1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * This file contains the audit hook support code for auditing.
28 */
29
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h> /* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h> /* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h> /* needs to be included before user.h */
52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h> /* for model_t */
60 #include <sys/disp.h> /* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
66
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68
69 static void audit_pathbuild(struct pathname *pnp);
70
71
72 /*
73 * ROUTINE: AUDIT_SAVEPATH
74 * PURPOSE:
75 * CALLBY: LOOKUPPN
76 *
77 * NOTE: We have reached the end of a path in fs/lookup.c.
78 * We get two pieces of information here:
79 * the vnode of the last component (vp) and
80 * the status of the last access (flag).
81 * TODO:
82 * QUESTION:
83 */
84
85 /*ARGSUSED*/
86 int
audit_savepath(struct pathname * pnp,struct vnode * vp,struct vnode * pvp,int flag,cred_t * cr)87 audit_savepath(
88 struct pathname *pnp, /* pathname to lookup */
89 struct vnode *vp, /* vnode of the last component */
90 struct vnode *pvp, /* vnode of the last parent component */
91 int flag, /* status of the last access */
92 cred_t *cr) /* cred of requestor */
93 {
94
95 t_audit_data_t *tad; /* current thread */
96 au_kcontext_t *kctx = GET_KCTX_PZ;
97
98 tad = U2A(u);
99
100 /*
101 * Noise elimination in audit trails - this event will be discarded if:
102 * - the public policy is not active AND
103 * - the system call is a public operation AND
104 * - the file was not found: VFS lookup failed with ENOENT error AND
105 * - the missing file would have been located in the public directory
106 * owned by root if it had existed
107 */
108 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110 !(kctx->auk_policy & AUDIT_PUBLIC)) {
111 struct vattr attr;
112
113 attr.va_mask = AT_ALL;
114 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115 if (object_is_public(&attr)) {
116 tad->tad_ctrl |= TAD_NOAUDIT;
117 }
118 }
119 }
120
121 /*
122 * this event being audited or do we need path information
123 * later? This might be for a chdir/chroot or open (add path
124 * to file pointer. If the path has already been found for an
125 * open/creat then we don't need to process the path.
126 *
127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 * chroot, chdir, open, creat system call processing. It determines
129 * if audit_savepath() will discard the path or we need it later.
130 * TAD_PATHFND means path already included in this audit record. It
131 * is used in cases where multiple path lookups are done per
132 * system call. The policy flag, AUDIT_PATH, controls if multiple
133 * paths are allowed.
134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 * exit processing to inhibit any paths that may be added due to
136 * closes.
137 */
138 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139 ((tad->tad_ctrl & TAD_PATHFND) &&
140 !(kctx->auk_policy & AUDIT_PATH)) ||
141 (tad->tad_ctrl & TAD_NOPATH)) {
142 return (0);
143 }
144
145 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
146
147 audit_pathbuild(pnp);
148
149 /*
150 * are we auditing only if error, or if it is not open or create
151 * otherwise audit_setf will do it
152 */
153
154 if (tad->tad_flag) {
155 if (flag &&
156 (tad->tad_scid == SYS_open ||
157 tad->tad_scid == SYS_open64 ||
158 tad->tad_scid == SYS_openat ||
159 tad->tad_scid == SYS_openat64)) {
160 tad->tad_ctrl |= TAD_TRUE_CREATE;
161 }
162
163 /* add token to audit record for this name */
164 au_uwrite(au_to_path(tad->tad_aupath));
165
166 /* add the attributes of the object */
167 if (vp) {
168 /*
169 * only capture attributes when there is no error
170 * lookup will not return the vnode of the failing
171 * component.
172 *
173 * if there was a lookup error, then don't add
174 * attribute. if lookup in vn_create(),
175 * then don't add attribute,
176 * it will be added at end of vn_create().
177 */
178 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179 audit_attributes(vp);
180 }
181 }
182
183 /* free up space if we're not going to save path (open, creat) */
184 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185 if (tad->tad_aupath != NULL) {
186 au_pathrele(tad->tad_aupath);
187 tad->tad_aupath = NULL;
188 }
189 }
190 if (tad->tad_ctrl & TAD_MLD)
191 tad->tad_ctrl |= TAD_PATHFND;
192
193 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
194 return (0);
195 }
196
197 static void
audit_pathbuild(struct pathname * pnp)198 audit_pathbuild(struct pathname *pnp)
199 {
200 char *pp; /* pointer to path */
201 int len; /* length of incoming segment */
202 int newsect; /* path requires a new section */
203 struct audit_path *pfxapp; /* prefix for path */
204 struct audit_path *newapp; /* new audit_path */
205 t_audit_data_t *tad; /* current thread */
206 p_audit_data_t *pad; /* current process */
207
208 tad = U2A(u);
209 ASSERT(tad != NULL);
210 pad = P2A(curproc);
211 ASSERT(pad != NULL);
212
213 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
214 ASSERT(len > 0);
215
216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 mutex_enter(&pad->pad_lock);
218 if (tad->tad_aupath != NULL) {
219 pfxapp = tad->tad_aupath;
220 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221 ASSERT(tad->tad_atpath != NULL);
222 pfxapp = tad->tad_atpath;
223 } else if (tad->tad_ctrl & TAD_ABSPATH) {
224 pfxapp = pad->pad_root;
225 } else {
226 pfxapp = pad->pad_cwd;
227 }
228 au_pathhold(pfxapp);
229 mutex_exit(&pad->pad_lock);
230
231 /* get an expanded buffer to hold the anchored path */
232 newsect = tad->tad_ctrl & TAD_ATTPATH;
233 newapp = au_pathdup(pfxapp, newsect, len);
234 au_pathrele(pfxapp);
235
236 pp = newapp->audp_sect[newapp->audp_cnt] - len;
237 if (!newsect) {
238 /* overlay previous NUL terminator */
239 *(pp - 1) = '/';
240 }
241
242 /* now add string of processed path */
243 bcopy(pnp->pn_buf, pp, len);
244 pp[len - 1] = '\0';
245
246 /* perform path simplification as necessary */
247 audit_fixpath(newapp, len);
248
249 if (tad->tad_aupath)
250 au_pathrele(tad->tad_aupath);
251 tad->tad_aupath = newapp;
252
253 /* for case where multiple lookups in one syscall (rename) */
254 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255 }
256
257
258 /*
259 * ROUTINE: AUDIT_ANCHORPATH
260 * PURPOSE:
261 * CALLBY: LOOKUPPN
262 * NOTE:
263 * anchor path at "/". We have seen a symbolic link or entering for the
264 * first time we will throw away any saved path if path is anchored.
265 *
266 * flag = 0, path is relative.
267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268 *
269 * If the (new) path is absolute, then we have to throw away whatever we have
270 * already accumulated since it is being superseded by new path which is
271 * anchored at the root.
272 * Note that if the path is relative, this function does nothing
273 * TODO:
274 * QUESTION:
275 */
276 /*ARGSUSED*/
277 void
audit_anchorpath(struct pathname * pnp,int flag)278 audit_anchorpath(struct pathname *pnp, int flag)
279 {
280 au_kcontext_t *kctx = GET_KCTX_PZ;
281 t_audit_data_t *tad;
282
283 tad = U2A(u);
284
285 /*
286 * this event being audited or do we need path information
287 * later? This might be for a chdir/chroot or open (add path
288 * to file pointer. If the path has already been found for an
289 * open/creat then we don't need to process the path.
290 *
291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 * chroot, chdir, open, creat system call processing. It determines
293 * if audit_savepath() will discard the path or we need it later.
294 * TAD_PATHFND means path already included in this audit record. It
295 * is used in cases where multiple path lookups are done per
296 * system call. The policy flag, AUDIT_PATH, controls if multiple
297 * paths are allowed.
298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 * exit processing to inhibit any paths that may be added due to
300 * closes.
