1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 /*
27 * This file contains the auditing system call code.
28 *
29 */
30
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/user.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/session.h> /* for session structure (auditctl(2) */
37 #include <sys/kmem.h> /* for KM_SLEEP */
38 #include <sys/cred.h>
39 #include <sys/types.h>
40 #include <sys/proc.h>
41 #include <sys/uio.h>
42 #include <sys/file.h>
43 #include <sys/stat.h>
44 #include <sys/pathname.h>
45 #include <sys/acct.h>
46 #include <sys/stropts.h>
47 #include <sys/exec.h>
48 #include <sys/thread.h>
49 #include <sys/cmn_err.h>
50 #include <sys/debug.h>
51 #include <sys/disp.h>
52 #include <sys/kobj.h>
53 #include <sys/sysmacros.h>
54 #include <sys/policy.h>
55 #include <sys/taskq.h>
56 #include <sys/zone.h>
57
58 #include <c2/audit.h>
59 #include <c2/audit_kernel.h>
60 #include <c2/audit_record.h>
61
62 #define HEADER_SIZE64 1;
63 #define HEADER_SIZE32 0;
64 #define AU_MIN_FILE_SZ 0x80000 /* minumum audit file size */
65 #define AUDIT_REC_SIZE 0x8000 /* maximum user audit record size */
66
67 extern pri_t minclsyspri; /* priority for taskq */
68
69 static clock_t au_resid = 15; /* wait .15 sec before droping a rec */
70
71 static void au_output_thread();
72
73 /*
74 * This is the loadable module wrapper.
75 */
76 #include <sys/modctl.h>
77
78 /*
79 * Module linkage information for the kernel.
80 */
81 static struct modlmisc modlmisc = {
82 &mod_miscops, "Solaris Auditing (C2)"
83 };
84
85 static struct modlinkage modlinkage = {
86 MODREV_1, (void *)&modlmisc, 0
87 };
88
89 int
_init()90 _init()
91 {
92 return (mod_install(&modlinkage));
93 }
94
95 int
_fini()96 _fini()
97 {
98 return (EBUSY);
99 }
100
101 int
_info(struct modinfo * modinfop)102 _info(struct modinfo *modinfop)
103 {
104 return (mod_info(&modlinkage, modinfop));
105 }
106
107 /*
108 * The audit system call. Trust what the user has sent down and save it
109 * away in the audit file. User passes a complete audit record and its
110 * length. We will fill in the time stamp, check the header and the length
111 * Put a trailer and a sequence token if policy requires.
112 * In the future length might become size_t instead of an int.
113 *
114 * The call is valid whether or not AUDIT_PERZONE is set (think of
115 * login to a zone). When the local audit state (auk_auditstate) is
116 * AUC_INIT_AUDIT, records are accepted even though auditd isn't
117 * running.
118 */
119 int
audit(caddr_t record,int length)120 audit(caddr_t record, int length)
121 {
122 char c;
123 int count, l;
124 token_t *m, *n, *s, *ad;
125 int hdrlen, delta;
126 adr_t hadr;
127 adr_t sadr;
128 int size; /* 0: 32 bit utility 1: 64 bit utility */
129 int host_len;
130 size_t zlen;
131 au_kcontext_t *kctx = GET_KCTX_PZ;
132 uint32_t auditing;
133
134 /* if auditing not enabled, then don't generate an audit record */
135 auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
136 U2A(u)->tad_audit : kctx->auk_auditstate;
137 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
138 return (0);
139
140 /* Only privileged processes can audit */
141 if (secpolicy_audit_modify(CRED()) != 0)
142 return (EPERM);
143
144 /* Max user record size is 32K */
145 if (length > AUDIT_REC_SIZE)
146 return (E2BIG);
147
148 /*
149 * The specified length must be at least as big as the smallest
150 * possible header token. Later after beginning to scan the
151 * header we'll determine the true minimum length according to
152 * the header type and attributes.
153 */
154 #define AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \
155 sizeof (char) + sizeof (short) + sizeof (short) + \
156 (sizeof (int32_t) * 2))
157
158 if (length < AU_MIN_HEADER_LEN)
159 return (EINVAL);
160
161 /* Read in user's audit record */
162 count = length;
163 m = n = s = ad = NULL;
164 while (count) {
165 m = au_getclr();
166 if (!s)
167 s = n = m;
168 else {
169 n->next_buf = m;
170 n = m;
171 }
172 l = MIN(count, AU_BUFSIZE);
173 if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
174 /* copyin failed release au_membuf */
175 au_free_rec(s);
176 return (EFAULT);
177 }
178 record += l;
179 count -= l;
180 m->len = (uchar_t)l;
181 }
182
183 /* Now attach the entire thing to ad */
184 au_write((caddr_t *)&(ad), s);
185
186 /* validate header token type. trust everything following it */
187 adr_start(&hadr, memtod(s, char *));
188 (void) adr_getchar(&hadr, &c);
189 switch (c) {
190 case AUT_HEADER32:
191 /* size vers+event_ID+event_modifier fields */
192 delta = 1 + 2 + 2;
193 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
194 size = HEADER_SIZE32;
195 break;
196
197 #ifdef _LP64
198 case AUT_HEADER64:
199 /* size vers+event_ID+event_modifier fields */
200 delta = 1 + 2 + 2;
201 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
202 size = HEADER_SIZE64;
203 break;
204 #endif
205
206 case AUT_HEADER32_EX:
207 /*
208 * Skip over the length/version/type/mod fields and
209 * grab the host address type (length), then rewind.
