Cross Reference: /freebsd-10.3-release/sys/security/audit/audit.c

Deleted Added

sdiff udiff text old ( 162176 ) new ( 162380 )

full compact

audit.c (162176)	audit.c (162380)
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 *	1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 *
30 * $FreeBSD: head/sys/security/audit/audit.c 162176 2006-09-09 10:23:00Z rwatson $	30 * $FreeBSD: head/sys/security/audit/audit.c 162380 2006-09-17 17:52:57Z csjp $
31 / 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sysproto.h> 52#include <sys/sysent.h> 53#include <sys/systm.h> 54#include <sys/ucred.h> 55#include <sys/uio.h> 56#include <sys/un.h> 57#include <sys/unistd.h> 58#include <sys/vnode.h> 59 60#include <bsm/audit.h> 61#include <bsm/audit_internal.h> 62#include <bsm/audit_kevents.h> 63 64#include <netinet/in.h> 65#include <netinet/in_pcb.h> 66 67#include <security/audit/audit.h> 68#include <security/audit/audit_private.h> 69 70#include <vm/uma.h> 71 72static uma_zone_t audit_record_zone; 73static MALLOC_DEFINE(M_AUDITPROC, "audit_proc", "Audit process storage"); 74MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); 75MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); 76MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); 77 78/ 79 * Audit control settings that are set/read by system calls and are 80 * hence non-static. 81 / 82/ 83 * Define the audit control flags. 84 / 85int audit_enabled; 86int audit_suspended; 87 88/ 89 * Flags controlling behavior in low storage situations. Should we panic if 90 * a write fails? Should we fail stop if we're out of disk space? 91 / 92int audit_panic_on_write_fail; 93int audit_fail_stop; 94int audit_argv; 95int audit_arge; 96 97/ 98 * Are we currently "failing stop" due to out of disk space? 99 / 100int audit_in_failure; 101* 102/* 103 * Global audit statistiscs. 104 / 105struct audit_fstat audit_fstat; 106* 107/* 108 * Preselection mask for non-attributable events. 109 / 110struct au_mask audit_nae_mask; 111* 112/* 113 * Mutex to protect global variables shared between various threads and 114 * processes. 115 / 116struct mtx audit_mtx; 117* 118/* 119 * Queue of audit records ready for delivery to disk. We insert new 120 * records at the tail, and remove records from the head. Also, 121 * a count of the number of records used for checking queue depth. 122 * In addition, a counter of records that we have allocated but are 123 * not yet in the queue, which is needed to estimate the total 124 * size of the combined set of records outstanding in the system. 125 / 126struct kaudit_queue audit_q; 127int audit_q_len; 128int audit_pre_q_len; 129* 130/* 131 * Audit queue control settings (minimum free, low/high water marks, etc.) 132 / 133struct au_qctrl audit_qctrl; 134* 135/* 136 * Condition variable to signal to the worker that it has work to do: 137 * either new records are in the queue, or a log replacement is taking 138 * place. 139 / 140struct cv audit_worker_cv; 141* 142/* 143 * Condition variable to flag when crossing the low watermark, meaning that 144 * threads blocked due to hitting the high watermark can wake up and continue 145 * to commit records. 146 / 147struct cv audit_watermark_cv; 148* 149/* 150 * Condition variable for auditing threads wait on when in fail-stop mode. 151 * Threads wait on this CV forever (and ever), never seeing the light of 152 * day again. 153 / 154static struct cv audit_fail_cv; 155* 156/* 157 * Construct an audit record for the passed thread. 158 / 159static int 160audit_record_ctor(void mem, int size, void arg, int flags) 161{ 162* struct kaudit_record ar; 163* struct thread td; 164* 165 KASSERT(sizeof(ar) == size, ("audit_record_ctor: wrong size")); 166* 167 td = arg; 168 ar = mem; 169 bzero(ar, sizeof(ar)); 170* ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; 171 nanotime(&ar->k_ar.ar_starttime); 172 173 /* 174 * Export the subject credential. 