1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1999-2005 Apple Inc.
5 * Copyright (c) 2006-2007, 2016-2018 Robert N. M. Watson
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
95 * non-static.
126 * Preselection mask for non-attributable events.
167 * Condition variable for auditing threads wait on when in fail-stop mode.
204 * Check various policies to see if we should enable system-call audit hooks.
206 * once, as checks of the flag are performed lock-free for performance
207 * reasons. The mutex is used to get a consistent snapshot of policy state --
234 KASSERT(ak->ai_termid.at_type == AU_IPv4 || in audit_set_kinfo()
235 ak->ai_termid.at_type == AU_IPv6, in audit_set_kinfo()
272 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; in audit_record_ctor()
273 nanotime(&ar->k_ar.ar_starttime); in audit_record_ctor()
278 cred = td->td_ucred; in audit_record_ctor()
279 cru2x(cred, &ar->k_ar.ar_subj_cred); in audit_record_ctor()
280 ar->k_ar.ar_subj_ruid = cred->cr_ruid; in audit_record_ctor()
281 ar->k_ar.ar_subj_rgid = cred->cr_rgid; in audit_record_ctor()
282 ar->k_ar.ar_subj_egid = cred->cr_gid; in audit_record_ctor()
283 ar->k_ar.ar_subj_auid = cred->cr_audit.ai_auid; in audit_record_ctor()
284 ar->k_ar.ar_subj_asid = cred->cr_audit.ai_asid; in audit_record_ctor()
285 ar->k_ar.ar_subj_pid = td->td_proc->p_pid; in audit_record_ctor()
286 ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask; in audit_record_ctor()
287 ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid; in audit_record_ctor()
289 * If this process is jailed, make sure we capture the name of the in audit_record_ctor()
294 pr = cred->cr_prison; in audit_record_ctor()
295 (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name, in audit_record_ctor()
296 sizeof(ar->k_ar.ar_jailname)); in audit_record_ctor()
298 ar->k_ar.ar_jailname[0] = '\0'; in audit_record_ctor()
310 if (ar->k_ar.ar_arg_upath1 != NULL) in audit_record_dtor()
311 free(ar->k_ar.ar_arg_upath1, M_AUDITPATH); in audit_record_dtor()
312 if (ar->k_ar.ar_arg_upath2 != NULL) in audit_record_dtor()
313 free(ar->k_ar.ar_arg_upath2, M_AUDITPATH); in audit_record_dtor()
314 if (ar->k_ar.ar_arg_text != NULL) in audit_record_dtor()
315 free(ar->k_ar.ar_arg_text, M_AUDITTEXT); in audit_record_dtor()
316 if (ar->k_udata != NULL) in audit_record_dtor()
317 free(ar->k_udata, M_AUDITDATA); in audit_record_dtor()
318 if (ar->k_ar.ar_arg_argv != NULL) in audit_record_dtor()
319 free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); in audit_record_dtor()
320 if (ar->k_ar.ar_arg_envv != NULL) in audit_record_dtor()
321 free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); in audit_record_dtor()
322 if (ar->k_ar.ar_arg_groups.gidset != NULL) in audit_record_dtor()
323 free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET); in audit_record_dtor()
327 * Initialize the Audit subsystem: configuration state, work queue,
373 /* Initialize the BSM audit subsystem. */ in audit_init()
411 return (curthread->td_ar); in currecord()
436 ar->k_ar.ar_event = event; in audit_new()
459 ar->k_ar.ar_errno = error; in audit_commit()
460 ar->k_ar.ar_retval = retval; in audit_commit()
461 nanotime(&ar->k_ar.ar_endtime); in audit_commit()
467 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID) in audit_commit()
470 aumask = &ar->k_ar.ar_subj_amask; in audit_commit()
482 switch(ar->k_ar.ar_event) { in audit_commit()
484 ar->k_ar.ar_event = audit_flags_and_error_to_openevent( in audit_commit()
485 ar->k_ar.ar_arg_fflags, error); in audit_commit()
489 ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( in audit_commit()
490 ar->k_ar.ar_arg_fflags, error); in audit_commit()
494 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( in audit_commit()
