1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/proc.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/file.h> 35 #include <sys/user.h> 36 #include <sys/stropts.h> 37 #include <sys/systm.h> 38 #include <sys/pathname.h> 39 #include <sys/syscall.h> 40 #include <sys/fcntl.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/msg_impl.h> 43 #include <sys/sem_impl.h> 44 #include <sys/shm_impl.h> 45 #include <sys/kmem.h> /* for KM_SLEEP */ 46 #include <sys/socket.h> 47 #include <sys/cmn_err.h> /* snprintf... */ 48 #include <sys/debug.h> 49 #include <sys/thread.h> 50 #include <netinet/in.h> 51 #include <c2/audit.h> /* needs to be included before user.h */ 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_record.h> 55 #include <sys/strsubr.h> 56 #include <sys/tihdr.h> 57 #include <sys/tiuser.h> 58 #include <sys/timod.h> 59 #include <sys/model.h> /* for model_t */ 60 #include <sys/disp.h> /* for servicing_interrupt() */ 61 #include <sys/devpolicy.h> 62 #include <sys/crypto/ioctladmin.h> 63 #include <sys/cred.h> 64 #include <inet/kssl/kssl.h> 65 #include <net/pfpolicy.h> 66 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 68 69 static void audit_pathbuild(struct pathname *pnp); 70 71 72 /* 73 * ROUTINE: AUDIT_SAVEPATH 74 * PURPOSE: 75 * CALLBY: LOOKUPPN 76 * 77 * NOTE: We have reached the end of a path in fs/lookup.c. 78 * We get two pieces of information here: 79 * the vnode of the last component (vp) and 80 * the status of the last access (flag). 81 * TODO: 82 * QUESTION: 83 */ 84 85 /*ARGSUSED*/ 86 int 87 audit_savepath( 88 struct pathname *pnp, /* pathname to lookup */ 89 struct vnode *vp, /* vnode of the last component */ 90 int flag, /* status of the last access */ 91 cred_t *cr) /* cred of requestor */ 92 { 93 94 t_audit_data_t *tad; /* current thread */ 95 au_kcontext_t *kctx = GET_KCTX_PZ; 96 97 tad = U2A(u); 98 99 /* 100 * this event being audited or do we need path information 101 * later? This might be for a chdir/chroot or open (add path 102 * to file pointer. If the path has already been found for an 103 * open/creat then we don't need to process the path. 104 * 105 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 106 * chroot, chdir, open, creat system call processing. It determines 107 * if audit_savepath() will discard the path or we need it later. 108 * PAD_PATHFND means path already included in this audit record. It 109 * is used in cases where multiple path lookups are done per 110 * system call. The policy flag, AUDIT_PATH, controls if multiple 111 * paths are allowed. 112 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 113 * exit processing to inhibit any paths that may be added due to 114 * closes. 115 */ 116 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 117 ((tad->tad_ctrl & PAD_PATHFND) && 118 !(kctx->auk_policy & AUDIT_PATH)) || 119 (tad->tad_ctrl & PAD_NOPATH)) { 120 return (0); 121 } 122 123 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 124 125 audit_pathbuild(pnp); 126 tad->tad_vn = vp; 127 128 /* 129 * are we auditing only if error, or if it is not open or create 130 * otherwise audit_setf will do it 131 */ 132 133 if (tad->tad_flag) { 134 if (flag && 135 (tad->tad_scid == SYS_open || 136 tad->tad_scid == SYS_open64 || 137 tad->tad_scid == SYS_openat || 138 tad->tad_scid == SYS_openat64)) { 139 tad->tad_ctrl |= PAD_TRUE_CREATE; 140 } 141 142 /* add token to audit record for this name */ 143 au_uwrite(au_to_path(tad->tad_aupath)); 144 145 /* add the attributes of the object */ 146 if (vp) { 147 /* 148 * only capture attributes when there is no error 149 * lookup will not return the vnode of the failing 150 * component. 151 * 152 * if there was a lookup error, then don't add 153 * attribute. if lookup in vn_create(), 154 * then don't add attribute, 155 * it will be added at end of vn_create(). 156 */ 157 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 158 audit_attributes(vp); 159 } 160 } 161 162 /* free up space if we're not going to save path (open, creat) */ 163 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 164 if (tad->tad_aupath != NULL) { 165 au_pathrele(tad->tad_aupath); 166 tad->tad_aupath = NULL; 167 tad->tad_vn = NULL; 168 } 169 } 170 if (tad->tad_ctrl & PAD_MLD) 171 tad->tad_ctrl |= PAD_PATHFND; 172 173 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 174 return (0); 175 } 176 177 static void 178 audit_pathbuild(struct pathname *pnp) 179 { 180 char *pp; /* pointer to path */ 181 int len; /* length of incoming segment */ 182 int newsect; /* path requires a new section */ 183 struct audit_path *pfxapp; /* prefix for path */ 184 struct audit_path *newapp; /* new audit_path */ 185 t_audit_data_t *tad; /* current thread */ 186 p_audit_data_t *pad; /* current process */ 187 188 tad = U2A(u); 189 ASSERT(tad != NULL); 190 pad = P2A(curproc); 191 ASSERT(pad != NULL); 192 193 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 194 ASSERT(len > 0); 195 196 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 197 mutex_enter(&pad->pad_lock); 198 if (tad->tad_aupath != NULL) { 199 pfxapp = tad->tad_aupath; 200 } else if ((tad->tad_ctrl & PAD_ATCALL) && pnp->pn_buf[0] != '/') { 201 ASSERT(tad->tad_atpath != NULL); 202 pfxapp = tad->tad_atpath; 203 } else if (tad->tad_ctrl & PAD_ABSPATH) { 204 pfxapp = pad->pad_root; 205 } else { 206 pfxapp = pad->pad_cwd; 207 } 208 au_pathhold(pfxapp); 209 mutex_exit(&pad->pad_lock); 210 211 /* get an expanded buffer to hold the anchored path */ 212 newsect = tad->tad_ctrl & PAD_ATTPATH; 213 newapp = au_pathdup(pfxapp, newsect, len); 214 au_pathrele(pfxapp); 215 216 pp = newapp->audp_sect[newapp->audp_cnt] - len; 217 if (!newsect) { 218 /* overlay previous NUL terminator */ 219 *(pp - 1) = '/'; 220 } 221 222 /* now add string of processed path */ 223 bcopy(pnp->pn_buf, pp, len); 224 pp[len - 1] = '\0'; 225 226 /* perform path simplification as necessary */ 227 audit_fixpath(newapp, len); 228 229 if (tad->tad_aupath) 230 au_pathrele(tad->tad_aupath); 231 tad->tad_aupath = newapp; 232 233 /* for case where multiple lookups in one syscall (rename) */ 234 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATTPATH); 235 } 236 237 238 239 /*ARGSUSED*/ 240 241 /* 242 * ROUTINE: AUDIT_ADDCOMPONENT 243 * PURPOSE: extend the path by the component accepted 244 * CALLBY: LOOKUPPN 245 * NOTE: This function is called only when there is an error in 246 * parsing a path component 247 * TODO: Add the error component to audit record 248 * QUESTION: what is this for 249 */ 250 251 void 252 audit_addcomponent(struct pathname *pnp) 253 { 254 au_kcontext_t *kctx = GET_KCTX_PZ; 255 t_audit_data_t *tad; 256 257 tad = U2A(u); 258 /* 259 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 260 * chroot, chdir, open, creat system call processing. It determines 261 * if audit_savepath() will discard the path or we need it later. 262 * PAD_PATHFND means path already included in this audit record. It 263 * is used in cases where multiple path lookups are done per 264 * system call. The policy flag, AUDIT_PATH, controls if multiple 265 * paths are allowed. 266 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 267 * exit processing to inhibit any paths that may be added due to 268 * closes. 269 */ 270 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 271 ((tad->tad_ctrl & PAD_PATHFND) && 272 !