xref: /freebsd/sys/security/audit/audit.c (revision cd0d51baaa4509a1db83251a601d34404d20c990)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1999-2005 Apple Inc.
5  * Copyright (c) 2006-2007, 2016-2018 Robert N. M. Watson
6  * All rights reserved.
7  *
8  * Portions of this software were developed by BAE Systems, the University of
9  * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10  * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11  * Computing (TC) research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1.  Redistributions of source code must retain the above copyright
17  *     notice, this list of conditions and the following disclaimer.
18  * 2.  Redistributions in binary form must reproduce the above copyright
19  *     notice, this list of conditions and the following disclaimer in the
20  *     documentation and/or other materials provided with the distribution.
21  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
22  *     its contributors may be used to endorse or promote products derived
23  *     from this software without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35  * POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
40 
41 #include <sys/param.h>
42 #include <sys/condvar.h>
43 #include <sys/conf.h>
44 #include <sys/eventhandler.h>
45 #include <sys/file.h>
46 #include <sys/filedesc.h>
47 #include <sys/fcntl.h>
48 #include <sys/ipc.h>
49 #include <sys/jail.h>
50 #include <sys/kernel.h>
51 #include <sys/kthread.h>
52 #include <sys/malloc.h>
53 #include <sys/mount.h>
54 #include <sys/namei.h>
55 #include <sys/priv.h>
56 #include <sys/proc.h>
57 #include <sys/queue.h>
58 #include <sys/socket.h>
59 #include <sys/socketvar.h>
60 #include <sys/protosw.h>
61 #include <sys/domain.h>
62 #include <sys/sysctl.h>
63 #include <sys/sysproto.h>
64 #include <sys/sysent.h>
65 #include <sys/systm.h>
66 #include <sys/ucred.h>
67 #include <sys/uio.h>
68 #include <sys/un.h>
69 #include <sys/unistd.h>
70 #include <sys/vnode.h>
71 
72 #include <bsm/audit.h>
73 #include <bsm/audit_internal.h>
74 #include <bsm/audit_kevents.h>
75 
76 #include <netinet/in.h>
77 #include <netinet/in_pcb.h>
78 
79 #include <security/audit/audit.h>
80 #include <security/audit/audit_private.h>
81 
82 #include <vm/uma.h>
83 
84 FEATURE(audit, "BSM audit support");
85 
86 static uma_zone_t	audit_record_zone;
87 static MALLOC_DEFINE(M_AUDITCRED, "audit_cred", "Audit cred storage");
88 MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
89 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
90 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
91 MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
92 
93 static SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
94     "TrustedBSD audit controls");
95 
96 /*
97  * Audit control settings that are set/read by system calls and are hence
98  * non-static.
99  *
100  * Define the audit control flags.
101  */
102 int			audit_trail_enabled;
103 int			audit_trail_suspended;
104 #ifdef KDTRACE_HOOKS
105 u_int			audit_dtrace_enabled;
106 #endif
107 bool __read_frequently	audit_syscalls_enabled;
108 
109 /*
110  * Flags controlling behavior in low storage situations.  Should we panic if
111  * a write fails?  Should we fail stop if we're out of disk space?
112  */
113 int			audit_panic_on_write_fail;
114 int			audit_fail_stop;
115 int			audit_argv;
116 int			audit_arge;
117 
118 /*
119  * Are we currently "failing stop" due to out of disk space?
120  */
121 int			audit_in_failure;
122 
123 /*
124  * Global audit statistics.
125  */
126 struct audit_fstat	audit_fstat;
127 
128 /*
129  * Preselection mask for non-attributable events.
130  */
131 struct au_mask		audit_nae_mask;
132 
133 /*
134  * Mutex to protect global variables shared between various threads and
135  * processes.
136  */
137 struct mtx		audit_mtx;
138 
139 /*
140  * Queue of audit records ready for delivery to disk.  We insert new records
141  * at the tail, and remove records from the head.  Also, a count of the
142  * number of records used for checking queue depth.  In addition, a counter
143  * of records that we have allocated but are not yet in the queue, which is
144  * needed to estimate the total size of the combined set of records
145  * outstanding in the system.
