1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/proc.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/file.h> 35 #include <sys/user.h> 36 #include <sys/stropts.h> 37 #include <sys/systm.h> 38 #include <sys/pathname.h> 39 #include <sys/syscall.h> 40 #include <sys/fcntl.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/msg_impl.h> 43 #include <sys/sem_impl.h> 44 #include <sys/shm_impl.h> 45 #include <sys/kmem.h> /* for KM_SLEEP */ 46 #include <sys/socket.h> 47 #include <sys/cmn_err.h> /* snprintf... */ 48 #include <sys/debug.h> 49 #include <sys/thread.h> 50 #include <netinet/in.h> 51 #include <c2/audit.h> /* needs to be included before user.h */ 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_record.h> 55 #include <sys/strsubr.h> 56 #include <sys/tihdr.h> 57 #include <sys/tiuser.h> 58 #include <sys/timod.h> 59 #include <sys/model.h> /* for model_t */ 60 #include <sys/disp.h> /* for servicing_interrupt() */ 61 #include <sys/devpolicy.h> 62 #include <sys/crypto/ioctladmin.h> 63 #include <sys/cred_impl.h> 64 #include <inet/kssl/kssl.h> 65 #include <net/pfpolicy.h> 66 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 68 69 static void audit_pathbuild(struct pathname *pnp); 70 71 72 /* 73 * ROUTINE: AUDIT_SAVEPATH 74 * PURPOSE: 75 * CALLBY: LOOKUPPN 76 * 77 * NOTE: We have reached the end of a path in fs/lookup.c. 78 * We get two pieces of information here: 79 * the vnode of the last component (vp) and 80 * the status of the last access (flag). 81 * TODO: 82 * QUESTION: 83 */ 84 85 /*ARGSUSED*/ 86 int 87 audit_savepath( 88 struct pathname *pnp, /* pathname to lookup */ 89 struct vnode *vp, /* vnode of the last component */ 90 struct vnode *pvp, /* vnode of the last parent component */ 91 int flag, /* status of the last access */ 92 cred_t *cr) /* cred of requestor */ 93 { 94 95 t_audit_data_t *tad; /* current thread */ 96 au_kcontext_t *kctx = GET_KCTX_PZ; 97 98 tad = U2A(u); 99 100 /* 101 * Noise elimination in audit trails - this event will be discarded if: 102 * - the public policy is not active AND 103 * - the system call is a public operation AND 104 * - the file was not found: VFS lookup failed with ENOENT error AND 105 * - the missing file would have been located in the public directory 106 * owned by root if it had existed 107 */ 108 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && 109 (tad->tad_ctrl & TAD_PUBLIC_EV) && 110 !(kctx->auk_policy & AUDIT_PUBLIC)) { 111 struct vattr attr; 112 113 attr.va_mask = AT_ALL; 114 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { 115 if (object_is_public(&attr)) { 116 tad->tad_ctrl |= TAD_NOAUDIT; 117 } 118 } 119 } 120 121 /* 122 * this event being audited or do we need path information 123 * later? This might be for a chdir/chroot or open (add path 124 * to file pointer. If the path has already been found for an 125 * open/creat then we don't need to process the path. 126 * 127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 128 * chroot, chdir, open, creat system call processing. It determines 129 * if audit_savepath() will discard the path or we need it later. 130 * TAD_PATHFND means path already included in this audit record. It 131 * is used in cases where multiple path lookups are done per 132 * system call. The policy flag, AUDIT_PATH, controls if multiple 133 * paths are allowed. 134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 135 * exit processing to inhibit any paths that may be added due to 136 * closes. 137 */ 138 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 139 ((tad->tad_ctrl & TAD_PATHFND) && 140 !(kctx->auk_policy & AUDIT_PATH)) || 141 (tad->tad_ctrl & TAD_NOPATH)) { 142 return (0); 143 } 144 145 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ 146 147 audit_pathbuild(pnp); 148 149 /* 150 * are we auditing only if error, or if it is not open or create 151 * otherwise audit_setf will do it 152 */ 153 154 if (tad->tad_flag) { 155 if (flag && 156 (tad->tad_scid == SYS_open || 157 tad->tad_scid == SYS_open64 || 158 tad->tad_scid == SYS_openat || 159 tad->tad_scid == SYS_openat64)) { 160 tad->tad_ctrl |= TAD_TRUE_CREATE; 161 } 162 163 /* add token to audit record for this name */ 164 au_uwrite(au_to_path(tad->tad_aupath)); 165 166 /* add the attributes of the object */ 167 if (vp) { 168 /* 169 * only capture attributes when there is no error 170 * lookup will not return the vnode of the failing 171 * component. 172 * 173 * if there was a lookup error, then don't add 174 * attribute. if lookup in vn_create(), 175 * then don't add attribute, 176 * it will be added at end of vn_create(). 177 */ 178 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) 179 audit_attributes(vp); 180 } 181 } 182 183 /* free up space if we're not going to save path (open, creat) */ 184 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { 185 if (tad->tad_aupath != NULL) { 186 au_pathrele(tad->tad_aupath); 187 tad->tad_aupath = NULL; 188 } 189 } 190 if (tad->tad_ctrl & TAD_MLD) 191 tad->tad_ctrl |= TAD_PATHFND; 192 193 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ 194 return (0); 195 } 196 197 static void 198 audit_pathbuild(struct pathname *pnp) 199 { 200 char *pp; /* pointer to path */ 201 int len; /* length of incoming segment */ 202 int newsect; /* path requires a new section */ 203 struct audit_path *pfxapp; /* prefix for path */ 204 struct audit_path *newapp; /* new audit_path */ 205 t_audit_data_t *tad; /* current thread */ 206 p_audit_data_t *pad; /* current process */ 207 208 tad = U2A(u); 209 ASSERT(tad != NULL); 210 pad = P2A(curproc); 211 ASSERT(pad != NULL); 212 213 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 214 ASSERT(len > 0); 215 216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 217 mutex_enter(&pad->pad_lock); 218 if (tad->tad_aupath != NULL) { 219 pfxapp = tad->tad_aupath; 220 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { 221 ASSERT(tad->tad_atpath != NULL); 222 pfxapp = tad->tad_atpath; 223 } else if (tad->tad_ctrl & TAD_ABSPATH) { 224 pfxapp = pad->pad_root; 225 } else { 226 pfxapp = pad->pad_cwd; 227 } 228 au_pathhold(pfxapp); 229 mutex_exit(&pad->pad_lock); 230 231 /* get an expanded buffer to hold the anchored path */ 232 newsect = tad->tad_ctrl & TAD_ATTPATH; 233 newapp = au_pathdup(pfxapp, newsect, len); 234 au_pathrele(pfxapp); 235 236 pp = newapp->audp_sect[newapp->audp_cnt] - len; 237 if (!newsect) { 238 /* overlay previous NUL terminator */ 239 *(pp - 1) = '/'; 240 } 241 242 /* now add string of processed path */ 243 bcopy(pnp->pn_buf, pp, len); 244 pp[len - 1] = '\0'; 245 246 /* perform path simplification as necessary */ 247 audit_fixpath(newapp, len); 248 249 if (tad->tad_aupath) 250 au_pathrele(tad->tad_aupath); 251 tad->tad_aupath = newapp; 252 253 /* for case where multiple lookups in one syscall (rename) */ 254 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); 255 } 256 257 258 /* 259 * ROUTINE: AUDIT_ANCHORPATH 260 * PURPOSE: 261 * CALLBY: LOOKUPPN 262 * NOTE: 263 * anchor path at "/". We have seen a symbolic link or entering for the 264 * first time we will throw away any saved path if path is anchored. 265 * 266 * flag = 0, path is relative. 267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. 