| blob | af40a74b5f8480e947d2c3ef0b5a3499e41b968c |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
26 #include <bsm/adt.h>
27 #include <bsm/adt_event.h>
28 #include <assert.h>
29 #include <bsm/audit.h>
30 #include <bsm/audit_record.h>
31 #include <bsm/libbsm.h>
32 #include <door.h>
33 #include <errno.h>
34 #include <generic.h>
35 #include <md5.h>
36 #include <sys/mkdev.h>
37 #include <netdb.h>
38 #include <nss_dbdefs.h>
39 #include <pwd.h>
40 #include <sys/stat.h>
41 #include <time.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <synch.h>
45 #include <sys/systeminfo.h>
46 #include <syslog.h>
47 #include <thread.h>
48 #include <unistd.h>
49 #include <adt_xlate.h>
50 #include <adt_ucred.h>
51 #include <arpa/inet.h>
52 #include <net/if.h>
53 #include <libinetutil.h>
61 #ifdef C2_DEBUG
62 #define DPRINTF(x) { (void) printf x; }
63 #define DFLUSH (void) fflush(stdout);
64 #else
65 #define DPRINTF(x)
66 #define DFLUSH
67 #endif
69 /*
70 * Local audit states are a bit mask
71 *
72 * The global audit states are
73 *
74 * AUC_UNSET 0 - on/off hasn't been decided
75 * AUC_ENABLED 1 - loaded and enabled
76 *
77 * The local Zone states are
78 *
79 * AUC_AUDITING 0x1 - audit daemon is active
80 * AUC_NOAUDIT 0x2 - audit daemon is not active
81 * AUC_INIT_AUDIT 0x4 - audit is ready but auditd has not run
82 * AUC_NOSPACE 0x8 - audit enabled, no space for audit records
83 *
84 * The only values returned by auditon(A_GETCOND) are:
85 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
86 *
87 * The pseudo audit state used when the c2audit module is excluded is
88 *
89 * AUC_DISABLED 0x100 - c2audit module is excluded
90 */
94 /*
95 * adt_write_syslog
96 *
97 * errors that are not the user's fault (bugs or whatever in
98 * the underlying audit code are noted in syslog.)
99 *
100 * Avoid calling adt_write_syslog for things that can happen
101 * at high volume.
102 *
103 * syslog's open (openlog) and close (closelog) are interesting;
104 * openlog *may* create a file descriptor and is optional. closelog
105 * *will* close any open file descriptors and is also optional.
106 *
107 * Since syslog may also be used by the calling application, the
108 * choice is to avoid openlog, which sets some otherwise useful
109 * parameters, and to embed "Solaris_audit" in the log message.
110 */
112 void
114 {
125 }
127 /*
128 * return true if c2audit is not excluded.
129 *
130 * For purpose of this API, anything but AUC_DISABLED
131 * is enabled; however one never actually sees
132 * AUC_DISABLED since auditon returns ENOTSUP in that case. Any
133 * auditon error is considered the same as ENOTSUP for our
134 * purpose. auditstate is not changed by auditon if an error
135 * is returned.
136 */
138 /*
139 * XXX this should probably be eliminated and adt_audit_state() replace it.
140 * All the legitimate uses are to not fork a waiting process for
141 * process exit processing, as in su, login, dtlogin. Other bogus
142 * users are zoneadmd and init.
143 * All but dtlogin are in ON, so we can do this without cross gate
144 * synchronization.
145 *
146 * No longer used in adt.c.
147 */
149 boolean_t
151 {
156 }
158 /*
159 * See adt_audit_enabled() for state discussions.
160 * The state parameter is a hedge until all the uses become clear.
161 * Likely if adt_audit_enabled is brought internal to this file,
162 * it could be modified to take one or more parameters to describe the
163 * state.
164 */
166 boolean_t
168 {
173 }
175 /*
176 * Get user_specific/non-attributable audit mask. This may be called even when
177 * auditing is off.
