1 /*
2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33
34 #include <sys/param.h>
35 #include <sys/capsicum.h>
36 #include <sys/fcntl.h>
37 #include <sys/filedesc.h>
38 #include <sys/libkern.h>
39 #include <sys/malloc.h>
40 #include <sys/mount.h>
41 #include <sys/proc.h>
42 #include <sys/rwlock.h>
43 #include <sys/sem.h>
44 #include <sys/sbuf.h>
45 #include <sys/syscall.h>
46 #include <sys/sysctl.h>
47 #include <sys/sysent.h>
48 #include <sys/vnode.h>
49
50 #include <bsm/audit.h>
51 #include <bsm/audit_kevents.h>
52 #include <security/audit/audit.h>
53 #include <security/audit/audit_private.h>
54
55 /*
56 * Hash table functions for the audit event number to event class mask
57 * mapping.
58 */
59 #define EVCLASSMAP_HASH_TABLE_SIZE 251
60 struct evclass_elem {
61 au_event_t event;
62 au_class_t class;
63 LIST_ENTRY(evclass_elem) entry;
64 };
65 struct evclass_list {
66 LIST_HEAD(, evclass_elem) head;
67 };
68
69 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
70 static struct rwlock evclass_lock;
71 static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
72
73 #define EVCLASS_LOCK_INIT() rw_init(&evclass_lock, "evclass_lock")
74 #define EVCLASS_RLOCK() rw_rlock(&evclass_lock)
75 #define EVCLASS_RUNLOCK() rw_runlock(&evclass_lock)
76 #define EVCLASS_WLOCK() rw_wlock(&evclass_lock)
77 #define EVCLASS_WUNLOCK() rw_wunlock(&evclass_lock)
78
79 struct aue_open_event {
80 int aoe_flags;
81 au_event_t aoe_event;
82 };
83
84 static const struct aue_open_event aue_open[] = {
85 { O_RDONLY, AUE_OPEN_R },
86 { (O_RDONLY | O_CREAT), AUE_OPEN_RC },
87 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPEN_RTC },
88 { (O_RDONLY | O_TRUNC), AUE_OPEN_RT },
89 { O_RDWR, AUE_OPEN_RW },
90 { (O_RDWR | O_CREAT), AUE_OPEN_RWC },
91 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPEN_RWTC },
92 { (O_RDWR | O_TRUNC), AUE_OPEN_RWT },
93 { O_WRONLY, AUE_OPEN_W },
94 { (O_WRONLY | O_CREAT), AUE_OPEN_WC },
95 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPEN_WTC },
96 { (O_WRONLY | O_TRUNC), AUE_OPEN_WT },
97 };
98 static const int aue_open_count = sizeof(aue_open) / sizeof(aue_open[0]);
99
100 static const struct aue_open_event aue_openat[] = {
101 { O_RDONLY, AUE_OPENAT_R },
102 { (O_RDONLY | O_CREAT), AUE_OPENAT_RC },
103 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPENAT_RTC },
104 { (O_RDONLY | O_TRUNC), AUE_OPENAT_RT },
105 { O_RDWR, AUE_OPENAT_RW },
106 { (O_RDWR | O_CREAT), AUE_OPENAT_RWC },
107 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPENAT_RWTC },
108 { (O_RDWR | O_TRUNC), AUE_OPENAT_RWT },
109 { O_WRONLY, AUE_OPENAT_W },
110 { (O_WRONLY | O_CREAT), AUE_OPENAT_WC },
111 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPENAT_WTC },
112 { (O_WRONLY | O_TRUNC), AUE_OPENAT_WT },
113 };
114 static const int aue_openat_count = sizeof(aue_openat) / sizeof(aue_openat[0]);
115
116 /*
117 * Look up the class for an audit event in the class mapping table.
118 */
119 au_class_t
au_event_class(au_event_t event)120 au_event_class(au_event_t event)
121 {
122 struct evclass_list *evcl;
123 struct evclass_elem *evc;
124 au_class_t class;
125
126 EVCLASS_RLOCK();
127 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
128 class = 0;
129 LIST_FOREACH(evc, &evcl->head, entry) {
130 if (evc->event == event) {
131 class = evc->class;
132 goto out;
133 }
134 }
135 out:
136 EVCLASS_RUNLOCK();
137 return (class);
138 }
139
140 /*
141 * Insert a event to class mapping. If the event already exists in the
142 * mapping, then replace the mapping with the new one.
