1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2005 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/cdefs.h> 39 #include <sys/param.h> 40 #include <sys/filedesc.h> 41 #include <sys/capsicum.h> 42 #include <sys/ipc.h> 43 #include <sys/mount.h> 44 #include <sys/proc.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/protosw.h> 48 #include <sys/domain.h> 49 #include <sys/sbuf.h> 50 #include <sys/systm.h> 51 #include <sys/un.h> 52 #include <sys/vnode.h> 53 54 #include <netinet/in.h> 55 #include <netinet/in_pcb.h> 56 57 #include <security/audit/audit.h> 58 #include <security/audit/audit_private.h> 59 60 /* 61 * Calls to manipulate elements of the audit record structure from system 62 * call code. Macro wrappers will prevent this functions from being entered 63 * if auditing is disabled, avoiding the function call cost. We check the 64 * thread audit record pointer anyway, as the audit condition could change, 65 * and pre-selection may not have allocated an audit record for this event. 66 * 67 * XXXAUDIT: Should we assert, in each case, that this field of the record 68 * hasn't already been filled in? 69 */ 70 void 71 audit_arg_addr(void *addr) 72 { 73 struct kaudit_record *ar; 74 75 ar = currecord(); 76 if (ar == NULL) 77 return; 78 79 ar->k_ar.ar_arg_addr = addr; 80 ARG_SET_VALID(ar, ARG_ADDR); 81 } 82 83 void 84 audit_arg_exit(int status, int retval) 85 { 86 struct kaudit_record *ar; 87 88 ar = currecord(); 89 if (ar == NULL) 90 return; 91 92 ar->k_ar.ar_arg_exitstatus = status; 93 ar->k_ar.ar_arg_exitretval = retval; 94 ARG_SET_VALID(ar, ARG_EXIT); 95 } 96 97 void 98 audit_arg_len(int len) 99 { 100 struct kaudit_record *ar; 101 102 ar = currecord(); 103 if (ar == NULL) 104 return; 105 106 ar->k_ar.ar_arg_len = len; 107 ARG_SET_VALID(ar, ARG_LEN); 108 } 109 110 void 111 audit_arg_atfd1(int atfd) 112 { 113 struct kaudit_record *ar; 114 115 ar = currecord(); 116 if (ar == NULL) 117 return; 118 119 ar->k_ar.ar_arg_atfd1 = atfd; 120 ARG_SET_VALID(ar, ARG_ATFD1); 121 } 122 123 void 124 audit_arg_atfd2(int atfd) 125 { 126 struct kaudit_record *ar; 127 128 ar = currecord(); 129 if (ar == NULL) 130 return; 131 132 ar->k_ar.ar_arg_atfd2 = atfd; 133 ARG_SET_VALID(ar, ARG_ATFD2); 134 } 135 136 void 137 audit_arg_fd(int fd) 138 { 139 struct kaudit_record *ar; 140 141 ar = currecord(); 142 if (ar == NULL) 143 return; 144 145 ar->k_ar.ar_arg_fd = fd; 146 ARG_SET_VALID(ar, ARG_FD); 147 } 148 149 void 150 audit_arg_fflags(int fflags) 151 { 152 struct kaudit_record *ar; 153 154 ar = currecord(); 155 if (ar == NULL) 156 return; 157 158 ar->k_ar.ar_arg_fflags = fflags; 159 ARG_SET_VALID(ar, ARG_FFLAGS); 160 } 161 162 void 163 audit_arg_gid(gid_t gid) 164 { 165 struct kaudit_record *ar; 166 167 ar = currecord(); 168 if (ar == NULL) 169 return; 170 171 ar->k_ar.ar_arg_gid = gid; 172 ARG_SET_VALID(ar, ARG_GID); 173 } 174 175 void 176 audit_arg_uid(uid_t uid) 177 { 178 struct kaudit_record *ar; 179 180 ar = currecord(); 181 if (ar == NULL) 182 return; 183 184 ar->k_ar.ar_arg_uid = uid; 185 ARG_SET_VALID(ar, ARG_UID); 186 } 187 188 void 189 audit_arg_egid(gid_t egid) 190 { 191 struct kaudit_record *ar; 192 193 ar = currecord(); 194 if (ar == NULL) 195 return; 196 197 ar->k_ar.ar_arg_egid = egid; 198 ARG_SET_VALID(ar, ARG_EGID); 199 } 200 201 void 202 audit_arg_euid(uid_t euid) 203 { 204 struct kaudit_record *ar; 205 206 ar = currecord(); 207 if (ar == NULL) 208 return; 209 210 ar->k_ar.ar_arg_euid = euid; 211 ARG_SET_VALID(ar, ARG_EUID); 212 } 213 214 void 215 audit_arg_rgid(gid_t rgid) 216 { 217 struct kaudit_record *ar; 218 219 ar = currecord(); 220 if (ar == NULL) 221 return; 222 223 