1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * This file contains the audit hook support code for auditing.
28 */
29
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h> /* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h> /* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h> /* needs to be included before user.h */
52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h> /* for model_t */
60 #include <sys/disp.h> /* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <net/pfpolicy.h>
65
66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
67
68 static void audit_pathbuild(struct pathname *pnp);
69
70
71 /*
72 * ROUTINE: AUDIT_SAVEPATH
73 * PURPOSE:
74 * CALLBY: LOOKUPPN
75 *
76 * NOTE: We have reached the end of a path in fs/lookup.c.
77 * We get two pieces of information here:
78 * the vnode of the last component (vp) and
79 * the status of the last access (flag).
80 * TODO:
81 * QUESTION:
82 */
83
84 /*ARGSUSED*/
85 int
audit_savepath(struct pathname * pnp,struct vnode * vp,struct vnode * pvp,int flag,cred_t * cr)86 audit_savepath(
87 struct pathname *pnp, /* pathname to lookup */
88 struct vnode *vp, /* vnode of the last component */
89 struct vnode *pvp, /* vnode of the last parent component */
90 int flag, /* status of the last access */
91 cred_t *cr) /* cred of requestor */
92 {
93
94 t_audit_data_t *tad; /* current thread */
95 au_kcontext_t *kctx = GET_KCTX_PZ;
96
97 tad = U2A(u);
98
99 /*
100 * Noise elimination in audit trails - this event will be discarded if:
101 * - the public policy is not active AND
102 * - the system call is a public operation AND
103 * - the file was not found: VFS lookup failed with ENOENT error AND
104 * - the missing file would have been located in the public directory
105 * owned by root if it had existed
106 */
107 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
108 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
109 !(kctx->auk_policy & AUDIT_PUBLIC)) {
110 struct vattr attr;
111
112 attr.va_mask = AT_ALL;
113 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
114 if (object_is_public(&attr)) {
115 tad->tad_ctrl |= TAD_NOAUDIT;
116 }
117 }
118 }
119
120 /*
121 * this event being audited or do we need path information
122 * later? This might be for a chdir/chroot or open (add path
123 * to file pointer. If the path has already been found for an
124 * open/creat then we don't need to process the path.
125 *
126 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
127 * chroot, chdir, open, creat system call processing. It determines
128 * if audit_savepath() will discard the path or we need it later.
129 * TAD_PATHFND means path already included in this audit record. It
130 * is used in cases where multiple path lookups are done per
131 * system call. The policy flag, AUDIT_PATH, controls if multiple
132 * paths are allowed.
133 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
134 * exit processing to inhibit any paths that may be added due to
135 * closes.
136 */
137 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
138 ((tad->tad_ctrl & TAD_PATHFND) &&
139 !(kctx->auk_policy & AUDIT_PATH)) ||
140 (tad->tad_ctrl & TAD_NOPATH)) {
141 return (0);
142 }
143
144 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
145
146 audit_pathbuild(pnp);
147
148 /*
149 * are we auditing only if error, or if it is not open or create
150 * otherwise audit_setf will do it
151 */
152
153 if (tad->tad_flag) {
154 if (flag &&
155 (tad->tad_scid == SYS_open ||
156 tad->tad_scid == SYS_open64 ||
157 tad->tad_scid == SYS_openat ||
158 tad->tad_scid == SYS_openat64)) {
159 tad->tad_ctrl |= TAD_TRUE_CREATE;
160 }
161
162 /* add token to audit record for this name */
163 au_uwrite(au_to_path(tad->tad_aupath));
164
165 /* add the attributes of the object */
166 if (vp) {
167 /*
168 * only capture attributes when there is no error
169 * lookup will not return the vnode of the failing
170 * component.
171 *
172 * if there was a lookup error, then don't add
173 * attribute. if lookup in vn_create(),
174 * then don't add attribute,
175 * it will be added at end of vn_create().
176 */
177 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
178 audit_attributes(vp);
179 }
180 }
181
182 /* free up space if we're not going to save path (open, creat) */
183 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
184 if (tad->tad_aupath != NULL) {
185 au_pathrele(tad->tad_aupath);
186 tad->tad_aupath = NULL;
187 }
188 }
189 if (tad->tad_ctrl & TAD_MLD)
190 tad->tad_ctrl |= TAD_PATHFND;
191
192 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
193 return (0);
194 }
195
196 static void
audit_pathbuild(struct pathname * pnp)197 audit_pathbuild(struct pathname *pnp)
198 {
199 char *pp; /* pointer to path */
200 int len; /* length of incoming segment */
201 int newsect; /* path requires a new section */
202 struct audit_path *pfxapp; /* prefix for path */
203 struct audit_path *newapp; /* new audit_path */
204 t_audit_data_t *tad; /* current thread */
205 p_audit_data_t *pad; /* current process */
206
207 tad = U2A(u);
208 ASSERT(tad != NULL);
209 pad = P2A(curproc);
210 ASSERT(pad != NULL);
211
212 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
213 ASSERT(len > 0);
214
215 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
216 mutex_enter(&pad->pad_lock);
217 if (tad->tad_aupath != NULL) {
218 pfxapp = tad->tad_aupath;
219 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
220 ASSERT(tad->tad_atpath != NULL);
221 pfxapp = tad->tad_atpath;
222 } else if (tad->tad_ctrl & TAD_ABSPATH) {
223 pfxapp = pad->pad_root;
224 } else {
225 pfxapp = pad->pad_cwd;
226 }
227 au_pathhold(pfxapp);
228 mutex_exit(&pad->pad_lock);
229
230 /* get an expanded buffer to hold the anchored path */
231 newsect = tad->tad_ctrl & TAD_ATTPATH;
232 newapp = au_pathdup(pfxapp, newsect, len);
233 au_pathrele(pfxapp);
234
235 pp = newapp->audp_sect[newapp->audp_cnt] - len;
236 if (!newsect) {
237 /* overlay previous NUL terminator */
238 *(pp - 1) = '/';
239 }
240
241 /* now add string of processed path */
242 bcopy(pnp->pn_buf, pp, len);
243 pp[len - 1] = '\0';
244
245 /* perform path simplification as necessary */
246 audit_fixpath(newapp, len);
247
248 if (tad->tad_aupath)
249 au_pathrele(tad->tad_aupath);
250 tad->tad_aupath = newapp;
251
252 /* for case where multiple lookups in one syscall (rename) */
253 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
254 }
255
256
257 /*
258 * ROUTINE: AUDIT_ANCHORPATH
259 * PURPOSE:
260 * CALLBY: LOOKUPPN
261 * NOTE:
262 * anchor path at "/". We have seen a symbolic link or entering for the
263 * first time we will throw away any saved path if path is anchored.
264 *
265 * flag = 0, path is relative.
266 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
267 *
268 * If the (new) path is absolute, then we have to throw away whatever we have
269 * already accumulated since it is being superseded by new path which is
270 * anchored at the root.
271 * Note that if the path is relative, this function does nothing
272 * TODO:
273 * QUESTION:
274 */
275 /*ARGSUSED*/
276 void
audit_anchorpath(struct pathname * pnp,int flag)277 audit_anchorpath(struct pathname *pnp, int flag)
278 {
279 au_kcontext_t *kctx = GET_KCTX_PZ;
280 t_audit_data_t *tad;
281
282 tad = U2A(u);
283
284 /*
285 * this event being audited or do we need path information
286 * later? This might be for a chdir/chroot or open (add path
287 * to file pointer. If the path has already been found for an
288 * open/creat then we don't need to process the path.
289 *
290 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
291 * chroot, chdir, open, creat system call processing. It determines
292 * if audit_savepath() will discard the path or we need it later.
293 * TAD_PATHFND means path already included in this audit record. It
294 * is used in cases where multiple path lookups are done per
295 * system call. The policy flag, AUDIT_PATH, controls if multiple
296 * paths are allowed.
297 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
298 * exit processing to inhibit any paths that may be added due to
299 * closes.
