audit_bsm_klib.c revision 331722 
1/*
2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1.  Redistributions of source code must retain the above copyright
10 *     notice, this list of conditions and the following disclaimer.
11 * 2.  Redistributions in binary form must reproduce the above copyright
12 *     notice, this list of conditions and the following disclaimer in the
13 *     documentation and/or other materials provided with the distribution.
14 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
15 *     its contributors may be used to endorse or promote products derived
16 *     from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32__FBSDID("$FreeBSD: stable/11/sys/security/audit/audit_bsm_klib.c 331722 2018-03-29 02:50:57Z eadler $");
33
34#include <sys/param.h>
35#include <sys/capsicum.h>
36#include <sys/fcntl.h>
37#include <sys/filedesc.h>
38#include <sys/libkern.h>
39#include <sys/malloc.h>
40#include <sys/mount.h>
41#include <sys/proc.h>
42#include <sys/rwlock.h>
43#include <sys/sem.h>
44#include <sys/sbuf.h>
45#include <sys/syscall.h>
46#include <sys/sysctl.h>
47#include <sys/sysent.h>
48#include <sys/vnode.h>
49
50#include <bsm/audit.h>
51#include <bsm/audit_kevents.h>
52#include <security/audit/audit.h>
53#include <security/audit/audit_private.h>
54
55/*
56 * Hash table functions for the audit event number to event class mask
57 * mapping.
58 */
59#define	EVCLASSMAP_HASH_TABLE_SIZE	251
60struct evclass_elem {
61	au_event_t event;
62	au_class_t class;
63	LIST_ENTRY(evclass_elem) entry;
64};
65struct evclass_list {
66	LIST_HEAD(, evclass_elem) head;
67};
68
69static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
70static struct rwlock		evclass_lock;
71static struct evclass_list	evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
72
73#define	EVCLASS_LOCK_INIT()	rw_init(&evclass_lock, "evclass_lock")
74#define	EVCLASS_RLOCK()		rw_rlock(&evclass_lock)
75#define	EVCLASS_RUNLOCK()	rw_runlock(&evclass_lock)
76#define	EVCLASS_WLOCK()		rw_wlock(&evclass_lock)
77#define	EVCLASS_WUNLOCK()	rw_wunlock(&evclass_lock)
78
79struct aue_open_event {
80	int		aoe_flags;
81	au_event_t	aoe_event;
82};
83
84static const struct aue_open_event aue_open[] = {
85	{ O_RDONLY,					AUE_OPEN_R },
86	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
87	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
88	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
89	{ O_RDWR,					AUE_OPEN_RW },
90	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
91	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
92	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
93	{ O_WRONLY,					AUE_OPEN_W },
94	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
95	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
96	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
97};
98
99static const struct aue_open_event aue_openat[] = {
100	{ O_RDONLY,					AUE_OPENAT_R },
101	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
102	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
103	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
104	{ O_RDWR,					AUE_OPENAT_RW },
105	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
106	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
107	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
108	{ O_WRONLY,					AUE_OPENAT_W },
109	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
110	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
111	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
112};
113
114/*
115 * Look up the class for an audit event in the class mapping table.
116 */
117au_class_t
118au_event_class(au_event_t event)
119{
120	struct evclass_list *evcl;
121	struct evclass_elem *evc;
122	au_class_t class;
123
124	EVCLASS_RLOCK();
125	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
126	class = 0;
127	LIST_FOREACH(evc, &evcl->head, entry) {
128		if (evc->event == event) {
129			class = evc->class;
130			goto out;
131		}
132	}
133out:
134	EVCLASS_RUNLOCK();
135	return (class);
136}
137
138/*
139 * Insert a event to class mapping. If the event already exists in the
140 * mapping, then replace the mapping with the new one.
141 *
142 * XXX There is currently no constraints placed on the number of mappings.
143 * May want to either limit to a number, or in terms of memory usage.
144 */
145void
146au_evclassmap_insert(au_event_t event, au_class_t class)
147{
148	struct evclass_list *evcl;
149	struct evclass_elem *evc, *evc_new;
150
151	/*
152	 * Pessimistically, always allocate storage before acquiring mutex.
