1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the envelope code for system call auditing. 30 */ 31 32 #include <sys/param.h> 33 #include <sys/types.h> 34 #include <sys/time.h> 35 #include <sys/kmem.h> 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/file.h> 39 #include <sys/user.h> 40 #include <sys/stropts.h> 41 #include <sys/systm.h> 42 #include <sys/pathname.h> 43 #include <sys/debug.h> 44 #include <sys/cred_impl.h> 45 #include <sys/zone.h> 46 #include <c2/audit.h> 47 #include <c2/audit_kernel.h> 48 #include <c2/audit_kevents.h> 49 #include <c2/audit_record.h> 50 #include "audit_door_infc.h" 51 52 extern uint_t num_syscall; /* size of audit_s2e table */ 53 extern kmutex_t pidlock; /* proc table lock */ 54 55 int audit_load = 0; /* set from /etc/system */ 56 57 struct p_audit_data *pad0; 58 struct t_audit_data *tad0; 59 60 /* 61 * Das Boot. Initialize first process. Also generate an audit record indicating 62 * that the system has been booted. 63 */ 64 void 65 audit_init() 66 { 67 kthread_t *au_thread; 68 token_t *rp = NULL; 69 label_t jb; 70 struct audit_path apempty; 71 auditinfo_addr_t *ainfo; 72 73 if (audit_load == 0) { 74 audit_active = 0; 75 au_auditstate = AUC_DISABLED; 76 return; 77 #ifdef DEBUG 78 } else if (audit_load == 2) { 79 debug_enter((char *)NULL); 80 #endif 81 } 82 83 audit_active = 1; 84 set_all_proc_sys(); /* set pre- and post-syscall flags */ 85 86 /* initialize memory allocators */ 87 au_mem_init(); 88 89 au_zone_setup(); 90 91 /* inital thread structure */ 92 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 93 94 /* initial process structure */ 95 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 96 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 97 98 T2A(curthread) = tad0; 99 P2A(curproc) = pad0; 100 101 /* 102 * The kernel allocates a bunch of threads make sure they have 103 * a valid tad 104 */ 105 106 mutex_enter(&pidlock); 107 108 au_thread = curthread; 109 do { 110 if (T2A(au_thread) == NULL) { 111 T2A(au_thread) = tad0; 112 } 113 au_thread = au_thread->t_next; 114 } while (au_thread != curthread); 115 116 tad0->tad_ad = NULL; 117 mutex_exit(&pidlock); 118 119 /* 120 * Initialize audit context in our cred (kcred). 121 * No copy-on-write needed here because it's so early in init. 122 */ 123 ainfo = crgetauinfo_modifiable(kcred); 124 ASSERT(ainfo != NULL); 125 bzero(ainfo, sizeof (auditinfo_addr_t)); 126 ainfo->ai_auid = AU_NOAUDITID; 127 128 /* fabricate an empty audit_path to extend */ 129 apempty.audp_cnt = 0; 130 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 131 pad0->pad_root = au_pathdup(&apempty, 1, 2); 132 bcopy("/", pad0->pad_root->audp_sect[0], 2); 133 au_pathhold(pad0->pad_root); 134 pad0->pad_cwd = pad0->pad_root; 135 136 /* 137 * setup environment for asynchronous auditing. We can't use 138 * audit_async_start() here since it assumes the audit system 139 * has been started via auditd(1m). auditd sets the variable, 140 * auk_auditstate, to indicate audit record generation should 141 * commence. Here we want to always generate an audit record. 142 */ 143 if (setjmp(&jb)) { 144 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 145 audit_async_drop((caddr_t *)(&rp), 0); 146 return; 147 } 148 149 ASSERT(tad0->tad_errjmp == NULL); 150 tad0->tad_errjmp = (void *)&jb; 151 tad0->tad_ctrl |= PAD_ERRJMP; 152 153 /* generate a system-booted audit record */ 154 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 155 156 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL); 157 } 158 159 void 160 audit_free() 161 { 162 } 163 164 /* 165 * Check for any pending changes to the audit context for the given proc. 166 * p_crlock and pad_lock for the process are acquired here. Caller is 167 * responsible for assuring the process doesn't go away. If context is 168 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 169 * If no cred is given, it will be cralloc'ed here and caller assures that 170 * it is safe to allocate memory. 