audit_kernel.h revision 12273:63678502e95e
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25#ifndef _BSM_AUDIT_KERNEL_H
26#define	_BSM_AUDIT_KERNEL_H
27
28
29/*
30 * This file contains the basic auditing control structure definitions.
31 */
32
33#include <c2/audit_kevents.h>
34#include <sys/priv_impl.h>
35#include <sys/taskq.h>
36#include <sys/zone.h>
37
38#include <sys/tsol/label.h>
39
40#ifdef __cplusplus
41extern "C" {
42#endif
43
44/*
45 * This table contains the mapping from the system call ID to a corresponding
46 * audit event.
47 *
48 *   au_init() is a function called at the beginning of the system call that
49 *   performs any necessary setup/processing. It maps the call into the
50 *   appropriate event, depending on the system call arguments. It is called
51 *   by audit_start() from trap.c .
52 *
53 *   au_event is the audit event associated with the system call. Most of the
54 *   time it will map directly from the system call i.e. There is one system
55 *   call associated with the event. In some cases, such as shmsys, or open,
56 *   the au_start() function will map the system call to more than one event,
57 *   depending on the system call arguments.
58 *
59 *   au_start() is a function that provides per system call processing at the
 *   beginning of a system call. It is mainly concerned with preserving the
61 *   audit record components that may be altered so that we can determine
 *   what the original parameter was before as well as after the system call.
63 *   It is possible that au_start() may be taken away. It might be cleaner to
64 *   define flags in au_ctrl to save a designated argument. For the moment we
65 *   support both mechanisms, however the use of au_start() will be reviewed
66 *   for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
67 *
68 *   au_finish() is a function that provides per system call processing at the
69 *   completion of a system call. In certain circumstances, the type of audit
 *   event depends on intermediate results during the processing of the system
71 *   call. It is called in audit_finish() from trap.c .
72 *
73 *   au_ctrl is a control vector that indicates what processing might have to
74 *   be performed, even if there is no auditing for this system call. At
75 *   present this is mostly for path processing for chmod, chroot. We need to
76 *   process the path information in vfs_lookup, even when we are not auditing
77 *   the system call in the case of chdir and chroot.
78 */
79/*
80 * Defines for au_ctrl
81 */
/*
 * S2E_* are the au_ctrl bits of struct audit_s2e.  Each one is an alias
 * for the tad_ctrl PAD_* flag of the same meaning (defined further down),
 * so the same bit values are used in both control vectors.
 */
#define	S2E_SP  PAD_SAVPATH	/* save path for later use */
#define	S2E_MLD PAD_MLD		/* only one lookup per system call */
#define	S2E_NPT PAD_NOPATH	/* force no path in audit record */
#define	S2E_PUB PAD_PUBLIC_EV	/* syscall is defined as a public op */
#define	S2E_ATC	PAD_ATCALL	/* syscall is one of the *at() family */
87
88/*
 * At present, we are using the audit classes embedded within the kernel. Each
 * event has a bit mask determining which classes the event is associated with.
91 * The table audit_e2s maps the audit event ID to the audit state.
92 *
93 * Note that this may change radically. If we use a bit vector for the audit
94 * class, we can allow granularity at the event ID for each user. In this
95 * case, the vector would be determined at user level and passed to the kernel
96 * via the setaudit system call.
97 */
98
99/*
100 * The audit_pad structure holds paths for the current root and directory
101 * for the process, as well as for open files and directly manipulated objects.
102 * The reference count minimizes data copies since the process's current
103 * directory changes very seldom.
104 */
/*
 * Reference-counted, variable-length path record; manipulated through
 * au_pathhold(), au_pathrele() and au_pathdup() declared below.
 */
struct audit_path {
	uint_t		audp_ref;	/* reference count */
	uint_t		audp_size;	/* allocated size of this structure */
	uint_t		audp_cnt;	/* number of path sections */
	char		*audp_sect[1];	/* path section pointers */
					/* audp_sect[0] is the path name */
					/* audp_sect[1+] are attribute paths */
					/* pre-C99 trailing-array idiom: the */
					/* object is allocated larger than */
					/* sizeof (struct audit_path), so any */
					/* index must be bounded by audp_cnt, */
					/* which in turn must agree with */
					/* audp_size -- check both when */
					/* filling in a new path */
};
113
114/*
115 * The structure of the terminal ID within the kernel is different from the
116 * terminal ID in user space. It is a combination of port and IP address.
117 */
118
/*
 * Kernel-internal terminal ID: a device port plus an address whose
 * family is given by at_type.  at_addr is 4 x 32 bits, i.e. wide enough
 * for a 128-bit address; how shorter addresses are placed in it is not
 * visible here -- confirm against the user-space terminal ID layout.
 */
struct au_termid {
	dev_t	at_port;	/* terminal device */
	uint_t	at_type;	/* address type/family */
	uint_t	at_addr[4];	/* address, up to 128 bits */
};
typedef struct au_termid au_termid_t;
125
126/*
127 * Attributes for deferring the queuing of an event.
128 */
/*
 * Attributes for deferring the queuing of an event.  Entries are linked
 * through audi_next and hang off a thread's tad_defer_head/tad_defer_tail
 * until the end of the system call.
 */
typedef struct au_defer_info {
	struct au_defer_info	*audi_next;	/* next on linked list */
	void	 *audi_ad;		/* audit record */
	au_event_t	audi_e_type;	/* audit event id */
	au_emod_t	audi_e_mod;	/* audit event modifier */
	int	audi_flag;		/* au_close*() flags */
	timestruc_t	audi_atime;	/* audit event timestamp */
} au_defer_info_t;
137
138/*
139 * The structure p_audit_data hangs off of the process structure. It contains
140 * all of the audit information necessary to manage the audit record generation
141 * for each process.
142 *
143 * The pad_lock is constructed in the kmem_cache; the rest is combined
144 * in a sub structure so it can be copied/zeroed in one statement.
145 *
146 * The members have been reordered for maximum packing on 64 bit Solaris.
147 */
struct p_audit_data {
	kmutex_t	pad_lock;	/* lock pad data during changes */
	struct _pad_data {		/* copied/zeroed as one unit */
		struct audit_path	*pad_root;	/* process root path */
		struct audit_path	*pad_cwd;	/* process cwd path */
		au_mask_t		pad_newmask;	/* pending new mask */
		int			pad_flags;	/* PAD_SETMASK etc. */
	} pad_data;
};
typedef struct p_audit_data p_audit_data_t;
158
/*
 * Accessors so that p->pad_root etc. resolve through the pad_data
 * sub-structure.  These are object-like macros: from here on any
 * identifier spelled pad_root, pad_cwd, pad_newmask or pad_flags is
 * rewritten, so avoid reusing those names for locals or other members.
 */
#define	pad_root	pad_data.pad_root
#define	pad_cwd		pad_data.pad_cwd
#define	pad_newmask	pad_data.pad_newmask
#define	pad_flags	pad_data.pad_flags
163
164/*
165 * Defines for pad_flags
166 */
/* pad_flags bit; pairs with pad_newmask (the pending mask) above */
#define	PAD_SETMASK 	0x00000001	/* need to complete pending setmask */
168
169extern kmem_cache_t *au_pad_cache;
170
171/*
172 * Defines for tad_ctrl
173 */
/*
 * Bits of t_audit_data.tad_ctrl.  PAD_SAVPATH, PAD_MLD, PAD_NOPATH,
 * PAD_ATCALL and PAD_PUBLIC_EV are also reachable under the S2E_* names
 * used for audit_s2e.au_ctrl above.
 */
#define	PAD_SAVPATH 	0x00000001	/* save path for further processing */
#define	PAD_MLD		0x00000002	/* system call involves MLD */
#define	PAD_NOPATH  	0x00000004	/* force no paths in audit record */
#define	PAD_ABSPATH 	0x00000008	/* path from lookup is absolute */
#define	PAD_NOATTRB 	0x00000010	/* do not automatically add attribute */
					/* 0x20 unused */
#define	PAD_ATCALL	0x00000040	/* *at() syscall, like openat() */
#define	PAD_LFLOAT  	0x00000080	/* Label float */
#define	PAD_NOAUDIT 	0x00000100	/* discard audit record */
#define	PAD_PATHFND 	0x00000200	/* found path, don't retry lookup */
#define	PAD_SPRIV   	0x00000400	/* succ priv use. extra audit_finish */
#define	PAD_FPRIV   	0x00000800	/* fail priv use. extra audit_finish */
#define	PAD_SMAC    	0x00001000	/* succ mac use. extra audit_finish */
#define	PAD_FMAC    	0x00002000	/* fail mac use. extra audit_finish */
#define	PAD_AUDITME 	0x00004000	/* audit me because of NFS operation */
#define	PAD_ATTPATH  	0x00008000	/* attribute file lookup */
#define	PAD_TRUE_CREATE 0x00010000	/* true create, file not found */
#define	PAD_CORE	0x00020000	/* save attribute during core dump */
#define	PAD_ERRJMP	0x00040000	/* abort record generation on error */
#define	PAD_PUBLIC_EV	0x00080000	/* syscall is defined as a public op */
194
195/*
196 * The structure t_audit_data hangs off of the thread structure. It contains
197 * all of the audit information necessary to manage the audit record generation
198 * for each thread.
199 *
200 */
201
struct t_audit_data {
	kthread_id_t  tad_thread;	/* DEBUG pointer to parent thread */
	unsigned int  tad_scid;		/* system call ID for finish */
	au_event_t	tad_event;	/* event for audit record */
	au_emod_t	tad_evmod;	/* event modifier for audit record */
	int	tad_ctrl;	/* audit control/status flags (PAD_*) */
	void	*tad_errjmp;	/* error longjmp (audit record aborted) */
				/* presumably consulted when PAD_ERRJMP */
				/* is set -- confirm in the implementation */
	int	tad_flag;	/* to audit or not to audit */
	uint32_t tad_audit;	/* auditing enabled/disabled */
	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
	struct vnode *tad_vn;	/* saved inode from vfs_lookup */
	caddr_t tad_ad;		/* base of accumulated audit data */
	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
						/* until syscall end: */
						/* (linked via audi_next) */
	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
	priv_set_t tad_sprivs;	/* saved (success) used privs */
				/* (see PAD_SPRIV) */
	priv_set_t tad_fprivs;	/* saved (failed) used privs */
				/* (see PAD_FPRIV) */
};
typedef struct t_audit_data t_audit_data_t;
222
223/*
224 * The f_audit_data structure hangs off of the file structure. It contains
225 * three fields of data. The audit ID, the audit state, and a path name.
226 */
227
/*
 * Per-file audit data as actually laid out: the creating thread (a debug
 * aid), FAD_* control flags recording which operations have been seen on
 * the file, and the path captured at vfs_lookup.
 */
struct f_audit_data {
	kthread_id_t	fad_thread;	/* DEBUG creating thread */
	int		fad_flags;	/* audit control flags (FAD_*) */
	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
};
typedef struct f_audit_data f_audit_data_t;

/* fad_flags bits */
#define	FAD_READ	0x0001		/* read system call seen */
#define	FAD_WRITE	0x0002		/* write system call seen */
237
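/*
 * Accessors for the per-process, per-thread and per-file audit data.
 * The macro arguments are parenthesized so that an expression such as a
 * conditional, a cast or pointer arithmetic can be passed safely.  U2A()
 * ignores its argument and always yields the current thread's data.
 */
#define	P2A(p)	((p)->p_audit_data)
#define	T2A(t)	((t)->t_audit_data)
#define	U2A(u)	(curthread->t_audit_data)
#define	F2A(f)	((f)->f_audit_data)

/* shorthands for the current thread's record base, control and flag */
#define	u_ad    ((U2A(u))->tad_ad)
#define	ad_ctrl ((U2A(u))->tad_ctrl)
#define	ad_flag ((U2A(u))->tad_flag)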
246
/* buffer size for the buffer pool; also the capacity of au_buff.buf */
#define	AU_BUFSIZE	128

/*
 * One link of the kernel audit buffer chain.  Two chains run through
 * it: next_buf and next_rec.  From the names, next_buf presumably
 * continues the current record and next_rec starts the next one on the
 * queue -- confirm against the queue code.
 */
struct au_buff {
	char		buf[AU_BUFSIZE];	/* record bytes */
	struct au_buff	*next_buf;		/* next buffer (same record?) */
	struct au_buff	*next_rec;		/* next record on queue? */
	ushort_t	rec_len;		/* record length */
	uchar_t		len;			/* bytes used in buf; a byte */
						/* suffices as AU_BUFSIZE is */
						/* 128 < 256 */
	uchar_t		flag;			/* buffer flags (MT_*?) */
};

typedef struct au_buff au_buff_t;
259
260/*
261 * Kernel audit queue structure.
262 */
struct audit_queue {
	au_buff_t *head;	/* head of queue */
	au_buff_t *tail;	/* tail of queue */
	ssize_t	cnt;		/* number elements on queue */
				/* NOTE(review): signed, while the water */
				/* marks below are size_t; a mixed compare */
				/* promotes cnt to unsigned, so cnt must */
				/* never be allowed to go negative */
	size_t	hiwater;	/* high water mark to block */
	size_t	lowater;	/* low water mark to restart */
	size_t	bufsz;		/* audit trail write buffer size */
	size_t	buflen;		/* audit trail buffer length in use */
	clock_t	delay;		/* delay before flushing queue */
	int	wt_block;	/* writer is blocked (1) */
	int	rd_block;	/* reader is blocked (1) */
	kmutex_t lock;		/* mutex lock for queue modification */
	kcondvar_t write_cv;	/* sleep structure for write block */
	kcondvar_t read_cv;	/* sleep structure for read block */
};
278
279
/*
 * One row of the system-call-to-event table audit_s2e[] (indexed by
 * system call ID; the long comment at the top of this file describes
 * the role of each member).
 *
 * NOTE(review): au_event is an int while au_init() returns au_event_t;
 * confirm the two types agree before mixing them in comparisons.
 */
union rval;
struct audit_s2e {
	au_event_t (*au_init)(au_event_t);
				/* convert au_event to real audit event ID */

	int au_event;		/* default audit event for this system call */
	void (*au_start)(struct t_audit_data *);
				/* pre-system call audit processing */
	void (*au_finish)(struct t_audit_data *, int, union rval *);
				/* post-system call audit processing */
				/* (the int and rval arguments are not */
				/* documented here -- see the callers) */
	int au_ctrl;		/* control flags for auditing actions */
				/* (S2E_* bits) */
};
292
293extern struct audit_s2e audit_s2e[];
294
/* au_kcontext.auk_valid markers: a distinctive non-zero pattern vs. zero */
#define	AUK_VALID	0x5A5A5A5A
#define	AUK_INVALID	0
297/*
298 * per zone audit context
299 */
struct au_kcontext {
	uint32_t		auk_valid;	/* AUK_VALID / AUK_INVALID */
	zoneid_t		auk_zid;	/* zone this context belongs to */

	boolean_t		auk_hostaddr_valid;
	int			auk_sequence;
	int			auk_auditstate;
	int			auk_output_active;
	struct vnode		*auk_current_vp;
	uint32_t		auk_policy;	/* policy bits, e.g. AUDIT_GROUP */
						/* tested by AUDIT_SETSUBJ_GENERIC */

	struct audit_queue	auk_queue;	/* this zone's record queue */

	au_dbuf_t		*auk_dbuffer;	/* auditdoor output */

	au_stat_t		auk_statistics;

	struct auditinfo_addr	auk_info;
	kmutex_t		auk_eagain_mutex; /* door call retry */
	kcondvar_t		auk_eagain_cv;

	taskq_t			*auk_taskq;	/* output thread */

	/* Only one audit svc per zone at a time */
	/* With the elimination of auditsvc, can this also go? see 6648414 */
	kmutex_t 		auk_svc_lock;

	/*
	 * Per-event audit state, indexed by event ID.  The array has
	 * MAX_KEVENTS + 1 entries, so an event ID taken from anywhere
	 * outside the kernel's own tables must be checked to be
	 * <= MAX_KEVENTS before it is used as an index.
	 */
	au_state_t		auk_ets[MAX_KEVENTS + 1];
};
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif
333
334extern zone_key_t au_zone_key;
335
336/*
337 * Kernel auditing external variables
338 */
339extern uint32_t audit_policy;
340extern int audit_active;
341
342extern struct audit_queue au_queue;
343extern struct p_audit_data *pad0;
344extern struct t_audit_data *tad0;
345
346/*
347 * audit_path support routines
348 */
void au_pathhold(struct audit_path *);		/* take a reference */
void au_pathrele(struct audit_path *);		/* drop a reference */
/*
 * Copy an audit_path.  The two int arguments are not documented in this
 * header -- check the definition before relying on their meaning.
 */
struct audit_path *au_pathdup(const struct audit_path *, int, int);

void au_pad_init(void);		/* presumably sets up au_pad_cache */

/*
 * Kernel entry points for the audit system calls.  The caddr_t arguments
 * are presumably user-space buffers and the trailing int (where present)
 * their length; both must be validated before any copy -- confirm in the
 * implementations.
 */
int auditctl(int cmd, caddr_t data, int length);
int auditdoor(int fd);
int getauid(caddr_t);
int setauid(caddr_t);
int getaudit(caddr_t);
int getaudit_addr(caddr_t, int);
int setaudit(caddr_t);
int setaudit_addr(caddr_t, int);
363
/*
 * Macros to hide asynchronous, non-blocking audit record start and finish
 * processing.
 *
 * NOTE: must be used in (void) function () { ... }, because the START
 * macro leaves the enclosing function with a bare "return;".
 */
370
#define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
{ \
	/* jump buffer scoped to this block; its address is handed to */ \
	/* audit_async_start(), so if that routine keeps it for a later */ \
	/* longjmp the target has already gone out of scope -- confirm */ \
	label_t jb; \
	if (setjmp(&jb)) { \
		/* cleanup any residual audit data */ \
		audit_async_drop((caddr_t *)&(rp), 0); \
		return; \
	} \
	/* auditing enabled and we're preselected for this event? */ \
	if (audit_async_start(&jb, audit_event, sorf)) { \
		return; \
	} \
}

/*
 * Close and queue the record begun by AUDIT_ASYNC_START.  The expansion
 * already ends in ';', so a ';' at the use site yields an empty statement.
 */
#define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
	event_time);
388
389
390#ifdef	_KERNEL
391au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
392#endif
393
394/*
395 * Macro for uniform "subject" token(s) generation
396 */
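/*
 * Write the "subject" token(s) for credential c into record u: always
 * the subject token itself, plus a label token on a labeled system and
 * a groups token when the zone's audit policy has AUDIT_GROUP set.
 *
 * u  audit record handle passed through to au_write()
 * c  credential queried via crget*()
 * a  auditinfo providing ai_auid, ai_asid and ai_termid
 * k  au_kcontext whose auk_policy is consulted
 * p  process id recorded in the subject token
 *
 * Wrapped in do { } while (0) so that all three statements stay under
 * the same control flow when the macro is the unbraced body of an
 * if/else; callers already terminate the macro with ';'.
 */
#define	AUDIT_SETSUBJ_GENERIC(u, c, a, k, p)		\
	do {						\
		(au_write((u), au_to_subject(crgetuid(c),	\
		    crgetgid(c), crgetruid(c), crgetrgid(c),	\
		    (p), (a)->ai_auid, (a)->ai_asid,		\
		    &((a)->ai_termid))));			\
		((is_system_labeled()) ?  au_write((u),		\
		    au_to_label(CR_SL((c)))) : (void) 0);	\
		(((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\
		    au_to_groups(crgetgroups(c),		\
		    crgetngroups(c))) : (void) 0);		\
	} while (0)

/* subject token(s) for the current process; see AUDIT_SETSUBJ_GENERIC */
#define	AUDIT_SETSUBJ(u, c, a, k)      		\
	AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)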
410
/*
 * Write a "process" token for credential c into record u, carrying the
 * same field set as the subject token (see AUDIT_SETSUBJ_GENERIC).
 *
 * NOTE(review): the expansion ends in ';', so a ';' at the use site
 * leaves an empty statement, and the macro cannot be the unbraced body
 * of an if that is followed by an else.
 */
#define	AUDIT_SETPROC_GENERIC(u, c, a, p)		\
	(au_write((u), au_to_process(crgetuid(c),	\
	    crgetgid(c), crgetruid(c), crgetrgid(c),	\
	    p, (a)->ai_auid, (a)->ai_asid,		\
	    &((a)->ai_termid))));

/* process token for the current process; see AUDIT_SETPROC_GENERIC */
#define	AUDIT_SETPROC(u, c, a)      		\
	AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid)
419
420/*
421 * Macros for type conversion
422 */
423
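/*
 * au_membuf head, to typed data: view x->buf as pointer type t.
 * Both arguments are parenthesized so that pointer arithmetic or a
 * conditional passed as x binds as the caller expects.
 */
#define	memtod(x, t)	((t)(x)->buf)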
426
/*
 * Constants for the audit memory-buffer routines and record builders
 * (au_memget, au_append_rec and the async path).
 */

/* au_membuf types */
#define	MT_FREE		0	/* should be on free list */
#define	MT_DATA		1	/* dynamic (data) allocation */

/* flags to au_memget */
#define	DONTWAIT	0
#define	WAIT		1

#define	AU_PACK	1	/* pack data in au_append_rec() */
#define	AU_LINK 0	/* link data in au_append_rec() */

/* flags to async routines */
#define	AU_BACKEND	1	/* called from softcall backend */
440
441#ifdef __cplusplus
442}
443#endif
444
445#endif /* _BSM_AUDIT_KERNEL_H */
446