1 /*- 2 * Copyright (c) 1999-2005 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/filedesc.h> 35 #include <sys/ipc.h> 36 #include <sys/mount.h> 37 #include <sys/proc.h> 38 #include <sys/socket.h> 39 #include <sys/socketvar.h> 40 #include <sys/protosw.h> 41 #include <sys/domain.h> 42 #include <sys/sbuf.h> 43 #include <sys/systm.h> 44 #include <sys/un.h> 45 #include <sys/vnode.h> 46 47 #include <netinet/in.h> 48 #include <netinet/in_pcb.h> 49 50 #include <security/audit/audit.h> 51 #include <security/audit/audit_private.h> 52 53 /* 54 * Calls to manipulate elements of the audit record structure from system 55 * call code. Macro wrappers will prevent this functions from being entered 56 * if auditing is disabled, avoiding the function call cost. We check the 57 * thread audit record pointer anyway, as the audit condition could change, 58 * and pre-selection may not have allocated an audit record for this event. 59 * 60 * XXXAUDIT: Should we assert, in each case, that this field of the record 61 * hasn't already been filled in? 62 */ 63 void 64 audit_arg_addr(void *addr) 65 { 66 struct kaudit_record *ar; 67 68 ar = currecord(); 69 if (ar == NULL) 70 return; 71 72 ar->k_ar.ar_arg_addr = addr; 73 ARG_SET_VALID(ar, ARG_ADDR); 74 } 75 76 void 77 audit_arg_exit(int status, int retval) 78 { 79 struct kaudit_record *ar; 80 81 ar = currecord(); 82 if (ar == NULL) 83 return; 84 85 ar->k_ar.ar_arg_exitstatus = status; 86 ar->k_ar.ar_arg_exitretval = retval; 87 ARG_SET_VALID(ar, ARG_EXIT); 88 } 89 90 void 91 audit_arg_len(int len) 92 { 93 struct kaudit_record *ar; 94 95 ar = currecord(); 96 if (ar == NULL) 97 return; 98 99 ar->k_ar.ar_arg_len = len; 100 ARG_SET_VALID(ar, ARG_LEN); 101 } 102 103 void 104 audit_arg_fd(int fd) 105 { 106 struct kaudit_record *ar; 107 108 ar = currecord(); 109 if (ar == NULL) 110 return; 111 112 ar->k_ar.ar_arg_fd = fd; 113 ARG_SET_VALID(ar, ARG_FD); 114 } 115 116 void 117 audit_arg_fflags(int fflags) 118 { 119 struct kaudit_record *ar; 120 121 ar = currecord(); 122 if (ar == NULL) 123 return; 124 125 ar->k_ar.ar_arg_fflags = fflags; 126 ARG_SET_VALID(ar, ARG_FFLAGS); 127 } 128 129 void 130 audit_arg_gid(gid_t gid) 131 { 132 struct kaudit_record *ar; 133 134 ar = currecord(); 135 if (ar == NULL) 136 return; 137 138 ar->k_ar.ar_arg_gid = gid; 139 ARG_SET_VALID(ar, ARG_GID); 140 } 141 142 void 143 audit_arg_uid(uid_t uid) 144 { 145 struct kaudit_record *ar; 146 147 ar = currecord(); 148 if (ar == NULL) 149 return; 150 151 ar->k_ar.ar_arg_uid = uid; 152 ARG_SET_VALID(ar, ARG_UID); 153 } 154 155 void 156 audit_arg_egid(gid_t egid) 157 { 158 struct kaudit_record *ar; 159 160 ar = currecord(); 161 if (ar == NULL) 162 return; 163 164 ar->k_ar.ar_arg_egid = egid; 165 ARG_SET_VALID(ar, ARG_EGID); 166 } 167 168 void 169 audit_arg_euid(uid_t euid) 170 { 171 struct kaudit_record *ar; 172 173 ar = currecord(); 174 if (ar == NULL) 175 return; 176 177 ar->k_ar.ar_arg_euid = euid; 178 ARG_SET_VALID(ar, ARG_EUID); 179 } 180 181 void 182 audit_arg_rgid(gid_t rgid) 183 { 184 struct kaudit_record *ar; 185 186 ar = currecord(); 187 if (ar == NULL) 188 return; 189 190 ar->k_ar.ar_arg_rgid = rgid; 191 ARG_SET_VALID(ar, ARG_RGID); 192 } 193 194 void 195 audit_arg_ruid(uid_t ruid) 196 { 197 struct kaudit_record *ar; 198 199 ar = currecord(); 200 if (ar == NULL) 201 return; 202 203 ar->k_ar.ar_arg_ruid = ruid; 204 ARG_SET_VALID(ar, ARG_RUID); 205 } 206 207 void 208 audit_arg_sgid(gid_t sgid) 209 { 210 struct kaudit_record *ar; 211 212 ar = currecord(); 213 if (ar == NULL) 214 return; 215 216 ar->k_ar.ar_arg_sgid = sgid; 217 ARG_SET_VALID(ar, ARG_SGID); 218 } 219 220 void 221 audit_arg_suid(uid_t suid) 222 { 223 struct kaudit_record *ar; 224 225 ar = currecord(); 226 if (ar == NULL) 227 return; 228 229 ar->k_ar.ar_arg_suid = suid; 230 ARG_SET_VALID(ar, ARG_SUID); 231 } 232 233 void 234 audit_arg_groupset(gid_t *gidset, u_int gidset_size) 235 { 236 u_int i; 237 struct kaudit_record *ar; 238 239 ar = currecord(); 240 if (ar == NULL) 241 return; 242 243 for (i = 0; i < gidset_size; i++) 244 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 245 ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 246 ARG_SET_VALID(ar, ARG_GROUPSET); 247 } 248 249 void 250 audit_arg_login(char *login) 251 { 252 struct kaudit_record *ar; 253 254 ar = currecord(); 255 if (ar == NULL) 256 return; 257 258 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 259 ARG_SET_VALID(ar, ARG_LOGIN); 260 } 261 262 void 263 audit_arg_ctlname(int *name, int namelen) 264 { 265 struct kaudit_record *ar; 266 267 ar = currecord(); 268 if (ar == NULL) 269 return; 270 271 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 272 ar->k_ar.ar_arg_len = namelen; 273 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 274 } 275 276 void 277 audit_arg_mask(int mask) 278 { 279 struct kaudit_record *ar; 280 281 ar = currecord(); 282 if (ar == NULL) 283 return; 284 285 ar->k_ar.ar_arg_mask = mask; 286 ARG_SET_VALID(ar, ARG_MASK); 287 } 288 289 void 290 audit_arg_mode(mode_t mode) 291 { 292 struct kaudit_record *ar; 293 294 ar = currecord(); 295 if (ar == NULL) 296 return; 297 298 ar->k_ar.ar_arg_mode = mode; 299 ARG_SET_VALID(ar, ARG_MODE); 300 } 301 302 void 303 audit_arg_dev(int dev) 304 { 305 struct kaudit_record *ar; 306 307 ar = currecord(); 308 if (ar == NULL) 309 return; 310 311 ar->k_ar.ar_arg_dev = dev; 312 ARG_SET_VALID(ar, ARG_DEV); 313 } 314 315 void 316 audit_arg_value(long value) 317 { 318 struct kaudit_record *ar; 319 320 ar = currecord(); 321 if (ar == NULL) 322 return; 323 324 ar->k_ar.ar_arg_value = value; 325 ARG_SET_VALID(ar, ARG_VALUE); 326 } 327 328 void 329 audit_arg_owner(uid_t uid, gid_t gid) 330 { 331 struct kaudit_record *ar; 332 333 ar = currecord(); 334 if (ar == NULL) 335 return; 336 337 ar->k_ar.ar_arg_uid = uid; 338 ar->k_ar.ar_arg_gid = gid; 339 ARG_SET_VALID(ar, ARG_UID | ARG_GID); 340 } 341 342 void 343 audit_arg_pid(pid_t pid) 344 { 345 struct kaudit_record *ar; 346 347 ar = currecord(); 348 if (ar == NULL) 349 return; 350 351 ar->k_ar.ar_arg_pid = pid; 352 ARG_SET_VALID(ar, ARG_PID); 353 } 354 355 void 356 audit_arg_process(struct proc *p) 357 { 358 struct kaudit_record *ar; 359 struct ucred *cred; 360 361 KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 362 363 PROC_LOCK_ASSERT(p, MA_OWNED); 364 365 ar = currecord(); 366 if (ar == NULL) 367 return; 368 369 cred = p->p_ucred; 370 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid; 371 ar->k_ar.ar_arg_euid = cred->cr_uid; 372 ar->k_ar.ar_arg_egid = cred->cr_groups[0]; 373 ar->k_ar.ar_arg_ruid = cred->cr_ruid; 374 ar->k_ar.ar_arg_rgid = cred->cr_rgid; 375 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid; 376 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid; 377 ar->k_ar.ar_arg_pid = p->p_pid; 378 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 379 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS); 380 } 381 382 void 383 audit_arg_signum(u_int signum) 384 { 385 struct kaudit_record *ar; 386 387 ar = currecord(); 388 if (ar == NULL) 389 return; 390 391 ar->k_ar.ar_arg_signum = signum; 392 ARG_SET_VALID(ar, ARG_SIGNUM); 393 } 394 395 void 396 audit_arg_socket(int sodomain, int sotype, int soprotocol) 397 { 398 struct kaudit_record *ar; 399 400 ar = currecord(); 401 if (ar == NULL) 402 return; 403 404 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 405 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 406 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 407 ARG_SET_VALID(ar, ARG_SOCKINFO); 408 } 409 410 void 411 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa) 