xref: /illumos-gate/usr/src/uts/common/os/audit_core.c (revision 6a634c9d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/param.h>
26 #include <sys/types.h>
27 #include <sys/time.h>
28 #include <sys/kmem.h>
29 #include <sys/proc.h>
30 #include <sys/vnode.h>
31 #include <sys/file.h>
32 #include <sys/user.h>
33 #include <sys/stropts.h>
34 #include <sys/systm.h>
35 #include <sys/pathname.h>
36 #include <sys/debug.h>
37 #include <sys/cred_impl.h>
38 #include <sys/zone.h>
39 #include <sys/modctl.h>
40 #include <sys/sysconf.h>
41 #include <c2/audit.h>
42 #include <c2/audit_kernel.h>
43 #include <c2/audit_kevents.h>
44 #include <c2/audit_record.h>
45 
46 
47 struct p_audit_data *pad0;
48 struct t_audit_data *tad0;
49 
50 extern uint_t num_syscall;		/* size of audit_s2e table */
51 extern kmutex_t pidlock;		/* proc table lock */
52 
53 
54 void
audit_init()55 audit_init()
56 {
57 	kthread_t	    *au_thread;
58 	auditinfo_addr_t    *ainfo;
59 	struct audit_path   apempty;
60 
61 	/*
62 	 * If the c2audit module is explicitely excluded in /etc/system,
63 	 * it cannot be loaded later (e.g. using modload). Make a notice
64 	 * that the module won't be present and do nothing.
65 	 */
66 
67 	if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0) {
68 		audit_active = C2AUDIT_DISABLED;
69 		return;
70 	}
71 
72 	/* c2audit module can be loaded anytime */
73 	audit_active = C2AUDIT_UNLOADED;
74 
75 	/* initialize the process audit data (pad) memory allocator */
76 	au_pad_init();
77 
78 	/* initialize the zone audit context */
79 	au_zone_setup();
80 
81 	/* inital thread structure */
82 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
83 
84 	/* initial process structure */
85 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
86 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
87 
88 	curthread->t_audit_data = tad0;
89 	curproc->p_audit_data = pad0;
90 
91 	/*
92 	 * The kernel allocates a bunch of threads make sure they have
93 	 * a valid tad
94 	 */
95 
96 	mutex_enter(&pidlock);
97 
98 	au_thread = curthread;
99 	do {
100 		if (T2A(au_thread) == NULL) {
101 			T2A(au_thread) = tad0;
102 		}
103 		au_thread = au_thread->t_next;
104 	} while (au_thread != curthread);
105 
106 	tad0->tad_ad = NULL;
107 	mutex_exit(&pidlock);
108 
109 	/*
110 	 * Initialize audit context in our cred (kcred).
111 	 * No copy-on-write needed here because it's so early in init.
112 	 */
113 
114 	ainfo = crgetauinfo_modifiable(kcred);
115 	ASSERT(ainfo != NULL);
116 	bzero(ainfo, sizeof (auditinfo_addr_t));
117 	ainfo->ai_auid = AU_NOAUDITID;
118 
119 	/* fabricate an empty audit_path to extend */
120 	apempty.audp_cnt = 0;
121 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
122 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
123 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
124 	au_pathhold(pad0->pad_root);
125 	pad0->pad_cwd = pad0->pad_root;
126 }
127 
128 /*
129  * Check for any pending changes to the audit context for the given proc.
130  * p_crlock and pad_lock for the process are acquired here. Caller is
131  * responsible for assuring the process doesn't go away. If context is
132  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
133  * If no cred is given, it will be cralloc'ed here and caller assures that
134  * it is safe to allocate memory.
