xref: /freebsd/sys/security/audit/audit_arg.c (revision 8d20be1e22095c27faf8fe8b2f0d089739cc742e)
1 /*-
2  * Copyright (c) 1999-2005 Apple Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/param.h>
34 #include <sys/filedesc.h>
35 #include <sys/ipc.h>
36 #include <sys/mount.h>
37 #include <sys/proc.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/protosw.h>
41 #include <sys/domain.h>
42 #include <sys/sbuf.h>
43 #include <sys/systm.h>
44 #include <sys/un.h>
45 #include <sys/vnode.h>
46 
47 #include <netinet/in.h>
48 #include <netinet/in_pcb.h>
49 
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52 
53 /*
54  * Calls to manipulate elements of the audit record structure from system
55  * call code.  Macro wrappers will prevent this functions from being entered
56  * if auditing is disabled, avoiding the function call cost.  We check the
57  * thread audit record pointer anyway, as the audit condition could change,
58  * and pre-selection may not have allocated an audit record for this event.
59  *
60  * XXXAUDIT: Should we assert, in each case, that this field of the record
61  * hasn't already been filled in?
62  */
63 void
64 audit_arg_addr(void *addr)
65 {
66 	struct kaudit_record *ar;
67 
68 	ar = currecord();
69 	if (ar == NULL)
70 		return;
71 
72 	ar->k_ar.ar_arg_addr = addr;
73 	ARG_SET_VALID(ar, ARG_ADDR);
74 }
75 
76 void
77 audit_arg_exit(int status, int retval)
78 {
79 	struct kaudit_record *ar;
80 
81 	ar = currecord();
82 	if (ar == NULL)
83 		return;
84 
85 	ar->k_ar.ar_arg_exitstatus = status;
86 	ar->k_ar.ar_arg_exitretval = retval;
87 	ARG_SET_VALID(ar, ARG_EXIT);
88 }
89 
90 void
91 audit_arg_len(int len)
92 {
93 	struct kaudit_record *ar;
94 
95 	ar = currecord();
96 	if (ar == NULL)
97 		return;
98 
99 	ar->k_ar.ar_arg_len = len;
100 	ARG_SET_VALID(ar, ARG_LEN);
101 }
102 
103 void
104 audit_arg_atfd1(int atfd)
105 {
106 	struct kaudit_record *ar;
107 
108 	ar = currecord();
109 	if (ar == NULL)
110 		return;
111 
112 	ar->k_ar.ar_arg_atfd1 = atfd;
113 	ARG_SET_VALID(ar, ARG_ATFD1);
114 }
115 
116 void
117 audit_arg_atfd2(int atfd)
118 {
119 	struct kaudit_record *ar;
120 
121 	ar = currecord();
122 	if (ar == NULL)
123 		return;
124 
125 	ar->k_ar.ar_arg_atfd2 = atfd;
126 	ARG_SET_VALID(ar, ARG_ATFD2);
127 }
128 
129 void
130 audit_arg_fd(int fd)
131 {
132 	struct kaudit_record *ar;
133 
134 	ar = currecord();
135 	if (ar == NULL)
136 		return;
137 
138 	ar->k_ar.ar_arg_fd = fd;
139 	ARG_SET_VALID(ar, ARG_FD);
140 }
141 
142 void
143 audit_arg_fflags(int fflags)
144 {
145 	struct kaudit_record *ar;
146 
147 	ar = currecord();
148 	if (ar == NULL)
149 		return;
150 
151 	ar->k_ar.ar_arg_fflags = fflags;
152 	ARG_SET_VALID(ar, ARG_FFLAGS);
153 }
154 
155 void
156 audit_arg_gid(gid_t gid)
157 {
158 	struct kaudit_record *ar;
159 
160 	ar = currecord();
161 	if (ar == NULL)
162 		return;
163 
164 	ar->k_ar.ar_arg_gid = gid;
165 	ARG_SET_VALID(ar, ARG_GID);
166 }
167 
168 void
169 audit_arg_uid(uid_t uid)
170 {
171 	struct kaudit_record *ar;
172 
173 	ar = currecord();
174 	if (ar == NULL)
175 		return;
176 
177 	ar->k_ar.ar_arg_uid = uid;
178 	ARG_SET_VALID(ar, ARG_UID);
179 }
180 
181 void
182 audit_arg_egid(gid_t egid)
183 {
184 	struct kaudit_record *ar;
185 
186 	ar = currecord();
187 	if (ar == NULL)
188 		return;
189 
190 	ar->k_ar.ar_arg_egid = egid;
191 	ARG_SET_VALID(ar, ARG_EGID);
192 }
193 
194 void
195 audit_arg_euid(uid_t euid)