268 * 269 * If the (new) path is absolute, then we have to throw away whatever we have 270 * already accumulated since it is being superseded by new path which is 271 * anchored at the root. 272 * Note that if the path is relative, this function does nothing 273 * TODO: 274 * QUESTION: 275 */ 276 /*ARGSUSED*/ 277 void 278 audit_anchorpath(struct pathname *pnp, int flag) 279 { 280 au_kcontext_t *kctx = GET_KCTX_PZ; 281 t_audit_data_t *tad; 282 283 tad = U2A(u); 284 285 /* 286 * this event being audited or do we need path information 287 * later? This might be for a chdir/chroot or open (add path 288 * to file pointer. If the path has already been found for an 289 * open/creat then we don't need to process the path. 290 * 291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 292 * chroot, chdir, open, creat system call processing. It determines 293 * if audit_savepath() will discard the path or we need it later. 294 * TAD_PATHFND means path already included in this audit record. It 295 * is used in cases where multiple path lookups are done per 296 * system call. The policy flag, AUDIT_PATH, controls if multiple 297 * paths are allowed. 298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 299 * exit processing to inhibit any paths that may be added due to 300 * closes. 301 */ 302 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 303 ((tad->tad_ctrl & TAD_PATHFND) && 304 !(kctx->auk_policy & AUDIT_PATH)) || 305 (tad->tad_ctrl & TAD_NOPATH)) { 306 return; 307 } 308 309 if (flag) { 310 tad->tad_ctrl |= TAD_ABSPATH; 311 if (tad->tad_aupath != NULL) { 312 au_pathrele(tad->tad_aupath); 313 tad->tad_aupath = NULL; 314 } 315 } 316 } 317 318 319 /* 320 * symbolic link. Save previous components. 321 * 322 * the path seen so far looks like this 323 * 324 * +-----------------------+----------------+ 325 * | path processed so far | remaining path | 326 * +-----------------------+----------------+ 327 * \-----------------------/ 328 * save this string if 329 * symbolic link relative 330 * (but don't include symlink component) 331 */ 332 333 /*ARGSUSED*/ 334 335 336 /* 337 * ROUTINE: AUDIT_SYMLINK 338 * PURPOSE: 339 * CALLBY: LOOKUPPN 340 * NOTE: 341 * TODO: 342 * QUESTION: 343 */ 344 void 345 audit_symlink(struct pathname *pnp, struct pathname *sympath) 346 { 347 char *sp; /* saved initial pp */ 348 char *cp; /* start of symlink path */ 349 uint_t len_path; /* processed path before symlink */ 350 t_audit_data_t *tad; 351 au_kcontext_t *kctx = GET_KCTX_PZ; 352 353 tad = U2A(u); 354 355 /* 356 * this event being audited or do we need path information 357 * later? This might be for a chdir/chroot or open (add path 358 * to file pointer. If the path has already been found for an 359 * open/creat then we don't need to process the path. 360 * 361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 362 * chroot, chdir, open, creat system call processing. It determines 363 * if audit_savepath() will discard the path or we need it later. 364 * TAD_PATHFND means path already included in this audit record. It 365 * is used in cases where multiple path lookups are done per 366 * system call. The policy flag, AUDIT_PATH, controls if multiple 367 * paths are allowed. 368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 369 * exit processing to inhibit any paths that may be added due to 370 * closes. 371 */ 372 if ((tad->tad_flag == 0 && 373 !(tad->tad_ctrl & TAD_SAVPATH)) || 374 ((tad->tad_ctrl & TAD_PATHFND) && 375 !(kctx->auk_policy & AUDIT_PATH)) || 376 (tad->tad_ctrl & TAD_NOPATH)) { 377 return; 378 } 379 380 /* 381 * if symbolic link is anchored at / then do nothing. 382 * When we cycle back to begin: in lookuppn() we will 383 * call audit_anchorpath() with a flag indicating if the 384 * path is anchored at / or is relative. We will release 385 * any saved path at that point. 386 * 387 * Note In the event that an error occurs in pn_combine then 388 * we want to remain pointing at the component that caused the 389 * path to overflow the pnp structure. 390 */ 391 if (sympath->pn_buf[0] == '/') 392 return; 393 394 /* backup over last component */ 395 sp = cp = pnp->pn_path; 396 while (*--cp != '/' && cp > pnp->pn_buf) 397 ; 398 399 len_path = cp - pnp->pn_buf; 400 401 /* is there anything to save? */ 402 if (len_path) { 403 pnp->pn_path = pnp->pn_buf; 404 audit_pathbuild(pnp); 405 pnp->pn_path = sp; 406 } 407 } 408 409 /* 410 * object_is_public : determine whether events for the object (corresponding to 411 * the specified file/directory attr) should be audited or 412 * ignored. 413 * 414 * returns: 1 - if audit policy and object attributes indicate that 415 * file/directory is effectively public. read events for 416 * the file should not be audited. 417 * 0 - otherwise 418 * 419 * The required attributes to be considered a public object are: 420 * - owned by root, AND 421 * - world-readable (permissions for other include read), AND 422 * - NOT world-writeable (permissions for other don't 423 * include write) 424 * (mode doesn't need to be checked for symlinks) 425 */ 426 int 427 object_is_public(struct vattr *attr) 428 { 429 au_kcontext_t *kctx = GET_KCTX_PZ; 430 431 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 432 ((attr->va_type == VLNK) || 433 ((attr->va_mode & (VREAD>>6)) != 0) && 434 ((attr->va_mode & (VWRITE>>6)) == 0))) { 435 return (1); 436 } 437 return (0); 438 } 439 440 441 /* 442 * ROUTINE: AUDIT_ATTRIBUTES 443 * PURPOSE: Audit the attributes so we can tell why the error occurred 444 * CALLBY: AUDIT_SAVEPATH 445 * AUDIT_VNCREATE_FINISH 446 * AUS_FCHOWN...audit_event.c...audit_path.c 447 * NOTE: 448 * TODO: 449 * QUESTION: 450 */ 451 void 452 audit_attributes(struct vnode *vp) 453 { 454 struct vattr attr; 455 struct t_audit_data *tad; 456 457 tad = U2A(u); 458 459 if (vp) { 460 attr.va_mask = AT_ALL; 461 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 462 return; 463 464 if (object_is_public(&attr) && 465 (tad->tad_ctrl & TAD_PUBLIC_EV)) { 466 /* 467 * This is a public object and a "public" event 468 * (i.e., read only) -- either by definition 469 * (e.g., stat, access...) or by virtue of write access 470 * not being requested (e.g. mmap). 471 * Flag it in the tad to prevent this audit at the end. 472 */ 473 tad->tad_ctrl |= TAD_NOAUDIT; 474 } else { 475 au_uwrite(au_to_attr(&attr)); 476 audit_sec_attributes(&(u_ad), vp); 477 } 478 } 479 } 480 481 482 /* 483 * ROUTINE: AUDIT_EXIT 484 * PURPOSE: 485 * CALLBY: EXIT 486 * NOTE: 487 * TODO: 488 * QUESTION: why cmw code as offset by 2 but not here 489 */ 490 /* ARGSUSED */ 491 void 492 audit_exit(int code, int what) 493 { 494 struct t_audit_data *tad; 495 tad = U2A(u); 496 497 /* 498 * tad_scid will be set by audit_start even if we are not auditing 499 * the event. 500 */ 501 if (tad->tad_scid == SYS_exit) { 502 /* 503 * if we are auditing the exit system call, then complete 504 * audit record generation (no return from system call). 505 */ 506 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 507 audit_finish(0, SYS_exit, 0, 0); 508 return; 509 } 510 511 /* 512 * Anyone auditing the system call that was aborted? 513 */ 514 if (tad->tad_flag) { 515 au_uwrite(au_to_text("event aborted")); 516 audit_finish(0, tad->tad_scid, 0, 0); 517 } 518 519 /* 520 * Generate an audit record for process exit if preselected. 