300 */
301 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
302 ((tad->tad_ctrl & TAD_PATHFND) &&
303 !(kctx->auk_policy & AUDIT_PATH)) ||
304 (tad->tad_ctrl & TAD_NOPATH)) {
305 return;
306 }
307
308 if (flag) {
309 tad->tad_ctrl |= TAD_ABSPATH;
310 if (tad->tad_aupath != NULL) {
311 au_pathrele(tad->tad_aupath);
312 tad->tad_aupath = NULL;
313 }
314 }
315 }
316
317
318 /*
319 * symbolic link. Save previous components.
320 *
321 * the path seen so far looks like this
322 *
323 * +-----------------------+----------------+
324 * | path processed so far | remaining path |
325 * +-----------------------+----------------+
326 * \-----------------------/
327 * save this string if
328 * symbolic link relative
329 * (but don't include symlink component)
330 */
331
332 /*ARGSUSED*/
333
334
335 /*
336 * ROUTINE: AUDIT_SYMLINK
337 * PURPOSE:
338 * CALLBY: LOOKUPPN
339 * NOTE:
340 * TODO:
341 * QUESTION:
342 */
343 void
audit_symlink(struct pathname * pnp,struct pathname * sympath)344 audit_symlink(struct pathname *pnp, struct pathname *sympath)
345 {
346 char *sp; /* saved initial pp */
347 char *cp; /* start of symlink path */
348 uint_t len_path; /* processed path before symlink */
349 t_audit_data_t *tad;
350 au_kcontext_t *kctx = GET_KCTX_PZ;
351
352 tad = U2A(u);
353
354 /*
355 * this event being audited or do we need path information
356 * later? This might be for a chdir/chroot or open (add path
357 * to file pointer. If the path has already been found for an
358 * open/creat then we don't need to process the path.
359 *
360 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
361 * chroot, chdir, open, creat system call processing. It determines
362 * if audit_savepath() will discard the path or we need it later.
363 * TAD_PATHFND means path already included in this audit record. It
364 * is used in cases where multiple path lookups are done per
365 * system call. The policy flag, AUDIT_PATH, controls if multiple
366 * paths are allowed.
367 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
368 * exit processing to inhibit any paths that may be added due to
369 * closes.
370 */
371 if ((tad->tad_flag == 0 &&
372 !(tad->tad_ctrl & TAD_SAVPATH)) ||
373 ((tad->tad_ctrl & TAD_PATHFND) &&
374 !(kctx->auk_policy & AUDIT_PATH)) ||
375 (tad->tad_ctrl & TAD_NOPATH)) {
376 return;
377 }
378
379 /*
380 * if symbolic link is anchored at / then do nothing.
381 * When we cycle back to begin: in lookuppn() we will
382 * call audit_anchorpath() with a flag indicating if the
383 * path is anchored at / or is relative. We will release
384 * any saved path at that point.
385 *
386 * Note In the event that an error occurs in pn_combine then
387 * we want to remain pointing at the component that caused the
388 * path to overflow the pnp structure.
389 */
390 if (sympath->pn_buf[0] == '/')
391 return;
392
393 /* backup over last component */
394 sp = cp = pnp->pn_path;
395 while (*--cp != '/' && cp > pnp->pn_buf)
396 ;
397
398 len_path = cp - pnp->pn_buf;
399
400 /* is there anything to save? */
401 if (len_path) {
402 pnp->pn_path = pnp->pn_buf;
403 audit_pathbuild(pnp);
404 pnp->pn_path = sp;
405 }
406 }
407
408 /*
409 * object_is_public : determine whether events for the object (corresponding to
410 * the specified file/directory attr) should be audited or
411 * ignored.
412 *
413 * returns: 1 - if audit policy and object attributes indicate that
414 * file/directory is effectively public. read events for
415 * the file should not be audited.
416 * 0 - otherwise
417 *
418 * The required attributes to be considered a public object are:
419 * - owned by root, AND
420 * - world-readable (permissions for other include read), AND
421 * - NOT world-writeable (permissions for other don't
422 * include write)
423 * (mode doesn't need to be checked for symlinks)
424 */
425 int
object_is_public(struct vattr * attr)426 object_is_public(struct vattr *attr)
427 {
428 au_kcontext_t *kctx = GET_KCTX_PZ;
429
430 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
431 ((attr->va_type == VLNK) ||
432 ((attr->va_mode & (VREAD>>6)) != 0) &&
433 ((attr->va_mode & (VWRITE>>6)) == 0))) {
434 return (1);
435 }
436 return (0);
437 }
438
439
440 /*
441 * ROUTINE: AUDIT_ATTRIBUTES
442 * PURPOSE: Audit the attributes so we can tell why the error occurred
443 * CALLBY: AUDIT_SAVEPATH
444 * AUDIT_VNCREATE_FINISH
445 * AUS_FCHOWN...audit_event.c...audit_path.c
446 * NOTE:
447 * TODO:
448 * QUESTION:
449 */
450 void
audit_attributes(struct vnode * vp)451 audit_attributes(struct vnode *vp)
452 {
453 struct vattr attr;
454 struct t_audit_data *tad;
455
456 tad = U2A(u);
457
458 if (vp) {
459 attr.va_mask = AT_ALL;
460 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
461 return;
462
463 if (object_is_public(&attr) &&
464 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
465 /*
466 * This is a public object and a "public" event
467 * (i.e., read only) -- either by definition
468 * (e.g., stat, access...) or by virtue of write access
469 * not being requested (e.g. mmap).
470 * Flag it in the tad to prevent this audit at the end.
471 */
472 tad->tad_ctrl |= TAD_NOAUDIT;
473 } else {
474 au_uwrite(au_to_attr(&attr));
475 audit_sec_attributes(&(u_ad), vp);
476 }
477 }
478 }
479
480
481 /*
482 * ROUTINE: AUDIT_EXIT
483 * PURPOSE:
484 * CALLBY: EXIT
485 * NOTE:
486 * TODO:
487 * QUESTION: why cmw code as offset by 2 but not here
488 */
489 /* ARGSUSED */
490 void
audit_exit(int code,int what)491 audit_exit(int code, int what)
492 {
493 struct t_audit_data *tad;
494 tad = U2A(u);
495
496 /*
497 * tad_scid will be set by audit_start even if we are not auditing
498 * the event.
499 */
500 if (tad->tad_scid == SYS_exit) {
501 /*
502 * if we are auditing the exit system call, then complete
503 * audit record generation (no return from system call).
504 */
505 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
506 audit_finish(0, SYS_exit, 0, 0);
507 return;
508 }
509
510 /*
511 * Anyone auditing the system call that was aborted?
512 */
513 if (tad->tad_flag) {
514 au_uwrite(au_to_text("event aborted"));
515 audit_finish(0, tad->tad_scid, 0, 0);
516 }
517
518 /*
519 * Generate an audit record for process exit if preselected.
