1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
6 * All rights reserved.
7 *
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
22 * its contributors may be used to endorse or promote products derived
23 * from this software without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 #include <sys/cdefs.h>
39 #include <sys/param.h>
40 #include <sys/capsicum.h>
41 #include <sys/fcntl.h>
42 #include <sys/filedesc.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
45 #include <sys/mount.h>
46 #include <sys/proc.h>
47 #include <sys/rwlock.h>
48 #include <sys/sem.h>
49 #include <sys/sbuf.h>
50 #include <sys/sx.h>
51 #include <sys/syscall.h>
52 #include <sys/sysctl.h>
53 #include <sys/sysent.h>
54 #include <sys/vnode.h>
55
56 #include <bsm/audit.h>
57 #include <bsm/audit_kevents.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
60
61 struct aue_open_event {
62 int aoe_flags;
63 au_event_t aoe_event;
64 };
65
66 static const struct aue_open_event aue_open[] = {
67 { O_RDONLY, AUE_OPEN_R },
68 { (O_RDONLY | O_CREAT), AUE_OPEN_RC },
69 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPEN_RTC },
70 { (O_RDONLY | O_TRUNC), AUE_OPEN_RT },
71 { O_RDWR, AUE_OPEN_RW },
72 { (O_RDWR | O_CREAT), AUE_OPEN_RWC },
73 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPEN_RWTC },
74 { (O_RDWR | O_TRUNC), AUE_OPEN_RWT },
75 { O_WRONLY, AUE_OPEN_W },
76 { (O_WRONLY | O_CREAT), AUE_OPEN_WC },
77 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPEN_WTC },
78 { (O_WRONLY | O_TRUNC), AUE_OPEN_WT },
79 };
80
81 static const struct aue_open_event aue_openat[] = {
82 { O_RDONLY, AUE_OPENAT_R },
83 { (O_RDONLY | O_CREAT), AUE_OPENAT_RC },
84 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPENAT_RTC },
85 { (O_RDONLY | O_TRUNC), AUE_OPENAT_RT },
86 { O_RDWR, AUE_OPENAT_RW },
87 { (O_RDWR | O_CREAT), AUE_OPENAT_RWC },
88 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPENAT_RWTC },
89 { (O_RDWR | O_TRUNC), AUE_OPENAT_RWT },
90 { O_WRONLY, AUE_OPENAT_W },
91 { (O_WRONLY | O_CREAT), AUE_OPENAT_WC },
92 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPENAT_WTC },
93 { (O_WRONLY | O_TRUNC), AUE_OPENAT_WT },
94 };
95
96 static const int aue_msgsys[] = {
97 /* 0 */ AUE_MSGCTL,
98 /* 1 */ AUE_MSGGET,
99 /* 2 */ AUE_MSGSND,
100 /* 3 */ AUE_MSGRCV,
101 };
102 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
103
104 static const int aue_semsys[] = {
105 /* 0 */ AUE_SEMCTL,
106 /* 1 */ AUE_SEMGET,
107 /* 2 */ AUE_SEMOP,
108 };
109 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
110
111 static const int aue_shmsys[] = {
112 /* 0 */ AUE_SHMAT,
113 /* 1 */ AUE_SHMDT,
114 /* 2 */ AUE_SHMGET,
115 /* 3 */ AUE_SHMCTL,
116 };
117 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
118
119 /*
120 * Check whether an event is auditable by comparing the mask of classes this
121 * event is part of against the given mask.
122 */
123 int
au_preselect(au_event_t event,au_class_t class,au_mask_t * mask_p,int sorf)124 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
125 {
126 au_class_t effmask = 0;
127
128 if (mask_p == NULL)
129 return (-1);
130
131 /*
132 * Perform the actual check of the masks against the event.
