1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the envelope code for system call auditing. 28 */ 29 30 #include <sys/param.h> 31 #include <sys/types.h> 32 #include <sys/time.h> 33 #include <sys/kmem.h> 34 #include <sys/proc.h> 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/debug.h> 42 #include <sys/cred_impl.h> 43 #include <sys/zone.h> 44 #include <c2/audit.h> 45 #include <c2/audit_kernel.h> 46 #include <c2/audit_kevents.h> 47 #include <c2/audit_record.h> 48 #include "audit_door_infc.h" 49 50 extern uint_t num_syscall; /* size of audit_s2e table */ 51 extern kmutex_t pidlock; /* proc table lock */ 52 53 int audit_load = 0; /* set from /etc/system */ 54 55 struct p_audit_data *pad0; 56 struct t_audit_data *tad0; 57 58 /* 59 * Das Boot. Initialize first process. Also generate an audit record indicating 60 * that the system has been booted. 61 */ 62 void 63 audit_init() 64 { 65 kthread_t *au_thread; 66 token_t *rp = NULL; 67 label_t jb; 68 struct audit_path apempty; 69 auditinfo_addr_t *ainfo; 70 71 if (audit_load == 0) { 72 audit_active = 0; 73 au_auditstate = AUC_DISABLED; 74 return; 75 #ifdef DEBUG 76 } else if (audit_load == 2) { 77 debug_enter((char *)NULL); 78 #endif 79 } 80 81 audit_active = 1; 82 set_all_proc_sys(); /* set pre- and post-syscall flags */ 83 84 /* initialize memory allocators */ 85 au_mem_init(); 86 87 au_zone_setup(); 88 89 /* inital thread structure */ 90 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 91 92 /* initial process structure */ 93 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 94 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 95 96 T2A(curthread) = tad0; 97 P2A(curproc) = pad0; 98 99 /* 100 * The kernel allocates a bunch of threads make sure they have 101 * a valid tad 102 */ 103 104 mutex_enter(&pidlock); 105 106 au_thread = curthread; 107 do { 108 if (T2A(au_thread) == NULL) { 109 T2A(au_thread) = tad0; 110 } 111 au_thread = au_thread->t_next; 112 } while (au_thread != curthread); 113 114 tad0->tad_ad = NULL; 115 mutex_exit(&pidlock); 116 117 /* 118 * Initialize audit context in our cred (kcred). 119 * No copy-on-write needed here because it's so early in init. 120 */ 121 ainfo = crgetauinfo_modifiable(kcred); 122 ASSERT(ainfo != NULL); 123 bzero(ainfo, sizeof (auditinfo_addr_t)); 124 ainfo->ai_auid = AU_NOAUDITID; 125 126 /* fabricate an empty audit_path to extend */ 127 apempty.audp_cnt = 0; 128 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 129 pad0->pad_root = au_pathdup(&apempty, 1, 2); 130 bcopy("/", pad0->pad_root->audp_sect[0], 2); 131 au_pathhold(pad0->pad_root); 132 pad0->pad_cwd = pad0->pad_root; 133 134 /* 135 * setup environment for asynchronous auditing. We can't use 136 * audit_async_start() here since it assumes the audit system 137 * has been started via auditd(1m). auditd sets the variable, 138 * auk_auditstate, to indicate audit record generation should 139 * commence. Here we want to always generate an audit record. 140 */ 141 if (setjmp(&jb)) { 142 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 143 audit_async_drop((caddr_t *)(&rp), 0); 144 return; 145 } 146 147 ASSERT(tad0->tad_errjmp == NULL); 148 tad0->tad_errjmp = (void *)&jb; 149 tad0->tad_ctrl |= PAD_ERRJMP; 150 151 /* generate a system-booted audit record */ 152 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 153 154 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL); 155 } 156 157 void 158 audit_free() 159 { 160 } 161 162 /* 163 * Check for any pending changes to the audit context for the given proc. 164 * p_crlock and pad_lock for the process are acquired here. Caller is 165 * responsible for assuring the process doesn't go away. If context is 166 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 167 * If no cred is given, it will be cralloc'ed here and caller assures that 168 * it is safe to allocate memory. 