1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #include <sys/types.h> 33 #include <sys/proc.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/syscall.h> 42 #include <sys/fcntl.h> 43 #include <sys/ipc_impl.h> 44 #include <sys/msg_impl.h> 45 #include <sys/sem_impl.h> 46 #include <sys/shm_impl.h> 47 #include <sys/kmem.h> /* for KM_SLEEP */ 48 #include <sys/socket.h> 49 #include <sys/cmn_err.h> /* snprintf... */ 50 #include <sys/debug.h> 51 #include <sys/thread.h> 52 #include <netinet/in.h> 53 #include <c2/audit.h> /* needs to be included before user.h */ 54 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 55 #include <c2/audit_kevents.h> 56 #include <c2/audit_record.h> 57 #include <sys/strsubr.h> 58 #include <sys/tihdr.h> 59 #include <sys/tiuser.h> 60 #include <sys/timod.h> 61 #include <sys/model.h> /* for model_t */ 62 #include <sys/disp.h> /* for servicing_interrupt() */ 63 #include <sys/devpolicy.h> 64 #include <sys/crypto/ioctladmin.h> 65 #include <inet/kssl/kssl.h> 66 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 68 69 static void audit_pathbuild(struct pathname *pnp); 70 71 /* 72 * ROUTINE: AUDIT_NEWPROC 73 * PURPOSE: initialize the child p_audit_data structure 74 * CALLBY: GETPROC 75 * NOTE: All threads for the parent process are locked at this point. 76 * We are essentially running singled threaded for this reason. 77 * GETPROC is called when system creates a new process. 78 * By the time AUDIT_NEWPROC is called, the child proc 79 * structure has already been initialized. What we need 80 * to do is to allocate the child p_audit_data and 81 * initialize it with the content of current parent process. 82 */ 83 84 void 85 audit_newproc(struct proc *cp) /* initialized child proc structure */ 86 { 87 p_audit_data_t *pad; /* child process audit data */ 88 p_audit_data_t *opad; /* parent process audit data */ 89 90 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 91 92 P2A(cp) = pad; 93 94 opad = P2A(curproc); 95 96 /* 97 * copy the audit data. Note that all threads of current 98 * process have been "held". Thus there is no race condition 99 * here with mutiple threads trying to alter the cwrd 100 * structure (such as releasing it). 101 * 102 * The audit context in the cred is "duplicated" for the new 103 * proc by elsewhere crhold'ing the parent's cred which it shares. 104 * 105 * We still want to hold things since auditon() [A_SETUMASK, 106 * A_SETSMASK] could be walking through the processes to 107 * update things. 108 */ 109 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 110 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 111 au_pathhold(pad->pad_root); 112 au_pathhold(pad->pad_cwd); 113 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 114 115 /* 116 * finish auditing of parent here so that it will be done 117 * before child has a chance to run. We include the child 118 * pid since the return value in the return token is a dummy 119 * one and contains no useful information (it is included to 120 * make the audit record structure consistant). 121 * 122 * tad_flag is set if auditing is on 123 */ 124 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 125 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 126 127 /* 128 * finish up audit record generation here because child process 129 * is set to run before parent process. We distinguish here 130 * between FORK, FORK1, or VFORK by the saved system call ID. 131 */ 132 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 133 } 134 135 /* 136 * ROUTINE: AUDIT_PFREE 137 * PURPOSE: deallocate the per-process udit data structure 138 * CALLBY: EXIT 139 * FORK_FAIL 140 * NOTE: all lwp except current one have stopped in SEXITLWPS 141 * why we are single threaded? 142 * . all lwp except current one have stopped in SEXITLWPS. 143 */ 144 void 145 audit_pfree(struct proc *p) /* proc structure to be freed */ 146 147 { /* AUDIT_PFREE */ 148 149 p_audit_data_t *pad; 150 151 pad = P2A(p); 152 153 /* better be a per process audit data structure */ 154 ASSERT(pad != (p_audit_data_t *)0); 155 156 if (pad == pad0) { 157 return; 158 } 159 160 /* deallocate all auditing resources for this process */ 161 au_pathrele(pad->pad_root); 162 au_pathrele(pad->pad_cwd); 163 164 /* 165 * Since the pad structure is completely overwritten after alloc, 166 * we don't bother to clear it. 167 */ 168 169 kmem_cache_free(au_pad_cache, pad); 170 } 171 172 /* 173 * ROUTINE: AUDIT_THREAD_CREATE 174 * PURPOSE: allocate per-process thread audit data structure 175 * CALLBY: THREAD_CREATE 176 * NOTE: This is called just after *t was bzero'd. 177 * We are single threaded in this routine. 178 * TODO: 179 * QUESTION: 180 */ 181 182 void 183 audit_thread_create(kthread_id_t t) 184 { 185 t_audit_data_t *tad; /* per-thread audit data */ 186 187 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 188 189 T2A(t) = tad; /* set up thread audit data ptr */ 190 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 191 } 192 193 /* 194 * ROUTINE: AUDIT_THREAD_FREE 195 * PURPOSE: free the per-thread audit data structure 196 * CALLBY: THREAD_FREE 197 * NOTE: most thread data is clear after return 198 */ 199 void 200 audit_thread_free(kthread_t *t) 201 { 202 t_audit_data_t *tad; 203 au_defer_info_t *attr; 204 205 tad = T2A(t); 206 207 /* thread audit data must still be set */ 208 209 if (tad == tad0) { 210 return; 211 } 212 213 if (tad == NULL) { 214 return; 215 } 216 217 t->t_audit_data = 0; 218 219 /* must not have any audit record residual */ 220 ASSERT(tad->tad_ad == NULL); 221 222 /* saved path must be empty */ 223 ASSERT(tad->tad_aupath == NULL); 224 225 if (tad->tad_atpath) 226 au_pathrele(tad->tad_atpath); 227 228 attr = tad->tad_defer_head; 229 while (attr != NULL) { 230 au_defer_info_t *tmp_attr = attr; 231 232 au_free_rec(attr->audi_ad); 233 234 attr = attr->audi_next; 235 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 236 } 237 238 kmem_free(tad, sizeof (*tad)); 239 } 240 241 /* 242 * ROUTINE: AUDIT_SAVEPATH 243 * PURPOSE: 244 * CALLBY: LOOKUPPN 245 * 246 * NOTE: We have reached the end of a path in fs/lookup.c. 247 * We get two pieces of information here: 248 * the vnode of the last component (vp) and 249 * the status of the last access (flag). 250 * TODO: 251 * QUESTION: 252 */ 253 254 /*ARGSUSED*/ 255 int 256 audit_savepath( 257 struct pathname *pnp, /* pathname to lookup */ 258 struct vnode *vp, /* vnode of the last component */ 259 int flag, /* status of the last access */ 260 cred_t *cr) /* cred of requestor */ 261 { 262 263 t_audit_data_t *tad; /* current thread */ 264 p_audit_data_t *pad; /* current process */ 265 au_kcontext_t *kctx = SET_KCTX_PZ; 266 267 if (kctx == NULL) { 268 zone_status_t zstate = zone_status_get(curproc->p_zone); 269 ASSERT(zstate != ZONE_IS_READY); 270 return (0); 271 } 272 273 tad = U2A(u); 274 ASSERT(tad != (t_audit_data_t *)0); 275 pad = P2A(curproc); 276 ASSERT(pad != (p_audit_data_t *)0); 277 278 /* 279 * this event being audited or do we need path information 280 * later? This might be for a chdir/chroot or open (add path 281 * to file pointer. If the path has already been found for an 282 * open/creat then we don't need to process the path. 283 * 284 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 285 * chroot, chdir, open, creat system call processing. It determines 286 * if audit_savepath() will discard the path or we need it later. 287 * PAD_PATHFND means path already included in this audit record. It 288 * is used in cases where multiple path lookups are done per 289 * system call. The policy flag, AUDIT_PATH, controls if multiple 290 * paths are allowed. 291 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 292 * exit processing to inhibit any paths that may be added due to 293 * closes. 