520 */
521 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
522 audit_finish(0, SYS_exit, 0, 0);
523 }
524
525 /*
526 * ROUTINE: AUDIT_CORE_START
527 * PURPOSE:
528 * CALLBY: PSIG
529 * NOTE:
530 * TODO:
531 */
532 void
audit_core_start(int sig)533 audit_core_start(int sig)
534 {
535 au_event_t event;
536 au_state_t estate;
537 t_audit_data_t *tad;
538 au_kcontext_t *kctx;
539
540 tad = U2A(u);
541
542 ASSERT(tad != (t_audit_data_t *)0);
543
544 ASSERT(tad->tad_scid == 0);
545 ASSERT(tad->tad_event == 0);
546 ASSERT(tad->tad_evmod == 0);
547 ASSERT(tad->tad_ctrl == 0);
548 ASSERT(tad->tad_flag == 0);
549 ASSERT(tad->tad_aupath == NULL);
550
551 kctx = GET_KCTX_PZ;
552
553 /* get basic event for system call */
554 event = AUE_CORE;
555 estate = kctx->auk_ets[event];
556
557 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
558 return;
559
560 /* reset the flags for non-user attributable events */
561 tad->tad_ctrl = TAD_CORE;
562 tad->tad_scid = 0;
563
564 /* if auditing not enabled, then don't generate an audit record */
565
566 if (!((kctx->auk_auditstate == AUC_AUDITING ||
567 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
568 kctx->auk_auditstate == AUC_NOSPACE)) {
569 tad->tad_flag = 0;
570 tad->tad_ctrl = 0;
571 return;
572 }
573
574 tad->tad_event = event;
575 tad->tad_evmod = 0;
576
577 ASSERT(tad->tad_ad == NULL);
578
579 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
580 }
581
582 /*
583 * ROUTINE: AUDIT_CORE_FINISH
584 * PURPOSE:
585 * CALLBY: PSIG
586 * NOTE:
587 * TODO:
588 * QUESTION:
589 */
590
591 /*ARGSUSED*/
592 void
audit_core_finish(int code)593 audit_core_finish(int code)
594 {
595 int flag;
596 t_audit_data_t *tad;
597 au_kcontext_t *kctx;
598
599 tad = U2A(u);
600
601 ASSERT(tad != (t_audit_data_t *)0);
602
603 if ((flag = tad->tad_flag) == 0) {
604 tad->tad_event = 0;
605 tad->tad_evmod = 0;
606 tad->tad_ctrl = 0;
607 ASSERT(tad->tad_aupath == NULL);
608 return;
609 }
610 tad->tad_flag = 0;
611
612 kctx = GET_KCTX_PZ;
613
614 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
615 if (flag = audit_success(kctx, tad, 0, NULL)) {
616 cred_t *cr = CRED();
617 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
618
619 ASSERT(ainfo != NULL);
620
621 /*
622 * Add subject information (no locks since our private copy of
623 * credential
624 */
625 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
626
627 /* Add a return token (should use f argument) */
628 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
629
630 AS_INC(as_generated, 1, kctx);
631 AS_INC(as_kernel, 1, kctx);
632 }
633
634 /* Close up everything */
635 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
636
637 /* free up any space remaining with the path's */
638 if (tad->tad_aupath != NULL) {
639 au_pathrele(tad->tad_aupath);
640 tad->tad_aupath = NULL;
641 }
642 tad->tad_event = 0;
643 tad->tad_evmod = 0;
644 tad->tad_ctrl = 0;
645 }
646
647
648 /*ARGSUSED*/
649 void
audit_strgetmsg(struct vnode * vp,struct strbuf * mctl,struct strbuf * mdata,unsigned char * pri,int * flag,int fmode)650 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
651 unsigned char *pri, int *flag, int fmode)
652 {
653 struct stdata *stp;
654 t_audit_data_t *tad = U2A(u);
655
656 ASSERT(tad != (t_audit_data_t *)0);
657
658 stp = vp->v_stream;
659
660 /* lock stdata from audit_sock */
661 mutex_enter(&stp->sd_lock);
662
663 /* proceed ONLY if user is being audited */
664 if (!tad->tad_flag) {
665 /*
666 * this is so we will not add audit data onto
667 * a thread that is not being audited.
668 */
669 stp->sd_t_audit_data = NULL;
670 mutex_exit(&stp->sd_lock);
671 return;
672 }
673
674 stp->sd_t_audit_data = (caddr_t)curthread;
675 mutex_exit(&stp->sd_lock);
676 }
677
678 /*ARGSUSED*/
679 void
audit_strputmsg(struct vnode * vp,struct strbuf * mctl,struct strbuf * mdata,unsigned char pri,int flag,int fmode)680 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
681 unsigned char pri, int flag, int fmode)
682 {
683 struct stdata *stp;
684 t_audit_data_t *tad = U2A(u);
685
686 ASSERT(tad != (t_audit_data_t *)0);
687
688 stp = vp->v_stream;
689
690 /* lock stdata from audit_sock */
691 mutex_enter(&stp->sd_lock);
692
693 /* proceed ONLY if user is being audited */
694 if (!tad->tad_flag) {
695 /*
696 * this is so we will not add audit data onto
697 * a thread that is not being audited.
698 */
699 stp->sd_t_audit_data = NULL;
700 mutex_exit(&stp->sd_lock);
701 return;
702 }
703
704 stp->sd_t_audit_data = (caddr_t)curthread;
705 mutex_exit(&stp->sd_lock);
706 }
707
708 /*
709 * ROUTINE: AUDIT_CLOSEF
710 * PURPOSE:
711 * CALLBY: CLOSEF
712 * NOTE:
713 * release per file audit resources when file structure is being released.
714 *
715 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
716 * on the audit queue if it becomes full. This means
717 * audit_closef can not be called when f_count == 0. Since
718 * f_count == 0 indicates the file structure is free, another
719 * process could attempt to use the file while we were still
720 * asleep waiting on the audit queue. This would cause the
721 * per file audit data to be corrupted when we finally do
722 * wakeup.
723 * TODO:
724 * QUESTION:
725 */
726
727 void
audit_closef(struct file * fp)728 audit_closef(struct file *fp)
729 {
730 f_audit_data_t *fad;
731 t_audit_data_t *tad;
732 int success;
733 au_state_t estate;
734 struct vnode *vp;
735 token_t *ad = NULL;
736 struct vattr attr;
737 au_emod_t evmod = 0;
738 const auditinfo_addr_t *ainfo;
739 cred_t *cr;
740 au_kcontext_t *kctx = GET_KCTX_PZ;
741 uint32_t auditing;
742 boolean_t audit_attr = B_FALSE;
743
744 fad = F2A(fp);
745 estate = kctx->auk_ets[AUE_CLOSE];
746 tad = U2A(u);
747 cr = CRED();
748
749 /* audit record already generated by system call envelope */
750 if (tad->tad_event == AUE_CLOSE) {
751 /* so close audit event will have bits set */
752 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
753 return;
754 }
755
756 /* if auditing not enabled, then don't generate an audit record */
757 auditing = (tad->tad_audit == AUC_UNSET) ?
758 kctx->auk_auditstate : tad->tad_audit;
759 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
760 return;
761
762 ainfo = crgetauinfo(cr);
763 if (ainfo == NULL)
764 return;
765
766 success = ainfo->ai_mask.as_success & estate;
767
768 /* not selected for this event */
769 if (success == 0)
770 return;
771
772 /*
773 * can't use audit_attributes here since we use a private audit area
774 * to build the audit record instead of the one off the thread.
775 */
776 if ((vp = fp->f_vnode) != NULL) {
777 attr.va_mask = AT_ALL;
778 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
779 if ((fp->f_flag & FWRITE) == 0 &&
780 object_is_public(&attr)) {
781 /*
782 * When write was not used and the file can be
783 * considered public, then skip the audit.
784 */
785 return;
786 }
787 audit_attr = B_TRUE;
788 }
789 }
790
791 evmod = (au_emod_t)fad->fad_flags;
792 if (fad->fad_aupath != NULL) {
793 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
794 } else {
795 #ifdef _LP64
796 au_write((caddr_t *)&(ad), au_to_arg64(
797 1, "no path: fp", (uint64_t)fp));
798 #else
799 au_write((caddr_t *)&(ad), au_to_arg32(
800 1, "no path: fp", (uint32_t)fp));
801 #endif
802 }
803
804 if (audit_attr) {
805 au_write((caddr_t *)&(ad), au_to_attr(&attr));
806 audit_sec_attributes((caddr_t *)&(ad), vp);
807 }
808
809 /* Add subject information */
810 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
811
812 /* add a return token */
813 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
814
815 AS_INC(as_generated, 1, kctx);
816 AS_INC(as_kernel, 1, kctx);
817
818 /*
819 * Close up everything
820 * Note: path space recovery handled by normal system
821 * call envelope if not at last close.
822 * Note there is no failure at this point since
823 * this represents closes due to exit of process,
824 * thus we always indicate successful closes.
825 */
826 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
827 AUE_CLOSE, evmod, NULL);
828 }
829
830 /*
831 * ROUTINE: AUDIT_SET
832 * PURPOSE: Audit the file path and file attributes.