133 */
134 if (sorf & AU_PRS_SUCCESS)
135 effmask |= (mask_p->am_success & class);
136
137 if (sorf & AU_PRS_FAILURE)
138 effmask |= (mask_p->am_failure & class);
139
140 if (effmask)
141 return (1);
142 else
143 return (0);
144 }
145
146 /*
147 * Convert sysctl names and present arguments to events.
148 */
149 au_event_t
audit_ctlname_to_sysctlevent(int name[],uint64_t valid_arg)150 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
151 {
152
153 /* can't parse it - so return the worst case */
154 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
155 return (AUE_SYSCTL);
156
157 switch (name[0]) {
158 /* non-admin "lookups" treat them special */
159 case KERN_OSTYPE:
160 case KERN_OSRELEASE:
161 case KERN_OSREV:
162 case KERN_VERSION:
163 case KERN_ARGMAX:
164 case KERN_CLOCKRATE:
165 case KERN_BOOTTIME:
166 case KERN_POSIX1:
167 case KERN_NGROUPS:
168 case KERN_JOB_CONTROL:
169 case KERN_SAVED_IDS:
170 case KERN_OSRELDATE:
171 case KERN_DUMMY:
172 return (AUE_SYSCTL_NONADMIN);
173
174 /* only treat the changeable controls as admin */
175 case KERN_MAXVNODES:
176 case KERN_MAXPROC:
177 case KERN_MAXFILES:
178 case KERN_MAXPROCPERUID:
179 case KERN_MAXFILESPERPROC:
180 case KERN_HOSTID:
181 case KERN_SECURELVL:
182 case KERN_HOSTNAME:
183 case KERN_PROC:
184 case KERN_FILE:
185 case KERN_PROF:
186 case KERN_NISDOMAINNAME:
187 case KERN_UPDATEINTERVAL:
188 case KERN_NTP_PLL:
189 case KERN_BOOTFILE:
190 case KERN_DUMPDEV:
191 case KERN_IPC:
192 case KERN_PS_STRINGS:
193 case KERN_USRSTACK:
194 case KERN_LOGSIGEXIT:
195 case KERN_IOV_MAX:
196 return ((valid_arg & ARG_VALUE) ?
197 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
198
199 default:
200 return (AUE_SYSCTL);
201 }
202 /* NOTREACHED */
203 }
204
205 /*
206 * Convert an open flags specifier into a specific type of open event for
207 * auditing purposes.
208 */
209 au_event_t
audit_flags_and_error_to_openevent(int oflags,int error)210 audit_flags_and_error_to_openevent(int oflags, int error)
211 {
212 int i;
213
214 /*
215 * Need to check only those flags we care about.
216 */
217 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
218 for (i = 0; i < nitems(aue_open); i++) {
219 if (aue_open[i].aoe_flags == oflags)
220 return (aue_open[i].aoe_event);
221 }
222 return (AUE_OPEN);
223 }
224
225 au_event_t
audit_flags_and_error_to_openatevent(int oflags,int error)226 audit_flags_and_error_to_openatevent(int oflags, int error)
227 {
228 int i;
229
230 /*
231 * Need to check only those flags we care about.
232 */
233 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
234 for (i = 0; i < nitems(aue_openat); i++) {
235 if (aue_openat[i].aoe_flags == oflags)
236 return (aue_openat[i].aoe_event);
237 }
238 return (AUE_OPENAT);
239 }
240
241 /*
242 * Convert a MSGCTL command to a specific event.
243 */
244 au_event_t
audit_msgctl_to_event(int cmd)245 audit_msgctl_to_event(int cmd)
246 {
247
248 switch (cmd) {
249 case IPC_RMID:
250 return (AUE_MSGCTL_RMID);
251
252 case IPC_SET:
253 return (AUE_MSGCTL_SET);
254
255 case IPC_STAT:
256 return (AUE_MSGCTL_STAT);
257
258 default:
259 /* We will audit a bad command. */
260 return (AUE_MSGCTL);
261 }
262 }
263
264 /*
265 * Convert a SEMCTL command to a specific event.