301 */
302 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303 ((tad->tad_ctrl & TAD_PATHFND) &&
304 !(kctx->auk_policy & AUDIT_PATH)) ||
305 (tad->tad_ctrl & TAD_NOPATH)) {
306 return;
307 }
308
309 if (flag) {
310 tad->tad_ctrl |= TAD_ABSPATH;
311 if (tad->tad_aupath != NULL) {
312 au_pathrele(tad->tad_aupath);
313 tad->tad_aupath = NULL;
314 }
315 }
316 }
317
318
319 /*
320 * symbolic link. Save previous components.
321 *
322 * the path seen so far looks like this
323 *
324 * +-----------------------+----------------+
325 * | path processed so far | remaining path |
326 * +-----------------------+----------------+
327 * \-----------------------/
328 * save this string if
329 * symbolic link relative
330 * (but don't include symlink component)
331 */
332
333 /*ARGSUSED*/
334
335
336 /*
337 * ROUTINE: AUDIT_SYMLINK
338 * PURPOSE:
339 * CALLBY: LOOKUPPN
340 * NOTE:
341 * TODO:
342 * QUESTION:
343 */
344 void
audit_symlink(struct pathname * pnp,struct pathname * sympath)345 audit_symlink(struct pathname *pnp, struct pathname *sympath)
346 {
347 char *sp; /* saved initial pp */
348 char *cp; /* start of symlink path */
349 uint_t len_path; /* processed path before symlink */
350 t_audit_data_t *tad;
351 au_kcontext_t *kctx = GET_KCTX_PZ;
352
353 tad = U2A(u);
354
355 /*
356 * this event being audited or do we need path information
357 * later? This might be for a chdir/chroot or open (add path
358 * to file pointer. If the path has already been found for an
359 * open/creat then we don't need to process the path.
360 *
361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 * chroot, chdir, open, creat system call processing. It determines
363 * if audit_savepath() will discard the path or we need it later.
364 * TAD_PATHFND means path already included in this audit record. It
365 * is used in cases where multiple path lookups are done per
366 * system call. The policy flag, AUDIT_PATH, controls if multiple
367 * paths are allowed.
368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 * exit processing to inhibit any paths that may be added due to
370 * closes.
371 */
372 if ((tad->tad_flag == 0 &&
373 !(tad->tad_ctrl & TAD_SAVPATH)) ||
374 ((tad->tad_ctrl & TAD_PATHFND) &&
375 !(kctx->auk_policy & AUDIT_PATH)) ||
376 (tad->tad_ctrl & TAD_NOPATH)) {
377 return;
378 }
379
380 /*
381 * if symbolic link is anchored at / then do nothing.
382 * When we cycle back to begin: in lookuppn() we will
383 * call audit_anchorpath() with a flag indicating if the
384 * path is anchored at / or is relative. We will release
385 * any saved path at that point.
386 *
387 * Note In the event that an error occurs in pn_combine then
388 * we want to remain pointing at the component that caused the
389 * path to overflow the pnp structure.
390 */
391 if (sympath->pn_buf[0] == '/')
392 return;
393
394 /* backup over last component */
395 sp = cp = pnp->pn_path;
396 while (*--cp != '/' && cp > pnp->pn_buf)
397 ;
398
399 len_path = cp - pnp->pn_buf;
400
401 /* is there anything to save? */
402 if (len_path) {
403 pnp->pn_path = pnp->pn_buf;
404 audit_pathbuild(pnp);
405 pnp->pn_path = sp;
406 }
407 }
408
409 /*
410 * object_is_public : determine whether events for the object (corresponding to
411 * the specified file/directory attr) should be audited or
412 * ignored.
413 *
414 * returns: 1 - if audit policy and object attributes indicate that
415 * file/directory is effectively public. read events for
416 * the file should not be audited.
417 * 0 - otherwise
418 *
419 * The required attributes to be considered a public object are:
420 * - owned by root, AND
421 * - world-readable (permissions for other include read), AND
422 * - NOT world-writeable (permissions for other don't
423 * include write)
424 * (mode doesn't need to be checked for symlinks)
425 */
426 int
object_is_public(struct vattr * attr)427 object_is_public(struct vattr *attr)
428 {
429 au_kcontext_t *kctx = GET_KCTX_PZ;
430
431 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432 ((attr->va_type == VLNK) ||
433 ((attr->va_mode & (VREAD>>6)) != 0) &&
434 ((attr->va_mode & (VWRITE>>6)) == 0))) {
435 return (1);
436 }
437 return (0);
438 }
439
440
441 /*
442 * ROUTINE: AUDIT_ATTRIBUTES
443 * PURPOSE: Audit the attributes so we can tell why the error occurred
444 * CALLBY: AUDIT_SAVEPATH
445 * AUDIT_VNCREATE_FINISH
446 * AUS_FCHOWN...audit_event.c...audit_path.c
447 * NOTE:
448 * TODO:
449 * QUESTION:
450 */
451 void
audit_attributes(struct vnode * vp)452 audit_attributes(struct vnode *vp)
453 {
454 struct vattr attr;
455 struct t_audit_data *tad;
456
457 tad = U2A(u);
458
459 if (vp) {
460 attr.va_mask = AT_ALL;
461 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462 return;
463
464 if (object_is_public(&attr) &&
465 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466 /*
467 * This is a public object and a "public" event
468 * (i.e., read only) -- either by definition
469 * (e.g., stat, access...) or by virtue of write access
470 * not being requested (e.g. mmap).
471 * Flag it in the tad to prevent this audit at the end.
472 */
473 tad->tad_ctrl |= TAD_NOAUDIT;
474 } else {
475 au_uwrite(au_to_attr(&attr));
476 audit_sec_attributes(&(u_ad), vp);
477 }
478 }
479 }
480
481
482 /*
483 * ROUTINE: AUDIT_EXIT
484 * PURPOSE:
485 * CALLBY: EXIT
486 * NOTE:
487 * TODO:
488 * QUESTION: why cmw code as offset by 2 but not here
489 */
490 /* ARGSUSED */
491 void
audit_exit(int code,int what)492 audit_exit(int code, int what)
493 {
494 struct t_audit_data *tad;
495 tad = U2A(u);
496
497 /*
498 * tad_scid will be set by audit_start even if we are not auditing
499 * the event.
500 */
501 if (tad->tad_scid == SYS_exit) {
502 /*
503 * if we are auditing the exit system call, then complete
504 * audit record generation (no return from system call).
505 */
506 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507 audit_finish(0, SYS_exit, 0, 0);
508 return;
509 }
510
511 /*
512 * Anyone auditing the system call that was aborted?
513 */
514 if (tad->tad_flag) {
515 au_uwrite(au_to_text("event aborted"));
516 audit_finish(0, tad->tad_scid, 0, 0);
517 }
518
519 /*
520 * Generate an audit record for process exit if preselected.
