bsm_wrappers.c revision 159248 
1155131Srwatson/*
2155131Srwatson * Copyright (c) 2004 Apple Computer, Inc.
3155131Srwatson * All rights reserved.
4155131Srwatson *
5155131Srwatson * Redistribution and use in source and binary forms, with or without
6155131Srwatson * modification, are permitted provided that the following conditions
7155131Srwatson * are met:
8155131Srwatson * 1.  Redistributions of source code must retain the above copyright
9155131Srwatson *     notice, this list of conditions and the following disclaimer.
10155131Srwatson * 2.  Redistributions in binary form must reproduce the above copyright
11155131Srwatson *     notice, this list of conditions and the following disclaimer in the
12155131Srwatson *     documentation and/or other materials provided with the distribution.
13155131Srwatson * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14155131Srwatson *     its contributors may be used to endorse or promote products derived
15155131Srwatson *     from this software without specific prior written permission.
16155131Srwatson *
17155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27155131Srwatson * POSSIBILITY OF SUCH DAMAGE.
28155131Srwatson *
29159248Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#23 $
30155131Srwatson */
31155131Srwatson
32155518Srwatson#ifdef __APPLE__
33155518Srwatson#define	_SYS_AUDIT_H		/* Prevent include of sys/audit.h. */
34155518Srwatson#endif
35155518Srwatson
36155131Srwatson#include <sys/param.h>
37155131Srwatson#include <sys/stat.h>
38156283Srwatson
39156283Srwatson#ifdef __APPLE__
40156283Srwatson#include <sys/queue.h>		/* Our bsm/audit.h doesn't include queue.h. */
41156283Srwatson#endif
42156283Srwatson
43155131Srwatson#include <sys/sysctl.h>
44155131Srwatson
45155131Srwatson#include <bsm/libbsm.h>
46155131Srwatson
47155131Srwatson#include <unistd.h>
48155131Srwatson#include <syslog.h>
49159248Srwatson#include <stdarg.h>
50155131Srwatson#include <string.h>
51155131Srwatson#include <errno.h>
52155131Srwatson
53155131Srwatson/* These are not advertised in libbsm.h */
54155131Srwatsonint audit_set_terminal_port(dev_t *p);
55155131Srwatsonint audit_set_terminal_host(uint32_t *m);
56155131Srwatson
57159248Srwatson/*
58159248Srwatson * General purpose audit submission mechanism for userspace.
59159248Srwatson */
60155131Srwatsonint
61159248Srwatsonaudit_submit(short au_event, au_id_t auid, char status,
62159248Srwatson    int reterr, const char *fmt, ...)
63159248Srwatson{
64159248Srwatson	char text[MAX_AUDITSTRING_LEN];
65159248Srwatson	token_t *token;
66159248Srwatson	long acond;
67159248Srwatson	va_list ap;
68159248Srwatson	pid_t pid;
69159248Srwatson	int error, afd;
70159248Srwatson	struct auditinfo ai;
71159248Srwatson
72159248Srwatson	if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
73159248Srwatson		/*
74159248Srwatson		 * If auditon(2) returns ENOSYS, then audit has not been
75159248Srwatson		 * compiled into the kernel, so just return.