521 */ 522 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 523 audit_finish(0, SYS_exit, 0, 0); 524 } 525 526 /* 527 * ROUTINE: AUDIT_CORE_START 528 * PURPOSE: 529 * CALLBY: PSIG 530 * NOTE: 531 * TODO: 532 */ 533 void 534 audit_core_start(int sig) 535 { 536 au_event_t event; 537 au_state_t estate; 538 t_audit_data_t *tad; 539 au_kcontext_t *kctx; 540 541 tad = U2A(u); 542 543 ASSERT(tad != (t_audit_data_t *)0); 544 545 ASSERT(tad->tad_scid == 0); 546 ASSERT(tad->tad_event == 0); 547 ASSERT(tad->tad_evmod == 0); 548 ASSERT(tad->tad_ctrl == 0); 549 ASSERT(tad->tad_flag == 0); 550 ASSERT(tad->tad_aupath == NULL); 551 552 kctx = GET_KCTX_PZ; 553 554 /* get basic event for system call */ 555 event = AUE_CORE; 556 estate = kctx->auk_ets[event]; 557 558 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 559 return; 560 561 /* reset the flags for non-user attributable events */ 562 tad->tad_ctrl = TAD_CORE; 563 tad->tad_scid = 0; 564 565 /* if auditing not enabled, then don't generate an audit record */ 566 567 if (!((kctx->auk_auditstate == AUC_AUDITING || 568 kctx->auk_auditstate == AUC_INIT_AUDIT) || 569 kctx->auk_auditstate == AUC_NOSPACE)) { 570 tad->tad_flag = 0; 571 tad->tad_ctrl = 0; 572 return; 573 } 574 575 tad->tad_event = event; 576 tad->tad_evmod = 0; 577 578 ASSERT(tad->tad_ad == NULL); 579 580 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 581 } 582 583 /* 584 * ROUTINE: AUDIT_CORE_FINISH 585 * PURPOSE: 586 * CALLBY: PSIG 587 * NOTE: 588 * TODO: 589 * QUESTION: 590 */ 591 592 /*ARGSUSED*/ 593 void 594 audit_core_finish(int code) 595 { 596 int flag; 597 t_audit_data_t *tad; 598 au_kcontext_t *kctx; 599 600 tad = U2A(u); 601 602 ASSERT(tad != (t_audit_data_t *)0); 603 604 if ((flag = tad->tad_flag) == 0) { 605 tad->tad_event = 0; 606 tad->tad_evmod = 0; 607 tad->tad_ctrl = 0; 608 ASSERT(tad->tad_aupath == NULL); 609 return; 610 } 611 tad->tad_flag = 0; 612 613 kctx = GET_KCTX_PZ; 614 615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 616 if (flag = audit_success(kctx, tad, 0, NULL)) { 617 cred_t *cr = CRED(); 618 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 619 620 ASSERT(ainfo != NULL); 621 622 /* 623 * Add subject information (no locks since our private copy of 624 * credential 625 */ 626 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 627 628 /* Add a return token (should use f argument) */ 629 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 630 631 AS_INC(as_generated, 1, kctx); 632 AS_INC(as_kernel, 1, kctx); 633 } 634 635 /* Close up everything */ 636 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 637 638 /* free up any space remaining with the path's */ 639 if (tad->tad_aupath != NULL) { 640 au_pathrele(tad->tad_aupath); 641 tad->tad_aupath = NULL; 642 } 643 tad->tad_event = 0; 644 tad->tad_evmod = 0; 645 tad->tad_ctrl = 0; 646 } 647 648 649 /*ARGSUSED*/ 650 void 651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 652 unsigned char *pri, int *flag, int fmode) 653 { 654 struct stdata *stp; 655 t_audit_data_t *tad = U2A(u); 656 657 ASSERT(tad != (t_audit_data_t *)0); 658 659 stp = vp->v_stream; 660 661 /* lock stdata from audit_sock */ 662 mutex_enter(&stp->sd_lock); 663 664 /* proceed ONLY if user is being audited */ 665 if (!tad->tad_flag) { 666 /* 667 * this is so we will not add audit data onto 668 * a thread that is not being audited. 669 */ 670 stp->sd_t_audit_data = NULL; 671 mutex_exit(&stp->sd_lock); 672 return; 673 } 674 675 stp->sd_t_audit_data = (caddr_t)curthread; 676 mutex_exit(&stp->sd_lock); 677 } 678 679 /*ARGSUSED*/ 680 void 681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 682 unsigned char pri, int flag, int fmode) 683 { 684 struct stdata *stp; 685 t_audit_data_t *tad = U2A(u); 686 687 ASSERT(tad != (t_audit_data_t *)0); 688 689 stp = vp->v_stream; 690 691 /* lock stdata from audit_sock */ 692 mutex_enter(&stp->sd_lock); 693 694 /* proceed ONLY if user is being audited */ 695 if (!tad->tad_flag) { 696 /* 697 * this is so we will not add audit data onto 698 * a thread that is not being audited. 699 */ 700 stp->sd_t_audit_data = NULL; 701 mutex_exit(&stp->sd_lock); 702 return; 703 } 704 705 stp->sd_t_audit_data = (caddr_t)curthread; 706 mutex_exit(&stp->sd_lock); 707 } 708 709 /* 710 * ROUTINE: AUDIT_CLOSEF 711 * PURPOSE: 712 * CALLBY: CLOSEF 713 * NOTE: 714 * release per file audit resources when file structure is being released. 715 * 716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 717 * on the audit queue if it becomes full. This means 718 * audit_closef can not be called when f_count == 0. Since 719 * f_count == 0 indicates the file structure is free, another 720 * process could attempt to use the file while we were still 721 * asleep waiting on the audit queue. This would cause the 722 * per file audit data to be corrupted when we finally do 723 * wakeup. 724 * TODO: 725 * QUESTION: 726 */ 727 728 void 729 audit_closef(struct file *fp) 730 { 731 f_audit_data_t *fad; 732 t_audit_data_t *tad; 733 int success; 734 au_state_t estate; 735 struct vnode *vp; 736 token_t *ad = NULL; 737 struct vattr attr; 738 au_emod_t evmod = 0; 739 const auditinfo_addr_t *ainfo; 740 cred_t *cr; 741 au_kcontext_t *kctx = GET_KCTX_PZ; 742 uint32_t auditing; 743 boolean_t audit_attr = B_FALSE; 744 745 fad = F2A(fp); 746 estate = kctx->auk_ets[AUE_CLOSE]; 747 tad = U2A(u); 748 cr = CRED(); 749 750 /* audit record already generated by system call envelope */ 751 if (tad->tad_event == AUE_CLOSE) { 752 /* so close audit event will have bits set */ 753 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 754 return; 755 } 756 757 /* if auditing not enabled, then don't generate an audit record */ 758 auditing = (tad->tad_audit == AUC_UNSET) ? 759 kctx->auk_auditstate : tad->tad_audit; 760 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 761 return; 762 763 ainfo = crgetauinfo(cr); 764 if (ainfo == NULL) 765 return; 766 767 success = ainfo->ai_mask.as_success & estate; 768 769 /* not selected for this event */ 770 if (success == 0) 771 return; 772 773 /* 774 * can't use audit_attributes here since we use a private audit area 775 * to build the audit record instead of the one off the thread. 776 */ 777 if ((vp = fp->f_vnode) != NULL) { 778 attr.va_mask = AT_ALL; 779 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 780 if ((fp->f_flag & FWRITE) == 0 && 781 object_is_public(&attr)) { 782 /* 783 * When write was not used and the file can be 784 * considered public, then skip the audit. 785 */ 786 return; 787 } 788 audit_attr = B_TRUE; 789 } 790 } 791 792 evmod = (au_emod_t)fad->fad_flags; 793 if (fad->fad_aupath != NULL) { 794 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 795 } else { 796 #ifdef _LP64 797 au_write((caddr_t *)&(ad), au_to_arg64( 798 1, "no path: fp", (uint64_t)fp)); 799 #else 800 au_write((caddr_t *)&(ad), au_to_arg32( 801 1, "no path: fp", (uint32_t)fp)); 802 #endif 803 } 804 805 if (audit_attr) { 806 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 807 audit_sec_attributes((caddr_t *)&(ad), vp); 808 } 809 810 /* Add subject information */ 811 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 812 813 /* add a return token */ 814 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 815 816 AS_INC(as_generated, 1, kctx); 817 AS_INC(as_kernel, 1, kctx); 818 819 /* 820 * Close up everything 821 * Note: path space recovery handled by normal system 822 * call envelope if not at last close. 