2 * Copyright (c) 1999-2005 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
35 #include <sys/param.h>
36 #include <sys/mount.h>
37 #include <sys/namei.h>
40 #include <sys/sysproto.h>
41 #include <sys/systm.h>
42 #include <sys/vnode.h>
45 #include <bsm/audit.h>
46 #include <bsm/audit_kevents.h>
48 #include <security/audit/audit.h>
49 #include <security/audit/audit_private.h>
50 #include <security/mac/mac_framework.h>
55 * System call to allow a user space application to submit a BSM audit record
56 * to the kernel for inclusion in the audit log. This function does little
57 * verification on the audit record that is submitted.
59 * XXXAUDIT: Audit preselection for user records does not currently work,
60 * since we pre-select only based on the AUE_audit event type, not the event
61 * type submitted as part of the user audit data.
65 audit(struct thread *td, struct audit_args *uap)
69 struct kaudit_record *ar;
71 if (jailed(td->td_ucred))
73 error = priv_check(td, PRIV_AUDIT_SUBMIT);
77 if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
83 * If there's no current audit record (audit() itself not audited)
84 * commit the user audit record.
89 * This is not very efficient; we're required to allocate a
90 * complete kernel audit record just so the user record can
93 * XXXAUDIT: Maybe AUE_AUDIT in the system call context and
94 * special pre-select handling?
96 td->td_ar = audit_new(AUE_NULL, td);
97 if (td->td_ar == NULL)
99 td->td_pflags |= TDP_AUDITREC;
103 if (uap->length > MAX_AUDIT_RECORD_SIZE)
106 rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
108 error = copyin(uap->record, rec, uap->length);
112 /* Verify the record. */
113 if (bsm_rec_verify(rec) == 0) {
119 error = mac_check_system_audit(td->td_ucred, rec, uap->length);
125 * Attach the user audit record to the kernel audit record. Because
126 * this system call is an auditable event, we will write the user
127 * record along with the record for this audit event.
129 * XXXAUDIT: KASSERT appropriate starting values of k_udata, k_ulen,
130 * k_ar_commit & AR_COMMIT_USER?
133 ar->k_ulen = uap->length;
134 ar->k_ar_commit |= AR_COMMIT_USER;
137 * Currently we assume that all preselection has been performed in
138 * userspace. We unconditionally set these masks so that the records
139 * get committed both to the trail and pipe. In the future we will
140 * want to setup kernel based preselection.
142 ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
147 * audit_syscall_exit() will free the audit record on the thread even
148 * if we allocated it above.
150 free(rec, M_AUDITDATA);
155 * System call to manipulate auditing.
159 auditon(struct thread *td, struct auditon_args *uap)
161 struct ucred *cred, *newcred, *oldcred;
163 union auditon_udata udata;
166 if (jailed(td->td_ucred))
168 AUDIT_ARG(cmd, uap->cmd);
171 error = mac_check_system_auditon(td->td_ucred, uap->cmd);
176 error = priv_check(td, PRIV_AUDIT_CONTROL);
180 if ((uap->length <= 0) || (uap->length > sizeof(union auditon_udata)))
183 memset((void *)&udata, 0, sizeof(udata));
186 * Some of the GET commands use the arguments too.
202 case A_GETPINFO_ADDR:
204 error = copyin(uap->data, (void *)&udata, uap->length);
207 AUDIT_ARG(auditon, &udata);
216 if (!audit_fail_stop)
217 udata.au_policy |= AUDIT_CNT;
218 if (audit_panic_on_write_fail)
219 udata.au_policy |= AUDIT_AHLT;
221 udata.au_policy |= AUDIT_ARGV;
223 udata.au_policy |= AUDIT_ARGE;
227 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|AUDIT_ARGV|
231 * XXX - Need to wake up waiters if the policy relaxes?
