1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 /*
  27  * This file contains the auditing system call code.
  28  *
  29  */
  30 
  31 #include <sys/param.h>
  32 #include <sys/systm.h>
  33 #include <sys/user.h>
  34 #include <sys/vnode.h>
  35 #include <sys/vfs.h>
  36 #include <sys/session.h>  /* for session structure (auditctl(2) */
  37 #include <sys/kmem.h>             /* for KM_SLEEP */
  38 #include <sys/cred.h>
  39 #include <sys/types.h>
  40 #include <sys/proc.h>
  41 #include <sys/uio.h>
  42 #include <sys/file.h>
  43 #include <sys/stat.h>
  44 #include <sys/pathname.h>
  45 #include <sys/acct.h>
  46 #include <sys/stropts.h>
  47 #include <sys/exec.h>
  48 #include <sys/thread.h>
  49 #include <sys/cmn_err.h>
  50 #include <sys/debug.h>
  51 #include <sys/disp.h>
  52 #include <sys/kobj.h>
  53 #include <sys/sysmacros.h>
  54 #include <sys/policy.h>
  55 #include <sys/taskq.h>
  56 #include <sys/zone.h>
  57 
  58 #include <c2/audit.h>
  59 #include <c2/audit_kernel.h>
  60 #include <c2/audit_record.h>
  61 
  62 #define HEADER_SIZE64   1;
  63 #define HEADER_SIZE32   0;
  64 #define AU_MIN_FILE_SZ  0x80000 /* minumum audit file size */
  65 #define AUDIT_REC_SIZE  0x8000  /* maximum user audit record size */
  66 
  67 extern pri_t    minclsyspri;    /* priority for taskq */
  68 
  69 static clock_t  au_resid = 15;  /* wait .15 sec before droping a rec */
  70 
  71 static void     au_output_thread();
  72 
  73 /*
  74  * This is the loadable module wrapper.
  75  */
  76 #include <sys/modctl.h>
  77 
  78 /*
  79  * Module linkage information for the kernel.
  80  */
  81 static struct modlmisc modlmisc = {
  82         &mod_miscops, "Solaris Auditing (C2)"
  83 };
  84 
  85 static struct modlinkage modlinkage = {
  86         MODREV_1, (void *)&modlmisc, 0
  87 };
  88 
  89 int
  90 _init()
  91 {
  92         return (mod_install(&modlinkage));
  93 }
  94 
  95 int
  96 _fini()
  97 {
  98         return (EBUSY);
  99 }
 100 
 101 int
 102 _info(struct modinfo *modinfop)
 103 {
 104         return (mod_info(&modlinkage, modinfop));
 105 }
 106 
 107 /*
 108  * The audit system call. Trust what the user has sent down and save it
 109  * away in the audit file. User passes a complete audit record and its
 110  * length.  We will fill in the time stamp, check the header and the length
 111  * Put a trailer and a sequence token if policy requires.
 112  * In the future length might become size_t instead of an int.
 113  *
 114  * The call is valid whether or not AUDIT_PERZONE is set (think of
 115  * login to a zone).  When the local audit state (auk_auditstate) is
 116  * AUC_INIT_AUDIT, records are accepted even though auditd isn't
 117  * running.
 118  */
 119 int
 120 audit(caddr_t record, int length)
 121 {
 122         char    c;
 123         int     count, l;
 124         token_t *m, *n, *s, *ad;
 125         int     hdrlen, delta;
 126         adr_t   hadr;
 127         adr_t   sadr;
 128         int     size;   /* 0: 32 bit utility  1: 64 bit utility */
 129         int     host_len;
 130         size_t  zlen;
 131         au_kcontext_t   *kctx = GET_KCTX_PZ;
 132         uint32_t auditing;
 133 
 134         /* if auditing not enabled, then don't generate an audit record */
 135         auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
 136             U2A(u)->tad_audit : kctx->auk_auditstate;
 137         if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
 138                 return (0);
 139 
 140         /* Only privileged processes can audit */
 141         if (secpolicy_audit_modify(CRED()) != 0)
 142                 return (EPERM);
 143 
 144         /* Max user record size is 32K */
 145         if (length > AUDIT_REC_SIZE)
 146                 return (E2BIG);
 147 
 148         /*
 149          * The specified length must be at least as big as the smallest
 150          * possible header token. Later after beginning to scan the
 151          * header we'll determine the true minimum length according to
 152          * the header type and attributes.