178 */
180 static int
182 {
190 /* c2audit excluded */
198 }
201 }
207 }
212 }
216 }
219 }
221 /*
222 * adt_get_unique_id -- generate a hopefully unique 32 bit value
223 *
224 * there will be a follow up to replace this with the use of /dev/random
225 *
226 * An MD5 hash is taken on a buffer of
227 * hostname . audit id . unix time . pid . count
228 *
229 * "count = noise++;" is subject to a race condition but I don't
230 * see a need to put a lock around it.
231 */
233 au_asid_t
235 {
241 MD5_CTX context;
253 }
273 }
275 }
277 /*
278 * the following "port" function deals with the following issues:
279 *
280 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made
281 * up from a 32 bit major and 32 bit minor.
282 * 2 User space deals with a dev_t as either the above 64 bit value
283 * or a 32 bit value made from a 14 bit major and an 18 bit minor.
284 * 3 The various audit interfaces (except ucred) pass the 32 or
285 * 64 bit version depending the architecture of the userspace
286 * application. If you get a port value from ucred and pass it
287 * to the kernel via auditon(), it must be squeezed into a 32
288 * bit value because the kernel knows the userspace app's bit
289 * size.
290 *
291 * The internal state structure for adt (adt_internal_state_t) uses
292 * dev_t, so adt converts data from ucred to fit. The import/export
293 * functions, however, can't know if they are importing/exporting
294 * from 64 or 32 bit applications, so they always send 64 bits and
295 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
296 * appropriate.
297 */
299 /*
300 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
301 * both 64 bits). If lib is 32 bits, squeeze the two-int port into
302 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t,
303 * so it isn't broken up into pieces. (When it goes to the kernel
304 * and back, however, it will have been split into major/minor
305 * pieces.)
306 */
308 static void
310 {
311 #ifdef _LP64
318 NBITSMINOR32;
322 }
324 /*
325 * adt_start_session -- create interface handle, create context
326 *
327 * The imported_state input is normally NULL, if not, it represents
328 * a continued session; its values obviate the need for a subsequent
329 * call to adt_set_user().
330 *
331 * The flag is used to decide how to set the initial state of the session.
332 * If 0, the session is "no audit" until a call to adt_set_user; if
333 * ADT_USE_PROC_DATA, the session is built from the process audit
334 * characteristics obtained from the kernel. If imported_state is
335 * not NULL, the resulting audit mask is an OR of the current process
336 * audit mask and that passed in.
337 *
338 * The basic model is that the caller can use the pointer returned
339 * by adt_start_session whether or not auditing is enabled or an
340 * error was returned. The functions that take the session handle
341 * as input generally return without doing anything if auditing is
342 * disabled.
343 */
345 int
348 {
352 /* test and set auditstate */
354 /* c2audit excluded */
357 }
362 }
366 }
370 }
372 /*
373 * The imported state overwrites the initial state if the
374 * imported state represents a valid audit trail
375 */
380 }
383 }
391 return_err_free:
393 return_err:
397 }
399 /*
400 * adt_load_table()
401 *
402 * loads the event translation table into the audit session.
403 */
405 void
408 {
415 }
416 }
418 /*
419 * adt_get_asid() and adt_set_asid()
420 *
421 * if you use this interface, you are responsible to insure that the
422 * rest of the session data is populated correctly before calling
423 * adt_proccess_attr()
424 *
425 * neither of these are intended for general use and will likely
426 * remain private interfaces for a long time. Forever is a long
427 * time. In the case of adt_set_asid(), you should have a very,
428 * very good reason for setting your own session id. The process
429 * audit characteristics are not changed by put, use adt_set_proc().
430 *
431 * These are "volatile" (more changable than "evolving") and will
432 * probably change in the S10 period.
