xref: /titanic_44/usr/src/uts/common/c2/audit_start.c (revision fdd1ecae0dfe07e6aa8ee90687e2e91c876dc189)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file contains the envelope code for system call auditing.
30  */
31 
32 #include <sys/param.h>
33 #include <sys/types.h>
34 #include <sys/time.h>
35 #include <sys/kmem.h>
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/file.h>
39 #include <sys/user.h>
40 #include <sys/stropts.h>
41 #include <sys/systm.h>
42 #include <sys/pathname.h>
43 #include <sys/debug.h>
44 #include <sys/cred_impl.h>
45 #include <sys/zone.h>
46 #include <c2/audit.h>
47 #include <c2/audit_kernel.h>
48 #include <c2/audit_kevents.h>
49 #include <c2/audit_record.h>
50 #include "audit_door_infc.h"
51 
52 extern uint_t num_syscall;		/* size of audit_s2e table */
53 extern kmutex_t pidlock;		/* proc table lock */
54 
55 int audit_load = 0;	/* set from /etc/system */
56 
57 struct p_audit_data *pad0;
58 struct t_audit_data *tad0;
59 
60 /*
61  * Das Boot. Initialize first process. Also generate an audit record indicating
62  * that the system has been booted.
63  */
64 void
65 audit_init()
66 {
67 	kthread_t *au_thread;
68 	token_t *rp = NULL;
69 	label_t jb;
70 	struct audit_path apempty;
71 	auditinfo_addr_t *ainfo;
72 
73 	if (audit_load == 0) {
74 		audit_active = 0;
75 		au_auditstate = AUC_DISABLED;
76 		return;
77 #ifdef DEBUG
78 	} else if (audit_load == 2) {
79 		debug_enter((char *)NULL);
80 #endif
81 	}
82 
83 	audit_active = 1;
84 	set_all_proc_sys();		/* set pre- and post-syscall flags */
85 
86 	/* initialize memory allocators */
87 	au_mem_init();
88 
89 	au_zone_setup();
90 
91 	/* inital thread structure */
92 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
93 
94 	/* initial process structure */
95 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
96 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
97 
98 	T2A(curthread) = tad0;
99 	P2A(curproc) = pad0;
100 
101 	/*
102 	 * The kernel allocates a bunch of threads make sure they have
103 	 * a valid tad
104 	 */
105 
106 	mutex_enter(&pidlock);
107 
108 	au_thread = curthread;
109 	do {
110 		if (T2A(au_thread) == NULL) {
111 			T2A(au_thread) = tad0;
112 		}
113 		au_thread = au_thread->t_next;
114 	} while (au_thread != curthread);
115 
116 	tad0->tad_ad   = NULL;
117 	mutex_exit(&pidlock);
118 
119 	/*
120 	 * Initialize audit context in our cred (kcred).
121 	 * No copy-on-write needed here because it's so early in init.
122 	 */
123 	ainfo = crgetauinfo_modifiable(kcred);
124 	ASSERT(ainfo != NULL);
125 	bzero(ainfo, sizeof (auditinfo_addr_t));
126 	ainfo->ai_auid = AU_NOAUDITID;
127 
128 	/* fabricate an empty audit_path to extend */
129 	apempty.audp_cnt = 0;
130 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
131 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
132 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
133 	au_pathhold(pad0->pad_root);
134 	pad0->pad_cwd = pad0->pad_root;
135 
136 	/*
137 	 * setup environment for asynchronous auditing. We can't use
138 	 * audit_async_start() here since it assumes the audit system
139 	 * has been started via auditd(1m). auditd sets the variable,
140 	 * auk_auditstate, to indicate audit record generation should
141 	 * commence. Here we want to always generate an audit record.
142 	 */
143 	if (setjmp(&jb)) {
144 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
145 		audit_async_drop((caddr_t *)(&rp), 0);
146 		return;
147 	}
148 
149 	ASSERT(tad0->tad_errjmp == NULL);
150 	tad0->tad_errjmp = (void *)&jb;
151 	tad0->tad_ctrl |= PAD_ERRJMP;
152 
153 	/* generate a system-booted audit record */
154 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
155 
156 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL);
157 }
158 
159 void
160 audit_free()
161 {
162 }
163 
164 /*
165  * Check for any pending changes to the audit context for the given proc.