 153          */
 154 #define AU_MIN_HEADER_LEN       (sizeof (char) + sizeof (int32_t) + \
 155         sizeof (char) + sizeof (short) + sizeof (short) + \
 156         (sizeof (int32_t) * 2))
 157 
 158         if (length < AU_MIN_HEADER_LEN)
 159                 return (EINVAL);
 160 
 161         /* Read in user's audit record */
 162         count = length;
 163         m = n = s = ad = NULL;
 164         while (count) {
 165                 m = au_getclr();
 166                 if (!s)
 167                         s = n = m;
 168                 else {
 169                         n->next_buf = m;
 170                         n = m;
 171                 }
 172                 l = MIN(count, AU_BUFSIZE);
 173                 if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
 174                         /* copyin failed release au_membuf */
 175                         au_free_rec(s);
 176                         return (EFAULT);
 177                 }
 178                 record += l;
 179                 count -= l;
 180                 m->len = (uchar_t)l;
 181         }
 182 
 183         /* Now attach the entire thing to ad */
 184         au_write((caddr_t *)&(ad), s);
 185 
 186         /* validate header token type. trust everything following it */
 187         adr_start(&hadr, memtod(s, char *));
 188         (void) adr_getchar(&hadr, &c);
 189         switch (c) {
 190         case AUT_HEADER32:
 191                 /* size vers+event_ID+event_modifier fields */
 192                 delta = 1 + 2 + 2;
 193                 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
 194                 size = HEADER_SIZE32;
 195                 break;
 196 
 197 #ifdef _LP64
 198         case AUT_HEADER64:
 199                 /* size vers+event_ID+event_modifier fields */
 200                 delta = 1 + 2 + 2;
 201                 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
 202                 size = HEADER_SIZE64;
 203                 break;
 204 #endif
 205 
 206         case AUT_HEADER32_EX:
 207                 /*
 208                  * Skip over the length/version/type/mod fields and
 209                  * grab the host address type (length), then rewind.
 210                  * This is safe per the previous minimum length check.
 211                  */
 212                 hadr.adr_now += 9;
 213                 (void) adr_getint32(&hadr, &host_len);
 214                 hadr.adr_now -= 9 + sizeof (int32_t);
 215 
 216                 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
 217                 delta = 1 + 2 + 2 + 4 + host_len;
 218                 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
 219                 size = HEADER_SIZE32;
 220                 break;
 221 
 222 #ifdef _LP64
 223         case AUT_HEADER64_EX:
 224                 /*
 225                  * Skip over the length/version/type/mod fields and grab
 226                  * the host address type (length), then rewind.
 227                  * This is safe per the previous minimum length check.
