1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/proc.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/file.h> 35 #include <sys/user.h> 36 #include <sys/stropts.h> 37 #include <sys/systm.h> 38 #include <sys/pathname.h> 39 #include <sys/syscall.h> 40 #include <sys/fcntl.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/msg_impl.h> 43 #include <sys/sem_impl.h> 44 #include <sys/shm_impl.h> 45 #include <sys/kmem.h> /* for KM_SLEEP */ 46 #include <sys/socket.h> 47 #include <sys/cmn_err.h> /* snprintf... */ 48 #include <sys/debug.h> 49 #include <sys/thread.h> 50 #include <netinet/in.h> 51 #include <c2/audit.h> /* needs to be included before user.h */ 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_record.h> 55 #include <sys/strsubr.h> 56 #include <sys/tihdr.h> 57 #include <sys/tiuser.h> 58 #include <sys/timod.h> 59 #include <sys/model.h> /* for model_t */ 60 #include <sys/disp.h> /* for servicing_interrupt() */ 61 #include <sys/devpolicy.h> 62 #include <sys/crypto/ioctladmin.h> 63 #include <sys/cred_impl.h> 64 #include <net/pfpolicy.h> 65 66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 67 68 static void audit_pathbuild(struct pathname *pnp); 69 70 71 /* 72 * ROUTINE: AUDIT_SAVEPATH 73 * PURPOSE: 74 * CALLBY: LOOKUPPN 75 * 76 * NOTE: We have reached the end of a path in fs/lookup.c. 77 * We get two pieces of information here: 78 * the vnode of the last component (vp) and 79 * the status of the last access (flag). 80 * TODO: 81 * QUESTION: 82 */ 83 84 /*ARGSUSED*/ 85 int 86 audit_savepath( 87 struct pathname *pnp, /* pathname to lookup */ 88 struct vnode *vp, /* vnode of the last component */ 89 struct vnode *pvp, /* vnode of the last parent component */ 90 int flag, /* status of the last access */ 91 cred_t *cr) /* cred of requestor */ 92 { 93 94 t_audit_data_t *tad; /* current thread */ 95 au_kcontext_t *kctx = GET_KCTX_PZ; 96 97 tad = U2A(u); 98 99 /* 100 * Noise elimination in audit trails - this event will be discarded if: 101 * - the public policy is not active AND 102 * - the system call is a public operation AND 103 * - the file was not found: VFS lookup failed with ENOENT error AND 104 * - the missing file would have been located in the public directory 105 * owned by root if it had existed 106 */ 107 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && 108 (tad->tad_ctrl & TAD_PUBLIC_EV) && 109 !(kctx->auk_policy & AUDIT_PUBLIC)) { 110 struct vattr attr; 111 112 attr.va_mask = AT_ALL; 113 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { 114 if (object_is_public(&attr)) { 115 tad->tad_ctrl |= TAD_NOAUDIT; 116 } 117 } 118 } 119 120 /* 121 * this event being audited or do we need path information 122 * later? This might be for a chdir/chroot or open (add path 123 * to file pointer. If the path has already been found for an 124 * open/creat then we don't need to process the path. 125 * 126 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 127 * chroot, chdir, open, creat system call processing. It determines 128 * if audit_savepath() will discard the path or we need it later. 129 * TAD_PATHFND means path already included in this audit record. It 130 * is used in cases where multiple path lookups are done per 131 * system call. The policy flag, AUDIT_PATH, controls if multiple 132 * paths are allowed. 133 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 134 * exit processing to inhibit any paths that may be added due to 135 * closes. 136 */ 137 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 138 ((tad->tad_ctrl & TAD_PATHFND) && 139 !(kctx->auk_policy & AUDIT_PATH)) || 140 (tad->tad_ctrl & TAD_NOPATH)) { 141 return (0); 142 } 143 144 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ 145 146 audit_pathbuild(pnp); 147 148 /* 149 * are we auditing only if error, or if it is not open or create 150 * otherwise audit_setf will do it 151 */ 152 153 if (tad->tad_flag) { 154 if (flag && 155 (tad->tad_scid == SYS_open || 156 tad->tad_scid == SYS_open64 || 157 tad->tad_scid == SYS_openat || 158 tad->tad_scid == SYS_openat64)) { 159 tad->tad_ctrl |= TAD_TRUE_CREATE; 160 } 161 162 /* add token to audit record for this name */ 163 au_uwrite(au_to_path(tad->tad_aupath)); 164 165 /* add the attributes of the object */ 166 if (vp) { 167 /* 168 * only capture attributes when there is no error 169 * lookup will not return the vnode of the failing 170 * component. 171 * 172 * if there was a lookup error, then don't add 173 * attribute. if lookup in vn_create(), 174 * then don't add attribute, 175 * it will be added at end of vn_create(). 176 */ 177 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) 178 audit_attributes(vp); 179 } 180 } 181 182 /* free up space if we're not going to save path (open, creat) */ 183 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { 184 if (tad->tad_aupath != NULL) { 185 au_pathrele(tad->tad_aupath); 186 tad->tad_aupath = NULL; 187 } 188 } 189 if (tad->tad_ctrl & TAD_MLD) 190 tad->tad_ctrl |= TAD_PATHFND; 191 192 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ 193 return (0); 194 } 195 196 static void 197 audit_pathbuild(struct pathname *pnp) 198 { 199 char *pp; /* pointer to path */ 200 int len; /* length of incoming segment */ 201 int newsect; /* path requires a new section */ 202 struct audit_path *pfxapp; /* prefix for path */ 203 struct audit_path *newapp; /* new audit_path */ 204 t_audit_data_t *tad; /* current thread */ 205 p_audit_data_t *pad; /* current process */ 206 207 tad = U2A(u); 208 ASSERT(tad != NULL); 209 pad = P2A(curproc); 210 ASSERT(pad != NULL); 211 212 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 213 ASSERT(len > 0); 214 215 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 216 mutex_enter(&pad->pad_lock); 217 if (tad->tad_aupath != NULL) { 218 pfxapp = tad->tad_aupath; 219 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { 220 ASSERT(tad->tad_atpath != NULL); 221 pfxapp = tad->tad_atpath; 222 } else if (tad->tad_ctrl & TAD_ABSPATH) { 223 pfxapp = pad->pad_root; 224 } else { 225 pfxapp = pad->pad_cwd; 226 } 227 au_pathhold(pfxapp); 228 mutex_exit(&pad->pad_lock); 229 230 /* get an expanded buffer to hold the anchored path */ 231 newsect = tad->tad_ctrl & TAD_ATTPATH; 232 newapp = au_pathdup(pfxapp, newsect, len); 233 au_pathrele(pfxapp); 234 235 pp = newapp->audp_sect[newapp->audp_cnt] - len; 236 if (!newsect) { 237 /* overlay previous NUL terminator */ 238 *(pp - 1) = '/'; 239 } 240 241 /* now add string of processed path */ 242 bcopy(pnp->pn_buf, pp, len); 243 pp[len - 1] = '\0'; 244 245 /* perform path simplification as necessary */ 246 audit_fixpath(newapp, len); 247 248 if (tad->tad_aupath) 249 au_pathrele(tad->tad_aupath); 250 tad->tad_aupath = newapp; 251 252 /* for case where multiple lookups in one syscall (rename) */ 253 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); 254 } 255 256 257 /* 258 * ROUTINE: AUDIT_ANCHORPATH 259 * PURPOSE: 260 * CALLBY: LOOKUPPN 261 * NOTE: 262 * anchor path at "/". We have seen a symbolic link or entering for the 263 * first time we will throw away any saved path if path is anchored. 