1 /*-
2 * Copyright (c) 1999-2020 Apple Inc.
3 * Copyright (c) 2006-2007 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 */
31 /*
32 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
33 * support for mandatory and extensible security protections. This notice
34 * is included in support of clause 2.2 (b) of the Apple Public License,
35 * Version 2.0.
36 */
37
38 #include <sys/param.h>
39 #include <sys/fcntl.h>
40 #include <sys/kernel.h>
41 #include <sys/lock.h>
42 #include <sys/namei.h>
43 #include <sys/proc_internal.h>
44 #include <sys/kauth.h>
45 #include <sys/queue.h>
46 #include <sys/systm.h>
47 #include <sys/time.h>
48 #include <sys/ucred.h>
49 #include <sys/uio.h>
50 #include <sys/unistd.h>
51 #include <sys/file_internal.h>
52 #include <sys/vnode_internal.h>
53 #include <sys/user.h>
54 #include <sys/syscall.h>
55 #include <sys/un.h>
56 #include <sys/sysent.h>
57 #include <sys/sysproto.h>
58 #include <sys/vfs_context.h>
59 #include <sys/domain.h>
60 #include <sys/protosw.h>
61 #include <sys/socketvar.h>
62
63 #include <bsm/audit.h>
64 #include <bsm/audit_internal.h>
65 #include <bsm/audit_kevents.h>
66
67 #include <security/audit/audit.h>
68 #include <security/audit/audit_bsd.h>
69 #include <security/audit/audit_private.h>
70
71 #include <mach/host_priv.h>
72 #include <mach/host_special_ports.h>
73 #include <mach/audit_triggers_server.h>
74
75 #include <kern/host.h>
76 #include <kern/zalloc.h>
77 #include <kern/sched_prim.h>
78
79 #include <net/route.h>
80
81 #include <netinet/in.h>
82 #include <netinet/in_pcb.h>
83
84 #if CONFIG_AUDIT
85 MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
86 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
87 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
88
89 /*
90 * Audit control settings that are set/read by system calls and are hence
91 * non-static.
92 *
93 * Define the audit control flags.
94 */
95 int audit_enabled;
96 int audit_suspended;
97
98 int audit_syscalls;
99 au_class_t audit_kevent_mask;
100
101 /*
102 * The audit control mode is used to ensure configuration settings are only
103 * accepted from appropriate sources based on the current mode.
104 */
105 au_ctlmode_t audit_ctl_mode;
106 au_expire_after_t audit_expire_after;
107
108 /*
109 * Flags controlling behavior in low storage situations. Should we panic if
110 * a write fails? Should we fail stop if we're out of disk space?
111 */
112 int audit_panic_on_write_fail;
113 int audit_fail_stop;
114 int audit_argv;
115 int audit_arge;
116
117 /*
118 * Are we currently "failing stop" due to out of disk space?
119 */
120 int audit_in_failure;
121
122 /*
123 * Global audit statistics.
124 */
125 struct audit_fstat audit_fstat;
126
127 /*
128 * Preselection mask for non-attributable events.
129 */
130 struct au_mask audit_nae_mask;
131
132 /*
133 * Mutex to protect global variables shared between various threads and
134 * processes.
135 */
136 struct mtx audit_mtx;
137
138 /*
139 * Queue of audit records ready for delivery to disk. We insert new records
140 * at the tail, and remove records from the head. Also, a count of the
141 * number of records used for checking queue depth. In addition, a counter
142 * of records that we have allocated but are not yet in the queue, which is
143 * needed to estimate the total size of the combined set of records
144 * outstanding in the system.
145 */
146 struct kaudit_queue audit_q;
147 int audit_q_len;
148 int audit_pre_q_len;
149
150 /*
151 * Audit queue control settings (minimum free, low/high water marks, etc.)
152 */
153 struct au_qctrl audit_qctrl;
154
155 /*
156 * Condition variable to signal to the worker that it has work to do: either
157 * new records are in the queue, or a log replacement is taking place.
158 */
159 struct cv audit_worker_cv;
160
161 /*
162 * Condition variable to signal when the worker is done draining the audit
163 * queue.
