1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit hook support code for auditing. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/proc.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/file.h> 34 #include <sys/user.h> 35 #include <sys/stropts.h> 36 #include <sys/systm.h> 37 #include <sys/pathname.h> 38 #include <sys/syscall.h> 39 #include <sys/fcntl.h> 40 #include <sys/ipc_impl.h> 41 #include <sys/msg_impl.h> 42 #include <sys/sem_impl.h> 43 #include <sys/shm_impl.h> 44 #include <sys/kmem.h> /* for KM_SLEEP */ 45 #include <sys/socket.h> 46 #include <sys/cmn_err.h> /* snprintf... */ 47 #include <sys/debug.h> 48 #include <sys/thread.h> 49 #include <netinet/in.h> 50 #include <c2/audit.h> /* needs to be included before user.h */ 51 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 52 #include <c2/audit_kevents.h> 53 #include <c2/audit_record.h> 54 #include <sys/strsubr.h> 55 #include <sys/tihdr.h> 56 #include <sys/tiuser.h> 57 #include <sys/timod.h> 58 #include <sys/model.h> /* for model_t */ 59 #include <sys/disp.h> /* for servicing_interrupt() */ 60 #include <sys/devpolicy.h> 61 #include <sys/crypto/ioctladmin.h> 62 #include <sys/cred_impl.h> 63 #include <inet/kssl/kssl.h> 64 #include <net/pfpolicy.h> 65 66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 67 68 static void audit_pathbuild(struct pathname *pnp); 69 70 71 /* 72 * ROUTINE: AUDIT_SAVEPATH 73 * PURPOSE: 74 * CALLBY: LOOKUPPN 75 * 76 * NOTE: We have reached the end of a path in fs/lookup.c. 77 * We get two pieces of information here: 78 * the vnode of the last component (vp) and 79 * the status of the last access (flag). 80 * TODO: 81 * QUESTION: 82 */ 83 84 /*ARGSUSED*/ 85 int 86 audit_savepath( 87 struct pathname *pnp, /* pathname to lookup */ 88 struct vnode *vp, /* vnode of the last component */ 89 int flag, /* status of the last access */ 90 cred_t *cr) /* cred of requestor */ 91 { 92 93 t_audit_data_t *tad; /* current thread */ 94 au_kcontext_t *kctx = GET_KCTX_PZ; 95 96 tad = U2A(u); 97 98 /* 99 * this event being audited or do we need path information 100 * later? This might be for a chdir/chroot or open (add path 101 * to file pointer. If the path has already been found for an 102 * open/creat then we don't need to process the path. 103 * 104 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 105 * chroot, chdir, open, creat system call processing. It determines 106 * if audit_savepath() will discard the path or we need it later. 107 * PAD_PATHFND means path already included in this audit record. It 108 * is used in cases where multiple path lookups are done per 109 * system call. The policy flag, AUDIT_PATH, controls if multiple 110 * paths are allowed. 111 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 112 * exit processing to inhibit any paths that may be added due to 113 * closes. 114 */ 115 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 116 ((tad->tad_ctrl & PAD_PATHFND) && 117 !(kctx->auk_policy & AUDIT_PATH)) || 118 (tad->tad_ctrl & PAD_NOPATH)) { 119 return (0); 120 } 121 122 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 123 124 audit_pathbuild(pnp); 125 tad->tad_vn = vp; 126 127 /* 128 * are we auditing only if error, or if it is not open or create 129 * otherwise audit_setf will do it 130 */ 131 132 if (tad->tad_flag) { 133 if (flag && 134 (tad->tad_scid == SYS_open || 135 tad->tad_scid == SYS_open64 || 136 tad->tad_scid == SYS_openat || 137 tad->tad_scid == SYS_openat64)) { 138 tad->tad_ctrl |= PAD_TRUE_CREATE; 139 } 140 141 /* add token to audit record for this name */ 142 au_uwrite(au_to_path(tad->tad_aupath)); 143 144 /* add the attributes of the object */ 145 if (vp) { 146 /* 147 * only capture attributes when there is no error 148 * lookup will not return the vnode of the failing 149 * component. 150 * 151 * if there was a lookup error, then don't add 152 * attribute. if lookup in vn_create(), 153 * then don't add attribute, 154 * it will be added at end of vn_create(). 155 */ 156 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 157 audit_attributes(vp); 158 } 159 } 160 161 /* free up space if we're not going to save path (open, creat) */ 162 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 163 if (tad->tad_aupath != NULL) { 164 au_pathrele(tad->tad_aupath); 165 tad->tad_aupath = NULL; 166 tad->tad_vn = NULL; 167 } 168 } 169 if (tad->tad_ctrl & PAD_MLD) 170 tad->tad_ctrl |= PAD_PATHFND; 171 172 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 173 return (0); 174 } 175 176 static void 177 audit_pathbuild(struct pathname *pnp) 178 { 179 char *pp; /* pointer to path */ 180 int len; /* length of incoming segment */ 181 int newsect; /* path requires a new section */ 182 struct audit_path *pfxapp; /* prefix for path */ 183 struct audit_path *newapp; /* new audit_path */ 184 t_audit_data_t *tad; /* current thread */ 185 p_audit_data_t *pad; /* current process */ 186 187 tad = U2A(u); 188 ASSERT(tad != NULL); 189 pad = P2A(curproc); 190 ASSERT(pad != NULL); 191 192 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 193 ASSERT(len > 0); 194 195 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 196 mutex_enter(&pad->pad_lock); 197 if (tad->tad_aupath != NULL) { 198 pfxapp = tad->tad_aupath; 199 } else if ((tad->tad_ctrl & PAD_ATCALL) && pnp->pn_buf[0] != '/') { 200 ASSERT(tad->tad_atpath != NULL); 201 pfxapp = tad->tad_atpath; 202 } else if (tad->tad_ctrl & PAD_ABSPATH) { 203 pfxapp = pad->pad_root; 204 } else { 205 pfxapp = pad->pad_cwd; 206 } 207 au_pathhold(pfxapp); 208 mutex_exit(&pad->pad_lock); 209 210 /* get an expanded buffer to hold the anchored path */ 211 newsect = tad->tad_ctrl & PAD_ATTPATH; 212 newapp = au_pathdup(pfxapp, newsect, len); 213 au_pathrele(pfxapp); 214 215 pp = newapp->audp_sect[newapp->audp_cnt] - len; 216 if (!newsect) { 217 /* overlay previous NUL terminator */ 218 *(pp - 1) = '/'; 219 } 220 221 /* now add string of processed path */ 222 bcopy(pnp->pn_buf, pp, len); 223 pp[len - 1] = '\0'; 224 225 /* perform path simplification as necessary */ 226 audit_fixpath(newapp, len); 227 228 if (tad->tad_aupath) 229 au_pathrele(tad->tad_aupath); 230 tad->tad_aupath = newapp; 231 232 /* for case where multiple lookups in one syscall (rename) */ 233 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATTPATH); 234 } 235 236 237 238 /*ARGSUSED*/ 239 240 /* 241 * ROUTINE: AUDIT_ADDCOMPONENT 242 * PURPOSE: extend the path by the component accepted 243 * CALLBY: LOOKUPPN 244 * NOTE: This function is called only when there is an error in 245 * parsing a path component 246 * TODO: Add the error component to audit record 247 * QUESTION: what is this for 248 */ 249 250 void 251 audit_addcomponent(struct pathname *pnp) 252 { 253 au_kcontext_t *kctx = GET_KCTX_PZ; 254 t_audit_data_t *tad; 255 256 tad = U2A(u); 257 /* 258 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 259 * chroot, chdir, open, creat system call processing. It determines 260 * if audit_savepath() will discard the path or we need it later. 261 * PAD_PATHFND means path already included in this audit record. It 262 * is used in cases where multiple path lookups are done per 263 * system call. The policy flag, AUDIT_PATH, controls if multiple 264 * paths are allowed. 265 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 266 * exit processing to inhibit any paths that may be added due to 267 * closes. 268 */ 269 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 270 ((tad->tad_ctrl & PAD_PATHFND) && 271 !