| 1 | /*- |
|---|---|
| 2 | * Copyright (c) 1999-2009 Apple Inc. |
| 3 | * Copyright (c) 2005 Robert N. M. Watson |
| 4 | * All rights reserved. |
| 5 | * |
| 6 | * @APPLE_BSD_LICENSE_HEADER_START@ |
| 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions |
| 10 | * are met: |
| 11 | * 1. Redistributions of source code must retain the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer. |
| 13 | * 2. Redistributions in binary form must reproduce the above copyright |
| 14 | * notice, this list of conditions and the following disclaimer in the |
| 15 | * documentation and/or other materials provided with the distribution. |
| 16 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of |
| 17 | * its contributors may be used to endorse or promote products derived |
| 18 | * from this software without specific prior written permission. |
| 19 | * |
| 20 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND |
| 21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 23 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR |
| 24 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 28 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING |
| 29 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 30 | * POSSIBILITY OF SUCH DAMAGE. |
| 31 | * |
| 32 | * @APPLE_BSD_LICENSE_HEADER_END@ |
| 33 | */ |
| 34 | /* |
| 35 | * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce |
| 36 | * support for mandatory and extensible security protections. This notice |
| 37 | * is included in support of clause 2.2 (b) of the Apple Public License, |
| 38 | * Version 2.0. |
| 39 | */ |
| 40 | |
| 41 | #include <sys/systm.h> |
| 42 | #include <sys/sysent.h> |
| 43 | #include <sys/types.h> |
| 44 | #include <sys/proc_internal.h> |
| 45 | #include <sys/vnode_internal.h> |
| 46 | #include <sys/fcntl.h> |
| 47 | #include <sys/filedesc.h> |
| 48 | #include <sys/sem.h> |
| 49 | #include <sys/syscall.h> |
| 50 | |
| 51 | #include <bsm/audit.h> |
| 52 | #include <bsm/audit_kevents.h> |
| 53 | #include <security/audit/audit.h> |
| 54 | #include <security/audit/audit_bsd.h> |
| 55 | #include <security/audit/audit_private.h> |
| 56 | #include <IOKit/IOBSD.h> |
| 57 | |
| 58 | #if CONFIG_AUDIT |
| 59 | /* |
| 60 | * Hash table functions for the audit event number to event class mask |
| 61 | * mapping. |
| 62 | */ |
| 63 | #define EVCLASSMAP_HASH_TABLE_SIZE 251 |
| 64 | struct evclass_elem { |
| 65 | au_event_t event; |
| 66 | au_class_t class; |
| 67 | LIST_ENTRY(evclass_elem) entry; |
| 68 | }; |
| 69 | struct evclass_list { |
| 70 | LIST_HEAD(, evclass_elem) head; |
| 71 | }; |
| 72 | |
| 73 | static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class"); |
| 74 | static struct rwlock evclass_lock; |
| 75 | static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE]; |
| 76 | |
| 77 | #define EVCLASS_LOCK_INIT() rw_init(&evclass_lock, "evclass_lock") |
| 78 | #define EVCLASS_RLOCK() rw_rlock(&evclass_lock) |
| 79 | #define EVCLASS_RUNLOCK() rw_runlock(&evclass_lock) |
| 80 | #define EVCLASS_WLOCK() rw_wlock(&evclass_lock) |
| 81 | #define EVCLASS_WUNLOCK() rw_wunlock(&evclass_lock) |
| 82 | |
| 83 | /* |
| 84 | * Look up the class for an audit event in the class mapping table. |
| 85 | */ |
| 86 | au_class_t |
| 87 | au_event_class(au_event_t event) |
| 88 | { |
