This is xnu-11215.1.10. See this file in:
/*-
* Copyright (c) 1999-2016 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
/*
* NOTICE: This file was modified by McAfee Research in 2004 to introduce
* support for mandatory and extensible security protections. This notice
* is included in support of clause 2.2 (b) of the Apple Public License,
* Version 2.0.
*/
#include <sys/param.h>
#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/namei.h>
#include <sys/proc_internal.h>
#include <sys/kauth.h>
#include <sys/queue.h>
#include <sys/systm.h>
#include <sys/time.h>
#include <sys/ucred.h>
#include <sys/uio.h>
#include <sys/unistd.h>
#include <sys/file_internal.h>
#include <sys/vnode_internal.h>
#include <sys/user.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/sysent.h>
#include <sys/sysproto.h>
#include <sys/vfs_context.h>
#include <sys/domain.h>
#include <sys/protosw.h>
#include <sys/socketvar.h>
#include <sys/codesign.h>
#include <sys/ubc.h>
#include <bsm/audit.h>
#include <bsm/audit_internal.h>
#include <bsm/audit_kevents.h>
#include <security/audit/audit.h>
#include <security/audit/audit_bsd.h>
#include <security/audit/audit_private.h>
#include <mach/host_priv.h>
#include <mach/host_special_ports.h>
#include <mach/audit_triggers_server.h>
#include <kern/host.h>
#include <kern/zalloc.h>
#include <kern/sched_prim.h>
#if CONFIG_MACF
#include <bsm/audit_record.h>
#include <security/mac.h>
#include <security/mac_framework.h>
#include <security/mac_policy.h>
extern zone_t audit_mac_label_zone;
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_pcb.h>
#if CONFIG_AUDIT
/*
* Calls to manipulate elements of the audit record structure from system
* call code. Macro wrappers will prevent this functions from being entered
* if auditing is disabled, avoiding the function call cost. We check the
* thread audit record pointer anyway, as the audit condition could change,
* and pre-selection may not have allocated an audit record for this event.
*
* XXXAUDIT: Should we assert, in each case, that this field of the record
* hasn't already been filled in?
*/
void
audit_arg_addr(struct kaudit_record *ar, user_addr_t addr)
{
struct proc *p = current_proc();
ar->k_ar.ar_arg_addr = addr;
/*
* If the process is 64-bit then flag the address as such.
*/
if (proc_is64bit(p)) {
ARG_SET_VALID(ar, ARG_ADDR64);
} else {
ARG_SET_VALID(ar, ARG_ADDR32);
}
}
void
audit_arg_exit(struct kaudit_record *ar, int status, int retval)
{
ar->k_ar.ar_arg_exitstatus = status;
ar->k_ar.ar_arg_exitretval = retval;
ARG_SET_VALID(ar, ARG_EXIT);
}
void
audit_arg_len(struct kaudit_record *ar, user_size_t len)
{
ar->k_ar.ar_arg_len = len;
ARG_SET_VALID(ar, ARG_LEN);
}
void
audit_arg_fd2(struct kaudit_record *ar, int fd)
{
ar->k_ar.ar_arg_fd2 = fd;
ARG_SET_VALID(ar, ARG_FD2);
}
void
audit_arg_fd(struct kaudit_record *ar, int fd)
{
ar->k_ar.ar_arg_fd = fd;
ARG_SET_VALID(ar, ARG_FD);
}
void
audit_arg_fflags(struct kaudit_record *ar, int fflags)
{
ar->k_ar.ar_arg_fflags = fflags;
ARG_SET_VALID(ar, ARG_FFLAGS);
}
void
audit_arg_gid(struct kaudit_record *ar, gid_t gid)
{
ar->k_ar.ar_arg_gid = gid;
ARG_SET_VALID(ar, ARG_GID);
}
void
audit_arg_uid(struct kaudit_record *ar, uid_t uid)
{
ar->k_ar.ar_arg_uid = uid;
ARG_SET_VALID(ar, ARG_UID);
}
void
audit_arg_egid(struct kaudit_record *ar, gid_t egid)
{
ar->k_ar.ar_arg_egid = egid;
ARG_SET_VALID(ar, ARG_EGID);
}
void
audit_arg_euid(struct kaudit_record *ar, uid_t euid)
{
ar->k_ar.ar_arg_euid = euid;
