1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the envelope code for system call auditing. 30 */ 31 32 #include <sys/param.h> 33 #include <sys/types.h> 34 #include <sys/time.h> 35 #include <sys/kmem.h> 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/file.h> 39 #include <sys/user.h> 40 #include <sys/stropts.h> 41 #include <sys/systm.h> 42 #include <sys/pathname.h> 43 #include <sys/debug.h> 44 #include <sys/cred_impl.h> 45 #include <sys/zone.h> 46 #include <c2/audit.h> 47 #include <c2/audit_kernel.h> 48 #include <c2/audit_kevents.h> 49 #include <c2/audit_record.h> 50 #include "audit_door_infc.h" 51 52 extern uint_t num_syscall; /* size of audit_s2e table */ 53 extern kmutex_t pidlock; /* proc table lock */ 54 55 int audit_load = 0; /* set from /etc/system */ 56 57 struct p_audit_data *pad0; 58 struct t_audit_data *tad0; 59 60 /* 61 * Das Boot. Initialize first process. Also generate an audit record indicating 62 * that the system has been booted. 63 */ 64 void 65 audit_init() 66 { 67 kthread_t *au_thread; 68 token_t *rp = NULL; 69 label_t jb; 70 struct audit_path apempty; 71 auditinfo_addr_t *ainfo; 72 73 if (audit_load == 0) { 74 audit_active = 0; 75 au_auditstate = AUC_DISABLED; 76 return; 77 #ifdef DEBUG 78 } else if (audit_load == 2) { 79 debug_enter((char *)NULL); 80 #endif 81 } 82 83 audit_active = 1; 84 set_all_proc_sys(); /* set pre- and post-syscall flags */ 85 86 /* initialize memory allocators */ 87 au_mem_init(); 88 89 au_zone_setup(); 90 91 /* inital thread structure */ 92 tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 93 94 /* initial process structure */ 95 pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 96 bzero(&pad0->pad_data, sizeof (pad0->pad_data)); 97 98 T2A(curthread) = tad0; 99 P2A(curproc) = pad0; 100 101 /* 102 * The kernel allocates a bunch of threads make sure they have 103 * a valid tad 104 */ 105 106 mutex_enter(&pidlock); 107 108 au_thread = curthread; 109 do { 110 if (T2A(au_thread) == NULL) { 111 T2A(au_thread) = tad0; 112 } 113 au_thread = au_thread->t_next; 114 } while (au_thread != curthread); 115 116 tad0->tad_ad = NULL; 117 mutex_exit(&pidlock); 118 119 /* 120 * Initialize audit context in our cred (kcred). 121 * No copy-on-write needed here because it's so early in init. 122 */ 123 ainfo = crgetauinfo_modifiable(kcred); 124 ASSERT(ainfo != NULL); 125 bzero(ainfo, sizeof (auditinfo_addr_t)); 126 ainfo->ai_auid = AU_NOAUDITID; 127 128 /* fabricate an empty audit_path to extend */ 129 apempty.audp_cnt = 0; 130 apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]); 131 pad0->pad_root = au_pathdup(&apempty, 1, 2); 132 bcopy("/", pad0->pad_root->audp_sect[0], 2); 133 au_pathhold(pad0->pad_root); 134 pad0->pad_cwd = pad0->pad_root; 135 136 /* 137 * setup environment for asynchronous auditing. We can't use 138 * audit_async_start() here since it assumes the audit system 139 * has been started via auditd(1m). auditd sets the variable, 140 * auk_auditstate, to indicate audit record generation should 141 * commence. Here we want to always generate an audit record. 