1 | /* |
2 | * Copyright (c) 2006-2007 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson |
30 | * Copyright (c) 2001 Ilmar S. Habibulin |
31 | * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc. |
32 | * |
33 | * This software was developed by Robert Watson and Ilmar Habibulin for the |
34 | * TrustedBSD Project. |
35 | * |
36 | * This software was developed for the FreeBSD Project in part by Network |
37 | * Associates Laboratories, the Security Research Division of Network |
38 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), |
39 | * as part of the DARPA CHATS research program. |
40 | * |
41 | * Redistribution and use in source and binary forms, with or without |
42 | * modification, are permitted provided that the following conditions |
43 | * are met: |
44 | * 1. Redistributions of source code must retain the above copyright |
45 | * notice, this list of conditions and the following disclaimer. |
46 | * 2. Redistributions in binary form must reproduce the above copyright |
47 | * notice, this list of conditions and the following disclaimer in the |
48 | * documentation and/or other materials provided with the distribution. |
49 | * |
50 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
51 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
52 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
53 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
54 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
55 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
56 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
57 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
58 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
59 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
60 | * SUCH DAMAGE. |
61 | * |
62 | */ |
63 | #include <sys/param.h> |
64 | #include <sys/types.h> |
65 | #include <sys/vnode.h> |
66 | #include <sys/vnode_internal.h> |
67 | #include <sys/kauth.h> |
68 | #include <sys/queue.h> |
69 | #include <security/mac_internal.h> |
70 | #include <bsd/bsm/audit.h> |
71 | #include <bsd/security/audit/audit.h> |
72 | #include <bsd/sys/malloc.h> |
73 | #include <vm/vm_kern.h> |
74 | #include <kern/kalloc.h> |
75 | #include <kern/zalloc.h> |
76 | |
77 | #if CONFIG_AUDIT |
78 | |
79 | /* The zone allocator is initialized in mac_base.c. */ |
80 | zone_t mac_audit_data_zone; |
81 | |
82 | int |
83 | mac_system_check_audit(struct ucred *cred, void *record, int length) |
84 | { |
85 | int error; |
86 | |
87 | MAC_CHECK(system_check_audit, cred, record, length); |
88 | |
89 | return (error); |
90 | } |
91 | |
92 | int |
93 | mac_system_check_auditon(struct ucred *cred, int cmd) |
94 | { |
95 | int error; |
96 | |
97 | MAC_CHECK(system_check_auditon, cred, cmd); |
98 | |
99 | return (error); |
100 | } |
101 | |
102 | int |
103 | mac_system_check_auditctl(struct ucred *cred, struct vnode *vp) |
104 | { |
105 | int error; |
106 | struct label *vl = vp ? vp->v_label : NULL; |
107 | |
108 | MAC_CHECK(system_check_auditctl, cred, vp, vl); |
109 | |
110 | return (error); |
111 | } |
112 | |
113 | int |
114 | mac_proc_check_getauid(struct proc *curp) |
115 | { |
116 | kauth_cred_t cred; |
117 | int error; |
118 | |
119 | #if SECURITY_MAC_CHECK_ENFORCE |
120 | /* 21167099 - only check if we allow write */ |
121 | if (!mac_proc_enforce) |
122 | return 0; |
123 | #endif |
124 | |
125 | if (!mac_proc_check_enforce(curp)) |
126 | return 0; |
127 | |
128 | cred = kauth_cred_proc_ref(curp); |
129 | MAC_CHECK(proc_check_getauid, cred); |
130 | kauth_cred_unref(&cred); |
131 | |
132 | return (error); |
133 | } |
134 | |
135 | int |
136 | mac_proc_check_setauid(struct proc *curp, uid_t auid) |
137 | { |
138 | kauth_cred_t cred; |
139 | int error; |
140 | |
141 | #if SECURITY_MAC_CHECK_ENFORCE |