164 */
165 struct cv audit_drain_cv;
166
167 /*
168 * Condition variable to flag when crossing the low watermark, meaning that
169 * threads blocked due to hitting the high watermark can wake up and continue
170 * to commit records.
171 */
172 struct cv audit_watermark_cv;
173
174 /*
175 * Condition variable for auditing threads wait on when in fail-stop mode.
176 * Threads wait on this CV forever (and ever), never seeing the light of day
177 * again.
178 */
179 static struct cv audit_fail_cv;
180
181 static ZONE_DEFINE(audit_record_zone, "audit_zone",
182 sizeof(struct kaudit_record), ZC_NONE);
183
184 /*
185 * Kernel audit information. This will store the current audit address
186 * or host information that the kernel will use when it's generating
187 * audit records. This data is modified by the A_GET{SET}KAUDIT auditon(2)
188 * command.
189 */
190 static struct auditinfo_addr audit_kinfo;
191 static struct rwlock audit_kinfo_lock;
192
193 #define KINFO_LOCK_INIT() rw_init(&audit_kinfo_lock, \
194 "audit_kinfo_lock")
195 #define KINFO_RLOCK() rw_rlock(&audit_kinfo_lock)
196 #define KINFO_WLOCK() rw_wlock(&audit_kinfo_lock)
197 #define KINFO_RUNLOCK() rw_runlock(&audit_kinfo_lock)
198 #define KINFO_WUNLOCK() rw_wunlock(&audit_kinfo_lock)
199
200 void
audit_set_kinfo(struct auditinfo_addr * ak)201 audit_set_kinfo(struct auditinfo_addr *ak)
202 {
203 KASSERT(ak->ai_termid.at_type == AU_IPv4 ||
204 ak->ai_termid.at_type == AU_IPv6,
205 ("audit_set_kinfo: invalid address type"));
206
207 KINFO_WLOCK();
208 bcopy(ak, &audit_kinfo, sizeof(audit_kinfo));
209 KINFO_WUNLOCK();
210 }
211
212 void
audit_get_kinfo(struct auditinfo_addr * ak)213 audit_get_kinfo(struct auditinfo_addr *ak)
214 {
215 KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 ||
216 audit_kinfo.ai_termid.at_type == AU_IPv6,
217 ("audit_set_kinfo: invalid address type"));
218
219 KINFO_RLOCK();
220 bcopy(&audit_kinfo, ak, sizeof(*ak));
221 KINFO_RUNLOCK();
222 }
223
224 /*
225 * Construct an audit record for the passed thread.
226 */
227 static void
audit_record_ctor(proc_t p,struct kaudit_record * ar)228 audit_record_ctor(proc_t p, struct kaudit_record *ar)
229 {
230 kauth_cred_t cred;
231
232 bzero(ar, sizeof(*ar));
233 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
234 nanotime(&ar->k_ar.ar_starttime);
235
236 if (PROC_NULL != p) {
237 cred = kauth_cred_proc_ref(p);
238
239 /*
240 * Export the subject credential.