142 */ 143 if (setjmp(&jb)) { 144 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 145 audit_async_drop((caddr_t *)(&rp), 0); 146 return; 147 } 148 149 ASSERT(tad0->tad_errjmp == NULL); 150 tad0->tad_errjmp = (void *)&jb; 151 tad0->tad_ctrl |= PAD_ERRJMP; 152 153 /* generate a system-booted audit record */ 154 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 155 156 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL); 157 } 158 159 void 160 audit_free() 161 { 162 } 163 164 /* 165 * Check for any pending changes to the audit context for the given proc. 166 * p_crlock and pad_lock for the process are acquired here. Caller is 167 * responsible for assuring the process doesn't go away. If context is 168 * updated, the specified cralloc'ed cred will be used, otherwise it's freed. 169 * If no cred is given, it will be cralloc'ed here and caller assures that 170 * it is safe to allocate memory. 171 */ 172 void 173 audit_update_context(proc_t *p, cred_t *ncr) 174 { 175 struct p_audit_data *pad; 176 cred_t *newcred = ncr; 177 178 pad = P2A(p); 179 if (pad == NULL) { 180 if (newcred != NULL) 181 crfree(newcred); 182 return; 183 } 184 185 /* If a mask update is pending, take care of it. */ 186 if (pad->pad_flags & PAD_SETMASK) { 187 auditinfo_addr_t *ainfo; 188 189 if (newcred == NULL) 190 newcred = cralloc(); 191 192 mutex_enter(&pad->pad_lock); 193 /* the condition may have been handled by the time we lock */ 194 if (pad->pad_flags & PAD_SETMASK) { 195 ainfo = crgetauinfo_modifiable(newcred); 196 if (ainfo == NULL) { 197 mutex_enter(&pad->pad_lock); 198 crfree(newcred); 199 return; 200 } 201 202 mutex_enter(&p->p_crlock); 203 crcopy_to(p->p_cred, newcred); 204 p->p_cred = newcred; 205 206 ainfo->ai_mask = pad->pad_newmask; 207 208 /* Unlock and cleanup. */ 209 mutex_exit(&p->p_crlock); 210 pad->pad_flags &= ~PAD_SETMASK; 211 212 /* 213 * For curproc, assure that our thread points to right 214 * cred, so CRED() will be correct. Otherwise, no need 215 * to broadcast changes (via set_proc_pre_sys), since 216 * t_pre_sys is ALWAYS on when audit is enabled... due 217 * to syscall auditing. 218 */ 219 if (p == curproc) 220 crset(p, newcred); 221 else 222 crfree(newcred); 223 } else { 224 crfree(newcred); 225 } 226 mutex_exit(&pad->pad_lock); 227 } else { 228 if (newcred != NULL) 229 crfree(newcred); 230 } 231 } 232 233 234 /* 235 * Enter system call. Do any necessary setup here. allocate resouces, etc. 236 */ 237 238 #include <sys/syscall.h> 239 240 241 /*ARGSUSED*/ 242 int 243 audit_start( 244 unsigned type, 245 unsigned scid, 246 int error, 247 klwp_t *lwp) 248 { 249 int ctrl; 250 au_event_t event; 251 au_state_t estate; 252 struct t_audit_data *tad; 253 au_kcontext_t *kctx; 254 255 tad = U2A(u); 256 ASSERT(tad != NULL); 257 258 if (error) { 259 tad->tad_ctrl = 0; 260 tad->tad_flag = 0; 261 return (0); 262 } 263 264 audit_update_context(curproc, NULL); 265 266 /* 267 * if this is an indirect system call then don't do anything. 268 * audit_start will be called again from indir() in trap.c 269 */ 270 if (scid == 0) { 271 tad->tad_ctrl = 0; 272 tad->tad_flag = 0; 273 return (0); 274 } 275 if (scid >= num_syscall) 276 scid = 0; 277 278 /* we can no longer ber guarantied a valid lwp_ap */ 279 /* so we need to force it valid a lot of stuff needs it */ 280 (void) save_syscall_args(); 281 282 /* get control information */ 283 ctrl = audit_s2e[scid].au_ctrl; 284 285 /* 286 * We need to gather paths for certain system calls even if they are 287 * not audited so that we can audit the various f* calls and be 288 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 289 * system call regardless if the call is audited or not. 290 * We allow the au_init() routine to adjust the tad_ctrl. 291 */ 292 tad->tad_ctrl = ctrl; 293 tad->tad_scid = scid; 294 295 /* get basic event for system call */ 296 event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event); 297 298 kctx = GET_KCTX_PZ; 299 300 estate = kctx->auk_ets[event]; 301 302 /* now do preselection. Audit or not to Audit, that is the question */ 303 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) { 304 /* 305 * we assume that audit_finish will always be called. 