2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2016 Robert N. M. Watson
6 * Portions of this software were developed by BAE Systems, the University of
7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9 * Computing (TC) research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/mount.h>
41 #include <sys/namei.h>
44 #include <sys/sysproto.h>
45 #include <sys/systm.h>
46 #include <sys/vnode.h>
49 #include <bsm/audit.h>
50 #include <bsm/audit_kevents.h>
52 #include <security/audit/audit.h>
53 #include <security/audit/audit_private.h>
54 #include <security/mac/mac_framework.h>
59 * System call to allow a user space application to submit a BSM audit record
60 * to the kernel for inclusion in the audit log. This function does little
61 * verification on the audit record that is submitted.
63 * XXXAUDIT: Audit preselection for user records does not currently work,
64 * since we pre-select only based on the AUE_audit event type, not the event
65 * type submitted as part of the user audit data.
69 sys_audit(struct thread *td, struct audit_args *uap)
73 struct kaudit_record *ar;
75 if (jailed(td->td_ucred))
77 error = priv_check(td, PRIV_AUDIT_SUBMIT);
81 if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
87 * If there's no current audit record (audit() itself not audited)
88 * commit the user audit record.
93 * This is not very efficient; we're required to allocate a
94 * complete kernel audit record just so the user record can
97 * XXXAUDIT: Maybe AUE_AUDIT in the system call context and
98 * special pre-select handling?
100 td->td_ar = audit_new(AUE_NULL, td);
101 if (td->td_ar == NULL)
103 td->td_pflags |= TDP_AUDITREC;
107 if (uap->length > MAX_AUDIT_RECORD_SIZE)
110 rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
112 error = copyin(uap->record, rec, uap->length);
116 /* Verify the record. */
117 if (bsm_rec_verify(rec) == 0) {
123 error = mac_system_check_audit(td->td_ucred, rec, uap->length);
129 * Attach the user audit record to the kernel audit record. Because
130 * this system call is an auditable event, we will write the user
131 * record along with the record for this audit event.
133 * XXXAUDIT: KASSERT appropriate starting values of k_udata, k_ulen,
134 * k_ar_commit & AR_COMMIT_USER?
137 ar->k_ulen = uap->length;
138 ar->k_ar_commit |= AR_COMMIT_USER;
141 * Currently we assume that all preselection has been performed in
142 * userspace. We unconditionally set these masks so that the records
143 * get committed both to the trail and pipe. In the future we will
144 * want to setup kernel based preselection.
146 ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
151 * audit_syscall_exit() will free the audit record on the thread even
152 * if we allocated it above.
154 free(rec, M_AUDITDATA);
159 * System call to manipulate auditing.
163 sys_auditon(struct thread *td, struct auditon_args *uap)
165 struct ucred *cred, *newcred, *oldcred;
167 union auditon_udata udata;
170 if (jailed(td->td_ucred))
172 AUDIT_ARG_CMD(uap->cmd);
175 error = mac_system_check_auditon(td->td_ucred, uap->cmd);
180 error = priv_check(td, PRIV_AUDIT_CONTROL);
184 if ((uap->length <= 0) || (uap->length > sizeof(union auditon_udata)))
187 memset((void *)&udata, 0, sizeof(udata));
190 * Some of the GET commands use the arguments too.
211 case A_GETPINFO_ADDR:
213 error = copyin(uap->data, (void *)&udata, uap->length);
216 AUDIT_ARG_AUDITON(&udata);
226 if (uap->length == sizeof(udata.au_policy64)) {
227 if (!audit_fail_stop)
228 udata.au_policy64 |= AUDIT_CNT;
229 if (audit_panic_on_write_fail)
230 udata.au_policy64 |= AUDIT_AHLT;
232 udata.au_policy64 |= AUDIT_ARGV;
234 udata.au_policy64 |= AUDIT_ARGE;
237 if (uap->length != sizeof(udata.au_policy))
239 if (!audit_fail_stop)
240 udata.au_policy |= AUDIT_CNT;
241 if (audit_panic_on_write_fail)
242 udata.au_policy |= AUDIT_AHLT;
244 udata.au_policy |= AUDIT_ARGV;
246 udata.au_policy |= AUDIT_ARGE;
251 if (uap->length == sizeof(udata.au_policy64)) {
252 if (udata.au_policy & (~AUDIT_CNT|AUDIT_AHLT|
253 AUDIT_ARGV|AUDIT_ARGE))
255 audit_fail_stop = ((udata.au_policy64 & AUDIT_CNT) ==
257 audit_panic_on_write_fail = (udata.au_policy64 &
259 audit_argv = (udata.au_policy64 & AUDIT_ARGV);
260 audit_arge = (udata.au_policy64 & AUDIT_ARGE);
263 if (uap->length != sizeof(udata.au_policy))
265 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|AUDIT_ARGV|
269 * XXX - Need to wake up waiters if the policy relaxes?