196 {
197 	struct kaudit_record *ar;
198 
199 	ar = currecord();
200 	if (ar == NULL)
201 		return;
202 
203 	ar->k_ar.ar_arg_euid = euid;
204 	ARG_SET_VALID(ar, ARG_EUID);
205 }
206 
207 void
208 audit_arg_rgid(gid_t rgid)
209 {
210 	struct kaudit_record *ar;
211 
212 	ar = currecord();
213 	if (ar == NULL)
214 		return;
215 
216 	ar->k_ar.ar_arg_rgid = rgid;
217 	ARG_SET_VALID(ar, ARG_RGID);
218 }
219 
220 void
221 audit_arg_ruid(uid_t ruid)
222 {
223 	struct kaudit_record *ar;
224 
225 	ar = currecord();
226 	if (ar == NULL)
227 		return;
228 
229 	ar->k_ar.ar_arg_ruid = ruid;
230 	ARG_SET_VALID(ar, ARG_RUID);
231 }
232 
233 void
234 audit_arg_sgid(gid_t sgid)
235 {
236 	struct kaudit_record *ar;
237 
238 	ar = currecord();
239 	if (ar == NULL)
240 		return;
241 
242 	ar->k_ar.ar_arg_sgid = sgid;
243 	ARG_SET_VALID(ar, ARG_SGID);
244 }
245 
246 void
247 audit_arg_suid(uid_t suid)
248 {
249 	struct kaudit_record *ar;
250 
251 	ar = currecord();
252 	if (ar == NULL)
253 		return;
254 
255 	ar->k_ar.ar_arg_suid = suid;
256 	ARG_SET_VALID(ar, ARG_SUID);
257 }
258 
259 void
260 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
261 {
262 	u_int i;
263 	struct kaudit_record *ar;
264 
265 	KASSERT(gidset_size <= ngroups_max + 1,
266 	    ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));
267 
268 	ar = currecord();
269 	if (ar == NULL)
270 		return;
271 
272 	if (ar->k_ar.ar_arg_groups.gidset == NULL)
273 		ar->k_ar.ar_arg_groups.gidset = malloc(
274 		    sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK);
275 
276 	for (i = 0; i < gidset_size; i++)
277 		ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
278 	ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
279 	ARG_SET_VALID(ar, ARG_GROUPSET);
280 }
281 
282 void
283 audit_arg_login(char *login)
284 {
285 	struct kaudit_record *ar;
286 
287 	ar = currecord();
288 	if (ar == NULL)
289 		return;
290 
291 	strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
292 	ARG_SET_VALID(ar, ARG_LOGIN);
293 }
294 
295 void
296 audit_arg_ctlname(int *name, int namelen)
297 {
298 	struct kaudit_record *ar;
299 
300 	ar = currecord();
301 	if (ar == NULL)
302 		return;
303 
304 	bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
305 	ar->k_ar.ar_arg_len = namelen;
306 	ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
307 }
308 
309 void
310 audit_arg_mask(int mask)
311 {
312 	struct kaudit_record *ar;
313 
314 	ar = currecord();
315 	if (ar == NULL)
316 		return;
317 
318 	ar->k_ar.ar_arg_mask = mask;
319 	ARG_SET_VALID(ar, ARG_MASK);
320 }
321 
322 void
323 audit_arg_mode(mode_t mode)
324 {
325 	struct kaudit_record *ar;
326 
327 	ar = currecord();
328 	if (ar == NULL)
329 		return;
330 
331 	ar->k_ar.ar_arg_mode = mode;
332 	ARG_SET_VALID(ar, ARG_MODE);
333 }
334 
335 void
336 audit_arg_dev(int dev)
337 {
338 	struct kaudit_record *ar;
339 
340 	ar = currecord();
341 	if (ar == NULL)
342 		return;
343 
344 	ar->k_ar.ar_arg_dev = dev;
345 	ARG_SET_VALID(ar, ARG_DEV);
346 }
347 
348 void
349 audit_arg_value(long value)
350 {
351 	struct kaudit_record *ar;
352 
353 	ar = currecord();
354 	if (ar == NULL)
355 		return;
356 
357 	ar->k_ar.ar_arg_value = value;
358 	ARG_SET_VALID(ar, ARG_VALUE);
359 }
360 
361 void
362 audit_arg_owner(uid_t uid, gid_t gid)
363 {
364 	struct kaudit_record *ar;
365 
366 	ar = currecord();
367 	if (ar == NULL)
368 		return;
369 
