1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit hook support code for auditing. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/proc.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/file.h> 34 #include <sys/user.h> 35 #include <sys/stropts.h> 36 #include <sys/systm.h> 37 #include <sys/pathname.h> 38 #include <sys/syscall.h> 39 #include <sys/fcntl.h> 40 #include <sys/ipc_impl.h> 41 #include <sys/msg_impl.h> 42 #include <sys/sem_impl.h> 43 #include <sys/shm_impl.h> 44 #include <sys/kmem.h> /* for KM_SLEEP */ 45 #include <sys/socket.h> 46 #include <sys/cmn_err.h> /* snprintf... */ 47 #include <sys/debug.h> 48 #include <sys/thread.h> 49 #include <netinet/in.h> 50 #include <c2/audit.h> /* needs to be included before user.h */ 51 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 52 #include <c2/audit_kevents.h> 53 #include <c2/audit_record.h> 54 #include <sys/strsubr.h> 55 #include <sys/tihdr.h> 56 #include <sys/tiuser.h> 57 #include <sys/timod.h> 58 #include <sys/model.h> /* for model_t */ 59 #include <sys/disp.h> /* for servicing_interrupt() */ 60 #include <sys/devpolicy.h> 61 #include <sys/crypto/ioctladmin.h> 62 #include <sys/cred_impl.h> 63 #include <inet/kssl/kssl.h> 64 #include <net/pfpolicy.h> 65 66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 67 68 static void audit_pathbuild(struct pathname *pnp); 69 70 71 /* 72 * ROUTINE: AUDIT_SAVEPATH 73 * PURPOSE: 74 * CALLBY: LOOKUPPN 75 * 76 * NOTE: We have reached the end of a path in fs/lookup.c. 77 * We get two pieces of information here: 78 * the vnode of the last component (vp) and 79 * the status of the last access (flag). 80 * TODO: 81 * QUESTION: 82 */ 83 84 /*ARGSUSED*/ 85 int 86 audit_savepath( 87 struct pathname *pnp, /* pathname to lookup */ 88 struct vnode *vp, /* vnode of the last component */ 89 struct vnode *pvp, /* vnode of the last parent component */ 90 int flag, /* status of the last access */ 91 cred_t *cr) /* cred of requestor */ 92 { 93 94 t_audit_data_t *tad; /* current thread */ 95 au_kcontext_t *kctx = GET_KCTX_PZ; 96 97 tad = U2A(u); 98 99 /* 100 * Noise elimination in audit trails - this event will be discarded if: 101 * - the public policy is not active AND 102 * - the system call is a public operation AND 103 * - the file was not found: VFS lookup failed with ENOENT error AND 104 * - the missing file would have been located in the public directory 105 * owned by root if it had existed 106 */ 107 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && 108 (tad->tad_ctrl & TAD_PUBLIC_EV) && 109 !(kctx->auk_policy & AUDIT_PUBLIC)) { 110 struct vattr attr; 111 112 attr.va_mask = AT_ALL; 113 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { 114 if (object_is_public(&attr)) { 115 tad->tad_ctrl |= TAD_NOAUDIT; 116 } 117 } 118 } 119 120 /* 121 * this event being audited or do we need path information 122 * later? This might be for a chdir/chroot or open (add path 123 * to file pointer. If the path has already been found for an 124 * open/creat then we don't need to process the path. 125 * 126 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 127 * chroot, chdir, open, creat system call processing. It determines 128 * if audit_savepath() will discard the path or we need it later. 129 * TAD_PATHFND means path already included in this audit record. It 130 * is used in cases where multiple path lookups are done per 131 * system call. The policy flag, AUDIT_PATH, controls if multiple 132 * paths are allowed. 133 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 134 * exit processing to inhibit any paths that may be added due to 135 * closes. 136 */ 137 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 138 ((tad->tad_ctrl & TAD_PATHFND) && 139 !(kctx->auk_policy & AUDIT_PATH)) || 140 (tad->tad_ctrl & TAD_NOPATH)) { 141 return (0); 142 } 143 144 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ 145 146 audit_pathbuild(pnp); 147 148 /* 149 * are we auditing only if error, or if it is not open or create 150 * otherwise audit_setf will do it 151 */ 152 153 if (tad->tad_flag) { 154 if (flag && 155 (tad->tad_scid == SYS_open || 156 tad->tad_scid == SYS_open64 || 157 tad->tad_scid == SYS_openat || 158 tad->tad_scid == SYS_openat64)) { 159 tad->tad_ctrl |= TAD_TRUE_CREATE; 160 } 161 162 /* add token to audit record for this name */ 163 au_uwrite(au_to_path(tad->tad_aupath)); 164 165 /* add the attributes of the object */ 166 if (vp) { 167 /* 168 * only capture attributes when there is no error 169 * lookup will not return the vnode of the failing 170 * component. 171 * 172 * if there was a lookup error, then don't add 173 * attribute. if lookup in vn_create(), 174 * then don't add attribute, 175 * it will be added at end of vn_create(). 176 */ 177 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) 178 audit_attributes(vp); 179 } 180 } 181 182 /* free up space if we're not going to save path (open, creat) */ 183 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { 184 if (tad->tad_aupath != NULL) { 185 au_pathrele(tad->tad_aupath); 186 tad->tad_aupath = NULL; 187 } 188 } 189 if (tad->tad_ctrl & TAD_MLD) 190 tad->tad_ctrl |= TAD_PATHFND; 191 192 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ 193 return (0); 194 } 195 196 static void 197 audit_pathbuild(struct pathname *pnp) 198 { 199 char *pp; /* pointer to path */ 200 int len; /* length of incoming segment */ 201 int newsect; /* path requires a new section */ 202 struct audit_path *pfxapp; /* prefix for path */ 203 struct audit_path *newapp; /* new audit_path */ 204 t_audit_data_t *tad; /* current thread */ 205 p_audit_data_t *pad; /* current process */ 206 207 tad = U2A(u); 208 ASSERT(tad != NULL); 209 pad = P2A(curproc); 210 ASSERT(pad != NULL); 211 212 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 213 ASSERT(len > 0); 214 215 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 216 mutex_enter(&pad->pad_lock); 217 if (tad->tad_aupath != NULL) { 218 pfxapp = tad->tad_aupath; 219 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { 220 ASSERT(tad->tad_atpath != NULL); 221 pfxapp = tad->tad_atpath; 222 } else if (tad->tad_ctrl & TAD_ABSPATH) { 223 pfxapp = pad->pad_root; 224 } else { 225 pfxapp = pad->pad_cwd; 226 } 227 au_pathhold(pfxapp); 228 mutex_exit(&pad->pad_lock); 229 230 /* get an expanded buffer to hold the anchored path */ 231 newsect = tad->tad_ctrl & TAD_ATTPATH; 232 newapp = au_pathdup(pfxapp, newsect, len); 233 au_pathrele(pfxapp); 234 235 pp = newapp->audp_sect[newapp->audp_cnt] - len; 236 if (!newsect) { 237 /* overlay previous NUL terminator */ 238 *(pp - 1) = '/'; 239 } 240 241 /* now add string of processed path */ 242 bcopy(pnp->pn_buf, pp, len); 243 pp[len - 1] = '\0'; 244 245 /* perform path simplification as necessary */ 246 audit_fixpath(newapp, len); 247 248 if (tad->tad_aupath) 249 au_pathrele(tad->tad_aupath); 250 tad->tad_aupath = newapp; 251 252 /* for case where multiple lookups in one syscall (rename) */ 253 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); 254 } 255 256 257 /* 258 * ROUTINE: AUDIT_ANCHORPATH 259 * PURPOSE: 260 * CALLBY: LOOKUPPN 261 * NOTE: 262 * anchor path at "/". We have seen a symbolic link or entering for the 263 * first time we will throw away any saved path if path is anchored. 