1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the envelope code for system call auditing. 28 */ 29 30 #include <sys/param.h> 31 #include <sys/types.h> 32 #include <sys/time.h> 33 #include <sys/kmem.h> 34 #include <sys/proc.h> 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/debug.h> 42 #include <sys/cred.h> 43 #include <sys/zone.h> 44 #include <c2/audit.h> 45 #include <c2/audit_kernel.h> 46 #include <c2/audit_kevents.h> 47 #include <c2/audit_record.h> 48 #include "audit_door_infc.h" 49 50 extern uint_t num_syscall; /* size of audit_s2e table */ 51 extern kmutex_t pidlock; /* proc table lock */ 52 53 /* 54 * Obsolete and ignored - Historically, the 'set c2audit:audit_load=1' entry 55 * in /etc/system enabled auditing. The No Reboot Audit project does not 56 * use this entry. However, to prevent the system from printing warning 57 * messages, the audit_load entry is being left in /etc/system. It will be 58 * removed when there is a small chance that the entry is used on currently 59 * running systems. 60 */ 61 int audit_load = 0; 62 63 kmutex_t module_lock; /* audit_module_state lock */ 64 65 /* 66 * Das Boot. Initialize first process. Also generate an audit record indicating 67 * that the system has been booted. 68 */ 69 void 70 audit_init_module() 71 { 72 token_t *rp = NULL; 73 label_t jb; 74 75 /* 76 * Solaris Auditing module is being loaded -> change the state. The lock 77 * is here to prevent memory leaks caused by multiple initializations. 78 */ 79 mutex_enter(&module_lock); 80 if (audit_active != C2AUDIT_UNLOADED) { 81 mutex_exit(&module_lock); 82 return; 83 } 84 audit_active = C2AUDIT_LOADED; 85 mutex_exit(&module_lock); 86 87 /* initialize memory allocators */ 88 au_mem_init(); 89 90 /* 91 * setup environment for asynchronous auditing. We can't use 92 * audit_async_start() here since it assumes the audit system 93 * has been started via auditd(1m). auditd sets the variable, 94 * auk_auditstate, to indicate audit record generation should 95 * commence. Here we want to always generate an audit record. 96 */ 97 if (setjmp(&jb)) { 98 /* process audit policy (AUDIT_AHLT) for asynchronous events */ 99 audit_async_drop((caddr_t *)(&rp), 0); 100 return; 101 } 102 103 ASSERT(tad0->tad_errjmp == NULL); 104 tad0->tad_errjmp = (void *)&jb; 105 tad0->tad_ctrl |= PAD_ERRJMP; 106 107 /* generate a system-booted audit record */ 108 au_write((caddr_t *)&rp, au_to_text("booting kernel")); 109 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL, 110 &(p0.p_user.u_start)); 111 } 112 113 114 /* 115 * Enter system call. Do any necessary setup here. allocate resouces, etc. 116 */ 117 118 #include <sys/syscall.h> 119 120 121 /*ARGSUSED*/ 122 int 123 audit_start( 124 unsigned type, 125 unsigned scid, 126 uint32_t audit_state, 127 int error, 128 klwp_t *lwp) 129 { 130 struct t_audit_data *tad; 131 au_kcontext_t *kctx; 132 133 tad = U2A(u); 134 ASSERT(tad != NULL); 135 136 /* Remember the audit state in the cache */ 137 tad->tad_audit = audit_state; 138 139 if (error) { 140 tad->tad_ctrl = 0; 141 tad->tad_flag = 0; 142 return (0); 143 } 144 145 audit_update_context(curproc, NULL); 146 147 /* 148 * if this is an indirect system call then don't do anything. 149 * audit_start will be called again from indir() in trap.c 150 */ 151 if (scid == 0) { 152 tad->tad_ctrl = 0; 153 tad->tad_flag = 0; 154 return (0); 155 } 156 if (scid >= num_syscall) 157 scid = 0; 158 159 /* 160 * we can no longer depend on a valid lwp_ap, so we need to 161 * copy the syscall args as future audit stuff may need them. 162 */ 163 (void) save_syscall_args(); 164 165 /* 166 * We need to gather paths for certain system calls even if they are 167 * not audited so that we can audit the various f* calls and be 168 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the 169 * system call regardless if the call is audited or not. 170 * We allow the event specific initial processing routines (au_init) 171 * to adjust the tad_ctrl as necessary. 