495 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); in audit_commit()
500 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); in audit_commit()
505 ar->k_ar.ar_event = in audit_commit()
506 audit_msgsys_to_event(ar->k_ar.ar_arg_svipc_which); in audit_commit()
511 ar->k_ar.ar_event = in audit_commit()
512 audit_semsys_to_event(ar->k_ar.ar_arg_svipc_which); in audit_commit()
517 ar->k_ar.ar_event = in audit_commit()
518 audit_shmsys_to_event(ar->k_ar.ar_arg_svipc_which); in audit_commit()
522 auid = ar->k_ar.ar_subj_auid; in audit_commit()
523 event = ar->k_ar.ar_event; in audit_commit()
526 ar->k_ar_commit |= AR_COMMIT_KERNEL; in audit_commit()
528 ar->k_ar_commit |= AR_PRESELECT_TRAIL; in audit_commit()
530 ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0) in audit_commit()
531 ar->k_ar_commit |= AR_PRESELECT_PIPE; in audit_commit()
540 ar->k_ar_commit |= AR_PRESELECT_DTRACE; in audit_commit()
544 if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE | in audit_commit()
548 audit_pre_q_len--; in audit_commit()
559 * DTrace-related obligations have been fulfilled above -- we're just in audit_commit()
564 audit_pre_q_len--; in audit_commit()
572 audit_pre_q_len--; in audit_commit()
580 * and if so, allocating a per-thread audit record. audit_new() will fill in
599 KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL")); in audit_syscall_enter()
600 KASSERT((td->td_pflags & TDP_AUDITREC) == 0, in audit_syscall_enter()
611 if (code >= td->td_proc->p_sysent->sv_size) in audit_syscall_enter()
614 event = td->td_proc->p_sysent->sv_table[code].sy_auevent; in audit_syscall_enter()
619 * Check which audit mask to use; either the kernel non-attributable in audit_syscall_enter()
622 auid = td->td_ucred->cr_audit.ai_auid; in audit_syscall_enter()
626 aumask = &td->td_ucred->cr_audit.ai_mask; in audit_syscall_enter()
644 * re-calling au_preselect(). in audit_syscall_enter()
668 * below -- i.e., dtaudit_state must refer to stable memory. in audit_syscall_enter()
689 td->td_ar = audit_new(event, td); in audit_syscall_enter()
690 if (td->td_ar != NULL) { in audit_syscall_enter()
691 td->td_pflags |= TDP_AUDITREC; in audit_syscall_enter()
693 td->td_ar->k_dtaudit_state = dtaudit_state; in audit_syscall_enter()
697 td->td_ar = NULL; in audit_syscall_enter()
712 * audit_commit(), the memory is owned by the audit subsystem. The in audit_syscall_exit()
714 * If there was an error, the return value is set to -1, imitating in audit_syscall_exit()
718 retval = -1; in audit_syscall_exit()
720 retval = td->td_retval[0]; in audit_syscall_exit()
722 audit_commit(td->td_ar, error, retval); in audit_syscall_exit()
723 td->td_ar = NULL; in audit_syscall_exit()
724 td->td_pflags &= ~TDP_AUDITREC; in audit_syscall_exit()
731 bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit)); in audit_cred_copy()
744 bzero(&cred->cr_audit, sizeof(cred->cr_audit)); in audit_cred_init()
755 cred->cr_audit.ai_auid = AU_DEFAUDITID; in audit_cred_kproc0()
756 cred->cr_audit.ai_termid.at_type = AU_IPv4; in audit_cred_kproc0()
763 cred->cr_audit.ai_auid = AU_DEFAUDITID; in audit_cred_proc1()
764 cred->cr_audit.ai_termid.at_type = AU_IPv4; in audit_cred_proc1()
771 td->td_ar = NULL; in audit_thread_alloc()
778 KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); in audit_thread_free()
779 KASSERT((td->td_pflags & TDP_AUDITREC) == 0, in audit_thread_free()
799 cred = td->td_ucred; in audit_proc_coredump()
800 auid = cred->cr_audit.ai_auid; in audit_proc_coredump()
804 aumask = &cred->cr_audit.ai_mask; in audit_proc_coredump()
827 pathp = &ar->k_ar.ar_arg_upath1; in audit_proc_coredump()
832 ar->k_ar.ar_arg_signum = td->td_proc->p_sig; in audit_proc_coredump()