1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/systm.h>
26 #include <sys/errno.h>
27 #include <sys/policy.h>
28
29 #include <c2/audit.h>
30 #include <c2/audit_kernel.h>
31 #include <c2/audit_record.h>
32
33 #define CLEAR_VAL -1
34
35 extern kmutex_t pidlock;
36
37 uint32_t audit_policy; /* global audit policies in force */
38
39
40 /*ARGSUSED1*/
41 int
auditsys(struct auditcalls * uap,rval_t * rvp)42 auditsys(struct auditcalls *uap, rval_t *rvp)
43 {
44 int err;
45 int result = 0;
46
47 if (audit_active == C2AUDIT_DISABLED)
48 return (ENOTSUP);
49
50 switch (uap->code) {
51 case BSM_GETAUID:
52 result = getauid((caddr_t)uap->a1);
53 break;
54 case BSM_SETAUID:
55 result = setauid((caddr_t)uap->a1);
56 break;
57 case BSM_GETAUDIT:
58 result = getaudit((caddr_t)uap->a1);
59 break;
60 case BSM_GETAUDIT_ADDR:
61 result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
62 break;
63 case BSM_SETAUDIT:
64 result = setaudit((caddr_t)uap->a1);
65 break;
66 case BSM_SETAUDIT_ADDR:
67 result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
68 break;
69 case BSM_AUDITCTL:
70 result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
71 break;
72 case BSM_AUDIT:
73 if (audit_active == C2AUDIT_UNLOADED)
74 return (0);
75 result = audit((caddr_t)uap->a1, (int)uap->a2);
76 break;
77 case BSM_AUDITDOOR:
78 if (audit_active == C2AUDIT_LOADED) {
79 result = auditdoor((int)uap->a1);
80 break;
81 }
82 default:
83 if (audit_active == C2AUDIT_LOADED) {
84 result = EINVAL;
85 break;
86 }
87 /* Return a different error when not privileged */
88 err = secpolicy_audit_config(CRED());
89 if (err == 0)
90 return (EINVAL);
91 else
92 return (err);
93 }
94 rvp->r_vals = result;
95 return (result);
96 }
97
98 /*
99 * Return the audit user ID for the current process. Currently only
100 * the privileged processes may see the audit id. That may change.
101 * If copyout is unsucessful return EFAULT.
102 */
103 int
getauid(caddr_t auid_p)104 getauid(caddr_t auid_p)
105 {
106 const auditinfo_addr_t *ainfo;
107
108 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
109 return (EPERM);
110
111 ainfo = crgetauinfo(CRED());
112 if (ainfo == NULL)
113 return (EINVAL);
114
115 if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t)))
116 return (EFAULT);
117
118 return (0);
119 }
120
121 /*
122 * Set the audit userid, for a process. This can only be changed by
123 * privileged processes. The audit userid is inherited across forks & execs.
124 * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
125 */
126 int
setauid(caddr_t auid_p)127 setauid(caddr_t auid_p)
128 {
129 proc_t *p;
130 au_id_t auid;
131 cred_t *newcred;
132 auditinfo_addr_t *auinfo;
133
134 if (secpolicy_audit_config(CRED()) != 0)
135 return (EPERM);
136
137 if (copyin(auid_p, &auid, sizeof (au_id_t))) {
138 return (EFAULT);
139 }
140
141 newcred = cralloc();
142 if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) {
143 crfree(newcred);
144 return (EINVAL);
145 }
146
147 /* grab p_crlock and switch to new cred */
148 p = curproc;
149 mutex_enter(&p->p_crlock);
150 crcopy_to(p->p_cred, newcred);
151 p->p_cred = newcred;
152
153 auinfo->ai_auid = auid; /* update the auid */
154
155 /* unlock and broadcast the cred changes */
156 mutex_exit(&p->p_crlock);
157 crset(p, newcred);
158
159 return (0);
160 }
161
162 /*
163 * Get the audit state information from the current process.
164 * Return EFAULT if copyout fails.
165 */
166 int
getaudit(caddr_t info_p)167 getaudit(caddr_t info_p)
168 {
169 STRUCT_DECL(auditinfo, info);
170 const auditinfo_addr_t *ainfo;
171 model_t model;
172
173 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
174 return (EPERM);
175
176 model = get_udatamodel();
177 STRUCT_INIT(info, model);
178
179 ainfo = crgetauinfo(CRED());
180 if (ainfo == NULL)
181 return (EINVAL);
182
183 /* trying to read a process with an IPv6 address? */
184 if (ainfo->ai_termid.at_type == AU_IPv6)
185 return (EOVERFLOW);
186
187 STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
188 STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
189 #ifdef _LP64
190 if (model == DATAMODEL_ILP32) {
191 dev32_t dev;
192 /* convert internal 64 bit form to 32 bit version */
193 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
194 return (EOVERFLOW);
195 }
196 STRUCT_FSET(info, ai_termid.port, dev);
197 } else
198 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
199 #else
200 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
201 #endif
202 STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]);
203 STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
204
205 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
206 return (EFAULT);
207
208 return (0);
209 }
210
211 /*
212 * Get the audit state information from the current process.
213 * Return EFAULT if copyout fails.
214 */
215 int
getaudit_addr(caddr_t info_p,int len)216 getaudit_addr(caddr_t info_p, int len)
217 {
218 STRUCT_DECL(auditinfo_addr, info);
219 const auditinfo_addr_t *ainfo;
220 model_t model;
221
222 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
223 return (EPERM);
224
225 model = get_udatamodel();
226 STRUCT_INIT(info, model);
227
228 if (len < STRUCT_SIZE(info))
229 return (EOVERFLOW);
230
231 ainfo = crgetauinfo(CRED());
232
233 if (ainfo == NULL)
234 return (EINVAL);
235
236 STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
237 STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
238 #ifdef _LP64
239 if (model == DATAMODEL_ILP32) {
240 dev32_t dev;
241 /* convert internal 64 bit form to 32 bit version */
242 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
243 return (EOVERFLOW);
244 }
245 STRUCT_FSET(info, ai_termid.at_port, dev);
246 } else
247 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
248 #else
249 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
250 #endif
251 STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type);
252 STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
253 STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
254 STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
255 STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
256 STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
257
258 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
259 return (EFAULT);
260
261 return (0);
262 }
263
264 /*
265 * Set the audit state information for the current process.