172 */ 173 tad->tad_ctrl = audit_s2e[scid].au_ctrl; 174 tad->tad_scid = scid; 175 176 /* get basic event for system call */ 177 tad->tad_event = audit_s2e[scid].au_event; 178 if (audit_s2e[scid].au_init != (au_event_t)AUE_NULL) { 179 /* get specific event */ 180 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event); 181 } 182 183 kctx = GET_KCTX_PZ; 184 185 /* now do preselection. Audit or not to Audit, that is the question */ 186 if ((tad->tad_flag = auditme(kctx, tad, 187 kctx->auk_ets[tad->tad_event])) == 0) { 188 /* 189 * we assume that audit_finish will always be called. 190 */ 191 return (0); 192 } 193 194 /* 195 * if auditing not enabled, then don't generate an audit record 196 * and don't count it. 197 */ 198 if (audit_state & ~(AUC_AUDITING | AUC_INIT_AUDIT)) { 199 /* 200 * we assume that audit_finish will always be called. 201 */ 202 tad->tad_flag = 0; 203 return (0); 204 } 205 206 /* 207 * audit daemon has informed us that there is no longer any 208 * space left to hold audit records. We decide here if records 209 * should be dropped (but counted). 210 */ 211 if (audit_state == AUC_NOSPACE) { 212 if ((kctx->auk_policy & AUDIT_CNT) || 213 (kctx->auk_policy & AUDIT_SCNT)) { 214 /* assume that audit_finish will always be called. */ 215 tad->tad_flag = 0; 216 217 /* just count # of dropped audit records */ 218 AS_INC(as_dropped, 1, kctx); 219 220 return (0); 221 } 222 } 223 224 tad->tad_evmod = 0; 225 226 if (audit_s2e[scid].au_start != NULL) { 227 /* do start of system call processing */ 228 (*audit_s2e[scid].au_start)(tad); 229 } 230 231 return (0); 232 } 233 234 /* 235 * system call has completed. Now determine if we genearate an audit record 236 * or not. 237 */ 238 /*ARGSUSED*/ 239 void 240 audit_finish( 241 unsigned type, 242 unsigned scid, 243 int error, 244 rval_t *rval) 245 { 246 struct t_audit_data *tad; 247 int flag; 248 au_defer_info_t *attr; 249 au_kcontext_t *kctx = GET_KCTX_PZ; 250 251 tad = U2A(u); 252 253 /* 254 * Process all deferred events first. 255 */ 256 attr = tad->tad_defer_head; 257 while (attr != NULL) { 258 au_defer_info_t *tmp_attr = attr; 259 260 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 261 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime)); 262 263 attr = attr->audi_next; 264 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 265 } 266 tad->tad_defer_head = tad->tad_defer_tail = NULL; 267 268 if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) { 269 /* 270 * clear the ctrl flag so that we don't have spurious 271 * collection of audit information. 272 */ 273 tad->tad_scid = 0; 274 tad->tad_event = 0; 275 tad->tad_evmod = 0; 276 tad->tad_ctrl = 0; 277 tad->tad_audit = AUC_UNSET; 278 ASSERT(tad->tad_aupath == NULL); 279 return; 280 } 281 282 scid = tad->tad_scid; 283 284 /* 285 * Perform any extra processing and determine if we are 286 * really going to generate any audit record. 287 */ 288 if (audit_s2e[scid].au_finish != NULL) { 289 /* do any post system call processing */ 290 (*audit_s2e[scid].au_finish)(tad, error, rval); 291 } 292 if (tad->tad_flag) { 293 tad->tad_flag = 0; 294 295 if (flag = audit_success(kctx, tad, error, NULL)) { 296 unsigned int sy_flags; 297 cred_t *cr = CRED(); 298 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 299 300 ASSERT(ainfo != NULL); 301 302 /* Add subject information */ 303 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 304 305 if (tad->tad_evmod & PAD_SPRIVUSE) { 306 au_write(&(u_ad), 307 au_to_privset("", &tad->tad_sprivs, 308 AUT_UPRIV, 1)); 309 } 310 311 if (tad->tad_evmod & PAD_FPRIVUSE) { 312 au_write(&(u_ad), 313 au_to_privset("", &tad->tad_fprivs, 