| audit_arg.c (fac3e318aaf30c9aea4e806b6c7d06e904bb0bb8) | audit_arg.c (871499fef514fd9934f9a8a07194e8ef86c07bd5) |
|---|---|
| 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 377 unchanged lines hidden (view full) --- 386 ar->k_ar.ar_arg_signum = signum; 387 ARG_SET_VALID(ar, ARG_SIGNUM); 388} 389 390void 391audit_arg_socket(int sodomain, int sotype, int soprotocol) 392{ 393 struct kaudit_record *ar; | 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 377 unchanged lines hidden (view full) --- 386 ar->k_ar.ar_arg_signum = signum; 387 ARG_SET_VALID(ar, ARG_SIGNUM); 388} 389 390void 391audit_arg_socket(int sodomain, int sotype, int soprotocol) 392{ 393 struct kaudit_record *ar; |
| 394 | 394 |
| 395 ar = currecord(); 396 if (ar == NULL) 397 return; 398 399 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 400 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 401 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 402 ARG_SET_VALID(ar, ARG_SOCKINFO); --- 18 unchanged lines hidden (view full) --- 421 ARG_SET_VALID(ar, ARG_SADDRINET); 422 break; 423 424 case AF_INET6: 425 ARG_SET_VALID(ar, ARG_SADDRINET6); 426 break; 427 428 case AF_UNIX: | 395 ar = currecord(); 396 if (ar == NULL) 397 return; 398 399 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 400 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 401 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 402 ARG_SET_VALID(ar, ARG_SOCKINFO); --- 18 unchanged lines hidden (view full) --- 421 ARG_SET_VALID(ar, ARG_SADDRINET); 422 break; 423 424 case AF_INET6: 425 ARG_SET_VALID(ar, ARG_SADDRINET6); 426 break; 427 428 case AF_UNIX: |
| 429 audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path, | 429 audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path, |
| 430 ARG_UPATH1); 431 ARG_SET_VALID(ar, ARG_SADDRUNIX); 432 break; 433 /* XXXAUDIT: default:? */ 434 } 435} 436 437void --- 37 unchanged lines hidden (view full) --- 475 return; 476 477 /* 478 * XXXAUDIT: Why do we accept a possibly NULL string here? 479 */ 480 /* Invalidate the text string */ 481 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 482 if (text == NULL) | 430 ARG_UPATH1); 431 ARG_SET_VALID(ar, ARG_SADDRUNIX); 432 break; 433 /* XXXAUDIT: default:? */ 434 } 435} 436 437void --- 37 unchanged lines hidden (view full) --- 475 return; 476 477 /* 478 * XXXAUDIT: Why do we accept a possibly NULL string here? 479 */ 480 /* Invalidate the text string */ 481 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 482 if (text == NULL) |
| 483 return; | 483 return; |
| 484 485 if (ar->k_ar.ar_arg_text == NULL) 486 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 487 M_WAITOK); 488 489 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 490 ARG_SET_VALID(ar, ARG_TEXT); 491} --- 28 unchanged lines hidden (view full) --- 520audit_arg_svipc_perm(struct ipc_perm *perm) 521{ 522 struct kaudit_record *ar; 523 524 ar = currecord(); 525 if (ar == NULL) 526 return; 527 | 484 485 if (ar->k_ar.ar_arg_text == NULL) 486 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 487 M_WAITOK); 488 489 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 490 ARG_SET_VALID(ar, ARG_TEXT); 491} --- 28 unchanged lines hidden (view full) --- 520audit_arg_svipc_perm(struct ipc_perm *perm) 521{ 522 struct kaudit_record *ar; 523 524 ar = currecord(); 525 if (ar == NULL) 526 return; 527 |
| 528 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 529 sizeof(ar->k_ar.ar_arg_svipc_perm)); | 528 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 529 sizeof(ar->k_ar.ar_arg_svipc_perm)); |
| 530 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 531} 532 533void 534audit_arg_svipc_id(int id) 535{ 536 struct kaudit_record *ar; 537 --- 37 unchanged lines hidden (view full) --- 575audit_arg_auditon(union auditon_udata *udata) 576{ 577 struct kaudit_record *ar; 578 579 ar = currecord(); 580 if (ar == NULL) 581 return; 582 | 530 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 531} 532 533void 534audit_arg_svipc_id(int id) 535{ 536 struct kaudit_record *ar; 537 --- 37 unchanged lines hidden (view full) --- 575audit_arg_auditon(union auditon_udata *udata) 576{ 577 struct kaudit_record *ar; 578 579 ar = currecord(); 580 if (ar == NULL) 581 return; 582 |