(kctx->auk_policy & AUDIT_PATH)) || 273 (tad->tad_ctrl & PAD_NOPATH)) { 274 return; 275 } 276 277 return; 278 279 } /* AUDIT_ADDCOMPONENT */ 280 281 282 /* 283 * ROUTINE: AUDIT_ANCHORPATH 284 * PURPOSE: 285 * CALLBY: LOOKUPPN 286 * NOTE: 287 * anchor path at "/". We have seen a symbolic link or entering for the 288 * first time we will throw away any saved path if path is anchored. 289 * 290 * flag = 0, path is relative. 291 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 292 * 293 * If the (new) path is absolute, then we have to throw away whatever we have 294 * already accumulated since it is being superseded by new path which is 295 * anchored at the root. 296 * Note that if the path is relative, this function does nothing 297 * TODO: 298 * QUESTION: 299 */ 300 /*ARGSUSED*/ 301 void 302 audit_anchorpath(struct pathname *pnp, int flag) 303 { 304 au_kcontext_t *kctx = GET_KCTX_PZ; 305 t_audit_data_t *tad; 306 307 tad = U2A(u); 308 309 /* 310 * this event being audited or do we need path information 311 * later? This might be for a chdir/chroot or open (add path 312 * to file pointer. If the path has already been found for an 313 * open/creat then we don't need to process the path. 314 * 315 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 316 * chroot, chdir, open, creat system call processing. It determines 317 * if audit_savepath() will discard the path or we need it later. 318 * PAD_PATHFND means path already included in this audit record. It 319 * is used in cases where multiple path lookups are done per 320 * system call. The policy flag, AUDIT_PATH, controls if multiple 321 * paths are allowed. 322 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 323 * exit processing to inhibit any paths that may be added due to 324 * closes. 325 */ 326 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 327 ((tad->tad_ctrl & PAD_PATHFND) && 328 !(kctx->auk_policy & AUDIT_PATH)) || 329 (tad->tad_ctrl & PAD_NOPATH)) { 330 return; 331 } 332 333 if (flag) { 334 tad->tad_ctrl |= PAD_ABSPATH; 335 if (tad->tad_aupath != NULL) { 336 au_pathrele(tad->tad_aupath); 337 tad->tad_aupath = NULL; 338 tad->tad_vn = NULL; 339 } 340 } 341 } 342 343 344 /* 345 * symbolic link. Save previous components. 346 * 347 * the path seen so far looks like this 348 * 349 * +-----------------------+----------------+ 350 * | path processed so far | remaining path | 351 * +-----------------------+----------------+ 352 * \-----------------------/ 353 * save this string if 354 * symbolic link relative 355 * (but don't include symlink component) 356 */ 357 358 /*ARGSUSED*/ 359 360 361 /* 362 * ROUTINE: AUDIT_SYMLINK 363 * PURPOSE: 364 * CALLBY: LOOKUPPN 365 * NOTE: 366 * TODO: 367 * QUESTION: 368 */ 369 void 370 audit_symlink(struct pathname *pnp, struct pathname *sympath) 371 { 372 char *sp; /* saved initial pp */ 373 char *cp; /* start of symlink path */ 374 uint_t len_path; /* processed path before symlink */ 375 t_audit_data_t *tad; 376 au_kcontext_t *kctx = GET_KCTX_PZ; 377 378 tad = U2A(u); 379 380 /* 381 * this event being audited or do we need path information 382 * later? This might be for a chdir/chroot or open (add path 383 * to file pointer. If the path has already been found for an 384 * open/creat then we don't need to process the path. 385 * 386 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 387 * chroot, chdir, open, creat system call processing. It determines 388 * if audit_savepath() will discard the path or we need it later. 389 * PAD_PATHFND means path already included in this audit record. It 390 * is used in cases where multiple path lookups are done per 391 * system call. The policy flag, AUDIT_PATH, controls if multiple 392 * paths are allowed. 393 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 394 * exit processing to inhibit any paths that may be added due to 395 * closes. 396 */ 397 if ((tad->tad_flag == 0 && 398 !(tad->tad_ctrl & PAD_SAVPATH)) || 399 ((tad->tad_ctrl & PAD_PATHFND) && 400 !(kctx->auk_policy & AUDIT_PATH)) || 401 (tad->tad_ctrl & PAD_NOPATH)) { 402 return; 403 } 404 405 /* 406 * if symbolic link is anchored at / then do nothing. 407 * When we cycle back to begin: in lookuppn() we will 408 * call audit_anchorpath() with a flag indicating if the 409 * path is anchored at / or is relative. We will release 410 * any saved path at that point. 411 * 412 * Note In the event that an error occurs in pn_combine then 413 * we want to remain pointing at the component that caused the 414 * path to overflow the pnp structure. 415 */ 416 if (sympath->pn_buf[0] == '/') 417 return; 418 419 /* backup over last component */ 420 sp = cp = pnp->pn_path; 421 while (*--cp != '/' && cp > pnp->pn_buf) 422 ; 423 424 len_path = cp - pnp->pn_buf; 425 426 /* is there anything to save? */ 427 if (len_path) { 428 pnp->pn_path = pnp->pn_buf; 429 audit_pathbuild(pnp); 430 pnp->pn_path = sp; 431 } 432 } 433 434 /* 435 * file_is_public : determine whether events for the file (corresponding to 436 * the specified file attr) should be audited or ignored. 437 * 438 * returns: 1 - if audit policy and file attributes indicate that 439 * file is effectively public. read events for 440 * the file should not be audited. 441 * 0 - otherwise 442 * 443 * The required attributes to be considered a public object are: 444 * - owned by root, AND 445 * - world-readable (permissions for other include read), AND 446 * - NOT world-writeable (permissions for other don't 447 * include write) 448 * (mode doesn't need to be checked for symlinks) 449 */ 450 int 451 file_is_public(struct vattr *attr) 452 { 453 au_kcontext_t *kctx = GET_KCTX_PZ; 454 455 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 456 ((attr->va_type == VLNK) || 457 ((attr->va_mode & (VREAD>>6)) != 0) && 458 ((attr->va_mode & (VWRITE>>6)) == 0))) { 459 return (1); 460 } 461 return (0); 462 } 463 464 465 /* 466 * ROUTINE: AUDIT_ATTRIBUTES 467 * PURPOSE: Audit the attributes so we can tell why the error occurred 468 * CALLBY: AUDIT_SAVEPATH 469 * AUDIT_VNCREATE_FINISH 470 * AUS_FCHOWN...audit_event.c...audit_path.c 471 * NOTE: 472 * TODO: 473 * QUESTION: 474 */ 475 void 476 audit_attributes(struct vnode *vp) 477 { 478 struct vattr attr; 479 struct t_audit_data *tad; 480 481 tad = U2A(u); 482 483 if (vp) { 484 attr.va_mask = AT_ALL; 485 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 486 return; 487 488 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 489 /* 490 * This is a public object and a "public" event 491 * (i.e., read only) -- either by definition 492 * (e.g., stat, access...) or by virtue of write access 493 * not being requested (e.g. mmap). 494 * Flag it in the tad to prevent this audit at the end. 495 */ 496 tad->tad_ctrl |= PAD_NOAUDIT; 497 } else { 498 au_uwrite(au_to_attr(&attr)); 499 audit_sec_attributes(&(u_ad), vp); 500 } 501 } 502 } 503 504 505 /* 506 * ROUTINE: AUDIT_EXIT 507 * PURPOSE: 508 * CALLBY: EXIT 509 * NOTE: 510 * TODO: 511 * QUESTION: why cmw code as offset by 2 but not here 512 */ 513 /* ARGSUSED */ 514 void 515 audit_exit(int code, int what) 516 { 517 struct t_audit_data *tad; 518 tad = U2A(u); 519 520 /* 521 * tad_scid will be set by audit_start even if we are not auditing 522 * the event. 