370 	ar->k_ar.ar_arg_uid = uid;
371 	ar->k_ar.ar_arg_gid = gid;
372 	ARG_SET_VALID(ar, ARG_UID | ARG_GID);
373 }
374 
375 void
376 audit_arg_pid(pid_t pid)
377 {
378 	struct kaudit_record *ar;
379 
380 	ar = currecord();
381 	if (ar == NULL)
382 		return;
383 
384 	ar->k_ar.ar_arg_pid = pid;
385 	ARG_SET_VALID(ar, ARG_PID);
386 }
387 
388 void
389 audit_arg_process(struct proc *p)
390 {
391 	struct kaudit_record *ar;
392 	struct ucred *cred;
393 
394 	KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
395 
396 	PROC_LOCK_ASSERT(p, MA_OWNED);
397 
398 	ar = currecord();
399 	if (ar == NULL)
400 		return;
401 
402 	cred = p->p_ucred;
403 	ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
404 	ar->k_ar.ar_arg_euid = cred->cr_uid;
405 	ar->k_ar.ar_arg_egid = cred->cr_groups[0];
406 	ar->k_ar.ar_arg_ruid = cred->cr_ruid;
407 	ar->k_ar.ar_arg_rgid = cred->cr_rgid;
408 	ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
409 	ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
410 	ar->k_ar.ar_arg_pid = p->p_pid;
411 	ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
412 	    ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
413 }
414 
415 void
416 audit_arg_signum(u_int signum)
417 {
418 	struct kaudit_record *ar;
419 
420 	ar = currecord();
421 	if (ar == NULL)
422 		return;
423 
424 	ar->k_ar.ar_arg_signum = signum;
425 	ARG_SET_VALID(ar, ARG_SIGNUM);
426 }
427 
428 void
429 audit_arg_socket(int sodomain, int sotype, int soprotocol)
430 {
431 	struct kaudit_record *ar;
432 
433 	ar = currecord();
434 	if (ar == NULL)
435 		return;
436 
437 	ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
438 	ar->k_ar.ar_arg_sockinfo.so_type = sotype;
439 	ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
440 	ARG_SET_VALID(ar, ARG_SOCKINFO);
441 }
442 
443 void
444 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa)
445 {
446 	struct kaudit_record *ar;
447 
448 	KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
449 	KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
450 
451 	ar = currecord();
452 	if (ar == NULL)
453 		return;
454 
455 	bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
456 	switch (sa->sa_family) {
457 	case AF_INET:
458 		ARG_SET_VALID(ar, ARG_SADDRINET);
459 		break;
460 
461 	case AF_INET6:
462 		ARG_SET_VALID(ar, ARG_SADDRINET6);
463 		break;
464 
465 	case AF_UNIX:
466 		if (dirfd != AT_FDCWD)
467 			audit_arg_atfd1(dirfd);
468 		audit_arg_upath1(td, dirfd,
469 		    ((struct sockaddr_un *)sa)->sun_path);
470 		ARG_SET_VALID(ar, ARG_SADDRUNIX);
471 		break;
472 	/* XXXAUDIT: default:? */
473 	}
474 }
475 
476 void
477 audit_arg_auid(uid_t auid)
478 {
479 	struct kaudit_record *ar;
480 
481 	ar = currecord();
482 	if (ar == NULL)
483 		return;
484 
485 	ar->k_ar.ar_arg_auid = auid;
486 	ARG_SET_VALID(ar, ARG_AUID);
487 }
488 
489 void
490 audit_arg_auditinfo(struct auditinfo *au_info)
491 {
492 	struct kaudit_record *ar;
493 
494 	ar = currecord();
495 	if (ar == NULL)
496 		return;
497 
498 	ar->k_ar.ar_arg_auid = au_info->ai_auid;
499 	ar->k_ar.ar_arg_asid = au_info->ai_asid;
500 	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
501 	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
502 	ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
503 	ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
504 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
505 }
506 
507 void
508 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