294 */ 295 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 296 ((tad->tad_ctrl & PAD_PATHFND) && 297 !(kctx->auk_policy & AUDIT_PATH)) || 298 (tad->tad_ctrl & PAD_NOPATH)) { 299 return (0); 300 } 301 302 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 303 304 audit_pathbuild(pnp); 305 tad->tad_vn = vp; 306 307 /* 308 * are we auditing only if error, or if it is not open or create 309 * otherwise audit_setf will do it 310 */ 311 312 if (tad->tad_flag) { 313 if (flag && (tad->tad_scid == SYS_open || 314 tad->tad_scid == SYS_open64 || 315 tad->tad_scid == SYS_creat || 316 tad->tad_scid == SYS_creat64 || 317 tad->tad_scid == SYS_fsat)) { 318 tad->tad_ctrl |= PAD_TRUE_CREATE; 319 } 320 321 /* add token to audit record for this name */ 322 au_uwrite(au_to_path(tad->tad_aupath)); 323 324 /* add the attributes of the object */ 325 if (vp) { 326 /* 327 * only capture attributes when there is no error 328 * lookup will not return the vnode of the failing 329 * component. 330 * 331 * if there was a lookup error, then don't add 332 * attribute. if lookup in vn_create(), 333 * then don't add attribute, 334 * it will be added at end of vn_create(). 335 */ 336 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 337 audit_attributes(vp); 338 } 339 } 340 341 /* free up space if we're not going to save path (open, crate) */ 342 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 343 if (tad->tad_aupath != NULL) { 344 au_pathrele(tad->tad_aupath); 345 tad->tad_aupath = NULL; 346 tad->tad_vn = NULL; 347 } 348 } 349 if (tad->tad_ctrl & PAD_MLD) 350 tad->tad_ctrl |= PAD_PATHFND; 351 352 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 353 return (0); 354 } 355 356 static void 357 audit_pathbuild(struct pathname *pnp) 358 { 359 char *pp; /* pointer to path */ 360 int len; /* length of incoming segment */ 361 int newsect; /* path requires a new section */ 362 struct audit_path *pfxapp; /* prefix for path */ 363 struct audit_path *newapp; /* new audit_path */ 364 t_audit_data_t *tad; /* current thread */ 365 p_audit_data_t *pad; /* current process */ 366 367 tad = U2A(u); 368 ASSERT(tad != NULL); 369 pad = P2A(curproc); 370 ASSERT(pad != NULL); 371 372 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 373 ASSERT(len > 0); 374 375 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 376 mutex_enter(&pad->pad_lock); 377 if (tad->tad_aupath != NULL) { 378 pfxapp = tad->tad_aupath; 379 } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 380 ASSERT(tad->tad_atpath != NULL); 381 pfxapp = tad->tad_atpath; 382 } else if (tad->tad_ctrl & PAD_ABSPATH) { 383 pfxapp = pad->pad_root; 384 } else { 385 pfxapp = pad->pad_cwd; 386 } 387 au_pathhold(pfxapp); 388 mutex_exit(&pad->pad_lock); 389 390 /* get an expanded buffer to hold the anchored path */ 391 newsect = tad->tad_ctrl & PAD_ATPATH; 392 newapp = au_pathdup(pfxapp, newsect, len); 393 au_pathrele(pfxapp); 394 395 pp = newapp->audp_sect[newapp->audp_cnt] - len; 396 if (!newsect) { 397 /* overlay previous NUL terminator */ 398 *(pp - 1) = '/'; 399 } 400 401 /* now add string of processed path */ 402 bcopy(pnp->pn_buf, pp, len); 403 pp[len - 1] = '\0'; 404 405 /* perform path simplification as necessary */ 406 audit_fixpath(newapp, len); 407 408 if (tad->tad_aupath) 409 au_pathrele(tad->tad_aupath); 410 tad->tad_aupath = newapp; 411 412 /* for case where multiple lookups in one syscall (rename) */ 413 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 414 } 415 416 417 418 /*ARGSUSED*/ 419 420 /* 421 * ROUTINE: AUDIT_ADDCOMPONENT 422 * PURPOSE: extend the path by the component accepted 423 * CALLBY: LOOKUPPN 424 * NOTE: This function is called only when there is an error in 425 * parsing a path component 426 * TODO: Add the error component to audit record 427 * QUESTION: what is this for 428 */ 429 430 void 431 audit_addcomponent(struct pathname *pnp) 432 { 433 au_kcontext_t *kctx = SET_KCTX_PZ; 434 t_audit_data_t *tad; 435 436 if (kctx == NULL) { 437 zone_status_t zstate = zone_status_get(curproc->p_zone); 438 ASSERT(zstate != ZONE_IS_READY); 439 return; 440 } 441 442 tad = U2A(u); 443 /* 444 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 445 * chroot, chdir, open, creat system call processing. It determines 446 * if audit_savepath() will discard the path or we need it later. 447 * PAD_PATHFND means path already included in this audit record. It 448 * is used in cases where multiple path lookups are done per 449 * system call. The policy flag, AUDIT_PATH, controls if multiple 450 * paths are allowed. 451 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 452 * exit processing to inhibit any paths that may be added due to 453 * closes. 454 */ 455 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 456 ((tad->tad_ctrl & PAD_PATHFND) && 457 !(kctx->auk_policy & AUDIT_PATH)) || 458 (tad->tad_ctrl & PAD_NOPATH)) { 459 return; 460 } 461 462 return; 463 464 } /* AUDIT_ADDCOMPONENT */ 465 466 467 468 469 470 471 472 473 /* 474 * ROUTINE: AUDIT_ANCHORPATH 475 * PURPOSE: 476 * CALLBY: LOOKUPPN 477 * NOTE: 478 * anchor path at "/". We have seen a symbolic link or entering for the 479 * first time we will throw away any saved path if path is anchored. 480 * 481 * flag = 0, path is relative. 482 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 483 * 484 * If the (new) path is absolute, then we have to throw away whatever we have 485 * already accumulated since it is being superceeded by new path which is 486 * anchored at the root. 487 * Note that if the path is relative, this function does nothing 488 * TODO: 489 * QUESTION: 490 */ 491 /*ARGSUSED*/ 492 void 493 audit_anchorpath(struct pathname *pnp, int flag) 494 { 495 au_kcontext_t *kctx = SET_KCTX_PZ; 496 t_audit_data_t *tad; 497 498 if (kctx == NULL) { 499 zone_status_t zstate = zone_status_get(curproc->p_zone); 500 ASSERT(zstate != ZONE_IS_READY); 501 return; 502 } 503 504 tad = U2A(u); 505 506 /* 507 * this event being audited or do we need path information 508 * later? This might be for a chdir/chroot or open (add path 509 * to file pointer. If the path has already been found for an 510 * open/creat then we don't need to process the path. 511 * 512 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 513 * chroot, chdir, open, creat system call processing. It determines 514 * if audit_savepath() will discard the path or we need it later. 515 * PAD_PATHFND means path already included in this audit record. It 516 * is used in cases where multiple path lookups are done per 517 * system call. The policy flag, AUDIT_PATH, controls if multiple 518 * paths are allowed. 519 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 520 * exit processing to inhibit any paths that may be added due to 521 * closes. 522 */ 523 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 524 ((tad->tad_ctrl & PAD_PATHFND) && 525 !(kctx->auk_policy & AUDIT_PATH)) || 526 (tad->tad_ctrl & PAD_NOPATH)) { 527 return; 528 } 529 530 if (flag) { 531 tad->tad_ctrl |= PAD_ABSPATH; 532 if (tad->tad_aupath != NULL) { 533 au_pathrele(tad->tad_aupath); 534 tad->tad_aupath = NULL; 535 tad->tad_vn = NULL; 536 } 537 } 538 } 539 540 541 /* 542 * symbolic link. Save previous components. 