xref: /illumos-gate/usr/src/uts/common/c2/audit_start.c (revision 67dbe2be)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the envelope code for system call auditing.
28  */
29 
30 #include <sys/param.h>
31 #include <sys/types.h>
32 #include <sys/time.h>
33 #include <sys/kmem.h>
34 #include <sys/proc.h>
35 #include <sys/vnode.h>
36 #include <sys/file.h>
37 #include <sys/user.h>
38 #include <sys/stropts.h>
39 #include <sys/systm.h>
40 #include <sys/pathname.h>
41 #include <sys/debug.h>
42 #include <sys/cred.h>
43 #include <sys/zone.h>
44 #include <c2/audit.h>
45 #include <c2/audit_kernel.h>
46 #include <c2/audit_kevents.h>
47 #include <c2/audit_record.h>
48 #include "audit_door_infc.h"
49 
50 extern uint_t num_syscall;		/* size of audit_s2e table */
51 extern kmutex_t pidlock;		/* proc table lock */
52 
53 int audit_load = 0;	/* set from /etc/system */
54 
55 struct p_audit_data *pad0;
56 struct t_audit_data *tad0;
57 
58 /*
59  * Das Boot. Initialize first process. Also generate an audit record indicating
60  * that the system has been booted.
61  */
62 void
63 audit_init()
64 {
65 	kthread_t *au_thread;
66 	token_t *rp = NULL;
67 	label_t jb;
68 	struct audit_path apempty;
69 	auditinfo_addr_t *ainfo;
70 
71 	if (audit_load == 0) {
72 		audit_active = 0;
73 		au_auditstate = AUC_DISABLED;
74 		return;
75 #ifdef DEBUG
76 	} else if (audit_load == 2) {
77 		debug_enter((char *)NULL);
78 #endif
79 	}
80 
81 	audit_active = 1;
82 	set_all_proc_sys();		/* set pre- and post-syscall flags */
83 
84 	/* initialize memory allocators */
85 	au_mem_init();
86 
87 	au_zone_setup();
88 
89 	/* inital thread structure */
90 	tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
91 
92 	/* initial process structure */
93 	pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
94 	bzero(&pad0->pad_data, sizeof (pad0->pad_data));
95 
96 	T2A(curthread) = tad0;
97 	P2A(curproc) = pad0;
98 
99 	/*
100 	 * The kernel allocates a bunch of threads make sure they have
101 	 * a valid tad
102 	 */
103 
104 	mutex_enter(&pidlock);
105 
106 	au_thread = curthread;
107 	do {
108 		if (T2A(au_thread) == NULL) {
109 			T2A(au_thread) = tad0;
110 		}
111 		au_thread = au_thread->t_next;
112 	} while (au_thread != curthread);
113 
114 	tad0->tad_ad   = NULL;
115 	mutex_exit(&pidlock);
116 
117 	/*
118 	 * Initialize audit context in our cred (kcred).
119 	 * No copy-on-write needed here because it's so early in init.
120 	 */
121 	ainfo = crgetauinfo_modifiable(kcred);
122 	ASSERT(ainfo != NULL);
123 	bzero(ainfo, sizeof (auditinfo_addr_t));
124 	ainfo->ai_auid = AU_NOAUDITID;
125 
126 	/* fabricate an empty audit_path to extend */
127 	apempty.audp_cnt = 0;
128 	apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
129 	pad0->pad_root = au_pathdup(&apempty, 1, 2);
130 	bcopy("/", pad0->pad_root->audp_sect[0], 2);
131 	au_pathhold(pad0->pad_root);
132 	pad0->pad_cwd = pad0->pad_root;
133 
134 	/*
135 	 * setup environment for asynchronous auditing. We can't use
136 	 * audit_async_start() here since it assumes the audit system
137 	 * has been started via auditd(1m). auditd sets the variable,
138 	 * auk_auditstate, to indicate audit record generation should
139 	 * commence. Here we want to always generate an audit record.
140 	 */
141 	if (setjmp(&jb)) {
142 		/* process audit policy (AUDIT_AHLT) for asynchronous events */
143 		audit_async_drop((caddr_t *)(&rp), 0);
144 		return;
145 	}
146 
147 	ASSERT(tad0->tad_errjmp == NULL);
148 	tad0->tad_errjmp = (void *)&jb;
149 	tad0->tad_ctrl |= PAD_ERRJMP;
150 
151 	/* generate a system-booted audit record */
152 	au_write((caddr_t *)&rp, au_to_text("booting kernel"));
153 
154 	audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL);
155 }
156 
157 void
158 audit_free()
159 {
160 }
161 
162 /*
163  * Check for any pending changes to the audit context for the given proc.