412 { 413 struct kaudit_record *ar; 414 415 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 416 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 417 418 ar = currecord(); 419 if (ar == NULL) 420 return; 421 422 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 423 switch (sa->sa_family) { 424 case AF_INET: 425 ARG_SET_VALID(ar, ARG_SADDRINET); 426 break; 427 428 case AF_INET6: 429 ARG_SET_VALID(ar, ARG_SADDRINET6); 430 break; 431 432 case AF_UNIX: 433 audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path, 434 ARG_UPATH1); 435 ARG_SET_VALID(ar, ARG_SADDRUNIX); 436 break; 437 /* XXXAUDIT: default:? */ 438 } 439 } 440 441 void 442 audit_arg_auid(uid_t auid) 443 { 444 struct kaudit_record *ar; 445 446 ar = currecord(); 447 if (ar == NULL) 448 return; 449 450 ar->k_ar.ar_arg_auid = auid; 451 ARG_SET_VALID(ar, ARG_AUID); 452 } 453 454 void 455 audit_arg_auditinfo(struct auditinfo *au_info) 456 { 457 struct kaudit_record *ar; 458 459 ar = currecord(); 460 if (ar == NULL) 461 return; 462 463 ar->k_ar.ar_arg_auid = au_info->ai_auid; 464 ar->k_ar.ar_arg_asid = au_info->ai_asid; 465 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 466 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 467 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 468 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 469 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 470 } 471 472 void 473 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info) 474 { 475 struct kaudit_record *ar; 476 477 ar = currecord(); 478 if (ar == NULL) 479 return; 480 481 ar->k_ar.ar_arg_auid = au_info->ai_auid; 482 ar->k_ar.ar_arg_asid = au_info->ai_asid; 483 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 484 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 485 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type; 486 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port; 487 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0]; 488 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1]; 489 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2]; 490 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3]; 491 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR); 492 } 493 494 void 495 audit_arg_text(char *text) 496 { 497 struct kaudit_record *ar; 498 499 KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 500 501 ar = currecord(); 502 if (ar == NULL) 503 return; 504 505 /* Invalidate the text string */ 506 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 507 508 if (ar->k_ar.ar_arg_text == NULL) 509 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 510 M_WAITOK); 511 512 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 513 ARG_SET_VALID(ar, ARG_TEXT); 514 } 515 516 void 517 audit_arg_cmd(int cmd) 518 { 519 struct kaudit_record *ar; 520 521 ar = currecord(); 522 if (ar == NULL) 523 return; 524 525 ar->k_ar.ar_arg_cmd = cmd; 526 ARG_SET_VALID(ar, ARG_CMD); 527 } 528 529 void 530 audit_arg_svipc_cmd(int cmd) 531 { 532 struct kaudit_record *ar; 533 534 ar = currecord(); 535 if (ar == NULL) 536 return; 537 538 ar->k_ar.ar_arg_svipc_cmd = cmd; 539 ARG_SET_VALID(ar, ARG_SVIPC_CMD); 540 } 541 542 void 543 audit_arg_svipc_perm(struct ipc_perm *perm) 544 { 545 struct kaudit_record *ar; 546 547 ar = currecord(); 548 if (ar == NULL) 549 return; 550 551 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 552 sizeof(ar->k_ar.ar_arg_svipc_perm)); 553 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 554 } 555 556 void 557 audit_arg_svipc_id(int id) 558 { 559 struct kaudit_record *ar; 560 561 ar = currecord(); 562 if (ar == NULL) 563 return; 564 565 ar->k_ar.ar_arg_svipc_id = id; 566 ARG_SET_VALID(ar, ARG_SVIPC_ID); 567 } 568 569 void 570 audit_arg_svipc_addr(void * addr) 