266 * Return EFAULT if copyout fails.
267 */
268 int
setaudit(caddr_t info_p)269 setaudit(caddr_t info_p)
270 {
271 STRUCT_DECL(auditinfo, info);
272 proc_t *p;
273 cred_t *newcred;
274 model_t model;
275 auditinfo_addr_t *ainfo;
276
277 if (secpolicy_audit_config(CRED()) != 0)
278 return (EPERM);
279
280 model = get_udatamodel();
281 STRUCT_INIT(info, model);
282
283 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
284 return (EFAULT);
285
286 newcred = cralloc();
287 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
288 crfree(newcred);
289 return (EINVAL);
290 }
291
292 /* grab p_crlock and switch to new cred */
293 p = curproc;
294 mutex_enter(&p->p_crlock);
295 crcopy_to(p->p_cred, newcred);
296 p->p_cred = newcred;
297
298 /* Set audit mask, id, termid and session id as specified */
299 ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
300 #ifdef _LP64
301 /* only convert to 64 bit if coming from a 32 bit binary */
302 if (model == DATAMODEL_ILP32)
303 ainfo->ai_termid.at_port =
304 DEVEXPL(STRUCT_FGET(info, ai_termid.port));
305 else
306 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
307 #else
308 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
309 #endif
310 ainfo->ai_termid.at_type = AU_IPv4;
311 ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine);
312 ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
313 ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
314
315 /* unlock and broadcast the cred changes */
316 mutex_exit(&p->p_crlock);
317 crset(p, newcred);
318
319 return (0);
320 }
321
322 /*
323 * Set the audit state information for the current process.
324 * Return EFAULT if copyin fails.
325 */
326 int
setaudit_addr(caddr_t info_p,int len)327 setaudit_addr(caddr_t info_p, int len)
328 {
329 STRUCT_DECL(auditinfo_addr, info);
330 proc_t *p;
331 cred_t *newcred;
332 model_t model;
333 int i;
334 int type;
335 auditinfo_addr_t *ainfo;
336
337 if (secpolicy_audit_config(CRED()) != 0)
338 return (EPERM);
339
340 model = get_udatamodel();
341 STRUCT_INIT(info, model);
342
343 if (len < STRUCT_SIZE(info))
344 return (EOVERFLOW);
345
346 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
347 return (EFAULT);
348
349 type = STRUCT_FGET(info, ai_termid.at_type);
350 if ((type != AU_IPv4) && (type != AU_IPv6))
351 return (EINVAL);
352
353 newcred = cralloc();
354 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
355 crfree(newcred);
356 return (EINVAL);
357 }
358
359 /* grab p_crlock and switch to new cred */
360 p = curproc;
361 mutex_enter(&p->p_crlock);
362 crcopy_to(p->p_cred, newcred);
363 p->p_cred = newcred;
364
365 /* Set audit mask, id, termid and session id as specified */
366 ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
367 ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
368 #ifdef _LP64
369 /* only convert to 64 bit if coming from a 32 bit binary */
370 if (model == DATAMODEL_ILP32)
371 ainfo->ai_termid.at_port =
372 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
373 else
374 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
375 #else
376 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
377 #endif
378 ainfo->ai_termid.at_type = type;
379 bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr));
380 for (i = 0; i < (type/sizeof (int)); i++)
381 ainfo->ai_termid.at_addr[i] =
382 STRUCT_FGET(info, ai_termid.at_addr[i]);
383
384 if (ainfo->ai_termid.at_type == AU_IPv6 &&
385 IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) {
386 ainfo->ai_termid.at_type = AU_IPv4;
387 ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3];
388 ainfo->ai_termid.at_addr[1] = 0;
389 ainfo->ai_termid.at_addr[2] = 0;
390 ainfo->ai_termid.at_addr[3] = 0;
391 }
392
393 ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
394
395 /* unlock and broadcast the cred changes */
396 mutex_exit(&p->p_crlock);
397 crset(p, newcred);
398
399 return (0);
400 }
401
402 /*
403 * Get the global policy flag
404 */
405 static int
getpolicy(caddr_t data)406 getpolicy(caddr_t data)
407 {
408 uint32_t policy;
409 au_kcontext_t *kctx = GET_KCTX_PZ;
410
411 policy = audit_policy | kctx->auk_policy;
412
413 if (copyout(&policy, data, sizeof (policy)))
414 return (EFAULT);
415 return (0);
416 }
417
418 /*
419 * Set the global and local policy flags
420 *
421 * The global flags only make sense from the global zone;
422 * the local flags depend on the AUDIT_PERZONE policy:
423 * if the perzone policy is set, then policy is set separately
424 * per zone, else held only in the global zone.
425 *
426 * The initial value of a local zone's policy flag is determined
427 * by the value of the global zone's flags at the time the
428 * local zone is created.
429 *
430 * While auditconfig(1M) allows setting and unsetting policies one bit
431 * at a time, the mask passed in from auditconfig() is created by a
432 * syscall to getpolicy and then modified based on the auditconfig()
433 * cmd line, so the input policy value is used to replace the existing
434 * policy.