175 / 176* cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred); 177 ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid; 178 ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid; 179 ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0]; 180 PROC_LOCK(td->td_proc); 181 ar->k_ar.ar_subj_auid = td->td_proc->p_au->ai_auid; 182 ar->k_ar.ar_subj_asid = td->td_proc->p_au->ai_asid; 183 ar->k_ar.ar_subj_pid = td->td_proc->p_pid; 184 ar->k_ar.ar_subj_amask = td->td_proc->p_au->ai_mask; 185 ar->k_ar.ar_subj_term = td->td_proc->p_au->ai_termid; 186 bcopy(td->td_proc->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN); 187 PROC_UNLOCK(td->td_proc); 188 189 return (0); 190} 191 192static void 193audit_record_dtor(void mem, int size, void arg) 194{ 195 struct kaudit_record ar; 196* 197 KASSERT(sizeof(ar) == size, ("audit_record_dtor: wrong size")); 198* 199 ar = mem; 200 if (ar->k_ar.ar_arg_upath1 != NULL) 201 free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); 202 if (ar->k_ar.ar_arg_upath2 != NULL) 203 free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); 204 if (ar->k_ar.ar_arg_text != NULL) 205 free(ar->k_ar.ar_arg_text, M_AUDITTEXT); 206 if (ar->k_udata != NULL) 207 free(ar->k_udata, M_AUDITDATA); 208 if (ar->k_ar.ar_arg_argv != NULL) 209 free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); 210 if (ar->k_ar.ar_arg_envv != NULL) 211 free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); 212} 213 214/* 215 * Initialize the Audit subsystem: configuration state, work queue, 216 * synchronization primitives, worker thread, and trigger device node. Also 217 * call into the BSM assembly code to initialize it. 218 / 219static void 220audit_init(void) 221{ 222* 223 printf("Security auditing service present\n"); 224 audit_enabled = 0; 225 audit_suspended = 0; 226 audit_panic_on_write_fail = 0; 227 audit_fail_stop = 0; 228 audit_in_failure = 0; 229 audit_argv = 0; 230 audit_arge = 0; 231 232 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded / 233* audit_fstat.af_currsz = 0; 234 audit_nae_mask.am_success = AU_NULL; 235 audit_nae_mask.am_failure = AU_NULL; 236 237 TAILQ_INIT(&audit_q); 238 audit_q_len = 0; 239 audit_pre_q_len = 0; 240 audit_qctrl.aq_hiwater = AQ_HIWATER; 241 audit_qctrl.aq_lowater = AQ_LOWATER; 242 audit_qctrl.aq_bufsz = AQ_BUFSZ; 243 audit_qctrl.aq_minfree = AU_FS_MINFREE; 244 245 mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); 246 cv_init(&audit_worker_cv, "audit_worker_cv"); 247 cv_init(&audit_watermark_cv, "audit_watermark_cv"); 248 cv_init(&audit_fail_cv, "audit_fail_cv"); 249 250 audit_record_zone = uma_zcreate("audit_record", 251 sizeof(struct kaudit_record), audit_record_ctor, 252 audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0); 253 254 /* Initialize the BSM audit subsystem. / 255* kau_init(); 256 257 audit_trigger_init(); 258 259 /* Register shutdown handler. / 260* EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL, 261 SHUTDOWN_PRI_FIRST); 262 263 /* Start audit worker thread. / 264* audit_worker_init(); 265} 266 267SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL) 268 269/* 270 * Drain the audit queue and close the log at shutdown. Note that this can 271 * be called both from the system shutdown path and also from audit 272 * configuration syscalls, so 'arg' and 'howto' are ignored. 273 / 274void 275audit_shutdown(void arg, int howto) 276{ 277 278 audit_rotate_vnode(NULL, NULL); 279} 280 281/* 282 * Return the current thread's audit record, if any. 283 / 284__inline__ struct kaudit_record 285currecord(void) 286{ 287 288 return (curthread->td_ar); 289} 290 291/* 292 * MPSAFE 293 * 294 * XXXAUDIT: There are a number of races present in the code below due to 295 * release and re-grab of the mutex. The code should be revised to become 296 * slightly less racy. 297 * 298 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available 299 * pre_q space, suspending the system call until there is room? 300 / 301struct kaudit_record 302audit_new(int event, struct thread td) 303{ 304* struct kaudit_record ar; 305* int no_record; 306 307 mtx_lock(&audit_mtx); 308 no_record = (audit_suspended \|\| !audit_enabled); 309 mtx_unlock(&audit_mtx); 310 if (no_record) 311 return (NULL); 312 313 /* 314 * XXX: The number of outstanding uncommitted audit records is 315 * limited to the number of concurrent threads servicing system 316 * calls in the kernel. 