210 * This is safe per the previous minimum length check.
211 */
212 hadr.adr_now += 9;
213 (void) adr_getint32(&hadr, &host_len);
214 hadr.adr_now -= 9 + sizeof (int32_t);
215
216 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
217 delta = 1 + 2 + 2 + 4 + host_len;
218 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
219 size = HEADER_SIZE32;
220 break;
221
222 #ifdef _LP64
223 case AUT_HEADER64_EX:
224 /*
225 * Skip over the length/version/type/mod fields and grab
226 * the host address type (length), then rewind.
227 * This is safe per the previous minimum length check.
228 */
229 hadr.adr_now += 9;
230 (void) adr_getint32(&hadr, &host_len);
231 hadr.adr_now -= 9 + sizeof (int32_t);
232
233 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
234 delta = 1 + 2 + 2 + 4 + host_len;
235 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
236 size = HEADER_SIZE64;
237 break;
238 #endif
239
240 default:
241 /* Header is wrong, reject message */
242 au_free_rec(s);
243 return (EINVAL);
244 }
245
246 if (length < hdrlen) {
247 au_free_rec(s);
248 return (0);
249 }
250
251 /* advance over header token length field */
252 hadr.adr_now += 4;
253
254 /* validate version */
255 (void) adr_getchar(&hadr, &c);
256 if (c != TOKEN_VERSION) {
257 /* version is wrong, reject message */
258 au_free_rec(s);
259 return (EINVAL);
260 }
261
262 /* backup to header length field (including version field) */
263 hadr.adr_now -= 5;
264
265 /*
266 * add on the zonename token if policy AUDIT_ZONENAME is set
267 */
268 if (kctx->auk_policy & AUDIT_ZONENAME) {
269 zlen = au_zonename_length(NULL);
270 if (zlen > 0) {
271 length += zlen;
272 m = au_to_zonename(zlen, NULL);
273 (void) au_append_rec(ad, m, AU_PACK);
274 }
275 }
276 /* Add an (optional) sequence token. NULL offset if none */
277 if (kctx->auk_policy & AUDIT_SEQ) {
278 /* get the sequnce token */
279 m = au_to_seq();
280
281 /* sequence token 5 bytes long */
282 length += 5;
283
284 /* link to audit record (i.e. don't pack the data) */
285 (void) au_append_rec(ad, m, AU_LINK);
286
287 /* advance to count field of token */
288 adr_start(&sadr, memtod(m, char *));
289 sadr.adr_now += 1;
290 } else
291 sadr.adr_now = (char *)NULL;
292
293 /* add the (optional) trailer token */
294 if (kctx->auk_policy & AUDIT_TRAIL) {
295 /* trailer token is 7 bytes long */
296 length += 7;
297
298 /* append to audit record */
299 (void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
300 }
301
302 /* audit record completely assembled. set the length */
303 adr_int32(&hadr, (int32_t *)&length, 1);
304
305 /* advance to date/time field of header */
306 hadr.adr_now += delta;
307
308 /* We are done put it on the queue */
309 AS_INC(as_generated, 1, kctx);
310 AS_INC(as_audit, 1, kctx);
311
312 au_enqueue(kctx, s, &hadr, &sadr, size, 0);
313
314 AS_INC(as_totalsize, length, kctx);
315
316 return (0);
317 }
318
319 /*
320 * auditdoor starts a kernel thread to generate output from the audit
321 * queue. The thread terminates when it detects auditing being turned
322 * off, such as when auditd exits with a SIGTERM. If a subsequent
323 * auditdoor arrives while the thread is running, the door descriptor
324 * of the last auditdoor in will be used for output. auditd is responsible
325 * for insuring that multiple copies are not running.
326 */
327
328 int
auditdoor(int fd)329 auditdoor(int fd)
330 {
331 struct file *fp;
332 struct vnode *vp;
333 int do_create = 0;
334 au_kcontext_t *kctx;
335
336 if (secpolicy_audit_config(CRED()) != 0)
337 return (EPERM);
338
339 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
340 return (EINVAL);
341
342 kctx = GET_KCTX_NGZ;
343
344 /*
345 * convert file pointer to file descriptor
346 * Note: fd ref count incremented here.
