1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
6 * All rights reserved.
7 *
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1.  Redistributions of source code must retain the above copyright
17 *     notice, this list of conditions and the following disclaimer.
18 * 2.  Redistributions in binary form must reproduce the above copyright
19 *     notice, this list of conditions and the following disclaimer in the
20 *     documentation and/or other materials provided with the distribution.
21 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
22 *     its contributors may be used to endorse or promote products derived
23 *     from this software without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 */
37
38#include <sys/cdefs.h>
39__FBSDID("$FreeBSD$");
40
41#include <sys/param.h>
42#include <sys/capsicum.h>
43#include <sys/fcntl.h>
44#include <sys/filedesc.h>
45#include <sys/libkern.h>
46#include <sys/malloc.h>
47#include <sys/mount.h>
48#include <sys/proc.h>
49#include <sys/rwlock.h>
50#include <sys/sem.h>
51#include <sys/sbuf.h>
52#include <sys/sx.h>
53#include <sys/syscall.h>
54#include <sys/sysctl.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57
58#include <bsm/audit.h>
59#include <bsm/audit_kevents.h>
60#include <security/audit/audit.h>
61#include <security/audit/audit_private.h>
62
63struct aue_open_event {
64	int		aoe_flags;
65	au_event_t	aoe_event;
66};
67
68static const struct aue_open_event aue_open[] = {
69	{ O_RDONLY,					AUE_OPEN_R },
70	{ (O_RDONLY | O_CREAT),				AUE_OPEN_RC },
71	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPEN_RTC },
72	{ (O_RDONLY | O_TRUNC),				AUE_OPEN_RT },
73	{ O_RDWR,					AUE_OPEN_RW },
74	{ (O_RDWR | O_CREAT),				AUE_OPEN_RWC },
75	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPEN_RWTC },
76	{ (O_RDWR | O_TRUNC),				AUE_OPEN_RWT },
77	{ O_WRONLY,					AUE_OPEN_W },
78	{ (O_WRONLY | O_CREAT),				AUE_OPEN_WC },
79	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPEN_WTC },
80	{ (O_WRONLY | O_TRUNC),				AUE_OPEN_WT },
81};
82
83static const struct aue_open_event aue_openat[] = {
84	{ O_RDONLY,					AUE_OPENAT_R },
85	{ (O_RDONLY | O_CREAT),				AUE_OPENAT_RC },
86	{ (O_RDONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_RTC },
87	{ (O_RDONLY | O_TRUNC),				AUE_OPENAT_RT },
88	{ O_RDWR,					AUE_OPENAT_RW },
89	{ (O_RDWR | O_CREAT),				AUE_OPENAT_RWC },
90	{ (O_RDWR | O_CREAT | O_TRUNC),			AUE_OPENAT_RWTC },
91	{ (O_RDWR | O_TRUNC),				AUE_OPENAT_RWT },
92	{ O_WRONLY,					AUE_OPENAT_W },
93	{ (O_WRONLY | O_CREAT),				AUE_OPENAT_WC },
94	{ (O_WRONLY | O_CREAT | O_TRUNC),		AUE_OPENAT_WTC },
95	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
96};
97
98static const int aue_msgsys[] = {
99	/* 0 */ AUE_MSGCTL,
100	/* 1 */ AUE_MSGGET,
101	/* 2 */ AUE_MSGSND,
102	/* 3 */ AUE_MSGRCV,
103};
104static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
105
106static const int aue_semsys[] = {
107	/* 0 */ AUE_SEMCTL,
108	/* 1 */ AUE_SEMGET,
109	/* 2 */ AUE_SEMOP,
110};
111static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
112
113static const int aue_shmsys[] = {
114	/* 0 */ AUE_SHMAT,
115	/* 1 */ AUE_SHMDT,
116	/* 2 */ AUE_SHMGET,
117	/* 3 */ AUE_SHMCTL,
118};
119static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
120
121/*
122 * Check whether an event is auditable by comparing the mask of classes this
123 * event is part of against the given mask.
