xref: /freebsd/sys/security/audit/audit_arg.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 1999-2005 Apple Computer, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  *
29  * $FreeBSD$
30  */
31 
32 #include <sys/param.h>
33 #include <sys/filedesc.h>
34 #include <sys/ipc.h>
35 #include <sys/mount.h>
36 #include <sys/proc.h>
37 #include <sys/socket.h>
38 #include <sys/socketvar.h>
39 #include <sys/protosw.h>
40 #include <sys/domain.h>
41 #include <sys/sbuf.h>
42 #include <sys/systm.h>
43 #include <sys/un.h>
44 #include <sys/vnode.h>
45 
46 #include <netinet/in.h>
47 #include <netinet/in_pcb.h>
48 
49 #include <security/audit/audit.h>
50 #include <security/audit/audit_private.h>
51 
52 /*
53  * Calls to manipulate elements of the audit record structure from system
54  * call code.  Macro wrappers will prevent this functions from being entered
55  * if auditing is disabled, avoiding the function call cost.  We check the
56  * thread audit record pointer anyway, as the audit condition could change,
57  * and pre-selection may not have allocated an audit record for this event.
58  *
59  * XXXAUDIT: Should we assert, in each case, that this field of the record
60  * hasn't already been filled in?
61  */
62 void
63 audit_arg_addr(void *addr)
64 {
65 	struct kaudit_record *ar;
66 
67 	ar = currecord();
68 	if (ar == NULL)
69 		return;
70 
71 	ar->k_ar.ar_arg_addr = addr;
72 	ARG_SET_VALID(ar, ARG_ADDR);
73 }
74 
75 void
76 audit_arg_exit(int status, int retval)
77 {
78 	struct kaudit_record *ar;
79 
80 	ar = currecord();
81 	if (ar == NULL)
82 		return;
83 
84 	ar->k_ar.ar_arg_exitstatus = status;
85 	ar->k_ar.ar_arg_exitretval = retval;
86 	ARG_SET_VALID(ar, ARG_EXIT);
87 }
88 
89 void
90 audit_arg_len(int len)
91 {
92 	struct kaudit_record *ar;
93 
94 	ar = currecord();
95 	if (ar == NULL)
96 		return;
97 
98 	ar->k_ar.ar_arg_len = len;
99 	ARG_SET_VALID(ar, ARG_LEN);
100 }
101 
102 void
103 audit_arg_fd(int fd)
104 {
105 	struct kaudit_record *ar;
106 
107 	ar = currecord();
108 	if (ar == NULL)
109 		return;
110 
111 	ar->k_ar.ar_arg_fd = fd;
112 	ARG_SET_VALID(ar, ARG_FD);
113 }
114 
115 void
116 audit_arg_fflags(int fflags)
117 {
118 	struct kaudit_record *ar;
119 
120 	ar = currecord();
121 	if (ar == NULL)
122 		return;
123 
124 	ar->k_ar.ar_arg_fflags = fflags;
125 	ARG_SET_VALID(ar, ARG_FFLAGS);
126 }
127 
128 void
129 audit_arg_gid(gid_t gid)
130 {
131 	struct kaudit_record *ar;
132 
133 	ar = currecord();
134 	if (ar == NULL)
135 		return;
136 
137 	ar->k_ar.ar_arg_gid = gid;
138 	ARG_SET_VALID(ar, ARG_GID);
139 }
140 
141 void
142 audit_arg_uid(uid_t uid)
143 {
144 	struct kaudit_record *ar;
145 
146 	ar = currecord();
147 	if (ar == NULL)
148 		return;
149 
150 	ar->k_ar.ar_arg_uid = uid;
151 	ARG_SET_VALID(ar, ARG_UID);
152 }
153 
154 void
155 audit_arg_egid(gid_t egid)
156 {
157 	struct kaudit_record *ar;
158 
159 	ar = currecord();
160 	if (ar == NULL)
161 		return;
162 
163 	ar->k_ar.ar_arg_egid = egid;
164 	ARG_SET_VALID(ar, ARG_EGID);
165 }
166 
167 void
168 audit_arg_euid(uid_t euid)
169 {
170 	struct kaudit_record *ar;
171 
172 	ar = currecord();
173 	if (ar == NULL)
174 		return;
175 
176 	ar->k_ar.ar_arg_euid = euid;
177 	ARG_SET_VALID(ar, ARG_EUID);
178 }
