2 * Copyright (c) 2004 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/types.h>
36 #include <config/config.h>
37 #ifdef HAVE_FULL_QUEUE_H
38 #include <sys/queue.h>
40 #include <compat/queue.h>
43 #include <bsm/audit_internal.h>
44 #include <bsm/libbsm.h>
46 #include <netinet/in.h>
49 #ifdef HAVE_PTHREAD_MUTEX_LOCK
55 /* array of used descriptors */
56 static au_record_t *open_desc_table[MAX_AUDIT_RECORDS];
58 /* The current number of active record descriptors */
59 static int audit_rec_count = 0;
62 * Records that can be recycled are maintained in the list given below. The
63 * maximum number of elements that can be present in this list is bounded by
64 * MAX_AUDIT_RECORDS. Memory allocated for these records is never freed.
66 static LIST_HEAD(, au_record) audit_free_q;
68 #ifdef HAVE_PTHREAD_MUTEX_LOCK
69 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
73 * This call frees a token_t and its internal data.
76 au_free_token(token_t *tok)
87 * This call reserves memory for the audit record. Memory must be guaranteed
88 * before any auditable event can be generated. The au_record_t structure
89 * maintains a reference to the memory allocated above and also the list of
90 * tokens associated with this record. Descriptors are recycled once the
91 * records are added to the audit trail following au_close().
96 au_record_t *rec = NULL;
98 #ifdef HAVE_PTHREAD_MUTEX_LOCK
99 pthread_mutex_lock(&mutex);
102 if (audit_rec_count == 0)
103 LIST_INIT(&audit_free_q);
106 * Find an unused descriptor, remove it from the free list, mark as
109 if (!LIST_EMPTY(&audit_free_q)) {
110 rec = LIST_FIRST(&audit_free_q);
112 LIST_REMOVE(rec, au_rec_q);
115 #ifdef HAVE_PTHREAD_MUTEX_LOCK
116 pthread_mutex_unlock(&mutex);
121 * Create a new au_record_t if no descriptors are available.
123 rec = malloc (sizeof(au_record_t));
127 rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
128 if (rec->data == NULL) {
134 #ifdef HAVE_PTHREAD_MUTEX_LOCK
135 pthread_mutex_lock(&mutex);
138 if (audit_rec_count == MAX_AUDIT_RECORDS) {
139 #ifdef HAVE_PTHREAD_MUTEX_LOCK
140 pthread_mutex_unlock(&mutex);
145 /* XXX We need to increase size of MAX_AUDIT_RECORDS */
149 rec->desc = audit_rec_count;
150 open_desc_table[audit_rec_count] = rec;
153 #ifdef HAVE_PTHREAD_MUTEX_LOCK
154 pthread_mutex_unlock(&mutex);
159 memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
161 TAILQ_INIT(&rec->token_q);
169 * Store the token with the record descriptor.
171 * Don't permit writing more to the buffer than would let the trailer be
175 au_write(int d, token_t *tok)
181 return (-1); /* Invalid Token */
184 /* Write the token to the record descriptor */
185 rec = open_desc_table[d];
186 if ((rec == NULL) || (rec->used == 0)) {
188 return (-1); /* Invalid descriptor */
191 if (rec->len + tok->len + AUDIT_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
196 /* Add the token to the tail */
198 * XXX Not locking here -- we should not be writing to
199 * XXX the same descriptor from different threads
201 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
203 rec->len += tok->len; /* grow record length by token size bytes */
205 /* Token should not be available after this call */
207 return (0); /* Success */
211 * Assemble an audit record out of its tokens, including allocating header and
212 * trailer tokens. Does not free the token chain, which must be done by the
213 * caller if desirable.
215 * XXX: Assumes there is sufficient space for the header and trailer.
