2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2016, 2018 Robert N. M. Watson
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
22 * its contributors may be used to endorse or promote products derived
23 * from this software without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
41 #include <sys/param.h>
42 #include <sys/mount.h>
43 #include <sys/namei.h>
46 #include <sys/sysproto.h>
47 #include <sys/systm.h>
48 #include <sys/vnode.h>
51 #include <bsm/audit.h>
52 #include <bsm/audit_kevents.h>
54 #include <security/audit/audit.h>
55 #include <security/audit/audit_private.h>
56 #include <security/mac/mac_framework.h>
61 * System call to allow a user space application to submit a BSM audit record
62 * to the kernel for inclusion in the audit log. This function does little
63 * verification on the audit record that is submitted.
65 * XXXAUDIT: Audit preselection for user records does not currently work,
66 * since we pre-select only based on the AUE_audit event type, not the event
67 * type submitted as part of the user audit data.
71 sys_audit(struct thread *td, struct audit_args *uap)
75 struct kaudit_record *ar;
77 if (jailed(td->td_ucred))
79 error = priv_check(td, PRIV_AUDIT_SUBMIT);
83 if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
89 * If there's no current audit record (audit() itself not audited)
90 * commit the user audit record.
94 * This is not very efficient; we're required to allocate a
95 * complete kernel audit record just so the user record can
98 * XXXAUDIT: Maybe AUE_AUDIT in the system call context and
99 * special pre-select handling?
101 td->td_ar = audit_new(AUE_NULL, td);
102 if (td->td_ar == NULL)
104 td->td_pflags |= TDP_AUDITREC;
108 if (uap->length > MAX_AUDIT_RECORD_SIZE)
111 rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
113 error = copyin(uap->record, rec, uap->length);
117 /* Verify the record. */
118 if (bsm_rec_verify(rec) == 0) {
124 error = mac_system_check_audit(td->td_ucred, rec, uap->length);
130 * Attach the user audit record to the kernel audit record. Because
131 * this system call is an auditable event, we will write the user
132 * record along with the record for this audit event.
134 * XXXAUDIT: KASSERT appropriate starting values of k_udata, k_ulen,
135 * k_ar_commit & AR_COMMIT_USER?
138 ar->k_ulen = uap->length;
139 ar->k_ar_commit |= AR_COMMIT_USER;
142 * Currently we assume that all preselection has been performed in
143 * userspace. We unconditionally set these masks so that the records
144 * get committed both to the trail and pipe. In the future we will
145 * want to setup kernel based preselection.
147 ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
152 * audit_syscall_exit() will free the audit record on the thread even
153 * if we allocated it above.
155 free(rec, M_AUDITDATA);
160 * System call to manipulate auditing.
164 sys_auditon(struct thread *td, struct auditon_args *uap)
166 struct ucred *cred, *newcred, *oldcred;
168 union auditon_udata udata;
171 if (jailed(td->td_ucred))
173 AUDIT_ARG_CMD(uap->cmd);
176 error = mac_system_check_auditon(td->td_ucred, uap->cmd);
181 error = priv_check(td, PRIV_AUDIT_CONTROL);
185 if ((uap->length <= 0) || (uap->length > sizeof(union auditon_udata)))
188 memset((void *)&udata, 0, sizeof(udata));
191 * Some of the GET commands use the arguments too.
212 case A_GETPINFO_ADDR:
214 error = copyin(uap->data, (void *)&udata, uap->length);
217 AUDIT_ARG_AUDITON(&udata);
227 if (uap->length == sizeof(udata.au_policy64)) {
228 if (!audit_fail_stop)
229 udata.au_policy64 |= AUDIT_CNT;
230 if (audit_panic_on_write_fail)
231 udata.au_policy64 |= AUDIT_AHLT;
233 udata.au_policy64 |= AUDIT_ARGV;
235 udata.au_policy64 |= AUDIT_ARGE;
238 if (uap->length != sizeof(udata.au_policy))
240 if (!audit_fail_stop)
241 udata.au_policy |= AUDIT_CNT;
242 if (audit_panic_on_write_fail)
243 udata.au_policy |= AUDIT_AHLT;
245 udata.au_policy |= AUDIT_ARGV;
247 udata.au_policy |= AUDIT_ARGE;
252 if (uap->length == sizeof(udata.au_policy64)) {
253 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|
254 AUDIT_ARGV|AUDIT_ARGE))
256 audit_fail_stop = ((udata.au_policy64 & AUDIT_CNT) ==
258 audit_panic_on_write_fail = (udata.au_policy64 &
260 audit_argv = (udata.au_policy64 & AUDIT_ARGV);
261 audit_arge = (udata.au_policy64 & AUDIT_ARGE);
264 if (uap->length != sizeof(udata.au_policy))
266 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|AUDIT_ARGV|
270 * XXX - Need to wake up waiters if the policy relaxes?