179 
180 void
181 audit_arg_rgid(gid_t rgid)
182 {
183 	struct kaudit_record *ar;
184 
185 	ar = currecord();
186 	if (ar == NULL)
187 		return;
188 
189 	ar->k_ar.ar_arg_rgid = rgid;
190 	ARG_SET_VALID(ar, ARG_RGID);
191 }
192 
193 void
194 audit_arg_ruid(uid_t ruid)
195 {
196 	struct kaudit_record *ar;
197 
198 	ar = currecord();
199 	if (ar == NULL)
200 		return;
201 
202 	ar->k_ar.ar_arg_ruid = ruid;
203 	ARG_SET_VALID(ar, ARG_RUID);
204 }
205 
206 void
207 audit_arg_sgid(gid_t sgid)
208 {
209 	struct kaudit_record *ar;
210 
211 	ar = currecord();
212 	if (ar == NULL)
213 		return;
214 
215 	ar->k_ar.ar_arg_sgid = sgid;
216 	ARG_SET_VALID(ar, ARG_SGID);
217 }
218 
219 void
220 audit_arg_suid(uid_t suid)
221 {
222 	struct kaudit_record *ar;
223 
224 	ar = currecord();
225 	if (ar == NULL)
226 		return;
227 
228 	ar->k_ar.ar_arg_suid = suid;
229 	ARG_SET_VALID(ar, ARG_SUID);
230 }
231 
232 void
233 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
234 {
235 	int i;
236 	struct kaudit_record *ar;
237 
238 	ar = currecord();
239 	if (ar == NULL)
240 		return;
241 
242 	for (i = 0; i < gidset_size; i++)
243 		ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
244 	ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
245 	ARG_SET_VALID(ar, ARG_GROUPSET);
246 }
247 
248 void
249 audit_arg_login(char *login)
250 {
251 	struct kaudit_record *ar;
252 
253 	ar = currecord();
254 	if (ar == NULL)
255 		return;
256 
257 	strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
258 	ARG_SET_VALID(ar, ARG_LOGIN);
259 }
260 
261 void
262 audit_arg_ctlname(int *name, int namelen)
263 {
264 	struct kaudit_record *ar;
265 
266 	ar = currecord();
267 	if (ar == NULL)
268 		return;
269 
270 	bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
271 	ar->k_ar.ar_arg_len = namelen;
272 	ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
273 }
274 
275 void
276 audit_arg_mask(int mask)
277 {
278 	struct kaudit_record *ar;
279 
280 	ar = currecord();
281 	if (ar == NULL)
282 		return;
283 
284 	ar->k_ar.ar_arg_mask = mask;
285 	ARG_SET_VALID(ar, ARG_MASK);
286 }
287 
288 void
289 audit_arg_mode(mode_t mode)
290 {
291 	struct kaudit_record *ar;
292 
293 	ar = currecord();
294 	if (ar == NULL)
295 		return;
296 
297 	ar->k_ar.ar_arg_mode = mode;
298 	ARG_SET_VALID(ar, ARG_MODE);
299 }
300 
301 void
302 audit_arg_dev(int dev)
303 {
304 	struct kaudit_record *ar;
305 
306 	ar = currecord();
307 	if (ar == NULL)
308 		return;
309 
310 	ar->k_ar.ar_arg_dev = dev;
311 	ARG_SET_VALID(ar, ARG_DEV);
312 }
313 
314 void
315 audit_arg_value(long value)
316 {
317 	struct kaudit_record *ar;
318 
319 	ar = currecord();
320 	if (ar == NULL)
321 		return;
322 
323 	ar->k_ar.ar_arg_value = value;
324 	ARG_SET_VALID(ar, ARG_VALUE);
325 }
326 
327 void
328 audit_arg_owner(uid_t uid, gid_t gid)
329 {
330 	struct kaudit_record *ar;
331 
332 	ar = currecord();
333 	if (ar == NULL)
334 		return;
335 
336 	ar->k_ar.ar_arg_uid = uid;
337 	ar->k_ar.ar_arg_gid = gid;
338 	ARG_SET_VALID(ar, ARG_UID | ARG_GID);
339 }
340 
341 void
342 audit_arg_pid(pid_t pid)
343 {
344 	struct kaudit_record *ar;
345 
346 	ar = currecord();
347 	if (ar == NULL)
348 		return;
349 
350 	ar->k_ar.ar_arg_pid = pid;
351 	ARG_SET_VALID(ar, ARG_PID);