| 89 | struct evclass_list *evcl; |
| 90 | struct evclass_elem *evc; |
| 91 | au_class_t class; |
| 92 | |
| 93 | EVCLASS_RLOCK(); |
| 94 | evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; |
| 95 | class = 0; |
| 96 | LIST_FOREACH(evc, &evcl->head, entry) { |
| 97 | if (evc->event == event) { |
| 98 | class = evc->class; |
| 99 | goto out; |
| 100 | } |
| 101 | } |
| 102 | out: |
| 103 | EVCLASS_RUNLOCK(); |
| 104 | return (class); |
| 105 | } |
| 106 | |
| 107 | /* |
| 108 | * Return a new class mask that allows changing the reserved class bit |
| 109 | * only if the current task is entitled to do so or if this is being done |
| 110 | * from the kernel task. If the current task is not allowed to make the |
| 111 | * change, the reserved bit is reverted to its previous state and the rest |
| 112 | * of the mask is left intact. |
| 113 | */ |
| 114 | static au_class_t |
| 115 | au_class_protect(au_class_t old_class, au_class_t new_class) |
| 116 | { |
| 117 | au_class_t result = new_class; |
| 118 | |
| 119 | /* Check if the reserved class bit has been flipped */ |
| 120 | if ((old_class & AU_CLASS_MASK_RESERVED) != |
| 121 | (new_class & AU_CLASS_MASK_RESERVED)) { |
| 122 | |
| 123 | task_t task = current_task(); |
| 124 | if (task != kernel_task && |
| 125 | !IOTaskHasEntitlement(task, AU_CLASS_RESERVED_ENTITLEMENT)) { |
| 126 | /* |
| 127 | * If the caller isn't entitled, revert the class bit: |
| 128 | * - First remove the reserved bit from the new_class mask |
| 129 | * - Next get the state of the old_class mask's reserved bit |
| 130 | * - Finally, OR the result from the first two operations |
| 131 | */ |
| 132 | result = (new_class & ~AU_CLASS_MASK_RESERVED) | |
| 133 | (old_class & AU_CLASS_MASK_RESERVED); |
| 134 | } |
| 135 | } |
| 136 | |
| 137 | return result; |
| 138 | } |
| 139 | |
| 140 | /* |
| 141 | * Insert a event to class mapping. If the event already exists in the |
| 142 | * mapping, then replace the mapping with the new one. |
| 143 | * |
| 144 | * IMPORTANT: This function should only be called from the kernel during |
| 145 | * initialization (e.g. during au_evclassmap_init). Calling afterwards can |
| 146 | * have adverse effects on other system components that rely on event/class |
| 147 | * map state. |
| 148 | * |
| 149 | * XXX There is currently no constraints placed on the number of mappings. |
| 150 | * May want to either limit to a number, or in terms of memory usage. |
| 151 | */ |
| 152 | void |
| 153 | au_evclassmap_insert(au_event_t event, au_class_t class) |
| 154 | { |
| 155 | struct evclass_list *evcl; |
| 156 | struct evclass_elem *evc, *evc_new; |
| 157 | |
| 158 | /* |
| 159 | * If this event requires auditing a system call then add it to our |
| 160 | * audit kernel event mask. We use audit_kevent_mask to check to see |
| 161 | * if the audit syscalls flag needs to be set when preselection masks |
| 162 | * are set. |
| 163 | */ |
| 164 | if (AUE_IS_A_KEVENT(event)) |
| 165 | audit_kevent_mask |= class; |
| 166 | |
| 167 | /* |
| 168 | * Pessimistically, always allocate storage before acquiring mutex. |
| 169 | * Free if there is already a mapping for this event. |
| 170 | */ |
| 171 | evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK); |
| 172 | |
| 173 | EVCLASS_WLOCK(); |
