Commit Graph

182 Commits

Author SHA1 Message Date
Robert Watson
8f8dedbed8 Set the lower bound on queue size for an audit pipe to 1 instead of 0,
as an audit pipe with a queue length of 0 is less useful.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 15:38:31 +00:00
Robert Watson
f4f93a63f5 Change various routines that are responsible for transforming audit
event IDs based on arguments to return au_event_t rather than int.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 14:39:35 +00:00
Robert Watson
8b14aeee4b Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments
and not the label.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 14:24:35 +00:00
Robert Watson
4ba1f444c5 Audit the flag argument to the nfssvc(2) system call.
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-02-08 14:04:08 +00:00
Robert Watson
91e832e0c3 Eliminate the local variable 'ape' in audit_pipe_kqread(), as it's only
used for an assertion that we don't really need anymore.

MFC after:	1 week
Reported by:	Christoph Mallon <christoph dot mallon at gmx dot de>
2009-02-04 19:56:37 +00:00
Robert Watson
07cd9ab013 Update copyright, P4 version number as audit_bsm_token.c reflects changes
in bsm_token.c through #86 from OpenBSM.

MFC after:	1 month
Sponsored by:	Apple, Inc.
Obtained from:	TrustedBSD Project
2009-01-14 12:16:14 +00:00
Robert Watson
c74c7b73a0 Merge OpenBSM alpha 5 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).  Hook up bsm_domain.c and bsm_socket_type.c to the libbsm
build along with man pages, add audit_bsm_domain.c and
audit_bsm_socket_type.c to the kernel environment.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 alpha 5

- Stub libauditd(3) man page added.
- All BSM error number constants with BSM_ERRNO_.
- Interfaces to convert between local and BSM socket types and protocol
  families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3),
  au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions
  of constants in audit_domain.h and audit_socket_type.h.  This improves
  interoperability by converting local constant spaces, which vary by OS, to
  and from Solaris constants (where available) or OpenBSM constants for
  protocol domains not present in Solaris (a fair number).  These routines
  should be used when generating and interpreting extended socket tokens.
- Fix build warnings with full gcc warnings enabled on most supported
  platforms.
- Don't compile error strings into bsm_errno.c when building it in the kernel
  environment.
- When started by launchd, use the label com.apple.auditd rather than
  org.trustedbsd.auditd.
2009-01-14 10:44:16 +00:00
Robert Watson
d423f266c4 Do a lockless read of the audit pipe list before grabbing the audit pipe
lock in order to avoid the lock acquire hit if the pipe list is very
likely empty.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	Apple, Inc.
2009-01-06 14:15:38 +00:00
Robert Watson
cd6bbe656e In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit
record is active on the current thread--historically we may always
have wanted to enter the audit code if auditing was enabled, but now
we just commit the audit record so don't need to enter if there isn't
one.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-01-06 13:59:59 +00:00
Robert Watson
efcde1e8c7 Fix white space botch: use carriage returns rather than tabs. 2008-12-31 23:22:45 +00:00
Robert Watson
3c36dc8159 Commit two files missed in previous commit: hook up audit_bsm_errno.c
and adapt for kernel build environment.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2008-12-31 13:56:31 +00:00
Robert Watson
fcdb2e9607 Call au_errno_to_bsm() on the errno value passed into au_to_return32()
to convert local FreeBSD error numbers into BSM error numbers.

Obtained from:	TrustedBSD Project
2008-12-31 11:56:35 +00:00
Robert Watson
7a0a89d2cb Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).  Add libauditd build parts and add to auditd's linkage;
force libbsm to build before libauditd.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 alpha 4

- With the addition of BSM error number mapping, we also need to map the
  local error number passed to audit_submit(3) to a BSM error number,
  rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
  more formal allocation scheme, and add some events allocated in Solaris
  that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
  directly, rather than requiring applications to map to the local error
  space, which might not be able to entirely represent the BSM error
  number space.
- Major auditd rewrite for launchd(8) support.  Add libauditd library
  that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
  (re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
  startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
  has been recovered from not being properly terminated.  This event is
  stored in the new audit trail file and includes the path of recovered
  audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
  auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
  calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.