166  * p_crlock and pad_lock for the process are acquired here. Caller is
167  * responsible for assuring the process doesn't go away. If context is
168  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
169  * If no cred is given, it will be cralloc'ed here and caller assures that
170  * it is safe to allocate memory.
171  */
172 void
173 audit_update_context(proc_t *p, cred_t *ncr)
174 {
175 	struct p_audit_data *pad;
176 	cred_t	*newcred = ncr;
177 
178 	pad = P2A(p);
179 	if (pad == NULL) {
180 		if (newcred != NULL)
181 			crfree(newcred);
182 		return;
183 	}
184 
185 	/* If a mask update is pending, take care of it. */
186 	if (pad->pad_flags & PAD_SETMASK) {
187 		auditinfo_addr_t *ainfo;
188 
189 		if (newcred == NULL)
190 			newcred = cralloc();
191 
192 		mutex_enter(&pad->pad_lock);
193 		/* the condition may have been handled by the time we lock */
194 		if (pad->pad_flags & PAD_SETMASK) {
195 			ainfo = crgetauinfo_modifiable(newcred);
196 			if (ainfo == NULL) {
197 				mutex_enter(&pad->pad_lock);
198 				crfree(newcred);
199 				return;
200 			}
201 
202 			mutex_enter(&p->p_crlock);
203 			crcopy_to(p->p_cred, newcred);
204 			p->p_cred = newcred;
205 
206 			ainfo->ai_mask = pad->pad_newmask;
207 
208 			/* Unlock and cleanup. */
209 			mutex_exit(&p->p_crlock);
210 			pad->pad_flags &= ~PAD_SETMASK;
211 
212 			/*
213 			 * For curproc, assure that our thread points to right
214 			 * cred, so CRED() will be correct. Otherwise, no need
215 			 * to broadcast changes (via set_proc_pre_sys), since
216 			 * t_pre_sys is ALWAYS on when audit is enabled... due
217 			 * to syscall auditing.
218 			 */
219 			if (p == curproc)
220 				crset(p, newcred);
221 			else
222 				crfree(newcred);
223 		} else {
224 			crfree(newcred);
225 		}
226 		mutex_exit(&pad->pad_lock);
227 	} else {
228 		if (newcred != NULL)
229 			crfree(newcred);
230 	}
231 }
232 
233 
234 /*
235  * Enter system call. Do any necessary setup here. allocate resouces, etc.
236  */
237 
238 #include <sys/syscall.h>
239 
240 
241 /*ARGSUSED*/
242 int
243 audit_start(
244 	unsigned type,
245 	unsigned scid,
246 	int error,
247 	klwp_t *lwp)
248 {
249 	int			ctrl;
250 	au_event_t		event;
251 	au_state_t		estate;
252 	struct t_audit_data	*tad;
253 	au_kcontext_t		*kctx;
254 
255 	tad = U2A(u);
256 	ASSERT(tad != NULL);
257 
258 	if (error) {
259 		tad->tad_ctrl = 0;
260 		tad->tad_flag = 0;
261 		return (0);
262 	}
263 
264 	audit_update_context(curproc, NULL);
265 
266 	/*
267 	 * if this is an indirect system call then don't do anything.
268 	 * audit_start will be called again from indir() in trap.c
269 	 */
270 	if (scid == 0) {
271 		tad->tad_ctrl = 0;
272 		tad->tad_flag = 0;
273 		return (0);
274 	}
275 	if (scid >= num_syscall)
276 		scid = 0;
277 
278 	/* we can no longer ber guarantied a valid lwp_ap */
279 	/* so we need to force it valid a lot of stuff needs it */
280 	(void) save_syscall_args();
281 
282 	/* get control information */
283 	ctrl  = audit_s2e[scid].au_ctrl;
284 
285 	/*
286 	 * We need to gather paths for certain system calls even if they are
287 	 * not audited so that we can audit the various f* calls and be
288 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
289 	 * system call regardless if the call is audited or not.
290 	 * We allow the au_init() routine to adjust the tad_ctrl.
