2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
6 * Portions of this software were developed by BAE Systems, the University of
7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9 * Computing (TC) research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/capsicum.h>
41 #include <sys/fcntl.h>
42 #include <sys/filedesc.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
45 #include <sys/mount.h>
47 #include <sys/rwlock.h>
51 #include <sys/syscall.h>
52 #include <sys/sysctl.h>
53 #include <sys/sysent.h>
54 #include <sys/vnode.h>
56 #include <bsm/audit.h>
57 #include <bsm/audit_kevents.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
61 struct aue_open_event {
66 static const struct aue_open_event aue_open[] = {
67 { O_RDONLY, AUE_OPEN_R },
68 { (O_RDONLY | O_CREAT), AUE_OPEN_RC },
69 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPEN_RTC },
70 { (O_RDONLY | O_TRUNC), AUE_OPEN_RT },
71 { O_RDWR, AUE_OPEN_RW },
72 { (O_RDWR | O_CREAT), AUE_OPEN_RWC },
73 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPEN_RWTC },
74 { (O_RDWR | O_TRUNC), AUE_OPEN_RWT },
75 { O_WRONLY, AUE_OPEN_W },
76 { (O_WRONLY | O_CREAT), AUE_OPEN_WC },
77 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPEN_WTC },
78 { (O_WRONLY | O_TRUNC), AUE_OPEN_WT },
81 static const struct aue_open_event aue_openat[] = {
82 { O_RDONLY, AUE_OPENAT_R },
83 { (O_RDONLY | O_CREAT), AUE_OPENAT_RC },
84 { (O_RDONLY | O_CREAT | O_TRUNC), AUE_OPENAT_RTC },
85 { (O_RDONLY | O_TRUNC), AUE_OPENAT_RT },
86 { O_RDWR, AUE_OPENAT_RW },
87 { (O_RDWR | O_CREAT), AUE_OPENAT_RWC },
88 { (O_RDWR | O_CREAT | O_TRUNC), AUE_OPENAT_RWTC },
89 { (O_RDWR | O_TRUNC), AUE_OPENAT_RWT },
90 { O_WRONLY, AUE_OPENAT_W },
91 { (O_WRONLY | O_CREAT), AUE_OPENAT_WC },
92 { (O_WRONLY | O_CREAT | O_TRUNC), AUE_OPENAT_WTC },
93 { (O_WRONLY | O_TRUNC), AUE_OPENAT_WT },
96 static const int aue_msgsys[] = {
102 static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
104 static const int aue_semsys[] = {
109 static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
111 static const int aue_shmsys[] = {
117 static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
120 * Check whether an event is aditable by comparing the mask of classes this
121 * event is part of against the given mask.
124 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
126 au_class_t effmask = 0;
132 * Perform the actual check of the masks against the event.
134 if (sorf & AU_PRS_SUCCESS)
135 effmask |= (mask_p->am_success & class);
137 if (sorf & AU_PRS_FAILURE)
138 effmask |= (mask_p->am_failure & class);
147 * Convert sysctl names and present arguments to events.
150 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
153 /* can't parse it - so return the worst case */
154 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
158 /* non-admin "lookups" treat them special */
168 case KERN_JOB_CONTROL:
172 return (AUE_SYSCTL_NONADMIN);
174 /* only treat the changeable controls as admin */
178 case KERN_MAXPROCPERUID:
179 case KERN_MAXFILESPERPROC:
187 case KERN_NISDOMAINNAME:
188 case KERN_UPDATEINTERVAL:
193 case KERN_PS_STRINGS:
195 case KERN_LOGSIGEXIT:
197 return ((valid_arg & ARG_VALUE) ?
198 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
207 * Convert an open flags specifier into a specific type of open event for
211 audit_flags_and_error_to_openevent(int oflags, int error)
216 * Need to check only those flags we care about.
218 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
219 for (i = 0; i < nitems(aue_open); i++) {
220 if (aue_open[i].aoe_flags == oflags)
221 return (aue_open[i].aoe_event);
227 audit_flags_and_error_to_openatevent(int oflags, int error)
232 * Need to check only those flags we care about.
234 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
235 for (i = 0; i < nitems(aue_openat); i++) {
236 if (aue_openat[i].aoe_flags == oflags)
237 return (aue_openat[i].aoe_event);
243 * Convert a MSGCTL command to a specific event.