(kctx->auk_policy & AUDIT_PATH)) || 272 (tad->tad_ctrl & PAD_NOPATH)) { 273 return; 274 } 275 276 return; 277 278 } /* AUDIT_ADDCOMPONENT */ 279 280 281 /* 282 * ROUTINE: AUDIT_ANCHORPATH 283 * PURPOSE: 284 * CALLBY: LOOKUPPN 285 * NOTE: 286 * anchor path at "/". We have seen a symbolic link or entering for the 287 * first time we will throw away any saved path if path is anchored. 288 * 289 * flag = 0, path is relative. 290 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 291 * 292 * If the (new) path is absolute, then we have to throw away whatever we have 293 * already accumulated since it is being superseded by new path which is 294 * anchored at the root. 295 * Note that if the path is relative, this function does nothing 296 * TODO: 297 * QUESTION: 298 */ 299 /*ARGSUSED*/ 300 void 301 audit_anchorpath(struct pathname *pnp, int flag) 302 { 303 au_kcontext_t *kctx = GET_KCTX_PZ; 304 t_audit_data_t *tad; 305 306 tad = U2A(u); 307 308 /* 309 * this event being audited or do we need path information 310 * later? This might be for a chdir/chroot or open (add path 311 * to file pointer. If the path has already been found for an 312 * open/creat then we don't need to process the path. 313 * 314 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 315 * chroot, chdir, open, creat system call processing. It determines 316 * if audit_savepath() will discard the path or we need it later. 317 * PAD_PATHFND means path already included in this audit record. It 318 * is used in cases where multiple path lookups are done per 319 * system call. The policy flag, AUDIT_PATH, controls if multiple 320 * paths are allowed. 321 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 322 * exit processing to inhibit any paths that may be added due to 323 * closes. 324 */ 325 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 326 ((tad->tad_ctrl & PAD_PATHFND) && 327 !(kctx->auk_policy & AUDIT_PATH)) || 328 (tad->tad_ctrl & PAD_NOPATH)) { 329 return; 330 } 331 332 if (flag) { 333 tad->tad_ctrl |= PAD_ABSPATH; 334 if (tad->tad_aupath != NULL) { 335 au_pathrele(tad->tad_aupath); 336 tad->tad_aupath = NULL; 337 tad->tad_vn = NULL; 338 } 339 } 340 } 341 342 343 /* 344 * symbolic link. Save previous components. 345 * 346 * the path seen so far looks like this 347 * 348 * +-----------------------+----------------+ 349 * | path processed so far | remaining path | 350 * +-----------------------+----------------+ 351 * \-----------------------/ 352 * save this string if 353 * symbolic link relative 354 * (but don't include symlink component) 355 */ 356 357 /*ARGSUSED*/ 358 359 360 /* 361 * ROUTINE: AUDIT_SYMLINK 362 * PURPOSE: 363 * CALLBY: LOOKUPPN 364 * NOTE: 365 * TODO: 366 * QUESTION: 367 */ 368 void 369 audit_symlink(struct pathname *pnp, struct pathname *sympath) 370 { 371 char *sp; /* saved initial pp */ 372 char *cp; /* start of symlink path */ 373 uint_t len_path; /* processed path before symlink */ 374 t_audit_data_t *tad; 375 au_kcontext_t *kctx = GET_KCTX_PZ; 376 377 tad = U2A(u); 378 379 /* 380 * this event being audited or do we need path information 381 * later? This might be for a chdir/chroot or open (add path 382 * to file pointer. If the path has already been found for an 383 * open/creat then we don't need to process the path. 384 * 385 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 386 * chroot, chdir, open, creat system call processing. It determines 387 * if audit_savepath() will discard the path or we need it later. 388 * PAD_PATHFND means path already included in this audit record. It 389 * is used in cases where multiple path lookups are done per 390 * system call. The policy flag, AUDIT_PATH, controls if multiple 391 * paths are allowed. 392 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 393 * exit processing to inhibit any paths that may be added due to 394 * closes. 395 */ 396 if ((tad->tad_flag == 0 && 397 !(tad->tad_ctrl & PAD_SAVPATH)) || 398 ((tad->tad_ctrl & PAD_PATHFND) && 399 !(kctx->auk_policy & AUDIT_PATH)) || 400 (tad->tad_ctrl & PAD_NOPATH)) { 401 return; 402 } 403 404 /* 405 * if symbolic link is anchored at / then do nothing. 406 * When we cycle back to begin: in lookuppn() we will 407 * call audit_anchorpath() with a flag indicating if the 408 * path is anchored at / or is relative. We will release 409 * any saved path at that point. 410 * 411 * Note In the event that an error occurs in pn_combine then 412 * we want to remain pointing at the component that caused the 413 * path to overflow the pnp structure. 414 */ 415 if (sympath->pn_buf[0] == '/') 416 return; 417 418 /* backup over last component */ 419 sp = cp = pnp->pn_path; 420 while (*--cp != '/' && cp > pnp->pn_buf) 421 ; 422 423 len_path = cp - pnp->pn_buf; 424 425 /* is there anything to save? */ 426 if (len_path) { 427 pnp->pn_path = pnp->pn_buf; 428 audit_pathbuild(pnp); 429 pnp->pn_path = sp; 430 } 431 } 432 433 /* 434 * file_is_public : determine whether events for the file (corresponding to 435 * the specified file attr) should be audited or ignored. 436 * 437 * returns: 1 - if audit policy and file attributes indicate that 438 * file is effectively public. read events for 439 * the file should not be audited. 440 * 0 - otherwise 441 * 442 * The required attributes to be considered a public object are: 443 * - owned by root, AND 444 * - world-readable (permissions for other include read), AND 445 * - NOT world-writeable (permissions for other don't 446 * include write) 447 * (mode doesn't need to be checked for symlinks) 448 */ 449 int 450 file_is_public(struct vattr *attr) 451 { 452 au_kcontext_t *kctx = GET_KCTX_PZ; 453 454 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 455 ((attr->va_type == VLNK) || 456 ((attr->va_mode & (VREAD>>6)) != 0) && 457 ((attr->va_mode & (VWRITE>>6)) == 0))) { 458 return (1); 459 } 460 return (0); 461 } 462 463 464 /* 465 * ROUTINE: AUDIT_ATTRIBUTES 466 * PURPOSE: Audit the attributes so we can tell why the error occurred 467 * CALLBY: AUDIT_SAVEPATH 468 * AUDIT_VNCREATE_FINISH 469 * AUS_FCHOWN...audit_event.c...audit_path.c 470 * NOTE: 471 * TODO: 472 * QUESTION: 473 */ 474 void 475 audit_attributes(struct vnode *vp) 476 { 477 struct vattr attr; 478 struct t_audit_data *tad; 479 480 tad = U2A(u); 481 482 if (vp) { 483 attr.va_mask = AT_ALL; 484 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 485 return; 486 487 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 488 /* 489 * This is a public object and a "public" event 490 * (i.e., read only) -- either by definition 491 * (e.g., stat, access...) or by virtue of write access 492 * not being requested (e.g. mmap). 493 * Flag it in the tad to prevent this audit at the end. 494 */ 495 tad->tad_ctrl |= PAD_NOAUDIT; 496 } else { 497 au_uwrite(au_to_attr(&attr)); 498 audit_sec_attributes(&(u_ad), vp); 499 } 500 } 501 } 502 503 504 /* 505 * ROUTINE: AUDIT_EXIT 506 * PURPOSE: 507 * CALLBY: EXIT 508 * NOTE: 509 * TODO: 510 * QUESTION: why cmw code as offset by 2 but not here 511 */ 512 /* ARGSUSED */ 513 void 514 audit_exit(int code, int what) 515 { 516 struct t_audit_data *tad; 517 tad = U2A(u); 518 519 /* 520 * tad_scid will be set by audit_start even if we are not auditing 521 * the event. 522 */ 523 if (tad->tad_scid == SYS_exit) { 524 /* 525 * if we are auditing the exit system call, then complete 526 * audit record generation (no return from system call). 