291 	 */
292 	tad->tad_ctrl   = ctrl;
293 	tad->tad_scid   = scid;
294 
295 	/* get basic event for system call */
296 	event = (*audit_s2e[scid].au_init)(audit_s2e[scid].au_event);
297 
298 	kctx = GET_KCTX_PZ;
299 
300 	estate = kctx->auk_ets[event];
301 
302 	/* now do preselection. Audit or not to Audit, that is the question */
303 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) {
304 		/*
305 		 * we assume that audit_finish will always be called.
306 		 */
307 		return (0);
308 	}
309 
310 	/*
311 	 * if auditing not enabled, then don't generate an audit record
312 	 * and don't count it.
313 	 */
314 	if ((kctx->auk_auditstate != AUC_AUDITING &&
315 	    kctx->auk_auditstate != AUC_INIT_AUDIT)) {
316 		/*
317 		 * we assume that audit_finish will always be called.
318 		 */
319 		tad->tad_flag = 0;
320 		return (0);
321 	}
322 
323 	/*
324 	 * audit daemon has informed us that there is no longer any
325 	 * space left to hold audit records. We decide here if records
326 	 * should be dropped (but counted).
327 	 */
328 	if (kctx->auk_auditstate == AUC_NOSPACE) {
329 		if ((kctx->auk_policy & AUDIT_CNT) ||
330 		    (kctx->auk_policy & AUDIT_SCNT)) {
331 			/* assume that audit_finish will always be called. */
332 			tad->tad_flag = 0;
333 
334 			/* just count # of dropped audit records */
335 			AS_INC(as_dropped, 1, kctx);
336 
337 			return (0);
338 		}
339 	}
340 
341 	tad->tad_event  = event;
342 	tad->tad_evmod  = 0;
343 
344 	(*audit_s2e[scid].au_start)(tad);
345 
346 	return (0);
347 }
348 
349 /*
350  * system call has completed. Now determine if we genearate an audit record
351  * or not.
352  */
353 /*ARGSUSED*/
354 void
355 audit_finish(
356 	unsigned type,
357 	unsigned scid,
358 	int error,
359 	rval_t *rval)
360 {
361 	struct t_audit_data *tad;
362 	int	flag;
363 	au_defer_info_t	*attr;
364 	au_kcontext_t *kctx = GET_KCTX_PZ;
365 
366 	tad = U2A(u);
367 
368 	/*
369 	 * Process all deferred events first.
370 	 */
371 	attr = tad->tad_defer_head;
372 	while (attr != NULL) {
373 		au_defer_info_t	*tmp_attr = attr;
374 
375 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
376 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
377 
378 		attr = attr->audi_next;
379 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
380 	}
381 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
382 
383 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
384 		/*
385 		 * clear the ctrl flag so that we don't have spurious
386 		 * collection of audit information.
387 		 */
388 		tad->tad_scid  = 0;
389 		tad->tad_event = 0;
390 		tad->tad_evmod = 0;
391 		tad->tad_ctrl  = 0;
392 		ASSERT(tad->tad_aupath == NULL);
393 		return;
394 	}
395 
396 	scid = tad->tad_scid;
397 
398 	/*
399 	 * Perform any extra processing and determine if we are
400 	 * really going to generate any audit record.
401 	 */
402 	(*audit_s2e[scid].au_finish)(tad, error, rval);
403 	if (tad->tad_flag) {
404 		tad->tad_flag = 0;
405 
406 		if (flag = audit_success(kctx, tad, error, NULL)) {
407 			unsigned int sy_flags;
408 			cred_t *cr = CRED();
409 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
410 
411 			ASSERT(ainfo != NULL);
412 
413 			/* Add subject information */
414 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
415 
416 			if (tad->tad_evmod & PAD_SPRIVUSE)
417 				au_write(&(u_ad),
418 					au_to_privset("", &tad->tad_sprivs,
419 					    AUT_UPRIV, 1));
420 
421 			if (tad->tad_evmod & PAD_FPRIVUSE)
422 				au_write(&(u_ad),
423 					au_to_privset("", &tad->tad_fprivs,
424 					    AUT_UPRIV, 0));
425 
426 			/* Add a return token */
427 #ifdef _SYSCALL32_IMPL
428 			if (lwp_getdatamodel(
429 				ttolwp(curthread)) == DATAMODEL_NATIVE)
430 			    sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