317 / 318* ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK); 319 ar->k_ar.ar_event = event; 320 321 mtx_lock(&audit_mtx); 322 audit_pre_q_len++; 323 mtx_unlock(&audit_mtx); 324 325 return (ar); 326} 327 328void 329audit_free(struct kaudit_record ar) 330{ 331* 332 uma_zfree(audit_record_zone, ar); 333} 334 335/* 336 * MPSAFE 337 / 338void 339audit_commit(struct kaudit_record ar, int error, int retval) 340{ 341 au_event_t event; 342 au_class_t class; 343 au_id_t auid; 344 int sorf; 345 struct au_mask aumask; 346* 347 if (ar == NULL) 348 return; 349 350 /* 351 * Decide whether to commit the audit record by checking the 352 * error value from the system call and using the appropriate 353 * audit mask. 354 * 355 * XXXAUDIT: Synchronize access to audit_nae_mask? 356 / 357* if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) 358 aumask = &audit_nae_mask; 359 else 360 aumask = &ar->k_ar.ar_subj_amask; 361 362 if (error) 363 sorf = AU_PRS_FAILURE; 364 else 365 sorf = AU_PRS_SUCCESS; 366 367 switch(ar->k_ar.ar_event) { 368 369 case AUE_OPEN_RWTC: 370 /* The open syscall always writes a AUE_OPEN_RWTC event; change 371 * it to the proper type of event based on the flags and the 372 * error value. 373 / 374* ar->k_ar.ar_event = flags_and_error_to_openevent( 375 ar->k_ar.ar_arg_fflags, error); 376 break; 377 378 case AUE_SYSCTL: 379 ar->k_ar.ar_event = ctlname_to_sysctlevent( 380 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); 381 break; 382 383 case AUE_AUDITON: 384 /* Convert the auditon() command to an event / 385* ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); 386 break; 387 } 388 389 auid = ar->k_ar.ar_subj_auid; 390 event = ar->k_ar.ar_event; 391 class = au_event_class(event); 392 393 ar->k_ar_commit \|= AR_COMMIT_KERNEL; 394 if (au_preselect(event, class, aumask, sorf) != 0) 395 ar->k_ar_commit \|= AR_PRESELECT_TRAIL; 396 if (audit_pipe_preselect(auid, event, class, sorf, 397 ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) 398 ar->k_ar_commit \|= AR_PRESELECT_PIPE;	31 / 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sysproto.h> 52#include <sys/sysent.h> 53#include <sys/systm.h> 54#include <sys/ucred.h> 55#include <sys/uio.h> 56#include <sys/un.h> 57#include <sys/unistd.h> 58#include <sys/vnode.h> 59 60#include <bsm/audit.h> 61#include <bsm/audit_internal.h> 62#include <bsm/audit_kevents.h> 63 64#include <netinet/in.h> 65#include <netinet/in_pcb.h> 66 67#include <security/audit/audit.h> 68#include <security/audit/audit_private.h> 69 70#include <vm/uma.h> 71 72static uma_zone_t audit_record_zone; 73static MALLOC_DEFINE(M_AUDITPROC, "audit_proc", "Audit process storage"); 74MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); 75MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); 76MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); 77 78/ 79 * Audit control settings that are set/read by system calls and are 80 * hence non-static. 81 / 82/ 83 * Define the audit control flags. 84 / 85int audit_enabled; 86int audit_suspended; 87 88/ 89 * Flags controlling behavior in low storage situations. Should we panic if 90 * a write fails? Should we fail stop if we're out of disk space? 91 / 92int audit_panic_on_write_fail; 93int audit_fail_stop; 94int audit_argv; 95int audit_arge; 96 97/ 98 * Are we currently "failing stop" due to out of disk space? 99 / 100int audit_in_failure; 101* 102/* 103 * Global audit statistiscs. 104 / 105struct audit_fstat audit_fstat; 106* 107/* 108 * Preselection mask for non-attributable events. 109 / 110struct au_mask audit_nae_mask; 111* 112/* 113 * Mutex to protect global variables shared between various threads and 114 * processes. 115 / 116struct mtx audit_mtx; 117* 118/* 119 * Queue of audit records ready for delivery to disk. We insert new 120 * records at the tail, and remove records from the head. Also, 121 * a count of the number of records used for checking queue depth. 122 * In addition, a counter of records that we have allocated but are 123 * not yet in the queue, which is needed to estimate the total 124 * size of the combined set of records outstanding in the system. 125 / 126struct kaudit_queue audit_q; 127int audit_q_len; 128int audit_pre_q_len; 129* 130/* 131 * Audit queue control settings (minimum free, low/high water marks, etc.) 132 / 133struct au_qctrl audit_qctrl; 134* 135/* 136 * Condition variable to signal to the worker that it has work to do: 137 * either new records are in the queue, or a log replacement is taking 138 * place. 139 / 140struct cv audit_worker_cv; 141* 142/* 143 * Condition variable to flag when crossing the low watermark, meaning that 144 * threads blocked due to hitting the high watermark can wake up and continue 145 * to commit records. 