76159248Srwatson		 */
77159248Srwatson		if (errno == ENOSYS)
78159248Srwatson			return (0);
79159248Srwatson		error = errno;
80159248Srwatson		syslog(LOG_AUTH | LOG_ERR, "audit: auditon failed: %s",
81159248Srwatson		    strerror(errno));
82159248Srwatson		errno = error;
83159248Srwatson		return (-1);
84159248Srwatson	}
85159248Srwatson	if (acond == AUC_NOAUDIT)
86159248Srwatson		return (0);
87159248Srwatson	afd = au_open();
88159248Srwatson	if (afd < 0) {
89159248Srwatson		error = errno;
90159248Srwatson		syslog(LOG_AUTH | LOG_ERR, "audit: au_open failed: %s",
91159248Srwatson		    strerror(errno));
92159248Srwatson		errno = error;
93159248Srwatson		return (-1);
94159248Srwatson	}
95159248Srwatson	if (getaudit(&ai) < 0) {
96159248Srwatson		error = errno;
97159248Srwatson		syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
98159248Srwatson		    strerror(errno));
99159248Srwatson		errno = error;
100159248Srwatson		return (-1);
101159248Srwatson	}
102159248Srwatson	pid = getpid();
103159248Srwatson	token = au_to_subject32(auid, geteuid(), getegid(),
104159248Srwatson	    getuid(), getgid(), pid, pid, &ai.ai_termid);
105159248Srwatson	if (token == NULL) {
106159248Srwatson		syslog(LOG_AUTH | LOG_ERR,
107159248Srwatson		    "audit: unable to build subject token");
108159248Srwatson		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
109159248Srwatson		errno = EPERM;
110159248Srwatson		return (-1);
111159248Srwatson	}
112159248Srwatson	if (au_write(afd, token) < 0) {
113159248Srwatson		error = errno;
114159248Srwatson		syslog(LOG_AUTH | LOG_ERR,
115159248Srwatson		    "audit: au_write failed: %s", strerror(errno));
116159248Srwatson		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
117159248Srwatson		errno = error;
118159248Srwatson		return (-1);
119159248Srwatson	}
120159248Srwatson	if (fmt != NULL) {
121159248Srwatson		va_start(ap, fmt);
122159248Srwatson		(void) vsnprintf(text, MAX_AUDITSTRING_LEN, fmt, ap);
123159248Srwatson		va_end(ap);
124159248Srwatson		token = au_to_text(text);
125159248Srwatson		if (token == NULL) {
126159248Srwatson			syslog(LOG_AUTH | LOG_ERR,
127159248Srwatson			    "audit: failed to generate text token");
128159248Srwatson			(void) au_close(afd, AU_TO_NO_WRITE, au_event);
129159248Srwatson			errno = EPERM;
130159248Srwatson			return (-1);
131159248Srwatson		}
132159248Srwatson		if (au_write(afd, token) < 0) {
133159248Srwatson			error = errno;
134159248Srwatson			syslog(LOG_AUTH | LOG_ERR,
135159248Srwatson			    "audit: au_write failed: %s", strerror(errno));
136159248Srwatson			(void) au_close(afd, AU_TO_NO_WRITE, au_event);
137159248Srwatson			errno = error;
138159248Srwatson			return (-1);
139159248Srwatson		}
140159248Srwatson	}
141159248Srwatson	token = au_to_return32(status, reterr);
142159248Srwatson	if (token == NULL) {
143159248Srwatson		syslog(LOG_AUTH | LOG_ERR,
144159248Srwatson		    "audit: enable to build return token");
145159248Srwatson		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
146159248Srwatson		errno = EPERM;
147159248Srwatson		return (-1);
148159248Srwatson	}
149159248Srwatson	if (au_write(afd, token) < 0) {
150159248Srwatson		error = errno;
151159248Srwatson		syslog(LOG_AUTH | LOG_ERR,
152159248Srwatson		    "audit: au_write failed: %s", strerror(errno));
153159248Srwatson		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
154159248Srwatson		errno = error;
155159248Srwatson		return (-1);
156159248Srwatson	}
157159248Srwatson	if (au_close(afd, AU_TO_WRITE, au_event) < 0) {
158159248Srwatson		error = errno;
159159248Srwatson		syslog(LOG_AUTH | LOG_ERR, "audit: record not committed");
160159248Srwatson		errno = error;
161159248Srwatson		return (-1);
162159248Srwatson	}
163159248Srwatson	return (0);
164159248Srwatson}
165159248Srwatson
166159248Srwatsonint
167155131Srwatsonaudit_set_terminal_port(dev_t *p)
168155131Srwatson{
169155131Srwatson	struct stat st;
170155131Srwatson
171155131Srwatson	if (p == NULL)
172155131Srwatson		return (kAUBadParamErr);
173155131Srwatson
174156283Srwatson#ifdef NODEV
175155131Srwatson	*p = NODEV;
176156283Srwatson#else
177156283Srwatson	*p = -1;
178156283Srwatson#endif
179155131Srwatson
180155131Srwatson	/* for /usr/bin/login, try fstat() first */
181155131Srwatson	if (fstat(STDIN_FILENO, &st) != 0) {
182155131Srwatson		if (errno != EBADF) {
183155131Srwatson			syslog(LOG_ERR, "fstat() failed (%s)",
184155131Srwatson			    strerror(errno));
185155131Srwatson			return (kAUStatErr);
186155131Srwatson		}
187155131Srwatson		if (stat("/dev/console", &st) != 0) {
188155131Srwatson			syslog(LOG_ERR, "stat() failed (%s)",
189155131Srwatson			    strerror(errno));