543 * 544 * the path seen so far looks like this 545 * 546 * +-----------------------+----------------+ 547 * | path processed so far | remaining path | 548 * +-----------------------+----------------+ 549 * \-----------------------/ 550 * save this string if 551 * symbolic link relative 552 * (but don't include symlink component) 553 */ 554 555 /*ARGSUSED*/ 556 557 558 /* 559 * ROUTINE: AUDIT_SYMLINK 560 * PURPOSE: 561 * CALLBY: LOOKUPPN 562 * NOTE: 563 * TODO: 564 * QUESTION: 565 */ 566 void 567 audit_symlink(struct pathname *pnp, struct pathname *sympath) 568 { 569 char *sp; /* saved initial pp */ 570 char *cp; /* start of symlink path */ 571 uint_t len_path; /* processed path before symlink */ 572 t_audit_data_t *tad; 573 au_kcontext_t *kctx = SET_KCTX_PZ; 574 575 if (kctx == NULL) { 576 zone_status_t zstate = zone_status_get(curproc->p_zone); 577 ASSERT(zstate != ZONE_IS_READY); 578 return; 579 } 580 581 tad = U2A(u); 582 583 /* 584 * this event being audited or do we need path information 585 * later? This might be for a chdir/chroot or open (add path 586 * to file pointer. If the path has already been found for an 587 * open/creat then we don't need to process the path. 588 * 589 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 590 * chroot, chdir, open, creat system call processing. It determines 591 * if audit_savepath() will discard the path or we need it later. 592 * PAD_PATHFND means path already included in this audit record. It 593 * is used in cases where multiple path lookups are done per 594 * system call. The policy flag, AUDIT_PATH, controls if multiple 595 * paths are allowed. 596 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 597 * exit processing to inhibit any paths that may be added due to 598 * closes. 599 */ 600 if ((tad->tad_flag == 0 && 601 !(tad->tad_ctrl & PAD_SAVPATH)) || 602 ((tad->tad_ctrl & PAD_PATHFND) && 603 !(kctx->auk_policy & AUDIT_PATH)) || 604 (tad->tad_ctrl & PAD_NOPATH)) { 605 return; 606 } 607 608 /* 609 * if symbolic link is anchored at / then do nothing. 610 * When we cycle back to begin: in lookuppn() we will 611 * call audit_anchorpath() with a flag indicating if the 612 * path is anchored at / or is relative. We will release 613 * any saved path at that point. 614 * 615 * Note In the event that an error occurs in pn_combine then 616 * we want to remain pointing at the component that caused the 617 * path to overflow the pnp structure. 618 */ 619 if (sympath->pn_buf[0] == '/') 620 return; 621 622 /* backup over last component */ 623 sp = cp = pnp->pn_path; 624 while (*--cp != '/' && cp > pnp->pn_buf) 625 ; 626 627 len_path = cp - pnp->pn_buf; 628 629 /* is there anything to save? */ 630 if (len_path) { 631 pnp->pn_path = pnp->pn_buf; 632 audit_pathbuild(pnp); 633 pnp->pn_path = sp; 634 } 635 } 636 637 /* 638 * file_is_public : determine whether events for the file (corresponding to 639 * the specified file attr) should be audited or ignored. 640 * 641 * returns: 1 - if audit policy and file attributes indicate that 642 * file is effectively public. read events for 643 * the file should not be audited. 644 * 0 - otherwise 645 * 646 * The required attributes to be considered a public object are: 647 * - owned by root, AND 648 * - world-readable (permissions for other include read), AND 649 * - NOT world-writeable (permissions for other don't 650 * include write) 651 * (mode doesn't need to be checked for symlinks) 652 */ 653 int 654 file_is_public(struct vattr *attr) 655 { 656 au_kcontext_t *kctx = SET_KCTX_PZ; 657 658 if (kctx == NULL) { 659 zone_status_t zstate = zone_status_get(curproc->p_zone); 660 ASSERT(zstate != ZONE_IS_READY); 661 return (0); 662 } 663 664 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 665 ((attr->va_type == VLNK) || 666 ((attr->va_mode & (VREAD>>6)) != 0) && 667 ((attr->va_mode & (VWRITE>>6)) == 0))) { 668 return (1); 669 } 670 return (0); 671 } 672 673 674 /* 675 * ROUTINE: AUDIT_ATTRIBUTES 676 * PURPOSE: Audit the attributes so we can tell why the error occured 677 * CALLBY: AUDIT_SAVEPATH 678 * AUDIT_VNCREATE_FINISH 679 * AUS_FCHOWN...audit_event.c...audit_path.c 680 * NOTE: 681 * TODO: 682 * QUESTION: 683 */ 684 void 685 audit_attributes(struct vnode *vp) 686 { 687 struct vattr attr; 688 struct t_audit_data *tad; 689 690 tad = U2A(u); 691 692 if (vp) { 693 attr.va_mask = AT_ALL; 694 if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0) 695 return; 696 697 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 698 /* 699 * This is a public object and a "public" event 700 * (i.e., read only) -- either by definition 701 * (e.g., stat, access...) or by virtue of write access 702 * not being requested (e.g. mmap). 703 * Flag it in the tad to prevent this audit at the end. 704 */ 705 tad->tad_ctrl |= PAD_NOAUDIT; 706 } else { 707 au_uwrite(au_to_attr(&attr)); 708 audit_sec_attributes(&(u_ad), vp); 709 } 710 } 711 } 712 713 714 /* 715 * ROUTINE: AUDIT_FALLOC 716 * PURPOSE: allocating a new file structure 717 * CALLBY: FALLOC 718 * NOTE: file structure already initialized 719 * TODO: 720 * QUESTION: 721 */ 722 723 void 724 audit_falloc(struct file *fp) 725 { /* AUDIT_FALLOC */ 726 727 f_audit_data_t *fad; 728 729 /* allocate per file audit structure if there a'int any */ 730 ASSERT(F2A(fp) == NULL); 731 732 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 733 734 F2A(fp) = fad; 735 736 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 737 } 738 739 /* 740 * ROUTINE: AUDIT_UNFALLOC 741 * PURPOSE: deallocate file audit data structure 742 * CALLBY: CLOSEF 743 * UNFALLOC 744 * NOTE: 745 * TODO: 746 * QUESTION: 747 */ 748 749 void 750 audit_unfalloc(struct file *fp) 751 { 752 f_audit_data_t *fad; 753 754 fad = F2A(fp); 755 756 if (!fad) { 757 return; 758 } 759 if (fad->fad_aupath != NULL) { 760 au_pathrele(fad->fad_aupath); 761 } 762 fp->f_audit_data = 0; 763 kmem_free(fad, sizeof (struct f_audit_data)); 764 } 765 766 /* 767 * ROUTINE: AUDIT_EXIT 768 * PURPOSE: 769 * CALLBY: EXIT 770 * NOTE: 771 * TODO: 772 * QUESTION: why cmw code as offset by 2 but not here 773 */ 774 /* ARGSUSED */ 775 void 776 audit_exit(int code, int what) 777 { 778 struct t_audit_data *tad; 779 tad = U2A(u); 780 781 /* 782 * tad_scid will be set by audit_start even if we are not auditing 783 * the event. 784 */ 785 if (tad->tad_scid == SYS_exit) { 786 /* 787 * if we are auditing the exit system call, then complete 788 * audit record generation (no return from system call). 789 */ 790 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 791 audit_finish(0, SYS_exit, 0, 0); 792 return; 793 } 794 795 /* 796 * Anyone auditing the system call that was aborted? 797 */ 798 if (tad->tad_flag) { 799 au_uwrite(au_to_text("event aborted")); 800 audit_finish(0, tad->tad_scid, 0, 0); 801 } 802 803 /* 804 * Generate an audit record for process exit if preselected. 805 */ 806 (void) audit_start(0, SYS_exit, 0, 0); 807 audit_finish(0, SYS_exit, 0, 0); 808 } 809 810 /* 811 * ROUTINE: AUDIT_CORE_START 812 * PURPOSE: 813 * CALLBY: PSIG 814 * NOTE: 815 * TODO: 816 */ 817 void 818 audit_core_start(int sig) 819 { 820 au_event_t event; 821 au_state_t estate; 822 t_audit_data_t *tad; 823 au_kcontext_t *kctx; 824 825 tad = U2A(u); 826 827 ASSERT(tad != (t_audit_data_t *)0); 828 829 ASSERT(tad->tad_scid == 0); 830 ASSERT(tad->tad_event == 0); 831 ASSERT(tad->tad_evmod == 0); 832 ASSERT(tad->tad_ctrl == 0); 833 ASSERT(tad->tad_flag == 0); 834 ASSERT(tad->tad_aupath == NULL); 835 836 kctx = SET_KCTX_PZ; 837 838 if (kctx == NULL) { 839 zone_status_t zstate = zone_status_get(curproc->p_zone); 840 ASSERT(zstate != ZONE_IS_READY); 841 return; 842 } 843 844 /* get basic event for system call */ 845 event = AUE_CORE; 846 estate = kctx->auk_ets[event]; 847 848 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 849 return; 850 851 /* reset the flags for non-user attributable events */ 852 tad->tad_ctrl = PAD_CORE; 853 tad->tad_scid = 0; 854 855 /* if auditing not enabled, then don't generate an audit record */ 856 857 if (!