142 | /* 21167099 - only check if we allow write */ |
143 | if (!mac_proc_enforce) |
144 | return 0; |
145 | #endif |
146 | if (!mac_proc_check_enforce(curp)) |
147 | return 0; |
148 | |
149 | cred = kauth_cred_proc_ref(curp); |
150 | MAC_CHECK(proc_check_setauid, cred, auid); |
151 | kauth_cred_unref(&cred); |
152 | |
153 | return (error); |
154 | } |
155 | |
156 | int |
157 | mac_proc_check_getaudit(struct proc *curp) |
158 | { |
159 | kauth_cred_t cred; |
160 | int error; |
161 | |
162 | #if SECURITY_MAC_CHECK_ENFORCE |
163 | /* 21167099 - only check if we allow write */ |
164 | if (!mac_proc_enforce) |
165 | return 0; |
166 | #endif |
167 | if (!mac_proc_check_enforce(curp)) |
168 | return 0; |
169 | |
170 | cred = kauth_cred_proc_ref(curp); |
171 | MAC_CHECK(proc_check_getaudit, cred); |
172 | kauth_cred_unref(&cred); |
173 | |
174 | return (error); |
175 | } |
176 | |
177 | int |
178 | mac_proc_check_setaudit(struct proc *curp, struct auditinfo_addr *ai) |
179 | { |
180 | kauth_cred_t cred; |
181 | int error; |
182 | |
183 | #if SECURITY_MAC_CHECK_ENFORCE |
184 | /* 21167099 - only check if we allow write */ |
185 | if (!mac_proc_enforce) |
186 | return 0; |
187 | #endif |
188 | if (!mac_proc_check_enforce(curp)) |
189 | return 0; |
190 | |
191 | cred = kauth_cred_proc_ref(curp); |
192 | MAC_CHECK(proc_check_setaudit, cred, ai); |
193 | kauth_cred_unref(&cred); |
194 | |
195 | return (error); |
196 | } |
197 | |
198 | #if 0 |
199 | /* |
200 | * This is the framework entry point for MAC policies to use to add |
201 | * arbitrary data to the current audit record. |
202 | * (Currently not supported, as no existing audit viewers would |
203 | * display this format) |
204 | * |
205 | */ |
206 | int |
207 | mac_audit_data(int len, u_char *data, mac_policy_handle_t handle) |
208 | { |
209 | char *sanitized; |
210 | |
211 | if ((len <= 0) || (len > MAC_AUDIT_DATA_LIMIT)) |
212 | return (EINVAL); |
213 | |
214 | sanitized = (char *)zalloc(mac_audit_data_zone); |
215 | |
216 | bcopy(data, sanitized, len); |
217 | return (audit_mac_data(MAC_AUDIT_DATA_TYPE, len, sanitized)); |
218 | } |
219 | #endif |
220 | |
221 | /* |
222 | * This is the entry point a MAC policy will call to add NULL- |
223 | * terminated ASCII text to the current audit record. |
224 | */ |
225 | int |
226 | mac_audit_text(char *text, mac_policy_handle_t handle) |
227 | { |
228 | char *sanitized; |
229 | const char *name; |
230 | int i, size, plen, len; |
231 | |
232 | name = mac_get_mpc(handle)->mpc_name; |
233 | len = strlen(text); |
234 | plen = 2 + strlen(name); |
235 | if (plen + len >= MAC_AUDIT_DATA_LIMIT) |
236 | return (EINVAL); |
237 | |
238 | /* |
239 | * Make sure the text is only composed of only ASCII printable |
240 | * characters. |
241 | */ |
242 | for (i=0; i < len; i++) |
243 | if (text[i] < (char) 32 || text[i] > (char) 126) |
244 | return (EINVAL); |
245 | |
246 | size = len + plen + 1; |
247 | sanitized = (char *)zalloc(mac_audit_data_zone); |
248 | |
249 | strlcpy(sanitized, name, MAC_AUDIT_DATA_LIMIT); |
250 | strncat(sanitized, ": " , MAC_AUDIT_DATA_LIMIT - plen + 2); |
251 | strncat(sanitized, text, MAC_AUDIT_DATA_LIMIT - plen); |
252 | |
253 | return (audit_mac_data(MAC_AUDIT_TEXT_TYPE, size, (u_char *)sanitized)); |
254 | } |
255 | |
256 | int |
257 | mac_audit_check_preselect(struct ucred *cred, unsigned short syscode, void *args) |
258 | { |
259 | struct mac_policy_conf *mpc; |
260 | int ret, error; |
261 | u_int i; |
262 | |
263 | ret = MAC_AUDIT_DEFAULT; |
264 | for (i = 0; i < mac_policy_list.staticmax; i++) { |
265 | mpc = mac_policy_list.entries[i].mpc; |
266 | if (mpc == NULL) |
267 | continue; |
268 | |
269 | if (mpc->mpc_ops->mpo_audit_check_preselect != NULL) { |
270 | error = mpc->mpc_ops->mpo_audit_check_preselect(cred, |
271 | syscode, args); |