190155131Srwatson			return (kAUStatErr);
191155131Srwatson		}
192155131Srwatson	}
193155131Srwatson	*p = st.st_rdev;
194155131Srwatson	return (kAUNoErr);
195155131Srwatson}
196155131Srwatson
197155131Srwatsonint
198155131Srwatsonaudit_set_terminal_host(uint32_t *m)
199155131Srwatson{
200156283Srwatson
201156283Srwatson#ifdef KERN_HOSTID
202155131Srwatson	int name[2] = { CTL_KERN, KERN_HOSTID };
203155131Srwatson	size_t len;
204155131Srwatson
205155131Srwatson	if (m == NULL)
206155131Srwatson		return (kAUBadParamErr);
207155131Srwatson	*m = 0;
208155131Srwatson	len = sizeof(*m);
209155131Srwatson	if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
210155131Srwatson		syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
211155131Srwatson		return (kAUSysctlErr);
212155131Srwatson	}
213155131Srwatson	return (kAUNoErr);
214156283Srwatson#else
215156283Srwatson	*m = -1;
216156283Srwatson	return (kAUNoErr);
217156283Srwatson#endif
218155131Srwatson}
219155131Srwatson
220155131Srwatsonint
221155131Srwatsonaudit_set_terminal_id(au_tid_t *tid)
222155131Srwatson{
223155131Srwatson	int ret;
224155131Srwatson
225155131Srwatson	if (tid == NULL)
226155131Srwatson		return (kAUBadParamErr);
227155131Srwatson	if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
228155131Srwatson		return (ret);
229155131Srwatson	return (audit_set_terminal_host(&tid->machine));
230155131Srwatson}
231155131Srwatson
232155131Srwatson/*
233155131Srwatson * This is OK for those callers who have only one token to write.  If you have
234155131Srwatson * multiple tokens that logically form part of the same audit record, you need
235155131Srwatson * to use the existing au_open()/au_write()/au_close() API:
236155131Srwatson *
237155131Srwatson * aufd = au_open();
238155131Srwatson * tok = au_to_random_token_1(...);
239155131Srwatson * au_write(aufd, tok);
240155131Srwatson * tok = au_to_random_token_2(...);
241155131Srwatson * au_write(aufd, tok);
242155131Srwatson * ...
243159248Srwatson * au_close(aufd, AU_TO_WRITE, AUE_your_event_type);
244155131Srwatson *
245155131Srwatson * Assumes, like all wrapper calls, that the caller has previously checked
246155131Srwatson * that auditing is enabled via the audit_get_state() call.
247155131Srwatson *
248155131Srwatson * XXX: Should be more robust against bad arguments.
249155131Srwatson */
250155131Srwatsonint
251155131Srwatsonaudit_write(short event_code, token_t *subject, token_t *misctok, char retval,
252155131Srwatson    int errcode)
253155131Srwatson{
254155131Srwatson	int aufd;
255155131Srwatson	char *func = "audit_write()";
256155131Srwatson	token_t *rettok;
257155131Srwatson
258155131Srwatson	if ((aufd = au_open()) == -1) {
259155131Srwatson		au_free_token(subject);
260155131Srwatson		au_free_token(misctok);
261155131Srwatson		syslog(LOG_ERR, "%s: au_open() failed", func);
262155131Srwatson		return (kAUOpenErr);
263155131Srwatson	}
264155131Srwatson
265155131Srwatson	/* Save subject. */
266155131Srwatson	if (subject && au_write(aufd, subject) == -1) {
267155131Srwatson		au_free_token(subject);
268155131Srwatson		au_free_token(misctok);
269159248Srwatson		(void)au_close(aufd, AU_TO_WRITE, event_code);
270155131Srwatson		syslog(LOG_ERR, "%s: write of subject failed", func);
271155131Srwatson		return (kAUWriteSubjectTokErr);
272155131Srwatson	}
273155131Srwatson
274155131Srwatson	/* Save the event-specific token. */
275155131Srwatson	if (misctok && au_write(aufd, misctok) == -1) {
276155131Srwatson		au_free_token(misctok);
277159248Srwatson		(void)au_close(aufd, AU_TO_NO_WRITE, event_code);
278155131Srwatson		syslog(LOG_ERR, "%s: write of caller token failed", func);
279155131Srwatson		return (kAUWriteCallerTokErr);
280155131Srwatson	}
281155131Srwatson
282155131Srwatson	/* Tokenize and save the return value. */
283155131Srwatson	if ((rettok = au_to_return32(retval, errcode)) == NULL) {
284159248Srwatson		(void)au_close(aufd, AU_TO_NO_WRITE, event_code);
285155131Srwatson		syslog(LOG_ERR, "%s: au_to_return32() failed", func);
286155131Srwatson		return (kAUMakeReturnTokErr);
287155131Srwatson	}
288155131Srwatson
289155131Srwatson	if (au_write(aufd, rettok) == -1) {
290155131Srwatson		au_free_token(rettok);
291159248Srwatson		(void)au_close(aufd, AU_TO_NO_WRITE, event_code);
292155131Srwatson		syslog(LOG_ERR, "%s: write of return code failed", func);
293155131Srwatson		return (kAUWriteReturnTokErr);
294155131Srwatson	}
295155131Srwatson
296155131Srwatson	/*
297159248Srwatson	 * We assume the caller wouldn't have bothered with this
298155131Srwatson	 * function if it hadn't already decided to keep the record.
