2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
33 #include <sys/param.h>
34 #include <sys/fcntl.h>
35 #include <sys/filedesc.h>
36 #include <sys/libkern.h>
37 #include <sys/malloc.h>
38 #include <sys/mount.h>
41 #include <sys/syscall.h>
42 #include <sys/sysctl.h>
43 #include <sys/sysent.h>
44 #include <sys/vnode.h>
46 #include <bsm/audit.h>
47 #include <bsm/audit_kevents.h>
48 #include <security/audit/audit.h>
49 #include <security/audit/audit_private.h>
52 * Hash table functions for the audit event number to event class mask
55 #define EVCLASSMAP_HASH_TABLE_SIZE 251
59 LIST_ENTRY(evclass_elem) entry;
62 LIST_HEAD(, evclass_elem) head;
65 static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
66 static struct mtx evclass_mtx;
67 static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
70 * Look up the class for an audit event in the class mapping table.
73 au_event_class(au_event_t event)
75 struct evclass_list *evcl;
76 struct evclass_elem *evc;
79 mtx_lock(&evclass_mtx);
80 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
82 LIST_FOREACH(evc, &evcl->head, entry) {
83 if (evc->event == event) {
89 mtx_unlock(&evclass_mtx);
94 * Insert a event to class mapping. If the event already exists in the
95 * mapping, then replace the mapping with the new one.
97 * XXX There is currently no constraints placed on the number of mappings.
98 * May want to either limit to a number, or in terms of memory usage.
101 au_evclassmap_insert(au_event_t event, au_class_t class)
103 struct evclass_list *evcl;
104 struct evclass_elem *evc, *evc_new;
107 * Pessimistically, always allocate storage before acquiring mutex.
108 * Free if there is already a mapping for this event.
110 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
112 mtx_lock(&evclass_mtx);
113 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
114 LIST_FOREACH(evc, &evcl->head, entry) {
115 if (evc->event == event) {
117 mtx_unlock(&evclass_mtx);
118 free(evc_new, M_AUDITEVCLASS);
125 LIST_INSERT_HEAD(&evcl->head, evc, entry);
126 mtx_unlock(&evclass_mtx);
130 au_evclassmap_init(void)
134 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
135 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
136 LIST_INIT(&evclass_hash[i].head);
139 * Set up the initial event to class mapping for system calls.
141 * XXXRW: Really, this should walk all possible audit events, not all
142 * native ABI system calls, as there may be audit events reachable
143 * only through non-native system calls. It also seems a shame to
144 * frob the mutex this early.
146 for (i = 0; i < SYS_MAXSYSCALL; i++) {
147 if (sysent[i].sy_auevent != AUE_NULL)
148 au_evclassmap_insert(sysent[i].sy_auevent, 0);
153 * Check whether an event is aditable by comparing the mask of classes this
154 * event is part of against the given mask.
157 au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
159 au_class_t effmask = 0;
165 * Perform the actual check of the masks against the event.
167 if (sorf & AU_PRS_SUCCESS)
168 effmask |= (mask_p->am_success & class);
170 if (sorf & AU_PRS_FAILURE)
171 effmask |= (mask_p->am_failure & class);
180 * Convert sysctl names and present arguments to events.
183 ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
186 /* can't parse it - so return the worst case */
187 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
191 /* non-admin "lookups" treat them special */
201 case KERN_JOB_CONTROL:
205 return (AUE_SYSCTL_NONADMIN);
207 /* only treat the changeable controls as admin */
211 case KERN_MAXPROCPERUID:
212 case KERN_MAXFILESPERPROC:
220 case KERN_NISDOMAINNAME:
221 case KERN_UPDATEINTERVAL:
226 case KERN_PS_STRINGS:
228 case KERN_LOGSIGEXIT:
231 return ((valid_arg & ARG_VALUE) ?
232 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
241 * Convert an open flags specifier into a specific type of open event for
245 flags_and_error_to_openevent(int oflags, int error)
250 * Need to check only those flags we care about.
252 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
255 * These checks determine what flags are on with the condition that
256 * ONLY that combination is on, and no other flags are on.
263 case (O_RDONLY | O_CREAT):
264 aevent = AUE_OPEN_RC;
267 case (O_RDONLY | O_CREAT | O_TRUNC):
268 aevent = AUE_OPEN_RTC;
271 case (O_RDONLY | O_TRUNC):
272 aevent = AUE_OPEN_RT;
276 aevent = AUE_OPEN_RW;
279 case (O_RDWR | O_CREAT):
280 aevent = AUE_OPEN_RWC;
283 case (O_RDWR | O_CREAT | O_TRUNC):
284 aevent = AUE_OPEN_RWTC;
287 case (O_RDWR | O_TRUNC):
288 aevent = AUE_OPEN_RWT;
295 case (O_WRONLY | O_CREAT):
296 aevent = AUE_OPEN_WC;
299 case (O_WRONLY | O_CREAT | O_TRUNC):
300 aevent = AUE_OPEN_WTC;
303 case (O_WRONLY | O_TRUNC):
304 aevent = AUE_OPEN_WT;
314 * Convert chatty errors to better matching events. Failures to
315 * find a file are really just attribute events -- so recast them as
318 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
319 * is just a placeholder. However, in Darwin we return that in
320 * preference to other events. For now, comment this out as we don't
321 * have a BSM conversion routine for AUE_OPEN.