521 */
522 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523 audit_finish(0, SYS_exit, 0, 0);
524 }
525
526 /*
527 * ROUTINE: AUDIT_CORE_START
528 * PURPOSE:
529 * CALLBY: PSIG
530 * NOTE:
531 * TODO:
532 */
533 void
audit_core_start(int sig)534 audit_core_start(int sig)
535 {
536 au_event_t event;
537 au_state_t estate;
538 t_audit_data_t *tad;
539 au_kcontext_t *kctx;
540
541 tad = U2A(u);
542
543 ASSERT(tad != (t_audit_data_t *)0);
544
545 ASSERT(tad->tad_scid == 0);
546 ASSERT(tad->tad_event == 0);
547 ASSERT(tad->tad_evmod == 0);
548 ASSERT(tad->tad_ctrl == 0);
549 ASSERT(tad->tad_flag == 0);
550 ASSERT(tad->tad_aupath == NULL);
551
552 kctx = GET_KCTX_PZ;
553
554 /* get basic event for system call */
555 event = AUE_CORE;
556 estate = kctx->auk_ets[event];
557
558 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559 return;
560
561 /* reset the flags for non-user attributable events */
562 tad->tad_ctrl = TAD_CORE;
563 tad->tad_scid = 0;
564
565 /* if auditing not enabled, then don't generate an audit record */
566
567 if (!((kctx->auk_auditstate == AUC_AUDITING ||
568 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569 kctx->auk_auditstate == AUC_NOSPACE)) {
570 tad->tad_flag = 0;
571 tad->tad_ctrl = 0;
572 return;
573 }
574
575 tad->tad_event = event;
576 tad->tad_evmod = 0;
577
578 ASSERT(tad->tad_ad == NULL);
579
580 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581 }
582
583 /*
584 * ROUTINE: AUDIT_CORE_FINISH
585 * PURPOSE:
586 * CALLBY: PSIG
587 * NOTE:
588 * TODO:
589 * QUESTION:
590 */
591
592 /*ARGSUSED*/
593 void
audit_core_finish(int code)594 audit_core_finish(int code)
595 {
596 int flag;
597 t_audit_data_t *tad;
598 au_kcontext_t *kctx;
599
600 tad = U2A(u);
601
602 ASSERT(tad != (t_audit_data_t *)0);
603
604 if ((flag = tad->tad_flag) == 0) {
605 tad->tad_event = 0;
606 tad->tad_evmod = 0;
607 tad->tad_ctrl = 0;
608 ASSERT(tad->tad_aupath == NULL);
609 return;
610 }
611 tad->tad_flag = 0;
612
613 kctx = GET_KCTX_PZ;
614
615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 if (flag = audit_success(kctx, tad, 0, NULL)) {
617 cred_t *cr = CRED();
618 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619
620 ASSERT(ainfo != NULL);
621
622 /*
623 * Add subject information (no locks since our private copy of
624 * credential
625 */
626 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627
628 /* Add a return token (should use f argument) */
629 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630
631 AS_INC(as_generated, 1, kctx);
632 AS_INC(as_kernel, 1, kctx);
633 }
634
635 /* Close up everything */
636 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637
638 /* free up any space remaining with the path's */
639 if (tad->tad_aupath != NULL) {
640 au_pathrele(tad->tad_aupath);
641 tad->tad_aupath = NULL;
642 }
643 tad->tad_event = 0;
644 tad->tad_evmod = 0;
645 tad->tad_ctrl = 0;
646 }
647
648
649 /*ARGSUSED*/
650 void
audit_strgetmsg(struct vnode * vp,struct strbuf * mctl,struct strbuf * mdata,unsigned char * pri,int * flag,int fmode)651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652 unsigned char *pri, int *flag, int fmode)
653 {
654 struct stdata *stp;
655 t_audit_data_t *tad = U2A(u);
656
657 ASSERT(tad != (t_audit_data_t *)0);
658
659 stp = vp->v_stream;
660
661 /* lock stdata from audit_sock */
662 mutex_enter(&stp->sd_lock);
663
664 /* proceed ONLY if user is being audited */
665 if (!tad->tad_flag) {
666 /*
667 * this is so we will not add audit data onto
668 * a thread that is not being audited.
669 */
670 stp->sd_t_audit_data = NULL;
671 mutex_exit(&stp->sd_lock);
672 return;
673 }
674
675 stp->sd_t_audit_data = (caddr_t)curthread;
676 mutex_exit(&stp->sd_lock);
677 }
678
679 /*ARGSUSED*/
680 void
audit_strputmsg(struct vnode * vp,struct strbuf * mctl,struct strbuf * mdata,unsigned char pri,int flag,int fmode)681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682 unsigned char pri, int flag, int fmode)
683 {
684 struct stdata *stp;
685 t_audit_data_t *tad = U2A(u);
686
687 ASSERT(tad != (t_audit_data_t *)0);
688
689 stp = vp->v_stream;
690
691 /* lock stdata from audit_sock */
692 mutex_enter(&stp->sd_lock);
693
694 /* proceed ONLY if user is being audited */
695 if (!tad->tad_flag) {
696 /*
697 * this is so we will not add audit data onto
698 * a thread that is not being audited.
699 */
700 stp->sd_t_audit_data = NULL;
701 mutex_exit(&stp->sd_lock);
702 return;
703 }
704
705 stp->sd_t_audit_data = (caddr_t)curthread;
706 mutex_exit(&stp->sd_lock);
707 }
708
709 /*
710 * ROUTINE: AUDIT_CLOSEF
711 * PURPOSE:
712 * CALLBY: CLOSEF
713 * NOTE:
714 * release per file audit resources when file structure is being released.
715 *
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 * on the audit queue if it becomes full. This means
718 * audit_closef can not be called when f_count == 0. Since
719 * f_count == 0 indicates the file structure is free, another
720 * process could attempt to use the file while we were still
721 * asleep waiting on the audit queue. This would cause the
722 * per file audit data to be corrupted when we finally do
723 * wakeup.
724 * TODO:
725 * QUESTION:
726 */
727
728 void
audit_closef(struct file * fp)729 audit_closef(struct file *fp)
730 { /* AUDIT_CLOSEF */
731 f_audit_data_t *fad;
732 t_audit_data_t *tad;
733 int success;
734 au_state_t estate;
735 struct vnode *vp;
736 token_t *ad = NULL;
737 struct vattr attr;
738 au_emod_t evmod = 0;
739 const auditinfo_addr_t *ainfo;
740 cred_t *cr;
741 au_kcontext_t *kctx = GET_KCTX_PZ;
742 uint32_t auditing;
743 boolean_t audit_attr = B_FALSE;
744
745 fad = F2A(fp);
746 estate = kctx->auk_ets[AUE_CLOSE];
747 tad = U2A(u);
748 cr = CRED();
749
750 /* audit record already generated by system call envelope */
751 if (tad->tad_event == AUE_CLOSE) {
752 /* so close audit event will have bits set */
753 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754 return;
755 }
756
757 /* if auditing not enabled, then don't generate an audit record */
758 auditing = (tad->tad_audit == AUC_UNSET) ?
759 kctx->auk_auditstate : tad->tad_audit;
760 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761 return;
762
763 ainfo = crgetauinfo(cr);
764 if (ainfo == NULL)
765 return;
766
767 success = ainfo->ai_mask.as_success & estate;
768
769 /* not selected for this event */
770 if (success == 0)
771 return;
772
773 /*
774 * can't use audit_attributes here since we use a private audit area
775 * to build the audit record instead of the one off the thread.
776 */
777 if ((vp = fp->f_vnode) != NULL) {
778 attr.va_mask = AT_ALL;
779 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780 if ((fp->f_flag & FWRITE) == 0 &&
781 object_is_public(&attr)) {
782 /*
783 * When write was not used and the file can be
784 * considered public, then skip the audit.
785 */
786 return;
787 }
788 audit_attr = B_TRUE;
789 }
790 }
791
792 evmod = (au_emod_t)fad->fad_flags;
793 if (fad->fad_aupath != NULL) {
794 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795 } else {
796 #ifdef _LP64
797 au_write((caddr_t *)&(ad), au_to_arg64(
798 1, "no path: fp", (uint64_t)fp));
799 #else
800 au_write((caddr_t *)&(ad), au_to_arg32(
801 1, "no path: fp", (uint32_t)fp));
802 #endif
803 }
804
805 if (audit_attr) {
806 au_write((caddr_t *)&(ad), au_to_attr(&attr));
807 audit_sec_attributes((caddr_t *)&(ad), vp);
808 }
809
810 /* Add subject information */
811 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812
813 /* add a return token */
814 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815
816 AS_INC(as_generated, 1, kctx);
817 AS_INC(as_kernel, 1, kctx);
818
819 /*
820 * Close up everything
821 * Note: path space recovery handled by normal system
822 * call envelope if not at last close.
823 * Note there is no failure at this point since
824 * this represents closes due to exit of process,
825 * thus we always indicate successful closes.
826 */
827 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828 AUE_CLOSE, evmod, NULL);
829 }
830
831 /*
832 * ROUTINE: AUDIT_SET
833 * PURPOSE: Audit the file path and file attributes.