272 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
273 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
274 audit_argv = (udata.au_policy & AUDIT_ARGV);
275 audit_arge = (udata.au_policy & AUDIT_ARGE);
279 if (uap->length != sizeof(udata.au_mask))
281 udata.au_mask = audit_nae_mask;
285 if (uap->length != sizeof(udata.au_mask))
287 audit_nae_mask = udata.au_mask;
292 if (uap->length == sizeof(udata.au_qctrl64)) {
293 udata.au_qctrl64.aq64_hiwater =
294 (u_int64_t)audit_qctrl.aq_hiwater;
295 udata.au_qctrl64.aq64_lowater =
296 (u_int64_t)audit_qctrl.aq_lowater;
297 udata.au_qctrl64.aq64_bufsz =
298 (u_int64_t)audit_qctrl.aq_bufsz;
299 udata.au_qctrl64.aq64_minfree =
300 (u_int64_t)audit_qctrl.aq_minfree;
303 if (uap->length != sizeof(udata.au_qctrl))
305 udata.au_qctrl = audit_qctrl;
310 if (uap->length == sizeof(udata.au_qctrl64)) {
311 /* NB: aq64_minfree is unsigned unlike aq_minfree. */
312 if ((udata.au_qctrl64.aq64_hiwater > AQ_MAXHIGH) ||
313 (udata.au_qctrl64.aq64_lowater >=
314 udata.au_qctrl.aq_hiwater) ||
315 (udata.au_qctrl64.aq64_bufsz > AQ_MAXBUFSZ) ||
316 (udata.au_qctrl64.aq64_minfree > 100))
318 audit_qctrl.aq_hiwater =
319 (int)udata.au_qctrl64.aq64_hiwater;
320 audit_qctrl.aq_lowater =
321 (int)udata.au_qctrl64.aq64_lowater;
322 audit_qctrl.aq_bufsz =
323 (int)udata.au_qctrl64.aq64_bufsz;
324 audit_qctrl.aq_minfree =
325 (int)udata.au_qctrl64.aq64_minfree;
326 audit_qctrl.aq_delay = -1; /* Not used. */
329 if (uap->length != sizeof(udata.au_qctrl))
331 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
332 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
333 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
334 (udata.au_qctrl.aq_minfree < 0) ||
335 (udata.au_qctrl.aq_minfree > 100))
338 audit_qctrl = udata.au_qctrl;
339 /* XXX The queue delay value isn't used with the kernel. */
340 audit_qctrl.aq_delay = -1;
369 if (uap->length == sizeof(udata.au_cond64)) {
370 if (audit_trail_enabled && !audit_trail_suspended)
371 udata.au_cond64 = AUC_AUDITING;
373 udata.au_cond64 = AUC_NOAUDIT;
376 if (uap->length != sizeof(udata.au_cond))
378 if (audit_trail_enabled && !audit_trail_suspended)
379 udata.au_cond = AUC_AUDITING;
381 udata.au_cond = AUC_NOAUDIT;
386 if (uap->length == sizeof(udata.au_cond64)) {
387 if (udata.au_cond64 == AUC_NOAUDIT)
388 audit_trail_suspended = 1;
389 if (udata.au_cond64 == AUC_AUDITING)
390 audit_trail_suspended = 0;
391 if (udata.au_cond64 == AUC_DISABLED) {
392 audit_trail_suspended = 1;
393 audit_shutdown(NULL, 0);
395 audit_syscalls_enabled_update();
398 if (uap->length != sizeof(udata.au_cond))
400 if (udata.au_cond == AUC_NOAUDIT)
401 audit_trail_suspended = 1;
402 if (udata.au_cond == AUC_AUDITING)
403 audit_trail_suspended = 0;
404 if (udata.au_cond == AUC_DISABLED) {
405 audit_trail_suspended = 1;
406 audit_shutdown(NULL, 0);
408 audit_syscalls_enabled_update();
412 if (uap->length != sizeof(udata.au_evclass))
414 udata.au_evclass.ec_class = au_event_class(
415 udata.au_evclass.ec_number);
419 if (uap->length != sizeof(udata.au_evname))
421 error = au_event_name(udata.au_evname.en_number,
422 udata.au_evname.en_name);
428 if (uap->length != sizeof(udata.au_evclass))
430 au_evclassmap_insert(udata.au_evclass.ec_number,
431 udata.au_evclass.ec_class);
435 if (uap->length != sizeof(udata.au_evname))
438 /* Ensure nul termination from userspace. */
439 udata.au_evname.en_name[sizeof(udata.au_evname.en_name) - 1]
441 au_evnamemap_insert(udata.au_evname.en_number,
442 udata.au_evname.en_name);
