1f6d4a8a7SRobert Watson /*- 2bc9a43d6SRobert Watson * Copyright (c) 1999-2005 Apple Inc. 3b7830259SRobert Watson * Copyright (c) 2016-2017 Robert N. M. Watson 4718c8510SRobert Watson * All rights reserved. 5718c8510SRobert Watson * 6b7830259SRobert Watson * Portions of this software were developed by BAE Systems, the University of 7b7830259SRobert Watson * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 8b7830259SRobert Watson * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 9b7830259SRobert Watson * Computing (TC) research program. 10b7830259SRobert Watson * 11718c8510SRobert Watson * Redistribution and use in source and binary forms, with or without 12718c8510SRobert Watson * modification, are permitted provided that the following conditions 13718c8510SRobert Watson * are met: 14718c8510SRobert Watson * 1. Redistributions of source code must retain the above copyright 15718c8510SRobert Watson * notice, this list of conditions and the following disclaimer. 16718c8510SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 17718c8510SRobert Watson * notice, this list of conditions and the following disclaimer in the 18718c8510SRobert Watson * documentation and/or other materials provided with the distribution. 19bc9a43d6SRobert Watson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20718c8510SRobert Watson * its contributors may be used to endorse or promote products derived 21718c8510SRobert Watson * from this software without specific prior written permission. 22718c8510SRobert Watson * 23718c8510SRobert Watson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24718c8510SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25718c8510SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26718c8510SRobert Watson * ARE DISCLAIMED. 
IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27718c8510SRobert Watson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28718c8510SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29718c8510SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30718c8510SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31718c8510SRobert Watson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32718c8510SRobert Watson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33718c8510SRobert Watson * POSSIBILITY OF SUCH DAMAGE. 34718c8510SRobert Watson */ 35718c8510SRobert Watson 36dda409d4SRobert Watson #include <sys/cdefs.h> 37dda409d4SRobert Watson __FBSDID("$FreeBSD$"); 38dda409d4SRobert Watson 39718c8510SRobert Watson #include <sys/param.h> 40718c8510SRobert Watson #include <sys/filedesc.h> 419ef8328dSMateusz Guzik #include <sys/capsicum.h> 42718c8510SRobert Watson #include <sys/ipc.h> 43718c8510SRobert Watson #include <sys/mount.h> 44718c8510SRobert Watson #include <sys/proc.h> 45718c8510SRobert Watson #include <sys/socket.h> 46718c8510SRobert Watson #include <sys/socketvar.h> 47718c8510SRobert Watson #include <sys/protosw.h> 48718c8510SRobert Watson #include <sys/domain.h> 495619113cSRobert Watson #include <sys/sbuf.h> 50718c8510SRobert Watson #include <sys/systm.h> 51718c8510SRobert Watson #include <sys/un.h> 52718c8510SRobert Watson #include <sys/vnode.h> 53718c8510SRobert Watson 54718c8510SRobert Watson #include <netinet/in.h> 55718c8510SRobert Watson #include <netinet/in_pcb.h> 56718c8510SRobert Watson 57718c8510SRobert Watson #include <security/audit/audit.h> 58718c8510SRobert Watson #include <security/audit/audit_private.h> 59718c8510SRobert Watson 60718c8510SRobert Watson /* 61718c8510SRobert Watson * Calls to manipulate elements of the audit record structure from system 62d8c0f4dcSRobert Watson 
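* call code.  Macro wrappers will prevent these functions from being entered
 * if auditing is disabled, avoiding the function call cost.  We check the
 * thread audit record pointer anyway, as the audit condition could change,
 * and pre-selection may not have allocated an audit record for this event.
 *
 * Every routine here follows the same shape: look up the current thread's
 * record with currecord(), return silently if there is none, store the
 * argument(s) into k_ar, and mark the matching ARG_* bit(s) valid so that
 * later consumers of the record know which fields are populated.
 *
 * Where a routine copies caller-supplied, variable-length data into a
 * fixed-size record field (group sets, sysctl names, socket addresses), the
 * copy is bounded by the destination: audit must never be the place where a
 * length the caller got wrong turns into kernel memory corruption.
 *
 * XXXAUDIT: Should we assert, in each case, that this field of the record
 * hasn't already been filled in?
 */

/* Record a generic address argument. */
void
audit_arg_addr(void *addr)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_addr = addr;
	ARG_SET_VALID(ar, ARG_ADDR);
}

/* Record an exit status and the matching return value. */
void
audit_arg_exit(int status, int retval)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_exitstatus = status;
	ar->k_ar.ar_arg_exitretval = retval;
	ARG_SET_VALID(ar, ARG_EXIT);
}

/* Record a length argument. */
void
audit_arg_len(int len)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_len = len;
	ARG_SET_VALID(ar, ARG_LEN);
}

/* Record the first directory descriptor of an *at(2)-style call. */
void
audit_arg_atfd1(int atfd)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_atfd1 = atfd;
	ARG_SET_VALID(ar, ARG_ATFD1);
}

/* Record the second directory descriptor of an *at(2)-style call. */
void
audit_arg_atfd2(int atfd)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_atfd2 = atfd;
	ARG_SET_VALID(ar, ARG_ATFD2);
}

/* Record a file descriptor argument. */
void
audit_arg_fd(int fd)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_fd = fd;
	ARG_SET_VALID(ar, ARG_FD);
}

/* Record file flags (the fflags value as passed by the caller). */
void
audit_arg_fflags(int fflags)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_fflags = fflags;
	ARG_SET_VALID(ar, ARG_FFLAGS);
}

/* Record a group ID argument. */
void
audit_arg_gid(gid_t gid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_gid = gid;
	ARG_SET_VALID(ar, ARG_GID);
}

/* Record a user ID argument. */
void
audit_arg_uid(uid_t uid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_uid = uid;
	ARG_SET_VALID(ar, ARG_UID);
}

/* Record an effective group ID argument. */
void
audit_arg_egid(gid_t egid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_egid = egid;
	ARG_SET_VALID(ar, ARG_EGID);
}

/* Record an effective user ID argument. */
void
audit_arg_euid(uid_t euid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_euid = euid;
	ARG_SET_VALID(ar, ARG_EUID);
}

/* Record a real group ID argument. */
void
audit_arg_rgid(gid_t rgid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_rgid = rgid;
	ARG_SET_VALID(ar, ARG_RGID);
}

/* Record a real user ID argument. */
void
audit_arg_ruid(uid_t ruid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_ruid = ruid;
	ARG_SET_VALID(ar, ARG_RUID);
}

/* Record a saved group ID argument. */
void
audit_arg_sgid(gid_t sgid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_sgid = sgid;
	ARG_SET_VALID(ar, ARG_SGID);
}

/* Record a saved user ID argument. */
void
audit_arg_suid(uid_t suid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_suid = suid;
	ARG_SET_VALID(ar, ARG_SUID);
}

/*
 * Record a supplementary group set.  Storage for the copy lives in the record
 * and is released with the record.  This function is the only allocator of
 * that buffer visible here, and it always sets gidset_size immediately after
 * filling it, so gidset_size doubles as the buffer's capacity: a buffer left
 * over from an earlier, smaller call is replaced rather than reused, since
 * reusing it for a larger set would write past its end.
 */
void
audit_arg_groupset(gid_t *gidset, u_int gidset_size)
{
	u_int i;
	struct kaudit_record *ar;

	KASSERT(gidset_size <= ngroups_max + 1,
	    ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));

	ar = currecord();
	if (ar == NULL)
		return;

	if (ar->k_ar.ar_arg_groups.gidset != NULL &&
	    ar->k_ar.ar_arg_groups.gidset_size < gidset_size) {
		free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
		ar->k_ar.ar_arg_groups.gidset = NULL;
	}
	if (ar->k_ar.ar_arg_groups.gidset == NULL)
		ar->k_ar.ar_arg_groups.gidset = malloc(
		    sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK);

	for (i = 0; i < gidset_size; i++)
		ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
	ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
	ARG_SET_VALID(ar, ARG_GROUPSET);
}

/*
 * Record a login name.  strlcpy() bounds the copy to MAXLOGNAME and always
 * NUL-terminates, truncating longer names.
 */
void
audit_arg_login(char *login)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
	ARG_SET_VALID(ar, ARG_LOGIN);
}

/*
 * Record a sysctl MIB name.  The record field is a fixed-size array, so the
 * element count is bounded by its capacity rather than trusted: a negative
 * or oversized namelen would otherwise turn into an unbounded bcopy().
 * Callers are expected to have validated namelen already (presumably against
 * CTL_MAXNAME); the KASSERT catches one that has not on INVARIANTS kernels,
 * and the clamp keeps a production kernel from corrupting memory.  The
 * recorded ARG_LEN reflects the (possibly clamped) count actually copied.
 */
void
audit_arg_ctlname(int *name, int namelen)
{
	struct kaudit_record *ar;
	size_t maxlen;

	ar = currecord();
	if (ar == NULL)
		return;

	maxlen = sizeof(ar->k_ar.ar_arg_ctlname) /
	    sizeof(ar->k_ar.ar_arg_ctlname[0]);
	KASSERT(namelen >= 0 && (size_t)namelen <= maxlen,
	    ("audit_arg_ctlname: namelen %d out of range", namelen));
	if (namelen < 0)
		namelen = 0;
	else if ((size_t)namelen > maxlen)
		namelen = (int)maxlen;

	bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
	ar->k_ar.ar_arg_len = namelen;
	ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
}

/* Record a mask argument. */
void
audit_arg_mask(int mask)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_mask = mask;
	ARG_SET_VALID(ar, ARG_MASK);
}

/* Record a mode argument. */
void
audit_arg_mode(mode_t mode)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_mode = mode;
	ARG_SET_VALID(ar, ARG_MODE);
}

/* Record a device number argument. */
void
audit_arg_dev(int dev)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_dev = dev;
	ARG_SET_VALID(ar, ARG_DEV);
}

/* Record a generic integer value argument. */
void
audit_arg_value(long value)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_value = value;
	ARG_SET_VALID(ar, ARG_VALUE);
}

/*
 * Record an owner (uid, gid) pair.  This shares the ar_arg_uid/ar_arg_gid
 * fields with audit_arg_uid() and audit_arg_gid(), so the three must not be
 * used for different things within one record.
 */
void
audit_arg_owner(uid_t uid, gid_t gid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_uid = uid;
	ar->k_ar.ar_arg_gid = gid;
	ARG_SET_VALID(ar, ARG_UID | ARG_GID);
}

/* Record a process ID argument. */
void
audit_arg_pid(pid_t pid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_pid = pid;
	ARG_SET_VALID(ar, ARG_PID);
}

/*
 * Record the identity of a target process: its audit ID, effective and real
 * credentials (the effective gid is taken from cr_groups[0]), audit session,
 * terminal and PID.  The caller must hold the process lock (asserted) so that
 * p->p_ucred is stable while it is read.
 */
void
audit_arg_process(struct proc *p)
{
	struct kaudit_record *ar;
	struct ucred *cred;

	KASSERT(p != NULL, ("audit_arg_process: p == NULL"));

	PROC_LOCK_ASSERT(p, MA_OWNED);

	ar = currecord();
	if (ar == NULL)
		return;

	cred = p->p_ucred;
	ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
	ar->k_ar.ar_arg_euid = cred->cr_uid;
	ar->k_ar.ar_arg_egid = cred->cr_groups[0];
	ar->k_ar.ar_arg_ruid = cred->cr_ruid;
	ar->k_ar.ar_arg_rgid = cred->cr_rgid;
	ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
	ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
	ar->k_ar.ar_arg_pid = p->p_pid;
	ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
	    ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
}

/* Record a signal number argument. */
void
audit_arg_signum(u_int signum)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_signum = signum;
	ARG_SET_VALID(ar, ARG_SIGNUM);
}

/* Record the (domain, type, protocol) triple of a socket being created. */
void
audit_arg_socket(int sodomain, int sotype, int soprotocol)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
	ar->k_ar.ar_arg_sockinfo.so_type = sotype;
	ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
	ARG_SET_VALID(ar, ARG_SOCKINFO);
}

/*
 * Record a socket address.  sa_len is taken from the caller's sockaddr and
 * nothing here guarantees it fits the fixed-size record field, so the copy
 * is bounded by the destination.  For AF_UNIX the path is additionally
 * bounded by sa_len and NUL-terminated in a private buffer before being
 * handed to the path-auditing code, which takes a C string: sun_path itself
 * need not be terminated within the bytes the caller actually supplied.
 * Address families other than AF_INET, AF_INET6 and AF_UNIX are copied but
 * never marked valid.
 */
void
audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa)
{
	struct kaudit_record *ar;
	struct sockaddr_un *sun;
	char path[sizeof(sun->sun_path) + 1];
	size_t len, hdrlen, pathlen;

	KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
	KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));

	ar = currecord();
	if (ar == NULL)
		return;

	len = sa->sa_len;
	if (len > sizeof(ar->k_ar.ar_arg_sockaddr))
		len = sizeof(ar->k_ar.ar_arg_sockaddr);
	bcopy(sa, &ar->k_ar.ar_arg_sockaddr, len);

	switch (sa->sa_family) {
	case AF_INET:
		ARG_SET_VALID(ar, ARG_SADDRINET);
		break;

	case AF_INET6:
		ARG_SET_VALID(ar, ARG_SADDRINET6);
		break;

	case AF_UNIX:
		if (dirfd != AT_FDCWD)
			audit_arg_atfd1(dirfd);
		sun = (struct sockaddr_un *)sa;
		/*
		 * Number of sun_path bytes actually present according to
		 * sa_len, capped at the size of sun_path; the pointer
		 * difference is the offset of sun_path within the struct.
		 */
		hdrlen = (size_t)((char *)sun->sun_path - (char *)sun);
		pathlen = sa->sa_len > hdrlen ? sa->sa_len - hdrlen : 0;
		if (pathlen > sizeof(sun->sun_path))
			pathlen = sizeof(sun->sun_path);
		bcopy(sun->sun_path, path, pathlen);
		path[pathlen] = '\0';
		audit_arg_upath1(td, dirfd, path);
		ARG_SET_VALID(ar, ARG_SADDRUNIX);
		break;

	default:
		/* XXXAUDIT: default:? */
		break;
	}
}

/* Record an audit user ID argument. */
void
audit_arg_auid(uid_t auid)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_auid = auid;
	ARG_SET_VALID(ar, ARG_AUID);
}

/*
 * Record a legacy (non-address) auditinfo structure: audit ID, session,
 * preselection masks and the port/machine terminal ID.
 */
void
audit_arg_auditinfo(struct auditinfo *au_info)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_auid = au_info->ai_auid;
	ar->k_ar.ar_arg_asid = au_info->ai_asid;
	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
	ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
	ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
}

/*
 * Record an extended auditinfo_addr structure: as audit_arg_auditinfo(), but
 * with the address-capable terminal ID (type, port and a four-word address).
 */
void
audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_auid = au_info->ai_auid;
	ar->k_ar.ar_arg_asid = au_info->ai_asid;
	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
	ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
	ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
	ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
	ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
	ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
	ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
}
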
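void
audit_arg_text(char *text)
{
	struct kaudit_record *ar;

	KASSERT(text != NULL, ("audit_arg_text: text == NULL"));

	ar = currecord();
	if (ar == NULL)
		return;

	/* Invalidate the text string */
	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);

	/* The buffer is owned by the record and freed with it. */
	if (ar->k_ar.ar_arg_text == NULL)
		ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
		    M_WAITOK);

	/*
	 * strlcpy(), not strncpy(): strncpy() leaves the buffer without a
	 * terminating NUL when text is MAXPATHLEN bytes or longer, and no
	 * length is stored alongside ar_arg_text, so readers have to treat
	 * it as a C string.  Long input is truncated to MAXPATHLEN - 1
	 * characters and always terminated.
	 */
	strlcpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
	ARG_SET_VALID(ar, ARG_TEXT);
}

/* Record a generic command argument. */
void
audit_arg_cmd(int cmd)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_cmd = cmd;
	ARG_SET_VALID(ar, ARG_CMD);
}

/* Record a System V IPC command argument. */
void
audit_arg_svipc_cmd(int cmd)
{
	struct kaudit_record *ar;

	ar = currecord();
	if (ar == NULL)
		return;

	ar->k_ar.ar_arg_svipc_cmd = cmd;
	ARG_SET_VALID(ar, ARG_SVIPC_CMD);
}
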
Watson void 585718c8510SRobert Watson audit_arg_svipc_perm(struct ipc_perm *perm) 586718c8510SRobert Watson { 587718c8510SRobert Watson struct kaudit_record *ar; 588718c8510SRobert Watson 589718c8510SRobert Watson ar = currecord(); 590718c8510SRobert Watson if (ar == NULL) 591718c8510SRobert Watson return; 592718c8510SRobert Watson 593718c8510SRobert Watson bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 594718c8510SRobert Watson sizeof(ar->k_ar.ar_arg_svipc_perm)); 595718c8510SRobert Watson ARG_SET_VALID(ar, ARG_SVIPC_PERM); 596718c8510SRobert Watson } 597718c8510SRobert Watson 598718c8510SRobert Watson void 599718c8510SRobert Watson audit_arg_svipc_id(int id) 600718c8510SRobert Watson { 601718c8510SRobert Watson struct kaudit_record *ar; 602718c8510SRobert Watson 603718c8510SRobert Watson ar = currecord(); 604718c8510SRobert Watson if (ar == NULL) 605718c8510SRobert Watson return; 606718c8510SRobert Watson 607718c8510SRobert Watson ar->k_ar.ar_arg_svipc_id = id; 608718c8510SRobert Watson ARG_SET_VALID(ar, ARG_SVIPC_ID); 609718c8510SRobert Watson } 610718c8510SRobert Watson 611718c8510SRobert Watson void 612718c8510SRobert Watson audit_arg_svipc_addr(void * addr) 613718c8510SRobert Watson { 614718c8510SRobert Watson struct kaudit_record *ar; 615718c8510SRobert Watson 616718c8510SRobert Watson ar = currecord(); 617718c8510SRobert Watson if (ar == NULL) 618718c8510SRobert Watson return; 619718c8510SRobert Watson 620718c8510SRobert Watson ar->k_ar.ar_arg_svipc_addr = addr; 621718c8510SRobert Watson ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 622718c8510SRobert Watson } 623718c8510SRobert Watson 624718c8510SRobert Watson void 625b7830259SRobert Watson audit_arg_svipc_which(int which) 626b7830259SRobert Watson { 627b7830259SRobert Watson struct kaudit_record *ar; 628b7830259SRobert Watson 629b7830259SRobert Watson ar = currecord(); 630b7830259SRobert Watson if (ar == NULL) 631b7830259SRobert Watson return; 632b7830259SRobert Watson 633b7830259SRobert Watson ar->k_ar.ar_arg_svipc_which 
= which; 634b7830259SRobert Watson ARG_SET_VALID(ar, ARG_SVIPC_WHICH); 635b7830259SRobert Watson } 636b7830259SRobert Watson 637b7830259SRobert Watson void 638718c8510SRobert Watson audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 639718c8510SRobert Watson { 640718c8510SRobert Watson struct kaudit_record *ar; 641718c8510SRobert Watson 642718c8510SRobert Watson ar = currecord(); 643718c8510SRobert Watson if (ar == NULL) 644718c8510SRobert Watson return; 645718c8510SRobert Watson 646718c8510SRobert Watson ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 647718c8510SRobert Watson ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 648718c8510SRobert Watson ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 649718c8510SRobert Watson ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 650718c8510SRobert Watson } 651718c8510SRobert Watson 652718c8510SRobert Watson void 653718c8510SRobert Watson audit_arg_auditon(union auditon_udata *udata) 654718c8510SRobert Watson { 655718c8510SRobert Watson struct kaudit_record *ar; 656718c8510SRobert Watson 657718c8510SRobert Watson ar = currecord(); 658718c8510SRobert Watson if (ar == NULL) 659718c8510SRobert Watson return; 660718c8510SRobert Watson 661718c8510SRobert Watson bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 662718c8510SRobert Watson sizeof(ar->k_ar.ar_arg_auditon)); 663718c8510SRobert Watson ARG_SET_VALID(ar, ARG_AUDITON); 664718c8510SRobert Watson } 665718c8510SRobert Watson 666718c8510SRobert Watson /* 667718c8510SRobert Watson * Audit information about a file, either the file's vnode info, or its 668718c8510SRobert Watson * socket address info. 
 */
void
audit_arg_file(struct proc *p, struct file *fp)
{
	struct kaudit_record *rec;
	struct socket *sock;
	struct inpcb *inp;
	struct vnode *vp;
	short ftype;

	if ((rec = currecord()) == NULL)
		return;

	/* Read the descriptor type once; the branches below dispatch on it. */
	ftype = fp->f_type;
	if (ftype == DTYPE_VNODE || ftype == DTYPE_FIFO) {
		/*
		 * XXXAUDIT: Only possibly to record as first vnode?
		 */
		vp = fp->f_vnode;
		vn_lock(vp, LK_SHARED | LK_RETRY);
		audit_arg_vnode1(vp);
		VOP_UNLOCK(vp, 0);
		return;
	}

	if (ftype == DTYPE_SOCKET) {
		sock = (struct socket *)fp->f_data;
		/*
		 * Only PF_INET sockets are described here; any other
		 * address family leaves ARG_SOCKINFO unset in the record.
		 */
		if (!INP_CHECK_SOCKAF(sock, PF_INET))
			return;

		/* Socket-level fields are read under the socket lock. */
		SOCK_LOCK(sock);
		rec->k_ar.ar_arg_sockinfo.so_type = sock->so_type;
		rec->k_ar.ar_arg_sockinfo.so_domain = INP_SOCKAF(sock);
		rec->k_ar.ar_arg_sockinfo.so_protocol =
		    sock->so_proto->pr_protocol;
		SOCK_UNLOCK(sock);

		/*
		 * Endpoint addresses live in the inpcb and are read under its
		 * read lock.  NOTE(review): so_pcb is dereferenced without a
		 * NULL check -- presumably never NULL for a live PF_INET
		 * socket; confirm.
		 */
		inp = (struct inpcb *)sock->so_pcb;
		INP_RLOCK(inp);
		rec->k_ar.ar_arg_sockinfo.so_raddr = inp->inp_faddr.s_addr;
		rec->k_ar.ar_arg_sockinfo.so_laddr = inp->inp_laddr.s_addr;
		rec->k_ar.ar_arg_sockinfo.so_rport = inp->inp_fport;
		rec->k_ar.ar_arg_sockinfo.so_lport = inp->inp_lport;
		INP_RUNLOCK(inp);
		ARG_SET_VALID(rec, ARG_SOCKINFO);
		return;
	}

	/* XXXAUDIT: else?  Other descriptor types are not recorded. */
}

/*
 * Store a path as given by the user process for auditing into the audit
 * record stored on the user thread.  This function will allocate the memory
 * to store the path info if not already available.  This memory will be
 * freed when the audit record is freed.  The path is canonicalised with
 * respect to the thread and directory descriptor passed.
 */
static void
audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp)
{

	/*
	 * The record's path buffer is allocated lazily and is owned by the
	 * record; it is released together with the record.
	 */
	if (*pathp == NULL)
		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
	audit_canon_path(td, dirfd, upath, *pathp);
}

/* Record the first user-supplied path (ARG_UPATH1) of the current record. */
void
audit_arg_upath1(struct thread *td, int dirfd, char *upath)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	audit_arg_upath(td, dirfd, upath, &rec->k_ar.ar_arg_upath1);
	ARG_SET_VALID(rec, ARG_UPATH1);
}

/* Record the second user-supplied path (ARG_UPATH2) of the current record. */
void
audit_arg_upath2(struct thread *td, int dirfd, char *upath)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	audit_arg_upath(td, dirfd, upath, &rec->k_ar.ar_arg_upath2);
	ARG_SET_VALID(rec, ARG_UPATH2);
}

/*
 * Variants on path auditing that do not canonicalise the path passed in;
 * these are for use with filesystem-like subsystems that employ string names,
 * but do not support a hierarchical namespace -- for example, POSIX IPC
 *
objects.  The subsystem should have performed any necessary
 * canonicalisation required to make the paths useful to audit analysis.
 */
static void
audit_arg_upath_canon(char *upath, char **pathp)
{

	if (*pathp == NULL)
		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
	/*
	 * Bounded, NUL-terminated copy.  A name of MAXPATHLEN bytes or more
	 * is silently truncated in the record; the return value is
	 * deliberately ignored, so the record carries no truncation mark.
	 */
	(void)snprintf(*pathp, MAXPATHLEN, "%s", upath);
}

/* Store an already-canonical name as ARG_UPATH1 of the current record. */
void
audit_arg_upath1_canon(char *upath)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	audit_arg_upath_canon(upath, &rec->k_ar.ar_arg_upath1);
	ARG_SET_VALID(rec, ARG_UPATH1);
}

/* Store an already-canonical name as ARG_UPATH2 of the current record. */
void
audit_arg_upath2_canon(char *upath)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	audit_arg_upath_canon(upath, &rec->k_ar.ar_arg_upath2);
	ARG_SET_VALID(rec, ARG_UPATH2);
}

/*
 * Function to save the path and vnode attr information into the audit
 * record.
 *
 * It is assumed that the caller will hold any vnode locks necessary to
 * perform a VOP_GETATTR() on the passed vnode.
 *
 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
 * provides access to the generation number as we need that to construct the
 * BSM file ID.
 *
 * XXX: We should accept the process argument from the caller, since it's
 * very likely they already have a reference.
 *
 * XXX: Error handling in this function is poor.
 *
 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
 *
 * Returns 0 on success, or the VOP_GETATTR() error (vnp is then untouched).
 */
static int
audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp)
{
	struct vattr va;
	int err;

	ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");

	/* Attributes are looked up with the current thread's credential. */
	err = VOP_GETATTR(vp, &va, curthread->td_ucred);
	if (err != 0)
		return (err);	/* XXX: How to handle this case? */

	vnp->vn_gen = va.va_gen;
	vnp->vn_fileid = va.va_fileid;
	vnp->vn_fsid = va.va_fsid;
	vnp->vn_dev = va.va_rdev;
	vnp->vn_gid = va.va_gid;
	vnp->vn_uid = va.va_uid;
	vnp->vn_mode = va.va_mode;
	return (0);
}

/*
 * Record vp's attributes as the first vnode (ARG_VNODE1) of the current
 * record.  The flag is cleared first so a failed attribute lookup never
 * leaves a stale ARG_VNODE1 marked valid.
 */
void
audit_arg_vnode1(struct vnode *vp)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	ARG_CLEAR_VALID(rec, ARG_VNODE1);
	if (audit_arg_vnode(vp, &rec->k_ar.ar_arg_vnode1) == 0)
		ARG_SET_VALID(rec, ARG_VNODE1);
}

/*
 * Record vp's attributes as the second vnode (ARG_VNODE2) of the current
 * record; same clear-then-set discipline as audit_arg_vnode1().
 */
void
audit_arg_vnode2(struct vnode *vp)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	ARG_CLEAR_VALID(rec, ARG_VNODE2);
	if (audit_arg_vnode(vp, &rec->k_ar.ar_arg_vnode2) == 0)
		ARG_SET_VALID(rec, ARG_VNODE2);
}

/*
 * Audit the
argument strings passed to exec.
 *
 * `length` bytes starting at argv are copied verbatim into memory owned by
 * the record; argc is stored alongside.  Nothing is recorded unless the
 * audit_argv policy flag is set.
 */
void
audit_arg_argv(char *argv, int argc, int length)
{
	struct kaudit_record *rec;

	if (audit_argv == 0)
		return;

	if ((rec = currecord()) == NULL)
		return;

	/*
	 * NOTE(review): an existing ar_arg_argv buffer is overwritten
	 * without being freed -- assumes at most one call per record.
	 */
	rec->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
	bcopy(argv, rec->k_ar.ar_arg_argv, length);
	rec->k_ar.ar_arg_argc = argc;
	ARG_SET_VALID(rec, ARG_ARGV);
}

/*
 * Audit the environment strings passed to exec.
 *
 * Mirrors audit_arg_argv(): `length` bytes starting at envv are copied into
 * record-owned memory, gated on the audit_arge policy flag.
 */
void
audit_arg_envv(char *envv, int envc, int length)
{
	struct kaudit_record *rec;

	if (audit_arge == 0)
		return;

	if ((rec = currecord()) == NULL)
		return;

	/* NOTE(review): same single-call assumption as audit_arg_argv(). */
	rec->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
	bcopy(envv, rec->k_ar.ar_arg_envv, length);
	rec->k_ar.ar_arg_envc = envc;
	ARG_SET_VALID(rec, ARG_ENVV);
}

/* Record a Capsicum rights set (by value) in the current record. */
void
audit_arg_rights(cap_rights_t *rightsp)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	rec->k_ar.ar_arg_rights = *rightsp;
	ARG_SET_VALID(rec, ARG_RIGHTS);
}

/* Record the fcntl(2) rights mask in the current record. */
void
audit_arg_fcntl_rights(uint32_t fcntlrights)
{
	struct kaudit_record *rec;

	if ((rec = currecord()) == NULL)
		return;

	rec->k_ar.ar_arg_fcntl_rights = fcntlrights;
	ARG_SET_VALID(rec, ARG_FCNTL_RIGHTS);
}

/*
 * The close() system call uses its own audit call to capture the path/vnode
 * information because those pieces are not easily obtained within the system
 * call itself.
 */
void
audit_sysclose(struct thread *td, int fd)
{
	struct kaudit_record *rec;
	cap_rights_t rights;
	struct file *fp;
	struct vnode *vp;

	KASSERT(td != NULL, ("audit_sysclose: td == NULL"));

	if ((rec = currecord()) == NULL)
		return;

	/* The descriptor number is recorded even if the lookup below fails. */
	audit_arg_fd(fd);

	/*
	 * cap_rights_init() with no rights yields an empty set, so the lookup
	 * demands no capability right of the descriptor.  If getvnode()
	 * fails, only the fd number remains in the record.
	 */
	if (getvnode(td, fd, cap_rights_init(&rights), &fp) != 0)
		return;

	vp = fp->f_vnode;
	vn_lock(vp, LK_SHARED | LK_RETRY);
	audit_arg_vnode1(vp);
	VOP_UNLOCK(vp, 0);
	fdrop(fp, td);
}