146  */
147 struct kaudit_queue	audit_q;
148 int			audit_q_len;
149 int			audit_pre_q_len;
150 
151 /*
152  * Audit queue control settings (minimum free, low/high water marks, etc.)
153  */
154 struct au_qctrl		audit_qctrl;
155 
156 /*
157  * Condition variable to signal to the worker that it has work to do: either
158  * new records are in the queue, or a log replacement is taking place.
159  */
160 struct cv		audit_worker_cv;
161 
162 /*
163  * Condition variable to flag when crossing the low watermark, meaning that
164  * threads blocked due to hitting the high watermark can wake up and continue
165  * to commit records.
166  */
167 struct cv		audit_watermark_cv;
168 
169 /*
170  * Condition variable for  auditing threads wait on when in fail-stop mode.
171  * Threads wait on this CV forever (and ever), never seeing the light of day
172  * again.
173  */
174 static struct cv	audit_fail_cv;
175 
176 /*
177  * Optional DTrace audit provider support: function pointers for preselection
178  * and commit events.
179  */
180 #ifdef KDTRACE_HOOKS
181 void	*(*dtaudit_hook_preselect)(au_id_t auid, au_event_t event,
182 	    au_class_t class);
183 int	(*dtaudit_hook_commit)(struct kaudit_record *kar, au_id_t auid,
184 	    au_event_t event, au_class_t class, int sorf);
185 void	(*dtaudit_hook_bsm)(struct kaudit_record *kar, au_id_t auid,
186 	    au_event_t event, au_class_t class, int sorf,
187 	    void *bsm_data, size_t bsm_lenlen);
188 #endif
189 
190 /*
191  * Kernel audit information.  This will store the current audit address
192  * or host information that the kernel will use when it's generating
193  * audit records.  This data is modified by the A_GET{SET}KAUDIT auditon(2)
194  * command.
195  */
196 static struct auditinfo_addr	audit_kinfo;
197 static struct rwlock		audit_kinfo_lock;
198 
199 #define	KINFO_LOCK_INIT()	rw_init(&audit_kinfo_lock, \
200 				    "audit_kinfo_lock")
201 #define	KINFO_RLOCK()		rw_rlock(&audit_kinfo_lock)
202 #define	KINFO_WLOCK()		rw_wlock(&audit_kinfo_lock)
203 #define	KINFO_RUNLOCK()		rw_runlock(&audit_kinfo_lock)
204 #define	KINFO_WUNLOCK()		rw_wunlock(&audit_kinfo_lock)
205 
206 /*
207  * Check various policies to see if we should enable system-call audit hooks.
208  * Note that despite the mutex being held, we want to assign a value exactly
209  * once, as checks of the flag are performed lock-free for performance
210  * reasons.  The mutex is used to get a consistent snapshot of policy state --
211  * e.g., safely accessing the two audit_trail flags.
212  */
213 void
214 audit_syscalls_enabled_update(void)
215 {
216 
217 	mtx_lock(&audit_mtx);
218 #ifdef KDTRACE_HOOKS
219 	if (audit_dtrace_enabled)
220 		audit_syscalls_enabled = true;
221 	else {
222 #endif
223 		if (audit_trail_enabled && !audit_trail_suspended)
224 			audit_syscalls_enabled = true;
225 		else
226 			audit_syscalls_enabled = false;
227 #ifdef KDTRACE_HOOKS
228 	}
229 #endif
230 	mtx_unlock(&audit_mtx);
231 }
232 
233 void
234 audit_set_kinfo(struct auditinfo_addr *ak)
235 {
236 
237 	KASSERT(ak->ai_termid.at_type == AU_IPv4 ||
238 	    ak->ai_termid.at_type == AU_IPv6,
239 	    ("audit_set_kinfo: invalid address type"));
240 
241 	KINFO_WLOCK();
242 	audit_kinfo = *ak;
243 	KINFO_WUNLOCK();
244 }
245 
246 void
247 audit_get_kinfo(struct auditinfo_addr *ak)
248 {
249 
250 	KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 ||
251 	    audit_kinfo.ai_termid.at_type == AU_IPv6,
252 	    ("audit_set_kinfo: invalid address type"));
253 
254 	KINFO_RLOCK();
255 	*ak = audit_kinfo;
256 	KINFO_RUNLOCK();
257 }
258 
259 /*
260  * Construct an audit record for the passed thread.