833 * CALLBY: SETF
834 * NOTE: SETF associate a file pointer with user area's open files.
835 * TODO:
836 * call audit_finish directly ???
837 * QUESTION:
838 */
839
840 /*ARGSUSED*/
841 void
audit_setf(file_t * fp,int fd)842 audit_setf(file_t *fp, int fd)
843 {
844 f_audit_data_t *fad;
845 t_audit_data_t *tad;
846
847 if (fp == NULL)
848 return;
849
850 tad = T2A(curthread);
851 fad = F2A(fp);
852
853 if (!(tad->tad_scid == SYS_open ||
854 tad->tad_scid == SYS_open64 ||
855 tad->tad_scid == SYS_openat ||
856 tad->tad_scid == SYS_openat64))
857 return;
858
859 /* no path */
860 if (tad->tad_aupath == 0)
861 return;
862
863 /*
864 * assign path information associated with file audit data
865 * use tad hold
866 */
867 fad->fad_aupath = tad->tad_aupath;
868 tad->tad_aupath = NULL;
869
870 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
871 /* adjust event type by dropping the 'creat' part */
872 switch (tad->tad_event) {
873 case AUE_OPEN_RC:
874 tad->tad_event = AUE_OPEN_R;
875 tad->tad_ctrl |= TAD_PUBLIC_EV;
876 break;
877 case AUE_OPEN_RTC:
878 tad->tad_event = AUE_OPEN_RT;
879 break;
880 case AUE_OPEN_WC:
881 tad->tad_event = AUE_OPEN_W;
882 break;
883 case AUE_OPEN_WTC:
884 tad->tad_event = AUE_OPEN_WT;
885 break;
886 case AUE_OPEN_RWC:
887 tad->tad_event = AUE_OPEN_RW;
888 break;
889 case AUE_OPEN_RWTC:
890 tad->tad_event = AUE_OPEN_RWT;
891 break;
892 default:
893 break;
894 }
895 }
896 }
897
898
899 void
audit_ipc(int type,int id,void * vp)900 audit_ipc(int type, int id, void *vp)
901 {
902 /* if not auditing this event, then do nothing */
903 if (ad_flag == 0)
904 return;
905
906 switch (type) {
907 case AT_IPC_MSG:
908 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
909 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
910 break;
911 case AT_IPC_SEM:
912 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
913 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
914 break;
915 case AT_IPC_SHM:
916 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
917 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
918 break;
919 }
920 }
921
922 void
audit_ipcget(int type,void * vp)923 audit_ipcget(int type, void *vp)
924 {
925 /* if not auditing this event, then do nothing */
926 if (ad_flag == 0)
927 return;
928
929 switch (type) {
930 case 0:
931 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
932 break;
933 case AT_IPC_MSG:
934 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
935 break;
936 case AT_IPC_SEM:
937 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
938 break;
939 case AT_IPC_SHM:
940 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
941 break;
942 }
943 }
944
945 /*
946 * ROUTINE: AUDIT_REBOOT
947 * PURPOSE:
948 * CALLBY:
949 * NOTE:
950 * At this point we know that the system call reboot will not return. We thus
951 * have to complete the audit record generation and put it onto the queue.
952 * This might be fairly useless if the auditing daemon is already dead....
953 * TODO:
954 * QUESTION: who calls audit_reboot
955 */
956
957 void
audit_reboot(void)958 audit_reboot(void)
959 {
960 int flag;
961 t_audit_data_t *tad;
962 au_kcontext_t *kctx = GET_KCTX_PZ;
963
964 tad = U2A(u);
965
966 /* if not auditing this event, then do nothing */
967 if (tad->tad_flag == 0)
968 return;
969
970 /* do preselection on success/failure */
971 if (flag = audit_success(kctx, tad, 0, NULL)) {
972 /* add a process token */
973
974 cred_t *cr = CRED();
975 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
976
977 if (ainfo == NULL)
978 return;
979
980 /* Add subject information */
981 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
982
983 /* add a return token */
984 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
985
986 AS_INC(as_generated, 1, kctx);
987 AS_INC(as_kernel, 1, kctx);
988 }
989
990 /*
991 * Flow control useless here since we're going
992 * to drop everything in the queue anyway. Why
993 * block and wait. There aint anyone left alive to
994 * read the records remaining anyway.
995 */
996
997 /* Close up everything */
998 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
999 tad->tad_event, tad->tad_evmod, NULL);
1000 }
1001
1002 void
audit_setfsat_path(int argnum)1003 audit_setfsat_path(int argnum)
1004 {
1005 klwp_id_t clwp = ttolwp(curthread);
1006 struct file *fp;
1007 uint32_t fd;
1008 t_audit_data_t *tad;
1009 struct f_audit_data *fad;
1010 p_audit_data_t *pad; /* current process */
1011 uint_t fm;
1012 struct a {
1013 long arg1;
1014 long arg2;
1015 long arg3;
1016 long arg4;
1017 long arg5;
1018 } *uap;
1019
1020 if (clwp == NULL)
1021 return;
1022 uap = (struct a *)clwp->lwp_ap;
1023
1024 tad = U2A(u);
1025 ASSERT(tad != NULL);
1026
1027 switch (tad->tad_scid) {
1028 case SYS_faccessat:
1029 case SYS_fchmodat:
1030 case SYS_fchownat:
1031 case SYS_fstatat:
1032 case SYS_fstatat64:
1033 case SYS_mkdirat:
1034 case SYS_mknodat:
1035 case SYS_openat:
1036 case SYS_openat64:
1037 case SYS_readlinkat:
1038 case SYS_unlinkat:
1039 fd = uap->arg1;
1040 break;
1041 case SYS_linkat:
1042 case SYS_renameat:
1043 if (argnum == 3)
1044 fd = uap->arg3;
1045 else
1046 fd = uap->arg1;
1047 break;
1048 case SYS_symlinkat:
1049 case SYS_utimesys:
1050 fd = uap->arg2;
1051 break;
1052 case SYS_open:
1053 case SYS_open64:
1054 fd = AT_FDCWD;
1055 break;
1056 default:
1057 return;
1058 }
1059
1060 if (tad->tad_atpath != NULL) {
1061 au_pathrele(tad->tad_atpath);
1062 tad->tad_atpath = NULL;
1063 }
1064
1065 if (fd != AT_FDCWD) {
1066 tad->tad_ctrl |= TAD_ATCALL;
1067
1068 if (tad->tad_scid == SYS_openat ||
1069 tad->tad_scid == SYS_openat64) {
1070 fm = (uint_t)uap->arg3;
1071 if (fm & (FXATTR | FXATTRDIROPEN)) {
1072 tad->tad_ctrl |= TAD_ATTPATH;
1073 }
1074 }
1075
1076 if ((fp = getf(fd)) == NULL) {
1077 tad->tad_ctrl |= TAD_NOPATH;
1078 return;
1079 }
1080 fad = F2A(fp);
1081 ASSERT(fad);
1082 if (fad->fad_aupath == NULL) {
1083 tad->tad_ctrl |= TAD_NOPATH;
1084 releasef(fd);
1085 return;
1086 }
1087 au_pathhold(fad->fad_aupath);
1088 tad->tad_atpath = fad->fad_aupath;
1089 releasef(fd);
1090 } else {
1091 if (tad->tad_scid == SYS_open ||
1092 tad->tad_scid == SYS_open64) {
1093 fm = (uint_t)uap->arg2;
1094 if (fm & FXATTR) {
1095 tad->tad_ctrl |= TAD_ATTPATH;
1096 }
1097 return;
1098 }
1099 pad = P2A(curproc);
1100 mutex_enter(&pad->pad_lock);
1101 au_pathhold(pad->pad_cwd);
1102 tad->tad_atpath = pad->pad_cwd;
1103 mutex_exit(&pad->pad_lock);
1104 }
1105 }
1106
1107 void
audit_symlink_create(vnode_t * dvp,char * sname,char * target,int error)1108 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1109 {
1110 t_audit_data_t *tad;
1111 vnode_t *vp;
1112
1113 tad = U2A(u);
1114
1115 /* if not auditing this event, then do nothing */
1116 if (tad->tad_flag == 0)
1117 return;
1118
1119 au_uwrite(au_to_text(target));
1120
1121 if (error)
1122 return;
1123
1124 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1125 NULL, NULL, NULL);