153	 * Free if there is already a mapping for this event.
154	 */
155	evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
156
157	EVCLASS_WLOCK();
158	evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
159	LIST_FOREACH(evc, &evcl->head, entry) {
160		if (evc->event == event) {
161			evc->class = class;
162			EVCLASS_WUNLOCK();
163			free(evc_new, M_AUDITEVCLASS);
164			return;
165		}
166	}
167	evc = evc_new;
168	evc->event = event;
169	evc->class = class;
170	LIST_INSERT_HEAD(&evcl->head, evc, entry);
171	EVCLASS_WUNLOCK();
172}
173
174void
175au_evclassmap_init(void)
176{
177	int i;
178
179	EVCLASS_LOCK_INIT();
180	for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
181		LIST_INIT(&evclass_hash[i].head);
182
183	/*
184	 * Set up the initial event to class mapping for system calls.
185	 *
186	 * XXXRW: Really, this should walk all possible audit events, not all
187	 * native ABI system calls, as there may be audit events reachable
188	 * only through non-native system calls.  It also seems a shame to
189	 * frob the mutex this early.
190	 */
191	for (i = 0; i < SYS_MAXSYSCALL; i++) {
192		if (sysent[i].sy_auevent != AUE_NULL)
193			au_evclassmap_insert(sysent[i].sy_auevent, 0);
194	}
195}
196
197/*
198 * Check whether an event is aditable by comparing the mask of classes this
199 * event is part of against the given mask.
200 */
201int
202au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
203{
204	au_class_t effmask = 0;
205
206	if (mask_p == NULL)
207		return (-1);
208
209	/*
210	 * Perform the actual check of the masks against the event.
211	 */
212	if (sorf & AU_PRS_SUCCESS)
213		effmask |= (mask_p->am_success & class);
214
215	if (sorf & AU_PRS_FAILURE)
216		effmask |= (mask_p->am_failure & class);
217
218	if (effmask)
219		return (1);
220	else
221		return (0);
222}
223
224/*
225 * Convert sysctl names and present arguments to events.
226 */
227au_event_t
228audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
229{
230
231	/* can't parse it - so return the worst case */
232	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
233		return (AUE_SYSCTL);
234
235	switch (name[0]) {
236	/* non-admin "lookups" treat them special */
237	case KERN_OSTYPE:
238	case KERN_OSRELEASE:
239	case KERN_OSREV:
240	case KERN_VERSION:
241	case KERN_ARGMAX:
242	case KERN_CLOCKRATE:
243	case KERN_BOOTTIME:
244	case KERN_POSIX1:
245	case KERN_NGROUPS:
246	case KERN_JOB_CONTROL:
247	case KERN_SAVED_IDS:
248	case KERN_OSRELDATE:
249	case KERN_DUMMY:
250		return (AUE_SYSCTL_NONADMIN);
251
252	/* only treat the changeable controls as admin */
253	case KERN_MAXVNODES:
254	case KERN_MAXPROC:
255	case KERN_MAXFILES:
256	case KERN_MAXPROCPERUID:
257	case KERN_MAXFILESPERPROC:
258	case KERN_HOSTID:
259	case KERN_SECURELVL:
260	case KERN_HOSTNAME:
261	case KERN_VNODE:
262	case KERN_PROC:
263	case KERN_FILE:
264	case KERN_PROF:
265	case KERN_NISDOMAINNAME:
266	case KERN_UPDATEINTERVAL:
267	case KERN_NTP_PLL:
268	case KERN_BOOTFILE:
269	case KERN_DUMPDEV:
270	case KERN_IPC:
271	case KERN_PS_STRINGS:
272	case KERN_USRSTACK:
273	case KERN_LOGSIGEXIT:
274	case KERN_IOV_MAX:
275		return ((valid_arg & ARG_VALUE) ?