264 * 265 * flag = 0, path is relative. 266 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. 267 * 268 * If the (new) path is absolute, then we have to throw away whatever we have 269 * already accumulated since it is being superseded by new path which is 270 * anchored at the root. 271 * Note that if the path is relative, this function does nothing 272 * TODO: 273 * QUESTION: 274 */ 275 /*ARGSUSED*/ 276 void 277 audit_anchorpath(struct pathname *pnp, int flag) 278 { 279 au_kcontext_t *kctx = GET_KCTX_PZ; 280 t_audit_data_t *tad; 281 282 tad = U2A(u); 283 284 /* 285 * this event being audited or do we need path information 286 * later? This might be for a chdir/chroot or open (add path 287 * to file pointer. If the path has already been found for an 288 * open/creat then we don't need to process the path. 289 * 290 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 291 * chroot, chdir, open, creat system call processing. It determines 292 * if audit_savepath() will discard the path or we need it later. 293 * TAD_PATHFND means path already included in this audit record. It 294 * is used in cases where multiple path lookups are done per 295 * system call. The policy flag, AUDIT_PATH, controls if multiple 296 * paths are allowed. 297 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 298 * exit processing to inhibit any paths that may be added due to 299 * closes. 300 */ 301 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 302 ((tad->tad_ctrl & TAD_PATHFND) && 303 !(kctx->auk_policy & AUDIT_PATH)) || 304 (tad->tad_ctrl & TAD_NOPATH)) { 305 return; 306 } 307 308 if (flag) { 309 tad->tad_ctrl |= TAD_ABSPATH; 310 if (tad->tad_aupath != NULL) { 311 au_pathrele(tad->tad_aupath); 312 tad->tad_aupath = NULL; 313 } 314 } 315 } 316 317 318 /* 319 * symbolic link. Save previous components. 320 * 321 * the path seen so far looks like this 322 * 323 * +-----------------------+----------------+ 324 * | path processed so far | remaining path | 325 * +-----------------------+----------------+ 326 * \-----------------------/ 327 * save this string if 328 * symbolic link relative 329 * (but don't include symlink component) 330 */ 331 332 /*ARGSUSED*/ 333 334 335 /* 336 * ROUTINE: AUDIT_SYMLINK 337 * PURPOSE: 338 * CALLBY: LOOKUPPN 339 * NOTE: 340 * TODO: 341 * QUESTION: 342 */ 343 void 344 audit_symlink(struct pathname *pnp, struct pathname *sympath) 345 { 346 char *sp; /* saved initial pp */ 347 char *cp; /* start of symlink path */ 348 uint_t len_path; /* processed path before symlink */ 349 t_audit_data_t *tad; 350 au_kcontext_t *kctx = GET_KCTX_PZ; 351 352 tad = U2A(u); 353 354 /* 355 * this event being audited or do we need path information 356 * later? This might be for a chdir/chroot or open (add path 357 * to file pointer. If the path has already been found for an 358 * open/creat then we don't need to process the path. 359 * 360 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 361 * chroot, chdir, open, creat system call processing. It determines 362 * if audit_savepath() will discard the path or we need it later. 363 * TAD_PATHFND means path already included in this audit record. It 364 * is used in cases where multiple path lookups are done per 365 * system call. The policy flag, AUDIT_PATH, controls if multiple 366 * paths are allowed. 367 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 368 * exit processing to inhibit any paths that may be added due to 369 * closes. 370 */ 371 if ((tad->tad_flag == 0 && 372 !(tad->tad_ctrl & TAD_SAVPATH)) || 373 ((tad->tad_ctrl & TAD_PATHFND) && 374 !(kctx->auk_policy & AUDIT_PATH)) || 375 (tad->tad_ctrl & TAD_NOPATH)) { 376 return; 377 } 378 379 /* 380 * if symbolic link is anchored at / then do nothing. 381 * When we cycle back to begin: in lookuppn() we will 382 * call audit_anchorpath() with a flag indicating if the 383 * path is anchored at / or is relative. We will release 384 * any saved path at that point. 385 * 386 * Note In the event that an error occurs in pn_combine then 387 * we want to remain pointing at the component that caused the 388 * path to overflow the pnp structure. 389 */ 390 if (sympath->pn_buf[0] == '/') 391 return; 392 393 /* backup over last component */ 394 sp = cp = pnp->pn_path; 395 while (*--cp != '/' && cp > pnp->pn_buf) 396 ; 397 398 len_path = cp - pnp->pn_buf; 399 400 /* is there anything to save? */ 401 if (len_path) { 402 pnp->pn_path = pnp->pn_buf; 403 audit_pathbuild(pnp); 404 pnp->pn_path = sp; 405 } 406 } 407 408 /* 409 * object_is_public : determine whether events for the object (corresponding to 410 * the specified file/directory attr) should be audited or 411 * ignored. 412 * 413 * returns: 1 - if audit policy and object attributes indicate that 414 * file/directory is effectively public. read events for 415 * the file should not be audited. 416 * 0 - otherwise 417 * 418 * The required attributes to be considered a public object are: 419 * - owned by root, AND 420 * - world-readable (permissions for other include read), AND 421 * - NOT world-writeable (permissions for other don't 422 * include write) 423 * (mode doesn't need to be checked for symlinks) 424 */ 425 int 426 object_is_public(struct vattr *attr) 427 { 428 au_kcontext_t *kctx = GET_KCTX_PZ; 429 430 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 431 ((attr->va_type == VLNK) || 432 ((attr->va_mode & (VREAD>>6)) != 0) && 433 ((attr->va_mode & (VWRITE>>6)) == 0))) { 434 return (1); 435 } 436 return (0); 437 } 438 439 440 /* 441 * ROUTINE: AUDIT_ATTRIBUTES 442 * PURPOSE: Audit the attributes so we can tell why the error occurred 443 * CALLBY: AUDIT_SAVEPATH 444 * AUDIT_VNCREATE_FINISH 445 * AUS_FCHOWN...audit_event.c...audit_path.c 446 * NOTE: 447 * TODO: 448 * QUESTION: 449 */ 450 void 451 audit_attributes(struct vnode *vp) 452 { 453 struct vattr attr; 454 struct t_audit_data *tad; 455 456 tad = U2A(u); 457 458 if (vp) { 459 attr.va_mask = AT_ALL; 460 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 461 return; 462 463 if (object_is_public(&attr) && 464 (tad->tad_ctrl & TAD_PUBLIC_EV)) { 465 /* 466 * This is a public object and a "public" event 467 * (i.e., read only) -- either by definition 468 * (e.g., stat, access...) or by virtue of write access 469 * not being requested (e.g. mmap). 470 * Flag it in the tad to prevent this audit at the end. 471 */ 472 tad->tad_ctrl |= TAD_NOAUDIT; 473 } else { 474 au_uwrite(au_to_attr(&attr)); 475 audit_sec_attributes(&(u_ad), vp); 476 } 477 } 478 } 479 480 481 /* 482 * ROUTINE: AUDIT_EXIT 483 * PURPOSE: 484 * CALLBY: EXIT 485 * NOTE: 486 * TODO: 487 * QUESTION: why cmw code as offset by 2 but not here 488 */ 489 /* ARGSUSED */ 490 void 491 audit_exit(int code, int what) 492 { 493 struct t_audit_data *tad; 494 tad = U2A(u); 495 496 /* 497 * tad_scid will be set by audit_start even if we are not auditing 498 * the event. 499 */ 500 if (tad->tad_scid == SYS_exit) { 501 /* 502 * if we are auditing the exit system call, then complete 503 * audit record generation (no return from system call). 