OpenBSM 1.1 alpha 3

- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
  between BSM error numbers (largely the Solaris definitions) and local
  errno(2) values for 32-bit and 64-bit return tokens.  This is required
  as operating systems don't agree on some of the values of more recent
  error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
  total size for the token.  This buge.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
2008-12-31 11:12:24 +00:00
Robert Watson
52267f7411 Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).

- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
  audit_bsm_token.c.
- Synchronize bsm includes and definitions.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

--

OpenBSM 1.1 alpha 2

- Include files in OpenBSM are now broken out into two parts: library builds
  required solely for user space, and system includes, which may also be
  required for use in the kernels of systems integrating OpenBSM.  Submitted
  by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
  include for system includes, rather than the versions bundled with OpenBSM.
  This is intended specifically for platforms that ship OpenBSM, have adapted
  versions of the system includes in a kernel source tree, and will use the
  OpenBSM build infrastructure with an unmodified OpenBSM distribution,
  allowing the customized system includes to be used with the OpenBSM build.
  Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
  or asprintf().  Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
  BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
  on the host generating the record.
- Add support for setting extended host information in the kernel, which is
  used for setting host information in extended header tokens.  The
  audit_control file now supports a "host" parameter which can be used by
  auditd to set the information; if not present, the kernel parameters won't
  be set and auditd uses unextended headers for records that it generates.

OpenBSM 1.1 alpha 1

- Add option to auditreduce(1) which allows users to invert sense of
  matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
  event there is an error writing the subject token.  This was submitted
  by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
  that const strings can be passed as arguments to tokens.  This patch was
  submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
2008-12-02 23:26:43 +00:00
Christian S.J. Peron
5ac14ef177 Partially roll back a revision which changed the error code being returned
by getaudit(2).  Some applications such has su, id will interpret E2BIG as
requiring the use of getaudit_addr(2) to pull extended audit state (ip6)
from the kernel.

This change un-breaks the ABI when auditing has been activated on a system
and the users are logged in via ip6.

This is a RELENG_7_1 candidate.

MFC after:	1 day
Discussed with:	rwatson
2008-11-30 19:58:03 +00:00
Robert Watson
a760c0b245 Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and
add one that was missing.

MFC after:	3 weeks
Coverity ID:	3960
2008-11-25 11:25:45 +00:00
Robert Watson
e6870c95e3 When repeatedly accessing a thread credential, cache the credential
pointer in a local thread.  While this is unlikely to significantly
improve performance given modern compiler behavior, it makes the code
more readable and reduces diffs to the Mac OS X version of the same
code (which stores things in creds in the same way, but where the
cred for a thread is reached quite differently).

Discussed with: sson
MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:	TrustedBSD Project
2008-11-14 01:24:52 +00:00
Robert Watson
618521b1a2 The audit queue limit variables are size_t, so use size_t for the audit
queue length variables as well, avoiding storing the limit in a larger
type than the length.

Submitted by:	sson
Sponsored by:	Apple Inc.
MFC after:	1 week
2008-11-13 00:21:01 +00:00
Robert Watson
4ebff7e0ca Move audit-internal function definitions for getting and setting audit
kinfo state to audit_private.h.
2008-11-11 23:08:20 +00:00
Robert Watson
91721ee9ba Minor style tweaks and change lock name string to use _'s and not spaces
to improve parseability.
2008-11-11 22:59:40 +00:00
Christian S.J. Peron
ffbcef5a42 Add support for extended header BSM tokens. Currently we use the
regular header tokens.  The extended header tokens contain an IP
or IPv6 address which makes it possible to identify which host an
audit record came from when audit records are centralized.

If the host information has not been specified, the system will
default to the old style headers.  Otherwise, audit records that
are created as a result of system calls will contain host information.

