1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 /*
27 * This file contains the envelope code for system call auditing.
28 */
29
30 #include <sys/param.h>
31 #include <sys/types.h>
32 #include <sys/time.h>
33 #include <sys/kmem.h>
34 #include <sys/proc.h>
35 #include <sys/vnode.h>
36 #include <sys/file.h>
37 #include <sys/user.h>
38 #include <sys/stropts.h>
39 #include <sys/systm.h>
40 #include <sys/pathname.h>
41 #include <sys/debug.h>
42 #include <sys/cred.h>
43 #include <sys/zone.h>
44 #include <c2/audit.h>
45 #include <c2/audit_kernel.h>
46 #include <c2/audit_kevents.h>
47 #include <c2/audit_record.h>
48 #include "audit_door_infc.h"
49
50 extern uint_t num_syscall; /* size of audit_s2e table */
51 extern kmutex_t pidlock; /* proc table lock */
52
53 /*
54 * Obsolete and ignored - Historically, the 'set c2audit:audit_load=1' entry
55 * in /etc/system enabled auditing. The No Reboot Audit project does not
56 * use this entry. However, to prevent the system from printing warning
57 * messages, the audit_load entry is being left in /etc/system. It will be
58 * removed when there is a small chance that the entry is used on currently
59 * running systems.
60 */
61 int audit_load = 0;
62
63 kmutex_t module_lock; /* audit_module_state lock */
64
65 /*
66 * Das Boot. Initialize first process. Also generate an audit record indicating
67 * that the system has been booted.
68 */
69 void
70 audit_init_module()
71 {
72 token_t *rp = NULL;
73 label_t jb;
74 t_audit_data_t *tad = U2A(u);
75
76 /*
77 * Solaris Auditing module is being loaded -> change the state. The lock
78 * is here to prevent memory leaks caused by multiple initializations.
79 */
80 mutex_enter(&module_lock);
81 if (audit_active != C2AUDIT_UNLOADED) {
82 mutex_exit(&module_lock);
83 return;
84 }
85 audit_active = C2AUDIT_LOADED;
86 mutex_exit(&module_lock);
87
88 /* initialize memory allocators */
89 au_mem_init();
90
91 /*
92 * setup environment for asynchronous auditing. We can't use
93 * audit_async_start() here since it assumes the audit system
94 * has been started via auditd(1m). auditd sets the variable,
95 * auk_auditstate, to indicate audit record generation should
96 * commence. Here we want to always generate an audit record.
97 */
98 if (setjmp(&jb)) {
99 /* process audit policy (AUDIT_AHLT) for asynchronous events */
100 audit_async_drop((caddr_t *)(&rp), 0);
101 return;
102 }
103
104 ASSERT(tad->tad_errjmp == NULL);
105 tad->tad_errjmp = (void *)&jb;
106 tad->tad_ctrl |= TAD_ERRJMP;
107
108 /* generate a system-booted audit record */
109 au_write((caddr_t *)&rp, au_to_text("booting kernel"));
110 audit_async_finish((caddr_t *)&rp, AUE_SYSTEMBOOT, NULL,
111 &(p0.p_user.u_start));
112 }
113
114
115 /*
116 * Enter system call. Do any necessary setup here. allocate resouces, etc.
117 */
118
119 #include <sys/syscall.h>
120
121
122 /*ARGSUSED*/
123 int
124 audit_start(
125 unsigned type,
126 unsigned scid,
127 uint32_t audit_state,
128 int error,
129 klwp_t *lwp)
130 {
131 struct t_audit_data *tad;
132 au_kcontext_t *kctx;
133
134 tad = U2A(u);
135 ASSERT(tad != NULL);
136
137 /* Remember the audit state in the cache */
138 tad->tad_audit = audit_state;
139
140 if (error) {
141 tad->tad_ctrl = 0;
142 tad->tad_flag = 0;
143 return (0);
144 }
145
146 audit_update_context(curproc, NULL);
147
148 /*
149 * if this is an indirect system call then don't do anything.
150 * audit_start will be called again from indir() in trap.c
151 */
152 if (scid == 0) {
153 tad->tad_ctrl = 0;
154 tad->tad_flag = 0;
155 return (0);
156 }
157 if (scid >= num_syscall)
158 scid = 0;
159
160 /*
161 * we can no longer depend on a valid lwp_ap, so we need to
162 * copy the syscall args as future audit stuff may need them.
163 */
164 (void) save_syscall_args();
165
166 /*
167 * We need to gather paths for certain system calls even if they are
168 * not audited so that we can audit the various f* calls and be
169 * sure to have a CWD and CAR. Thus we thus set tad_ctrl over the
170 * system call regardless if the call is audited or not.
171 * We allow the event specific initial processing routines (au_init)
172 * to adjust the tad_ctrl as necessary.