504 */ 505 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 506 audit_finish(0, SYS_exit, 0, 0); 507 return; 508 } 509 510 /* 511 * Anyone auditing the system call that was aborted? 512 */ 513 if (tad->tad_flag) { 514 au_uwrite(au_to_text("event aborted")); 515 audit_finish(0, tad->tad_scid, 0, 0); 516 } 517 518 /* 519 * Generate an audit record for process exit if preselected. 520 */ 521 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 522 audit_finish(0, SYS_exit, 0, 0); 523 } 524 525 /* 526 * ROUTINE: AUDIT_CORE_START 527 * PURPOSE: 528 * CALLBY: PSIG 529 * NOTE: 530 * TODO: 531 */ 532 void 533 audit_core_start(int sig) 534 { 535 au_event_t event; 536 au_state_t estate; 537 t_audit_data_t *tad; 538 au_kcontext_t *kctx; 539 540 tad = U2A(u); 541 542 ASSERT(tad != (t_audit_data_t *)0); 543 544 ASSERT(tad->tad_scid == 0); 545 ASSERT(tad->tad_event == 0); 546 ASSERT(tad->tad_evmod == 0); 547 ASSERT(tad->tad_ctrl == 0); 548 ASSERT(tad->tad_flag == 0); 549 ASSERT(tad->tad_aupath == NULL); 550 551 kctx = GET_KCTX_PZ; 552 553 /* get basic event for system call */ 554 event = AUE_CORE; 555 estate = kctx->auk_ets[event]; 556 557 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 558 return; 559 560 /* reset the flags for non-user attributable events */ 561 tad->tad_ctrl = TAD_CORE; 562 tad->tad_scid = 0; 563 564 /* if auditing not enabled, then don't generate an audit record */ 565 566 if (!((kctx->auk_auditstate == AUC_AUDITING || 567 kctx->auk_auditstate == AUC_INIT_AUDIT) || 568 kctx->auk_auditstate == AUC_NOSPACE)) { 569 tad->tad_flag = 0; 570 tad->tad_ctrl = 0; 571 return; 572 } 573 574 tad->tad_event = event; 575 tad->tad_evmod = 0; 576 577 ASSERT(tad->tad_ad == NULL); 578 579 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 580 } 581 582 /* 583 * ROUTINE: AUDIT_CORE_FINISH 584 * PURPOSE: 585 * CALLBY: PSIG 586 * NOTE: 587 * TODO: 588 * QUESTION: 589 */ 590 591 /*ARGSUSED*/ 592 void 593 audit_core_finish(int code) 594 { 595 int flag; 596 t_audit_data_t *tad; 597 au_kcontext_t *kctx; 598 599 tad = U2A(u); 600 601 ASSERT(tad != (t_audit_data_t *)0); 602 603 if ((flag = tad->tad_flag) == 0) { 604 tad->tad_event = 0; 605 tad->tad_evmod = 0; 606 tad->tad_ctrl = 0; 607 ASSERT(tad->tad_aupath == NULL); 608 return; 609 } 610 tad->tad_flag = 0; 611 612 kctx = GET_KCTX_PZ; 613 614 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 615 if (flag = audit_success(kctx, tad, 0, NULL)) { 616 cred_t *cr = CRED(); 617 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 618 619 ASSERT(ainfo != NULL); 620 621 /* 622 * Add subject information (no locks since our private copy of 623 * credential 624 */ 625 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 626 627 /* Add a return token (should use f argument) */ 628 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 629 630 AS_INC(as_generated, 1, kctx); 631 AS_INC(as_kernel, 1, kctx); 632 } 633 634 /* Close up everything */ 635 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 636 637 /* free up any space remaining with the path's */ 638 if (tad->tad_aupath != NULL) { 639 au_pathrele(tad->tad_aupath); 640 tad->tad_aupath = NULL; 641 } 642 tad->tad_event = 0; 643 tad->tad_evmod = 0; 644 tad->tad_ctrl = 0; 645 } 646 647 648 /*ARGSUSED*/ 649 void 650 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 651 unsigned char *pri, int *flag, int fmode) 652 { 653 struct stdata *stp; 654 t_audit_data_t *tad = U2A(u); 655 656 ASSERT(tad != (t_audit_data_t *)0); 657 658 stp = vp->v_stream; 659 660 /* lock stdata from audit_sock */ 661 mutex_enter(&stp->sd_lock); 662 663 /* proceed ONLY if user is being audited */ 664 if (!tad->tad_flag) { 665 /* 666 * this is so we will not add audit data onto 667 * a thread that is not being audited. 668 */ 669 stp->sd_t_audit_data = NULL; 670 mutex_exit(&stp->sd_lock); 671 return; 672 } 673 674 stp->sd_t_audit_data = (caddr_t)curthread; 675 mutex_exit(&stp->sd_lock); 676 } 677 678 /*ARGSUSED*/ 679 void 680 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 681 unsigned char pri, int flag, int fmode) 682 { 683 struct stdata *stp; 684 t_audit_data_t *tad = U2A(u); 685 686 ASSERT(tad != (t_audit_data_t *)0); 687 688 stp = vp->v_stream; 689 690 /* lock stdata from audit_sock */ 691 mutex_enter(&stp->sd_lock); 692 693 /* proceed ONLY if user is being audited */ 694 if (!tad->tad_flag) { 695 /* 696 * this is so we will not add audit data onto 697 * a thread that is not being audited. 698 */ 699 stp->sd_t_audit_data = NULL; 700 mutex_exit(&stp->sd_lock); 701 return; 702 } 703 704 stp->sd_t_audit_data = (caddr_t)curthread; 705 mutex_exit(&stp->sd_lock); 706 } 707 708 /* 709 * ROUTINE: AUDIT_CLOSEF 710 * PURPOSE: 711 * CALLBY: CLOSEF 712 * NOTE: 713 * release per file audit resources when file structure is being released. 714 * 715 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 716 * on the audit queue if it becomes full. This means 717 * audit_closef can not be called when f_count == 0. Since 718 * f_count == 0 indicates the file structure is free, another 719 * process could attempt to use the file while we were still 720 * asleep waiting on the audit queue. This would cause the 721 * per file audit data to be corrupted when we finally do 722 * wakeup. 723 * TODO: 724 * QUESTION: 725 */ 726 727 void 728 audit_closef(struct file *fp) 729 { /* AUDIT_CLOSEF */ 730 f_audit_data_t *fad; 731 t_audit_data_t *tad; 732 int success; 733 au_state_t estate; 734 struct vnode *vp; 735 token_t *ad = NULL; 736 struct vattr attr; 737 au_emod_t evmod = 0; 738 const auditinfo_addr_t *ainfo; 739 int getattr_ret; 740 cred_t *cr; 741 au_kcontext_t *kctx = GET_KCTX_PZ; 742 uint32_t auditing; 743 744 fad = F2A(fp); 745 estate = kctx->auk_ets[AUE_CLOSE]; 746 tad = U2A(u); 747 cr = CRED(); 748 749 /* audit record already generated by system call envelope */ 750 if (tad->tad_event == AUE_CLOSE) { 751 /* so close audit event will have bits set */ 752 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 753 return; 754 } 755 756 /* if auditing not enabled, then don't generate an audit record */ 757 auditing = (tad->tad_audit == AUC_UNSET) ? 758 kctx->auk_auditstate : tad->tad_audit; 759 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 760 return; 761 762 ainfo = crgetauinfo(cr); 763 if (ainfo == NULL) 764 return; 765 766 success = ainfo->ai_mask.as_success & estate; 767 768 /* not selected for this event */ 769 if (success == 0) 770 return; 771 772 /* 773 * can't use audit_attributes here since we use a private audit area 774 * to build the audit record instead of the one off the thread. 775 */ 776 if ((vp = fp->f_vnode) != NULL) { 777 attr.va_mask = AT_ALL; 778 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 779 } 780 781 /* 782 * When write was not used and the file can be considered public, 783 * then skip the audit. 