xref: /freebsd/sys/security/audit/audit.c (revision c321779676d0722f5d0a65c30e8b23b8a6547364)
1 /*-
2  * Copyright (c) 1999-2005 Apple Inc.
3  * Copyright (c) 2006-2007, 2016-2017 Robert N. M. Watson
4  * All rights reserved.
5  *
6  * Portions of this software were developed by BAE Systems, the University of
7  * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8  * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9  * Computing (TC) research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include <sys/param.h>
40 #include <sys/condvar.h>
41 #include <sys/conf.h>
42 #include <sys/file.h>
43 #include <sys/filedesc.h>
44 #include <sys/fcntl.h>
45 #include <sys/ipc.h>
46 #include <sys/jail.h>
47 #include <sys/kernel.h>
48 #include <sys/kthread.h>
49 #include <sys/malloc.h>
50 #include <sys/mount.h>
51 #include <sys/namei.h>
52 #include <sys/priv.h>
53 #include <sys/proc.h>
54 #include <sys/queue.h>
55 #include <sys/socket.h>
56 #include <sys/socketvar.h>
57 #include <sys/protosw.h>
58 #include <sys/domain.h>
59 #include <sys/sysctl.h>
60 #include <sys/sysproto.h>
61 #include <sys/sysent.h>
62 #include <sys/systm.h>
63 #include <sys/ucred.h>
64 #include <sys/uio.h>
65 #include <sys/un.h>
66 #include <sys/unistd.h>
67 #include <sys/vnode.h>
68 
69 #include <bsm/audit.h>
70 #include <bsm/audit_internal.h>
71 #include <bsm/audit_kevents.h>
72 
73 #include <netinet/in.h>
74 #include <netinet/in_pcb.h>
75 
76 #include <security/audit/audit.h>
77 #include <security/audit/audit_private.h>
78 
79 #include <vm/uma.h>
80 
81 FEATURE(audit, "BSM audit support");
82 
83 static uma_zone_t	audit_record_zone;
84 static MALLOC_DEFINE(M_AUDITCRED, "audit_cred", "Audit cred storage");
85 MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
86 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
87 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
88 MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
89 
90 static SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
91     "TrustedBSD audit controls");
92 
93 /*
94  * Audit control settings that are set/read by system calls and are hence
95  * non-static.
96  *
97  * Define the audit control flags.
98  */
99 int			audit_enabled;
100 int			audit_suspended;
101 
102 /*
103  * Flags controlling behavior in low storage situations.  Should we panic if
104  * a write fails?  Should we fail stop if we're out of disk space?
105  */
106 int			audit_panic_on_write_fail;
107 int			audit_fail_stop;
108 int			audit_argv;
109 int			audit_arge;
110 
111 /*
112  * Are we currently "failing stop" due to out of disk space?
113  */
114 int			audit_in_failure;
115 
116 /*
117  * Global audit statistics.
118  */
119 struct audit_fstat	audit_fstat;
120 
121 /*
122  * Preselection mask for non-attributable events.
123  */
124 struct au_mask		audit_nae_mask;
125 
126 /*
127  * Mutex to protect global variables shared between various threads and
128  * processes.
129  */
130 struct mtx		audit_mtx;
131 
132 /*
133  * Queue of audit records ready for delivery to disk.  We insert new records
134  * at the tail, and remove records from the head.  Also, a count of the
135  * number of records used for checking queue depth.  In addition, a counter
136  * of records that we have allocated but are not yet in the queue, which is
137  * needed to estimate the total size of the combined set of records
138  * outstanding in the system.
139  */
140 struct kaudit_queue	audit_q;
141 int			audit_q_len;
142 int			audit_pre_q_len;
143 
144 /*
145  * Audit queue control settings (minimum free, low/high water marks, etc.)
146  */
147 struct au_qctrl		audit_qctrl;
148 
149 /*
150  * Condition variable to signal to the worker that it has work to do: either
151  * new records are in the queue, or a log replacement is taking place.
152  */
153 struct cv		audit_worker_cv;
154 
155 /*
156  * Condition variable to flag when crossing the low watermark, meaning that
157  * threads blocked due to hitting the high watermark can wake up and continue
158  * to commit records.
159  */
160 struct cv		audit_watermark_cv;
161 
162 /*
163  * Condition variable for  auditing threads wait on when in fail-stop mode.
164  * Threads wait on this CV forever (and ever), never seeing the light of day
165  * again.
