2 * Copyright (c) 1999-2005 Apple Inc.
3 * Copyright (c) 2016-2017 Robert N. M. Watson
6 * Portions of this software were developed by BAE Systems, the University of
7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9 * Computing (TC) research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/filedesc.h>
41 #include <sys/capsicum.h>
43 #include <sys/mount.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/protosw.h>
48 #include <sys/domain.h>
50 #include <sys/systm.h>
52 #include <sys/vnode.h>
54 #include <netinet/in.h>
55 #include <netinet/in_pcb.h>
57 #include <security/audit/audit.h>
58 #include <security/audit/audit_private.h>
61 * Calls to manipulate elements of the audit record structure from system
62 * call code. Macro wrappers will prevent this functions from being entered
63 * if auditing is disabled, avoiding the function call cost. We check the
64 * thread audit record pointer anyway, as the audit condition could change,
65 * and pre-selection may not have allocated an audit record for this event.
67 * XXXAUDIT: Should we assert, in each case, that this field of the record
68 * hasn't already been filled in?
71 audit_arg_addr(void *addr)
73 struct kaudit_record *ar;
79 ar->k_ar.ar_arg_addr = addr;
80 ARG_SET_VALID(ar, ARG_ADDR);
84 audit_arg_exit(int status, int retval)
86 struct kaudit_record *ar;
92 ar->k_ar.ar_arg_exitstatus = status;
93 ar->k_ar.ar_arg_exitretval = retval;
94 ARG_SET_VALID(ar, ARG_EXIT);
98 audit_arg_len(int len)
100 struct kaudit_record *ar;
106 ar->k_ar.ar_arg_len = len;
107 ARG_SET_VALID(ar, ARG_LEN);
111 audit_arg_atfd1(int atfd)
113 struct kaudit_record *ar;
119 ar->k_ar.ar_arg_atfd1 = atfd;
120 ARG_SET_VALID(ar, ARG_ATFD1);
124 audit_arg_atfd2(int atfd)
126 struct kaudit_record *ar;
132 ar->k_ar.ar_arg_atfd2 = atfd;
133 ARG_SET_VALID(ar, ARG_ATFD2);
139 struct kaudit_record *ar;
145 ar->k_ar.ar_arg_fd = fd;
146 ARG_SET_VALID(ar, ARG_FD);
150 audit_arg_fflags(int fflags)
152 struct kaudit_record *ar;
158 ar->k_ar.ar_arg_fflags = fflags;
159 ARG_SET_VALID(ar, ARG_FFLAGS);
163 audit_arg_gid(gid_t gid)
165 struct kaudit_record *ar;
171 ar->k_ar.ar_arg_gid = gid;
172 ARG_SET_VALID(ar, ARG_GID);
176 audit_arg_uid(uid_t uid)
178 struct kaudit_record *ar;
184 ar->k_ar.ar_arg_uid = uid;
185 ARG_SET_VALID(ar, ARG_UID);
189 audit_arg_egid(gid_t egid)
191 struct kaudit_record *ar;
197 ar->k_ar.ar_arg_egid = egid;
198 ARG_SET_VALID(ar, ARG_EGID);
202 audit_arg_euid(uid_t euid)
204 struct kaudit_record *ar;
210 ar->k_ar.ar_arg_euid = euid;
211 ARG_SET_VALID(ar, ARG_EUID);
215 audit_arg_rgid(gid_t rgid)
217 struct kaudit_record *ar;
223 ar->k_ar.ar_arg_rgid = rgid;
224 ARG_SET_VALID(ar, ARG_RGID);
228 audit_arg_ruid(uid_t ruid)
230 struct kaudit_record *ar;
236 ar->k_ar.ar_arg_ruid = ruid;
237 ARG_SET_VALID(ar, ARG_RUID);
241 audit_arg_sgid(gid_t sgid)
243 struct kaudit_record *ar;
249 ar->k_ar.ar_arg_sgid = sgid;
250 ARG_SET_VALID(ar, ARG_SGID);
254 audit_arg_suid(uid_t suid)
256 struct kaudit_record *ar;
262 ar->k_ar.ar_arg_suid = suid;
263 ARG_SET_VALID(ar, ARG_SUID);
267 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
270 struct kaudit_record *ar;
272 KASSERT(gidset_size <= ngroups_max + 1,
273 ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));
279 if (ar->k_ar.ar_arg_groups.gidset == NULL)
280 ar->k_ar.ar_arg_groups.gidset = malloc(
281 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK);
283 for (i = 0; i < gidset_size; i++)
284 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
285 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
286 ARG_SET_VALID(ar, ARG_GROUPSET);
290 audit_arg_login(char *login)