261  */
262 static int
263 audit_record_ctor(void *mem, int size, void *arg, int flags)
264 {
265 	struct kaudit_record *ar;
266 	struct thread *td;
267 	struct ucred *cred;
268 	struct prison *pr;
269 
270 	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
271 
272 	td = arg;
273 	ar = mem;
274 	bzero(ar, sizeof(*ar));
275 	ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
276 	nanotime(&ar->k_ar.ar_starttime);
277 
278 	/*
279 	 * Export the subject credential.
280 	 */
281 	cred = td->td_ucred;
282 	cru2x(cred, &ar->k_ar.ar_subj_cred);
283 	ar->k_ar.ar_subj_ruid = cred->cr_ruid;
284 	ar->k_ar.ar_subj_rgid = cred->cr_rgid;
285 	ar->k_ar.ar_subj_egid = cred->cr_groups[0];
286 	ar->k_ar.ar_subj_auid = cred->cr_audit.ai_auid;
287 	ar->k_ar.ar_subj_asid = cred->cr_audit.ai_asid;
288 	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
289 	ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
290 	ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
291 	/*
292 	 * If this process is jailed, make sure we capture the name of the
293 	 * jail so we can use it to generate a zonename token when we covert
294 	 * this record to BSM.
295 	 */
296 	if (jailed(cred)) {
297 		pr = cred->cr_prison;
298 		(void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
299 		    sizeof(ar->k_ar.ar_jailname));
300 	} else
301 		ar->k_ar.ar_jailname[0] = '\0';
302 	return (0);
303 }
304 
305 static void
306 audit_record_dtor(void *mem, int size, void *arg)
307 {
308 	struct kaudit_record *ar;
309 
310 	KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
311 
312 	ar = mem;
313 	if (ar->k_ar.ar_arg_upath1 != NULL)
314 		free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
315 	if (ar->k_ar.ar_arg_upath2 != NULL)
316 		free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
317 	if (ar->k_ar.ar_arg_text != NULL)
318 		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
319 	if (ar->k_udata != NULL)
320 		free(ar->k_udata, M_AUDITDATA);
321 	if (ar->k_ar.ar_arg_argv != NULL)
322 		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
323 	if (ar->k_ar.ar_arg_envv != NULL)
324 		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
325 	if (ar->k_ar.ar_arg_groups.gidset != NULL)
326 		free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
327 }
328 
329 /*
330  * Initialize the Audit subsystem: configuration state, work queue,
331  * synchronization primitives, worker thread, and trigger device node.  Also
332  * call into the BSM assembly code to initialize it.