ar->k_ar.ar_arg_rgid = rgid; 224 ARG_SET_VALID(ar, ARG_RGID); 225 } 226 227 void 228 audit_arg_ruid(uid_t ruid) 229 { 230 struct kaudit_record *ar; 231 232 ar = currecord(); 233 if (ar == NULL) 234 return; 235 236 ar->k_ar.ar_arg_ruid = ruid; 237 ARG_SET_VALID(ar, ARG_RUID); 238 } 239 240 void 241 audit_arg_sgid(gid_t sgid) 242 { 243 struct kaudit_record *ar; 244 245 ar = currecord(); 246 if (ar == NULL) 247 return; 248 249 ar->k_ar.ar_arg_sgid = sgid; 250 ARG_SET_VALID(ar, ARG_SGID); 251 } 252 253 void 254 audit_arg_suid(uid_t suid) 255 { 256 struct kaudit_record *ar; 257 258 ar = currecord(); 259 if (ar == NULL) 260 return; 261 262 ar->k_ar.ar_arg_suid = suid; 263 ARG_SET_VALID(ar, ARG_SUID); 264 } 265 266 void 267 audit_arg_groupset(gid_t *gidset, u_int gidset_size) 268 { 269 u_int i; 270 struct kaudit_record *ar; 271 272 KASSERT(gidset_size <= ngroups_max + 1, 273 ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)")); 274 275 ar = currecord(); 276 if (ar == NULL) 277 return; 278 279 if (ar->k_ar.ar_arg_groups.gidset == NULL) 280 ar->k_ar.ar_arg_groups.gidset = malloc( 281 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK); 282 283 for (i = 0; i < gidset_size; i++) 284 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 285 ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 286 ARG_SET_VALID(ar, ARG_GROUPSET); 287 } 288 289 void 290 audit_arg_login(char *login) 291 { 292 struct kaudit_record *ar; 293 294 ar = currecord(); 295 if (ar == NULL) 296 return; 297 298 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 299 ARG_SET_VALID(ar, ARG_LOGIN); 300 } 301 302 void 303 audit_arg_ctlname(int *name, int namelen) 304 { 305 struct kaudit_record *ar; 306 307 ar = currecord(); 308 if (ar == NULL) 309 return; 310 311 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 312 ar->k_ar.ar_arg_len = namelen; 313 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 314 } 315 316 void 317 audit_arg_mask(int mask) 318 { 319 struct kaudit_record *ar; 320 321 ar = currecord(); 322 if (ar == NULL) 323 return; 324 325 ar->k_ar.ar_arg_mask = mask; 326 ARG_SET_VALID(ar, ARG_MASK); 327 } 328 329 void 330 audit_arg_mode(mode_t mode) 331 { 332 struct kaudit_record *ar; 333 334 ar = currecord(); 335 if (ar == NULL) 336 return; 337 338 ar->k_ar.ar_arg_mode = mode; 339 ARG_SET_VALID(ar, ARG_MODE); 340 } 341 342 void 343 audit_arg_dev(int dev) 344 { 345 struct kaudit_record *ar; 346 347 ar = currecord(); 348 if (ar == NULL) 349 return; 350 351 ar->k_ar.ar_arg_dev = dev; 352 ARG_SET_VALID(ar, ARG_DEV); 353 } 354 355 void 356 audit_arg_value(long value) 357 { 358 struct kaudit_record *ar; 359 360 ar = currecord(); 361 if (ar == NULL) 362 return; 363 364 ar->k_ar.ar_arg_value = value; 365 ARG_SET_VALID(ar, ARG_VALUE); 366 } 367 368 void 369 audit_arg_owner(uid_t uid, gid_t gid) 370 { 371 struct kaudit_record *ar; 372 373 ar = currecord(); 374 if (ar == NULL) 375 return; 376 377 ar->k_ar.ar_arg_uid = uid; 378 ar->k_ar.ar_arg_gid = gid; 379 ARG_SET_VALID(ar, ARG_UID | ARG_GID); 380 } 381 382 void 383 audit_arg_pid(pid_t pid) 384 { 385 struct kaudit_record *ar; 386 387 ar = currecord(); 388 if (ar == NULL) 389 return; 390 391 ar->k_ar.ar_arg_pid = pid; 392 ARG_SET_VALID(ar, ARG_PID); 393 } 394 395 void 396 audit_arg_process(struct proc *p) 397 { 398 struct kaudit_record *ar; 399 struct ucred *cred; 400 401 KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 402 403 PROC_LOCK_ASSERT(p, MA_OWNED); 404 405 ar = currecord(); 406 if (ar == NULL) 407 return; 408 409 cred = p->p_ucred; 410 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid; 411 ar->k_ar.ar_arg_euid = cred->cr_uid; 412 ar->k_ar.ar_arg_egid = cred->cr_groups[0]; 413 ar->k_ar.ar_arg_ruid = cred->cr_ruid; 414 ar->k_ar.ar_arg_rgid = cred->cr_rgid; 415 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid; 416 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid; 417 ar->k_ar.ar_arg_pid = p->p_pid; 418 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 419 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS); 420 } 421 422 void 423 audit_arg_signum(u_int signum) 424 { 425 struct kaudit_record *ar; 426 427 ar = currecord(); 428 if (ar == NULL) 429 return; 430 431 ar->k_ar.ar_arg_signum = signum; 432 ARG_SET_VALID(ar, ARG_SIGNUM); 433 } 434 435 void 436 audit_arg_socket(int sodomain, int sotype, int soprotocol) 437 { 438 struct kaudit_record *ar; 439 440 ar = currecord(); 441 if (ar == NULL) 442 return; 443 444 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 445 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 446 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 447 ARG_SET_VALID(ar, ARG_SOCKINFO); 448 } 449 450 void 451 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa) 452 { 453 struct kaudit_record *ar; 454 455 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 456 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 457 458 ar = currecord(); 459 if (ar == NULL) 460 return; 461 462 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 463 switch (sa->sa_family) { 464 case AF_INET: 465 ARG_SET_VALID(ar, ARG_SADDRINET); 466 break; 467 468 case AF_INET6: 469 ARG_SET_VALID(ar, ARG_SADDRINET6); 470 break; 471 472 case AF_UNIX: 473 if (dirfd != AT_FDCWD) 474 audit_arg_atfd1(dirfd); 475 audit_arg_upath1(td, dirfd, 476 ((struct sockaddr_un *)sa)->sun_path); 477 ARG_SET_VALID(ar, ARG_SADDRUNIX); 478 break; 479 /* XXXAUDIT: default:? */ 480 } 481 } 482 483 void 484 audit_arg_auid(uid_t auid) 485 { 486 struct kaudit_record *ar; 487 488 ar = currecord(); 489 if (ar == NULL) 490 return; 491 492 ar->k_ar.ar_arg_auid = auid; 493 ARG_SET_VALID(ar, ARG_AUID); 494 } 495 496 void 497 audit_arg_auditinfo(struct auditinfo *au_info) 498 { 499 struct kaudit_record *ar; 500 501 ar = currecord(); 502 if (ar == NULL) 503 return; 504 505 ar->k_ar.ar_arg_auid = au_info->ai_auid; 506 ar->k_ar.ar_arg_asid = au_info->ai_asid; 507 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 508 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 509 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 510 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 511 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 512 } 513 514 void 515 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info) 516 { 517 struct kaudit_record *ar; 518 519 ar = currecord(); 520 if (ar == NULL) 521 return; 522 523 ar->k_ar.ar_arg_auid = au_info->ai_auid; 524 ar->k_ar.ar_arg_asid = au_info->ai_asid; 525 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 526 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 527 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type; 528 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port; 529 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0]; 530 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1]; 531 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2]; 532 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3]; 533 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR); 534 } 535 536 void 537 audit_arg_text(const char *text) 538 { 539 struct kaudit_record *ar; 540 541 KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 542 543 ar = currecord(); 544 if (ar == NULL) 545 return; 546 547 /* Invalidate the text string */ 548 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 