299155131Srwatson	 */
300159248Srwatson	if (au_close(aufd, AU_TO_WRITE, event_code) < 0) {
301155131Srwatson		syslog(LOG_ERR, "%s: au_close() failed", func);
302155131Srwatson		return (kAUCloseErr);
303155131Srwatson	}
304155131Srwatson
305155131Srwatson	return (kAUNoErr);
306155131Srwatson}
307155131Srwatson
308155131Srwatson/*
309155131Srwatson * Same caveats as audit_write().  In addition, this function explicitly
310155131Srwatson * assumes success; use audit_write_failure() on error.
311155131Srwatson */
312155131Srwatsonint
313155131Srwatsonaudit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
314155131Srwatson    gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
315155131Srwatson    au_tid_t *tid)
316155131Srwatson{
317155131Srwatson	char *func = "audit_write_success()";
318155131Srwatson	token_t *subject = NULL;
319155131Srwatson
320155131Srwatson	/* Tokenize and save subject. */
321155131Srwatson	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
322155131Srwatson	    tid);
323155131Srwatson	if (subject == NULL) {
324155131Srwatson		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
325155131Srwatson		return kAUMakeSubjectTokErr;
326155131Srwatson	}
327155131Srwatson
328155131Srwatson	return (audit_write(event_code, subject, tok, 0, 0));
329155131Srwatson}
330155131Srwatson
331155131Srwatson/*
332155131Srwatson * Same caveats as audit_write().  In addition, this function explicitly
333155131Srwatson * assumes success; use audit_write_failure_self() on error.
334155131Srwatson */
335155131Srwatsonint
336155131Srwatsonaudit_write_success_self(short event_code, token_t *tok)
337155131Srwatson{
338155131Srwatson	token_t *subject;
339155131Srwatson	char *func = "audit_write_success_self()";
340155131Srwatson
341155131Srwatson	if ((subject = au_to_me()) == NULL) {
342155131Srwatson		syslog(LOG_ERR, "%s: au_to_me() failed", func);
343155131Srwatson		return (kAUMakeSubjectTokErr);
344155131Srwatson	}
345155131Srwatson
346155131Srwatson	return (audit_write(event_code, subject, tok, 0, 0));
347155131Srwatson}
348155131Srwatson
349155131Srwatson/*
350155131Srwatson * Same caveats as audit_write().  In addition, this function explicitly
351155131Srwatson * assumes failure; use audit_write_success() otherwise.
352155131Srwatson *
353155131Srwatson * XXX  This should let the caller pass an error return value rather than
354155131Srwatson * hard-coding -1.