433 */
435 void
437 {
443 ADT_VALID);
446 }
447 }
449 void
451 {
455 ADT_VALID);
458 ADT_HAVE_ASID;
460 session_id;
461 }
462 }
464 /*
465 * adt_get_auid() and adt_set_auid()
466 *
467 * neither of these are intended for general use and will likely
468 * remain private interfaces for a long time. Forever is a long
469 * time. In the case of adt_set_auid(), you should have a very,
470 * very good reason for setting your own audit id. The process
471 * audit characteristics are not changed by put, use adt_set_proc().
472 */
474 void
476 {
482 ADT_VALID);
485 }
486 }
488 void
490 {
494 ADT_VALID);
497 ADT_HAVE_AUID;
499 audit_id;
500 }
501 }
503 /*
504 * adt_get_termid(), adt_set_termid()
505 *
506 * if you use this interface, you are responsible to insure that the
507 * rest of the session data is populated correctly before calling
508 * adt_proccess_attr()
509 *
510 * The process audit characteristics are not changed by put, use
511 * adt_set_proc().
512 */
514 void
516 {
523 ADT_VALID);
527 }
528 }
530 void
533 {
537 ADT_VALID);
543 ADT_HAVE_TID;
544 }
545 }
547 /*
548 * adt_get_mask(), adt_set_mask()
549 *
550 * if you use this interface, you are responsible to insure that the
551 * rest of the session data is populated correctly before calling
552 * adt_proccess_attr()
553 *
554 * The process audit characteristics are not changed by put, use
555 * adt_set_proc().
556 */
558 void
560 {
567 ADT_VALID);
570 }
571 }
573 void
575 {
579 ADT_VALID);
584 ADT_HAVE_MASK;
585 }
586 }
588 /*
589 * helpers for adt_load_termid
590 */
592 static void
595 {
600 }
602 static void
605 {
612 }
614 /*
615 * adt_load_termid: convenience function; inputs file handle and
616 * outputs an au_tid_addr struct.
617 *
618 * This code was stolen from audit_settid.c; it differs from audit_settid()
619 * in that it does not write the terminal id to the process.
620 */
622 int
624 {
631 /* get peer name if its a socket, else assume local terminal */
637 }
639 }
643 }
645 /* get sock name */
649 }
656 }
661 return_err_free:
663 return_err:
666 }
668 static boolean_t
670 {
676 }
689 }
691 /*
692 * adt_get_hostIP - construct a terminal id from a hostname
693 *
694 * Returns 0 = success
695 * -1 = failure and errno = ENETDOWN with the address
696 * defaulted to IPv4 loopback.
697 */
699 static int
701 {
709 /*
710 * getaddrinfo returns its own set of errors.
711 * Log them here, so any subsequent syslogs will
712 * have a context. adt_get_hostIP callers can only
713 * return errno, so subsequent syslogs may be lacking
714 * that getaddrinfo failed.
715 */
723 }
724 /* see if resolution becomes available */
726 }
731 /* LINTED */
733 AU_IPv4);
737 /* LINTED */
739 AU_IPv6);
740 }
744 auditinfo_addr_t audit_info;
746 /*
747 * auditd is running so there should be a
748 * kernel audit context
749 */
753 errno);
755 }
759 }
760 try_interface:
761 {
766 /*
767 * getaddrinfo has failed to map the hostname
768 * to an IP address, try to get an IP address
769 * from a local interface. If none up, default
770 * to loopback.
771 */
778 "failed, no Audit IP address available, "
780 errno);
784 AU_IPv4);
787 }
788 }
795 }
802 }
803 }
805 /*
806 * adt_load_hostname() is called when the caller does not have a file
807 * handle that gives access to the socket info or any other way to
808 * pass in both port and ip address. The hostname input is ignored if
809 * the terminal id has already been set; instead it returns the
810 * existing terminal id.
811 *
812 * If c2audit is excluded, success is returned.
813 * If the hostname lookup fails, the loopback address is assumed,
814 * errno is set to ENETDOWN, this allows the caller to interpret
815 * whether failure is fatal, and if not to have a address for the
816 * hostname.