241 */
242 cru2x(cred, &ar->k_ar.ar_subj_cred);
243 ar->k_ar.ar_subj_ruid = kauth_cred_getruid(cred);
244 ar->k_ar.ar_subj_rgid = kauth_cred_getrgid(cred);
245 ar->k_ar.ar_subj_egid = kauth_cred_getgid(cred);
246 ar->k_ar.ar_subj_pid = proc_getpid(p);
247 ar->k_ar.ar_subj_auid = cred->cr_audit.as_aia_p->ai_auid;
248 ar->k_ar.ar_subj_asid = cred->cr_audit.as_aia_p->ai_asid;
249 bcopy(&cred->cr_audit.as_mask, &ar->k_ar.ar_subj_amask,
250 sizeof(struct au_mask));
251 bcopy(&cred->cr_audit.as_aia_p->ai_termid,
252 &ar->k_ar.ar_subj_term_addr, sizeof(struct au_tid_addr));
253 kauth_cred_unref(&cred);
254 }
255 }
256
257 static void
audit_record_dtor(struct kaudit_record * ar)258 audit_record_dtor(struct kaudit_record *ar)
259 {
260 if (ar->k_ar.ar_arg_upath1 != NULL) {
261 zfree(ZV_NAMEI, ar->k_ar.ar_arg_upath1);
262 }
263 if (ar->k_ar.ar_arg_upath2 != NULL) {
264 zfree(ZV_NAMEI, ar->k_ar.ar_arg_upath2);
265 }
266 if (ar->k_ar.ar_arg_kpath1 != NULL) {
267 zfree(ZV_NAMEI, ar->k_ar.ar_arg_kpath1);
268 }
269 if (ar->k_ar.ar_arg_kpath2 != NULL) {
270 zfree(ZV_NAMEI, ar->k_ar.ar_arg_kpath2);
271 }
272 if (ar->k_ar.ar_arg_text != NULL) {
273 zfree(ZV_NAMEI, ar->k_ar.ar_arg_text);
274 }
275 if (ar->k_ar.ar_arg_opaque != NULL) {
276 kfree_data(ar->k_ar.ar_arg_opaque, ar->k_ar.ar_arg_opq_size);
277 }
278 if (ar->k_ar.ar_arg_data != NULL) {
279 kfree_data_addr(ar->k_ar.ar_arg_data);
280 }
281 if (ar->k_udata != NULL) {
282 kfree_data_addr(ar->k_udata);
283 }
284 if (ar->k_ar.ar_arg_argv != NULL) {
285 kfree_data_addr(ar->k_ar.ar_arg_argv);
286 }
287 if (ar->k_ar.ar_arg_envv != NULL) {
288 kfree_data_addr(ar->k_ar.ar_arg_envv);
289 }
290 audit_identity_info_destruct(&ar->k_ar.ar_arg_identity);
291 }
292
293 /*
294 * Initialize the Audit subsystem: configuration state, work queue,
295 * synchronization primitives, worker thread, and trigger device node. Also
296 * call into the BSM assembly code to initialize it.
297 */
298 void
audit_init(void)299 audit_init(void)
300 {
301 audit_enabled = 0;
302 audit_syscalls = 0;
303 audit_kevent_mask = 0;
304 audit_suspended = 0;
305 audit_panic_on_write_fail = 0;
306 audit_fail_stop = 0;
307 audit_in_failure = 0;
308 audit_argv = 0;
309 audit_arge = 0;
310 audit_ctl_mode = AUDIT_CTLMODE_NORMAL;
311 audit_expire_after.age = 0;
312 audit_expire_after.size = 0;
313 audit_expire_after.op_type = AUDIT_EXPIRE_OP_AND;
314
315 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded. */
316 audit_fstat.af_currsz = 0;
317 audit_nae_mask.am_success = 0;
318 audit_nae_mask.am_failure = 0;
319
320 TAILQ_INIT(&audit_q);
321 audit_q_len = 0;
322 audit_pre_q_len = 0;
323 audit_qctrl.aq_hiwater = AQ_HIWATER;
324 audit_qctrl.aq_lowater = AQ_LOWATER;
325 audit_qctrl.aq_bufsz = AQ_BUFSZ;
326 audit_qctrl.aq_minfree = AU_FS_MINFREE;
327
328 audit_kinfo.ai_termid.at_type = AU_IPv4;
329 audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY;
330
331 mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
332 KINFO_LOCK_INIT();
333 cv_init(&audit_worker_cv, "audit_worker_cv");
334 cv_init(&audit_drain_cv, "audit_drain_cv");
335 cv_init(&audit_watermark_cv, "audit_watermark_cv");
336 cv_init(&audit_fail_cv, "audit_fail_cv");
337
338 /* Init audit session subsystem. */
339 audit_session_init();
340
341 /* Initialize the BSM audit subsystem. */
342 kau_init();
343
344 /* audit_trigger_init(); */
345
346 /* Start audit worker thread. */
347 (void) audit_pipe_init();
348
349 /* Start audit worker thread. */
350 audit_worker_init();
351 }
352
353 /*
354 * Drain the audit queue and close the log at shutdown. Note that this can
355 * be called both from the system shutdown path and also from audit
356 * configuration syscalls, so 'arg' and 'howto' are ignored.