271 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
272 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
273 audit_argv = (udata.au_policy & AUDIT_ARGV);
274 audit_arge = (udata.au_policy & AUDIT_ARGE);
278 if (uap->length != sizeof(udata.au_mask))
280 udata.au_mask = audit_nae_mask;
284 if (uap->length != sizeof(udata.au_mask))
286 audit_nae_mask = udata.au_mask;
291 if (uap->length == sizeof(udata.au_qctrl64)) {
292 udata.au_qctrl64.aq64_hiwater =
293 (u_int64_t)audit_qctrl.aq_hiwater;
294 udata.au_qctrl64.aq64_lowater =
295 (u_int64_t)audit_qctrl.aq_lowater;
296 udata.au_qctrl64.aq64_bufsz =
297 (u_int64_t)audit_qctrl.aq_bufsz;
298 udata.au_qctrl64.aq64_minfree =
299 (u_int64_t)audit_qctrl.aq_minfree;
302 if (uap->length != sizeof(udata.au_qctrl))
304 udata.au_qctrl = audit_qctrl;
309 if (uap->length == sizeof(udata.au_qctrl64)) {
310 /* NB: aq64_minfree is unsigned unlike aq_minfree. */
311 if ((udata.au_qctrl64.aq64_hiwater > AQ_MAXHIGH) ||
312 (udata.au_qctrl64.aq64_lowater >=
313 udata.au_qctrl.aq_hiwater) ||
314 (udata.au_qctrl64.aq64_bufsz > AQ_MAXBUFSZ) ||
315 (udata.au_qctrl64.aq64_minfree > 100))
317 audit_qctrl.aq_hiwater =
318 (int)udata.au_qctrl64.aq64_hiwater;
319 audit_qctrl.aq_lowater =
320 (int)udata.au_qctrl64.aq64_lowater;
321 audit_qctrl.aq_bufsz =
322 (int)udata.au_qctrl64.aq64_bufsz;
323 audit_qctrl.aq_minfree =
324 (int)udata.au_qctrl64.aq64_minfree;
325 audit_qctrl.aq_delay = -1; /* Not used. */
328 if (uap->length != sizeof(udata.au_qctrl))
330 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
331 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
332 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
333 (udata.au_qctrl.aq_minfree < 0) ||
334 (udata.au_qctrl.aq_minfree > 100))
337 audit_qctrl = udata.au_qctrl;
338 /* XXX The queue delay value isn't used with the kernel. */
339 audit_qctrl.aq_delay = -1;
368 if (uap->length == sizeof(udata.au_cond64)) {
369 if (audit_enabled && !audit_suspended)
370 udata.au_cond64 = AUC_AUDITING;
372 udata.au_cond64 = AUC_NOAUDIT;
375 if (uap->length != sizeof(udata.au_cond))
377 if (audit_enabled && !audit_suspended)
378 udata.au_cond = AUC_AUDITING;
380 udata.au_cond = AUC_NOAUDIT;
385 if (uap->length == sizeof(udata.au_cond64)) {
386 if (udata.au_cond64 == AUC_NOAUDIT)
388 if (udata.au_cond64 == AUC_AUDITING)
390 if (udata.au_cond64 == AUC_DISABLED) {
392 audit_shutdown(NULL, 0);
396 if (uap->length != sizeof(udata.au_cond))
398 if (udata.au_cond == AUC_NOAUDIT)
400 if (udata.au_cond == AUC_AUDITING)
402 if (udata.au_cond == AUC_DISABLED) {
404 audit_shutdown(NULL, 0);
409 if (uap->length != sizeof(udata.au_evclass))
411 udata.au_evclass.ec_class = au_event_class(
412 udata.au_evclass.ec_number);
416 if (uap->length != sizeof(udata.au_evname))
418 error = au_event_name(udata.au_evname.en_number,
419 udata.au_evname.en_name);
425 if (uap->length != sizeof(udata.au_evclass))
427 au_evclassmap_insert(udata.au_evclass.ec_number,
428 udata.au_evclass.ec_class);
432 if (uap->length != sizeof(udata.au_evname))
435 /* Ensure nul termination from userspace. */
436 udata.au_evname.en_name[sizeof(udata.au_evname.en_name) - 1]
438 au_evnamemap_insert(udata.au_evname.en_number,
439 udata.au_evname.en_name);
443 if (uap->length != sizeof(udata.au_aupinfo))
445 if (udata.au_aupinfo.ap_pid < 1)
447 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