435 */
436 static int
setpolicy(caddr_t data)437 setpolicy(caddr_t data)
438 {
439 uint32_t policy;
440 au_kcontext_t *kctx;
441
442 if (copyin(data, &policy, sizeof (policy)))
443 return (EFAULT);
444
445 kctx = GET_KCTX_NGZ;
446
447 if (INGLOBALZONE(curproc)) {
448 if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL))
449 return (EINVAL);
450
451 audit_policy = policy & AUDIT_GLOBAL;
452 } else {
453 if (!(audit_policy & AUDIT_PERZONE))
454 return (EINVAL);
455
456 if (policy & ~AUDIT_LOCAL) /* global bits are a no-no */
457 return (EINVAL);
458 }
459 kctx->auk_policy = policy & AUDIT_LOCAL;
460
461 /*
462 * auk_current_vp is NULL before auditd starts (or during early
463 * auditd starup) or if auditd is halted; in either case,
464 * notification of a policy change is not needed, since auditd
465 * reads policy as it comes up. The error return from au_doormsg()
466 * is ignored to avoid a race condition -- for example if auditd
467 * segv's, the audit state may be "auditing" but the door may
468 * be closed. Returning an error if the door is open makes it
469 * impossible for Greenline to restart auditd.
470 */
471 if (kctx->auk_current_vp != NULL)
472 (void) au_doormsg(kctx, AU_DBUF_POLICY, &policy);
473
474 /*
475 * Wake up anyone who might have blocked on full audit
476 * partitions. audit daemons need to set AUDIT_FULL when no
477 * space so we can tell if we should start dropping records.
478 */
479 mutex_enter(&(kctx->auk_queue.lock));
480
481 if ((policy & (AUDIT_CNT | AUDIT_SCNT) &&
482 (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater)))
483 cv_broadcast(&(kctx->auk_queue.write_cv));
484
485 mutex_exit(&(kctx->auk_queue.lock));
486
487 return (0);
488 }
489
490 static int
getamask(caddr_t data)491 getamask(caddr_t data)
492 {
493 au_kcontext_t *kctx;
494
495 kctx = GET_KCTX_PZ;
496
497 if (copyout(&kctx->auk_info.ai_amask, data, sizeof (au_mask_t)))
498 return (EFAULT);
499
500 return (0);
501 }
502
503 static int
setamask(caddr_t data)504 setamask(caddr_t data)
505 {
506 au_mask_t mask;
507 au_kcontext_t *kctx;
508
509 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
510 return (EINVAL);
511
512 kctx = GET_KCTX_NGZ;
513
514 if (copyin(data, &mask, sizeof (au_mask_t)))
515 return (EFAULT);
516
517 kctx->auk_info.ai_amask = mask;
518 return (0);
519 }
520
521 static int
getkmask(caddr_t data)522 getkmask(caddr_t data)
523 {
524 au_kcontext_t *kctx;
525
526 kctx = GET_KCTX_PZ;
527
528 if (copyout(&kctx->auk_info.ai_namask, data, sizeof (au_mask_t)))
529 return (EFAULT);
530 return (0);
531 }
532
533 static int
setkmask(caddr_t data)534 setkmask(caddr_t data)
535 {
536 au_mask_t mask;
537 au_kcontext_t *kctx;
538
539 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
540 return (EINVAL);
541
542 kctx = GET_KCTX_NGZ;
543
544 if (copyin(data, &mask, sizeof (au_mask_t)))
545 return (EFAULT);
546
547 kctx->auk_info.ai_namask = mask;
548 return (0);
549 }
550
551 static int
getkaudit(caddr_t info_p,int len)552 getkaudit(caddr_t info_p, int len)
553 {
554 STRUCT_DECL(auditinfo_addr, info);
555 model_t model;
556 au_kcontext_t *kctx = GET_KCTX_PZ;
557
558 model = get_udatamodel();
559 STRUCT_INIT(info, model);
560
561 if (len < STRUCT_SIZE(info))
562 return (EOVERFLOW);
563
564 STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid);
565 STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_namask);
566 #ifdef _LP64
567 if (model == DATAMODEL_ILP32) {
568 dev32_t dev;
569 /* convert internal 64 bit form to 32 bit version */
570 if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) {
571 return (EOVERFLOW);
572 }
573 STRUCT_FSET(info, ai_termid.at_port, dev);
574 } else {
575 STRUCT_FSET(info, ai_termid.at_port,
576 kctx->auk_info.ai_termid.at_port);
577 }
578 #else
579 STRUCT_FSET(info, ai_termid.at_port,
580 kctx->auk_info.ai_termid.at_port);
581 #endif
582 STRUCT_FSET(info, ai_termid.at_type,
583 kctx->auk_info.ai_termid.at_type);
584 STRUCT_FSET(info, ai_termid.at_addr[0],
585 kctx->auk_info.ai_termid.at_addr[0]);
586 STRUCT_FSET(info, ai_termid.at_addr[1],
587 kctx->auk_info.ai_termid.at_addr[1]);
588 STRUCT_FSET(info, ai_termid.at_addr[2],
589 kctx->auk_info.ai_termid.at_addr[2]);
590 STRUCT_FSET(info, ai_termid.at_addr[3],
591 kctx->auk_info.ai_termid.at_addr[3]);
592 STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid);
593
594 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
595 return (EFAULT);
596
597 return (0);
598 }
599
600 /*
601 * the host address for AUDIT_PERZONE == 0 is that of the global
602 * zone and for local zones it is of the current zone.