549 550 if (ar->k_ar.ar_arg_text == NULL) 551 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 552 M_WAITOK); 553 554 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 555 ARG_SET_VALID(ar, ARG_TEXT); 556 } 557 558 void 559 audit_arg_cmd(int cmd) 560 { 561 struct kaudit_record *ar; 562 563 ar = currecord(); 564 if (ar == NULL) 565 return; 566 567 ar->k_ar.ar_arg_cmd = cmd; 568 ARG_SET_VALID(ar, ARG_CMD); 569 } 570 571 void 572 audit_arg_svipc_cmd(int cmd) 573 { 574 struct kaudit_record *ar; 575 576 ar = currecord(); 577 if (ar == NULL) 578 return; 579 580 ar->k_ar.ar_arg_svipc_cmd = cmd; 581 ARG_SET_VALID(ar, ARG_SVIPC_CMD); 582 } 583 584 void 585 audit_arg_svipc_perm(struct ipc_perm *perm) 586 { 587 struct kaudit_record *ar; 588 589 ar = currecord(); 590 if (ar == NULL) 591 return; 592 593 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 594 sizeof(ar->k_ar.ar_arg_svipc_perm)); 595 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 596 } 597 598 void 599 audit_arg_svipc_id(int id) 600 { 601 struct kaudit_record *ar; 602 603 ar = currecord(); 604 if (ar == NULL) 605 return; 606 607 ar->k_ar.ar_arg_svipc_id = id; 608 ARG_SET_VALID(ar, ARG_SVIPC_ID); 609 } 610 611 void 612 audit_arg_svipc_addr(void * addr) 613 { 614 struct kaudit_record *ar; 615 616 ar = currecord(); 617 if (ar == NULL) 618 return; 619 620 ar->k_ar.ar_arg_svipc_addr = addr; 621 ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 622 } 623 624 void 625 audit_arg_svipc_which(int which) 626 { 627 struct kaudit_record *ar; 628 629 ar = currecord(); 630 if (ar == NULL) 631 return; 632 633 ar->k_ar.ar_arg_svipc_which = which; 634 ARG_SET_VALID(ar, ARG_SVIPC_WHICH); 635 } 636 637 void 638 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 639 { 640 struct kaudit_record *ar; 641 642 ar = currecord(); 643 if (ar == NULL) 644 return; 645 646 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 647 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 648 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 649 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 650 } 651 652 void 653 audit_arg_auditon(union auditon_udata *udata) 654 { 655 struct kaudit_record *ar; 656 657 ar = currecord(); 658 if (ar == NULL) 659 return; 660 661 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 662 sizeof(ar->k_ar.ar_arg_auditon)); 663 ARG_SET_VALID(ar, ARG_AUDITON); 664 } 665 666 /* 667 * Audit information about a file, either the file's vnode info, or its 668 * socket address info. 669 */ 670 void 671 audit_arg_file(struct proc *p, struct file *fp) 672 { 673 struct kaudit_record *ar; 674 struct socket *so; 675 struct inpcb *pcb; 676 struct vnode *vp; 677 678 ar = currecord(); 679 if (ar == NULL) 680 return; 681 682 switch (fp->f_type) { 683 case DTYPE_VNODE: 684 case DTYPE_FIFO: 685 /* 686 * XXXAUDIT: Only possibly to record as first vnode? 687 */ 688 vp = fp->f_vnode; 689 vn_lock(vp, LK_SHARED | LK_RETRY); 690 audit_arg_vnode1(vp); 691 VOP_UNLOCK(vp); 692 break; 693 694 case DTYPE_SOCKET: 695 so = (struct socket *)fp->f_data; 696 if (INP_CHECK_SOCKAF(so, PF_INET)) { 697 SOCK_LOCK(so); 698 ar->k_ar.ar_arg_sockinfo.so_type = 699 so->so_type; 700 ar->k_ar.ar_arg_sockinfo.so_domain = 701 INP_SOCKAF(so); 702 ar->k_ar.ar_arg_sockinfo.so_protocol = 703 so->so_proto->pr_protocol; 704 SOCK_UNLOCK(so); 705 pcb = (struct inpcb *)so->so_pcb; 706 INP_RLOCK(pcb); 707 ar->k_ar.ar_arg_sockinfo.so_raddr = 708 pcb->inp_faddr.s_addr; 709 ar->k_ar.ar_arg_sockinfo.so_laddr = 710 pcb->inp_laddr.s_addr; 711 ar->k_ar.ar_arg_sockinfo.so_rport = 712 pcb->inp_fport; 713 ar->k_ar.ar_arg_sockinfo.so_lport = 714 pcb->inp_lport; 715 INP_RUNLOCK(pcb); 716 ARG_SET_VALID(ar, ARG_SOCKINFO); 717 } 718 break; 719 720 default: 721 /* XXXAUDIT: else? */ 722 break; 723 } 724 } 725 726 /* 727 * Store a path as given by the user process for auditing into the audit 728 * record stored on the user thread. This function will allocate the memory 729 * to store the path info if not already available. This memory will be 730 * freed when the audit record is freed. The path is canonlicalised with 731 * respect to the thread and directory descriptor passed. 