124 */
125int
126au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
127{
128	au_class_t effmask = 0;
129
130	if (mask_p == NULL)
131		return (-1);
132
133	/*
134	 * Perform the actual check of the masks against the event.
135	 */
136	if (sorf & AU_PRS_SUCCESS)
137		effmask |= (mask_p->am_success & class);
138
139	if (sorf & AU_PRS_FAILURE)
140		effmask |= (mask_p->am_failure & class);
141
142	if (effmask)
143		return (1);
144	else
145		return (0);
146}
147
148/*
149 * Convert sysctl names and present arguments to events.
150 */
151au_event_t
152audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
153{
154
155	/* can't parse it - so return the worst case */
156	if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
157		return (AUE_SYSCTL);
158
159	switch (name[0]) {
160	/* non-admin "lookups" treat them special */
161	case KERN_OSTYPE:
162	case KERN_OSRELEASE:
163	case KERN_OSREV:
164	case KERN_VERSION:
165	case KERN_ARGMAX:
166	case KERN_CLOCKRATE:
167	case KERN_BOOTTIME:
168	case KERN_POSIX1:
169	case KERN_NGROUPS:
170	case KERN_JOB_CONTROL:
171	case KERN_SAVED_IDS:
172	case KERN_OSRELDATE:
173	case KERN_DUMMY:
174		return (AUE_SYSCTL_NONADMIN);
175
176	/* only treat the changeable controls as admin */
177	case KERN_MAXVNODES:
178	case KERN_MAXPROC:
179	case KERN_MAXFILES:
180	case KERN_MAXPROCPERUID:
181	case KERN_MAXFILESPERPROC:
182	case KERN_HOSTID:
183	case KERN_SECURELVL:
184	case KERN_HOSTNAME:
185	case KERN_VNODE:
186	case KERN_PROC:
187	case KERN_FILE:
188	case KERN_PROF:
189	case KERN_NISDOMAINNAME:
190	case KERN_UPDATEINTERVAL:
191	case KERN_NTP_PLL:
192	case KERN_BOOTFILE:
193	case KERN_DUMPDEV:
194	case KERN_IPC:
195	case KERN_PS_STRINGS:
196	case KERN_USRSTACK:
197	case KERN_LOGSIGEXIT:
198	case KERN_IOV_MAX:
199		return ((valid_arg & ARG_VALUE) ?
200		    AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
201
202	default:
203		return (AUE_SYSCTL);
204	}
205	/* NOTREACHED */
206}
207
208/*
209 * Convert an open flags specifier into a specific type of open event for
210 * auditing purposes.
211 */
212au_event_t
213audit_flags_and_error_to_openevent(int oflags, int error)
214{
215	int i;
216
217	/*
218	 * Need to check only those flags we care about.
219	 */
220	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
221	for (i = 0; i < nitems(aue_open); i++) {
222		if (aue_open[i].aoe_flags == oflags)
223			return (aue_open[i].aoe_event);
224	}
225	return (AUE_OPEN);
226}
227
228au_event_t
229audit_flags_and_error_to_openatevent(int oflags, int error)
230{
231	int i;
232
233	/*
234	 * Need to check only those flags we care about.
235	 */
236	oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
237	for (i = 0; i < nitems(aue_openat); i++) {
238		if (aue_openat[i].aoe_flags == oflags)
239			return (aue_openat[i].aoe_event);
240	}
241	return (AUE_OPENAT);
242}
243
244/*
245 * Convert a MSGCTL command to a specific event.