1126 if (error == 0) {
1127 audit_attributes(vp);
1128 VN_RELE(vp);
1129 }
1130 }
1131
1132 /*
1133 * ROUTINE: AUDIT_VNCREATE_START
1134 * PURPOSE: set flag so path name lookup in create will not add attribute
1135 * CALLBY: VN_CREATE
1136 * NOTE:
1137 * TODO:
1138 * QUESTION:
1139 */
1140
1141 void
audit_vncreate_start()1142 audit_vncreate_start()
1143 {
1144 t_audit_data_t *tad;
1145
1146 tad = U2A(u);
1147 tad->tad_ctrl |= TAD_NOATTRB;
1148 }
1149
1150 /*
1151 * ROUTINE: AUDIT_VNCREATE_FINISH
1152 * PURPOSE:
1153 * CALLBY: VN_CREATE
1154 * NOTE:
1155 * TODO:
1156 * QUESTION:
1157 */
1158 void
audit_vncreate_finish(struct vnode * vp,int error)1159 audit_vncreate_finish(struct vnode *vp, int error)
1160 {
1161 t_audit_data_t *tad;
1162
1163 if (error)
1164 return;
1165
1166 tad = U2A(u);
1167
1168 /* if not auditing this event, then do nothing */
1169 if (tad->tad_flag == 0)
1170 return;
1171
1172 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1173 audit_attributes(vp);
1174 }
1175
1176 if (tad->tad_ctrl & TAD_CORE) {
1177 audit_attributes(vp);
1178 tad->tad_ctrl &= ~TAD_CORE;
1179 }
1180
1181 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1182 (tad->tad_event == AUE_MKDIR))) {
1183 audit_attributes(vp);
1184 }
1185
1186 /* for case where multiple lookups in one syscall (rename) */
1187 tad->tad_ctrl &= ~TAD_NOATTRB;
1188 }
1189
1190
1191
1192
1193
1194
1195
1196
1197 /*
1198 * ROUTINE: AUDIT_EXEC
1199 * PURPOSE: Records the function arguments and environment variables
1200 * CALLBY: EXEC_ARGS
1201 * NOTE:
1202 * TODO:
1203 * QUESTION:
1204 */
1205
1206 void
audit_exec(const char * argstr,const char * envstr,ssize_t argc,ssize_t envc,cred_t * pfcred)1207 audit_exec(
1208 const char *argstr, /* argument strings */
1209 const char *envstr, /* environment strings */
1210 ssize_t argc, /* total # arguments */
1211 ssize_t envc, /* total # environment variables */
1212 cred_t *pfcred) /* the additional privileges in a profile */
1213 {
1214 t_audit_data_t *tad;
1215 au_kcontext_t *kctx = GET_KCTX_PZ;
1216
1217 tad = U2A(u);
1218
1219 /* if not auditing this event, then do nothing */
1220 if (!tad->tad_flag)
1221 return;
1222
1223 if (pfcred != NULL) {
1224 p_audit_data_t *pad;
1225 cred_t *cr = CRED();
1226 priv_set_t pset = CR_IPRIV(cr);
1227
1228 pad = P2A(curproc);
1229
1230 /* It's a different event. */
1231 tad->tad_event = AUE_PFEXEC;
1232
1233 /* Add the current working directory to the audit trail. */
1234 if (pad->pad_cwd != NULL)
1235 au_uwrite(au_to_path(pad->pad_cwd));
1236
1237 /*
1238 * The new credential is not yet in place when audit_exec
1239 * is called.
1240 * Compute the additional bits available in the new credential
1241 * and the limit set.
1242 */
1243 priv_inverse(&pset);
1244 priv_intersect(&CR_IPRIV(pfcred), &pset);
1245 if (!priv_isemptyset(&pset) ||
1246 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1247 au_uwrite(au_to_privset(
1248 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1249 0));
1250 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1251 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1252 }
1253 /*
1254 * Compare the uids & gids: create a process token if changed.
1255 */
1256 if (crgetuid(cr) != crgetuid(pfcred) ||
1257 crgetruid(cr) != crgetruid(pfcred) ||
1258 crgetgid(cr) != crgetgid(pfcred) ||
1259 crgetrgid(cr) != crgetrgid(pfcred)) {
1260 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1261 }
1262 }
1263
1264 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1265 au_uwrite(au_to_exec_args(argstr, argc));
1266
1267 if (kctx->auk_policy & AUDIT_ARGE)
1268 au_uwrite(au_to_exec_env(envstr, envc));
1269 }
1270
1271 /*
1272 * ROUTINE: AUDIT_ENTERPROM
1273 * PURPOSE:
1274 * CALLBY: KBDINPUT
1275 * ZSA_XSINT
1276 * NOTE:
1277 * TODO:
1278 * QUESTION:
1279 */
1280 void
audit_enterprom(int flg)1281 audit_enterprom(int flg)
1282 {
1283 token_t *rp = NULL;
1284 int sorf;
1285
1286 if (flg)
1287 sorf = AUM_SUCC;
1288 else
1289 sorf = AUM_FAIL;
1290
1291 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1292
1293 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1294
1295 if (flg)
1296 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1297 else
1298 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1299
1300 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, 0, NULL);
1301 }
1302
1303
1304 /*
1305 * ROUTINE: AUDIT_EXITPROM
1306 * PURPOSE:
1307 * CALLBY: KBDINPUT
1308 * ZSA_XSINT
1309 * NOTE:
1310 * TODO:
1311 * QUESTION:
1312 */
1313 void
audit_exitprom(int flg)1314 audit_exitprom(int flg)
1315 {
1316 int sorf;
1317 token_t *rp = NULL;
1318
1319 if (flg)
1320 sorf = AUM_SUCC;
1321 else
1322 sorf = AUM_FAIL;
1323
1324 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1325
1326 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1327
1328 if (flg)
1329 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1330 else
1331 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1332
1333 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, 0, NULL);
1334 }
1335
1336 struct fcntla {
1337 int fdes;
1338 int cmd;
1339 intptr_t arg;
1340 };
1341
1342
1343 /*
1344 * ROUTINE: AUDIT_CHDIREC
1345 * PURPOSE:
1346 * CALLBY: CHDIREC
1347 * NOTE: The main function of CHDIREC
1348 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1349 * QUESTION:
1350 */
1351
1352 /*ARGSUSED*/
1353 void
audit_chdirec(vnode_t * vp,vnode_t ** vpp)1354 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1355 {
1356 int chdir;
1357 int fchdir;
1358 struct audit_path **appp;
1359 struct file *fp;
1360 f_audit_data_t *fad;
1361 p_audit_data_t *pad = P2A(curproc);
1362 t_audit_data_t *tad = T2A(curthread);
1363
1364 struct a {
1365 long fd;
1366 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1367
1368 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1369 chdir = tad->tad_scid == SYS_chdir;
1370 if (tad->tad_aupath) {
1371 mutex_enter(&pad->pad_lock);
1372 if (chdir)
1373 appp = &(pad->pad_cwd);
1374 else
1375 appp = &(pad->pad_root);
1376 au_pathrele(*appp);
1377 /* use tad hold */
1378 *appp = tad->tad_aupath;
1379 tad->tad_aupath = NULL;
1380 mutex_exit(&pad->pad_lock);
1381 }
1382 } else if ((tad->tad_scid == SYS_fchdir) ||
1383 (tad->tad_scid == SYS_fchroot)) {
1384 fchdir = tad->tad_scid == SYS_fchdir;
1385 if ((fp = getf(uap->fd)) == NULL)
1386 return;
1387 fad = F2A(fp);
1388 if (fad->fad_aupath) {
1389 au_pathhold(fad->fad_aupath);
1390 mutex_enter(&pad->pad_lock);
1391 if (fchdir)
1392 appp = &(pad->pad_cwd);
1393 else
1394 appp = &(pad->pad_root);
1395 au_pathrele(*appp);
1396 *appp = fad->fad_aupath;
1397 mutex_exit(&pad->pad_lock);
1398 if (tad->tad_flag) {
1399 au_uwrite(au_to_path(fad->fad_aupath));
1400 audit_attributes(fp->f_vnode);
1401 }
1402 }
1403 releasef(uap->fd);
1404 }
1405 }
1406
1407
1408 /*
1409 * Audit hook for stream based socket and tli request.