603 */
604 static int
setkaudit(caddr_t info_p,int len)605 setkaudit(caddr_t info_p, int len)
606 {
607 STRUCT_DECL(auditinfo_addr, info);
608 model_t model;
609 au_kcontext_t *kctx;
610
611 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
612 return (EINVAL);
613
614 kctx = GET_KCTX_NGZ;
615
616 model = get_udatamodel();
617 STRUCT_INIT(info, model);
618
619 if (len < STRUCT_SIZE(info))
620 return (EOVERFLOW);
621
622 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
623 return (EFAULT);
624
625 if ((STRUCT_FGET(info, ai_termid.at_type) != AU_IPv4) &&
626 (STRUCT_FGET(info, ai_termid.at_type) != AU_IPv6))
627 return (EINVAL);
628
629 /* Set audit mask, termid and session id as specified */
630 kctx->auk_info.ai_auid = STRUCT_FGET(info, ai_auid);
631 kctx->auk_info.ai_namask = STRUCT_FGET(info, ai_mask);
632 #ifdef _LP64
633 /* only convert to 64 bit if coming from a 32 bit binary */
634 if (model == DATAMODEL_ILP32)
635 kctx->auk_info.ai_termid.at_port =
636 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
637 else
638 kctx->auk_info.ai_termid.at_port =
639 STRUCT_FGET(info, ai_termid.at_port);
640 #else
641 kctx->auk_info.ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
642 #endif
643 kctx->auk_info.ai_termid.at_type = STRUCT_FGET(info, ai_termid.at_type);
644 bzero(&kctx->auk_info.ai_termid.at_addr[0],
645 sizeof (kctx->auk_info.ai_termid.at_addr));
646 kctx->auk_info.ai_termid.at_addr[0] =
647 STRUCT_FGET(info, ai_termid.at_addr[0]);
648 kctx->auk_info.ai_termid.at_addr[1] =
649 STRUCT_FGET(info, ai_termid.at_addr[1]);
650 kctx->auk_info.ai_termid.at_addr[2] =
651 STRUCT_FGET(info, ai_termid.at_addr[2]);
652 kctx->auk_info.ai_termid.at_addr[3] =
653 STRUCT_FGET(info, ai_termid.at_addr[3]);
654 kctx->auk_info.ai_asid = STRUCT_FGET(info, ai_asid);
655
656 if (kctx->auk_info.ai_termid.at_type == AU_IPv6 &&
657 IN6_IS_ADDR_V4MAPPED(
658 ((in6_addr_t *)kctx->auk_info.ai_termid.at_addr))) {
659 kctx->auk_info.ai_termid.at_type = AU_IPv4;
660 kctx->auk_info.ai_termid.at_addr[0] =
661 kctx->auk_info.ai_termid.at_addr[3];
662 kctx->auk_info.ai_termid.at_addr[1] = 0;
663 kctx->auk_info.ai_termid.at_addr[2] = 0;
664 kctx->auk_info.ai_termid.at_addr[3] = 0;
665 }
666 if (kctx->auk_info.ai_termid.at_type == AU_IPv6)
667 kctx->auk_hostaddr_valid = IN6_IS_ADDR_UNSPECIFIED(
668 (in6_addr_t *)kctx->auk_info.ai_termid.at_addr) ? 0 : 1;
669 else
670 kctx->auk_hostaddr_valid =
671 (kctx->auk_info.ai_termid.at_addr[0] ==
672 htonl(INADDR_ANY)) ? 0 : 1;
673
674 return (0);
675 }
676
677 static int
getqctrl(caddr_t data)678 getqctrl(caddr_t data)
679 {
680 au_kcontext_t *kctx = GET_KCTX_PZ;
681 STRUCT_DECL(au_qctrl, qctrl);
682 STRUCT_INIT(qctrl, get_udatamodel());
683
684 mutex_enter(&(kctx->auk_queue.lock));
685 STRUCT_FSET(qctrl, aq_hiwater, kctx->auk_queue.hiwater);
686 STRUCT_FSET(qctrl, aq_lowater, kctx->auk_queue.lowater);
687 STRUCT_FSET(qctrl, aq_bufsz, kctx->auk_queue.bufsz);
688 STRUCT_FSET(qctrl, aq_delay, kctx->auk_queue.delay);
689 mutex_exit(&(kctx->auk_queue.lock));
690
691 if (copyout(STRUCT_BUF(qctrl), data, STRUCT_SIZE(qctrl)))
692 return (EFAULT);
693
694 return (0);
695 }
696
697 static int
setqctrl(caddr_t data)698 setqctrl(caddr_t data)
699 {
700 au_kcontext_t *kctx;
701 struct au_qctrl qctrl_tmp;
702 STRUCT_DECL(au_qctrl, qctrl);
703 STRUCT_INIT(qctrl, get_udatamodel());
704
705 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
706 return (EINVAL);
707 kctx = GET_KCTX_NGZ;
708
709 if (copyin(data, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
710 return (EFAULT);
711
712 qctrl_tmp.aq_hiwater = (size_t)STRUCT_FGET(qctrl, aq_hiwater);
713 qctrl_tmp.aq_lowater = (size_t)STRUCT_FGET(qctrl, aq_lowater);
714 qctrl_tmp.aq_bufsz = (size_t)STRUCT_FGET(qctrl, aq_bufsz);
715 qctrl_tmp.aq_delay = (clock_t)STRUCT_FGET(qctrl, aq_delay);
716
717 /* enforce sane values */
718
719 if (qctrl_tmp.aq_hiwater <= qctrl_tmp.aq_lowater)
720 return (EINVAL);
721
722 if (qctrl_tmp.aq_hiwater < AQ_LOWATER)
723 return (EINVAL);
724
725 if (qctrl_tmp.aq_hiwater > AQ_MAXHIGH)
726 return (EINVAL);
727
728 if (qctrl_tmp.aq_bufsz < AQ_BUFSZ)
729 return (EINVAL);
730
731 if (qctrl_tmp.aq_bufsz > AQ_MAXBUFSZ)
732 return (EINVAL);
733
734 if (qctrl_tmp.aq_delay == 0)
735 return (EINVAL);
736
737 if (qctrl_tmp.aq_delay > AQ_MAXDELAY)
738 return (EINVAL);
739
740 /* update everything at once so things are consistant */
741 mutex_enter(&(kctx->auk_queue.lock));
742 kctx->auk_queue.hiwater = qctrl_tmp.aq_hiwater;
743 kctx->auk_queue.lowater = qctrl_tmp.aq_lowater;
744 kctx->auk_queue.bufsz = qctrl_tmp.aq_bufsz;