446 if (uap->length != sizeof(udata.au_aupinfo))
448 if (udata.au_aupinfo.ap_pid < 1)
450 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
452 if ((error = p_cansee(td, tp)) != 0) {
457 if (cred->cr_audit.ai_termid.at_type == AU_IPv6) {
461 udata.au_aupinfo.ap_auid = cred->cr_audit.ai_auid;
462 udata.au_aupinfo.ap_mask.am_success =
463 cred->cr_audit.ai_mask.am_success;
464 udata.au_aupinfo.ap_mask.am_failure =
465 cred->cr_audit.ai_mask.am_failure;
466 udata.au_aupinfo.ap_termid.machine =
467 cred->cr_audit.ai_termid.at_addr[0];
468 udata.au_aupinfo.ap_termid.port =
469 (dev_t)cred->cr_audit.ai_termid.at_port;
470 udata.au_aupinfo.ap_asid = cred->cr_audit.ai_asid;
475 if (uap->length != sizeof(udata.au_aupinfo))
477 if (udata.au_aupinfo.ap_pid < 1)
480 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) {
484 if ((error = p_cansee(td, tp)) != 0) {
489 oldcred = tp->p_ucred;
490 crcopy(newcred, oldcred);
491 newcred->cr_audit.ai_mask.am_success =
492 udata.au_aupinfo.ap_mask.am_success;
493 newcred->cr_audit.ai_mask.am_failure =
494 udata.au_aupinfo.ap_mask.am_failure;
495 proc_set_cred(tp, newcred);
501 if (uap->length != sizeof(udata.au_fstat))
503 if ((udata.au_fstat.af_filesz != 0) &&
504 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
506 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
510 if (uap->length != sizeof(udata.au_fstat))
512 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
513 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
516 case A_GETPINFO_ADDR:
517 if (uap->length != sizeof(udata.au_aupinfo_addr))
519 if (udata.au_aupinfo_addr.ap_pid < 1)
521 if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
524 udata.au_aupinfo_addr.ap_auid = cred->cr_audit.ai_auid;
525 udata.au_aupinfo_addr.ap_mask.am_success =
526 cred->cr_audit.ai_mask.am_success;
527 udata.au_aupinfo_addr.ap_mask.am_failure =
528 cred->cr_audit.ai_mask.am_failure;
529 udata.au_aupinfo_addr.ap_termid = cred->cr_audit.ai_termid;
530 udata.au_aupinfo_addr.ap_asid = cred->cr_audit.ai_asid;
535 if (uap->length != sizeof(udata.au_kau_info))
537 audit_get_kinfo(&udata.au_kau_info);
541 if (uap->length != sizeof(udata.au_kau_info))
543 if (udata.au_kau_info.ai_termid.at_type != AU_IPv4 &&
544 udata.au_kau_info.ai_termid.at_type != AU_IPv6)
546 audit_set_kinfo(&udata.au_kau_info);
550 if (uap->length != sizeof(udata.au_trigger))
552 if ((udata.au_trigger < AUDIT_TRIGGER_MIN) ||
553 (udata.au_trigger > AUDIT_TRIGGER_MAX))
555 return (audit_send_trigger(udata.au_trigger));
562 * Copy data back to userspace for the GET comands.
578 case A_GETPINFO_ADDR:
580 error = copyout((void *)&udata, uap->data, uap->length);
590 * System calls to manage the user audit information.
594 sys_getauid(struct thread *td, struct getauid_args *uap)
598 if (jailed(td->td_ucred))
600 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
603 return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid,
604 sizeof(td->td_ucred->cr_audit.ai_auid)));
609 sys_setauid(struct thread *td, struct setauid_args *uap)
611 struct ucred *newcred, *oldcred;
615 if (jailed(td->td_ucred))
617 error = copyin(uap->auid, &id, sizeof(id));
622 PROC_LOCK(td->td_proc);
623 oldcred = td->td_proc->p_ucred;
624 crcopy(newcred, oldcred);
626 error = mac_cred_check_setauid(oldcred, id);
630 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
633 newcred->cr_audit.ai_auid = id;
634 proc_set_cred(td->td_proc, newcred);
635 PROC_UNLOCK(td->td_proc);
639 PROC_UNLOCK(td->td_proc);
645 * System calls to get and set process audit information.
