2 * Copyright (c) 1999-2005 Apple Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
34 #include <sys/param.h>
35 #include <sys/fcntl.h>
36 #include <sys/filedesc.h>
37 #include <sys/libkern.h>
38 #include <sys/malloc.h>
39 #include <sys/mount.h>
43 #include <sys/syscall.h>
44 #include <sys/sysctl.h>
45 #include <sys/sysent.h>
46 #include <sys/vnode.h>
48 #include <bsm/audit.h>
49 #include <bsm/audit_kevents.h>
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
54 * Hash table functions for the audit event number to event class mask
57 #define EVCLASSMAP_HASH_TABLE_SIZE 251
61 LIST_ENTRY(evclass_elem) entry;
64 LIST_HEAD(, evclass_elem) head;
67 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
68 static struct mtx evclass_mtx;
69 static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
72 * Look up the class for an audit event in the class mapping table.
75 au_event_class(au_event_t event)
77 struct evclass_list *evcl;
78 struct evclass_elem *evc;
81 mtx_lock(&evclass_mtx);
82 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
84 LIST_FOREACH(evc, &evcl->head, entry) {
85 if (evc->event == event) {
91 mtx_unlock(&evclass_mtx);
96 * Insert a event to class mapping. If the event already exists in the
97 * mapping, then replace the mapping with the new one.
99 * XXX There is currently no constraints placed on the number of mappings.
100 * May want to either limit to a number, or in terms of memory usage.
103 au_evclassmap_insert(au_event_t event, au_class_t class)
105 struct evclass_list *evcl;
106 struct evclass_elem *evc, *evc_new;
109 * Pessimistically, always allocate storage before acquiring mutex.
110 * Free if there is already a mapping for this event.
112 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
114 mtx_lock(&evclass_mtx);
115 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
116 LIST_FOREACH(evc, &evcl->head, entry) {
117 if (evc->event == event) {
119 mtx_unlock(&evclass_mtx);
120 free(evc_new, M_AUDITEVCLASS);
127 LIST_INSERT_HEAD(&evcl->head, evc, entry);
128 mtx_unlock(&evclass_mtx);
132 au_evclassmap_init(void)
136 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
137 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
138 LIST_INIT(&evclass_hash[i].head);
141 * Set up the initial event to class mapping for system calls.
143 * XXXRW: Really, this should walk all possible audit events, not all
144 * native ABI system calls, as there may be audit events reachable
145 * only through non-native system calls. It also seems a shame to
146 * frob the mutex this early.
148 for (i = 0; i < SYS_MAXSYSCALL; i++) {
149 if (sysent[i].sy_auevent != AUE_NULL)
150 au_evclassmap_insert(sysent[i].sy_auevent, 0);
155 * Check whether an event is aditable by comparing the mask of classes this
156 * event is part of against the given mask.
159 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
161 au_class_t effmask = 0;
167 * Perform the actual check of the masks against the event.
169 if (sorf & AU_PRS_SUCCESS)
170 effmask |= (mask_p->am_success & class);
172 if (sorf & AU_PRS_FAILURE)
173 effmask |= (mask_p->am_failure & class);
182 * Convert sysctl names and present arguments to events.
185 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
188 /* can't parse it - so return the worst case */
189 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
193 /* non-admin "lookups" treat them special */
203 case KERN_JOB_CONTROL:
207 return (AUE_SYSCTL_NONADMIN);
209 /* only treat the changeable controls as admin */
213 case KERN_MAXPROCPERUID:
214 case KERN_MAXFILESPERPROC:
222 case KERN_NISDOMAINNAME:
223 case KERN_UPDATEINTERVAL:
228 case KERN_PS_STRINGS:
230 case KERN_LOGSIGEXIT:
233 return ((valid_arg & ARG_VALUE) ?
234 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
243 * Convert an open flags specifier into a specific type of open event for
247 audit_flags_and_error_to_openevent(int oflags, int error)
252 * Need to check only those flags we care about.
254 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
257 * These checks determine what flags are on with the condition that
258 * ONLY that combination is on, and no other flags are on.
265 case (O_RDONLY | O_CREAT):
266 aevent = AUE_OPEN_RC;
269 case (O_RDONLY | O_CREAT | O_TRUNC):
270 aevent = AUE_OPEN_RTC;
273 case (O_RDONLY | O_TRUNC):
274 aevent = AUE_OPEN_RT;
278 aevent = AUE_OPEN_RW;
281 case (O_RDWR | O_CREAT):
282 aevent = AUE_OPEN_RWC;
285 case (O_RDWR | O_CREAT | O_TRUNC):
286 aevent = AUE_OPEN_RWTC;
289 case (O_RDWR | O_TRUNC):
290 aevent = AUE_OPEN_RWT;
297 case (O_WRONLY | O_CREAT):
298 aevent = AUE_OPEN_WC;
301 case (O_WRONLY | O_CREAT | O_TRUNC):
302 aevent = AUE_OPEN_WTC;
305 case (O_WRONLY | O_TRUNC):
306 aevent = AUE_OPEN_WT;
316 * Convert chatty errors to better matching events. Failures to
317 * find a file are really just attribute events -- so recast them as
320 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
321 * is just a placeholder. However, in Darwin we return that in
322 * preference to other events. For now, comment this out as we don't
323 * have a BSM conversion routine for AUE_OPEN.
