1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the auditing system call code. 28 * 29 */ 30 31 #pragma ident "%Z%%M% %I% %E% SMI" 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/user.h> 36 #include <sys/vnode.h> 37 #include <sys/vfs.h> 38 #include <sys/session.h> /* for session structure (auditctl(2) */ 39 #include <sys/kmem.h> /* for KM_SLEEP */ 40 #include <sys/cred_impl.h> 41 #include <sys/types.h> 42 #include <sys/proc.h> 43 #include <sys/uio.h> 44 #include <sys/file.h> 45 #include <sys/stat.h> 46 #include <sys/pathname.h> 47 #include <sys/acct.h> 48 #include <sys/stropts.h> 49 #include <sys/exec.h> 50 #include <sys/thread.h> 51 #include <sys/cmn_err.h> 52 #include <sys/debug.h> 53 #include <sys/disp.h> 54 #include <sys/kobj.h> 55 #include <sys/sysmacros.h> 56 #include <sys/policy.h> 57 #include <sys/taskq.h> 58 #include <sys/zone.h> 59 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_record.h> 63 64 #define CLEAR_VAL -1 65 66 #define HEADER_SIZE64 1; 67 #define HEADER_SIZE32 0; 68 #define AU_MIN_FILE_SZ 0x80000 /* minumum audit file size */ 69 #define AUDIT_REC_SIZE 0x8000 /* maximum user audit record size */ 70 71 extern kmutex_t pidlock; 72 73 extern pri_t minclsyspri; /* priority for taskq */ 74 75 extern int audit_load; /* defined in audit_start.c */ 76 77 int au_auditstate = AUC_UNSET; /* global audit state */ 78 int audit_policy; /* global audit policies in force */ 79 static clock_t au_resid = 15; /* wait .15 sec before droping a rec */ 80 81 static int getauid(caddr_t); 82 static int setauid(caddr_t); 83 static int getaudit(caddr_t); 84 static int getaudit_addr(caddr_t, int); 85 static int setaudit(caddr_t); 86 static int setaudit_addr(caddr_t, int); 87 static int auditdoor(int); 88 static int auditsvc(int, int); 89 static int auditctl(int, caddr_t, int); 90 static int audit_modsysent(char *, int, int (*)()); 91 static void au_output_thread(); 92 /* 93 * This is the loadable module wrapper. 94 */ 95 #include <sys/modctl.h> 96 #include "sys/syscall.h" 97 98 static struct sysent auditsysent = { 99 6, 100 0, 101 _auditsys 102 }; 103 104 /* 105 * Module linkage information for the kernel. 106 */ 107 extern struct mod_ops mod_syscallops; 108 109 static struct modlsys modlsys = { 110 &mod_syscallops, "C2 system call", &auditsysent 111 }; 112 113 static struct modlinkage modlinkage = { 114 MODREV_1, (void *)&modlsys, 0 115 }; 116 117 int 118 _init() 119 { 120 int retval; 121 122 if (audit_load == 0) 123 return (-1); 124 125 /* 126 * We are going to do an ugly thing here. 127 * Because auditsys is already defined as a regular 128 * syscall we have to change the definition for syscall 129 * auditsys. Basically or in the SE_LOADABLE flag for 130 * auditsys. We no have a static loadable syscall. Also 131 * create an rw_lock. 132 */ 133 134 if ((audit_modsysent("c2audit", 135 SE_LOADABLE|SE_NOUNLOAD, 136 _auditsys)) == -1) 137 return (-1); 138 139 if ((retval = mod_install(&modlinkage)) != 0) 140 return (retval); 141 142 return (0); 143 } 144 145 int 146 _fini() 147 { 148 return (EBUSY); 149 } 150 151 int 152 _info(struct modinfo *modinfop) 153 { 154 return (mod_info(&modlinkage, modinfop)); 155 } 156 157 /* 158 * when auditing is updated to allow enable/disable without 159 * reboot (and when the audit stubs are removed) *most* of these 160 * calls should return an error when auditing is off -- some 161 * for local zones only. 162 */ 163 164 int 165 _auditsys(struct auditcalls *uap, rval_t *rvp) 166 { 167 int result = 0; 168 169 switch (uap->code) { 170 case BSM_GETAUID: 171 result = getauid((caddr_t)uap->a1); 172 break; 173 case BSM_SETAUID: 174 result = setauid((caddr_t)uap->a1); 175 break; 176 case BSM_GETAUDIT: 177 result = getaudit((caddr_t)uap->a1); 178 break; 179 case BSM_GETAUDIT_ADDR: 180 181 result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2); 182 break; 183 case BSM_SETAUDIT: 184 result = setaudit((caddr_t)uap->a1); 185 break; 186 case BSM_SETAUDIT_ADDR: 187 result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2); 188 break; 189 case BSM_AUDIT: 190 result = audit((caddr_t)uap->a1, (int)uap->a2); 191 break; 192 case BSM_AUDITSVC: 193 result = auditsvc((int)uap->a1, (int)uap->a2); 194 break; 195 case BSM_AUDITDOOR: 196 result = auditdoor((int)uap->a1); 197 break; 198 case BSM_AUDITON: 199 case BSM_AUDITCTL: 200 result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3); 201 break; 202 default: 203 result = EINVAL; 204 } 205 rvp->r_vals = result; 206 return (result); 207 } 208 209 /* 210 * Return the audit user ID for the current process. Currently only 211 * the privileged processes may see the audit id. That may change. 212 * If copyout is unsucessful return EFAULT. 213 */ 214 static int 215 getauid(caddr_t auid_p) 216 { 217 const auditinfo_addr_t *ainfo; 218 219 if (secpolicy_audit_getattr(CRED()) != 0) 220 return (EPERM); 221 222 ainfo = crgetauinfo(CRED()); 223 if (ainfo == NULL) 224 return (EINVAL); 225 226 if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t))) 227 return (EFAULT); 228 229 return (0); 230 } 231 232 /* 233 * Set the audit userid, for a process. This can only be changed by 234 * privileged processes. The audit userid is inherited across forks & execs. 235 * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT. 236 */ 237 static int 238 setauid(caddr_t auid_p) 239 { 240 proc_t *p; 241 au_id_t auid; 242 cred_t *newcred; 243 auditinfo_addr_t *auinfo; 244 245 if (secpolicy_audit_config(CRED()) != 0) 246 return (EPERM); 247 248 if (copyin(auid_p, &auid, sizeof (au_id_t))) { 249 return (EFAULT); 250 } 251 252 newcred = cralloc(); 253 if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) { 254 crfree(newcred); 255 return (EINVAL); 256 } 257 258 /* grab p_crlock and switch to new cred */ 259 p = curproc; 260 mutex_enter(&p->p_crlock); 261 crcopy_to(p->p_cred, newcred); 262 p->p_cred = newcred; 263 264 auinfo->ai_auid = auid; /* update the auid */ 265 266 /* unlock and broadcast the cred changes */ 267 mutex_exit(&p->p_crlock); 268 crset(p, newcred); 269 270 return (0); 271 } 272 273 /* 274 * Get the audit state information from the current process. 