1 /*- 2 * Copyright (c) 1999-2005 Apple Inc. 3 * Copyright (c) 2016-2017 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Portions of this software were developed by BAE Systems, the University of 7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 9 * Computing (TC) research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/filedesc.h> 41 #include <sys/capsicum.h> 42 #include <sys/ipc.h> 43 #include <sys/mount.h> 44 #include <sys/proc.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/protosw.h> 48 #include <sys/domain.h> 49 #include <sys/sbuf.h> 50 #include <sys/systm.h> 51 #include <sys/un.h> 52 #include <sys/vnode.h> 53 54 #include <netinet/in.h> 55 #include <netinet/in_pcb.h> 56 57 #include <security/audit/audit.h> 58 #include <security/audit/audit_private.h> 59 60 /* 61 * Calls to manipulate elements of the audit record structure from system 62 * call code. Macro wrappers will prevent this functions from being entered 63 * if auditing is disabled, avoiding the function call cost. We check the 64 * thread audit record pointer anyway, as the audit condition could change, 65 * and pre-selection may not have allocated an audit record for this event. 66 * 67 * XXXAUDIT: Should we assert, in each case, that this field of the record 68 * hasn't already been filled in? 69 */ 70 void 71 audit_arg_addr(void *addr) 72 { 73 struct kaudit_record *ar; 74 75 ar = currecord(); 76 if (ar == NULL) 77 return; 78 79 ar->k_ar.ar_arg_addr = addr; 80 ARG_SET_VALID(ar, ARG_ADDR); 81 } 82 83 void 84 audit_arg_exit(int status, int retval) 85 { 86 struct kaudit_record *ar; 87 88 ar = currecord(); 89 if (ar == NULL) 90 return; 91 92 ar->k_ar.ar_arg_exitstatus = status; 93 ar->k_ar.ar_arg_exitretval = retval; 94 ARG_SET_VALID(ar, ARG_EXIT); 95 } 96 97 void 98 audit_arg_len(int len) 99 { 100 struct kaudit_record *ar; 101 102 ar = currecord(); 103 if (ar == NULL) 104 return; 105 106 ar->k_ar.ar_arg_len = len; 107 ARG_SET_VALID(ar, ARG_LEN); 108 } 109 110 void 111 audit_arg_atfd1(int atfd) 112 { 113 struct kaudit_record *ar; 114 115 ar = currecord(); 116 if (ar == NULL) 117 return; 118 119 ar->k_ar.ar_arg_atfd1 = atfd; 120 ARG_SET_VALID(ar, ARG_ATFD1); 121 } 122 123 void 124 audit_arg_atfd2(int atfd) 125 { 126 struct kaudit_record *ar; 127 128 ar = currecord(); 129 if (ar == NULL) 130 return; 131 132 ar->k_ar.ar_arg_atfd2 = atfd; 133 ARG_SET_VALID(ar, ARG_ATFD2); 134 } 135 136 void 137 audit_arg_fd(int fd) 138 { 139 struct kaudit_record *ar; 140 141 ar = currecord(); 142 if (ar == NULL) 143 return; 144 145 ar->k_ar.ar_arg_fd = fd; 146 ARG_SET_VALID(ar, ARG_FD); 147 } 148 149 void 150 audit_arg_fflags(int fflags) 151 { 152 struct kaudit_record *ar; 153 154 ar = currecord(); 155 if (ar == NULL) 156 return; 157 158 ar->k_ar.ar_arg_fflags = fflags; 159 ARG_SET_VALID(ar, ARG_FFLAGS); 160 } 161 162 void 163 audit_arg_gid(gid_t gid) 164 { 165 struct kaudit_record *ar; 166 167 ar = currecord(); 168 if (ar == NULL) 169 return; 170 171 ar->k_ar.ar_arg_gid = gid; 172 ARG_SET_VALID(ar, ARG_GID); 173 } 174 175 void 176 audit_arg_uid(uid_t uid) 177 { 178 struct kaudit_record *ar; 179 180 ar = currecord(); 181 if (ar == NULL) 182 return; 183 184 ar->k_ar.ar_arg_uid = uid; 185 ARG_SET_VALID(ar, ARG_UID); 186 } 187 188 void 189 audit_arg_egid(gid_t egid) 190 { 191 struct kaudit_record *ar; 192 193 ar = currecord(); 194 if (ar == NULL) 195 return; 196 197 ar->k_ar.ar_arg_egid = egid; 198 ARG_SET_VALID(ar, ARG_EGID); 199 } 200 201 void 202 audit_arg_euid(uid_t euid) 203 { 204 struct kaudit_record *ar; 205 206 ar = currecord(); 207 if (ar == NULL) 208 return; 209 210 ar->k_ar.ar_arg_euid = euid; 211 ARG_SET_VALID(ar, ARG_EUID); 212 } 213 214 void 215 audit_arg_rgid(gid_t rgid) 216 { 217 struct kaudit_record *ar; 218 219 ar = currecord(); 220 if (ar == NULL) 221 return; 222 223 ar->k_ar.ar_arg_rgid = rgid; 224 ARG_SET_VALID(ar, ARG_RGID); 225 } 226 227 void 228 audit_arg_ruid(uid_t ruid) 229 { 230 struct kaudit_record *ar; 231 232 ar = currecord(); 233 if (ar == NULL) 234 return; 235 236 ar->k_ar.ar_arg_ruid = ruid; 237 ARG_SET_VALID(ar, ARG_RUID); 238 } 239 240 void 241 audit_arg_sgid(gid_t sgid) 242 { 243 struct kaudit_record *ar; 244 245 ar = currecord(); 246 if (ar == NULL) 247 return; 248 249 ar->k_ar.ar_arg_sgid = sgid; 250 ARG_SET_VALID(ar, ARG_SGID); 251 } 252 253 void 254 audit_arg_suid(uid_t suid) 255 { 256 struct kaudit_record *ar; 257 258 ar = currecord(); 259 if (ar == NULL) 260 return; 261 262 ar->k_ar.ar_arg_suid = suid; 263 ARG_SET_VALID(ar, ARG_SUID); 264 } 265 266 void 267 audit_arg_groupset(gid_t *gidset, u_int gidset_size) 268 { 269 u_int i; 270 struct kaudit_record *ar; 271 272 KASSERT(gidset_size <= ngroups_max + 1, 273 ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)")); 274 275 ar = currecord(); 276 if (ar == NULL) 277 return; 278 279 if (ar->k_ar.ar_arg_groups.gidset == NULL) 280 ar->k_ar.ar_arg_groups.gidset = malloc( 281 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK); 282 283 for (i = 0; i < gidset_size; i++) 284 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 285 ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 286 ARG_SET_VALID(ar, ARG_GROUPSET); 287 } 288 289 void 290 audit_arg_login(char *login) 291 { 292 struct kaudit_record *ar; 293 294 ar = currecord(); 295 if (ar == NULL) 296 return; 297 298 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 299 ARG_SET_VALID(ar, ARG_LOGIN); 300 } 301 302 void 303 audit_arg_ctlname(int *name, int namelen) 304 { 305 struct kaudit_record *ar; 306 307 ar = currecord(); 308 if (ar == NULL) 309 return; 310 311 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 312 ar->k_ar.ar_arg_len = namelen; 313 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 314 } 315 316 void 317 audit_arg_mask(int mask) 318 { 319 struct kaudit_record *ar; 320 321 ar = currecord(); 322 if (ar == NULL) 323 return; 324 325 ar->k_ar.ar_arg_mask = mask; 326 ARG_SET_VALID(ar, ARG_MASK); 327 } 328 329 void 330 audit_arg_mode(mode_t mode) 331 { 332 struct kaudit_record *ar; 333 334 ar = currecord(); 335 if (ar == NULL) 336 return; 337 338 ar->k_ar.ar_arg_mode = mode; 339 ARG_SET_VALID(ar, ARG_MODE); 340 } 341 342 void 343 audit_arg_dev(int dev) 344 { 345 struct kaudit_record *ar; 346 347 ar = currecord(); 348 if (ar == NULL) 349 return; 350 351 ar->k_ar.ar_arg_dev = dev; 352 ARG_SET_VALID(ar, ARG_DEV); 353 } 354 355 void 356 audit_arg_value(long value) 357 { 358 struct kaudit_record *ar; 359 360 ar = currecord(); 361 if (ar == NULL) 362 return; 363 364 ar->k_ar.ar_arg_value = value; 365 ARG_SET_VALID(ar, ARG_VALUE); 366 } 367 368 void 369 audit_arg_owner(uid_t uid, gid_t gid) 370 { 371 struct kaudit_record *ar; 372 373 ar = currecord(); 374 if (ar == NULL) 375 return; 376 377 ar->k_ar.ar_arg_uid = uid; 378 ar->k_ar.ar_arg_gid = gid; 379 ARG_SET_VALID(ar, ARG_UID | ARG_GID); 380 } 381 382 void 383 audit_arg_pid(pid_t pid) 384 { 385 struct kaudit_record *ar; 386 387 ar = currecord(); 388 if (ar == NULL) 389 return; 390 391 ar->k_ar.ar_arg_pid = pid; 392 ARG_SET_VALID(ar, ARG_PID); 393 } 394 