1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the envelope code for system call auditing. 30 */ 31 32 #include <sys/param.h> 33 #include <sys/types.h> 34 #include <sys/time.h> 35 #include <sys/kmem.h> 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/file.h> 39 #include <sys/user.h> 40 #include <sys/stropts.h> 41 #include <sys/systm.h> 42 #include <sys/pathname.h> 43 #include <sys/debug.h> 44 #include <sys/cred_impl.h> 45 #include <sys/zone.h> 46 #include <c2/audit.h> 47 #include <c2/audit_kernel.h> 48 #include <c2/audit_kevents.h> 49 #include <c2/audit_record.h> 50 #include "audit_door_infc.h" 51 52 extern uint_t num_syscall; /* size of audit_s2e table */ 53 extern kmutex_t pidlock; /* proc table lock */ 54 55 int audit_load = 0; /* set from /etc/system */ 56 57 struct p_audit_data *pad0; 58 struct t_audit_data *tad0; 59 60 /* 61 * Das Boot. Initialize first process. Also generate an audit record indicating 62 * that the system has been booted. 63 */ 64 void 65 audit_init() 66 { 67 kthread_t *au_thread; 68 token_t *rp = NULL; 69 label_t jb; 70 struct audit_path apempty; 71 auditinfo_addr_t *ainfo; 72 73 if (audit_load == 0) { 74 audit_active = 0; 75 au_auditstate = AUC_DISABLED; 76 return; 77 #ifdef DEBUG 78 } else if (audit_load == 2) { 79 debug_enter((char *)NULL); 80 #endif 81 } 82 83 audit_active = 1; 84 set_all_proc_sys(); /* set pre- and post-syscall flags */ 85 86 /* initialize memory allocators */ 87 au_mem_init(); 88 89 au_zone_setup(); 90 91 /* inital thread structure */ 92 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 93 94 /* initial process structure */ 95 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 96 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 97 98 T2A(curthread) = tad0; 99 P2A(curproc) = pad0; 100 101 /* 102 * The kernel allocates a bunch of threads make sure they have 103 * a valid tad 104 */ 105 106 mutex_enter(&pidlock); 107 108 au_thread = curthread; 109 do { 110 if (T2A(au_thread) == NULL) { 111 T2A(au_thread) = tad0; 112 } 113 au_thread = au_thread->t_next; 114 } while (au_thread != curthread); 115 116 tad0->tad_ad = NULL; 117 mutex_exit(&pidlock); 118 119 /* 120 * Initialize audit context in our cred (kcred). 121 * No copy-on-write needed here because it's so early in init. 122 */ 123 ainfo = crgetauinfo_modifiable(kcred); 124 ASSERT(ainfo != NULL); 125 bzero(ainfo, sizeof (auditinfo_addr_t)); 126 ainfo->ai_auid = AU_NOAUDITID; 127 128 /* fabricate an empty audit_path to extend */ 129 apempty.audp_cnt = 0; 130 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 131 pad0->pad_root = au_pathdup(&apempty, 1, 2); 132 bcopy("/", pad0->pad_root->audp_sect[0], 2); 133 au_pathhold(pad0->pad_root); 134 pad0->pad_cwd = pad0->pad_root; 135 136 /* 137 * setup environment for asynchronous auditing. We can't use 138 * audit_async_start() here since it assumes the audit system 139 * has been started via auditd(1m). auditd sets the variable, 140 * auk_auditstate, to indicate audit record generation should 141 * commence. Here we want to always generate an audit record. 