1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2005 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/param.h> 39 #include <sys/filedesc.h> 40 #include <sys/capsicum.h> 41 #include <sys/ipc.h> 42 #include <sys/mount.h> 43 #include <sys/proc.h> 44 #include <sys/socket.h> 45 #include <sys/socketvar.h> 46 #include <sys/protosw.h> 47 #include <sys/domain.h> 48 #include <sys/sbuf.h> 49 #include <sys/systm.h> 50 #include <sys/un.h> 51 #include <sys/vnode.h> 52 53 #include <netinet/in.h> 54 #include <netinet/in_pcb.h> 55 56 #include <security/audit/audit.h> 57 #include <security/audit/audit_private.h> 58 59 /* 60 * Calls to manipulate elements of the audit record structure from system 61 * call code. Macro wrappers will prevent this functions from being entered 62 * if auditing is disabled, avoiding the function call cost. We check the 63 * thread audit record pointer anyway, as the audit condition could change, 64 * and pre-selection may not have allocated an audit record for this event. 65 * 66 * XXXAUDIT: Should we assert, in each case, that this field of the record 67 * hasn't already been filled in? 68 */ 69 void 70 audit_arg_addr(void *addr) 71 { 72 struct kaudit_record *ar; 73 74 ar = currecord(); 75 if (ar == NULL) 76 return; 77 78 ar->k_ar.ar_arg_addr = addr; 79 ARG_SET_VALID(ar, ARG_ADDR); 80 } 81 82 void 83 audit_arg_exit(int status, int retval) 84 { 85 struct kaudit_record *ar; 86 87 ar = currecord(); 88 if (ar == NULL) 89 return; 90 91 ar->k_ar.ar_arg_exitstatus = status; 92 ar->k_ar.ar_arg_exitretval = retval; 93 ARG_SET_VALID(ar, ARG_EXIT); 94 } 95 96 void 97 audit_arg_len(int len) 98 { 99 struct kaudit_record *ar; 100 101 ar = currecord(); 102 if (ar == NULL) 103 return; 104 105 ar->k_ar.ar_arg_len = len; 106 ARG_SET_VALID(ar, ARG_LEN); 107 } 108 109 void 110 audit_arg_atfd1(int atfd) 111 { 112 struct kaudit_record *ar; 113 114 ar = currecord(); 115 if (ar == NULL) 116 return; 117 118 ar->k_ar.ar_arg_atfd1 = atfd; 119 ARG_SET_VALID(ar, ARG_ATFD1); 120 } 121 122 void 123 audit_arg_atfd2(int atfd) 124 { 125 struct kaudit_record *ar; 126 127 ar = currecord(); 128 if (ar == NULL) 129 return; 130 131 ar->k_ar.ar_arg_atfd2 = atfd; 132 ARG_SET_VALID(ar, ARG_ATFD2); 133 } 134 135 void 136 audit_arg_fd(int fd) 137 { 138 struct kaudit_record *ar; 139 140 ar = currecord(); 141 if (ar == NULL) 142 return; 143 144 ar->k_ar.ar_arg_fd = fd; 145 ARG_SET_VALID(ar, ARG_FD); 146 } 147 148 void 149 audit_arg_fflags(int fflags) 150 { 151 struct kaudit_record *ar; 152 153 ar = currecord(); 154 if (ar == NULL) 155 return; 156 157 ar->k_ar.ar_arg_fflags = fflags; 158 ARG_SET_VALID(ar, ARG_FFLAGS); 159 } 160 161 void 162 audit_arg_gid(gid_t gid) 163 { 164 struct kaudit_record *ar; 165 166 ar = currecord(); 167 if (ar == NULL) 168 return; 169 170 ar->k_ar.ar_arg_gid = gid; 171 ARG_SET_VALID(ar, ARG_GID); 172 } 173 174 void 175 audit_arg_uid(uid_t uid) 176 { 177 struct kaudit_record *ar; 178 179 ar = currecord(); 180 if (ar == NULL) 181 return; 182 183 ar->k_ar.ar_arg_uid = uid; 184 ARG_SET_VALID(ar, ARG_UID); 185 } 186 187 void 188 audit_arg_egid(gid_t egid) 189 { 190 struct kaudit_record *ar; 191 192 ar = currecord(); 193 if (ar == NULL) 194 return; 195 196 ar->k_ar.ar_arg_egid = egid; 197 ARG_SET_VALID(ar, ARG_EGID); 198 } 199 200 void 201 audit_arg_euid(uid_t euid) 202 { 203 struct kaudit_record *ar; 204 205 ar = currecord(); 206 if (ar == NULL) 207 return; 208 209 ar->k_ar.ar_arg_euid = euid; 210 ARG_SET_VALID(ar, ARG_EUID); 211 } 212 213 void 214 audit_arg_rgid(gid_t rgid) 215 { 216 struct kaudit_record *ar; 217 218 ar = currecord(); 219 if (ar == NULL) 220 return; 221 222 