275 * Return EFAULT if copyout fails. 276 */ 277 static int 278 getaudit(caddr_t info_p) 279 { 280 STRUCT_DECL(auditinfo, info); 281 const auditinfo_addr_t *ainfo; 282 model_t model; 283 284 if (secpolicy_audit_getattr(CRED()) != 0) 285 return (EPERM); 286 287 model = get_udatamodel(); 288 STRUCT_INIT(info, model); 289 290 ainfo = crgetauinfo(CRED()); 291 if (ainfo == NULL) 292 return (EINVAL); 293 294 /* trying to read a process with an IPv6 address? */ 295 if (ainfo->ai_termid.at_type == AU_IPv6) 296 return (EOVERFLOW); 297 298 STRUCT_FSET(info, ai_auid, ainfo->ai_auid); 299 STRUCT_FSET(info, ai_mask, ainfo->ai_mask); 300 #ifdef _LP64 301 if (model == DATAMODEL_ILP32) { 302 dev32_t dev; 303 /* convert internal 64 bit form to 32 bit version */ 304 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 305 return (EOVERFLOW); 306 } 307 STRUCT_FSET(info, ai_termid.port, dev); 308 } else 309 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port); 310 #else 311 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port); 312 #endif 313 STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]); 314 STRUCT_FSET(info, ai_asid, ainfo->ai_asid); 315 316 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 317 return (EFAULT); 318 319 return (0); 320 } 321 322 /* 323 * Get the audit state information from the current process. 324 * Return EFAULT if copyout fails. 325 */ 326 static int 327 getaudit_addr(caddr_t info_p, int len) 328 { 329 STRUCT_DECL(auditinfo_addr, info); 330 const auditinfo_addr_t *ainfo; 331 model_t model; 332 333 if (secpolicy_audit_getattr(CRED()) != 0) 334 return (EPERM); 335 336 model = get_udatamodel(); 337 STRUCT_INIT(info, model); 338 339 if (len < STRUCT_SIZE(info)) 340 return (EOVERFLOW); 341 342 ainfo = crgetauinfo(CRED()); 343 344 if (ainfo == NULL) 345 return (EINVAL); 346 347 STRUCT_FSET(info, ai_auid, ainfo->ai_auid); 348 STRUCT_FSET(info, ai_mask, ainfo->ai_mask); 349 #ifdef _LP64 350 if (model == DATAMODEL_ILP32) { 351 dev32_t dev; 352 /* convert internal 64 bit form to 32 bit version */ 353 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 354 return (EOVERFLOW); 355 } 356 STRUCT_FSET(info, ai_termid.at_port, dev); 357 } else 358 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port); 359 #else 360 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port); 361 #endif 362 STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type); 363 STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]); 364 STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]); 365 STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]); 366 STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]); 367 STRUCT_FSET(info, ai_asid, ainfo->ai_asid); 368 369 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 370 return (EFAULT); 371 372 return (0); 373 } 374 375 /* 376 * Set the audit state information for the current process. 377 * Return EFAULT if copyout fails. 378 */ 379 static int 380 setaudit(caddr_t info_p) 381 { 382 STRUCT_DECL(auditinfo, info); 383 proc_t *p; 384 cred_t *newcred; 385 model_t model; 386 auditinfo_addr_t *ainfo; 387 388 if (secpolicy_audit_config(CRED()) != 0) 389 return (EPERM); 390 391 model = get_udatamodel(); 392 STRUCT_INIT(info, model); 393 394 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info))) 395 return (EFAULT); 396 397 newcred = cralloc(); 398 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) { 399 crfree(newcred); 400 return (EINVAL); 401 } 402 403 /* grab p_crlock and switch to new cred */ 404 p = curproc; 405 mutex_enter(&p->p_crlock); 406 crcopy_to(p->p_cred, newcred); 407 p->p_cred = newcred; 408 409 /* Set audit mask, id, termid and session id as specified */ 410 ainfo->ai_auid = STRUCT_FGET(info, ai_auid); 411 #ifdef _LP64 412 /* only convert to 64 bit if coming from a 32 bit binary */ 413 if (model == DATAMODEL_ILP32) 414 ainfo->ai_termid.at_port = 415 DEVEXPL(STRUCT_FGET(info, ai_termid.port)); 416 else 417 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port); 418 #else 419 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port); 420 #endif 421 ainfo->ai_termid.at_type = AU_IPv4; 422 ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine); 423 ainfo->ai_asid = STRUCT_FGET(info, ai_asid); 424 ainfo->ai_mask = STRUCT_FGET(info, ai_mask); 425 426 /* unlock and broadcast the cred changes */ 427 mutex_exit(&p->p_crlock); 428 crset(p, newcred); 429 430 return (0); 431 } 432 433 /* 434 * Set the audit state information for the current process. 435 * Return EFAULT if copyin fails. 436 */ 437 static int 438 setaudit_addr(caddr_t info_p, int len) 439 { 440 STRUCT_DECL(auditinfo_addr, info); 441 proc_t *p; 442 cred_t *newcred; 443 model_t model; 444 int i; 445 int type; 446 auditinfo_addr_t *ainfo; 447 448 if (secpolicy_audit_config(CRED()) != 0) 449 return (EPERM); 450 451 model = get_udatamodel(); 452 STRUCT_INIT(info, model); 453 454 if (len < STRUCT_SIZE(info)) 455 return (EOVERFLOW); 456 457 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info))) 458 return (EFAULT); 459 460 type = STRUCT_FGET(info, ai_termid.at_type); 461 if ((type != AU_IPv4) && (type != AU_IPv6)) 462 return (EINVAL); 463 464 newcred = cralloc(); 465 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) { 466 crfree(newcred); 467 return (EINVAL); 468 } 469 470 /* grab p_crlock and switch to new cred */ 471 p = curproc; 472 mutex_enter(&p->p_crlock); 473 crcopy_to(p->p_cred, newcred); 