1/*- 2 * Copyright (c) 1999-2008 Apple Inc. 3 * All rights reserved. 4 * 5 * @APPLE_BSD_LICENSE_HEADER_START@ 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 16 * its contributors may be used to endorse or promote products derived 17 * from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 23 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 28 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * @APPLE_BSD_LICENSE_HEADER_END@ 32 */ 33/* 34 * NOTICE: This file was modified by McAfee Research in 2004 to introduce 35 * support for mandatory and extensible security protections. This notice 36 * is included in support of clause 2.2 (b) of the Apple Public License, 37 * Version 2.0. 38 */ 39 40#include <sys/kernel.h> 41#include <sys/proc.h> 42#include <sys/kauth.h> 43#include <sys/queue.h> 44#include <sys/systm.h> 45 46#include <bsm/audit.h> 47#include <bsm/audit_internal.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <mach/host_priv.h> 54#include <mach/host_special_ports.h> 55#include <mach/audit_triggers_server.h> 56 57#include <kern/host.h> 58#include <kern/kalloc.h> 59#include <kern/zalloc.h> 60#include <kern/wait_queue.h> 61#include <kern/sched_prim.h> 62 63#if CONFIG_AUDIT 64 65#if CONFIG_MACF 66#include <bsm/audit_record.h> 67#include <security/mac.h> 68#include <security/mac_framework.h> 69#include <security/mac_policy.h> 70#define MAC_ARG_PREFIX "arg: " 71#define MAC_ARG_PREFIX_LEN 5 72 73zone_t audit_mac_label_zone; 74extern zone_t mac_audit_data_zone; 75 76void 77audit_mac_init(void) 78{ 79 /* Assume 3 MAC labels for each audit record: two for vnodes, 80 * one for creds. 81 */ 82 audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN, 83 AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone"); 84} 85 86int 87audit_mac_new(proc_t p, struct kaudit_record *ar) 88{ 89 struct mac mac; 90 91 /* 92 * Retrieve the MAC labels for the process. 93 */ 94 ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone); 95 if (ar->k_ar.ar_cred_mac_labels == NULL) 96 return (1); 97 mac.m_buflen = MAC_AUDIT_LABEL_LEN; 98 mac.m_string = ar->k_ar.ar_cred_mac_labels; 99 mac_cred_label_externalize_audit(p, &mac); 100 101 /* 102 * grab space for the reconds. 103 */ 104 ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *) 105 kalloc(sizeof(*ar->k_ar.ar_mac_records)); 106 if (ar->k_ar.ar_mac_records == NULL) { 107 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels); 108 return (1); 109 } 110 LIST_INIT(ar->k_ar.ar_mac_records); 111 ar->k_ar.ar_forced_by_mac = 0; 112 113 return (0); 114} 115 116void 117audit_mac_free(struct kaudit_record *ar) 118{ 119 struct mac_audit_record *head, *next; 120 121 if (ar->k_ar.ar_vnode1_mac_labels != NULL) 122 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels); 123 if (ar->k_ar.ar_vnode2_mac_labels != NULL) 124 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels); 125 if (ar->k_ar.ar_cred_mac_labels != NULL) 126 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels); 127 if (ar->k_ar.ar_arg_mac_string != NULL) 128 kfree(ar->k_ar.ar_arg_mac_string, 129 MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN); 130 131 /* 132 * Free the audit data from the MAC policies. 133 */ 134 head = LIST_FIRST(ar->k_ar.ar_mac_records); 135 while (head != NULL) { 136 next = LIST_NEXT(head, records); 137 zfree(mac_audit_data_zone, head->data); 138 kfree(head, sizeof(*head)); 139 head = next; 140 } 141 kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records)); 142} 143 144int 145audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread, 146 kauth_cred_t my_cred, au_event_t event) 147{ 148 int error; 149 150 error = mac_audit_check_preselect(my_cred, code, 151 (void *)uthread->uu_arg); 152 if (error == MAC_AUDIT_YES) { 153 uthread->uu_ar = audit_new(event, p, uthread); 154 uthread->uu_ar->k_ar.ar_forced_by_mac = 1; 155 au_to_text("Forced by a MAC policy"); 156 return (1); 157 } else if (error == MAC_AUDIT_NO) { 158 return (0); 159 } else if (error == MAC_AUDIT_DEFAULT) { 160 return (1); 161 } 162 163 return (0); 164} 165 166int 167audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error, 168 int retval) 169{ 170 int mac_error; 171 172 if (uthread->uu_ar == NULL) /* syscall wasn't audited */ 173 return (1); 174 175 /* 176 * Note, no other postselect mechanism exists. If 177 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be 178 * suppressed. Other values at this point result in the audit record 179 * being committed. This suppression behavior will probably go away in 180 * the port to 10.3.4. 181 */ 182 mac_error = mac_audit_check_postselect(kauth_cred_get(), code, 183 (void *) uthread->uu_arg, error, retval, 184 uthread->uu_ar->k_ar.ar_forced_by_mac); 185 186 if (mac_error == MAC_AUDIT_YES) 187 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL; 188 else if (mac_error == MAC_AUDIT_NO) { 189 audit_free(uthread->uu_ar); 190 return (1); 191 } 192 return (0); 193} 194 195/* 196 * This function is called by the MAC Framework to add audit data 197 * from a policy to the current audit record. 198 */ 199int 200audit_mac_data(int type, int len, u_char *data) { 201 struct kaudit_record *cur; 202 struct mac_audit_record *record; 203 204 if (audit_enabled == 0) { 205 kfree(data, len); 206 return (ENOTSUP); 207 } 208 209 cur = currecord(); 210 if (cur == NULL) { 211 kfree(data, len); 212 return (ENOTSUP); 213 } 214 215 /* 216 * XXX: Note that we silently drop the audit data if this 217 * allocation fails - this is consistent with the rest of the 218 * audit implementation. 219 */ 220 record = kalloc(sizeof(*record)); 221 if (record == NULL) { 222 kfree(data, len); 223 return (0); 224 } 225 226 record->type = type; 227 record->length = len; 228 record->data = data; 229 LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records); 230 231 return (0); 232} 233 234void 235audit_arg_mac_string(struct kaudit_record *ar, char *string) 236{ 237 238 if (ar->k_ar.ar_arg_mac_string == NULL) 239 ar->k_ar.ar_arg_mac_string = 240 kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN); 241 242 /* 243 * XXX This should be a rare event. If kalloc() returns NULL, 244 * the system is low on kernel virtual memory. To be 245 * consistent with the rest of audit, just return 246 * (may need to panic if required to for audit). 247 */ 248 if (ar->k_ar.ar_arg_mac_string == NULL) 249 if (ar->k_ar.ar_arg_mac_string == NULL) 250 return; 251 252 strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX, 253 MAC_ARG_PREFIX_LEN); 254 strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string, 255 MAC_MAX_LABEL_BUF_LEN); 256 ARG_SET_VALID(ar, ARG_MAC_STRING); 257} 258#endif /* MAC */ 259 260#endif /* CONFIG_AUDIT */ 261