784 */ 785 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 786 if (object_is_public(&attr)) { 787 return; 788 } 789 } 790 791 evmod = (au_emod_t)fad->fad_flags; 792 if (fad->fad_aupath != NULL) { 793 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 794 } else { 795 #ifdef _LP64 796 au_write((caddr_t *)&(ad), au_to_arg64( 797 1, "no path: fp", (uint64_t)fp)); 798 #else 799 au_write((caddr_t *)&(ad), au_to_arg32( 800 1, "no path: fp", (uint32_t)fp)); 801 #endif 802 } 803 804 if (getattr_ret == 0) { 805 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 806 audit_sec_attributes((caddr_t *)&(ad), vp); 807 } 808 809 /* Add subject information */ 810 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 811 812 /* add a return token */ 813 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 814 815 AS_INC(as_generated, 1, kctx); 816 AS_INC(as_kernel, 1, kctx); 817 818 /* 819 * Close up everything 820 * Note: path space recovery handled by normal system 821 * call envelope if not at last close. 822 * Note there is no failure at this point since 823 * this represents closes due to exit of process, 824 * thus we always indicate successful closes. 825 */ 826 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 827 AUE_CLOSE, evmod, NULL); 828 } 829 830 /* 831 * ROUTINE: AUDIT_SET 832 * PURPOSE: Audit the file path and file attributes. 833 * CALLBY: SETF 834 * NOTE: SETF associate a file pointer with user area's open files. 835 * TODO: 836 * call audit_finish directly ??? 837 * QUESTION: 838 */ 839 840 /*ARGSUSED*/ 841 void 842 audit_setf(file_t *fp, int fd) 843 { 844 f_audit_data_t *fad; 845 t_audit_data_t *tad; 846 847 if (fp == NULL) 848 return; 849 850 tad = T2A(curthread); 851 fad = F2A(fp); 852 853 if (!(tad->tad_scid == SYS_open || 854 tad->tad_scid == SYS_open64 || 855 tad->tad_scid == SYS_openat || 856 tad->tad_scid == SYS_openat64)) 857 return; 858 859 /* no path */ 860 if (tad->tad_aupath == 0) 861 return; 862 863 /* 864 * assign path information associated with file audit data 865 * use tad hold 866 */ 867 fad->fad_aupath = tad->tad_aupath; 868 tad->tad_aupath = NULL; 869 870 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { 871 /* adjust event type by dropping the 'creat' part */ 872 switch (tad->tad_event) { 873 case AUE_OPEN_RC: 874 tad->tad_event = AUE_OPEN_R; 875 tad->tad_ctrl |= TAD_PUBLIC_EV; 876 break; 877 case AUE_OPEN_RTC: 878 tad->tad_event = AUE_OPEN_RT; 879 break; 880 case AUE_OPEN_WC: 881 tad->tad_event = AUE_OPEN_W; 882 break; 883 case AUE_OPEN_WTC: 884 tad->tad_event = AUE_OPEN_WT; 885 break; 886 case AUE_OPEN_RWC: 887 tad->tad_event = AUE_OPEN_RW; 888 break; 889 case AUE_OPEN_RWTC: 890 tad->tad_event = AUE_OPEN_RWT; 891 break; 892 default: 893 break; 894 } 895 } 896 } 897 898 899 void 900 audit_ipc(int type, int id, void *vp) 901 { 902 /* if not auditing this event, then do nothing */ 903 if (ad_flag == 0) 904 return; 905 906 switch (type) { 907 case AT_IPC_MSG: 908 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 909 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 910 break; 911 case AT_IPC_SEM: 912 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 913 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 914 break; 915 case AT_IPC_SHM: 916 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 917 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 918 break; 919 } 920 } 921 922 void 923 audit_ipcget(int type, void *vp) 924 { 925 /* if not auditing this event, then do nothing */ 926 if (ad_flag == 0) 927 return; 928 929 switch (type) { 930 case NULL: 931 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 932 break; 933 case AT_IPC_MSG: 934 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 935 break; 936 case AT_IPC_SEM: 937 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 938 break; 939 case AT_IPC_SHM: 940 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 941 break; 942 } 943 } 944 945 /* 946 * ROUTINE: AUDIT_REBOOT 947 * PURPOSE: 948 * CALLBY: 949 * NOTE: 950 * At this point we know that the system call reboot will not return. We thus 951 * have to complete the audit record generation and put it onto the queue. 952 * This might be fairly useless if the auditing daemon is already dead.... 953 * TODO: 954 * QUESTION: who calls audit_reboot 955 */ 956 957 void 958 audit_reboot(void) 959 { 960 int flag; 961 t_audit_data_t *tad; 962 au_kcontext_t *kctx = GET_KCTX_PZ; 963 964 tad = U2A(u); 965 966 /* if not auditing this event, then do nothing */ 967 if (tad->tad_flag == 0) 968 return; 969 970 /* do preselection on success/failure */ 971 if (flag = audit_success(kctx, tad, 0, NULL)) { 972 /* add a process token */ 973 974 cred_t *cr = CRED(); 975 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 976 977 if (ainfo == NULL) 978 return; 979 980 /* Add subject information */ 981 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 982 983 /* add a return token */ 984 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 985 986 AS_INC(as_generated, 1, kctx); 987 AS_INC(as_kernel, 1, kctx); 988 } 989 990 /* 991 * Flow control useless here since we're going 992 * to drop everything in the queue anyway. Why 993 * block and wait. There aint anyone left alive to 994 * read the records remaining anyway. 995 */ 996 997 /* Close up everything */ 998 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 999 tad->tad_event, tad->tad_evmod, NULL); 1000 } 1001 1002 void 1003 audit_setfsat_path(int argnum) 1004 { 1005 klwp_id_t clwp = ttolwp(curthread); 1006 struct file *fp; 1007 uint32_t fd; 1008 t_audit_data_t *tad; 1009 struct f_audit_data *fad; 1010 p_audit_data_t *pad; /* current process */ 1011 uint_t fm; 1012 struct a { 1013 long arg1; 1014 long arg2; 1015 long arg3; 1016 long arg4; 1017 long arg5; 1018 } *uap; 1019 1020 if (clwp == NULL) 1021 return; 1022 uap = (struct a *)clwp->lwp_ap; 1023 1024 tad = U2A(u); 1025 ASSERT(tad != NULL); 1026 1027 switch (tad->tad_scid) { 1028 case SYS_faccessat: 1029 case SYS_fchownat: 1030 case SYS_fstatat: 1031 case SYS_fstatat64: 1032 case SYS_openat: 1033 case SYS_openat64: 1034 case SYS_unlinkat: 1035 fd = uap->arg1; 1036 break; 1037 case SYS_renameat: 1038 if (argnum == 3) 1039 fd = uap->arg3; 1040 else 1041 fd = uap->arg1; 1042 break; 1043 case SYS_utimesys: 1044 fd = uap->arg2; 1045 break; 1046 case SYS_open: 1047 case SYS_open64: 1048 fd = AT_FDCWD; 1049 break; 1050 default: 1051 return; 1052 } 1053 1054 if (tad->tad_atpath != NULL) { 1055 au_pathrele(tad->tad_atpath); 1056 tad->tad_atpath = NULL; 1057 } 1058 1059 if (fd != AT_FDCWD) { 1060 tad->tad_ctrl |= TAD_ATCALL; 1061 1062 if (tad->tad_scid == SYS_openat || 1063 tad->tad_scid == SYS_openat64) { 1064 fm = (uint_t)uap->arg3; 1065 if (fm & (FXATTR | FXATTRDIROPEN)) { 1066 tad->tad_ctrl |= TAD_ATTPATH; 1067 } 1068 } 1069 1070 if ((fp = getf(fd)) == NULL) { 1071 tad->tad_ctrl |= TAD_NOPATH; 1072 return; 1073 } 1074 fad = F2A(fp); 1075 ASSERT(fad); 1076 if (fad->fad_aupath == NULL) { 1077 tad->tad_ctrl |= TAD_NOPATH; 1078 releasef(fd); 1079 return; 1080 } 1081 au_pathhold(fad->fad_aupath); 1082 tad->tad_atpath = fad->fad_aupath; 1083 releasef(fd); 1084 } else { 1085 if (tad->tad_scid == SYS_open || 1086 tad->tad_scid == SYS_open64) { 1087 fm = (uint_t)uap->arg2; 1088 if (fm & FXATTR) { 1089 tad->tad_ctrl |= TAD_ATTPATH; 1090 } 1091 return; 1092 } 1093 pad = P2A(curproc); 1094 mutex_enter(&pad->pad_lock); 1095 au_pathhold(pad->pad_cwd); 1096 tad->tad_atpath = pad->pad_cwd; 1097 mutex_exit(&pad->pad_lock); 1098 } 1099 } 1100 1101 void 1102 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1103 { 1104 t_audit_data_t *tad; 1105 vnode_t *vp; 1106 1107 tad = U2A(u); 1108 1109 /* if not auditing this event, then do nothing */ 1110 if (tad->tad_flag == 0) 1111 return; 1112 1113 au_uwrite(au_to_text(target)); 1114 1115 if (error) 1116 return; 1117 1118 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1119 NULL, NULL, NULL); 1120 if (error == 0) { 1121 audit_attributes(vp); 1122 VN_RELE(vp); 1123 } 1124 } 1125 1126 /* 1127 * ROUTINE: AUDIT_VNCREATE_START 1128 * PURPOSE: set flag so path name lookup in create will not add attribute 1129 * CALLBY: VN_CREATE 1130 * NOTE: 1131 * TODO: 1132 * QUESTION: 1133 */ 1134 1135 void 1136 audit_vncreate_start() 1137 { 1138 t_audit_data_t *tad; 1139 1140 tad = U2A(u); 1141 tad->tad_ctrl |= TAD_NOATTRB; 1142 } 1143 1144 /* 1145 * ROUTINE: AUDIT_VNCREATE_FINISH 1146 * PURPOSE: 1147 * CALLBY: VN_CREATE 1148 * NOTE: 1149 * TODO: 1150 * QUESTION: 1151 */ 1152 void 1153 audit_vncreate_finish(struct vnode *vp, int error) 1154 { 1155 t_audit_data_t *tad; 1156 1157 if (error) 1158 return; 1159 1160 tad = U2A(u); 1161 1162 /* if not auditing this event, then do nothing */ 1163 if (tad->tad_flag == 0) 1164 return; 1165 1166 if (tad->tad_ctrl & TAD_TRUE_CREATE) { 1167 audit_attributes(vp); 1168 } 1169 1170 if (tad->tad_ctrl & TAD_CORE) { 1171 audit_attributes(vp); 1172 tad->tad_ctrl &= ~TAD_CORE; 1173 } 1174 1175 if (!error && ((tad->tad_event == AUE_MKNOD) || 1176 (tad->tad_event == AUE_MKDIR))) { 1177 audit_attributes(vp); 1178 } 1179 1180 /* for case where multiple lookups in one syscall (rename) */ 1181 tad->tad_ctrl &= ~TAD_NOATTRB; 1182 } 1183 1184 1185 1186 1187 1188 1189 1190 1191 /* 1192 * ROUTINE: AUDIT_EXEC 1193 * PURPOSE: Records the function arguments and environment variables 1194 * CALLBY: EXEC_ARGS 1195 * NOTE: 1196 * TODO: 1197 * QUESTION: 1198 */ 1199 1200 void 1201 audit_exec( 1202 const char *argstr, /* argument strings */ 1203 const char *envstr, /* environment strings */ 1204 ssize_t argc, /* total # arguments */ 1205 ssize_t envc, /* total # environment variables */ 1206 cred_t *pfcred) /* the additional privileges in a profile */ 1207 { 1208 t_audit_data_t *tad; 1209 au_kcontext_t *kctx = GET_KCTX_PZ; 1210 1211 tad = U2A(u); 1212 1213 /* if not auditing this event, then do nothing */ 1214 if (!tad->tad_flag) 1215 return; 1216 1217 if (pfcred != NULL) { 1218 p_audit_data_t *pad; 1219 cred_t *cr = CRED(); 1220 priv_set_t pset = CR_IPRIV(cr); 1221 1222 pad = P2A(curproc); 1223 1224 /* It's a different event. */ 1225 tad->tad_event = AUE_PFEXEC; 1226 1227 /* Add the current working directory to the audit trail. */ 1228 if (pad->pad_cwd != NULL) 1229 au_uwrite(au_to_path(pad->pad_cwd)); 1230 1231 /* 1232 * The new credential is not yet in place when audit_exec 1233 * is called. 1234 * Compute the additional bits available in the new credential 1235 * and the limit set. 1236 */ 1237 priv_inverse(&pset); 1238 priv_intersect(&CR_IPRIV(pfcred), &pset); 1239 if (!priv_isemptyset(&pset) || 1240 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1241 au_uwrite(au_to_privset( 1242 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1243 0)); 1244 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1245 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1246 } 1247 /* 1248 * Compare the uids & gids: create a process token if changed. 1249 */ 1250 if (crgetuid(cr) != crgetuid(pfcred) || 1251 crgetruid(cr) != crgetruid(pfcred) || 1252 crgetgid(cr) != crgetgid(pfcred) || 1253 crgetrgid(cr) != crgetrgid(pfcred)) { 1254 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1255 } 1256 } 1257 1258 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1259 au_uwrite(au_to_exec_args(argstr, argc)); 1260 1261 if (kctx->auk_policy & AUDIT_ARGE) 1262 au_uwrite(au_to_exec_env(envstr, envc)); 1263 } 1264 1265 /* 1266 * ROUTINE: AUDIT_ENTERPROM 1267 * PURPOSE: 1268 * CALLBY: KBDINPUT 1269 * ZSA_XSINT 1270 * NOTE: 1271 * TODO: 1272 * QUESTION: 1273 */ 1274 void 1275 audit_enterprom(int flg) 1276 { 1277 token_t *rp = NULL; 1278 int sorf; 1279 1280 if (flg) 1281 sorf = AUM_SUCC; 1282 else 1283 sorf = AUM_FAIL; 1284 1285 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1286 1287 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1288 1289 if (flg) 1290 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1291 else 1292 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1293 1294 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1295 } 1296 1297 1298 /* 1299 * ROUTINE: AUDIT_EXITPROM 1300 * PURPOSE: 1301 * CALLBY: KBDINPUT 1302 * ZSA_XSINT 1303 * NOTE: 1304 * TODO: 1305 * QUESTION: 1306 */ 1307 void 1308 audit_exitprom(int flg) 1309 { 1310 int sorf; 1311 token_t *rp = NULL; 1312 1313 if (flg) 1314 sorf = AUM_SUCC; 1315 else 1316 sorf = AUM_FAIL; 1317 1318 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1319 1320 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1321 1322 if (flg) 1323 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1324 else 1325 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1326 1327 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1328 } 1329 1330 struct fcntla { 1331 int fdes; 1332 int cmd; 1333 intptr_t arg; 1334 }; 1335 1336 1337 /* 1338 * ROUTINE: AUDIT_CHDIREC 1339 * PURPOSE: 1340 * CALLBY: CHDIREC 1341 * NOTE: The main function of CHDIREC 1342 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1343 * QUESTION: 1344 */ 1345 1346 /*ARGSUSED*/ 1347 void 1348 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1349 { 1350 int chdir; 1351 int fchdir; 1352 struct audit_path **appp; 1353 struct file *fp; 1354 f_audit_data_t *fad; 1355 p_audit_data_t *pad = P2A(curproc); 1356 t_audit_data_t *tad = T2A(curthread); 1357 1358 struct a { 1359 long fd; 1360 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1361 1362 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1363 chdir = tad->tad_scid == SYS_chdir; 1364 if (tad->tad_aupath) { 1365 mutex_enter(&pad->pad_lock); 1366 if (chdir) 1367 appp = &(pad->pad_cwd); 1368 else 1369 appp = &(pad->pad_root); 1370 au_pathrele(*appp); 1371 /* use tad hold */ 1372 *appp = tad->tad_aupath; 1373 tad->tad_aupath = NULL; 1374 mutex_exit(&pad->pad_lock); 1375 } 1376 } else if ((tad->tad_scid == SYS_fchdir) || 1377 (tad->tad_scid == SYS_fchroot)) { 1378 fchdir = tad->tad_scid == SYS_fchdir; 1379 if ((fp = getf(uap->fd)) == NULL) 1380 return; 1381 fad = F2A(fp); 1382 if (fad->fad_aupath) { 1383 au_pathhold(fad->fad_aupath); 1384 mutex_enter(&pad->pad_lock); 1385 if (fchdir) 1386 appp = &(pad->pad_cwd); 1387 else 1388 appp = &(pad->pad_root); 1389 au_pathrele(*appp); 1390 *appp = fad->fad_aupath; 1391 mutex_exit(&pad->pad_lock); 1392 if (tad->tad_flag) { 1393 au_uwrite(au_to_path(fad->fad_aupath)); 1394 audit_attributes(fp->f_vnode); 1395 } 1396 } 1397 releasef(uap->fd); 1398 } 1399 } 1400 1401 1402 /* 1403 * Audit hook for stream based socket and tli request. 