164  * p_crlock and pad_lock for the process are acquired here. Caller is
165  * responsible for assuring the process doesn't go away. If context is
166  * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
167  * If no cred is given, it will be cralloc'ed here and caller assures that
168  * it is safe to allocate memory.
169  */
170 void
171 audit_update_context(proc_t *p, cred_t *ncr)
172 {
173 	struct p_audit_data *pad;
174 	cred_t	*newcred = ncr;
175 
176 	pad = P2A(p);
177 	if (pad == NULL) {
178 		if (newcred != NULL)
179 			crfree(newcred);
180 		return;
181 	}
182 
183 	/* If a mask update is pending, take care of it. */
184 	if (pad->pad_flags & PAD_SETMASK) {
185 		auditinfo_addr_t *ainfo;
186 
187 		if (newcred == NULL)
188 			newcred = cralloc();
189 
190 		mutex_enter(&pad->pad_lock);
191 		/* the condition may have been handled by the time we lock */
192 		if (pad->pad_flags & PAD_SETMASK) {
193 			ainfo = crgetauinfo_modifiable(newcred);
194 			if (ainfo == NULL) {
195 				mutex_enter(&pad->pad_lock);
196 				crfree(newcred);
197 				return;
198 			}
199 
200 			mutex_enter(&p->p_crlock);
201 			crcopy_to(p->p_cred, newcred);
202 			p->p_cred = newcred;
203 
204 			ainfo->ai_mask = pad->pad_newmask;
205 
206 			/* Unlock and cleanup. */
207 			mutex_exit(&p->p_crlock);
208 			pad->pad_flags &= ~PAD_SETMASK;
209 
210 			/*
211 			 * For curproc, assure that our thread points to right
212 			 * cred, so CRED() will be correct. Otherwise, no need
213 			 * to broadcast changes (via set_proc_pre_sys), since
214 			 * t_pre_sys is ALWAYS on when audit is enabled... due
215 			 * to syscall auditing.
216 			 */
217 			if (p == curproc)
218 				crset(p, newcred);
219 			else
220 				crfree(newcred);
221 		} else {
222 			crfree(newcred);
223 		}
224 		mutex_exit(&pad->pad_lock);
225 	} else {
226 		if (newcred != NULL)
227 			crfree(newcred);
228 	}
229 }
230 
231 
232 /*
233  * Enter system call. Do any necessary setup here. allocate resouces, etc.
234  */
235 
236 #include <sys/syscall.h>
237 
238 
239 /*ARGSUSED*/
240 int
241 audit_start(
242 	unsigned type,
243 	unsigned scid,
244 	int error,
245 	klwp_t *lwp)
246 {
247 	struct t_audit_data	*tad;
248 	au_kcontext_t		*kctx;
249 
250 	tad = U2A(u);
251 	ASSERT(tad != NULL);
252 
253 	if (error) {
254 		tad->tad_ctrl = 0;
255 		tad->tad_flag = 0;
256 		return (0);
257 	}
258 
259 	audit_update_context(curproc, NULL);
260 
261 	/*
262 	 * if this is an indirect system call then don't do anything.
263 	 * audit_start will be called again from indir() in trap.c
264 	 */
265 	if (scid == 0) {
266 		tad->tad_ctrl = 0;
267 		tad->tad_flag = 0;
268 		return (0);
269 	}
270 	if (scid >= num_syscall)
271 		scid = 0;
272 
273 	/*
274 	 * we can no longer depend on a valid lwp_ap, so we need to
275 	 * copy the syscall args as future audit stuff may need them.
276 	 */
277 	(void) save_syscall_args();
278 
279 	/*
280 	 * We need to gather paths for certain system calls even if they are
281 	 * not audited so that we can audit the various f* calls and be
282 	 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
283 	 * system call regardless if the call is audited or not.
284 	 * We allow the event specific initial processing routines (au_init)
285 	 * to adjust the tad_ctrl as necessary.
286 	 */
287 	tad->tad_ctrl   = audit_s2e[scid].au_ctrl;
288 	tad->tad_scid   = scid;
289 
290 	/* get basic event for system call */
291 	tad->tad_event = audit_s2e[scid].au_event;
292 	if (audit_s2e[scid].au_init != (au_event_t)AUE_NULL) {
293 		/* get specific event */
294 		tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event);
295 	}
296 
297 	kctx = GET_KCTX_PZ;
298 
299 	/* now do preselection. Audit or not to Audit, that is the question */
300 	if ((tad->tad_flag = auditme(kctx, tad,
301 	    kctx->auk_ets[tad->tad_event])) == 0) {
302 		/*
303 		 * we assume that audit_finish will always be called.