474 p->p_cred = newcred; 475 476 /* Set audit mask, id, termid and session id as specified */ 477 ainfo->ai_auid = STRUCT_FGET(info, ai_auid); 478 ainfo->ai_mask = STRUCT_FGET(info, ai_mask); 479 #ifdef _LP64 480 /* only convert to 64 bit if coming from a 32 bit binary */ 481 if (model == DATAMODEL_ILP32) 482 ainfo->ai_termid.at_port = 483 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port)); 484 else 485 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port); 486 #else 487 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port); 488 #endif 489 ainfo->ai_termid.at_type = type; 490 bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr)); 491 for (i = 0; i < (type/sizeof (int)); i++) 492 ainfo->ai_termid.at_addr[i] = 493 STRUCT_FGET(info, ai_termid.at_addr[i]); 494 495 if (ainfo->ai_termid.at_type == AU_IPv6 && 496 IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) { 497 ainfo->ai_termid.at_type = AU_IPv4; 498 ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3]; 499 ainfo->ai_termid.at_addr[1] = 0; 500 ainfo->ai_termid.at_addr[2] = 0; 501 ainfo->ai_termid.at_addr[3] = 0; 502 } 503 504 ainfo->ai_asid = STRUCT_FGET(info, ai_asid); 505 506 /* unlock and broadcast the cred changes */ 507 mutex_exit(&p->p_crlock); 508 crset(p, newcred); 509 510 return (0); 511 } 512 513 /* 514 * The audit system call. Trust what the user has sent down and save it 515 * away in the audit file. User passes a complete audit record and its 516 * length. We will fill in the time stamp, check the header and the length 517 * Put a trailer and a sequence token if policy requires. 518 * In the future length might become size_t instead of an int. 519 * 520 * The call is valid whether or not AUDIT_PERZONE is set (think of 521 * login to a zone). When the local audit state (auk_auditstate) is 522 * AUC_INIT_AUDIT, records are accepted even though auditd isn't 523 * running. 524 */ 525 int 526 audit(caddr_t record, int length) 527 { 528 char c; 529 int count, l; 530 token_t *m, *n, *s, *ad; 531 int hdrlen, delta; 532 adr_t hadr; 533 adr_t sadr; 534 int size; /* 0: 32 bit utility 1: 64 bit utility */ 535 int host_len; 536 size_t zlen; 537 au_kcontext_t *kctx = GET_KCTX_PZ; 538 539 /* if auditing not enabled, then don't generate an audit record */ 540 if (kctx->auk_auditstate != AUC_AUDITING && 541 kctx->auk_auditstate != AUC_INIT_AUDIT) 542 return (0); 543 544 /* Only privileged processes can audit */ 545 if (secpolicy_audit_modify(CRED()) != 0) 546 return (EPERM); 547 548 /* Max user record size is 32K */ 549 if (length > AUDIT_REC_SIZE) 550 return (E2BIG); 551 552 /* 553 * The specified length must be at least as big as the smallest 554 * possible header token. Later after beginning to scan the 555 * header we'll determine the true minimum length according to 556 * the header type and attributes. 557 */ 558 #define AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \ 559 sizeof (char) + sizeof (short) + sizeof (short) + \ 560 (sizeof (int32_t) * 2)) 561 562 if (length < AU_MIN_HEADER_LEN) 563 return (EINVAL); 564 565 /* Read in user's audit record */ 566 count = length; 567 m = n = s = ad = NULL; 568 while (count) { 569 m = au_getclr(); 570 if (!s) 571 s = n = m; 572 else { 573 n->next_buf = m; 574 n = m; 575 } 576 l = MIN(count, AU_BUFSIZE); 577 if (copyin(record, memtod(m, caddr_t), 578 (size_t)l)) { 579 /* copyin failed release au_membuf */ 580 au_free_rec(s); 581 return (EFAULT); 582 } 583 record += l; 584 count -= l; 585 m->len = (uchar_t)l; 586 } 587 588 /* Now attach the entire thing to ad */ 589 au_write((caddr_t *)&(ad), s); 590 591 /* validate header token type. trust everything following it */ 592 adr_start(&hadr, memtod(s, char *)); 593 (void) adr_getchar(&hadr, &c); 594 switch (c) { 595 case AUT_HEADER32: 596 /* size vers+event_ID+event_modifier fields */ 597 delta = 1 + 2 + 2; 598 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2); 599 size = HEADER_SIZE32; 600 break; 601 602 #ifdef _LP64 603 case AUT_HEADER64: 604 /* size vers+event_ID+event_modifier fields */ 605 delta = 1 + 2 + 2; 606 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2); 607 size = HEADER_SIZE64; 608 break; 609 #endif 610 611 case AUT_HEADER32_EX: 612 /* 613 * Skip over the length/version/type/mod fields and 614 * grab the host address type (length), then rewind. 615 * This is safe per the previous minimum length check. 616 */ 617 hadr.adr_now += 9; 618 (void) adr_getint32(&hadr, &host_len); 619 hadr.adr_now -= 9 + sizeof (int32_t); 620 621 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */ 622 delta = 1 + 2 + 2 + 4 + host_len; 623 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2); 624 size = HEADER_SIZE32; 625 break; 626 627 #ifdef _LP64 628 case AUT_HEADER64_EX: 629 /* 630 * Skip over the length/version/type/mod fields and grab 631 * the host address type (length), then rewind. 632 * This is safe per the previous minimum length check. 