#include <sys/param.h>
#include <sys/mount.h>
#include <sys/namei.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/jail.h>
#include <bsm/audit.h>
#include <bsm/audit_kevents.h>
#include <security/audit/audit.h>
#include <security/audit/audit_private.h>
#include <security/mac/mac_framework.h>
#ifdef AUDIT
static int
audit_priv_check_cred(struct ucred *cred, int priv)
{
int error;
error = priv_check_cred(cred, priv);
if (error == EPERM && jailed(cred)) {
error = ENOSYS;
}
return (error);
}
static int
audit_priv_check(struct thread *td, int priv)
{
return (audit_priv_check_cred(td->td_ucred, priv));
}
int
sys_audit(struct thread *td, struct audit_args *uap)
{
int error;
void * rec;
struct kaudit_record *ar;
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_SUBMIT);
if (error)
return (error);
if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
return (EINVAL);
ar = currecord();
if (ar == NULL) {
td->td_ar = audit_new(AUE_NULL, td);
if (td->td_ar == NULL)
return (ENOTSUP);
td->td_pflags |= TDP_AUDITREC;
ar = td->td_ar;
}
if (uap->length > MAX_AUDIT_RECORD_SIZE)
return (EINVAL);
rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
error = copyin(uap->record, rec, uap->length);
if (error)
goto free_out;
if (bsm_rec_verify(rec) == 0) {
error = EINVAL;
goto free_out;
}
#ifdef MAC
error = mac_system_check_audit(td->td_ucred, rec, uap->length);
if (error)
goto free_out;
#endif
ar->k_udata = rec;
ar->k_ulen = uap->length;
ar->k_ar_commit |= AR_COMMIT_USER;
ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
return (0);
free_out:
free(rec, M_AUDITDATA);
return (error);
}
int
sys_auditon(struct thread *td, struct auditon_args *uap)
{
struct ucred *cred, *newcred, *oldcred;
int error;
union auditon_udata udata;
struct proc *tp;
if (jailed(td->td_ucred))
return (ENOSYS);
AUDIT_ARG_CMD(uap->cmd);
#ifdef MAC
error = mac_system_check_auditon(td->td_ucred, uap->cmd);
if (error)
return (error);
#endif
error = priv_check(td, PRIV_AUDIT_CONTROL);
if (error)
return (error);
if ((uap->length <= 0) || (uap->length > sizeof(union auditon_udata)))
return (EINVAL);
memset((void *)&udata, 0, sizeof(udata));
switch (uap->cmd) {
case A_SETPOLICY:
case A_OLDSETPOLICY:
case A_SETKMASK:
case A_SETQCTRL:
case A_OLDSETQCTRL:
case A_SETSTAT:
case A_SETUMASK:
case A_SETSMASK:
case A_SETCOND:
case A_OLDSETCOND:
case A_SETCLASS:
case A_SETEVENT:
case A_SETPMASK:
case A_SETFSIZE:
case A_SETKAUDIT:
case A_GETCLASS:
case A_GETEVENT:
case A_GETPINFO:
case A_GETPINFO_ADDR:
case A_SENDTRIGGER:
error = copyin(uap->data, (void *)&udata, uap->length);
if (error)
return (error);
AUDIT_ARG_AUDITON(&udata);
break;
}
switch (uap->cmd) {
case A_OLDGETPOLICY:
case A_GETPOLICY:
if (uap->length == sizeof(udata.au_policy64)) {
if (!audit_fail_stop)
udata.au_policy64 |= AUDIT_CNT;
if (audit_panic_on_write_fail)
udata.au_policy64 |= AUDIT_AHLT;
if (audit_argv)
udata.au_policy64 |= AUDIT_ARGV;
if (audit_arge)
udata.au_policy64 |= AUDIT_ARGE;
break;
}
if (uap->length != sizeof(udata.au_policy))
return (EINVAL);
if (!audit_fail_stop)
udata.au_policy |= AUDIT_CNT;
if (audit_panic_on_write_fail)
udata.au_policy |= AUDIT_AHLT;
if (audit_argv)
udata.au_policy |= AUDIT_ARGV;
if (audit_arge)
