1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26/*
27 * This file contains the auditing system call code.
28 *
29 */
30
31#include <sys/param.h>
32#include <sys/systm.h>
33#include <sys/user.h>
34#include <sys/vnode.h>
35#include <sys/vfs.h>
36#include <sys/session.h>	/* for session structure (auditctl(2) */
37#include <sys/kmem.h>		/* for KM_SLEEP */
38#include <sys/cred.h>
39#include <sys/types.h>
40#include <sys/proc.h>
41#include <sys/uio.h>
42#include <sys/file.h>
43#include <sys/stat.h>
44#include <sys/pathname.h>
45#include <sys/acct.h>
46#include <sys/stropts.h>
47#include <sys/exec.h>
48#include <sys/thread.h>
49#include <sys/cmn_err.h>
50#include <sys/debug.h>
51#include <sys/disp.h>
52#include <sys/kobj.h>
53#include <sys/sysmacros.h>
54#include <sys/policy.h>
55#include <sys/taskq.h>
56#include <sys/zone.h>
57
58#include <c2/audit.h>
59#include <c2/audit_kernel.h>
60#include <c2/audit_record.h>
61
62#define	HEADER_SIZE64	1;
63#define	HEADER_SIZE32	0;
64#define	AU_MIN_FILE_SZ	0x80000	/* minumum audit file size */
65#define	AUDIT_REC_SIZE	0x8000	/* maximum user audit record size */
66
67extern pri_t	minclsyspri;	/* priority for taskq */
68
69static clock_t	au_resid = 15;	/* wait .15 sec before droping a rec */
70
71static void	au_output_thread();
72
73/*
74 * This is the loadable module wrapper.
75 */
76#include <sys/modctl.h>
77
78/*
79 * Module linkage information for the kernel.
80 */
81static struct modlmisc modlmisc = {
82	&mod_miscops, "Solaris Auditing (C2)"
83};
84
85static struct modlinkage modlinkage = {
86	MODREV_1, (void *)&modlmisc, 0
87};
88
89int
90_init()
91{
92	return (mod_install(&modlinkage));
93}
94
95int
96_fini()
97{
98	return (EBUSY);
99}
100
101int
102_info(struct modinfo *modinfop)
103{
104	return (mod_info(&modlinkage, modinfop));
105}
106
107/*
108 * The audit system call. Trust what the user has sent down and save it
109 * away in the audit file. User passes a complete audit record and its
110 * length.  We will fill in the time stamp, check the header and the length
111 * Put a trailer and a sequence token if policy requires.
112 * In the future length might become size_t instead of an int.
113 *
114 * The call is valid whether or not AUDIT_PERZONE is set (think of
115 * login to a zone).  When the local audit state (auk_auditstate) is
116 * AUC_INIT_AUDIT, records are accepted even though auditd isn't
117 * running.
118 */
119int
120audit(caddr_t record, int length)
121{
122	char	c;
123	int	count, l;
124	token_t	*m, *n, *s, *ad;
125	int	hdrlen, delta;
126	adr_t	hadr;
127	adr_t	sadr;
128	int	size;	/* 0: 32 bit utility  1: 64 bit utility */
129	int	host_len;
130	size_t	zlen;
131	au_kcontext_t	*kctx = GET_KCTX_PZ;
132	uint32_t auditing;
133
134	/* if auditing not enabled, then don't generate an audit record */
135	auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
136	    U2A(u)->tad_audit : kctx->auk_auditstate;
137	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
138		return (0);
139
140	/* Only privileged processes can audit */
141	if (secpolicy_audit_modify(CRED()) != 0)
142		return (EPERM);
143
144	/* Max user record size is 32K */
145	if (length > AUDIT_REC_SIZE)
146		return (E2BIG);
147
148	/*
149	 * The specified length must be at least as big as the smallest
150	 * possible header token. Later after beginning to scan the
151	 * header we'll determine the true minimum length according to
152	 * the header type and attributes.
153	 */
154#define	AU_MIN_HEADER_LEN	(sizeof (char) + sizeof (int32_t) + \
155	sizeof (char) + sizeof (short) + sizeof (short) + \
156	(sizeof (int32_t) * 2))
157
158	if (length < AU_MIN_HEADER_LEN)
159		return (EINVAL);
160
161	/* Read in user's audit record */
162	count = length;
163	m = n = s = ad = NULL;
164	while (count) {
165		m = au_getclr();
166		if (!s)
167			s = n = m;
168		else {
169			n->next_buf = m;
170			n = m;
171		}
172		l = MIN(count, AU_BUFSIZE);
173		if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
174			/* copyin failed release au_membuf */
175			au_free_rec(s);
176			return (EFAULT);
177		}
178		record += l;
179		count -= l;
180		m->len = (uchar_t)l;
181	}
182
183	/* Now attach the entire thing to ad */
184	au_write((caddr_t *)&(ad), s);
185
186	/* validate header token type. trust everything following it */
187	adr_start(&hadr, memtod(s, char *));
188	(void) adr_getchar(&hadr, &c);
189	switch (c) {
190	case AUT_HEADER32:
191		/* size vers+event_ID+event_modifier fields */
192		delta = 1 + 2 + 2;
193		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
194		size = HEADER_SIZE32;
195		break;
196
197#ifdef _LP64
198	case AUT_HEADER64:
199		/* size vers+event_ID+event_modifier fields */
200		delta = 1 + 2 + 2;
201		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
202		size = HEADER_SIZE64;
203		break;
204#endif
205
206	case AUT_HEADER32_EX:
207		/*
208		 * Skip over the length/version/type/mod fields and
209		 * grab the host address type (length), then rewind.