395 void 396 audit_arg_process(struct proc *p) 397 { 398 struct kaudit_record *ar; 399 struct ucred *cred; 400 401 KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 402 403 PROC_LOCK_ASSERT(p, MA_OWNED); 404 405 ar = currecord(); 406 if (ar == NULL) 407 return; 408 409 cred = p->p_ucred; 410 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid; 411 ar->k_ar.ar_arg_euid = cred->cr_uid; 412 ar->k_ar.ar_arg_egid = cred->cr_groups[0]; 413 ar->k_ar.ar_arg_ruid = cred->cr_ruid; 414 ar->k_ar.ar_arg_rgid = cred->cr_rgid; 415 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid; 416 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid; 417 ar->k_ar.ar_arg_pid = p->p_pid; 418 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 419 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS); 420 } 421 422 void 423 audit_arg_signum(u_int signum) 424 { 425 struct kaudit_record *ar; 426 427 ar = currecord(); 428 if (ar == NULL) 429 return; 430 431 ar->k_ar.ar_arg_signum = signum; 432 ARG_SET_VALID(ar, ARG_SIGNUM); 433 } 434 435 void 436 audit_arg_socket(int sodomain, int sotype, int soprotocol) 437 { 438 struct kaudit_record *ar; 439 440 ar = currecord(); 441 if (ar == NULL) 442 return; 443 444 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 445 ar->k_ar.ar_arg_sockinfo.so_type = sotype; 446 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 447 ARG_SET_VALID(ar, ARG_SOCKINFO); 448 } 449 450 void 451 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa) 452 { 453 struct kaudit_record *ar; 454 455 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 456 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 457 458 ar = currecord(); 459 if (ar == NULL) 460 return; 461 462 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 463 switch (sa->sa_family) { 464 case AF_INET: 465 ARG_SET_VALID(ar, ARG_SADDRINET); 466 break; 467 468 case AF_INET6: 469 ARG_SET_VALID(ar, ARG_SADDRINET6); 470 break; 471 472 case AF_UNIX: 473 if (dirfd != AT_FDCWD) 474 audit_arg_atfd1(dirfd); 475 audit_arg_upath1(td, dirfd, 476 ((struct sockaddr_un *)sa)->sun_path); 477 ARG_SET_VALID(ar, ARG_SADDRUNIX); 478 break; 479 /* XXXAUDIT: default:? */ 480 } 481 } 482 483 void 484 audit_arg_auid(uid_t auid) 485 { 486 struct kaudit_record *ar; 487 488 ar = currecord(); 489 if (ar == NULL) 490 return; 491 492 ar->k_ar.ar_arg_auid = auid; 493 ARG_SET_VALID(ar, ARG_AUID); 494 } 495 496 void 497 audit_arg_auditinfo(struct auditinfo *au_info) 498 { 499 struct kaudit_record *ar; 500 501 ar = currecord(); 502 if (ar == NULL) 503 return; 504 505 ar->k_ar.ar_arg_auid = au_info->ai_auid; 506 ar->k_ar.ar_arg_asid = au_info->ai_asid; 507 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 508 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 509 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 510 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 511 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 512 } 513 514 void 515 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info) 516 { 517 struct kaudit_record *ar; 518 519 ar = currecord(); 520 if (ar == NULL) 521 return; 522 523 ar->k_ar.ar_arg_auid = au_info->ai_auid; 524 ar->k_ar.ar_arg_asid = au_info->ai_asid; 525 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 526 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 527 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type; 528 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port; 529 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0]; 530 