((kctx->auk_auditstate == AUC_AUDITING || 858 kctx->auk_auditstate == AUC_INIT_AUDIT) || 859 kctx->auk_auditstate == AUC_NOSPACE)) { 860 tad->tad_flag = 0; 861 tad->tad_ctrl = 0; 862 return; 863 } 864 865 tad->tad_event = event; 866 tad->tad_evmod = 0; 867 868 ASSERT(tad->tad_ad == NULL); 869 870 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 871 } 872 873 /* 874 * ROUTINE: AUDIT_CORE_FINISH 875 * PURPOSE: 876 * CALLBY: PSIG 877 * NOTE: 878 * TODO: 879 * QUESTION: 880 */ 881 882 /*ARGSUSED*/ 883 void 884 audit_core_finish(int code) 885 { 886 int flag; 887 t_audit_data_t *tad; 888 au_kcontext_t *kctx; 889 890 tad = U2A(u); 891 892 ASSERT(tad != (t_audit_data_t *)0); 893 894 if ((flag = tad->tad_flag) == 0) { 895 tad->tad_event = 0; 896 tad->tad_evmod = 0; 897 tad->tad_ctrl = 0; 898 ASSERT(tad->tad_aupath == NULL); 899 return; 900 } 901 tad->tad_flag = 0; 902 903 kctx = SET_KCTX_PZ; 904 if (kctx == NULL) { 905 zone_status_t zstate = zone_status_get(curproc->p_zone); 906 ASSERT(zstate != ZONE_IS_READY); 907 return; 908 } 909 910 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 911 if (flag = audit_success(kctx, tad, 0)) { 912 cred_t *cr = CRED(); 913 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 914 915 ASSERT(ainfo != NULL); 916 917 /* 918 * Add subject information (no locks since our private copy of 919 * credential 920 */ 921 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 922 923 /* Add a return token (should use f argument) */ 924 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 925 926 AS_INC(as_generated, 1, kctx); 927 AS_INC(as_kernel, 1, kctx); 928 } 929 930 /* Close up everything */ 931 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 932 933 /* free up any space remaining with the path's */ 934 if (tad->tad_aupath != NULL) { 935 au_pathrele(tad->tad_aupath); 936 tad->tad_aupath = NULL; 937 tad->tad_vn = NULL; 938 } 939 tad->tad_event = 0; 940 tad->tad_evmod = 0; 941 tad->tad_ctrl = 0; 942 } 943 944 /*ARGSUSED*/ 945 void 946 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 947 { 948 } 949 950 /*ARGSUSED*/ 951 void 952 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 953 { 954 } 955 956 /*ARGSUSED*/ 957 void 958 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 959 int copyflag, cred_t *crp, int *rvalp) 960 { 961 } 962 963 964 /*ARGSUSED*/ 965 void 966 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 967 unsigned char *pri, int *flag, int fmode) 968 { 969 struct stdata *stp; 970 t_audit_data_t *tad = U2A(u); 971 972 ASSERT(tad != (t_audit_data_t *)0); 973 974 stp = vp->v_stream; 975 976 /* lock stdata from audit_sock */ 977 mutex_enter(&stp->sd_lock); 978 979 /* proceed ONLY if user is being audited */ 980 if (!tad->tad_flag) { 981 /* 982 * this is so we will not add audit data onto 983 * a thread that is not being audited. 984 */ 985 stp->sd_t_audit_data = NULL; 986 mutex_exit(&stp->sd_lock); 987 return; 988 } 989 990 stp->sd_t_audit_data = (caddr_t)curthread; 991 mutex_exit(&stp->sd_lock); 992 } 993 994 /*ARGSUSED*/ 995 void 996 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 997 unsigned char pri, int flag, int fmode) 998 { 999 struct stdata *stp; 1000 t_audit_data_t *tad = U2A(u); 1001 1002 ASSERT(tad != (t_audit_data_t *)0); 1003 1004 stp = vp->v_stream; 1005 1006 /* lock stdata from audit_sock */ 1007 mutex_enter(&stp->sd_lock); 1008 1009 /* proceed ONLY if user is being audited */ 1010 if (!tad->tad_flag) { 1011 /* 1012 * this is so we will not add audit data onto 1013 * a thread that is not being audited. 1014 */ 1015 stp->sd_t_audit_data = NULL; 1016 mutex_exit(&stp->sd_lock); 1017 return; 1018 } 1019 1020 stp->sd_t_audit_data = (caddr_t)curthread; 1021 mutex_exit(&stp->sd_lock); 1022 } 1023 1024 /* 1025 * ROUTINE: AUDIT_CLOSEF 1026 * PURPOSE: 1027 * CALLBY: CLOSEF 1028 * NOTE: 1029 * release per file audit resources when file structure is being released. 1030 * 1031 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 1032 * on the audit queue if it becomes full. This means 1033 * audit_closef can not be called when f_count == 0. Since 1034 * f_count == 0 indicates the file structure is free, another 1035 * process could attempt to use the file while we were still 1036 * asleep waiting on the audit queue. This would cause the 1037 * per file audit data to be corrupted when we finally do 1038 * wakeup. 1039 * TODO: 1040 * QUESTION: 1041 */ 1042 1043 void 1044 audit_closef(struct file *fp) 1045 { /* AUDIT_CLOSEF */ 1046 f_audit_data_t *fad; 1047 t_audit_data_t *tad; 1048 int success; 1049 au_state_t estate; 1050 struct vnode *vp; 1051 token_t *ad = NULL; 1052 struct vattr attr; 1053 short evmod = 0; 1054 const auditinfo_addr_t *ainfo; 1055 int getattr_ret; 1056 cred_t *cr; 1057 au_kcontext_t *kctx = SET_KCTX_PZ; 1058 1059 if (kctx == NULL) { 1060 zone_status_t zstate = zone_status_get(curproc->p_zone); 1061 ASSERT(zstate != ZONE_IS_READY); 1062 return; 1063 } 1064 1065 fad = F2A(fp); 1066 estate = kctx->auk_ets[AUE_CLOSE]; 1067 tad = U2A(u); 1068 cr = CRED(); 1069 1070 /* audit record already generated by system call envelope */ 1071 if (tad->tad_event == AUE_CLOSE) { 1072 /* so close audit event will have bits set */ 1073 tad->tad_evmod |= (short)fad->fad_flags; 1074 return; 1075 } 1076 1077 /* if auditing not enabled, then don't generate an audit record */ 1078 if (!((kctx->auk_auditstate == AUC_AUDITING || 1079 kctx->auk_auditstate == AUC_INIT_AUDIT) || 1080 kctx->auk_auditstate == AUC_NOSPACE)) 1081 return; 1082 1083 ainfo = crgetauinfo(cr); 1084 if (ainfo == NULL) 1085 return; 1086 1087 success = ainfo->ai_mask.as_success & estate; 1088 1089 /* not selected for this event */ 1090 if (success == 0) 1091 return; 1092 1093 /* 1094 * can't use audit_attributes here since we use a private audit area 1095 * to build the audit record instead of the one off the thread. 1096 */ 1097 if ((vp = fp->f_vnode) != NULL) { 1098 attr.va_mask = AT_ALL; 1099 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED()); 1100 } 1101 1102 /* 1103 * When write was not used and the file can be considered public, 1104 * then skip the audit. 1105 */ 1106 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 1107 if (file_is_public(&attr)) { 1108 return; 1109 } 1110 } 1111 1112 evmod = (short)fad->fad_flags; 1113 if (fad->fad_aupath != NULL) { 1114 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 1115 } else { 1116 #ifdef _LP64 1117 au_write((caddr_t *)&(ad), au_to_arg64( 1118 1, "no path: fp", (uint64_t)fp)); 1119 #else 1120 au_write((caddr_t *)&(ad), au_to_arg32( 1121 1, "no path: fp", (uint32_t)fp)); 1122 #endif 1123 } 1124 1125 if (getattr_ret == 0) { 1126 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1127 audit_sec_attributes((caddr_t *)&(ad), vp); 1128 } 1129 1130 /* Add subject information */ 1131 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1132 1133 /* add a return token */ 1134 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 1135 1136 AS_INC(as_generated, 1, kctx); 1137 AS_INC(as_kernel, 1, kctx); 1138 1139 /* 1140 * Close up everything 1141 * Note: path space recovery handled by normal system 1142 * call envelope if not at last close. 1143 * Note there is no failure at this point since 1144 * this represents closes due to exit of process, 1145 * thus we always indicate successful closes. 1146 */ 1147 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 1148 AUE_CLOSE, evmod); 1149 } 1150 1151 /* 1152 * ROUTINE: AUDIT_SET 1153 * PURPOSE: Audit the file path and file attributes. 1154 * CALLBY: SETF 1155 * NOTE: SETF associate a file pointer with user area's open files. 1156 * TODO: 1157 * call audit_finish directly ??? 