523 */ 524 if (tad->tad_scid == SYS_exit) { 525 /* 526 * if we are auditing the exit system call, then complete 527 * audit record generation (no return from system call). 528 */ 529 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 530 audit_finish(0, SYS_exit, 0, 0); 531 return; 532 } 533 534 /* 535 * Anyone auditing the system call that was aborted? 536 */ 537 if (tad->tad_flag) { 538 au_uwrite(au_to_text("event aborted")); 539 audit_finish(0, tad->tad_scid, 0, 0); 540 } 541 542 /* 543 * Generate an audit record for process exit if preselected. 544 */ 545 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 546 audit_finish(0, SYS_exit, 0, 0); 547 } 548 549 /* 550 * ROUTINE: AUDIT_CORE_START 551 * PURPOSE: 552 * CALLBY: PSIG 553 * NOTE: 554 * TODO: 555 */ 556 void 557 audit_core_start(int sig) 558 { 559 au_event_t event; 560 au_state_t estate; 561 t_audit_data_t *tad; 562 au_kcontext_t *kctx; 563 564 tad = U2A(u); 565 566 ASSERT(tad != (t_audit_data_t *)0); 567 568 ASSERT(tad->tad_scid == 0); 569 ASSERT(tad->tad_event == 0); 570 ASSERT(tad->tad_evmod == 0); 571 ASSERT(tad->tad_ctrl == 0); 572 ASSERT(tad->tad_flag == 0); 573 ASSERT(tad->tad_aupath == NULL); 574 575 kctx = GET_KCTX_PZ; 576 577 /* get basic event for system call */ 578 event = AUE_CORE; 579 estate = kctx->auk_ets[event]; 580 581 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 582 return; 583 584 /* reset the flags for non-user attributable events */ 585 tad->tad_ctrl = PAD_CORE; 586 tad->tad_scid = 0; 587 588 /* if auditing not enabled, then don't generate an audit record */ 589 590 if (!((kctx->auk_auditstate == AUC_AUDITING || 591 kctx->auk_auditstate == AUC_INIT_AUDIT) || 592 kctx->auk_auditstate == AUC_NOSPACE)) { 593 tad->tad_flag = 0; 594 tad->tad_ctrl = 0; 595 return; 596 } 597 598 tad->tad_event = event; 599 tad->tad_evmod = 0; 600 601 ASSERT(tad->tad_ad == NULL); 602 603 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 604 } 605 606 /* 607 * ROUTINE: AUDIT_CORE_FINISH 608 * PURPOSE: 609 * CALLBY: PSIG 610 * NOTE: 611 * TODO: 612 * QUESTION: 613 */ 614 615 /*ARGSUSED*/ 616 void 617 audit_core_finish(int code) 618 { 619 int flag; 620 t_audit_data_t *tad; 621 au_kcontext_t *kctx; 622 623 tad = U2A(u); 624 625 ASSERT(tad != (t_audit_data_t *)0); 626 627 if ((flag = tad->tad_flag) == 0) { 628 tad->tad_event = 0; 629 tad->tad_evmod = 0; 630 tad->tad_ctrl = 0; 631 ASSERT(tad->tad_aupath == NULL); 632 return; 633 } 634 tad->tad_flag = 0; 635 636 kctx = GET_KCTX_PZ; 637 638 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 639 if (flag = audit_success(kctx, tad, 0, NULL)) { 640 cred_t *cr = CRED(); 641 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 642 643 ASSERT(ainfo != NULL); 644 645 /* 646 * Add subject information (no locks since our private copy of 647 * credential 648 */ 649 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 650 651 /* Add a return token (should use f argument) */ 652 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 653 654 AS_INC(as_generated, 1, kctx); 655 AS_INC(as_kernel, 1, kctx); 656 } 657 658 /* Close up everything */ 659 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 660 661 /* free up any space remaining with the path's */ 662 if (tad->tad_aupath != NULL) { 663 au_pathrele(tad->tad_aupath); 664 tad->tad_aupath = NULL; 665 tad->tad_vn = NULL; 666 } 667 tad->tad_event = 0; 668 tad->tad_evmod = 0; 669 tad->tad_ctrl = 0; 670 } 671 672 /*ARGSUSED*/ 673 void 674 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 675 { 676 } 677 678 /*ARGSUSED*/ 679 void 680 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 681 { 682 } 683 684 /*ARGSUSED*/ 685 void 686 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 687 int copyflag, cred_t *crp, int *rvalp) 688 { 689 } 690 691 692 /*ARGSUSED*/ 693 void 694 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 695 unsigned char *pri, int *flag, int fmode) 696 { 697 struct stdata *stp; 698 t_audit_data_t *tad = U2A(u); 699 700 ASSERT(tad != (t_audit_data_t *)0); 701 702 stp = vp->v_stream; 703 704 /* lock stdata from audit_sock */ 705 mutex_enter(&stp->sd_lock); 706 707 /* proceed ONLY if user is being audited */ 708 if (!tad->tad_flag) { 709 /* 710 * this is so we will not add audit data onto 711 * a thread that is not being audited. 712 */ 713 stp->sd_t_audit_data = NULL; 714 mutex_exit(&stp->sd_lock); 715 return; 716 } 717 718 stp->sd_t_audit_data = (caddr_t)curthread; 719 mutex_exit(&stp->sd_lock); 720 } 721 722 /*ARGSUSED*/ 723 void 724 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 725 unsigned char pri, int flag, int fmode) 726 { 727 struct stdata *stp; 728 t_audit_data_t *tad = U2A(u); 729 730 ASSERT(tad != (t_audit_data_t *)0); 731 732 stp = vp->v_stream; 733 734 /* lock stdata from audit_sock */ 735 mutex_enter(&stp->sd_lock); 736 737 /* proceed ONLY if user is being audited */ 738 if (!tad->tad_flag) { 739 /* 740 * this is so we will not add audit data onto 741 * a thread that is not being audited. 742 */ 743 stp->sd_t_audit_data = NULL; 744 mutex_exit(&stp->sd_lock); 745 return; 746 } 747 748 stp->sd_t_audit_data = (caddr_t)curthread; 749 mutex_exit(&stp->sd_lock); 750 } 751 752 /* 753 * ROUTINE: AUDIT_CLOSEF 754 * PURPOSE: 755 * CALLBY: CLOSEF 756 * NOTE: 757 * release per file audit resources when file structure is being released. 758 * 759 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 760 * on the audit queue if it becomes full. This means 761 * audit_closef can not be called when f_count == 0. Since 762 * f_count == 0 indicates the file structure is free, another 763 * process could attempt to use the file while we were still 764 * asleep waiting on the audit queue. This would cause the 765 * per file audit data to be corrupted when we finally do 766 * wakeup. 767 * TODO: 768 * QUESTION: 769 */ 770 771 void 772 audit_closef(struct file *fp) 773 { /* AUDIT_CLOSEF */ 774 f_audit_data_t *fad; 775 t_audit_data_t *tad; 776 int success; 777 au_state_t estate; 778 struct vnode *vp; 779 token_t *ad = NULL; 780 struct vattr attr; 781 au_emod_t evmod = 0; 782 const auditinfo_addr_t *ainfo; 783 int getattr_ret; 784 cred_t *cr; 785 au_kcontext_t *kctx = GET_KCTX_PZ; 786 uint32_t auditing; 787 788 fad = F2A(fp); 789 estate = kctx->auk_ets[AUE_CLOSE]; 790 tad = U2A(u); 791 cr = CRED(); 792 793 /* audit record already generated by system call envelope */ 794 if (tad->tad_event == AUE_CLOSE) { 795 /* so close audit event will have bits set */ 796 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 797 return; 798 } 799 800 /* if auditing not enabled, then don't generate an audit record */ 801 auditing = (tad->tad_audit == AUC_UNSET) ? 802 kctx->auk_auditstate : tad->tad_audit; 803 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 804 return; 805 806 ainfo = crgetauinfo(cr); 807 if (ainfo == NULL) 808 return; 809 810 success = ainfo->ai_mask.as_success & estate; 811 812 /* not selected for this event */ 813 if (success == 0) 814 return; 815 816 /* 817 * can't use audit_attributes here since we use a private audit area 818 * to build the audit record instead of the one off the thread. 819 */ 820 if ((vp = fp->f_vnode) != NULL) { 821 attr.va_mask = AT_ALL; 822 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 823 } 824 825 /* 826 * When write was not used and the file can be considered public, 827 * then skip the audit. 