146 / 147struct cv audit_watermark_cv; 148* 149/* 150 * Condition variable for auditing threads wait on when in fail-stop mode. 151 * Threads wait on this CV forever (and ever), never seeing the light of 152 * day again. 153 / 154static struct cv audit_fail_cv; 155* 156/* 157 * Construct an audit record for the passed thread. 158 / 159static int 160audit_record_ctor(void mem, int size, void arg, int flags) 161{ 162* struct kaudit_record ar; 163* struct thread td; 164* 165 KASSERT(sizeof(ar) == size, ("audit_record_ctor: wrong size")); 166* 167 td = arg; 168 ar = mem; 169 bzero(ar, sizeof(ar)); 170* ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; 171 nanotime(&ar->k_ar.ar_starttime); 172 173 /* 174 * Export the subject credential. 175 / 176* cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred); 177 ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid; 178 ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid; 179 ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0]; 180 PROC_LOCK(td->td_proc); 181 ar->k_ar.ar_subj_auid = td->td_proc->p_au->ai_auid; 182 ar->k_ar.ar_subj_asid = td->td_proc->p_au->ai_asid; 183 ar->k_ar.ar_subj_pid = td->td_proc->p_pid; 184 ar->k_ar.ar_subj_amask = td->td_proc->p_au->ai_mask; 185 ar->k_ar.ar_subj_term = td->td_proc->p_au->ai_termid; 186 bcopy(td->td_proc->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN); 187 PROC_UNLOCK(td->td_proc); 188 189 return (0); 190} 191 192static void 193audit_record_dtor(void mem, int size, void arg) 194{ 195 struct kaudit_record ar; 196* 197 KASSERT(sizeof(ar) == size, ("audit_record_dtor: wrong size")); 198* 199 ar = mem; 200 if (ar->k_ar.ar_arg_upath1 != NULL) 201 free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); 202 if (ar->k_ar.ar_arg_upath2 != NULL) 203 free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); 204 if (ar->k_ar.ar_arg_text != NULL) 205 free(ar->k_ar.ar_arg_text, M_AUDITTEXT); 206 if (ar->k_udata != NULL) 207 free(ar->k_udata, M_AUDITDATA); 208 if (ar->k_ar.ar_arg_argv != NULL) 209 free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); 210 if (ar->k_ar.ar_arg_envv != NULL) 211 free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); 212} 213 214/* 215 * Initialize the Audit subsystem: configuration state, work queue, 216 * synchronization primitives, worker thread, and trigger device node. Also 217 * call into the BSM assembly code to initialize it. 218 / 219static void 220audit_init(void) 221{ 222* 223 printf("Security auditing service present\n"); 224 audit_enabled = 0; 225 audit_suspended = 0; 226 audit_panic_on_write_fail = 0; 227 audit_fail_stop = 0; 228 audit_in_failure = 0; 229 audit_argv = 0; 230 audit_arge = 0; 231 232 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded / 233* audit_fstat.af_currsz = 0; 234 audit_nae_mask.am_success = AU_NULL; 235 audit_nae_mask.am_failure = AU_NULL; 236 237 TAILQ_INIT(&audit_q); 238 audit_q_len = 0; 239 audit_pre_q_len = 0; 240 audit_qctrl.aq_hiwater = AQ_HIWATER; 241 audit_qctrl.aq_lowater = AQ_LOWATER; 242 audit_qctrl.aq_bufsz = AQ_BUFSZ; 243 audit_qctrl.aq_minfree = AU_FS_MINFREE; 244 245 mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); 246 cv_init(&audit_worker_cv, "audit_worker_cv"); 247 cv_init(&audit_watermark_cv, "audit_watermark_cv"); 248 cv_init(&audit_fail_cv, "audit_fail_cv"); 249 250 audit_record_zone = uma_zcreate("audit_record", 251 sizeof(struct kaudit_record), audit_record_ctor, 252 audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0); 253 254 /* Initialize the BSM audit subsystem. / 255* kau_init(); 256 257 audit_trigger_init(); 258 259 /* Register shutdown handler. / 260* EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL, 261 SHUTDOWN_PRI_FIRST); 262 263 /* Start audit worker thread. / 264* audit_worker_init(); 265} 266 267SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL) 268 269/* 270 * Drain the audit queue and close the log at shutdown. Note that this can 271 * be called both from the system shutdown path and also from audit 272 * configuration syscalls, so 'arg' and 'howto' are ignored. 