264 * 265 * flag = 0, path is relative. 266 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. 267 * 268 * If the (new) path is absolute, then we have to throw away whatever we have 269 * already accumulated since it is being superseded by new path which is 270 * anchored at the root. 271 * Note that if the path is relative, this function does nothing 272 * TODO: 273 * QUESTION: 274 */ 275 /*ARGSUSED*/ 276 void 277 audit_anchorpath(struct pathname *pnp, int flag) 278 { 279 au_kcontext_t *kctx = GET_KCTX_PZ; 280 t_audit_data_t *tad; 281 282 tad = U2A(u); 283 284 /* 285 * this event being audited or do we need path information 286 * later? This might be for a chdir/chroot or open (add path 287 * to file pointer. If the path has already been found for an 288 * open/creat then we don't need to process the path. 289 * 290 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 291 * chroot, chdir, open, creat system call processing. It determines 292 * if audit_savepath() will discard the path or we need it later. 293 * TAD_PATHFND means path already included in this audit record. It 294 * is used in cases where multiple path lookups are done per 295 * system call. The policy flag, AUDIT_PATH, controls if multiple 296 * paths are allowed. 297 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 298 * exit processing to inhibit any paths that may be added due to 299 * closes. 300 */ 301 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 302 ((tad->tad_ctrl & TAD_PATHFND) && 303 !(kctx->auk_policy & AUDIT_PATH)) || 304 (tad->tad_ctrl & TAD_NOPATH)) { 305 return; 306 } 307 308 if (flag) { 309 tad->tad_ctrl |= TAD_ABSPATH; 310 if (tad->tad_aupath != NULL) { 311 au_pathrele(tad->tad_aupath); 312 tad->tad_aupath = NULL; 313 } 314 } 315 } 316 317 318 /* 319 * symbolic link. Save previous components. 320 * 321 * the path seen so far looks like this 322 * 323 * +-----------------------+----------------+ 324 * | path processed so far | remaining path | 325 * +-----------------------+----------------+ 326 * \-----------------------/ 327 * save this string if 328 * symbolic link relative 329 * (but don't include symlink component) 330 */ 331 332 /*ARGSUSED*/ 333 334 335 /* 336 * ROUTINE: AUDIT_SYMLINK 337 * PURPOSE: 338 * CALLBY: LOOKUPPN 339 * NOTE: 340 * TODO: 341 * QUESTION: 342 */ 343 void 344 audit_symlink(struct pathname *pnp, struct pathname *sympath) 345 { 346 char *sp; /* saved initial pp */ 347 char *cp; /* start of symlink path */ 348 uint_t len_path; /* processed path before symlink */ 349 t_audit_data_t *tad; 350 au_kcontext_t *kctx = GET_KCTX_PZ; 351 352 tad = U2A(u); 353 354 /* 355 * this event being audited or do we need path information 356 * later? This might be for a chdir/chroot or open (add path 357 * to file pointer. If the path has already been found for an 358 * open/creat then we don't need to process the path. 359 * 360 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 361 * chroot, chdir, open, creat system call processing. It determines 362 * if audit_savepath() will discard the path or we need it later. 363 * TAD_PATHFND means path already included in this audit record. It 364 * is used in cases where multiple path lookups are done per 365 * system call. The policy flag, AUDIT_PATH, controls if multiple 366 * paths are allowed. 367 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 368 * exit processing to inhibit any paths that may be added due to 369 * closes. 370 */ 371 if ((tad->tad_flag == 0 && 372 !(tad->tad_ctrl & TAD_SAVPATH)) || 373 ((tad->tad_ctrl & TAD_PATHFND) && 374 !(kctx->auk_policy & AUDIT_PATH)) || 375 (tad->tad_ctrl & TAD_NOPATH)) { 376 return; 377 } 378 379 /* 380 * if symbolic link is anchored at / then do nothing. 381 * When we cycle back to begin: in lookuppn() we will 382 * call audit_anchorpath() with a flag indicating if the 383 * path is anchored at / or is relative. We will release 384 * any saved path at that point. 385 * 386 * Note In the event that an error occurs in pn_combine then 387 * we want to remain pointing at the component that caused the 388 * path to overflow the pnp structure. 389 */ 390 if (sympath->pn_buf[0] == '/') 391 return; 392 393 /* backup over last component */ 394 sp = cp = pnp->pn_path; 395 while (*--cp != '/' && cp > pnp->pn_buf) 396 ; 397 398 len_path = cp - pnp->pn_buf; 399 400 /* is there anything to save? */ 401 if (len_path) { 402 pnp->pn_path = pnp->pn_buf; 403 audit_pathbuild(pnp); 404 pnp->pn_path = sp; 405 } 406 } 407 408 /* 409 * object_is_public : determine whether events for the object (corresponding to 410 * the specified file/directory attr) should be audited or 411 * ignored. 412 * 413 * returns: 1 - if audit policy and object attributes indicate that 414 * file/directory is effectively public. read events for 415 * the file should not be audited. 416 * 0 - otherwise 417 * 418 * The required attributes to be considered a public object are: 419 * - owned by root, AND 420 * - world-readable (permissions for other include read), AND 421 * - NOT world-writeable (permissions for other don't 422 * include write) 423 * (mode doesn't need to be checked for symlinks) 424 */ 425 int 426 object_is_public(struct vattr *attr) 427 { 428 au_kcontext_t *kctx = GET_KCTX_PZ; 429 430 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 431 ((attr->va_type == VLNK) || 432 ((attr->va_mode & (VREAD>>6)) != 0) && 433 ((attr->va_mode & (VWRITE>>6)) == 0))) { 434 return (1); 435 } 436 return (0); 437 } 438 439 440 /* 441 * ROUTINE: AUDIT_ATTRIBUTES 442 * PURPOSE: Audit the attributes so we can tell why the error occurred 443 * CALLBY: AUDIT_SAVEPATH 444 * AUDIT_VNCREATE_FINISH 445 * AUS_FCHOWN...audit_event.c...audit_path.c 446 * NOTE: 447 * TODO: 448 * QUESTION: 449 */ 450 void 451 audit_attributes(struct vnode *vp) 452 { 453 struct vattr attr; 454 struct t_audit_data *tad; 455 456 tad = U2A(u); 457 458 if (vp) { 459 attr.va_mask = AT_ALL; 460 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 461 return; 462 463 if (object_is_public(&attr) && 464 (tad->tad_ctrl & TAD_PUBLIC_EV)) { 465 /* 466 * This is a public object and a "public" event 467 * (i.e., read only) -- either by definition 468 * (e.g., stat, access...) or by virtue of write access 469 * not being requested (e.g. mmap). 470 * Flag it in the tad to prevent this audit at the end. 471 */ 472 tad->tad_ctrl |= TAD_NOAUDIT; 473 } else { 474 au_uwrite(au_to_attr(&attr)); 475 audit_sec_attributes(&(u_ad), vp); 476 } 477 } 478 } 479 480 481 /* 482 * ROUTINE: AUDIT_EXIT 483 * PURPOSE: 484 * CALLBY: EXIT 485 * NOTE: 486 * TODO: 487 * QUESTION: why cmw code as offset by 2 but not here 488 */ 489 /* ARGSUSED */ 490 void 491 audit_exit(int code, int what) 492 { 493 struct t_audit_data *tad; 494 tad = U2A(u); 495 496 /* 497 * tad_scid will be set by audit_start even if we are not auditing 498 * the event. 499 */ 500 if (tad->tad_scid == SYS_exit) { 501 /* 502 * if we are auditing the exit system call, then complete 503 * audit record generation (no return from system call). 