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1]; 531 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2]; 532 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3]; 533 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR); 534 } 535 536 void 537 audit_arg_text(char *text) 538 { 539 struct kaudit_record *ar; 540 541 KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 542 543 ar = currecord(); 544 if (ar == NULL) 545 return; 546 547 /* Invalidate the text string */ 548 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 549 550 if (ar->k_ar.ar_arg_text == NULL) 551 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 552 M_WAITOK); 553 554 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 555 ARG_SET_VALID(ar, ARG_TEXT); 556 } 557 558 void 559 audit_arg_cmd(int cmd) 560 { 561 struct kaudit_record *ar; 562 563 ar = currecord(); 564 if (ar == NULL) 565 return; 566 567 ar->k_ar.ar_arg_cmd = cmd; 568 ARG_SET_VALID(ar, ARG_CMD); 569 } 570 571 void 572 audit_arg_svipc_cmd(int cmd) 573 { 574 struct kaudit_record *ar; 575 576 ar = currecord(); 577 if (ar == NULL) 578 return; 579 580 ar->k_ar.ar_arg_svipc_cmd = cmd; 581 ARG_SET_VALID(ar, ARG_SVIPC_CMD); 582 } 583 584 void 585 audit_arg_svipc_perm(struct ipc_perm *perm) 586 { 587 struct kaudit_record *ar; 588 589 ar = currecord(); 590 if (ar == NULL) 591 return; 592 593 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 594 sizeof(ar->k_ar.ar_arg_svipc_perm)); 595 ARG_SET_VALID(ar, ARG_SVIPC_PERM); 596 } 597 598 void 599 audit_arg_svipc_id(int id) 600 { 601 struct kaudit_record *ar; 602 603 ar = currecord(); 604 if (ar == NULL) 605 return; 606 607 ar->k_ar.ar_arg_svipc_id = id; 608 ARG_SET_VALID(ar, ARG_SVIPC_ID); 609 } 610 611 void 612 audit_arg_svipc_addr(void * addr) 613 { 614 struct kaudit_record *ar; 615 616 ar = currecord(); 617 if (ar == NULL) 618 return; 619 620 ar->k_ar.ar_arg_svipc_addr = addr; 621 ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 622 } 623 624 void 625 audit_arg_svipc_which(int which) 626 { 627 struct kaudit_record *ar; 628 629 ar = currecord(); 630 if (ar == NULL) 631 return; 632 633 ar->k_ar.ar_arg_svipc_which = which; 634 ARG_SET_VALID(ar, ARG_SVIPC_WHICH); 635 } 636 637 void 638 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 639 { 640 struct kaudit_record *ar; 641 642 ar = currecord(); 643 if (ar == NULL) 644 return; 645 646 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 647 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 648 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 649 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 650 } 651 652 void 653 audit_arg_auditon(union auditon_udata *udata) 654 { 655 struct kaudit_record *ar; 656 657 ar = currecord(); 658 if (ar == NULL) 659 return; 660 661 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 662 sizeof(ar->k_ar.ar_arg_auditon)); 663 ARG_SET_VALID(ar, ARG_AUDITON); 664 } 665 666 /* 667 * Audit information about a file, either the file's vnode info, or its 668 * socket address info. 669 */ 670 void 671 audit_arg_file(struct proc *p, struct file *fp) 672 { 673 struct kaudit_record *ar; 674 struct socket *so; 675 struct inpcb *pcb; 676 struct vnode *vp; 677 678 ar = currecord(); 679 if (ar == NULL) 680 return; 681 682 switch (fp->f_type) { 683 case DTYPE_VNODE: 684 case DTYPE_FIFO: 685 /* 686 * XXXAUDIT: Only possibly to record as first vnode? 