233 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
234 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
235 audit_argv = (udata.au_policy & AUDIT_ARGV);
236 audit_arge = (udata.au_policy & AUDIT_ARGE);
240 udata.au_mask = audit_nae_mask;
244 audit_nae_mask = udata.au_mask;
248 udata.au_qctrl = audit_qctrl;
252 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
253 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
254 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
255 (udata.au_qctrl.aq_minfree < 0) ||
256 (udata.au_qctrl.aq_minfree > 100))
259 audit_qctrl = udata.au_qctrl;
260 /* XXX The queue delay value isn't used with the kernel. */
261 audit_qctrl.aq_delay = -1;
289 if (audit_enabled && !audit_suspended)
290 udata.au_cond = AUC_AUDITING;
292 udata.au_cond = AUC_NOAUDIT;
296 if (udata.au_cond == AUC_NOAUDIT)
298 if (udata.au_cond == AUC_AUDITING)
300 if (udata.au_cond == AUC_DISABLED) {
302 audit_shutdown(NULL, 0);
307 udata.au_evclass.ec_class = au_event_class(
308 udata.au_evclass.ec_number);
312 au_evclassmap_insert(udata.au_evclass.ec_number,
313 udata.au_evclass.ec_class);
317 if (udata.au_aupinfo.ap_pid < 1)
319 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
321 if ((error = p_cansee(td, tp)) != 0) {
326 if (cred->cr_audit.ai_termid.at_type == AU_IPv6) {
330 udata.au_aupinfo.ap_auid = cred->cr_audit.ai_auid;
331 udata.au_aupinfo.ap_mask.am_success =
332 cred->cr_audit.ai_mask.am_success;
333 udata.au_aupinfo.ap_mask.am_failure =
334 cred->cr_audit.ai_mask.am_failure;
335 udata.au_aupinfo.ap_termid.machine =
336 cred->cr_audit.ai_termid.at_addr[0];
337 udata.au_aupinfo.ap_termid.port =
338 (dev_t)cred->cr_audit.ai_termid.at_port;
339 udata.au_aupinfo.ap_asid = cred->cr_audit.ai_asid;
344 if (udata.au_aupinfo.ap_pid < 1)
347 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) {
351 if ((error = p_cansee(td, tp)) != 0) {
356 oldcred = tp->p_ucred;
357 crcopy(newcred, oldcred);
358 newcred->cr_audit.ai_mask.am_success =
359 udata.au_aupinfo.ap_mask.am_success;
360 newcred->cr_audit.ai_mask.am_failure =
361 udata.au_aupinfo.ap_mask.am_failure;
362 td->td_proc->p_ucred = newcred;
368 if ((udata.au_fstat.af_filesz != 0) &&
369 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
371 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
375 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
376 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
379 case A_GETPINFO_ADDR:
380 if (udata.au_aupinfo_addr.ap_pid < 1)
382 if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
385 udata.au_aupinfo_addr.ap_auid = cred->cr_audit.ai_auid;
386 udata.au_aupinfo_addr.ap_mask.am_success =
387 cred->cr_audit.ai_mask.am_success;
388 udata.au_aupinfo_addr.ap_mask.am_failure =
389 cred->cr_audit.ai_mask.am_failure;
390 udata.au_aupinfo_addr.ap_termid = cred->cr_audit.ai_termid;
391 udata.au_aupinfo_addr.ap_asid = cred->cr_audit.ai_asid;
404 if ((udata.au_trigger < AUDIT_TRIGGER_MIN) ||
405 (udata.au_trigger > AUDIT_TRIGGER_MAX))
407 return (audit_send_trigger(udata.au_trigger));
414 * Copy data back to userspace for the GET comands.
427 case A_GETPINFO_ADDR:
429 error = copyout((void *)&udata, uap->data, uap->length);
439 * System calls to manage the user audit information.
443 getauid(struct thread *td, struct getauid_args *uap)
447 if (jailed(td->td_ucred))
449 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
452 return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid,
453 sizeof(td->td_ucred->cr_audit.ai_auid)));
458 setauid(struct thread *td, struct setauid_args *uap)
460 struct ucred *newcred, *oldcred;
464 if (jailed(td->td_ucred))
466 error = copyin(uap->auid, &id, sizeof(id));
471 PROC_LOCK(td->td_proc);
472 oldcred = td->td_proc->p_ucred;
473 crcopy(newcred, oldcred);
475 error = mac_check_proc_setauid(oldcred, id);
479 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
482 newcred->cr_audit.ai_auid = id;
483 td->td_proc->p_ucred = newcred;
484 PROC_UNLOCK(td->td_proc);
488 PROC_UNLOCK(td->td_proc);
494 * System calls to get and set process audit information.