527 */ 528 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 529 audit_finish(0, SYS_exit, 0, 0); 530 return; 531 } 532 533 /* 534 * Anyone auditing the system call that was aborted? 535 */ 536 if (tad->tad_flag) { 537 au_uwrite(au_to_text("event aborted")); 538 audit_finish(0, tad->tad_scid, 0, 0); 539 } 540 541 /* 542 * Generate an audit record for process exit if preselected. 543 */ 544 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 545 audit_finish(0, SYS_exit, 0, 0); 546 } 547 548 /* 549 * ROUTINE: AUDIT_CORE_START 550 * PURPOSE: 551 * CALLBY: PSIG 552 * NOTE: 553 * TODO: 554 */ 555 void 556 audit_core_start(int sig) 557 { 558 au_event_t event; 559 au_state_t estate; 560 t_audit_data_t *tad; 561 au_kcontext_t *kctx; 562 563 tad = U2A(u); 564 565 ASSERT(tad != (t_audit_data_t *)0); 566 567 ASSERT(tad->tad_scid == 0); 568 ASSERT(tad->tad_event == 0); 569 ASSERT(tad->tad_evmod == 0); 570 ASSERT(tad->tad_ctrl == 0); 571 ASSERT(tad->tad_flag == 0); 572 ASSERT(tad->tad_aupath == NULL); 573 574 kctx = GET_KCTX_PZ; 575 576 /* get basic event for system call */ 577 event = AUE_CORE; 578 estate = kctx->auk_ets[event]; 579 580 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 581 return; 582 583 /* reset the flags for non-user attributable events */ 584 tad->tad_ctrl = PAD_CORE; 585 tad->tad_scid = 0; 586 587 /* if auditing not enabled, then don't generate an audit record */ 588 589 if (!((kctx->auk_auditstate == AUC_AUDITING || 590 kctx->auk_auditstate == AUC_INIT_AUDIT) || 591 kctx->auk_auditstate == AUC_NOSPACE)) { 592 tad->tad_flag = 0; 593 tad->tad_ctrl = 0; 594 return; 595 } 596 597 tad->tad_event = event; 598 tad->tad_evmod = 0; 599 600 ASSERT(tad->tad_ad == NULL); 601 602 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 603 } 604 605 /* 606 * ROUTINE: AUDIT_CORE_FINISH 607 * PURPOSE: 608 * CALLBY: PSIG 609 * NOTE: 610 * TODO: 611 * QUESTION: 612 */ 613 614 /*ARGSUSED*/ 615 void 616 audit_core_finish(int code) 617 { 618 int flag; 619 t_audit_data_t *tad; 620 au_kcontext_t *kctx; 621 622 tad = U2A(u); 623 624 ASSERT(tad != (t_audit_data_t *)0); 625 626 if ((flag = tad->tad_flag) == 0) { 627 tad->tad_event = 0; 628 tad->tad_evmod = 0; 629 tad->tad_ctrl = 0; 630 ASSERT(tad->tad_aupath == NULL); 631 return; 632 } 633 tad->tad_flag = 0; 634 635 kctx = GET_KCTX_PZ; 636 637 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 638 if (flag = audit_success(kctx, tad, 0, NULL)) { 639 cred_t *cr = CRED(); 640 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 641 642 ASSERT(ainfo != NULL); 643 644 /* 645 * Add subject information (no locks since our private copy of 646 * credential 647 */ 648 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 649 650 /* Add a return token (should use f argument) */ 651 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 652 653 AS_INC(as_generated, 1, kctx); 654 AS_INC(as_kernel, 1, kctx); 655 } 656 657 /* Close up everything */ 658 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 659 660 /* free up any space remaining with the path's */ 661 if (tad->tad_aupath != NULL) { 662 au_pathrele(tad->tad_aupath); 663 tad->tad_aupath = NULL; 664 tad->tad_vn = NULL; 665 } 666 tad->tad_event = 0; 667 tad->tad_evmod = 0; 668 tad->tad_ctrl = 0; 669 } 670 671 /*ARGSUSED*/ 672 void 673 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 674 { 675 } 676 677 /*ARGSUSED*/ 678 void 679 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 680 { 681 } 682 683 /*ARGSUSED*/ 684 void 685 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 686 int copyflag, cred_t *crp, int *rvalp) 687 { 688 } 689 690 691 /*ARGSUSED*/ 692 void 693 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 694 unsigned char *pri, int *flag, int fmode) 695 { 696 struct stdata *stp; 697 t_audit_data_t *tad = U2A(u); 698 699 ASSERT(tad != (t_audit_data_t *)0); 700 701 stp = vp->v_stream; 702 703 /* lock stdata from audit_sock */ 704 mutex_enter(&stp->sd_lock); 705 706 /* proceed ONLY if user is being audited */ 707 if (!tad->tad_flag) { 708 /* 709 * this is so we will not add audit data onto 710 * a thread that is not being audited. 711 */ 712 stp->sd_t_audit_data = NULL; 713 mutex_exit(&stp->sd_lock); 714 return; 715 } 716 717 stp->sd_t_audit_data = (caddr_t)curthread; 718 mutex_exit(&stp->sd_lock); 719 } 720 721 /*ARGSUSED*/ 722 void 723 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 724 unsigned char pri, int flag, int fmode) 725 { 726 struct stdata *stp; 727 t_audit_data_t *tad = U2A(u); 728 729 ASSERT(tad != (t_audit_data_t *)0); 730 731 stp = vp->v_stream; 732 733 /* lock stdata from audit_sock */ 734 mutex_enter(&stp->sd_lock); 735 736 /* proceed ONLY if user is being audited */ 737 if (!tad->tad_flag) { 738 /* 739 * this is so we will not add audit data onto 740 * a thread that is not being audited. 741 */ 742 stp->sd_t_audit_data = NULL; 743 mutex_exit(&stp->sd_lock); 744 return; 745 } 746 747 stp->sd_t_audit_data = (caddr_t)curthread; 748 mutex_exit(&stp->sd_lock); 749 } 750 751 /* 752 * ROUTINE: AUDIT_CLOSEF 753 * PURPOSE: 754 * CALLBY: CLOSEF 755 * NOTE: 756 * release per file audit resources when file structure is being released. 757 * 758 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 759 * on the audit queue if it becomes full. This means 760 * audit_closef can not be called when f_count == 0. Since 761 * f_count == 0 indicates the file structure is free, another 762 * process could attempt to use the file while we were still 763 * asleep waiting on the audit queue. This would cause the 764 * per file audit data to be corrupted when we finally do 765 * wakeup. 766 * TODO: 767 * QUESTION: 768 */ 769 770 void 771 audit_closef(struct file *fp) 772 { /* AUDIT_CLOSEF */ 773 f_audit_data_t *fad; 774 t_audit_data_t *tad; 775 int success; 776 au_state_t estate; 777 struct vnode *vp; 778 token_t *ad = NULL; 779 struct vattr attr; 780 au_emod_t evmod = 0; 781 const auditinfo_addr_t *ainfo; 782 int getattr_ret; 783 cred_t *cr; 784 au_kcontext_t *kctx = GET_KCTX_PZ; 785 uint32_t auditing; 786 787 fad = F2A(fp); 788 estate = kctx->auk_ets[AUE_CLOSE]; 789 tad = U2A(u); 790 cr = CRED(); 791 792 /* audit record already generated by system call envelope */ 793 if (tad->tad_event == AUE_CLOSE) { 794 /* so close audit event will have bits set */ 795 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 796 return; 797 } 798 799 /* if auditing not enabled, then don't generate an audit record */ 800 auditing = (tad->tad_audit == AUC_UNSET) ? 801 kctx->auk_auditstate : tad->tad_audit; 802 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 803 return; 804 805 ainfo = crgetauinfo(cr); 806 if (ainfo == NULL) 807 return; 808 809 success = ainfo->ai_mask.as_success & estate; 810 811 /* not selected for this event */ 812 if (success == 0) 813 return; 814 815 /* 816 * can't use audit_attributes here since we use a private audit area 817 * to build the audit record instead of the one off the thread. 818 */ 819 if ((vp = fp->f_vnode) != NULL) { 820 attr.va_mask = AT_ALL; 821 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 822 } 823 824 /* 825 * When write was not used and the file can be considered public, 826 * then skip the audit. 