347 */
348 if ((fp = (struct file *)getf(fd)) == NULL) {
349 return (EBADF);
350 }
351 vp = fp->f_vnode;
352 if (vp->v_type != VDOOR) {
353 cmn_err(CE_WARN,
354 "auditdoor() did not get the expected door descriptor\n");
355 releasef(fd);
356 return (EINVAL);
357 }
358 /*
359 * If the output thread is already running, then replace the
360 * door descriptor with the new one and continue; otherwise
361 * create the thread too. Since au_output_thread makes a call
362 * to au_doorio() which also does
363 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
364 * done after the unlock...
365 */
366 mutex_enter(&(kctx->auk_svc_lock));
367
368 if (kctx->auk_current_vp != NULL)
369 VN_RELE(kctx->auk_current_vp);
370
371 kctx->auk_current_vp = vp;
372 VN_HOLD(kctx->auk_current_vp);
373 releasef(fd);
374
375 if (!kctx->auk_output_active) {
376 kctx->auk_output_active = 1;
377 do_create = 1;
378 }
379 mutex_exit(&(kctx->auk_svc_lock));
380 if (do_create) {
381 kctx->auk_taskq =
382 taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
383 (void) taskq_dispatch(kctx->auk_taskq,
384 (task_func_t *)au_output_thread,
385 kctx, TQ_SLEEP);
386 }
387 return (0);
388 }
389
390 static void
audit_dont_stop(void * kctx)391 audit_dont_stop(void *kctx)
392 {
393
394 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
395 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
396 return;
397
398 mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
399 cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
400 mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
401 }
402
403 /*
404 * au_queue_kick -- wake up the output queue after delay ticks
405 */
406 static void
au_queue_kick(void * kctx)407 au_queue_kick(void *kctx)
408 {
409 /*
410 * wakeup reader if its not running and there is something
411 * to do. It also helps that kctx still be valid...
412 */
413
414 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
415 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
416 return;
417
418 if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
419 ((au_kcontext_t *)kctx)->auk_queue.rd_block)
420 cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
421
422 /* fire off timeout event to kick audit queue awake */
423 (void) timeout(au_queue_kick, kctx,
424 ((au_kcontext_t *)kctx)->auk_queue.delay);
425 }
426
427 /*
428 * output thread
429 *
430 * this runs "forever" where "forever" means until either auk_auditstate
431 * changes from AUC_AUDITING or if the door descriptor becomes invalid.
432 *
433 * there is one thread per active zone if AUC_PERZONE is set. Since
434 * there is the possibility that a zone may go down without auditd
435 * terminating properly, a zone shutdown kills its au_output_thread()
436 * via taskq_destroy().
437 */
438
439 static void
au_output_thread(au_kcontext_t * kctx)440 au_output_thread(au_kcontext_t *kctx)
441 {
442 int error = 0;
443
444 (void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
445
446 /*
447 * Wait for work, until a signal arrives,
448 * or until auditing is disabled.
449 */
450
451 while (!error) {
452 if (kctx->auk_auditstate == AUC_AUDITING) {
453 mutex_enter(&(kctx->auk_queue.lock));
454 while (kctx->auk_queue.head == NULL) {
455 /* safety check. kick writer awake */
456 if (kctx->auk_queue.wt_block) {
457 cv_broadcast(&(kctx->
458 auk_queue.write_cv));
459 }
460
461 kctx->auk_queue.rd_block = 1;
462 AS_INC(as_rblocked, 1, kctx);
463
464 cv_wait(&(kctx->auk_queue.read_cv),
465 &(kctx->auk_queue.lock));
466 kctx->auk_queue.rd_block = 0;
467
468 if (kctx->auk_auditstate != AUC_AUDITING) {
469 mutex_exit(&(kctx->auk_queue.lock));
470 (void) timeout(audit_dont_stop, kctx,
471 au_resid);
472 goto output_exit;
473 }
474 kctx->auk_queue.rd_block = 0;
475 }
476 mutex_exit(&(kctx->auk_queue.lock));
477 /*
478 * au_doorio() calls au_door_upcall which holds
479 * auk_svc_lock; au_doorio empties the queue before
480 * returning.
481 */
482
483 error = au_doorio(kctx);
484 } else {
485 /* auditing turned off while we slept */
486 break;
487 }
488 }
489 output_exit:
490 mutex_enter(&(kctx->auk_svc_lock));
491
492 VN_RELE(kctx->auk_current_vp);
493 kctx->auk_current_vp = NULL;
494
495 kctx->auk_output_active = 0;
496
497 mutex_exit(&(kctx->auk_svc_lock));
498 }
499