 228                  */
 229                 hadr.adr_now += 9;
 230                 (void) adr_getint32(&hadr, &host_len);
 231                 hadr.adr_now -= 9 + sizeof (int32_t);
 232 
 233                 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
 234                 delta = 1 + 2 + 2 + 4 + host_len;
 235                 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
 236                 size = HEADER_SIZE64;
 237                 break;
 238 #endif
 239 
 240         default:
 241                 /* Header is wrong, reject message */
 242                 au_free_rec(s);
 243                 return (EINVAL);
 244         }
 245 
 246         if (length < hdrlen) {
 247                 au_free_rec(s);
 248                 return (0);
 249         }
 250 
 251         /* advance over header token length field */
 252         hadr.adr_now += 4;
 253 
 254         /* validate version */
 255         (void) adr_getchar(&hadr, &c);
 256         if (c != TOKEN_VERSION) {
 257                 /* version is wrong, reject message */
 258                 au_free_rec(s);
 259                 return (EINVAL);
 260         }
 261 
 262         /* backup to header length field (including version field) */
 263         hadr.adr_now -= 5;
 264 
 265         /*
 266          * add on the zonename token if policy AUDIT_ZONENAME is set
 267          */
 268         if (kctx->auk_policy & AUDIT_ZONENAME) {
 269                 zlen = au_zonename_length(NULL);
 270                 if (zlen > 0) {
 271                         length += zlen;
 272                         m = au_to_zonename(zlen, NULL);
 273                         (void) au_append_rec(ad, m, AU_PACK);
 274                 }
 275         }
 276         /* Add an (optional) sequence token. NULL offset if none */
 277         if (kctx->auk_policy & AUDIT_SEQ) {
 278                 /* get the sequnce token */
 279                 m = au_to_seq();
 280 
 281                 /* sequence token 5 bytes long */
 282                 length += 5;
 283 
 284                 /* link to audit record (i.e. don't pack the data) */
 285                 (void) au_append_rec(ad, m, AU_LINK);
 286 
 287                 /* advance to count field of token */
 288                 adr_start(&sadr, memtod(m, char *));
 289                 sadr.adr_now += 1;
 290         } else
 291                 sadr.adr_now = (char *)NULL;
 292 
 293         /* add the (optional) trailer token */
 294         if (kctx->auk_policy & AUDIT_TRAIL) {
 295                 /* trailer token is 7 bytes long */
 296                 length += 7;
 297 
 298                 /* append to audit record */
 299                 (void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
 300         }
 301 
 302         /* audit record completely assembled. set the length */
 303         adr_int32(&hadr, (int32_t *)&length, 1);
 304 
 305         /* advance to date/time field of header */
 306         hadr.adr_now += delta;
 307 
 308         /* We are done  put it on the queue */
 309         AS_INC(as_generated, 1, kctx);
 310         AS_INC(as_audit, 1, kctx);
 311 
 312         au_enqueue(kctx, s, &hadr, &sadr, size, 0);
 313 
 314         AS_INC(as_totalsize, length, kctx);
 315 
 316         return (0);
 317 }
 318 
 319 /*
 320  * auditdoor starts a kernel thread to generate output from the audit
 321  * queue.  The thread terminates when it detects auditing being turned
 322  * off, such as when auditd exits with a SIGTERM.  If a subsequent
 323  * auditdoor arrives while the thread is running, the door descriptor
 324  * of the last auditdoor in will be used for output.  auditd is responsible
 325  * for insuring that multiple copies are not running.
 326  */
 327 
 328 int
 329 auditdoor(int fd)
 330 {
 331         struct file     *fp;
 332         struct vnode    *vp;
 333         int             do_create = 0;
 334         au_kcontext_t   *kctx;
 335 
 336         if (secpolicy_audit_config(CRED()) != 0)
 337                 return (EPERM);
 338 
 339         if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
 340                 return (EINVAL);
 341 
 342         kctx = GET_KCTX_NGZ;
 343 
 344         /*
 345          * convert file pointer to file descriptor
 346          *   Note: fd ref count incremented here.
 347          */
 348         if ((fp = (struct file *)getf(fd)) == NULL) {
 349                 return (EBADF);
 350         }
 351         vp = fp->f_vnode;
 352         if (vp->v_type != VDOOR) {
 353                 cmn_err(CE_WARN,
 354                     "auditdoor() did not get the expected door descriptor\n");
 355                 releasef(fd);
 356                 return (EINVAL);
 357         }
 358         /*
 359          * If the output thread is already running, then replace the
 360          * door descriptor with the new one and continue; otherwise
 361          * create the thread too.  Since au_output_thread makes a call
 362          * to au_doorio() which also does
 363          * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
 364          * done after the unlock...