357 */
358 void
audit_shutdown(void)359 audit_shutdown(void)
360 {
361 audit_rotate_vnode(NULL, NULL);
362 }
363
364 /*
365 * Return the current thread's audit record, if any.
366 */
367 struct kaudit_record *
currecord(void)368 currecord(void)
369 {
370 return curthread()->uu_ar;
371 }
372
373 /*
374 * XXXAUDIT: There are a number of races present in the code below due to
375 * release and re-grab of the mutex. The code should be revised to become
376 * slightly less racy.
377 *
378 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
379 * pre_q space, suspending the system call until there is room?
380 */
381 struct kaudit_record *
audit_new(int event,proc_t p,__unused struct uthread * uthread)382 audit_new(int event, proc_t p, __unused struct uthread *uthread)
383 {
384 struct kaudit_record *ar;
385 int no_record;
386 int audit_override;
387
388 /*
389 * Override the audit_suspended and audit_enabled if it always
390 * audits session events.
391 *
392 * XXXss - This really needs to be a generalized call to a filter
393 * interface so if other things that use the audit subsystem in the
394 * future can simply plugged in.
395 */
396 audit_override = (AUE_SESSION_START == event ||
397 AUE_SESSION_UPDATE == event || AUE_SESSION_END == event ||
398 AUE_SESSION_CLOSE == event);
399
400 mtx_lock(&audit_mtx);
401 no_record = (audit_suspended || !audit_enabled);
402 mtx_unlock(&audit_mtx);
403 if (!audit_override && no_record) {
404 return NULL;
405 }
406
407 /*
408 * Initialize the audit record header.
409 * XXX: We may want to fail-stop if allocation fails.
410 *
411 * Note: the number of outstanding uncommitted audit records is
412 * limited to the number of concurrent threads servicing system calls
413 * in the kernel.
414 */
415 ar = zalloc_flags(audit_record_zone, Z_WAITOK | Z_NOFAIL);
416 audit_record_ctor(p, ar);
417 ar->k_ar.ar_event = event;
418
419 #if CONFIG_MACF
420 if (PROC_NULL != p) {
421 if (audit_mac_new(p, ar) != 0) {
422 zfree(audit_record_zone, ar);
423 return NULL;
424 }
425 } else {
426 ar->k_ar.ar_mac_records = NULL;
427 }
428 #endif
429
430 mtx_lock(&audit_mtx);
431 audit_pre_q_len++;
432 mtx_unlock(&audit_mtx);
433
434 return ar;
435 }
436
437 void
audit_free(struct kaudit_record * ar)438 audit_free(struct kaudit_record *ar)
439 {
440 audit_record_dtor(ar);
441 #if CONFIG_MACF
442 if (NULL != ar->k_ar.ar_mac_records) {
443 audit_mac_free(ar);
444 }
445 #endif
446 zfree(audit_record_zone, ar);
447 }
448
449 void
audit_commit(struct kaudit_record * ar,int error,int retval)450 audit_commit(struct kaudit_record *ar, int error, int retval)
451 {
452 au_event_t event;
453 au_class_t class;
454 au_id_t auid;
455 int sorf;
456 struct au_mask *aumask;
457 int audit_override;
458
459 if (ar == NULL) {
460 return;
461 }
462
463 /*
464 * Decide whether to commit the audit record by checking the error
465 * value from the system call and using the appropriate audit mask.
466 */
467 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) {
468 aumask = &audit_nae_mask;
469 } else {
470 aumask = &ar->k_ar.ar_subj_amask;
471 }
472
473 if (error) {
474 sorf = AU_PRS_FAILURE;
475 } else {
476 sorf = AU_PRS_SUCCESS;
477 }
478
479 switch (ar->k_ar.ar_event) {
480 case AUE_OPEN_RWTC:
481 /*
482 * The open syscall always writes a AUE_OPEN_RWTC event;
483 * change it to the proper type of event based on the flags
484 * and the error value.