| 583 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 584 sizeof(ar->k_ar.ar_arg_auditon)); | 583 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 584 sizeof(ar->k_ar.ar_arg_auditon)); |
| 585 ARG_SET_VALID(ar, ARG_AUDITON); 586} 587 588/* 589 * Audit information about a file, either the file's vnode info, or its 590 * socket address info. 591 */ 592void --- 30 unchanged lines hidden (view full) --- 623 /* 624 * XXXAUDIT: Socket locking? Inpcb locking? 625 */ 626 so = (struct socket *)fp->f_data; 627 if (INP_CHECK_SOCKAF(so, PF_INET)) { 628 if (so->so_pcb == NULL) 629 return; 630 ar->k_ar.ar_arg_sockinfo.so_type = | 585 ARG_SET_VALID(ar, ARG_AUDITON); 586} 587 588/* 589 * Audit information about a file, either the file's vnode info, or its 590 * socket address info. 591 */ 592void --- 30 unchanged lines hidden (view full) --- 623 /* 624 * XXXAUDIT: Socket locking? Inpcb locking? 625 */ 626 so = (struct socket *)fp->f_data; 627 if (INP_CHECK_SOCKAF(so, PF_INET)) { 628 if (so->so_pcb == NULL) 629 return; 630 ar->k_ar.ar_arg_sockinfo.so_type = |
| 631 so->so_type; | 631 so->so_type; |
| 632 ar->k_ar.ar_arg_sockinfo.so_domain = | 632 ar->k_ar.ar_arg_sockinfo.so_domain = |
| 633 INP_SOCKAF(so); | 633 INP_SOCKAF(so); |
| 634 ar->k_ar.ar_arg_sockinfo.so_protocol = | 634 ar->k_ar.ar_arg_sockinfo.so_protocol = |
| 635 so->so_proto->pr_protocol; | 635 so->so_proto->pr_protocol; |
| 636 pcb = (struct inpcb *)so->so_pcb; 637 ar->k_ar.ar_arg_sockinfo.so_raddr = | 636 pcb = (struct inpcb *)so->so_pcb; 637 ar->k_ar.ar_arg_sockinfo.so_raddr = |
| 638 pcb->inp_faddr.s_addr; | 638 pcb->inp_faddr.s_addr; |
| 639 ar->k_ar.ar_arg_sockinfo.so_laddr = | 639 ar->k_ar.ar_arg_sockinfo.so_laddr = |
| 640 pcb->inp_laddr.s_addr; | 640 pcb->inp_laddr.s_addr; |
| 641 ar->k_ar.ar_arg_sockinfo.so_rport = | 641 ar->k_ar.ar_arg_sockinfo.so_rport = |
| 642 pcb->inp_fport; | 642 pcb->inp_fport; |
| 643 ar->k_ar.ar_arg_sockinfo.so_lport = | 643 ar->k_ar.ar_arg_sockinfo.so_lport = |
| 644 pcb->inp_lport; | 644 pcb->inp_lport; |
| 645 ARG_SET_VALID(ar, ARG_SOCKINFO); 646 } 647 break; 648 649 default: 650 /* XXXAUDIT: else? */ 651 break; 652 } 653 654} 655 | 645 ARG_SET_VALID(ar, ARG_SOCKINFO); 646 } 647 break; 648 649 default: 650 /* XXXAUDIT: else? */ 651 break; 652 } 653 654} 655 |
| 656/* 657 * Store a path as given by the user process for auditing into the audit 658 * record stored on the user thread. This function will allocate the memory to 659 * store the path info if not already available. This memory will be 660 * freed when the audit record is freed. | 656/* 657 * Store a path as given by the user process for auditing into the audit 658 * record stored on the user thread. This function will allocate the memory 659 * to store the path info if not already available. This memory will be freed 660 * when the audit record is freed. |
| 661 * 662 * XXXAUDIT: Possibly assert that the memory isn't already allocated? 663 */ 664void 665audit_arg_upath(struct thread *td, char *upath, u_int64_t flag) 666{ 667 struct kaudit_record *ar; 668 char **pathp; 669 | 661 * 662 * XXXAUDIT: Possibly assert that the memory isn't already allocated? 663 */ 664void 665audit_arg_upath(struct thread *td, char *upath, u_int64_t flag) 666{ 667 struct kaudit_record *ar; 668 char **pathp; 669 |
| 670 if (td == NULL || upath == NULL) | 670 if (td == NULL || upath == NULL) |
| 671 return; /* nothing to do! */ 672 673 /* 674 * XXXAUDIT: Witness warning for possible sleep here? 675 */ 676 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2), 677 ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 678 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2), --- 12 unchanged lines hidden (view full) --- 691 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 692 693 canon_path(td, upath, *pathp); 694 695 ARG_SET_VALID(ar, flag); 696} 697 698/* | 671 return; /* nothing to do! */ 672 673 /* 674 * XXXAUDIT: Witness warning for possible sleep here? 675 */ 676 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2), 677 ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 678 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2), --- 12 unchanged lines hidden (view full) --- 691 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 692 693 canon_path(td, upath, *pathp); 694 695 ARG_SET_VALID(ar, flag); 696} 697 698/* |