1404 * Note that we do not have user context while executing 1405 * this code so we had to record them earlier during the 1406 * putmsg/getmsg to figure out which user we are dealing with. 1407 */ 1408 1409 /*ARGSUSED*/ 1410 void 1411 audit_sock( 1412 int type, /* type of tihdr.h header requests */ 1413 queue_t *q, /* contains the process and thread audit data */ 1414 mblk_t *mp, /* contains the tihdr.h header structures */ 1415 int from) /* timod or sockmod request */ 1416 { 1417 int32_t len; 1418 int32_t offset; 1419 struct sockaddr_in *sock_data; 1420 struct T_conn_req *conn_req; 1421 struct T_conn_ind *conn_ind; 1422 struct T_unitdata_req *unitdata_req; 1423 struct T_unitdata_ind *unitdata_ind; 1424 au_state_t estate; 1425 t_audit_data_t *tad; 1426 caddr_t saved_thread_ptr; 1427 au_mask_t amask; 1428 const auditinfo_addr_t *ainfo; 1429 au_kcontext_t *kctx; 1430 1431 if (q->q_stream == NULL) 1432 return; 1433 mutex_enter(&q->q_stream->sd_lock); 1434 /* are we being audited */ 1435 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1436 /* no pointer to thread, nothing to do */ 1437 if (saved_thread_ptr == NULL) { 1438 mutex_exit(&q->q_stream->sd_lock); 1439 return; 1440 } 1441 /* only allow one addition of a record token */ 1442 q->q_stream->sd_t_audit_data = NULL; 1443 /* 1444 * thread is not the one being audited, then nothing to do 1445 * This could be the stream thread handling the module 1446 * service routine. In this case, the context for the audit 1447 * record can no longer be assumed. Simplest to just drop 1448 * the operation. 1449 */ 1450 if (curthread != (kthread_id_t)saved_thread_ptr) { 1451 mutex_exit(&q->q_stream->sd_lock); 1452 return; 1453 } 1454 if (curthread->t_sysnum >= SYS_so_socket && 1455 curthread->t_sysnum <= SYS_sockconfig) { 1456 mutex_exit(&q->q_stream->sd_lock); 1457 return; 1458 } 1459 mutex_exit(&q->q_stream->sd_lock); 1460 /* 1461 * we know that the thread that did the put/getmsg is the 1462 * one running. Now we can get the TAD and see if we should 1463 * add an audit token. 1464 */ 1465 tad = U2A(u); 1466 1467 kctx = GET_KCTX_PZ; 1468 1469 /* proceed ONLY if user is being audited */ 1470 if (!tad->tad_flag) 1471 return; 1472 1473 ainfo = crgetauinfo(CRED()); 1474 if (ainfo == NULL) 1475 return; 1476 amask = ainfo->ai_mask; 1477 1478 /* 1479 * Figure out the type of stream networking request here. 1480 * Note that getmsg and putmsg are always preselected 1481 * because during the beginning of the system call we have 1482 * not yet figure out which of the socket or tli request 1483 * we are looking at until we are here. So we need to check 1484 * against that specific request and reset the type of event. 1485 */ 1486 switch (type) { 1487 case T_CONN_REQ: /* connection request */ 1488 conn_req = (struct T_conn_req *)mp->b_rptr; 1489 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1490 return; 1491 offset = conn_req->DEST_offset; 1492 len = conn_req->DEST_length; 1493 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1494 if (amask.as_success & estate || amask.as_failure & estate) { 1495 tad->tad_event = AUE_SOCKCONNECT; 1496 break; 1497 } else { 1498 return; 1499 } 1500 case T_CONN_IND: /* connectionless receive request */ 1501 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1502 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1503 return; 1504 offset = conn_ind->SRC_offset; 1505 len = conn_ind->SRC_length; 1506 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1507 if (amask.as_success & estate || amask.as_failure & estate) { 1508 tad->tad_event = AUE_SOCKACCEPT; 1509 break; 1510 } else { 1511 return; 1512 } 1513 case T_UNITDATA_REQ: /* connectionless send request */ 1514 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1515 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1516 return; 1517 offset = unitdata_req->DEST_offset; 1518 len = unitdata_req->DEST_length; 1519 estate = kctx->auk_ets[AUE_SOCKSEND]; 1520 if (amask.as_success & estate || amask.as_failure & estate) { 1521 tad->tad_event = AUE_SOCKSEND; 1522 break; 1523 } else { 1524 return; 1525 } 1526 case T_UNITDATA_IND: /* connectionless receive request */ 1527 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1528 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1529 return; 1530 offset = unitdata_ind->SRC_offset; 1531 len = unitdata_ind->SRC_length; 1532 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1533 if (amask.as_success & estate || amask.as_failure & estate) { 1534 tad->tad_event = AUE_SOCKRECEIVE; 1535 break; 1536 } else { 1537 return; 1538 } 1539 default: 1540 return; 1541 } 1542 1543 /* 1544 * we are only interested in tcp stream connections, 1545 * not unix domain stuff 1546 */ 1547 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1548 tad->tad_event = AUE_GETMSG; 1549 return; 1550 } 1551 /* skip over TPI header and point to the ip address */ 1552 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1553 1554 switch (sock_data->sin_family) { 1555 case AF_INET: 1556 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1557 break; 1558 default: /* reset to AUE_PUTMSG if not a inet request */ 1559 tad->tad_event = AUE_GETMSG; 1560 break; 1561 } 1562 } 1563 1564 1565 static void 1566 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1567 { 1568 unsigned int sy_flags; 1569 1570 #ifdef _SYSCALL32_IMPL 1571 /* 1572 * Guard against t_lwp being NULL when this function is called 1573 * from a kernel queue instead of from a direct system call. 1574 * In that case, assume the running kernel data model. 1575 */ 1576 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1577 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1578 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1579 else 1580 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1581 #else 1582 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1583 #endif 1584 1585 if (sy_flags == SE_64RVAL) 1586 au_write(ad, au_to_return64(err, rval)); 1587 else 1588 au_write(ad, au_to_return32(err, rval)); 1589 1590 } 1591 1592 /*ARGSUSED*/ 1593 void 1594 audit_fdsend(fd, fp, error) 1595 int fd; 1596 struct file *fp; 1597 int error; /* ignore for now */ 1598 { 1599 t_audit_data_t *tad; /* current thread */ 1600 f_audit_data_t *fad; /* per file audit structure */ 1601 struct vnode *vp; /* for file attributes */ 1602 1603 /* is this system call being audited */ 1604 tad = U2A(u); 1605 ASSERT(tad != (t_audit_data_t *)0); 1606 if (!tad->tad_flag) 1607 return; 1608 1609 fad = F2A(fp); 1610 1611 /* add path and file attributes */ 1612 if (fad != NULL && fad->fad_aupath != NULL) { 1613 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1614 au_uwrite(au_to_path(fad->fad_aupath)); 1615 } else { 1616 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1617 #ifdef _LP64 1618 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1619 #else 1620 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1621 #endif 1622 } 1623 vp = fp->f_vnode; /* include vnode attributes */ 1624 audit_attributes(vp); 1625 } 1626 1627 /* 1628 * Record privileges successfully used and we attempted to use but 1629 * didn't have. 1630 */ 1631 void 1632 audit_priv(int priv, const priv_set_t *set, int flag) 1633 { 1634 t_audit_data_t *tad; 1635 int sbit; 1636 priv_set_t *target; 1637 1638 /* Make sure this isn't being called in an interrupt context */ 1639 ASSERT(servicing_interrupt() == 0); 1640 1641 tad = U2A(u); 1642 1643 if (tad->tad_flag == 0) 1644 return; 1645 1646 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1647 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1648 1649 /* Tell audit_success() and audit_finish() that we saw this case */ 1650 if (!