1158 * QUESTION: 1159 */ 1160 1161 /*ARGSUSED*/ 1162 void 1163 audit_setf(file_t *fp, int fd) 1164 { 1165 f_audit_data_t *fad; 1166 t_audit_data_t *tad; 1167 1168 if (fp == NULL) 1169 return; 1170 1171 tad = T2A(curthread); 1172 fad = F2A(fp); 1173 1174 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 1175 tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 1176 tad->tad_scid == SYS_fsat)) 1177 return; 1178 1179 /* no path */ 1180 if (tad->tad_aupath == 0) 1181 return; 1182 1183 /* 1184 * assign path information associated with file audit data 1185 * use tad hold 1186 */ 1187 fad->fad_aupath = tad->tad_aupath; 1188 tad->tad_aupath = NULL; 1189 tad->tad_vn = NULL; 1190 1191 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 1192 /* adjust event type */ 1193 switch (tad->tad_event) { 1194 case AUE_OPEN_RC: 1195 tad->tad_event = AUE_OPEN_R; 1196 tad->tad_ctrl |= PAD_PUBLIC_EV; 1197 break; 1198 case AUE_OPEN_RTC: 1199 tad->tad_event = AUE_OPEN_RT; 1200 break; 1201 case AUE_OPEN_WC: 1202 tad->tad_event = AUE_OPEN_W; 1203 break; 1204 case AUE_OPEN_WTC: 1205 tad->tad_event = AUE_OPEN_WT; 1206 break; 1207 case AUE_OPEN_RWC: 1208 tad->tad_event = AUE_OPEN_RW; 1209 break; 1210 case AUE_OPEN_RWTC: 1211 tad->tad_event = AUE_OPEN_RWT; 1212 break; 1213 default: 1214 break; 1215 } 1216 } 1217 } 1218 1219 1220 /* 1221 * ROUTINE: AUDIT_COPEN 1222 * PURPOSE: 1223 * CALLBY: COPEN 1224 * NOTE: 1225 * TODO: 1226 * QUESTION: 1227 */ 1228 /*ARGSUSED*/ 1229 void 1230 audit_copen(int fd, file_t *fp, vnode_t *vp) 1231 { 1232 } 1233 1234 void 1235 audit_ipc(int type, int id, void *vp) 1236 { 1237 /* if not auditing this event, then do nothing */ 1238 if (ad_flag == 0) 1239 return; 1240 1241 switch (type) { 1242 case AT_IPC_MSG: 1243 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1244 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1245 break; 1246 case AT_IPC_SEM: 1247 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1248 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1249 break; 1250 case AT_IPC_SHM: 1251 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 1252 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1253 break; 1254 } 1255 } 1256 1257 void 1258 audit_ipcget(int type, void *vp) 1259 { 1260 /* if not auditing this event, then do nothing */ 1261 if (ad_flag == 0) 1262 return; 1263 1264 switch (type) { 1265 case NULL: 1266 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 1267 break; 1268 case AT_IPC_MSG: 1269 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1270 break; 1271 case AT_IPC_SEM: 1272 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1273 break; 1274 case AT_IPC_SHM: 1275 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1276 break; 1277 } 1278 } 1279 1280 /* 1281 * ROUTINE: AUDIT_REBOOT 1282 * PURPOSE: 1283 * CALLBY: 1284 * NOTE: 1285 * At this point we know that the system call reboot will not return. We thus 1286 * have to complete the audit record generation and put it onto the queue. 1287 * This might be fairly useless if the auditing daemon is already dead.... 1288 * TODO: 1289 * QUESTION: who calls audit_reboot 1290 */ 1291 1292 void 1293 audit_reboot(void) 1294 { 1295 int flag; 1296 t_audit_data_t *tad; 1297 au_kcontext_t *kctx = SET_KCTX_PZ; 1298 1299 if (kctx == NULL) { 1300 zone_status_t zstate = zone_status_get(curproc->p_zone); 1301 ASSERT(zstate != ZONE_IS_READY); 1302 return; 1303 } 1304 1305 tad = U2A(u); 1306 1307 /* if not auditing this event, then do nothing */ 1308 if (tad->tad_flag == 0) 1309 return; 1310 1311 /* do preselection on success/failure */ 1312 if (flag = audit_success(kctx, tad, 0)) { 1313 /* add a process token */ 1314 1315 cred_t *cr = CRED(); 1316 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1317 1318 if (ainfo == NULL) 1319 return; 1320 1321 /* Add subject information */ 1322 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1323 1324 /* add a return token */ 1325 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1326 1327 AS_INC(as_generated, 1, kctx); 1328 AS_INC(as_kernel, 1, kctx); 1329 } 1330 1331 /* 1332 * Flow control useless here since we're going 1333 * to drop everything in the queue anyway. Why 1334 * block and wait. There aint anyone left alive to 1335 * read the records remaining anyway. 1336 */ 1337 1338 /* Close up everything */ 1339 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1340 tad->tad_event, tad->tad_evmod); 1341 } 1342 1343 void 1344 audit_setfsat_path(int argnum) 1345 { 1346 klwp_id_t clwp = ttolwp(curthread); 1347 struct file *fp; 1348 uint32_t fd; 1349 t_audit_data_t *tad; 1350 struct f_audit_data *fad; 1351 p_audit_data_t *pad; /* current process */ 1352 1353 struct b { 1354 long arg1; 1355 long arg2; 1356 long arg3; 1357 long arg4; 1358 long arg5; 1359 } *uap1; 1360 1361 if (clwp == NULL) 1362 return; 1363 uap1 = (struct b *)&clwp->lwp_ap[1]; 1364 1365 tad = U2A(u); 1366 1367 ASSERT(tad != NULL); 1368 1369 if (tad->tad_scid != SYS_fsat) 1370 return; 1371 1372 switch (argnum) { 1373 case 1: 1374 fd = (uint32_t)uap1->arg1; 1375 break; 1376 case 2: 1377 fd = (uint32_t)uap1->arg2; 1378 break; 1379 case 3: 1380 fd = (uint32_t)uap1->arg3; 1381 break; 1382 case 4: 1383 fd = (uint32_t)uap1->arg4; 1384 break; 1385 case 5: 1386 fd = (uint32_t)uap1->arg5; 1387 break; 1388 default: 1389 return; 1390 } 1391 1392 if (tad->tad_atpath != NULL) { 1393 au_pathrele(tad->tad_atpath); 1394 tad->tad_atpath = NULL; 1395 } 1396 if (fd != AT_FDCWD) { 1397 if ((fp = getf(fd)) == NULL) 1398 return; 1399 1400 fad = F2A(fp); 1401 ASSERT(fad); 1402 au_pathhold(fad->fad_aupath); 1403 tad->tad_atpath = fad->fad_aupath; 1404 releasef(fd); 1405 } else { 1406 pad = P2A(curproc); 1407 mutex_enter(&pad->pad_lock); 1408 au_pathhold(pad->pad_cwd); 1409 tad->tad_atpath = pad->pad_cwd; 1410 mutex_exit(&pad->pad_lock); 1411 } 1412 } 1413 1414 void 1415 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1416 { 1417 t_audit_data_t *tad; 1418 vnode_t *vp; 1419 1420 tad = U2A(u); 1421 1422 /* if not auditing this event, then do nothing */ 1423 if (tad->tad_flag == 0) 1424 return; 1425 1426 au_uwrite(au_to_text(target)); 1427 1428 if (error) 1429 return; 1430 1431 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED()); 1432 if (error == 0) { 1433 audit_attributes(vp); 1434 VN_RELE(vp); 1435 } 1436 } 1437 1438 /* 1439 * ROUTINE: AUDIT_VNCREATE_START 1440 * PURPOSE: set flag so path name lookup in create will not add attribute 1441 * CALLBY: VN_CREATE 1442 * NOTE: 1443 * TODO: 1444 * QUESTION: 1445 */ 1446 1447 void 1448 audit_vncreate_start() 1449 { 1450 t_audit_data_t *tad; 1451 1452 tad = U2A(u); 1453 tad->tad_ctrl |= PAD_NOATTRB; 1454 } 1455 1456 /* 1457 * ROUTINE: AUDIT_VNCREATE_FINISH 1458 * PURPOSE: 1459 * CALLBY: VN_CREATE 1460 * NOTE: 1461 * TODO: 1462 * QUESTION: 1463 */ 1464 void 1465 audit_vncreate_finish(struct vnode *vp, int error) 1466 { 1467 t_audit_data_t *tad; 1468 1469 if (error) 1470 return; 1471 1472 tad = U2A(u); 1473 1474 /* if not auditing this event, then do nothing */ 1475 if (tad->tad_flag == 0) 1476 return; 1477 1478 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1479 audit_attributes(vp); 1480 } 1481 1482 if (tad->tad_ctrl & PAD_CORE) { 1483 audit_attributes(vp); 1484 tad->tad_ctrl &= ~PAD_CORE; 1485 } 1486 1487 if (!error && ((tad->tad_event == AUE_MKNOD) || 1488 (tad->tad_event == AUE_MKDIR))) { 1489 audit_attributes(vp); 1490 } 1491 1492 /* for case where multiple lookups in one syscall (rename) */ 1493 tad->tad_ctrl &= ~PAD_NOATTRB; 1494 } 1495 1496 1497 1498 1499 1500 1501 1502 1503 /* 1504 * ROUTINE: AUDIT_EXEC 1505 * PURPOSE: Records the function arguments and environment variables 1506 * CALLBY: EXEC_ARGS 1507 * NOTE: 1508 * TODO: 1509 * QUESTION: 1510 */ 1511 1512 /*ARGSUSED*/ 1513 void 1514 audit_exec( 1515 const char *argstr, /* argument strings */ 1516 const char *envstr, /* environment