304 		 */
305 		return (0);
306 	}
307 
308 	/*
309 	 * if auditing not enabled, then don't generate an audit record
310 	 * and don't count it.
311 	 */
312 	if ((kctx->auk_auditstate != AUC_AUDITING &&
313 	    kctx->auk_auditstate != AUC_INIT_AUDIT)) {
314 		/*
315 		 * we assume that audit_finish will always be called.
316 		 */
317 		tad->tad_flag = 0;
318 		return (0);
319 	}
320 
321 	/*
322 	 * audit daemon has informed us that there is no longer any
323 	 * space left to hold audit records. We decide here if records
324 	 * should be dropped (but counted).
325 	 */
326 	if (kctx->auk_auditstate == AUC_NOSPACE) {
327 		if ((kctx->auk_policy & AUDIT_CNT) ||
328 		    (kctx->auk_policy & AUDIT_SCNT)) {
329 			/* assume that audit_finish will always be called. */
330 			tad->tad_flag = 0;
331 
332 			/* just count # of dropped audit records */
333 			AS_INC(as_dropped, 1, kctx);
334 
335 			return (0);
336 		}
337 	}
338 
339 	tad->tad_evmod  = 0;
340 
341 	if (audit_s2e[scid].au_start != NULL) {
342 		/* do start of system call processing */
343 		(*audit_s2e[scid].au_start)(tad);
344 	}
345 
346 	return (0);
347 }
348 
349 /*
350  * system call has completed. Now determine if we genearate an audit record
351  * or not.
352  */
353 /*ARGSUSED*/
354 void
355 audit_finish(
356 	unsigned type,
357 	unsigned scid,
358 	int error,
359 	rval_t *rval)
360 {
361 	struct t_audit_data *tad;
362 	int	flag;
363 	au_defer_info_t	*attr;
364 	au_kcontext_t *kctx = GET_KCTX_PZ;
365 
366 	tad = U2A(u);
367 
368 	/*
369 	 * Process all deferred events first.
370 	 */
371 	attr = tad->tad_defer_head;
372 	while (attr != NULL) {
373 		au_defer_info_t	*tmp_attr = attr;
374 
375 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
376 		    attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
377 
378 		attr = attr->audi_next;
379 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
380 	}
381 	tad->tad_defer_head = tad->tad_defer_tail = NULL;
382 
383 	if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
384 		/*
385 		 * clear the ctrl flag so that we don't have spurious
386 		 * collection of audit information.
387 		 */
388 		tad->tad_scid  = 0;
389 		tad->tad_event = 0;
390 		tad->tad_evmod = 0;
391 		tad->tad_ctrl  = 0;
392 		ASSERT(tad->tad_aupath == NULL);
393 		return;
394 	}
395 
396 	scid = tad->tad_scid;
397 
398 	/*
399 	 * Perform any extra processing and determine if we are
400 	 * really going to generate any audit record.
401 	 */
402 	if (audit_s2e[scid].au_finish != NULL) {
403 		/* do any post system call processing */
404 		(*audit_s2e[scid].au_finish)(tad, error, rval);
405 	}
406 	if (tad->tad_flag) {
407 		tad->tad_flag = 0;
408 
409 		if (flag = audit_success(kctx, tad, error, NULL)) {
410 			unsigned int sy_flags;
411 			cred_t *cr = CRED();
412 			const auditinfo_addr_t *ainfo = crgetauinfo(cr);
413 
414 			ASSERT(ainfo != NULL);
415 
416 			/* Add subject information */
417 			AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
418 
419 			if (tad->tad_evmod & PAD_SPRIVUSE) {
420 				au_write(&(u_ad),
421 				    au_to_privset("", &tad->tad_sprivs,
422 				    AUT_UPRIV, 1));
423 			}
424 
425 			if (tad->tad_evmod & PAD_FPRIVUSE) {
426 				au_write(&(u_ad),
427 				    au_to_privset("", &tad->tad_fprivs,
428 				    AUT_UPRIV, 0));
429 			}
430 
431 			/* Add a return token */
432 #ifdef	_SYSCALL32_IMPL
433 			if (lwp_getdatamodel(ttolwp(curthread)) ==
434 			    DATAMODEL_NATIVE) {
435 				sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
436 			} else {
437 				sy_flags =
438 				    sysent32[scid].sy_flags & SE_RVAL_MASK;
439 			}
440 #else	/* _SYSCALL64_IMPL */
441 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