This implemented has been designed to be consistent with the Solaris
implementation.  Host information is set/retrieved using the A_GETKAUDIT
and A_SETKAUDIT auditon(2) commands.  These commands require that a
pointer to a auditinfo_addr_t object is passed.  Currently only IP and
IPv6 address families are supported.

The users pace bits associated with this change will follow in an
openbsm import.

Reviewed by:	rwatson, (sson, wsalamon (older version))
MFC after:	1 month
2008-11-11 21:57:03 +00:00
Robert Watson
b713bf6e3a Wrap sx locking of the audit worker sleep lock in macros, update comments.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-10 22:06:24 +00:00
John Baldwin
927edcc9ba Use shared vnode locks for auditing vnode arguments as auditing only
does a VOP_GETATTR() which does not require an exclusive lock.

Reviewed by:	csjp, rwatson
2008-11-04 22:31:04 +00:00
John Baldwin
16da60664d Don't lock the vnode around calls to vn_fullpath().
Reviewed by:	csjp, rwatson
2008-11-04 22:30:24 +00:00
Robert Watson
d2f6bb070f Update introductory comment for audit pipes.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:25:48 +00:00
Robert Watson
6e1362b499 Remove stale comment about filtering in audit pipe ioctl routine: we do
support filtering now, although we may want to make it more interesting
in the future.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:18:19 +00:00
Robert Watson
e4565e2028 Add comment for per-pipe stats.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 23:05:49 +00:00
Robert Watson
cff9c52e23 We only allow a partial read of the first record in an audit pipe
record queue, so move the offset field from the per-record
audit_pipe_entry structure to the audit_pipe structure.

Now that we support reading more than one record at a time, add a
new summary field to audit_pipe, ap_qbyteslen, which tracks the
total number of bytes present in a pipe, and return that (minus
the current offset) via FIONREAD and kqueue's data variable for
the pending byte count rather than the number of bytes remaining
in only the first record.

Add a number of asserts to confirm that these counts and offsets
following the expected rules.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:56:45 +00:00
Robert Watson
a9275e0bd5 Allow a single read(2) system call on an audit pipe to retrieve data from
more than one audit record at a time in order to improve efficiency.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:16:09 +00:00
Robert Watson
1a0edb10ca Since there is no longer the opportunity for record truncation, just
return 0 if the truncation counter is queried on an audit pipe.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 15:11:01 +00:00
Robert Watson
5a9d15cd4c Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped.  Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.

This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record.  Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush.  Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.

It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 14:40:21 +00:00
Robert Watson
1daa6feb45 When we drop an audit record going to and audit pipe because the audit
pipe has overflowed, drop the newest, rather than oldest, record.  This
makes overflow drop behavior consistent with memory allocation failure
leading to drop, avoids touching the consumer end of the queue from a
producer, and lowers the CPU overhead of dropping a record by dropping
before memory allocation and copying.

Obtained from:	Apple, Inc.
MFC after:	2 months
2008-10-30 23:09:19 +00:00
Robert Watson
846f37f1e7 Break out single audit_pipe_mtx into two types of locks: a global rwlock
protecting the list of audit pipes, and a per-pipe mutex protecting the
queue.

Likewise, replace the single global condition variable used to signal
delivery of a record to one or more pipes, and add a per-pipe condition
variable to avoid spurious wakeups when event subscriptions differ
across multiple pipes.

This slightly increases the cost of delivering to audit pipes, but should
reduce lock contention in the presence of multiple readers as only the
per-pipe lock is required to read from a pipe, as well as avoid
overheading when different pipes are used in different ways.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-30 21:58:39 +00:00
Robert Watson
c211285f25 Protect the event->class lookup database using an rwlock instead of a
mutex, as it's rarely changed but frequently accessed read-only from
multiple threads, so a potentially significant source of contention.

MFC after:	1 month
Sponsored by:	Apple, Inc.
2008-10-30 17:47:57 +00:00
Ed Schouten
d3ce832719 Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers
equal to (unneeded) device minor numbers. We used to require
bitshifting, because there were eight bits in the middle that were
reserved for a device major number. Not very long after I turned
dev2unit(), minor(), unit2minor() and minor2unit() into macro's.
The unit2minor() and minor2unit() macro's were no-ops.