633 */ 634 hadr.adr_now += 9; 635 (void) adr_getint32(&hadr, &host_len); 636 hadr.adr_now -= 9 + sizeof (int32_t); 637 638 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */ 639 delta = 1 + 2 + 2 + 4 + host_len; 640 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2); 641 size = HEADER_SIZE64; 642 break; 643 #endif 644 645 default: 646 /* Header is wrong, reject message */ 647 au_free_rec(s); 648 return (EINVAL); 649 } 650 651 if (length < hdrlen) { 652 au_free_rec(s); 653 return (0); 654 } 655 656 /* advance over header token length field */ 657 hadr.adr_now += 4; 658 659 /* validate version */ 660 (void) adr_getchar(&hadr, &c); 661 if (c != TOKEN_VERSION) { 662 /* version is wrong, reject message */ 663 au_free_rec(s); 664 return (EINVAL); 665 } 666 667 /* backup to header length field (including version field) */ 668 hadr.adr_now -= 5; 669 670 /* 671 * add on the zonename token if policy AUDIT_ZONENAME is set 672 */ 673 if (kctx->auk_policy & AUDIT_ZONENAME) { 674 zlen = au_zonename_length(NULL); 675 if (zlen > 0) { 676 length += zlen; 677 m = au_to_zonename(zlen, NULL); 678 (void) au_append_rec(ad, m, AU_PACK); 679 } 680 } 681 /* Add an (optional) sequence token. NULL offset if none */ 682 if (kctx->auk_policy & AUDIT_SEQ) { 683 /* get the sequnce token */ 684 m = au_to_seq(); 685 686 /* sequence token 5 bytes long */ 687 length += 5; 688 689 /* link to audit record (i.e. don't pack the data) */ 690 (void) au_append_rec(ad, m, AU_LINK); 691 692 /* advance to count field of token */ 693 adr_start(&sadr, memtod(m, char *)); 694 sadr.adr_now += 1; 695 } else 696 sadr.adr_now = (char *)NULL; 697 698 /* add the (optional) trailer token */ 699 if (kctx->auk_policy & AUDIT_TRAIL) { 700 /* trailer token is 7 bytes long */ 701 length += 7; 702 703 /* append to audit record */ 704 (void) au_append_rec(ad, au_to_trailer(length), AU_PACK); 705 } 706 707 /* audit record completely assembled. set the length */ 708 adr_int32(&hadr, (int32_t *)&length, 1); 709 710 /* advance to date/time field of header */ 711 hadr.adr_now += delta; 712 713 /* We are done put it on the queue */ 714 AS_INC(as_generated, 1, kctx); 715 AS_INC(as_audit, 1, kctx); 716 717 au_enqueue(kctx, s, &hadr, &sadr, size, 0); 718 719 AS_INC(as_totalsize, length, kctx); 720 721 return (0); 722 } 723 724 static void 725 audit_dont_stop(void *kctx) 726 { 727 728 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) || 729 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT)) 730 return; 731 732 mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock)); 733 cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv)); 734 mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock)); 735 } 736 737 /* 738 * auditdoor starts a kernel thread to generate output from the audit 739 * queue. The thread terminates when it detects auditing being turned 740 * off, such as when auditd exits with a SIGTERM. If a subsequent 741 * auditdoor arrives while the thread is running, the door descriptor 742 * of the last auditdoor in will be used for output. auditd is responsible 743 * for insuring that multiple copies are not running. 744 */ 745 746 static int 747 auditdoor(int fd) 748 { 749 struct file *fp; 750 struct vnode *vp; 751 int error = 0; 752 int do_create = 0; 753 au_kcontext_t *kctx; 754 755 if (secpolicy_audit_config(CRED()) != 0) 756 return (EPERM); 757 758 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 759 return (EINVAL); 760 761 kctx = GET_KCTX_NGZ; 762 763 /* 764 * Prevent a second audit daemon from running this code. 765 * auk_svc_busy == 2 until the output thread terminates. 766 * Multiple calls to auditdoor() are valid but a call 767 * to auditsvc() while au_output_thread() is running 768 * or a call to auditdoor() while auditsvc is running 769 * is blocked. 770 */ 771 mutex_enter(&(kctx->auk_svc_lock)); 772 if (kctx->auk_svc_busy == 1) { /* active auditsvc? */ 773 mutex_exit(&(kctx->auk_svc_lock)); 774 return (EBUSY); 775 } 776 kctx->auk_svc_busy = 2; 777 mutex_exit(&(kctx->auk_svc_lock)); 778 /* 779 * convert file pointer to file descriptor 780 * Note: fd ref count incremented here. 781 */ 782 if ((fp = (struct file *)getf(fd)) == NULL) { 783 error = EBADF; 784 goto svc_exit; 785 } 786 vp = fp->f_vnode; 787 if (vp->v_type != VDOOR) { 788 cmn_err(CE_WARN, 789 "auditdoor() did not get the expected door descriptor\n"); 790 error = EINVAL; 791 releasef(fd); 792 goto svc_exit; 793 } 794 /* 795 * If the output thread is already running, then replace the 796 * door descriptor with the new one and continue; otherwise 797 * create the thread too. Since au_output_thread makes a call 798 * to au_doorio() which also does 799 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is 800 * done after the unlock... 801 */ 802 mutex_enter(&(kctx->auk_svc_lock)); 803 804 if (kctx->auk_current_vp != NULL) 805 VN_RELE(kctx->auk_current_vp); 806 807 kctx->auk_current_vp = vp; 808 VN_HOLD(kctx->auk_current_vp); 809 releasef(fd); 810 811 if (!kctx->auk_output_active) { 812 kctx->auk_output_active = 1; 813 do_create = 1; 814 } 815 mutex_exit(&(kctx->auk_svc_lock)); 816 if (do_create) { 817 kctx->auk_taskq = 818 taskq_create("output_master", 1, minclsyspri, 1, 1, 0); 819 (void) taskq_dispatch(kctx->auk_taskq, 820 (task_func_t *)au_output_thread, 821 kctx, TQ_SLEEP); 822 } 823 svc_exit: 824 if (error) { 825 mutex_enter(&(kctx->auk_svc_lock)); 826 kctx->auk_svc_busy = 2; 827 mutex_exit(&(kctx->auk_svc_lock)); 828 } 829 return (error); 830 } 831 832 /* 833 * au_queue_kick -- wake up the output queue after delay ticks 834 */ 835 static void 836 au_queue_kick(void *kctx) 837 { 838 /* 839 * wakeup reader if its not running and there is something 840 * to do. It also helps that kctx still be valid... 841 */ 842 843 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) || 844 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT)) 845 return; 846 847 if (((au_kcontext_t *)kctx)->auk_queue.cnt && 848 ((au_kcontext_t *)kctx)->auk_queue.rd_block) 849 cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv); 850 851 /* fire off timeout event to kick audit queue awake */ 852 (void) timeout(au_queue_kick, kctx, 853 ((au_kcontext_t *)kctx)->auk_queue.delay); 854 } 855 856 /* 857 * output thread 858 * 859 * this runs "forever" where "forever" means until either auk_auditstate 860 * changes from AUC_AUDITING or if the door descriptor becomes invalid. 861 * 862 * there is one thread per active zone if AUC_PERZONE is set. Since 863 * there is the possibility that a zone may go down without auditd 864 * terminating properly, a zone shutdown kills its au_output_thread() 865 * via taskq_destroy(). 