333  */
334 static void
335 audit_init(void)
336 {
337 
338 	audit_trail_enabled = 0;
339 	audit_trail_suspended = 0;
340 	audit_syscalls_enabled = false;
341 	audit_panic_on_write_fail = 0;
342 	audit_fail_stop = 0;
343 	audit_in_failure = 0;
344 	audit_argv = 0;
345 	audit_arge = 0;
346 
347 	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded. */
348 	audit_fstat.af_currsz = 0;
349 	audit_nae_mask.am_success = 0;
350 	audit_nae_mask.am_failure = 0;
351 
352 	TAILQ_INIT(&audit_q);
353 	audit_q_len = 0;
354 	audit_pre_q_len = 0;
355 	audit_qctrl.aq_hiwater = AQ_HIWATER;
356 	audit_qctrl.aq_lowater = AQ_LOWATER;
357 	audit_qctrl.aq_bufsz = AQ_BUFSZ;
358 	audit_qctrl.aq_minfree = AU_FS_MINFREE;
359 
360 	audit_kinfo.ai_termid.at_type = AU_IPv4;
361 	audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY;
362 
363 	mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
364 	KINFO_LOCK_INIT();
365 	cv_init(&audit_worker_cv, "audit_worker_cv");
366 	cv_init(&audit_watermark_cv, "audit_watermark_cv");
367 	cv_init(&audit_fail_cv, "audit_fail_cv");
368 
369 	audit_record_zone = uma_zcreate("audit_record",
370 	    sizeof(struct kaudit_record), audit_record_ctor,
371 	    audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
372 
373 	/* First initialisation of audit_syscalls_enabled. */
374 	audit_syscalls_enabled_update();
375 
376 	/* Initialize the BSM audit subsystem. */
377 	kau_init();
378 
379 	audit_trigger_init();
380 
381 	/* Register shutdown handler. */
382 	EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
383 	    SHUTDOWN_PRI_FIRST);
384 
385 	/* Start audit worker thread. */
386 	audit_worker_init();
387 }
388 
389 SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL);
390 
391 /*
392  * Drain the audit queue and close the log at shutdown.  Note that this can
393  * be called both from the system shutdown path and also from audit
394  * configuration syscalls, so 'arg' and 'howto' are ignored.
395  *
396  * XXXRW: In FreeBSD 7.x and 8.x, this fails to wait for the record queue to
397  * drain before returning, which could lead to lost records on shutdown.
398  */
399 void
400 audit_shutdown(void *arg, int howto)
401 {
402 
403 	audit_rotate_vnode(NULL, NULL);
404 }
405 
406 /*
407  * Return the current thread's audit record, if any.
408  */
409 struct kaudit_record *
410 currecord(void)
411 {
412 
413 	return (curthread->td_ar);
414 }
415 
416 /*
417  * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
418  * pre_q space, suspending the system call until there is room?
419  */
420 struct kaudit_record *
421 audit_new(int event, struct thread *td)
422 {
423 	struct kaudit_record *ar;
424 
425 	/*
426 	 * Note: the number of outstanding uncommitted audit records is
427 	 * limited to the number of concurrent threads servicing system calls
428 	 * in the kernel.
429 	 */
430 	ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
431 	ar->k_ar.ar_event = event;
432 
433 	mtx_lock(&audit_mtx);
434 	audit_pre_q_len++;
435 	mtx_unlock(&audit_mtx);
436 
437 	return (ar);
438 }
439 
440 void
441 audit_free(struct kaudit_record *ar)
442 {
443 
444 	uma_zfree(audit_record_zone, ar);
445 }
446 
447 void
448 audit_commit(struct kaudit_record *ar, int error, int retval)
449 {
450 	au_event_t event;
451 	au_class_t class;
452 	au_id_t auid;
453 	int sorf;
454 	struct au_mask *aumask;
455 
456 	if (ar == NULL)
457 		return;
458 
459 	ar->k_ar.ar_errno = error;
460 	ar->k_ar.ar_retval = retval;
461 	nanotime(&ar->k_ar.ar_endtime);
462 
463 	/*
464 	 * Decide whether to commit the audit record by checking the error
465 	 * value from the system call and using the appropriate audit mask.
466 	 */
467 	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
468 		aumask = &audit_nae_mask;
469 	else
470 		aumask = &ar->k_ar.ar_subj_amask;
471 
472 	if (error)
473 		sorf = AU_PRS_FAILURE;
474 	else
475 		sorf = AU_PRS_SUCCESS;
476 
477 	/*
478 	 * syscalls.master sometimes contains a prototype event number, which
479 	 * we will transform into a more specific event number now that we
480 	 * have more complete information gathered during the system call.