169 */ 170 void 171 audit_update_context(proc_t *p, cred_t *ncr) 172 { 173 struct p_audit_data *pad; 174 cred_t *newcred = ncr; 175 176 pad = P2A(p); 177 if (pad == NULL) { 178 if (newcred != NULL) 179 crfree(newcred); 180 return; 181 } 182 183 /* If a mask update is pending, take care of it. */ 184 if (pad->pad_flags & PAD_SETMASK) { 185 auditinfo_addr_t *ainfo; 186 187 if (newcred == NULL) 188 newcred = cralloc(); 189 190 mutex_enter(&pad->pad_lock); 191 /* the condition may have been handled by the time we lock */ 192 if (pad->pad_flags & PAD_SETMASK) { 193 ainfo = crgetauinfo_modifiable(newcred); 194 if (ainfo == NULL) { 195 mutex_enter(&pad->pad_lock); 196 crfree(newcred); 197 return; 198 } 199 200 mutex_enter(&p->p_crlock); 201 crcopy_to(p->p_cred, newcred); 202 p->p_cred = newcred; 203 204 ainfo->ai_mask = pad->pad_newmask; 205 206 /* Unlock and cleanup. */ 207 mutex_exit(&p->p_crlock); 208 pad->pad_flags &= ~PAD_SETMASK; 209 210 /* 211 * For curproc, assure that our thread points to right 212 * cred, so CRED() will be correct. Otherwise, no need 213 * to broadcast changes (via set_proc_pre_sys), since 214 * t_pre_sys is ALWAYS on when audit is enabled... due 215 * to syscall auditing. 216 */ 217 if (p == curproc) 218 crset(p, newcred); 219 else 220 crfree(newcred); 221 } else { 222 crfree(newcred); 223 } 224 mutex_exit(&pad->pad_lock); 225 } else { 226 if (newcred != NULL) 227 crfree(newcred); 228 } 229 } 230 231 232 /* 233 * Enter system call. Do any necessary setup here. allocate resouces, etc. 234 */ 235 236 #include <sys/syscall.h> 237 238 239 /*ARGSUSED*/ 240 int 241 audit_start( 242 unsigned type, 243 unsigned scid, 244 int error, 245 klwp_t *lwp) 246 { 247 struct t_audit_data *tad; 248 au_kcontext_t *kctx; 249 250 tad = U2A(u); 251 ASSERT(tad != NULL); 252 253 if (error) { 254 tad->tad_ctrl = 0; 255 tad->tad_flag = 0; 256 return (0); 257 } 258 259 audit_update_context(curproc, NULL); 260 261 /* 262 * if this is an indirect system call then don't do anything. 263 * audit_start will be called again from indir() in trap.c 264 */ 265 if (scid == 0) { 266 tad->tad_ctrl = 0; 267 tad->tad_flag = 0; 268 return (0); 269 } 270 if (scid >= num_syscall) 271 scid = 0; 272 273 /* 274 * we can no longer depend on a valid lwp_ap, so we need to 275 * copy the syscall args as future audit stuff may need them. 276 */ 277 (void) save_syscall_args(); 278 279 /* 280 * We need to gather paths for certain system calls even if they are 281 * not audited so that we can audit the various f* calls and be 282 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 283 * system call regardless if the call is audited or not. 284 * We allow the event specific initial processing routines (au_init) 285 * to adjust the tad_ctrl as necessary. 286 */ 287 tad->tad_ctrl = audit_s2e[scid].au_ctrl; 288 tad->tad_scid = scid; 289 290 /* get basic event for system call */ 291 tad->tad_event = audit_s2e[scid].au_event; 292 if (audit_s2e[scid].au_init != (au_event_t)AUE_NULL) { 293 /* get specific event */ 294 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event); 295 } 296 297 kctx = GET_KCTX_PZ; 298 299 /* now do preselection. Audit or not to Audit, that is the question */ 300 if ((tad->tad_flag = auditme(kctx, tad, 301 kctx->auk_ets[tad->tad_event])) == 0) { 302 /* 303 * we assume that audit_finish will always be called. 