834 * CALLBY: SETF
835 * NOTE: SETF associate a file pointer with user area's open files.
836 * TODO:
837 * call audit_finish directly ???
838 * QUESTION:
839 */
840
841 /*ARGSUSED*/
842 void
audit_setf(file_t * fp,int fd)843 audit_setf(file_t *fp, int fd)
844 {
845 f_audit_data_t *fad;
846 t_audit_data_t *tad;
847
848 if (fp == NULL)
849 return;
850
851 tad = T2A(curthread);
852 fad = F2A(fp);
853
854 if (!(tad->tad_scid == SYS_open ||
855 tad->tad_scid == SYS_open64 ||
856 tad->tad_scid == SYS_openat ||
857 tad->tad_scid == SYS_openat64))
858 return;
859
860 /* no path */
861 if (tad->tad_aupath == 0)
862 return;
863
864 /*
865 * assign path information associated with file audit data
866 * use tad hold
867 */
868 fad->fad_aupath = tad->tad_aupath;
869 tad->tad_aupath = NULL;
870
871 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872 /* adjust event type by dropping the 'creat' part */
873 switch (tad->tad_event) {
874 case AUE_OPEN_RC:
875 tad->tad_event = AUE_OPEN_R;
876 tad->tad_ctrl |= TAD_PUBLIC_EV;
877 break;
878 case AUE_OPEN_RTC:
879 tad->tad_event = AUE_OPEN_RT;
880 break;
881 case AUE_OPEN_WC:
882 tad->tad_event = AUE_OPEN_W;
883 break;
884 case AUE_OPEN_WTC:
885 tad->tad_event = AUE_OPEN_WT;
886 break;
887 case AUE_OPEN_RWC:
888 tad->tad_event = AUE_OPEN_RW;
889 break;
890 case AUE_OPEN_RWTC:
891 tad->tad_event = AUE_OPEN_RWT;
892 break;
893 default:
894 break;
895 }
896 }
897 }
898
899
900 void
audit_ipc(int type,int id,void * vp)901 audit_ipc(int type, int id, void *vp)
902 {
903 /* if not auditing this event, then do nothing */
904 if (ad_flag == 0)
905 return;
906
907 switch (type) {
908 case AT_IPC_MSG:
909 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911 break;
912 case AT_IPC_SEM:
913 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915 break;
916 case AT_IPC_SHM:
917 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919 break;
920 }
921 }
922
923 void
audit_ipcget(int type,void * vp)924 audit_ipcget(int type, void *vp)
925 {
926 /* if not auditing this event, then do nothing */
927 if (ad_flag == 0)
928 return;
929
930 switch (type) {
931 case NULL:
932 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933 break;
934 case AT_IPC_MSG:
935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936 break;
937 case AT_IPC_SEM:
938 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939 break;
940 case AT_IPC_SHM:
941 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942 break;
943 }
944 }
945
946 /*
947 * ROUTINE: AUDIT_REBOOT
948 * PURPOSE:
949 * CALLBY:
950 * NOTE:
951 * At this point we know that the system call reboot will not return. We thus
952 * have to complete the audit record generation and put it onto the queue.
953 * This might be fairly useless if the auditing daemon is already dead....
954 * TODO:
955 * QUESTION: who calls audit_reboot
956 */
957
958 void
audit_reboot(void)959 audit_reboot(void)
960 {
961 int flag;
962 t_audit_data_t *tad;
963 au_kcontext_t *kctx = GET_KCTX_PZ;
964
965 tad = U2A(u);
966
967 /* if not auditing this event, then do nothing */
968 if (tad->tad_flag == 0)
969 return;
970
971 /* do preselection on success/failure */
972 if (flag = audit_success(kctx, tad, 0, NULL)) {
973 /* add a process token */
974
975 cred_t *cr = CRED();
976 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977
978 if (ainfo == NULL)
979 return;
980
981 /* Add subject information */
982 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983
984 /* add a return token */
985 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986
987 AS_INC(as_generated, 1, kctx);
988 AS_INC(as_kernel, 1, kctx);
989 }
990
991 /*
992 * Flow control useless here since we're going
993 * to drop everything in the queue anyway. Why
994 * block and wait. There aint anyone left alive to
995 * read the records remaining anyway.
996 */
997
998 /* Close up everything */
999 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000 tad->tad_event, tad->tad_evmod, NULL);
1001 }
1002
1003 void
audit_setfsat_path(int argnum)1004 audit_setfsat_path(int argnum)
1005 {
1006 klwp_id_t clwp = ttolwp(curthread);
1007 struct file *fp;
1008 uint32_t fd;
1009 t_audit_data_t *tad;
1010 struct f_audit_data *fad;
1011 p_audit_data_t *pad; /* current process */
1012 uint_t fm;
1013 struct a {
1014 long arg1;
1015 long arg2;
1016 long arg3;
1017 long arg4;
1018 long arg5;
1019 } *uap;
1020
1021 if (clwp == NULL)
1022 return;
1023 uap = (struct a *)clwp->lwp_ap;
1024
1025 tad = U2A(u);
1026 ASSERT(tad != NULL);
1027
1028 switch (tad->tad_scid) {
1029 case SYS_faccessat:
1030 case SYS_fchmodat:
1031 case SYS_fchownat:
1032 case SYS_fstatat:
1033 case SYS_fstatat64:
1034 case SYS_mkdirat:
1035 case SYS_mknodat:
1036 case SYS_openat:
1037 case SYS_openat64:
1038 case SYS_readlinkat:
1039 case SYS_unlinkat:
1040 fd = uap->arg1;
1041 break;
1042 case SYS_linkat:
1043 case SYS_renameat:
1044 if (argnum == 3)
1045 fd = uap->arg3;
1046 else
1047 fd = uap->arg1;
1048 break;
1049 case SYS_symlinkat:
1050 case SYS_utimesys:
1051 fd = uap->arg2;
1052 break;
1053 case SYS_open:
1054 case SYS_open64:
1055 fd = AT_FDCWD;
1056 break;
1057 default:
1058 return;
1059 }
1060
1061 if (tad->tad_atpath != NULL) {
1062 au_pathrele(tad->tad_atpath);
1063 tad->tad_atpath = NULL;
1064 }
1065
1066 if (fd != AT_FDCWD) {
1067 tad->tad_ctrl |= TAD_ATCALL;
1068
1069 if (tad->tad_scid == SYS_openat ||
1070 tad->tad_scid == SYS_openat64) {
1071 fm = (uint_t)uap->arg3;
1072 if (fm & (FXATTR | FXATTRDIROPEN)) {
1073 tad->tad_ctrl |= TAD_ATTPATH;
1074 }
1075 }
1076
1077 if ((fp = getf(fd)) == NULL) {
1078 tad->tad_ctrl |= TAD_NOPATH;
1079 return;
1080 }
1081 fad = F2A(fp);
1082 ASSERT(fad);
1083 if (fad->fad_aupath == NULL) {
1084 tad->tad_ctrl |= TAD_NOPATH;
1085 releasef(fd);
1086 return;
1087 }
1088 au_pathhold(fad->fad_aupath);
1089 tad->tad_atpath = fad->fad_aupath;
1090 releasef(fd);
1091 } else {
1092 if (tad->tad_scid == SYS_open ||
1093 tad->tad_scid == SYS_open64) {
1094 fm = (uint_t)uap->arg2;
1095 if (fm & FXATTR) {
1096 tad->tad_ctrl |= TAD_ATTPATH;
1097 }
1098 return;
1099 }
1100 pad = P2A(curproc);
1101 mutex_enter(&pad->pad_lock);
1102 au_pathhold(pad->pad_cwd);
1103 tad->tad_atpath = pad->pad_cwd;
1104 mutex_exit(&pad->pad_lock);
1105 }
1106 }
1107
1108 void
audit_symlink_create(vnode_t * dvp,char * sname,char * target,int error)1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 {
1111 t_audit_data_t *tad;
1112 vnode_t *vp;
1113
1114 tad = U2A(u);
1115
1116 /* if not auditing this event, then do nothing */
1117 if (tad->tad_flag == 0)
1118 return;
1119
1120 au_uwrite(au_to_text(target));
1121
1122 if (error)
1123 return;
1124
1125 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126 NULL, NULL, NULL);