143 *
144 * XXX There is currently no constraints placed on the number of mappings.
145 * May want to either limit to a number, or in terms of memory usage.
146 */
147 void
au_evclassmap_insert(au_event_t event,au_class_t class)148 au_evclassmap_insert(au_event_t event, au_class_t class)
149 {
150 struct evclass_list *evcl;
151 struct evclass_elem *evc, *evc_new;
152
153 /*
154 * Pessimistically, always allocate storage before acquiring mutex.
155 * Free if there is already a mapping for this event.
156 */
157 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
158
159 EVCLASS_WLOCK();
160 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
161 LIST_FOREACH(evc, &evcl->head, entry) {
162 if (evc->event == event) {
163 evc->class = class;
164 EVCLASS_WUNLOCK();
165 free(evc_new, M_AUDITEVCLASS);
166 return;
167 }
168 }
169 evc = evc_new;
170 evc->event = event;
171 evc->class = class;
172 LIST_INSERT_HEAD(&evcl->head, evc, entry);
173 EVCLASS_WUNLOCK();
174 }
175
176 void
au_evclassmap_init(void)177 au_evclassmap_init(void)
178 {
179 int i;
180
181 EVCLASS_LOCK_INIT();
182 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
183 LIST_INIT(&evclass_hash[i].head);
184
185 /*
186 * Set up the initial event to class mapping for system calls.
187 *
188 * XXXRW: Really, this should walk all possible audit events, not all
189 * native ABI system calls, as there may be audit events reachable
190 * only through non-native system calls. It also seems a shame to
191 * frob the mutex this early.
192 */
193 for (i = 0; i < SYS_MAXSYSCALL; i++) {
194 if (sysent[i].sy_auevent != AUE_NULL)
195 au_evclassmap_insert(sysent[i].sy_auevent, 0);
196 }
197 }
198
199 /*
200 * Check whether an event is aditable by comparing the mask of classes this
201 * event is part of against the given mask.
202 */
203 int
au_preselect(au_event_t event,au_class_t class,au_mask_t * mask_p,int sorf)204 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
205 {
206 au_class_t effmask = 0;
207
208 if (mask_p == NULL)
209 return (-1);
210
211 /*
212 * Perform the actual check of the masks against the event.
213 */
214 if (sorf & AU_PRS_SUCCESS)
215 effmask |= (mask_p->am_success & class);
216
217 if (sorf & AU_PRS_FAILURE)
218 effmask |= (mask_p->am_failure & class);
219
220 if (effmask)
221 return (1);
222 else
223 return (0);
224 }
225
226 /*
227 * Convert sysctl names and present arguments to events.
228 */
229 au_event_t
audit_ctlname_to_sysctlevent(int name[],uint64_t valid_arg)230 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
231 {
232
233 /* can't parse it - so return the worst case */
234 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
235 return (AUE_SYSCTL);
236
237 switch (name[0]) {
238 /* non-admin "lookups" treat them special */
239 case KERN_OSTYPE:
240 case KERN_OSRELEASE:
241 case KERN_OSREV:
242 case KERN_VERSION:
243 case KERN_ARGMAX:
244 case KERN_CLOCKRATE:
245 case KERN_BOOTTIME:
246 case KERN_POSIX1:
247 case KERN_NGROUPS:
248 case KERN_JOB_CONTROL:
249 case KERN_SAVED_IDS:
250 case KERN_OSRELDATE:
251 case KERN_DUMMY:
252 return (AUE_SYSCTL_NONADMIN);
253
254 /* only treat the changeable controls as admin */
255 case KERN_MAXVNODES:
256 case KERN_MAXPROC:
257 case KERN_MAXFILES:
258 case KERN_MAXPROCPERUID:
259 case KERN_MAXFILESPERPROC:
260 case KERN_HOSTID:
261 case KERN_SECURELVL:
262 case KERN_HOSTNAME:
263 case KERN_VNODE:
264 case KERN_PROC:
265 case KERN_FILE:
266 case KERN_PROF:
267 case KERN_NISDOMAINNAME:
268 case KERN_UPDATEINTERVAL:
269 case KERN_NTP_PLL:
270 case KERN_BOOTFILE:
271 case KERN_DUMPDEV:
272 case KERN_IPC:
273 case KERN_PS_STRINGS:
274 case KERN_USRSTACK:
275 case KERN_LOGSIGEXIT:
276 case KERN_IOV_MAX:
277 return ((valid_arg & ARG_VALUE) ?