210		 * This is safe per the previous minimum length check.
211		 */
212		hadr.adr_now += 9;
213		(void) adr_getint32(&hadr, &host_len);
214		hadr.adr_now -= 9 + sizeof (int32_t);
215
216		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
217		delta = 1 + 2 + 2 + 4 + host_len;
218		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
219		size = HEADER_SIZE32;
220		break;
221
222#ifdef _LP64
223	case AUT_HEADER64_EX:
224		/*
225		 * Skip over the length/version/type/mod fields and grab
226		 * the host address type (length), then rewind.
227		 * This is safe per the previous minimum length check.
228		 */
229		hadr.adr_now += 9;
230		(void) adr_getint32(&hadr, &host_len);
231		hadr.adr_now -= 9 + sizeof (int32_t);
232
233		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
234		delta = 1 + 2 + 2 + 4 + host_len;
235		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
236		size = HEADER_SIZE64;
237		break;
238#endif
239
240	default:
241		/* Header is wrong, reject message */
242		au_free_rec(s);
243		return (EINVAL);
244	}
245
246	if (length < hdrlen) {
247		au_free_rec(s);
248		return (0);
249	}
250
251	/* advance over header token length field */
252	hadr.adr_now += 4;
253
254	/* validate version */
255	(void) adr_getchar(&hadr, &c);
256	if (c != TOKEN_VERSION) {
257		/* version is wrong, reject message */
258		au_free_rec(s);
259		return (EINVAL);
260	}
261
262	/* backup to header length field (including version field) */
263	hadr.adr_now -= 5;
264
265	/*
266	 * add on the zonename token if policy AUDIT_ZONENAME is set
267	 */
268	if (kctx->auk_policy & AUDIT_ZONENAME) {
269		zlen = au_zonename_length(NULL);
270		if (zlen > 0) {
271			length += zlen;
272			m = au_to_zonename(zlen, NULL);
273			(void) au_append_rec(ad, m, AU_PACK);
274		}
275	}
276	/* Add an (optional) sequence token. NULL offset if none */
277	if (kctx->auk_policy & AUDIT_SEQ) {
278		/* get the sequnce token */
279		m = au_to_seq();
280
281		/* sequence token 5 bytes long */
282		length += 5;
283
284		/* link to audit record (i.e. don't pack the data) */
285		(void) au_append_rec(ad, m, AU_LINK);
286
287		/* advance to count field of token */
288		adr_start(&sadr, memtod(m, char *));
289		sadr.adr_now += 1;
290	} else
291		sadr.adr_now = (char *)NULL;
292
293	/* add the (optional) trailer token */
294	if (kctx->auk_policy & AUDIT_TRAIL) {
295		/* trailer token is 7 bytes long */
296		length += 7;
297
298		/* append to audit record */
299		(void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
300	}
301
302	/* audit record completely assembled. set the length */
303	adr_int32(&hadr, (int32_t *)&length, 1);
304
305	/* advance to date/time field of header */
306	hadr.adr_now += delta;
307
308	/* We are done  put it on the queue */
309	AS_INC(as_generated, 1, kctx);
310	AS_INC(as_audit, 1, kctx);
311
312	au_enqueue(kctx, s, &hadr, &sadr, size, 0);
313
314	AS_INC(as_totalsize, length, kctx);
315
316	return (0);
317}
318
319/*
320 * auditdoor starts a kernel thread to generate output from the audit
321 * queue.  The thread terminates when it detects auditing being turned
322 * off, such as when auditd exits with a SIGTERM.  If a subsequent
323 * auditdoor arrives while the thread is running, the door descriptor
324 * of the last auditdoor in will be used for output.  auditd is responsible
325 * for insuring that multiple copies are not running.