485 */
486 ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
487 ar->k_ar.ar_arg_fflags, error);
488 break;
489
490 case AUE_OPEN_EXTENDED_RWTC:
491 /*
492 * The open_extended syscall always writes a
493 * AUE_OPEN_EXTENDEDRWTC event; change it to the proper type of
494 * event based on the flags and the error value.
495 */
496 ar->k_ar.ar_event = audit_flags_and_error_to_openextendedevent(
497 ar->k_ar.ar_arg_fflags, error);
498 break;
499
500 case AUE_OPENAT_RWTC:
501 /*
502 * The openat syscall always writes a
503 * AUE_OPENAT_RWTC event; change it to the proper type of
504 * event based on the flags and the error value.
505 */
506 ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
507 ar->k_ar.ar_arg_fflags, error);
508 break;
509
510 case AUE_OPENBYID_RWT:
511 /*
512 * The openbyid syscall always writes a
513 * AUE_OPENBYID_RWT event; change it to the proper type of
514 * event based on the flags and the error value.
515 */
516 ar->k_ar.ar_event = audit_flags_and_error_to_openbyidevent(
517 ar->k_ar.ar_arg_fflags, error);
518 break;
519
520 case AUE_SYSCTL:
521 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
522 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
523 break;
524
525 case AUE_AUDITON:
526 /* Convert the auditon() command to an event. */
527 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
528 break;
529
530 case AUE_FCNTL:
531 /* Convert some fcntl() commands to their own events. */
532 ar->k_ar.ar_event = audit_fcntl_command_event(
533 ar->k_ar.ar_arg_cmd, ar->k_ar.ar_arg_fflags, error);
534 break;
535 }
536
537 auid = ar->k_ar.ar_subj_auid;
538 event = ar->k_ar.ar_event;
539 class = au_event_class(event);
540
541 /*
542 * See if we need to override the audit_suspend and audit_enabled
543 * flags.
544 *
545 * XXXss - This check needs to be generalized so new filters can
546 * easily be added.
547 */
548 audit_override = (AUE_SESSION_START == event ||
549 AUE_SESSION_UPDATE == event || AUE_SESSION_END == event ||
550 AUE_SESSION_CLOSE == event);
551
552 ar->k_ar_commit |= AR_COMMIT_KERNEL;
553 if (au_preselect(event, class, aumask, sorf) != 0) {
554 ar->k_ar_commit |= AR_PRESELECT_TRAIL;
555 }
556 if (audit_pipe_preselect(auid, event, class, sorf,
557 ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) {
558 ar->k_ar_commit |= AR_PRESELECT_PIPE;
559 }
560 if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
561 AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE |
562 AR_PRESELECT_FILTER)) == 0) {
563 mtx_lock(&audit_mtx);
564 audit_pre_q_len--;
565 mtx_unlock(&audit_mtx);
566 audit_free(ar);
567 return;
568 }
569
570 ar->k_ar.ar_errno = error;
571 ar->k_ar.ar_retval = retval;
572 nanotime(&ar->k_ar.ar_endtime);
573
574 /*
575 * Note: it could be that some records initiated while audit was
576 * enabled should still be committed?
577 */
578 mtx_lock(&audit_mtx);
579 if (!audit_override && (audit_suspended || !audit_enabled)) {
580 audit_pre_q_len--;
581 mtx_unlock(&audit_mtx);
582 audit_free(ar);
583 return;
584 }
585
586 /*
587 * Constrain the number of committed audit records based on the
588 * configurable parameter.
589 */
590 while (audit_q_len >= audit_qctrl.aq_hiwater) {
591 cv_wait(&audit_watermark_cv, &audit_mtx);
592 }
593
594 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
595 audit_q_len++;
596 audit_pre_q_len--;
597 cv_signal(&audit_worker_cv);
598 mtx_unlock(&audit_mtx);
599 }
600
601 /*
602 * audit_syscall_enter() is called on entry to each system call. It is
603 * responsible for deciding whether or not to audit the call (preselection),
604 * and if so, allocating a per-thread audit record. audit_new() will fill in
605 * basic thread/credential properties.