687 */ 688 vp = fp->f_vnode; 689 vn_lock(vp, LK_SHARED | LK_RETRY); 690 audit_arg_vnode1(vp); 691 VOP_UNLOCK(vp, 0); 692 break; 693 694 case DTYPE_SOCKET: 695 so = (struct socket *)fp->f_data; 696 if (INP_CHECK_SOCKAF(so, PF_INET)) { 697 SOCK_LOCK(so); 698 ar->k_ar.ar_arg_sockinfo.so_type = 699 so->so_type; 700 ar->k_ar.ar_arg_sockinfo.so_domain = 701 INP_SOCKAF(so); 702 ar->k_ar.ar_arg_sockinfo.so_protocol = 703 so->so_proto->pr_protocol; 704 SOCK_UNLOCK(so); 705 pcb = (struct inpcb *)so->so_pcb; 706 INP_RLOCK(pcb); 707 ar->k_ar.ar_arg_sockinfo.so_raddr = 708 pcb->inp_faddr.s_addr; 709 ar->k_ar.ar_arg_sockinfo.so_laddr = 710 pcb->inp_laddr.s_addr; 711 ar->k_ar.ar_arg_sockinfo.so_rport = 712 pcb->inp_fport; 713 ar->k_ar.ar_arg_sockinfo.so_lport = 714 pcb->inp_lport; 715 INP_RUNLOCK(pcb); 716 ARG_SET_VALID(ar, ARG_SOCKINFO); 717 } 718 break; 719 720 default: 721 /* XXXAUDIT: else? */ 722 break; 723 } 724 } 725 726 /* 727 * Store a path as given by the user process for auditing into the audit 728 * record stored on the user thread. This function will allocate the memory 729 * to store the path info if not already available. This memory will be 730 * freed when the audit record is freed. The path is canonlicalised with 731 * respect to the thread and directory descriptor passed. 732 */ 733 static void 734 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp) 735 { 736 737 if (*pathp == NULL) 738 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 739 audit_canon_path(td, dirfd, upath, *pathp); 740 } 741 742 void 743 audit_arg_upath1(struct thread *td, int dirfd, char *upath) 744 { 745 struct kaudit_record *ar; 746 747 ar = currecord(); 748 if (ar == NULL) 749 return; 750 751 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1); 752 ARG_SET_VALID(ar, ARG_UPATH1); 753 } 754 755 void 756 audit_arg_upath2(struct thread *td, int dirfd, char *upath) 757 { 758 struct kaudit_record *ar; 759 760 ar = currecord(); 761 if (ar == NULL) 762 return; 763 764 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2); 765 ARG_SET_VALID(ar, ARG_UPATH2); 766 } 767 768 /* 769 * Variants on path auditing that do not canonicalise the path passed in; 770 * these are for use with filesystem-like subsystems that employ string names, 771 * but do not support a hierarchical namespace -- for example, POSIX IPC 772 * objects. The subsystem should have performed any necessary 773 * canonicalisation required to make the paths useful to audit analysis. 774 */ 775 static void 776 audit_arg_upath_canon(char *upath, char **pathp) 777 { 778 779 if (*pathp == NULL) 780 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 781 (void)snprintf(*pathp, MAXPATHLEN, "%s", upath); 782 } 783 784 void 785 audit_arg_upath1_canon(char *upath) 786 { 787 struct kaudit_record *ar; 788 789 ar = currecord(); 790 if (ar == NULL) 791 return; 792 793 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1); 794 ARG_SET_VALID(ar, ARG_UPATH1); 795 } 796 797 void 798 audit_arg_upath2_canon(char *upath) 799 { 800 struct kaudit_record *ar; 801 802 ar = currecord(); 803 if (ar == NULL) 804 return; 805 806 audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2); 807 ARG_SET_VALID(ar, ARG_UPATH2); 808 } 809 810 /* 811 * Function to save the path and vnode attr information into the audit 812 * record. 813 * 814 * It is assumed that the caller will hold any vnode locks necessary to 815 * perform a VOP_GETATTR() on the passed vnode. 816 * 817 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always 818 * provides access to the generation number as we need that to construct the 819 * BSM file ID. 820 * 821 * XXX: We should accept the process argument from the caller, since it's 822 * very likely they already have a reference. 