273 / 274void 275audit_shutdown(void arg, int howto) 276{ 277 278 audit_rotate_vnode(NULL, NULL); 279} 280 281/* 282 * Return the current thread's audit record, if any. 283 / 284__inline__ struct kaudit_record 285currecord(void) 286{ 287 288 return (curthread->td_ar); 289} 290 291/* 292 * MPSAFE 293 * 294 * XXXAUDIT: There are a number of races present in the code below due to 295 * release and re-grab of the mutex. The code should be revised to become 296 * slightly less racy. 297 * 298 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available 299 * pre_q space, suspending the system call until there is room? 300 / 301struct kaudit_record 302audit_new(int event, struct thread td) 303{ 304* struct kaudit_record ar; 305* int no_record; 306 307 mtx_lock(&audit_mtx); 308 no_record = (audit_suspended \|\| !audit_enabled); 309 mtx_unlock(&audit_mtx); 310 if (no_record) 311 return (NULL); 312 313 /* 314 * XXX: The number of outstanding uncommitted audit records is 315 * limited to the number of concurrent threads servicing system 316 * calls in the kernel. 317 / 318* ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK); 319 ar->k_ar.ar_event = event; 320 321 mtx_lock(&audit_mtx); 322 audit_pre_q_len++; 323 mtx_unlock(&audit_mtx); 324 325 return (ar); 326} 327 328void 329audit_free(struct kaudit_record ar) 330{ 331* 332 uma_zfree(audit_record_zone, ar); 333} 334 335/* 336 * MPSAFE 337 / 338void 339audit_commit(struct kaudit_record ar, int error, int retval) 340{ 341 au_event_t event; 342 au_class_t class; 343 au_id_t auid; 344 int sorf; 345 struct au_mask aumask; 346* 347 if (ar == NULL) 348 return; 349 350 /* 351 * Decide whether to commit the audit record by checking the 352 * error value from the system call and using the appropriate 353 * audit mask. 354 * 355 * XXXAUDIT: Synchronize access to audit_nae_mask? 356 / 357* if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) 358 aumask = &audit_nae_mask; 359 else 360 aumask = &ar->k_ar.ar_subj_amask; 361 362 if (error) 363 sorf = AU_PRS_FAILURE; 364 else 365 sorf = AU_PRS_SUCCESS; 366 367 switch(ar->k_ar.ar_event) { 368 369 case AUE_OPEN_RWTC: 370 /* The open syscall always writes a AUE_OPEN_RWTC event; change 371 * it to the proper type of event based on the flags and the 372 * error value. 373 / 374* ar->k_ar.ar_event = flags_and_error_to_openevent( 375 ar->k_ar.ar_arg_fflags, error); 376 break; 377 378 case AUE_SYSCTL: 379 ar->k_ar.ar_event = ctlname_to_sysctlevent( 380 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); 381 break; 382 383 case AUE_AUDITON: 384 /* Convert the auditon() command to an event / 385* ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); 386 break; 387 } 388 389 auid = ar->k_ar.ar_subj_auid; 390 event = ar->k_ar.ar_event; 391 class = au_event_class(event); 392 393 ar->k_ar_commit \|= AR_COMMIT_KERNEL; 394 if (au_preselect(event, class, aumask, sorf) != 0) 395 ar->k_ar_commit \|= AR_PRESELECT_TRAIL; 396 if (audit_pipe_preselect(auid, event, class, sorf, 397 ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) 398 ar->k_ar_commit \|= AR_PRESELECT_PIPE;
399 if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL \| AR_PRESELECT_PIPE)) == 400 0) {	399 if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL \| AR_PRESELECT_PIPE \| 400 AR_PRESELECT_USER_TRAIL \| AR_PRESELECT_USER_PIPE)) == 0) {
401 mtx_lock(&audit_mtx); 402 audit_pre_q_len--; 403 mtx_unlock(&audit_mtx); 404 audit_free(ar); 405 return; 406 } 407 408 ar->k_ar.ar_errno = error; 409 ar->k_ar.ar_retval = retval; 410 411 /* 412 * We might want to do some system-wide post-filtering 413 * here at some point. 414 / 415* 416 /* 417 * Timestamp system call end. 418 / 419* nanotime(&ar->k_ar.ar_endtime); 420 421 mtx_lock(&audit_mtx); 422 423 /* 424 * Note: it could be that some records initiated while audit was 425 * enabled should still be committed? 426 / 427* if (audit_suspended \|\| !audit_enabled) { 428 audit_pre_q_len--; 429 mtx_unlock(&audit_mtx); 430 audit_free(ar); 431 return; 432 } 433 434 /* 435 * Constrain the number of committed audit records based on 436 * the configurable parameter. 437 / 438* while (audit_q_len >= audit_qctrl.aq_hiwater) { 439 AUDIT_PRINTF(("audit_commit: sleeping to wait for " 440 "audit queue to drain below high water mark\n")); 441 cv_wait(&audit_watermark_cv, &audit_mtx); 442 AUDIT_PRINTF(("audit_commit: woke up waiting for " 443 "audit queue draining\n")); 444 } 445 446 TAILQ_INSERT_TAIL(&audit_q, ar, k_q); 447 audit_q_len++; 448 audit_pre_q_len--; 449 cv_signal(&audit_worker_cv); 450 mtx_unlock(&audit_mtx); 451} 452 453/* 454 * audit_syscall_enter() is called on entry to each system call. It is 455 * responsible for deciding whether or not to audit the call (preselection), 456 * and if so, allocating a per-thread audit record. audit_new() will fill in 457 * basic thread/credential properties. 