817 * Otherwise the caller would need to be aware of the audit state.
818 *
819 * Other errors are ignored if not auditing.
820 */
822 int
824 {
829 /* c2audit excluded */
832 }
836 }
841 }
847 }
854 }
856 return_err:
860 }
863 }
865 /*
866 * adt_load_ttyname() is called when the caller does not have a file
867 * handle that gives access to the local terminal or any other way
868 * of determining the device id. The ttyname input is ignored if
869 * the terminal id has already been set; instead it returns the
870 * existing terminal id.
871 *
872 * If c2audit is excluded, success is returned.
873 * The local hostname is used for the local IP address.
874 * If that hostname lookup fails, the loopback address is assumed,
875 * errno is set to ENETDOWN, this allows the caller to interpret
876 * whether failure is fatal, and if not to have a address for the
877 * hostname.
878 * Otherwise the caller would need to be aware of the audit state.
879 *
880 * Other errors are ignored if not auditing.
881 */
883 int
885 {
891 /* c2audit excluded */
894 }
898 }
903 }
909 }
914 }
917 }
925 }
927 return_err_free:
930 return_err:
934 }
937 }
939 /*
940 * adt_get_session_id returns a stringified representation of
941 * the audit session id. See also adt_get_asid() for how to
942 * get the unexpurgated version. No guarantees as to how long
943 * the returned string will be or its general form; hex for now.
944 *
945 * An empty string is returned if auditing is off; length = 1
946 * and the pointer is valid.
947 *
948 * returns strlen + 1 if buffer is valid; else 0 and errno.
949 */
951 size_t
953 {
954 au_asid_t session_id;
956 /*
957 * output is 0x followed by
958 * two characters per byte
959 * plus terminator,
960 * except leading 0's are suppressed, so a few bytes may
961 * be unused.
962 */
968 }
972 }
977 /* length < 1 is a bug: the session data type may have changed */
981 }
983 /*
984 * adt_end_session -- close handle, clear context
985 *
986 * if as_check is invalid, no harm, no foul, EXCEPT that this could
987 * be an attempt to free data already free'd, so output to syslog
988 * to help explain why the process cored dumped.
989 */
991 int
993 {
1003 }
1004 }
1005 /* no errors yet defined */
1007 }
1009 /*
1010 * adt_dup_session -- copy the session data
1011 */
1013 int
1015 {
1028 }
1031 }
1032 return_rc:
1035 }
1037 /*
1038 * from_export_format()
1039 * read from a network order buffer into struct adt_session_data
1040 */
1042 static size_t
1045 {
1048 adr_t context;
1060 }
1065 /*
1066 * Skip newer versions.
1067 */
1071 }
1076 }
1082 }
1083 /*
1084 * Adjust buffer pointer to the first data item (euid).
1085 */
1090 }
1091 /*
1092 * if down rev version, pid is not included
1093 */
1128 }
1131 }
1133 /*
1134 * adt_to_export_format
1135 * read from struct adt_session_data into a network order buffer.
1136 *
1137 * (network order 'cause this data may be shared with a remote host.)
1138 */
1140 static size_t
1143 {
1146 adr_t context;
1153 /* version 2 first */
1178 /* now version 1 */
1201 /* finally terminator */
1209 }
1211 /*
1212 * adt_import() -- convert from network order to machine-specific order
1213 */
1215 static int
1217 {
1218 au_mask_t mask;
1220 /* save local audit state */
1226 /*
1227 * If audit isn't enabled on the remote, they were unable
1228 * to generate the audit mask, so generate it based on
1229 * local configuration. If the user id has changed, the
1230 * resulting mask may miss some subtleties that occurred
1231 * on the remote system.
1232 *
1233 * If the remote failed to generate a terminal id, it is not
1234 * recoverable.