745 kctx->auk_queue.delay = qctrl_tmp.aq_delay;
746
747 if (kctx->auk_queue.rd_block &&
748 kctx->auk_queue.cnt > kctx->auk_queue.lowater)
749 cv_broadcast(&(kctx->auk_queue.read_cv));
750
751 if (kctx->auk_queue.wt_block &&
752 kctx->auk_queue.cnt < kctx->auk_queue.hiwater)
753 cv_broadcast(&(kctx->auk_queue.write_cv));
754
755 mutex_exit(&(kctx->auk_queue.lock));
756
757 return (0);
758 }
759
760 static int
getcwd(caddr_t data,int length)761 getcwd(caddr_t data, int length)
762 {
763 struct p_audit_data *pad;
764 struct audit_path *app;
765 int pathlen;
766
767 pad = P2A(curproc);
768 ASSERT(pad != NULL);
769
770 mutex_enter(&(pad->pad_lock));
771 app = pad->pad_cwd;
772 au_pathhold(app);
773 mutex_exit(&(pad->pad_lock));
774
775 pathlen = app->audp_sect[1] - app->audp_sect[0];
776 if (pathlen > length) {
777 au_pathrele(app);
778 return (E2BIG);
779 }
780
781 if (copyout(app->audp_sect[0], data, pathlen)) {
782 au_pathrele(app);
783 return (EFAULT);
784 }
785
786 au_pathrele(app);
787 return (0);
788 }
789
790 static int
getcar(caddr_t data,int length)791 getcar(caddr_t data, int length)
792 {
793 struct p_audit_data *pad;
794 struct audit_path *app;
795 int pathlen;
796
797 pad = P2A(curproc);
798 ASSERT(pad != NULL);
799
800 mutex_enter(&(pad->pad_lock));
801 app = pad->pad_root;
802 au_pathhold(app);
803 mutex_exit(&(pad->pad_lock));
804
805 pathlen = app->audp_sect[1] - app->audp_sect[0];
806 if (pathlen > length) {
807 au_pathrele(app);
808 return (E2BIG);
809 }
810
811 if (copyout(app->audp_sect[0], data, pathlen)) {
812 au_pathrele(app);
813 return (EFAULT);
814 }
815
816 au_pathrele(app);
817 return (0);
818 }
819
820 static int
getstat(caddr_t data)821 getstat(caddr_t data)
822 {
823 au_kcontext_t *kctx = GET_KCTX_PZ;
824
825 membar_consumer();
826
827 if (copyout((caddr_t)&(kctx->auk_statistics), data, sizeof (au_stat_t)))
828 return (EFAULT);
829 return (0);
830 }
831
832 static int
setstat(caddr_t data)833 setstat(caddr_t data)
834 {
835 au_kcontext_t *kctx = GET_KCTX_PZ;
836 au_stat_t au_stat;
837
838 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
839 return (EINVAL);
840
841 if (copyin(data, &au_stat, sizeof (au_stat_t)))
842 return (EFAULT);
843
844 if (au_stat.as_generated == CLEAR_VAL)
845 kctx->auk_statistics.as_generated = 0;
846 if (au_stat.as_nonattrib == CLEAR_VAL)
847 kctx->auk_statistics.as_nonattrib = 0;
848 if (au_stat.as_kernel == CLEAR_VAL)
849 kctx->auk_statistics.as_kernel = 0;
850 if (au_stat.as_audit == CLEAR_VAL)
851 kctx->auk_statistics.as_audit = 0;
852 if (au_stat.as_auditctl == CLEAR_VAL)
853 kctx->auk_statistics.as_auditctl = 0;
854 if (au_stat.as_enqueue == CLEAR_VAL)
855 kctx->auk_statistics.as_enqueue = 0;
856 if (au_stat.as_written == CLEAR_VAL)
857 kctx->auk_statistics.as_written = 0;
858 if (au_stat.as_wblocked == CLEAR_VAL)
859 kctx->auk_statistics.as_wblocked = 0;
860 if (au_stat.as_rblocked == CLEAR_VAL)
861 kctx->auk_statistics.as_rblocked = 0;
862 if (au_stat.as_dropped == CLEAR_VAL)
863 kctx->auk_statistics.as_dropped = 0;
864 if (au_stat.as_totalsize == CLEAR_VAL)
865 kctx->auk_statistics.as_totalsize = 0;
866
867 membar_producer();
868
869 return (0);
870
871 }
872
873 static int
setumask(caddr_t data)874 setumask(caddr_t data)
875 {
876 STRUCT_DECL(auditinfo, user_info);
877 struct proc *p;
878 const auditinfo_addr_t *ainfo;
879 model_t model;
880
881 /* setumask not applicable in non-global zones without perzone policy */
882 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
883 return (EINVAL);
884
885 model = get_udatamodel();
886 STRUCT_INIT(user_info, model);
887
888 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
889 return (EFAULT);
890
891 mutex_enter(&pidlock); /* lock the process queue against updates */
892 for (p = practive; p != NULL; p = p->p_next) {
893 cred_t *cr;
894
895 /* if in non-global zone only modify processes in same zone */
896 if (!HASZONEACCESS(curproc, p->p_zone->zone_id))
897 continue;
898
899 mutex_enter(&p->p_lock); /* so process doesn't go away */
900
901 /* skip system processes and ones being created or going away */
902 if (p->p_stat == SIDL || p->p_stat == SZOMB ||
903 (p->p_flag & (SSYS | SEXITING | SEXITLWPS))) {
904 mutex_exit(&p->p_lock);
905 continue;
906 }
907
908 mutex_enter(&p->p_crlock);
909 crhold(cr = p->p_cred);
910 mutex_exit(&p->p_crlock);
911 ainfo = crgetauinfo(cr);
912 if (ainfo == NULL) {
913 mutex_exit(&p->p_lock);
914 crfree(cr);
915 continue;
916 }
917
918 if (ainfo->ai_auid == STRUCT_FGET(user_info, ai_auid)) {
919 au_mask_t mask;
920 int err;
921
922 /*
923 * Here's a process which matches the specified auid.