 365          */
 366         mutex_enter(&(kctx->auk_svc_lock));
 367 
 368         if (kctx->auk_current_vp != NULL)
 369                 VN_RELE(kctx->auk_current_vp);
 370 
 371         kctx->auk_current_vp = vp;
 372         VN_HOLD(kctx->auk_current_vp);
 373         releasef(fd);
 374 
 375         if (!kctx->auk_output_active) {
 376                 kctx->auk_output_active = 1;
 377                 do_create = 1;
 378         }
 379         mutex_exit(&(kctx->auk_svc_lock));
 380         if (do_create) {
 381                 kctx->auk_taskq =
 382                     taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
 383                 (void) taskq_dispatch(kctx->auk_taskq,
 384                     (task_func_t *)au_output_thread,
 385                     kctx, TQ_SLEEP);
 386         }
 387         return (0);
 388 }
 389 
 390 static void
 391 audit_dont_stop(void *kctx)
 392 {
 393 
 394         if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
 395             (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
 396                 return;
 397 
 398         mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
 399         cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
 400         mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
 401 }
 402 
 403 /*
 404  * au_queue_kick -- wake up the output queue after delay ticks
 405  */
 406 static void
 407 au_queue_kick(void *kctx)
 408 {
 409         /*
 410          * wakeup reader if its not running and there is something
 411          * to do.  It also helps that kctx still be valid...
 412          */
 413 
 414         if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
 415             (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
 416                 return;
 417 
 418         if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
 419             ((au_kcontext_t *)kctx)->auk_queue.rd_block)
 420                 cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
 421 
 422         /* fire off timeout event to kick audit queue awake */
 423         (void) timeout(au_queue_kick, kctx,
 424             ((au_kcontext_t *)kctx)->auk_queue.delay);
 425 }
 426 
 427 /*
 428  * output thread
 429  *
 430  * this runs "forever" where "forever" means until either auk_auditstate
 431  * changes from AUC_AUDITING or if the door descriptor becomes invalid.
 432  *
 433  * there is one thread per active zone if AUC_PERZONE is set.  Since
 434  * there is the possibility that a zone may go down without auditd
 435  * terminating properly, a zone shutdown kills its au_output_thread()
 436  * via taskq_destroy().
 437  */
 438 
 439 static void
 440 au_output_thread(au_kcontext_t *kctx)
 441 {
 442         int             error = 0;
 443 
 444         (void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
 445 
 446         /*
 447          * Wait for work, until a signal arrives,
 448          * or until auditing is disabled.
 449          */
 450 
 451         while (!error) {
 452                 if (kctx->auk_auditstate == AUC_AUDITING) {
 453                         mutex_enter(&(kctx->auk_queue.lock));
 454                         while (kctx->auk_queue.head == NULL) {
 455                                 /* safety check. kick writer awake */
 456                                 if (kctx->auk_queue.wt_block) {
 457                                         cv_broadcast(&(kctx->
 458                                             auk_queue.write_cv));
 459                                 }
 460 
 461                                 kctx->auk_queue.rd_block = 1;
 462                                 AS_INC(as_rblocked, 1, kctx);
 463 
 464                                 cv_wait(&(kctx->auk_queue.read_cv),
 465                                     &(kctx->auk_queue.lock));
 466                                 kctx->auk_queue.rd_block = 0;
 467 
 468                                 if (kctx->auk_auditstate != AUC_AUDITING) {
 469                                         mutex_exit(&(kctx->auk_queue.lock));
 470                                         (void) timeout(audit_dont_stop, kctx,
 471                                             au_resid);
 472                                         goto output_exit;
 473                                 }
 474                                 kctx->auk_queue.rd_block = 0;
 475                         }
 476                         mutex_exit(&(kctx->auk_queue.lock));
 477                         /*
 478                          * au_doorio() calls au_door_upcall which holds
 479                          * auk_svc_lock; au_doorio empties the queue before
 480                          * returning.
 481                          */
 482 
 483                         error = au_doorio(kctx);
 484                 } else {
 485                         /* auditing turned off while we slept */
 486                         break;
 487                 }
 488         }
 489 output_exit:
 490         mutex_enter(&(kctx->auk_svc_lock));
 491 
 492         VN_RELE(kctx->auk_current_vp);
 493         kctx->auk_current_vp = NULL;
 494 
 495         kctx->auk_output_active = 0;
 496 
 497         mutex_exit(&(kctx->auk_svc_lock));
 498 }