827 */ 828 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 829 if (file_is_public(&attr)) { 830 return; 831 } 832 } 833 834 evmod = (au_emod_t)fad->fad_flags; 835 if (fad->fad_aupath != NULL) { 836 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 837 } else { 838 #ifdef _LP64 839 au_write((caddr_t *)&(ad), au_to_arg64( 840 1, "no path: fp", (uint64_t)fp)); 841 #else 842 au_write((caddr_t *)&(ad), au_to_arg32( 843 1, "no path: fp", (uint32_t)fp)); 844 #endif 845 } 846 847 if (getattr_ret == 0) { 848 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 849 audit_sec_attributes((caddr_t *)&(ad), vp); 850 } 851 852 /* Add subject information */ 853 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 854 855 /* add a return token */ 856 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 857 858 AS_INC(as_generated, 1, kctx); 859 AS_INC(as_kernel, 1, kctx); 860 861 /* 862 * Close up everything 863 * Note: path space recovery handled by normal system 864 * call envelope if not at last close. 865 * Note there is no failure at this point since 866 * this represents closes due to exit of process, 867 * thus we always indicate successful closes. 868 */ 869 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 870 AUE_CLOSE, evmod, NULL); 871 } 872 873 /* 874 * ROUTINE: AUDIT_SET 875 * PURPOSE: Audit the file path and file attributes. 876 * CALLBY: SETF 877 * NOTE: SETF associate a file pointer with user area's open files. 878 * TODO: 879 * call audit_finish directly ??? 880 * QUESTION: 881 */ 882 883 /*ARGSUSED*/ 884 void 885 audit_setf(file_t *fp, int fd) 886 { 887 f_audit_data_t *fad; 888 t_audit_data_t *tad; 889 890 if (fp == NULL) 891 return; 892 893 tad = T2A(curthread); 894 fad = F2A(fp); 895 896 if (!(tad->tad_scid == SYS_open || 897 tad->tad_scid == SYS_open64 || 898 tad->tad_scid == SYS_openat || 899 tad->tad_scid == SYS_openat64)) 900 return; 901 902 /* no path */ 903 if (tad->tad_aupath == 0) 904 return; 905 906 /* 907 * assign path information associated with file audit data 908 * use tad hold 909 */ 910 fad->fad_aupath = tad->tad_aupath; 911 tad->tad_aupath = NULL; 912 tad->tad_vn = NULL; 913 914 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 915 /* adjust event type by dropping the 'creat' part */ 916 switch (tad->tad_event) { 917 case AUE_OPEN_RC: 918 tad->tad_event = AUE_OPEN_R; 919 tad->tad_ctrl |= PAD_PUBLIC_EV; 920 break; 921 case AUE_OPEN_RTC: 922 tad->tad_event = AUE_OPEN_RT; 923 break; 924 case AUE_OPEN_WC: 925 tad->tad_event = AUE_OPEN_W; 926 break; 927 case AUE_OPEN_WTC: 928 tad->tad_event = AUE_OPEN_WT; 929 break; 930 case AUE_OPEN_RWC: 931 tad->tad_event = AUE_OPEN_RW; 932 break; 933 case AUE_OPEN_RWTC: 934 tad->tad_event = AUE_OPEN_RWT; 935 break; 936 default: 937 break; 938 } 939 } 940 } 941 942 943 /* 944 * ROUTINE: AUDIT_COPEN 945 * PURPOSE: 946 * CALLBY: COPEN 947 * NOTE: 948 * TODO: 949 * QUESTION: 950 */ 951 /*ARGSUSED*/ 952 void 953 audit_copen(int fd, file_t *fp, vnode_t *vp) 954 { 955 } 956 957 void 958 audit_ipc(int type, int id, void *vp) 959 { 960 /* if not auditing this event, then do nothing */ 961 if (ad_flag == 0) 962 return; 963 964 switch (type) { 965 case AT_IPC_MSG: 966 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 967 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 968 break; 969 case AT_IPC_SEM: 970 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 971 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 972 break; 973 case AT_IPC_SHM: 974 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 975 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 976 break; 977 } 978 } 979 980 void 981 audit_ipcget(int type, void *vp) 982 { 983 /* if not auditing this event, then do nothing */ 984 if (ad_flag == 0) 985 return; 986 987 switch (type) { 988 case NULL: 989 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 990 break; 991 case AT_IPC_MSG: 992 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 993 break; 994 case AT_IPC_SEM: 995 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 996 break; 997 case AT_IPC_SHM: 998 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 999 break; 1000 } 1001 } 1002 1003 /* 1004 * ROUTINE: AUDIT_REBOOT 1005 * PURPOSE: 1006 * CALLBY: 1007 * NOTE: 1008 * At this point we know that the system call reboot will not return. We thus 1009 * have to complete the audit record generation and put it onto the queue. 1010 * This might be fairly useless if the auditing daemon is already dead.... 1011 * TODO: 1012 * QUESTION: who calls audit_reboot 1013 */ 1014 1015 void 1016 audit_reboot(void) 1017 { 1018 int flag; 1019 t_audit_data_t *tad; 1020 au_kcontext_t *kctx = GET_KCTX_PZ; 1021 1022 tad = U2A(u); 1023 1024 /* if not auditing this event, then do nothing */ 1025 if (tad->tad_flag == 0) 1026 return; 1027 1028 /* do preselection on success/failure */ 1029 if (flag = audit_success(kctx, tad, 0, NULL)) { 1030 /* add a process token */ 1031 1032 cred_t *cr = CRED(); 1033 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1034 1035 if (ainfo == NULL) 1036 return; 1037 1038 /* Add subject information */ 1039 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1040 1041 /* add a return token */ 1042 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1043 1044 AS_INC(as_generated, 1, kctx); 1045 AS_INC(as_kernel, 1, kctx); 1046 } 1047 1048 /* 1049 * Flow control useless here since we're going 1050 * to drop everything in the queue anyway. Why 1051 * block and wait. There aint anyone left alive to 1052 * read the records remaining anyway. 1053 */ 1054 1055 /* Close up everything */ 1056 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1057 tad->tad_event, tad->tad_evmod, NULL); 1058 } 1059 1060 void 1061 audit_setfsat_path(int argnum) 1062 { 1063 klwp_id_t clwp = ttolwp(curthread); 1064 struct file *fp; 1065 uint32_t fd; 1066 t_audit_data_t *tad; 1067 struct f_audit_data *fad; 1068 p_audit_data_t *pad; /* current process */ 1069 struct a { 1070 long arg1; 1071 long arg2; 1072 long arg3; 1073 long arg4; 1074 long arg5; 1075 } *uap; 1076 1077 if (clwp == NULL) 1078 return; 1079 uap = (struct a *)clwp->lwp_ap; 1080 1081 tad = U2A(u); 1082 ASSERT(tad != NULL); 1083 1084 switch (tad->tad_scid) { 1085 case SYS_faccessat: 1086 case SYS_fchownat: 1087 case SYS_fstatat: 1088 case SYS_fstatat64: 1089 case SYS_openat: 1090 case SYS_openat64: 1091 case SYS_unlinkat: 1092 fd = uap->arg1; 1093 break; 1094 case SYS_renameat: 1095 if (argnum == 3) 1096 fd = uap->arg3; 1097 else 1098 fd = uap->arg1; 1099 break; 1100 case SYS_utimesys: 1101 fd = uap->arg2; 1102 break; 1103 default: 1104 return; 1105 } 1106 1107 if (tad->tad_atpath != NULL) { 1108 au_pathrele(tad->tad_atpath); 1109 tad->tad_atpath = NULL; 1110 } 1111 if (fd != AT_FDCWD) { 1112 if ((fp = getf(fd)) == NULL) { 1113 tad->tad_ctrl |= PAD_NOPATH; 1114 return; 1115 } 1116 fad = F2A(fp); 1117 ASSERT(fad); 1118 if (fad->fad_aupath == NULL) { 1119 tad->tad_ctrl |= PAD_NOPATH; 1120 releasef(fd); 1121 return; 1122 } 1123 au_pathhold(fad->fad_aupath); 1124 tad->tad_atpath = fad->fad_aupath; 1125 releasef(fd); 1126 } else { 1127 pad = P2A(curproc); 1128 mutex_enter(&pad->pad_lock); 1129 au_pathhold(pad->pad_cwd); 1130 tad->tad_atpath = pad->pad_cwd; 1131 mutex_exit(&pad->pad_lock); 1132 } 1133 } 1134 1135 void 1136 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1137 { 1138 t_audit_data_t *tad; 1139 vnode_t *vp; 1140 1141 tad = U2A(u); 1142 1143 /* if not auditing this event, then do nothing */ 1144 if (tad->tad_flag == 0) 1145 return; 1146 1147 au_uwrite(au_to_text(target)); 1148 1149 if (error) 1150 return; 1151 1152 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1153 NULL, NULL, NULL); 1154 if (error == 0) { 1155 