166  */
167 static struct cv	audit_fail_cv;
168 
169 /*
170  * Optional DTrace audit provider support: function pointers for preselection
171  * and commit events.
172  */
173 #ifdef KDTRACE_HOOKS
174 void	*(*dtaudit_hook_preselect)(au_id_t auid, au_event_t event,
175 	    au_class_t class);
176 int	(*dtaudit_hook_commit)(struct kaudit_record *kar, au_id_t auid,
177 	    au_event_t event, au_class_t class, int sorf);
178 void	(*dtaudit_hook_bsm)(struct kaudit_record *kar, au_id_t auid,
179 	    au_event_t event, au_class_t class, int sorf,
180 	    void *bsm_data, size_t bsm_lenlen);
181 #endif
182 
183 /*
184  * Kernel audit information.  This will store the current audit address
185  * or host information that the kernel will use when it's generating
186  * audit records.  This data is modified by the A_GET{SET}KAUDIT auditon(2)
187  * command.
188  */
189 static struct auditinfo_addr	audit_kinfo;
190 static struct rwlock		audit_kinfo_lock;
191 
192 #define	KINFO_LOCK_INIT()	rw_init(&audit_kinfo_lock, \
193 				    "audit_kinfo_lock")
194 #define	KINFO_RLOCK()		rw_rlock(&audit_kinfo_lock)
195 #define	KINFO_WLOCK()		rw_wlock(&audit_kinfo_lock)
196 #define	KINFO_RUNLOCK()		rw_runlock(&audit_kinfo_lock)
197 #define	KINFO_WUNLOCK()		rw_wunlock(&audit_kinfo_lock)
198 
199 void
200 audit_set_kinfo(struct auditinfo_addr *ak)
201 {
202 
203 	KASSERT(ak->ai_termid.at_type == AU_IPv4 ||
204 	    ak->ai_termid.at_type == AU_IPv6,
205 	    ("audit_set_kinfo: invalid address type"));
206 
207 	KINFO_WLOCK();
208 	audit_kinfo = *ak;
209 	KINFO_WUNLOCK();
210 }
211 
212 void
213 audit_get_kinfo(struct auditinfo_addr *ak)
214 {
215 
216 	KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 ||
217 	    audit_kinfo.ai_termid.at_type == AU_IPv6,
218 	    ("audit_set_kinfo: invalid address type"));
219 
220 	KINFO_RLOCK();
221 	*ak = audit_kinfo;
222 	KINFO_RUNLOCK();
223 }
224 
225 /*
226  * Construct an audit record for the passed thread.
227  */
228 static int
229 audit_record_ctor(void *mem, int size, void *arg, int flags)
230 {
231 	struct kaudit_record *ar;
232 	struct thread *td;
233 	struct ucred *cred;
234 	struct prison *pr;
235 
236 	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
237 
238 	td = arg;
239 	ar = mem;
240 	bzero(ar, sizeof(*ar));
241 	ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
242 	nanotime(&ar->k_ar.ar_starttime);
243 
244 	/*
245 	 * Export the subject credential.
246 	 */
247 	cred = td->td_ucred;
248 	cru2x(cred, &ar->k_ar.ar_subj_cred);
249 	ar->k_ar.ar_subj_ruid = cred->cr_ruid;
250 	ar->k_ar.ar_subj_rgid = cred->cr_rgid;
251 	ar->k_ar.ar_subj_egid = cred->cr_groups[0];
252 	ar->k_ar.ar_subj_auid = cred->cr_audit.ai_auid;
253 	ar->k_ar.ar_subj_asid = cred->cr_audit.ai_asid;
254 	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
255 	ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
256 	ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
257 	/*
258 	 * If this process is jailed, make sure we capture the name of the
259 	 * jail so we can use it to generate a zonename token when we covert
260 	 * this record to BSM.