246 */
247au_event_t
248audit_msgctl_to_event(int cmd)
249{
250
251	switch (cmd) {
252	case IPC_RMID:
253		return (AUE_MSGCTL_RMID);
254
255	case IPC_SET:
256		return (AUE_MSGCTL_SET);
257
258	case IPC_STAT:
259		return (AUE_MSGCTL_STAT);
260
261	default:
262		/* We will audit a bad command. */
263		return (AUE_MSGCTL);
264	}
265}
266
267/*
268 * Convert a SEMCTL command to a specific event.
269 */
270au_event_t
271audit_semctl_to_event(int cmd)
272{
273
274	switch (cmd) {
275	case GETALL:
276		return (AUE_SEMCTL_GETALL);
277
278	case GETNCNT:
279		return (AUE_SEMCTL_GETNCNT);
280
281	case GETPID:
282		return (AUE_SEMCTL_GETPID);
283
284	case GETVAL:
285		return (AUE_SEMCTL_GETVAL);
286
287	case GETZCNT:
288		return (AUE_SEMCTL_GETZCNT);
289
290	case IPC_RMID:
291		return (AUE_SEMCTL_RMID);
292
293	case IPC_SET:
294		return (AUE_SEMCTL_SET);
295
296	case SETALL:
297		return (AUE_SEMCTL_SETALL);
298
299	case SETVAL:
300		return (AUE_SEMCTL_SETVAL);
301
302	case IPC_STAT:
303		return (AUE_SEMCTL_STAT);
304
305	default:
306		/* We will audit a bad command. */
307		return (AUE_SEMCTL);
308	}
309}
310
311/*
312 * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
313 * audit events, if possible.
314 */
315au_event_t
316audit_msgsys_to_event(int which)
317{
318
319	if ((which >= 0) && (which < aue_msgsys_count))
320		return (aue_msgsys[which]);
321
322	/* Audit a bad command. */
323	return (AUE_MSGSYS);
324}
325
326au_event_t
327audit_semsys_to_event(int which)
328{
329
330	if ((which >= 0) && (which < aue_semsys_count))
331		return (aue_semsys[which]);
332
333	/* Audit a bad command. */
334	return (AUE_SEMSYS);
335}
336
337au_event_t
338audit_shmsys_to_event(int which)
339{
340
341	if ((which >= 0) && (which < aue_shmsys_count))
342		return (aue_shmsys[which]);
343
344	/* Audit a bad command. */
345	return (AUE_SHMSYS);
346}
347
348/*
349 * Convert a command for the auditon() system call to a audit event.
350 */
351au_event_t
352auditon_command_event(int cmd)
353{
354
355	switch(cmd) {
356	case A_GETPOLICY:
357		return (AUE_AUDITON_GPOLICY);
358
359	case A_SETPOLICY:
360		return (AUE_AUDITON_SPOLICY);
361
362	case A_GETKMASK:
363		return (AUE_AUDITON_GETKMASK);
364
365	case A_SETKMASK:
366		return (AUE_AUDITON_SETKMASK);
367
368	case A_GETQCTRL:
369		return (AUE_AUDITON_GQCTRL);
370
371	case A_SETQCTRL:
372		return (AUE_AUDITON_SQCTRL);
373
374	case A_GETCWD:
375		return (AUE_AUDITON_GETCWD);
376
377	case A_GETCAR:
378		return (AUE_AUDITON_GETCAR);
379
380	case A_GETSTAT:
381		return (AUE_AUDITON_GETSTAT);
382
383	case A_SETSTAT:
384		return (AUE_AUDITON_SETSTAT);
385
386	case A_SETUMASK:
387		return (AUE_AUDITON_SETUMASK);
388
389	case A_SETSMASK:
390		return (AUE_AUDITON_SETSMASK);
391
392	case A_GETCOND:
393		return (AUE_AUDITON_GETCOND);
394
395	case A_SETCOND:
396		return (AUE_AUDITON_SETCOND);
397
398	case A_GETCLASS:
399		return (AUE_AUDITON_GETCLASS);
400
401	case A_SETCLASS:
402		return (AUE_AUDITON_SETCLASS);
403
404	case A_GETPINFO:
405	case A_SETPMASK:
406	case A_SETFSIZE:
407	case A_GETFSIZE:
408	case A_GETPINFO_ADDR:
409	case A_GETKAUDIT:
410	case A_SETKAUDIT:
411	default:
412		return (AUE_AUDITON);	/* No special record */
413	}
414}
415
416/*
417 * Create a canonical path from given path by prefixing either the root
418 * directory, or the current working directory.  If the process working
419 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
420 * but this results in a volfs name written to the audit log. So we will
421 * leave the filename starting with '/' in the audit log in this case.