504 */ 505 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 506 audit_finish(0, SYS_exit, 0, 0); 507 return; 508 } 509 510 /* 511 * Anyone auditing the system call that was aborted? 512 */ 513 if (tad->tad_flag) { 514 au_uwrite(au_to_text("event aborted")); 515 audit_finish(0, tad->tad_scid, 0, 0); 516 } 517 518 /* 519 * Generate an audit record for process exit if preselected. 520 */ 521 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 522 audit_finish(0, SYS_exit, 0, 0); 523 } 524 525 /* 526 * ROUTINE: AUDIT_CORE_START 527 * PURPOSE: 528 * CALLBY: PSIG 529 * NOTE: 530 * TODO: 531 */ 532 void 533 audit_core_start(int sig) 534 { 535 au_event_t event; 536 au_state_t estate; 537 t_audit_data_t *tad; 538 au_kcontext_t *kctx; 539 540 tad = U2A(u); 541 542 ASSERT(tad != (t_audit_data_t *)0); 543 544 ASSERT(tad->tad_scid == 0); 545 ASSERT(tad->tad_event == 0); 546 ASSERT(tad->tad_evmod == 0); 547 ASSERT(tad->tad_ctrl == 0); 548 ASSERT(tad->tad_flag == 0); 549 ASSERT(tad->tad_aupath == NULL); 550 551 kctx = GET_KCTX_PZ; 552 553 /* get basic event for system call */ 554 event = AUE_CORE; 555 estate = kctx->auk_ets[event]; 556 557 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 558 return; 559 560 /* reset the flags for non-user attributable events */ 561 tad->tad_ctrl = TAD_CORE; 562 tad->tad_scid = 0; 563 564 /* if auditing not enabled, then don't generate an audit record */ 565 566 if (!((kctx->auk_auditstate == AUC_AUDITING || 567 kctx->auk_auditstate == AUC_INIT_AUDIT) || 568 kctx->auk_auditstate == AUC_NOSPACE)) { 569 tad->tad_flag = 0; 570 tad->tad_ctrl = 0; 571 return; 572 } 573 574 tad->tad_event = event; 575 tad->tad_evmod = 0; 576 577 ASSERT(tad->tad_ad == NULL); 578 579 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 580 } 581 582 /* 583 * ROUTINE: AUDIT_CORE_FINISH 584 * PURPOSE: 585 * CALLBY: PSIG 586 * NOTE: 587 * TODO: 588 * QUESTION: 589 */ 590 591 /*ARGSUSED*/ 592 void 593 audit_core_finish(int code) 594 { 595 int flag; 596 t_audit_data_t *tad; 597 au_kcontext_t *kctx; 598 599 tad = U2A(u); 600 601 ASSERT(tad != (t_audit_data_t *)0); 602 603 if ((flag = tad->tad_flag) == 0) { 604 tad->tad_event = 0; 605 tad->tad_evmod = 0; 606 tad->tad_ctrl = 0; 607 ASSERT(tad->tad_aupath == NULL); 608 return; 609 } 610 tad->tad_flag = 0; 611 612 kctx = GET_KCTX_PZ; 613 614 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 615 if (flag = audit_success(kctx, tad, 0, NULL)) { 616 cred_t *cr = CRED(); 617 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 618 619 ASSERT(ainfo != NULL); 620 621 /* 622 * Add subject information (no locks since our private copy of 623 * credential 624 */ 625 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 626 627 /* Add a return token (should use f argument) */ 628 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 629 630 AS_INC(as_generated, 1, kctx); 631 AS_INC(as_kernel, 1, kctx); 632 } 633 634 /* Close up everything */ 635 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 636 637 /* free up any space remaining with the path's */ 638 if (tad->tad_aupath != NULL) { 639 au_pathrele(tad->tad_aupath); 640 tad->tad_aupath = NULL; 641 } 642 tad->tad_event = 0; 643 tad->tad_evmod = 0; 644 tad->tad_ctrl = 0; 645 } 646 647 648 /*ARGSUSED*/ 649 void 650 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 651 unsigned char *pri, int *flag, int fmode) 652 { 653 struct stdata *stp; 654 t_audit_data_t *tad = U2A(u); 655 656 ASSERT(tad != (t_audit_data_t *)0); 657 658 stp = vp->v_stream; 659 660 /* lock stdata from audit_sock */ 661 mutex_enter(&stp->sd_lock); 662 663 /* proceed ONLY if user is being audited */ 664 if (!tad->tad_flag) { 665 /* 666 * this is so we will not add audit data onto 667 * a thread that is not being audited. 668 */ 669 stp->sd_t_audit_data = NULL; 670 mutex_exit(&stp->sd_lock); 671 return; 672 } 673 674 stp->sd_t_audit_data = (caddr_t)curthread; 675 mutex_exit(&stp->sd_lock); 676 } 677 678 /*ARGSUSED*/ 679 void 680 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 681 unsigned char pri, int flag, int fmode) 682 { 683 struct stdata *stp; 684 t_audit_data_t *tad = U2A(u); 685 686 ASSERT(tad != (t_audit_data_t *)0); 687 688 stp = vp->v_stream; 689 690 /* lock stdata from audit_sock */ 691 mutex_enter(&stp->sd_lock); 692 693 /* proceed ONLY if user is being audited */ 694 if (!tad->tad_flag) { 695 /* 696 * this is so we will not add audit data onto 697 * a thread that is not being audited. 698 */ 699 stp->sd_t_audit_data = NULL; 700 mutex_exit(&stp->sd_lock); 701 return; 702 } 703 704 stp->sd_t_audit_data = (caddr_t)curthread; 705 mutex_exit(&stp->sd_lock); 706 } 707 708 /* 709 * ROUTINE: AUDIT_CLOSEF 710 * PURPOSE: 711 * CALLBY: CLOSEF 712 * NOTE: 713 * release per file audit resources when file structure is being released. 714 * 715 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 716 * on the audit queue if it becomes full. This means 717 * audit_closef can not be called when f_count == 0. Since 718 * f_count == 0 indicates the file structure is free, another 719 * process could attempt to use the file while we were still 720 * asleep waiting on the audit queue. This would cause the 721 * per file audit data to be corrupted when we finally do 722 * wakeup. 723 * TODO: 724 * QUESTION: 725 */ 726 727 void 728 audit_closef(struct file *fp) 729 { 730 f_audit_data_t *fad; 731 t_audit_data_t *tad; 732 int success; 733 au_state_t estate; 734 struct vnode *vp; 735 token_t *ad = NULL; 736 struct vattr attr; 737 au_emod_t evmod = 0; 738 const auditinfo_addr_t *ainfo; 739 cred_t *cr; 740 au_kcontext_t *kctx = GET_KCTX_PZ; 741 uint32_t auditing; 742 boolean_t audit_attr = B_FALSE; 743 744 fad = F2A(fp); 745 estate = kctx->auk_ets[AUE_CLOSE]; 746 tad = U2A(u); 747 cr = CRED(); 748 749 /* audit record already generated by system call envelope */ 750 if (tad->tad_event == AUE_CLOSE) { 751 /* so close audit event will have bits set */ 752 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 753 return; 754 } 755 756 /* if auditing not enabled, then don't generate an audit record */ 757 auditing = (tad->tad_audit == AUC_UNSET) ? 758 kctx->auk_auditstate : tad->tad_audit; 759 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 760 return; 761 762 ainfo = crgetauinfo(cr); 763 if (ainfo == NULL) 764 return; 765 766 success = ainfo->ai_mask.as_success & estate; 767 768 /* not selected for this event */ 769 if (success == 0) 770 return; 771 772 /* 773 * can't use audit_attributes here since we use a private audit area 774 * to build the audit record instead of the one off the thread. 775 */ 776 if ((vp = fp->f_vnode) != NULL) { 777 attr.va_mask = AT_ALL; 778 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 779 if ((fp->f_flag & FWRITE) == 0 && 780 object_is_public(&attr)) { 781 /* 782 * When write was not used and the file can be 783 * considered public, then skip the audit. 