audit_attributes(vp); 1156 VN_RELE(vp); 1157 } 1158 } 1159 1160 /* 1161 * ROUTINE: AUDIT_VNCREATE_START 1162 * PURPOSE: set flag so path name lookup in create will not add attribute 1163 * CALLBY: VN_CREATE 1164 * NOTE: 1165 * TODO: 1166 * QUESTION: 1167 */ 1168 1169 void 1170 audit_vncreate_start() 1171 { 1172 t_audit_data_t *tad; 1173 1174 tad = U2A(u); 1175 tad->tad_ctrl |= PAD_NOATTRB; 1176 } 1177 1178 /* 1179 * ROUTINE: AUDIT_VNCREATE_FINISH 1180 * PURPOSE: 1181 * CALLBY: VN_CREATE 1182 * NOTE: 1183 * TODO: 1184 * QUESTION: 1185 */ 1186 void 1187 audit_vncreate_finish(struct vnode *vp, int error) 1188 { 1189 t_audit_data_t *tad; 1190 1191 if (error) 1192 return; 1193 1194 tad = U2A(u); 1195 1196 /* if not auditing this event, then do nothing */ 1197 if (tad->tad_flag == 0) 1198 return; 1199 1200 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1201 audit_attributes(vp); 1202 } 1203 1204 if (tad->tad_ctrl & PAD_CORE) { 1205 audit_attributes(vp); 1206 tad->tad_ctrl &= ~PAD_CORE; 1207 } 1208 1209 if (!error && ((tad->tad_event == AUE_MKNOD) || 1210 (tad->tad_event == AUE_MKDIR))) { 1211 audit_attributes(vp); 1212 } 1213 1214 /* for case where multiple lookups in one syscall (rename) */ 1215 tad->tad_ctrl &= ~PAD_NOATTRB; 1216 } 1217 1218 1219 1220 1221 1222 1223 1224 1225 /* 1226 * ROUTINE: AUDIT_EXEC 1227 * PURPOSE: Records the function arguments and environment variables 1228 * CALLBY: EXEC_ARGS 1229 * NOTE: 1230 * TODO: 1231 * QUESTION: 1232 */ 1233 1234 void 1235 audit_exec( 1236 const char *argstr, /* argument strings */ 1237 const char *envstr, /* environment strings */ 1238 ssize_t argc, /* total # arguments */ 1239 ssize_t envc, /* total # environment variables */ 1240 cred_t *pfcred) /* the additional privileges in a profile */ 1241 { 1242 t_audit_data_t *tad; 1243 au_kcontext_t *kctx = GET_KCTX_PZ; 1244 1245 tad = U2A(u); 1246 1247 /* if not auditing this event, then do nothing */ 1248 if (!tad->tad_flag) 1249 return; 1250 1251 if (pfcred != NULL) { 1252 p_audit_data_t *pad; 1253 cred_t *cr = CRED(); 1254 priv_set_t pset = CR_IPRIV(cr); 1255 1256 pad = P2A(curproc); 1257 1258 /* It's a different event. */ 1259 tad->tad_event = AUE_PFEXEC; 1260 1261 /* Add the current working directory to the audit trail. */ 1262 if (pad->pad_cwd != NULL) 1263 au_uwrite(au_to_path(pad->pad_cwd)); 1264 1265 /* 1266 * The new credential is not yet in place when audit_exec 1267 * is called. 1268 * Compute the additional bits available in the new credential 1269 * and the limit set. 1270 */ 1271 priv_inverse(&pset); 1272 priv_intersect(&CR_IPRIV(pfcred), &pset); 1273 if (!priv_isemptyset(&pset) || 1274 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1275 au_uwrite(au_to_privset( 1276 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1277 0)); 1278 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1279 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1280 } 1281 /* 1282 * Compare the uids & gids: create a process token if changed. 1283 */ 1284 if (crgetuid(cr) != crgetuid(pfcred) || 1285 crgetruid(cr) != crgetruid(pfcred) || 1286 crgetgid(cr) != crgetgid(pfcred) || 1287 crgetrgid(cr) != crgetrgid(pfcred)) { 1288 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1289 } 1290 } 1291 1292 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1293 au_uwrite(au_to_exec_args(argstr, argc)); 1294 1295 if (kctx->auk_policy & AUDIT_ARGE) 1296 au_uwrite(au_to_exec_env(envstr, envc)); 1297 } 1298 1299 /* 1300 * ROUTINE: AUDIT_ENTERPROM 1301 * PURPOSE: 1302 * CALLBY: KBDINPUT 1303 * ZSA_XSINT 1304 * NOTE: 1305 * TODO: 1306 * QUESTION: 1307 */ 1308 void 1309 audit_enterprom(int flg) 1310 { 1311 token_t *rp = NULL; 1312 int sorf; 1313 1314 if (flg) 1315 sorf = AUM_SUCC; 1316 else 1317 sorf = AUM_FAIL; 1318 1319 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1320 1321 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1322 1323 if (flg) 1324 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1325 else 1326 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1327 1328 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1329 } 1330 1331 1332 /* 1333 * ROUTINE: AUDIT_EXITPROM 1334 * PURPOSE: 1335 * CALLBY: KBDINPUT 1336 * ZSA_XSINT 1337 * NOTE: 1338 * TODO: 1339 * QUESTION: 1340 */ 1341 void 1342 audit_exitprom(int flg) 1343 { 1344 int sorf; 1345 token_t *rp = NULL; 1346 1347 if (flg) 1348 sorf = AUM_SUCC; 1349 else 1350 sorf = AUM_FAIL; 1351 1352 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1353 1354 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1355 1356 if (flg) 1357 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1358 else 1359 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1360 1361 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1362 } 1363 1364 struct fcntla { 1365 int fdes; 1366 int cmd; 1367 intptr_t arg; 1368 }; 1369 1370 /* 1371 * ROUTINE: AUDIT_C2_REVOKE 1372 * PURPOSE: 1373 * CALLBY: FCNTL 1374 * NOTE: 1375 * TODO: 1376 * QUESTION: are we keeping this func 1377 */ 1378 1379 /*ARGSUSED*/ 1380 int 1381 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1382 { 1383 return (0); 1384 } 1385 1386 1387 /* 1388 * ROUTINE: AUDIT_CHDIREC 1389 * PURPOSE: 1390 * CALLBY: CHDIREC 1391 * NOTE: The main function of CHDIREC 1392 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1393 * QUESTION: 1394 */ 1395 1396 /*ARGSUSED*/ 1397 void 1398 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1399 { 1400 int chdir; 1401 int fchdir; 1402 struct audit_path **appp; 1403 struct file *fp; 1404 f_audit_data_t *fad; 1405 p_audit_data_t *pad = P2A(curproc); 1406 t_audit_data_t *tad = T2A(curthread); 1407 1408 struct a { 1409 long fd; 1410 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1411 1412 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1413 chdir = tad->tad_scid == SYS_chdir; 1414 if (tad->tad_aupath) { 1415 mutex_enter(&pad->pad_lock); 1416 if (chdir) 1417 appp = &(pad->pad_cwd); 1418 else 1419 appp = &(pad->pad_root); 1420 au_pathrele(*appp); 1421 /* use tad hold */ 1422 *appp = tad->tad_aupath; 1423 tad->tad_aupath = NULL; 1424 mutex_exit(&pad->pad_lock); 1425 } 1426 } else if ((tad->tad_scid == SYS_fchdir) || 1427 (tad->tad_scid == SYS_fchroot)) { 1428 fchdir = tad->tad_scid == SYS_fchdir; 1429 if ((fp = getf(uap->fd)) == NULL) 1430 return; 1431 fad = F2A(fp); 1432 if (fad->fad_aupath) { 1433 au_pathhold(fad->fad_aupath); 1434 mutex_enter(&pad->pad_lock); 1435 if (fchdir) 1436 appp = &(pad->pad_cwd); 1437 else 1438 appp = &(pad->pad_root); 1439 au_pathrele(*appp); 1440 *appp = fad->fad_aupath; 1441 mutex_exit(&pad->pad_lock); 1442 if (tad->tad_flag) { 1443 au_uwrite(au_to_path(fad->fad_aupath)); 1444 audit_attributes(fp->f_vnode); 1445 } 1446 } 1447 releasef(uap->fd); 1448 } 1449 } 1450 1451 /* 1452 * ROUTINE: AUDIT_GETF 1453 * PURPOSE: 1454 * CALLBY: GETF_INTERNAL 1455 * NOTE: The main function of GETF_INTERNAL is to associate a given 1456 * file descriptor with a file structure and increment the 1457 * file pointer reference count. 1458 * TODO: remove pass in of fpp. 1459 * increment a reference count so that even if a thread with same process delete 1460 * the same object, it will not panic our system 1461 * QUESTION: 1462 * where to decrement the f_count????????????????? 1463 * seems like I need to set a flag if f_count incremented through audit_getf 1464 */ 1465 1466 /*ARGSUSED*/ 1467 int 1468 audit_getf(int fd) 1469 { 1470 #ifdef NOTYET 1471 t_audit_data_t *tad; 1472 1473 tad = T2A(curthread); 1474 1475 if (!