306 */ 307 return (0); 308 } 309 310 /* 311 * if auditing not enabled, then don't generate an audit record 312 * and don't count it. 313 */ 314 if ((kctx->auk_auditstate != AUC_AUDITING && 315 kctx->auk_auditstate != AUC_INIT_AUDIT)) { 316 /* 317 * we assume that audit_finish will always be called. 318 */ 319 tad->tad_flag = 0; 320 return (0); 321 } 322 323 /* 324 * audit daemon has informed us that there is no longer any 325 * space left to hold audit records. We decide here if records 326 * should be dropped (but counted). 327 */ 328 if (kctx->auk_auditstate == AUC_NOSPACE) { 329 if ((kctx->auk_policy & AUDIT_CNT) || 330 (kctx->auk_policy & AUDIT_SCNT)) { 331 /* assume that audit_finish will always be called. */ 332 tad->tad_flag = 0; 333 334 /* just count # of dropped audit records */ 335 AS_INC(as_dropped, 1, kctx); 336 337 return (0); 338 } 339 } 340 341 tad->tad_event = event; 342 tad->tad_evmod = 0; 343 344 (*audit_s2e[scid].au_start)(tad); 345 346 return (0); 347 } 348 349 /* 350 * system call has completed. Now determine if we genearate an audit record 351 * or not. 352 */ 353 /*ARGSUSED*/ 354 void 355 audit_finish( 356 unsigned type, 357 unsigned scid, 358 int error, 359 rval_t *rval) 360 { 361 struct t_audit_data *tad; 362 int flag; 363 au_defer_info_t *attr; 364 au_kcontext_t *kctx = GET_KCTX_PZ; 365 366 tad = U2A(u); 367 368 /* 369 * Process all deferred events first. 370 */ 371 attr = tad->tad_defer_head; 372 while (attr != NULL) { 373 au_defer_info_t *tmp_attr = attr; 374 375 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 376 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 377 378 attr = attr->audi_next; 379 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 380 } 381 tad->tad_defer_head = tad->tad_defer_tail = NULL; 382 383 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 384 /* 385 * clear the ctrl flag so that we don't have spurious 386 * collection of audit information. 387 */ 388 tad->tad_scid = 0; 389 tad->tad_event = 0; 390 tad->tad_evmod = 0; 391 tad->tad_ctrl = 0; 392 ASSERT(tad->tad_aupath == NULL); 393 return; 394 } 395 396 scid = tad->tad_scid; 397 398 /* 399 * Perform any extra processing and determine if we are 400 * really going to generate any audit record. 401 */ 402 (*audit_s2e[scid].au_finish)(tad, error, rval); 403 if (tad->tad_flag) { 404 tad->tad_flag = 0; 405 406 if (flag = audit_success(kctx, tad, error, NULL)) { 407 unsigned int sy_flags; 408 cred_t *cr = CRED(); 409 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 410 411 ASSERT(ainfo != NULL); 412 413 /* Add subject information */ 414 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 415 416 if (tad->tad_evmod & PAD_SPRIVUSE) 417 au_write(&(u_ad), 418 au_to_privset("", &tad->tad_sprivs, 419 AUT_UPRIV, 1)); 420 421 if (tad->tad_evmod & PAD_FPRIVUSE) 422 au_write(&(u_ad), 423 au_to_privset("", &tad->tad_fprivs, 424 AUT_UPRIV, 0)); 425 426 /* Add a return token */ 427 #ifdef _SYSCALL32_IMPL 428 if (lwp_getdatamodel( 429 ttolwp(curthread)) == DATAMODEL_NATIVE) 430 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 431 else 