ARG_SET_VALID(ar, ARG_EUID);
}
void
audit_arg_rgid(struct kaudit_record *ar, gid_t rgid)
{
ar->k_ar.ar_arg_rgid = rgid;
ARG_SET_VALID(ar, ARG_RGID);
}
void
audit_arg_ruid(struct kaudit_record *ar, uid_t ruid)
{
ar->k_ar.ar_arg_ruid = ruid;
ARG_SET_VALID(ar, ARG_RUID);
}
void
audit_arg_sgid(struct kaudit_record *ar, gid_t sgid)
{
ar->k_ar.ar_arg_sgid = sgid;
ARG_SET_VALID(ar, ARG_SGID);
}
void
audit_arg_suid(struct kaudit_record *ar, uid_t suid)
{
ar->k_ar.ar_arg_suid = suid;
ARG_SET_VALID(ar, ARG_SUID);
}
void
audit_arg_groupset(struct kaudit_record *ar, const gid_t *gidset, u_int gidset_size)
{
u_int i;
for (i = 0; i < gidset_size; i++) {
ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
}
ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
ARG_SET_VALID(ar, ARG_GROUPSET);
}
void
audit_arg_login(struct kaudit_record *ar, const char *login)
{
strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
ARG_SET_VALID(ar, ARG_LOGIN);
}
void
audit_arg_ctlname(struct kaudit_record *ar, const int *name, int namelen)
{
bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
ar->k_ar.ar_arg_len = namelen;
ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
}
void
audit_arg_mask(struct kaudit_record *ar, int mask)
{
ar->k_ar.ar_arg_mask = mask;
ARG_SET_VALID(ar, ARG_MASK);
}
void
audit_arg_mode(struct kaudit_record *ar, mode_t mode)
{
ar->k_ar.ar_arg_mode = mode;
ARG_SET_VALID(ar, ARG_MODE);
}
void
audit_arg_value32(struct kaudit_record *ar, uint32_t value32)
{
ar->k_ar.ar_arg_value32 = value32;
ARG_SET_VALID(ar, ARG_VALUE32);
}
void
audit_arg_value64(struct kaudit_record *ar, uint64_t value64)
{
ar->k_ar.ar_arg_value64 = value64;
ARG_SET_VALID(ar, ARG_VALUE64);
}
void
audit_arg_owner(struct kaudit_record *ar, uid_t uid, gid_t gid)
{
ar->k_ar.ar_arg_uid = uid;
ar->k_ar.ar_arg_gid = gid;
ARG_SET_VALID(ar, ARG_UID | ARG_GID);
}
void
audit_arg_pid(struct kaudit_record *ar, pid_t pid)
{
ar->k_ar.ar_arg_pid = pid;
ARG_SET_VALID(ar, ARG_PID);
}
void
audit_arg_process(struct kaudit_record *ar, proc_t p)
{
kauth_cred_t my_cred;
KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
if (p == NULL) {
return;
}
my_cred = kauth_cred_proc_ref(p);
ar->k_ar.ar_arg_auid = my_cred->cr_audit.as_aia_p->ai_auid;
ar->k_ar.ar_arg_asid = my_cred->cr_audit.as_aia_p->ai_asid;
bcopy(&my_cred->cr_audit.as_aia_p->ai_termid,
&ar->k_ar.ar_arg_termid_addr, sizeof(au_tid_addr_t));
ar->k_ar.ar_arg_euid = kauth_cred_getuid(my_cred);
ar->k_ar.ar_arg_egid = kauth_cred_getgid(my_cred);
ar->k_ar.ar_arg_ruid = kauth_cred_getruid(my_cred);
ar->k_ar.ar_arg_rgid = kauth_cred_getrgid(my_cred);
kauth_cred_unref(&my_cred);
ar->k_ar.ar_arg_pid = proc_getpid(p);
ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
}
void
audit_arg_signum(struct kaudit_record *ar, u_int signum)
{
ar->k_ar.ar_arg_signum = signum;
ARG_SET_VALID(ar, ARG_SIGNUM);
}
void
audit_arg_socket(struct kaudit_record *ar, int sodomain, int sotype,
int soprotocol)
{
ar->k_ar.ar_arg_sockinfo.sai_domain = sodomain;
ar->k_ar.ar_arg_sockinfo.sai_type = sotype;
ar->k_ar.ar_arg_sockinfo.sai_protocol = soprotocol;
ARG_SET_VALID(ar, ARG_SOCKINFO);
}
/*
* Note that the current working directory vp must be supplied at the audit
* call site to permit per thread current working directories, and that it
* must take a upath starting with '/' into account for chroot if the path
* is absolute. This results in the real (non-chroot) path being recorded
* in the audit record.