276		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
277
278	default:
279		return (AUE_SYSCTL);
280	}
281	/* NOTREACHED */
282}
283
284/*
285 * Convert an open flags specifier into a specific type of open event for
286 * auditing purposes.
287 */
288au_event_t
289audit_flags_and_error_to_openevent(int oflags, int error)
290{
291	int i;
292
293	/*
294	 * Need to check only those flags we care about.
295	 */
296	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
297	for (i = 0; i < nitems(aue_open); i++) {
298		if (aue_open[i].aoe_flags == oflags)
299			return (aue_open[i].aoe_event);
300	}
301	return (AUE_OPEN);
302}
303
304au_event_t
305audit_flags_and_error_to_openatevent(int oflags, int error)
306{
307	int i;
308
309	/*
310	 * Need to check only those flags we care about.
311	 */
312	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
313	for (i = 0; i < nitems(aue_openat); i++) {
314		if (aue_openat[i].aoe_flags == oflags)
315			return (aue_openat[i].aoe_event);
316	}
317	return (AUE_OPENAT);
318}
319
320/*
321 * Convert a MSGCTL command to a specific event.
322 */
323au_event_t
324audit_msgctl_to_event(int cmd)
325{
326
327	switch (cmd) {
328	case IPC_RMID:
329		return (AUE_MSGCTL_RMID);
330
331	case IPC_SET:
332		return (AUE_MSGCTL_SET);
333
334	case IPC_STAT:
335		return (AUE_MSGCTL_STAT);
336
337	default:
338		/* We will audit a bad command. */
339		return (AUE_MSGCTL);
340	}
341}
342
343/*
344 * Convert a SEMCTL command to a specific event.
345 */
346au_event_t
347audit_semctl_to_event(int cmd)
348{
349
350	switch (cmd) {
351	case GETALL:
352		return (AUE_SEMCTL_GETALL);
353
354	case GETNCNT:
355		return (AUE_SEMCTL_GETNCNT);
356
357	case GETPID:
358		return (AUE_SEMCTL_GETPID);
359
360	case GETVAL:
361		return (AUE_SEMCTL_GETVAL);
362
363	case GETZCNT:
364		return (AUE_SEMCTL_GETZCNT);
365
366	case IPC_RMID:
367		return (AUE_SEMCTL_RMID);
368
369	case IPC_SET:
370		return (AUE_SEMCTL_SET);
371
372	case SETALL:
373		return (AUE_SEMCTL_SETALL);
374
375	case SETVAL:
376		return (AUE_SEMCTL_SETVAL);
377
378	case IPC_STAT:
379		return (AUE_SEMCTL_STAT);
380
381	default:
382		/* We will audit a bad command. */
383		return (AUE_SEMCTL);
384	}
385}
386
387/*
388 * Convert a command for the auditon() system call to a audit event.
389 */
390au_event_t
391auditon_command_event(int cmd)
392{
393
394	switch(cmd) {
395	case A_GETPOLICY:
396		return (AUE_AUDITON_GPOLICY);
397
398	case A_SETPOLICY:
399		return (AUE_AUDITON_SPOLICY);
400
401	case A_GETKMASK:
402		return (AUE_AUDITON_GETKMASK);
403
404	case A_SETKMASK:
405		return (AUE_AUDITON_SETKMASK);
406
407	case A_GETQCTRL:
408		return (AUE_AUDITON_GQCTRL);
409
410	case A_SETQCTRL:
411		return (AUE_AUDITON_SQCTRL);
412
413	case A_GETCWD:
414		return (AUE_AUDITON_GETCWD);
415
416	case A_GETCAR:
417		return (AUE_AUDITON_GETCAR);
418
419	case A_GETSTAT:
420		return (AUE_AUDITON_GETSTAT);
421
422	case A_SETSTAT:
423		return (AUE_AUDITON_SETSTAT);
424
425	case A_SETUMASK:
426		return (AUE_AUDITON_SETUMASK);
427
428	case A_SETSMASK:
429		return (AUE_AUDITON_SETSMASK);
430
431	case A_GETCOND:
432		return (AUE_AUDITON_GETCOND);
433
434	case A_SETCOND:
435		return (AUE_AUDITON_SETCOND);
436
437	case A_GETCLASS:
438		return (AUE_AUDITON_GETCLASS);
439
440	case A_SETCLASS:
441		return (AUE_AUDITON_SETCLASS);
442
443	case A_GETPINFO:
444	case A_SETPMASK:
445	case A_SETFSIZE:
446	case A_GETFSIZE:
447	case A_GETPINFO_ADDR:
448	case A_GETKAUDIT:
449	case A_SETKAUDIT:
450	default:
451		return (AUE_AUDITON);	/* No special record */
452	}
453}
454
455/*
456 * Create a canonical path from given path by prefixing either the root
457 * directory, or the current working directory.  If the process working
458 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
459 * but this results in a volfs name written to the audit log. So we will
460 * leave the filename starting with '/' in the audit log in this case.