828 */ 829 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 830 if (file_is_public(&attr)) { 831 return; 832 } 833 } 834 835 evmod = (au_emod_t)fad->fad_flags; 836 if (fad->fad_aupath != NULL) { 837 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 838 } else { 839 #ifdef _LP64 840 au_write((caddr_t *)&(ad), au_to_arg64( 841 1, "no path: fp", (uint64_t)fp)); 842 #else 843 au_write((caddr_t *)&(ad), au_to_arg32( 844 1, "no path: fp", (uint32_t)fp)); 845 #endif 846 } 847 848 if (getattr_ret == 0) { 849 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 850 audit_sec_attributes((caddr_t *)&(ad), vp); 851 } 852 853 /* Add subject information */ 854 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 855 856 /* add a return token */ 857 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 858 859 AS_INC(as_generated, 1, kctx); 860 AS_INC(as_kernel, 1, kctx); 861 862 /* 863 * Close up everything 864 * Note: path space recovery handled by normal system 865 * call envelope if not at last close. 866 * Note there is no failure at this point since 867 * this represents closes due to exit of process, 868 * thus we always indicate successful closes. 869 */ 870 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 871 AUE_CLOSE, evmod, NULL); 872 } 873 874 /* 875 * ROUTINE: AUDIT_SET 876 * PURPOSE: Audit the file path and file attributes. 877 * CALLBY: SETF 878 * NOTE: SETF associate a file pointer with user area's open files. 879 * TODO: 880 * call audit_finish directly ??? 881 * QUESTION: 882 */ 883 884 /*ARGSUSED*/ 885 void 886 audit_setf(file_t *fp, int fd) 887 { 888 f_audit_data_t *fad; 889 t_audit_data_t *tad; 890 891 if (fp == NULL) 892 return; 893 894 tad = T2A(curthread); 895 fad = F2A(fp); 896 897 if (!(tad->tad_scid == SYS_open || 898 tad->tad_scid == SYS_open64 || 899 tad->tad_scid == SYS_openat || 900 tad->tad_scid == SYS_openat64)) 901 return; 902 903 /* no path */ 904 if (tad->tad_aupath == 0) 905 return; 906 907 /* 908 * assign path information associated with file audit data 909 * use tad hold 910 */ 911 fad->fad_aupath = tad->tad_aupath; 912 tad->tad_aupath = NULL; 913 tad->tad_vn = NULL; 914 915 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 916 /* adjust event type by dropping the 'creat' part */ 917 switch (tad->tad_event) { 918 case AUE_OPEN_RC: 919 tad->tad_event = AUE_OPEN_R; 920 tad->tad_ctrl |= PAD_PUBLIC_EV; 921 break; 922 case AUE_OPEN_RTC: 923 tad->tad_event = AUE_OPEN_RT; 924 break; 925 case AUE_OPEN_WC: 926 tad->tad_event = AUE_OPEN_W; 927 break; 928 case AUE_OPEN_WTC: 929 tad->tad_event = AUE_OPEN_WT; 930 break; 931 case AUE_OPEN_RWC: 932 tad->tad_event = AUE_OPEN_RW; 933 break; 934 case AUE_OPEN_RWTC: 935 tad->tad_event = AUE_OPEN_RWT; 936 break; 937 default: 938 break; 939 } 940 } 941 } 942 943 944 /* 945 * ROUTINE: AUDIT_COPEN 946 * PURPOSE: 947 * CALLBY: COPEN 948 * NOTE: 949 * TODO: 950 * QUESTION: 951 */ 952 /*ARGSUSED*/ 953 void 954 audit_copen(int fd, file_t *fp, vnode_t *vp) 955 { 956 } 957 958 void 959 audit_ipc(int type, int id, void *vp) 960 { 961 /* if not auditing this event, then do nothing */ 962 if (ad_flag == 0) 963 return; 964 965 switch (type) { 966 case AT_IPC_MSG: 967 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 968 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 969 break; 970 case AT_IPC_SEM: 971 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 972 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 973 break; 974 case AT_IPC_SHM: 975 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 976 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 977 break; 978 } 979 } 980 981 void 982 audit_ipcget(int type, void *vp) 983 { 984 /* if not auditing this event, then do nothing */ 985 if (ad_flag == 0) 986 return; 987 988 switch (type) { 989 case NULL: 990 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 991 break; 992 case AT_IPC_MSG: 993 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 994 break; 995 case AT_IPC_SEM: 996 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 997 break; 998 case AT_IPC_SHM: 999 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1000 break; 1001 } 1002 } 1003 1004 /* 1005 * ROUTINE: AUDIT_REBOOT 1006 * PURPOSE: 1007 * CALLBY: 1008 * NOTE: 1009 * At this point we know that the system call reboot will not return. We thus 1010 * have to complete the audit record generation and put it onto the queue. 1011 * This might be fairly useless if the auditing daemon is already dead.... 1012 * TODO: 1013 * QUESTION: who calls audit_reboot 1014 */ 1015 1016 void 1017 audit_reboot(void) 1018 { 1019 int flag; 1020 t_audit_data_t *tad; 1021 au_kcontext_t *kctx = GET_KCTX_PZ; 1022 1023 tad = U2A(u); 1024 1025 /* if not auditing this event, then do nothing */ 1026 if (tad->tad_flag == 0) 1027 return; 1028 1029 /* do preselection on success/failure */ 1030 if (flag = audit_success(kctx, tad, 0, NULL)) { 1031 /* add a process token */ 1032 1033 cred_t *cr = CRED(); 1034 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1035 1036 if (ainfo == NULL) 1037 return; 1038 1039 /* Add subject information */ 1040 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1041 1042 /* add a return token */ 1043 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1044 1045 AS_INC(as_generated, 1, kctx); 1046 AS_INC(as_kernel, 1, kctx); 1047 } 1048 1049 /* 1050 * Flow control useless here since we're going 1051 * to drop everything in the queue anyway. Why 1052 * block and wait. There aint anyone left alive to 1053 * read the records remaining anyway. 1054 */ 1055 1056 /* Close up everything */ 1057 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1058 tad->tad_event, tad->tad_evmod, NULL); 1059 } 1060 1061 void 1062 audit_setfsat_path(int argnum) 1063 { 1064 klwp_id_t clwp = ttolwp(curthread); 1065 struct file *fp; 1066 uint32_t fd; 1067 t_audit_data_t *tad; 1068 struct f_audit_data *fad; 1069 p_audit_data_t *pad; /* current process */ 1070 struct a { 1071 long arg1; 1072 long arg2; 1073 long arg3; 1074 long arg4; 1075 long arg5; 1076 } *uap; 1077 1078 if (clwp == NULL) 1079 return; 1080 uap = (struct a *)clwp->lwp_ap; 1081 1082 tad = U2A(u); 1083 ASSERT(tad != NULL); 1084 1085 switch (tad->tad_scid) { 1086 case SYS_faccessat: 1087 case SYS_fchownat: 1088 case SYS_fstatat: 1089 case SYS_fstatat64: 1090 case SYS_openat: 1091 case SYS_openat64: 1092 case SYS_unlinkat: 1093 fd = uap->arg1; 1094 break; 1095 case SYS_renameat: 1096 if (argnum == 3) 1097 fd = uap->arg3; 1098 else 1099 fd = uap->arg1; 1100 break; 1101 case SYS_utimesys: 1102 fd = uap->arg2; 1103 break; 1104 default: 1105 return; 1106 } 1107 1108 if (tad->tad_atpath != NULL) { 1109 au_pathrele(tad->tad_atpath); 1110 tad->tad_atpath = NULL; 1111 } 1112 if (fd != AT_FDCWD) { 1113 if ((fp = getf(fd)) == NULL) { 1114 tad->tad_ctrl |= PAD_NOPATH; 1115 return; 1116 } 1117 fad = F2A(fp); 1118 ASSERT(fad); 1119 if (fad->fad_aupath == NULL) { 1120 tad->tad_ctrl |= PAD_NOPATH; 1121 releasef(fd); 1122 return; 1123 } 1124 au_pathhold(fad->fad_aupath); 1125 tad->tad_atpath = fad->fad_aupath; 1126 releasef(fd); 1127 } else { 1128 pad = P2A(curproc); 1129 mutex_enter(&pad->pad_lock); 1130 au_pathhold(pad->pad_cwd); 1131 