strings */ 1517 ssize_t argc, /* total # arguments */ 1518 ssize_t envc) /* total # environment variables */ 1519 { 1520 t_audit_data_t *tad; 1521 au_kcontext_t *kctx = SET_KCTX_PZ; 1522 1523 ASSERT(kctx != NULL); 1524 1525 tad = U2A(u); 1526 1527 /* if not auditing this event, then do nothing */ 1528 if (!tad->tad_flag) 1529 return; 1530 1531 /* return if not interested in argv or environment variables */ 1532 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1533 return; 1534 1535 if (kctx->auk_policy & AUDIT_ARGV) { 1536 au_uwrite(au_to_exec_args(argstr, argc)); 1537 } 1538 1539 if (kctx->auk_policy & AUDIT_ARGE) { 1540 au_uwrite(au_to_exec_env(envstr, envc)); 1541 } 1542 } 1543 1544 /* 1545 * ROUTINE: AUDIT_ENTERPROM 1546 * PURPOSE: 1547 * CALLBY: KBDINPUT 1548 * ZSA_XSINT 1549 * NOTE: 1550 * TODO: 1551 * QUESTION: 1552 */ 1553 void 1554 audit_enterprom(int flg) 1555 { 1556 token_t *rp = NULL; 1557 int sorf; 1558 1559 if (flg) 1560 sorf = AUM_SUCC; 1561 else 1562 sorf = AUM_FAIL; 1563 1564 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1565 1566 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1567 1568 if (flg) 1569 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1570 else 1571 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1572 1573 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 1574 } 1575 1576 1577 /* 1578 * ROUTINE: AUDIT_EXITPROM 1579 * PURPOSE: 1580 * CALLBY: KBDINPUT 1581 * ZSA_XSINT 1582 * NOTE: 1583 * TODO: 1584 * QUESTION: 1585 */ 1586 void 1587 audit_exitprom(int flg) 1588 { 1589 int sorf; 1590 token_t *rp = NULL; 1591 1592 if (flg) 1593 sorf = AUM_SUCC; 1594 else 1595 sorf = AUM_FAIL; 1596 1597 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1598 1599 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1600 1601 if (flg) 1602 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1603 else 1604 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1605 1606 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 1607 } 1608 1609 struct fcntla { 1610 int fdes; 1611 int cmd; 1612 intptr_t arg; 1613 }; 1614 1615 /* 1616 * ROUTINE: AUDIT_C2_REVOKE 1617 * PURPOSE: 1618 * CALLBY: FCNTL 1619 * NOTE: 1620 * TODO: 1621 * QUESTION: are we keeping this func 1622 */ 1623 1624 /*ARGSUSED*/ 1625 int 1626 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1627 { 1628 return (0); 1629 } 1630 1631 1632 /* 1633 * ROUTINE: AUDIT_CHDIREC 1634 * PURPOSE: 1635 * CALLBY: CHDIREC 1636 * NOTE: The main function of CHDIREC 1637 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1638 * QUESTION: 1639 */ 1640 1641 /*ARGSUSED*/ 1642 void 1643 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1644 { 1645 int chdir; 1646 int fchdir; 1647 struct audit_path **appp; 1648 struct file *fp; 1649 f_audit_data_t *fad; 1650 p_audit_data_t *pad = P2A(curproc); 1651 t_audit_data_t *tad = T2A(curthread); 1652 1653 struct a { 1654 long fd; 1655 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1656 1657 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1658 chdir = tad->tad_scid == SYS_chdir; 1659 if (tad->tad_aupath) { 1660 mutex_enter(&pad->pad_lock); 1661 if (chdir) 1662 appp = &(pad->pad_cwd); 1663 else 1664 appp = &(pad->pad_root); 1665 au_pathrele(*appp); 1666 /* use tad hold */ 1667 *appp = tad->tad_aupath; 1668 tad->tad_aupath = NULL; 1669 mutex_exit(&pad->pad_lock); 1670 } 1671 } else if ((tad->tad_scid == SYS_fchdir) || 1672 (tad->tad_scid == SYS_fchroot)) { 1673 fchdir = tad->tad_scid == SYS_fchdir; 1674 if ((fp = getf(uap->fd)) == NULL) 1675 return; 1676 fad = F2A(fp); 1677 if (fad->fad_aupath) { 1678 au_pathhold(fad->fad_aupath); 1679 mutex_enter(&pad->pad_lock); 1680 if (fchdir) 1681 appp = &(pad->pad_cwd); 1682 else 1683 appp = &(pad->pad_root); 1684 au_pathrele(*appp); 1685 *appp = fad->fad_aupath; 1686 mutex_exit(&pad->pad_lock); 1687 if (tad->tad_flag) { 1688 au_uwrite(au_to_path(fad->fad_aupath)); 1689 audit_attributes(fp->f_vnode); 1690 } 1691 } 1692 releasef(uap->fd); 1693 } 1694 } 1695 1696 /* 1697 * ROUTINE: AUDIT_GETF 1698 * PURPOSE: 1699 * CALLBY: GETF_INTERNAL 1700 * NOTE: The main function of GETF_INTERNAL is to associate a given 1701 * file descriptor with a file structure and increment the 1702 * file pointer reference count. 1703 * TODO: remove pass in of fpp. 1704 * increment a reference count so that even if a thread with same process delete 1705 * the same object, it will not panic our system 1706 * QUESTION: 1707 * where to decrement the f_count????????????????? 1708 * seems like I need to set a flag if f_count incrmented through audit_getf 1709 */ 1710 1711 /*ARGSUSED*/ 1712 int 1713 audit_getf(int fd) 1714 { 1715 #ifdef NOTYET 1716 t_audit_data_t *tad; 1717 1718 tad = T2A(curthread); 1719 1720 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 1721 return; 1722 #endif 1723 return (0); 1724 } 1725 1726 /* 1727 * Audit hook for stream based socket and tli request. 1728 * Note that we do not have user context while executing 1729 * this code so we had to record them earlier during the 1730 * putmsg/getmsg to figure out which user we are dealing with. 1731 */ 1732 1733 /*ARGSUSED*/ 1734 void 1735 audit_sock( 1736 int type, /* type of tihdr.h header requests */ 1737 queue_t *q, /* contains the process and thread audit data */ 1738 mblk_t *mp, /* contains the tihdr.h header structures */ 1739 int from) /* timod or sockmod request */ 1740 { 1741 int32_t len; 1742 int32_t offset; 1743 struct sockaddr_in *sock_data; 1744 struct T_conn_req *conn_req; 1745 struct T_conn_ind *conn_ind; 1746 struct T_unitdata_req *unitdata_req; 1747 struct T_unitdata_ind *unitdata_ind; 1748 au_state_t estate; 1749 t_audit_data_t *tad; 1750 caddr_t saved_thread_ptr; 1751 au_mask_t amask; 1752 const auditinfo_addr_t *ainfo; 1753 au_kcontext_t *kctx; 1754 zone_status_t zstate; 1755 1756 if (q->q_stream == NULL) 1757 return; 1758 mutex_enter(&q->q_stream->sd_lock); 1759 /* are we being audited */ 1760 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1761 /* no pointer to thread, nothing to do */ 1762 if (saved_thread_ptr == NULL) { 1763 mutex_exit(&q->q_stream->sd_lock); 1764 return; 1765 } 1766 /* only allow one addition of a record token */ 1767 q->q_stream->sd_t_audit_data = NULL; 1768 /* 1769 * thread is not the one being audited, then nothing to do 1770 * This could be the stream thread handling the module 1771 * service routine. In this case, the context for the audit 1772 * record can no longer be assumed. Simplest to just drop 1773 * the operation. 1774 */ 1775 if (curthread != (kthread_id_t)saved_thread_ptr) { 1776 mutex_exit(&q->q_stream->sd_lock); 1777 return; 1778 } 1779 if (curthread->t_sysnum >= SYS_so_socket && 1780 curthread->t_sysnum <= SYS_sockconfig) { 1781 mutex_exit(&q->q_stream->sd_lock); 1782 return; 1783 } 1784 mutex_exit(&q->q_stream->sd_lock); 1785 /* 1786 * we know that the thread that did the put/getmsg is the 1787 * one running. Now we can get the TAD and see if we should 1788 * add an audit token. 1789 */ 1790 tad = U2A(u); 1791 1792 kctx = SET_KCTX_PZ; 1793 if (kctx == NULL) { 1794 zstate = zone_status_get(curproc->p_zone); 1795 ASSERT(zstate != ZONE_IS_READY); 1796 return; 1797 } 1798 1799 /* proceed ONLY if user is being audited */ 1800 if (!tad->tad_flag) 1801 return; 1802 1803 ainfo = crgetauinfo(CRED()); 1804 if (ainfo == NULL) 1805 return; 1806 amask = ainfo->ai_mask; 1807 1808 /* 1809 * Figure out the type of stream networking request here. 1810 * Note that getmsg and putmsg are always preselected 1811 * because during the beginning of the system call we have 1812 * not yet figure out which of the socket or tli request 1813 * we are looking at until we are here. So we need to check 1814 * against that specific request and reset the type of event. 