304 */ 305 return (0); 306 } 307 308 /* 309 * if auditing not enabled, then don't generate an audit record 310 * and don't count it. 311 */ 312 if ((kctx->auk_auditstate != AUC_AUDITING && 313 kctx->auk_auditstate != AUC_INIT_AUDIT)) { 314 /* 315 * we assume that audit_finish will always be called. 316 */ 317 tad->tad_flag = 0; 318 return (0); 319 } 320 321 /* 322 * audit daemon has informed us that there is no longer any 323 * space left to hold audit records. We decide here if records 324 * should be dropped (but counted). 325 */ 326 if (kctx->auk_auditstate == AUC_NOSPACE) { 327 if ((kctx->auk_policy & AUDIT_CNT) || 328 (kctx->auk_policy & AUDIT_SCNT)) { 329 /* assume that audit_finish will always be called. */ 330 tad->tad_flag = 0; 331 332 /* just count # of dropped audit records */ 333 AS_INC(as_dropped, 1, kctx); 334 335 return (0); 336 } 337 } 338 339 tad->tad_evmod = 0; 340 341 if (audit_s2e[scid].au_start != NULL) { 342 /* do start of system call processing */ 343 (*audit_s2e[scid].au_start)(tad); 344 } 345 346 return (0); 347 } 348 349 /* 350 * system call has completed. Now determine if we genearate an audit record 351 * or not. 352 */ 353 /*ARGSUSED*/ 354 void 355 audit_finish( 356 unsigned type, 357 unsigned scid, 358 int error, 359 rval_t *rval) 360 { 361 struct t_audit_data *tad; 362 int flag; 363 au_defer_info_t *attr; 364 au_kcontext_t *kctx = GET_KCTX_PZ; 365 366 tad = U2A(u); 367 368 /* 369 * Process all deferred events first. 370 */ 371 attr = tad->tad_defer_head; 372 while (attr != NULL) { 373 au_defer_info_t *tmp_attr = attr; 374 375 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 376 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 377 378 attr = attr->audi_next; 379 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 380 } 381 tad->tad_defer_head = tad->tad_defer_tail = NULL; 382 383 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 384 /* 385 * clear the ctrl flag so that we don't have spurious 386 * collection of audit information. 387 */ 388 tad->tad_scid = 0; 389 tad->tad_event = 0; 390 tad->tad_evmod = 0; 391 tad->tad_ctrl = 0; 392 ASSERT(tad->tad_aupath == NULL); 393 return; 394 } 395 396 scid = tad->tad_scid; 397 398 /* 399 * Perform any extra processing and determine if we are 400 * really going to generate any audit record. 401 */ 402 if (audit_s2e[scid].au_finish != NULL) { 403 /* do any post system call processing */ 404 (*audit_s2e[scid].au_finish)(tad, error, rval); 405 } 406 if (tad->tad_flag) { 407 tad->tad_flag = 0; 408 409 if (flag = audit_success(kctx, tad, error, NULL)) { 410 unsigned int sy_flags; 411 cred_t *cr = CRED(); 412 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 413 414 ASSERT(ainfo != NULL); 415 416 /* Add subject information */ 417 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 418 419 if (tad->tad_evmod & PAD_SPRIVUSE) { 420 au_write(&(u_ad), 421 au_to_privset("", &tad->tad_sprivs, 422 AUT_UPRIV, 1)); 423 } 424 425 if (tad->tad_evmod & PAD_FPRIVUSE) { 426 au_write(&(u_ad), 427 au_to_privset("", &tad->tad_fprivs, 428 AUT_UPRIV, 0)); 429 } 430 431 /* Add a return token */ 432 #ifdef _SYSCALL32_IMPL 433 if (lwp_getdatamodel(ttolwp(curthread)) == 434 DATAMODEL_NATIVE) { 435 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 436 } else { 437 sy_flags = 