142 */ 143 if (setjmp(&jb)) { 144 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 145 audit_async_drop((caddr_t *)(&rp), 0); 146 return; 147 } 148 149 ASSERT(tad0->tad_errjmp == NULL); 150 tad0->tad_errjmp = (void *)&jb; 151 tad0->tad_ctrl |= PAD_ERRJMP; 152 153 /* generate a system-booted audit record */ 154 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 155 156 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL); 157 } 158 159 void 160 audit_free() 161 { 162 } 163 164 /* 165 * Check for any pending changes to the audit context for the given proc. 166 * p_crlock and pad_lock for the process are acquired here. Caller is 167 * responsible for assuring the process doesn't go away. If context is 168 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 169 * If no cred is given, it will be cralloc'ed here and caller assures that 170 * it is safe to allocate memory. 171 */ 172 void 173 audit_update_context(proc_t *p, cred_t *ncr) 174 { 175 struct p_audit_data *pad; 176 cred_t *newcred = ncr; 177 178 pad = P2A(p); 179 if (pad == NULL) { 180 if (newcred != NULL) 181 crfree(newcred); 182 return; 183 } 184 185 /* If a mask update is pending, take care of it. */ 186 if (pad->pad_flags & PAD_SETMASK) { 187 auditinfo_addr_t *ainfo; 188 189 if (newcred == NULL) 190 newcred = cralloc(); 191 192 mutex_enter(&pad->pad_lock); 193 /* the condition may have been handled by the time we lock */ 194 if (pad->pad_flags & PAD_SETMASK) { 195 ainfo = crgetauinfo_modifiable(newcred); 196 if (ainfo == NULL) { 197 mutex_enter(&pad->pad_lock); 198 crfree(newcred); 199 return; 200 } 201 202 mutex_enter(&p->p_crlock); 203 crcopy_to(p->p_cred, newcred); 204 p->p_cred = newcred; 205 206 ainfo->ai_mask = pad->pad_newmask; 207 208 /* Unlock and cleanup. */ 209 mutex_exit(&p->p_crlock); 210 pad->pad_flags &= ~PAD_SETMASK; 211 212 /* 213 * For curproc, assure that our thread points to right 214 * cred, so CRED() will be correct. Otherwise, no need 215 * to broadcast changes (via set_proc_pre_sys), since 216 * t_pre_sys is ALWAYS on when audit is enabled... due 217 * to syscall auditing. 218 */ 219 if (p == curproc) 220 crset(p, newcred); 221 else 222 crfree(newcred); 223 } else { 224 crfree(newcred); 225 } 226 mutex_exit(&pad->pad_lock); 227 } else { 228 if (newcred != NULL) 229 crfree(newcred); 230 } 231 } 232 233 234 /* 235 * Enter system call. Do any necessary setup here. allocate resouces, etc. 236 */ 237 238 #include <sys/syscall.h> 239 240 241 /*ARGSUSED*/ 242 int 243 audit_start( 244 unsigned type, 245 unsigned scid, 246 int error, 247 klwp_t *lwp) 248 { 249 int ctrl; 250 au_event_t event; 251 au_state_t estate; 252 struct t_audit_data *tad; 253 au_kcontext_t *kctx; 254 255 tad = U2A(u); 256 ASSERT(tad != NULL); 257 258 if (error) { 259 tad->tad_ctrl = 0; 260 tad->tad_flag = 0; 261 return (0); 262 } 263 264 audit_update_context(curproc, NULL); 265 266 /* 267 * if this is an indirect system call then don't do anything. 268 * audit_start will be called again from indir() in trap.c 269 */ 270 if (scid == 0) { 271 tad->tad_ctrl = 0; 272 tad->tad_flag = 0; 273 return (0); 274 } 275 if (scid >= num_syscall) 276 scid = 0; 277 278 /* we can no longer ber guarantied a valid lwp_ap */ 279 /* so we need to force it valid a lot of stuff needs it */ 280 (void) save_syscall_args(); 281 282 /* get control information */ 283 ctrl = audit_s2e[scid].au_ctrl; 284 285 /* 286 * We need to gather paths for certain system calls even if they are 287 * not audited so that we can audit the various f* calls and be 288 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 289 * system call regardless if the call is audited or not. 290 * We allow the au_init() routine to adjust the tad_ctrl. 291 */ 292 tad->tad_ctrl = ctrl; 293 tad->tad_scid = scid; 294 295 /* get basic event for system call */ 296 event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event); 297 298 kctx = SET_KCTX_PZ; 299 if (kctx == NULL) { 300 zone_status_t zstate = zone_status_get(curproc->p_zone); 301 ASSERT(zstate != ZONE_IS_READY); 302 return (0); 303 } 304 305 estate = kctx->auk_ets[event]; 306 307 /* now do preselection. Audit or not to Audit, that is the question */ 308 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) { 309 /* 310 * we assume that audit_finish will always be called. 