481 	 */
482 	switch(ar->k_ar.ar_event) {
483 	case AUE_OPEN_RWTC:
484 		ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
485 		    ar->k_ar.ar_arg_fflags, error);
486 		break;
487 
488 	case AUE_OPENAT_RWTC:
489 		ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
490 		    ar->k_ar.ar_arg_fflags, error);
491 		break;
492 
493 	case AUE_SYSCTL:
494 		ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
495 		    ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
496 		break;
497 
498 	case AUE_AUDITON:
499 		/* Convert the auditon() command to an event. */
500 		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
501 		break;
502 
503 	case AUE_MSGSYS:
504 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
505 			ar->k_ar.ar_event =
506 			    audit_msgsys_to_event(ar->k_ar.ar_arg_svipc_which);
507 		break;
508 
509 	case AUE_SEMSYS:
510 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
511 			ar->k_ar.ar_event =
512 			    audit_semsys_to_event(ar->k_ar.ar_arg_svipc_which);
513 		break;
514 
515 	case AUE_SHMSYS:
516 		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
517 			ar->k_ar.ar_event =
518 			    audit_shmsys_to_event(ar->k_ar.ar_arg_svipc_which);
519 		break;
520 	}
521 
522 	auid = ar->k_ar.ar_subj_auid;
523 	event = ar->k_ar.ar_event;
524 	class = au_event_class(event);
525 
526 	ar->k_ar_commit |= AR_COMMIT_KERNEL;
527 	if (au_preselect(event, class, aumask, sorf) != 0)
528 		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
529 	if (audit_pipe_preselect(auid, event, class, sorf,
530 	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
531 		ar->k_ar_commit |= AR_PRESELECT_PIPE;
532 #ifdef KDTRACE_HOOKS
533 	/*
534 	 * Expose the audit record to DTrace, both to allow the "commit" probe
535 	 * to fire if it's desirable, and also to allow a decision to be made
536 	 * about later firing with BSM in the audit worker.
537 	 */
538 	if (dtaudit_hook_commit != NULL) {
539 		if (dtaudit_hook_commit(ar, auid, event, class, sorf) != 0)
540 			ar->k_ar_commit |= AR_PRESELECT_DTRACE;
541 	}
542 #endif
543 
544 	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
545 	    AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE |
546 	    AR_PRESELECT_DTRACE)) == 0) {
547 		mtx_lock(&audit_mtx);
548 		audit_pre_q_len--;
549 		mtx_unlock(&audit_mtx);
550 		audit_free(ar);
551 		return;
552 	}
553 
554 	/*
555 	 * Note: it could be that some records initiated while audit was
556 	 * enabled should still be committed?
557 	 *
558 	 * NB: The check here is not for audit_syscalls because any
559 	 * DTrace-related obligations have been fulfilled above -- we're just
560 	 * down to the trail and pipes now.
561 	 */
562 	mtx_lock(&audit_mtx);
563 	if (audit_trail_suspended || !audit_trail_enabled) {
564 		audit_pre_q_len--;
565 		mtx_unlock(&audit_mtx);
566 		audit_free(ar);
567 		return;
568 	}
569 
570 	/*
571 	 * Constrain the number of committed audit records based on the
572 	 * configurable parameter.
573 	 */
574 	while (audit_q_len >= audit_qctrl.aq_hiwater)
575 		cv_wait(&audit_watermark_cv, &audit_mtx);
576 
577 	TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
578 	audit_q_len++;
579 	audit_pre_q_len--;
580 	cv_signal(&audit_worker_cv);
581 	mtx_unlock(&audit_mtx);
582 }
583 
584 /*
585  * audit_syscall_enter() is called on entry to each system call.  It is
586  * responsible for deciding whether or not to audit the call (preselection),
587  * and if so, allocating a per-thread audit record.  audit_new() will fill in
588  * basic thread/credential properties.
589  *
590  * This function will be entered only if audit_syscalls_enabled was set in the
591  * macro wrapper for this function.  It could be cleared by the time this
592  * function runs, but that is an acceptable race.