509 {
510 	struct kaudit_record *ar;
511 
512 	ar = currecord();
513 	if (ar == NULL)
514 		return;
515 
516 	ar->k_ar.ar_arg_auid = au_info->ai_auid;
517 	ar->k_ar.ar_arg_asid = au_info->ai_asid;
518 	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
519 	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
520 	ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
521 	ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
522 	ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
523 	ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
524 	ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
525 	ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
526 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
527 }
528 
529 void
530 audit_arg_text(char *text)
531 {
532 	struct kaudit_record *ar;
533 
534 	KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
535 
536 	ar = currecord();
537 	if (ar == NULL)
538 		return;
539 
540 	/* Invalidate the text string */
541 	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
542 
543 	if (ar->k_ar.ar_arg_text == NULL)
544 		ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
545 		    M_WAITOK);
546 
547 	strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
548 	ARG_SET_VALID(ar, ARG_TEXT);
549 }
550 
551 void
552 audit_arg_cmd(int cmd)
553 {
554 	struct kaudit_record *ar;
555 
556 	ar = currecord();
557 	if (ar == NULL)
558 		return;
559 
560 	ar->k_ar.ar_arg_cmd = cmd;
561 	ARG_SET_VALID(ar, ARG_CMD);
562 }
563 
564 void
565 audit_arg_svipc_cmd(int cmd)
566 {
567 	struct kaudit_record *ar;
568 
569 	ar = currecord();
570 	if (ar == NULL)
571 		return;
572 
573 	ar->k_ar.ar_arg_svipc_cmd = cmd;
574 	ARG_SET_VALID(ar, ARG_SVIPC_CMD);
575 }
576 
577 void
578 audit_arg_svipc_perm(struct ipc_perm *perm)
579 {
580 	struct kaudit_record *ar;
581 
582 	ar = currecord();
583 	if (ar == NULL)
584 		return;
585 
586 	bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
587 	    sizeof(ar->k_ar.ar_arg_svipc_perm));
588 	ARG_SET_VALID(ar, ARG_SVIPC_PERM);
589 }
590 
591 void
592 audit_arg_svipc_id(int id)
593 {
594 	struct kaudit_record *ar;
595 
596 	ar = currecord();
597 	if (ar == NULL)
598 		return;
599 
600 	ar->k_ar.ar_arg_svipc_id = id;
601 	ARG_SET_VALID(ar, ARG_SVIPC_ID);
602 }
603 
604 void
605 audit_arg_svipc_addr(void * addr)
606 {
607 	struct kaudit_record *ar;
608 
609 	ar = currecord();
610 	if (ar == NULL)
611 		return;
612 
613 	ar->k_ar.ar_arg_svipc_addr = addr;
614 	ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
615 }
616 
617 void
618 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
619 {
620 	struct kaudit_record *ar;
621 
622 	ar = currecord();
623 	if (ar == NULL)
624 		return;
625 
626 	ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
627 	ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
628 	ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
629 	ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
630 }
631 
632 void
633 audit_arg_auditon(union auditon_udata *udata)
634 {
635 	struct kaudit_record *ar;
636 
637 	ar = currecord();
638 	if (ar == NULL)
639 		return;
640 
641 	bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
642 	    sizeof(ar->k_ar.ar_arg_auditon));
643 	ARG_SET_VALID(ar, ARG_AUDITON);
644 }
645 
646 /*
647  * Audit information about a file, either the file's vnode info, or its
648  * socket address info.