218 au_assemble(au_record_t *rec, short event)
220 #ifdef HAVE_AUDIT_SYSCALLS
221 struct in6_addr *aptr;
222 struct auditinfo_addr aia;
225 #endif /* HAVE_AUDIT_SYSCALLS */
226 token_t *header, *tok, *trailer;
231 #ifdef HAVE_AUDIT_SYSCALLS
233 * Grab the size of the address family stored in the kernel's audit
236 aia.ai_termid.at_type = AU_IPv4;
237 aia.ai_termid.at_addr[0] = INADDR_ANY;
238 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
239 if (errno != ENOSYS && errno != EPERM)
241 #endif /* HAVE_AUDIT_SYSCALLS */
242 tot_rec_size = rec->len + AUDIT_HEADER_SIZE +
244 header = au_to_header(tot_rec_size, event, 0);
245 #ifdef HAVE_AUDIT_SYSCALLS
247 if (gettimeofday(&tm, NULL) < 0)
249 switch (aia.ai_termid.at_type) {
251 hdrsize = (aia.ai_termid.at_addr[0] == INADDR_ANY) ?
252 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
255 aptr = (struct in6_addr *)&aia.ai_termid.at_addr[0];
257 (IN6_IS_ADDR_UNSPECIFIED(aptr)) ?
258 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
263 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
265 * A header size greater then AUDIT_HEADER_SIZE means
266 * that we are using an extended header.
268 if (hdrsize > AUDIT_HEADER_SIZE)
269 header = au_to_header32_ex_tm(tot_rec_size, event,
272 header = au_to_header(tot_rec_size, event, 0);
274 #endif /* HAVE_AUDIT_SYSCALLS */
278 trailer = au_to_trailer(tot_rec_size);
279 if (trailer == NULL) {
281 au_free_token(header);
286 TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
287 TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
289 rec->len = tot_rec_size;
292 TAILQ_FOREACH(tok, &rec->token_q, tokens) {
293 memcpy(dptr, tok->t_data, tok->len);
301 * Given a record that is no longer of interest, tear it down and convert to a
305 au_teardown(au_record_t *rec)
309 /* Free the token list */
310 while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
311 TAILQ_REMOVE(&rec->token_q, tok, tokens);
319 #ifdef HAVE_PTHREAD_MUTEX_LOCK
320 pthread_mutex_lock(&mutex);
323 /* Add the record to the freelist tail */
324 LIST_INSERT_HEAD(&audit_free_q, rec, au_rec_q);
326 #ifdef HAVE_PTHREAD_MUTEX_LOCK
327 pthread_mutex_unlock(&mutex);
331 #ifdef HAVE_AUDIT_SYSCALLS
333 * Add the header token, identify any missing tokens. Write out the tokens to
334 * the record memory and finally, call audit.
337 au_close(int d, int keep, short event)
343 rec = open_desc_table[d];
344 if ((rec == NULL) || (rec->used == 0)) {
346 return (-1); /* Invalid descriptor */
349 if (keep == AU_TO_NO_WRITE) {
354 tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
356 if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
358 * XXXRW: Since au_write() is supposed to prevent this, spew
361 fprintf(stderr, "au_close failed");
367 if (au_assemble(rec, event) < 0) {
369 * XXXRW: This is also not supposed to happen, but might if we
370 * are unable to allocate header and trailer memory.
376 /* Call the kernel interface to audit */
377 retval = audit(rec->data, rec->len);
384 #endif /* HAVE_AUDIT_SYSCALLS */
387 * au_close(), except onto an in-memory buffer. Buffer size as an argument,
388 * record size returned via same argument on success.
391 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
397 rec = open_desc_table[d];
398 if ((rec == NULL) || (rec->used == 0)) {
404 tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
405 if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
406 (tot_rec_size > *buflen)) {
408 * XXXRW: See au_close() comment.
410 fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
416 if (au_assemble(rec, event) < 0) {
417 /* XXXRW: See au_close() comment. */
422 memcpy(buffer, rec->data, rec->len);
431 * au_close_token() returns the byte format of a token_t. This won't
432 * generally be used by applications, but is quite useful for writing test
433 * tools. Will free the token on either success or failure.
436 au_close_token(token_t *tok, u_char *buffer, size_t *buflen)
439 if (tok->len > *buflen) {
445 memcpy(buffer, tok->t_data, tok->len);