171 */ 172 void 173 audit_update_context(proc_t *p, cred_t *ncr) 174 { 175 struct p_audit_data *pad; 176 cred_t *newcred = ncr; 177 178 pad = P2A(p); 179 if (pad == NULL) { 180 if (newcred != NULL) 181 crfree(newcred); 182 return; 183 } 184 185 /* If a mask update is pending, take care of it. */ 186 if (pad->pad_flags & PAD_SETMASK) { 187 auditinfo_addr_t *ainfo; 188 189 if (newcred == NULL) 190 newcred = cralloc(); 191 192 mutex_enter(&pad->pad_lock); 193 /* the condition may have been handled by the time we lock */ 194 if (pad->pad_flags & PAD_SETMASK) { 195 ainfo = crgetauinfo_modifiable(newcred); 196 if (ainfo == NULL) { 197 mutex_enter(&pad->pad_lock); 198 crfree(newcred); 199 return; 200 } 201 202 mutex_enter(&p->p_crlock); 203 crcopy_to(p->p_cred, newcred); 204 p->p_cred = newcred; 205 206 ainfo->ai_mask = pad->pad_newmask; 207 208 /* Unlock and cleanup. */ 209 mutex_exit(&p->p_crlock); 210 pad->pad_flags &= ~PAD_SETMASK; 211 212 /* 213 * For curproc, assure that our thread points to right 214 * cred, so CRED() will be correct. Otherwise, no need 215 * to broadcast changes (via set_proc_pre_sys), since 216 * t_pre_sys is ALWAYS on when audit is enabled... due 217 * to syscall auditing. 218 */ 219 if (p == curproc) 220 crset(p, newcred); 221 else 222 crfree(newcred); 223 } else { 224 crfree(newcred); 225 } 226 mutex_exit(&pad->pad_lock); 227 } else { 228 if (newcred != NULL) 229 crfree(newcred); 230 } 231 } 232 233 234 /* 235 * Enter system call. Do any necessary setup here. allocate resouces, etc. 236 */ 237 238 #include <sys/syscall.h> 239 240 241 /*ARGSUSED*/ 242 int 243 audit_start( 244 unsigned type, 245 unsigned scid, 246 int error, 247 klwp_t *lwp) 248 { 249 struct t_audit_data *tad; 250 au_kcontext_t *kctx; 251 252 tad = U2A(u); 253 ASSERT(tad != NULL); 254 255 if (error) { 256 tad->tad_ctrl = 0; 257 tad->tad_flag = 0; 258 return (0); 259 } 260 261 audit_update_context(curproc, NULL); 262 263 /* 264 * if this is an indirect system call then don't do anything. 265 * audit_start will be called again from indir() in trap.c 266 */ 267 if (scid == 0) { 268 tad->tad_ctrl = 0; 269 tad->tad_flag = 0; 270 return (0); 271 } 272 if (scid >= num_syscall) 273 scid = 0; 274 275 /* 276 * we can no longer depend on a valid lwp_ap, so we need to 277 * copy the syscall args as future audit stuff may need them. 278 */ 279 (void) save_syscall_args(); 280 281 /* 282 * We need to gather paths for certain system calls even if they are 283 * not audited so that we can audit the various f* calls and be 284 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 285 * system call regardless if the call is audited or not. 286 * We allow the event specific initial processing routines (au_init) 287 * to adjust the tad_ctrl as necessary. 288 */ 289 tad->tad_ctrl = audit_s2e[scid].au_ctrl; 290 tad->tad_scid = scid; 291 292 /* get basic event for system call */ 293 tad->tad_event = audit_s2e[scid].au_event; 294 if (audit_s2e[scid].au_init != NULL) { 295 /* get specific event */ 296 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event); 297 } 298 299 kctx = GET_KCTX_PZ; 300 301 /* now do preselection. Audit or not to Audit, that is the question */ 302 if ((tad->tad_flag = auditme(kctx, tad, 303 kctx->auk_ets[tad->tad_event])) == 0) { 304 /* 305 * we assume that audit_finish will always be called. 