1127 if (error == 0) {
1128 audit_attributes(vp);
1129 VN_RELE(vp);
1130 }
1131 }
1132
1133 /*
1134 * ROUTINE: AUDIT_VNCREATE_START
1135 * PURPOSE: set flag so path name lookup in create will not add attribute
1136 * CALLBY: VN_CREATE
1137 * NOTE:
1138 * TODO:
1139 * QUESTION:
1140 */
1141
1142 void
audit_vncreate_start()1143 audit_vncreate_start()
1144 {
1145 t_audit_data_t *tad;
1146
1147 tad = U2A(u);
1148 tad->tad_ctrl |= TAD_NOATTRB;
1149 }
1150
1151 /*
1152 * ROUTINE: AUDIT_VNCREATE_FINISH
1153 * PURPOSE:
1154 * CALLBY: VN_CREATE
1155 * NOTE:
1156 * TODO:
1157 * QUESTION:
1158 */
1159 void
audit_vncreate_finish(struct vnode * vp,int error)1160 audit_vncreate_finish(struct vnode *vp, int error)
1161 {
1162 t_audit_data_t *tad;
1163
1164 if (error)
1165 return;
1166
1167 tad = U2A(u);
1168
1169 /* if not auditing this event, then do nothing */
1170 if (tad->tad_flag == 0)
1171 return;
1172
1173 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174 audit_attributes(vp);
1175 }
1176
1177 if (tad->tad_ctrl & TAD_CORE) {
1178 audit_attributes(vp);
1179 tad->tad_ctrl &= ~TAD_CORE;
1180 }
1181
1182 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183 (tad->tad_event == AUE_MKDIR))) {
1184 audit_attributes(vp);
1185 }
1186
1187 /* for case where multiple lookups in one syscall (rename) */
1188 tad->tad_ctrl &= ~TAD_NOATTRB;
1189 }
1190
1191
1192
1193
1194
1195
1196
1197
1198 /*
1199 * ROUTINE: AUDIT_EXEC
1200 * PURPOSE: Records the function arguments and environment variables
1201 * CALLBY: EXEC_ARGS
1202 * NOTE:
1203 * TODO:
1204 * QUESTION:
1205 */
1206
1207 void
audit_exec(const char * argstr,const char * envstr,ssize_t argc,ssize_t envc,cred_t * pfcred)1208 audit_exec(
1209 const char *argstr, /* argument strings */
1210 const char *envstr, /* environment strings */
1211 ssize_t argc, /* total # arguments */
1212 ssize_t envc, /* total # environment variables */
1213 cred_t *pfcred) /* the additional privileges in a profile */
1214 {
1215 t_audit_data_t *tad;
1216 au_kcontext_t *kctx = GET_KCTX_PZ;
1217
1218 tad = U2A(u);
1219
1220 /* if not auditing this event, then do nothing */
1221 if (!tad->tad_flag)
1222 return;
1223
1224 if (pfcred != NULL) {
1225 p_audit_data_t *pad;
1226 cred_t *cr = CRED();
1227 priv_set_t pset = CR_IPRIV(cr);
1228
1229 pad = P2A(curproc);
1230
1231 /* It's a different event. */
1232 tad->tad_event = AUE_PFEXEC;
1233
1234 /* Add the current working directory to the audit trail. */
1235 if (pad->pad_cwd != NULL)
1236 au_uwrite(au_to_path(pad->pad_cwd));
1237
1238 /*
1239 * The new credential is not yet in place when audit_exec
1240 * is called.
1241 * Compute the additional bits available in the new credential
1242 * and the limit set.
1243 */
1244 priv_inverse(&pset);
1245 priv_intersect(&CR_IPRIV(pfcred), &pset);
1246 if (!priv_isemptyset(&pset) ||
1247 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248 au_uwrite(au_to_privset(
1249 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250 0));
1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253 }
1254 /*
1255 * Compare the uids & gids: create a process token if changed.
1256 */
1257 if (crgetuid(cr) != crgetuid(pfcred) ||
1258 crgetruid(cr) != crgetruid(pfcred) ||
1259 crgetgid(cr) != crgetgid(pfcred) ||
1260 crgetrgid(cr) != crgetrgid(pfcred)) {
1261 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262 }
1263 }
1264
1265 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266 au_uwrite(au_to_exec_args(argstr, argc));
1267
1268 if (kctx->auk_policy & AUDIT_ARGE)
1269 au_uwrite(au_to_exec_env(envstr, envc));
1270 }
1271
1272 /*
1273 * ROUTINE: AUDIT_ENTERPROM
1274 * PURPOSE:
1275 * CALLBY: KBDINPUT
1276 * ZSA_XSINT
1277 * NOTE:
1278 * TODO:
1279 * QUESTION:
1280 */
1281 void
audit_enterprom(int flg)1282 audit_enterprom(int flg)
1283 {
1284 token_t *rp = NULL;
1285 int sorf;
1286
1287 if (flg)
1288 sorf = AUM_SUCC;
1289 else
1290 sorf = AUM_FAIL;
1291
1292 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293
1294 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295
1296 if (flg)
1297 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298 else
1299 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300
1301 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 }
1303
1304
1305 /*
1306 * ROUTINE: AUDIT_EXITPROM
1307 * PURPOSE:
1308 * CALLBY: KBDINPUT
1309 * ZSA_XSINT
1310 * NOTE:
1311 * TODO:
1312 * QUESTION:
1313 */
1314 void
audit_exitprom(int flg)1315 audit_exitprom(int flg)
1316 {
1317 int sorf;
1318 token_t *rp = NULL;
1319
1320 if (flg)
1321 sorf = AUM_SUCC;
1322 else
1323 sorf = AUM_FAIL;
1324
1325 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326
1327 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328
1329 if (flg)
1330 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331 else
1332 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333
1334 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 }
1336
1337 struct fcntla {
1338 int fdes;
1339 int cmd;
1340 intptr_t arg;
1341 };
1342
1343
1344 /*
1345 * ROUTINE: AUDIT_CHDIREC
1346 * PURPOSE:
1347 * CALLBY: CHDIREC
1348 * NOTE: The main function of CHDIREC
1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350 * QUESTION:
1351 */
1352
1353 /*ARGSUSED*/
1354 void
audit_chdirec(vnode_t * vp,vnode_t ** vpp)1355 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 {
1357 int chdir;
1358 int fchdir;
1359 struct audit_path **appp;
1360 struct file *fp;
1361 f_audit_data_t *fad;
1362 p_audit_data_t *pad = P2A(curproc);
1363 t_audit_data_t *tad = T2A(curthread);
1364
1365 struct a {
1366 long fd;
1367 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368
1369 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370 chdir = tad->tad_scid == SYS_chdir;
1371 if (tad->tad_aupath) {
1372 mutex_enter(&pad->pad_lock);
1373 if (chdir)
1374 appp = &(pad->pad_cwd);
1375 else
1376 appp = &(pad->pad_root);
1377 au_pathrele(*appp);
1378 /* use tad hold */
1379 *appp = tad->tad_aupath;
1380 tad->tad_aupath = NULL;
1381 mutex_exit(&pad->pad_lock);
1382 }
1383 } else if ((tad->tad_scid == SYS_fchdir) ||
1384 (tad->tad_scid == SYS_fchroot)) {
1385 fchdir = tad->tad_scid == SYS_fchdir;
1386 if ((fp = getf(uap->fd)) == NULL)
1387 return;
1388 fad = F2A(fp);
1389 if (fad->fad_aupath) {
1390 au_pathhold(fad->fad_aupath);
1391 mutex_enter(&pad->pad_lock);
1392 if (fchdir)
1393 appp = &(pad->pad_cwd);
1394 else
1395 appp = &(pad->pad_root);
1396 au_pathrele(*appp);
1397 *appp = fad->fad_aupath;
1398 mutex_exit(&pad->pad_lock);
1399 if (tad->tad_flag) {
1400 au_uwrite(au_to_path(fad->fad_aupath));
1401 audit_attributes(fp->f_vnode);
1402 }
1403 }
1404 releasef(uap->fd);
1405 }
1406 }
1407
1408
1409 /*
1410 * Audit hook for stream based socket and tli request.