606 */
607 void
audit_syscall_enter(unsigned int code,proc_t proc,struct uthread * uthread)608 audit_syscall_enter(unsigned int code, proc_t proc, struct uthread *uthread)
609 {
610 struct au_mask *aumask;
611 au_class_t class;
612 au_event_t event;
613 au_id_t auid;
614 kauth_cred_t cred;
615
616 /*
617 * In FreeBSD, each ABI has its own system call table, and hence
618 * mapping of system call codes to audit events. Convert the code to
619 * an audit event identifier using the process system call table
620 * reference. In Darwin, there's only one, so we use the global
621 * symbol for the system call table. No audit record is generated
622 * for bad system calls, as no operation has been performed.
623 *
624 * In Mac OS X, the audit events are stored in a table seperate from
625 * the syscall table(s). This table is generated by makesyscalls.sh
626 * from syscalls.master and stored in audit_kevents.c.
627 */
628 if (code >= nsysent) {
629 return;
630 }
631 event = sys_au_event[code];
632 if (event == AUE_NULL) {
633 return;
634 }
635
636 KASSERT(uthread->uu_ar == NULL,
637 ("audit_syscall_enter: uthread->uu_ar != NULL"));
638
639 /*
640 * Check which audit mask to use; either the kernel non-attributable
641 * event mask or the process audit mask.
642 */
643 cred = kauth_cred_proc_ref(proc);
644 auid = cred->cr_audit.as_aia_p->ai_auid;
645 if (auid == AU_DEFAUDITID) {
646 aumask = &audit_nae_mask;
647 } else {
648 aumask = &cred->cr_audit.as_mask;
649 }
650
651 /*
652 * Allocate an audit record, if preselection allows it, and store in
653 * the thread for later use.
654 */
655 class = au_event_class(event);
656 #if CONFIG_MACF
657 /*
658 * Note: audit_mac_syscall_enter() may call audit_new() and allocate
659 * memory for the audit record (uu_ar).
660 */
661 if (audit_mac_syscall_enter(code, proc, uthread, cred, event) == 0) {
662 goto out;
663 }
664 #endif
665 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
666 /*
667 * If we're out of space and need to suspend unprivileged
668 * processes, do that here rather than trying to allocate
669 * another audit record.
670 *
671 * Note: we might wish to be able to continue here in the
672 * future, if the system recovers. That should be possible
673 * by means of checking the condition in a loop around
674 * cv_wait(). It might be desirable to reevaluate whether an
675 * audit record is still required for this event by
676 * re-calling au_preselect().
677 */
678 if (audit_in_failure &&
679 suser(cred, &proc->p_acflag) != 0) {
680 cv_wait(&audit_fail_cv, &audit_mtx);
681 panic("audit_failing_stop: thread continued");
682 }
683 if (uthread->uu_ar == NULL) {
684 uthread->uu_ar = audit_new(event, proc, uthread);
685 }
686 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
687 if (uthread->uu_ar == NULL) {
688 uthread->uu_ar = audit_new(event, proc, uthread);
689 }
690 }
691
692 /*
693 * All audited events will contain an identity
694 *
695 * Note: Identity should be obtained prior to the syscall implementation
696 * being called to handle cases like execve(2) where the process changes
697 */
698 AUDIT_ARG(identity);
699
700 out:
701 kauth_cred_unref(&cred);
702 }
703
704 /*
705 * audit_syscall_exit() is called from the return of every system call, or in
706 * the event of exit1(), during the execution of exit1(). It is responsible
707 * for committing the audit record, if any, along with return condition.
708 *
709 * Note: The audit_syscall_exit() parameter list was modified to support
710 * mac_audit_check_postselect(), which requires the syscall number.
711 */
712 #if CONFIG_MACF
713 void
audit_syscall_exit(unsigned int code,int error,__unused proc_t proc,struct uthread * uthread)714 audit_syscall_exit(unsigned int code, int error, __unused proc_t proc,
715 struct uthread *uthread)
716 #else
717 void
718 audit_syscall_exit(int error, __unsed proc_t proc, struct uthread *uthread)
719 #endif
720 {
721 int retval;
722
723 /*
724 * Commit the audit record as desired; once we pass the record into
725 * audit_commit(), the memory is owned by the audit subsystem. The
726 * return value from the system call is stored on the user thread.