823 * Note there is no failure at this point since 824 * this represents closes due to exit of process, 825 * thus we always indicate successful closes. 826 */ 827 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 828 AUE_CLOSE, evmod, NULL); 829 } 830 831 /* 832 * ROUTINE: AUDIT_SET 833 * PURPOSE: Audit the file path and file attributes. 834 * CALLBY: SETF 835 * NOTE: SETF associate a file pointer with user area's open files. 836 * TODO: 837 * call audit_finish directly ??? 838 * QUESTION: 839 */ 840 841 /*ARGSUSED*/ 842 void 843 audit_setf(file_t *fp, int fd) 844 { 845 f_audit_data_t *fad; 846 t_audit_data_t *tad; 847 848 if (fp == NULL) 849 return; 850 851 tad = T2A(curthread); 852 fad = F2A(fp); 853 854 if (!(tad->tad_scid == SYS_open || 855 tad->tad_scid == SYS_open64 || 856 tad->tad_scid == SYS_openat || 857 tad->tad_scid == SYS_openat64)) 858 return; 859 860 /* no path */ 861 if (tad->tad_aupath == 0) 862 return; 863 864 /* 865 * assign path information associated with file audit data 866 * use tad hold 867 */ 868 fad->fad_aupath = tad->tad_aupath; 869 tad->tad_aupath = NULL; 870 871 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { 872 /* adjust event type by dropping the 'creat' part */ 873 switch (tad->tad_event) { 874 case AUE_OPEN_RC: 875 tad->tad_event = AUE_OPEN_R; 876 tad->tad_ctrl |= TAD_PUBLIC_EV; 877 break; 878 case AUE_OPEN_RTC: 879 tad->tad_event = AUE_OPEN_RT; 880 break; 881 case AUE_OPEN_WC: 882 tad->tad_event = AUE_OPEN_W; 883 break; 884 case AUE_OPEN_WTC: 885 tad->tad_event = AUE_OPEN_WT; 886 break; 887 case AUE_OPEN_RWC: 888 tad->tad_event = AUE_OPEN_RW; 889 break; 890 case AUE_OPEN_RWTC: 891 tad->tad_event = AUE_OPEN_RWT; 892 break; 893 default: 894 break; 895 } 896 } 897 } 898 899 900 void 901 audit_ipc(int type, int id, void *vp) 902 { 903 /* if not auditing this event, then do nothing */ 904 if (ad_flag == 0) 905 return; 906 907 switch (type) { 908 case AT_IPC_MSG: 909 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 911 break; 912 case AT_IPC_SEM: 913 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 914 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 915 break; 916 case AT_IPC_SHM: 917 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 918 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 919 break; 920 } 921 } 922 923 void 924 audit_ipcget(int type, void *vp) 925 { 926 /* if not auditing this event, then do nothing */ 927 if (ad_flag == 0) 928 return; 929 930 switch (type) { 931 case NULL: 932 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 933 break; 934 case AT_IPC_MSG: 935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 936 break; 937 case AT_IPC_SEM: 938 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 939 break; 940 case AT_IPC_SHM: 941 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 942 break; 943 } 944 } 945 946 /* 947 * ROUTINE: AUDIT_REBOOT 948 * PURPOSE: 949 * CALLBY: 950 * NOTE: 951 * At this point we know that the system call reboot will not return. We thus 952 * have to complete the audit record generation and put it onto the queue. 953 * This might be fairly useless if the auditing daemon is already dead.... 954 * TODO: 955 * QUESTION: who calls audit_reboot 956 */ 957 958 void 959 audit_reboot(void) 960 { 961 int flag; 962 t_audit_data_t *tad; 963 au_kcontext_t *kctx = GET_KCTX_PZ; 964 965 tad = U2A(u); 966 967 /* if not auditing this event, then do nothing */ 968 if (tad->tad_flag == 0) 969 return; 970 971 /* do preselection on success/failure */ 972 if (flag = audit_success(kctx, tad, 0, NULL)) { 973 /* add a process token */ 974 975 cred_t *cr = CRED(); 976 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 977 978 if (ainfo == NULL) 979 return; 980 981 /* Add subject information */ 982 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 983 984 /* add a return token */ 985 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 986 987 AS_INC(as_generated, 1, kctx); 988 AS_INC(as_kernel, 1, kctx); 989 } 990 991 /* 992 * Flow control useless here since we're going 993 * to drop everything in the queue anyway. Why 994 * block and wait. There aint anyone left alive to 995 * read the records remaining anyway. 996 */ 997 998 /* Close up everything */ 999 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1000 tad->tad_event, tad->tad_evmod, NULL); 1001 } 1002 1003 void 1004 audit_setfsat_path(int argnum) 1005 { 1006 klwp_id_t clwp = ttolwp(curthread); 1007 struct file *fp; 1008 uint32_t fd; 1009 t_audit_data_t *tad; 1010 struct f_audit_data *fad; 1011 p_audit_data_t *pad; /* current process */ 1012 uint_t fm; 1013 struct a { 1014 long arg1; 1015 long arg2; 1016 long arg3; 1017 long arg4; 1018 long arg5; 1019 } *uap; 1020 1021 if (clwp == NULL) 1022 return; 1023 uap = (struct a *)clwp->lwp_ap; 1024 1025 tad = U2A(u); 1026 ASSERT(tad != NULL); 1027 1028 switch (tad->tad_scid) { 1029 case SYS_faccessat: 1030 case SYS_fchmodat: 1031 case SYS_fchownat: 1032 case SYS_fstatat: 1033 case SYS_fstatat64: 1034 case SYS_mkdirat: 1035 case SYS_mknodat: 1036 case SYS_openat: 1037 case SYS_openat64: 1038 case SYS_readlinkat: 1039 case SYS_unlinkat: 1040 fd = uap->arg1; 1041 break; 1042 case SYS_linkat: 1043 case SYS_renameat: 1044 if (argnum == 3) 1045 fd = uap->arg3; 1046 else 1047 fd = uap->arg1; 1048 break; 1049 case SYS_symlinkat: 1050 case SYS_utimesys: 1051 fd = uap->arg2; 1052 break; 1053 case SYS_open: 1054 case SYS_open64: 1055 fd = AT_FDCWD; 1056 break; 1057 default: 1058 return; 1059 } 1060 1061 if (tad->tad_atpath != NULL) { 1062 au_pathrele(tad->tad_atpath); 1063 tad->tad_atpath = NULL; 1064 } 1065 1066 if (fd != AT_FDCWD) { 1067 tad->tad_ctrl |= TAD_ATCALL; 1068 1069 if (tad->tad_scid == SYS_openat || 1070 tad->tad_scid == SYS_openat64) { 1071 fm = (uint_t)uap->arg3; 1072 if (fm & (FXATTR | FXATTRDIROPEN)) { 1073 tad->tad_ctrl |= TAD_ATTPATH; 1074 } 1075 } 1076 1077 if ((fp = getf(fd)) == NULL) { 1078 tad->tad_ctrl |= TAD_NOPATH; 1079 return; 1080 } 1081 fad = F2A(fp); 1082 ASSERT(fad); 1083 if (fad->fad_aupath == NULL) { 1084 tad->tad_ctrl |= TAD_NOPATH; 1085 releasef(fd); 1086 return; 1087 } 1088 au_pathhold(fad->fad_aupath); 1089 tad->tad_atpath = fad->fad_aupath; 1090 releasef(fd); 1091 } else { 1092 if (tad->tad_scid == SYS_open || 1093 tad->tad_scid == SYS_open64) { 1094 fm = (uint_t)uap->arg2; 1095 if (fm & FXATTR) { 1096 tad->tad_ctrl |= TAD_ATTPATH; 1097 } 1098 return; 1099 } 1100 pad = P2A(curproc); 1101 mutex_enter(&pad->pad_lock); 1102 au_pathhold(pad->pad_cwd); 1103 tad->tad_atpath = pad->pad_cwd; 1104 mutex_exit(&pad->pad_lock); 1105 } 1106 } 1107 1108 void 1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1110 { 1111 t_audit_data_t *tad; 1112 vnode_t *vp; 1113 1114 tad = U2A(u); 1115 1116 /* if not auditing this event, then do nothing */ 1117 if (tad->tad_flag == 0) 1118 return; 1119 1120 au_uwrite(au_to_text(target)); 1121 1122 if (error) 1123 return; 1124 1125 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1126 NULL, NULL, NULL); 1127 if (error == 0) { 1128 audit_attributes(vp); 1129 VN_RELE(vp); 1130 } 1131 } 1132 1133 /* 1134 * ROUTINE: AUDIT_VNCREATE_START 1135 * PURPOSE: set flag so path name lookup in create will not add attribute 1136 * CALLBY: VN_CREATE 1137 * NOTE: 1138 * TODO: 1139 * QUESTION: 1140 */ 1141 1142 void 1143 audit_vncreate_start() 1144 { 1145 