422 */
423void
424audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
425{
426	struct vnode *cvnp, *rvnp;
427	char *rbuf, *fbuf, *copy;
428	struct filedesc *fdp;
429	struct sbuf sbf;
430	cap_rights_t rights;
431	int error, needslash;
432
433	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
434	    __func__,  __FILE__, __LINE__);
435
436	copy = path;
437	rvnp = cvnp = NULL;
438	fdp = td->td_proc->p_fd;
439	FILEDESC_SLOCK(fdp);
440	/*
441	 * Make sure that we handle the chroot(2) case.  If there is an
442	 * alternate root directory, prepend it to the audited pathname.
443	 */
444	if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
445		rvnp = fdp->fd_rdir;
446		vhold(rvnp);
447	}
448	/*
449	 * If the supplied path is relative, make sure we capture the current
450	 * working directory so we can prepend it to the supplied relative
451	 * path.
452	 */
453	if (*path != '/') {
454		if (dirfd == AT_FDCWD) {
455			cvnp = fdp->fd_cdir;
456			vhold(cvnp);
457		} else {
458			/* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
459			error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
460			if (error) {
461				FILEDESC_SUNLOCK(fdp);
462				cpath[0] = '\0';
463				if (rvnp != NULL)
464					vdrop(rvnp);
465				return;
466			}
467			vhold(cvnp);
468			vrele(cvnp);
469		}
470		needslash = (fdp->fd_rdir != cvnp);
471	} else {
472		needslash = 1;
473	}
474	FILEDESC_SUNLOCK(fdp);
475	/*
476	 * NB: We require that the supplied array be at least MAXPATHLEN bytes
477	 * long.  If this is not the case, then we can run into serious trouble.
478	 */
479	(void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
480	/*
481	 * Strip leading forward slashes.
482	 */
483	while (*copy == '/')
484		copy++;
485	/*
486	 * Make sure we handle chroot(2) and prepend the global path to these
487	 * environments.
488	 *
489	 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
490	 * on Darwin.  As a result, this may need some additional attention
491	 * in the future.
492	 */
493	if (rvnp != NULL) {
494		error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
495		vdrop(rvnp);
496		if (error) {
497			cpath[0] = '\0';
498			if (cvnp != NULL)
499				vdrop(cvnp);
500			return;
501		}
502		(void) sbuf_cat(&sbf, rbuf);
503		free(fbuf, M_TEMP);
504	}
505	if (cvnp != NULL) {
506		error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
507		vdrop(cvnp);
508		if (error) {
509			cpath[0] = '\0';
510			return;
511		}
512		(void) sbuf_cat(&sbf, rbuf);
513		free(fbuf, M_TEMP);
514	}
515	if (needslash)
516		(void) sbuf_putc(&sbf, '/');
517	/*
518	 * Now that we have processed any alternate root and relative path
519	 * names, add the supplied pathname.
520	 */
521        (void) sbuf_cat(&sbf, copy);
522	/*
523	 * One or more of the previous sbuf operations could have resulted in
524	 * the supplied buffer being overflowed.  Check to see if this is the
525	 * case.
526	 */
527	if (sbuf_error(&sbf) != 0) {
528		cpath[0] = '\0';
529		return;
530	}
531	sbuf_finish(&sbf);
532}
533