ar->k_ar.ar_arg_rgid = rgid; 223 ARG_SET_VALID(ar, ARG_RGID); 224 } 225 226 void 227 audit_arg_ruid(uid_t ruid) 228 { 229 struct kaudit_record *ar; 230 231 ar = currecord(); 232 if (ar == NULL) 233 return; 234 235 ar->k_ar.ar_arg_ruid = ruid; 236 ARG_SET_VALID(ar, ARG_RUID); 237 } 238 239 void 240 audit_arg_sgid(gid_t sgid) 241 { 242 struct kaudit_record *ar; 243 244 ar = currecord(); 245 if (ar == NULL) 246 return; 247 248 ar->k_ar.ar_arg_sgid = sgid; 249 ARG_SET_VALID(ar, ARG_SGID); 250 } 251 252 void 253 audit_arg_suid(uid_t suid) 254 { 255 struct kaudit_record *ar; 256 257 ar = currecord(); 258 if (ar == NULL) 259 return; 260 261 ar->k_ar.ar_arg_suid = suid; 262 ARG_SET_VALID(ar, ARG_SUID); 263 } 264 265 void 266 audit_arg_groupset(gid_t *gidset, u_int gidset_size) 267 { 268 u_int i; 269 struct kaudit_record *ar; 270 271 KASSERT(gidset_size <= ngroups_max + 1, 272 ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)")); 273 274 ar = currecord(); 275 if (ar == NULL) 276 return; 277 278 if (ar->k_ar.ar_arg_groups.gidset == NULL) 279 ar->k_ar.ar_arg_groups.gidset = malloc( 280 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK); 281 282 for (i = 0; i < gidset_size; i++) 283 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 284 ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 285 ARG_SET_VALID(ar, ARG_GROUPSET); 286 } 287 288 void 289 audit_arg_login(char *login) 290 { 291 struct kaudit_record *ar; 292 293 ar = currecord(); 294 if (ar == NULL) 295 return; 296 297 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 298 ARG_SET_VALID(ar, ARG_LOGIN); 299 } 300 301 void 302 audit_arg_ctlname(int *name, int namelen) 303 { 304 struct kaudit_record *ar; 305 306 ar = currecord(); 307 if (ar == NULL) 308 return; 309 310 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 311 ar->k_ar.ar_arg_len = namelen; 312 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 313 } 314 315 void 316 audit_arg_mask(int mask) 317 { 318 struct kaudit_record *ar; 319 320 ar = currecord(); 321 if (ar == NULL) 322 return; 323 324 ar->k_ar.ar_arg_mask = mask; 325 ARG_SET_VALID(ar, ARG_MASK); 326 } 327 328 void 329 audit_arg_mode(mode_t mode) 330 { 331 struct kaudit_record *ar; 332 333 ar = currecord(); 334 if (ar == NULL) 335 return; 336 337 ar->k_ar.ar_arg_mode = mode; 338 ARG_SET_VALID(ar, ARG_MODE); 339 } 340 341 void 342 audit_arg_dev(int dev) 343 { 344 struct kaudit_record *ar; 345 346 ar = currecord(); 347 if (ar == NULL) 348 return; 349 350 ar->k_ar.ar_arg_dev = dev; 351 ARG_SET_VALID(ar, ARG_DEV); 352 } 353 354 void 355 audit_arg_value(long value) 356 { 357 struct kaudit_record *ar; 358 359 ar = currecord(); 360 if (ar == NULL) 361 return; 362 363 ar->k_ar.ar_arg_value = value; 364 ARG_SET_VALID(ar, ARG_VALUE); 365 } 366 367 void 368 audit_arg_owner(uid_t uid, gid_t gid) 369 { 370 struct kaudit_record *ar; 371 372 ar = currecord(); 373 if (ar == NULL) 374 return; 375 376 ar->k_ar.ar_arg_uid = uid; 377 ar->k_ar.ar_arg_gid = gid; 378 ARG_SET_VALID(ar, ARG_UID | ARG_GID); 379 } 380 381 void 382 audit_arg_pid(pid_t pid) 383 { 384 struct kaudit_record *ar; 385 386 ar = currecord(); 387 if (ar == NULL) 388 return; 389 390 ar->k_ar.ar_arg_pid = pid; 391 ARG_SET_VALID(ar, ARG_PID); 392 } 393 394 void 395 audit_arg_process(struct proc *p) 396 { 397 struct kaudit_record *ar; 398 struct ucred *cred; 399 400 KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 401 402 PROC_LOCK_ASSERT(p, MA_OWNED); 403 404 ar = currecord(); 405 if (ar == NULL) 406 return; 407 408 cred = p->p_ucred; 409 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid; 410 ar->k_ar.ar_arg_euid = cred->cr_uid; 411 ar->k_ar.ar_arg_egid = cred->cr_groups[0]; 412 ar->k_ar.ar_arg_ruid = cred->cr_ruid; 413 ar->k_ar.ar_arg_rgid = cred->cr_rgid; 414 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid; 415 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid; 416 ar->k_ar.ar_arg_pid = p->p_pid; 417 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 418 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS); 419 } 420 421 void 422 audit_arg_signum(u_int signum) 423 { 424 struct kaudit_record *ar; 425 426 ar = currecord(); 427 if (ar == NULL) 428 return; 429 430 ar->k_ar.ar_arg_signum = signum; 431 ARG_SET_VALID(ar, ARG_SIGNUM); 432 } 433 434 void 435 audit_arg_socket(int sodomain, int sotype, int soprotocol) 436 { 437 struct kaudit_record *ar; 438 439 ar = currecord(); 440 if (ar == NULL) 441 return; 442 443 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 444 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 445 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 446 ARG_SET_VALID(ar, ARG_SOCKINFO); 447 } 448 449 void 450 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa) 451 { 452 struct kaudit_record *ar; 453 454 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 455 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 456 457 ar = currecord(); 458 if (ar == NULL) 459 return; 460 461 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 462 switch (sa->sa_family) { 463 case AF_INET: 464 ARG_SET_VALID(ar, ARG_SADDRINET); 465 break; 466 467 case AF_INET6: 468 ARG_SET_VALID(ar, ARG_SADDRINET6); 469 break; 470 471 case AF_UNIX: 472 if (dirfd != AT_FDCWD) 473 audit_arg_atfd1(dirfd); 474 audit_arg_upath1(td, dirfd, 475 ((struct sockaddr_un *)sa)->sun_path); 476 ARG_SET_VALID(ar, ARG_SADDRUNIX); 477 break; 478 /* XXXAUDIT: default:? */ 479 } 480 } 481 482 void 483 audit_arg_auid(uid_t auid) 484 { 485 struct kaudit_record *ar; 486 487 ar = currecord(); 488 if (ar == NULL) 489 return; 490 491 ar->k_ar.ar_arg_auid = auid; 492 ARG_SET_VALID(ar, ARG_AUID); 493 } 494 495 void 496 audit_arg_auditinfo(struct auditinfo *au_info) 497 { 498 struct kaudit_record *ar; 499 500 ar = currecord(); 501 if (ar == NULL) 502 return; 503 504 ar->k_ar.ar_arg_auid = au_info->ai_auid; 505 ar->k_ar.ar_arg_asid = au_info->ai_asid; 506 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 507 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 508 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 509 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 510 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 511 } 512 513 void 514 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info) 515 { 516 struct kaudit_record *ar; 517 518 ar = currecord(); 519 if (ar == NULL) 520 return; 521 522 ar->k_ar.ar_arg_auid = au_info->ai_auid; 523 ar->k_ar.ar_arg_asid = au_info->ai_asid; 524 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 525 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 526 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type; 527 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port; 528 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0]; 529 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1]; 530 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2]; 531 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3]; 532 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR); 533 } 534 535 void 536 audit_arg_text(const char *text) 537 { 538 struct kaudit_record *ar; 539 540 KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 541 542 ar = currecord(); 543 if (ar == NULL) 544 return; 545 546 /* Invalidate the text string */ 547 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 