t_audit_data_t *tad; 1146 1147 tad = U2A(u); 1148 tad->tad_ctrl |= TAD_NOATTRB; 1149 } 1150 1151 /* 1152 * ROUTINE: AUDIT_VNCREATE_FINISH 1153 * PURPOSE: 1154 * CALLBY: VN_CREATE 1155 * NOTE: 1156 * TODO: 1157 * QUESTION: 1158 */ 1159 void 1160 audit_vncreate_finish(struct vnode *vp, int error) 1161 { 1162 t_audit_data_t *tad; 1163 1164 if (error) 1165 return; 1166 1167 tad = U2A(u); 1168 1169 /* if not auditing this event, then do nothing */ 1170 if (tad->tad_flag == 0) 1171 return; 1172 1173 if (tad->tad_ctrl & TAD_TRUE_CREATE) { 1174 audit_attributes(vp); 1175 } 1176 1177 if (tad->tad_ctrl & TAD_CORE) { 1178 audit_attributes(vp); 1179 tad->tad_ctrl &= ~TAD_CORE; 1180 } 1181 1182 if (!error && ((tad->tad_event == AUE_MKNOD) || 1183 (tad->tad_event == AUE_MKDIR))) { 1184 audit_attributes(vp); 1185 } 1186 1187 /* for case where multiple lookups in one syscall (rename) */ 1188 tad->tad_ctrl &= ~TAD_NOATTRB; 1189 } 1190 1191 1192 1193 1194 1195 1196 1197 1198 /* 1199 * ROUTINE: AUDIT_EXEC 1200 * PURPOSE: Records the function arguments and environment variables 1201 * CALLBY: EXEC_ARGS 1202 * NOTE: 1203 * TODO: 1204 * QUESTION: 1205 */ 1206 1207 void 1208 audit_exec( 1209 const char *argstr, /* argument strings */ 1210 const char *envstr, /* environment strings */ 1211 ssize_t argc, /* total # arguments */ 1212 ssize_t envc, /* total # environment variables */ 1213 cred_t *pfcred) /* the additional privileges in a profile */ 1214 { 1215 t_audit_data_t *tad; 1216 au_kcontext_t *kctx = GET_KCTX_PZ; 1217 1218 tad = U2A(u); 1219 1220 /* if not auditing this event, then do nothing */ 1221 if (!tad->tad_flag) 1222 return; 1223 1224 if (pfcred != NULL) { 1225 p_audit_data_t *pad; 1226 cred_t *cr = CRED(); 1227 priv_set_t pset = CR_IPRIV(cr); 1228 1229 pad = P2A(curproc); 1230 1231 /* It's a different event. */ 1232 tad->tad_event = AUE_PFEXEC; 1233 1234 /* Add the current working directory to the audit trail. */ 1235 if (pad->pad_cwd != NULL) 1236 au_uwrite(au_to_path(pad->pad_cwd)); 1237 1238 /* 1239 * The new credential is not yet in place when audit_exec 1240 * is called. 1241 * Compute the additional bits available in the new credential 1242 * and the limit set. 1243 */ 1244 priv_inverse(&pset); 1245 priv_intersect(&CR_IPRIV(pfcred), &pset); 1246 if (!priv_isemptyset(&pset) || 1247 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1248 au_uwrite(au_to_privset( 1249 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1250 0)); 1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1252 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1253 } 1254 /* 1255 * Compare the uids & gids: create a process token if changed. 1256 */ 1257 if (crgetuid(cr) != crgetuid(pfcred) || 1258 crgetruid(cr) != crgetruid(pfcred) || 1259 crgetgid(cr) != crgetgid(pfcred) || 1260 crgetrgid(cr) != crgetrgid(pfcred)) { 1261 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1262 } 1263 } 1264 1265 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1266 au_uwrite(au_to_exec_args(argstr, argc)); 1267 1268 if (kctx->auk_policy & AUDIT_ARGE) 1269 au_uwrite(au_to_exec_env(envstr, envc)); 1270 } 1271 1272 /* 1273 * ROUTINE: AUDIT_ENTERPROM 1274 * PURPOSE: 1275 * CALLBY: KBDINPUT 1276 * ZSA_XSINT 1277 * NOTE: 1278 * TODO: 1279 * QUESTION: 1280 */ 1281 void 1282 audit_enterprom(int flg) 1283 { 1284 token_t *rp = NULL; 1285 int sorf; 1286 1287 if (flg) 1288 sorf = AUM_SUCC; 1289 else 1290 sorf = AUM_FAIL; 1291 1292 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1293 1294 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1295 1296 if (flg) 1297 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1298 else 1299 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1300 1301 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1302 } 1303 1304 1305 /* 1306 * ROUTINE: AUDIT_EXITPROM 1307 * PURPOSE: 1308 * CALLBY: KBDINPUT 1309 * ZSA_XSINT 1310 * NOTE: 1311 * TODO: 1312 * QUESTION: 1313 */ 1314 void 1315 audit_exitprom(int flg) 1316 { 1317 int sorf; 1318 token_t *rp = NULL; 1319 1320 if (flg) 1321 sorf = AUM_SUCC; 1322 else 1323 sorf = AUM_FAIL; 1324 1325 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1326 1327 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1328 1329 if (flg) 1330 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1331 else 1332 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1333 1334 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1335 } 1336 1337 struct fcntla { 1338 int fdes; 1339 int cmd; 1340 intptr_t arg; 1341 }; 1342 1343 1344 /* 1345 * ROUTINE: AUDIT_CHDIREC 1346 * PURPOSE: 1347 * CALLBY: CHDIREC 1348 * NOTE: The main function of CHDIREC 1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1350 * QUESTION: 1351 */ 1352 1353 /*ARGSUSED*/ 1354 void 1355 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1356 { 1357 int chdir; 1358 int fchdir; 1359 struct audit_path **appp; 1360 struct file *fp; 1361 f_audit_data_t *fad; 1362 p_audit_data_t *pad = P2A(curproc); 1363 t_audit_data_t *tad = T2A(curthread); 1364 1365 struct a { 1366 long fd; 1367 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1368 1369 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1370 chdir = tad->tad_scid == SYS_chdir; 1371 if (tad->tad_aupath) { 1372 mutex_enter(&pad->pad_lock); 1373 if (chdir) 1374 appp = &(pad->pad_cwd); 1375 else 1376 appp = &(pad->pad_root); 1377 au_pathrele(*appp); 1378 /* use tad hold */ 1379 *appp = tad->tad_aupath; 1380 tad->tad_aupath = NULL; 1381 mutex_exit(&pad->pad_lock); 1382 } 1383 } else if ((tad->tad_scid == SYS_fchdir) || 1384 (tad->tad_scid == SYS_fchroot)) { 1385 fchdir = tad->tad_scid == SYS_fchdir; 1386 if ((fp = getf(uap->fd)) == NULL) 1387 return; 1388 fad = F2A(fp); 1389 if (fad->fad_aupath) { 1390 au_pathhold(fad->fad_aupath); 1391 mutex_enter(&pad->pad_lock); 1392 if (fchdir) 1393 appp = &(pad->pad_cwd); 1394 else 1395 appp = &(pad->pad_root); 1396 au_pathrele(*appp); 1397 *appp = fad->fad_aupath; 1398 mutex_exit(&pad->pad_lock); 1399 if (tad->tad_flag) { 1400 au_uwrite(au_to_path(fad->fad_aupath)); 1401 audit_attributes(fp->f_vnode); 1402 } 1403 } 1404 releasef(uap->fd); 1405 } 1406 } 1407 1408 1409 /* 1410 * Audit hook for stream based socket and tli request. 1411 * Note that we do not have user context while executing 1412 * this code so we had to record them earlier during the 1413 * putmsg/getmsg to figure out which user we are dealing with. 1414 */ 1415 1416 /*ARGSUSED*/ 1417 void 1418 audit_sock( 1419 int type, /* type of tihdr.h header requests */ 1420 queue_t *q, /* contains the process and thread audit data */ 1421 mblk_t *mp, /* contains the tihdr.h header structures */ 1422 int from) /* timod or sockmod request */ 1423 { 1424 int32_t len; 1425 int32_t offset; 1426 struct sockaddr_in *sock_data; 1427 struct T_conn_req *conn_req; 1428 struct T_conn_ind *conn_ind; 1429 struct T_unitdata_req *unitdata_req; 1430 struct T_unitdata_ind *unitdata_ind; 1431 au_state_t estate; 1432 t_audit_data_t *tad; 1433 caddr_t saved_thread_ptr; 1434 au_mask_t amask; 1435 const auditinfo_addr_t *ainfo; 1436 au_kcontext_t *kctx; 1437 1438 if (q->q_stream == NULL) 1439 return; 1440 mutex_enter(&q->q_stream->sd_lock); 1441 /* are we being audited */ 1442 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1443 /* no pointer to thread, nothing to do */ 1444 if (saved_thread_ptr == NULL) { 1445 mutex_exit(&q->q_stream->sd_lock); 1446 return; 1447 } 1448 /* only allow one addition of a record token */ 1449 q->q_stream->sd_t_audit_data = NULL; 1450 /* 1451 * thread is not the one being audited, then nothing to do 1452 * This could be the stream thread handling the module 1453 * service routine. In this case, the context for the audit 1454 * record can no longer be assumed. Simplest to just drop 1455 * the operation. 