571 { 572 struct kaudit_record *ar; 573 574 ar = currecord(); 575 if (ar == NULL) 576 return; 577 578 ar->k_ar.ar_arg_svipc_addr = addr; 579 ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 580 } 581 582 void 583 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 584 { 585 struct kaudit_record *ar; 586 587 ar = currecord(); 588 if (ar == NULL) 589 return; 590 591 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 592 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 593 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 594 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 595 } 596 597 void 598 audit_arg_auditon(union auditon_udata *udata) 599 { 600 struct kaudit_record *ar; 601 602 ar = currecord(); 603 if (ar == NULL) 604 return; 605 606 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 607 sizeof(ar->k_ar.ar_arg_auditon)); 608 ARG_SET_VALID(ar, ARG_AUDITON); 609 } 610 611 /* 612 * Audit information about a file, either the file's vnode info, or its 613 * socket address info. 614 */ 615 void 616 audit_arg_file(struct proc *p, struct file *fp) 617 { 618 struct kaudit_record *ar; 619 struct socket *so; 620 struct inpcb *pcb; 621 struct vnode *vp; 622 int vfslocked; 623 624 ar = currecord(); 625 if (ar == NULL) 626 return; 627 628 switch (fp->f_type) { 629 case DTYPE_VNODE: 630 case DTYPE_FIFO: 631 /* 632 * XXXAUDIT: Only possibly to record as first vnode? 633 */ 634 vp = fp->f_vnode; 635 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 636 vn_lock(vp, LK_SHARED | LK_RETRY); 637 audit_arg_vnode(vp, ARG_VNODE1); 638 VOP_UNLOCK(vp, 0); 639 VFS_UNLOCK_GIANT(vfslocked); 640 break; 641 642 case DTYPE_SOCKET: 643 so = (struct socket *)fp->f_data; 644 if (INP_CHECK_SOCKAF(so, PF_INET)) { 645 SOCK_LOCK(so); 646 ar->k_ar.ar_arg_sockinfo.so_type = 647 so->so_type; 648 ar->k_ar.ar_arg_sockinfo.so_domain = 649 INP_SOCKAF(so); 650 ar->k_ar.ar_arg_sockinfo.so_protocol = 651 so->so_proto->pr_protocol; 652 SOCK_UNLOCK(so); 653 pcb = (struct inpcb *)so->so_pcb; 654 INP_RLOCK(pcb); 655 ar->k_ar.ar_arg_sockinfo.so_raddr = 656 pcb->inp_faddr.s_addr; 657 ar->k_ar.ar_arg_sockinfo.so_laddr = 658 pcb->inp_laddr.s_addr; 659 ar->k_ar.ar_arg_sockinfo.so_rport = 660 pcb->inp_fport; 661 ar->k_ar.ar_arg_sockinfo.so_lport = 662 pcb->inp_lport; 663 INP_RUNLOCK(pcb); 664 ARG_SET_VALID(ar, ARG_SOCKINFO); 665 } 666 break; 667 668 default: 669 /* XXXAUDIT: else? */ 670 break; 671 } 672 } 673 674 /* 675 * Store a path as given by the user process for auditing into the audit 676 * record stored on the user thread. This function will allocate the memory 677 * to store the path info if not already available. This memory will be 678 * freed when the audit record is freed. 679 * 680 * XXXAUDIT: Possibly assert that the memory isn't already allocated? 681 */ 682 void 683 audit_arg_upath(struct thread *td, char *upath, u_int64_t flag) 684 { 685 struct kaudit_record *ar; 686 char **pathp; 687 688 KASSERT(td != NULL, ("audit_arg_upath: td == NULL")); 689 KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL")); 690 691 ar = currecord(); 692 if (ar == NULL) 693 return; 694 695 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2), 696 ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 697 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2), 698 ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 699 700 if (flag == ARG_UPATH1) 701 pathp = &ar->k_ar.ar_arg_upath1; 702 else 703 pathp = &ar->k_ar.ar_arg_upath2; 704 705 if (*pathp == NULL) 706 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 707 708 audit_canon_path(td, upath, *pathp); 709 710 ARG_SET_VALID(ar, flag); 711 } 712 713 /* 714 * Function to save the path and vnode attr information into the audit 715 * record. 