1410 * Note that we do not have user context while executing
1411 * this code so we had to record them earlier during the
1412 * putmsg/getmsg to figure out which user we are dealing with.
1413 */
1414
1415 /*ARGSUSED*/
1416 void
audit_sock(int type,queue_t * q,mblk_t * mp,int from)1417 audit_sock(
1418 int type, /* type of tihdr.h header requests */
1419 queue_t *q, /* contains the process and thread audit data */
1420 mblk_t *mp, /* contains the tihdr.h header structures */
1421 int from) /* timod or sockmod request */
1422 {
1423 int32_t len;
1424 int32_t offset;
1425 struct sockaddr_in *sock_data;
1426 struct T_conn_req *conn_req;
1427 struct T_conn_ind *conn_ind;
1428 struct T_unitdata_req *unitdata_req;
1429 struct T_unitdata_ind *unitdata_ind;
1430 au_state_t estate;
1431 t_audit_data_t *tad;
1432 caddr_t saved_thread_ptr;
1433 au_mask_t amask;
1434 const auditinfo_addr_t *ainfo;
1435 au_kcontext_t *kctx;
1436
1437 if (q->q_stream == NULL)
1438 return;
1439 mutex_enter(&q->q_stream->sd_lock);
1440 /* are we being audited */
1441 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1442 /* no pointer to thread, nothing to do */
1443 if (saved_thread_ptr == NULL) {
1444 mutex_exit(&q->q_stream->sd_lock);
1445 return;
1446 }
1447 /* only allow one addition of a record token */
1448 q->q_stream->sd_t_audit_data = NULL;
1449 /*
1450 * thread is not the one being audited, then nothing to do
1451 * This could be the stream thread handling the module
1452 * service routine. In this case, the context for the audit
1453 * record can no longer be assumed. Simplest to just drop
1454 * the operation.
1455 */
1456 if (curthread != (kthread_id_t)saved_thread_ptr) {
1457 mutex_exit(&q->q_stream->sd_lock);
1458 return;
1459 }
1460 if (curthread->t_sysnum >= SYS_so_socket &&
1461 curthread->t_sysnum <= SYS_sockconfig) {
1462 mutex_exit(&q->q_stream->sd_lock);
1463 return;
1464 }
1465 mutex_exit(&q->q_stream->sd_lock);
1466 /*
1467 * we know that the thread that did the put/getmsg is the
1468 * one running. Now we can get the TAD and see if we should
1469 * add an audit token.
1470 */
1471 tad = U2A(u);
1472
1473 kctx = GET_KCTX_PZ;
1474
1475 /* proceed ONLY if user is being audited */
1476 if (!tad->tad_flag)
1477 return;
1478
1479 ainfo = crgetauinfo(CRED());
1480 if (ainfo == NULL)
1481 return;
1482 amask = ainfo->ai_mask;
1483
1484 /*
1485 * Figure out the type of stream networking request here.
1486 * Note that getmsg and putmsg are always preselected
1487 * because during the beginning of the system call we have
1488 * not yet figure out which of the socket or tli request
1489 * we are looking at until we are here. So we need to check
1490 * against that specific request and reset the type of event.
1491 */
1492 switch (type) {
1493 case T_CONN_REQ: /* connection request */
1494 conn_req = (struct T_conn_req *)mp->b_rptr;
1495 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1496 return;
1497 offset = conn_req->DEST_offset;
1498 len = conn_req->DEST_length;
1499 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1500 if (amask.as_success & estate || amask.as_failure & estate) {
1501 tad->tad_event = AUE_SOCKCONNECT;
1502 break;
1503 } else {
1504 return;
1505 }
1506 case T_CONN_IND: /* connectionless receive request */
1507 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1508 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1509 return;
1510 offset = conn_ind->SRC_offset;
1511 len = conn_ind->SRC_length;
1512 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1513 if (amask.as_success & estate || amask.as_failure & estate) {
1514 tad->tad_event = AUE_SOCKACCEPT;
1515 break;
1516 } else {
1517 return;
1518 }
1519 case T_UNITDATA_REQ: /* connectionless send request */
1520 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1521 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1522 return;
1523 offset = unitdata_req->DEST_offset;
1524 len = unitdata_req->DEST_length;
1525 estate = kctx->auk_ets[AUE_SOCKSEND];
1526 if (amask.as_success & estate || amask.as_failure & estate) {
1527 tad->tad_event = AUE_SOCKSEND;
1528 break;
1529 } else {
1530 return;
1531 }
1532 case T_UNITDATA_IND: /* connectionless receive request */
1533 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1534 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1535 return;
1536 offset = unitdata_ind->SRC_offset;
1537 len = unitdata_ind->SRC_length;
1538 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1539 if (amask.as_success & estate || amask.as_failure & estate) {
1540 tad->tad_event = AUE_SOCKRECEIVE;
1541 break;
1542 } else {
1543 return;
1544 }
1545 default:
1546 return;
1547 }
1548
1549 /*
1550 * we are only interested in tcp stream connections,
1551 * not unix domain stuff
1552 */
1553 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1554 tad->tad_event = AUE_GETMSG;
1555 return;
1556 }
1557 /* skip over TPI header and point to the ip address */
1558 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1559
1560 switch (sock_data->sin_family) {
1561 case AF_INET:
1562 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1563 break;
1564 default: /* reset to AUE_PUTMSG if not a inet request */
1565 tad->tad_event = AUE_GETMSG;
1566 break;
1567 }
1568 }
1569
1570
1571 static void
add_return_token(caddr_t * ad,unsigned int scid,int err,int rval)1572 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1573 {
1574 unsigned int sy_flags;
1575
1576 #ifdef _SYSCALL32_IMPL
1577 /*
1578 * Guard against t_lwp being NULL when this function is called
1579 * from a kernel queue instead of from a direct system call.
1580 * In that case, assume the running kernel data model.
1581 */
1582 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1583 ttolwp(curthread)) == DATAMODEL_NATIVE))
1584 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1585 else
1586 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1587 #else
1588 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1589 #endif
1590
1591 if (sy_flags == SE_64RVAL)
1592 au_write(ad, au_to_return64(err, rval));
1593 else
1594 au_write(ad, au_to_return32(err, rval));
1595
1596 }
1597
1598 /*ARGSUSED*/
1599 void
audit_fdsend(int fd,struct file * fp,int error)1600 audit_fdsend(int fd, struct file *fp, int error)
1601 {
1602 t_audit_data_t *tad; /* current thread */
1603 f_audit_data_t *fad; /* per file audit structure */
1604 struct vnode *vp; /* for file attributes */
1605
1606 /* is this system call being audited */
1607 tad = U2A(u);
1608 ASSERT(tad != (t_audit_data_t *)0);
1609 if (!tad->tad_flag)
1610 return;
1611
1612 fad = F2A(fp);
1613
1614 /* add path and file attributes */
1615 if (fad != NULL && fad->fad_aupath != NULL) {
1616 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1617 au_uwrite(au_to_path(fad->fad_aupath));
1618 } else {
1619 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1620 #ifdef _LP64
1621 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1622 #else
1623 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1624 #endif
1625 }
1626 vp = fp->f_vnode; /* include vnode attributes */
1627 audit_attributes(vp);
1628 }
1629
1630 /*
1631 * Record privileges successfully used and we attempted to use but
1632 * didn't have.