1456 */ 1457 if (curthread != (kthread_id_t)saved_thread_ptr) { 1458 mutex_exit(&q->q_stream->sd_lock); 1459 return; 1460 } 1461 if (curthread->t_sysnum >= SYS_so_socket && 1462 curthread->t_sysnum <= SYS_sockconfig) { 1463 mutex_exit(&q->q_stream->sd_lock); 1464 return; 1465 } 1466 mutex_exit(&q->q_stream->sd_lock); 1467 /* 1468 * we know that the thread that did the put/getmsg is the 1469 * one running. Now we can get the TAD and see if we should 1470 * add an audit token. 1471 */ 1472 tad = U2A(u); 1473 1474 kctx = GET_KCTX_PZ; 1475 1476 /* proceed ONLY if user is being audited */ 1477 if (!tad->tad_flag) 1478 return; 1479 1480 ainfo = crgetauinfo(CRED()); 1481 if (ainfo == NULL) 1482 return; 1483 amask = ainfo->ai_mask; 1484 1485 /* 1486 * Figure out the type of stream networking request here. 1487 * Note that getmsg and putmsg are always preselected 1488 * because during the beginning of the system call we have 1489 * not yet figure out which of the socket or tli request 1490 * we are looking at until we are here. So we need to check 1491 * against that specific request and reset the type of event. 1492 */ 1493 switch (type) { 1494 case T_CONN_REQ: /* connection request */ 1495 conn_req = (struct T_conn_req *)mp->b_rptr; 1496 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1497 return; 1498 offset = conn_req->DEST_offset; 1499 len = conn_req->DEST_length; 1500 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1501 if (amask.as_success & estate || amask.as_failure & estate) { 1502 tad->tad_event = AUE_SOCKCONNECT; 1503 break; 1504 } else { 1505 return; 1506 } 1507 case T_CONN_IND: /* connectionless receive request */ 1508 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1509 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1510 return; 1511 offset = conn_ind->SRC_offset; 1512 len = conn_ind->SRC_length; 1513 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1514 if (amask.as_success & estate || amask.as_failure & estate) { 1515 tad->tad_event = AUE_SOCKACCEPT; 1516 break; 1517 } else { 1518 return; 1519 } 1520 case T_UNITDATA_REQ: /* connectionless send request */ 1521 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1522 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1523 return; 1524 offset = unitdata_req->DEST_offset; 1525 len = unitdata_req->DEST_length; 1526 estate = kctx->auk_ets[AUE_SOCKSEND]; 1527 if (amask.as_success & estate || amask.as_failure & estate) { 1528 tad->tad_event = AUE_SOCKSEND; 1529 break; 1530 } else { 1531 return; 1532 } 1533 case T_UNITDATA_IND: /* connectionless receive request */ 1534 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1535 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1536 return; 1537 offset = unitdata_ind->SRC_offset; 1538 len = unitdata_ind->SRC_length; 1539 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1540 if (amask.as_success & estate || amask.as_failure & estate) { 1541 tad->tad_event = AUE_SOCKRECEIVE; 1542 break; 1543 } else { 1544 return; 1545 } 1546 default: 1547 return; 1548 } 1549 1550 /* 1551 * we are only interested in tcp stream connections, 1552 * not unix domain stuff 1553 */ 1554 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1555 tad->tad_event = AUE_GETMSG; 1556 return; 1557 } 1558 /* skip over TPI header and point to the ip address */ 1559 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1560 1561 switch (sock_data->sin_family) { 1562 case AF_INET: 1563 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1564 break; 1565 default: /* reset to AUE_PUTMSG if not a inet request */ 1566 tad->tad_event = AUE_GETMSG; 1567 break; 1568 } 1569 } 1570 1571 1572 static void 1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1574 { 1575 unsigned int sy_flags; 1576 1577 #ifdef _SYSCALL32_IMPL 1578 /* 1579 * Guard against t_lwp being NULL when this function is called 1580 * from a kernel queue instead of from a direct system call. 1581 * In that case, assume the running kernel data model. 1582 */ 1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1584 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1586 else 1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1588 #else 1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1590 #endif 1591 1592 if (sy_flags == SE_64RVAL) 1593 au_write(ad, au_to_return64(err, rval)); 1594 else 1595 au_write(ad, au_to_return32(err, rval)); 1596 1597 } 1598 1599 /*ARGSUSED*/ 1600 void 1601 audit_fdsend(int fd, struct file *fp, int error) 1602 { 1603 t_audit_data_t *tad; /* current thread */ 1604 f_audit_data_t *fad; /* per file audit structure */ 1605 struct vnode *vp; /* for file attributes */ 1606 1607 /* is this system call being audited */ 1608 tad = U2A(u); 1609 ASSERT(tad != (t_audit_data_t *)0); 1610 if (!tad->tad_flag) 1611 return; 1612 1613 fad = F2A(fp); 1614 1615 /* add path and file attributes */ 1616 if (fad != NULL && fad->fad_aupath != NULL) { 1617 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1618 au_uwrite(au_to_path(fad->fad_aupath)); 1619 } else { 1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1621 #ifdef _LP64 1622 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1623 #else 1624 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1625 #endif 1626 } 1627 vp = fp->f_vnode; /* include vnode attributes */ 1628 audit_attributes(vp); 1629 } 1630 1631 /* 1632 * Record privileges successfully used and we attempted to use but 1633 * didn't have. 1634 */ 1635 void 1636 audit_priv(int priv, const priv_set_t *set, int flag) 1637 { 1638 t_audit_data_t *tad; 1639 int sbit; 1640 priv_set_t *target; 1641 1642 /* Make sure this isn't being called in an interrupt context */ 1643 ASSERT(servicing_interrupt() == 0); 1644 1645 tad = U2A(u); 1646 1647 if (tad->tad_flag == 0) 1648 return; 1649 1650 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1651 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1652 1653 /* Tell audit_success() and audit_finish() that we saw this case */ 1654 if (!(tad->tad_evmod & sbit)) { 1655 /* Clear set first time around */ 1656 priv_emptyset(target); 1657 tad->tad_evmod |= sbit; 1658 } 1659 1660 /* Save the privileges in the tad */ 1661 if (priv == PRIV_ALL) { 1662 priv_fillset(target); 1663 } else { 1664 ASSERT(set != NULL || priv != PRIV_NONE); 1665 if (set != NULL) 1666 priv_union(set, target); 1667 if (priv != PRIV_NONE) 1668 priv_addset(target, priv); 1669 } 1670 } 1671 1672 /* 1673 * Audit the psecflags() system call; the set name, current value, and delta 1674 * are put in the audit trail. 