727 * If there was an error, the return value is set to -1, imitating
728 * the behavior of the cerror routine.
729 */
730 if (error) {
731 retval = -1;
732 } else {
733 retval = uthread->uu_rval[0];
734 }
735
736 #if CONFIG_MACF
737 if (audit_mac_syscall_exit(code, uthread, error, retval) != 0) {
738 goto out;
739 }
740 #endif
741 audit_commit(uthread->uu_ar, error, retval);
742
743 out:
744 uthread->uu_ar = NULL;
745 }
746
747 /*
748 * For system calls such as posix_spawn(2) the sub operations (i.e., file actions
749 * and port actions) need to be audited as their own events. Like with system
750 * calls we need to determine if the sub operation needs to be audited by
751 * examining preselection masks.
752 */
753 void
audit_subcall_enter(au_event_t event,proc_t proc,struct uthread * uthread)754 audit_subcall_enter(au_event_t event, proc_t proc, struct uthread *uthread)
755 {
756 struct au_mask *aumask;
757 au_class_t class;
758 au_id_t auid;
759 kauth_cred_t cred;
760
761 /*
762 * Check which audit mask to use; either the kernel non-attributable
763 * event mask or the process audit mask.
764 */
765 cred = kauth_cred_proc_ref(proc);
766 auid = cred->cr_audit.as_aia_p->ai_auid;
767 if (auid == AU_DEFAUDITID) {
768 aumask = &audit_nae_mask;
769 } else {
770 aumask = &cred->cr_audit.as_mask;
771 }
772
773 /*
774 * Allocate an audit record, if preselection allows it, and store in
775 * the thread for later use.
776 */
777 class = au_event_class(event);
778
779 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
780 /*
781 * If we're out of space and need to suspend unprivileged
782 * processes, do that here rather than trying to allocate
783 * another audit record.
784 *
785 * Note: we might wish to be able to continue here in the
786 * future, if the system recovers. That should be possible
787 * by means of checking the condition in a loop around
788 * cv_wait(). It might be desirable to reevaluate whether an
789 * audit record is still required for this event by
790 * re-calling au_preselect().
791 */
792 if (audit_in_failure &&
793 suser(cred, &proc->p_acflag) != 0) {
794 cv_wait(&audit_fail_cv, &audit_mtx);
795 panic("audit_failing_stop: thread continued");
796 }
797 if (uthread->uu_ar == NULL) {
798 uthread->uu_ar = audit_new(event, proc, uthread);
799 }
800 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
801 if (uthread->uu_ar == NULL) {
802 uthread->uu_ar = audit_new(event, proc, uthread);
803 }
804 }
805
806 kauth_cred_unref(&cred);
807 }
808
809 void
audit_subcall_exit(int error,struct uthread * uthread)810 audit_subcall_exit(int error, struct uthread *uthread)
811 {
812 /* A subcall doesn't have a return value so always zero. */
813 audit_commit(uthread->uu_ar, error, 0 /* retval */);
814
815 uthread->uu_ar = NULL;
816 }
817
818 /*
819 * Calls to set up and tear down audit structures used during Mach system
820 * calls.
821 */
822 void
audit_mach_syscall_enter(unsigned short event)823 audit_mach_syscall_enter(unsigned short event)
824 {
825 struct uthread *uthread;
826 proc_t proc;
827 struct au_mask *aumask;
828 kauth_cred_t cred;
829 au_class_t class;
830 au_id_t auid;
831
832 if (event == AUE_NULL) {
833 return;
834 }
835
836 uthread = curthread();
837 if (uthread == NULL) {
838 return;
839 }
840
841 proc = current_proc();
842 if (proc == NULL) {
843 return;
844 }
845
846 KASSERT(uthread->uu_ar == NULL,
847 ("audit_mach_syscall_enter: uthread->uu_ar != NULL"));
848
849 cred = kauth_cred_proc_ref(proc);
850 auid = cred->cr_audit.as_aia_p->ai_auid;
851
852 /*
853 * Check which audit mask to use; either the kernel non-attributable
854 * event mask or the process audit mask.