306 */ 307 return (0); 308 } 309 310 /* 311 * if auditing not enabled, then don't generate an audit record 312 * and don't count it. 313 */ 314 if ((kctx->auk_auditstate != AUC_AUDITING && 315 kctx->auk_auditstate != AUC_INIT_AUDIT)) { 316 /* 317 * we assume that audit_finish will always be called. 318 */ 319 tad->tad_flag = 0; 320 return (0); 321 } 322 323 /* 324 * audit daemon has informed us that there is no longer any 325 * space left to hold audit records. We decide here if records 326 * should be dropped (but counted). 327 */ 328 if (kctx->auk_auditstate == AUC_NOSPACE) { 329 if ((kctx->auk_policy & AUDIT_CNT) || 330 (kctx->auk_policy & AUDIT_SCNT)) { 331 /* assume that audit_finish will always be called. */ 332 tad->tad_flag = 0; 333 334 /* just count # of dropped audit records */ 335 AS_INC(as_dropped, 1, kctx); 336 337 return (0); 338 } 339 } 340 341 tad->tad_evmod = 0; 342 343 if (audit_s2e[scid].au_start != NULL) { 344 /* do start of system call processing */ 345 (*audit_s2e[scid].au_start)(tad); 346 } 347 348 return (0); 349 } 350 351 /* 352 * system call has completed. Now determine if we genearate an audit record 353 * or not. 354 */ 355 /*ARGSUSED*/ 356 void 357 audit_finish( 358 unsigned type, 359 unsigned scid, 360 int error, 361 rval_t *rval) 362 { 363 struct t_audit_data *tad; 364 int flag; 365 au_defer_info_t *attr; 366 au_kcontext_t *kctx = GET_KCTX_PZ; 367 368 tad = U2A(u); 369 370 /* 371 * Process all deferred events first. 372 */ 373 attr = tad->tad_defer_head; 374 while (attr != NULL) { 375 au_defer_info_t *tmp_attr = attr; 376 377 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 378 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 379 380 attr = attr->audi_next; 381 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 382 } 383 tad->tad_defer_head = tad->tad_defer_tail = NULL; 384 385 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 386 /* 387 * clear the ctrl flag so that we don't have spurious 388 * collection of audit information. 389 */ 390 tad->tad_scid = 0; 391 tad->tad_event = 0; 392 tad->tad_evmod = 0; 393 tad->tad_ctrl = 0; 394 ASSERT(tad->tad_aupath == NULL); 395 return; 396 } 397 398 scid = tad->tad_scid; 399 400 /* 401 * Perform any extra processing and determine if we are 402 * really going to generate any audit record. 403 */ 404 if (audit_s2e[scid].au_finish != NULL) { 405 /* do any post system call processing */ 406 (*audit_s2e[scid].au_finish)(tad, error, rval); 407 } 408 if (tad->tad_flag) { 409 tad->tad_flag = 0; 410 411 if (flag = audit_success(kctx, tad, error, NULL)) { 412 unsigned int sy_flags; 413 cred_t *cr = CRED(); 414 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 415 416 ASSERT(ainfo != NULL); 417 418 /* Add subject information */ 419 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 420 421 if (tad->tad_evmod & PAD_SPRIVUSE) { 422 au_write(&(u_ad), 423 au_to_privset("", &tad->tad_sprivs, 424 AUT_UPRIV, 1)); 425 } 426 427 if (tad->tad_evmod & PAD_FPRIVUSE) { 428 au_write(&(u_ad), 429 au_to_privset("", &tad->tad_fprivs, 430 AUT_UPRIV, 0)); 431 } 432 433 /* Add a return token */ 434 #ifdef _SYSCALL32_IMPL 435 if (lwp_getdatamodel(ttolwp(curthread)) == 436 DATAMODEL_NATIVE) { 437 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 438 } else { 439 sy_flags = 440 sysent32[scid].sy_flags & SE_RVAL_MASK; 441 } 442 #else /* _SYSCALL64_IMPL */ 443 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 444 #endif /* _SYSCALL32_IMPL */ 445 446 if (sy_flags == SE_32RVAL1) { 447 if (type == 0) { 448 au_write(&(u_ad), 449 au_to_return32(error, 0)); 450 } else { 451 au_write(&(u_ad), au_to_return32(error, 452 rval->r_val1)); 453 } 454 } 455 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 456 if (type == 0) { 457 au_write(&(u_ad), 458 au_to_return32(error, 0)); 459 } else { 460 au_write(&(u_ad), 461 au_to_return32(error, 462 rval->r_val1)); 463 #ifdef NOTYET /* for possible future support */ 464 au_write(&(u_ad), au_to_return32(error, 465 rval->r_val2)); 466 #endif 467 } 468 } 469 if (sy_flags == SE_64RVAL) { 470 if (type == 0) { 471 au_write(&(u_ad), 472 au_to_return64(error, 0)); 473 } else { 474 au_write(&(u_ad), au_to_return64(error, 475 rval->r_vals)); 476 } 477 } 478 479 AS_INC(as_generated, 1, kctx); 480 AS_INC(as_kernel, 1, kctx); 481 } 482 483 /* Close up everything */ 484 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 485 } 486 487 ASSERT(u_ad == NULL); 488 489 /* free up any space remaining with the path's */ 490 if (tad->tad_aupath != NULL) { 491 au_pathrele(tad->tad_aupath); 492 tad->tad_aupath = NULL; 493 tad->tad_vn = NULL; 494 } 495 496 /* free up any space remaining with openat path's */ 497 if (tad->tad_atpath) { 498 au_pathrele(tad->tad_atpath); 499 tad->tad_atpath = NULL; 500 } 501 502 /* 503 * clear the ctrl flag so that we don't have spurious collection of 504 * audit information. 505 */ 506 tad->tad_scid = 0; 507 tad->tad_event = 0; 508 tad->tad_evmod = 0; 509 tad->tad_ctrl = 0; 510 } 511 512 int 513 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error, 514 cred_t *cr) 515 { 516 au_state_t ess; 517 au_state_t esf; 518 au_mask_t amask; 519 const auditinfo_addr_t *ainfo; 520 521 ess = esf = kctx->auk_ets[tad->tad_event]; 522 523 if (error) 524 tad->tad_evmod |= PAD_FAILURE; 525 526 /* see if we really want to generate an audit record */ 527 if (tad->tad_ctrl & PAD_NOAUDIT) 528 return (0); 529 530 /* 531 * nfs operation and we're auditing privilege or MAC. This 532 * is so we have a client audit record to match a nfs server 533 * audit record. 534 */ 535 if (tad->tad_ctrl & PAD_AUDITME) 536 return (AU_OK); 537 538 /* 539 * Used passed cred if available, otherwise use cred from kernel thread 540 */ 541 if (cr == NULL) 542 cr = CRED(); 543 ainfo = crgetauinfo(cr); 544 if (ainfo == NULL) 545 return (0); 546 amask = ainfo->ai_mask; 547 548 if (error == 0) 549 return ((ess & amask.as_success) ? AU_OK : 0); 550 else 551 return ((esf & amask.as_failure) ? AU_OK : 0); 552 } 553 554 /* 555 * determine if we've preselected this event (system call). 556 */ 557 int 558 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 559 { 560 int flag = 0; 561 au_mask_t amask; 562 const auditinfo_addr_t *ainfo; 563 564 ainfo = crgetauinfo(CRED()); 565 if (ainfo == NULL) 566 return (0); 567 amask = ainfo->ai_mask; 568 569 /* preselected system call */ 570 571 if (amask.as_success & estate || amask.as_failure & estate) { 572 flag = 1; 573 } else if ((tad->tad_scid == SYS_putmsg) || 574 (tad->tad_scid == SYS_getmsg)) { 575 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 576 kctx->auk_ets[AUE_SOCKACCEPT] | 577 kctx->auk_ets[AUE_SOCKSEND] | 578 kctx->auk_ets[AUE_SOCKRECEIVE]; 579 if (amask.as_success & estate || amask.as_failure & estate) 580 flag = 1; 581 } 582 583 return (flag); 584 } 585