1/*- 2 * Copyright (c) 1999-2008 Apple Inc. 3 * All rights reserved. 4 * 5 * @APPLE_BSD_LICENSE_HEADER_START@ 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 16 * its contributors may be used to endorse or promote products derived 17 * from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 23 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 28 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * @APPLE_BSD_LICENSE_HEADER_END@ 32 */ 33/* 34 * NOTICE: This file was modified by McAfee Research in 2004 to introduce 35 * support for mandatory and extensible security protections. This notice 36 * is included in support of clause 2.2 (b) of the Apple Public License, 37 * Version 2.0. 38 */ 39 40#include <sys/kernel.h> 41#include <sys/proc.h> 42#include <sys/kauth.h> 43#include <sys/queue.h> 44#include <sys/systm.h> 45 46#include <bsm/audit.h> 47#include <bsm/audit_internal.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <mach/host_priv.h> 54#include <mach/host_special_ports.h> 55#include <mach/audit_triggers_server.h> 56 57#include <kern/host.h> 58#include <kern/kalloc.h> 59#include <kern/zalloc.h> 60#include <kern/lock.h> 61#include <kern/wait_queue.h> 62#include <kern/sched_prim.h> 63 64#if CONFIG_AUDIT 65 66#if CONFIG_MACF 67#include <bsm/audit_record.h> 68#include <security/mac.h> 69#include <security/mac_framework.h> 70#include <security/mac_policy.h> 71#define MAC_ARG_PREFIX "arg: " 72#define MAC_ARG_PREFIX_LEN 5 73 74zone_t audit_mac_label_zone; 75extern zone_t mac_audit_data_zone; 76 77void 78audit_mac_init(void) 79{ 80 /* Assume 3 MAC labels for each audit record: two for vnodes, 81 * one for creds. 82 */ 83 audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN, 84 AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone"); 85} 86 87int 88audit_mac_new(proc_t p, struct kaudit_record *ar) 89{ 90 struct mac mac; 91 92 /* 93 * Retrieve the MAC labels for the process. 94 */ 95 ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone); 96 if (ar->k_ar.ar_cred_mac_labels == NULL) 97 return (1); 98 mac.m_buflen = MAC_AUDIT_LABEL_LEN; 99 mac.m_string = ar->k_ar.ar_cred_mac_labels; 100 mac_cred_label_externalize_audit(p, &mac); 101 102 /* 103 * grab space for the reconds. 104 */ 105 ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *) 106 kalloc(sizeof(*ar->k_ar.ar_mac_records)); 107 if (ar->k_ar.ar_mac_records == NULL) { 108 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels); 109 return (1); 110 } 111 LIST_INIT(ar->k_ar.ar_mac_records); 112 ar->k_ar.ar_forced_by_mac = 0; 113 114 return (0); 115} 116 117void 118audit_mac_free(struct kaudit_record *ar) 119{ 120 struct mac_audit_record *head, *next; 121 122 if (ar->k_ar.ar_vnode1_mac_labels != NULL) 123 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels); 124 if (ar->k_ar.ar_vnode2_mac_labels != NULL) 125 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels); 126 if (ar->k_ar.ar_cred_mac_labels != NULL) 127 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels); 128 if (ar->k_ar.ar_arg_mac_string != NULL) 129 kfree(ar->k_ar.ar_arg_mac_string, 130 MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN); 131 132 /* 133 * Free the audit data from the MAC policies. 134 */ 135 head = LIST_FIRST(ar->k_ar.ar_mac_records); 136 while (head != NULL) { 137 next = LIST_NEXT(head, records); 138 zfree(mac_audit_data_zone, head->data); 139 kfree(head, sizeof(*head)); 140 head = next; 141 } 142 kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records)); 143} 144 145int 146audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread, 147 kauth_cred_t my_cred, au_event_t event) 148{ 149 int error; 150 151 error = mac_audit_check_preselect(my_cred, code, 152 (void *)uthread->uu_arg); 153 if (error == MAC_AUDIT_YES) { 154 uthread->uu_ar = audit_new(event, p, uthread); 155 uthread->uu_ar->k_ar.ar_forced_by_mac = 1; 156 au_to_text("Forced by a MAC policy"); 157 return (1); 158 } else if (error == MAC_AUDIT_NO) { 159 return (0); 160 } else if (error == MAC_AUDIT_DEFAULT) { 161 return (1); 162 } 163 164 return (0); 165} 166 167int 168audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error, 169 int retval) 170{ 171 int mac_error; 172 173 if (uthread->uu_ar == NULL) /* syscall wasn't audited */ 174 return (1); 175 176 /* 177 * Note, no other postselect mechanism exists. If 178 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be 179 * suppressed. Other values at this point result in the audit record 180 * being committed. This suppression behavior will probably go away in 181 * the port to 10.3.4. 182 */ 183 mac_error = mac_audit_check_postselect(kauth_cred_get(), code, 184 (void *) uthread->uu_arg, error, retval, 185 uthread->uu_ar->k_ar.ar_forced_by_mac); 186 187 if (mac_error == MAC_AUDIT_YES) 188 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL; 189 else if (mac_error == MAC_AUDIT_NO) { 190 audit_free(uthread->uu_ar); 191 return (1); 192 } 193 return (0); 194} 195 196/* 197 * This function is called by the MAC Framework to add audit data 198 * from a policy to the current audit record. 199 */ 200int 201audit_mac_data(int type, int len, u_char *data) { 202 struct kaudit_record *cur; 203 struct mac_audit_record *record; 204 205 if (audit_enabled == 0) { 206 kfree(data, len); 207 return (ENOTSUP); 208 } 209 210 cur = currecord(); 211 if (cur == NULL) { 212 kfree(data, len); 213 return (ENOTSUP); 214 } 215 216 /* 217 * XXX: Note that we silently drop the audit data if this 218 * allocation fails - this is consistent with the rest of the 219 * audit implementation. 220 */ 221 record = kalloc(sizeof(*record)); 222 if (record == NULL) { 223 kfree(data, len); 224 return (0); 225 } 226 227 record->type = type; 228 record->length = len; 229 record->data = data; 230 LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records); 231 232 return (0); 233} 234 235void 236audit_arg_mac_string(struct kaudit_record *ar, char *string) 237{ 238 239 if (ar->k_ar.ar_arg_mac_string == NULL) 240 ar->k_ar.ar_arg_mac_string = 241 kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN); 242 243 /* 244 * XXX This should be a rare event. If kalloc() returns NULL, 245 * the system is low on kernel virtual memory. To be 246 * consistent with the rest of audit, just return 247 * (may need to panic if required to for audit). 248 */ 249 if (ar->k_ar.ar_arg_mac_string == NULL) 250 if (ar->k_ar.ar_arg_mac_string == NULL) 251 return; 252 253 strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX, 254 MAC_ARG_PREFIX_LEN); 255 strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string, 256 MAC_MAX_LABEL_BUF_LEN); 257 ARG_SET_VALID(ar, ARG_MAC_STRING); 258} 259#endif /* MAC */ 260 261#endif /* CONFIG_AUDIT */ 262