*/
void
audit_arg_sockaddr(struct kaudit_record *ar, struct vnode *cwd_vp,
struct sockaddr *sa)
{
char path[SOCK_MAXADDRLEN - offsetof(struct sockaddr_un, sun_path) + 1] = "";
struct sockaddr_un *sun;
ssize_t namelen;
KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
if (cwd_vp == NULL || sa == NULL) {
return;
}
if (sa->sa_len > sizeof(ar->k_ar.ar_arg_sockaddr)) {
bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
} else {
bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
}
switch (sa->sa_family) {
case AF_INET:
ARG_SET_VALID(ar, ARG_SADDRINET);
break;
case AF_INET6:
ARG_SET_VALID(ar, ARG_SADDRINET6);
break;
case AF_UNIX:
sun = (struct sockaddr_un *)sa;
namelen = sun->sun_len - offsetof(struct sockaddr_un, sun_path);
if (namelen > 0 && (size_t)namelen < sizeof(path)) {
/*
* Make sure the path is NUL-terminated
*/
bcopy(sun->sun_path, path, namelen);
path[namelen] = 0;
audit_arg_upath(ar, cwd_vp, path, ARG_UPATH1);
}
ARG_SET_VALID(ar, ARG_SADDRUNIX);
break;
/* XXXAUDIT: default:? */
}
}
void
audit_arg_auid(struct kaudit_record *ar, uid_t auid)
{
ar->k_ar.ar_arg_auid = auid;
ARG_SET_VALID(ar, ARG_AUID);
}
void
audit_arg_auditinfo(struct kaudit_record *ar, const struct auditinfo *au_info)
{
ar->k_ar.ar_arg_auid = au_info->ai_auid;
ar->k_ar.ar_arg_asid = au_info->ai_asid;
ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
}
void
audit_arg_auditinfo_addr(struct kaudit_record *ar,
const struct auditinfo_addr *au_info)
{
ar->k_ar.ar_arg_auid = au_info->ai_auid;
ar->k_ar.ar_arg_asid = au_info->ai_asid;
ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
}
void
audit_arg_text(struct kaudit_record *ar, const char *text)
{
KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
/* Invalidate the text string */
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
if (text == NULL) {
return;
}
if (ar->k_ar.ar_arg_text == NULL) {
ar->k_ar.ar_arg_text = zalloc(ZV_NAMEI);
}
strlcpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
ARG_SET_VALID(ar, ARG_TEXT);
}
void
audit_arg_opaque(struct kaudit_record *ar, const void *data, size_t size)
{
KASSERT(data != NULL, ("audit_arg_opaque: data == NULL"));
KASSERT(size <= UINT16_MAX, ("audit_arg_opaque: size > UINT16_MAX"));
if (data == NULL || size > UINT16_MAX) {
return;
}
if (ar->k_ar.ar_arg_opaque == NULL) {
ar->k_ar.ar_arg_opaque = kalloc_data(size, Z_WAITOK);
} else {
return;
}
if (ar->k_ar.ar_arg_opaque == NULL) {
return;
}
memcpy(ar->k_ar.ar_arg_opaque, data, size);
ar->k_ar.ar_arg_opq_size = (u_int16_t) size;
ARG_SET_VALID(ar, ARG_OPAQUE);
}
void
audit_arg_data(struct kaudit_record *ar, const void *data, size_t size, size_t number)
{
size_t sz;
KASSERT(data != NULL, ("audit_arg_data: data == NULL"));
KASSERT(size >= AUR_BYTE_SIZE && size <= AUR_INT64_SIZE,
("audit_arg_data: size < AUR_BYTE_SIZE or size > AUR_INT64_SIZE"));
KASSERT(number <= UINT8_MAX,
("audit_arg_data: number > UINT8_MAX"));
if (data == NULL || size < AUR_BYTE_SIZE || size > AUR_INT64_SIZE ||
number > UINT8_MAX) {
return;
}
sz = size * number;
if (ar->k_ar.ar_arg_data == NULL) {
ar->k_ar.ar_arg_data = kalloc_data(sz, Z_WAITOK);
} else {
return;
}
if (ar->k_ar.ar_arg_data == NULL) {
return;
}
memcpy(ar->k_ar.ar_arg_data, data, sz);
switch (size) {
case AUR_BYTE_SIZE:
ar->k_ar.ar_arg_data_type = AUR_BYTE;
break;
case AUR_SHORT_SIZE:
ar->k_ar.ar_arg_data_type = AUR_SHORT;
break;