246 audit_msgctl_to_event(int cmd)
251 return (AUE_MSGCTL_RMID);
254 return (AUE_MSGCTL_SET);
257 return (AUE_MSGCTL_STAT);
260 /* We will audit a bad command. */
266 * Convert a SEMCTL command to a specific event.
269 audit_semctl_to_event(int cmd)
274 return (AUE_SEMCTL_GETALL);
277 return (AUE_SEMCTL_GETNCNT);
280 return (AUE_SEMCTL_GETPID);
283 return (AUE_SEMCTL_GETVAL);
286 return (AUE_SEMCTL_GETZCNT);
289 return (AUE_SEMCTL_RMID);
292 return (AUE_SEMCTL_SET);
295 return (AUE_SEMCTL_SETALL);
298 return (AUE_SEMCTL_SETVAL);
301 return (AUE_SEMCTL_STAT);
304 /* We will audit a bad command. */
310 * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
311 * audit events, if possible.
314 audit_msgsys_to_event(int which)
317 if ((which >= 0) && (which < aue_msgsys_count))
318 return (aue_msgsys[which]);
320 /* Audit a bad command. */
325 audit_semsys_to_event(int which)
328 if ((which >= 0) && (which < aue_semsys_count))
329 return (aue_semsys[which]);
331 /* Audit a bad command. */
336 audit_shmsys_to_event(int which)
339 if ((which >= 0) && (which < aue_shmsys_count))
340 return (aue_shmsys[which]);
342 /* Audit a bad command. */
347 * Convert a command for the auditon() system call to a audit event.
350 auditon_command_event(int cmd)
355 return (AUE_AUDITON_GPOLICY);
358 return (AUE_AUDITON_SPOLICY);
361 return (AUE_AUDITON_GETKMASK);
364 return (AUE_AUDITON_SETKMASK);
367 return (AUE_AUDITON_GQCTRL);
370 return (AUE_AUDITON_SQCTRL);
373 return (AUE_AUDITON_GETCWD);
376 return (AUE_AUDITON_GETCAR);
379 return (AUE_AUDITON_GETSTAT);
382 return (AUE_AUDITON_SETSTAT);
385 return (AUE_AUDITON_SETUMASK);
388 return (AUE_AUDITON_SETSMASK);
391 return (AUE_AUDITON_GETCOND);
394 return (AUE_AUDITON_SETCOND);
397 return (AUE_AUDITON_GETCLASS);
400 return (AUE_AUDITON_SETCLASS);
406 case A_GETPINFO_ADDR:
410 return (AUE_AUDITON); /* No special record */
415 * Create a canonical path from given path by prefixing either the root
416 * directory, or the current working directory. If the process working
417 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
418 * but this results in a volfs name written to the audit log. So we will
419 * leave the filename starting with '/' in the audit log in this case.
422 audit_canon_path(struct thread *td, int dirfd, char *path, char *cpath)
424 struct vnode *cvnp, *rvnp;
425 char *rbuf, *fbuf, *copy;
426 struct filedesc *fdp;
429 int error, needslash;
431 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
432 __func__, __FILE__, __LINE__);
436 fdp = td->td_proc->p_fd;
439 * Make sure that we handle the chroot(2) case. If there is an
440 * alternate root directory, prepend it to the audited pathname.
442 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
447 * If the supplied path is relative, make sure we capture the current
448 * working directory so we can prepend it to the supplied relative
452 if (dirfd == AT_FDCWD) {
456 /* XXX: fgetvp() that vhold()s vnode instead of vref()ing it would be better */
457 error = fgetvp(td, dirfd, cap_rights_init(&rights), &cvnp);
459 FILEDESC_SUNLOCK(fdp);
468 needslash = (fdp->fd_rdir != cvnp);
472 FILEDESC_SUNLOCK(fdp);
474 * NB: We require that the supplied array be at least MAXPATHLEN bytes
475 * long. If this is not the case, then we can run into serious trouble.
477 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
479 * Strip leading forward slashes.
484 * Make sure we handle chroot(2) and prepend the global path to these
487 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
488 * on Darwin. As a result, this may need some additional attention
492 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
500 (void) sbuf_cat(&sbf, rbuf);
504 error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
510 (void) sbuf_cat(&sbf, rbuf);
514 (void) sbuf_putc(&sbf, '/');
516 * Now that we have processed any alternate root and relative path
517 * names, add the supplied pathname.
519 (void) sbuf_cat(&sbf, copy);
521 * One or more of the previous sbuf operations could have resulted in
522 * the supplied buffer being overflowed. Check to see if this is the
525 if (sbuf_error(&sbf) != 0) {