314 AUT_UPRIV, 0)); 315 } 316 317 /* Add a return token */ 318 #ifdef _SYSCALL32_IMPL 319 if (lwp_getdatamodel(ttolwp(curthread)) == 320 DATAMODEL_NATIVE) { 321 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 322 } else { 323 sy_flags = 324 sysent32[scid].sy_flags & SE_RVAL_MASK; 325 } 326 #else /* _SYSCALL64_IMPL */ 327 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 328 #endif /* _SYSCALL32_IMPL */ 329 330 if (sy_flags == SE_32RVAL1) { 331 if (type == 0) { 332 au_write(&(u_ad), 333 au_to_return32(error, 0)); 334 } else { 335 au_write(&(u_ad), au_to_return32(error, 336 rval->r_val1)); 337 } 338 } 339 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) { 340 if (type == 0) { 341 au_write(&(u_ad), 342 au_to_return32(error, 0)); 343 } else { 344 au_write(&(u_ad), 345 au_to_return32(error, 346 rval->r_val1)); 347 #ifdef NOTYET /* for possible future support */ 348 au_write(&(u_ad), au_to_return32(error, 349 rval->r_val2)); 350 #endif 351 } 352 } 353 if (sy_flags == SE_64RVAL) { 354 if (type == 0) { 355 au_write(&(u_ad), 356 au_to_return64(error, 0)); 357 } else { 358 au_write(&(u_ad), au_to_return64(error, 359 rval->r_vals)); 360 } 361 } 362 363 AS_INC(as_generated, 1, kctx); 364 AS_INC(as_kernel, 1, kctx); 365 } 366 367 /* Close up everything */ 368 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, 369 NULL); 370 } 371 372 ASSERT(u_ad == NULL); 373 374 /* free up any space remaining with the path's */ 375 if (tad->tad_aupath != NULL) { 376 au_pathrele(tad->tad_aupath); 377 tad->tad_aupath = NULL; 378 tad->tad_vn = NULL; 379 } 380 381 /* free up any space remaining with openat path's */ 382 if (tad->tad_atpath) { 383 au_pathrele(tad->tad_atpath); 384 tad->tad_atpath = NULL; 385 } 386 387 /* 388 * clear the ctrl flag so that we don't have spurious collection of 389 * audit information. 390 */ 391 tad->tad_scid = 0; 392 tad->tad_event = 0; 393 tad->tad_evmod = 0; 394 tad->tad_ctrl = 0; 395 tad->tad_audit = AUC_UNSET; 396 } 397 398 int 399 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error, 400 cred_t *cr) 401 { 402 au_state_t ess; 403 au_state_t esf; 404 au_mask_t amask; 405 const auditinfo_addr_t *ainfo; 406 407 ess = esf = kctx->auk_ets[tad->tad_event]; 408 409 if (error) 410 tad->tad_evmod |= PAD_FAILURE; 411 412 /* see if we really want to generate an audit record */ 413 if (tad->tad_ctrl & PAD_NOAUDIT) 414 return (0); 415 416 /* 417 * nfs operation and we're auditing privilege or MAC. This 418 * is so we have a client audit record to match a nfs server 419 * audit record. 420 */ 421 if (tad->tad_ctrl & PAD_AUDITME) 422 return (AU_OK); 423 424 /* 425 * Used passed cred if available, otherwise use cred from kernel thread 426 */ 427 if (cr == NULL) 428 cr = CRED(); 429 ainfo = crgetauinfo(cr); 430 if (ainfo == NULL) 431 return (0); 432 amask = ainfo->ai_mask; 433 434 if (error == 0) 435 return ((ess & amask.as_success) ? AU_OK : 0); 436 else 437 return ((esf & amask.as_failure) ? AU_OK : 0); 438 } 439 440 /* 441 * determine if we've preselected this event (system call). 442 */ 443 int 444 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate) 445 { 446 int flag = 0; 447 au_mask_t amask; 448 const auditinfo_addr_t *ainfo; 449 450 ainfo = crgetauinfo(CRED()); 451 if (ainfo == NULL) 452 return (0); 453 amask = ainfo->ai_mask; 454 455 /* preselected system call */ 456 457 if (amask.as_success & estate || amask.as_failure & estate) { 458 flag = 1; 459 } else if ((tad->tad_scid == SYS_putmsg) || 460 (tad->tad_scid == SYS_getmsg)) { 461 estate = kctx->auk_ets[AUE_SOCKCONNECT] | 462 kctx->auk_ets[AUE_SOCKACCEPT] | 463 kctx->auk_ets[AUE_SOCKSEND] | 464 kctx->auk_ets[AUE_SOCKRECEIVE]; 465 if (amask.as_success & estate || amask.as_failure & estate) 466 flag = 1; 467 } 468 469 return (flag); 470 } 471