593  */
594 void
595 audit_syscall_enter(unsigned short code, struct thread *td)
596 {
597 	struct au_mask *aumask;
598 #ifdef KDTRACE_HOOKS
599 	void *dtaudit_state;
600 #endif
601 	au_class_t class;
602 	au_event_t event;
603 	au_id_t auid;
604 	int record_needed;
605 
606 	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
607 	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
608 	    ("audit_syscall_enter: TDP_AUDITREC set"));
609 
610 	/*
611 	 * In FreeBSD, each ABI has its own system call table, and hence
612 	 * mapping of system call codes to audit events.  Convert the code to
613 	 * an audit event identifier using the process system call table
614 	 * reference.  In Darwin, there's only one, so we use the global
615 	 * symbol for the system call table.  No audit record is generated
616 	 * for bad system calls, as no operation has been performed.
617 	 */
618 	if (code >= td->td_proc->p_sysent->sv_size)
619 		return;
620 
621 	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
622 	if (event == AUE_NULL)
623 		return;
624 
625 	/*
626 	 * Check which audit mask to use; either the kernel non-attributable
627 	 * event mask or the process audit mask.
628 	 */
629 	auid = td->td_ucred->cr_audit.ai_auid;
630 	if (auid == AU_DEFAUDITID)
631 		aumask = &audit_nae_mask;
632 	else
633 		aumask = &td->td_ucred->cr_audit.ai_mask;
634 
635 	/*
636 	 * Determine whether trail or pipe preselection would like an audit
637 	 * record allocated for this system call.
638 	 */
639 	class = au_event_class(event);
640 	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
641 		/*
642 		 * If we're out of space and need to suspend unprivileged
643 		 * processes, do that here rather than trying to allocate
644 		 * another audit record.
645 		 *
646 		 * Note: we might wish to be able to continue here in the
647 		 * future, if the system recovers.  That should be possible
648 		 * by means of checking the condition in a loop around
649 		 * cv_wait().  It might be desirable to reevaluate whether an
650 		 * audit record is still required for this event by
651 		 * re-calling au_preselect().
652 		 */
653 		if (audit_in_failure &&
654 		    priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
655 			cv_wait(&audit_fail_cv, &audit_mtx);
656 			panic("audit_failing_stop: thread continued");
657 		}
658 		record_needed = 1;
659 	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
660 		record_needed = 1;
661 	} else {
662 		record_needed = 0;
663 	}
664 
665 	/*
666 	 * After audit trails and pipes have made their policy choices, DTrace
667 	 * may request that records be generated as well.  This is a slightly
668 	 * complex affair, as the DTrace audit provider needs the audit
669 	 * framework to maintain some state on the audit record, which has not
670 	 * been allocated at the point where the decision has to be made.
671 	 * This hook must run even if we are not changing the decision, as
672 	 * DTrace may want to stick event state onto a record we were going to
673 	 * produce due to the trail or pipes.  The event state returned by the
674 	 * DTrace provider must be safe without locks held between here and
675 	 * below -- i.e., dtaudit_state must must refer to stable memory.
676 	 */
677 #ifdef KDTRACE_HOOKS
678 	dtaudit_state = NULL;
679         if (dtaudit_hook_preselect != NULL) {
680 		dtaudit_state = dtaudit_hook_preselect(auid, event, class);
681 		if (dtaudit_state != NULL)
682 			record_needed = 1;
683 	}
684 #endif
685 
686 	/*
687 	 * If a record is required, allocate it and attach it to the thread
688 	 * for use throughout the system call.  Also attach DTrace state if
689 	 * required.
690 	 *
691 	 * XXXRW: If we decide to reference count the evname_elem underlying
692 	 * dtaudit_state, we will need to free here if no record is allocated
693 	 * or allocatable.
694 	 */
695 	if (record_needed) {
696 		td->td_ar = audit_new(event, td);
697 		if (td->td_ar != NULL) {
698 			td->td_pflags |= TDP_AUDITREC;
699 #ifdef KDTRACE_HOOKS
700 			td->td_ar->k_dtaudit_state = dtaudit_state;
701 #endif
702 		}
703 	} else
704 		td->td_ar = NULL;
705 }
706 
707 /*
708  * audit_syscall_exit() is called from the return of every system call, or in
709  * the event of exit1(), during the execution of exit1().  It is responsible
710  * for committing the audit record, if any, along with return condition.