823 * 824 * XXX: Error handling in this function is poor. 825 * 826 * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 827 */ 828 static int 829 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp) 830 { 831 struct vattr vattr; 832 int error; 833 834 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 835 836 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred); 837 if (error) { 838 /* XXX: How to handle this case? */ 839 return (error); 840 } 841 842 vnp->vn_mode = vattr.va_mode; 843 vnp->vn_uid = vattr.va_uid; 844 vnp->vn_gid = vattr.va_gid; 845 vnp->vn_dev = vattr.va_rdev; 846 vnp->vn_fsid = vattr.va_fsid; 847 vnp->vn_fileid = vattr.va_fileid; 848 vnp->vn_gen = vattr.va_gen; 849 return (0); 850 } 851 852 void 853 audit_arg_vnode1(struct vnode *vp) 854 { 855 struct kaudit_record *ar; 856 int error; 857 858 ar = currecord(); 859 if (ar == NULL) 860 return; 861 862 ARG_CLEAR_VALID(ar, ARG_VNODE1); 863 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1); 864 if (error == 0) 865 ARG_SET_VALID(ar, ARG_VNODE1); 866 } 867 868 void 869 audit_arg_vnode2(struct vnode *vp) 870 { 871 struct kaudit_record *ar; 872 int error; 873 874 ar = currecord(); 875 if (ar == NULL) 876 return; 877 878 ARG_CLEAR_VALID(ar, ARG_VNODE2); 879 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2); 880 if (error == 0) 881 ARG_SET_VALID(ar, ARG_VNODE2); 882 } 883 884 /* 885 * Audit the argument strings passed to exec. 886 */ 887 void 888 audit_arg_argv(char *argv, int argc, int length) 889 { 890 struct kaudit_record *ar; 891 892 if (audit_argv == 0) 893 return; 894 895 ar = currecord(); 896 if (ar == NULL) 897 return; 898 899 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 900 bcopy(argv, ar->k_ar.ar_arg_argv, length); 901 ar->k_ar.ar_arg_argc = argc; 902 ARG_SET_VALID(ar, ARG_ARGV); 903 } 904 905 /* 906 * Audit the environment strings passed to exec. 907 */ 908 void 909 audit_arg_envv(char *envv, int envc, int length) 910 { 911 struct kaudit_record *ar; 912 913 if (audit_arge == 0) 914 return; 915 916 ar = currecord(); 917 if (ar == NULL) 918 return; 919 920 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 921 bcopy(envv, ar->k_ar.ar_arg_envv, length); 922 ar->k_ar.ar_arg_envc = envc; 923 ARG_SET_VALID(ar, ARG_ENVV); 924 } 925 926 void 927 audit_arg_rights(cap_rights_t *rightsp) 928 { 929 struct kaudit_record *ar; 930 931 ar = currecord(); 932 if (ar == NULL) 933 return; 934 935 ar->k_ar.ar_arg_rights = *rightsp; 936 ARG_SET_VALID(ar, ARG_RIGHTS); 937 } 938 939 void 940 audit_arg_fcntl_rights(uint32_t fcntlrights) 941 { 942 struct kaudit_record *ar; 943 944 ar = currecord(); 945 if (ar == NULL) 946 return; 947 948 ar->k_ar.ar_arg_fcntl_rights = fcntlrights; 949 ARG_SET_VALID(ar, ARG_FCNTL_RIGHTS); 950 } 951 952 /* 953 * The close() system call uses it's own audit call to capture the path/vnode 954 * information because those pieces are not easily obtained within the system 955 * call itself. 956 */ 957 void 958 audit_sysclose(struct thread *td, int fd) 959 { 960 cap_rights_t rights; 961 struct kaudit_record *ar; 962 struct vnode *vp; 963 struct file *fp; 964 965 KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 966 967 ar = currecord(); 968 if (ar == NULL) 969 return; 970 971 audit_arg_fd(fd); 972 973 if (getvnode(td, fd, cap_rights_init(&rights), &fp) != 0) 974 return; 975 976 vp = fp->f_vnode; 977 vn_lock(vp, LK_SHARED | LK_RETRY); 978 audit_arg_vnode1(vp); 979 VOP_UNLOCK(vp, 0); 980 fdrop(fp, td); 981 } 982