272 | ret = (ret > error ? ret : error); |
273 | } |
274 | } |
275 | if (mac_policy_list_conditional_busy() != 0) { |
276 | for (; i <= mac_policy_list.maxindex; i++) { |
277 | mpc = mac_policy_list.entries[i].mpc; |
278 | if (mpc == NULL) |
279 | continue; |
280 | |
281 | if (mpc->mpc_ops->mpo_audit_check_preselect != NULL) { |
282 | error = mpc->mpc_ops->mpo_audit_check_preselect(cred, |
283 | syscode, args); |
284 | ret = (ret > error ? ret : error); |
285 | } |
286 | } |
287 | mac_policy_list_unbusy(); |
288 | } |
289 | |
290 | return (ret); |
291 | } |
292 | |
293 | int |
294 | mac_audit_check_postselect(struct ucred *cred, unsigned short syscode, |
295 | void *args, int error, int retval, int mac_forced) |
296 | { |
297 | struct mac_policy_conf *mpc; |
298 | int ret, mac_error; |
299 | u_int i; |
300 | |
301 | /* |
302 | * If the audit was forced by a MAC policy by mac_audit_check_preselect(), |
303 | * echo that. |
304 | */ |
305 | if (mac_forced) |
306 | return (MAC_AUDIT_YES); |
307 | |
308 | ret = MAC_AUDIT_DEFAULT; |
309 | for (i = 0; i < mac_policy_list.staticmax; i++) { |
310 | mpc = mac_policy_list.entries[i].mpc; |
311 | if (mpc == NULL) |
312 | continue; |
313 | |
314 | if (mpc->mpc_ops->mpo_audit_check_postselect != NULL) { |
315 | mac_error = mpc->mpc_ops->mpo_audit_check_postselect(cred, |
316 | syscode, args, error, retval); |
317 | ret = (ret > mac_error ? ret : mac_error); |
318 | } |
319 | } |
320 | if (mac_policy_list_conditional_busy() != 0) { |
321 | for (; i <= mac_policy_list.maxindex; i++) { |
322 | mpc = mac_policy_list.entries[i].mpc; |
323 | if (mpc == NULL) |
324 | continue; |
325 | |
326 | if (mpc->mpc_ops->mpo_audit_check_postselect != NULL) { |
327 | mac_error = mpc->mpc_ops->mpo_audit_check_postselect(cred, |
328 | syscode, args, error, retval); |
329 | ret = (ret > mac_error ? ret : mac_error); |
330 | } |
331 | } |
332 | mac_policy_list_unbusy(); |
333 | } |
334 | |
335 | return (ret); |
336 | } |
337 | |
338 | #else /* !CONFIG_AUDIT */ |
339 | |
340 | /* |
341 | * Function stubs for when AUDIT isn't defined. |
342 | */ |
343 | |
344 | int |
345 | mac_system_check_audit(__unused struct ucred *cred, __unused void *record, __unused int length) |
346 | { |
347 | |
348 | return (0); |
349 | } |
350 | |
351 | int |
352 | mac_system_check_auditon(__unused struct ucred *cred, __unused int cmd) |
353 | { |
354 | |
355 | return (0); |
356 | } |
357 | |
358 | int |
359 | mac_system_check_auditctl(__unused struct ucred *cred, __unused struct vnode *vp) |
360 | { |
361 | |
362 | return (0); |
363 | } |
364 | |
365 | int |
366 | mac_proc_check_getauid(__unused struct proc *curp) |
367 | { |
368 | |
369 | return (0); |
370 | } |
371 | |
372 | int |
373 | mac_proc_check_setauid(__unused struct proc *curp, __unused uid_t auid) |
374 | { |
375 | |
376 | return (0); |
377 | } |
378 | |
379 | int |
380 | mac_proc_check_getaudit(__unused struct proc *curp) |
381 | { |
382 | |
383 | return (0); |
384 | } |
385 | |
386 | int |
387 | mac_proc_check_setaudit(__unused struct proc *curp, |
388 | __unused struct auditinfo_addr *ai) |
389 | { |
390 | |
391 | return (0); |
392 | } |
393 | |
394 | int |
395 | mac_audit_check_preselect(__unused struct ucred *cred, __unused unsigned short syscode, |
396 | __unused void *args) |
397 | { |
398 | |
399 | return (MAC_AUDIT_DEFAULT); |
400 | } |
401 | |
402 | int |
403 | mac_audit_check_postselect(__unused struct ucred *cred, __unused unsigned short syscode, |
404 | __unused void *args, __unused int error, __unused int retval, __unused int mac_forced) |
405 | { |
406 | |
407 | return (MAC_AUDIT_DEFAULT); |
408 | } |
409 | |
410 | int |
411 | mac_audit_text(__unused char *text, __unused mac_policy_handle_t handle) |
412 | { |
413 | return (0); |
414 | } |
415 | #endif /* !CONFIG_AUDIT */ |
416 | |