326 */
327
328int
329auditdoor(int fd)
330{
331	struct file	*fp;
332	struct vnode	*vp;
333	int		do_create = 0;
334	au_kcontext_t	*kctx;
335
336	if (secpolicy_audit_config(CRED()) != 0)
337		return (EPERM);
338
339	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
340		return (EINVAL);
341
342	kctx = GET_KCTX_NGZ;
343
344	/*
345	 * convert file pointer to file descriptor
346	 *   Note: fd ref count incremented here.
347	 */
348	if ((fp = (struct file *)getf(fd)) == NULL) {
349		return (EBADF);
350	}
351	vp = fp->f_vnode;
352	if (vp->v_type != VDOOR) {
353		cmn_err(CE_WARN,
354		    "auditdoor() did not get the expected door descriptor\n");
355		releasef(fd);
356		return (EINVAL);
357	}
358	/*
359	 * If the output thread is already running, then replace the
360	 * door descriptor with the new one and continue; otherwise
361	 * create the thread too.  Since au_output_thread makes a call
362	 * to au_doorio() which also does
363	 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
364	 * done after the unlock...
365	 */
366	mutex_enter(&(kctx->auk_svc_lock));
367
368	if (kctx->auk_current_vp != NULL)
369		VN_RELE(kctx->auk_current_vp);
370
371	kctx->auk_current_vp = vp;
372	VN_HOLD(kctx->auk_current_vp);
373	releasef(fd);
374
375	if (!kctx->auk_output_active) {
376		kctx->auk_output_active = 1;
377		do_create = 1;
378	}
379	mutex_exit(&(kctx->auk_svc_lock));
380	if (do_create) {
381		kctx->auk_taskq =
382		    taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
383		(void) taskq_dispatch(kctx->auk_taskq,
384		    (task_func_t *)au_output_thread,
385		    kctx, TQ_SLEEP);
386	}
387	return (0);
388}
389
390static void
391audit_dont_stop(void *kctx)
392{
393
394	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
395	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
396		return;
397
398	mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
399	cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
400	mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
401}
402
403/*
404 * au_queue_kick -- wake up the output queue after delay ticks
405 */
406static void
407au_queue_kick(void *kctx)
408{
409	/*
410	 * wakeup reader if its not running and there is something
411	 * to do.  It also helps that kctx still be valid...
412	 */
413
414	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
415	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
416		return;
417
418	if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
419	    ((au_kcontext_t *)kctx)->auk_queue.rd_block)
420		cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
421
422	/* fire off timeout event to kick audit queue awake */
423	(void) timeout(au_queue_kick, kctx,
424	    ((au_kcontext_t *)kctx)->auk_queue.delay);
425}
426
427/*
428 * output thread
429 *
430 * this runs "forever" where "forever" means until either auk_auditstate
431 * changes from AUC_AUDITING or if the door descriptor becomes invalid.
432 *
433 * there is one thread per active zone if AUC_PERZONE is set.  Since
434 * there is the possibility that a zone may go down without auditd
435 * terminating properly, a zone shutdown kills its au_output_thread()
436 * via taskq_destroy().
437 */
438
439static void
440au_output_thread(au_kcontext_t *kctx)
441{
442	int		error = 0;
443
444	(void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
445
446	/*
447	 * Wait for work, until a signal arrives,
448	 * or until auditing is disabled.
449	 */
450
451	while (!error) {
452		if (kctx->auk_auditstate == AUC_AUDITING) {
453			mutex_enter(&(kctx->auk_queue.lock));
454			while (kctx->auk_queue.head == NULL) {
455				/* safety check. kick writer awake */
456				if (kctx->auk_queue.wt_block) {
457					cv_broadcast(&(kctx->
458					    auk_queue.write_cv));
459				}
460
461				kctx->auk_queue.rd_block = 1;
462				AS_INC(as_rblocked, 1, kctx);
463
464				cv_wait(&(kctx->auk_queue.read_cv),
465				    &(kctx->auk_queue.lock));
466				kctx->auk_queue.rd_block = 0;
467
468				if (kctx->auk_auditstate != AUC_AUDITING) {
469					mutex_exit(&(kctx->auk_queue.lock));
470					(void) timeout(audit_dont_stop, kctx,
471					    au_resid);
472					goto output_exit;
473				}
474				kctx->auk_queue.rd_block = 0;
475			}
476			mutex_exit(&(kctx->auk_queue.lock));
477			/*
478			 * au_doorio() calls au_door_upcall which holds
479			 * auk_svc_lock; au_doorio empties the queue before
480			 * returning.
481			 */
482
483			error = au_doorio(kctx);
484		} else {
485			/* auditing turned off while we slept */
486			break;
487		}
488	}
489output_exit:
490	mutex_enter(&(kctx->auk_svc_lock));
491
492	VN_RELE(kctx->auk_current_vp);
493	kctx->auk_current_vp = NULL;
494
495	kctx->auk_output_active = 0;
496
497	mutex_exit(&(kctx->auk_svc_lock));
498}
499