732 */ 733 static void 734 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp) 735 { 736 737 if (*pathp == NULL) 738 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 739 audit_canon_path(td, dirfd, upath, *pathp); 740 } 741 742 void 743 audit_arg_upath1(struct thread *td, int dirfd, char *upath) 744 { 745 struct kaudit_record *ar; 746 747 ar = currecord(); 748 if (ar == NULL) 749 return; 750 751 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1); 752 ARG_SET_VALID(ar, ARG_UPATH1); 753 } 754 755 void 756 audit_arg_upath2(struct thread *td, int dirfd, char *upath) 757 { 758 struct kaudit_record *ar; 759 760 ar = currecord(); 761 if (ar == NULL) 762 return; 763 764 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2); 765 ARG_SET_VALID(ar, ARG_UPATH2); 766 } 767 768 static void 769 audit_arg_upath_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 770 char *upath, char **pathp) 771 { 772 773 if (*pathp == NULL) 774 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 775 audit_canon_path_vp(td, rdir, cdir, upath, *pathp); 776 } 777 778 void 779 audit_arg_upath1_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 780 char *upath) 781 { 782 struct kaudit_record *ar; 783 784 ar = currecord(); 785 if (ar == NULL) 786 return; 787 788 audit_arg_upath_vp(td, rdir, cdir, upath, &ar->k_ar.ar_arg_upath1); 789 ARG_SET_VALID(ar, ARG_UPATH1); 790 } 791 792 void 793 audit_arg_upath2_vp(struct thread *td, struct vnode *rdir, struct vnode *cdir, 794 char *upath) 795 { 796 struct kaudit_record *ar; 797 798 ar = currecord(); 799 if (ar == NULL) 800 return; 801 802 audit_arg_upath_vp(td, rdir, cdir, upath, &ar->k_ar.ar_arg_upath2); 803 ARG_SET_VALID(ar, ARG_UPATH2); 804 } 805 806 /* 807 * Variants on path auditing that do not canonicalise the path passed in; 808 * these are for use with filesystem-like subsystems that employ string names, 809 * but do not support a hierarchical namespace -- for example, POSIX IPC 810 * objects. The subsystem should have performed any necessary 811 * canonicalisation required to make the paths useful to audit analysis. 812 */ 813 static void 814 audit_arg_upath_canon(char *upath, char **pathp) 815 { 816 817 if (*pathp == NULL) 818 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 819 (void)snprintf(*pathp, MAXPATHLEN, "%s", upath); 820 } 821 822 void 823 audit_arg_upath1_canon(char *upath) 824 { 825 struct kaudit_record *ar; 826 827 ar = currecord(); 828 if (ar == NULL) 829 return; 830 831 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1); 832 ARG_SET_VALID(ar, ARG_UPATH1); 833 } 834 835 void 836 audit_arg_upath2_canon(char *upath) 837 { 838 struct kaudit_record *ar; 839 840 ar = currecord(); 841 if (ar == NULL) 842 return; 843 844 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2); 845 ARG_SET_VALID(ar, ARG_UPATH2); 846 } 847 848 /* 849 * Function to save the path and vnode attr information into the audit 850 * record. 851 * 852 * It is assumed that the caller will hold any vnode locks necessary to 853 * perform a VOP_GETATTR() on the passed vnode. 