866 */ 867 868 static void 869 au_output_thread(au_kcontext_t *kctx) 870 { 871 int error = 0; 872 873 (void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay); 874 875 /* 876 * Wait for work, until a signal arrives, 877 * or until auditing is disabled. 878 */ 879 880 while (!error) { 881 if (kctx->auk_auditstate == AUC_AUDITING) { 882 mutex_enter(&(kctx->auk_queue.lock)); 883 while (kctx->auk_queue.head == NULL) { 884 /* safety check. kick writer awake */ 885 if (kctx->auk_queue.wt_block) 886 cv_broadcast(&(kctx->auk_queue.write_cv)); 887 888 kctx->auk_queue.rd_block = 1; 889 AS_INC(as_rblocked, 1, kctx); 890 891 cv_wait(&(kctx->auk_queue.read_cv), 892 &(kctx->auk_queue.lock)); 893 894 kctx->auk_queue.rd_block = 0; 895 896 if (kctx->auk_auditstate != AUC_AUDITING) { 897 mutex_exit(&(kctx->auk_queue.lock)); 898 (void) timeout(audit_dont_stop, kctx, au_resid); 899 goto output_exit; 900 } 901 kctx->auk_queue.rd_block = 0; 902 } 903 mutex_exit(&(kctx->auk_queue.lock)); 904 /* 905 * au_doorio() calls au_door_upcall which holds auk_svc_lock; 906 * au_doorio empties the queue before returning. 907 */ 908 909 error = au_doorio(kctx); 910 } else /* auditing turned off while we slept */ 911 break; 912 } 913 output_exit: 914 mutex_enter(&(kctx->auk_svc_lock)); 915 916 VN_RELE(kctx->auk_current_vp); 917 kctx->auk_current_vp = NULL; 918 919 kctx->auk_output_active = 0; 920 kctx->auk_svc_busy = 0; 921 922 mutex_exit(&(kctx->auk_svc_lock)); 923 } 924 925 926 /* 927 * Get the global policy flag 928 */ 929 930 static int 931 getpolicy(caddr_t data) 932 { 933 int policy; 934 au_kcontext_t *kctx = GET_KCTX_PZ; 935 936 policy = audit_policy | kctx->auk_policy; 937 938 if (copyout(&policy, data, sizeof (int))) 939 return (EFAULT); 940 return (0); 941 } 942 943 /* 944 * Set the global and local policy flags 945 * 946 * The global flags only make sense from the global zone; 947 * the local flags depend on the AUDIT_PERZONE policy: 948 * if the perzone policy is set, then policy is set separately 949 * per zone, else held only in the global zone. 950 * 951 * The initial value of a local zone's policy flag is determined 952 * by the value of the global zone's flags at the time the 953 * local zone is created. 954 * 955 * While auditconfig(1M) allows setting and unsetting policies one bit 956 * at a time, the mask passed in from auditconfig() is created by a 957 * syscall to getpolicy and then modified based on the auditconfig() 958 * cmd line, so the input policy value is used to replace the existing 959 * policy. 960 */ 961 962 963 static int 964 setpolicy(caddr_t data) 965 { 966 int policy; 967 au_kcontext_t *kctx; 968 969 if (copyin(data, &policy, sizeof (int))) 970 return (EFAULT); 971 972 kctx = GET_KCTX_NGZ; 973 974 if (INGLOBALZONE(curproc)) { 975 if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL)) 976 return (EINVAL); 977 978 audit_policy = policy & AUDIT_GLOBAL; 979 } else { 980 if (!(audit_policy & AUDIT_PERZONE)) 981 return (EINVAL); 982 983 if (policy & ~AUDIT_LOCAL) /* global bits are a no-no */ 984 return (EINVAL); 985 } 986 kctx->auk_policy = policy & AUDIT_LOCAL; 987 988 /* 989 * auk_current_vp is NULL before auditd starts (or during early 990 * auditd starup) or if auditd is halted; in either case, 991 * notification of a policy change is not needed, since auditd 992 * reads policy as it comes up. The error return from au_doormsg() 993 * is ignored to avoid a race condition -- for example if auditd 994 * segv's, the audit state may be "auditing" but the door may 995 * be closed. Returning an error if the door is open makes it 996 * impossible for Greenline to restart auditd. 997 */ 998 if (kctx->auk_current_vp != NULL) 999 (void) au_doormsg(kctx, AU_DBUF_POLICY, &policy); 1000 1001 /* 1002 * Wake up anyone who might have blocked on full audit 1003 * partitions. audit daemons need to set AUDIT_FULL when no 1004 * space so we can tell if we should start dropping records. 1005 */ 1006 mutex_enter(&(kctx->auk_queue.lock)); 1007 1008 if ((policy & (AUDIT_CNT | AUDIT_SCNT) && 1009 (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater))) 1010 cv_broadcast(&(kctx->auk_queue.write_cv)); 1011 1012 mutex_exit(&(kctx->auk_queue.lock)); 1013 1014 return (0); 1015 } 1016 1017 static int 1018 getkmask(caddr_t data) 1019 { 1020 au_kcontext_t *kctx; 1021 1022 kctx = GET_KCTX_PZ; 1023 1024 if (copyout(&kctx->auk_info.ai_mask, data, sizeof (au_mask_t))) 1025 return (EFAULT); 1026 return (0); 1027 } 1028 1029 static int 1030 setkmask(caddr_t data) 1031 { 1032 au_mask_t mask; 1033 au_kcontext_t *kctx; 1034 1035 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1036 return (EINVAL); 1037 1038 kctx = GET_KCTX_NGZ; 1039 1040 if (copyin(data, &mask, sizeof (au_mask_t))) 1041 return (EFAULT); 1042 1043 kctx->auk_info.ai_mask = mask; 1044 return (0); 1045 } 1046 1047 static int 1048 getkaudit(caddr_t info_p, int len) 1049 { 1050 STRUCT_DECL(auditinfo_addr, info); 1051 model_t model; 1052 au_kcontext_t *kctx = GET_KCTX_PZ; 1053 1054 model = get_udatamodel(); 1055 STRUCT_INIT(info, model); 1056 1057 if (len < STRUCT_SIZE(info)) 1058 return (EOVERFLOW); 1059 1060 STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid); 1061 STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_mask); 1062 #ifdef _LP64 1063 if (model == DATAMODEL_ILP32) { 1064 dev32_t dev; 1065 /* convert internal 64 bit form to 32 bit version */ 1066 if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) { 1067 return (EOVERFLOW); 1068 } 1069 STRUCT_FSET(info, ai_termid.at_port, dev); 1070 } else 1071 STRUCT_FSET(info, ai_termid.at_port, 1072 kctx->auk_info.ai_termid.at_port); 1073 #else 1074 STRUCT_FSET(info, ai_termid.at_port, 1075 kctx->auk_info.ai_termid.at_port); 1076 #endif 1077 