1675 */ 1676 void 1677 audit_psecflags(proc_t *p, 1678 psecflagwhich_t which, 1679 const secflagdelta_t *psd) 1680 { 1681 t_audit_data_t *tad; 1682 secflagset_t new; 1683 const secflagset_t *old; 1684 const char *s; 1685 cred_t *cr; 1686 pid_t pid; 1687 const auditinfo_addr_t *ainfo; 1688 const psecflags_t *psec = &p->p_secflags; 1689 1690 tad = U2A(u); 1691 1692 if (tad->tad_flag == 0) 1693 return; 1694 1695 switch (which) { 1696 case PSF_EFFECTIVE: 1697 s = "effective"; 1698 old = &psec->psf_effective; 1699 break; 1700 case PSF_INHERIT: 1701 s = "inherit"; 1702 old = &psec->psf_inherit; 1703 break; 1704 case PSF_LOWER: 1705 s = "lower"; 1706 old = &psec->psf_lower; 1707 break; 1708 case PSF_UPPER: 1709 s = "upper"; 1710 old = &psec->psf_upper; 1711 break; 1712 } 1713 1714 secflags_copy(&new, old); 1715 secflags_apply_delta(&new, psd); 1716 1717 au_uwrite(au_to_secflags(s, *old)); 1718 au_uwrite(au_to_secflags(s, new)); 1719 1720 ASSERT(mutex_owned(&p->p_lock)); 1721 mutex_enter(&p->p_crlock); 1722 1723 pid = p->p_pid; 1724 crhold(cr = p->p_cred); 1725 mutex_exit(&p->p_crlock); 1726 1727 if ((ainfo = crgetauinfo(cr)) == NULL) { 1728 crfree(cr); 1729 return; 1730 } 1731 1732 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid); 1733 1734 crfree(cr); 1735 } 1736 1737 /* 1738 * Audit the setpriv() system call; the operation, the set name and 1739 * the current value as well as the set argument are put in the 1740 * audit trail. 1741 */ 1742 void 1743 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1744 { 1745 t_audit_data_t *tad; 1746 const priv_set_t *oldpriv; 1747 priv_set_t report; 1748 const char *setname; 1749 1750 tad = U2A(u); 1751 1752 if (tad->tad_flag == 0) 1753 return; 1754 1755 oldpriv = priv_getset(ocr, set); 1756 1757 /* Generate the actual record, include the before and after */ 1758 au_uwrite(au_to_arg32(2, "op", op)); 1759 setname = priv_getsetbynum(set); 1760 1761 switch (op) { 1762 case PRIV_OFF: 1763 /* Report privileges actually switched off */ 1764 report = *oldpriv; 1765 priv_intersect(newpriv, &report); 1766 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1767 break; 1768 case PRIV_ON: 1769 /* Report privileges actually switched on */ 1770 report = *oldpriv; 1771 priv_inverse(&report); 1772 priv_intersect(newpriv, &report); 1773 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1774 break; 1775 case PRIV_SET: 1776 /* Report before and after */ 1777 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1778 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1779 break; 1780 } 1781 } 1782 1783 /* 1784 * Dump the full device policy setting in the audit trail. 1785 */ 1786 void 1787 audit_devpolicy(int nitems, const devplcysys_t *items) 1788 { 1789 t_audit_data_t *tad; 1790 int i; 1791 1792 tad = U2A(u); 1793 1794 if (tad->tad_flag == 0) 1795 return; 1796 1797 for (i = 0; i < nitems; i++) { 1798 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1799 if (items[i].dps_minornm[0] == '\0') { 1800 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1801 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1802 } else 1803 au_uwrite(au_to_text(items[i].dps_minornm)); 1804 1805 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1806 AUT_PRIV, 0)); 1807 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1808 AUT_PRIV, 0)); 1809 } 1810 } 1811 1812 /*ARGSUSED*/ 1813 void 1814 audit_fdrecv(int fd, struct file *fp) 1815 { 1816 t_audit_data_t *tad; /* current thread */ 1817 f_audit_data_t *fad; /* per file audit structure */ 1818 struct vnode *vp; /* for file attributes */ 1819 1820 /* is this system call being audited */ 1821 tad = U2A(u); 1822 ASSERT(tad != (t_audit_data_t *)0); 1823 if (!tad->tad_flag) 1824 return; 1825 1826 fad = F2A(fp); 1827 1828 /* add path and file attributes */ 1829 if (fad != NULL && fad->fad_aupath != NULL) { 1830 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1831 au_uwrite(au_to_path(fad->fad_aupath)); 1832 } else { 1833 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1834 #ifdef _LP64 1835 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1836 #else 1837 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1838 #endif 1839 } 1840 vp = fp->f_vnode; /* include vnode attributes */ 1841 audit_attributes(vp); 1842 } 1843 1844 /* 1845 * ROUTINE: AUDIT_CRYPTOADM 1846 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1847 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1848 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1849 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1850 * CRYPTO_LOAD_DOOR 1851 * NOTE: 1852 * TODO: 1853 * QUESTION: 1854 */ 1855 1856 void 1857 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1858 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1859 { 1860 boolean_t mech_list_required = B_FALSE; 1861 cred_t *cr = CRED(); 1862 t_audit_data_t *tad; 1863 token_t *ad = NULL; 1864 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1865 char buffer[MAXNAMELEN * 2]; 1866 au_kcontext_t *kctx = GET_KCTX_PZ; 1867 1868 tad = U2A(u); 1869 if (tad == NULL) 1870 return; 1871 1872 if (ainfo == NULL) 1873 return; 1874 1875 tad->tad_event = AUE_CRYPTOADM; 1876 1877 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1878 return; 1879 1880 /* Add subject information */ 1881 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1882 1883 switch (cmd) { 1884 case CRYPTO_LOAD_DEV_DISABLED: 1885 if (error == 0 && rv == CRYPTO_SUCCESS) { 1886 (void) snprintf(buffer, sizeof (buffer), 1887 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1888 " dev_instance=%d", 1889 module_name, device_instance); 1890 mech_list_required = B_TRUE; 1891 } else { 1892 (void) snprintf(buffer, sizeof (buffer), 1893 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1894 } 1895 break; 1896 1897 case CRYPTO_LOAD_SOFT_DISABLED: 1898 if (error == 0 && rv == CRYPTO_SUCCESS) { 1899 (void) snprintf(buffer, sizeof (buffer), 1900 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1901 module_name); 1902 mech_list_required = B_TRUE; 1903 } else { 1904 (void) snprintf(buffer, sizeof (buffer), 1905 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1906 } 1907 break; 1908 1909 case CRYPTO_UNLOAD_SOFT_MODULE: 1910 if (error == 0 && rv == CRYPTO_SUCCESS) { 1911 (void) snprintf(buffer, sizeof (buffer), 1912 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1913 module_name); 1914 } else { 1915 (void) snprintf(buffer, sizeof (buffer), 1916 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1917 } 1918 break; 1919 1920 case CRYPTO_LOAD_SOFT_CONFIG: 1921 if (error == 0 && rv == CRYPTO_SUCCESS) { 1922 (void) snprintf(buffer, sizeof (buffer), 1923 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1924 module_name); 1925 mech_list_required = B_TRUE; 1926 } else { 1927 (void) snprintf(buffer, sizeof (buffer), 1928 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1929 } 1930 break; 1931 1932 case CRYPTO_POOL_CREATE: 1933 (void) snprintf(buffer, sizeof (buffer), 1934 "op=CRYPTO_POOL_CREATE"); 1935 break; 1936 1937 case CRYPTO_POOL_WAIT: 1938 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1939 break; 1940 1941 case CRYPTO_POOL_RUN: 1942 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1943 break; 1944 1945 case CRYPTO_LOAD_DOOR: 1946 if (error == 0 && rv == CRYPTO_SUCCESS) 1947 (void) snprintf(buffer, sizeof (buffer), 1948 "op=CRYPTO_LOAD_DOOR"); 1949 else 1950 (void) snprintf(buffer, sizeof (buffer), 1951 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1952 break; 1953 1954 case CRYPTO_FIPS140_SET: 1955 (void) snprintf(buffer, sizeof (buffer), 1956 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1957 break; 1958 1959 default: 1960 return; 1961 } 1962 1963 au_write((caddr_t *)&ad, au_to_text(buffer)); 1964 1965 if (mech_list_required) { 1966 int i; 1967 1968 if (mech_count == 0) { 1969 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1970 } else { 1971 char *pb = buffer; 1972 size_t l = sizeof (buffer); 1973 size_t n; 1974 char space[2] = ":"; 1975 1976 n = snprintf(pb, l, "mech="); 1977 1978 for (i = 0; i < mech_count; i++) { 1979 pb += n; 1980 l = (n >= l) ? 