tad->tad_atpath = pad->pad_cwd; 1132 mutex_exit(&pad->pad_lock); 1133 } 1134 } 1135 1136 void 1137 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1138 { 1139 t_audit_data_t *tad; 1140 vnode_t *vp; 1141 1142 tad = U2A(u); 1143 1144 /* if not auditing this event, then do nothing */ 1145 if (tad->tad_flag == 0) 1146 return; 1147 1148 au_uwrite(au_to_text(target)); 1149 1150 if (error) 1151 return; 1152 1153 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1154 NULL, NULL, NULL); 1155 if (error == 0) { 1156 audit_attributes(vp); 1157 VN_RELE(vp); 1158 } 1159 } 1160 1161 /* 1162 * ROUTINE: AUDIT_VNCREATE_START 1163 * PURPOSE: set flag so path name lookup in create will not add attribute 1164 * CALLBY: VN_CREATE 1165 * NOTE: 1166 * TODO: 1167 * QUESTION: 1168 */ 1169 1170 void 1171 audit_vncreate_start() 1172 { 1173 t_audit_data_t *tad; 1174 1175 tad = U2A(u); 1176 tad->tad_ctrl |= PAD_NOATTRB; 1177 } 1178 1179 /* 1180 * ROUTINE: AUDIT_VNCREATE_FINISH 1181 * PURPOSE: 1182 * CALLBY: VN_CREATE 1183 * NOTE: 1184 * TODO: 1185 * QUESTION: 1186 */ 1187 void 1188 audit_vncreate_finish(struct vnode *vp, int error) 1189 { 1190 t_audit_data_t *tad; 1191 1192 if (error) 1193 return; 1194 1195 tad = U2A(u); 1196 1197 /* if not auditing this event, then do nothing */ 1198 if (tad->tad_flag == 0) 1199 return; 1200 1201 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1202 audit_attributes(vp); 1203 } 1204 1205 if (tad->tad_ctrl & PAD_CORE) { 1206 audit_attributes(vp); 1207 tad->tad_ctrl &= ~PAD_CORE; 1208 } 1209 1210 if (!error && ((tad->tad_event == AUE_MKNOD) || 1211 (tad->tad_event == AUE_MKDIR))) { 1212 audit_attributes(vp); 1213 } 1214 1215 /* for case where multiple lookups in one syscall (rename) */ 1216 tad->tad_ctrl &= ~PAD_NOATTRB; 1217 } 1218 1219 1220 1221 1222 1223 1224 1225 1226 /* 1227 * ROUTINE: AUDIT_EXEC 1228 * PURPOSE: Records the function arguments and environment variables 1229 * CALLBY: EXEC_ARGS 1230 * NOTE: 1231 * TODO: 1232 * QUESTION: 1233 */ 1234 1235 /*ARGSUSED*/ 1236 void 1237 audit_exec( 1238 const char *argstr, /* argument strings */ 1239 const char *envstr, /* environment strings */ 1240 ssize_t argc, /* total # arguments */ 1241 ssize_t envc) /* total # environment variables */ 1242 { 1243 t_audit_data_t *tad; 1244 au_kcontext_t *kctx = GET_KCTX_PZ; 1245 1246 tad = U2A(u); 1247 1248 /* if not auditing this event, then do nothing */ 1249 if (!tad->tad_flag) 1250 return; 1251 1252 /* return if not interested in argv or environment variables */ 1253 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1254 return; 1255 1256 if (kctx->auk_policy & AUDIT_ARGV) { 1257 au_uwrite(au_to_exec_args(argstr, argc)); 1258 } 1259 1260 if (kctx->auk_policy & AUDIT_ARGE) { 1261 au_uwrite(au_to_exec_env(envstr, envc)); 1262 } 1263 } 1264 1265 /* 1266 * ROUTINE: AUDIT_ENTERPROM 1267 * PURPOSE: 1268 * CALLBY: KBDINPUT 1269 * ZSA_XSINT 1270 * NOTE: 1271 * TODO: 1272 * QUESTION: 1273 */ 1274 void 1275 audit_enterprom(int flg) 1276 { 1277 token_t *rp = NULL; 1278 int sorf; 1279 1280 if (flg) 1281 sorf = AUM_SUCC; 1282 else 1283 sorf = AUM_FAIL; 1284 1285 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1286 1287 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1288 1289 if (flg) 1290 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1291 else 1292 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1293 1294 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1295 } 1296 1297 1298 /* 1299 * ROUTINE: AUDIT_EXITPROM 1300 * PURPOSE: 1301 * CALLBY: KBDINPUT 1302 * ZSA_XSINT 1303 * NOTE: 1304 * TODO: 1305 * QUESTION: 1306 */ 1307 void 1308 audit_exitprom(int flg) 1309 { 1310 int sorf; 1311 token_t *rp = NULL; 1312 1313 if (flg) 1314 sorf = AUM_SUCC; 1315 else 1316 sorf = AUM_FAIL; 1317 1318 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1319 1320 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1321 1322 if (flg) 1323 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1324 else 1325 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1326 1327 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1328 } 1329 1330 struct fcntla { 1331 int fdes; 1332 int cmd; 1333 intptr_t arg; 1334 }; 1335 1336 /* 1337 * ROUTINE: AUDIT_C2_REVOKE 1338 * PURPOSE: 1339 * CALLBY: FCNTL 1340 * NOTE: 1341 * TODO: 1342 * QUESTION: are we keeping this func 1343 */ 1344 1345 /*ARGSUSED*/ 1346 int 1347 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1348 { 1349 return (0); 1350 } 1351 1352 1353 /* 1354 * ROUTINE: AUDIT_CHDIREC 1355 * PURPOSE: 1356 * CALLBY: CHDIREC 1357 * NOTE: The main function of CHDIREC 1358 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1359 * QUESTION: 1360 */ 1361 1362 /*ARGSUSED*/ 1363 void 1364 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1365 { 1366 int chdir; 1367 int fchdir; 1368 struct audit_path **appp; 1369 struct file *fp; 1370 f_audit_data_t *fad; 1371 p_audit_data_t *pad = P2A(curproc); 1372 t_audit_data_t *tad = T2A(curthread); 1373 1374 struct a { 1375 long fd; 1376 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1377 1378 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1379 chdir = tad->tad_scid == SYS_chdir; 1380 if (tad->tad_aupath) { 1381 mutex_enter(&pad->pad_lock); 1382 if (chdir) 1383 appp = &(pad->pad_cwd); 1384 else 1385 appp = &(pad->pad_root); 1386 au_pathrele(*appp); 1387 /* use tad hold */ 1388 *appp = tad->tad_aupath; 1389 tad->tad_aupath = NULL; 1390 mutex_exit(&pad->pad_lock); 1391 } 1392 } else if ((tad->tad_scid == SYS_fchdir) || 1393 (tad->tad_scid == SYS_fchroot)) { 1394 fchdir = tad->tad_scid == SYS_fchdir; 1395 if ((fp = getf(uap->fd)) == NULL) 1396 return; 1397 fad = F2A(fp); 1398 if (fad->fad_aupath) { 1399 au_pathhold(fad->fad_aupath); 1400 mutex_enter(&pad->pad_lock); 1401 if (fchdir) 1402 appp = &(pad->pad_cwd); 1403 else 1404 appp = &(pad->pad_root); 1405 au_pathrele(*appp); 1406 *appp = fad->fad_aupath; 1407 mutex_exit(&pad->pad_lock); 1408 if (tad->tad_flag) { 1409 au_uwrite(au_to_path(fad->fad_aupath)); 1410 audit_attributes(fp->f_vnode); 1411 } 1412 } 1413 releasef(uap->fd); 1414 } 1415 } 1416 1417 /* 1418 * ROUTINE: AUDIT_GETF 1419 * PURPOSE: 1420 * CALLBY: GETF_INTERNAL 1421 * NOTE: The main function of GETF_INTERNAL is to associate a given 1422 * file descriptor with a file structure and increment the 1423 * file pointer reference count. 1424 * TODO: remove pass in of fpp. 1425 * increment a reference count so that even if a thread with same process delete 1426 * the same object, it will not panic our system 1427 * QUESTION: 1428 * where to decrement the f_count????????????????? 1429 * seems like I need to set a flag if f_count incremented through audit_getf 1430 */ 1431 1432 /*ARGSUSED*/ 1433 int 1434 audit_getf(int fd) 1435 { 1436 #ifdef NOTYET 1437 t_audit_data_t *tad; 1438 1439 tad = T2A(curthread); 1440 1441 if (!(tad->tad_scid == SYS_openat || 1442 tad->tad_scid == SYS_openat64 || 1443 tad->tad_scid == SYS_open || 1444 tad->tad_scid == SYS_open64)) 1445 return (0); 1446 #endif 1447 return (0); 1448 } 1449 1450 /* 1451 * Audit hook for stream based socket and tli request. 