2 * Copyright (c) 1999-2005 Apple Computer, Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
32 #include <sys/param.h>
33 #include <sys/filedesc.h>
35 #include <sys/mount.h>
37 #include <sys/socket.h>
38 #include <sys/socketvar.h>
39 #include <sys/protosw.h>
40 #include <sys/domain.h>
42 #include <sys/systm.h>
44 #include <sys/vnode.h>
46 #include <netinet/in.h>
47 #include <netinet/in_pcb.h>
49 #include <security/audit/audit.h>
50 #include <security/audit/audit_private.h>
53 * Calls to manipulate elements of the audit record structure from system
54 * call code. Macro wrappers will prevent this functions from being entered
55 * if auditing is disabled, avoiding the function call cost. We check the
56 * thread audit record pointer anyway, as the audit condition could change,
57 * and pre-selection may not have allocated an audit record for this event.
59 * XXXAUDIT: Should we assert, in each case, that this field of the record
60 * hasn't already been filled in?
63 audit_arg_addr(void *addr)
65 struct kaudit_record *ar;
71 ar->k_ar.ar_arg_addr = addr;
72 ARG_SET_VALID(ar, ARG_ADDR);
76 audit_arg_exit(int status, int retval)
78 struct kaudit_record *ar;
84 ar->k_ar.ar_arg_exitstatus = status;
85 ar->k_ar.ar_arg_exitretval = retval;
86 ARG_SET_VALID(ar, ARG_EXIT);
90 audit_arg_len(int len)
92 struct kaudit_record *ar;
98 ar->k_ar.ar_arg_len = len;
99 ARG_SET_VALID(ar, ARG_LEN);
105 struct kaudit_record *ar;
111 ar->k_ar.ar_arg_fd = fd;
112 ARG_SET_VALID(ar, ARG_FD);
116 audit_arg_fflags(int fflags)
118 struct kaudit_record *ar;
124 ar->k_ar.ar_arg_fflags = fflags;
125 ARG_SET_VALID(ar, ARG_FFLAGS);
129 audit_arg_gid(gid_t gid)
131 struct kaudit_record *ar;
137 ar->k_ar.ar_arg_gid = gid;
138 ARG_SET_VALID(ar, ARG_GID);
142 audit_arg_uid(uid_t uid)
144 struct kaudit_record *ar;
150 ar->k_ar.ar_arg_uid = uid;
151 ARG_SET_VALID(ar, ARG_UID);
155 audit_arg_egid(gid_t egid)
157 struct kaudit_record *ar;
163 ar->k_ar.ar_arg_egid = egid;
164 ARG_SET_VALID(ar, ARG_EGID);
168 audit_arg_euid(uid_t euid)
170 struct kaudit_record *ar;
176 ar->k_ar.ar_arg_euid = euid;
177 ARG_SET_VALID(ar, ARG_EUID);
181 audit_arg_rgid(gid_t rgid)
183 struct kaudit_record *ar;
189 ar->k_ar.ar_arg_rgid = rgid;
190 ARG_SET_VALID(ar, ARG_RGID);
194 audit_arg_ruid(uid_t ruid)
196 struct kaudit_record *ar;
202 ar->k_ar.ar_arg_ruid = ruid;
203 ARG_SET_VALID(ar, ARG_RUID);
207 audit_arg_sgid(gid_t sgid)
209 struct kaudit_record *ar;
215 ar->k_ar.ar_arg_sgid = sgid;
216 ARG_SET_VALID(ar, ARG_SGID);
220 audit_arg_suid(uid_t suid)
222 struct kaudit_record *ar;
228 ar->k_ar.ar_arg_suid = suid;
229 ARG_SET_VALID(ar, ARG_SUID);
233 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
236 struct kaudit_record *ar;
242 for (i = 0; i < gidset_size; i++)
243 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
244 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
245 ARG_SET_VALID(ar, ARG_GROUPSET);
249 audit_arg_login(char *login)
251 struct kaudit_record *ar;
257 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
258 ARG_SET_VALID(ar, ARG_LOGIN);
262 audit_arg_ctlname(int *name, int namelen)
264 struct kaudit_record *ar;
270 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
271 ar->k_ar.ar_arg_len = namelen;
272 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
276 audit_arg_mask(int mask)
278 struct kaudit_record *ar;
284 ar->k_ar.ar_arg_mask = mask;
285 ARG_SET_VALID(ar, ARG_MASK);
289 audit_arg_mode(mode_t mode)
291 struct kaudit_record *ar;
297 ar->k_ar.ar_arg_mode = mode;
298 ARG_SET_VALID(ar, ARG_MODE);
302 audit_arg_dev(int dev)
304 struct kaudit_record *ar;
310 ar->k_ar.ar_arg_dev = dev;
311 ARG_SET_VALID(ar, ARG_DEV);
315 audit_arg_value(long value)
317 struct kaudit_record *ar;
323 ar->k_ar.ar_arg_value = value;
324 ARG_SET_VALID(ar, ARG_VALUE);
328 audit_arg_owner(uid_t uid, gid_t gid)
330 struct kaudit_record *ar;
336 ar->k_ar.ar_arg_uid = uid;
337 ar->k_ar.ar_arg_gid = gid;
338 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
342 audit_arg_pid(pid_t pid)
344 struct kaudit_record *ar;
350 ar->k_ar.ar_arg_pid = pid;
351 ARG_SET_VALID(ar, ARG_PID);
355 audit_arg_process(struct proc *p)
357 struct kaudit_record *ar;
359 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
361 PROC_LOCK_ASSERT(p, MA_OWNED);
367 ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
368 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
369 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
370 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