458 / 459void 460audit_syscall_enter(unsigned short code, struct thread td) 461{ 462 struct au_mask aumask; 463* au_class_t class; 464 au_event_t event; 465 au_id_t auid; 466 467 KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL")); 468 469 /* 470 * In FreeBSD, each ABI has its own system call table, and hence 471 * mapping of system call codes to audit events. Convert the code to 472 * an audit event identifier using the process system call table 473 * reference. In Darwin, there's only one, so we use the global 474 * symbol for the system call table. 475 * 476 * XXXAUDIT: Should we audit that a bad system call was made, and if 477 * so, how? 478 / 479* if (code >= td->td_proc->p_sysent->sv_size) 480 return; 481 482 event = td->td_proc->p_sysent->sv_table[code].sy_auevent; 483 if (event == AUE_NULL) 484 return; 485 486 /* 487 * Check which audit mask to use; either the kernel non-attributable 488 * event mask or the process audit mask. 489 / 490* auid = td->td_proc->p_au->ai_auid; 491 if (auid == AU_DEFAUDITID) 492 aumask = &audit_nae_mask; 493 else 494 aumask = &td->td_proc->p_au->ai_mask; 495 496 /* 497 * Allocate an audit record, if preselection allows it, and store 498 * in the thread for later use. 499 / 500* class = au_event_class(event); 501 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { 502 /* 503 * If we're out of space and need to suspend unprivileged 504 * processes, do that here rather than trying to allocate 505 * another audit record. 506 * 507 * XXXRW: We might wish to be able to continue here in the 508 * future, if the system recovers. That should be possible 509 * by means of checking the condition in a loop around 510 * cv_wait(). It might be desirable to reevaluate whether an 511 * audit record is still required for this event by 512 * re-calling au_preselect(). 513 / 514* if (audit_in_failure && suser(td) != 0) { 515 cv_wait(&audit_fail_cv, &audit_mtx); 516 panic("audit_failing_stop: thread continued"); 517 } 518 td->td_ar = audit_new(event, td); 519 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) 520 td->td_ar = audit_new(event, td); 521 else 522 td->td_ar = NULL; 523} 524 525/* 526 * audit_syscall_exit() is called from the return of every system call, or in 527 * the event of exit1(), during the execution of exit1(). It is responsible 528 * for committing the audit record, if any, along with return condition. 529 / 530void 531audit_syscall_exit(int error, struct thread td) 532{ 533 int retval; 534 535 /* 536 * Commit the audit record as desired; once we pass the record 537 * into audit_commit(), the memory is owned by the audit 538 * subsystem. 539 * The return value from the system call is stored on the user 540 * thread. If there was an error, the return value is set to -1, 541 * imitating the behavior of the cerror routine. 542 / 543* if (error) 544 retval = -1; 545 else 546 retval = td->td_retval[0]; 547 548 audit_commit(td->td_ar, error, retval); 549 if (td->td_ar != NULL) 550 AUDIT_PRINTF(("audit record committed by pid %d\n", 551 td->td_proc->p_pid)); 552 td->td_ar = NULL; 553 554} 555 556/* 557 * Allocate storage for a new process (init, or otherwise). 558 / 559void 560audit_proc_alloc(struct proc p) 561{ 562 563 KASSERT(p->p_au == NULL, ("audit_proc_alloc: p->p_au != NULL (%d)", 564 p->p_pid)); 565 p->p_au = malloc(sizeof((p->p_au)), M_AUDITPROC, M_WAITOK); 566* /* XXXAUDIT: Zero? Slab allocate? / 567* //printf("audit_proc_alloc: pid %d p_au %p\n", p->p_pid, p->p_au); 568} 569 570/* 571 * Allocate storage for a new thread. 572 / 573void 574audit_thread_alloc(struct thread td) 575{ 576 577 td->td_ar = NULL; 578} 579 580/* 581 * Thread destruction. 582 / 583void 584audit_thread_free(struct thread td) 585{ 586 587 KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); 588} 589 590/* 591 * Initialize the audit information for the a process, presumably the first 592 * process in the system. 593 * XXX It is not clear what the initial values should be for audit ID, 594 * session ID, etc. 595 / 596void 597audit_proc_kproc0(struct proc p) 598{ 599 600 KASSERT(p->p_au != NULL, ("audit_proc_kproc0: p->p_au == NULL (%d)", 601 p->p_pid)); 602 //printf("audit_proc_kproc0: pid %d p_au %p\n", p->p_pid, p->p_au); 603 bzero(p->p_au, sizeof((p)->p_au)); 604} 605* 606void 607audit_proc_init(struct proc p) 608{ 609* 610 KASSERT(p->p_au != NULL, ("audit_proc_init: p->p_au == NULL (%d)", 611 p->p_pid)); 612 //printf("audit_proc_init: pid %d p_au %p\n", p->p_pid, p->p_au); 613 bzero(p->p_au, sizeof((p)->p_au)); 614* p->p_au->ai_auid = AU_DEFAUDITID; 615} 616 617/* 618 * Copy the audit info from the parent process to the child process when 619 * a fork takes place. 