292 struct kaudit_record *ar;
298 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
299 ARG_SET_VALID(ar, ARG_LOGIN);
303 audit_arg_ctlname(int *name, int namelen)
305 struct kaudit_record *ar;
311 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
312 ar->k_ar.ar_arg_len = namelen;
313 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
317 audit_arg_mask(int mask)
319 struct kaudit_record *ar;
325 ar->k_ar.ar_arg_mask = mask;
326 ARG_SET_VALID(ar, ARG_MASK);
330 audit_arg_mode(mode_t mode)
332 struct kaudit_record *ar;
338 ar->k_ar.ar_arg_mode = mode;
339 ARG_SET_VALID(ar, ARG_MODE);
343 audit_arg_dev(int dev)
345 struct kaudit_record *ar;
351 ar->k_ar.ar_arg_dev = dev;
352 ARG_SET_VALID(ar, ARG_DEV);
356 audit_arg_value(long value)
358 struct kaudit_record *ar;
364 ar->k_ar.ar_arg_value = value;
365 ARG_SET_VALID(ar, ARG_VALUE);
369 audit_arg_owner(uid_t uid, gid_t gid)
371 struct kaudit_record *ar;
377 ar->k_ar.ar_arg_uid = uid;
378 ar->k_ar.ar_arg_gid = gid;
379 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
383 audit_arg_pid(pid_t pid)
385 struct kaudit_record *ar;
391 ar->k_ar.ar_arg_pid = pid;
392 ARG_SET_VALID(ar, ARG_PID);
396 audit_arg_process(struct proc *p)
398 struct kaudit_record *ar;
401 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
403 PROC_LOCK_ASSERT(p, MA_OWNED);
410 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
411 ar->k_ar.ar_arg_euid = cred->cr_uid;
412 ar->k_ar.ar_arg_egid = cred->cr_groups[0];
413 ar->k_ar.ar_arg_ruid = cred->cr_ruid;
414 ar->k_ar.ar_arg_rgid = cred->cr_rgid;
415 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
416 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
417 ar->k_ar.ar_arg_pid = p->p_pid;
418 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
419 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
423 audit_arg_signum(u_int signum)
425 struct kaudit_record *ar;
431 ar->k_ar.ar_arg_signum = signum;
432 ARG_SET_VALID(ar, ARG_SIGNUM);
436 audit_arg_socket(int sodomain, int sotype, int soprotocol)
438 struct kaudit_record *ar;
444 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
445 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
446 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
447 ARG_SET_VALID(ar, ARG_SOCKINFO);
451 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa)
453 struct kaudit_record *ar;
455 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
456 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
462 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
463 switch (sa->sa_family) {
465 ARG_SET_VALID(ar, ARG_SADDRINET);
469 ARG_SET_VALID(ar, ARG_SADDRINET6);
473 if (dirfd != AT_FDCWD)
474 audit_arg_atfd1(dirfd);
475 audit_arg_upath1(td, dirfd,
476 ((struct sockaddr_un *)sa)->sun_path);
477 ARG_SET_VALID(ar, ARG_SADDRUNIX);
479 /* XXXAUDIT: default:? */
484 audit_arg_auid(uid_t auid)
486 struct kaudit_record *ar;
492 ar->k_ar.ar_arg_auid = auid;
493 ARG_SET_VALID(ar, ARG_AUID);
497 audit_arg_auditinfo(struct auditinfo *au_info)
499 struct kaudit_record *ar;
505 ar->k_ar.ar_arg_auid = au_info->ai_auid;
506 ar->k_ar.ar_arg_asid = au_info->ai_asid;
507 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
508 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
509 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
510 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
511 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
515 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
517 struct kaudit_record *ar;
523 ar->k_ar.ar_arg_auid = au_info->ai_auid;
524 ar->k_ar.ar_arg_asid = au_info->ai_asid;
525 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