352 }
353 
354 void
355 audit_arg_process(struct proc *p)
356 {
357 	struct kaudit_record *ar;
358 
359 	KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
360 
361 	PROC_LOCK_ASSERT(p, MA_OWNED);
362 
363 	ar = currecord();
364 	if (ar == NULL)
365 		return;
366 
367 	ar->k_ar.ar_arg_auid = p->p_ucred->cr_audit.ai_auid;
368 	ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
369 	ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
370 	ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
371 	ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
372 	ar->k_ar.ar_arg_asid = p->p_ucred->cr_audit.ai_asid;
373 	ar->k_ar.ar_arg_termid_addr = p->p_ucred->cr_audit.ai_termid;
374 	ar->k_ar.ar_arg_pid = p->p_pid;
375 	ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
376 	    ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
377 }
378 
379 void
380 audit_arg_signum(u_int signum)
381 {
382 	struct kaudit_record *ar;
383 
384 	ar = currecord();
385 	if (ar == NULL)
386 		return;
387 
388 	ar->k_ar.ar_arg_signum = signum;
389 	ARG_SET_VALID(ar, ARG_SIGNUM);
390 }
391 
392 void
393 audit_arg_socket(int sodomain, int sotype, int soprotocol)
394 {
395 	struct kaudit_record *ar;
396 
397 	ar = currecord();
398 	if (ar == NULL)
399 		return;
400 
401 	ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
402 	ar->k_ar.ar_arg_sockinfo.so_type = sotype;
403 	ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
404 	ARG_SET_VALID(ar, ARG_SOCKINFO);
405 }
406 
407 void
408 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
409 {
410 	struct kaudit_record *ar;
411 
412 	KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
413 	KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
414 
415 	ar = currecord();
416 	if (ar == NULL)
417 		return;
418 
419 	bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
420 	switch (sa->sa_family) {
421 	case AF_INET:
422 		ARG_SET_VALID(ar, ARG_SADDRINET);
423 		break;
424 
425 	case AF_INET6:
426 		ARG_SET_VALID(ar, ARG_SADDRINET6);
427 		break;
428 
429 	case AF_UNIX:
430 		audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
431 				ARG_UPATH1);
432 		ARG_SET_VALID(ar, ARG_SADDRUNIX);
433 		break;
434 	/* XXXAUDIT: default:? */
435 	}
436 }
437 
438 void
439 audit_arg_auid(uid_t auid)
440 {
441 	struct kaudit_record *ar;
442 
443 	ar = currecord();
444 	if (ar == NULL)
445 		return;
446 
447 	ar->k_ar.ar_arg_auid = auid;
448 	ARG_SET_VALID(ar, ARG_AUID);
449 }
450 
451 void
452 audit_arg_auditinfo(struct auditinfo *au_info)
453 {
454 	struct kaudit_record *ar;
455 
456 	ar = currecord();
457 	if (ar == NULL)
458 		return;
459 
460 	ar->k_ar.ar_arg_auid = au_info->ai_auid;
461 	ar->k_ar.ar_arg_asid = au_info->ai_asid;
462 	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
463 	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
464 	ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
465 	ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
466 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
467 }
468 
469 void
470 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
471 {
472 	struct kaudit_record *ar;
473 
474 	ar = currecord();
475 	if (ar == NULL)
476 		return;
477 
478 	ar->k_ar.ar_arg_auid = au_info->ai_auid;