135  */
136 
137 void
audit_update_context(proc_t * p,cred_t * ncr)138 audit_update_context(proc_t *p, cred_t *ncr)
139 {
140 	struct p_audit_data *pad;
141 	cred_t *newcred = ncr;
142 
143 	pad = P2A(p);
144 	if (pad == NULL) {
145 		if (newcred != NULL)
146 			crfree(newcred);
147 		return;
148 	}
149 
150 	/* If a mask update is pending, take care of it. */
151 	if (pad->pad_flags & PAD_SETMASK) {
152 		auditinfo_addr_t *ainfo;
153 
154 		if (newcred == NULL)
155 			newcred = cralloc();
156 
157 		mutex_enter(&pad->pad_lock);
158 		/* the condition may have been handled by the time we lock */
159 		if (pad->pad_flags & PAD_SETMASK) {
160 			ainfo = crgetauinfo_modifiable(newcred);
161 			if (ainfo == NULL) {
162 				mutex_exit(&pad->pad_lock);
163 				crfree(newcred);
164 				return;
165 			}
166 
167 			mutex_enter(&p->p_crlock);
168 			crcopy_to(p->p_cred, newcred);
169 			p->p_cred = newcred;
170 
171 			ainfo->ai_mask = pad->pad_newmask;
172 
173 			/* Unlock and cleanup. */
174 			mutex_exit(&p->p_crlock);
175 			pad->pad_flags &= ~PAD_SETMASK;
176 
177 			/*
178 			 * For curproc, assure that our thread points to right
179 			 * cred, so CRED() will be correct. Otherwise, no need
180 			 * to broadcast changes (via set_proc_pre_sys), since
181 			 * t_pre_sys is ALWAYS on when audit is enabled... due
182 			 * to syscall auditing.
183 			 */
184 			if (p == curproc)
185 				crset(p, newcred);
186 			else
187 				crfree(newcred);
188 		} else {
189 			crfree(newcred);
190 		}
191 		mutex_exit(&pad->pad_lock);
192 	} else {
193 		if (newcred != NULL)
194 			crfree(newcred);
195 	}
196 }
197 
198 /*
199  * ROUTINE:	AUDIT_NEWPROC
200  * PURPOSE:	initialize the child p_audit_data structure
201  * CALLBY:	GETPROC
202  * NOTE:	All threads for the parent process are locked at this point.
203  *		We are essentially running singled threaded for this reason.
204  *		GETPROC is called when system creates a new process.
205  *		By the time AUDIT_NEWPROC is called, the child proc
206  *		structure has already been initialized. What we need
207  *		to do is to allocate the child p_audit_data and
208  *		initialize it with the content of current parent process.
209  */
210 
211 void
audit_newproc(struct proc * cp)212 audit_newproc(struct proc *cp)	/* initialized child proc structure */
213 {
214 	p_audit_data_t *pad;	/* child process audit data */
215 	p_audit_data_t *opad;	/* parent process audit data */
216 
217 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
218 
219 	P2A(cp) = pad;
220 
221 	opad = P2A(curproc);
222 
223 	/*
224 	 * copy the audit data. Note that all threads of current
225 	 *   process have been "held". Thus there is no race condition
226 	 *   here with mutiple threads trying to alter the cwrd
227 	 *   structure (such as releasing it).
228 	 *
229 	 *   The audit context in the cred is "duplicated" for the new
230 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
231 	 *
232 	 *   We still want to hold things since auditon() [A_SETUMASK,
233 	 *   A_SETSMASK] could be walking through the processes to
234 	 *   update things.
235 	 */
236 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
237 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
238 	au_pathhold(pad->pad_root);
239 	au_pathhold(pad->pad_cwd);
240 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
241 
242 	/*
243 	 * If we are in the limited mode, there is nothing to audit and
244 	 * there could not have been anything to audit, since it is not
245 	 * possible to switch from the full mode into the limited mode
246 	 * once the full mode is set.
247 	 */
248 	if (audit_active != C2AUDIT_LOADED)
249 		return;
250 
251 	/*
252 	 * finish auditing of parent here so that it will be done
253 	 * before child has a chance to run. We include the child
254 	 * pid since the return value in the return token is a dummy
255 	 * one and contains no useful information (it is included to
256 	 * make the audit record structure consistant).
257 	 *
258 	 * tad_flag is set if auditing is on
259 	 */
260 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
261 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
262 
263 	/*
264 	 * finish up audit record generation here because child process
265 	 * is set to run before parent process. We distinguish here
266 	 * between FORK, FORK1, or VFORK by the saved system call ID.
267 	 */
268 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
269 }
270 
271 /*
272  * ROUTINE:	AUDIT_PFREE
273  * PURPOSE:	deallocate the per-process udit data structure
274  * CALLBY:	EXIT
275  *		FORK_FAIL
276  * NOTE:	all lwp except current one have stopped in SEXITLWPS
277  * 		why we are single threaded?
278  *		. all lwp except current one have stopped in SEXITLWPS.