1633 */
1634 void
audit_priv(int priv,const priv_set_t * set,int flag)1635 audit_priv(int priv, const priv_set_t *set, int flag)
1636 {
1637 t_audit_data_t *tad;
1638 int sbit;
1639 priv_set_t *target;
1640
1641 /* Make sure this isn't being called in an interrupt context */
1642 ASSERT(servicing_interrupt() == 0);
1643
1644 tad = U2A(u);
1645
1646 if (tad->tad_flag == 0)
1647 return;
1648
1649 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1650 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1651
1652 /* Tell audit_success() and audit_finish() that we saw this case */
1653 if (!(tad->tad_evmod & sbit)) {
1654 /* Clear set first time around */
1655 priv_emptyset(target);
1656 tad->tad_evmod |= sbit;
1657 }
1658
1659 /* Save the privileges in the tad */
1660 if (priv == PRIV_ALL) {
1661 priv_fillset(target);
1662 } else {
1663 ASSERT(set != NULL || priv != PRIV_NONE);
1664 if (set != NULL)
1665 priv_union(set, target);
1666 if (priv != PRIV_NONE)
1667 priv_addset(target, priv);
1668 }
1669 }
1670
1671 /*
1672 * Audit the psecflags() system call; the set name, current value, and delta
1673 * are put in the audit trail.
1674 */
1675 void
audit_psecflags(proc_t * p,psecflagwhich_t which,const secflagdelta_t * psd)1676 audit_psecflags(proc_t *p,
1677 psecflagwhich_t which,
1678 const secflagdelta_t *psd)
1679 {
1680 t_audit_data_t *tad;
1681 secflagset_t new;
1682 const secflagset_t *old;
1683 const char *s;
1684 cred_t *cr;
1685 pid_t pid;
1686 const auditinfo_addr_t *ainfo;
1687 const psecflags_t *psec = &p->p_secflags;
1688
1689 tad = U2A(u);
1690
1691 if (tad->tad_flag == 0)
1692 return;
1693
1694 switch (which) {
1695 case PSF_EFFECTIVE:
1696 s = "effective";
1697 old = &psec->psf_effective;
1698 break;
1699 case PSF_INHERIT:
1700 s = "inherit";
1701 old = &psec->psf_inherit;
1702 break;
1703 case PSF_LOWER:
1704 s = "lower";
1705 old = &psec->psf_lower;
1706 break;
1707 case PSF_UPPER:
1708 s = "upper";
1709 old = &psec->psf_upper;
1710 break;
1711 }
1712
1713 secflags_copy(&new, old);
1714 secflags_apply_delta(&new, psd);
1715
1716 au_uwrite(au_to_secflags(s, *old));
1717 au_uwrite(au_to_secflags(s, new));
1718
1719 ASSERT(mutex_owned(&p->p_lock));
1720 mutex_enter(&p->p_crlock);
1721
1722 pid = p->p_pid;
1723 crhold(cr = p->p_cred);
1724 mutex_exit(&p->p_crlock);
1725
1726 if ((ainfo = crgetauinfo(cr)) == NULL) {
1727 crfree(cr);
1728 return;
1729 }
1730
1731 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1732
1733 crfree(cr);
1734 }
1735
1736 /*
1737 * Audit the setpriv() system call; the operation, the set name and
1738 * the current value as well as the set argument are put in the
1739 * audit trail.
1740 */
1741 void
audit_setppriv(int op,int set,const priv_set_t * newpriv,const cred_t * ocr)1742 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1743 {
1744 t_audit_data_t *tad;
1745 const priv_set_t *oldpriv;
1746 priv_set_t report;
1747 const char *setname;
1748
1749 tad = U2A(u);
1750
1751 if (tad->tad_flag == 0)
1752 return;
1753
1754 oldpriv = priv_getset(ocr, set);
1755
1756 /* Generate the actual record, include the before and after */
1757 au_uwrite(au_to_arg32(2, "op", op));
1758 setname = priv_getsetbynum(set);
1759
1760 switch (op) {
1761 case PRIV_OFF:
1762 /* Report privileges actually switched off */
1763 report = *oldpriv;
1764 priv_intersect(newpriv, &report);
1765 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1766 break;
1767 case PRIV_ON:
1768 /* Report privileges actually switched on */
1769 report = *oldpriv;
1770 priv_inverse(&report);
1771 priv_intersect(newpriv, &report);
1772 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1773 break;
1774 case PRIV_SET:
1775 /* Report before and after */
1776 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1777 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1778 break;
1779 }
1780 }
1781
1782 /*
1783 * Dump the full device policy setting in the audit trail.
1784 */
1785 void
audit_devpolicy(int nitems,const devplcysys_t * items)1786 audit_devpolicy(int nitems, const devplcysys_t *items)
1787 {
1788 t_audit_data_t *tad;
1789 int i;
1790
1791 tad = U2A(u);
1792
1793 if (tad->tad_flag == 0)
1794 return;
1795
1796 for (i = 0; i < nitems; i++) {
1797 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1798 if (items[i].dps_minornm[0] == '\0') {
1799 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1800 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1801 } else
1802 au_uwrite(au_to_text(items[i].dps_minornm));
1803
1804 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1805 AUT_PRIV, 0));
1806 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1807 AUT_PRIV, 0));
1808 }
1809 }
1810
1811 /*ARGSUSED*/
1812 void
audit_fdrecv(int fd,struct file * fp)1813 audit_fdrecv(int fd, struct file *fp)
1814 {
1815 t_audit_data_t *tad; /* current thread */
1816 f_audit_data_t *fad; /* per file audit structure */
1817 struct vnode *vp; /* for file attributes */
1818
1819 /* is this system call being audited */
1820 tad = U2A(u);
1821 ASSERT(tad != (t_audit_data_t *)0);
1822 if (!tad->tad_flag)
1823 return;
1824
1825 fad = F2A(fp);
1826
1827 /* add path and file attributes */
1828 if (fad != NULL && fad->fad_aupath != NULL) {
1829 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1830 au_uwrite(au_to_path(fad->fad_aupath));
1831 } else {
1832 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1833 #ifdef _LP64
1834 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1835 #else
1836 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1837 #endif
1838 }
1839 vp = fp->f_vnode; /* include vnode attributes */
1840 audit_attributes(vp);
1841 }
1842
1843 /*
1844 * ROUTINE: AUDIT_CRYPTOADM
1845 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1846 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1847 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1848 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1849 * CRYPTO_LOAD_DOOR
1850 * NOTE:
1851 * TODO:
1852 * QUESTION:
1853 */
1854
1855 void
audit_cryptoadm(int cmd,char * module_name,crypto_mech_name_t * mech_names,uint_t mech_count,uint_t device_instance,uint32_t rv,int error)1856 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1857 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1858 {
1859 boolean_t mech_list_required = B_FALSE;
1860 cred_t *cr = CRED();
1861 t_audit_data_t *tad;
1862 token_t *ad = NULL;
1863 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1864 char buffer[MAXNAMELEN * 2];
1865 au_kcontext_t *kctx = GET_KCTX_PZ;
1866
1867 tad = U2A(u);
1868 if (tad == NULL)
1869 return;
1870
1871 if (ainfo == NULL)
1872 return;
1873
1874 tad->tad_event = AUE_CRYPTOADM;
1875
1876 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1877 return;
1878
1879 /* Add subject information */
1880 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1881
1882 switch (cmd) {
1883 case CRYPTO_LOAD_DEV_DISABLED:
1884 if (error == 0 && rv == CRYPTO_SUCCESS) {
1885 (void) snprintf(buffer, sizeof (buffer),
1886 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1887 " dev_instance=%d",
1888 module_name, device_instance);
1889 mech_list_required = B_TRUE;
1890 } else {
1891 (void) snprintf(buffer, sizeof (buffer),
1892 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1893 }
1894 break;
1895