479 	ar->k_ar.ar_arg_asid = au_info->ai_asid;
480 	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
481 	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
482 	ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
483 	ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
484 	ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
485 	ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
486 	ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
487 	ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
488 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
489 }
490 
491 void
492 audit_arg_text(char *text)
493 {
494 	struct kaudit_record *ar;
495 
496 	KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
497 
498 	ar = currecord();
499 	if (ar == NULL)
500 		return;
501 
502 	/* Invalidate the text string */
503 	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
504 
505 	if (ar->k_ar.ar_arg_text == NULL)
506 		ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
507 		    M_WAITOK);
508 
509 	strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
510 	ARG_SET_VALID(ar, ARG_TEXT);
511 }
512 
513 void
514 audit_arg_cmd(int cmd)
515 {
516 	struct kaudit_record *ar;
517 
518 	ar = currecord();
519 	if (ar == NULL)
520 		return;
521 
522 	ar->k_ar.ar_arg_cmd = cmd;
523 	ARG_SET_VALID(ar, ARG_CMD);
524 }
525 
526 void
527 audit_arg_svipc_cmd(int cmd)
528 {
529 	struct kaudit_record *ar;
530 
531 	ar = currecord();
532 	if (ar == NULL)
533 		return;
534 
535 	ar->k_ar.ar_arg_svipc_cmd = cmd;
536 	ARG_SET_VALID(ar, ARG_SVIPC_CMD);
537 }
538 
539 void
540 audit_arg_svipc_perm(struct ipc_perm *perm)
541 {
542 	struct kaudit_record *ar;
543 
544 	ar = currecord();
545 	if (ar == NULL)
546 		return;
547 
548 	bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
549 	    sizeof(ar->k_ar.ar_arg_svipc_perm));
550 	ARG_SET_VALID(ar, ARG_SVIPC_PERM);
551 }
552 
553 void
554 audit_arg_svipc_id(int id)
555 {
556 	struct kaudit_record *ar;
557 
558 	ar = currecord();
559 	if (ar == NULL)
560 		return;
561 
562 	ar->k_ar.ar_arg_svipc_id = id;
563 	ARG_SET_VALID(ar, ARG_SVIPC_ID);
564 }
565 
566 void
567 audit_arg_svipc_addr(void * addr)
568 {
569 	struct kaudit_record *ar;
570 
571 	ar = currecord();
572 	if (ar == NULL)
573 		return;
574 
575 	ar->k_ar.ar_arg_svipc_addr = addr;
576 	ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
577 }
578 
579 void
580 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
581 {
582 	struct kaudit_record *ar;
583 
584 	ar = currecord();
585 	if (ar == NULL)
586 		return;
587 
588 	ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
589 	ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
590 	ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
591 	ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
592 }
593 
594 void
595 audit_arg_auditon(union auditon_udata *udata)
596 {
597 	struct kaudit_record *ar;
598 
599 	ar = currecord();
600 	if (ar == NULL)
601 		return;
602 
603 	bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
604 	    sizeof(ar->k_ar.ar_arg_auditon));
605 	ARG_SET_VALID(ar, ARG_AUDITON);
606 }
607 
608 /*
609  * Audit information about a file, either the file's vnode info, or its
610  * socket address info.