| 174 | evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE]; |
| 175 | LIST_FOREACH(evc, &evcl->head, entry) { |
| 176 | if (evc->event == event) { |
| 177 | evc->class = au_class_protect(evc->class, class); |
| 178 | EVCLASS_WUNLOCK(); |
| 179 | free(evc_new, M_AUDITEVCLASS); |
| 180 | return; |
| 181 | } |
| 182 | } |
| 183 | evc = evc_new; |
| 184 | evc->event = event; |
| 185 | /* |
| 186 | * Mappings that require a new element must use 0 as the "old_class" since |
| 187 | * there is no previous state. |
| 188 | */ |
| 189 | evc->class = au_class_protect(0, class); |
| 190 | LIST_INSERT_HEAD(&evcl->head, evc, entry); |
| 191 | EVCLASS_WUNLOCK(); |
| 192 | } |
| 193 | |
| 194 | void |
| 195 | au_evclassmap_init(void) |
| 196 | { |
| 197 | unsigned int i; |
| 198 | |
| 199 | EVCLASS_LOCK_INIT(); |
| 200 | for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) |
| 201 | LIST_INIT(&evclass_hash[i].head); |
| 202 | |
| 203 | /* |
| 204 | * Set up the initial event to class mapping for system calls. |
| 205 | */ |
| 206 | for (i = 0; i < nsysent; i++) { |
| 207 | if (sys_au_event[i] != AUE_NULL) |
| 208 | au_evclassmap_insert(sys_au_event[i], 0); |
| 209 | |
| 210 | } |
| 211 | |
| 212 | /* |
| 213 | * Add the Mach system call events. These are not in sys_au_event[]. |
| 214 | */ |
| 215 | au_evclassmap_insert(AUE_TASKFORPID, 0); |
| 216 | au_evclassmap_insert(AUE_PIDFORTASK, 0); |
| 217 | au_evclassmap_insert(AUE_SWAPON, 0); |
| 218 | au_evclassmap_insert(AUE_SWAPOFF, 0); |
| 219 | au_evclassmap_insert(AUE_MAPFD, 0); |
| 220 | au_evclassmap_insert(AUE_INITPROCESS, 0); |
| 221 | } |
| 222 | |
| 223 | /* |
| 224 | * Check whether an event is aditable by comparing the mask of classes this |
| 225 | * event is part of against the given mask. |
| 226 | */ |
| 227 | int |
| 228 | au_preselect(__unused au_event_t event, au_class_t class, au_mask_t *mask_p, |
| 229 | int sorf) |
| 230 | { |
| 231 | au_class_t effmask = 0; |
| 232 | |
| 233 | if (mask_p == NULL) |
| 234 | return (-1); |
| 235 | |
| 236 | /* |
| 237 | * Perform the actual check of the masks against the event. |
| 238 | */ |
| 239 | if (sorf & AU_PRS_SUCCESS) |
| 240 | effmask |= (mask_p->am_success & class); |
| 241 | |
| 242 | if (sorf & AU_PRS_FAILURE) |
| 243 | effmask |= (mask_p->am_failure & class); |
| 244 | |
| 245 | if (effmask) |
| 246 | return (1); |
| 247 | else |
| 248 | return (0); |
| 249 | } |
| 250 | |
| 251 | /* |
| 252 | * Convert sysctl names and present arguments to events. |
| 253 | */ |
| 254 | au_event_t |
| 255 | audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg) |
| 256 | { |
| 257 | |
| 258 | /* can't parse it - so return the worst case */ |
| 259 | if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN)) |
| 260 | return (AUE_SYSCTL); |
| 261 | |
| 262 | switch (name[0]) { |
| 263 | /* non-admin "lookups" treat them special */ |
| 264 | case KERN_OSTYPE: |
| 265 | case KERN_OSRELEASE: |
| 266 | case KERN_OSREV: |
| 267 | case KERN_VERSION: |
| 268 | case KERN_ARGMAX: |
| 269 | case KERN_CLOCKRATE: |
| 270 | case KERN_BOOTTIME: |
| 271 | case KERN_POSIX1: |
| 272 | case KERN_NGROUPS: |
| 273 | case KERN_JOB_CONTROL: |
| 274 | case KERN_SAVED_IDS: |
| 275 | case KERN_OSRELDATE: |
| 276 | case KERN_NETBOOT: |
| 277 | case KERN_SYMFILE: |
| 278 | case KERN_SHREG_PRIVATIZABLE: |