355155131Srwatson */
356155131Srwatsonint
357155131Srwatsonaudit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
358155131Srwatson    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
359155131Srwatson    au_tid_t *tid)
360155131Srwatson{
361155131Srwatson	char *func = "audit_write_failure()";
362155131Srwatson	token_t *subject, *errtok;
363155131Srwatson
364155131Srwatson	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
365155131Srwatson	if (subject == NULL) {
366155131Srwatson		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
367155131Srwatson		return (kAUMakeSubjectTokErr);
368155131Srwatson	}
369155131Srwatson
370155131Srwatson	/* tokenize and save the error message */
371155131Srwatson	if ((errtok = au_to_text(errmsg)) == NULL) {
372155131Srwatson		au_free_token(subject);
373155131Srwatson		syslog(LOG_ERR, "%s: au_to_text() failed", func);
374155131Srwatson		return (kAUMakeTextTokErr);
375155131Srwatson	}
376155131Srwatson
377155131Srwatson	return (audit_write(event_code, subject, errtok, -1, errcode));
378155131Srwatson}
379155131Srwatson
380155131Srwatson/*
381155131Srwatson * Same caveats as audit_write().  In addition, this function explicitly
382155131Srwatson * assumes failure; use audit_write_success_self() otherwise.
383155131Srwatson *
384155131Srwatson * XXX  This should let the caller pass an error return value rather than
385155131Srwatson * hard-coding -1.
386155131Srwatson */
387155131Srwatsonint
388155131Srwatsonaudit_write_failure_self(short event_code, char *errmsg, int errret)
389155131Srwatson{
390155131Srwatson	char *func = "audit_write_failure_self()";
391155131Srwatson	token_t *subject, *errtok;
392155131Srwatson
393155131Srwatson	if ((subject = au_to_me()) == NULL) {
394155131Srwatson		syslog(LOG_ERR, "%s: au_to_me() failed", func);
395155131Srwatson		return (kAUMakeSubjectTokErr);
396155131Srwatson	}
397155131Srwatson	/* tokenize and save the error message */
398155131Srwatson	if ((errtok = au_to_text(errmsg)) == NULL) {
399155131Srwatson		au_free_token(subject);
400155131Srwatson		syslog(LOG_ERR, "%s: au_to_text() failed", func);
401155131Srwatson		return (kAUMakeTextTokErr);
402155131Srwatson	}
403155131Srwatson	return (audit_write(event_code, subject, errtok, -1, errret));
404155131Srwatson}
405155131Srwatson
406155131Srwatson/*
407155131Srwatson * For auditing errors during login.  Such errors are implicitly
408155131Srwatson * non-attributable (i.e., not ascribable to any user).
409155131Srwatson *
410155131Srwatson * Assumes, like all wrapper calls, that the caller has previously checked
411155131Srwatson * that auditing is enabled via the audit_get_state() call.
412155131Srwatson */
413155131Srwatsonint
414155131Srwatsonaudit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
415155131Srwatson    uid_t egid, pid_t pid, au_tid_t *tid)
416155131Srwatson{
417155131Srwatson
418155131Srwatson	return (audit_write_failure(event_code, errmsg, errret, -1, euid,
419155131Srwatson	    egid, -1, -1, pid, -1, tid));
420155131Srwatson}
421155131Srwatson
422155131Srwatson/* END OF au_write() WRAPPERS */
423155131Srwatson
424155131Srwatson#ifdef __APPLE__
425155131Srwatsonvoid
426155131Srwatsonaudit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
427155131Srwatson    gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
428155131Srwatson    au_tid_t *tidp)
429155131Srwatson{
430155131Srwatson
431155131Srwatson	if (auidp != NULL)
432155131Srwatson		*auidp = (uid_t)atoken.val[0];
433155131Srwatson	if (euidp != NULL)
434155131Srwatson		*euidp = (uid_t)atoken.val[1];
435155131Srwatson	if (egidp != NULL)
436155131Srwatson		*egidp = (gid_t)atoken.val[2];
437155131Srwatson	if (ruidp != NULL)
438155131Srwatson		*ruidp = (uid_t)atoken.val[3];
439155131Srwatson	if (rgidp != NULL)
440155131Srwatson		*rgidp = (gid_t)atoken.val[4];
441155131Srwatson	if (pidp != NULL)
442155131Srwatson		*pidp = (pid_t)atoken.val[5];
443155131Srwatson	if (asidp != NULL)
444155131Srwatson		*asidp = (au_asid_t)atoken.val[6];
445155131Srwatson	if (tidp != NULL) {
446155131Srwatson		audit_set_terminal_host(&tidp->machine);
447155131Srwatson		tidp->port = (dev_t)atoken.val[7];
448155131Srwatson	}
449155131Srwatson}
450155131Srwatson#endif /* !__APPLE__ */
451