0 : l - n; 1981 1982 if (i == mech_count - 1) 1983 (void) strcpy(space, ""); 1984 1985 n = snprintf(pb, l, "%s%s", mech_names[i], 1986 space); 1987 } 1988 au_write((caddr_t *)&ad, au_to_text(buffer)); 1989 } 1990 } 1991 1992 /* add a return token */ 1993 if (error || (rv != CRYPTO_SUCCESS)) 1994 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1995 else 1996 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1997 1998 AS_INC(as_generated, 1, kctx); 1999 AS_INC(as_kernel, 1, kctx); 2000 2001 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 2002 NULL); 2003 } 2004 2005 /* 2006 * Audit the kernel SSL administration command. The address and the 2007 * port number for the SSL instance, and the proxy port are put in the 2008 * audit trail. 2009 */ 2010 void 2011 audit_kssl(int cmd, void *params, int error) 2012 { 2013 cred_t *cr = CRED(); 2014 t_audit_data_t *tad; 2015 token_t *ad = NULL; 2016 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2017 au_kcontext_t *kctx = GET_KCTX_PZ; 2018 2019 tad = U2A(u); 2020 2021 if (ainfo == NULL) 2022 return; 2023 2024 tad->tad_event = AUE_CONFIGKSSL; 2025 2026 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2027 return; 2028 2029 /* Add subject information */ 2030 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2031 2032 switch (cmd) { 2033 case KSSL_ADD_ENTRY: { 2034 char buf[32]; 2035 kssl_params_t *kp = (kssl_params_t *)params; 2036 struct sockaddr_in6 *saddr = &kp->kssl_addr; 2037 2038 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2039 au_write((caddr_t *)&ad, 2040 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2041 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2042 saddr->sin6_port); 2043 au_write((caddr_t *)&ad, au_to_text(buf)); 2044 2045 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2046 kp->kssl_proxy_port); 2047 au_write((caddr_t *)&ad, au_to_text(buf)); 2048 break; 2049 } 2050 2051 case KSSL_DELETE_ENTRY: { 2052 char buf[32]; 2053 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 2054 2055 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2056 au_write((caddr_t *)&ad, 2057 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2058 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2059 saddr->sin6_port); 2060 au_write((caddr_t *)&ad, au_to_text(buf)); 2061 break; 2062 } 2063 2064 default: 2065 return; 2066 } 2067 2068 /* add a return token */ 2069 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2070 2071 AS_INC(as_generated, 1, kctx); 2072 AS_INC(as_kernel, 1, kctx); 2073 2074 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 2075 NULL); 2076 } 2077 2078 /* 2079 * Audit the kernel PF_POLICY administration commands. Record command, 2080 * zone, policy type (global or tunnel, active or inactive) 2081 */ 2082 /* 2083 * ROUTINE: AUDIT_PF_POLICY 2084 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2085 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2086 * SPD_CLONE, SPD_FLIP 2087 * NOTE: 2088 * TODO: 2089 * QUESTION: 2090 */ 2091 2092 void 2093 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2094 boolean_t active, int error, pid_t pid) 2095 { 2096 const auditinfo_addr_t *ainfo; 2097 t_audit_data_t *tad; 2098 token_t *ad = NULL; 2099 au_kcontext_t *kctx = GET_KCTX_PZ; 2100 char buf[80]; 2101 int flag; 2102 2103 tad = U2A(u); 2104 if (tad == NULL) 2105 return; 2106 2107 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2108 if (ainfo == NULL) 2109 return; 2110 2111 /* 2112 * Initialize some variables since these are only set 2113 * with system calls. 2114 */ 2115 2116 switch (cmd) { 2117 case SPD_ADDRULE: { 2118 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2119 break; 2120 } 2121 2122 case SPD_DELETERULE: { 2123 tad->tad_event = AUE_PF_POLICY_DELRULE; 2124 break; 2125 } 2126 2127 case SPD_FLUSH: { 2128 tad->tad_event = AUE_PF_POLICY_FLUSH; 2129 break; 2130 } 2131 2132 case SPD_UPDATEALGS: { 2133 tad->tad_event = AUE_PF_POLICY_ALGS; 2134 break; 2135 } 2136 2137 case SPD_CLONE: { 2138 tad->tad_event = AUE_PF_POLICY_CLONE; 2139 break; 2140 } 2141 2142 case SPD_FLIP: { 2143 tad->tad_event = AUE_PF_POLICY_FLIP; 2144 break; 2145 } 2146 2147 default: 2148 tad->tad_event = AUE_NULL; 2149 } 2150 2151 tad->tad_evmod = 0; 2152 2153 if (flag = audit_success(kctx, tad, error, cred)) { 2154 zone_t *nszone; 2155 2156 /* 2157 * For now, just audit that an event happened, 2158 * along with the error code. 2159 */ 2160 au_write((caddr_t *)&ad, 2161 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2162 au_write((caddr_t *)&ad, 2163 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2164 2165 /* Supplemental data */ 2166 2167 /* 2168 * Generate this zone token if the target zone differs 2169 * from the administrative zone. If netstacks are expanded 2170 * to something other than a 1-1 relationship with zones, 2171 * the auditing framework should create a new token type 2172 * and audit it as a netstack instead. 2173 * Turn on general zone auditing to get the administrative zone. 2174 */ 2175 2176 nszone = zone_find_by_id(netstackid_to_zoneid( 2177 ns->netstack_stackid)); 2178 if (nszone != NULL) { 2179 if (strncmp(crgetzone(cred)->zone_name, 2180 nszone->zone_name, ZONENAME_MAX) != 0) { 2181 token_t *ztoken; 2182 2183 ztoken = au_to_zonename(0, nszone); 2184 au_write((caddr_t *)&ad, ztoken); 2185 } 2186 zone_rele(nszone); 2187 } 2188 2189 if (tun != NULL) { 2190 /* write tunnel name - tun is bounded */ 2191 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2192 tun); 2193 au_write((caddr_t *)&ad, au_to_text(buf)); 2194 } 2195 2196 /* Add subject information */ 2197 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2198 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2199 2200 /* add a return token */ 2201 add_return_token((caddr_t *)&ad, 0, error, 0); 2202 2203 AS_INC(as_generated, 1, kctx); 2204 AS_INC(as_kernel, 1, kctx); 2205 2206 } 2207 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2208 NULL); 2209 2210 /* 2211 * clear the ctrl flag so that we don't have spurious collection of 2212 * audit information. 2213 */ 2214 tad->tad_scid = 0; 2215 tad->tad_event = 0; 2216 tad->tad_evmod = 0; 2217 tad->tad_ctrl = 0; 2218 } 2219 2220 /* 2221 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2222 * PURPOSE: Add security attributes 2223 * CALLBY: AUDIT_ATTRIBUTES 2224 * AUDIT_CLOSEF 2225 * AUS_CLOSE 2226 * NOTE: 2227 * TODO: 2228 * QUESTION: 2229 */ 2230 2231 void 2232 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2233 { 2234 /* Dump the SL */ 2235 if (is_system_labeled()) { 2236 ts_label_t *tsl; 2237 bslabel_t *bsl; 2238 2239 tsl = getflabel(vp); 2240 if (tsl == NULL) 2241 return; /* nothing else to do */ 2242 2243 bsl = label2bslabel(tsl); 2244 if (bsl == NULL) 2245 return; /* nothing else to do */ 2246 au_write(ad, au_to_label(bsl)); 2247 label_rele(tsl); 2248 } 2249 2250 } /* AUDIT_SEC_ATTRIBUTES */ 2251