784 */ 785 return; 786 } 787 audit_attr = B_TRUE; 788 } 789 } 790 791 evmod = (au_emod_t)fad->fad_flags; 792 if (fad->fad_aupath != NULL) { 793 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 794 } else { 795 #ifdef _LP64 796 au_write((caddr_t *)&(ad), au_to_arg64( 797 1, "no path: fp", (uint64_t)fp)); 798 #else 799 au_write((caddr_t *)&(ad), au_to_arg32( 800 1, "no path: fp", (uint32_t)fp)); 801 #endif 802 } 803 804 if (audit_attr) { 805 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 806 audit_sec_attributes((caddr_t *)&(ad), vp); 807 } 808 809 /* Add subject information */ 810 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 811 812 /* add a return token */ 813 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 814 815 AS_INC(as_generated, 1, kctx); 816 AS_INC(as_kernel, 1, kctx); 817 818 /* 819 * Close up everything 820 * Note: path space recovery handled by normal system 821 * call envelope if not at last close. 822 * Note there is no failure at this point since 823 * this represents closes due to exit of process, 824 * thus we always indicate successful closes. 825 */ 826 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 827 AUE_CLOSE, evmod, NULL); 828 } 829 830 /* 831 * ROUTINE: AUDIT_SET 832 * PURPOSE: Audit the file path and file attributes. 833 * CALLBY: SETF 834 * NOTE: SETF associate a file pointer with user area's open files. 835 * TODO: 836 * call audit_finish directly ??? 837 * QUESTION: 838 */ 839 840 /*ARGSUSED*/ 841 void 842 audit_setf(file_t *fp, int fd) 843 { 844 f_audit_data_t *fad; 845 t_audit_data_t *tad; 846 847 if (fp == NULL) 848 return; 849 850 tad = T2A(curthread); 851 fad = F2A(fp); 852 853 if (!(tad->tad_scid == SYS_open || 854 tad->tad_scid == SYS_open64 || 855 tad->tad_scid == SYS_openat || 856 tad->tad_scid == SYS_openat64)) 857 return; 858 859 /* no path */ 860 if (tad->tad_aupath == 0) 861 return; 862 863 /* 864 * assign path information associated with file audit data 865 * use tad hold 866 */ 867 fad->fad_aupath = tad->tad_aupath; 868 tad->tad_aupath = NULL; 869 870 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { 871 /* adjust event type by dropping the 'creat' part */ 872 switch (tad->tad_event) { 873 case AUE_OPEN_RC: 874 tad->tad_event = AUE_OPEN_R; 875 tad->tad_ctrl |= TAD_PUBLIC_EV; 876 break; 877 case AUE_OPEN_RTC: 878 tad->tad_event = AUE_OPEN_RT; 879 break; 880 case AUE_OPEN_WC: 881 tad->tad_event = AUE_OPEN_W; 882 break; 883 case AUE_OPEN_WTC: 884 tad->tad_event = AUE_OPEN_WT; 885 break; 886 case AUE_OPEN_RWC: 887 tad->tad_event = AUE_OPEN_RW; 888 break; 889 case AUE_OPEN_RWTC: 890 tad->tad_event = AUE_OPEN_RWT; 891 break; 892 default: 893 break; 894 } 895 } 896 } 897 898 899 void 900 audit_ipc(int type, int id, void *vp) 901 { 902 /* if not auditing this event, then do nothing */ 903 if (ad_flag == 0) 904 return; 905 906 switch (type) { 907 case AT_IPC_MSG: 908 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 909 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 910 break; 911 case AT_IPC_SEM: 912 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 913 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 914 break; 915 case AT_IPC_SHM: 916 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 917 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 918 break; 919 } 920 } 921 922 void 923 audit_ipcget(int type, void *vp) 924 { 925 /* if not auditing this event, then do nothing */ 926 if (ad_flag == 0) 927 return; 928 929 switch (type) { 930 case 0: 931 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 932 break; 933 case AT_IPC_MSG: 934 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 935 break; 936 case AT_IPC_SEM: 937 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 938 break; 939 case AT_IPC_SHM: 940 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 941 break; 942 } 943 } 944 945 /* 946 * ROUTINE: AUDIT_REBOOT 947 * PURPOSE: 948 * CALLBY: 949 * NOTE: 950 * At this point we know that the system call reboot will not return. We thus 951 * have to complete the audit record generation and put it onto the queue. 952 * This might be fairly useless if the auditing daemon is already dead.... 953 * TODO: 954 * QUESTION: who calls audit_reboot 955 */ 956 957 void 958 audit_reboot(void) 959 { 960 int flag; 961 t_audit_data_t *tad; 962 au_kcontext_t *kctx = GET_KCTX_PZ; 963 964 tad = U2A(u); 965 966 /* if not auditing this event, then do nothing */ 967 if (tad->tad_flag == 0) 968 return; 969 970 /* do preselection on success/failure */ 971 if (flag = audit_success(kctx, tad, 0, NULL)) { 972 /* add a process token */ 973 974 cred_t *cr = CRED(); 975 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 976 977 if (ainfo == NULL) 978 return; 979 980 /* Add subject information */ 981 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 982 983 /* add a return token */ 984 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 985 986 AS_INC(as_generated, 1, kctx); 987 AS_INC(as_kernel, 1, kctx); 988 } 989 990 /* 991 * Flow control useless here since we're going 992 * to drop everything in the queue anyway. Why 993 * block and wait. There aint anyone left alive to 994 * read the records remaining anyway. 995 */ 996 997 /* Close up everything */ 998 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 999 tad->tad_event, tad->tad_evmod, NULL); 1000 } 1001 1002 void 1003 audit_setfsat_path(int argnum) 1004 { 1005 klwp_id_t clwp = ttolwp(curthread); 1006 struct file *fp; 1007 uint32_t fd; 1008 t_audit_data_t *tad; 1009 struct f_audit_data *fad; 1010 p_audit_data_t *pad; /* current process */ 1011 uint_t fm; 1012 struct a { 1013 long arg1; 1014 long arg2; 1015 long arg3; 1016 long arg4; 1017 long arg5; 1018 } *uap; 1019 1020 if (clwp == NULL) 1021 return; 1022 uap = (struct a *)clwp->lwp_ap; 1023 1024 tad = U2A(u); 1025 ASSERT(tad != NULL); 1026 1027 switch (tad->tad_scid) { 1028 case SYS_faccessat: 1029 case SYS_fchmodat: 1030 case SYS_fchownat: 1031 case SYS_fstatat: 1032 case SYS_fstatat64: 1033 case SYS_mkdirat: 1034 case SYS_mknodat: 1035 case SYS_openat: 1036 case SYS_openat64: 1037 case SYS_readlinkat: 1038 case SYS_unlinkat: 1039 fd = uap->arg1; 1040 break; 1041 case SYS_linkat: 1042 case SYS_renameat: 1043 if (argnum == 3) 1044 fd = uap->arg3; 1045 else 1046 fd = uap->arg1; 1047 break; 1048 case SYS_symlinkat: 1049 case SYS_utimesys: 1050 fd = uap->arg2; 1051 break; 1052 case SYS_open: 1053 case SYS_open64: 1054 fd = AT_FDCWD; 1055 break; 1056 default: 1057 return; 1058 } 1059 1060 if (tad->tad_atpath != NULL) { 1061 au_pathrele(tad->tad_atpath); 1062 tad->tad_atpath = NULL; 1063 } 1064 1065 if (fd != AT_FDCWD) { 1066 tad->tad_ctrl |= TAD_ATCALL; 1067 1068 if (tad->tad_scid == SYS_openat || 1069 tad->tad_scid == SYS_openat64) { 1070 fm = (uint_t)uap->arg3; 1071 if (fm & (FXATTR | FXATTRDIROPEN)) { 1072 tad->tad_ctrl |= TAD_ATTPATH; 1073 } 1074 } 1075 1076 if ((fp = getf(fd)) == NULL) { 1077 tad->tad_ctrl |= TAD_NOPATH; 1078 return; 1079 } 1080 fad = F2A(fp); 1081 ASSERT(fad); 1082 if (fad->fad_aupath == NULL) { 1083 tad->tad_ctrl |= TAD_NOPATH; 1084 releasef(fd); 1085 return; 1086 } 1087 au_pathhold(fad->fad_aupath); 1088 tad->tad_atpath = fad->fad_aupath; 1089 releasef(fd); 1090 } else { 1091 if (tad->tad_scid == SYS_open || 1092 tad->tad_scid == SYS_open64) { 1093 fm = (uint_t)uap->arg2; 1094 if (fm & FXATTR) { 1095 tad->tad_ctrl |= TAD_ATTPATH; 1096 } 1097 return; 1098 } 1099 pad = P2A(curproc); 1100 mutex_enter(&pad->pad_lock); 1101 au_pathhold(pad->pad_cwd); 1102 tad->tad_atpath = pad->pad_cwd; 1103 mutex_exit(&pad->pad_lock); 1104 } 1105 } 1106 1107 void 1108 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1109 { 1110 t_audit_data_t *tad; 1111 vnode_t *vp; 1112 1113 tad = U2A(u); 1114 1115 /* if not auditing this event, then do nothing */ 1116 if (tad->tad_flag == 0) 1117 return; 1118 1119 au_uwrite(au_to_text(target)); 1120 1121 if (error) 1122 return; 1123 1124 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1125 NULL, NULL, NULL); 1126 if (error == 0) { 1127 audit_attributes(vp); 1128 VN_RELE(vp); 1129 } 1130 } 1131 1132 /* 1133 * ROUTINE: AUDIT_VNCREATE_START 1134 * PURPOSE: set flag so path name lookup in create will not add attribute 1135 * CALLBY: VN_CREATE 1136 * NOTE: 1137 * TODO: 1138 * QUESTION: 1139 */ 1140 1141 void 1142 audit_vncreate_start() 1143 { 1144 t_audit_data_t *tad; 1145 1146 tad = U2A(u); 1147 tad->tad_ctrl |= TAD_NOATTRB; 1148 } 1149 1150 /* 1151 * ROUTINE: AUDIT_VNCREATE_FINISH 1152 * PURPOSE: 1153 * CALLBY: VN_CREATE 1154 * NOTE: 1155 * TODO: 1156 * QUESTION: 1157 */ 1158 void 1159 audit_vncreate_finish(struct vnode *vp, int error) 1160 { 1161 t_audit_data_t *tad; 1162 1163 if (error) 1164 return; 1165 1166 tad = U2A(u); 1167 1168 /* if not auditing this event, then do nothing */ 1169 if (tad->tad_flag == 0) 1170 return; 1171 1172 if (tad->tad_ctrl & TAD_TRUE_CREATE) { 1173 audit_attributes(vp); 1174 } 1175 1176 if (tad->tad_ctrl & TAD_CORE) { 1177 audit_attributes(vp); 1178 tad->tad_ctrl &= ~TAD_CORE; 1179 } 1180 1181 if (!error && ((tad->tad_event == AUE_MKNOD) || 1182 (tad->tad_event == AUE_MKDIR))) { 1183 audit_attributes(vp); 1184 } 1185 1186 /* for case where multiple lookups in one syscall (rename) */ 1187 tad->tad_ctrl &= ~TAD_NOATTRB; 1188 } 1189 1190 1191 1192 1193 1194 1195 1196 1197 /* 1198 * ROUTINE: AUDIT_EXEC 1199 * PURPOSE: Records the function arguments and environment variables 1200 * CALLBY: EXEC_ARGS 1201 * NOTE: 1202 * TODO: 1203 * QUESTION: 1204 */ 1205 1206 void 1207 audit_exec( 1208 const char *argstr, /* argument strings */ 1209 const char *envstr, /* environment strings */ 1210 ssize_t argc, /* total # arguments */ 1211 ssize_t envc, /* total # environment variables */ 1212 cred_t *pfcred) /* the additional privileges in a profile */ 1213 { 1214 t_audit_data_t *tad; 1215 au_kcontext_t *kctx = GET_KCTX_PZ; 1216 1217 tad = U2A(u); 1218 1219 /* if not auditing this event, then do nothing */ 1220 if (!tad->tad_flag) 1221 return; 1222 1223 if (pfcred != NULL) { 1224 p_audit_data_t *pad; 1225 cred_t *cr = CRED(); 1226 priv_set_t pset = CR_IPRIV(cr); 1227 1228 pad = P2A(curproc); 1229 1230 /* It's a different event. */ 1231 tad->tad_event = AUE_PFEXEC; 1232 1233 /* Add the current working directory to the audit trail. */ 1234 if (pad->pad_cwd != NULL) 1235 au_uwrite(au_to_path(pad->pad_cwd)); 1236 1237 /* 1238 * The new credential is not yet in place when audit_exec 1239 * is called. 1240 * Compute the additional bits available in the new credential 1241 * and the limit set. 1242 */ 1243 priv_inverse(&pset); 1244 priv_intersect(&CR_IPRIV(pfcred), &pset); 1245 if (!priv_isemptyset(&pset) || 1246 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1247 au_uwrite(au_to_privset( 1248 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1249 0)); 1250 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1251 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1252 } 1253 /* 1254 * Compare the uids & gids: create a process token if changed. 1255 */ 1256 if (crgetuid(cr) != crgetuid(pfcred) || 1257 crgetruid(cr) != crgetruid(pfcred) || 1258 crgetgid(cr) != crgetgid(pfcred) || 1259 crgetrgid(cr) != crgetrgid(pfcred)) { 1260 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1261 } 1262 } 1263 1264 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1265 au_uwrite(au_to_exec_args(argstr, argc)); 1266 1267 if (kctx->auk_policy & AUDIT_ARGE) 1268 au_uwrite(au_to_exec_env(envstr, envc)); 1269 } 1270 1271 /* 1272 * ROUTINE: AUDIT_ENTERPROM 1273 * PURPOSE: 1274 * CALLBY: KBDINPUT 1275 * ZSA_XSINT 1276 * NOTE: 1277 * TODO: 1278 * QUESTION: 1279 */ 1280 void 1281 audit_enterprom(int flg) 1282 { 1283 token_t *rp = NULL; 1284 int sorf; 1285 1286 if (flg) 1287 sorf = AUM_SUCC; 1288 else 1289 sorf = AUM_FAIL; 1290 1291 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1292 1293 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1294 1295 if (flg) 1296 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1297 else 1298 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1299 1300 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, 0, NULL); 1301 } 1302 1303 1304 /* 1305 * ROUTINE: AUDIT_EXITPROM 1306 * PURPOSE: 1307 * CALLBY: KBDINPUT 1308 * ZSA_XSINT 1309 * NOTE: 1310 * TODO: 1311 * QUESTION: 1312 */ 1313 void 1314 audit_exitprom(int flg) 1315 { 1316 int sorf; 1317 token_t *rp = NULL; 1318 1319 if (flg) 1320 sorf = AUM_SUCC; 1321 else 1322 sorf = AUM_FAIL; 1323 1324 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1325 1326 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1327 1328 if (flg) 1329 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1330 else 1331 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1332 1333 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, 0, NULL); 1334 } 1335 1336 struct fcntla { 1337 int fdes; 1338 int cmd; 1339 intptr_t arg; 1340 }; 1341 1342 1343 /* 1344 * ROUTINE: AUDIT_CHDIREC 1345 * PURPOSE: 1346 * CALLBY: CHDIREC 1347 * NOTE: The main function of CHDIREC 1348 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1349 * QUESTION: 1350 */ 1351 1352 /*ARGSUSED*/ 1353 void 1354 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1355 { 1356 int chdir; 1357 int fchdir; 1358 struct audit_path **appp; 1359 struct file *fp; 1360 f_audit_data_t *fad; 1361 p_audit_data_t *pad = P2A(curproc); 1362 t_audit_data_t *tad = T2A(curthread); 1363 1364 struct a { 1365 long fd; 1366 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1367 1368 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1369 chdir = tad->tad_scid == SYS_chdir; 1370 if (tad->tad_aupath) { 1371 mutex_enter(&pad->pad_lock); 1372 if (chdir) 1373 appp = &(pad->pad_cwd); 1374 else 1375 appp = &(pad->pad_root); 1376 au_pathrele(*appp); 1377 /* use tad hold */ 1378 *appp = tad->tad_aupath; 1379 tad->tad_aupath = NULL; 1380 mutex_exit(&pad->pad_lock); 1381 } 1382 } else if ((tad->tad_scid == SYS_fchdir) || 1383 (tad->tad_scid == SYS_fchroot)) { 1384 fchdir = tad->tad_scid == SYS_fchdir; 1385 if ((fp = getf(uap->fd)) == NULL) 1386 return; 1387 fad = F2A(fp); 1388 if (fad->fad_aupath) { 1389 au_pathhold(fad->fad_aupath); 1390 mutex_enter(&pad->pad_lock); 1391 if (fchdir) 1392 appp = &(pad->pad_cwd); 1393 else 1394 appp = &(pad->pad_root); 1395 au_pathrele(*appp); 1396 *appp = fad->fad_aupath; 1397 mutex_exit(&pad->pad_lock); 1398 if (tad->tad_flag) { 1399 au_uwrite(au_to_path(fad->fad_aupath)); 1400 audit_attributes(fp->f_vnode); 1401 } 1402 } 1403 releasef(uap->fd); 1404 } 1405 } 1406 1407 1408 /* 1409 * Audit hook for stream based socket and tli request. 