620 / 621void 622audit_proc_fork(struct proc parent, struct proc child) 623{ 624* 625 PROC_LOCK_ASSERT(parent, MA_OWNED); 626 PROC_LOCK_ASSERT(child, MA_OWNED); 627 KASSERT(parent->p_au != NULL, 628 ("audit_proc_fork: parent->p_au == NULL (%d)", parent->p_pid)); 629 KASSERT(child->p_au != NULL, 630 ("audit_proc_fork: child->p_au == NULL (%d)", child->p_pid)); 631 //printf("audit_proc_fork: parent pid %d p_au %p\n", parent->p_pid, 632 // parent->p_au); 633 //printf("audit_proc_fork: child pid %d p_au %p\n", child->p_pid, 634 // child->p_au); 635 bcopy(parent->p_au, child->p_au, sizeof(child->p_au)); 636* /* 637 * XXXAUDIT: Zero pointers to external memory, or assert they are 638 * zero? 639 / 640} 641* 642/* 643 * Free the auditing structure for the process. 644 / 645void 646audit_proc_free(struct proc p) 647{ 648 649 KASSERT(p->p_au != NULL, ("p->p_au == NULL (%d)", p->p_pid)); 650 //printf("audit_proc_free: pid %d p_au %p\n", p->p_pid, p->p_au); 651 /* 652 * XXXAUDIT: Assert that external memory pointers are NULL? 653 / 654* free(p->p_au, M_AUDITPROC); 655 p->p_au = NULL; 656}	401 mtx_lock(&audit_mtx); 402 audit_pre_q_len--; 403 mtx_unlock(&audit_mtx); 404 audit_free(ar); 405 return; 406 } 407 408 ar->k_ar.ar_errno = error; 409 ar->k_ar.ar_retval = retval; 410 411 /* 412 * We might want to do some system-wide post-filtering 413 * here at some point. 414 / 415* 416 /* 417 * Timestamp system call end. 418 / 419* nanotime(&ar->k_ar.ar_endtime); 420 421 mtx_lock(&audit_mtx); 422 423 /* 424 * Note: it could be that some records initiated while audit was 425 * enabled should still be committed? 426 / 427* if (audit_suspended \|\| !audit_enabled) { 428 audit_pre_q_len--; 429 mtx_unlock(&audit_mtx); 430 audit_free(ar); 431 return; 432 } 433 434 /* 435 * Constrain the number of committed audit records based on 436 * the configurable parameter. 437 / 438* while (audit_q_len >= audit_qctrl.aq_hiwater) { 439 AUDIT_PRINTF(("audit_commit: sleeping to wait for " 440 "audit queue to drain below high water mark\n")); 441 cv_wait(&audit_watermark_cv, &audit_mtx); 442 AUDIT_PRINTF(("audit_commit: woke up waiting for " 443 "audit queue draining\n")); 444 } 445 446 TAILQ_INSERT_TAIL(&audit_q, ar, k_q); 447 audit_q_len++; 448 audit_pre_q_len--; 449 cv_signal(&audit_worker_cv); 450 mtx_unlock(&audit_mtx); 451} 452 453/* 454 * audit_syscall_enter() is called on entry to each system call. It is 455 * responsible for deciding whether or not to audit the call (preselection), 456 * and if so, allocating a per-thread audit record. audit_new() will fill in 457 * basic thread/credential properties. 458 / 459void 460audit_syscall_enter(unsigned short code, struct thread td) 461{ 462 struct au_mask aumask; 463* au_class_t class; 464 au_event_t event; 465 au_id_t auid; 466 467 KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL")); 468 469 /* 470 * In FreeBSD, each ABI has its own system call table, and hence 471 * mapping of system call codes to audit events. Convert the code to 472 * an audit event identifier using the process system call table 473 * reference. In Darwin, there's only one, so we use the global 474 * symbol for the system call table. 475 * 476 * XXXAUDIT: Should we audit that a bad system call was made, and if 477 * so, how? 478 / 479* if (code >= td->td_proc->p_sysent->sv_size) 480 return; 481 482 event = td->td_proc->p_sysent->sv_table[code].sy_auevent; 483 if (event == AUE_NULL) 484 return; 485 486 /* 487 * Check which audit mask to use; either the kernel non-attributable 488 * event mask or the process audit mask. 489 / 490* auid = td->td_proc->p_au->ai_auid; 491 if (auid == AU_DEFAUDITID) 492 aumask = &audit_nae_mask; 493 else 494 aumask = &td->td_proc->p_au->ai_mask; 495 496 /* 497 * Allocate an audit record, if preselection allows it, and store 498 * in the thread for later use. 499 / 500* class = au_event_class(event); 501 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) { 502 /* 503 * If we're out of space and need to suspend unprivileged 504 * processes, do that here rather than trying to allocate 505 * another audit record. 