case AUR_INT32_SIZE:
ar->k_ar.ar_arg_data_type = AUR_INT32;
break;
case AUR_INT64_SIZE:
ar->k_ar.ar_arg_data_type = AUR_INT64;
break;
default:
kfree_data(ar->k_ar.ar_arg_data, sz);
ar->k_ar.ar_arg_data = NULL;
return;
}
ar->k_ar.ar_arg_data_count = (u_char)number;
ARG_SET_VALID(ar, ARG_DATA);
}
void
audit_arg_cmd(struct kaudit_record *ar, int cmd)
{
ar->k_ar.ar_arg_cmd = cmd;
ARG_SET_VALID(ar, ARG_CMD);
}
void
audit_arg_svipc_cmd(struct kaudit_record *ar, int cmd)
{
ar->k_ar.ar_arg_svipc_cmd = cmd;
ARG_SET_VALID(ar, ARG_SVIPC_CMD);
}
void
audit_arg_svipc_perm(struct kaudit_record *ar, const struct ipc_perm *perm)
{
bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
sizeof(ar->k_ar.ar_arg_svipc_perm));
ARG_SET_VALID(ar, ARG_SVIPC_PERM);
}
void
audit_arg_svipc_id(struct kaudit_record *ar, int id)
{
ar->k_ar.ar_arg_svipc_id = id;
ARG_SET_VALID(ar, ARG_SVIPC_ID);
}
void
audit_arg_svipc_addr(struct kaudit_record *ar, user_addr_t addr)
{
ar->k_ar.ar_arg_svipc_addr = addr;
ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
}
void
audit_arg_posix_ipc_perm(struct kaudit_record *ar, uid_t uid, gid_t gid,
mode_t mode)
{
ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
}
void
audit_arg_auditon(struct kaudit_record *ar, const union auditon_udata *udata)
{
bcopy((const void *)udata, &ar->k_ar.ar_arg_auditon,
sizeof(ar->k_ar.ar_arg_auditon));
ARG_SET_VALID(ar, ARG_AUDITON);
}
/*
* Audit information about a file, either the file's vnode info, or its
* socket address info.
*/
void
audit_arg_file(struct kaudit_record *ar, __unused proc_t p,
struct fileproc *fp)
{
struct socket *so;
struct inpcb *pcb;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
switch (FILEGLOB_DTYPE(fp->fp_glob)) {
case DTYPE_VNODE:
/* case DTYPE_FIFO: */
audit_arg_vnpath_withref(ar,
(struct vnode *)fp_get_data(fp), ARG_VNODE1);
break;
case DTYPE_SOCKET:
so = (struct socket *)fp_get_data(fp);
if (SOCK_CHECK_DOM(so, PF_INET)) {
if (so->so_pcb == NULL) {
break;
}
ar->k_ar.ar_arg_sockinfo.sai_type =
so->so_type;
ar->k_ar.ar_arg_sockinfo.sai_domain = SOCK_DOM(so);
ar->k_ar.ar_arg_sockinfo.sai_protocol = SOCK_PROTO(so);
pcb = (struct inpcb *)so->so_pcb;
sin = (struct sockaddr_in *)
&ar->k_ar.ar_arg_sockinfo.sai_faddr;
sin->sin_addr.s_addr = pcb->inp_faddr.s_addr;
sin->sin_port = pcb->inp_fport;
sin = (struct sockaddr_in *)
&ar->k_ar.ar_arg_sockinfo.sai_laddr;
sin->sin_addr.s_addr = pcb->inp_laddr.s_addr;
sin->sin_port = pcb->inp_lport;
ARG_SET_VALID(ar, ARG_SOCKINFO);
}
if (SOCK_CHECK_DOM(so, PF_INET6)) {
if (so->so_pcb == NULL) {
break;
}
ar->k_ar.ar_arg_sockinfo.sai_type =
so->so_type;
ar->k_ar.ar_arg_sockinfo.sai_domain = SOCK_DOM(so);
ar->k_ar.ar_arg_sockinfo.sai_protocol = SOCK_PROTO(so);
pcb = (struct inpcb *)so->so_pcb;
sin6 = (struct sockaddr_in6 *)
&ar->k_ar.ar_arg_sockinfo.sai_faddr;
sin6->sin6_addr = pcb->in6p_faddr;
sin6->sin6_port = pcb->in6p_fport;
sin6 = (struct sockaddr_in6 *)
&ar->k_ar.ar_arg_sockinfo.sai_laddr;
sin6->sin6_addr = pcb->in6p_laddr;
sin6->sin6_port = pcb->in6p_lport;
ARG_SET_VALID(ar, ARG_SOCKINFO);
}
break;
default:
/* XXXAUDIT: else? */
break;
}
}
/*
* Store a path as given by the user process for auditing into the audit
* record stored on the user thread. This function will allocate the memory
* to store the path info if not already available. This memory will be
* freed when the audit record is freed.