526 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
527 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
528 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
529 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
530 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
531 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
532 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
533 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
537 audit_arg_text(char *text)
539 struct kaudit_record *ar;
541 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
547 /* Invalidate the text string */
548 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
550 if (ar->k_ar.ar_arg_text == NULL)
551 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
554 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
555 ARG_SET_VALID(ar, ARG_TEXT);
559 audit_arg_cmd(int cmd)
561 struct kaudit_record *ar;
567 ar->k_ar.ar_arg_cmd = cmd;
568 ARG_SET_VALID(ar, ARG_CMD);
572 audit_arg_svipc_cmd(int cmd)
574 struct kaudit_record *ar;
580 ar->k_ar.ar_arg_svipc_cmd = cmd;
581 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
585 audit_arg_svipc_perm(struct ipc_perm *perm)
587 struct kaudit_record *ar;
593 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
594 sizeof(ar->k_ar.ar_arg_svipc_perm));
595 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
599 audit_arg_svipc_id(int id)
601 struct kaudit_record *ar;
607 ar->k_ar.ar_arg_svipc_id = id;
608 ARG_SET_VALID(ar, ARG_SVIPC_ID);
612 audit_arg_svipc_addr(void * addr)
614 struct kaudit_record *ar;
620 ar->k_ar.ar_arg_svipc_addr = addr;
621 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
625 audit_arg_svipc_which(int which)
627 struct kaudit_record *ar;
633 ar->k_ar.ar_arg_svipc_which = which;
634 ARG_SET_VALID(ar, ARG_SVIPC_WHICH);
638 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
640 struct kaudit_record *ar;
646 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
647 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
648 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
649 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
653 audit_arg_auditon(union auditon_udata *udata)
655 struct kaudit_record *ar;
661 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
662 sizeof(ar->k_ar.ar_arg_auditon));
663 ARG_SET_VALID(ar, ARG_AUDITON);
667 * Audit information about a file, either the file's vnode info, or its
668 * socket address info.
671 audit_arg_file(struct proc *p, struct file *fp)
673 struct kaudit_record *ar;
682 switch (fp->f_type) {
686 * XXXAUDIT: Only possibly to record as first vnode?
689 vn_lock(vp, LK_SHARED | LK_RETRY);
690 audit_arg_vnode1(vp);
695 so = (struct socket *)fp->f_data;
696 if (INP_CHECK_SOCKAF(so, PF_INET)) {
698 ar->k_ar.ar_arg_sockinfo.so_type =
700 ar->k_ar.ar_arg_sockinfo.so_domain =
702 ar->k_ar.ar_arg_sockinfo.so_protocol =
703 so->so_proto->pr_protocol;
705 pcb = (struct inpcb *)so->so_pcb;
707 ar->k_ar.ar_arg_sockinfo.so_raddr =
708 pcb->inp_faddr.s_addr;
709 ar->k_ar.ar_arg_sockinfo.so_laddr =
710 pcb->inp_laddr.s_addr;
711 ar->k_ar.ar_arg_sockinfo.so_rport =
713 ar->k_ar.ar_arg_sockinfo.so_lport =
716 ARG_SET_VALID(ar, ARG_SOCKINFO);
721 /* XXXAUDIT: else? */
727 * Store a path as given by the user process for auditing into the audit
728 * record stored on the user thread. This function will allocate the memory
729 * to store the path info if not already available. This memory will be
730 * freed when the audit record is freed. The path is canonlicalised with
731 * respect to the thread and directory descriptor passed.