649  */
650 void
651 audit_arg_file(struct proc *p, struct file *fp)
652 {
653 	struct kaudit_record *ar;
654 	struct socket *so;
655 	struct inpcb *pcb;
656 	struct vnode *vp;
657 
658 	ar = currecord();
659 	if (ar == NULL)
660 		return;
661 
662 	switch (fp->f_type) {
663 	case DTYPE_VNODE:
664 	case DTYPE_FIFO:
665 		/*
666 		 * XXXAUDIT: Only possibly to record as first vnode?
667 		 */
668 		vp = fp->f_vnode;
669 		vn_lock(vp, LK_SHARED | LK_RETRY);
670 		audit_arg_vnode1(vp);
671 		VOP_UNLOCK(vp, 0);
672 		break;
673 
674 	case DTYPE_SOCKET:
675 		so = (struct socket *)fp->f_data;
676 		if (INP_CHECK_SOCKAF(so, PF_INET)) {
677 			SOCK_LOCK(so);
678 			ar->k_ar.ar_arg_sockinfo.so_type =
679 			    so->so_type;
680 			ar->k_ar.ar_arg_sockinfo.so_domain =
681 			    INP_SOCKAF(so);
682 			ar->k_ar.ar_arg_sockinfo.so_protocol =
683 			    so->so_proto->pr_protocol;
684 			SOCK_UNLOCK(so);
685 			pcb = (struct inpcb *)so->so_pcb;
686 			INP_RLOCK(pcb);
687 			ar->k_ar.ar_arg_sockinfo.so_raddr =
688 			    pcb->inp_faddr.s_addr;
689 			ar->k_ar.ar_arg_sockinfo.so_laddr =
690 			    pcb->inp_laddr.s_addr;
691 			ar->k_ar.ar_arg_sockinfo.so_rport =
692 			    pcb->inp_fport;
693 			ar->k_ar.ar_arg_sockinfo.so_lport =
694 			    pcb->inp_lport;
695 			INP_RUNLOCK(pcb);
696 			ARG_SET_VALID(ar, ARG_SOCKINFO);
697 		}
698 		break;
699 
700 	default:
701 		/* XXXAUDIT: else? */
702 		break;
703 	}
704 }
705 
706 /*
707  * Store a path as given by the user process for auditing into the audit
708  * record stored on the user thread.  This function will allocate the memory
709  * to store the path info if not already available.  This memory will be
710  * freed when the audit record is freed.
711  */
712 static void
713 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp)
714 {
715 
716 	if (*pathp == NULL)
717 		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
718 	audit_canon_path(td, dirfd, upath, *pathp);
719 }
720 
721 void
722 audit_arg_upath1(struct thread *td, int dirfd, char *upath)
723 {
724 	struct kaudit_record *ar;
725 
726 	ar = currecord();
727 	if (ar == NULL)
728 		return;
729 
730 	audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1);
731 	ARG_SET_VALID(ar, ARG_UPATH1);
732 }
733 
734 void
735 audit_arg_upath2(struct thread *td, int dirfd, char *upath)
736 {
737 	struct kaudit_record *ar;
738 
739 	ar = currecord();
740 	if (ar == NULL)
741 		return;
742 
743 	audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2);
744 	ARG_SET_VALID(ar, ARG_UPATH2);
745 }
746 
747 /*
748  * Function to save the path and vnode attr information into the audit
749  * record.
750  *
751  * It is assumed that the caller will hold any vnode locks necessary to
752  * perform a VOP_GETATTR() on the passed vnode.
753  *
754  * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
755  * provides access to the generation number as we need that to construct the
756  * BSM file ID.
757  *
758  * XXX: We should accept the process argument from the caller, since it's
759  * very likely they already have a reference.
760  *
761  * XXX: Error handling in this function is poor.