1896 case CRYPTO_LOAD_SOFT_DISABLED:
1897 if (error == 0 && rv == CRYPTO_SUCCESS) {
1898 (void) snprintf(buffer, sizeof (buffer),
1899 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1900 module_name);
1901 mech_list_required = B_TRUE;
1902 } else {
1903 (void) snprintf(buffer, sizeof (buffer),
1904 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1905 }
1906 break;
1907
1908 case CRYPTO_UNLOAD_SOFT_MODULE:
1909 if (error == 0 && rv == CRYPTO_SUCCESS) {
1910 (void) snprintf(buffer, sizeof (buffer),
1911 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1912 module_name);
1913 } else {
1914 (void) snprintf(buffer, sizeof (buffer),
1915 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1916 }
1917 break;
1918
1919 case CRYPTO_LOAD_SOFT_CONFIG:
1920 if (error == 0 && rv == CRYPTO_SUCCESS) {
1921 (void) snprintf(buffer, sizeof (buffer),
1922 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1923 module_name);
1924 mech_list_required = B_TRUE;
1925 } else {
1926 (void) snprintf(buffer, sizeof (buffer),
1927 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1928 }
1929 break;
1930
1931 case CRYPTO_POOL_CREATE:
1932 (void) snprintf(buffer, sizeof (buffer),
1933 "op=CRYPTO_POOL_CREATE");
1934 break;
1935
1936 case CRYPTO_POOL_WAIT:
1937 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1938 break;
1939
1940 case CRYPTO_POOL_RUN:
1941 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1942 break;
1943
1944 case CRYPTO_LOAD_DOOR:
1945 if (error == 0 && rv == CRYPTO_SUCCESS)
1946 (void) snprintf(buffer, sizeof (buffer),
1947 "op=CRYPTO_LOAD_DOOR");
1948 else
1949 (void) snprintf(buffer, sizeof (buffer),
1950 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1951 break;
1952
1953 case CRYPTO_FIPS140_SET:
1954 (void) snprintf(buffer, sizeof (buffer),
1955 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1956 break;
1957
1958 default:
1959 return;
1960 }
1961
1962 au_write((caddr_t *)&ad, au_to_text(buffer));
1963
1964 if (mech_list_required) {
1965 int i;
1966
1967 if (mech_count == 0) {
1968 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1969 } else {
1970 char *pb = buffer;
1971 size_t l = sizeof (buffer);
1972 size_t n;
1973 char space[2] = ":";
1974
1975 n = snprintf(pb, l, "mech=");
1976
1977 for (i = 0; i < mech_count; i++) {
1978 pb += n;
1979 l = (n >= l) ? 0 : l - n;
1980
1981 if (i == mech_count - 1)
1982 (void) strcpy(space, "");
1983
1984 n = snprintf(pb, l, "%s%s", mech_names[i],
1985 space);
1986 }
1987 au_write((caddr_t *)&ad, au_to_text(buffer));
1988 }
1989 }
1990
1991 /* add a return token */
1992 if (error || (rv != CRYPTO_SUCCESS))
1993 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1994 else
1995 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1996
1997 AS_INC(as_generated, 1, kctx);
1998 AS_INC(as_kernel, 1, kctx);
1999
2000 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2001 NULL);
2002 }
2003
2004 /*
2005 * Audit the kernel PF_POLICY administration commands. Record command,
2006 * zone, policy type (global or tunnel, active or inactive)
2007 */
2008 /*
2009 * ROUTINE: AUDIT_PF_POLICY
2010 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2011 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2012 * SPD_CLONE, SPD_FLIP
2013 * NOTE:
2014 * TODO:
2015 * QUESTION:
2016 */
2017
2018 void
audit_pf_policy(int cmd,cred_t * cred,netstack_t * ns,char * tun,boolean_t active,int error,pid_t pid)2019 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2020 boolean_t active, int error, pid_t pid)
2021 {
2022 const auditinfo_addr_t *ainfo;
2023 t_audit_data_t *tad;
2024 token_t *ad = NULL;
2025 au_kcontext_t *kctx = GET_KCTX_PZ;
2026 char buf[80];
2027 int flag;
2028
2029 tad = U2A(u);
2030 if (tad == NULL)
2031 return;
2032
2033 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2034 if (ainfo == NULL)
2035 return;
2036
2037 /*
2038 * Initialize some variables since these are only set
2039 * with system calls.
2040 */
2041
2042 switch (cmd) {
2043 case SPD_ADDRULE: {
2044 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2045 break;
2046 }
2047
2048 case SPD_DELETERULE: {
2049 tad->tad_event = AUE_PF_POLICY_DELRULE;
2050 break;
2051 }
2052
2053 case SPD_FLUSH: {
2054 tad->tad_event = AUE_PF_POLICY_FLUSH;
2055 break;
2056 }
2057
2058 case SPD_UPDATEALGS: {
2059 tad->tad_event = AUE_PF_POLICY_ALGS;
2060 break;
2061 }
2062
2063 case SPD_CLONE: {
2064 tad->tad_event = AUE_PF_POLICY_CLONE;
2065 break;
2066 }
2067
2068 case SPD_FLIP: {
2069 tad->tad_event = AUE_PF_POLICY_FLIP;
2070 break;
2071 }
2072
2073 default:
2074 tad->tad_event = AUE_NULL;
2075 }
2076
2077 tad->tad_evmod = 0;
2078
2079 if (flag = audit_success(kctx, tad, error, cred)) {
2080 zone_t *nszone;
2081
2082 /*
2083 * For now, just audit that an event happened,
2084 * along with the error code.
2085 */
2086 au_write((caddr_t *)&ad,
2087 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2088 au_write((caddr_t *)&ad,
2089 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2090
2091 /* Supplemental data */
2092
2093 /*
2094 * Generate this zone token if the target zone differs
2095 * from the administrative zone. If netstacks are expanded
2096 * to something other than a 1-1 relationship with zones,
2097 * the auditing framework should create a new token type
2098 * and audit it as a netstack instead.
2099 * Turn on general zone auditing to get the administrative zone.
2100 */
2101
2102 nszone = zone_find_by_id(netstackid_to_zoneid(
2103 ns->netstack_stackid));
2104 if (nszone != NULL) {
2105 if (strncmp(crgetzone(cred)->zone_name,
2106 nszone->zone_name, ZONENAME_MAX) != 0) {
2107 token_t *ztoken;
2108
2109 ztoken = au_to_zonename(0, nszone);
2110 au_write((caddr_t *)&ad, ztoken);
2111 }
2112 zone_rele(nszone);
2113 }
2114
2115 if (tun != NULL) {
2116 /* write tunnel name - tun is bounded */
2117 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2118 tun);
2119 au_write((caddr_t *)&ad, au_to_text(buf));
2120 }
2121
2122 /* Add subject information */
2123 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2124 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2125
2126 /* add a return token */
2127 add_return_token((caddr_t *)&ad, 0, error, 0);
2128
2129 AS_INC(as_generated, 1, kctx);
2130 AS_INC(as_kernel, 1, kctx);
2131
2132 }
2133 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2134 NULL);
2135
2136 /*
2137 * clear the ctrl flag so that we don't have spurious collection of
2138 * audit information.
2139 */
2140 tad->tad_scid = 0;
2141 tad->tad_event = 0;
2142 tad->tad_evmod = 0;
2143 tad->tad_ctrl = 0;
2144 }
2145
2146 /*
2147 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2148 * PURPOSE: Add security attributes
2149 * CALLBY: AUDIT_ATTRIBUTES
2150 * AUDIT_CLOSEF
2151 * AUS_CLOSE
2152 * NOTE:
2153 * TODO:
2154 * QUESTION:
2155 */
2156
2157 void
audit_sec_attributes(caddr_t * ad,struct vnode * vp)2158 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2159 {
2160 /* Dump the SL */
2161 if (is_system_labeled()) {
2162 ts_label_t *tsl;
2163 bslabel_t *bsl;
2164
2165 tsl = getflabel(vp);
2166 if (tsl == NULL)
2167 return; /* nothing else to do */
2168
2169 bsl = label2bslabel(tsl);
2170 if (bsl == NULL)
2171 return; /* nothing else to do */
2172 au_write(ad, au_to_label(bsl));
2173 label_rele(tsl);
2174 }
2175
2176 } /* AUDIT_SEC_ATTRIBUTES */
2177