| 279 | case KERN_OSVERSION: |
| 280 | return (AUE_SYSCTL_NONADMIN); |
| 281 | |
| 282 | /* only treat the changeable controls as admin */ |
| 283 | case KERN_MAXVNODES: |
| 284 | case KERN_MAXPROC: |
| 285 | case KERN_MAXFILES: |
| 286 | case KERN_MAXPROCPERUID: |
| 287 | case KERN_MAXFILESPERPROC: |
| 288 | case KERN_HOSTID: |
| 289 | case KERN_AIOMAX: |
| 290 | case KERN_AIOPROCMAX: |
| 291 | case KERN_AIOTHREADS: |
| 292 | case KERN_COREDUMP: |
| 293 | case KERN_SUGID_COREDUMP: |
| 294 | case KERN_NX_PROTECTION: |
| 295 | return ((valid_arg & ARG_VALUE32) ? |
| 296 | AUE_SYSCTL : AUE_SYSCTL_NONADMIN); |
| 297 | |
| 298 | default: |
| 299 | return (AUE_SYSCTL); |
| 300 | } |
| 301 | /* NOTREACHED */ |
| 302 | } |
| 303 | |
| 304 | /* |
| 305 | * Convert an open flags specifier into a specific type of open event for |
| 306 | * auditing purposes. |
| 307 | */ |
| 308 | au_event_t |
| 309 | audit_flags_and_error_to_openevent(int oflags, int error) |
| 310 | { |
| 311 | au_event_t aevent; |
| 312 | |
| 313 | /* |
| 314 | * Need to check only those flags we care about. |
| 315 | */ |
| 316 | oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); |
| 317 | |
| 318 | /* |
| 319 | * These checks determine what flags are on with the condition that |
| 320 | * ONLY that combination is on, and no other flags are on. |
| 321 | */ |
| 322 | switch (oflags) { |
| 323 | case O_RDONLY: |
| 324 | aevent = AUE_OPEN_R; |
| 325 | break; |
| 326 | |
| 327 | case (O_RDONLY | O_CREAT): |
| 328 | aevent = AUE_OPEN_RC; |
| 329 | break; |
| 330 | |
| 331 | case (O_RDONLY | O_CREAT | O_TRUNC): |
| 332 | aevent = AUE_OPEN_RTC; |
| 333 | break; |
| 334 | |
| 335 | case (O_RDONLY | O_TRUNC): |
| 336 | aevent = AUE_OPEN_RT; |
| 337 | break; |
| 338 | |
| 339 | case O_RDWR: |
| 340 | aevent = AUE_OPEN_RW; |
| 341 | break; |
| 342 | |
| 343 | case (O_RDWR | O_CREAT): |
| 344 | aevent = AUE_OPEN_RWC; |
| 345 | break; |
| 346 | |
| 347 | case (O_RDWR | O_CREAT | O_TRUNC): |
| 348 | aevent = AUE_OPEN_RWTC; |
| 349 | break; |
| 350 | |
| 351 | case (O_RDWR | O_TRUNC): |
| 352 | aevent = AUE_OPEN_RWT; |
| 353 | break; |
| 354 | |
| 355 | case O_WRONLY: |
| 356 | aevent = AUE_OPEN_W; |
| 357 | break; |
| 358 | |
| 359 | case (O_WRONLY | O_CREAT): |
| 360 | aevent = AUE_OPEN_WC; |
| 361 | break; |
| 362 | |
| 363 | case (O_WRONLY | O_CREAT | O_TRUNC): |
| 364 | aevent = AUE_OPEN_WTC; |
| 365 | break; |
| 366 | |
| 367 | case (O_WRONLY | O_TRUNC): |
| 368 | aevent = AUE_OPEN_WT; |
| 369 | break; |
| 370 | |
| 371 | default: |
| 372 | aevent = AUE_OPEN; |
| 373 | break; |
| 374 | } |
| 375 | |
| 376 | /* |
| 377 | * Convert chatty errors to better matching events. Failures to |
| 378 | * find a file are really just attribute events -- so recast them as |
| 379 | * such. |
| 380 | * |
| 381 | * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it |
| 382 | * is just a placeholder. However, in Darwin we return that in |
| 383 | * preference to other events. |
| 384 | * |
| 385 | * XXXRW: This behavior differs from FreeBSD, so possibly revise this |
| 386 | * code or this comment. |
| 387 | */ |
| 388 | switch (aevent) { |
| 389 | case AUE_OPEN_R: |
| 390 | case AUE_OPEN_RT: |
| 391 | case AUE_OPEN_RW: |
| 392 | case AUE_OPEN_RWT: |
| 393 | case AUE_OPEN_W: |
| 394 | case AUE_OPEN_WT: |