udata.au_policy |= AUDIT_ARGE;
break;
case A_OLDSETPOLICY:
case A_SETPOLICY:
if (uap->length == sizeof(udata.au_policy64)) {
if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|
AUDIT_ARGV|AUDIT_ARGE))
return (EINVAL);
audit_fail_stop = ((udata.au_policy64 & AUDIT_CNT) ==
0);
audit_panic_on_write_fail = (udata.au_policy64 &
AUDIT_AHLT);
audit_argv = (udata.au_policy64 & AUDIT_ARGV);
audit_arge = (udata.au_policy64 & AUDIT_ARGE);
break;
}
if (uap->length != sizeof(udata.au_policy))
return (EINVAL);
if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|AUDIT_ARGV|
AUDIT_ARGE))
return (EINVAL);
audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
audit_argv = (udata.au_policy & AUDIT_ARGV);
audit_arge = (udata.au_policy & AUDIT_ARGE);
break;
case A_GETKMASK:
if (uap->length != sizeof(udata.au_mask))
return (EINVAL);
udata.au_mask = audit_nae_mask;
break;
case A_SETKMASK:
if (uap->length != sizeof(udata.au_mask))
return (EINVAL);
audit_nae_mask = udata.au_mask;
break;
case A_OLDGETQCTRL:
case A_GETQCTRL:
if (uap->length == sizeof(udata.au_qctrl64)) {
udata.au_qctrl64.aq64_hiwater =
(u_int64_t)audit_qctrl.aq_hiwater;
udata.au_qctrl64.aq64_lowater =
(u_int64_t)audit_qctrl.aq_lowater;
udata.au_qctrl64.aq64_bufsz =
(u_int64_t)audit_qctrl.aq_bufsz;
udata.au_qctrl64.aq64_minfree =
(u_int64_t)audit_qctrl.aq_minfree;
break;
}
if (uap->length != sizeof(udata.au_qctrl))
return (EINVAL);
udata.au_qctrl = audit_qctrl;
break;
case A_OLDSETQCTRL:
case A_SETQCTRL:
if (uap->length == sizeof(udata.au_qctrl64)) {
if ((udata.au_qctrl64.aq64_hiwater > AQ_MAXHIGH) ||
(udata.au_qctrl64.aq64_lowater >=
udata.au_qctrl.aq_hiwater) ||
(udata.au_qctrl64.aq64_bufsz > AQ_MAXBUFSZ) ||
(udata.au_qctrl64.aq64_minfree > 100))
return (EINVAL);
audit_qctrl.aq_hiwater =
(int)udata.au_qctrl64.aq64_hiwater;
audit_qctrl.aq_lowater =
(int)udata.au_qctrl64.aq64_lowater;
audit_qctrl.aq_bufsz =
(int)udata.au_qctrl64.aq64_bufsz;
audit_qctrl.aq_minfree =
(int)udata.au_qctrl64.aq64_minfree;
audit_qctrl.aq_delay = -1;
break;
}
if (uap->length != sizeof(udata.au_qctrl))
return (EINVAL);
if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
(udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
(udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
(udata.au_qctrl.aq_minfree < 0) ||
(udata.au_qctrl.aq_minfree > 100))
return (EINVAL);
audit_qctrl = udata.au_qctrl;
audit_qctrl.aq_delay = -1;
break;
case A_GETCWD:
return (ENOSYS);
break;
case A_GETCAR:
return (ENOSYS);
break;
case A_GETSTAT:
return (ENOSYS);
break;
case A_SETSTAT:
return (ENOSYS);
break;
case A_SETUMASK:
return (ENOSYS);
break;
case A_SETSMASK:
return (ENOSYS);
break;
case A_OLDGETCOND:
case A_GETCOND:
if (uap->length == sizeof(udata.au_cond64)) {
if (audit_trail_enabled && !audit_trail_suspended)
udata.au_cond64 = AUC_AUDITING;
else
udata.au_cond64 = AUC_NOAUDIT;
break;
}
if (uap->length != sizeof(udata.au_cond))
return (EINVAL);
if (audit_trail_enabled && !audit_trail_suspended)
udata.au_cond = AUC_AUDITING;
else
udata.au_cond = AUC_NOAUDIT;
break;
case A_OLDSETCOND:
case A_SETCOND:
if (uap->length == sizeof(udata.au_cond64)) {
if (udata.au_cond64 == AUC_NOAUDIT)
audit_trail_suspended = 1;