266 */
267 au_event_t
audit_semctl_to_event(int cmd)268 audit_semctl_to_event(int cmd)
269 {
270
271 switch (cmd) {
272 case GETALL:
273 return (AUE_SEMCTL_GETALL);
274
275 case GETNCNT:
276 return (AUE_SEMCTL_GETNCNT);
277
278 case GETPID:
279 return (AUE_SEMCTL_GETPID);
280
281 case GETVAL:
282 return (AUE_SEMCTL_GETVAL);
283
284 case GETZCNT:
285 return (AUE_SEMCTL_GETZCNT);
286
287 case IPC_RMID:
288 return (AUE_SEMCTL_RMID);
289
290 case IPC_SET:
291 return (AUE_SEMCTL_SET);
292
293 case SETALL:
294 return (AUE_SEMCTL_SETALL);
295
296 case SETVAL:
297 return (AUE_SEMCTL_SETVAL);
298
299 case IPC_STAT:
300 return (AUE_SEMCTL_STAT);
301
302 default:
303 /* We will audit a bad command. */
304 return (AUE_SEMCTL);
305 }
306 }
307
308 /*
309 * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
310 * audit events, if possible.
311 */
312 au_event_t
audit_msgsys_to_event(int which)313 audit_msgsys_to_event(int which)
314 {
315
316 if ((which >= 0) && (which < aue_msgsys_count))
317 return (aue_msgsys[which]);
318
319 /* Audit a bad command. */
320 return (AUE_MSGSYS);
321 }
322
323 au_event_t
audit_semsys_to_event(int which)324 audit_semsys_to_event(int which)
325 {
326
327 if ((which >= 0) && (which < aue_semsys_count))
328 return (aue_semsys[which]);
329
330 /* Audit a bad command. */
331 return (AUE_SEMSYS);
332 }
333
334 au_event_t
audit_shmsys_to_event(int which)335 audit_shmsys_to_event(int which)
336 {
337
338 if ((which >= 0) && (which < aue_shmsys_count))
339 return (aue_shmsys[which]);
340
341 /* Audit a bad command. */
342 return (AUE_SHMSYS);
343 }
344
345 /*
346 * Convert a command for the auditon() system call to a audit event.
347 */
348 au_event_t
auditon_command_event(int cmd)349 auditon_command_event(int cmd)
350 {
351
352 switch(cmd) {
353 case A_GETPOLICY:
354 return (AUE_AUDITON_GPOLICY);
355
356 case A_SETPOLICY:
357 return (AUE_AUDITON_SPOLICY);
358
359 case A_GETKMASK:
360 return (AUE_AUDITON_GETKMASK);
361
362 case A_SETKMASK:
363 return (AUE_AUDITON_SETKMASK);
364
365 case A_GETQCTRL:
366 return (AUE_AUDITON_GQCTRL);
367
368 case A_SETQCTRL:
369 return (AUE_AUDITON_SQCTRL);
370
371 case A_GETCWD:
372 return (AUE_AUDITON_GETCWD);
373
374 case A_GETCAR:
375 return (AUE_AUDITON_GETCAR);
376
377 case A_GETSTAT:
378 return (AUE_AUDITON_GETSTAT);
379
380 case A_SETSTAT:
381 return (AUE_AUDITON_SETSTAT);
382
383 case A_SETUMASK:
384 return (AUE_AUDITON_SETUMASK);
385
386 case A_SETSMASK:
387 return (AUE_AUDITON_SETSMASK);
388
389 case A_GETCOND:
390 return (AUE_AUDITON_GETCOND);
391
392 case A_SETCOND:
393 return (AUE_AUDITON_SETCOND);
394
395 case A_GETCLASS:
396 return (AUE_AUDITON_GETCLASS);
397
398 case A_SETCLASS:
399 return (AUE_AUDITON_SETCLASS);
400
401 case A_GETPINFO:
402 case A_SETPMASK:
403 case A_SETFSIZE:
404 case A_GETFSIZE:
405 case A_GETPINFO_ADDR:
406 case A_GETKAUDIT:
407 case A_SETKAUDIT:
408 default:
409 return (AUE_AUDITON); /* No special record */
410 }
411 }
412
413 /*
414 * Create a canonical path from given path by prefixing either the root
415 * directory, or the current working directory. If the process working
416 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
417 * but this results in a volfs name written to the audit log. So we will
418 * leave the filename starting with '/' in the audit log in this case.