173 */
174 tad->tad_ctrl = audit_s2e[scid].au_ctrl;
175 tad->tad_scid = scid;
176
177 /* get basic event for system call */
178 tad->tad_event = audit_s2e[scid].au_event;
179 if (audit_s2e[scid].au_init != (au_event_t)AUE_NULL) {
180 /* get specific event */
181 tad->tad_event = (*audit_s2e[scid].au_init)(tad->tad_event);
182 }
183
184 kctx = GET_KCTX_PZ;
185
186 /* now do preselection. Audit or not to Audit, that is the question */
187 if ((tad->tad_flag = auditme(kctx, tad,
188 kctx->auk_ets[tad->tad_event])) == 0) {
189 /*
190 * we assume that audit_finish will always be called.
191 */
192 return (0);
193 }
194
195 /*
196 * if auditing not enabled, then don't generate an audit record
197 * and don't count it.
198 */
199 if (audit_state & ~(AUC_AUDITING | AUC_INIT_AUDIT)) {
200 /*
201 * we assume that audit_finish will always be called.
202 */
203 tad->tad_flag = 0;
204 return (0);
205 }
206
207 /*
208 * audit daemon has informed us that there is no longer any
209 * space left to hold audit records. We decide here if records
210 * should be dropped (but counted).
211 */
212 if (audit_state == AUC_NOSPACE) {
213 if ((kctx->auk_policy & AUDIT_CNT) ||
214 (kctx->auk_policy & AUDIT_SCNT)) {
215 /* assume that audit_finish will always be called. */
216 tad->tad_flag = 0;
217
218 /* just count # of dropped audit records */
219 AS_INC(as_dropped, 1, kctx);
220
221 return (0);
222 }
223 }
224
225 tad->tad_evmod = 0;
226
227 if (audit_s2e[scid].au_start != NULL) {
228 /* do start of system call processing */
229 (*audit_s2e[scid].au_start)(tad);
230 }
231
232 return (0);
233 }
234
235 /*
236 * system call has completed. Now determine if we genearate an audit record
237 * or not.
238 */
239 /*ARGSUSED*/
240 void
241 audit_finish(
242 unsigned type,
243 unsigned scid,
244 int error,
245 rval_t *rval)
246 {
247 struct t_audit_data *tad;
248 int flag;
249 au_defer_info_t *attr;
250 au_kcontext_t *kctx = GET_KCTX_PZ;
251
252 tad = U2A(u);
253
254 /*
255 * Process all deferred events first.
256 */
257 attr = tad->tad_defer_head;
258 while (attr != NULL) {
259 au_defer_info_t *tmp_attr = attr;
260
261 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
262 attr->audi_e_type, attr->audi_e_mod, &(attr->audi_atime));
263
264 attr = attr->audi_next;
265 kmem_free(tmp_attr, sizeof (au_defer_info_t));
266 }
267 tad->tad_defer_head = tad->tad_defer_tail = NULL;
268
269 if (tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) {
270 /*
271 * clear the ctrl flag so that we don't have spurious
272 * collection of audit information.
273 */
274 tad->tad_scid = 0;
275 tad->tad_event = 0;
276 tad->tad_evmod = 0;
277 tad->tad_ctrl = 0;
278 tad->tad_audit = AUC_UNSET;
279 ASSERT(tad->tad_aupath == NULL);
280 return;
281 }
282
283 scid = tad->tad_scid;
284
285 /*
286 * Perform any extra processing and determine if we are
287 * really going to generate any audit record.
288 */
289 if (audit_s2e[scid].au_finish != NULL) {
290 /* do any post system call processing */
291 (*audit_s2e[scid].au_finish)(tad, error, rval);
292 }
293 if (tad->tad_flag) {
294 tad->tad_flag = 0;
295
296 if (flag = audit_success(kctx, tad, error, NULL)) {
297 unsigned int sy_flags;
298 cred_t *cr = CRED();
299 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
300
301 ASSERT(ainfo != NULL);
302
303 /* Add subject information */
304 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
305
306 if (tad->tad_evmod & PAD_SPRIVUSE) {
307 au_write(&(u_ad),
308 au_to_privset("", &tad->tad_sprivs,
309 AUT_UPRIV, 1));
310 }
311
312 if (tad->tad_evmod & PAD_FPRIVUSE) {
313 au_write(&(u_ad),
314 au_to_privset("", &tad->tad_fprivs,
315 AUT_UPRIV, 0));
316 }
317
318 /* Add a return token */
319 #ifdef _SYSCALL32_IMPL
320 if (lwp_getdatamodel(ttolwp(curthread)) ==
321 DATAMODEL_NATIVE) {
322 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
323 } else {
324 sy_flags =
325 sysent32[scid].sy_flags & SE_RVAL_MASK;
326 }
327 #else /* _SYSCALL64_IMPL */
328 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
329 #endif /* _SYSCALL32_IMPL */
330
331 if (sy_flags == SE_32RVAL1) {
332 if (type == 0) {
333 au_write(&(u_ad),
334 au_to_return32(error, 0));
335 } else {
336 au_write(&(u_ad), au_to_return32(error,
337 rval->r_val1));
338 }
339 }
340 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) {
341 if (type == 0) {
342 au_write(&(u_ad),
343 au_to_return32(error, 0));
344 } else {
345 au_write(&(u_ad),
346 au_to_return32(error,
347 rval->r_val1));
348 #ifdef NOTYET /* for possible future support */
349 au_write(&(u_ad), au_to_return32(error,
350 rval->r_val2));
351 #endif
352 }
353 }
354 if (sy_flags == SE_64RVAL) {
355 if (type == 0) {
356 au_write(&(u_ad),
357 au_to_return64(error, 0));
358 } else {
359 au_write(&(u_ad), au_to_return64(error,
360 rval->r_vals));
361 }
362 }
363
364 AS_INC(as_generated, 1, kctx);
365 AS_INC(as_kernel, 1, kctx);
366 }
367
368 /* Close up everything */
369 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod,
370 NULL);
371 }
372
373 ASSERT(u_ad == NULL);
374
375 /* free up any space remaining with the path's */
376 if (tad->tad_aupath != NULL) {
377 au_pathrele(tad->tad_aupath);
378 tad->tad_aupath = NULL;
379 }
380
381 /* free up any space remaining with openat path's */
382 if (tad->tad_atpath) {
383 au_pathrele(tad->tad_atpath);
384 tad->tad_atpath = NULL;
385 }
386
387 /*
388 * clear the ctrl flag so that we don't have spurious collection of
389 * audit information.