if (udata.au_cond64 == AUC_AUDITING)
audit_trail_suspended = 0;
if (udata.au_cond64 == AUC_DISABLED) {
audit_trail_suspended = 1;
audit_shutdown(NULL, 0);
}
audit_syscalls_enabled_update();
break;
}
if (uap->length != sizeof(udata.au_cond))
return (EINVAL);
if (udata.au_cond == AUC_NOAUDIT)
audit_trail_suspended = 1;
if (udata.au_cond == AUC_AUDITING)
audit_trail_suspended = 0;
if (udata.au_cond == AUC_DISABLED) {
audit_trail_suspended = 1;
audit_shutdown(NULL, 0);
}
audit_syscalls_enabled_update();
break;
case A_GETCLASS:
if (uap->length != sizeof(udata.au_evclass))
return (EINVAL);
udata.au_evclass.ec_class = au_event_class(
udata.au_evclass.ec_number);
break;
case A_GETEVENT:
if (uap->length != sizeof(udata.au_evname))
return (EINVAL);
error = au_event_name(udata.au_evname.en_number,
udata.au_evname.en_name);
if (error != 0)
return (error);
break;
case A_SETCLASS:
if (uap->length != sizeof(udata.au_evclass))
return (EINVAL);
au_evclassmap_insert(udata.au_evclass.ec_number,
udata.au_evclass.ec_class);
break;
case A_SETEVENT:
if (uap->length != sizeof(udata.au_evname))
return (EINVAL);
udata.au_evname.en_name[sizeof(udata.au_evname.en_name) - 1]
= 0;
au_evnamemap_insert(udata.au_evname.en_number,
udata.au_evname.en_name);
break;
case A_GETPINFO:
if (uap->length != sizeof(udata.au_aupinfo))
return (EINVAL);
if (udata.au_aupinfo.ap_pid < 1)
return (ESRCH);
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
return (ESRCH);
if ((error = p_cansee(td, tp)) != 0) {
PROC_UNLOCK(tp);
return (error);
}
cred = tp->p_ucred;
if (cred->cr_audit.ai_termid.at_type == AU_IPv6) {
PROC_UNLOCK(tp);
return (EINVAL);
}
udata.au_aupinfo.ap_auid = cred->cr_audit.ai_auid;
udata.au_aupinfo.ap_mask.am_success =
cred->cr_audit.ai_mask.am_success;
udata.au_aupinfo.ap_mask.am_failure =
cred->cr_audit.ai_mask.am_failure;
udata.au_aupinfo.ap_termid.machine =
cred->cr_audit.ai_termid.at_addr[0];
udata.au_aupinfo.ap_termid.port =
(dev_t)cred->cr_audit.ai_termid.at_port;
udata.au_aupinfo.ap_asid = cred->cr_audit.ai_asid;
PROC_UNLOCK(tp);
break;
case A_SETPMASK:
if (uap->length != sizeof(udata.au_aupinfo))
return (EINVAL);
if (udata.au_aupinfo.ap_pid < 1)
return (ESRCH);
newcred = crget();
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) {
crfree(newcred);
return (ESRCH);
}
if ((error = p_cansee(td, tp)) != 0) {
PROC_UNLOCK(tp);
crfree(newcred);
return (error);
}
oldcred = tp->p_ucred;
crcopy(newcred, oldcred);
newcred->cr_audit.ai_mask.am_success =
udata.au_aupinfo.ap_mask.am_success;
newcred->cr_audit.ai_mask.am_failure =
udata.au_aupinfo.ap_mask.am_failure;
proc_set_cred(tp, newcred);
PROC_UNLOCK(tp);
crfree(oldcred);
break;
case A_SETFSIZE:
if (uap->length != sizeof(udata.au_fstat))
return (EINVAL);
if ((udata.au_fstat.af_filesz != 0) &&
(udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
return (EINVAL);
audit_fstat.af_filesz = udata.au_fstat.af_filesz;
break;
case A_GETFSIZE:
if (uap->length != sizeof(udata.au_fstat))
return (EINVAL);
udata.au_fstat.af_filesz = audit_fstat.af_filesz;
udata.au_fstat.af_currsz = audit_fstat.af_currsz;
break;
case A_GETPINFO_ADDR:
if (uap->length != sizeof(udata.au_aupinfo_addr))
return (EINVAL);
if (udata.au_aupinfo_addr.ap_pid < 1)