506 * 507 * XXXRW: We might wish to be able to continue here in the 508 * future, if the system recovers. That should be possible 509 * by means of checking the condition in a loop around 510 * cv_wait(). It might be desirable to reevaluate whether an 511 * audit record is still required for this event by 512 * re-calling au_preselect(). 513 / 514* if (audit_in_failure && suser(td) != 0) { 515 cv_wait(&audit_fail_cv, &audit_mtx); 516 panic("audit_failing_stop: thread continued"); 517 } 518 td->td_ar = audit_new(event, td); 519 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) 520 td->td_ar = audit_new(event, td); 521 else 522 td->td_ar = NULL; 523} 524 525/* 526 * audit_syscall_exit() is called from the return of every system call, or in 527 * the event of exit1(), during the execution of exit1(). It is responsible 528 * for committing the audit record, if any, along with return condition. 529 / 530void 531audit_syscall_exit(int error, struct thread td) 532{ 533 int retval; 534 535 /* 536 * Commit the audit record as desired; once we pass the record 537 * into audit_commit(), the memory is owned by the audit 538 * subsystem. 539 * The return value from the system call is stored on the user 540 * thread. If there was an error, the return value is set to -1, 541 * imitating the behavior of the cerror routine. 542 / 543* if (error) 544 retval = -1; 545 else 546 retval = td->td_retval[0]; 547 548 audit_commit(td->td_ar, error, retval); 549 if (td->td_ar != NULL) 550 AUDIT_PRINTF(("audit record committed by pid %d\n", 551 td->td_proc->p_pid)); 552 td->td_ar = NULL; 553 554} 555 556/* 557 * Allocate storage for a new process (init, or otherwise). 558 / 559void 560audit_proc_alloc(struct proc p) 561{ 562 563 KASSERT(p->p_au == NULL, ("audit_proc_alloc: p->p_au != NULL (%d)", 564 p->p_pid)); 565 p->p_au = malloc(sizeof((p->p_au)), M_AUDITPROC, M_WAITOK); 566* /* XXXAUDIT: Zero? Slab allocate? / 567* //printf("audit_proc_alloc: pid %d p_au %p\n", p->p_pid, p->p_au); 568} 569 570/* 571 * Allocate storage for a new thread. 572 / 573void 574audit_thread_alloc(struct thread td) 575{ 576 577 td->td_ar = NULL; 578} 579 580/* 581 * Thread destruction. 582 / 583void 584audit_thread_free(struct thread td) 585{ 586 587 KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); 588} 589 590/* 591 * Initialize the audit information for the a process, presumably the first 592 * process in the system. 593 * XXX It is not clear what the initial values should be for audit ID, 594 * session ID, etc. 595 / 596void 597audit_proc_kproc0(struct proc p) 598{ 599 600 KASSERT(p->p_au != NULL, ("audit_proc_kproc0: p->p_au == NULL (%d)", 601 p->p_pid)); 602 //printf("audit_proc_kproc0: pid %d p_au %p\n", p->p_pid, p->p_au); 603 bzero(p->p_au, sizeof((p)->p_au)); 604} 605* 606void 607audit_proc_init(struct proc p) 608{ 609* 610 KASSERT(p->p_au != NULL, ("audit_proc_init: p->p_au == NULL (%d)", 611 p->p_pid)); 612 //printf("audit_proc_init: pid %d p_au %p\n", p->p_pid, p->p_au); 613 bzero(p->p_au, sizeof((p)->p_au)); 614* p->p_au->ai_auid = AU_DEFAUDITID; 615} 616 617/* 618 * Copy the audit info from the parent process to the child process when 619 * a fork takes place. 620 / 621void 622audit_proc_fork(struct proc parent, struct proc child) 623{ 624* 625 PROC_LOCK_ASSERT(parent, MA_OWNED); 626 PROC_LOCK_ASSERT(child, MA_OWNED); 627 KASSERT(parent->p_au != NULL, 628 ("audit_proc_fork: parent->p_au == NULL (%d)", parent->p_pid)); 629 KASSERT(child->p_au != NULL, 630 ("audit_proc_fork: child->p_au == NULL (%d)", child->p_pid)); 631 //printf("audit_proc_fork: parent pid %d p_au %p\n", parent->p_pid, 632 // parent->p_au); 633 //printf("audit_proc_fork: child pid %d p_au %p\n", child->p_pid, 634 // child->p_au); 635 bcopy(parent->p_au, child->p_au, sizeof(child->p_au)); 636* /* 637 * XXXAUDIT: Zero pointers to external memory, or assert they are 638 * zero? 639 / 640} 641* 642/* 643 * Free the auditing structure for the process. 644 / 645void 646audit_proc_free(struct proc p) 647{ 648 649 KASSERT(p->p_au != NULL, ("p->p_au == NULL (%d)", p->p_pid)); 650 //printf("audit_proc_free: pid %d p_au %p\n", p->p_pid, p->p_au); 651 /* 652 * XXXAUDIT: Assert that external memory pointers are NULL? 653 / 654* free(p->p_au, M_AUDITPROC); 655 p->p_au = NULL; 656}