924 * If its mask doesn't already match the new mask,
925 * save the new mask in the pad, to be picked up
926 * next syscall.
927 */
928 mask = STRUCT_FGET(user_info, ai_mask);
929 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
930 crfree(cr);
931 if (err != 0) {
932 struct p_audit_data *pad = P2A(p);
933 ASSERT(pad != NULL);
934
935 mutex_enter(&(pad->pad_lock));
936 pad->pad_flags |= PAD_SETMASK;
937 pad->pad_newmask = mask;
938 mutex_exit(&(pad->pad_lock));
939
940 /*
941 * No need to call set_proc_pre_sys(), since
942 * t_pre_sys is ALWAYS on when audit is
943 * enabled...due to syscall auditing.
944 */
945 }
946 } else {
947 crfree(cr);
948 }
949 mutex_exit(&p->p_lock);
950 }
951 mutex_exit(&pidlock);
952
953 return (0);
954 }
955
956 static int
setsmask(caddr_t data)957 setsmask(caddr_t data)
958 {
959 STRUCT_DECL(auditinfo, user_info);
960 struct proc *p;
961 const auditinfo_addr_t *ainfo;
962 model_t model;
963
964 /* setsmask not applicable in non-global zones without perzone policy */
965 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
966 return (EINVAL);
967
968 model = get_udatamodel();
969 STRUCT_INIT(user_info, model);
970
971 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
972 return (EFAULT);
973
974 mutex_enter(&pidlock); /* lock the process queue against updates */
975 for (p = practive; p != NULL; p = p->p_next) {
976 cred_t *cr;
977
978 /* if in non-global zone only modify processes in same zone */
979 if (!HASZONEACCESS(curproc, p->p_zone->zone_id))
980 continue;
981
982 mutex_enter(&p->p_lock); /* so process doesn't go away */
983
984 /* skip system processes and ones being created or going away */
985 if (p->p_stat == SIDL || p->p_stat == SZOMB ||
986 (p->p_flag & (SSYS | SEXITING | SEXITLWPS))) {
987 mutex_exit(&p->p_lock);
988 continue;
989 }
990
991 mutex_enter(&p->p_crlock);
992 crhold(cr = p->p_cred);
993 mutex_exit(&p->p_crlock);
994 ainfo = crgetauinfo(cr);
995 if (ainfo == NULL) {
996 mutex_exit(&p->p_lock);
997 crfree(cr);
998 continue;
999 }
1000
1001 if (ainfo->ai_asid == STRUCT_FGET(user_info, ai_asid)) {
1002 au_mask_t mask;
1003 int err;
1004
1005 /*
1006 * Here's a process which matches the specified asid.
1007 * If its mask doesn't already match the new mask,
1008 * save the new mask in the pad, to be picked up
1009 * next syscall.
1010 */
1011 mask = STRUCT_FGET(user_info, ai_mask);
1012 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1013 crfree(cr);
1014 if (err != 0) {
1015 struct p_audit_data *pad = P2A(p);
1016 ASSERT(pad != NULL);
1017
1018 mutex_enter(&(pad->pad_lock));
1019 pad->pad_flags |= PAD_SETMASK;
1020 pad->pad_newmask = mask;
1021 mutex_exit(&(pad->pad_lock));
1022
1023 /*
1024 * No need to call set_proc_pre_sys(), since
1025 * t_pre_sys is ALWAYS on when audit is
1026 * enabled...due to syscall auditing.
1027 */
1028 }
1029 } else {
1030 crfree(cr);
1031 }
1032 mutex_exit(&p->p_lock);
1033 }
1034 mutex_exit(&pidlock);
1035
1036 return (0);
1037 }
1038
1039 /*
1040 * Get the current audit state of the system
1041 */
1042 static int
getcond(caddr_t data)1043 getcond(caddr_t data)
1044 {
1045 au_kcontext_t *kctx = GET_KCTX_PZ;
1046
1047 if (copyout(&(kctx->auk_auditstate), data, sizeof (int)))
1048 return (EFAULT);
1049
1050 return (0);
1051 }
1052
1053 /*
1054 * Set the current audit state of the system to on (AUC_AUDITING) or
1055 * off (AUC_NOAUDIT).