498 getaudit(struct thread *td, struct getaudit_args *uap)
507 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
510 if (cred->cr_audit.ai_termid.at_type == AU_IPv6)
512 bzero(&ai, sizeof(ai));
513 ai.ai_auid = cred->cr_audit.ai_auid;
514 ai.ai_mask = cred->cr_audit.ai_mask;
515 ai.ai_asid = cred->cr_audit.ai_asid;
516 ai.ai_termid.machine = cred->cr_audit.ai_termid.at_addr[0];
517 ai.ai_termid.port = cred->cr_audit.ai_termid.at_port;
518 return (copyout(&ai, uap->auditinfo, sizeof(ai)));
523 setaudit(struct thread *td, struct setaudit_args *uap)
525 struct ucred *newcred, *oldcred;
529 if (jailed(td->td_ucred))
531 error = copyin(uap->auditinfo, &ai, sizeof(ai));
534 audit_arg_auditinfo(&ai);
536 PROC_LOCK(td->td_proc);
537 oldcred = td->td_proc->p_ucred;
538 crcopy(newcred, oldcred);
540 error = mac_check_proc_setaudit(oldcred, &ai);
544 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
547 bzero(&newcred->cr_audit, sizeof(newcred->cr_audit));
548 newcred->cr_audit.ai_auid = ai.ai_auid;
549 newcred->cr_audit.ai_mask = ai.ai_mask;
550 newcred->cr_audit.ai_asid = ai.ai_asid;
551 newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
552 newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
553 newcred->cr_audit.ai_termid.at_type = AU_IPv4;
554 td->td_proc->p_ucred = newcred;
555 PROC_UNLOCK(td->td_proc);
559 PROC_UNLOCK(td->td_proc);
566 getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
570 if (jailed(td->td_ucred))
572 if (uap->length < sizeof(*uap->auditinfo_addr))
574 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
577 return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr,
578 sizeof(*uap->auditinfo_addr)));
583 setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
585 struct ucred *newcred, *oldcred;
586 struct auditinfo_addr aia;
589 if (jailed(td->td_ucred))
591 error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
594 audit_arg_auditinfo_addr(&aia);
595 if (aia.ai_termid.at_type != AU_IPv6 &&
596 aia.ai_termid.at_type != AU_IPv4)
599 PROC_LOCK(td->td_proc);
600 oldcred = td->td_proc->p_ucred;
601 crcopy(newcred, oldcred);
603 error = mac_check_proc_setaudit_addr(oldcred, &aia);
607 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
610 newcred->cr_audit = aia;
611 td->td_proc->p_ucred = newcred;
612 PROC_UNLOCK(td->td_proc);
616 PROC_UNLOCK(td->td_proc);
622 * Syscall to manage audit files.
626 auditctl(struct thread *td, struct auditctl_args *uap)
632 int flags, vfslocked;
634 if (jailed(td->td_ucred))
636 error = priv_check(td, PRIV_AUDIT_CONTROL);
644 * If a path is specified, open the replacement vnode, perform
645 * validity checks, and grab another reference to the current
648 * On Darwin, a NULL path argument is also used to disable audit.
650 if (uap->path == NULL)
653 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1,
654 UIO_USERSPACE, uap->path, td);
655 flags = AUDIT_OPEN_FLAGS;
656 error = vn_open(&nd, &flags, 0, NULL);
659 vfslocked = NDHASGIANT(&nd);
662 error = mac_check_system_auditctl(td->td_ucred, vp);
663 VOP_UNLOCK(vp, 0, td);
665 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
666 VFS_UNLOCK_GIANT(vfslocked);
670 VOP_UNLOCK(vp, 0, td);
672 NDFREE(&nd, NDF_ONLY_PNBUF);
673 if (vp->v_type != VREG) {
674 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
675 VFS_UNLOCK_GIANT(vfslocked);
678 VFS_UNLOCK_GIANT(vfslocked);
683 * XXXAUDIT: Should audit_suspended actually be cleared by
688 audit_rotate_vnode(cred, vp);
696 audit(struct thread *td, struct audit_args *uap)
703 auditon(struct thread *td, struct auditon_args *uap)
710 getauid(struct thread *td, struct getauid_args *uap)
717 setauid(struct thread *td, struct setauid_args *uap)
724 getaudit(struct thread *td, struct getaudit_args *uap)
731 setaudit(struct thread *td, struct setaudit_args *uap)
738 getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
745 setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
752 auditctl(struct thread *td, struct auditctl_args *uap)