*
* Note that the current working directory vp must be supplied at the audit call
* site to permit per thread current working directories, and that it must take
* a upath starting with '/' into account for chroot if the path is absolute.
* This results in the real (non-chroot) path being recorded in the audit
* record.
*
* XXXAUDIT: Possibly assert that the memory isn't already allocated?
*/
void
audit_arg_upath(struct kaudit_record *ar, struct vnode *cwd_vp, const char *upath, u_int64_t flag)
{
char **pathp;
KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
("audit_arg_upath: flag %llu", (unsigned long long)flag));
KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
("audit_arg_upath: flag %llu", (unsigned long long)flag));
if (flag == ARG_UPATH1) {
pathp = &ar->k_ar.ar_arg_upath1;
} else {
pathp = &ar->k_ar.ar_arg_upath2;
}
if (*pathp == NULL) {
*pathp = zalloc(ZV_NAMEI);
} else {
return;
}
if (audit_canon_path(cwd_vp, upath, *pathp) == 0) {
ARG_SET_VALID(ar, flag);
} else {
zfree(ZV_NAMEI, *pathp);
*pathp = NULL;
}
}
void
audit_arg_kpath(struct kaudit_record *ar, const char *kpath, u_int64_t flag)
{
char **pathp;
KASSERT(kpath != NULL, ("audit_arg_kpath: kpath == NULL"));
KASSERT((flag == ARG_KPATH1) || (flag == ARG_KPATH2),
("audit_arg_kpath: flag %llu", (unsigned long long)flag));
KASSERT((flag != ARG_KPATH1) || (flag != ARG_KPATH2),
("audit_arg_kpath: flag %llu", (unsigned long long)flag));
if (flag == ARG_KPATH1) {
pathp = &ar->k_ar.ar_arg_kpath1;
} else {
pathp = &ar->k_ar.ar_arg_kpath2;
}
if (*pathp == NULL) {
*pathp = zalloc(ZV_NAMEI);
} else {
return;
}
strlcpy(*pathp, kpath, MAXPATHLEN);
ARG_SET_VALID(ar, flag);
}
/*
* Function to save the path and vnode attr information into the audit
* record.
*
* It is assumed that the caller will hold any vnode locks necessary to
* perform a VNOP_GETATTR() on the passed vnode.
*
* XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
* provides access to the generation number as we need that to construct the
* BSM file ID.
*
* XXX: We should accept the process argument from the caller, since it's
* very likely they already have a reference.
*
* XXX: Error handling in this function is poor.
*
* XXXAUDIT: Possibly KASSERT the path pointer is NULL?
*/
void
audit_arg_vnpath(struct kaudit_record *ar, struct vnode *vp, u_int64_t flags)
{
struct vnode_attr va;
int error;
int len;
char **pathp;
struct vnode_au_info *vnp;
proc_t p;
#if CONFIG_MACF
char **vnode_mac_labelp;
struct mac mac;
#endif
KASSERT(vp != NULL, ("audit_arg_vnpath: vp == NULL"));
KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
("audit_arg_vnpath: flags != ARG_VNODE[1,2]"));
p = current_proc();
/*
* XXXAUDIT: The below clears, and then resets the flags for valid
* arguments. Ideally, either the new vnode is used, or the old one
* would be.