STRUCT_FSET(info, ai_termid.at_type, 1078 kctx->auk_info.ai_termid.at_type); 1079 STRUCT_FSET(info, ai_termid.at_addr[0], 1080 kctx->auk_info.ai_termid.at_addr[0]); 1081 STRUCT_FSET(info, ai_termid.at_addr[1], 1082 kctx->auk_info.ai_termid.at_addr[1]); 1083 STRUCT_FSET(info, ai_termid.at_addr[2], 1084 kctx->auk_info.ai_termid.at_addr[2]); 1085 STRUCT_FSET(info, ai_termid.at_addr[3], 1086 kctx->auk_info.ai_termid.at_addr[3]); 1087 STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid); 1088 1089 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 1090 return (EFAULT); 1091 1092 return (0); 1093 } 1094 1095 /* 1096 * the host address for AUDIT_PERZONE == 0 is that of the global 1097 * zone and for local zones it is of the current zone. 1098 */ 1099 1100 static int 1101 setkaudit(caddr_t info_p, int len) 1102 { 1103 STRUCT_DECL(auditinfo_addr, info); 1104 model_t model; 1105 au_kcontext_t *kctx; 1106 1107 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1108 return (EINVAL); 1109 1110 kctx = GET_KCTX_NGZ; 1111 1112 model = get_udatamodel(); 1113 STRUCT_INIT(info, model); 1114 1115 if (len < STRUCT_SIZE(info)) 1116 return (EOVERFLOW); 1117 1118 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info))) 1119 return (EFAULT); 1120 1121 if ((STRUCT_FGET(info, ai_termid.at_type) != AU_IPv4) && 1122 (STRUCT_FGET(info, ai_termid.at_type) != AU_IPv6)) 1123 return (EINVAL); 1124 1125 /* Set audit mask, termid and session id as specified */ 1126 kctx->auk_info.ai_auid = STRUCT_FGET(info, ai_auid); 1127 kctx->auk_info.ai_mask = STRUCT_FGET(info, ai_mask); 1128 #ifdef _LP64 1129 /* only convert to 64 bit if coming from a 32 bit binary */ 1130 if (model == DATAMODEL_ILP32) 1131 kctx->auk_info.ai_termid.at_port = 1132 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port)); 1133 else 1134 kctx->auk_info.ai_termid.at_port = 1135 STRUCT_FGET(info, ai_termid.at_port); 1136 #else 1137 kctx->auk_info.ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port); 1138 #endif 1139 kctx->auk_info.ai_termid.at_type = STRUCT_FGET(info, ai_termid.at_type); 1140 bzero(&kctx->auk_info.ai_termid.at_addr[0], 1141 sizeof (kctx->auk_info.ai_termid.at_addr)); 1142 kctx->auk_info.ai_termid.at_addr[0] = 1143 STRUCT_FGET(info, ai_termid.at_addr[0]); 1144 kctx->auk_info.ai_termid.at_addr[1] = 1145 STRUCT_FGET(info, ai_termid.at_addr[1]); 1146 kctx->auk_info.ai_termid.at_addr[2] = 1147 STRUCT_FGET(info, ai_termid.at_addr[2]); 1148 kctx->auk_info.ai_termid.at_addr[3] = 1149 STRUCT_FGET(info, ai_termid.at_addr[3]); 1150 kctx->auk_info.ai_asid = STRUCT_FGET(info, ai_asid); 1151 1152 if (kctx->auk_info.ai_termid.at_type == AU_IPv6 && 1153 IN6_IS_ADDR_V4MAPPED( 1154 ((in6_addr_t *)kctx->auk_info.ai_termid.at_addr))) { 1155 kctx->auk_info.ai_termid.at_type = AU_IPv4; 1156 kctx->auk_info.ai_termid.at_addr[0] = 1157 kctx->auk_info.ai_termid.at_addr[3]; 1158 kctx->auk_info.ai_termid.at_addr[1] = 0; 1159 kctx->auk_info.ai_termid.at_addr[2] = 0; 1160 kctx->auk_info.ai_termid.at_addr[3] = 0; 1161 } 1162 if (kctx->auk_info.ai_termid.at_type == AU_IPv6) 1163 kctx->auk_hostaddr_valid = IN6_IS_ADDR_UNSPECIFIED( 1164 (in6_addr_t *)kctx->auk_info.ai_termid.at_addr) ? 0 : 1; 1165 else 1166 kctx->auk_hostaddr_valid = 1167 (kctx->auk_info.ai_termid.at_addr[0] == 1168 htonl(INADDR_ANY)) ? 0 : 1; 1169 1170 return (0); 1171 } 1172 1173 static int 1174 getqctrl(caddr_t data) 1175 { 1176 au_kcontext_t *kctx = GET_KCTX_PZ; 1177 STRUCT_DECL(au_qctrl, qctrl); 1178 STRUCT_INIT(qctrl, get_udatamodel()); 1179 1180 mutex_enter(&(kctx->auk_queue.lock)); 1181 STRUCT_FSET(qctrl, aq_hiwater, kctx->auk_queue.hiwater); 1182 STRUCT_FSET(qctrl, aq_lowater, kctx->auk_queue.lowater); 1183 STRUCT_FSET(qctrl, aq_bufsz, kctx->auk_queue.bufsz); 1184 STRUCT_FSET(qctrl, aq_delay, kctx->auk_queue.delay); 1185 mutex_exit(&(kctx->auk_queue.lock)); 1186 1187 if (copyout(STRUCT_BUF(qctrl), data, STRUCT_SIZE(qctrl))) 1188 return (EFAULT); 1189 1190 return (0); 1191 } 1192 1193 static int 1194 setqctrl(caddr_t data) 1195 { 1196 au_kcontext_t *kctx; 1197 struct au_qctrl qctrl_tmp; 1198 STRUCT_DECL(au_qctrl, qctrl); 1199 STRUCT_INIT(qctrl, get_udatamodel()); 1200 1201 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1202 return (EINVAL); 1203 kctx = GET_KCTX_NGZ; 1204 1205 if (copyin(data, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 1206 return (EFAULT); 1207 1208 qctrl_tmp.aq_hiwater = (size_t)STRUCT_FGET(qctrl, aq_hiwater); 1209 qctrl_tmp.aq_lowater = (size_t)STRUCT_FGET(qctrl, aq_lowater); 1210 qctrl_tmp.aq_bufsz = (size_t)STRUCT_FGET(qctrl, aq_bufsz); 1211 qctrl_tmp.aq_delay = (clock_t)STRUCT_FGET(qctrl, aq_delay); 1212 1213 /* enforce sane values */ 1214 1215 if (qctrl_tmp.aq_hiwater <= qctrl_tmp.aq_lowater) 1216 return (EINVAL); 1217 1218 if (qctrl_tmp.aq_hiwater < AQ_LOWATER) 1219 return (EINVAL); 1220 1221 if (qctrl_tmp.aq_hiwater > AQ_MAXHIGH) 1222 return (EINVAL); 1223 1224 if (qctrl_tmp.aq_bufsz < AQ_BUFSZ) 1225 return (EINVAL); 1226 1227 if (qctrl_tmp.aq_bufsz > AQ_MAXBUFSZ) 1228 return (EINVAL); 1229 1230 if (qctrl_tmp.aq_delay == 0) 1231 return (EINVAL); 1232 1233 if (qctrl_tmp.aq_delay > AQ_MAXDELAY) 1234 return (EINVAL); 1235 1236 /* update everything at once so things are consistant */ 1237 mutex_enter(&(kctx->auk_queue.lock)); 1238 kctx->auk_queue.hiwater = qctrl_tmp.aq_hiwater; 1239 kctx->auk_queue.lowater = qctrl_tmp.aq_lowater; 1240 kctx->auk_queue.bufsz = qctrl_tmp.aq_bufsz; 1241 kctx->auk_queue.delay = qctrl_tmp.aq_delay; 1242 1243 if (kctx->auk_queue.rd_block && 1244 kctx->auk_queue.cnt > kctx->auk_queue.lowater) 1245 cv_broadcast(&(kctx->auk_queue.read_cv)); 1246 1247 if (kctx->auk_queue.wt_block && 1248 kctx->auk_queue.cnt < kctx->auk_queue.hiwater) 1249 cv_broadcast(&(kctx->auk_queue.write_cv)); 1250 1251 