340 * Convert a MSGCTL command to a specific event.
343 audit_msgctl_to_event(int cmd)
348 return (AUE_MSGCTL_RMID);
351 return (AUE_MSGCTL_SET);
354 return (AUE_MSGCTL_STAT);
357 /* We will audit a bad command. */
363 * Convert a SEMCTL command to a specific event.
366 audit_semctl_to_event(int cmd)
371 return (AUE_SEMCTL_GETALL);
374 return (AUE_SEMCTL_GETNCNT);
377 return (AUE_SEMCTL_GETPID);
380 return (AUE_SEMCTL_GETVAL);
383 return (AUE_SEMCTL_GETZCNT);
386 return (AUE_SEMCTL_RMID);
389 return (AUE_SEMCTL_SET);
392 return (AUE_SEMCTL_SETALL);
395 return (AUE_SEMCTL_SETVAL);
398 return (AUE_SEMCTL_STAT);
401 /* We will audit a bad command. */
407 * Convert a command for the auditon() system call to a audit event.
410 auditon_command_event(int cmd)
415 return (AUE_AUDITON_GPOLICY);
418 return (AUE_AUDITON_SPOLICY);
421 return (AUE_AUDITON_GETKMASK);
424 return (AUE_AUDITON_SETKMASK);
427 return (AUE_AUDITON_GQCTRL);
430 return (AUE_AUDITON_SQCTRL);
433 return (AUE_AUDITON_GETCWD);
436 return (AUE_AUDITON_GETCAR);
439 return (AUE_AUDITON_GETSTAT);
442 return (AUE_AUDITON_SETSTAT);
445 return (AUE_AUDITON_SETUMASK);
448 return (AUE_AUDITON_SETSMASK);
451 return (AUE_AUDITON_GETCOND);
454 return (AUE_AUDITON_SETCOND);
457 return (AUE_AUDITON_GETCLASS);
460 return (AUE_AUDITON_SETCLASS);
466 case A_GETPINFO_ADDR:
470 return (AUE_AUDITON); /* No special record */
475 * Create a canonical path from given path by prefixing either the root
476 * directory, or the current working directory. If the process working
477 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
478 * but this results in a volfs name written to the audit log. So we will
479 * leave the filename starting with '/' in the audit log in this case.
482 audit_canon_path(struct thread *td, char *path, char *cpath)
484 struct vnode *cvnp, *rvnp;
485 char *rbuf, *fbuf, *copy;
486 struct filedesc *fdp;
488 int error, cwir, locked;
490 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "%s: at %s:%d",
491 __func__, __FILE__, __LINE__);
495 fdp = td->td_proc->p_fd;
498 * Make sure that we handle the chroot(2) case. If there is an
499 * alternate root directory, prepend it to the audited pathname.
501 if (fdp->fd_rdir != NULL && fdp->fd_rdir != rootvnode) {
506 * If the supplied path is relative, make sure we capture the current
507 * working directory so we can prepend it to the supplied relative
514 cwir = (fdp->fd_rdir == fdp->fd_cdir);
515 FILEDESC_SUNLOCK(fdp);
517 * NB: We require that the supplied array be at least MAXPATHLEN bytes
518 * long. If this is not the case, then we can run into serious trouble.
520 (void) sbuf_new(&sbf, cpath, MAXPATHLEN, SBUF_FIXEDLEN);
522 * Strip leading forward slashes.
527 * Make sure we handle chroot(2) and prepend the global path to these
530 * NB: vn_fullpath(9) on FreeBSD is less reliable than vn_getpath(9)
531 * on Darwin. As a result, this may need some additional attention
536 * Although unlikely, it is possible for filesystems to define
537 * their own VOP_LOCK, so strictly speaking, we need to
538 * conditionally pickup Giant around calls to vn_lock(9)
540 locked = VFS_LOCK_GIANT(rvnp->v_mount);
541 vn_lock(rvnp, LK_EXCLUSIVE | LK_RETRY);
543 error = vn_fullpath_global(td, rvnp, &rbuf, &fbuf);
545 VFS_UNLOCK_GIANT(locked);
552 (void) sbuf_cat(&sbf, rbuf);
556 locked = VFS_LOCK_GIANT(cvnp->v_mount);
557 vn_lock(cvnp, LK_EXCLUSIVE | LK_RETRY);
559 error = vn_fullpath(td, cvnp, &rbuf, &fbuf);
561 VFS_UNLOCK_GIANT(locked);
566 (void) sbuf_cat(&sbf, rbuf);
569 if (cwir == 0 || (cwir != 0 && cvnp == NULL))
570 (void) sbuf_putc(&sbf, '/');
572 * Now that we have processed any alternate root and relative path
573 * names, add the supplied pathname.
575 (void) sbuf_cat(&sbf, copy);
577 * One or more of the previous sbuf operations could have resulted in
578 * the supplied buffer being overflowed. Check to see if this is the
581 if (sbuf_overflowed(&sbf) != 0) {