1411 * Note that we do not have user context while executing
1412 * this code so we had to record them earlier during the
1413 * putmsg/getmsg to figure out which user we are dealing with.
1414 */
1415
1416 /*ARGSUSED*/
1417 void
audit_sock(int type,queue_t * q,mblk_t * mp,int from)1418 audit_sock(
1419 int type, /* type of tihdr.h header requests */
1420 queue_t *q, /* contains the process and thread audit data */
1421 mblk_t *mp, /* contains the tihdr.h header structures */
1422 int from) /* timod or sockmod request */
1423 {
1424 int32_t len;
1425 int32_t offset;
1426 struct sockaddr_in *sock_data;
1427 struct T_conn_req *conn_req;
1428 struct T_conn_ind *conn_ind;
1429 struct T_unitdata_req *unitdata_req;
1430 struct T_unitdata_ind *unitdata_ind;
1431 au_state_t estate;
1432 t_audit_data_t *tad;
1433 caddr_t saved_thread_ptr;
1434 au_mask_t amask;
1435 const auditinfo_addr_t *ainfo;
1436 au_kcontext_t *kctx;
1437
1438 if (q->q_stream == NULL)
1439 return;
1440 mutex_enter(&q->q_stream->sd_lock);
1441 /* are we being audited */
1442 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443 /* no pointer to thread, nothing to do */
1444 if (saved_thread_ptr == NULL) {
1445 mutex_exit(&q->q_stream->sd_lock);
1446 return;
1447 }
1448 /* only allow one addition of a record token */
1449 q->q_stream->sd_t_audit_data = NULL;
1450 /*
1451 * thread is not the one being audited, then nothing to do
1452 * This could be the stream thread handling the module
1453 * service routine. In this case, the context for the audit
1454 * record can no longer be assumed. Simplest to just drop
1455 * the operation.
1456 */
1457 if (curthread != (kthread_id_t)saved_thread_ptr) {
1458 mutex_exit(&q->q_stream->sd_lock);
1459 return;
1460 }
1461 if (curthread->t_sysnum >= SYS_so_socket &&
1462 curthread->t_sysnum <= SYS_sockconfig) {
1463 mutex_exit(&q->q_stream->sd_lock);
1464 return;
1465 }
1466 mutex_exit(&q->q_stream->sd_lock);
1467 /*
1468 * we know that the thread that did the put/getmsg is the
1469 * one running. Now we can get the TAD and see if we should
1470 * add an audit token.
1471 */
1472 tad = U2A(u);
1473
1474 kctx = GET_KCTX_PZ;
1475
1476 /* proceed ONLY if user is being audited */
1477 if (!tad->tad_flag)
1478 return;
1479
1480 ainfo = crgetauinfo(CRED());
1481 if (ainfo == NULL)
1482 return;
1483 amask = ainfo->ai_mask;
1484
1485 /*
1486 * Figure out the type of stream networking request here.
1487 * Note that getmsg and putmsg are always preselected
1488 * because during the beginning of the system call we have
1489 * not yet figure out which of the socket or tli request
1490 * we are looking at until we are here. So we need to check
1491 * against that specific request and reset the type of event.
1492 */
1493 switch (type) {
1494 case T_CONN_REQ: /* connection request */
1495 conn_req = (struct T_conn_req *)mp->b_rptr;
1496 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497 return;
1498 offset = conn_req->DEST_offset;
1499 len = conn_req->DEST_length;
1500 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501 if (amask.as_success & estate || amask.as_failure & estate) {
1502 tad->tad_event = AUE_SOCKCONNECT;
1503 break;
1504 } else {
1505 return;
1506 }
1507 case T_CONN_IND: /* connectionless receive request */
1508 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510 return;
1511 offset = conn_ind->SRC_offset;
1512 len = conn_ind->SRC_length;
1513 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514 if (amask.as_success & estate || amask.as_failure & estate) {
1515 tad->tad_event = AUE_SOCKACCEPT;
1516 break;
1517 } else {
1518 return;
1519 }
1520 case T_UNITDATA_REQ: /* connectionless send request */
1521 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523 return;
1524 offset = unitdata_req->DEST_offset;
1525 len = unitdata_req->DEST_length;
1526 estate = kctx->auk_ets[AUE_SOCKSEND];
1527 if (amask.as_success & estate || amask.as_failure & estate) {
1528 tad->tad_event = AUE_SOCKSEND;
1529 break;
1530 } else {
1531 return;
1532 }
1533 case T_UNITDATA_IND: /* connectionless receive request */
1534 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536 return;
1537 offset = unitdata_ind->SRC_offset;
1538 len = unitdata_ind->SRC_length;
1539 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540 if (amask.as_success & estate || amask.as_failure & estate) {
1541 tad->tad_event = AUE_SOCKRECEIVE;
1542 break;
1543 } else {
1544 return;
1545 }
1546 default:
1547 return;
1548 }
1549
1550 /*
1551 * we are only interested in tcp stream connections,
1552 * not unix domain stuff
1553 */
1554 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555 tad->tad_event = AUE_GETMSG;
1556 return;
1557 }
1558 /* skip over TPI header and point to the ip address */
1559 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560
1561 switch (sock_data->sin_family) {
1562 case AF_INET:
1563 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564 break;
1565 default: /* reset to AUE_PUTMSG if not a inet request */
1566 tad->tad_event = AUE_GETMSG;
1567 break;
1568 }
1569 }
1570
1571
1572 static void
add_return_token(caddr_t * ad,unsigned int scid,int err,int rval)1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 {
1575 unsigned int sy_flags;
1576
1577 #ifdef _SYSCALL32_IMPL
1578 /*
1579 * Guard against t_lwp being NULL when this function is called
1580 * from a kernel queue instead of from a direct system call.
1581 * In that case, assume the running kernel data model.
1582 */
1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 else
1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591
1592 if (sy_flags == SE_64RVAL)
1593 au_write(ad, au_to_return64(err, rval));
1594 else
1595 au_write(ad, au_to_return32(err, rval));
1596
1597 }
1598
1599 /*ARGSUSED*/
1600 void
audit_fdsend(fd,fp,error)1601 audit_fdsend(fd, fp, error)
1602 int fd;
1603 struct file *fp;
1604 int error; /* ignore for now */
1605 {
1606 t_audit_data_t *tad; /* current thread */
1607 f_audit_data_t *fad; /* per file audit structure */
1608 struct vnode *vp; /* for file attributes */
1609
1610 /* is this system call being audited */
1611 tad = U2A(u);
1612 ASSERT(tad != (t_audit_data_t *)0);
1613 if (!tad->tad_flag)
1614 return;
1615
1616 fad = F2A(fp);
1617
1618 /* add path and file attributes */
1619 if (fad != NULL && fad->fad_aupath != NULL) {
1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 au_uwrite(au_to_path(fad->fad_aupath));
1622 } else {
1623 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1624 #ifdef _LP64
1625 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1626 #else
1627 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1628 #endif
1629 }
1630 vp = fp->f_vnode; /* include vnode attributes */
1631 audit_attributes(vp);
1632 }
1633
1634 /*
1635 * Record privileges successfully used and we attempted to use but
1636 * didn't have.