548 549 if (ar->k_ar.ar_arg_text == NULL) 550 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 551 M_WAITOK); 552 553 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 554 ARG_SET_VALID(ar, ARG_TEXT); 555 } 556 557 void 558 audit_arg_cmd(int cmd) 559 { 560 struct kaudit_record *ar; 561 562 ar = currecord(); 563 if (ar == NULL) 564 return; 565 566 ar->k_ar.ar_arg_cmd = cmd; 567 ARG_SET_VALID(ar, ARG_CMD); 568 } 569 570 void 571 audit_arg_svipc_cmd(int cmd) 572 { 573 struct kaudit_record *ar; 574 575 ar = currecord(); 576 if (ar == NULL) 577 return; 578 579 ar->k_ar.ar_arg_svipc_cmd = cmd; 580 ARG_SET_VALID(ar, ARG_SVIPC_CMD); 581 } 582 583 void 584 audit_arg_svipc_perm(struct ipc_perm *perm) 585 { 586 struct kaudit_record *ar; 587 588 ar = currecord(); 589 if (ar == NULL) 590 return; 591 592 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 593 sizeof(ar->k_ar.ar_arg_svipc_perm)); 594 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 595 } 596 597 void 598 audit_arg_svipc_id(int id) 599 { 600 struct kaudit_record *ar; 601 602 ar = currecord(); 603 if (ar == NULL) 604 return; 605 606 ar->k_ar.ar_arg_svipc_id = id; 607 ARG_SET_VALID(ar, ARG_SVIPC_ID); 608 } 609 610 void 611 audit_arg_svipc_addr(void * addr) 612 { 613 struct kaudit_record *ar; 614 615 ar = currecord(); 616 if (ar == NULL) 617 return; 618 619 ar->k_ar.ar_arg_svipc_addr = addr; 620 ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 621 } 622 623 void 624 audit_arg_svipc_which(int which) 625 { 626 struct kaudit_record *ar; 627 628 ar = currecord(); 629 if (ar == NULL) 630 return; 631 632 ar->k_ar.ar_arg_svipc_which = which; 633 ARG_SET_VALID(ar, ARG_SVIPC_WHICH); 634 } 635 636 void 637 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 638 { 639 struct kaudit_record *ar; 640 641 ar = currecord(); 642 if (ar == NULL) 643 return; 644 645 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 646 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 647 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 648 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 649 } 650 651 void 652 audit_arg_auditon(union auditon_udata *udata) 653 { 654 struct kaudit_record *ar; 655 656 ar = currecord(); 657 if (ar == NULL) 658 return; 659 660 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 661 sizeof(ar->k_ar.ar_arg_auditon)); 662 ARG_SET_VALID(ar, ARG_AUDITON); 663 } 664 665 /* 666 * Audit information about a file, either the file's vnode info, or its 667 * socket address info. 668 */ 669 void 670 audit_arg_file(struct proc *p, struct file *fp) 671 { 672 struct kaudit_record *ar; 673 struct socket *so; 674 struct inpcb *pcb; 675 struct vnode *vp; 676 677 ar = currecord(); 678 if (ar == NULL) 679 return; 680 681 switch (fp->f_type) { 682 case DTYPE_VNODE: 683 case DTYPE_FIFO: 684 /* 685 * XXXAUDIT: Only possibly to record as first vnode? 686 */ 687 vp = fp->f_vnode; 688 vn_lock(vp, LK_SHARED | LK_RETRY); 689 audit_arg_vnode1(vp); 690 VOP_UNLOCK(vp); 691 break; 692 693 case DTYPE_SOCKET: 694 so = (struct socket *)fp->f_data; 695 if (INP_CHECK_SOCKAF(so, PF_INET)) { 696 SOCK_LOCK(so); 697 ar->k_ar.ar_arg_sockinfo.so_type = 698 so->so_type; 699 ar->k_ar.ar_arg_sockinfo.so_domain = 700 INP_SOCKAF(so); 701 ar->k_ar.ar_arg_sockinfo.so_protocol = 702 so->so_proto->pr_protocol; 703 SOCK_UNLOCK(so); 704 pcb = (struct inpcb *)so->so_pcb; 705 INP_RLOCK(pcb); 706 ar->k_ar.ar_arg_sockinfo.so_raddr = 707 pcb->inp_faddr.s_addr; 708 ar->k_ar.ar_arg_sockinfo.so_laddr = 709 pcb->inp_laddr.s_addr; 710 ar->k_ar.ar_arg_sockinfo.so_rport = 711 pcb->inp_fport; 712 ar->k_ar.ar_arg_sockinfo.so_lport = 713 pcb->inp_lport; 714 INP_RUNLOCK(pcb); 715 ARG_SET_VALID(ar, ARG_SOCKINFO); 716 } 717 break; 718 719 default: 720 /* XXXAUDIT: else? */ 721 break; 722 } 723 } 724 725 /* 726 * Store a path as given by the user process for auditing into the audit 727 * record stored on the user thread. This function will allocate the memory 728 * to store the path info if not already available. This memory will be 729 * freed when the audit record is freed. The path is canonlicalised with 730 * respect to the thread and directory descriptor passed. 