| 395 | if (error == ENOENT) |
| 396 | aevent = AUE_OPEN; |
| 397 | } |
| 398 | return (aevent); |
| 399 | } |
| 400 | |
| 401 | /* |
| 402 | * Convert an open flags specifier into a specific type of open_extended event |
| 403 | * for auditing purposes. |
| 404 | */ |
| 405 | au_event_t |
| 406 | audit_flags_and_error_to_openextendedevent(int oflags, int error) |
| 407 | { |
| 408 | au_event_t aevent; |
| 409 | |
| 410 | /* |
| 411 | * Need to check only those flags we care about. |
| 412 | */ |
| 413 | oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); |
| 414 | |
| 415 | /* |
| 416 | * These checks determine what flags are on with the condition that |
| 417 | * ONLY that combination is on, and no other flags are on. |
| 418 | */ |
| 419 | switch (oflags) { |
| 420 | case O_RDONLY: |
| 421 | aevent = AUE_OPEN_EXTENDED_R; |
| 422 | break; |
| 423 | |
| 424 | case (O_RDONLY | O_CREAT): |
| 425 | aevent = AUE_OPEN_EXTENDED_RC; |
| 426 | break; |
| 427 | |
| 428 | case (O_RDONLY | O_CREAT | O_TRUNC): |
| 429 | aevent = AUE_OPEN_EXTENDED_RTC; |
| 430 | break; |
| 431 | |
| 432 | case (O_RDONLY | O_TRUNC): |
| 433 | aevent = AUE_OPEN_EXTENDED_RT; |
| 434 | break; |
| 435 | |
| 436 | case O_RDWR: |
| 437 | aevent = AUE_OPEN_EXTENDED_RW; |
| 438 | break; |
| 439 | |
| 440 | case (O_RDWR | O_CREAT): |
| 441 | aevent = AUE_OPEN_EXTENDED_RWC; |
| 442 | break; |
| 443 | |
| 444 | case (O_RDWR | O_CREAT | O_TRUNC): |
| 445 | aevent = AUE_OPEN_EXTENDED_RWTC; |
| 446 | break; |
| 447 | |
| 448 | case (O_RDWR | O_TRUNC): |
| 449 | aevent = AUE_OPEN_EXTENDED_RWT; |
| 450 | break; |
| 451 | |
| 452 | case O_WRONLY: |
| 453 | aevent = AUE_OPEN_EXTENDED_W; |
| 454 | break; |
| 455 | |
| 456 | case (O_WRONLY | O_CREAT): |
| 457 | aevent = AUE_OPEN_EXTENDED_WC; |
| 458 | break; |
| 459 | |
| 460 | case (O_WRONLY | O_CREAT | O_TRUNC): |
| 461 | aevent = AUE_OPEN_EXTENDED_WTC; |
| 462 | break; |
| 463 | |
| 464 | case (O_WRONLY | O_TRUNC): |
| 465 | aevent = AUE_OPEN_EXTENDED_WT; |
| 466 | break; |
| 467 | |
| 468 | default: |
| 469 | aevent = AUE_OPEN_EXTENDED; |
| 470 | break; |
| 471 | } |
| 472 | |
| 473 | /* |
| 474 | * Convert chatty errors to better matching events. Failures to |
| 475 | * find a file are really just attribute events -- so recast them as |
| 476 | * such. |
| 477 | * |
| 478 | * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it |
| 479 | * is just a placeholder. However, in Darwin we return that in |
| 480 | * preference to other events. |
| 481 | * |
| 482 | * XXXRW: This behavior differs from FreeBSD, so possibly revise this |
| 483 | * code or this comment. |
| 484 | */ |
| 485 | switch (aevent) { |
| 486 | case AUE_OPEN_EXTENDED_R: |
| 487 | case AUE_OPEN_EXTENDED_RT: |
| 488 | case AUE_OPEN_EXTENDED_RW: |
| 489 | case AUE_OPEN_EXTENDED_RWT: |
| 490 | case AUE_OPEN_EXTENDED_W: |
| 491 | case AUE_OPEN_EXTENDED_WT: |
| 492 | if (error == ENOENT) |
| 493 | aevent = AUE_OPEN_EXTENDED; |
| 494 | } |
| 495 | return (aevent); |
| 496 | } |
| 497 | |
| 498 | /* |
| 499 | * Convert an open flags specifier into a specific type of open_extended event |
| 500 | * for auditing purposes. |
| 501 | */ |
| 502 | au_event_t |
| 503 | audit_flags_and_error_to_openatevent(int oflags, int error) |
| 504 | { |
| 505 | au_event_t aevent; |
| 506 | |
| 507 | /* |