711  */
712 void
713 audit_syscall_exit(int error, struct thread *td)
714 {
715 	int retval;
716 
717 	/*
718 	 * Commit the audit record as desired; once we pass the record into
719 	 * audit_commit(), the memory is owned by the audit subsystem.  The
720 	 * return value from the system call is stored on the user thread.
721 	 * If there was an error, the return value is set to -1, imitating
722 	 * the behavior of the cerror routine.
723 	 */
724 	if (error)
725 		retval = -1;
726 	else
727 		retval = td->td_retval[0];
728 
729 	audit_commit(td->td_ar, error, retval);
730 	td->td_ar = NULL;
731 	td->td_pflags &= ~TDP_AUDITREC;
732 }
733 
734 void
735 audit_cred_copy(struct ucred *src, struct ucred *dest)
736 {
737 
738 	bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit));
739 }
740 
741 void
742 audit_cred_destroy(struct ucred *cred)
743 {
744 
745 }
746 
747 void
748 audit_cred_init(struct ucred *cred)
749 {
750 
751 	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
752 }
753 
754 /*
755  * Initialize audit information for the first kernel process (proc 0) and for
756  * the first user process (init).
757  */
758 void
759 audit_cred_kproc0(struct ucred *cred)
760 {
761 
762 	cred->cr_audit.ai_auid = AU_DEFAUDITID;
763 	cred->cr_audit.ai_termid.at_type = AU_IPv4;
764 }
765 
766 void
767 audit_cred_proc1(struct ucred *cred)
768 {
769 
770 	cred->cr_audit.ai_auid = AU_DEFAUDITID;
771 	cred->cr_audit.ai_termid.at_type = AU_IPv4;
772 }
773 
774 void
775 audit_thread_alloc(struct thread *td)
776 {
777 
778 	td->td_ar = NULL;
779 }
780 
781 void
782 audit_thread_free(struct thread *td)
783 {
784 
785 	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
786 	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
787 	    ("audit_thread_free: TDP_AUDITREC set"));
788 }
789 
790 void
791 audit_proc_coredump(struct thread *td, char *path, int errcode)
792 {
793 	struct kaudit_record *ar;
794 	struct au_mask *aumask;
795 	struct ucred *cred;
796 	au_class_t class;
797 	int ret, sorf;
798 	char **pathp;
799 	au_id_t auid;
800 
801 	ret = 0;
802 
803 	/*
804 	 * Make sure we are using the correct preselection mask.
805 	 */
806 	cred = td->td_ucred;
807 	auid = cred->cr_audit.ai_auid;
808 	if (auid == AU_DEFAUDITID)
809 		aumask = &audit_nae_mask;
810 	else
811 		aumask = &cred->cr_audit.ai_mask;
812 	/*
813 	 * It's possible for coredump(9) generation to fail.  Make sure that
814 	 * we handle this case correctly for preselection.
815 	 */
816 	if (errcode != 0)
817 		sorf = AU_PRS_FAILURE;
818 	else
819 		sorf = AU_PRS_SUCCESS;
820 	class = au_event_class(AUE_CORE);
821 	if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 &&
822 	    audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0)
823 		return;
824 
825 	/*
826 	 * If we are interested in seeing this audit record, allocate it.
827 	 * Where possible coredump records should contain a pathname and arg32
828 	 * (signal) tokens.
829 	 */
830 	ar = audit_new(AUE_CORE, td);
831 	if (ar == NULL)
832 		return;
833 	if (path != NULL) {
834 		pathp = &ar->k_ar.ar_arg_upath1;
835 		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
836 		audit_canon_path(td, AT_FDCWD, path, *pathp);
837 		ARG_SET_VALID(ar, ARG_UPATH1);
838 	}
839 	ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
840 	ARG_SET_VALID(ar, ARG_SIGNUM);
841 	if (errcode != 0)
842 		ret = 1;
843 	audit_commit(ar, errcode, ret);
844 }
845