854 * 855 * XXX: The attr code is very similar to vfs_default.c:vop_stdstat(), but always 856 * provides access to the generation number as we need that to construct the 857 * BSM file ID. 858 * 859 * XXX: We should accept the process argument from the caller, since it's 860 * very likely they already have a reference. 861 * 862 * XXX: Error handling in this function is poor. 863 * 864 * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 865 */ 866 static int 867 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp) 868 { 869 struct vattr vattr; 870 int error; 871 872 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 873 874 VATTR_NULL(&vattr); 875 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred); 876 if (error) { 877 /* XXX: How to handle this case? */ 878 return (error); 879 } 880 881 vnp->vn_mode = vattr.va_mode; 882 vnp->vn_uid = vattr.va_uid; 883 vnp->vn_gid = vattr.va_gid; 884 vnp->vn_dev = vattr.va_rdev; 885 vnp->vn_fsid = vattr.va_fsid; 886 vnp->vn_fileid = vattr.va_fileid; 887 vnp->vn_gen = vattr.va_gen; 888 return (0); 889 } 890 891 void 892 audit_arg_vnode1(struct vnode *vp) 893 { 894 struct kaudit_record *ar; 895 int error; 896 897 ar = currecord(); 898 if (ar == NULL) 899 return; 900 901 ARG_CLEAR_VALID(ar, ARG_VNODE1); 902 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1); 903 if (error == 0) 904 ARG_SET_VALID(ar, ARG_VNODE1); 905 } 906 907 void 908 audit_arg_vnode2(struct vnode *vp) 909 { 910 struct kaudit_record *ar; 911 int error; 912 913 ar = currecord(); 914 if (ar == NULL) 915 return; 916 917 ARG_CLEAR_VALID(ar, ARG_VNODE2); 918 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2); 919 if (error == 0) 920 ARG_SET_VALID(ar, ARG_VNODE2); 921 } 922 923 /* 924 * Audit the argument strings passed to exec. 925 */ 926 void 927 audit_arg_argv(char *argv, int argc, int length) 928 { 929 struct kaudit_record *ar; 930 931 if (audit_argv == 0) 932 return; 933 934 ar = currecord(); 935 if (ar == NULL) 936 return; 937 938 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 939 bcopy(argv, ar->k_ar.ar_arg_argv, length); 940 ar->k_ar.ar_arg_argc = argc; 941 ARG_SET_VALID(ar, ARG_ARGV); 942 } 943 944 /* 945 * Audit the environment strings passed to exec. 946 */ 947 void 948 audit_arg_envv(char *envv, int envc, int length) 949 { 950 struct kaudit_record *ar; 951 952 if (audit_arge == 0) 953 return; 954 955 ar = currecord(); 956 if (ar == NULL) 957 return; 958 959 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 960 bcopy(envv, ar->k_ar.ar_arg_envv, length); 961 ar->k_ar.ar_arg_envc = envc; 962 ARG_SET_VALID(ar, ARG_ENVV); 963 } 964 965 void 966 audit_arg_rights(cap_rights_t *rightsp) 967 { 968 struct kaudit_record *ar; 969 970 ar = currecord(); 971 if (ar == NULL) 972 return; 973 974 ar->k_ar.ar_arg_rights = *rightsp; 975 ARG_SET_VALID(ar, ARG_RIGHTS); 976 } 977 978 void 979 audit_arg_fcntl_rights(uint32_t fcntlrights) 980 { 981 struct kaudit_record *ar; 982 983 ar = currecord(); 984 if (ar == NULL) 985 return; 986 987 ar->k_ar.ar_arg_fcntl_rights = fcntlrights; 988 ARG_SET_VALID(ar, ARG_FCNTL_RIGHTS); 989 } 990 991 /* 992 * The close() system call uses it's own audit call to capture the path/vnode 993 * information because those pieces are not easily obtained within the system 994 * call itself. 995 */ 996 void 997 audit_sysclose(struct thread *td, int fd, struct file *fp) 998 { 999 struct kaudit_record *ar; 1000 struct vnode *vp; 1001 1002 KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 1003 1004 ar = currecord(); 1005 if (ar == NULL) 1006 return; 1007 1008 audit_arg_fd(fd); 1009 1010 vp = fp->f_vnode; 1011 if (vp == NULL) 1012 return; 1013 vn_lock(vp, LK_SHARED | LK_RETRY); 1014 audit_arg_vnode1(vp); 1015 VOP_UNLOCK(vp); 1016 } 1017