338 * Convert a MSGCTL command to a specific event.
341 msgctl_to_event(int cmd)
346 return (AUE_MSGCTL_RMID);
349 return (AUE_MSGCTL_SET);
352 return (AUE_MSGCTL_STAT);
355 /* We will audit a bad command. */
361 * Convert a SEMCTL command to a specific event.
364 semctl_to_event(int cmd)
369 return (AUE_SEMCTL_GETALL);
372 return (AUE_SEMCTL_GETNCNT);
375 return (AUE_SEMCTL_GETPID);
378 return (AUE_SEMCTL_GETVAL);
381 return (AUE_SEMCTL_GETZCNT);
384 return (AUE_SEMCTL_RMID);
387 return (AUE_SEMCTL_SET);
390 return (AUE_SEMCTL_SETALL);
393 return (AUE_SEMCTL_SETVAL);
396 return (AUE_SEMCTL_STAT);
399 /* We will audit a bad command */
405 * Convert a command for the auditon() system call to a audit event.
408 auditon_command_event(int cmd)
413 return (AUE_AUDITON_GPOLICY);
416 return (AUE_AUDITON_SPOLICY);
419 return (AUE_AUDITON_GETKMASK);
422 return (AUE_AUDITON_SETKMASK);
425 return (AUE_AUDITON_GQCTRL);
428 return (AUE_AUDITON_SQCTRL);
431 return (AUE_AUDITON_GETCWD);
434 return (AUE_AUDITON_GETCAR);
437 return (AUE_AUDITON_GETSTAT);
440 return (AUE_AUDITON_SETSTAT);
443 return (AUE_AUDITON_SETUMASK);
446 return (AUE_AUDITON_SETSMASK);
449 return (AUE_AUDITON_GETCOND);
452 return (AUE_AUDITON_SETCOND);
455 return (AUE_AUDITON_GETCLASS);
458 return (AUE_AUDITON_SETCLASS);
464 case A_GETPINFO_ADDR:
468 return (AUE_AUDITON); /* No special record */
473 * Create a canonical path from given path by prefixing either the root
474 * directory, or the current working directory. If the process working
475 * directory is NULL, we could use 'rootvnode' to obtain the root directory,
476 * but this results in a volfs name written to the audit log. So we will
477 * leave the filename starting with '/' in the audit log in this case.
479 * XXXRW: Since we combine two paths here, ideally a buffer of size
480 * MAXPATHLEN * 2 would be passed in.
483 canon_path(struct thread *td, char *path, char *cpath)
486 char *retbuf, *freebuf;
488 struct filedesc *fdp;
489 int cisr, error, vfslocked;
491 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
492 "canon_path() at %s:%d", __FILE__, __LINE__);
494 fdp = td->td_proc->p_fd;
498 if (*(path) == '/') {
499 while (*(bufp) == '/')
500 bufp++; /* Skip leading '/'s. */
502 * If no process root, or it is the same as the system root,
503 * audit the path as passed in with a single '/'.
505 if ((fdp->fd_rdir == NULL) ||
506 (fdp->fd_rdir == rootvnode)) {
508 bufp--; /* Restore one '/'. */
510 vnp = fdp->fd_rdir; /* Use process root. */
514 vnp = fdp->fd_cdir; /* Prepend the current dir. */
515 cisr = (fdp->fd_rdir == fdp->fd_cdir);
519 FILEDESC_SUNLOCK(fdp);
522 * XXX: vn_fullpath() on FreeBSD is "less reliable" than
523 * vn_getpath() on Darwin, so this will need more attention
524 * in the future. Also, the question and string bounding
525 * here seems a bit questionable and will also require
528 vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
529 vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
530 error = vn_fullpath(td, vnp, &retbuf, &freebuf);
532 /* Copy and free buffer allocated by vn_fullpath().
533 * If the current working directory was the same as
534 * the root directory, and the path was a relative
535 * pathname, do not separate the two components with
538 snprintf(cpath, MAXPATHLEN, "%s%s%s", retbuf,
539 cisr ? "" : "/", bufp);
540 free(freebuf, M_TEMP);
544 VFS_UNLOCK_GIANT(vfslocked);
546 strlcpy(cpath, bufp, MAXPATHLEN);