432 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 433 #else 434 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 435 #endif 436 437 if (sy_flags == SE_32RVAL1) { 438 if (type == 0) { 439 au_write(&(u_ad), au_to_return32(error, 0)); 440 } else { 441 au_write(&(u_ad), au_to_return32(error, 442 rval->r_val1)); 443 } 444 } 445 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 446 if (type == 0) { 447 au_write(&(u_ad), au_to_return32(error, 0)); 448 } else { 449 au_write(&(u_ad), au_to_return32(error, 450 rval->r_val1)); 451 #ifdef NOTYET /* for possible future support */ 452 au_write(&(u_ad), au_to_return32(error, 453 rval->r_val2)); 454 #endif 455 } 456 } 457 if (sy_flags == SE_64RVAL) { 458 if (type == 0) { 459 au_write(&(u_ad), au_to_return64(error, 0)); 460 } else { 461 au_write(&(u_ad), au_to_return64(error, 462 rval->r_vals)); 463 } 464 } 465 466 AS_INC(as_generated, 1, kctx); 467 AS_INC(as_kernel, 1, kctx); 468 } 469 470 /* Close up everything */ 471 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 472 } 473 474 ASSERT(u_ad == NULL); 475 476 /* free up any space remaining with the path's */ 477 if (tad->tad_aupath != NULL) { 478 au_pathrele(tad->tad_aupath); 479 tad->tad_aupath = NULL; 480 tad->tad_vn = NULL; 481 } 482 483 /* free up any space remaining with openat path's */ 484 if (tad->tad_atpath) { 485 au_pathrele(tad->tad_atpath); 486 tad->tad_atpath = NULL; 487 } 488 489 /* 490 * clear the ctrl flag so that we don't have spurious collection of 491 * audit information. 492 */ 493 tad->tad_scid = 0; 494 tad->tad_event = 0; 495 tad->tad_evmod = 0; 496 tad->tad_ctrl = 0; 497 } 498 499 int 500 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error, 501 cred_t *cr) 502 { 503 au_state_t ess; 504 au_state_t esf; 505 au_mask_t amask; 506 const auditinfo_addr_t *ainfo; 507 508 ess = esf = kctx->auk_ets[tad->tad_event]; 509 510 if (error) 511 tad->tad_evmod |= PAD_FAILURE; 512 513 /* see if we really want to generate an audit record */ 514 if (tad->tad_ctrl & PAD_NOAUDIT) 515 return (0); 516 517 /* 518 * nfs operation and we're auditing privilege or MAC. This 519 * is so we have a client audit record to match a nfs server 520 * audit record. 521 */ 522 if (tad->tad_ctrl & PAD_AUDITME) 523 return (AU_OK); 524 525 /* 526 * Used passed cred if available, otherwise use cred from kernel thread 527 */ 528 if (cr == NULL) 529 cr = CRED(); 530 ainfo = crgetauinfo(cr); 531 if (ainfo == NULL) 532 return (0); 533 amask = ainfo->ai_mask; 534 535 if (error == 0) 536 return ((ess & amask.as_success) ? AU_OK : 0); 537 else 538 return ((esf & amask.as_failure) ? AU_OK : 0); 539 } 540 541 /* 542 * determine if we've preselected this event (system call). 543 */ 544 int 545 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 546 { 547 int flag = 0; 548 au_mask_t amask; 549 const auditinfo_addr_t *ainfo; 550 551 ainfo = crgetauinfo(CRED()); 552 if (ainfo == NULL) 553 return (0); 554 amask = ainfo->ai_mask; 555 556 /* preselected system call */ 557 558 if (amask.as_success & estate || amask.as_failure & estate) { 559 flag = 1; 560 } else if ((tad->tad_scid == SYS_putmsg) || 561 (tad->tad_scid == SYS_getmsg)) { 562 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 563 kctx->auk_ets[AUE_SOCKACCEPT] | 564 kctx->auk_ets[AUE_SOCKSEND] | 565 kctx->auk_ets[AUE_SOCKRECEIVE]; 566 if (amask.as_success & estate || amask.as_failure & estate) 567 flag = 1; 568 } 569 570 return (flag); 571 } 572