1/*-
2 * Copyright (c) 1999-2008 Apple Inc.
3 * All rights reserved.
4 *
5 * @APPLE_BSD_LICENSE_HEADER_START@
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
16 * its contributors may be used to endorse or promote products derived
17 * from this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
23 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
28 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 *
31 * @APPLE_BSD_LICENSE_HEADER_END@
32 */
33/*
34 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
35 * support for mandatory and extensible security protections. This notice
36 * is included in support of clause 2.2 (b) of the Apple Public License,
37 * Version 2.0.
38 */
39
40#include <sys/kernel.h>
41#include <sys/proc.h>
42#include <sys/kauth.h>
43#include <sys/queue.h>
44#include <sys/systm.h>
45
46#include <bsm/audit.h>
47#include <bsm/audit_internal.h>
48#include <bsm/audit_kevents.h>
49
50#include <security/audit/audit.h>
51#include <security/audit/audit_private.h>
52
53#include <mach/host_priv.h>
54#include <mach/host_special_ports.h>
55#include <mach/audit_triggers_server.h>
56
57#include <kern/host.h>
58#include <kern/kalloc.h>
59#include <kern/zalloc.h>
60#include <kern/sched_prim.h>
61
62#if CONFIG_AUDIT
63
64#if CONFIG_MACF
65#include <bsm/audit_record.h>
66#include <security/mac.h>
67#include <security/mac_framework.h>
68#include <security/mac_policy.h>
69#define MAC_ARG_PREFIX "arg: "
70#define MAC_ARG_PREFIX_LEN 5
71
72zone_t audit_mac_label_zone;
73extern zone_t mac_audit_data_zone;
74
75void
76audit_mac_init(void)
77{
78 /* Assume 3 MAC labels for each audit record: two for vnodes,
79 * one for creds.
80 */
81 audit_mac_label_zone = zinit(MAC_AUDIT_LABEL_LEN,
82 AQ_HIWATER * 3*MAC_AUDIT_LABEL_LEN, 8192, "audit_mac_label_zone");
83}
84
85int
86audit_mac_new(proc_t p, struct kaudit_record *ar)
87{
88 struct mac mac;
89
90 /*
91 * Retrieve the MAC labels for the process.
92 */
93 ar->k_ar.ar_cred_mac_labels = (char *)zalloc(audit_mac_label_zone);
94 if (ar->k_ar.ar_cred_mac_labels == NULL)
95 return (1);
96 mac.m_buflen = MAC_AUDIT_LABEL_LEN;
97 mac.m_string = ar->k_ar.ar_cred_mac_labels;
98 mac_cred_label_externalize_audit(p, &mac);
99
100 /*
101 * grab space for the reconds.
102 */
103 ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
104 kalloc(sizeof(*ar->k_ar.ar_mac_records));
105 if (ar->k_ar.ar_mac_records == NULL) {
106 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
107 return (1);
108 }
109 LIST_INIT(ar->k_ar.ar_mac_records);
110 ar->k_ar.ar_forced_by_mac = 0;
111
112 return (0);
113}
114
115void
116audit_mac_free(struct kaudit_record *ar)
117{
118 struct mac_audit_record *head, *next;
119
120 if (ar->k_ar.ar_vnode1_mac_labels != NULL)
121 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode1_mac_labels);
122 if (ar->k_ar.ar_vnode2_mac_labels != NULL)
123 zfree(audit_mac_label_zone, ar->k_ar.ar_vnode2_mac_labels);
124 if (ar->k_ar.ar_cred_mac_labels != NULL)
125 zfree(audit_mac_label_zone, ar->k_ar.ar_cred_mac_labels);
126 if (ar->k_ar.ar_arg_mac_string != NULL)
127 kfree(ar->k_ar.ar_arg_mac_string,
128 MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
129
130 /*
131 * Free the audit data from the MAC policies.