449 if ((error = p_cansee(td, tp)) != 0) {
454 if (cred->cr_audit.ai_termid.at_type == AU_IPv6) {
458 udata.au_aupinfo.ap_auid = cred->cr_audit.ai_auid;
459 udata.au_aupinfo.ap_mask.am_success =
460 cred->cr_audit.ai_mask.am_success;
461 udata.au_aupinfo.ap_mask.am_failure =
462 cred->cr_audit.ai_mask.am_failure;
463 udata.au_aupinfo.ap_termid.machine =
464 cred->cr_audit.ai_termid.at_addr[0];
465 udata.au_aupinfo.ap_termid.port =
466 (dev_t)cred->cr_audit.ai_termid.at_port;
467 udata.au_aupinfo.ap_asid = cred->cr_audit.ai_asid;
472 if (uap->length != sizeof(udata.au_aupinfo))
474 if (udata.au_aupinfo.ap_pid < 1)
477 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) {
481 if ((error = p_cansee(td, tp)) != 0) {
486 oldcred = tp->p_ucred;
487 crcopy(newcred, oldcred);
488 newcred->cr_audit.ai_mask.am_success =
489 udata.au_aupinfo.ap_mask.am_success;
490 newcred->cr_audit.ai_mask.am_failure =
491 udata.au_aupinfo.ap_mask.am_failure;
492 proc_set_cred(tp, newcred);
498 if (uap->length != sizeof(udata.au_fstat))
500 if ((udata.au_fstat.af_filesz != 0) &&
501 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
503 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
507 if (uap->length != sizeof(udata.au_fstat))
509 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
510 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
513 case A_GETPINFO_ADDR:
514 if (uap->length != sizeof(udata.au_aupinfo_addr))
516 if (udata.au_aupinfo_addr.ap_pid < 1)
518 if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
521 udata.au_aupinfo_addr.ap_auid = cred->cr_audit.ai_auid;
522 udata.au_aupinfo_addr.ap_mask.am_success =
523 cred->cr_audit.ai_mask.am_success;
524 udata.au_aupinfo_addr.ap_mask.am_failure =
525 cred->cr_audit.ai_mask.am_failure;
526 udata.au_aupinfo_addr.ap_termid = cred->cr_audit.ai_termid;
527 udata.au_aupinfo_addr.ap_asid = cred->cr_audit.ai_asid;
532 if (uap->length != sizeof(udata.au_kau_info))
534 audit_get_kinfo(&udata.au_kau_info);
538 if (uap->length != sizeof(udata.au_kau_info))
540 if (udata.au_kau_info.ai_termid.at_type != AU_IPv4 &&
541 udata.au_kau_info.ai_termid.at_type != AU_IPv6)
543 audit_set_kinfo(&udata.au_kau_info);
547 if (uap->length != sizeof(udata.au_trigger))
549 if ((udata.au_trigger < AUDIT_TRIGGER_MIN) ||
550 (udata.au_trigger > AUDIT_TRIGGER_MAX))
552 return (audit_send_trigger(udata.au_trigger));
559 * Copy data back to userspace for the GET comands.
575 case A_GETPINFO_ADDR:
577 error = copyout((void *)&udata, uap->data, uap->length);
587 * System calls to manage the user audit information.
591 sys_getauid(struct thread *td, struct getauid_args *uap)
595 if (jailed(td->td_ucred))
597 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
600 return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid,
601 sizeof(td->td_ucred->cr_audit.ai_auid)));
606 sys_setauid(struct thread *td, struct setauid_args *uap)
608 struct ucred *newcred, *oldcred;
612 if (jailed(td->td_ucred))
614 error = copyin(uap->auid, &id, sizeof(id));
619 PROC_LOCK(td->td_proc);
620 oldcred = td->td_proc->p_ucred;
621 crcopy(newcred, oldcred);
623 error = mac_cred_check_setauid(oldcred, id);
627 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
630 newcred->cr_audit.ai_auid = id;
631 proc_set_cred(td->td_proc, newcred);
632 PROC_UNLOCK(td->td_proc);
636 PROC_UNLOCK(td->td_proc);
642 * System calls to get and set process audit information.