278 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
279
280 default:
281 return (AUE_SYSCTL);
282 }
283 /* NOTREACHED */
284 }
285
286 /*
287 * Convert an open flags specifier into a specific type of open event for
288 * auditing purposes.
289 */
290 au_event_t
audit_flags_and_error_to_openevent(int oflags,int error)291 audit_flags_and_error_to_openevent(int oflags, int error)
292 {
293 int i;
294
295 /*
296 * Need to check only those flags we care about.
297 */
298 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
299 for (i = 0; i < aue_open_count; i++) {
300 if (aue_open[i].aoe_flags == oflags)
301 return (aue_open[i].aoe_event);
302 }
303 return (AUE_OPEN);
304 }
305
306 au_event_t
audit_flags_and_error_to_openatevent(int oflags,int error)307 audit_flags_and_error_to_openatevent(int oflags, int error)
308 {
309 int i;
310
311 /*
312 * Need to check only those flags we care about.
313 */
314 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
315 for (i = 0; i < aue_openat_count; i++) {
316 if (aue_openat[i].aoe_flags == oflags)
317 return (aue_openat[i].aoe_event);
318 }
319 return (AUE_OPENAT);
320 }
321
322 /*
323 * Convert a MSGCTL command to a specific event.
324 */
325 au_event_t
audit_msgctl_to_event(int cmd)326 audit_msgctl_to_event(int cmd)
327 {
328
329 switch (cmd) {
330 case IPC_RMID:
331 return (AUE_MSGCTL_RMID);
332
333 case IPC_SET:
334 return (AUE_MSGCTL_SET);
335
336 case IPC_STAT:
337 return (AUE_MSGCTL_STAT);
338
339 default:
340 /* We will audit a bad command. */
341 return (AUE_MSGCTL);
342 }
343 }
344
345 /*
346 * Convert a SEMCTL command to a specific event.
347 */
348 au_event_t
audit_semctl_to_event(int cmd)349 audit_semctl_to_event(int cmd)
350 {
351
352 switch (cmd) {
353 case GETALL:
354 return (AUE_SEMCTL_GETALL);
355
356 case GETNCNT:
357 return (AUE_SEMCTL_GETNCNT);
358
359 case GETPID:
360 return (AUE_SEMCTL_GETPID);
361
362 case GETVAL:
363 return (AUE_SEMCTL_GETVAL);
364
365 case GETZCNT:
366 return (AUE_SEMCTL_GETZCNT);
367
368 case IPC_RMID:
369 return (AUE_SEMCTL_RMID);
370
371 case IPC_SET:
372 return (AUE_SEMCTL_SET);
373
374 case SETALL:
375 return (AUE_SEMCTL_SETALL);
376
377 case SETVAL:
378 return (AUE_SEMCTL_SETVAL);
379
380 case IPC_STAT:
381 return (AUE_SEMCTL_STAT);
382
383 default:
384 /* We will audit a bad command. */
385 return (AUE_SEMCTL);
386 }
387 }
388
389 /*
390 * Convert a command for the auditon() system call to a audit event.
391 */
392 au_event_t
auditon_command_event(int cmd)393 auditon_command_event(int cmd)
394 {
395
396 switch(cmd) {
397 case A_GETPOLICY:
398 return (AUE_AUDITON_GPOLICY);
399
400 case A_SETPOLICY:
401 return (AUE_AUDITON_SPOLICY);
402
403 case A_GETKMASK:
404 return (AUE_AUDITON_GETKMASK);
405
406 case A_SETKMASK:
407 return (AUE_AUDITON_SETKMASK);
408
409 case A_GETQCTRL:
410 return (AUE_AUDITON_GQCTRL);
411
412 case A_SETQCTRL:
413 return (AUE_AUDITON_SQCTRL);
414
415 case A_GETCWD:
416 return (AUE_AUDITON_GETCWD);
417
418 case A_GETCAR:
419 return (AUE_AUDITON_GETCAR);
420
421 case A_GETSTAT:
422 return (AUE_AUDITON_GETSTAT);
423
424 case A_SETSTAT:
425 return (AUE_AUDITON_SETSTAT);
426
427 case A_SETUMASK:
428 return (AUE_AUDITON_SETUMASK);
429
430 case A_SETSMASK:
431 return (AUE_AUDITON_SETSMASK);
432
433 case A_GETCOND:
434 return (AUE_AUDITON_GETCOND);
435
436 case A_SETCOND:
437 return (AUE_AUDITON_SETCOND);
438
439 case A_GETCLASS:
440 return (AUE_AUDITON_GETCLASS);
441
442 case A_SETCLASS:
443 return (AUE_AUDITON_SETCLASS);
444
445 case A_GETPINFO:
446 case A_SETPMASK:
447 case A_SETFSIZE:
448 case A_GETFSIZE:
449 case A_GETPINFO_ADDR:
450 case A_GETKAUDIT:
451 case A_SETKAUDIT:
452 default:
453 return (AUE_AUDITON); /* No special record */
454 }
455 }
456
457 /*
458 * Create a canonical path from given path by prefixing either the root
459 * directory, or the current working directory. If the process working
460 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
461 * but this results in a volfs name written to the audit log. So we will
462 * leave the filename starting with '/' in the audit log in this case.