132 */
133 head = LIST_FIRST(ar->k_ar.ar_mac_records);
134 while (head != NULL) {
135 next = LIST_NEXT(head, records);
136 zfree(mac_audit_data_zone, head->data);
137 kfree(head, sizeof(*head));
138 head = next;
139 }
140 kfree(ar->k_ar.ar_mac_records, sizeof(*ar->k_ar.ar_mac_records));
141}
142
143int
144audit_mac_syscall_enter(unsigned short code, proc_t p, struct uthread *uthread,
145 kauth_cred_t my_cred, au_event_t event)
146{
147 int error;
148
149 error = mac_audit_check_preselect(my_cred, code,
150 (void *)uthread->uu_arg);
151 if (error == MAC_AUDIT_YES) {
152 uthread->uu_ar = audit_new(event, p, uthread);
153 uthread->uu_ar->k_ar.ar_forced_by_mac = 1;
154 au_to_text("Forced by a MAC policy");
155 return (1);
156 } else if (error == MAC_AUDIT_NO) {
157 return (0);
158 } else if (error == MAC_AUDIT_DEFAULT) {
159 return (1);
160 }
161
162 return (0);
163}
164
165int
166audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, int error,
167 int retval)
168{
169 int mac_error;
170
171 if (uthread->uu_ar == NULL) /* syscall wasn't audited */
172 return (1);
173
174 /*
175 * Note, no other postselect mechanism exists. If
176 * mac_audit_check_postselect returns MAC_AUDIT_NO, the record will be
177 * suppressed. Other values at this point result in the audit record
178 * being committed. This suppression behavior will probably go away in
179 * the port to 10.3.4.
180 */
181 mac_error = mac_audit_check_postselect(kauth_cred_get(), code,
182 (void *) uthread->uu_arg, error, retval,
183 uthread->uu_ar->k_ar.ar_forced_by_mac);
184
185 if (mac_error == MAC_AUDIT_YES)
186 uthread->uu_ar->k_ar_commit |= AR_COMMIT_KERNEL;
187 else if (mac_error == MAC_AUDIT_NO) {
188 audit_free(uthread->uu_ar);
189 return (1);
190 }
191 return (0);
192}
193
194/*
195 * This function is called by the MAC Framework to add audit data
196 * from a policy to the current audit record.
197 */
198int
199audit_mac_data(int type, int len, u_char *data) {
200 struct kaudit_record *cur;
201 struct mac_audit_record *record;
202
203 if (audit_enabled == 0) {
204 kfree(data, len);
205 return (ENOTSUP);
206 }
207
208 cur = currecord();
209 if (cur == NULL) {
210 kfree(data, len);
211 return (ENOTSUP);
212 }
213
214 /*
215 * XXX: Note that we silently drop the audit data if this
216 * allocation fails - this is consistent with the rest of the
217 * audit implementation.
218 */
219 record = kalloc(sizeof(*record));
220 if (record == NULL) {
221 kfree(data, len);
222 return (0);
223 }
224
225 record->type = type;
226 record->length = len;
227 record->data = data;
228 LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
229
230 return (0);
231}
232
233void
234audit_arg_mac_string(struct kaudit_record *ar, char *string)
235{
236
237 if (ar->k_ar.ar_arg_mac_string == NULL)
238 ar->k_ar.ar_arg_mac_string =
239 kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
240
241 /*
242 * XXX This should be a rare event. If kalloc() returns NULL,
243 * the system is low on kernel virtual memory. To be
244 * consistent with the rest of audit, just return
245 * (may need to panic if required to for audit).
246 */
247 if (ar->k_ar.ar_arg_mac_string == NULL)
248 if (ar->k_ar.ar_arg_mac_string == NULL)
249 return;
250
251 strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX,
252 MAC_ARG_PREFIX_LEN);
253 strncpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string,
254 MAC_MAX_LABEL_BUF_LEN);
255 ARG_SET_VALID(ar, ARG_MAC_STRING);
256}
257#endif /* MAC */
258
259#endif /* CONFIG_AUDIT */
260