731 */ 732 static void 733 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp) 734 { 735 736 if (*pathp == NULL) 737 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 738 audit_canon_path(td, dirfd, upath, *pathp); 739 } 740 741 void 742 audit_arg_upath1(struct thread *td, int dirfd, char *upath) 743 { 744 struct kaudit_record *ar; 745 746 ar = currecord(); 747 if (ar == NULL) 748 return; 749 750 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1); 751 ARG_SET_VALID(ar, ARG_UPATH1); 752 } 753 754 void 755 audit_arg_upath2(struct thread *td, int dirfd, char *upath) 756 { 757 struct kaudit_record *ar; 758 759 ar = currecord(); 760 if (ar == NULL) 761 return; 762 763 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2); 764 ARG_SET_VALID(ar, ARG_UPATH2); 765 } 766 767 static void 768 audit_arg_upath_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 769 char *upath, char **pathp) 770 { 771 772 if (*pathp == NULL) 773 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 774 audit_canon_path_vp(td, rdir, cdir, upath, *pathp); 775 } 776 777 void 778 audit_arg_upath1_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 779 char *upath) 780 { 781 struct kaudit_record *ar; 782 783 ar = currecord(); 784 if (ar == NULL) 785 return; 786 787 audit_arg_upath_vp(td, rdir, cdir, upath, &ar->k_ar.ar_arg_upath1); 788 ARG_SET_VALID(ar, ARG_UPATH1); 789 } 790 791 void 792 audit_arg_upath2_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 793 char *upath) 794 { 795 struct kaudit_record *ar; 796 797 ar = currecord(); 798 if (ar == NULL) 799 return; 800 801 audit_arg_upath_vp(td, rdir, cdir, upath, &ar->k_ar.ar_arg_upath2); 802 ARG_SET_VALID(ar, ARG_UPATH2); 803 } 804 805 /* 806 * Variants on path auditing that do not canonicalise the path passed in; 807 * these are for use with filesystem-like subsystems that employ string names, 808 * but do not support a hierarchical namespace -- for example, POSIX IPC 809 * objects. The subsystem should have performed any necessary 810 * canonicalisation required to make the paths useful to audit analysis. 811 */ 812 static void 813 audit_arg_upath_canon(char *upath, char **pathp) 814 { 815 816 if (*pathp == NULL) 817 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 818 (void)snprintf(*pathp, MAXPATHLEN, "%s", upath); 819 } 820 821 void 822 audit_arg_upath1_canon(char *upath) 823 { 824 struct kaudit_record *ar; 825 826 ar = currecord(); 827 if (ar == NULL) 828 return; 829 830 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1); 831 ARG_SET_VALID(ar, ARG_UPATH1); 832 } 833 834 void 835 audit_arg_upath2_canon(char *upath) 836 { 837 struct kaudit_record *ar; 838 839 ar = currecord(); 840 if (ar == NULL) 841 return; 842 843 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2); 844 ARG_SET_VALID(ar, ARG_UPATH2); 845 } 846 847 /* 848 * Function to save the path and vnode attr information into the audit 849 * record. 850 * 851 * It is assumed that the caller will hold any vnode locks necessary to 852 * perform a VOP_GETATTR() on the passed vnode. 