419 */
420 void
audit_canon_path_vp(struct thread * td,struct vnode * rdir,struct vnode * cdir,char * path,char * cpath)421 audit_canon_path_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir,
422 char *path, char *cpath)
423 {
424 struct vnode *vp;
425 char *rbuf, *fbuf, *copy;
426 struct sbuf sbf;
427 int error;
428
429 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
430 __func__, __FILE__, __LINE__);
431
432 copy = path;
433 if (*path == '/') {
434 vp = rdir;
435 } else {
436 if (cdir == NULL) {
437 cpath[0] = '\0';
438 return;
439 }
440 vp = cdir;
441 }
442 MPASS(vp != NULL);
443 /*
444 * NB: We require that the supplied array be at least MAXPATHLEN bytes
445 * long. If this is not the case, then we can run into serious trouble.
446 */
447 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
448 /*
449 * Strip leading forward slashes.
450 *
451 * Note this does nothing to fully canonicalize the path.
452 */
453 while (*copy == '/')
454 copy++;
455 /*
456 * Make sure we handle chroot(2) and prepend the global path to these
457 * environments.
458 *
459 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
460 * on Darwin. As a result, this may need some additional attention
461 * in the future.
462 */
463 error = vn_fullpath_global(vp, &rbuf, &fbuf);
464 if (error) {
465 cpath[0] = '\0';
466 return;
467 }
468 (void) sbuf_cat(&sbf, rbuf);
469 /*
470 * We are going to concatenate the resolved path with the passed path
471 * with all slashes removed and we want them glued with a single slash.
472 * However, if the directory is /, the slash is already there.
473 */
474 if (rbuf[1] != '\0')
475 (void) sbuf_putc(&sbf, '/');
476 free(fbuf, M_TEMP);
477 /*
478 * Now that we have processed any alternate root and relative path
479 * names, add the supplied pathname.
480 */
481 (void) sbuf_cat(&sbf, copy);
482 /*
483 * One or more of the previous sbuf operations could have resulted in
484 * the supplied buffer being overflowed. Check to see if this is the
485 * case.
486 */
487 if (sbuf_error(&sbf) != 0) {
488 cpath[0] = '\0';
489 return;
490 }
491 sbuf_finish(&sbf);
492 }
493
494 void
audit_canon_path(struct thread * td,int dirfd,char * path,char * cpath)495 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
496 {
497 struct vnode *cdir, *rdir;
498 struct pwd *pwd;
499 cap_rights_t rights;
500 int error;
501 bool vrele_cdir;
502
503 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
504 __func__, __FILE__, __LINE__);
505
506 pwd = pwd_hold(td);
507 rdir = pwd->pwd_rdir;
508 cdir = NULL;
509 vrele_cdir = false;
510 if (*path != '/') {
511 if (dirfd == AT_FDCWD) {
512 cdir = pwd->pwd_cdir;
513 } else {
514 error = fgetvp(td, dirfd, cap_rights_init(&rights), &cdir);
515 if (error != 0) {
516 cpath[0] = '\0';
517 pwd_drop(pwd);
518 return;
519 }
520 vrele_cdir = true;
521 }
522 }
523
524 audit_canon_path_vp(td, rdir, cdir, path, cpath);
525
526 pwd_drop(pwd);
527 if (vrele_cdir)
528 vrele(cdir);
529 }
530