442 #endif   /* _SYSCALL32_IMPL */
443 
444 			if (sy_flags == SE_32RVAL1) {
445 				if (type == 0) {
446 					au_write(&(u_ad),
447 					    au_to_return32(error, 0));
448 				} else {
449 					au_write(&(u_ad), au_to_return32(error,
450 					    rval->r_val1));
451 				}
452 			}
453 			if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
454 				if (type == 0) {
455 					au_write(&(u_ad),
456 					    au_to_return32(error, 0));
457 				} else {
458 					au_write(&(u_ad),
459 					    au_to_return32(error,
460 					    rval->r_val1));
461 #ifdef NOTYET	/* for possible future support */
462 					au_write(&(u_ad), au_to_return32(error,
463 					    rval->r_val2));
464 #endif
465 				}
466 			}
467 			if (sy_flags == SE_64RVAL) {
468 				if (type == 0) {
469 					au_write(&(u_ad),
470 					    au_to_return64(error, 0));
471 				} else {
472 					au_write(&(u_ad), au_to_return64(error,
473 					    rval->r_vals));
474 				}
475 			}
476 
477 			AS_INC(as_generated, 1, kctx);
478 			AS_INC(as_kernel, 1, kctx);
479 		}
480 
481 		/* Close up everything */
482 		au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
483 	}
484 
485 	ASSERT(u_ad == NULL);
486 
487 	/* free up any space remaining with the path's */
488 	if (tad->tad_aupath != NULL) {
489 		au_pathrele(tad->tad_aupath);
490 		tad->tad_aupath = NULL;
491 		tad->tad_vn = NULL;
492 	}
493 
494 	/* free up any space remaining with openat path's */
495 	if (tad->tad_atpath) {
496 		au_pathrele(tad->tad_atpath);
497 		tad->tad_atpath = NULL;
498 	}
499 
500 	/*
501 	 * clear the ctrl flag so that we don't have spurious collection of
502 	 * audit information.
503 	 */
504 	tad->tad_scid  = 0;
505 	tad->tad_event = 0;
506 	tad->tad_evmod = 0;
507 	tad->tad_ctrl  = 0;
508 }
509 
510 int
511 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
512     cred_t *cr)
513 {
514 	au_state_t ess;
515 	au_state_t esf;
516 	au_mask_t amask;
517 	const auditinfo_addr_t *ainfo;
518 
519 	ess = esf = kctx->auk_ets[tad->tad_event];
520 
521 	if (error)
522 		tad->tad_evmod |= PAD_FAILURE;
523 
524 	/* see if we really want to generate an audit record */
525 	if (tad->tad_ctrl & PAD_NOAUDIT)
526 		return (0);
527 
528 	/*
529 	 * nfs operation and we're auditing privilege or MAC. This
530 	 * is so we have a client audit record to match a nfs server
531 	 * audit record.
532 	 */
533 	if (tad->tad_ctrl & PAD_AUDITME)
534 		return (AU_OK);
535 
536 	/*
537 	 * Used passed cred if available, otherwise use cred from kernel thread
538 	 */
539 	if (cr == NULL)
540 		cr = CRED();
541 	ainfo = crgetauinfo(cr);
542 	if (ainfo == NULL)
543 		return (0);
544 	amask = ainfo->ai_mask;
545 
546 	if (error == 0)
547 		return ((ess & amask.as_success) ? AU_OK : 0);
548 	else
549 		return ((esf & amask.as_failure) ? AU_OK : 0);
550 }
551 
552 /*
553  * determine if we've preselected this event (system call).
554  */
555 int
556 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
557 {
558 	int flag = 0;
559 	au_mask_t amask;
560 	const auditinfo_addr_t *ainfo;
561 
562 	ainfo = crgetauinfo(CRED());
563 	if (ainfo == NULL)
564 		return (0);
565 	amask = ainfo->ai_mask;
566 
567 		/* preselected system call */
568 
569 	if (amask.as_success & estate || amask.as_failure & estate) {
570 		flag = 1;
571 	} else if ((tad->tad_scid == SYS_putmsg) ||
572 	    (tad->tad_scid == SYS_getmsg)) {
573 		estate = kctx->auk_ets[AUE_SOCKCONNECT]	|
574 		    kctx->auk_ets[AUE_SOCKACCEPT]	|
575 		    kctx->auk_ets[AUE_SOCKSEND]		|
576 		    kctx->auk_ets[AUE_SOCKRECEIVE];
577 		if (amask.as_success & estate || amask.as_failure & estate)
578 			flag = 1;
579 	}
580 
581 	return (flag);
582 }
583