(tad->tad_evmod & sbit)) { 1651 /* Clear set first time around */ 1652 priv_emptyset(target); 1653 tad->tad_evmod |= sbit; 1654 } 1655 1656 /* Save the privileges in the tad */ 1657 if (priv == PRIV_ALL) { 1658 priv_fillset(target); 1659 } else { 1660 ASSERT(set != NULL || priv != PRIV_NONE); 1661 if (set != NULL) 1662 priv_union(set, target); 1663 if (priv != PRIV_NONE) 1664 priv_addset(target, priv); 1665 } 1666 } 1667 1668 /* 1669 * Audit the setpriv() system call; the operation, the set name and 1670 * the current value as well as the set argument are put in the 1671 * audit trail. 1672 */ 1673 void 1674 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1675 { 1676 t_audit_data_t *tad; 1677 const priv_set_t *oldpriv; 1678 priv_set_t report; 1679 const char *setname; 1680 1681 tad = U2A(u); 1682 1683 if (tad->tad_flag == 0) 1684 return; 1685 1686 oldpriv = priv_getset(ocr, set); 1687 1688 /* Generate the actual record, include the before and after */ 1689 au_uwrite(au_to_arg32(2, "op", op)); 1690 setname = priv_getsetbynum(set); 1691 1692 switch (op) { 1693 case PRIV_OFF: 1694 /* Report privileges actually switched off */ 1695 report = *oldpriv; 1696 priv_intersect(newpriv, &report); 1697 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1698 break; 1699 case PRIV_ON: 1700 /* Report privileges actually switched on */ 1701 report = *oldpriv; 1702 priv_inverse(&report); 1703 priv_intersect(newpriv, &report); 1704 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1705 break; 1706 case PRIV_SET: 1707 /* Report before and after */ 1708 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1709 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1710 break; 1711 } 1712 } 1713 1714 /* 1715 * Dump the full device policy setting in the audit trail. 1716 */ 1717 void 1718 audit_devpolicy(int nitems, const devplcysys_t *items) 1719 { 1720 t_audit_data_t *tad; 1721 int i; 1722 1723 tad = U2A(u); 1724 1725 if (tad->tad_flag == 0) 1726 return; 1727 1728 for (i = 0; i < nitems; i++) { 1729 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1730 if (items[i].dps_minornm[0] == '\0') { 1731 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1732 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1733 } else 1734 au_uwrite(au_to_text(items[i].dps_minornm)); 1735 1736 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1737 AUT_PRIV, 0)); 1738 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1739 AUT_PRIV, 0)); 1740 } 1741 } 1742 1743 /*ARGSUSED*/ 1744 void 1745 audit_fdrecv(fd, fp) 1746 int fd; 1747 struct file *fp; 1748 { 1749 t_audit_data_t *tad; /* current thread */ 1750 f_audit_data_t *fad; /* per file audit structure */ 1751 struct vnode *vp; /* for file attributes */ 1752 1753 /* is this system call being audited */ 1754 tad = U2A(u); 1755 ASSERT(tad != (t_audit_data_t *)0); 1756 if (!tad->tad_flag) 1757 return; 1758 1759 fad = F2A(fp); 1760 1761 /* add path and file attributes */ 1762 if (fad != NULL && fad->fad_aupath != NULL) { 1763 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1764 au_uwrite(au_to_path(fad->fad_aupath)); 1765 } else { 1766 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1767 #ifdef _LP64 1768 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1769 #else 1770 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1771 #endif 1772 } 1773 vp = fp->f_vnode; /* include vnode attributes */ 1774 audit_attributes(vp); 1775 } 1776 1777 /* 1778 * ROUTINE: AUDIT_CRYPTOADM 1779 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1780 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1781 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1782 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1783 * CRYPTO_LOAD_DOOR 1784 * NOTE: 1785 * TODO: 1786 * QUESTION: 1787 */ 1788 1789 void 1790 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1791 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1792 { 1793 boolean_t mech_list_required = B_FALSE; 1794 cred_t *cr = CRED(); 1795 t_audit_data_t *tad; 1796 token_t *ad = NULL; 1797 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1798 char buffer[MAXNAMELEN * 2]; 1799 au_kcontext_t *kctx = GET_KCTX_PZ; 1800 1801 tad = U2A(u); 1802 if (tad == NULL) 1803 return; 1804 1805 if (ainfo == NULL) 1806 return; 1807 1808 tad->tad_event = AUE_CRYPTOADM; 1809 1810 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1811 return; 1812 1813 /* Add subject information */ 1814 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1815 1816 switch (cmd) { 1817 case CRYPTO_LOAD_DEV_DISABLED: 1818 if (error == 0 && rv == CRYPTO_SUCCESS) { 1819 (void) snprintf(buffer, sizeof (buffer), 1820 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1821 " dev_instance=%d", 1822 module_name, device_instance); 1823 mech_list_required = B_TRUE; 1824 } else { 1825 (void) snprintf(buffer, sizeof (buffer), 1826 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1827 } 1828 break; 1829 1830 case CRYPTO_LOAD_SOFT_DISABLED: 1831 if (error == 0 && rv == CRYPTO_SUCCESS) { 1832 (void) snprintf(buffer, sizeof (buffer), 1833 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1834 module_name); 1835 mech_list_required = B_TRUE; 1836 } else { 1837 (void) snprintf(buffer, sizeof (buffer), 1838 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1839 } 1840 break; 1841 1842 case CRYPTO_UNLOAD_SOFT_MODULE: 1843 if (error == 0 && rv == CRYPTO_SUCCESS) { 1844 (void) snprintf(buffer, sizeof (buffer), 1845 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1846 module_name); 1847 } else { 1848 (void) snprintf(buffer, sizeof (buffer), 1849 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1850 } 1851 break; 1852 1853 case CRYPTO_LOAD_SOFT_CONFIG: 1854 if (error == 0 && rv == CRYPTO_SUCCESS) { 1855 (void) snprintf(buffer, sizeof (buffer), 1856 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1857 module_name); 1858 mech_list_required = B_TRUE; 1859 } else { 1860 (void) snprintf(buffer, sizeof (buffer), 1861 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1862 } 1863 break; 1864 1865 case CRYPTO_POOL_CREATE: 1866 (void) snprintf(buffer, sizeof (buffer), 1867 "op=CRYPTO_POOL_CREATE"); 1868 break; 1869 1870 case CRYPTO_POOL_WAIT: 1871 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1872 break; 1873 1874 case CRYPTO_POOL_RUN: 1875 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1876 break; 1877 1878 case CRYPTO_LOAD_DOOR: 1879 if (error == 0 && rv == CRYPTO_SUCCESS) 1880 (void) snprintf(buffer, sizeof (buffer), 1881 "op=CRYPTO_LOAD_DOOR"); 1882 else 1883 (void) snprintf(buffer, sizeof (buffer), 1884 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1885 break; 1886 1887 case CRYPTO_FIPS140_SET: 1888 (void) snprintf(buffer, sizeof (buffer), 1889 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1890 break; 1891 1892 default: 1893 return; 1894 } 1895 1896 au_write((caddr_t *)&ad, au_to_text(buffer)); 1897 1898 if (mech_list_required) { 1899 int i; 1900 1901 if (mech_count == 0) { 1902 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1903 } else { 1904 char *pb = buffer; 1905 size_t l = sizeof (buffer); 1906 size_t n; 1907 char space[2] = ":"; 1908 1909 n = snprintf(pb, l, "mech="); 1910 1911 for (i = 0; i < mech_count; i++) { 1912 pb += n; 1913 l -= n; 1914 if (l < 0) 1915 l = 0; 1916 1917 if (i == mech_count - 1) 1918 (void) strcpy(space, ""); 1919 1920 n = snprintf(pb, l, "%s%s", mech_names[i], 1921 space); 1922 } 1923 au_write((caddr_t *)&ad, au_to_text(buffer)); 1924 } 1925 } 1926 1927 /* add a return token */ 1928 if (error || (rv != CRYPTO_SUCCESS)) 1929 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1930 else 1931 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1932 1933 AS_INC(as_generated, 1, kctx); 1934 AS_INC(as_kernel, 1, kctx); 1935 1936 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 1937 NULL); 1938 } 1939 1940 /* 1941 * Audit the kernel SSL administration command. The address and the 1942 * port number for the SSL instance, and the proxy port are put in the 1943 * audit trail. 