| 508 | * Need to check only those flags we care about. |
| 509 | */ |
| 510 | oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); |
| 511 | |
| 512 | /* |
| 513 | * These checks determine what flags are on with the condition that |
| 514 | * ONLY that combination is on, and no other flags are on. |
| 515 | */ |
| 516 | switch (oflags) { |
| 517 | case O_RDONLY: |
| 518 | aevent = AUE_OPENAT_R; |
| 519 | break; |
| 520 | |
| 521 | case (O_RDONLY | O_CREAT): |
| 522 | aevent = AUE_OPENAT_RC; |
| 523 | break; |
| 524 | |
| 525 | case (O_RDONLY | O_CREAT | O_TRUNC): |
| 526 | aevent = AUE_OPENAT_RTC; |
| 527 | break; |
| 528 | |
| 529 | case (O_RDONLY | O_TRUNC): |
| 530 | aevent = AUE_OPENAT_RT; |
| 531 | break; |
| 532 | |
| 533 | case O_RDWR: |
| 534 | aevent = AUE_OPENAT_RW; |
| 535 | break; |
| 536 | |
| 537 | case (O_RDWR | O_CREAT): |
| 538 | aevent = AUE_OPENAT_RWC; |
| 539 | break; |
| 540 | |
| 541 | case (O_RDWR | O_CREAT | O_TRUNC): |
| 542 | aevent = AUE_OPENAT_RWTC; |
| 543 | break; |
| 544 | |
| 545 | case (O_RDWR | O_TRUNC): |
| 546 | aevent = AUE_OPENAT_RWT; |
| 547 | break; |
| 548 | |
| 549 | case O_WRONLY: |
| 550 | aevent = AUE_OPENAT_W; |
| 551 | break; |
| 552 | |
| 553 | case (O_WRONLY | O_CREAT): |
| 554 | aevent = AUE_OPENAT_WC; |
| 555 | break; |
| 556 | |
| 557 | case (O_WRONLY | O_CREAT | O_TRUNC): |
| 558 | aevent = AUE_OPENAT_WTC; |
| 559 | break; |
| 560 | |
| 561 | case (O_WRONLY | O_TRUNC): |
| 562 | aevent = AUE_OPENAT_WT; |
| 563 | break; |
| 564 | |
| 565 | default: |
| 566 | aevent = AUE_OPENAT; |
| 567 | break; |
| 568 | } |
| 569 | |
| 570 | /* |
| 571 | * Convert chatty errors to better matching events. Failures to |
| 572 | * find a file are really just attribute events -- so recast them as |
| 573 | * such. |
| 574 | * |
| 575 | * XXXAUDIT: Solaris defines that AUE_OPENAT will never be returned, it |
| 576 | * is just a placeholder. However, in Darwin we return that in |
| 577 | * preference to other events. |
| 578 | * |
| 579 | * XXXRW: This behavior differs from FreeBSD, so possibly revise this |
| 580 | * code or this comment. |
| 581 | */ |
| 582 | switch (aevent) { |
| 583 | case AUE_OPENAT_R: |
| 584 | case AUE_OPENAT_RT: |
| 585 | case AUE_OPENAT_RW: |
| 586 | case AUE_OPENAT_RWT: |
| 587 | case AUE_OPENAT_W: |
| 588 | case AUE_OPENAT_WT: |
| 589 | if (error == ENOENT) |
| 590 | aevent = AUE_OPENAT; |
| 591 | } |
| 592 | return (aevent); |
| 593 | } |
| 594 | |
| 595 | /* |
| 596 | * Convert an open flags specifier into a specific type of openbyid event |
| 597 | * for auditing purposes. |
| 598 | */ |
| 599 | au_event_t |
| 600 | audit_flags_and_error_to_openbyidevent(int oflags, int error) |
| 601 | { |
| 602 | au_event_t aevent; |
| 603 | |
| 604 | /* |
| 605 | * Need to check only those flags we care about. |
| 606 | */ |
| 607 | oflags = oflags & (O_RDONLY | O_TRUNC | O_RDWR | O_WRONLY); |
| 608 | |
| 609 | /* |
| 610 | * These checks determine what flags are on with the condition that |
| 611 | * ONLY that combination is on, and no other flags are on. |
| 612 | */ |
| 613 | switch (oflags) { |
| 614 | case O_RDONLY: |
| 615 | aevent = AUE_OPENBYID_R; |
| 616 | break; |
| 617 | |
| 618 | case (O_RDONLY | O_TRUNC): |
| 619 | aevent = AUE_OPENBYID_RT; |
| 620 | break; |
| 621 | |
| 622 | case O_RDWR: |