762  *
763  * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
764  */
765 static int
766 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp)
767 {
768 	struct vattr vattr;
769 	int error;
770 
771 	ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
772 
773 	error = VOP_GETATTR(vp, &vattr, curthread->td_ucred);
774 	if (error) {
775 		/* XXX: How to handle this case? */
776 		return (error);
777 	}
778 
779 	vnp->vn_mode = vattr.va_mode;
780 	vnp->vn_uid = vattr.va_uid;
781 	vnp->vn_gid = vattr.va_gid;
782 	vnp->vn_dev = vattr.va_rdev;
783 	vnp->vn_fsid = vattr.va_fsid;
784 	vnp->vn_fileid = vattr.va_fileid;
785 	vnp->vn_gen = vattr.va_gen;
786 	return (0);
787 }
788 
789 void
790 audit_arg_vnode1(struct vnode *vp)
791 {
792 	struct kaudit_record *ar;
793 	int error;
794 
795 	ar = currecord();
796 	if (ar == NULL)
797 		return;
798 
799 	ARG_CLEAR_VALID(ar, ARG_VNODE1);
800 	error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1);
801 	if (error == 0)
802 		ARG_SET_VALID(ar, ARG_VNODE1);
803 }
804 
805 void
806 audit_arg_vnode2(struct vnode *vp)
807 {
808 	struct kaudit_record *ar;
809 	int error;
810 
811 	ar = currecord();
812 	if (ar == NULL)
813 		return;
814 
815 	ARG_CLEAR_VALID(ar, ARG_VNODE2);
816 	error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2);
817 	if (error == 0)
818 		ARG_SET_VALID(ar, ARG_VNODE2);
819 }
820 
821 /*
822  * Audit the argument strings passed to exec.
823  */
824 void
825 audit_arg_argv(char *argv, int argc, int length)
826 {
827 	struct kaudit_record *ar;
828 
829 	if (audit_argv == 0)
830 		return;
831 
832 	ar = currecord();
833 	if (ar == NULL)
834 		return;
835 
836 	ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
837 	bcopy(argv, ar->k_ar.ar_arg_argv, length);
838 	ar->k_ar.ar_arg_argc = argc;
839 	ARG_SET_VALID(ar, ARG_ARGV);
840 }
841 
842 /*
843  * Audit the environment strings passed to exec.
844  */
845 void
846 audit_arg_envv(char *envv, int envc, int length)
847 {
848 	struct kaudit_record *ar;
849 
850 	if (audit_arge == 0)
851 		return;
852 
853 	ar = currecord();
854 	if (ar == NULL)
855 		return;
856 
857 	ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
858 	bcopy(envv, ar->k_ar.ar_arg_envv, length);
859 	ar->k_ar.ar_arg_envc = envc;
860 	ARG_SET_VALID(ar, ARG_ENVV);
861 }
862 
863 void
864 audit_arg_rights(cap_rights_t *rightsp)
865 {
866 	struct kaudit_record *ar;
867 
868 	ar = currecord();
869 	if (ar == NULL)
870 		return;
871 
872 	ar->k_ar.ar_arg_rights = *rightsp;
873 	ARG_SET_VALID(ar, ARG_RIGHTS);
874 }
875 
876 void
877 audit_arg_fcntl_rights(uint32_t fcntlrights)
878 {
879 	struct kaudit_record *ar;
880 
881 	ar = currecord();
882 	if (ar == NULL)
883 		return;
884 
885 	ar->k_ar.ar_arg_fcntl_rights = fcntlrights;
886 	ARG_SET_VALID(ar, ARG_FCNTL_RIGHTS);
887 }
888 
889 /*
890  * The close() system call uses it's own audit call to capture the path/vnode
891  * information because those pieces are not easily obtained within the system
892  * call itself.
893  */
894 void
895 audit_sysclose(struct thread *td, int fd)
896 {
897 	struct kaudit_record *ar;
898 	struct vnode *vp;
899 	struct file *fp;
900 
901 	KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
902 
903 	ar = currecord();
904 	if (ar == NULL)
905 		return;
906 
907 	audit_arg_fd(fd);
908 
909 	if (getvnode(td->td_proc->p_fd, fd, 0, &fp) != 0)
910 		return;
911 
912 	vp = fp->f_vnode;
913 	vn_lock(vp, LK_SHARED | LK_RETRY);
914 	audit_arg_vnode1(vp);
915 	VOP_UNLOCK(vp, 0);
916 	fdrop(fp, td);
917 }
918