#include <string.h>
#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <kern/host.h>
#include <kern/kalloc.h>
#include <kern/locks.h>
#include <kern/sched_prim.h>
#include <libkern/OSAtomic.h>
#include <bsm/audit.h>
#include <bsm/audit_internal.h>
#include <security/audit/audit_bsd.h>
#include <security/audit/audit.h>
#include <security/audit/audit_private.h>
#include <mach/host_priv.h>
#include <mach/host_special_ports.h>
#include <mach/audit_triggers_server.h>
#if CONFIG_AUDIT
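/*
 * Bookkeeping header placed immediately in front of every buffer handed out
 * by _audit_malloc().  _audit_free() recovers it by stepping back one
 * struct mhdr from the payload pointer, so the payload must remain the last
 * member.
 */
struct mhdr {
	size_t			 mh_size;	/* header + payload bytes, passed back to kfree() */
	au_malloc_type_t	*mh_type;	/* malloc type supplied by the caller */
	u_long			 mh_magic;	/* AUDIT_MHMAGIC while the buffer is live */
	char			 mh_data[];	/* payload (C99 flexible array member, was GNU [0]) */
};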
/*
 * Lock group passed to every lck_*_alloc_init()/lck_*_free() call in this
 * file; assigned by _audit_lck_grp_init().
 */
static lck_grp_t *audit_lck_grp = NULL;
/* Value stored in mhdr.mh_magic by _audit_malloc() and checked by _audit_free(). */
#define AUDIT_MHMAGIC 0x4D656C53
#if AUDIT_MALLOC_DEBUG
/* Sizes of the fixed-width string fields in the exported debug record. */
#define AU_MAX_SHORTDESC 20
#define AU_MAX_LASTCALLER 20
/*
 * One record per audit malloc type, copied out to user space by the
 * kern.audit_malloc_debug sysctl handler below.
 */
struct au_malloc_debug_info {
	SInt64 md_size;		/* copied from mt_size */
	SInt64 md_maxsize;	/* copied from mt_maxsize */
	SInt32 md_inuse;	/* copied from mt_inuse */
	SInt32 md_maxused;	/* copied from mt_maxused */
	unsigned md_type;	/* not written by the handler in this file; stays zero */
	unsigned md_magic;	/* copied from mt_magic */
	char md_shortdesc[AU_MAX_SHORTDESC];	/* copied from mt_shortdesc */
	char md_lastcaller[AU_MAX_LASTCALLER];	/* copied from mt_lastcaller */
};
typedef struct au_malloc_debug_info au_malloc_debug_info_t;
/* Indexed by mt_type; a slot is filled in by _audit_malloc() on first use of that type. */
au_malloc_type_t *audit_malloc_types[NUM_MALLOC_TYPES];
static int audit_sysctl_malloc_debug(struct sysctl_oid *oidp, void *arg1,
    int arg2, struct sysctl_req *req);
/* Registered with CTLFLAG_RD; the handler also rejects writes itself. */
SYSCTL_PROC(_kern, OID_AUTO, audit_malloc_debug, CTLFLAG_RD, NULL, 0,
    audit_sysctl_malloc_debug, "S,audit_malloc_debug",
    "Current malloc debug info for auditing.");
/* Worst-case size of the exported table: one record for every malloc type. */
#define AU_MALLOC_DBINFO_SZ \
	(NUM_MALLOC_TYPES * sizeof(au_malloc_debug_info_t))
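/*
 * Read-only sysctl handler that exports one au_malloc_debug_info_t per
 * registered audit malloc type.
 *
 * Returns EPERM if the caller tries to set a value, ENOMEM if the user
 * buffer is smaller than the worst-case table or the staging buffer cannot
 * be allocated, otherwise the result of SYSCTL_OUT().  A NULL old pointer is
 * treated as a size probe and reports AU_MALLOC_DBINFO_SZ.
 */
static int
audit_sysctl_malloc_debug(__unused struct sysctl_oid *oidp, __unused void *arg1,
    __unused int arg2, struct sysctl_req *req)
{
	int i;
	size_t sz;
	au_malloc_debug_info_t *amdi_ptr, *nxt_ptr;
	int err;

	/* This node is read-only: refuse any attempt to supply a new value. */
	if (req->newptr != USER_ADDR_NULL)
		return (EPERM);

	/* Size probe: report how large a buffer the caller needs. */
	if (req->oldptr == USER_ADDR_NULL) {
		req->oldidx = AU_MALLOC_DBINFO_SZ;
		return (0);
	}

	/* Require room for the worst case so the copy-out cannot be short. */
	if (req->oldlen < AU_MALLOC_DBINFO_SZ)
		return (ENOMEM);

	amdi_ptr = kalloc(AU_MALLOC_DBINFO_SZ);
	if (amdi_ptr == NULL)
		return (ENOMEM);

	/*
	 * Zero the staging buffer before filling it: struct padding, the
	 * never-written md_type field and the tails of the string fields are
	 * all copied to user space and must not carry stale kernel heap data.
	 */
	bzero(amdi_ptr, AU_MALLOC_DBINFO_SZ);

	sz = 0;
	nxt_ptr = amdi_ptr;
	for (i = 0; i < NUM_MALLOC_TYPES; i++) {
		/* Read the slot once; _audit_malloc() may publish it concurrently. */
		au_malloc_type_t *mt = audit_malloc_types[i];

		if (mt == NULL)
			continue;

		nxt_ptr->md_magic = mt->mt_magic;
		/*
		 * A type with a bad magic is skipped without advancing nxt_ptr,
		 * so the magic recorded above is overwritten by the next valid
		 * entry (behavior kept from the original).
		 */
		if (mt->mt_magic != M_MAGIC)
			continue;

		nxt_ptr->md_size = mt->mt_size;
		nxt_ptr->md_maxsize = mt->mt_maxsize;
		nxt_ptr->md_inuse = (int)mt->mt_inuse;
		nxt_ptr->md_maxused = (int)mt->mt_maxused;
		/*
		 * strlcpy() takes the full destination size and always
		 * NUL-terminates; the former "size - 1" dropped one usable
		 * character from each string.
		 */
		strlcpy(nxt_ptr->md_shortdesc, mt->mt_shortdesc,
		    sizeof(nxt_ptr->md_shortdesc));
		strlcpy(nxt_ptr->md_lastcaller, mt->mt_lastcaller,
		    sizeof(nxt_ptr->md_lastcaller));
		sz += sizeof(au_malloc_debug_info_t);
		nxt_ptr++;
	}

	/* Only the populated records are copied out. */
	req->oldlen = sz;
	err = SYSCTL_OUT(req, amdi_ptr, sz);
	kfree(amdi_ptr, AU_MALLOC_DBINFO_SZ);
	return (err);
}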
#endif
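/*
 * Allocate `size` bytes for the audit subsystem, prefixed by a struct mhdr
 * that records the total allocation size, the malloc type and a magic value.
 *
 * Returns a pointer to the payload, or NULL when size is 0, when
 * header + size would overflow size_t, or when an M_NOWAIT allocation fails.
 * Without M_NOWAIT an allocation failure panics.  M_ZERO clears the payload.
 */
void *
#if AUDIT_MALLOC_DEBUG
_audit_malloc(size_t size, au_malloc_type_t *type, int flags, const char *fn)
#else
_audit_malloc(size_t size, au_malloc_type_t *type, int flags)
#endif
{
	struct mhdr *hdr;
	size_t memsize = sizeof(*hdr) + size;

	if (size == 0)
		return (NULL);

	/*
	 * Unsigned addition wraps: if header + size overflowed, memsize is
	 * smaller than size and the allocation would be too small for the
	 * payload the caller is about to write.  Refuse the request instead.
	 */
	if (memsize < size)
		return (NULL);

	if (flags & M_NOWAIT) {
		hdr = (void *)kalloc_noblock(memsize);
	} else {
		hdr = (void *)kalloc(memsize);
		if (hdr == NULL)
			panic("_audit_malloc: kernel memory exhausted");
	}
	if (hdr == NULL)
		return (NULL);

	hdr->mh_size = memsize;
	hdr->mh_type = type;
	hdr->mh_magic = AUDIT_MHMAGIC;
	if (flags & M_ZERO)
		memset(hdr->mh_data, 0, size);

#if AUDIT_MALLOC_DEBUG
	if (type != NULL && type->mt_type < NUM_MALLOC_TYPES) {
		OSAddAtomic64(memsize, &type->mt_size);
		/* The high-water marks are plain stores, so they are approximate under contention. */
		type->mt_maxsize = max(type->mt_size, type->mt_maxsize);
		OSAddAtomic(1, &type->mt_inuse);
		type->mt_maxused = max(type->mt_inuse, type->mt_maxused);
		type->mt_lastcaller = fn;
		/* Publish the type so the debug sysctl can report it. */
		audit_malloc_types[type->mt_type] = type;
	}
#endif
	return (hdr->mh_data);
}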
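/*
 * Release a buffer obtained from _audit_malloc().  NULL is ignored.
 *
 * The allocation size handed to kfree() comes from the header in front of
 * the payload, so `addr` must be exactly the pointer _audit_malloc()
 * returned.
 */
void
#if AUDIT_MALLOC_DEBUG
_audit_free(void *addr, au_malloc_type_t *type)
#else
_audit_free(void *addr, __unused au_malloc_type_t *type)
#endif
{
	struct mhdr *hdr;
	size_t memsize;

	if (addr == NULL)
		return;

	/* The header sits directly before the payload. */
	hdr = (struct mhdr *)addr - 1;

	/*
	 * NOTE(review): this is the only check that addr really came from
	 * _audit_malloc().  The expansion of KASSERT is not visible in this
	 * file; if it compiles to nothing in some configurations, a corrupted
	 * header would reach kfree() with an unverified size -- confirm.
	 */
	KASSERT(hdr->mh_magic == AUDIT_MHMAGIC,
	    ("_audit_free(): hdr->mh_magic != AUDIT_MHMAGIC"));

	/* Read the size once, before the memory is released. */
	memsize = hdr->mh_size;

#if AUDIT_MALLOC_DEBUG
	if (type != NULL) {
		/*
		 * Negate in the signed 64-bit domain.  Negating the size_t
		 * first yields a large positive value when size_t is narrower
		 * than 64 bits, which would grow mt_size instead of shrinking it.
		 */
		OSAddAtomic64(-(SInt64)memsize, &type->mt_size);
		OSAddAtomic(-1, &type->mt_inuse);
	}
#endif
	kfree(hdr, memsize);
}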
/*
 * Initialise a condition variable: record its description (or "UNKNOWN"
 * when none is given) and reset the waiter count.
 */
void
_audit_cv_init(struct cv *cvp, const char *desc)
{
	cvp->cv_description = (desc != NULL) ? desc : "UNKNOWN";
	cvp->cv_waiters = 0;
}
/*
 * Tear down a condition variable by clearing its waiter count and
 * description.  No memory is released here.
 */
void
_audit_cv_destroy(struct cv *cvp)
{
	cvp->cv_waiters = 0;
	cvp->cv_description = NULL;
}
/*
 * Wake one thread sleeping on the condition variable, if any are recorded.
 * cv_waiters is updated with plain arithmetic; presumably the caller holds
 * the mutex paired with this cv -- verify against callers.
 */
void
_audit_cv_signal(struct cv *cvp)
{
	if (cvp->cv_waiters <= 0)
		return;

	wakeup_one((caddr_t)cvp);
	cvp->cv_waiters--;
}
/*
 * Wake every thread sleeping on the condition variable and reset the
 * waiter count.  Does nothing when no waiters are recorded.
 */
void
_audit_cv_broadcast(struct cv *cvp)
{
	if (cvp->cv_waiters <= 0)
		return;

	wakeup((caddr_t)cvp);
	cvp->cv_waiters = 0;
}
/*
 * Sleep on the condition variable at PZERO with no timeout.  The waiter is
 * counted before sleeping and the msleep() result is deliberately ignored.
 */
void
_audit_cv_wait(struct cv *cvp, lck_mtx_t *mp, const char *desc)
{
	cvp->cv_waiters += 1;
	(void)msleep(cvp, mp, PZERO, desc, 0);
}
/*
 * Signal-interruptible variant of _audit_cv_wait(): sleeps with
 * PSOCK | PCATCH and hands the msleep() result back to the caller.
 */
int
_audit_cv_wait_sig(struct cv *cvp, lck_mtx_t *mp, const char *desc)
{
	int rc;

	cvp->cv_waiters += 1;
	rc = msleep(cvp, mp, PSOCK | PCATCH, desc, 0);
	return (rc);
}
/*
 * Allocate the Mach mutex behind an audit mtx from the audit lock group.
 * Allocation failure is caught only by KASSERT.  Under DIAGNOSTIC the lock
 * name is copied into the structure, bounded by AU_MAX_LCK_NAME.
 */
void
#if DIAGNOSTIC
_audit_mtx_init(struct mtx *mp, const char *lckname)
#else
_audit_mtx_init(struct mtx *mp, __unused const char *lckname)
#endif
{

	mp->mtx_lock = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
	KASSERT(mp->mtx_lock != NULL,
	    ("_audit_mtx_init: Could not allocate a mutex."));
#if DIAGNOSTIC
	/* strlcpy() truncates and NUL-terminates within AU_MAX_LCK_NAME. */
	strlcpy(mp->mtx_name, lckname, AU_MAX_LCK_NAME);
#endif
}
/*
 * Free the Mach mutex behind an audit mtx.  The pointer is cleared
 * afterwards, so a second call is a no-op.
 */
void
_audit_mtx_destroy(struct mtx *mp)
{
	if (!mp->mtx_lock)
		return;

	lck_mtx_free(mp->mtx_lock, audit_lck_grp);
	mp->mtx_lock = NULL;
}
/*
 * Allocate the Mach read/write lock behind an audit rwlock from the audit
 * lock group.  Allocation failure is caught only by KASSERT.  Under
 * DIAGNOSTIC the lock name is copied in, bounded by AU_MAX_LCK_NAME.
 */
void
#if DIAGNOSTIC
_audit_rw_init(struct rwlock *lp, const char *lckname)
#else
_audit_rw_init(struct rwlock *lp, __unused const char *lckname)
#endif
{

	lp->rw_lock = lck_rw_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
	KASSERT(lp->rw_lock != NULL,
	    ("_audit_rw_init: Could not allocate a rw lock."));
#if DIAGNOSTIC
	/* strlcpy() truncates and NUL-terminates within AU_MAX_LCK_NAME. */
	strlcpy(lp->rw_name, lckname, AU_MAX_LCK_NAME);
#endif
}
/*
 * Free the Mach read/write lock behind an audit rwlock.  The pointer is
 * cleared afterwards, so a second call is a no-op.
 */
void
_audit_rw_destroy(struct rwlock *lp)
{
	if (!lp->rw_lock)
		return;

	lck_rw_free(lp->rw_lock, audit_lck_grp);
	lp->rw_lock = NULL;
}
/*
 * Uninterruptible wait on a condition variable using thread_block() with
 * the supplied continuation.  The mutex is dropped before blocking and
 * taken again once thread_block() returns; its result is returned.
 *
 * NOTE(review): with a non-NULL continuation thread_block() presumably
 * resumes in `function` rather than returning here, in which case the
 * re-lock below never runs -- confirm against callers.
 */
int
_audit_cv_wait_continuation(struct cv *cvp, lck_mtx_t *mp, thread_continue_t function)
{
	int status;

	cvp->cv_waiters += 1;
	/* Register the wait before releasing the mutex so a wakeup is not missed. */
	assert_wait(cvp, THREAD_UNINT);
	lck_mtx_unlock(mp);

	status = thread_block(function);

	lck_mtx_lock(mp);
	return (status);
}
/*
 * Initialise a recursive lock: allocate its backing mutex from the audit
 * lock group and start with no owner and a recursion depth of zero.
 * Allocation failure is caught only by KASSERT.
 */
void
#if DIAGNOSTIC
_audit_rlck_init(struct rlck *lp, const char *lckname)
#else
_audit_rlck_init(struct rlck *lp, __unused const char *lckname)
#endif
{

	lp->rl_mtx = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
	KASSERT(lp->rl_mtx != NULL,
	    ("_audit_rlck_init: Could not allocate a recursive lock."));
#if DIAGNOSTIC
	/* strlcpy() truncates and NUL-terminates within AU_MAX_LCK_NAME. */
	strlcpy(lp->rl_name, lckname, AU_MAX_LCK_NAME);
#endif
	lp->rl_recurse = 0;
	lp->rl_thread = 0;
}
/*
 * Acquire a recursive lock.  A thread that already owns it only bumps the
 * recursion count; any other thread takes the backing mutex and becomes the
 * owner with a depth of one.
 */
void
_audit_rlck_lock(struct rlck *lp)
{
	thread_t self = current_thread();

	/*
	 * rl_thread is read without the mutex.  It can only equal `self` if
	 * this thread stored it, so the comparison is stable for the owner.
	 */
	if (lp->rl_thread != self) {
		lck_mtx_lock(lp->rl_mtx);
		lp->rl_thread = self;
		lp->rl_recurse = 1;
		return;
	}

	OSAddAtomic(1, &lp->rl_recurse);
	/* Sanity bound on nesting depth, checked after the increment. */
	KASSERT(lp->rl_recurse < 10000,
	    ("_audit_rlck_lock: lock nested too deep."));
}
/*
 * Release one level of a recursive lock.  Ownership is verified only by
 * KASSERT.  The backing mutex is dropped when the outermost level is
 * released.
 */
void
_audit_rlck_unlock(struct rlck *lp)
{
	KASSERT(lp->rl_thread == current_thread(),
	    ("_audit_rlck_unlock(): Don't own lock."));

	/* OSAddAtomic() returns the value before the add: 1 means this was the last level. */
	if (OSAddAtomic(-1, &lp->rl_recurse) != 1)
		return;

	/* Clear the owner before releasing so the next holder never sees a stale thread. */
	lp->rl_thread = 0;
	lck_mtx_unlock(lp->rl_mtx);
}
/*
 * Free the mutex behind a recursive lock.  The pointer is cleared
 * afterwards, so a second call is a no-op.
 */
void
_audit_rlck_destroy(struct rlck *lp)
{
	if (!lp->rl_mtx)
		return;

	lck_mtx_free(lp->rl_mtx, audit_lck_grp);
	lp->rl_mtx = NULL;
}
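/*
 * Panic if the recursive lock is not in the state the caller expects.
 *
 * LCK_MTX_ASSERT_OWNED:    the current thread must be the owner.
 * LCK_MTX_ASSERT_NOTOWNED: the lock must have no owner at all.
 * Any other value of `assert` is ignored.
 */
void
_audit_rlck_assert(struct rlck *lp, u_int assert)
{
	thread_t cthd = current_thread();

	/*
	 * The original test used ==, which panicked exactly when the lock WAS
	 * correctly held and let real violations through.  The ownership
	 * assertion must fire when the owner is some other thread (or nobody).
	 */
	if (assert == LCK_MTX_ASSERT_OWNED && lp->rl_thread != cthd)
		panic("recursive lock (%p) not held by this thread (%p).",
		    lp, cthd);

	/* Report the recorded owner, which is what the message describes. */
	if (assert == LCK_MTX_ASSERT_NOTOWNED && lp->rl_thread != 0)
		panic("recursive lock (%p) held by thread (%p).",
		    lp, lp->rl_thread);
}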
/*
 * Initialise a sleep lock: allocate the mutex that guards its state and
 * start unlocked with no waiters flagged.  Allocation failure is caught
 * only by KASSERT.
 */
void
#if DIAGNOSTIC
_audit_slck_init(struct slck *lp, const char *lckname)
#else
_audit_slck_init(struct slck *lp, __unused const char *lckname)
#endif
{

	lp->sl_mtx = lck_mtx_alloc_init(audit_lck_grp, LCK_ATTR_NULL);
	KASSERT(lp->sl_mtx != NULL,
	    ("_audit_slck_init: Could not allocate a sleep lock."));
#if DIAGNOSTIC
	/* strlcpy() truncates and NUL-terminates within AU_MAX_LCK_NAME. */
	strlcpy(lp->sl_name, lckname, AU_MAX_LCK_NAME);
#endif
	lp->sl_waiting = 0;
	lp->sl_locked = 0;
}
/*
 * Acquire a sleep lock, sleeping while another holder has it.  When `intr`
 * is non-zero the sleep is interruptible.
 *
 * Returns THREAD_AWAKENED when the lock was taken.  Any other wait result
 * is returned unchanged and means the lock was NOT acquired, so callers
 * must check the result before touching protected state.
 */
wait_result_t
_audit_slck_lock(struct slck *lp, int intr)
{
	wait_result_t res = THREAD_AWAKENED;
	wait_interrupt_t mode = intr ? THREAD_INTERRUPTIBLE : THREAD_UNINT;

	lck_mtx_lock(lp->sl_mtx);
	for (;;) {
		if (!lp->sl_locked || res != THREAD_AWAKENED)
			break;
		/* Tell the holder that a wakeup is needed on unlock. */
		lp->sl_waiting = 1;
		res = lck_mtx_sleep(lp->sl_mtx, LCK_SLEEP_DEFAULT,
		    (event_t) lp, mode);
	}
	if (res == THREAD_AWAKENED)
		lp->sl_locked = 1;
	lck_mtx_unlock(lp->sl_mtx);

	return (res);
}
/*
 * Release a sleep lock and, if a waiter flagged itself, wake the threads
 * sleeping on it.  The function does not check who held the lock.
 */
void
_audit_slck_unlock(struct slck *lp)
{
	int wake;

	lck_mtx_lock(lp->sl_mtx);
	lp->sl_locked = 0;
	wake = lp->sl_waiting;
	if (wake) {
		lp->sl_waiting = 0;
		wakeup((event_t) lp);
	}
	lck_mtx_unlock(lp->sl_mtx);
}
/*
 * Try to take a sleep lock without sleeping.
 * Returns 1 if the lock was free and is now held, 0 if it was already held.
 */
int
_audit_slck_trylock(struct slck *lp)
{
	int acquired;

	lck_mtx_lock(lp->sl_mtx);
	if (lp->sl_locked) {
		acquired = 0;
	} else {
		lp->sl_locked = 1;
		acquired = 1;
	}
	lck_mtx_unlock(lp->sl_mtx);

	return (acquired);
}
/*
 * Panic if the sleep lock is not in the expected state.  Only the locked
 * flag is examined (read without sl_mtx); the holder's identity is not
 * checked.
 */
void
_audit_slck_assert(struct slck *lp, u_int assert)
{
	if (assert == LCK_MTX_ASSERT_OWNED) {
		if (lp->sl_locked == 0)
			panic("sleep lock (%p) not held.", lp);
	}
	if (assert == LCK_MTX_ASSERT_NOTOWNED) {
		if (lp->sl_locked == 1)
			panic("sleep lock (%p) held.", lp);
	}
}
/*
 * Free the mutex behind a sleep lock.  The pointer is cleared afterwards,
 * so a second call is a no-op.
 */
void
_audit_slck_destroy(struct slck *lp)
{
	if (!lp->sl_mtx)
		return;

	lck_mtx_free(lp->sl_mtx, audit_lck_grp);
	lp->sl_mtx = NULL;
}
#ifndef timersub
/*
 * Fallback for platforms that do not define timersub():
 * *vvp = *tvp - *uvp, borrowing one second when the microsecond
 * difference goes negative.  Arguments are evaluated more than once, so
 * pass only side-effect-free expressions.
 */
#define timersub(tvp, uvp, vvp) \
do { \
(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \
(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \
if ((vvp)->tv_usec < 0) { \
(vvp)->tv_sec--; \
(vvp)->tv_usec += 1000000; \
} \
} while (0)
#endif
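/*
 * Events-per-second rate limiter.
 *
 * lasttime: start of the current one-second window (all zero = never used).
 * curpps:   events counted in the current window; updated on every call.
 * maxpps:   permitted events per window; a negative value means unlimited.
 *
 * Returns 1 if the event is within the limit, 0 if it should be suppressed.
 */
int
_audit_ppsratecheck(struct timeval *lasttime, int *curpps, int maxpps)
{
	/* Largest int value, spelled without relying on <limits.h> being in scope. */
	const int pps_ceiling = (int)(~0U >> 1);
	struct timeval tv, delta;
	int rv;

	microtime(&tv);
	timersub(&tv, lasttime, &delta);

	if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
	    delta.tv_sec >= 1) {
		/* First use, or the window has expired: start a new one. */
		*lasttime = tv;
		*curpps = 0;
		rv = 1;
	} else if (maxpps < 0) {
		rv = 1;
	} else if (*curpps < maxpps) {
		rv = 1;
	} else {
		rv = 0;
	}

	/*
	 * Saturating increment.  The original "*curpps + 1 > 0" depended on
	 * signed overflow, which is undefined behavior; a compiler may fold it
	 * to "*curpps >= 0" and let the counter wrap negative, after which
	 * "*curpps < maxpps" holds again and the limiter stops limiting.
	 */
	if (*curpps >= 0 && *curpps < pps_ceiling)
		*curpps = *curpps + 1;

	return (rv);
}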
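/*
 * Allocate the "Audit" lock group used by every lock created in this file.
 * Failure is caught only by KASSERT.
 */
void
_audit_lck_grp_init(void)
{
	audit_lck_grp = lck_grp_alloc_init("Audit", LCK_GRP_ATTR_NULL);

	/* The message previously named a function that is not this one. */
	KASSERT(audit_lck_grp != NULL,
	    ("_audit_lck_grp_init: Could not allocate the audit lock group."));
}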
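/*
 * Deliver an audit trigger to the holder of the host audit control port.
 *
 * Returns 0 once the trigger message has been handed to audit_triggers(),
 * otherwise a non-zero kern_return_t value.
 */
int
audit_send_trigger(unsigned int trigger)
{
	mach_port_t audit_port = MACH_PORT_NULL;
	int error;

	error = host_get_audit_control_port(host_priv_self(), &audit_port);
	if (error != KERN_SUCCESS || audit_port == MACH_PORT_NULL) {
		printf("Cannot get audit control port\n");
		/*
		 * The lookup can succeed and still yield a null port (nothing
		 * registered).  The original returned `error`, i.e. 0, in that
		 * case, so callers saw success although no trigger was sent.
		 */
		return (error != KERN_SUCCESS ? error : KERN_FAILURE);
	}

	/*
	 * The result of audit_triggers() is not examined, matching the
	 * original.
	 * NOTE(review): whether the right returned for audit_port has to be
	 * released after the send is not visible in this file -- confirm.
	 */
	audit_triggers(audit_port, trigger);
	return (0);
}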
#endif