1056 */
1057 /* ARGSUSED */
1058 static int
setcond(caddr_t data)1059 setcond(caddr_t data)
1060 {
1061 int auditstate;
1062 au_kcontext_t *kctx;
1063
1064 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
1065 return (EINVAL);
1066
1067 kctx = GET_KCTX_NGZ;
1068
1069 if (copyin(data, &auditstate, sizeof (int)))
1070 return (EFAULT);
1071
1072 switch (auditstate) {
1073 case AUC_AUDITING: /* Turn auditing on */
1074 if (audit_active == C2AUDIT_UNLOADED)
1075 audit_init_module();
1076 kctx->auk_auditstate = AUC_AUDITING;
1077 if (!(audit_policy & AUDIT_PERZONE) && INGLOBALZONE(curproc))
1078 set_all_zone_usr_proc_sys(ALL_ZONES);
1079 else
1080 set_all_zone_usr_proc_sys(curproc->p_zone->zone_id);
1081 break;
1082
1083 case AUC_NOAUDIT: /* Turn auditing off */
1084 if (kctx->auk_auditstate == AUC_NOAUDIT)
1085 break;
1086 kctx->auk_auditstate = AUC_NOAUDIT;
1087
1088 /* clear out the audit queue */
1089
1090 mutex_enter(&(kctx->auk_queue.lock));
1091 if (kctx->auk_queue.wt_block)
1092 cv_broadcast(&(kctx->auk_queue.write_cv));
1093
1094 /* unblock au_output_thread */
1095 cv_broadcast(&(kctx->auk_queue.read_cv));
1096
1097 mutex_exit(&(kctx->auk_queue.lock));
1098 break;
1099
1100 default:
1101 return (EINVAL);
1102 }
1103
1104 return (0);
1105 }
1106
1107 static int
getclass(caddr_t data)1108 getclass(caddr_t data)
1109 {
1110 au_evclass_map_t event;
1111 au_kcontext_t *kctx = GET_KCTX_PZ;
1112
1113 if (copyin(data, &event, sizeof (au_evclass_map_t)))
1114 return (EFAULT);
1115
1116 if (event.ec_number > MAX_KEVENTS)
1117 return (EINVAL);
1118
1119 event.ec_class = kctx->auk_ets[event.ec_number];
1120
1121 if (copyout(&event, data, sizeof (au_evclass_map_t)))
1122 return (EFAULT);
1123
1124 return (0);
1125 }
1126
1127 static int
setclass(caddr_t data)1128 setclass(caddr_t data)
1129 {
1130 au_evclass_map_t event;
1131 au_kcontext_t *kctx;
1132
1133 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1134 return (EINVAL);
1135
1136 kctx = GET_KCTX_NGZ;
1137
1138 if (copyin(data, &event, sizeof (au_evclass_map_t)))
1139 return (EFAULT);
1140
1141 if (event.ec_number > MAX_KEVENTS)
1142 return (EINVAL);
1143
1144 kctx->auk_ets[event.ec_number] = event.ec_class;
1145
1146 return (0);
1147 }
1148
1149 static int
getpinfo(caddr_t data)1150 getpinfo(caddr_t data)
1151 {
1152 STRUCT_DECL(auditpinfo, apinfo);
1153 proc_t *proc;
1154 const auditinfo_addr_t *ainfo;
1155 model_t model;
1156 cred_t *cr, *newcred;
1157
1158 model = get_udatamodel();
1159 STRUCT_INIT(apinfo, model);
1160
1161 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1162 return (EFAULT);
1163
1164 newcred = cralloc();
1165
1166 mutex_enter(&pidlock);
1167 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1168 mutex_exit(&pidlock);
1169 crfree(newcred);
1170 return (ESRCH); /* no such process */
1171 }
1172 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1173 mutex_exit(&pidlock);
1174
1175 audit_update_context(proc, newcred); /* make sure it's up-to-date */
1176
1177 mutex_enter(&proc->p_crlock);
1178 crhold(cr = proc->p_cred);
1179 mutex_exit(&proc->p_crlock);
1180 mutex_exit(&proc->p_lock);
1181
1182 ainfo = crgetauinfo(cr);
1183 if (ainfo == NULL) {
1184 crfree(cr);
1185 return (EINVAL);
1186 }
1187
1188 /* designated process has an ipv6 address? */
1189 if (ainfo->ai_termid.at_type == AU_IPv6) {
1190 crfree(cr);
1191 return (EOVERFLOW);
1192 }
1193
1194 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1195 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1196 #ifdef _LP64
1197 if (model == DATAMODEL_ILP32) {
1198 dev32_t dev;
1199 /* convert internal 64 bit form to 32 bit version */
1200 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1201 crfree(cr);
1202 return (EOVERFLOW);
1203 }
1204 STRUCT_FSET(apinfo, ap_termid.port, dev);
1205 } else
1206 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1207 #else
1208 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1209 #endif
1210 STRUCT_FSET(apinfo, ap_termid.machine, ainfo->ai_termid.at_addr[0]);
1211 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1212
1213 crfree(cr);
1214
1215 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1216 return (EFAULT);
1217
1218 return (0);
1219 }
1220
1221 static int
getpinfo_addr(caddr_t data,int len)1222 getpinfo_addr(caddr_t data, int len)
1223 {
1224 STRUCT_DECL(auditpinfo_addr, apinfo);
1225 proc_t *proc;
1226 const auditinfo_addr_t *ainfo;
1227 model_t model;
1228 cred_t *cr, *newcred;
1229
1230 model = get_udatamodel();
1231 STRUCT_INIT(apinfo, model);
1232
1233 if (len < STRUCT_SIZE(apinfo))
1234 return (EOVERFLOW);
1235
1236 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1237 return (EFAULT);
1238
1239 newcred = cralloc();
1240
1241 mutex_enter(&pidlock);
1242 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1243 mutex_exit(&pidlock);
1244 crfree(newcred);
1245 return (ESRCH);
1246 }
1247 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1248 mutex_exit(&pidlock);
1249
1250 audit_update_context(proc, newcred); /* make sure it's up-to-date */
1251
1252 mutex_enter(&proc->p_crlock);
1253 crhold(cr = proc->p_cred);
1254 mutex_exit(&proc->p_crlock);
1255 mutex_exit(&proc->p_lock);