return (ESRCH);
if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
return (ESRCH);
cred = tp->p_ucred;
udata.au_aupinfo_addr.ap_auid = cred->cr_audit.ai_auid;
udata.au_aupinfo_addr.ap_mask.am_success =
cred->cr_audit.ai_mask.am_success;
udata.au_aupinfo_addr.ap_mask.am_failure =
cred->cr_audit.ai_mask.am_failure;
udata.au_aupinfo_addr.ap_termid = cred->cr_audit.ai_termid;
udata.au_aupinfo_addr.ap_asid = cred->cr_audit.ai_asid;
PROC_UNLOCK(tp);
break;
case A_GETKAUDIT:
if (uap->length != sizeof(udata.au_kau_info))
return (EINVAL);
audit_get_kinfo(&udata.au_kau_info);
break;
case A_SETKAUDIT:
if (uap->length != sizeof(udata.au_kau_info))
return (EINVAL);
if (udata.au_kau_info.ai_termid.at_type != AU_IPv4 &&
udata.au_kau_info.ai_termid.at_type != AU_IPv6)
return (EINVAL);
audit_set_kinfo(&udata.au_kau_info);
break;
case A_SENDTRIGGER:
if (uap->length != sizeof(udata.au_trigger))
return (EINVAL);
if ((udata.au_trigger < AUDIT_TRIGGER_MIN) ||
(udata.au_trigger > AUDIT_TRIGGER_MAX))
return (EINVAL);
return (audit_send_trigger(udata.au_trigger));
default:
return (EINVAL);
}
switch (uap->cmd) {
case A_GETPOLICY:
case A_OLDGETPOLICY:
case A_GETKMASK:
case A_GETQCTRL:
case A_OLDGETQCTRL:
case A_GETCWD:
case A_GETCAR:
case A_GETSTAT:
case A_GETCOND:
case A_OLDGETCOND:
case A_GETCLASS:
case A_GETPINFO:
case A_GETFSIZE:
case A_GETPINFO_ADDR:
case A_GETKAUDIT:
error = copyout((void *)&udata, uap->data, uap->length);
if (error)
return (error);
break;
}
return (0);
}
int
sys_getauid(struct thread *td, struct getauid_args *uap)
{
int error;
error = audit_priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid,
sizeof(td->td_ucred->cr_audit.ai_auid)));
}
int
sys_setauid(struct thread *td, struct setauid_args *uap)
{
struct ucred *newcred, *oldcred;
au_id_t id;
int error;
error = copyin(uap->auid, &id, sizeof(id));
if (error)
return (error);
audit_arg_auid(id);
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_cred_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
error = audit_priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
if (error)
goto fail;
newcred->cr_audit.ai_auid = id;
proc_set_cred(td->td_proc, newcred);
PROC_UNLOCK(td->td_proc);
crfree(oldcred);
return (0);
fail:
PROC_UNLOCK(td->td_proc);
crfree(newcred);
return (error);
}
int
sys_getaudit(struct thread *td, struct getaudit_args *uap)
{
struct auditinfo ai;
struct ucred *cred;
int error;
cred = td->td_ucred;
error = audit_priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
if (cred->cr_audit.ai_termid.at_type == AU_IPv6)
return (E2BIG);
bzero(&ai, sizeof(ai));
ai.ai_auid = cred->cr_audit.ai_auid;
ai.ai_mask = cred->cr_audit.ai_mask;
ai.ai_asid = cred->cr_audit.ai_asid;
ai.ai_termid.machine = cred->cr_audit.ai_termid.at_addr[0];
ai.ai_termid.port = cred->cr_audit.ai_termid.at_port;
return (copyout(&ai, uap->auditinfo, sizeof(ai)));
}
int
sys_setaudit(struct thread *td, struct setaudit_args *uap)
{
struct ucred *newcred, *oldcred;
struct auditinfo ai;
int error;
error = copyin(uap->auditinfo, &ai, sizeof(ai));
if (error)
return (error);
audit_arg_auditinfo(&ai);
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_cred_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