649 sys_getaudit(struct thread *td, struct getaudit_args *uap)
658 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
661 if (cred->cr_audit.ai_termid.at_type == AU_IPv6)
663 bzero(&ai, sizeof(ai));
664 ai.ai_auid = cred->cr_audit.ai_auid;
665 ai.ai_mask = cred->cr_audit.ai_mask;
666 ai.ai_asid = cred->cr_audit.ai_asid;
667 ai.ai_termid.machine = cred->cr_audit.ai_termid.at_addr[0];
668 ai.ai_termid.port = cred->cr_audit.ai_termid.at_port;
669 return (copyout(&ai, uap->auditinfo, sizeof(ai)));
674 sys_setaudit(struct thread *td, struct setaudit_args *uap)
676 struct ucred *newcred, *oldcred;
680 if (jailed(td->td_ucred))
682 error = copyin(uap->auditinfo, &ai, sizeof(ai));
685 audit_arg_auditinfo(&ai);
687 PROC_LOCK(td->td_proc);
688 oldcred = td->td_proc->p_ucred;
689 crcopy(newcred, oldcred);
691 error = mac_cred_check_setaudit(oldcred, &ai);
695 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
698 bzero(&newcred->cr_audit, sizeof(newcred->cr_audit));
699 newcred->cr_audit.ai_auid = ai.ai_auid;
700 newcred->cr_audit.ai_mask = ai.ai_mask;
701 newcred->cr_audit.ai_asid = ai.ai_asid;
702 newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
703 newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
704 newcred->cr_audit.ai_termid.at_type = AU_IPv4;
705 proc_set_cred(td->td_proc, newcred);
706 PROC_UNLOCK(td->td_proc);
710 PROC_UNLOCK(td->td_proc);
717 sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
721 if (jailed(td->td_ucred))
723 if (uap->length < sizeof(*uap->auditinfo_addr))
725 error = priv_check(td, PRIV_AUDIT_GETAUDIT);
728 return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr,
729 sizeof(*uap->auditinfo_addr)));
734 sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
736 struct ucred *newcred, *oldcred;
737 struct auditinfo_addr aia;
740 if (jailed(td->td_ucred))
742 error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
745 audit_arg_auditinfo_addr(&aia);
746 if (aia.ai_termid.at_type != AU_IPv6 &&
747 aia.ai_termid.at_type != AU_IPv4)
750 PROC_LOCK(td->td_proc);
751 oldcred = td->td_proc->p_ucred;
752 crcopy(newcred, oldcred);
754 error = mac_cred_check_setaudit_addr(oldcred, &aia);
758 error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
761 newcred->cr_audit = aia;
762 proc_set_cred(td->td_proc, newcred);
763 PROC_UNLOCK(td->td_proc);
767 PROC_UNLOCK(td->td_proc);
773 * Syscall to manage audit files.
777 sys_auditctl(struct thread *td, struct auditctl_args *uap)
785 if (jailed(td->td_ucred))
787 error = priv_check(td, PRIV_AUDIT_CONTROL);
795 * If a path is specified, open the replacement vnode, perform
796 * validity checks, and grab another reference to the current
799 * On Darwin, a NULL path argument is also used to disable audit.
801 if (uap->path == NULL)
804 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
805 UIO_USERSPACE, uap->path, td);
806 flags = AUDIT_OPEN_FLAGS;
807 error = vn_open(&nd, &flags, 0, NULL);
812 error = mac_system_check_auditctl(td->td_ucred, vp);
815 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
821 NDFREE(&nd, NDF_ONLY_PNBUF);
822 if (vp->v_type != VREG) {
823 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
830 * XXXAUDIT: Should audit_trail_suspended actually be cleared by
833 audit_trail_suspended = 0;
834 audit_syscalls_enabled_update();
836 audit_rotate_vnode(cred, vp);
844 sys_audit(struct thread *td, struct audit_args *uap)
851 sys_auditon(struct thread *td, struct auditon_args *uap)
858 sys_getauid(struct thread *td, struct getauid_args *uap)
865 sys_setauid(struct thread *td, struct setauid_args *uap)
872 sys_getaudit(struct thread *td, struct getaudit_args *uap)
879 sys_setaudit(struct thread *td, struct setaudit_args *uap)
886 sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
893 sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
900 sys_auditctl(struct thread *td, struct auditctl_args *uap)