438 sysent32[scid].sy_flags & SE_RVAL_MASK; 439 } 440 #else /* _SYSCALL64_IMPL */ 441 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 442 #endif /* _SYSCALL32_IMPL */ 443 444 if (sy_flags == SE_32RVAL1) { 445 if (type == 0) { 446 au_write(&(u_ad), 447 au_to_return32(error, 0)); 448 } else { 449 au_write(&(u_ad), au_to_return32(error, 450 rval->r_val1)); 451 } 452 } 453 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 454 if (type == 0) { 455 au_write(&(u_ad), 456 au_to_return32(error, 0)); 457 } else { 458 au_write(&(u_ad), 459 au_to_return32(error, 460 rval->r_val1)); 461 #ifdef NOTYET /* for possible future support */ 462 au_write(&(u_ad), au_to_return32(error, 463 rval->r_val2)); 464 #endif 465 } 466 } 467 if (sy_flags == SE_64RVAL) { 468 if (type == 0) { 469 au_write(&(u_ad), 470 au_to_return64(error, 0)); 471 } else { 472 au_write(&(u_ad), au_to_return64(error, 473 rval->r_vals)); 474 } 475 } 476 477 AS_INC(as_generated, 1, kctx); 478 AS_INC(as_kernel, 1, kctx); 479 } 480 481 /* Close up everything */ 482 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 483 } 484 485 ASSERT(u_ad == NULL); 486 487 /* free up any space remaining with the path's */ 488 if (tad->tad_aupath != NULL) { 489 au_pathrele(tad->tad_aupath); 490 tad->tad_aupath = NULL; 491 tad->tad_vn = NULL; 492 } 493 494 /* free up any space remaining with openat path's */ 495 if (tad->tad_atpath) { 496 au_pathrele(tad->tad_atpath); 497 tad->tad_atpath = NULL; 498 } 499 500 /* 501 * clear the ctrl flag so that we don't have spurious collection of 502 * audit information. 503 */ 504 tad->tad_scid = 0; 505 tad->tad_event = 0; 506 tad->tad_evmod = 0; 507 tad->tad_ctrl = 0; 508 } 509 510 int 511 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error, 512 cred_t *cr) 513 { 514 au_state_t ess; 515 au_state_t esf; 516 au_mask_t amask; 517 const auditinfo_addr_t *ainfo; 518 519 ess = esf = kctx->auk_ets[tad->tad_event]; 520 521 if (error) 522 tad->tad_evmod |= PAD_FAILURE; 523 524 /* see if we really want to generate an audit record */ 525 if (tad->tad_ctrl & PAD_NOAUDIT) 526 return (0); 527 528 /* 529 * nfs operation and we're auditing privilege or MAC. This 530 * is so we have a client audit record to match a nfs server 531 * audit record. 532 */ 533 if (tad->tad_ctrl & PAD_AUDITME) 534 return (AU_OK); 535 536 /* 537 * Used passed cred if available, otherwise use cred from kernel thread 538 */ 539 if (cr == NULL) 540 cr = CRED(); 541 ainfo = crgetauinfo(cr); 542 if (ainfo == NULL) 543 return (0); 544 amask = ainfo->ai_mask; 545 546 if (error == 0) 547 return ((ess & amask.as_success) ? AU_OK : 0); 548 else 549 return ((esf & amask.as_failure) ? AU_OK : 0); 550 } 551 552 /* 553 * determine if we've preselected this event (system call). 554 */ 555 int 556 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 557 { 558 int flag = 0; 559 au_mask_t amask; 560 const auditinfo_addr_t *ainfo; 561 562 ainfo = crgetauinfo(CRED()); 563 if (ainfo == NULL) 564 return (0); 565 amask = ainfo->ai_mask; 566 567 /* preselected system call */ 568 569 if (amask.as_success & estate || amask.as_failure & estate) { 570 flag = 1; 571 } else if ((tad->tad_scid == SYS_putmsg) || 572 (tad->tad_scid == SYS_getmsg)) { 573 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 574 kctx->auk_ets[AUE_SOCKACCEPT] | 575 kctx->auk_ets[AUE_SOCKSEND] | 576 kctx->auk_ets[AUE_SOCKRECEIVE]; 577 if (amask.as_success & estate || amask.as_failure & estate) 578 flag = 1; 579 } 580 581 return (flag); 582 } 583