1637 */
1638 void
audit_priv(int priv,const priv_set_t * set,int flag)1639 audit_priv(int priv, const priv_set_t *set, int flag)
1640 {
1641 t_audit_data_t *tad;
1642 int sbit;
1643 priv_set_t *target;
1644
1645 /* Make sure this isn't being called in an interrupt context */
1646 ASSERT(servicing_interrupt() == 0);
1647
1648 tad = U2A(u);
1649
1650 if (tad->tad_flag == 0)
1651 return;
1652
1653 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1654 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1655
1656 /* Tell audit_success() and audit_finish() that we saw this case */
1657 if (!(tad->tad_evmod & sbit)) {
1658 /* Clear set first time around */
1659 priv_emptyset(target);
1660 tad->tad_evmod |= sbit;
1661 }
1662
1663 /* Save the privileges in the tad */
1664 if (priv == PRIV_ALL) {
1665 priv_fillset(target);
1666 } else {
1667 ASSERT(set != NULL || priv != PRIV_NONE);
1668 if (set != NULL)
1669 priv_union(set, target);
1670 if (priv != PRIV_NONE)
1671 priv_addset(target, priv);
1672 }
1673 }
1674
1675 /*
1676 * Audit the setpriv() system call; the operation, the set name and
1677 * the current value as well as the set argument are put in the
1678 * audit trail.
1679 */
1680 void
audit_setppriv(int op,int set,const priv_set_t * newpriv,const cred_t * ocr)1681 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1682 {
1683 t_audit_data_t *tad;
1684 const priv_set_t *oldpriv;
1685 priv_set_t report;
1686 const char *setname;
1687
1688 tad = U2A(u);
1689
1690 if (tad->tad_flag == 0)
1691 return;
1692
1693 oldpriv = priv_getset(ocr, set);
1694
1695 /* Generate the actual record, include the before and after */
1696 au_uwrite(au_to_arg32(2, "op", op));
1697 setname = priv_getsetbynum(set);
1698
1699 switch (op) {
1700 case PRIV_OFF:
1701 /* Report privileges actually switched off */
1702 report = *oldpriv;
1703 priv_intersect(newpriv, &report);
1704 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1705 break;
1706 case PRIV_ON:
1707 /* Report privileges actually switched on */
1708 report = *oldpriv;
1709 priv_inverse(&report);
1710 priv_intersect(newpriv, &report);
1711 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1712 break;
1713 case PRIV_SET:
1714 /* Report before and after */
1715 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1716 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1717 break;
1718 }
1719 }
1720
1721 /*
1722 * Dump the full device policy setting in the audit trail.
1723 */
1724 void
audit_devpolicy(int nitems,const devplcysys_t * items)1725 audit_devpolicy(int nitems, const devplcysys_t *items)
1726 {
1727 t_audit_data_t *tad;
1728 int i;
1729
1730 tad = U2A(u);
1731
1732 if (tad->tad_flag == 0)
1733 return;
1734
1735 for (i = 0; i < nitems; i++) {
1736 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1737 if (items[i].dps_minornm[0] == '\0') {
1738 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1739 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1740 } else
1741 au_uwrite(au_to_text(items[i].dps_minornm));
1742
1743 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1744 AUT_PRIV, 0));
1745 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1746 AUT_PRIV, 0));
1747 }
1748 }
1749
1750 /*ARGSUSED*/
1751 void
audit_fdrecv(fd,fp)1752 audit_fdrecv(fd, fp)
1753 int fd;
1754 struct file *fp;
1755 {
1756 t_audit_data_t *tad; /* current thread */
1757 f_audit_data_t *fad; /* per file audit structure */
1758 struct vnode *vp; /* for file attributes */
1759
1760 /* is this system call being audited */
1761 tad = U2A(u);
1762 ASSERT(tad != (t_audit_data_t *)0);
1763 if (!tad->tad_flag)
1764 return;
1765
1766 fad = F2A(fp);
1767
1768 /* add path and file attributes */
1769 if (fad != NULL && fad->fad_aupath != NULL) {
1770 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1771 au_uwrite(au_to_path(fad->fad_aupath));
1772 } else {
1773 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1774 #ifdef _LP64
1775 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1776 #else
1777 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1778 #endif
1779 }
1780 vp = fp->f_vnode; /* include vnode attributes */
1781 audit_attributes(vp);
1782 }
1783
1784 /*
1785 * ROUTINE: AUDIT_CRYPTOADM
1786 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1787 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1788 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1789 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1790 * CRYPTO_LOAD_DOOR
1791 * NOTE:
1792 * TODO:
1793 * QUESTION:
1794 */
1795
1796 void
audit_cryptoadm(int cmd,char * module_name,crypto_mech_name_t * mech_names,uint_t mech_count,uint_t device_instance,uint32_t rv,int error)1797 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1798 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1799 {
1800 boolean_t mech_list_required = B_FALSE;
1801 cred_t *cr = CRED();
1802 t_audit_data_t *tad;
1803 token_t *ad = NULL;
1804 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1805 char buffer[MAXNAMELEN * 2];
1806 au_kcontext_t *kctx = GET_KCTX_PZ;
1807
1808 tad = U2A(u);
1809 if (tad == NULL)
1810 return;
1811
1812 if (ainfo == NULL)
1813 return;
1814
1815 tad->tad_event = AUE_CRYPTOADM;
1816
1817 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1818 return;
1819
1820 /* Add subject information */
1821 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1822
1823 switch (cmd) {
1824 case CRYPTO_LOAD_DEV_DISABLED:
1825 if (error == 0 && rv == CRYPTO_SUCCESS) {
1826 (void) snprintf(buffer, sizeof (buffer),
1827 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1828 " dev_instance=%d",
1829 module_name, device_instance);
1830 mech_list_required = B_TRUE;
1831 } else {
1832 (void) snprintf(buffer, sizeof (buffer),
1833 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1834 }
1835 break;
1836
1837 case CRYPTO_LOAD_SOFT_DISABLED:
1838 if (error == 0 && rv == CRYPTO_SUCCESS) {
1839 (void) snprintf(buffer, sizeof (buffer),
1840 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1841 module_name);
1842 mech_list_required = B_TRUE;
1843 } else {
1844 (void) snprintf(buffer, sizeof (buffer),
1845 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1846 }
1847 break;
1848
1849 case CRYPTO_UNLOAD_SOFT_MODULE:
1850 if (error == 0 && rv == CRYPTO_SUCCESS) {
1851 (void) snprintf(buffer, sizeof (buffer),
1852 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1853 module_name);
1854 } else {
1855 (void) snprintf(buffer, sizeof (buffer),
1856 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1857 }
1858 break;
1859
1860 case CRYPTO_LOAD_SOFT_CONFIG:
1861 if (error == 0 && rv == CRYPTO_SUCCESS) {
1862 (void) snprintf(buffer, sizeof (buffer),
1863 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1864 module_name);
1865 mech_list_required = B_TRUE;
1866 } else {
1867 (void) snprintf(buffer, sizeof (buffer),
1868 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1869 }
1870 break;
1871
1872 case CRYPTO_POOL_CREATE:
1873 (void) snprintf(buffer, sizeof (buffer),
1874 "op=CRYPTO_POOL_CREATE");
1875 break;
1876
1877 case CRYPTO_POOL_WAIT:
1878 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1879 break;
1880
1881 case CRYPTO_POOL_RUN:
1882 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1883 break;
1884
1885 case CRYPTO_LOAD_DOOR:
1886 if (error == 0 && rv == CRYPTO_SUCCESS)
1887 (void) snprintf(buffer, sizeof (buffer),
1888 "op=CRYPTO_LOAD_DOOR");
1889 else
1890 (void) snprintf(buffer, sizeof (buffer),
1891 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1892 break;
1893
1894 case CRYPTO_FIPS140_SET:
1895 (void) snprintf(buffer, sizeof (buffer),
1896 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1897 break;
1898
1899 default:
1900 return;
1901 }
1902
1903 au_write((caddr_t *)&ad, au_to_text(buffer));
1904
1905 if (mech_list_required) {
1906 int i;
1907
1908 if (mech_count == 0) {
1909 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1910 } else {
1911 char *pb = buffer;
1912 size_t l = sizeof (buffer);
1913 size_t n;
1914 char space[2] = ":";
1915
1916 n = snprintf(pb, l, "mech=");
1917
1918 for (i = 0; i < mech_count; i++) {
1919 pb += n;
1920 l = (n >= l) ? 0 : l - n;
1921
1922 if (i == mech_count - 1)
1923 (void) strcpy(space, "");
1924
1925 n = snprintf(pb, l, "%s%s", mech_names[i],
1926 space);
1927 }
1928 au_write((caddr_t *)&ad, au_to_text(buffer));
1929 }
1930 }
1931
1932 /* add a return token */
1933 if (error || (rv != CRYPTO_SUCCESS))
1934 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1935 else
1936 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1937
1938 AS_INC(as_generated, 1, kctx);
1939 AS_INC(as_kernel, 1, kctx);
1940
1941 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
1942 NULL);
1943 }
1944
1945 /*
1946 * Audit the kernel SSL administration command. The address and the
1947 * port number for the SSL instance, and the proxy port are put in the
1948 * audit trail.