| 623 | aevent = AUE_OPENBYID_RW; |
| 624 | break; |
| 625 | |
| 626 | case (O_RDWR | O_TRUNC): |
| 627 | aevent = AUE_OPENBYID_RWT; |
| 628 | break; |
| 629 | |
| 630 | case O_WRONLY: |
| 631 | aevent = AUE_OPENBYID_W; |
| 632 | break; |
| 633 | |
| 634 | case (O_WRONLY | O_TRUNC): |
| 635 | aevent = AUE_OPENBYID_WT; |
| 636 | break; |
| 637 | |
| 638 | default: |
| 639 | aevent = AUE_OPENBYID; |
| 640 | break; |
| 641 | } |
| 642 | |
| 643 | /* |
| 644 | * Convert chatty errors to better matching events. Failures to |
| 645 | * find a file are really just attribute events -- so recast them as |
| 646 | * such. |
| 647 | */ |
| 648 | switch (aevent) { |
| 649 | case AUE_OPENBYID_R: |
| 650 | case AUE_OPENBYID_RT: |
| 651 | case AUE_OPENBYID_RW: |
| 652 | case AUE_OPENBYID_RWT: |
| 653 | case AUE_OPENBYID_W: |
| 654 | case AUE_OPENBYID_WT: |
| 655 | if (error == ENOENT) |
| 656 | aevent = AUE_OPENBYID; |
| 657 | } |
| 658 | return (aevent); |
| 659 | } |
| 660 | |
| 661 | /* |
| 662 | * Convert a MSGCTL command to a specific event. |
| 663 | */ |
| 664 | au_event_t |
| 665 | audit_msgctl_to_event(int cmd) |
| 666 | { |
| 667 | |
| 668 | switch (cmd) { |
| 669 | case IPC_RMID: |
| 670 | return (AUE_MSGCTL_RMID); |
| 671 | |
| 672 | case IPC_SET: |
| 673 | return (AUE_MSGCTL_SET); |
| 674 | |
| 675 | case IPC_STAT: |
| 676 | return (AUE_MSGCTL_STAT); |
| 677 | |
| 678 | default: |
| 679 | /* We will audit a bad command. */ |
| 680 | return (AUE_MSGCTL); |
| 681 | } |
| 682 | } |
| 683 | |
| 684 | /* |
| 685 | * Convert a SEMCTL command to a specific event. |
| 686 | */ |
| 687 | au_event_t |
| 688 | audit_semctl_to_event(int cmd) |
| 689 | { |
| 690 | |
| 691 | switch (cmd) { |
| 692 | case GETALL: |
| 693 | return (AUE_SEMCTL_GETALL); |
| 694 | |
| 695 | case GETNCNT: |
| 696 | return (AUE_SEMCTL_GETNCNT); |
| 697 | |
| 698 | case GETPID: |
| 699 | return (AUE_SEMCTL_GETPID); |
| 700 | |
| 701 | case GETVAL: |
| 702 | return (AUE_SEMCTL_GETVAL); |
| 703 | |
| 704 | case GETZCNT: |
| 705 | return (AUE_SEMCTL_GETZCNT); |
| 706 | |
| 707 | case IPC_RMID: |
| 708 | return (AUE_SEMCTL_RMID); |
| 709 | |
| 710 | case IPC_SET: |
| 711 | return (AUE_SEMCTL_SET); |
| 712 | |
| 713 | case SETALL: |
| 714 | return (AUE_SEMCTL_SETALL); |
| 715 | |
| 716 | case SETVAL: |
| 717 | return (AUE_SEMCTL_SETVAL); |
| 718 | |
| 719 | case IPC_STAT: |
| 720 | return (AUE_SEMCTL_STAT); |
| 721 | |
| 722 | default: |
| 723 | /* We will audit a bad command. */ |
| 724 | return (AUE_SEMCTL); |
| 725 | } |
| 726 | } |
| 727 | |
| 728 | /* |
| 729 | * Convert a command for the auditon() system call to a audit event. |
| 730 | */ |
| 731 | au_event_t |
| 732 | auditon_command_event(int cmd) |
| 733 | { |
| 734 | |
| 735 | switch(cmd) { |
| 736 | case A_GETPOLICY: |
| 737 | return (AUE_AUDITON_GPOLICY); |
| 738 | |
| 739 | case A_SETPOLICY: |
| 740 | return (AUE_AUDITON_SPOLICY); |
| 741 | |
| 742 | case A_GETKMASK: |
| 743 | return (AUE_AUDITON_GETKMASK); |
| 744 | |
| 745 | case A_SETKMASK: |
| 746 | return (AUE_AUDITON_SETKMASK); |
| 747 | |
| 748 | case A_GETQCTRL: |
| 749 | return (AUE_AUDITON_GQCTRL); |
| 750 | |
| 751 | case A_SETQCTRL: |
| 752 | return (AUE_AUDITON_SQCTRL); |
| 753 | |
| 754 | case A_GETCWD: |
| 755 | return (AUE_AUDITON_GETCWD); |
| 756 | |