853 * 854 * XXX: The attr code is very similar to vfs_default.c:vop_stdstat(), but always 855 * provides access to the generation number as we need that to construct the 856 * BSM file ID. 857 * 858 * XXX: We should accept the process argument from the caller, since it's 859 * very likely they already have a reference. 860 * 861 * XXX: Error handling in this function is poor. 862 * 863 * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 864 */ 865 static int 866 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp) 867 { 868 struct vattr vattr; 869 int error; 870 871 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 872 873 VATTR_NULL(&vattr); 874 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred); 875 if (error) { 876 /* XXX: How to handle this case? */ 877 return (error); 878 } 879 880 vnp->vn_mode = vattr.va_mode; 881 vnp->vn_uid = vattr.va_uid; 882 vnp->vn_gid = vattr.va_gid; 883 vnp->vn_dev = vattr.va_rdev; 884 vnp->vn_fsid = vattr.va_fsid; 885 vnp->vn_fileid = vattr.va_fileid; 886 vnp->vn_gen = vattr.va_gen; 887 return (0); 888 } 889 890 void 891 audit_arg_vnode1(struct vnode *vp) 892 { 893 struct kaudit_record *ar; 894 int error; 895 896 ar = currecord(); 897 if (ar == NULL) 898 return; 899 900 ARG_CLEAR_VALID(ar, ARG_VNODE1); 901 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1); 902 if (error == 0) 903 ARG_SET_VALID(ar, ARG_VNODE1); 904 } 905 906 void 907 audit_arg_vnode2(struct vnode *vp) 908 { 909 struct kaudit_record *ar; 910 int error; 911 912 ar = currecord(); 913 if (ar == NULL) 914 return; 915 916 ARG_CLEAR_VALID(ar, ARG_VNODE2); 917 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2); 918 if (error == 0) 919 ARG_SET_VALID(ar, ARG_VNODE2); 920 } 921 922 /* 923 * Audit the argument strings passed to exec. 924 */ 925 void 926 audit_arg_argv(char *argv, int argc, int length) 927 { 928 struct kaudit_record *ar; 929 930 if (audit_argv == 0) 931 return; 932 933 ar = currecord(); 934 if (ar == NULL) 935 return; 936 937 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 938 bcopy(argv, ar->k_ar.ar_arg_argv, length); 939 ar->k_ar.ar_arg_argc = argc; 940 ARG_SET_VALID(ar, ARG_ARGV); 941 } 942 943 /* 944 * Audit the environment strings passed to exec. 945 */ 946 void 947 audit_arg_envv(char *envv, int envc, int length) 948 { 949 struct kaudit_record *ar; 950 951 if (audit_arge == 0) 952 return; 953 954 ar = currecord(); 955 if (ar == NULL) 956 return; 957 958 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 959 bcopy(envv, ar->k_ar.ar_arg_envv, length); 960 ar->k_ar.ar_arg_envc = envc; 961 ARG_SET_VALID(ar, ARG_ENVV); 962 } 963 964 void 965 audit_arg_rights(cap_rights_t *rightsp) 966 { 967 struct kaudit_record *ar; 968 969 ar = currecord(); 970 if (ar == NULL) 971 return; 972 973 ar->k_ar.ar_arg_rights = *rightsp; 974 ARG_SET_VALID(ar, ARG_RIGHTS); 975 } 976 977 void 978 audit_arg_fcntl_rights(uint32_t fcntlrights) 979 { 980 struct kaudit_record *ar; 981 982 ar = currecord(); 983 if (ar == NULL) 984 return; 985 986 ar->k_ar.ar_arg_fcntl_rights = fcntlrights; 987 ARG_SET_VALID(ar, ARG_FCNTL_RIGHTS); 988 } 989 990 /* 991 * The close() system call uses it's own audit call to capture the path/vnode 992 * information because those pieces are not easily obtained within the system 993 * call itself. 994 */ 995 void 996 audit_sysclose(struct thread *td, int fd, struct file *fp) 997 { 998 struct kaudit_record *ar; 999 struct vnode *vp; 1000 1001 KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 1002 1003 ar = currecord(); 1004 if (ar == NULL) 1005 return; 1006 1007 audit_arg_fd(fd); 1008 1009 vp = fp->f_vnode; 1010 if (vp == NULL) 1011 return; 1012 vn_lock(vp, LK_SHARED | LK_RETRY); 1013 audit_arg_vnode1(vp); 1014 VOP_UNLOCK(vp); 1015 } 1016