279  */
280 
281 void
audit_pfree(struct proc * p)282 audit_pfree(struct proc *p)		/* proc structure to be freed */
283 
284 {	/* AUDIT_PFREE */
285 
286 	p_audit_data_t *pad;
287 
288 	pad = P2A(p);
289 
290 	/* better be a per process audit data structure */
291 	ASSERT(pad != (p_audit_data_t *)0);
292 
293 	if (pad == pad0) {
294 		return;
295 	}
296 
297 	/* deallocate all auditing resources for this process */
298 	au_pathrele(pad->pad_root);
299 	au_pathrele(pad->pad_cwd);
300 
301 	/*
302 	 * Since the pad structure is completely overwritten after alloc,
303 	 * we don't bother to clear it.
304 	 */
305 
306 	kmem_cache_free(au_pad_cache, pad);
307 }
308 
309 /*
310  * ROUTINE:	AUDIT_THREAD_CREATE
311  * PURPOSE:	allocate per-process thread audit data structure
312  * CALLBY:	THREAD_CREATE
313  * NOTE:	This is called just after *t was bzero'd.
314  *		We are single threaded in this routine.
315  * TODO:
316  * QUESTION:
317  */
318 
319 void
audit_thread_create(kthread_id_t t)320 audit_thread_create(kthread_id_t t)
321 {
322 	t_audit_data_t *tad;	/* per-thread audit data */
323 
324 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
325 
326 	T2A(t) = tad;		/* set up thread audit data ptr */
327 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
328 }
329 
330 /*
331  * ROUTINE:	AUDIT_THREAD_FREE
332  * PURPOSE:	free the per-thread audit data structure
333  * CALLBY:	THREAD_FREE
334  * NOTE:	most thread data is clear after return
335  */
336 
337 void
audit_thread_free(kthread_t * t)338 audit_thread_free(kthread_t *t)
339 {
340 	t_audit_data_t *tad;
341 	au_defer_info_t	*attr;
342 
343 	tad = T2A(t);
344 
345 	/* thread audit data must still be set */
346 
347 	if (tad == tad0) {
348 		return;
349 	}
350 
351 	if (tad == NULL) {
352 		return;
353 	}
354 
355 	t->t_audit_data = 0;
356 
357 	/* must not have any audit record residual */
358 	ASSERT(tad->tad_ad == NULL);
359 
360 	/* saved path must be empty */
361 	ASSERT(tad->tad_aupath == NULL);
362 
363 	if (tad->tad_atpath)
364 		au_pathrele(tad->tad_atpath);
365 
366 	if (audit_active == C2AUDIT_LOADED) {
367 		attr = tad->tad_defer_head;
368 		while (attr != NULL) {
369 			au_defer_info_t	*tmp_attr = attr;
370 
371 			au_free_rec(attr->audi_ad);
372 
373 			attr = attr->audi_next;
374 			kmem_free(tmp_attr, sizeof (au_defer_info_t));
375 		}
376 	}
377 
378 	kmem_free(tad, sizeof (*tad));
379 }
380 
381 /*
382  * ROUTINE:	AUDIT_FALLOC
383  * PURPOSE:	allocating a new file structure
384  * CALLBY:	FALLOC
385  * NOTE:	file structure already initialized
386  * TODO:
387  * QUESTION:
388  */
389 
390 void
audit_falloc(struct file * fp)391 audit_falloc(struct file *fp)
392 {	/* AUDIT_FALLOC */
393 
394 	f_audit_data_t *fad;
395 
396 	/* allocate per file audit structure if there a'int any */
397 	ASSERT(F2A(fp) == NULL);
398 
399 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
400 
401 	F2A(fp) = fad;
402 
403 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
404 }
405 
406 /*
407  * ROUTINE:	AUDIT_UNFALLOC
408  * PURPOSE:	deallocate file audit data structure
409  * CALLBY:	CLOSEF
410  *		UNFALLOC
411  * NOTE:
412  * TODO:
413  * QUESTION:
414  */
415 
416 void
audit_unfalloc(struct file * fp)417 audit_unfalloc(struct file *fp)
418 {
419 	f_audit_data_t *fad;
420 
421 	fad = F2A(fp);
422 
423 	if (!fad) {
424 		return;
425 	}
426 	if (fad->fad_aupath != NULL) {
427 		au_pathrele(fad->fad_aupath);
428 	}
429 	fp->f_audit_data = 0;
430 	kmem_free(fad, sizeof (struct f_audit_data));
431 }
432 
433 uint32_t
audit_getstate()434 audit_getstate()
435 {
436 	return (audit_active == C2AUDIT_LOADED &&
437 	    ((AU_AUDIT_MASK) & U2A(u)->tad_audit));
438 }
439