1452 * Note that we do not have user context while executing 1453 * this code so we had to record them earlier during the 1454 * putmsg/getmsg to figure out which user we are dealing with. 1455 */ 1456 1457 /*ARGSUSED*/ 1458 void 1459 audit_sock( 1460 int type, /* type of tihdr.h header requests */ 1461 queue_t *q, /* contains the process and thread audit data */ 1462 mblk_t *mp, /* contains the tihdr.h header structures */ 1463 int from) /* timod or sockmod request */ 1464 { 1465 int32_t len; 1466 int32_t offset; 1467 struct sockaddr_in *sock_data; 1468 struct T_conn_req *conn_req; 1469 struct T_conn_ind *conn_ind; 1470 struct T_unitdata_req *unitdata_req; 1471 struct T_unitdata_ind *unitdata_ind; 1472 au_state_t estate; 1473 t_audit_data_t *tad; 1474 caddr_t saved_thread_ptr; 1475 au_mask_t amask; 1476 const auditinfo_addr_t *ainfo; 1477 au_kcontext_t *kctx; 1478 1479 if (q->q_stream == NULL) 1480 return; 1481 mutex_enter(&q->q_stream->sd_lock); 1482 /* are we being audited */ 1483 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1484 /* no pointer to thread, nothing to do */ 1485 if (saved_thread_ptr == NULL) { 1486 mutex_exit(&q->q_stream->sd_lock); 1487 return; 1488 } 1489 /* only allow one addition of a record token */ 1490 q->q_stream->sd_t_audit_data = NULL; 1491 /* 1492 * thread is not the one being audited, then nothing to do 1493 * This could be the stream thread handling the module 1494 * service routine. In this case, the context for the audit 1495 * record can no longer be assumed. Simplest to just drop 1496 * the operation. 1497 */ 1498 if (curthread != (kthread_id_t)saved_thread_ptr) { 1499 mutex_exit(&q->q_stream->sd_lock); 1500 return; 1501 } 1502 if (curthread->t_sysnum >= SYS_so_socket && 1503 curthread->t_sysnum <= SYS_sockconfig) { 1504 mutex_exit(&q->q_stream->sd_lock); 1505 return; 1506 } 1507 mutex_exit(&q->q_stream->sd_lock); 1508 /* 1509 * we know that the thread that did the put/getmsg is the 1510 * one running. Now we can get the TAD and see if we should 1511 * add an audit token. 1512 */ 1513 tad = U2A(u); 1514 1515 kctx = GET_KCTX_PZ; 1516 1517 /* proceed ONLY if user is being audited */ 1518 if (!tad->tad_flag) 1519 return; 1520 1521 ainfo = crgetauinfo(CRED()); 1522 if (ainfo == NULL) 1523 return; 1524 amask = ainfo->ai_mask; 1525 1526 /* 1527 * Figure out the type of stream networking request here. 1528 * Note that getmsg and putmsg are always preselected 1529 * because during the beginning of the system call we have 1530 * not yet figure out which of the socket or tli request 1531 * we are looking at until we are here. So we need to check 1532 * against that specific request and reset the type of event. 1533 */ 1534 switch (type) { 1535 case T_CONN_REQ: /* connection request */ 1536 conn_req = (struct T_conn_req *)mp->b_rptr; 1537 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1538 return; 1539 offset = conn_req->DEST_offset; 1540 len = conn_req->DEST_length; 1541 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1542 if (amask.as_success & estate || amask.as_failure & estate) { 1543 tad->tad_event = AUE_SOCKCONNECT; 1544 break; 1545 } else { 1546 return; 1547 } 1548 case T_CONN_IND: /* connectionless receive request */ 1549 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1550 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1551 return; 1552 offset = conn_ind->SRC_offset; 1553 len = conn_ind->SRC_length; 1554 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1555 if (amask.as_success & estate || amask.as_failure & estate) { 1556 tad->tad_event = AUE_SOCKACCEPT; 1557 break; 1558 } else { 1559 return; 1560 } 1561 case T_UNITDATA_REQ: /* connectionless send request */ 1562 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1563 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1564 return; 1565 offset = unitdata_req->DEST_offset; 1566 len = unitdata_req->DEST_length; 1567 estate = kctx->auk_ets[AUE_SOCKSEND]; 1568 if (amask.as_success & estate || amask.as_failure & estate) { 1569 tad->tad_event = AUE_SOCKSEND; 1570 break; 1571 } else { 1572 return; 1573 } 1574 case T_UNITDATA_IND: /* connectionless receive request */ 1575 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1576 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1577 return; 1578 offset = unitdata_ind->SRC_offset; 1579 len = unitdata_ind->SRC_length; 1580 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1581 if (amask.as_success & estate || amask.as_failure & estate) { 1582 tad->tad_event = AUE_SOCKRECEIVE; 1583 break; 1584 } else { 1585 return; 1586 } 1587 default: 1588 return; 1589 } 1590 1591 /* 1592 * we are only interested in tcp stream connections, 1593 * not unix domain stuff 1594 */ 1595 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1596 tad->tad_event = AUE_GETMSG; 1597 return; 1598 } 1599 /* skip over TPI header and point to the ip address */ 1600 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1601 1602 switch (sock_data->sin_family) { 1603 case AF_INET: 1604 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1605 break; 1606 default: /* reset to AUE_PUTMSG if not a inet request */ 1607 tad->tad_event = AUE_GETMSG; 1608 break; 1609 } 1610 } 1611 1612 void 1613 audit_lookupname() 1614 { 1615 } 1616 1617 /*ARGSUSED*/ 1618 int 1619 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1620 { 1621 return (0); 1622 } 1623 1624 static void 1625 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1626 { 1627 unsigned int sy_flags; 1628 1629 #ifdef _SYSCALL32_IMPL 1630 /* 1631 * Guard against t_lwp being NULL when this function is called 1632 * from a kernel queue instead of from a direct system call. 1633 * In that case, assume the running kernel data model. 1634 */ 1635 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1636 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1637 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1638 else 1639 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1640 #else 1641 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1642 #endif 1643 1644 if (sy_flags == SE_64RVAL) 1645 au_write(ad, au_to_return64(err, rval)); 1646 else 1647 au_write(ad, au_to_return32(err, rval)); 1648 1649 } 1650 1651 /*ARGSUSED*/ 1652 void 1653 audit_fdsend(fd, fp, error) 1654 int fd; 1655 struct file *fp; 1656 int error; /* ignore for now */ 1657 { 1658 t_audit_data_t *tad; /* current thread */ 1659 f_audit_data_t *fad; /* per file audit structure */ 1660 struct vnode *vp; /* for file attributes */ 1661 1662 /* is this system call being audited */ 1663 tad = U2A(u); 1664 ASSERT(tad != (t_audit_data_t *)0); 1665 if (!tad->tad_flag) 1666 return; 1667 1668 fad = F2A(fp); 1669 1670 /* add path and file attributes */ 1671 if (fad != NULL && fad->fad_aupath != NULL) { 1672 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1673 au_uwrite(au_to_path(fad->fad_aupath)); 1674 } else { 1675 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1676 #ifdef _LP64 1677 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1678 #else 1679 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1680 #endif 1681 } 1682 vp = fp->f_vnode; /* include vnode attributes */ 1683 audit_attributes(vp); 1684 } 1685 1686 /* 1687 * Record privileges successfully used and we attempted to use but 1688 * didn't have. 1689 */ 1690 void 1691 audit_priv(int priv, const priv_set_t *set, int flag) 1692 { 1693 t_audit_data_t *tad; 1694 int sbit; 1695 priv_set_t *target; 1696 1697 /* Make sure this isn't being called in an interrupt context */ 1698 ASSERT(servicing_interrupt() == 0); 1699 1700 tad = U2A(u); 1701 1702 if (tad->tad_flag == 0) 1703 return; 1704 1705 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1706 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1707 1708 /* Tell audit_success() and audit_finish() that we saw this case */ 1709 if (!