646 sys_getaudit(struct thread *td, struct getaudit_args *uap)
655 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
658 if (cred->cr_audit.ai_termid.at_type == AU_IPv6)
660 bzero(&ai, sizeof(ai));
661 ai.ai_auid = cred->cr_audit.ai_auid;
662 ai.ai_mask = cred->cr_audit.ai_mask;
663 ai.ai_asid = cred->cr_audit.ai_asid;
664 ai.ai_termid.machine = cred->cr_audit.ai_termid.at_addr[0];
665 ai.ai_termid.port = cred->cr_audit.ai_termid.at_port;
666 return (copyout(&ai, uap->auditinfo, sizeof(ai)));
671 sys_setaudit(struct thread *td, struct setaudit_args *uap)
673 struct ucred *newcred, *oldcred;
677 if (jailed(td->td_ucred))
679 error = copyin(uap->auditinfo, &ai, sizeof(ai));
682 audit_arg_auditinfo(&ai);
684 PROC_LOCK(td->td_proc);
685 oldcred = td->td_proc->p_ucred;
686 crcopy(newcred, oldcred);
688 error = mac_cred_check_setaudit(oldcred, &ai);
692 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
695 bzero(&newcred->cr_audit, sizeof(newcred->cr_audit));
696 newcred->cr_audit.ai_auid = ai.ai_auid;
697 newcred->cr_audit.ai_mask = ai.ai_mask;
698 newcred->cr_audit.ai_asid = ai.ai_asid;
699 newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
700 newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
701 newcred->cr_audit.ai_termid.at_type = AU_IPv4;
702 proc_set_cred(td->td_proc, newcred);
703 PROC_UNLOCK(td->td_proc);
707 PROC_UNLOCK(td->td_proc);
714 sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
718 if (jailed(td->td_ucred))
720 if (uap->length < sizeof(*uap->auditinfo_addr))
722 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
725 return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr,
726 sizeof(*uap->auditinfo_addr)));
731 sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
733 struct ucred *newcred, *oldcred;
734 struct auditinfo_addr aia;
737 if (jailed(td->td_ucred))
739 error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
742 audit_arg_auditinfo_addr(&aia);
743 if (aia.ai_termid.at_type != AU_IPv6 &&
744 aia.ai_termid.at_type != AU_IPv4)
747 PROC_LOCK(td->td_proc);
748 oldcred = td->td_proc->p_ucred;
749 crcopy(newcred, oldcred);
751 error = mac_cred_check_setaudit_addr(oldcred, &aia);
755 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
758 newcred->cr_audit = aia;
759 proc_set_cred(td->td_proc, newcred);
760 PROC_UNLOCK(td->td_proc);
764 PROC_UNLOCK(td->td_proc);
770 * Syscall to manage audit files.
774 sys_auditctl(struct thread *td, struct auditctl_args *uap)
782 if (jailed(td->td_ucred))
784 error = priv_check(td, PRIV_AUDIT_CONTROL);
792 * If a path is specified, open the replacement vnode, perform
793 * validity checks, and grab another reference to the current
796 * On Darwin, a NULL path argument is also used to disable audit.
798 if (uap->path == NULL)
801 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
802 UIO_USERSPACE, uap->path, td);
803 flags = AUDIT_OPEN_FLAGS;
804 error = vn_open(&nd, &flags, 0, NULL);
809 error = mac_system_check_auditctl(td->td_ucred, vp);
812 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
818 NDFREE(&nd, NDF_ONLY_PNBUF);
819 if (vp->v_type != VREG) {
820 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
827 * XXXAUDIT: Should audit_suspended actually be cleared by
832 audit_rotate_vnode(cred, vp);
840 sys_audit(struct thread *td, struct audit_args *uap)
847 sys_auditon(struct thread *td, struct auditon_args *uap)
854 sys_getauid(struct thread *td, struct getauid_args *uap)
861 sys_setauid(struct thread *td, struct setauid_args *uap)
868 sys_getaudit(struct thread *td, struct getaudit_args *uap)
875 sys_setaudit(struct thread *td, struct setaudit_args *uap)
882 sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
889 sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
896 sys_auditctl(struct thread *td, struct auditctl_args *uap)