1256
1257 ainfo = crgetauinfo(cr);
1258 if (ainfo == NULL) {
1259 crfree(cr);
1260 return (EINVAL);
1261 }
1262
1263 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1264 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1265 #ifdef _LP64
1266 if (model == DATAMODEL_ILP32) {
1267 dev32_t dev;
1268 /* convert internal 64 bit form to 32 bit version */
1269 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1270 crfree(cr);
1271 return (EOVERFLOW);
1272 }
1273 STRUCT_FSET(apinfo, ap_termid.at_port, dev);
1274 } else
1275 STRUCT_FSET(apinfo, ap_termid.at_port,
1276 ainfo->ai_termid.at_port);
1277 #else
1278 STRUCT_FSET(apinfo, ap_termid.at_port, ainfo->ai_termid.at_port);
1279 #endif
1280 STRUCT_FSET(apinfo, ap_termid.at_type, ainfo->ai_termid.at_type);
1281 STRUCT_FSET(apinfo, ap_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
1282 STRUCT_FSET(apinfo, ap_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
1283 STRUCT_FSET(apinfo, ap_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
1284 STRUCT_FSET(apinfo, ap_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
1285 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1286
1287 crfree(cr);
1288
1289 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1290 return (EFAULT);
1291
1292 return (0);
1293 }
1294
1295 static int
setpmask(caddr_t data)1296 setpmask(caddr_t data)
1297 {
1298 STRUCT_DECL(auditpinfo, apinfo);
1299 proc_t *proc;
1300 cred_t *newcred;
1301 auditinfo_addr_t *ainfo;
1302 struct p_audit_data *pad;
1303
1304 model_t model;
1305
1306 model = get_udatamodel();
1307 STRUCT_INIT(apinfo, model);
1308
1309 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1310 return (EFAULT);
1311
1312 mutex_enter(&pidlock);
1313 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1314 mutex_exit(&pidlock);
1315 return (ESRCH);
1316 }
1317 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1318 mutex_exit(&pidlock);
1319
1320 newcred = cralloc();
1321 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
1322 mutex_exit(&proc->p_lock);
1323 crfree(newcred);
1324 return (EINVAL);
1325 }
1326
1327 mutex_enter(&proc->p_crlock);
1328 crcopy_to(proc->p_cred, newcred);
1329 proc->p_cred = newcred;
1330
1331 ainfo->ai_mask = STRUCT_FGET(apinfo, ap_mask);
1332
1333 /*
1334 * Unlock. No need to broadcast changes via set_proc_pre_sys(),
1335 * since t_pre_sys is ALWAYS on when audit is enabled... due to
1336 * syscall auditing.
1337 */
1338 crfree(newcred);
1339 mutex_exit(&proc->p_crlock);
1340
1341 /* Reset flag for any previous pending mask change; this supercedes */
1342 pad = P2A(proc);
1343 ASSERT(pad != NULL);
1344 mutex_enter(&(pad->pad_lock));
1345 pad->pad_flags &= ~PAD_SETMASK;
1346 mutex_exit(&(pad->pad_lock));
1347
1348 mutex_exit(&proc->p_lock);
1349
1350 return (0);
1351 }
1352
1353 /*
1354 * The out of control system call
1355 * This is audit kitchen sink aka auditadm, aka auditon
1356 */
1357 int
auditctl(int cmd,caddr_t data,int length)1358 auditctl(
1359 int cmd,
1360 caddr_t data,
1361 int length)
1362 {
1363 int result;
1364
1365 switch (cmd) {
1366 case A_GETAMASK:
1367 case A_GETCOND:
1368 case A_GETCAR:
1369 case A_GETCLASS:
1370 case A_GETCWD:
1371 case A_GETKAUDIT:
1372 case A_GETKMASK:
1373 case A_GETPINFO:
1374 case A_GETPINFO_ADDR:
1375 case A_GETPOLICY:
1376 case A_GETQCTRL:
1377 case A_GETSTAT:
1378 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
1379 return (EPERM);
1380 break;
1381 default:
1382 if (secpolicy_audit_config(CRED()) != 0)
1383 return (EPERM);
1384 break;
1385 }
1386
1387 switch (cmd) {
1388 case A_GETPOLICY:
1389 result = getpolicy(data);
1390 break;
1391 case A_SETPOLICY:
1392 result = setpolicy(data);
1393 break;
1394 case A_GETAMASK:
1395 result = getamask(data);
1396 break;
1397 case A_SETAMASK:
1398 result = setamask(data);
1399 break;
1400 case A_GETKMASK:
1401 result = getkmask(data);
1402 break;
1403 case A_SETKMASK:
1404 result = setkmask(data);
1405 break;
1406 case A_GETKAUDIT:
1407 result = getkaudit(data, length);
1408 break;
1409 case A_SETKAUDIT:
1410 result = setkaudit(data, length);
1411 break;
1412 case A_GETQCTRL:
1413 result = getqctrl(data);
1414 break;
1415 case A_SETQCTRL:
1416 result = setqctrl(data);
1417 break;
1418 case A_GETCWD:
1419 result = getcwd(data, length);
1420 break;
1421 case A_GETCAR:
1422 result = getcar(data, length);
1423 break;
1424 case A_GETSTAT:
1425 result = getstat(data);
1426 break;
1427 case A_SETSTAT:
1428 result = setstat(data);
1429 break;
1430 case A_SETUMASK:
1431 result = setumask(data);
1432 break;
1433 case A_SETSMASK:
1434 result = setsmask(data);
1435 break;
1436 case A_GETCOND:
1437 result = getcond(data);
1438 break;
1439 case A_SETCOND:
1440 result = setcond(data);
1441 break;
1442 case A_GETCLASS:
1443 result = getclass(data);
1444 break;
1445 case A_SETCLASS:
1446 result = setclass(data);
1447 break;
1448 case A_GETPINFO:
1449 result = getpinfo(data);
1450 break;
1451 case A_GETPINFO_ADDR:
1452 result = getpinfo_addr(data, length);
1453 break;
1454 case A_SETPMASK:
1455 result = setpmask(data);
1456 break;
1457 default:
1458 result = EINVAL;
1459 break;
1460 }
1461 return (result);
1462 }
1463