371 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
372 ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
373 ar->k_ar.ar_arg_termid_addr = p->p_au->ai_termid;
374 ar->k_ar.ar_arg_pid = p->p_pid;
375 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
376 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
380 audit_arg_signum(u_int signum)
382 struct kaudit_record *ar;
388 ar->k_ar.ar_arg_signum = signum;
389 ARG_SET_VALID(ar, ARG_SIGNUM);
393 audit_arg_socket(int sodomain, int sotype, int soprotocol)
395 struct kaudit_record *ar;
401 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
402 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
403 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
404 ARG_SET_VALID(ar, ARG_SOCKINFO);
408 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
410 struct kaudit_record *ar;
412 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
413 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
419 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
420 switch (sa->sa_family) {
422 ARG_SET_VALID(ar, ARG_SADDRINET);
426 ARG_SET_VALID(ar, ARG_SADDRINET6);
430 audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
432 ARG_SET_VALID(ar, ARG_SADDRUNIX);
434 /* XXXAUDIT: default:? */
439 audit_arg_auid(uid_t auid)
441 struct kaudit_record *ar;
447 ar->k_ar.ar_arg_auid = auid;
448 ARG_SET_VALID(ar, ARG_AUID);
452 audit_arg_auditinfo(struct auditinfo *au_info)
454 struct kaudit_record *ar;
460 ar->k_ar.ar_arg_auid = au_info->ai_auid;
461 ar->k_ar.ar_arg_asid = au_info->ai_asid;
462 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
463 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
464 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
465 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
466 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
470 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
472 struct kaudit_record *ar;
478 ar->k_ar.ar_arg_auid = au_info->ai_auid;
479 ar->k_ar.ar_arg_asid = au_info->ai_asid;
480 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
481 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
482 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
483 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
484 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
485 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
486 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
487 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
488 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
492 audit_arg_text(char *text)
494 struct kaudit_record *ar;
496 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
502 /* Invalidate the text string */
503 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
505 if (ar->k_ar.ar_arg_text == NULL)
506 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
509 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
510 ARG_SET_VALID(ar, ARG_TEXT);
514 audit_arg_cmd(int cmd)
516 struct kaudit_record *ar;
522 ar->k_ar.ar_arg_cmd = cmd;
523 ARG_SET_VALID(ar, ARG_CMD);
527 audit_arg_svipc_cmd(int cmd)
529 struct kaudit_record *ar;
535 ar->k_ar.ar_arg_svipc_cmd = cmd;
536 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
540 audit_arg_svipc_perm(struct ipc_perm *perm)
542 struct kaudit_record *ar;
548 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
549 sizeof(ar->k_ar.ar_arg_svipc_perm));
550 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
554 audit_arg_svipc_id(int id)
556 struct kaudit_record *ar;
562 ar->k_ar.ar_arg_svipc_id = id;
563 ARG_SET_VALID(ar, ARG_SVIPC_ID);
567 audit_arg_svipc_addr(void * addr)
569 struct kaudit_record *ar;
575 ar->k_ar.ar_arg_svipc_addr = addr;
576 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
580 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
582 struct kaudit_record *ar;
588 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
589 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
590 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
591 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
595 audit_arg_auditon(union auditon_udata *udata)
597 struct kaudit_record *ar;
603 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
604 sizeof(ar->k_ar.ar_arg_auditon));
605 ARG_SET_VALID(ar, ARG_AUDITON);
609 * Audit information about a file, either the file's vnode info, or its
610 * socket address info.
613 audit_arg_file(struct proc *p, struct file *fp)
615 struct kaudit_record *ar;
625 switch (fp->f_type) {
629 * XXXAUDIT: Only possibly to record as first vnode?