611  */
612 void
613 audit_arg_file(struct proc *p, struct file *fp)
614 {
615 	struct kaudit_record *ar;
616 	struct socket *so;
617 	struct inpcb *pcb;
618 	struct vnode *vp;
619 	int vfslocked;
620 
621 	ar = currecord();
622 	if (ar == NULL)
623 		return;
624 
625 	switch (fp->f_type) {
626 	case DTYPE_VNODE:
627 	case DTYPE_FIFO:
628 		/*
629 		 * XXXAUDIT: Only possibly to record as first vnode?
630 		 */
631 		vp = fp->f_vnode;
632 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
633 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
634 		audit_arg_vnode(vp, ARG_VNODE1);
635 		VOP_UNLOCK(vp, 0);
636 		VFS_UNLOCK_GIANT(vfslocked);
637 		break;
638 
639 	case DTYPE_SOCKET:
640 		so = (struct socket *)fp->f_data;
641 		if (INP_CHECK_SOCKAF(so, PF_INET)) {
642 			SOCK_LOCK(so);
643 			ar->k_ar.ar_arg_sockinfo.so_type =
644 			    so->so_type;
645 			ar->k_ar.ar_arg_sockinfo.so_domain =
646 			    INP_SOCKAF(so);
647 			ar->k_ar.ar_arg_sockinfo.so_protocol =
648 			    so->so_proto->pr_protocol;
649 			SOCK_UNLOCK(so);
650 			pcb = (struct inpcb *)so->so_pcb;
651 			INP_LOCK(pcb);
652 			ar->k_ar.ar_arg_sockinfo.so_raddr =
653 			    pcb->inp_faddr.s_addr;
654 			ar->k_ar.ar_arg_sockinfo.so_laddr =
655 			    pcb->inp_laddr.s_addr;
656 			ar->k_ar.ar_arg_sockinfo.so_rport =
657 			    pcb->inp_fport;
658 			ar->k_ar.ar_arg_sockinfo.so_lport =
659 			    pcb->inp_lport;
660 			INP_UNLOCK(pcb);
661 			ARG_SET_VALID(ar, ARG_SOCKINFO);
662 		}
663 		break;
664 
665 	default:
666 		/* XXXAUDIT: else? */
667 		break;
668 	}
669 }
670 
671 /*
672  * Store a path as given by the user process for auditing into the audit
673  * record stored on the user thread. This function will allocate the memory
674  * to store the path info if not already available. This memory will be freed
675  * when the audit record is freed.
676  *
677  * XXXAUDIT: Possibly assert that the memory isn't already allocated?
678  */
679 void
680 audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
681 {
682 	struct kaudit_record *ar;
683 	char **pathp;
684 
685 	KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
686 	KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
687 
688 	ar = currecord();
689 	if (ar == NULL)
690 		return;
691 
692 	KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
693 	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
694 	KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
695 	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
696 
697 	if (flag == ARG_UPATH1)
698 		pathp = &ar->k_ar.ar_arg_upath1;
699 	else
700 		pathp = &ar->k_ar.ar_arg_upath2;
701 
702 	if (*pathp == NULL)
703 		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
704 
705 	canon_path(td, upath, *pathp);
706 
707 	ARG_SET_VALID(ar, flag);
708 }
709 
710 /*
711  * Function to save the path and vnode attr information into the audit
712  * record.
713  *
714  * It is assumed that the caller will hold any vnode locks necessary to
715  * perform a VOP_GETATTR() on the passed vnode.
716  *
717  * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
718  * provides access to the generation number as we need that to construct the
719  * BSM file ID.
720  *
721  * XXX: We should accept the process argument from the caller, since it's
722  * very likely they already have a reference.
723  *
724  * XXX: Error handling in this function is poor.