311 */ 312 return (0); 313 } 314 315 /* 316 * if auditing not enabled, then don't generate an audit record 317 * and don't count it. 318 */ 319 if ((kctx->auk_auditstate != AUC_AUDITING && 320 kctx->auk_auditstate != AUC_INIT_AUDIT)) { 321 /* 322 * we assume that audit_finish will always be called. 323 */ 324 tad->tad_flag = 0; 325 return (0); 326 } 327 328 /* 329 * audit daemon has informed us that there is no longer any 330 * space left to hold audit records. We decide here if records 331 * should be dropped (but counted). 332 */ 333 if (kctx->auk_auditstate == AUC_NOSPACE) { 334 if ((kctx->auk_policy & AUDIT_CNT) || 335 (kctx->auk_policy & AUDIT_SCNT)) { 336 /* assume that audit_finish will always be called. */ 337 tad->tad_flag = 0; 338 339 /* just count # of dropped audit records */ 340 AS_INC(as_dropped, 1, kctx); 341 342 return (0); 343 } 344 } 345 346 tad->tad_event = event; 347 tad->tad_evmod = 0; 348 349 (*audit_s2e[scid].au_start)(tad); 350 351 return (0); 352 } 353 354 /* 355 * system call has completed. Now determine if we genearate an audit record 356 * or not. 357 */ 358 /*ARGSUSED*/ 359 void 360 audit_finish( 361 unsigned type, 362 unsigned scid, 363 int error, 364 rval_t *rval) 365 { 366 struct t_audit_data *tad; 367 int flag; 368 au_defer_info_t *attr; 369 au_kcontext_t *kctx = SET_KCTX_PZ; 370 371 if (kctx == NULL) { 372 zone_status_t zstate = zone_status_get(curproc->p_zone); 373 ASSERT(zstate != ZONE_IS_READY); 374 return; 375 } 376 377 tad = U2A(u); 378 379 /* 380 * Process all deferred events first. 381 */ 382 attr = tad->tad_defer_head; 383 while (attr != NULL) { 384 au_defer_info_t *tmp_attr = attr; 385 386 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 387 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 388 389 attr = attr->audi_next; 390 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 391 } 392 tad->tad_defer_head = tad->tad_defer_tail = NULL; 393 394 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 395 /* 396 * clear the ctrl flag so that we don't have spurious 397 * collection of audit information. 398 */ 399 tad->tad_scid = 0; 400 tad->tad_event = 0; 401 tad->tad_evmod = 0; 402 tad->tad_ctrl = 0; 403 ASSERT(tad->tad_aupath == NULL); 404 return; 405 } 406 407 scid = tad->tad_scid; 408 409 /* 410 * Perform any extra processing and determine if we are 411 * really going to generate any audit record. 412 */ 413 (*audit_s2e[scid].au_finish)(tad, error, rval); 414 if (tad->tad_flag) { 415 tad->tad_flag = 0; 416 417 if (flag = audit_success(kctx, tad, error)) { 418 unsigned int sy_flags; 419 cred_t *cr = CRED(); 420 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 421 422 ASSERT(ainfo != NULL); 423 424 /* Add subject information */ 425 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 426 427 if (tad->tad_evmod & PAD_SPRIVUSE) 428 au_write(&(u_ad), 429 au_to_privset("", &tad->tad_sprivs, 430 AUT_UPRIV, 1)); 431 432 if (tad->tad_evmod & PAD_FPRIVUSE) 433 au_write(&(u_ad), 434 au_to_privset("", &tad->tad_fprivs, 435 AUT_UPRIV, 0)); 436 437 /* Add a return token */ 438 #ifdef _SYSCALL32_IMPL 439 if (lwp_getdatamodel( 440 ttolwp(curthread)) == DATAMODEL_NATIVE) 441 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 442 else 443 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 444 #else 445 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 446 #endif 447 448 if (sy_flags == SE_32RVAL1) { 449 if (type == 0) { 450 au_write(&(u_ad), au_to_return32(error, 0)); 451 } else { 452 au_write(&(u_ad), au_to_return32(error, 453 rval->r_val1)); 454 } 455 } 456 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 457 if (type == 0) { 458 au_write(&(u_ad), au_to_return32(error, 0)); 459 } else { 460 au_write(&(u_ad), au_to_return32(error, 461 rval->r_val1)); 462 #ifdef NOTYET /* for possible future support */ 463 au_write(&(u_ad), au_to_return32(error, 464 rval->r_val2)); 465 #endif 466 } 467 } 468 if (sy_flags == SE_64RVAL) { 469 if (type == 0) { 470 au_write(&(u_ad), au_to_return64(error, 0)); 471 } else { 472 au_write(&(u_ad), au_to_return64(error, 473 rval->r_vals)); 474 } 475 } 476 477 AS_INC(as_generated, 1, kctx); 478 AS_INC(as_kernel, 1, kctx); 479 } 480 481 /* Close up everything */ 482 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 483 } 484 485 ASSERT(u_ad == NULL); 486 487 /* free up any space remaining with the path's */ 488 if (tad->tad_aupath != NULL) { 489 au_pathrele(tad->tad_aupath); 490 tad->tad_aupath = NULL; 491 tad->tad_vn = NULL; 492 } 493 494 /* free up any space remaining with openat path's */ 495 if (tad->tad_atpath) { 496 au_pathrele(tad->tad_atpath); 497 tad->tad_atpath = NULL; 498 } 499 500 /* 501 * clear the ctrl flag so that we don't have spurious collection of 502 * audit information. 503 */ 504 tad->tad_scid = 0; 505 tad->tad_event = 0; 506 tad->tad_evmod = 0; 507 tad->tad_ctrl = 0; 508 } 509 510 int 511 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error) 512 { 513 au_state_t ess; 514 au_state_t esf; 515 au_mask_t amask; 516 const auditinfo_addr_t *ainfo; 517 518 ess = esf = kctx->auk_ets[tad->tad_event]; 519 520 if (error) 521 tad->tad_evmod |= PAD_FAILURE; 522 523 /* see if we really want to generate an audit record */ 524 if (tad->tad_ctrl & PAD_NOAUDIT) 525 return (0); 526 527 /* 528 * nfs operation and we're auditing privilege or MAC. This 529 * is so we have a client audit record to match a nfs server 530 * audit record. 531 */ 532 if (tad->tad_ctrl & PAD_AUDITME) 533 return (AU_OK); 534 535 ainfo = crgetauinfo(CRED()); 536 if (ainfo == NULL) 537 return (0); 538 amask = ainfo->ai_mask; 539 540 if (error == 0) 541 return ((ess & amask.as_success) ? AU_OK : 0); 542 else 543 return ((esf & amask.as_failure) ? AU_OK : 0); 544 } 545 546 /* 547 * determine if we've preselected this event (system call). 548 */ 549 int 550 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 551 { 552 int flag = 0; 553 au_mask_t amask; 554 const auditinfo_addr_t *ainfo; 555 556 ainfo = crgetauinfo(CRED()); 557 if (ainfo == NULL) 558 return (0); 559 amask = ainfo->ai_mask; 560 561 /* preselected system call */ 562 563 if (amask.as_success & estate || amask.as_failure & estate) { 564 flag = 1; 565 } else if ((tad->tad_scid == SYS_putmsg) || 566 (tad->tad_scid == SYS_getmsg)) { 567 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 568 kctx->auk_ets[AUE_SOCKACCEPT] | 569 kctx->auk_ets[AUE_SOCKSEND] | 570 kctx->auk_ets[AUE_SOCKRECEIVE]; 571 if (amask.as_success & estate || amask.as_failure & estate) 572 flag = 1; 573 } 574 575 return (flag); 576 } 577