1949 */
1950 void
audit_kssl(int cmd,void * params,int error)1951 audit_kssl(int cmd, void *params, int error)
1952 {
1953 cred_t *cr = CRED();
1954 t_audit_data_t *tad;
1955 token_t *ad = NULL;
1956 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1957 au_kcontext_t *kctx = GET_KCTX_PZ;
1958
1959 tad = U2A(u);
1960
1961 if (ainfo == NULL)
1962 return;
1963
1964 tad->tad_event = AUE_CONFIGKSSL;
1965
1966 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1967 return;
1968
1969 /* Add subject information */
1970 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
1971
1972 switch (cmd) {
1973 case KSSL_ADD_ENTRY: {
1974 char buf[32];
1975 kssl_params_t *kp = (kssl_params_t *)params;
1976 struct sockaddr_in6 *saddr = &kp->kssl_addr;
1977
1978 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
1979 au_write((caddr_t *)&ad,
1980 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1981 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
1982 saddr->sin6_port);
1983 au_write((caddr_t *)&ad, au_to_text(buf));
1984
1985 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
1986 kp->kssl_proxy_port);
1987 au_write((caddr_t *)&ad, au_to_text(buf));
1988 break;
1989 }
1990
1991 case KSSL_DELETE_ENTRY: {
1992 char buf[32];
1993 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
1994
1995 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
1996 au_write((caddr_t *)&ad,
1997 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1998 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
1999 saddr->sin6_port);
2000 au_write((caddr_t *)&ad, au_to_text(buf));
2001 break;
2002 }
2003
2004 default:
2005 return;
2006 }
2007
2008 /* add a return token */
2009 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2010
2011 AS_INC(as_generated, 1, kctx);
2012 AS_INC(as_kernel, 1, kctx);
2013
2014 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2015 NULL);
2016 }
2017
2018 /*
2019 * Audit the kernel PF_POLICY administration commands. Record command,
2020 * zone, policy type (global or tunnel, active or inactive)
2021 */
2022 /*
2023 * ROUTINE: AUDIT_PF_POLICY
2024 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2025 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2026 * SPD_CLONE, SPD_FLIP
2027 * NOTE:
2028 * TODO:
2029 * QUESTION:
2030 */
2031
2032 void
audit_pf_policy(int cmd,cred_t * cred,netstack_t * ns,char * tun,boolean_t active,int error,pid_t pid)2033 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2034 boolean_t active, int error, pid_t pid)
2035 {
2036 const auditinfo_addr_t *ainfo;
2037 t_audit_data_t *tad;
2038 token_t *ad = NULL;
2039 au_kcontext_t *kctx = GET_KCTX_PZ;
2040 char buf[80];
2041 int flag;
2042
2043 tad = U2A(u);
2044 if (tad == NULL)
2045 return;
2046
2047 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2048 if (ainfo == NULL)
2049 return;
2050
2051 /*
2052 * Initialize some variables since these are only set
2053 * with system calls.
2054 */
2055
2056 switch (cmd) {
2057 case SPD_ADDRULE: {
2058 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2059 break;
2060 }
2061
2062 case SPD_DELETERULE: {
2063 tad->tad_event = AUE_PF_POLICY_DELRULE;
2064 break;
2065 }
2066
2067 case SPD_FLUSH: {
2068 tad->tad_event = AUE_PF_POLICY_FLUSH;
2069 break;
2070 }
2071
2072 case SPD_UPDATEALGS: {
2073 tad->tad_event = AUE_PF_POLICY_ALGS;
2074 break;
2075 }
2076
2077 case SPD_CLONE: {
2078 tad->tad_event = AUE_PF_POLICY_CLONE;
2079 break;
2080 }
2081
2082 case SPD_FLIP: {
2083 tad->tad_event = AUE_PF_POLICY_FLIP;
2084 break;
2085 }
2086
2087 default:
2088 tad->tad_event = AUE_NULL;
2089 }
2090
2091 tad->tad_evmod = 0;
2092
2093 if (flag = audit_success(kctx, tad, error, cred)) {
2094 zone_t *nszone;
2095
2096 /*
2097 * For now, just audit that an event happened,
2098 * along with the error code.
2099 */
2100 au_write((caddr_t *)&ad,
2101 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2102 au_write((caddr_t *)&ad,
2103 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2104
2105 /* Supplemental data */
2106
2107 /*
2108 * Generate this zone token if the target zone differs
2109 * from the administrative zone. If netstacks are expanded
2110 * to something other than a 1-1 relationship with zones,
2111 * the auditing framework should create a new token type
2112 * and audit it as a netstack instead.
2113 * Turn on general zone auditing to get the administrative zone.
2114 */
2115
2116 nszone = zone_find_by_id(netstackid_to_zoneid(
2117 ns->netstack_stackid));
2118 if (nszone != NULL) {
2119 if (strncmp(crgetzone(cred)->zone_name,
2120 nszone->zone_name, ZONENAME_MAX) != 0) {
2121 token_t *ztoken;
2122
2123 ztoken = au_to_zonename(0, nszone);
2124 au_write((caddr_t *)&ad, ztoken);
2125 }
2126 zone_rele(nszone);
2127 }
2128
2129 if (tun != NULL) {
2130 /* write tunnel name - tun is bounded */
2131 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2132 tun);
2133 au_write((caddr_t *)&ad, au_to_text(buf));
2134 }
2135
2136 /* Add subject information */
2137 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2138 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2139
2140 /* add a return token */
2141 add_return_token((caddr_t *)&ad, 0, error, 0);
2142
2143 AS_INC(as_generated, 1, kctx);
2144 AS_INC(as_kernel, 1, kctx);
2145
2146 }
2147 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2148 NULL);
2149
2150 /*
2151 * clear the ctrl flag so that we don't have spurious collection of
2152 * audit information.
2153 */
2154 tad->tad_scid = 0;
2155 tad->tad_event = 0;
2156 tad->tad_evmod = 0;
2157 tad->tad_ctrl = 0;
2158 }
2159
2160 /*
2161 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2162 * PURPOSE: Add security attributes
2163 * CALLBY: AUDIT_ATTRIBUTES
2164 * AUDIT_CLOSEF
2165 * AUS_CLOSE
2166 * NOTE:
2167 * TODO:
2168 * QUESTION:
2169 */
2170
2171 void
audit_sec_attributes(caddr_t * ad,struct vnode * vp)2172 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2173 {
2174 /* Dump the SL */
2175 if (is_system_labeled()) {
2176 ts_label_t *tsl;
2177 bslabel_t *bsl;
2178
2179 tsl = getflabel(vp);
2180 if (tsl == NULL)
2181 return; /* nothing else to do */
2182
2183 bsl = label2bslabel(tsl);
2184 if (bsl == NULL)
2185 return; /* nothing else to do */
2186 au_write(ad, au_to_label(bsl));
2187 label_rele(tsl);
2188 }
2189
2190 } /* AUDIT_SEC_ATTRIBUTES */
2191