390 */
391 tad->tad_scid = 0;
392 tad->tad_event = 0;
393 tad->tad_evmod = 0;
394 tad->tad_ctrl = 0;
395 tad->tad_audit = AUC_UNSET;
396 }
397
398 int
399 audit_success(au_kcontext_t *kctx, struct t_audit_data *tad, int error,
400 cred_t *cr)
401 {
402 au_state_t ess;
403 au_state_t esf;
404 au_mask_t amask;
405 const auditinfo_addr_t *ainfo;
406
407 ess = esf = kctx->auk_ets[tad->tad_event];
408
409 if (error)
410 tad->tad_evmod |= PAD_FAILURE;
411
412 /* see if we really want to generate an audit record */
413 if (tad->tad_ctrl & TAD_NOAUDIT)
414 return (0);
415
416 /*
417 * Used passed cred if available, otherwise use cred from kernel thread
418 */
419 if (cr == NULL)
420 cr = CRED();
421 ainfo = crgetauinfo(cr);
422 if (ainfo == NULL)
423 return (0);
424 amask = ainfo->ai_mask;
425
426 if (error == 0)
427 return ((ess & amask.as_success) ? AU_OK : 0);
428 else
429 return ((esf & amask.as_failure) ? AU_OK : 0);
430 }
431
432 /*
433 * determine if we've preselected this event (system call).
434 */
435 int
436 auditme(au_kcontext_t *kctx, struct t_audit_data *tad, au_state_t estate)
437 {
438 int flag = 0;
439 au_mask_t amask;
440 const auditinfo_addr_t *ainfo;
441
442 ainfo = crgetauinfo(CRED());
443 if (ainfo == NULL)
444 return (0);
445 amask = ainfo->ai_mask;
446
447 /* preselected system call */
448
449 if (amask.as_success & estate || amask.as_failure & estate) {
450 flag = 1;
451 } else if ((tad->tad_scid == SYS_putmsg) ||
452 (tad->tad_scid == SYS_getmsg)) {
453 estate = kctx->auk_ets[AUE_SOCKCONNECT] |
454 kctx->auk_ets[AUE_SOCKACCEPT] |
455 kctx->auk_ets[AUE_SOCKSEND] |
456 kctx->auk_ets[AUE_SOCKRECEIVE];
457 if (amask.as_success & estate || amask.as_failure & estate)
458 flag = 1;
459 } else if (tad->tad_scid == SYS_execve &&
460 getpflags(PRIV_PFEXEC, CRED()) != 0) {
461 estate = kctx->auk_ets[AUE_PFEXEC];
462 if (amask.as_success & estate || amask.as_failure & estate)
463 flag = 1;
464 }
465
466 return (flag);
467 }
468
469 /*
470 * determine if we've preselected this event (non-syscall).
471 */
472
473 int
474 auditev(au_event_t event, cred_t *cr)
475 {
476 au_mask_t amask;
477 const auditinfo_addr_t *ainfo;
478 au_state_t estate;
479 au_kcontext_t *kctx = GET_KCTX_PZ;
480
481 ASSERT3U(event, <=, MAX_KEVENTS);
482
483 estate = kctx->auk_ets[event];
484 ainfo = crgetauinfo(cr);
485 if (ainfo == NULL)
486 return (0);
487 amask = ainfo->ai_mask;
488
489 if ((amask.as_success & estate) != 0 ||
490 (amask.as_failure & estate) != 0)
491 return (AU_OK);
492
493 return (0);
494 }