*/
if (flags & ARG_VNODE1) {
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
pathp = &ar->k_ar.ar_arg_kpath1;
vnp = &ar->k_ar.ar_arg_vnode1;
#if CONFIG_MACF
vnode_mac_labelp = &ar->k_ar.ar_vnode1_mac_labels;
#endif
} else {
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
pathp = &ar->k_ar.ar_arg_kpath2;
vnp = &ar->k_ar.ar_arg_vnode2;
#if CONFIG_MACF
vnode_mac_labelp = &ar->k_ar.ar_vnode2_mac_labels;
#endif
}
if (*pathp == NULL) {
*pathp = zalloc(ZV_NAMEI);
} else {
return;
}
/*
* If vn_getpath() succeeds, place it in a string buffer
* attached to the audit record, and set a flag indicating
* it is present.
*/
len = MAXPATHLEN;
if (vn_getpath(vp, *pathp, &len) == 0) {
if (flags & ARG_VNODE1) {
ARG_SET_VALID(ar, ARG_KPATH1);
} else {
ARG_SET_VALID(ar, ARG_KPATH2);
}
} else {
zfree(ZV_NAMEI, *pathp);
*pathp = NULL;
}
VATTR_INIT(&va);
VATTR_WANTED(&va, va_mode);
VATTR_WANTED(&va, va_uid);
VATTR_WANTED(&va, va_gid);
VATTR_WANTED(&va, va_rdev);
VATTR_WANTED(&va, va_fsid);
VATTR_WANTED(&va, va_fileid);
VATTR_WANTED(&va, va_gen);
error = vnode_getattr(vp, &va, vfs_context_current());
if (error) {
/* XXX: How to handle this case? */
return;
}
#if CONFIG_MACF
if (*vnode_mac_labelp == NULL && (vp->v_lflag & VL_LABELED) == VL_LABELED) {
*vnode_mac_labelp = zalloc_flags(audit_mac_label_zone,
Z_WAITOK | Z_NOFAIL);
mac.m_buflen = MAC_AUDIT_LABEL_LEN;
mac.m_string = *vnode_mac_labelp;
if (mac_vnode_label_externalize_audit(vp, &mac)) {
return;
}
}
#endif
/*
* XXX do we want to fall back here when these aren't supported?
*/
vnp->vn_mode = va.va_mode;
vnp->vn_uid = va.va_uid;
vnp->vn_gid = va.va_gid;
vnp->vn_dev = va.va_rdev;
vnp->vn_fsid = va.va_fsid;
vnp->vn_fileid = (u_int32_t)va.va_fileid;
vnp->vn_gen = va.va_gen;
if (flags & ARG_VNODE1) {
ARG_SET_VALID(ar, ARG_VNODE1);
} else {
ARG_SET_VALID(ar, ARG_VNODE2);
}
}
void
audit_arg_vnpath_withref(struct kaudit_record *ar, struct vnode *vp, u_int64_t flags)
{
if (vp == NULL || vnode_getwithref(vp)) {
return;
}
audit_arg_vnpath(ar, vp, flags);
(void)vnode_put(vp);
}
void
audit_arg_mach_port1(struct kaudit_record *ar, mach_port_name_t port)
{
ar->k_ar.ar_arg_mach_port1 = port;
ARG_SET_VALID(ar, ARG_MACHPORT1);
}
void
audit_arg_mach_port2(struct kaudit_record *ar, mach_port_name_t port)
{
ar->k_ar.ar_arg_mach_port2 = port;
ARG_SET_VALID(ar, ARG_MACHPORT2);
}
/*
* Audit the argument strings passed to exec.
*/
void
audit_arg_argv(struct kaudit_record *ar, const char *argv, int argc, size_t length)
{
if (audit_argv == 0 || argc == 0) {
return;
}
if (ar->k_ar.ar_arg_argv == NULL) {
ar->k_ar.ar_arg_argv = kalloc_data(length, Z_WAITOK);
}
if (ar->k_ar.ar_arg_argv == NULL) {
return;
}
bcopy(argv, ar->k_ar.ar_arg_argv, length);
ar->k_ar.ar_arg_argc = argc;
ARG_SET_VALID(ar, ARG_ARGV);
}
/*
* Audit the environment strings passed to exec.