(tad->tad_scid == SYS_openat || 1476 tad->tad_scid == SYS_openat64 || 1477 tad->tad_scid == SYS_open || 1478 tad->tad_scid == SYS_open64)) 1479 return (0); 1480 #endif 1481 return (0); 1482 } 1483 1484 /* 1485 * Audit hook for stream based socket and tli request. 1486 * Note that we do not have user context while executing 1487 * this code so we had to record them earlier during the 1488 * putmsg/getmsg to figure out which user we are dealing with. 1489 */ 1490 1491 /*ARGSUSED*/ 1492 void 1493 audit_sock( 1494 int type, /* type of tihdr.h header requests */ 1495 queue_t *q, /* contains the process and thread audit data */ 1496 mblk_t *mp, /* contains the tihdr.h header structures */ 1497 int from) /* timod or sockmod request */ 1498 { 1499 int32_t len; 1500 int32_t offset; 1501 struct sockaddr_in *sock_data; 1502 struct T_conn_req *conn_req; 1503 struct T_conn_ind *conn_ind; 1504 struct T_unitdata_req *unitdata_req; 1505 struct T_unitdata_ind *unitdata_ind; 1506 au_state_t estate; 1507 t_audit_data_t *tad; 1508 caddr_t saved_thread_ptr; 1509 au_mask_t amask; 1510 const auditinfo_addr_t *ainfo; 1511 au_kcontext_t *kctx; 1512 1513 if (q->q_stream == NULL) 1514 return; 1515 mutex_enter(&q->q_stream->sd_lock); 1516 /* are we being audited */ 1517 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1518 /* no pointer to thread, nothing to do */ 1519 if (saved_thread_ptr == NULL) { 1520 mutex_exit(&q->q_stream->sd_lock); 1521 return; 1522 } 1523 /* only allow one addition of a record token */ 1524 q->q_stream->sd_t_audit_data = NULL; 1525 /* 1526 * thread is not the one being audited, then nothing to do 1527 * This could be the stream thread handling the module 1528 * service routine. In this case, the context for the audit 1529 * record can no longer be assumed. Simplest to just drop 1530 * the operation. 1531 */ 1532 if (curthread != (kthread_id_t)saved_thread_ptr) { 1533 mutex_exit(&q->q_stream->sd_lock); 1534 return; 1535 } 1536 if (curthread->t_sysnum >= SYS_so_socket && 1537 curthread->t_sysnum <= SYS_sockconfig) { 1538 mutex_exit(&q->q_stream->sd_lock); 1539 return; 1540 } 1541 mutex_exit(&q->q_stream->sd_lock); 1542 /* 1543 * we know that the thread that did the put/getmsg is the 1544 * one running. Now we can get the TAD and see if we should 1545 * add an audit token. 1546 */ 1547 tad = U2A(u); 1548 1549 kctx = GET_KCTX_PZ; 1550 1551 /* proceed ONLY if user is being audited */ 1552 if (!tad->tad_flag) 1553 return; 1554 1555 ainfo = crgetauinfo(CRED()); 1556 if (ainfo == NULL) 1557 return; 1558 amask = ainfo->ai_mask; 1559 1560 /* 1561 * Figure out the type of stream networking request here. 1562 * Note that getmsg and putmsg are always preselected 1563 * because during the beginning of the system call we have 1564 * not yet figure out which of the socket or tli request 1565 * we are looking at until we are here. So we need to check 1566 * against that specific request and reset the type of event. 1567 */ 1568 switch (type) { 1569 case T_CONN_REQ: /* connection request */ 1570 conn_req = (struct T_conn_req *)mp->b_rptr; 1571 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1572 return; 1573 offset = conn_req->DEST_offset; 1574 len = conn_req->DEST_length; 1575 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1576 if (amask.as_success & estate || amask.as_failure & estate) { 1577 tad->tad_event = AUE_SOCKCONNECT; 1578 break; 1579 } else { 1580 return; 1581 } 1582 case T_CONN_IND: /* connectionless receive request */ 1583 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1584 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1585 return; 1586 offset = conn_ind->SRC_offset; 1587 len = conn_ind->SRC_length; 1588 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1589 if (amask.as_success & estate || amask.as_failure & estate) { 1590 tad->tad_event = AUE_SOCKACCEPT; 1591 break; 1592 } else { 1593 return; 1594 } 1595 case T_UNITDATA_REQ: /* connectionless send request */ 1596 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1597 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1598 return; 1599 offset = unitdata_req->DEST_offset; 1600 len = unitdata_req->DEST_length; 1601 estate = kctx->auk_ets[AUE_SOCKSEND]; 1602 if (amask.as_success & estate || amask.as_failure & estate) { 1603 tad->tad_event = AUE_SOCKSEND; 1604 break; 1605 } else { 1606 return; 1607 } 1608 case T_UNITDATA_IND: /* connectionless receive request */ 1609 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1610 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1611 return; 1612 offset = unitdata_ind->SRC_offset; 1613 len = unitdata_ind->SRC_length; 1614 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1615 if (amask.as_success & estate || amask.as_failure & estate) { 1616 tad->tad_event = AUE_SOCKRECEIVE; 1617 break; 1618 } else { 1619 return; 1620 } 1621 default: 1622 return; 1623 } 1624 1625 /* 1626 * we are only interested in tcp stream connections, 1627 * not unix domain stuff 1628 */ 1629 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1630 tad->tad_event = AUE_GETMSG; 1631 return; 1632 } 1633 /* skip over TPI header and point to the ip address */ 1634 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1635 1636 switch (sock_data->sin_family) { 1637 case AF_INET: 1638 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1639 break; 1640 default: /* reset to AUE_PUTMSG if not a inet request */ 1641 tad->tad_event = AUE_GETMSG; 1642 break; 1643 } 1644 } 1645 1646 void 1647 audit_lookupname() 1648 { 1649 } 1650 1651 /*ARGSUSED*/ 1652 int 1653 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1654 { 1655 return (0); 1656 } 1657 1658 static void 1659 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1660 { 1661 unsigned int sy_flags; 1662 1663 #ifdef _SYSCALL32_IMPL 1664 /* 1665 * Guard against t_lwp being NULL when this function is called 1666 * from a kernel queue instead of from a direct system call. 1667 * In that case, assume the running kernel data model. 1668 */ 1669 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1670 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1671 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1672 else 1673 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1674 #else 1675 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1676 #endif 1677 1678 if (sy_flags == SE_64RVAL) 1679 au_write(ad, au_to_return64(err, rval)); 1680 else 1681 au_write(ad, au_to_return32(err, rval)); 1682 1683 } 1684 1685 /*ARGSUSED*/ 1686 void 1687 audit_fdsend(fd, fp, error) 1688 int fd; 1689 struct file *fp; 1690 int error; /* ignore for now */ 1691 { 1692 t_audit_data_t *tad; /* current thread */ 1693 f_audit_data_t *fad; /* per file audit structure */ 1694 struct vnode *vp; /* for file attributes */ 1695 1696 /* is this system call being audited */ 1697 tad = U2A(u); 1698 ASSERT(tad != (t_audit_data_t *)0); 1699 if (!tad->tad_flag) 1700 return; 1701 1702 fad = F2A(fp); 1703 1704 /* add path and file attributes */ 1705 if (fad != NULL && fad->fad_aupath != NULL) { 1706 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1707 au_uwrite(au_to_path(fad->fad_aupath)); 1708 } else { 1709 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1710 #ifdef _LP64 1711 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1712 #else 1713 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1714 #endif 1715 } 1716 vp = fp->f_vnode; /* include vnode attributes */ 1717 audit_attributes(vp); 1718 } 1719 1720 /* 1721 * Record privileges successfully used and we attempted to use but 1722 * didn't have. 1723 */ 1724 void 1725 audit_priv(int priv, const priv_set_t *set, int flag) 1726 { 1727 t_audit_data_t *tad; 1728 int sbit; 1729 priv_set_t *target; 1730 1731 /* Make sure this isn't being called in an interrupt context */ 1732 ASSERT(servicing_interrupt() == 0); 1733 1734 tad = U2A(u); 1735 1736 if (tad->tad_flag == 0) 1737 return; 1738 1739 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1740 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1741 1742 /* Tell audit_success() and audit_finish() that we saw this case */ 1743 if (!