1235 */
1249 }
1250 }
1260 }
1262 /*
1263 * adt_export_session_data()
1264 * copies a adt_session_data struct into a network order buffer
1265 *
1266 * In a misconfigured network, the local host may have auditing
1267 * off while the destination may have auditing on, so if there
1268 * is sufficient memory, a buffer will be returned even in the
1269 * audit off case.
1270 */
1272 size_t
1275 {
1293 }
1299 }
1302 return_length_free:
1306 }
1308 static void
1310 {
1328 }
1329 }
1331 /*
1332 * adt_init -- set session context by copying the audit characteristics
1333 * from the proc and picking up current uid/tid information.
1334 *
1335 * By default, an audit session is based on the process; the default
1336 * is overriden by adt_set_user()
1337 */
1339 static int
1341 {
1342 /* ensure auditstate is set */
1359 /*
1360 * Even if the ucred is NULL, the underlying
1361 * credential may have a valid terminal id; if the
1362 * terminal id is set, then that's good enough. An
1363 * example of where this matters is failed login,
1364 * where rlogin/telnet sets the terminal id before
1365 * calling login; login does not load the credential
1366 * since auth failed.
1367 */
1379 }
1383 tid);
1387 }
1391 }
1393 }
1396 }
1403 }
1408 }
1410 /*
1411 * adt_set_proc
1412 *
1413 * Copy the current session state to the process. If this function
1414 * is called, the model becomes a process model rather than a
1415 * session model.
1416 *
1417 * In the current implementation, the value state->as_have_user_data
1418 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set
1419 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1420 *
1421 */
1423 int
1425 {
1430 }
1440 }
1445 }
1451 return_err:
1454 }
1456 static int
1458 {
1468 }
1477 /* Assume intending to audit as this process */
1483 }
1485 static int
1487 {
1488 au_mask_t mask;
1501 }
1505 ruid));
1507 }
1509 /*
1510 * adt_set_user -- see also adt_set_from_ucred()
1511 *
1512 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1513 * "unattributed." If ruid, change the model to session.
1514 *
1515 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1516 * only valid with ADT_UPDATE.
1517 *
1518 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1519 * isn't a good reason to call adt_set_user() with it unless you don't
1520 * have a good value yet and intend to replace it later; auid will be
1521 * AU_NOAUDITID.
1522 *
1523 * adt_set_user should be called even if auditing is not enabled
1524 * so that adt_export_session_data() will have useful stuff to
1525 * work with.
1526 *
1527 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1528 * and ADT_HAVE_ALL.
1529 */
1531 int
1535 {
1551 }
1562 }
1572 }
1577 /* avoid fooling pam_setcred()... */
1588 }
1604 }
1608 }
1611 }
1613 /*
1614 * adt_set_from_ucred()
1615 *
1616 * an alternate to adt_set_user that fills the same role but uses
1617 * a pointer to a ucred rather than a list of id's. If the ucred
1618 * pointer is NULL, use the credential from the this process.
1619 *
1620 * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1621 * not overwrite the asid and auid unless auid has not been set.
1622 * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1623 * the incoming audit mask with the one that already exists.
1624 *
1625 * adt_set_from_ucred should be called even if auditing is not enabled
1626 * so that adt_export_session_data() will have useful stuff to
1627 * work with.
1628 */
1630 int
1633 {
1653 }
1663 }
1674 }
1681 }
1690 }
1695 }
1704 return_rc:
1707 }
1709 }
1711 /*
1712 * adt_alloc_event() returns a pointer to allocated memory
1713 *
1714 */
1716 adt_event_data_t
1718 {
1722 /*
1723 * need to return a valid event pointer even if audit is
1724 * off, else the caller will end up either (1) keeping its
1725 * own flags for on/off or (2) writing to a NULL pointer.
1726 * If auditing is on, the session data must be valid; otherwise
1727 * we don't care.
1728 */
1732 }
1744 /*
1745 * preload data so the adt_au_*() functions can detect un-supplied
1746 * values (0 and NULL are free via calloc()).