461 */
462void
463audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
464{
465	struct vnode *cvnp, *rvnp;
466	char *rbuf, *fbuf, *copy;
467	struct filedesc *fdp;
468	struct sbuf sbf;
469	cap_rights_t rights;
470	int error, needslash;
471
472	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
473	    __func__,  __FILE__, __LINE__);
474
475	copy = path;
476	rvnp = cvnp = NULL;
477	fdp = td->td_proc->p_fd;
478	FILEDESC_SLOCK(fdp);
479	/*
480	 * Make sure that we handle the chroot(2) case.  If there is an
481	 * alternate root directory, prepend it to the audited pathname.
482	 */
483	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
484		rvnp = fdp->fd_rdir;
485		vhold(rvnp);
486	}
487	/*
488	 * If the supplied path is relative, make sure we capture the current
489	 * working directory so we can prepend it to the supplied relative
490	 * path.
491	 */
492	if (*path != '/') {
493		if (dirfd == AT_FDCWD) {
494			cvnp = fdp->fd_cdir;
495			vhold(cvnp);
496		} else {
497			/* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
498			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
499			if (error) {
500				FILEDESC_SUNLOCK(fdp);
501				cpath[0] = '\0';
502				if (rvnp != NULL)
503					vdrop(rvnp);
504				return;
505			}
506			vhold(cvnp);
507			vrele(cvnp);
508		}
509		needslash = (fdp->fd_rdir != cvnp);
510	} else {
511		needslash = 1;
512	}
513	FILEDESC_SUNLOCK(fdp);
514	/*
515	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
516	 * long.  If this is not the case, then we can run into serious trouble.
517	 */
518	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
519	/*
520	 * Strip leading forward slashes.
521	 */
522	while (*copy == '/')
523		copy++;
524	/*
525	 * Make sure we handle chroot(2) and prepend the global path to these
526	 * environments.
527	 *
528	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
529	 * on Darwin.  As a result, this may need some additional attention
530	 * in the future.
531	 */
532	if (rvnp != NULL) {
533		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
534		vdrop(rvnp);
535		if (error) {
536			cpath[0] = '\0';
537			if (cvnp != NULL)
538				vdrop(cvnp);
539			return;
540		}
541		(void) sbuf_cat(&sbf, rbuf);
542		free(fbuf, M_TEMP);
543	}
544	if (cvnp != NULL) {
545		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
546		vdrop(cvnp);
547		if (error) {
548			cpath[0] = '\0';
549			return;
550		}
551		(void) sbuf_cat(&sbf, rbuf);
552		free(fbuf, M_TEMP);
553	}
554	if (needslash)
555		(void) sbuf_putc(&sbf, '/');
556	/*
557	 * Now that we have processed any alternate root and relative path
558	 * names, add the supplied pathname.
559	 */
560        (void) sbuf_cat(&sbf, copy);
561	/*
562	 * One or more of the previous sbuf operations could have resulted in
563	 * the supplied buffer being overflowed.  Check to see if this is the
564	 * case.
565	 */
566	if (sbuf_error(&sbf) != 0) {
567		cpath[0] = '\0';
568		return;
569	}
570	sbuf_finish(&sbf);
571}
572