mutex_exit(&(kctx->auk_queue.lock)); 1252 1253 return (0); 1254 } 1255 1256 static int 1257 getcwd(caddr_t data, int length) 1258 { 1259 struct p_audit_data *pad; 1260 struct audit_path *app; 1261 int pathlen; 1262 1263 pad = P2A(curproc); 1264 ASSERT(pad != NULL); 1265 1266 mutex_enter(&(pad->pad_lock)); 1267 app = pad->pad_cwd; 1268 au_pathhold(app); 1269 mutex_exit(&(pad->pad_lock)); 1270 1271 pathlen = app->audp_sect[1] - app->audp_sect[0]; 1272 if (pathlen > length) { 1273 au_pathrele(app); 1274 return (E2BIG); 1275 } 1276 1277 if (copyout(app->audp_sect[0], data, pathlen)) { 1278 au_pathrele(app); 1279 return (EFAULT); 1280 } 1281 1282 au_pathrele(app); 1283 return (0); 1284 } 1285 1286 static int 1287 getcar(caddr_t data, int length) 1288 { 1289 struct p_audit_data *pad; 1290 struct audit_path *app; 1291 int pathlen; 1292 1293 pad = P2A(curproc); 1294 ASSERT(pad != NULL); 1295 1296 mutex_enter(&(pad->pad_lock)); 1297 app = pad->pad_root; 1298 au_pathhold(app); 1299 mutex_exit(&(pad->pad_lock)); 1300 1301 pathlen = app->audp_sect[1] - app->audp_sect[0]; 1302 if (pathlen > length) { 1303 au_pathrele(app); 1304 return (E2BIG); 1305 } 1306 1307 if (copyout(app->audp_sect[0], data, pathlen)) { 1308 au_pathrele(app); 1309 return (EFAULT); 1310 } 1311 1312 au_pathrele(app); 1313 return (0); 1314 } 1315 1316 static int 1317 getstat(caddr_t data) 1318 { 1319 au_kcontext_t *kctx = GET_KCTX_PZ; 1320 1321 membar_consumer(); 1322 1323 if (copyout((caddr_t)&(kctx->auk_statistics), data, sizeof (au_stat_t))) 1324 return (EFAULT); 1325 return (0); 1326 } 1327 1328 1329 static int 1330 setstat(caddr_t data) 1331 { 1332 au_kcontext_t *kctx = GET_KCTX_PZ; 1333 au_stat_t au_stat; 1334 1335 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1336 return (EINVAL); 1337 1338 if (copyin(data, &au_stat, sizeof (au_stat_t))) 1339 return (EFAULT); 1340 1341 if (au_stat.as_generated == CLEAR_VAL) 1342 kctx->auk_statistics.as_generated = 0; 1343 if (au_stat.as_nonattrib == CLEAR_VAL) 1344 kctx->auk_statistics.as_nonattrib = 0; 1345 if (au_stat.as_kernel == CLEAR_VAL) 1346 kctx->auk_statistics.as_kernel = 0; 1347 if (au_stat.as_audit == CLEAR_VAL) 1348 kctx->auk_statistics.as_audit = 0; 1349 if (au_stat.as_auditctl == CLEAR_VAL) 1350 kctx->auk_statistics.as_auditctl = 0; 1351 if (au_stat.as_enqueue == CLEAR_VAL) 1352 kctx->auk_statistics.as_enqueue = 0; 1353 if (au_stat.as_written == CLEAR_VAL) 1354 kctx->auk_statistics.as_written = 0; 1355 if (au_stat.as_wblocked == CLEAR_VAL) 1356 kctx->auk_statistics.as_wblocked = 0; 1357 if (au_stat.as_rblocked == CLEAR_VAL) 1358 kctx->auk_statistics.as_rblocked = 0; 1359 if (au_stat.as_dropped == CLEAR_VAL) 1360 kctx->auk_statistics.as_dropped = 0; 1361 if (au_stat.as_totalsize == CLEAR_VAL) 1362 kctx->auk_statistics.as_totalsize = 0; 1363 1364 membar_producer(); 1365 1366 return (0); 1367 1368 } 1369 1370 static int 1371 setumask(caddr_t data) 1372 { 1373 STRUCT_DECL(auditinfo, user_info); 1374 struct proc *p; 1375 const auditinfo_addr_t *ainfo; 1376 model_t model; 1377 1378 model = get_udatamodel(); 1379 STRUCT_INIT(user_info, model); 1380 1381 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info))) 1382 return (EFAULT); 1383 1384 mutex_enter(&pidlock); /* lock the process queue against updates */ 1385 for (p = practive; p != NULL; p = p->p_next) { 1386 cred_t *cr; 1387 1388 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1389 mutex_enter(&p->p_crlock); 1390 crhold(cr = p->p_cred); 1391 mutex_exit(&p->p_crlock); 1392 ainfo = crgetauinfo(cr); 1393 if (ainfo == NULL) { 1394 mutex_exit(&p->p_lock); 1395 crfree(cr); 1396 continue; 1397 } 1398 1399 if (ainfo->ai_auid == STRUCT_FGET(user_info, ai_auid)) { 1400 au_mask_t mask; 1401 int err; 1402 1403 /* 1404 * Here's a process which matches the specified auid. 1405 * If its mask doesn't already match the new mask, 1406 * save the new mask in the pad, to be picked up 1407 * next syscall. 1408 */ 1409 mask = STRUCT_FGET(user_info, ai_mask); 1410 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t)); 1411 crfree(cr); 1412 if (err != 0) { 1413 struct p_audit_data *pad = P2A(p); 1414 ASSERT(pad != NULL); 1415 1416 mutex_enter(&(pad->pad_lock)); 1417 pad->pad_flags |= PAD_SETMASK; 1418 pad->pad_newmask = mask; 1419 mutex_exit(&(pad->pad_lock)); 1420 1421 /* 1422 * No need to call set_proc_pre_sys(), since 1423 * t_pre_sys is ALWAYS on when audit is 1424 * enabled...due to syscall auditing. 1425 */ 1426 } 1427 } else { 1428 crfree(cr); 1429 } 1430 mutex_exit(&p->p_lock); 1431 } 1432 mutex_exit(&pidlock); 1433 1434 return (0); 1435 } 1436 1437 static int 1438 setsmask(caddr_t data) 1439 { 1440 STRUCT_DECL(auditinfo, user_info); 1441 struct proc *p; 1442 const auditinfo_addr_t *ainfo; 1443 model_t model; 1444 1445 model = get_udatamodel(); 1446 STRUCT_INIT(user_info, model); 1447 1448 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info))) 1449 return (EFAULT); 1450 1451 mutex_enter(&pidlock); /* lock the process queue against updates */ 1452 for (p = practive; p != NULL; p = p->p_next) { 1453 cred_t *cr; 1454 1455 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1456 mutex_enter(&p->p_crlock); 1457 crhold(cr = p->p_cred); 1458 mutex_exit(&p->p_crlock); 1459 ainfo = crgetauinfo(cr); 1460 if (ainfo == NULL) { 1461 mutex_exit(&p->p_lock); 1462 crfree(cr); 1463 continue; 1464 } 1465 1466 if (ainfo->ai_asid == STRUCT_FGET(user_info, ai_asid)) { 1467 au_mask_t mask; 1468 int err; 1469 1470 /* 1471 * Here's a process which matches the specified asid. 1472 * If its mask doesn't already match the new mask, 1473 * save the new mask in the pad, to be picked up 1474 * next syscall. 