); 356 int auditdoor(int fd); 357 int getauid(caddr_t); 358 int setauid(caddr_t); 359 int getaudit(caddr_t); 360 int getaudit_addr(caddr_t, int); 361 int setaudit(caddr_t); 362 int setaudit_addr(caddr_t, int); 363 364 /* 365 * Macros to hide asynchronous, non-blocking audit record start and finish 366 * processing. 367 * 368 * NOTE: must be used in (void) funcction () { ... } 369 */ 370 371 #define AUDIT_ASYNC_START(rp, audit_event, sorf) \ 372 { \ 373 label_t jb; \ 374 if (setjmp(&jb)) { \ 375 /* cleanup any residual audit data */ \ 376 audit_async_drop((caddr_t *)&(rp), 0); \ 377 return; \ 378 } \ 379 /* auditing enabled and we're preselected for this event? */ \ 380 if (audit_async_start(&jb, audit_event, sorf)) { \ 381 return; \ 382 } \ 383 } 384 385 #define AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \ 386 audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \ 387 event_time); 388 389 390 #ifdef _KERNEL 391 au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *); 392 #endif 393 394 /* 395 * Macro for uniform "subject" token(s) generation 396 */ 397 #define AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \ 398 (au_write((u), au_to_subject(crgetuid(c), \ 399 crgetgid(c), crgetruid(c), crgetrgid(c), \ 400 p, (a)->ai_auid, (a)->ai_asid, \ 401 &((a)->ai_termid)))); \ 402 ((is_system_labeled()) ? au_write((u), \ 403 au_to_label(CR_SL((c)))) : (void) 0); \ 404 (((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\ 405 au_to_groups(crgetgroups(c), \ 406 crgetngroups(c))) : (void) 0) 407 408 #define AUDIT_SETSUBJ(u, c, a, k) \ 409 AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid) 410 411 #define AUDIT_SETPROC_GENERIC(u, c, a, p) \ 412 (au_write((u), au_to_process(crgetuid(c), \ 413 crgetgid(c), crgetruid(c), crgetrgid(c), \ 414 p, (a)->ai_auid, (a)->ai_asid, \ 415 &((a)->ai_termid)))); 416 417 #define AUDIT_SETPROC(u, c, a) \ 418 AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid) 419 420 /* 421 * Macros for type conversion 422 */ 423 424 /* au_membuf head, to typed data */ 425 #define memtod(x, t) ((t)x->buf) 426 427 /* au_membuf types */ 428 #define MT_FREE 0 /* should be on free list */ 429 #define MT_DATA 1 /* dynamic (data) allocation */ 430 431 /* flags to au_memget */ 432 #define DONTWAIT 0 433 #define WAIT 1 434 435 #define AU_PACK 1 /* pack data in au_append_rec() */ 436 #define AU_LINK 0 /* link data in au_append_rec() */ 437 438 /* flags to async routines */ 439 #define AU_BACKEND 1 /* called from softcall backend */ 440 441 #ifdef __cplusplus 442 } 443 #endif 444 445 #endif /* _BSM_AUDIT_KERNEL_H */ 446