We'd better not remove these four macro's from the kernel, because there
is a lot of (external) code that may still depend on them. For now it's
harmless to remove all invocations of unit2minor() and minor2unit().

Reviewed by:	kib
2008-09-26 14:19:52 +00:00
Dag-Erling Smørgrav
19de3e9011 Unbreak the build.
Pointy hat to:	kevlo
2008-09-04 13:06:36 +00:00
Kevin Lo
f308bddd3f If the process id specified is invalid, the system call returns ESRCH 2008-09-04 10:44:33 +00:00
Attilio Rao
0359a12ead Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
2008-08-28 15:23:18 +00:00
Robert Watson
3f3978840e More fully audit fexecve(2) and its arguments.
Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2008-08-25 13:50:01 +00:00
Robert Watson
e08f2b26f4 Use ERANGE instead of EOVERFLOW selected in r182059, this seems more
appropriate even if Solaris doesn't document it (E2BIG) or use it
(EOVERFLOW).

Submitted by:	nectar at apple dot com
Sponsored by:	Apple, Inc.
MFC after:	3 days
2008-08-24 19:55:10 +00:00
Christian S.J. Peron
db8502672e Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are
appending a single character to the buffer.

MFC after:	2 weeks
2008-08-24 03:12:17 +00:00
Robert Watson
cc10282298 When getaudit(2) is unable to fit the terminal IPv6 address into the
space provided by its argument structure, return EOVERFLOW instead of
E2BIG.  The latter is documented in Solaris's man page, but the
former is implemented.  In either case, the caller should use
getaudit_addr(2) to return the IPv6 address.

Submitted by:	sson
Obtained from:	Apple, Inc.
MFC after:	3 days
2008-08-23 14:39:01 +00:00
Christian S.J. Peron
40d288ba0c Make sure we check the preselection masks present for all audit pipes.
It is possible that the audit pipe(s) have different preselection configs
then the global preselection mask.

Spotted by:	Vincenzo Iozzo
MFC after:	2 weeks
2008-08-11 20:14:56 +00:00
Christian S.J. Peron
dfc714fba1 Currently, BSM audit pathname token generation for chrooted or jailed
processes are not producing absolute pathname tokens.  It is required
that audited pathnames are generated relative to the global root mount
point.  This modification changes our implementation of audit_canon_path(9)
and introduces a new function: vn_fullpath_global(9) which performs a
vnode -> pathname translation relative to the global mount point based
on the contents of the name cache.  Much like vn_fullpath,
vn_fullpath_global is a wrapper function which called vn_fullpath1.

Further, the string parsing routines have been converted to use the
sbuf(9) framework.  This change also removes the conditional acquisition
of Giant, since the vn_fullpath1 method will not dip into file system
dependent code.

The vnode locking was modified to use vhold()/vdrop() instead the vref()
and vrele().  This will modify the hold count instead of modifying the
user count.  This makes more sense since it's the kernel that requires
the reference to the vnode.  This also makes sure that the vnode does not
get recycled we hold the reference to it. [1]

Discussed with:	rwatson
Reviewed by:	kib [1]
MFC after:	2 weeks
2008-07-31 16:57:41 +00:00
Robert Watson
f6d4a8a77b Further synchronization of copyrights, licenses, white space, etc from
Apple and from the OpenBSM vendor tree.

Obtained from:	Apple Inc., TrustedBSD Project
MFC after:	3 days
2008-07-31 09:54:35 +00:00
Robert Watson
33f0efe6b0 Minor white space tweak.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-23 07:42:31 +00:00
Robert Watson
93536b495d If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
with equivilent content to AUE_SYSCTL.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:54:32 +00:00
Robert Watson
30d0721b59 Further minor style fixes to audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:49:30 +00:00
Robert Watson
1814e5b748 Remove unneeded \ at the end of a macro.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:08:27 +00:00
Robert Watson
3c4636a7d4 Further minor white space tweaks.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:06:49 +00:00