463 */
464 void
audit_canon_path(struct thread * td,int dirfd,char * path,char * cpath)465 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
466 {
467 struct vnode *cvnp, *rvnp;
468 char *rbuf, *fbuf, *copy;
469 struct filedesc *fdp;
470 struct sbuf sbf;
471 cap_rights_t rights;
472 int error, needslash;
473
474 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
475 __func__, __FILE__, __LINE__);
476
477 copy = path;
478 rvnp = cvnp = NULL;
479 fdp = td->td_proc->p_fd;
480 FILEDESC_SLOCK(fdp);
481 /*
482 * Make sure that we handle the chroot(2) case. If there is an
483 * alternate root directory, prepend it to the audited pathname.
484 */
485 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
486 rvnp = fdp->fd_rdir;
487 vhold(rvnp);
488 }
489 /*
490 * If the supplied path is relative, make sure we capture the current
491 * working directory so we can prepend it to the supplied relative
492 * path.
493 */
494 if (*path != '/') {
495 if (dirfd == AT_FDCWD) {
496 cvnp = fdp->fd_cdir;
497 vhold(cvnp);
498 } else {
499 /* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
500 error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
501 if (error) {
502 FILEDESC_SUNLOCK(fdp);
503 cpath[0] = '\0';
504 if (rvnp != NULL)
505 vdrop(rvnp);
506 return;
507 }
508 vhold(cvnp);
509 vrele(cvnp);
510 }
511 needslash = (fdp->fd_rdir != cvnp);
512 } else {
513 needslash = 1;
514 }
515 FILEDESC_SUNLOCK(fdp);
516 /*
517 * NB: We require that the supplied array be at least MAXPATHLEN bytes
518 * long. If this is not the case, then we can run into serious trouble.
519 */
520 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
521 /*
522 * Strip leading forward slashes.
523 */
524 while (*copy == '/')
525 copy++;
526 /*
527 * Make sure we handle chroot(2) and prepend the global path to these
528 * environments.
529 *
530 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
531 * on Darwin. As a result, this may need some additional attention
532 * in the future.
533 */
534 if (rvnp != NULL) {
535 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
536 vdrop(rvnp);
537 if (error) {
538 cpath[0] = '\0';
539 if (cvnp != NULL)
540 vdrop(cvnp);
541 return;
542 }
543 (void) sbuf_cat(&sbf, rbuf);
544 free(fbuf, M_TEMP);
545 }
546 if (cvnp != NULL) {
547 error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
548 vdrop(cvnp);
549 if (error) {
550 cpath[0] = '\0';
551 return;
552 }
553 (void) sbuf_cat(&sbf, rbuf);
554 free(fbuf, M_TEMP);
555 }
556 if (needslash)
557 (void) sbuf_putc(&sbf, '/');
558 /*
559 * Now that we have processed any alternate root and relative path
560 * names, add the supplied pathname.
561 */
562 (void) sbuf_cat(&sbf, copy);
563 /*
564 * One or more of the previous sbuf operations could have resulted in
565 * the supplied buffer being overflowed. Check to see if this is the
566 * case.
567 */
568 if (sbuf_error(&sbf) != 0) {
569 cpath[0] = '\0';
570 return;
571 }
572 sbuf_finish(&sbf);
573 }
574