(tad->tad_evmod & sbit)) { 1744 /* Clear set first time around */ 1745 priv_emptyset(target); 1746 tad->tad_evmod |= sbit; 1747 } 1748 1749 /* Save the privileges in the tad */ 1750 if (priv == PRIV_ALL) { 1751 priv_fillset(target); 1752 } else { 1753 ASSERT(set != NULL || priv != PRIV_NONE); 1754 if (set != NULL) 1755 priv_union(set, target); 1756 if (priv != PRIV_NONE) 1757 priv_addset(target, priv); 1758 } 1759 } 1760 1761 /* 1762 * Audit the setpriv() system call; the operation, the set name and 1763 * the current value as well as the set argument are put in the 1764 * audit trail. 1765 */ 1766 void 1767 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1768 { 1769 t_audit_data_t *tad; 1770 const priv_set_t *oldpriv; 1771 priv_set_t report; 1772 const char *setname; 1773 1774 tad = U2A(u); 1775 1776 if (tad->tad_flag == 0) 1777 return; 1778 1779 oldpriv = priv_getset(ocr, set); 1780 1781 /* Generate the actual record, include the before and after */ 1782 au_uwrite(au_to_arg32(2, "op", op)); 1783 setname = priv_getsetbynum(set); 1784 1785 switch (op) { 1786 case PRIV_OFF: 1787 /* Report privileges actually switched off */ 1788 report = *oldpriv; 1789 priv_intersect(newpriv, &report); 1790 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1791 break; 1792 case PRIV_ON: 1793 /* Report privileges actually switched on */ 1794 report = *oldpriv; 1795 priv_inverse(&report); 1796 priv_intersect(newpriv, &report); 1797 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1798 break; 1799 case PRIV_SET: 1800 /* Report before and after */ 1801 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1802 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1803 break; 1804 } 1805 } 1806 1807 /* 1808 * Dump the full device policy setting in the audit trail. 1809 */ 1810 void 1811 audit_devpolicy(int nitems, const devplcysys_t *items) 1812 { 1813 t_audit_data_t *tad; 1814 int i; 1815 1816 tad = U2A(u); 1817 1818 if (tad->tad_flag == 0) 1819 return; 1820 1821 for (i = 0; i < nitems; i++) { 1822 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1823 if (items[i].dps_minornm[0] == '\0') { 1824 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1825 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1826 } else 1827 au_uwrite(au_to_text(items[i].dps_minornm)); 1828 1829 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1830 AUT_PRIV, 0)); 1831 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1832 AUT_PRIV, 0)); 1833 } 1834 } 1835 1836 /*ARGSUSED*/ 1837 void 1838 audit_fdrecv(fd, fp) 1839 int fd; 1840 struct file *fp; 1841 { 1842 t_audit_data_t *tad; /* current thread */ 1843 f_audit_data_t *fad; /* per file audit structure */ 1844 struct vnode *vp; /* for file attributes */ 1845 1846 /* is this system call being audited */ 1847 tad = U2A(u); 1848 ASSERT(tad != (t_audit_data_t *)0); 1849 if (!tad->tad_flag) 1850 return; 1851 1852 fad = F2A(fp); 1853 1854 /* add path and file attributes */ 1855 if (fad != NULL && fad->fad_aupath != NULL) { 1856 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1857 au_uwrite(au_to_path(fad->fad_aupath)); 1858 } else { 1859 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1860 #ifdef _LP64 1861 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1862 #else 1863 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1864 #endif 1865 } 1866 vp = fp->f_vnode; /* include vnode attributes */ 1867 audit_attributes(vp); 1868 } 1869 1870 /* 1871 * ROUTINE: AUDIT_CRYPTOADM 1872 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1873 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1874 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1875 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1876 * CRYPTO_LOAD_DOOR 1877 * NOTE: 1878 * TODO: 1879 * QUESTION: 1880 */ 1881 1882 void 1883 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1884 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1885 { 1886 boolean_t mech_list_required = B_FALSE; 1887 cred_t *cr = CRED(); 1888 t_audit_data_t *tad; 1889 token_t *ad = NULL; 1890 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1891 char buffer[MAXNAMELEN * 2]; 1892 au_kcontext_t *kctx = GET_KCTX_PZ; 1893 1894 tad = U2A(u); 1895 if (tad == NULL) 1896 return; 1897 1898 if (ainfo == NULL) 1899 return; 1900 1901 tad->tad_event = AUE_CRYPTOADM; 1902 1903 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1904 return; 1905 1906 /* Add subject information */ 1907 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1908 1909 switch (cmd) { 1910 case CRYPTO_LOAD_DEV_DISABLED: 1911 if (error == 0 && rv == CRYPTO_SUCCESS) { 1912 (void) snprintf(buffer, sizeof (buffer), 1913 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1914 " dev_instance=%d", 1915 module_name, device_instance); 1916 mech_list_required = B_TRUE; 1917 } else { 1918 (void) snprintf(buffer, sizeof (buffer), 1919 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1920 } 1921 break; 1922 1923 case CRYPTO_LOAD_SOFT_DISABLED: 1924 if (error == 0 && rv == CRYPTO_SUCCESS) { 1925 (void) snprintf(buffer, sizeof (buffer), 1926 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1927 module_name); 1928 mech_list_required = B_TRUE; 1929 } else { 1930 (void) snprintf(buffer, sizeof (buffer), 1931 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1932 } 1933 break; 1934 1935 case CRYPTO_UNLOAD_SOFT_MODULE: 1936 if (error == 0 && rv == CRYPTO_SUCCESS) { 1937 (void) snprintf(buffer, sizeof (buffer), 1938 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1939 module_name); 1940 } else { 1941 (void) snprintf(buffer, sizeof (buffer), 1942 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1943 } 1944 break; 1945 1946 case CRYPTO_LOAD_SOFT_CONFIG: 1947 if (error == 0 && rv == CRYPTO_SUCCESS) { 1948 (void) snprintf(buffer, sizeof (buffer), 1949 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1950 module_name); 1951 mech_list_required = B_TRUE; 1952 } else { 1953 (void) snprintf(buffer, sizeof (buffer), 1954 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1955 } 1956 break; 1957 1958 case CRYPTO_POOL_CREATE: 1959 (void) snprintf(buffer, sizeof (buffer), 1960 "op=CRYPTO_POOL_CREATE"); 1961 break; 1962 1963 case CRYPTO_POOL_WAIT: 1964 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1965 break; 1966 1967 case CRYPTO_POOL_RUN: 1968 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1969 break; 1970 1971 case CRYPTO_LOAD_DOOR: 1972 if (error == 0 && rv == CRYPTO_SUCCESS) 1973 (void) snprintf(buffer, sizeof (buffer), 1974 "op=CRYPTO_LOAD_DOOR"); 1975 else 1976 (void) snprintf(buffer, sizeof (buffer), 1977 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1978 break; 1979 1980 case CRYPTO_FIPS140_SET: 1981 (void) snprintf(buffer, sizeof (buffer), 1982 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1983 break; 1984 1985 default: 1986 return; 1987 } 1988 1989 au_write((caddr_t *)&ad, au_to_text(buffer)); 1990 1991 if (mech_list_required) { 1992 int i; 1993 1994 if (mech_count == 0) { 1995 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1996 } else { 1997 char *pb = buffer; 1998 size_t l = sizeof (buffer); 1999 size_t n; 2000 char space[2] = ":"; 2001 2002 n = snprintf(pb, l, "mech="); 2003 2004 for (i = 0; i < mech_count; i++) { 2005 pb += n; 2006 l -= n; 2007 if (l < 0) 2008 l = 0; 2009 2010 if (i == mech_count - 1) 2011 (void) strcpy(space, ""); 2012 2013 n = snprintf(pb, l, "%s%s", mech_names[i], 2014 space); 2015 } 2016 au_write((caddr_t *)&ad, au_to_text(buffer)); 2017 } 2018 } 2019 2020 /* add a return token */ 2021 if (error || (rv != CRYPTO_SUCCESS)) 2022 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2023 else 2024 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2025 2026 AS_INC(as_generated, 1, kctx); 2027 AS_INC(as_kernel, 1, kctx); 2028 2029 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 2030 NULL); 2031 } 2032 2033 /* 2034 * Audit the kernel SSL administration command. The address and the 2035 * port number for the SSL instance, and the proxy port are put in the 2036 * audit trail. 2037 */ 2038 void 2039 audit_kssl(int cmd, void *params, int error) 2040 { 2041 cred_t *cr = CRED(); 2042 t_audit_data_t *tad; 2043 token_t *ad = NULL; 2044 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2045 au_kcontext_t *kctx = GET_KCTX_PZ; 2046 2047 tad = U2A(u); 2048 2049 if (ainfo == NULL) 2050 return; 2051 2052 tad->tad_event = AUE_CONFIGKSSL; 2053 2054 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2055 return; 2056 2057 /* Add subject information */ 2058 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2059 2060 switch (cmd) { 2061 case KSSL_ADD_ENTRY: { 2062 char buf[32]; 2063 kssl_params_t *kp = (kssl_params_t *)params; 2064 struct sockaddr_in6 *saddr = &kp->kssl_addr; 2065 2066 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2067 au_write((caddr_t *)&ad, 2068 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2069 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2070 saddr->sin6_port); 2071 au_write((caddr_t *)&ad, au_to_text(buf)); 2072 2073 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2074 kp->kssl_proxy_port); 2075 au_write((caddr_t *)&ad, au_to_text(buf)); 2076 break; 2077 } 2078 2079 case KSSL_DELETE_ENTRY: { 2080 char buf[32]; 2081 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 2082 2083 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2084 au_write((caddr_t *)&ad, 2085 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2086 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2087 saddr->sin6_port); 2088 au_write((caddr_t *)&ad, au_to_text(buf)); 2089 break; 2090 } 2091 2092 default: 2093 return; 2094 } 2095 2096 /* add a return token */ 2097 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2098 2099 AS_INC(as_generated, 1, kctx); 2100 AS_INC(as_kernel, 1, kctx); 2101 2102 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 2103 NULL); 2104 } 2105 2106 /* 2107 * Audit the kernel PF_POLICY administration commands. Record command, 2108 * zone, policy type (global or tunnel, active or inactive) 2109 */ 2110 /* 2111 * ROUTINE: AUDIT_PF_POLICY 2112 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2113 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2114 * SPD_CLONE, SPD_FLIP 2115 * NOTE: 2116 * TODO: 2117 * QUESTION: 2118 */ 2119 2120 void 2121 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2122 boolean_t active, int error, pid_t pid) 2123 { 2124 const auditinfo_addr_t *ainfo; 2125 t_audit_data_t *tad; 2126 token_t *ad = NULL; 2127 au_kcontext_t *kctx = GET_KCTX_PZ; 2128 char buf[80]; 2129 int flag; 2130 2131 tad = U2A(u); 2132 if (tad == NULL) 2133 return; 2134 2135 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2136 if (ainfo == NULL) 2137 return; 2138 2139 /* 2140 * Initialize some variables since these are only set 2141 * with system calls. 2142 */ 2143 2144 switch (cmd) { 2145 case SPD_ADDRULE: { 2146 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2147 break; 2148 } 2149 2150 case SPD_DELETERULE: { 2151 tad->tad_event = AUE_PF_POLICY_DELRULE; 2152 break; 2153 } 2154 2155 case SPD_FLUSH: { 2156 tad->tad_event = AUE_PF_POLICY_FLUSH; 2157 break; 2158 } 2159 2160 case SPD_UPDATEALGS: { 2161 tad->tad_event = AUE_PF_POLICY_ALGS; 2162 break; 2163 } 2164 2165 case SPD_CLONE: { 2166 tad->tad_event = AUE_PF_POLICY_CLONE; 2167 break; 2168 } 2169 2170 case SPD_FLIP: { 2171 tad->tad_event = AUE_PF_POLICY_FLIP; 2172 break; 2173 } 2174 2175 default: 2176 tad->tad_event = AUE_NULL; 2177 } 2178 2179 tad->tad_evmod = 0; 2180 2181 if (flag = audit_success(kctx, tad, error, cred)) { 2182 zone_t *nszone; 2183 2184 /* 2185 * For now, just audit that an event happened, 2186 * along with the error code. 2187 */ 2188 au_write((caddr_t *)&ad, 2189 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2190 au_write((caddr_t *)&ad, 2191 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2192 2193 /* Supplemental data */ 2194 2195 /* 2196 * Generate this zone token if the target zone differs 2197 * from the administrative zone. If netstacks are expanded 2198 * to something other than a 1-1 relationship with zones, 2199 * the auditing framework should create a new token type 2200 * and audit it as a netstack instead. 2201 * Turn on general zone auditing to get the administrative zone. 2202 */ 2203 2204 nszone = zone_find_by_id(netstackid_to_zoneid( 2205 ns->netstack_stackid)); 2206 if (nszone != NULL) { 2207 if (strncmp(crgetzone(cred)->zone_name, 2208 nszone->zone_name, ZONENAME_MAX) != 0) { 2209 token_t *ztoken; 2210 2211 ztoken = au_to_zonename(0, nszone); 2212 au_write((caddr_t *)&ad, ztoken); 2213 } 2214 zone_rele(nszone); 2215 } 2216 2217 if (tun != NULL) { 2218 /* write tunnel name - tun is bounded */ 2219 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2220 tun); 2221 au_write((caddr_t *)&ad, au_to_text(buf)); 2222 } 2223 2224 /* Add subject information */ 2225 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2226 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2227 2228 /* add a return token */ 2229 add_return_token((caddr_t *)&ad, 0, error, 0); 2230 2231 AS_INC(as_generated, 1, kctx); 2232 AS_INC(as_kernel, 1, kctx); 2233 2234 } 2235 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2236 NULL); 2237 2238 /* 2239 * clear the ctrl flag so that we don't have spurious collection of 2240 * audit information. 2241 */ 2242 tad->tad_scid = 0; 2243 tad->tad_event = 0; 2244 tad->tad_evmod = 0; 2245 tad->tad_ctrl = 0; 2246 } 2247 2248 /* 2249 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2250 * PURPOSE: Add security attributes 2251 * CALLBY: AUDIT_ATTRIBUTES 2252 * AUDIT_CLOSEF 2253 * AUS_CLOSE 2254 * NOTE: 2255 * TODO: 2256 * QUESTION: 2257 */ 2258 2259 void 2260 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2261 { 2262 /* Dump the SL */ 2263 if (is_system_labeled()) { 2264 ts_label_t *tsl; 2265 bslabel_t *bsl; 2266 2267 tsl = getflabel(vp); 2268 if (tsl == NULL) 2269 return; /* nothing else to do */ 2270 2271 bsl = label2bslabel(tsl); 2272 if (bsl == NULL) 2273 return; /* nothing else to do */ 2274 au_write(ad, au_to_label(bsl)); 2275 label_rele(tsl); 2276 } 2277 2278 } /* AUDIT_SEC_ATTRIBUTES */ 2279