855 */
856 if (auid == AU_DEFAUDITID) {
857 aumask = &audit_nae_mask;
858 } else {
859 aumask = &cred->cr_audit.as_mask;
860 }
861
862 /*
863 * Allocate an audit record, if desired, and store in the BSD thread
864 * for later use.
865 */
866 class = au_event_class(event);
867 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
868 uthread->uu_ar = audit_new(event, proc, uthread);
869 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
870 uthread->uu_ar = audit_new(event, proc, uthread);
871 } else {
872 uthread->uu_ar = NULL;
873 }
874
875 kauth_cred_unref(&cred);
876 }
877
878 void
audit_mach_syscall_exit(int retval,struct uthread * uthread)879 audit_mach_syscall_exit(int retval, struct uthread *uthread)
880 {
881 /*
882 * The error code from Mach system calls is the same as the
883 * return value
884 */
885 /* XXX Is the above statement always true? */
886 audit_commit(uthread->uu_ar, retval, retval);
887 uthread->uu_ar = NULL;
888 }
889
890 /*
891 * kau_will_audit can be used by a security policy to determine
892 * if an audit record will be stored, reducing wasted memory allocation
893 * and string handling.
894 */
895 int
kau_will_audit(void)896 kau_will_audit(void)
897 {
898 return audit_enabled && currecord() != NULL;
899 }
900
901 #if CONFIG_COREDUMP
902 void
audit_proc_coredump(proc_t proc,const char * path,int errcode)903 audit_proc_coredump(proc_t proc, const char *path, int errcode)
904 {
905 struct kaudit_record *ar;
906 struct au_mask *aumask;
907 au_class_t class;
908 int ret, sorf;
909 char **pathp;
910 au_id_t auid;
911 kauth_cred_t my_cred;
912 struct uthread *uthread;
913
914 ret = 0;
915
916 /*
917 * Make sure we are using the correct preselection mask.
918 */
919 my_cred = kauth_cred_proc_ref(proc);
920 auid = my_cred->cr_audit.as_aia_p->ai_auid;
921 if (auid == AU_DEFAUDITID) {
922 aumask = &audit_nae_mask;
923 } else {
924 aumask = &my_cred->cr_audit.as_mask;
925 }
926 kauth_cred_unref(&my_cred);
927 /*
928 * It's possible for coredump(9) generation to fail. Make sure that
929 * we handle this case correctly for preselection.
930 */
931 if (errcode != 0) {
932 sorf = AU_PRS_FAILURE;
933 } else {
934 sorf = AU_PRS_SUCCESS;
935 }
936 class = au_event_class(AUE_CORE);
937 if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 &&
938 audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0) {
939 return;
940 }
941 /*
942 * If we are interested in seeing this audit record, allocate it.
943 * Where possible coredump records should contain a pathname and arg32
944 * (signal) tokens.
945 */
946 uthread = curthread();
947 ar = audit_new(AUE_CORE, proc, uthread);
948 if (ar == NULL) {
949 return;
950 }
951 if (path != NULL) {
952 pathp = &ar->k_ar.ar_arg_upath1;
953 *pathp = zalloc(ZV_NAMEI);
954 if (audit_canon_path(vfs_context_cwd(vfs_context_current()), path,
955 *pathp)) {
956 zfree(ZV_NAMEI, *pathp);
957 } else {
958 ARG_SET_VALID(ar, ARG_UPATH1);
959 }
960 }
961 ar->k_ar.ar_arg_signum = proc->p_sigacts.ps_sig;
962 ARG_SET_VALID(ar, ARG_SIGNUM);
963 if (errcode != 0) {
964 ret = 1;
965 }
966 audit_commit(ar, errcode, ret);
967 }
968 #endif /* CONFIG_COREDUMP */
969 #endif /* CONFIG_AUDIT */
970