632 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
633 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread);
634 audit_arg_vnode(vp, ARG_VNODE1);
635 VOP_UNLOCK(vp, 0, curthread);
636 VFS_UNLOCK_GIANT(vfslocked);
640 so = (struct socket *)fp->f_data;
642 if (INP_CHECK_SOCKAF(so, PF_INET)) {
643 if (so->so_pcb == NULL) {
647 ar->k_ar.ar_arg_sockinfo.so_type =
649 ar->k_ar.ar_arg_sockinfo.so_domain =
651 ar->k_ar.ar_arg_sockinfo.so_protocol =
652 so->so_proto->pr_protocol;
653 pcb = (struct inpcb *)so->so_pcb;
654 ar->k_ar.ar_arg_sockinfo.so_raddr =
655 pcb->inp_faddr.s_addr;
656 ar->k_ar.ar_arg_sockinfo.so_laddr =
657 pcb->inp_laddr.s_addr;
658 ar->k_ar.ar_arg_sockinfo.so_rport =
660 ar->k_ar.ar_arg_sockinfo.so_lport =
662 ARG_SET_VALID(ar, ARG_SOCKINFO);
668 /* XXXAUDIT: else? */
674 * Store a path as given by the user process for auditing into the audit
675 * record stored on the user thread. This function will allocate the memory
676 * to store the path info if not already available. This memory will be freed
677 * when the audit record is freed.
679 * XXXAUDIT: Possibly assert that the memory isn't already allocated?
682 audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
684 struct kaudit_record *ar;
687 KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
688 KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
694 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
695 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
696 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
697 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
699 if (flag == ARG_UPATH1)
700 pathp = &ar->k_ar.ar_arg_upath1;
702 pathp = &ar->k_ar.ar_arg_upath2;
705 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
707 canon_path(td, upath, *pathp);
709 ARG_SET_VALID(ar, flag);
713 * Function to save the path and vnode attr information into the audit
716 * It is assumed that the caller will hold any vnode locks necessary to
717 * perform a VOP_GETATTR() on the passed vnode.
719 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
720 * provides access to the generation number as we need that to construct the
723 * XXX: We should accept the process argument from the caller, since it's
724 * very likely they already have a reference.
726 * XXX: Error handling in this function is poor.
728 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
731 audit_arg_vnode(struct vnode *vp, u_int64_t flags)
733 struct kaudit_record *ar;
736 struct vnode_au_info *vnp;
738 KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
739 KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
740 ("audit_arg_vnode: flags %jd", (intmax_t)flags));
743 * Assume that if the caller is calling audit_arg_vnode() on a
744 * non-MPSAFE vnode, then it will have acquired Giant.
746 VFS_ASSERT_GIANT(vp->v_mount);
747 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
754 * XXXAUDIT: The below clears, and then resets the flags for valid
755 * arguments. Ideally, either the new vnode is used, or the old one
758 if (flags & ARG_VNODE1) {
759 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
760 vnp = &ar->k_ar.ar_arg_vnode1;
762 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
763 vnp = &ar->k_ar.ar_arg_vnode2;
766 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
768 /* XXX: How to handle this case? */
772 vnp->vn_mode = vattr.va_mode;
773 vnp->vn_uid = vattr.va_uid;
774 vnp->vn_gid = vattr.va_gid;
775 vnp->vn_dev = vattr.va_rdev;
776 vnp->vn_fsid = vattr.va_fsid;
777 vnp->vn_fileid = vattr.va_fileid;
778 vnp->vn_gen = vattr.va_gen;
779 if (flags & ARG_VNODE1)
780 ARG_SET_VALID(ar, ARG_VNODE1);
782 ARG_SET_VALID(ar, ARG_VNODE2);
786 * Audit the argument strings passed to exec.
789 audit_arg_argv(char *argv, int argc, int length)
791 struct kaudit_record *ar;
800 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
801 bcopy(argv, ar->k_ar.ar_arg_argv, length);
802 ar->k_ar.ar_arg_argc = argc;
803 ARG_SET_VALID(ar, ARG_ARGV);
807 * Audit the environment strings passed to exec.
810 audit_arg_envv(char *envv, int envc, int length)
812 struct kaudit_record *ar;
821 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
822 bcopy(envv, ar->k_ar.ar_arg_envv, length);
823 ar->k_ar.ar_arg_envc = envc;
824 ARG_SET_VALID(ar, ARG_ENVV);
828 * The close() system call uses it's own audit call to capture the path/vnode
829 * information because those pieces are not easily obtained within the system
833 audit_sysclose(struct thread *td, int fd)
835 struct kaudit_record *ar;
840 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
848 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
852 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
853 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
854 audit_arg_vnode(vp, ARG_VNODE1);
855 VOP_UNLOCK(vp, 0, td);
856 VFS_UNLOCK_GIANT(vfslocked);