261 	 */
262 	if (jailed(cred)) {
263 		pr = cred->cr_prison;
264 		(void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
265 		    sizeof(ar->k_ar.ar_jailname));
266 	} else
267 		ar->k_ar.ar_jailname[0] = '\0';
268 	return (0);
269 }
270 
271 static void
272 audit_record_dtor(void *mem, int size, void *arg)
273 {
274 	struct kaudit_record *ar;
275 
276 	KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
277 
278 	ar = mem;
279 	if (ar->k_ar.ar_arg_upath1 != NULL)
280 		free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
281 	if (ar->k_ar.ar_arg_upath2 != NULL)
282 		free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
283 	if (ar->k_ar.ar_arg_text != NULL)
284 		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
285 	if (ar->k_udata != NULL)
286 		free(ar->k_udata, M_AUDITDATA);
287 	if (ar->k_ar.ar_arg_argv != NULL)
288 		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
289 	if (ar->k_ar.ar_arg_envv != NULL)
290 		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
291 	if (ar->k_ar.ar_arg_groups.gidset != NULL)
292 		free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
293 }
294 
295 /*
296  * Initialize the Audit subsystem: configuration state, work queue,
297  * synchronization primitives, worker thread, and trigger device node.  Also
298  * call into the BSM assembly code to initialize it.
299  */
300 static void
301 audit_init(void)
302 {
303 
304 	audit_enabled = 0;
305 	audit_suspended = 0;
306 	audit_panic_on_write_fail = 0;
307 	audit_fail_stop = 0;
308 	audit_in_failure = 0;
309 	audit_argv = 0;
310 	audit_arge = 0;
311 
312 	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded. */
313 	audit_fstat.af_currsz = 0;
314 	audit_nae_mask.am_success = 0;
315 	audit_nae_mask.am_failure = 0;
316 
317 	TAILQ_INIT(&audit_q);
318 	audit_q_len = 0;
319 	audit_pre_q_len = 0;
320 	audit_qctrl.aq_hiwater = AQ_HIWATER;
321 	audit_qctrl.aq_lowater = AQ_LOWATER;
322 	audit_qctrl.aq_bufsz = AQ_BUFSZ;
323 	audit_qctrl.aq_minfree = AU_FS_MINFREE;
324 
325 	audit_kinfo.ai_termid.at_type = AU_IPv4;
326 	audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY;
327 
328 	mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
329 	KINFO_LOCK_INIT();
330 	cv_init(&audit_worker_cv, "audit_worker_cv");
331 	cv_init(&audit_watermark_cv, "audit_watermark_cv");
332 	cv_init(&audit_fail_cv, "audit_fail_cv");
333 
334 	audit_record_zone = uma_zcreate("audit_record",
335 	    sizeof(struct kaudit_record), audit_record_ctor,
336 	    audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
337 
338 	/* Initialize the BSM audit subsystem. */
339 	kau_init();
340 
341 	audit_trigger_init();
342 
343 	/* Register shutdown handler. */
344 	EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
345 	    SHUTDOWN_PRI_FIRST);
346 
347 	/* Start audit worker thread. */
348 	audit_worker_init();
349 }
350 
351 SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL);
352 
353 /*
354  * Drain the audit queue and close the log at shutdown.  Note that this can
355  * be called both from the system shutdown path and also from audit
356  * configuration syscalls, so 'arg' and 'howto' are ignored.
357  *
358  * XXXRW: In FreeBSD 7.x and 8.x, this fails to wait for the record queue to
359  * drain before returning, which could lead to lost records on shutdown.
360  */
361 void
362 audit_shutdown(void *arg, int howto)
363 {
364 
365 	audit_rotate_vnode(NULL, NULL);
366 }
367 
368 /*
369  * Return the current thread's audit record, if any.
370  */
371 struct kaudit_record *
372 currecord(void)
373 {
374 
375 	return (curthread->td_ar);
376 }
377 
378 /*
379  * XXXAUDIT: There are a number of races present in the code below due to
380  * release and re-grab of the mutex.  The code should be revised to become
381  * slightly less racy.
382  *
383  * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
384  * pre_q space, suspending the system call until there is room?
385  */
386 struct kaudit_record *
387 audit_new(int event, struct thread *td)
388 {
389 	struct kaudit_record *ar;
390 	int no_record;
391 
392 	mtx_lock(&audit_mtx);
393 	no_record = (audit_suspended || !audit_enabled);
394 	mtx_unlock(&audit_mtx);
395 	if (no_record)
396 		return (NULL);
397 
398 	/*
399 	 * Note: the number of outstanding uncommitted audit records is
400 	 * limited to the number of concurrent threads servicing system calls
401 	 * in the kernel.