*/
void
audit_arg_envv(struct kaudit_record *ar, const char *envv, int envc, size_t length)
{
if (audit_arge == 0 || envc == 0) {
return;
}
if (ar->k_ar.ar_arg_envv == NULL) {
ar->k_ar.ar_arg_envv = kalloc_data(length, Z_WAITOK);
}
if (ar->k_ar.ar_arg_envv == NULL) {
return;
}
bcopy(envv, ar->k_ar.ar_arg_envv, length);
ar->k_ar.ar_arg_envc = envc;
ARG_SET_VALID(ar, ARG_ENVV);
}
/*
* The close() system call uses it's own audit call to capture the path/vnode
* information because those pieces are not easily obtained within the system
* call itself.
*/
void
audit_sysclose(struct kaudit_record *ar, proc_t p, int fd)
{
struct fileproc *fp;
struct vnode *vp;
KASSERT(p != NULL, ("audit_sysclose: p == NULL"));
audit_arg_fd(ar, fd);
if (fp_getfvp(p, fd, &fp, &vp) != 0) {
return;
}
audit_arg_vnpath_withref(ar, (struct vnode *)fp_get_data(fp),
ARG_VNODE1);
fp_drop(p, fd, fp, 0);
}
void
audit_identity_info_destruct(struct au_identity_info *id_info)
{
if (!id_info) {
return;
}
if (id_info->signing_id != NULL) {
kfree_data(id_info->signing_id, MAX_AU_IDENTITY_SIGNING_ID_LENGTH);
id_info->signing_id = NULL;
}
if (id_info->team_id != NULL) {
kfree_data(id_info->team_id, MAX_AU_IDENTITY_TEAM_ID_LENGTH);
id_info->team_id = NULL;
}
if (id_info->cdhash != NULL) {
kfree_data(id_info->cdhash, id_info->cdhash_len);
id_info->cdhash = NULL;
}
}
void
audit_identity_info_construct(struct au_identity_info *id_info)
{
struct proc *p;
struct cs_blob *blob;
unsigned int signer_type = 0;
const char *signing_id = NULL;
const char* team_id = NULL;
const uint8_t *cdhash = NULL;
size_t src_len = 0;
p = current_proc();
blob = csproc_get_blob(p);
if (blob) {
signing_id = csblob_get_identity(blob);
cdhash = csblob_get_cdhash(blob);
team_id = csblob_get_teamid(blob);
signer_type = csblob_get_platform_binary(blob) ? 1 : 0;
}
id_info->signer_type = signer_type;
if (id_info->signing_id == NULL && signing_id != NULL) {
id_info->signing_id = kalloc_data(MAX_AU_IDENTITY_SIGNING_ID_LENGTH,
Z_WAITOK | Z_NOFAIL);
src_len = strlcpy(id_info->signing_id,
signing_id, MAX_AU_IDENTITY_SIGNING_ID_LENGTH);
if (src_len >= MAX_AU_IDENTITY_SIGNING_ID_LENGTH) {
id_info->signing_id_trunc = 1;
}
}
if (id_info->team_id == NULL && team_id != NULL) {
id_info->team_id = kalloc_data(MAX_AU_IDENTITY_TEAM_ID_LENGTH,
Z_WAITOK | Z_NOFAIL);
src_len = strlcpy(id_info->team_id, team_id,
MAX_AU_IDENTITY_TEAM_ID_LENGTH);
if (src_len >= MAX_AU_IDENTITY_TEAM_ID_LENGTH) {
id_info->team_id_trunc = 1;
}
}
if (id_info->cdhash == NULL && cdhash != NULL) {
id_info->cdhash = kalloc_data(CS_CDHASH_LEN, Z_WAITOK | Z_NOFAIL);
memcpy(id_info->cdhash, cdhash, CS_CDHASH_LEN);
id_info->cdhash_len = CS_CDHASH_LEN;
}
}
void
audit_arg_identity(struct kaudit_record *ar)
{
audit_identity_info_construct(&ar->k_ar.ar_arg_identity);
ARG_SET_VALID(ar, ARG_IDENTITY);
}
#endif /* CONFIG_AUDIT */