725  *
726  * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
727  */
728 void
729 audit_arg_vnode(struct vnode *vp, u_int64_t flags)
730 {
731 	struct kaudit_record *ar;
732 	struct vattr vattr;
733 	int error;
734 	struct vnode_au_info *vnp;
735 
736 	KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
737 	KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
738 	    ("audit_arg_vnode: flags %jd", (intmax_t)flags));
739 
740 	/*
741 	 * Assume that if the caller is calling audit_arg_vnode() on a
742 	 * non-MPSAFE vnode, then it will have acquired Giant.
743 	 */
744 	VFS_ASSERT_GIANT(vp->v_mount);
745 	ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
746 
747 	ar = currecord();
748 	if (ar == NULL)
749 		return;
750 
751 	/*
752 	 * XXXAUDIT: The below clears, and then resets the flags for valid
753 	 * arguments.  Ideally, either the new vnode is used, or the old one
754 	 * would be.
755 	 */
756 	if (flags & ARG_VNODE1) {
757 		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
758 		vnp = &ar->k_ar.ar_arg_vnode1;
759 	} else {
760 		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
761 		vnp = &ar->k_ar.ar_arg_vnode2;
762 	}
763 
764 	error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
765 	if (error) {
766 		/* XXX: How to handle this case? */
767 		return;
768 	}
769 
770 	vnp->vn_mode = vattr.va_mode;
771 	vnp->vn_uid = vattr.va_uid;
772 	vnp->vn_gid = vattr.va_gid;
773 	vnp->vn_dev = vattr.va_rdev;
774 	vnp->vn_fsid = vattr.va_fsid;
775 	vnp->vn_fileid = vattr.va_fileid;
776 	vnp->vn_gen = vattr.va_gen;
777 	if (flags & ARG_VNODE1)
778 		ARG_SET_VALID(ar, ARG_VNODE1);
779 	else
780 		ARG_SET_VALID(ar, ARG_VNODE2);
781 }
782 
783 /*
784  * Audit the argument strings passed to exec.
785  */
786 void
787 audit_arg_argv(char *argv, int argc, int length)
788 {
789 	struct kaudit_record *ar;
790 
791 	if (audit_argv == 0)
792 		return;
793 
794 	ar = currecord();
795 	if (ar == NULL)
796 		return;
797 
798 	ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
799 	bcopy(argv, ar->k_ar.ar_arg_argv, length);
800 	ar->k_ar.ar_arg_argc = argc;
801 	ARG_SET_VALID(ar, ARG_ARGV);
802 }
803 
804 /*
805  * Audit the environment strings passed to exec.
806  */
807 void
808 audit_arg_envv(char *envv, int envc, int length)
809 {
810 	struct kaudit_record *ar;
811 
812 	if (audit_arge == 0)
813 		return;
814 
815 	ar = currecord();
816 	if (ar == NULL)
817 		return;
818 
819 	ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
820 	bcopy(envv, ar->k_ar.ar_arg_envv, length);
821 	ar->k_ar.ar_arg_envc = envc;
822 	ARG_SET_VALID(ar, ARG_ENVV);
823 }
824 
825 /*
826  * The close() system call uses it's own audit call to capture the path/vnode
827  * information because those pieces are not easily obtained within the system
828  * call itself.
829  */
830 void
831 audit_sysclose(struct thread *td, int fd)
832 {
833 	struct kaudit_record *ar;
834 	struct vnode *vp;
835 	struct file *fp;
836 	int vfslocked;
837 
838 	KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
839 
840 	ar = currecord();
841 	if (ar == NULL)
842 		return;
843 
844 	audit_arg_fd(fd);
845 
846 	if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
847 		return;
848 
849 	vp = fp->f_vnode;
850 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
851 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
852 	audit_arg_vnode(vp, ARG_VNODE1);
853 	VOP_UNLOCK(vp, 0);
854 	VFS_UNLOCK_GIANT(vfslocked);
855 	fdrop(fp, td);
856 }
857