716 * 717 * It is assumed that the caller will hold any vnode locks necessary to 718 * perform a VOP_GETATTR() on the passed vnode. 719 * 720 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always 721 * provides access to the generation number as we need that to construct the 722 * BSM file ID. 723 * 724 * XXX: We should accept the process argument from the caller, since it's 725 * very likely they already have a reference. 726 * 727 * XXX: Error handling in this function is poor. 728 * 729 * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 730 */ 731 void 732 audit_arg_vnode(struct vnode *vp, u_int64_t flags) 733 { 734 struct kaudit_record *ar; 735 struct vattr vattr; 736 int error; 737 struct vnode_au_info *vnp; 738 739 KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL")); 740 KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2), 741 ("audit_arg_vnode: flags %jd", (intmax_t)flags)); 742 743 /* 744 * Assume that if the caller is calling audit_arg_vnode() on a 745 * non-MPSAFE vnode, then it will have acquired Giant. 746 */ 747 VFS_ASSERT_GIANT(vp->v_mount); 748 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 749 750 ar = currecord(); 751 if (ar == NULL) 752 return; 753 754 /* 755 * XXXAUDIT: The below clears, and then resets the flags for valid 756 * arguments. Ideally, either the new vnode is used, or the old one 757 * would be. 758 */ 759 if (flags & ARG_VNODE1) { 760 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1); 761 vnp = &ar->k_ar.ar_arg_vnode1; 762 } else { 763 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2); 764 vnp = &ar->k_ar.ar_arg_vnode2; 765 } 766 767 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred); 768 if (error) { 769 /* XXX: How to handle this case? */ 770 return; 771 } 772 773 vnp->vn_mode = vattr.va_mode; 774 vnp->vn_uid = vattr.va_uid; 775 vnp->vn_gid = vattr.va_gid; 776 vnp->vn_dev = vattr.va_rdev; 777 vnp->vn_fsid = vattr.va_fsid; 778 vnp->vn_fileid = vattr.va_fileid; 779 vnp->vn_gen = vattr.va_gen; 780 if (flags & ARG_VNODE1) 781 ARG_SET_VALID(ar, ARG_VNODE1); 782 else 783 ARG_SET_VALID(ar, ARG_VNODE2); 784 } 785 786 /* 787 * Audit the argument strings passed to exec. 788 */ 789 void 790 audit_arg_argv(char *argv, int argc, int length) 791 { 792 struct kaudit_record *ar; 793 794 if (audit_argv == 0) 795 return; 796 797 ar = currecord(); 798 if (ar == NULL) 799 return; 800 801 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 802 bcopy(argv, ar->k_ar.ar_arg_argv, length); 803 ar->k_ar.ar_arg_argc = argc; 804 ARG_SET_VALID(ar, ARG_ARGV); 805 } 806 807 /* 808 * Audit the environment strings passed to exec. 809 */ 810 void 811 audit_arg_envv(char *envv, int envc, int length) 812 { 813 struct kaudit_record *ar; 814 815 if (audit_arge == 0) 816 return; 817 818 ar = currecord(); 819 if (ar == NULL) 820 return; 821 822 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 823 bcopy(envv, ar->k_ar.ar_arg_envv, length); 824 ar->k_ar.ar_arg_envc = envc; 825 ARG_SET_VALID(ar, ARG_ENVV); 826 } 827 828 /* 829 * The close() system call uses it's own audit call to capture the path/vnode 830 * information because those pieces are not easily obtained within the system 831 * call itself. 832 */ 833 void 834 audit_sysclose(struct thread *td, int fd) 835 { 836 struct kaudit_record *ar; 837 struct vnode *vp; 838 struct file *fp; 839 int vfslocked; 840 841 KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 842 843 ar = currecord(); 844 if (ar == NULL) 845 return; 846 847 audit_arg_fd(fd); 848 849 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0) 850 return; 851 852 vp = fp->f_vnode; 853 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 854 vn_lock(vp, LK_SHARED | LK_RETRY); 855 audit_arg_vnode(vp, ARG_VNODE1); 856 VOP_UNLOCK(vp, 0); 857 VFS_UNLOCK_GIANT(vfslocked); 858 fdrop(fp, td); 859 } 860