1815 */ 1816 switch (type) { 1817 case T_CONN_REQ: /* connection request */ 1818 conn_req = (struct T_conn_req *)mp->b_rptr; 1819 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1820 return; 1821 offset = conn_req->DEST_offset; 1822 len = conn_req->DEST_length; 1823 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1824 if (amask.as_success & estate || amask.as_failure & estate) { 1825 tad->tad_event = AUE_SOCKCONNECT; 1826 break; 1827 } else { 1828 return; 1829 } 1830 case T_CONN_IND: /* connectionless receive request */ 1831 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1832 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1833 return; 1834 offset = conn_ind->SRC_offset; 1835 len = conn_ind->SRC_length; 1836 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1837 if (amask.as_success & estate || amask.as_failure & estate) { 1838 tad->tad_event = AUE_SOCKACCEPT; 1839 break; 1840 } else { 1841 return; 1842 } 1843 case T_UNITDATA_REQ: /* connectionless send request */ 1844 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1845 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1846 return; 1847 offset = unitdata_req->DEST_offset; 1848 len = unitdata_req->DEST_length; 1849 estate = kctx->auk_ets[AUE_SOCKSEND]; 1850 if (amask.as_success & estate || amask.as_failure & estate) { 1851 tad->tad_event = AUE_SOCKSEND; 1852 break; 1853 } else { 1854 return; 1855 } 1856 case T_UNITDATA_IND: /* connectionless receive request */ 1857 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1858 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1859 return; 1860 offset = unitdata_ind->SRC_offset; 1861 len = unitdata_ind->SRC_length; 1862 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1863 if (amask.as_success & estate || amask.as_failure & estate) { 1864 tad->tad_event = AUE_SOCKRECEIVE; 1865 break; 1866 } else { 1867 return; 1868 } 1869 default: 1870 return; 1871 } 1872 1873 /* 1874 * we are only interested in tcp stream connections, 1875 * not unix domain stuff 1876 */ 1877 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1878 tad->tad_event = AUE_GETMSG; 1879 return; 1880 } 1881 /* skip over TPI header and point to the ip address */ 1882 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1883 1884 switch (sock_data->sin_family) { 1885 case AF_INET: 1886 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1887 break; 1888 default: /* reset to AUE_PUTMSG if not a inet request */ 1889 tad->tad_event = AUE_GETMSG; 1890 break; 1891 } 1892 } 1893 1894 void 1895 audit_lookupname() 1896 { 1897 } 1898 1899 /*ARGSUSED*/ 1900 int 1901 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1902 { 1903 return (0); 1904 } 1905 1906 static void 1907 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1908 { 1909 unsigned int sy_flags; 1910 1911 #ifdef _SYSCALL32_IMPL 1912 if (lwp_getdatamodel( 1913 ttolwp(curthread)) == DATAMODEL_NATIVE) 1914 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1915 else 1916 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1917 #else 1918 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1919 #endif 1920 1921 if (sy_flags == SE_64RVAL) 1922 au_write(ad, au_to_return64(err, rval)); 1923 else 1924 au_write(ad, au_to_return32(err, rval)); 1925 1926 } 1927 1928 /*ARGSUSED*/ 1929 void 1930 audit_fdsend(fd, fp, error) 1931 int fd; 1932 struct file *fp; 1933 int error; /* ignore for now */ 1934 { 1935 t_audit_data_t *tad; /* current thread */ 1936 f_audit_data_t *fad; /* per file audit structure */ 1937 struct vnode *vp; /* for file attributes */ 1938 1939 /* is this system call being audited */ 1940 tad = U2A(u); 1941 ASSERT(tad != (t_audit_data_t *)0); 1942 if (!tad->tad_flag) 1943 return; 1944 1945 fad = F2A(fp); 1946 1947 /* add path and file attributes */ 1948 if (fad != NULL && fad->fad_aupath != NULL) { 1949 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1950 au_uwrite(au_to_path(fad->fad_aupath)); 1951 } else { 1952 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1953 #ifdef _LP64 1954 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1955 #else 1956 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1957 #endif 1958 } 1959 vp = fp->f_vnode; /* include vnode attributes */ 1960 audit_attributes(vp); 1961 } 1962 1963 /* 1964 * Record privileges sucessfully used and we attempted to use but 1965 * didn't have. 1966 */ 1967 void 1968 audit_priv(int priv, const priv_set_t *set, int flag) 1969 { 1970 t_audit_data_t *tad; 1971 int sbit; 1972 priv_set_t *target; 1973 1974 /* Make sure this isn't being called in an interrupt context */ 1975 ASSERT(servicing_interrupt() == 0); 1976 1977 tad = U2A(u); 1978 1979 if (tad->tad_flag == 0) 1980 return; 1981 1982 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1983 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1984 1985 /* Tell audit_success() and audit_finish() that we saw this case */ 1986 if (!(tad->tad_evmod & sbit)) { 1987 /* Clear set first time around */ 1988 priv_emptyset(target); 1989 tad->tad_evmod |= sbit; 1990 } 1991 1992 /* Save the privileges in the tad */ 1993 if (priv == PRIV_ALL) { 1994 priv_fillset(target); 1995 } else { 1996 ASSERT(set != NULL || priv != PRIV_NONE); 1997 if (set != NULL) 1998 priv_union(set, target); 1999 if (priv != PRIV_NONE) 2000 priv_addset(target, priv); 2001 } 2002 } 2003 2004 /* 2005 * Audit the setpriv() system call; the operation, the set name and 2006 * the current value as well as the set argument are put in the 2007 * audit trail. 2008 */ 2009 void 2010 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 2011 { 2012 t_audit_data_t *tad; 2013 const priv_set_t *oldpriv; 2014 priv_set_t report; 2015 const char *setname; 2016 2017 tad = U2A(u); 2018 2019 if (tad->tad_flag == 0) 2020 return; 2021 2022 oldpriv = priv_getset(ocr, set); 2023 2024 /* Generate the actual record, include the before and after */ 2025 au_uwrite(au_to_arg32(2, "op", op)); 2026 setname = priv_getsetbynum(set); 2027 2028 switch (op) { 2029 case PRIV_OFF: 2030 /* Report privileges actually switched off */ 2031 report = *oldpriv; 2032 priv_intersect(newpriv, &report); 2033 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 2034 break; 2035 case PRIV_ON: 2036 /* Report privileges actually switched on */ 2037 report = *oldpriv; 2038 priv_inverse(&report); 2039 priv_intersect(newpriv, &report); 2040 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 2041 break; 2042 case PRIV_SET: 2043 /* Report before and after */ 2044 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 2045 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 2046 break; 2047 } 2048 } 2049 2050 /* 2051 * Dump the full device policy setting in the audit trail. 