(tad->tad_evmod & sbit)) { 1710 /* Clear set first time around */ 1711 priv_emptyset(target); 1712 tad->tad_evmod |= sbit; 1713 } 1714 1715 /* Save the privileges in the tad */ 1716 if (priv == PRIV_ALL) { 1717 priv_fillset(target); 1718 } else { 1719 ASSERT(set != NULL || priv != PRIV_NONE); 1720 if (set != NULL) 1721 priv_union(set, target); 1722 if (priv != PRIV_NONE) 1723 priv_addset(target, priv); 1724 } 1725 } 1726 1727 /* 1728 * Audit the setpriv() system call; the operation, the set name and 1729 * the current value as well as the set argument are put in the 1730 * audit trail. 1731 */ 1732 void 1733 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1734 { 1735 t_audit_data_t *tad; 1736 const priv_set_t *oldpriv; 1737 priv_set_t report; 1738 const char *setname; 1739 1740 tad = U2A(u); 1741 1742 if (tad->tad_flag == 0) 1743 return; 1744 1745 oldpriv = priv_getset(ocr, set); 1746 1747 /* Generate the actual record, include the before and after */ 1748 au_uwrite(au_to_arg32(2, "op", op)); 1749 setname = priv_getsetbynum(set); 1750 1751 switch (op) { 1752 case PRIV_OFF: 1753 /* Report privileges actually switched off */ 1754 report = *oldpriv; 1755 priv_intersect(newpriv, &report); 1756 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1757 break; 1758 case PRIV_ON: 1759 /* Report privileges actually switched on */ 1760 report = *oldpriv; 1761 priv_inverse(&report); 1762 priv_intersect(newpriv, &report); 1763 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1764 break; 1765 case PRIV_SET: 1766 /* Report before and after */ 1767 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1768 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1769 break; 1770 } 1771 } 1772 1773 /* 1774 * Dump the full device policy setting in the audit trail. 1775 */ 1776 void 1777 audit_devpolicy(int nitems, const devplcysys_t *items) 1778 { 1779 t_audit_data_t *tad; 1780 int i; 1781 1782 tad = U2A(u); 1783 1784 if (tad->tad_flag == 0) 1785 return; 1786 1787 for (i = 0; i < nitems; i++) { 1788 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1789 if (items[i].dps_minornm[0] == '\0') { 1790 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1791 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1792 } else 1793 au_uwrite(au_to_text(items[i].dps_minornm)); 1794 1795 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1796 AUT_PRIV, 0)); 1797 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1798 AUT_PRIV, 0)); 1799 } 1800 } 1801 1802 /*ARGSUSED*/ 1803 void 1804 audit_fdrecv(fd, fp) 1805 int fd; 1806 struct file *fp; 1807 { 1808 t_audit_data_t *tad; /* current thread */ 1809 f_audit_data_t *fad; /* per file audit structure */ 1810 struct vnode *vp; /* for file attributes */ 1811 1812 /* is this system call being audited */ 1813 tad = U2A(u); 1814 ASSERT(tad != (t_audit_data_t *)0); 1815 if (!tad->tad_flag) 1816 return; 1817 1818 fad = F2A(fp); 1819 1820 /* add path and file attributes */ 1821 if (fad != NULL && fad->fad_aupath != NULL) { 1822 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1823 au_uwrite(au_to_path(fad->fad_aupath)); 1824 } else { 1825 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1826 #ifdef _LP64 1827 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1828 #else 1829 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1830 #endif 1831 } 1832 vp = fp->f_vnode; /* include vnode attributes */ 1833 audit_attributes(vp); 1834 } 1835 1836 /* 1837 * ROUTINE: AUDIT_CRYPTOADM 1838 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1839 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1840 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1841 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1842 * CRYPTO_LOAD_DOOR 1843 * NOTE: 1844 * TODO: 1845 * QUESTION: 1846 */ 1847 1848 void 1849 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1850 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1851 { 1852 boolean_t mech_list_required = B_FALSE; 1853 cred_t *cr = CRED(); 1854 t_audit_data_t *tad; 1855 token_t *ad = NULL; 1856 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1857 char buffer[MAXNAMELEN * 2]; 1858 au_kcontext_t *kctx = GET_KCTX_PZ; 1859 1860 tad = U2A(u); 1861 if (tad == NULL) 1862 return; 1863 1864 if (ainfo == NULL) 1865 return; 1866 1867 tad->tad_event = AUE_CRYPTOADM; 1868 1869 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1870 return; 1871 1872 /* Add subject information */ 1873 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1874 1875 switch (cmd) { 1876 case CRYPTO_LOAD_DEV_DISABLED: 1877 if (error == 0 && rv == CRYPTO_SUCCESS) { 1878 (void) snprintf(buffer, sizeof (buffer), 1879 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1880 " dev_instance=%d", 1881 module_name, device_instance); 1882 mech_list_required = B_TRUE; 1883 } else { 1884 (void) snprintf(buffer, sizeof (buffer), 1885 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1886 } 1887 break; 1888 1889 case CRYPTO_LOAD_SOFT_DISABLED: 1890 if (error == 0 && rv == CRYPTO_SUCCESS) { 1891 (void) snprintf(buffer, sizeof (buffer), 1892 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1893 module_name); 1894 mech_list_required = B_TRUE; 1895 } else { 1896 (void) snprintf(buffer, sizeof (buffer), 1897 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1898 } 1899 break; 1900 1901 case CRYPTO_UNLOAD_SOFT_MODULE: 1902 if (error == 0 && rv == CRYPTO_SUCCESS) { 1903 (void) snprintf(buffer, sizeof (buffer), 1904 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1905 module_name); 1906 } else { 1907 (void) snprintf(buffer, sizeof (buffer), 1908 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1909 } 1910 break; 1911 1912 case CRYPTO_LOAD_SOFT_CONFIG: 1913 if (error == 0 && rv == CRYPTO_SUCCESS) { 1914 (void) snprintf(buffer, sizeof (buffer), 1915 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1916 module_name); 1917 mech_list_required = B_TRUE; 1918 } else { 1919 (void) snprintf(buffer, sizeof (buffer), 1920 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1921 } 1922 break; 1923 1924 case CRYPTO_POOL_CREATE: 1925 (void) snprintf(buffer, sizeof (buffer), 1926 "op=CRYPTO_POOL_CREATE"); 1927 break; 1928 1929 case CRYPTO_POOL_WAIT: 1930 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1931 break; 1932 1933 case CRYPTO_POOL_RUN: 1934 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1935 break; 1936 1937 case CRYPTO_LOAD_DOOR: 1938 if (error == 0 && rv == CRYPTO_SUCCESS) 1939 (void) snprintf(buffer, sizeof (buffer), 1940 "op=CRYPTO_LOAD_DOOR"); 1941 else 1942 (void) snprintf(buffer, sizeof (buffer), 1943 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1944 break; 1945 1946 case CRYPTO_FIPS140_SET: 1947 (void) snprintf(buffer, sizeof (buffer), 1948 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1949 break; 1950 1951 default: 1952 return; 1953 } 1954 1955 au_write((caddr_t *)&ad, au_to_text(buffer)); 1956 1957 if (mech_list_required) { 1958 int i; 1959 1960 if (mech_count == 0) { 1961 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1962 } else { 1963 char *pb = buffer; 1964 size_t l = sizeof (buffer); 1965 size_t n; 1966 char space[2] = ":"; 1967 1968 n = snprintf(pb, l, "mech="); 1969 1970 for (i = 0; i < mech_count; i++) { 1971 pb += n; 1972 l -= n; 1973 if (l < 0) 1974 l = 0; 1975 1976 if (i == mech_count - 1) 1977 (void) strcpy(space, ""); 1978 1979 n = snprintf(pb, l, "%s%s", mech_names[i], 1980 space); 1981 } 1982 au_write((caddr_t *)&ad, au_to_text(buffer)); 1983 } 1984 } 1985 1986 /* add a return token */ 1987 if (error || (rv != CRYPTO_SUCCESS)) 1988 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1989 else 1990 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1991 1992 AS_INC(as_generated, 1, kctx); 1993 AS_INC(as_kernel, 1, kctx); 1994 1995 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 1996 NULL); 1997 } 1998 1999 /* 2000 * Audit the kernel SSL administration command. The address and the 2001 * port number for the SSL instance, and the proxy port are put in the 2002 * audit trail. 2003 */ 2004 void 2005 audit_kssl(int cmd, void *params, int error) 2006 { 2007 cred_t *cr = CRED(); 2008 t_audit_data_t *tad; 2009 token_t *ad = NULL; 2010 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2011 au_kcontext_t *kctx = GET_KCTX_PZ; 2012 2013 tad = U2A(u); 2014 2015 if (ainfo == NULL) 2016 return; 2017 2018 tad->tad_event = AUE_CONFIGKSSL; 2019 2020 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2021 return; 2022 2023 /* Add subject information */ 2024 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2025 2026 switch (cmd) { 2027 case KSSL_ADD_ENTRY: { 2028 char buf[32]; 2029 kssl_params_t *kp = (kssl_params_t *)params; 2030 struct sockaddr_in6 *saddr = &kp->kssl_addr; 2031 2032 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2033 au_write((caddr_t *)&ad, 2034 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2035 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2036 saddr->sin6_port); 2037 au_write((caddr_t *)&ad, au_to_text(buf)); 2038 2039 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2040 kp->kssl_proxy_port); 2041 au_write((caddr_t *)&ad, au_to_text(buf)); 2042 break; 2043 } 2044 2045 case KSSL_DELETE_ENTRY: { 2046 char buf[32]; 2047 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 2048 2049 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2050 au_write((caddr_t *)&ad, 2051 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2052 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2053 saddr->sin6_port); 2054 au_write((caddr_t *)&ad, au_to_text(buf)); 2055 break; 2056 } 2057 2058 default: 2059 return; 2060 } 2061 2062 /* add a return token */ 2063 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2064 2065 AS_INC(as_generated, 1, kctx); 2066 AS_INC(as_kernel, 1, kctx); 2067 2068 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 2069 NULL); 2070 } 2071 2072 /* 2073 * Audit the kernel PF_POLICY administration commands. Record command, 2074 * zone, policy type (global or tunnel, active or inactive) 2075 */ 2076 /* 2077 * ROUTINE: AUDIT_PF_POLICY 2078 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2079 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2080 * SPD_CLONE, SPD_FLIP 2081 * NOTE: 2082 * TODO: 2083 * QUESTION: 2084 */ 2085 2086 void 2087 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2088 boolean_t active, int error, pid_t pid) 2089 { 2090 const auditinfo_addr_t *ainfo; 2091 t_audit_data_t *tad; 2092 token_t *ad = NULL; 2093 au_kcontext_t *kctx = GET_KCTX_PZ; 2094 char buf[80]; 2095 int flag; 2096 2097 tad = U2A(u); 2098 if (tad == NULL) 2099 return; 2100 2101 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2102 if (ainfo == NULL) 2103 return; 2104 2105 /* 2106 * Initialize some variables since these are only set 2107 * with system calls. 2108 */ 2109 2110 switch (cmd) { 2111 case SPD_ADDRULE: { 2112 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2113 break; 2114 } 2115 2116 case SPD_DELETERULE: { 2117 tad->tad_event = AUE_PF_POLICY_DELRULE; 2118 break; 2119 } 2120 2121 case SPD_FLUSH: { 2122 tad->tad_event = AUE_PF_POLICY_FLUSH; 2123 break; 2124 } 2125 2126 case SPD_UPDATEALGS: { 2127 tad->tad_event = AUE_PF_POLICY_ALGS; 2128 break; 2129 } 2130 2131 case SPD_CLONE: { 2132 tad->tad_event = AUE_PF_POLICY_CLONE; 2133 break; 2134 } 2135 2136 case SPD_FLIP: { 2137 tad->tad_event = AUE_PF_POLICY_FLIP; 2138 break; 2139 } 2140 2141 default: 2142 tad->tad_event = AUE_NULL; 2143 } 2144 2145 tad->tad_evmod = 0; 2146 2147 if (flag = audit_success(kctx, tad, error, cred)) { 2148 zone_t *nszone; 2149 2150 /* 2151 * For now, just audit that an event happened, 2152 * along with the error code. 2153 */ 2154 au_write((caddr_t *)&ad, 2155 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2156 au_write((caddr_t *)&ad, 2157 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2158 2159 /* Supplemental data */ 2160 2161 /* 2162 * Generate this zone token if the target zone differs 2163 * from the administrative zone. If netstacks are expanded 2164 * to something other than a 1-1 relationship with zones, 2165 * the auditing framework should create a new token type 2166 * and audit it as a netstack instead. 2167 * Turn on general zone auditing to get the administrative zone. 2168 */ 2169 2170 nszone = zone_find_by_id(netstackid_to_zoneid( 2171 ns->netstack_stackid)); 2172 if (nszone != NULL) { 2173 if (strncmp(crgetzone(cred)->zone_name, 2174 nszone->zone_name, ZONENAME_MAX) != 0) { 2175 token_t *ztoken; 2176 2177 ztoken = au_to_zonename(0, nszone); 2178 au_write((caddr_t *)&ad, ztoken); 2179 } 2180 zone_rele(nszone); 2181 } 2182 2183 if (tun != NULL) { 2184 /* write tunnel name - tun is bounded */ 2185 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2186 tun); 2187 au_write((caddr_t *)&ad, au_to_text(buf)); 2188 } 2189 2190 /* Add subject information */ 2191 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2192 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2193 2194 /* add a return token */ 2195 add_return_token((caddr_t *)&ad, 0, error, 0); 2196 2197 AS_INC(as_generated, 1, kctx); 2198 AS_INC(as_kernel, 1, kctx); 2199 2200 } 2201 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2202 NULL); 2203 2204 /* 2205 * clear the ctrl flag so that we don't have spurious collection of 2206 * audit information. 2207 */ 2208 tad->tad_scid = 0; 2209 tad->tad_event = 0; 2210 tad->tad_evmod = 0; 2211 tad->tad_ctrl = 0; 2212 } 2213 2214 /* 2215 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2216 * PURPOSE: Add security attributes 2217 * CALLBY: AUDIT_ATTRIBUTES 2218 * AUDIT_CLOSEF 2219 * AUS_CLOSE 2220 * NOTE: 2221 * TODO: 2222 * QUESTION: 2223 */ 2224 2225 void 2226 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2227 { 2228 /* Dump the SL */ 2229 if (is_system_labeled()) { 2230 ts_label_t *tsl; 2231 bslabel_t *bsl; 2232 2233 tsl = getflabel(vp); 2234 if (tsl == NULL) 2235 return; /* nothing else to do */ 2236 2237 bsl = label2bslabel(tsl); 2238 if (bsl == NULL) 2239 return; /* nothing else to do */ 2240 au_write(ad, au_to_label(bsl)); 2241 label_rele(tsl); 2242 } 2243 2244 } /* AUDIT_SEC_ATTRIBUTES */ 2245