402 	 */
403 	ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
404 	ar->k_ar.ar_event = event;
405 
406 	mtx_lock(&audit_mtx);
407 	audit_pre_q_len++;
408 	mtx_unlock(&audit_mtx);
409 
410 	return (ar);
411 }
412 
413 void
414 audit_free(struct kaudit_record *ar)
415 {
416 
417 	uma_zfree(audit_record_zone, ar);
418 }
419 
420 void
421 audit_commit(struct kaudit_record *ar, int error, int retval)
422 {
423 	au_event_t event;
424 	au_class_t class;
425 	au_id_t auid;
426 	int sorf;
427 	struct au_mask *aumask;
428 
429 	if (ar == NULL)
430 		return;
431 
432 	ar->k_ar.ar_errno = error;
433 	ar->k_ar.ar_retval = retval;
434 	nanotime(&ar->k_ar.ar_endtime);
435 
436 	/*
437 	 * Decide whether to commit the audit record by checking the error
438 	 * value from the system call and using the appropriate audit mask.
439 	 */
440 	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
441 		aumask = &audit_nae_mask;
442 	else
443 		aumask = &ar->k_ar.ar_subj_amask;
444 
445 	if (error)
446 		sorf = AU_PRS_FAILURE;
447 	else
448 		sorf = AU_PRS_SUCCESS;
449 
450 	/*
451 	 * syscalls.master sometimes contains a prototype event number, which
452 	 * we will transform into a more specific event number now that we
453 	 * have more complete information gathered during the system call.
454 	 */
455 	switch(ar->k_ar.ar_event) {
456 	case AUE_OPEN_RWTC:
457 		ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
458 		    ar->k_ar.ar_arg_fflags, error);
459 		break;
460 
461 	case AUE_OPENAT_RWTC:
462 		ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
463 		    ar->k_ar.ar_arg_fflags, error);
464 		break;
465 
466 	case AUE_SYSCTL:
467 		ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
468 		    ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
469 		break;
470 
471 	case AUE_AUDITON:
472 		/* Convert the auditon() command to an event. */
473 		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
474 		break;
475 
476 	case AUE_MSGSYS:
477 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
478 			ar->k_ar.ar_event =
479 			    audit_msgsys_to_event(ar->k_ar.ar_arg_svipc_which);
480 		break;
481 
482 	case AUE_SEMSYS:
483 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
484 			ar->k_ar.ar_event =
485 			    audit_semsys_to_event(ar->k_ar.ar_arg_svipc_which);
486 		break;
487 
488 	case AUE_SHMSYS:
489 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
490 			ar->k_ar.ar_event =
491 			    audit_shmsys_to_event(ar->k_ar.ar_arg_svipc_which);
492 		break;
493 	}
494 
495 	auid = ar->k_ar.ar_subj_auid;
496 	event = ar->k_ar.ar_event;
497 	class = au_event_class(event);
498 
499 	ar->k_ar_commit |= AR_COMMIT_KERNEL;
500 	if (au_preselect(event, class, aumask, sorf) != 0)
501 		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
502 	if (audit_pipe_preselect(auid, event, class, sorf,
503 	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
504 		ar->k_ar_commit |= AR_PRESELECT_PIPE;
505 #ifdef KDTRACE_HOOKS
506 	/*
507 	 * Expose the audit record to DTrace, both to allow the "commit" probe
508 	 * to fire if it's desirable, and also to allow a decision to be made
509 	 * about later firing with BSM in the audit worker.
510 	 */
511 	if (dtaudit_hook_commit != NULL) {
512 		if (dtaudit_hook_commit(ar, auid, event, class, sorf) != 0)
513 			ar->k_ar_commit |= AR_PRESELECT_DTRACE;
514 	}
515 #endif
516 
517 	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
518 	    AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE |
519 	    AR_PRESELECT_DTRACE)) == 0) {
520 		mtx_lock(&audit_mtx);
521 		audit_pre_q_len--;
522 		mtx_unlock(&audit_mtx);
523 		audit_free(ar);
524 		return;
525 	}
526 
527 	/*
528 	 * Note: it could be that some records initiated while audit was
529 	 * enabled should still be committed?
530 	 */
531 	mtx_lock(&audit_mtx);
532 	if (audit_suspended || !audit_enabled) {
533 		audit_pre_q_len--;
534 		mtx_unlock(&audit_mtx);
535 		audit_free(ar);
536 		return;
537 	}
538 
539 	/*
540 	 * Constrain the number of committed audit records based on the
541 	 * configurable parameter.