1944 */ 1945 void 1946 audit_kssl(int cmd, void *params, int error) 1947 { 1948 cred_t *cr = CRED(); 1949 t_audit_data_t *tad; 1950 token_t *ad = NULL; 1951 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1952 au_kcontext_t *kctx = GET_KCTX_PZ; 1953 1954 tad = U2A(u); 1955 1956 if (ainfo == NULL) 1957 return; 1958 1959 tad->tad_event = AUE_CONFIGKSSL; 1960 1961 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1962 return; 1963 1964 /* Add subject information */ 1965 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 1966 1967 switch (cmd) { 1968 case KSSL_ADD_ENTRY: { 1969 char buf[32]; 1970 kssl_params_t *kp = (kssl_params_t *)params; 1971 struct sockaddr_in6 *saddr = &kp->kssl_addr; 1972 1973 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 1974 au_write((caddr_t *)&ad, 1975 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 1976 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 1977 saddr->sin6_port); 1978 au_write((caddr_t *)&ad, au_to_text(buf)); 1979 1980 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 1981 kp->kssl_proxy_port); 1982 au_write((caddr_t *)&ad, au_to_text(buf)); 1983 break; 1984 } 1985 1986 case KSSL_DELETE_ENTRY: { 1987 char buf[32]; 1988 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 1989 1990 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 1991 au_write((caddr_t *)&ad, 1992 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 1993 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 1994 saddr->sin6_port); 1995 au_write((caddr_t *)&ad, au_to_text(buf)); 1996 break; 1997 } 1998 1999 default: 2000 return; 2001 } 2002 2003 /* add a return token */ 2004 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2005 2006 AS_INC(as_generated, 1, kctx); 2007 AS_INC(as_kernel, 1, kctx); 2008 2009 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 2010 NULL); 2011 } 2012 2013 /* 2014 * Audit the kernel PF_POLICY administration commands. Record command, 2015 * zone, policy type (global or tunnel, active or inactive) 2016 */ 2017 /* 2018 * ROUTINE: AUDIT_PF_POLICY 2019 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2020 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2021 * SPD_CLONE, SPD_FLIP 2022 * NOTE: 2023 * TODO: 2024 * QUESTION: 2025 */ 2026 2027 void 2028 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2029 boolean_t active, int error, pid_t pid) 2030 { 2031 const auditinfo_addr_t *ainfo; 2032 t_audit_data_t *tad; 2033 token_t *ad = NULL; 2034 au_kcontext_t *kctx = GET_KCTX_PZ; 2035 char buf[80]; 2036 int flag; 2037 2038 tad = U2A(u); 2039 if (tad == NULL) 2040 return; 2041 2042 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2043 if (ainfo == NULL) 2044 return; 2045 2046 /* 2047 * Initialize some variables since these are only set 2048 * with system calls. 2049 */ 2050 2051 switch (cmd) { 2052 case SPD_ADDRULE: { 2053 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2054 break; 2055 } 2056 2057 case SPD_DELETERULE: { 2058 tad->tad_event = AUE_PF_POLICY_DELRULE; 2059 break; 2060 } 2061 2062 case SPD_FLUSH: { 2063 tad->tad_event = AUE_PF_POLICY_FLUSH; 2064 break; 2065 } 2066 2067 case SPD_UPDATEALGS: { 2068 tad->tad_event = AUE_PF_POLICY_ALGS; 2069 break; 2070 } 2071 2072 case SPD_CLONE: { 2073 tad->tad_event = AUE_PF_POLICY_CLONE; 2074 break; 2075 } 2076 2077 case SPD_FLIP: { 2078 tad->tad_event = AUE_PF_POLICY_FLIP; 2079 break; 2080 } 2081 2082 default: 2083 tad->tad_event = AUE_NULL; 2084 } 2085 2086 tad->tad_evmod = 0; 2087 2088 if (flag = audit_success(kctx, tad, error, cred)) { 2089 zone_t *nszone; 2090 2091 /* 2092 * For now, just audit that an event happened, 2093 * along with the error code. 2094 */ 2095 au_write((caddr_t *)&ad, 2096 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2097 au_write((caddr_t *)&ad, 2098 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2099 2100 /* Supplemental data */ 2101 2102 /* 2103 * Generate this zone token if the target zone differs 2104 * from the administrative zone. If netstacks are expanded 2105 * to something other than a 1-1 relationship with zones, 2106 * the auditing framework should create a new token type 2107 * and audit it as a netstack instead. 2108 * Turn on general zone auditing to get the administrative zone. 2109 */ 2110 2111 nszone = zone_find_by_id(netstackid_to_zoneid( 2112 ns->netstack_stackid)); 2113 if (nszone != NULL) { 2114 if (strncmp(crgetzone(cred)->zone_name, 2115 nszone->zone_name, ZONENAME_MAX) != 0) { 2116 token_t *ztoken; 2117 2118 ztoken = au_to_zonename(0, nszone); 2119 au_write((caddr_t *)&ad, ztoken); 2120 } 2121 zone_rele(nszone); 2122 } 2123 2124 if (tun != NULL) { 2125 /* write tunnel name - tun is bounded */ 2126 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2127 tun); 2128 au_write((caddr_t *)&ad, au_to_text(buf)); 2129 } 2130 2131 /* Add subject information */ 2132 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2133 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2134 2135 /* add a return token */ 2136 add_return_token((caddr_t *)&ad, 0, error, 0); 2137 2138 AS_INC(as_generated, 1, kctx); 2139 AS_INC(as_kernel, 1, kctx); 2140 2141 } 2142 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2143 NULL); 2144 2145 /* 2146 * clear the ctrl flag so that we don't have spurious collection of 2147 * audit information. 2148 */ 2149 tad->tad_scid = 0; 2150 tad->tad_event = 0; 2151 tad->tad_evmod = 0; 2152 tad->tad_ctrl = 0; 2153 } 2154 2155 /* 2156 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2157 * PURPOSE: Add security attributes 2158 * CALLBY: AUDIT_ATTRIBUTES 2159 * AUDIT_CLOSEF 2160 * AUS_CLOSE 2161 * NOTE: 2162 * TODO: 2163 * QUESTION: 2164 */ 2165 2166 void 2167 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2168 { 2169 /* Dump the SL */ 2170 if (is_system_labeled()) { 2171 ts_label_t *tsl; 2172 bslabel_t *bsl; 2173 2174 tsl = getflabel(vp); 2175 if (tsl == NULL) 2176 return; /* nothing else to do */ 2177 2178 bsl = label2bslabel(tsl); 2179 if (bsl == NULL) 2180 return; /* nothing else to do */ 2181 au_write(ad, au_to_label(bsl)); 2182 label_rele(tsl); 2183 } 2184 2185 } /* AUDIT_SEC_ATTRIBUTES */ 2186