error = audit_priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
if (error)
goto fail;
bzero(&newcred->cr_audit, sizeof(newcred->cr_audit));
newcred->cr_audit.ai_auid = ai.ai_auid;
newcred->cr_audit.ai_mask = ai.ai_mask;
newcred->cr_audit.ai_asid = ai.ai_asid;
newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
newcred->cr_audit.ai_termid.at_type = AU_IPv4;
proc_set_cred(td->td_proc, newcred);
PROC_UNLOCK(td->td_proc);
crfree(oldcred);
return (0);
fail:
PROC_UNLOCK(td->td_proc);
crfree(newcred);
return (error);
}
int
sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
int error;
if (uap->length < sizeof(*uap->auditinfo_addr))
return (EOVERFLOW);
error = audit_priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr,
sizeof(*uap->auditinfo_addr)));
}
int
sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
{
struct ucred *newcred, *oldcred;
struct auditinfo_addr aia;
int error;
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
if (error)
return (error);
audit_arg_auditinfo_addr(&aia);
if (aia.ai_termid.at_type != AU_IPv6 &&
aia.ai_termid.at_type != AU_IPv4)
return (EINVAL);
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_cred_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif
error = audit_priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT);
if (error)
goto fail;
newcred->cr_audit = aia;
proc_set_cred(td->td_proc, newcred);
PROC_UNLOCK(td->td_proc);
crfree(oldcred);
return (0);
fail:
PROC_UNLOCK(td->td_proc);
crfree(newcred);
return (error);
}
int
sys_auditctl(struct thread *td, struct auditctl_args *uap)
{
struct nameidata nd;
struct ucred *cred;
struct vnode *vp;
int error = 0;
int flags;
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_CONTROL);
if (error)
return (error);
vp = NULL;
cred = NULL;
if (uap->path == NULL)
return (EINVAL);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_USERSPACE,
uap->path);
flags = AUDIT_OPEN_FLAGS;
error = vn_open(&nd, &flags, 0, NULL);
if (error)
return (error);
vp = nd.ni_vp;
#ifdef MAC
error = mac_system_check_auditctl(td->td_ucred, vp);
VOP_UNLOCK(vp);
if (error) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
return (error);
}
#else
VOP_UNLOCK(vp);
#endif
NDFREE_PNBUF(&nd);
if (vp->v_type != VREG) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
return (EINVAL);
}
cred = td->td_ucred;
crhold(cred);
audit_trail_suspended = 0;
audit_syscalls_enabled_update();
audit_rotate_vnode(cred, vp);
return (error);
}
#else
int
sys_audit(struct thread *td, struct audit_args *uap)
{
return (ENOSYS);
}
int
sys_auditon(struct thread *td, struct auditon_args *uap)
{
return (ENOSYS);
}
int
sys_getauid(struct thread *td, struct getauid_args *uap)
{
return (ENOSYS);
}
int
sys_setauid(struct thread *td, struct setauid_args *uap)
{
return (ENOSYS);
}
int
sys_getaudit(struct thread *td, struct getaudit_args *uap)
{
return (ENOSYS);
}
int
sys_setaudit(struct thread *td, struct setaudit_args *uap)
{
return (ENOSYS);
}
int
sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
return (ENOSYS);
}
int
sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
{
return (ENOSYS);
}
int
sys_auditctl(struct thread *td, struct auditctl_args *uap)
{
return (ENOSYS);
}
#endif