542 	 */
543 	while (audit_q_len >= audit_qctrl.aq_hiwater)
544 		cv_wait(&audit_watermark_cv, &audit_mtx);
545 
546 	TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
547 	audit_q_len++;
548 	audit_pre_q_len--;
549 	cv_signal(&audit_worker_cv);
550 	mtx_unlock(&audit_mtx);
551 }
552 
553 /*
554  * audit_syscall_enter() is called on entry to each system call.  It is
555  * responsible for deciding whether or not to audit the call (preselection),
556  * and if so, allocating a per-thread audit record.  audit_new() will fill in
557  * basic thread/credential properties.
558  */
559 void
560 audit_syscall_enter(unsigned short code, struct thread *td)
561 {
562 	struct au_mask *aumask;
563 #ifdef KDTRACE_HOOKS
564 	void *dtaudit_state;
565 #endif
566 	au_class_t class;
567 	au_event_t event;
568 	au_id_t auid;
569 	int record_needed;
570 
571 	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
572 	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
573 	    ("audit_syscall_enter: TDP_AUDITREC set"));
574 
575 	/*
576 	 * In FreeBSD, each ABI has its own system call table, and hence
577 	 * mapping of system call codes to audit events.  Convert the code to
578 	 * an audit event identifier using the process system call table
579 	 * reference.  In Darwin, there's only one, so we use the global
580 	 * symbol for the system call table.  No audit record is generated
581 	 * for bad system calls, as no operation has been performed.
582 	 */
583 	if (code >= td->td_proc->p_sysent->sv_size)
584 		return;
585 
586 	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
587 	if (event == AUE_NULL)
588 		return;
589 
590 	/*
591 	 * Check which audit mask to use; either the kernel non-attributable
592 	 * event mask or the process audit mask.
593 	 */
594 	auid = td->td_ucred->cr_audit.ai_auid;
595 	if (auid == AU_DEFAUDITID)
596 		aumask = &audit_nae_mask;
597 	else
598 		aumask = &td->td_ucred->cr_audit.ai_mask;
599 
600 	/*
601 	 * Determine whether trail or pipe preselection would like an audit
602 	 * record allocated for this system call.
603 	 */
604 	class = au_event_class(event);
605 	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
606 		/*
607 		 * If we're out of space and need to suspend unprivileged
608 		 * processes, do that here rather than trying to allocate
609 		 * another audit record.
610 		 *
611 		 * Note: we might wish to be able to continue here in the
612 		 * future, if the system recovers.  That should be possible
613 		 * by means of checking the condition in a loop around
614 		 * cv_wait().  It might be desirable to reevaluate whether an
615 		 * audit record is still required for this event by
616 		 * re-calling au_preselect().
617 		 */
618 		if (audit_in_failure &&
619 		    priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
620 			cv_wait(&audit_fail_cv, &audit_mtx);
621 			panic("audit_failing_stop: thread continued");
622 		}
623 		record_needed = 1;
624 	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
625 		record_needed = 1;
626 	} else {
627 		record_needed = 0;
628 	}
629 
630 	/*
631 	 * After audit trails and pipes have made their policy choices, DTrace
632 	 * may request that records be generated as well.  This is a slightly
633 	 * complex affair, as the DTrace audit provider needs the audit
634 	 * framework to maintain some state on the audit record, which has not
635 	 * been allocated at the point where the decision has to be made.
636 	 * This hook must run even if we are not changing the decision, as
637 	 * DTrace may want to stick event state onto a record we were going to
638 	 * produce due to the trail or pipes.  The event state returned by the
639 	 * DTrace provider must be safe without locks held between here and
640 	 * below -- i.e., dtaudit_state must must refer to stable memory.
641 	 */
642 #ifdef KDTRACE_HOOKS
643 	dtaudit_state = NULL;
644         if (dtaudit_hook_preselect != NULL) {
645 		dtaudit_state = dtaudit_hook_preselect(auid, event, class);
646 		if (dtaudit_state != NULL)
647 			record_needed = 1;
648 	}
649 #endif
650 
651 	/*
652 	 * If a record is required, allocate it and attach it to the thread
653 	 * for use throughout the system call.  Also attach DTrace state if
654 	 * required.
655 	 *
656 	 * XXXRW: If we decide to reference count the evname_elem underlying
657 	 * dtaudit_state, we will need to free here if no record is allocated
658 	 * or allocatable.