| 699 * Function to save the path and vnode attr information into the audit 700 * record. | 699 * Function to save the path and vnode attr information into the audit 700 * record. |
| 701 * 702 * It is assumed that the caller will hold any vnode locks necessary to 703 * perform a VOP_GETATTR() on the passed vnode. 704 * 705 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but 706 * always provides access to the generation number as we need that 707 * to construct the BSM file ID. 708 * XXX: We should accept the process argument from the caller, since --- 20 unchanged lines hidden (view full) --- 729 /* 730 * Assume that if the caller is calling audit_arg_vnode() on a 731 * non-MPSAFE vnode, then it will have acquired Giant. 732 */ 733 VFS_ASSERT_GIANT(vp->v_mount); 734 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 735 736 ar = currecord(); | 701 * 702 * It is assumed that the caller will hold any vnode locks necessary to 703 * perform a VOP_GETATTR() on the passed vnode. 704 * 705 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but 706 * always provides access to the generation number as we need that 707 * to construct the BSM file ID. 708 * XXX: We should accept the process argument from the caller, since --- 20 unchanged lines hidden (view full) --- 729 /* 730 * Assume that if the caller is calling audit_arg_vnode() on a 731 * non-MPSAFE vnode, then it will have acquired Giant. 732 */ 733 VFS_ASSERT_GIANT(vp->v_mount); 734 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 735 736 ar = currecord(); |
| 737 if (ar == NULL) /* This will be the case for unaudited system calls */ | 737 if (ar == NULL) |
| 738 return; 739 740 /* 741 * XXXAUDIT: KASSERT argument validity instead? 742 * 743 * XXXAUDIT: The below clears, and then resets the flags for valid 744 * arguments. Ideally, either the new vnode is used, or the old one 745 * would be. --- 26 unchanged lines hidden (view full) --- 772 vnp->vn_gen = vattr.va_gen; 773 if (flags & ARG_VNODE1) 774 ARG_SET_VALID(ar, ARG_VNODE1); 775 else 776 ARG_SET_VALID(ar, ARG_VNODE2); 777} 778 779/* | 738 return; 739 740 /* 741 * XXXAUDIT: KASSERT argument validity instead? 742 * 743 * XXXAUDIT: The below clears, and then resets the flags for valid 744 * arguments. Ideally, either the new vnode is used, or the old one 745 * would be. --- 26 unchanged lines hidden (view full) --- 772 vnp->vn_gen = vattr.va_gen; 773 if (flags & ARG_VNODE1) 774 ARG_SET_VALID(ar, ARG_VNODE1); 775 else 776 ARG_SET_VALID(ar, ARG_VNODE2); 777} 778 779/* |
| 780 * The close() system call uses it's own audit call to capture the 781 * path/vnode information because those pieces are not easily obtained 782 * within the system call itself. | 780 * The close() system call uses it's own audit call to capture the path/vnode 781 * information because those pieces are not easily obtained within the system 782 * call itself. |
| 783 */ 784void 785audit_sysclose(struct thread *td, int fd) 786{ 787 struct vnode *vp; 788 struct file *fp; 789 int vfslocked; 790 --- 4 unchanged lines hidden (view full) --- 795 796 vp = fp->f_vnode; 797 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 798 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 799 audit_arg_vnode(vp, ARG_VNODE1); 800 VOP_UNLOCK(vp, 0, td); 801 VFS_UNLOCK_GIANT(vfslocked); 802 fdrop(fp, td); | 783 */ 784void 785audit_sysclose(struct thread *td, int fd) 786{ 787 struct vnode *vp; 788 struct file *fp; 789 int vfslocked; 790 --- 4 unchanged lines hidden (view full) --- 795 796 vp = fp->f_vnode; 797 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 798 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 799 audit_arg_vnode(vp, ARG_VNODE1); 800 VOP_UNLOCK(vp, 0, td); 801 VFS_UNLOCK_GIANT(vfslocked); 802 fdrop(fp, td); |
| 803} | 803} |