| 757 | case A_GETCAR: |
| 758 | return (AUE_AUDITON_GETCAR); |
| 759 | |
| 760 | case A_GETSTAT: |
| 761 | return (AUE_AUDITON_GETSTAT); |
| 762 | |
| 763 | case A_SETSTAT: |
| 764 | return (AUE_AUDITON_SETSTAT); |
| 765 | |
| 766 | case A_SETUMASK: |
| 767 | return (AUE_AUDITON_SETUMASK); |
| 768 | |
| 769 | case A_SETSMASK: |
| 770 | return (AUE_AUDITON_SETSMASK); |
| 771 | |
| 772 | case A_GETCOND: |
| 773 | return (AUE_AUDITON_GETCOND); |
| 774 | |
| 775 | case A_SETCOND: |
| 776 | return (AUE_AUDITON_SETCOND); |
| 777 | |
| 778 | case A_GETCLASS: |
| 779 | return (AUE_AUDITON_GETCLASS); |
| 780 | |
| 781 | case A_SETCLASS: |
| 782 | return (AUE_AUDITON_SETCLASS); |
| 783 | |
| 784 | case A_GETPINFO: |
| 785 | case A_SETPMASK: |
| 786 | case A_SETFSIZE: |
| 787 | case A_GETFSIZE: |
| 788 | case A_GETPINFO_ADDR: |
| 789 | case A_GETKAUDIT: |
| 790 | case A_SETKAUDIT: |
| 791 | case A_GETSINFO_ADDR: |
| 792 | default: |
| 793 | return (AUE_AUDITON); /* No special record */ |
| 794 | } |
| 795 | } |
| 796 | |
| 797 | /* |
| 798 | * For darwin we rewrite events generated by fcntl(F_OPENFROM,...) and |
| 799 | * fcntl(F_UNLINKFROM,...) system calls to AUE_OPENAT_* and AUE_UNLINKAT audit |
| 800 | * events. |
| 801 | */ |
| 802 | au_event_t |
| 803 | audit_fcntl_command_event(int cmd, int oflags, int error) |
| 804 | { |
| 805 | switch(cmd) { |
| 806 | case F_OPENFROM: |
| 807 | return (audit_flags_and_error_to_openatevent(oflags, error)); |
| 808 | |
| 809 | case F_UNLINKFROM: |
| 810 | return (AUE_UNLINKAT); |
| 811 | |
| 812 | default: |
| 813 | return (AUE_FCNTL); /* Don't change from AUE_FCNTL. */ |
| 814 | } |
| 815 | } |
| 816 | |
| 817 | /* |
| 818 | * Create a canonical path from given path by prefixing either the root |
| 819 | * directory, or the current working directory. |
| 820 | */ |
| 821 | int |
| 822 | audit_canon_path(struct vnode *cwd_vp, char *path, char *cpath) |
| 823 | { |
| 824 | int len; |
| 825 | int ret; |
| 826 | char *bufp = path; |
| 827 | |
| 828 | /* |
| 829 | * Convert multiple leading '/' into a single '/' if the cwd_vp is |
| 830 | * NULL (i.e. an absolute path), and strip them entirely if the |
| 831 | * cwd_vp represents a chroot directory (i.e. the caller checked for |
| 832 | * an initial '/' character itself, saw one, and passed fdp->fd_rdir). |
| 833 | * Somewhat complicated, but it places the onus for locking structs |
| 834 | * involved on the caller, and makes proxy operations explicit rather |
| 835 | * than implicit. |
| 836 | */ |
| 837 | if (*(path) == '/') { |
| 838 | while (*(bufp) == '/') |
| 839 | bufp++; /* skip leading '/'s */ |
| 840 | if (cwd_vp == NULL) |
| 841 | bufp--; /* restore one '/' */ |
| 842 | } |
| 843 | if (cwd_vp != NULL) { |
| 844 | len = MAXPATHLEN; |
| 845 | ret = vn_getpath(cwd_vp, cpath, &len); |
| 846 | if (ret != 0) { |
| 847 | cpath[0] = '\0'; |
| 848 | return (ret); |
| 849 | } |
| 850 | if (len < MAXPATHLEN) |
| 851 | cpath[len-1] = '/'; |
| 852 | strlcpy(cpath + len, bufp, MAXPATHLEN - len); |
| 853 | } else { |
| 854 | strlcpy(cpath, bufp, MAXPATHLEN); |
| 855 | } |
| 856 | return (0); |
| 857 | } |
| 858 | #endif /* CONFIG_AUDIT */ |
| 859 |
Generated on 2019-Apr-09 from project codebrowser revision 4903.221.2
Powered by 
Code Browser 2.1
Generator usage only permitted with license.