659 	 */
660 	if (record_needed) {
661 		td->td_ar = audit_new(event, td);
662 		if (td->td_ar != NULL) {
663 			td->td_pflags |= TDP_AUDITREC;
664 #ifdef KDTRACE_HOOKS
665 			td->td_ar->k_dtaudit_state = dtaudit_state;
666 #endif
667 		}
668 	} else
669 		td->td_ar = NULL;
670 }
671 
672 /*
673  * audit_syscall_exit() is called from the return of every system call, or in
674  * the event of exit1(), during the execution of exit1().  It is responsible
675  * for committing the audit record, if any, along with return condition.
676  */
677 void
678 audit_syscall_exit(int error, struct thread *td)
679 {
680 	int retval;
681 
682 	/*
683 	 * Commit the audit record as desired; once we pass the record into
684 	 * audit_commit(), the memory is owned by the audit subsystem.  The
685 	 * return value from the system call is stored on the user thread.
686 	 * If there was an error, the return value is set to -1, imitating
687 	 * the behavior of the cerror routine.
688 	 */
689 	if (error)
690 		retval = -1;
691 	else
692 		retval = td->td_retval[0];
693 
694 	audit_commit(td->td_ar, error, retval);
695 	td->td_ar = NULL;
696 	td->td_pflags &= ~TDP_AUDITREC;
697 }
698 
699 void
700 audit_cred_copy(struct ucred *src, struct ucred *dest)
701 {
702 
703 	bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit));
704 }
705 
706 void
707 audit_cred_destroy(struct ucred *cred)
708 {
709 
710 }
711 
712 void
713 audit_cred_init(struct ucred *cred)
714 {
715 
716 	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
717 }
718 
719 /*
720  * Initialize audit information for the first kernel process (proc 0) and for
721  * the first user process (init).
722  */
723 void
724 audit_cred_kproc0(struct ucred *cred)
725 {
726 
727 	cred->cr_audit.ai_auid = AU_DEFAUDITID;
728 	cred->cr_audit.ai_termid.at_type = AU_IPv4;
729 }
730 
731 void
732 audit_cred_proc1(struct ucred *cred)
733 {
734 
735 	cred->cr_audit.ai_auid = AU_DEFAUDITID;
736 	cred->cr_audit.ai_termid.at_type = AU_IPv4;
737 }
738 
739 void
740 audit_thread_alloc(struct thread *td)
741 {
742 
743 	td->td_ar = NULL;
744 }
745 
746 void
747 audit_thread_free(struct thread *td)
748 {
749 
750 	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
751 	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
752 	    ("audit_thread_free: TDP_AUDITREC set"));
753 }
754 
755 void
756 audit_proc_coredump(struct thread *td, char *path, int errcode)
757 {
758 	struct kaudit_record *ar;
759 	struct au_mask *aumask;
760 	struct ucred *cred;
761 	au_class_t class;
762 	int ret, sorf;
763 	char **pathp;
764 	au_id_t auid;
765 
766 	ret = 0;
767 
768 	/*
769 	 * Make sure we are using the correct preselection mask.
770 	 */
771 	cred = td->td_ucred;
772 	auid = cred->cr_audit.ai_auid;
773 	if (auid == AU_DEFAUDITID)
774 		aumask = &audit_nae_mask;
775 	else
776 		aumask = &cred->cr_audit.ai_mask;
777 	/*
778 	 * It's possible for coredump(9) generation to fail.  Make sure that
779 	 * we handle this case correctly for preselection.
780 	 */
781 	if (errcode != 0)
782 		sorf = AU_PRS_FAILURE;
783 	else
784 		sorf = AU_PRS_SUCCESS;
785 	class = au_event_class(AUE_CORE);
786 	if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 &&
787 	    audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0)
788 		return;
789 
790 	/*
791 	 * If we are interested in seeing this audit record, allocate it.
792 	 * Where possible coredump records should contain a pathname and arg32
793 	 * (signal) tokens.
794 	 */
795 	ar = audit_new(AUE_CORE, td);
796 	if (ar == NULL)
797 		return;
798 	if (path != NULL) {
799 		pathp = &ar->k_ar.ar_arg_upath1;
800 		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
801 		audit_canon_path(td, AT_FDCWD, path, *pathp);
802 		ARG_SET_VALID(ar, ARG_UPATH1);
803 	}
804 	ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
805 	ARG_SET_VALID(ar, ARG_SIGNUM);
806 	if (errcode != 0)
807 		ret = 1;
808 	audit_commit(ar, errcode, ret);
809 }
810