1747 */
1750 }
1752 return_ptr:
1754 }
1756 /*
1757 * adt_getXlateTable -- look up translation table address for event id
1758 */
1762 {
1763 /* xlate_table is global in adt_xlate.c */
1771 p_xlate++;
1772 }
1774 }
1776 /*
1777 * adt_calcOffsets
1778 *
1779 * the call to this function is surrounded by a mutex.
1780 *
1781 * i walks down the table picking up next_token. j walks again to
1782 * calculate the offset to the input data. k points to the next
1783 * token's row. Finally, l, is used to sum the values in the
1784 * datadef array.
1785 *
1786 * What's going on? The entry array is in the order of the input
1787 * fields but the processing of array entries is in the order of
1788 * the output (see next_token). Calculating the offset to the
1789 * "next" input can't be done in the outer loop (i) since i doesn't
1790 * point to the current entry and it can't be done with the k index
1791 * because it doesn't represent the order of input fields.
1792 *
1793 * While the resulting algorithm is n**2, it is only done once per
1794 * event type.
1795 */
1797 /*
1798 * adt_calcOffsets is only called once per event type, but it uses
1799 * the address alignment of memory allocated for that event as if it
1800 * were the same for all subsequently allocated memory. This is
1801 * guaranteed by calloc/malloc. Arrays take special handling since
1802 * what matters for figuring out the correct alignment is the size
1803 * of the array element.
1804 */
1806 static void
1808 {
1817 }
1824 else
1825 this_size =
1828 /* adj for first entry */
1833 ADT_UINT32ARRAY) {
1841 this_size);
1843 }
1844 }
1845 }
1846 }
1848 /*
1849 * adt_generate_event
1850 * generate event record from external struct. The order is based on
1851 * the output tokens, allowing for the possibility that the input data
1852 * is in a different order.
1853 *
1854 */
1856 static int
1860 {
1870 /*
1871 * offsets are not pre-calculated; the initial offsets are all
1872 * 0; valid offsets are >= 0. Offsets for no-input tokens such
1873 * as subject are set to -1 by adt_calcOffset()
1874 */
1882 }
1887 }
1889 }
1891 /*
1892 * adt_put_event -- main event generation function.
1893 * The input "event" is the address of the struct containing
1894 * event-specific data.
1895 *
1896 * However if auditing is off or the session handle
1897 * is NULL, no attempt to write a record is made.
1898 */
1900 int
1902 {
1909 }
1912 /* if this is a broken session or not auditing, exit */
1917 }
1924 /* look up the event */
1932 }
1937 }
1940 }
1942 /*
1943 * adt_free_event -- invalidate and free
1944 */
1946 void
1948 {
1961 }
1963 /*
1964 * adt_is_selected -- helper to adt_selected(), below.
1965 *
1966 * "sorf" is "success or fail" status; au_preselect compares
1967 * that with success, fail, or both.
1968 */
1970 static int
1972 {
1977 else
1981 }
1983 /*
1984 * selected -- see if this event is preselected.
1985 *
1986 * if errors are encountered trying to check a preselection mask
1987 * or look up a user name, the event is selected. Otherwise, the
1988 * preselection mask is used for the job.
1989 */
1991 static int
1993 {
1995 au_mask_t namask;
2002 }
2004 /* non-attributable? */
2011 }
2015 status));
2016 }
2017 }
2019 /*
2020 * Can't map the host name to an IP address in
2021 * adt_get_hostIP. Get something off an interface
2022 * to act as the hosts IP address for auditing.
2023 */
2025 static int
2027 {
2042 }
2045 /*
2046 * loopback always defined,
2047 * even if there is no real address
2048 */
2051 }
2052 }
2055 /*
2056 * Callers of adt_get_hostIP() can only return
2057 * errno to their callers and eventually the application.
2058 * Picked one that seemed least worse for saying no
2059 * usable address for Audit terminal ID.
2060 */
2063 }
2068 }