431 			else
432 			    sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
433 #else
434 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
435 #endif
436 
437 			if (sy_flags == SE_32RVAL1) {
438 			    if (type == 0) {
439 				au_write(&(u_ad), au_to_return32(error, 0));
440 			    } else {
441 				au_write(&(u_ad), au_to_return32(error,
442 								rval->r_val1));
443 			    }
444 			}
445 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
446 			    if (type == 0) {
447 				au_write(&(u_ad), au_to_return32(error, 0));
448 			    } else {
449 				au_write(&(u_ad), au_to_return32(error,
450 								rval->r_val1));
451 #ifdef NOTYET	/* for possible future support */
452 				au_write(&(u_ad), au_to_return32(error,
453 								rval->r_val2));
454 #endif
455 			    }
456 			}
457 			if (sy_flags == SE_64RVAL) {
458 			    if (type == 0) {
459 				au_write(&(u_ad), au_to_return64(error, 0));
460 			    } else {
461 				au_write(&(u_ad), au_to_return64(error,
462 								rval->r_vals));
463 			    }
464 			}
465 
466 			AS_INC(as_generated, 1, kctx);
467 			AS_INC(as_kernel, 1, kctx);
468 		}
469 
470 		/* Close up everything */
471 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
472 	}
473 
474 	ASSERT(u_ad == NULL);
475 
476 	/* free up any space remaining with the path's */
477 	if (tad->tad_aupath != NULL) {
478 		au_pathrele(tad->tad_aupath);
479 		tad->tad_aupath = NULL;
480 		tad->tad_vn = NULL;
481 	}
482 
483 	/* free up any space remaining with openat path's */
484 	if (tad->tad_atpath) {
485 		au_pathrele(tad->tad_atpath);
486 		tad->tad_atpath = NULL;
487 	}
488 
489 	/*
490 	 * clear the ctrl flag so that we don't have spurious collection of
491 	 * audit information.
492 	 */
493 	tad->tad_scid  = 0;
494 	tad->tad_event = 0;
495 	tad->tad_evmod = 0;
496 	tad->tad_ctrl  = 0;
497 }
498 
499 int
500 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
501     cred_t *cr)
502 {
503 	au_state_t ess;
504 	au_state_t esf;
505 	au_mask_t amask;
506 	const auditinfo_addr_t *ainfo;
507 
508 	ess = esf = kctx->auk_ets[tad->tad_event];
509 
510 	if (error)
511 		tad->tad_evmod |= PAD_FAILURE;
512 
513 	/* see if we really want to generate an audit record */
514 	if (tad->tad_ctrl & PAD_NOAUDIT)
515 		return (0);
516 
517 	/*
518 	 * nfs operation and we're auditing privilege or MAC. This
519 	 * is so we have a client audit record to match a nfs server
520 	 * audit record.
521 	 */
522 	if (tad->tad_ctrl & PAD_AUDITME)
523 		return (AU_OK);
524 
525 	/*
526 	 * Used passed cred if available, otherwise use cred from kernel thread
527 	 */
528 	if (cr == NULL)
529 		cr = CRED();
530 	ainfo = crgetauinfo(cr);
531 	if (ainfo == NULL)
532 		return (0);
533 	amask = ainfo->ai_mask;
534 
535 	if (error == 0)
536 		return ((ess & amask.as_success) ? AU_OK : 0);
537 	else
538 		return ((esf & amask.as_failure) ? AU_OK : 0);
539 }
540 
541 /*
542  * determine if we've preselected this event (system call).
543  */
544 int
545 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
546 {
547 	int flag = 0;
548 	au_mask_t amask;
549 	const auditinfo_addr_t *ainfo;
550 
551 	ainfo = crgetauinfo(CRED());
552 	if (ainfo == NULL)
553 		return (0);
554 	amask = ainfo->ai_mask;
555 
556 		/* preselected system call */
557 
558 	if (amask.as_success & estate || amask.as_failure & estate) {
559 		flag = 1;
560 	} else if ((tad->tad_scid == SYS_putmsg) ||
561 		(tad->tad_scid == SYS_getmsg)) {
562 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
563 			kctx->auk_ets[AUE_SOCKACCEPT]	|
564 			kctx->auk_ets[AUE_SOCKSEND]		|
565 			kctx->auk_ets[AUE_SOCKRECEIVE];
566 		if (amask.as_success & estate || amask.as_failure & estate)
567 			flag = 1;
568 	}
569 
570 	return (flag);
571 }
572