2052 */ 2053 void 2054 audit_devpolicy(int nitems, const devplcysys_t *items) 2055 { 2056 t_audit_data_t *tad; 2057 int i; 2058 2059 tad = U2A(u); 2060 2061 if (tad->tad_flag == 0) 2062 return; 2063 2064 for (i = 0; i < nitems; i++) { 2065 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 2066 if (items[i].dps_minornm[0] == '\0') { 2067 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 2068 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 2069 } else 2070 au_uwrite(au_to_text(items[i].dps_minornm)); 2071 2072 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 2073 AUT_PRIV, 0)); 2074 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 2075 AUT_PRIV, 0)); 2076 } 2077 } 2078 2079 /*ARGSUSED*/ 2080 void 2081 audit_fdrecv(fd, fp) 2082 int fd; 2083 struct file *fp; 2084 { 2085 t_audit_data_t *tad; /* current thread */ 2086 f_audit_data_t *fad; /* per file audit structure */ 2087 struct vnode *vp; /* for file attributes */ 2088 2089 /* is this system call being audited */ 2090 tad = U2A(u); 2091 ASSERT(tad != (t_audit_data_t *)0); 2092 if (!tad->tad_flag) 2093 return; 2094 2095 fad = F2A(fp); 2096 2097 /* add path and file attributes */ 2098 if (fad != NULL && fad->fad_aupath != NULL) { 2099 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2100 au_uwrite(au_to_path(fad->fad_aupath)); 2101 } else { 2102 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2103 #ifdef _LP64 2104 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 2105 #else 2106 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 2107 #endif 2108 } 2109 vp = fp->f_vnode; /* include vnode attributes */ 2110 audit_attributes(vp); 2111 } 2112 2113 /* 2114 * ROUTINE: AUDIT_CRYPTOADM 2115 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 2116 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 2117 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 2118 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 2119 * CRYPTO_LOAD_DOOR 2120 * NOTE: 2121 * TODO: 2122 * QUESTION: 2123 */ 2124 2125 void 2126 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 2127 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 2128 { 2129 boolean_t mech_list_required = B_FALSE; 2130 cred_t *cr = CRED(); 2131 t_audit_data_t *tad; 2132 token_t *ad = NULL; 2133 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2134 char buffer[MAXNAMELEN * 2]; 2135 au_kcontext_t *kctx = SET_KCTX_PZ; 2136 2137 ASSERT(kctx != NULL); 2138 2139 tad = U2A(u); 2140 if (tad == NULL) 2141 return; 2142 2143 if (ainfo == NULL) 2144 return; 2145 2146 tad->tad_event = AUE_CRYPTOADM; 2147 2148 if (audit_success(kctx, tad, error) != AU_OK) 2149 return; 2150 2151 /* Add subject information */ 2152 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 2153 2154 switch (cmd) { 2155 case CRYPTO_LOAD_DEV_DISABLED: 2156 if (error == 0 && rv == CRYPTO_SUCCESS) { 2157 (void) snprintf(buffer, sizeof (buffer), 2158 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 2159 " dev_instance=%d", 2160 module_name, device_instance); 2161 mech_list_required = B_TRUE; 2162 } else { 2163 (void) snprintf(buffer, sizeof (buffer), 2164 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 2165 } 2166 break; 2167 2168 case CRYPTO_LOAD_SOFT_DISABLED: 2169 if (error == 0 && rv == CRYPTO_SUCCESS) { 2170 (void) snprintf(buffer, sizeof (buffer), 2171 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 2172 module_name); 2173 mech_list_required = B_TRUE; 2174 } else { 2175 (void) snprintf(buffer, sizeof (buffer), 2176 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 2177 } 2178 break; 2179 2180 case CRYPTO_UNLOAD_SOFT_MODULE: 2181 if (error == 0 && rv == CRYPTO_SUCCESS) { 2182 (void) snprintf(buffer, sizeof (buffer), 2183 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 2184 module_name); 2185 } else { 2186 (void) snprintf(buffer, sizeof (buffer), 2187 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 2188 } 2189 break; 2190 2191 case CRYPTO_LOAD_SOFT_CONFIG: 2192 if (error == 0 && rv == CRYPTO_SUCCESS) { 2193 (void) snprintf(buffer, sizeof (buffer), 2194 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 2195 module_name); 2196 mech_list_required = B_TRUE; 2197 } else { 2198 (void) snprintf(buffer, sizeof (buffer), 2199 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 2200 } 2201 break; 2202 2203 case CRYPTO_POOL_CREATE: 2204 (void) snprintf(buffer, sizeof (buffer), 2205 "op=CRYPTO_POOL_CREATE"); 2206 break; 2207 2208 case CRYPTO_POOL_WAIT: 2209 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 2210 break; 2211 2212 case CRYPTO_POOL_RUN: 2213 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 2214 break; 2215 2216 case CRYPTO_LOAD_DOOR: 2217 if (error == 0 && rv == CRYPTO_SUCCESS) 2218 (void) snprintf(buffer, sizeof (buffer), 2219 "op=CRYPTO_LOAD_DOOR"); 2220 else 2221 (void) snprintf(buffer, sizeof (buffer), 2222 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 2223 break; 2224 2225 default: 2226 return; 2227 } 2228 2229 au_write((caddr_t *)&ad, au_to_text(buffer)); 2230 2231 if (mech_list_required) { 2232 int i; 2233 2234 if (mech_count == 0) { 2235 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 2236 } else { 2237 char *pb = buffer; 2238 size_t l = sizeof (buffer); 2239 size_t n; 2240 char space[2] = ":"; 2241 2242 n = snprintf(pb, l, "mech="); 2243 2244 for (i = 0; i < mech_count; i++) { 2245 pb += n; 2246 l -= n; 2247 if (l < 0) 2248 l = 0; 2249 2250 if (i == mech_count - 1) 2251 (void) strcpy(space, ""); 2252 2253 n = snprintf(pb, l, "%s%s", mech_names[i], 2254 space); 2255 } 2256 au_write((caddr_t *)&ad, au_to_text(buffer)); 2257 } 2258 } 2259 2260 /* add a return token */ 2261 if (error || (rv != CRYPTO_SUCCESS)) 2262 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2263 else 2264 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2265 2266 AS_INC(as_generated, 1, kctx); 2267 AS_INC(as_kernel, 1, kctx); 2268 2269 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 2270 } 2271 2272 /* 2273 * Audit the kernel SSL administration command. The address and the 2274 * port number for the SSL instance, and the proxy port are put in the 2275 * audit trail. 2276 */ 2277 void 2278 audit_kssl(int cmd, void *params, int error) 2279 { 2280 cred_t *cr = CRED(); 2281 t_audit_data_t *tad; 2282 token_t *ad = NULL; 2283 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2284 au_kcontext_t *kctx = SET_KCTX_PZ; 2285 2286 ASSERT(kctx != NULL); 2287 tad = U2A(u); 2288 2289 if (ainfo == NULL) 2290 return; 2291 2292 tad->tad_event = AUE_CONFIGKSSL; 2293 2294 if (audit_success(kctx, tad, error) != AU_OK) 2295 return; 2296 2297 /* Add subject information */ 2298 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2299 2300 switch (cmd) { 2301 case KSSL_ADD_ENTRY: { 2302 char buf[32]; 2303 kssl_params_t *kp = (kssl_params_t *)params; 2304 struct sockaddr_in *saddr = &(kp->kssl_addr); 2305 2306 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2307 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2308 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2309 saddr->sin_port); 2310 au_write((caddr_t *)&ad, au_to_text(buf)); 2311 2312 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2313 kp->kssl_proxy_port); 2314 au_write((caddr_t *)&ad, au_to_text(buf)); 2315 break; 2316 } 2317 2318 case KSSL_DELETE_ENTRY: { 2319 char buf[32]; 2320 struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2321 2322 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2323 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2324 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2325 saddr->sin_port); 2326 au_write((caddr_t *)&ad, au_to_text(buf)); 2327 break; 2328 } 2329 2330 default: 2331 return; 2332 } 2333 2334 /* add a return token */ 2335 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2336 2337 AS_INC(as_generated, 1, kctx); 2338 AS_INC(as_kernel, 1, kctx); 2339 2340 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2341 } 2342 2343 /* 2344 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2345 * PURPOSE: Add security attributes 2346 * CALLBY: AUDIT_ATTRIBUTES 2347 * AUDIT_CLOSEF 2348 * AUS_CLOSE 2349 * NOTE: 2350 * TODO: 2351 * QUESTION: 2352 */ 2353 2354 void 2355 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2356 { 2357 /* Dump the SL */ 2358 if (is_system_labeled()) { 2359 ts_label_t *tsl; 2360 bslabel_t *bsl; 2361 2362 tsl = getflabel(vp); 2363 if (tsl == NULL) 2364 return; /* nothing else to do */ 2365 2366 bsl = label2bslabel(tsl); 2367 if (bsl == NULL) 2368 return; /* nothing else to do */ 2369 au_write(ad, au_to_label(bsl)); 2370 label_rele(tsl); 2371 } 2372 2373 } /* AUDIT_SEC_ATTRIBUTES */ 2374