734 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp)
738 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
739 audit_canon_path(td, dirfd, upath, *pathp);
743 audit_arg_upath1(struct thread *td, int dirfd, char *upath)
745 struct kaudit_record *ar;
751 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1);
752 ARG_SET_VALID(ar, ARG_UPATH1);
756 audit_arg_upath2(struct thread *td, int dirfd, char *upath)
758 struct kaudit_record *ar;
764 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2);
765 ARG_SET_VALID(ar, ARG_UPATH2);
769 * Variants on path auditing that do not canonicalise the path passed in;
770 * these are for use with filesystem-like subsystems that employ string names,
771 * but do not support a hierarchical namespace -- for example, POSIX IPC
772 * objects. The subsystem should have performed any necessary
773 * canonicalisation required to make the paths useful to audit analysis.
776 audit_arg_upath_canon(char *upath, char **pathp)
780 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
781 (void)snprintf(*pathp, MAXPATHLEN, "%s", upath);
785 audit_arg_upath1_canon(char *upath)
787 struct kaudit_record *ar;
793 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1);
794 ARG_SET_VALID(ar, ARG_UPATH1);
798 audit_arg_upath2_canon(char *upath)
800 struct kaudit_record *ar;
806 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2);
807 ARG_SET_VALID(ar, ARG_UPATH2);
811 * Function to save the path and vnode attr information into the audit
814 * It is assumed that the caller will hold any vnode locks necessary to
815 * perform a VOP_GETATTR() on the passed vnode.
817 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
818 * provides access to the generation number as we need that to construct the
821 * XXX: We should accept the process argument from the caller, since it's
822 * very likely they already have a reference.
824 * XXX: Error handling in this function is poor.
826 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
829 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp)
834 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
836 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred);
838 /* XXX: How to handle this case? */
842 vnp->vn_mode = vattr.va_mode;
843 vnp->vn_uid = vattr.va_uid;
844 vnp->vn_gid = vattr.va_gid;
845 vnp->vn_dev = vattr.va_rdev;
846 vnp->vn_fsid = vattr.va_fsid;
847 vnp->vn_fileid = vattr.va_fileid;
848 vnp->vn_gen = vattr.va_gen;
853 audit_arg_vnode1(struct vnode *vp)
855 struct kaudit_record *ar;
862 ARG_CLEAR_VALID(ar, ARG_VNODE1);
863 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1);
865 ARG_SET_VALID(ar, ARG_VNODE1);
869 audit_arg_vnode2(struct vnode *vp)
871 struct kaudit_record *ar;
878 ARG_CLEAR_VALID(ar, ARG_VNODE2);
879 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2);
881 ARG_SET_VALID(ar, ARG_VNODE2);
885 * Audit the argument strings passed to exec.
888 audit_arg_argv(char *argv, int argc, int length)
890 struct kaudit_record *ar;
899 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
900 bcopy(argv, ar->k_ar.ar_arg_argv, length);
901 ar->k_ar.ar_arg_argc = argc;
902 ARG_SET_VALID(ar, ARG_ARGV);
906 * Audit the environment strings passed to exec.
909 audit_arg_envv(char *envv, int envc, int length)
911 struct kaudit_record *ar;
920 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
921 bcopy(envv, ar->k_ar.ar_arg_envv, length);
922 ar->k_ar.ar_arg_envc = envc;
923 ARG_SET_VALID(ar, ARG_ENVV);
927 audit_arg_rights(cap_rights_t *rightsp)
929 struct kaudit_record *ar;
935 ar->k_ar.ar_arg_rights = *rightsp;
936 ARG_SET_VALID(ar, ARG_RIGHTS);
940 audit_arg_fcntl_rights(uint32_t fcntlrights)
942 struct kaudit_record *ar;
948 ar->k_ar.ar_arg_fcntl_rights = fcntlrights;
949 ARG_SET_VALID(ar, ARG_FCNTL_RIGHTS);
953 * The close() system call uses it's own audit call to capture the path/vnode
954 * information because those pieces are not easily obtained within the system
958 audit_sysclose(struct thread *td, int fd)
961 struct kaudit_record *ar;
965 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
973 if (getvnode(td, fd, cap_rights_init(&rights), &fp) != 0)
977 vn_lock(vp, LK_SHARED | LK_RETRY);
978 audit_arg_vnode1(vp);