1410 * Note that we do not have user context while executing 1411 * this code so we had to record them earlier during the 1412 * putmsg/getmsg to figure out which user we are dealing with. 1413 */ 1414 1415 /*ARGSUSED*/ 1416 void 1417 audit_sock( 1418 int type, /* type of tihdr.h header requests */ 1419 queue_t *q, /* contains the process and thread audit data */ 1420 mblk_t *mp, /* contains the tihdr.h header structures */ 1421 int from) /* timod or sockmod request */ 1422 { 1423 int32_t len; 1424 int32_t offset; 1425 struct sockaddr_in *sock_data; 1426 struct T_conn_req *conn_req; 1427 struct T_conn_ind *conn_ind; 1428 struct T_unitdata_req *unitdata_req; 1429 struct T_unitdata_ind *unitdata_ind; 1430 au_state_t estate; 1431 t_audit_data_t *tad; 1432 caddr_t saved_thread_ptr; 1433 au_mask_t amask; 1434 const auditinfo_addr_t *ainfo; 1435 au_kcontext_t *kctx; 1436 1437 if (q->q_stream == NULL) 1438 return; 1439 mutex_enter(&q->q_stream->sd_lock); 1440 /* are we being audited */ 1441 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1442 /* no pointer to thread, nothing to do */ 1443 if (saved_thread_ptr == NULL) { 1444 mutex_exit(&q->q_stream->sd_lock); 1445 return; 1446 } 1447 /* only allow one addition of a record token */ 1448 q->q_stream->sd_t_audit_data = NULL; 1449 /* 1450 * thread is not the one being audited, then nothing to do 1451 * This could be the stream thread handling the module 1452 * service routine. In this case, the context for the audit 1453 * record can no longer be assumed. Simplest to just drop 1454 * the operation. 1455 */ 1456 if (curthread != (kthread_id_t)saved_thread_ptr) { 1457 mutex_exit(&q->q_stream->sd_lock); 1458 return; 1459 } 1460 if (curthread->t_sysnum >= SYS_so_socket && 1461 curthread->t_sysnum <= SYS_sockconfig) { 1462 mutex_exit(&q->q_stream->sd_lock); 1463 return; 1464 } 1465 mutex_exit(&q->q_stream->sd_lock); 1466 /* 1467 * we know that the thread that did the put/getmsg is the 1468 * one running. Now we can get the TAD and see if we should 1469 * add an audit token. 1470 */ 1471 tad = U2A(u); 1472 1473 kctx = GET_KCTX_PZ; 1474 1475 /* proceed ONLY if user is being audited */ 1476 if (!tad->tad_flag) 1477 return; 1478 1479 ainfo = crgetauinfo(CRED()); 1480 if (ainfo == NULL) 1481 return; 1482 amask = ainfo->ai_mask; 1483 1484 /* 1485 * Figure out the type of stream networking request here. 1486 * Note that getmsg and putmsg are always preselected 1487 * because during the beginning of the system call we have 1488 * not yet figure out which of the socket or tli request 1489 * we are looking at until we are here. So we need to check 1490 * against that specific request and reset the type of event. 1491 */ 1492 switch (type) { 1493 case T_CONN_REQ: /* connection request */ 1494 conn_req = (struct T_conn_req *)mp->b_rptr; 1495 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1496 return; 1497 offset = conn_req->DEST_offset; 1498 len = conn_req->DEST_length; 1499 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1500 if (amask.as_success & estate || amask.as_failure & estate) { 1501 tad->tad_event = AUE_SOCKCONNECT; 1502 break; 1503 } else { 1504 return; 1505 } 1506 case T_CONN_IND: /* connectionless receive request */ 1507 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1508 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1509 return; 1510 offset = conn_ind->SRC_offset; 1511 len = conn_ind->SRC_length; 1512 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1513 if (amask.as_success & estate || amask.as_failure & estate) { 1514 tad->tad_event = AUE_SOCKACCEPT; 1515 break; 1516 } else { 1517 return; 1518 } 1519 case T_UNITDATA_REQ: /* connectionless send request */ 1520 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1521 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1522 return; 1523 offset = unitdata_req->DEST_offset; 1524 len = unitdata_req->DEST_length; 1525 estate = kctx->auk_ets[AUE_SOCKSEND]; 1526 if (amask.as_success & estate || amask.as_failure & estate) { 1527 tad->tad_event = AUE_SOCKSEND; 1528 break; 1529 } else { 1530 return; 1531 } 1532 case T_UNITDATA_IND: /* connectionless receive request */ 1533 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1534 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1535 return; 1536 offset = unitdata_ind->SRC_offset; 1537 len = unitdata_ind->SRC_length; 1538 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1539 if (amask.as_success & estate || amask.as_failure & estate) { 1540 tad->tad_event = AUE_SOCKRECEIVE; 1541 break; 1542 } else { 1543 return; 1544 } 1545 default: 1546 return; 1547 } 1548 1549 /* 1550 * we are only interested in tcp stream connections, 1551 * not unix domain stuff 1552 */ 1553 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1554 tad->tad_event = AUE_GETMSG; 1555 return; 1556 } 1557 /* skip over TPI header and point to the ip address */ 1558 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1559 1560 switch (sock_data->sin_family) { 1561 case AF_INET: 1562 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1563 break; 1564 default: /* reset to AUE_PUTMSG if not a inet request */ 1565 tad->tad_event = AUE_GETMSG; 1566 break; 1567 } 1568 } 1569 1570 1571 static void 1572 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1573 { 1574 unsigned int sy_flags; 1575 1576 #ifdef _SYSCALL32_IMPL 1577 /* 1578 * Guard against t_lwp being NULL when this function is called 1579 * from a kernel queue instead of from a direct system call. 1580 * In that case, assume the running kernel data model. 1581 */ 1582 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1583 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1584 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1585 else 1586 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1587 #else 1588 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1589 #endif 1590 1591 if (sy_flags == SE_64RVAL) 1592 au_write(ad, au_to_return64(err, rval)); 1593 else 1594 au_write(ad, au_to_return32(err, rval)); 1595 1596 } 1597 1598 /*ARGSUSED*/ 1599 void 1600 audit_fdsend(int fd, struct file *fp, int error) 1601 { 1602 t_audit_data_t *tad; /* current thread */ 1603 f_audit_data_t *fad; /* per file audit structure */ 1604 struct vnode *vp; /* for file attributes */ 1605 1606 /* is this system call being audited */ 1607 tad = U2A(u); 1608 ASSERT(tad != (t_audit_data_t *)0); 1609 if (!tad->tad_flag) 1610 return; 1611 1612 fad = F2A(fp); 1613 1614 /* add path and file attributes */ 1615 if (fad != NULL && fad->fad_aupath != NULL) { 1616 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1617 au_uwrite(au_to_path(fad->fad_aupath)); 1618 } else { 1619 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1620 #ifdef _LP64 1621 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1622 #else 1623 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1624 #endif 1625 } 1626 vp = fp->f_vnode; /* include vnode attributes */ 1627 audit_attributes(vp); 1628 } 1629 1630 /* 1631 * Record privileges successfully used and we attempted to use but 1632 * didn't have. 1633 */ 1634 void 1635 audit_priv(int priv, const priv_set_t *set, int flag) 1636 { 1637 t_audit_data_t *tad; 1638 int sbit; 1639 priv_set_t *target; 1640 1641 /* Make sure this isn't being called in an interrupt context */ 1642 ASSERT(servicing_interrupt() == 0); 1643 1644 tad = U2A(u); 1645 1646 if (tad->tad_flag == 0) 1647 return; 1648 1649 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1650 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1651 1652 /* Tell audit_success() and audit_finish() that we saw this case */ 1653 if (!(tad->tad_evmod & sbit)) { 1654 /* Clear set first time around */ 1655 priv_emptyset(target); 1656 tad->tad_evmod |= sbit; 1657 } 1658 1659 /* Save the privileges in the tad */ 1660 if (priv == PRIV_ALL) { 1661 priv_fillset(target); 1662 } else { 1663 ASSERT(set != NULL || priv != PRIV_NONE); 1664 if (set != NULL) 1665 priv_union(set, target); 1666 if (priv != PRIV_NONE) 1667 priv_addset(target, priv); 1668 } 1669 } 1670 1671 /* 1672 * Audit the psecflags() system call; the set name, current value, and delta 1673 * are put in the audit trail. 1674 */ 1675 void 1676 audit_psecflags(proc_t *p, 1677 psecflagwhich_t which, 1678 const secflagdelta_t *psd) 1679 { 1680 t_audit_data_t *tad; 1681 secflagset_t new; 1682 const secflagset_t *old; 1683 const char *s; 1684 cred_t *cr; 1685 pid_t pid; 1686 const auditinfo_addr_t *ainfo; 1687 const psecflags_t *psec = &p->p_secflags; 1688 1689 tad = U2A(u); 1690 1691 if (tad->tad_flag == 0) 1692 return; 1693 1694 switch (which) { 1695 case PSF_EFFECTIVE: 1696 s = "effective"; 1697 old = &psec->psf_effective; 1698 break; 1699 case PSF_INHERIT: 1700 s = "inherit"; 1701 old = &psec->psf_inherit; 1702 break; 1703 case PSF_LOWER: 1704 s = "lower"; 1705 old = &psec->psf_lower; 1706 break; 1707 case PSF_UPPER: 1708 s = "upper"; 1709 old = &psec->psf_upper; 1710 break; 1711 } 1712 1713 secflags_copy(&new, old); 1714 secflags_apply_delta(&new, psd); 1715 1716 au_uwrite(au_to_secflags(s, *old)); 1717 au_uwrite(au_to_secflags(s, new)); 1718 1719 ASSERT(mutex_owned(&p->p_lock)); 1720 mutex_enter(&p->p_crlock); 1721 1722 pid = p->p_pid; 1723 crhold(cr = p->p_cred); 1724 mutex_exit(&p->p_crlock); 1725 1726 if ((ainfo = crgetauinfo(cr)) == NULL) { 1727 crfree(cr); 1728 return; 1729 } 1730 1731 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid); 1732 1733 crfree(cr); 1734 } 1735 1736 /* 1737 * Audit the setpriv() system call; the operation, the set name and 1738 * the current value as well as the set argument are put in the 1739 * audit trail. 1740 */ 1741 void 1742 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1743 { 1744 t_audit_data_t *tad; 1745 const priv_set_t *oldpriv; 1746 priv_set_t report; 1747 const char *setname; 1748 1749 tad = U2A(u); 1750 1751 if (tad->tad_flag == 0) 1752 return; 1753 1754 oldpriv = priv_getset(ocr, set); 1755 1756 /* Generate the actual record, include the before and after */ 1757 au_uwrite(au_to_arg32(2, "op", op)); 1758 setname = priv_getsetbynum(set); 1759 1760 switch (op) { 1761 case PRIV_OFF: 1762 /* Report privileges actually switched off */ 1763 report = *oldpriv; 1764 priv_intersect(newpriv, &report); 1765 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1766 break; 1767 case PRIV_ON: 1768 /* Report privileges actually switched on */ 1769 report = *oldpriv; 1770 priv_inverse(&report); 1771 priv_intersect(newpriv, &report); 1772 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1773 break; 1774 case PRIV_SET: 1775 /* Report before and after */ 1776 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1777 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1778 break; 1779 } 1780 } 1781 1782 /* 1783 * Dump the full device policy setting in the audit trail. 1784 */ 1785 void 1786 audit_devpolicy(int nitems, const devplcysys_t *items) 1787 { 1788 t_audit_data_t *tad; 1789 int i; 1790 1791 tad = U2A(u); 1792 1793 if (tad->tad_flag == 0) 1794 return; 1795 1796 for (i = 0; i < nitems; i++) { 1797 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1798 if (items[i].dps_minornm[0] == '\0') { 1799 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1800 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1801 } else 1802 au_uwrite(au_to_text(items[i].dps_minornm)); 1803 1804 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1805 AUT_PRIV, 0)); 1806 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1807 AUT_PRIV, 0)); 1808 } 1809 } 1810 1811 /*ARGSUSED*/ 1812 void 1813 audit_fdrecv(int fd, struct file *fp) 1814 { 1815 t_audit_data_t *tad; /* current thread */ 1816 f_audit_data_t *fad; /* per file audit structure */ 1817 struct vnode *vp; /* for file attributes */ 1818 1819 /* is this system call being audited */ 1820 tad = U2A(u); 1821 ASSERT(tad != (t_audit_data_t *)0); 1822 if (!tad->tad_flag) 1823 return; 1824 1825 fad = F2A(fp); 1826 1827 /* add path and file attributes */ 1828 if (fad != NULL && fad->fad_aupath != NULL) { 1829 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1830 au_uwrite(au_to_path(fad->fad_aupath)); 1831 } else { 1832 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1833 #ifdef _LP64 1834 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1835 #else 1836 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1837 #endif 1838 } 1839 vp = fp->f_vnode; /* include vnode attributes */ 1840 audit_attributes(vp); 1841 } 1842 1843 /* 1844 * ROUTINE: AUDIT_CRYPTOADM 1845 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1846 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1847 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1848 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1849 * CRYPTO_LOAD_DOOR 1850 * NOTE: 1851 * TODO: 1852 * QUESTION: 1853 */ 1854 1855 void 1856 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1857 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1858 { 1859 boolean_t mech_list_required = B_FALSE; 1860 cred_t *cr = CRED(); 1861 t_audit_data_t *tad; 1862 token_t *ad = NULL; 1863 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1864 char buffer[MAXNAMELEN * 2]; 1865 au_kcontext_t *kctx = GET_KCTX_PZ; 1866 1867 tad = U2A(u); 1868 if (tad == NULL) 1869 return; 1870 1871 if (ainfo == NULL) 1872 return; 1873 1874 tad->tad_event = AUE_CRYPTOADM; 1875 1876 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1877 return; 1878 1879 /* Add subject information */ 1880 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1881 1882 switch (cmd) { 1883 case CRYPTO_LOAD_DEV_DISABLED: 1884 if (error == 0 && rv == CRYPTO_SUCCESS) { 1885 (void) snprintf(buffer, sizeof (buffer), 1886 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1887 " dev_instance=%d", 1888 module_name, device_instance); 1889 mech_list_required = B_TRUE; 1890 } else { 1891 (void) snprintf(buffer, sizeof (buffer), 1892 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1893 } 1894 break; 1895 1896 case CRYPTO_LOAD_SOFT_DISABLED: 1897 if (error == 0 && rv == CRYPTO_SUCCESS) { 1898 (void) snprintf(buffer, sizeof (buffer), 1899 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1900 module_name); 1901 mech_list_required = B_TRUE; 1902 } else { 1903 (void) snprintf(buffer, sizeof (buffer), 1904 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1905 } 1906 break; 1907 1908 case CRYPTO_UNLOAD_SOFT_MODULE: 1909 if (error == 0 && rv == CRYPTO_SUCCESS) { 1910 (void) snprintf(buffer, sizeof (buffer), 1911 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1912 module_name); 1913 } else { 1914 (void) snprintf(buffer, sizeof (buffer), 1915 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1916 } 1917 break; 1918 1919 case CRYPTO_LOAD_SOFT_CONFIG: 1920 if (error == 0 && rv == CRYPTO_SUCCESS) { 1921 (void) snprintf(buffer, sizeof (buffer), 1922 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1923 module_name); 1924 mech_list_required = B_TRUE; 1925 } else { 1926 (void) snprintf(buffer, sizeof (buffer), 1927 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1928 } 1929 break; 1930 1931 case CRYPTO_POOL_CREATE: 1932 (void) snprintf(buffer, sizeof (buffer), 1933 "op=CRYPTO_POOL_CREATE"); 1934 break; 1935 1936 case CRYPTO_POOL_WAIT: 1937 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1938 break; 1939 1940 case CRYPTO_POOL_RUN: 1941 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1942 break; 1943 1944 case CRYPTO_LOAD_DOOR: 1945 if (error == 0 && rv == CRYPTO_SUCCESS) 1946 (void) snprintf(buffer, sizeof (buffer), 1947 "op=CRYPTO_LOAD_DOOR"); 1948 else 1949 (void) snprintf(buffer, sizeof (buffer), 1950 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1951 break; 1952 1953 case CRYPTO_FIPS140_SET: 1954 (void) snprintf(buffer, sizeof (buffer), 1955 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1956 break; 1957 1958 default: 1959 return; 1960 } 1961 1962 au_write((caddr_t *)&ad, au_to_text(buffer)); 1963 1964 if (mech_list_required) { 1965 int i; 1966 1967 if (mech_count == 0) { 1968 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1969 } else { 1970 char *pb = buffer; 1971 size_t l = sizeof (buffer); 1972 size_t n; 1973 char space[2] = ":"; 1974 1975 n = snprintf(pb, l, "mech="); 1976 1977 for (i = 0; i < mech_count; i++) { 1978 pb += n; 1979 l = (n >= l) ? 0 : l - n; 1980 1981 if (i == mech_count - 1) 1982 (void) strcpy(space, ""); 1983 1984 n = snprintf(pb, l, "%s%s", mech_names[i], 1985 space); 1986 } 1987 au_write((caddr_t *)&ad, au_to_text(buffer)); 1988 } 1989 } 1990 1991 /* add a return token */ 1992 if (error || (rv != CRYPTO_SUCCESS)) 1993 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1994 else 1995 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1996 1997 AS_INC(as_generated, 1, kctx); 1998 AS_INC(as_kernel, 1, kctx); 1999 2000 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 2001 NULL); 2002 } 2003 2004 /* 2005 * Audit the kernel PF_POLICY administration commands. Record command, 2006 * zone, policy type (global or tunnel, active or inactive) 2007 */ 2008 /* 2009 * ROUTINE: AUDIT_PF_POLICY 2010 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2011 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2012 * SPD_CLONE, SPD_FLIP 2013 * NOTE: 2014 * TODO: 2015 * QUESTION: 2016 */ 2017 2018 void 2019 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2020 boolean_t active, int error, pid_t pid) 2021 { 2022 const auditinfo_addr_t *ainfo; 2023 t_audit_data_t *tad; 2024 token_t *ad = NULL; 2025 au_kcontext_t *kctx = GET_KCTX_PZ; 2026 char buf[80]; 2027 int flag; 2028 2029 tad = U2A(u); 2030 if (tad == NULL) 2031 return; 2032 2033 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2034 if (ainfo == NULL) 2035 return; 2036 2037 /* 2038 * Initialize some variables since these are only set 2039 * with system calls. 2040 */ 2041 2042 switch (cmd) { 2043 case SPD_ADDRULE: { 2044 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2045 break; 2046 } 2047 2048 case SPD_DELETERULE: { 2049 tad->tad_event = AUE_PF_POLICY_DELRULE; 2050 break; 2051 } 2052 2053 case SPD_FLUSH: { 2054 tad->tad_event = AUE_PF_POLICY_FLUSH; 2055 break; 2056 } 2057 2058 case SPD_UPDATEALGS: { 2059 tad->tad_event = AUE_PF_POLICY_ALGS; 2060 break; 2061 } 2062 2063 case SPD_CLONE: { 2064 tad->tad_event = AUE_PF_POLICY_CLONE; 2065 break; 2066 } 2067 2068 case SPD_FLIP: { 2069 tad->tad_event = AUE_PF_POLICY_FLIP; 2070 break; 2071 } 2072 2073 default: 2074 tad->tad_event = AUE_NULL; 2075 } 2076 2077 tad->tad_evmod = 0; 2078 2079 if (flag = audit_success(kctx, tad, error, cred)) { 2080 zone_t *nszone; 2081 2082 /* 2083 * For now, just audit that an event happened, 2084 * along with the error code. 2085 */ 2086 au_write((caddr_t *)&ad, 2087 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2088 au_write((caddr_t *)&ad, 2089 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2090 2091 /* Supplemental data */ 2092 2093 /* 2094 * Generate this zone token if the target zone differs 2095 * from the administrative zone. If netstacks are expanded 2096 * to something other than a 1-1 relationship with zones, 2097 * the auditing framework should create a new token type 2098 * and audit it as a netstack instead. 2099 * Turn on general zone auditing to get the administrative zone. 2100 */ 2101 2102 nszone = zone_find_by_id(netstackid_to_zoneid( 2103 ns->netstack_stackid)); 2104 if (nszone != NULL) { 2105 if (strncmp(crgetzone(cred)->zone_name, 2106 nszone->zone_name, ZONENAME_MAX) != 0) { 2107 token_t *ztoken; 2108 2109 ztoken = au_to_zonename(0, nszone); 2110 au_write((caddr_t *)&ad, ztoken); 2111 } 2112 zone_rele(nszone); 2113 } 2114 2115 if (tun != NULL) { 2116 /* write tunnel name - tun is bounded */ 2117 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2118 tun); 2119 au_write((caddr_t *)&ad, au_to_text(buf)); 2120 } 2121 2122 /* Add subject information */ 2123 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2124 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2125 2126 /* add a return token */ 2127 add_return_token((caddr_t *)&ad, 0, error, 0); 2128 2129 AS_INC(as_generated, 1, kctx); 2130 AS_INC(as_kernel, 1, kctx); 2131 2132 } 2133 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2134 NULL); 2135 2136 /* 2137 * clear the ctrl flag so that we don't have spurious collection of 2138 * audit information. 2139 */ 2140 tad->tad_scid = 0; 2141 tad->tad_event = 0; 2142 tad->tad_evmod = 0; 2143 tad->tad_ctrl = 0; 2144 } 2145 2146 /* 2147 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2148 * PURPOSE: Add security attributes 2149 * CALLBY: AUDIT_ATTRIBUTES 2150 * AUDIT_CLOSEF 2151 * AUS_CLOSE 2152 * NOTE: 2153 * TODO: 2154 * QUESTION: 2155 */ 2156 2157 void 2158 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2159 { 2160 /* Dump the SL */ 2161 if (is_system_labeled()) { 2162 ts_label_t *tsl; 2163 bslabel_t *bsl; 2164 2165 tsl = getflabel(vp); 2166 if (tsl == NULL) 2167 return; /* nothing else to do */ 2168 2169 bsl = label2bslabel(tsl); 2170 if (bsl == NULL) 2171 return; /* nothing else to do */ 2172 au_write(ad, au_to_label(bsl)); 2173 label_rele(tsl); 2174 } 2175 2176 } /* AUDIT_SEC_ATTRIBUTES */ 2177