1475 */ 1476 mask = STRUCT_FGET(user_info, ai_mask); 1477 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t)); 1478 crfree(cr); 1479 if (err != 0) { 1480 struct p_audit_data *pad = P2A(p); 1481 ASSERT(pad != NULL); 1482 1483 mutex_enter(&(pad->pad_lock)); 1484 pad->pad_flags |= PAD_SETMASK; 1485 pad->pad_newmask = mask; 1486 mutex_exit(&(pad->pad_lock)); 1487 1488 /* 1489 * No need to call set_proc_pre_sys(), since 1490 * t_pre_sys is ALWAYS on when audit is 1491 * enabled...due to syscall auditing. 1492 */ 1493 } 1494 } else { 1495 crfree(cr); 1496 } 1497 mutex_exit(&p->p_lock); 1498 } 1499 mutex_exit(&pidlock); 1500 1501 return (0); 1502 } 1503 1504 /* 1505 * Get the current audit state of the system 1506 */ 1507 static int 1508 getcond(caddr_t data) 1509 { 1510 au_kcontext_t *kctx; 1511 1512 if (au_auditstate == AUC_DISABLED) 1513 if (copyout(&au_auditstate, data, sizeof (int))) 1514 return (EFAULT); 1515 1516 kctx = GET_KCTX_PZ; 1517 1518 if (copyout(&(kctx->auk_auditstate), data, sizeof (int))) 1519 return (EFAULT); 1520 1521 return (0); 1522 } 1523 1524 /* 1525 * Set the current audit state of the system to on (AUC_AUDITING) or 1526 * off (AUC_NOAUDIT). 1527 */ 1528 /* ARGSUSED */ 1529 static int 1530 setcond(caddr_t data) 1531 { 1532 int auditstate; 1533 au_kcontext_t *kctx; 1534 1535 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc))) 1536 return (EINVAL); 1537 1538 kctx = GET_KCTX_NGZ; 1539 1540 if (copyin(data, &auditstate, sizeof (int))) 1541 return (EFAULT); 1542 1543 switch (auditstate) { 1544 case AUC_AUDITING: /* Turn auditing on */ 1545 kctx->auk_auditstate = AUC_AUDITING; 1546 au_auditstate = AUC_ENABLED; 1547 break; 1548 1549 case AUC_NOAUDIT: /* Turn auditing off */ 1550 if (kctx->auk_auditstate == AUC_NOAUDIT) 1551 break; 1552 kctx->auk_auditstate = AUC_NOAUDIT; 1553 1554 /* clear out the audit queue */ 1555 1556 mutex_enter(&(kctx->auk_queue.lock)); 1557 if (kctx->auk_queue.wt_block) 1558 cv_broadcast(&(kctx->auk_queue.write_cv)); 1559 1560 /* unblock au_output_thread */ 1561 cv_broadcast(&(kctx->auk_queue.read_cv)); 1562 1563 mutex_exit(&(kctx->auk_queue.lock)); 1564 break; 1565 1566 default: 1567 return (EINVAL); 1568 } 1569 1570 return (0); 1571 } 1572 1573 static int 1574 getclass(caddr_t data) 1575 { 1576 au_evclass_map_t event; 1577 au_kcontext_t *kctx = GET_KCTX_PZ; 1578 1579 if (copyin(data, &event, sizeof (au_evclass_map_t))) 1580 return (EFAULT); 1581 1582 if (event.ec_number < 0 || event.ec_number > (au_naevent - 1)) 1583 return (EINVAL); 1584 1585 event.ec_class = kctx->auk_ets[event.ec_number]; 1586 1587 if (copyout(&event, data, sizeof (au_evclass_map_t))) 1588 return (EFAULT); 1589 1590 return (0); 1591 } 1592 1593 static int 1594 setclass(caddr_t data) 1595 { 1596 au_evclass_map_t event; 1597 au_kcontext_t *kctx; 1598 1599 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1600 return (EINVAL); 1601 1602 kctx = GET_KCTX_NGZ; 1603 1604 if (copyin(data, &event, sizeof (au_evclass_map_t))) 1605 return (EFAULT); 1606 1607 if (event.ec_number < 0 || event.ec_number > (au_naevent - 1)) 1608 return (EINVAL); 1609 1610 kctx->auk_ets[event.ec_number] = event.ec_class; 1611 1612 return (0); 1613 } 1614 1615 static int 1616 getpinfo(caddr_t data) 1617 { 1618 STRUCT_DECL(auditpinfo, apinfo); 1619 proc_t *proc; 1620 const auditinfo_addr_t *ainfo; 1621 model_t model; 1622 cred_t *cr, *newcred; 1623 1624 model = get_udatamodel(); 1625 STRUCT_INIT(apinfo, model); 1626 1627 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo))) 1628 return (EFAULT); 1629 1630 newcred = cralloc(); 1631 1632 mutex_enter(&pidlock); 1633 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) { 1634 mutex_exit(&pidlock); 1635 crfree(newcred); 1636 return (ESRCH); /* no such process */ 1637 } 1638 mutex_enter(&proc->p_lock); /* so process doesn't go away */ 1639 mutex_exit(&pidlock); 1640 1641 audit_update_context(proc, newcred); /* make sure it's up-to-date */ 1642 1643 mutex_enter(&proc->p_crlock); 1644 crhold(cr = proc->p_cred); 1645 mutex_exit(&proc->p_crlock); 1646 mutex_exit(&proc->p_lock); 1647 1648 ainfo = crgetauinfo(cr); 1649 if (ainfo == NULL) { 1650 crfree(cr); 1651 return (EINVAL); 1652 } 1653 1654 /* designated process has an ipv6 address? */ 1655 if (ainfo->ai_termid.at_type == AU_IPv6) { 1656 crfree(cr); 1657 return (EOVERFLOW); 1658 } 1659 1660 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid); 1661 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid); 1662 #ifdef _LP64 1663 if (model == DATAMODEL_ILP32) { 1664 dev32_t dev; 1665 /* convert internal 64 bit form to 32 bit version */ 1666 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 1667 crfree(cr); 1668 return (EOVERFLOW); 1669 } 1670 STRUCT_FSET(apinfo, ap_termid.port, dev); 1671 } else 1672 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port); 1673 #else 1674 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port); 1675 #endif 1676 STRUCT_FSET(apinfo, ap_termid.machine, ainfo->ai_termid.at_addr[0]); 1677 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask); 1678 1679 crfree(cr); 1680 1681 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo))) 1682 return (EFAULT); 1683 1684 return (0); 1685 } 1686 1687 static int 1688 getpinfo_addr(caddr_t data, int len) 1689 { 1690 STRUCT_DECL(auditpinfo_addr, apinfo); 1691 proc_t *proc; 1692 const auditinfo_addr_t *ainfo; 1693 model_t model; 1694 cred_t *cr, *newcred; 1695 1696 model = get_udatamodel(); 1697 STRUCT_INIT(apinfo, model); 1698 1699 if (len < STRUCT_SIZE(apinfo)) 1700 return (EOVERFLOW); 1701 1702 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo))) 1703 return (EFAULT); 1704 1705 newcred = cralloc(); 1706 1707 mutex_enter(&pidlock); 1708 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) { 1709 mutex_exit(&pidlock); 1710 crfree(newcred); 1711 return (ESRCH); 1712 } 1713 mutex_enter(&proc->p_lock); /* so process doesn't go away */ 1714 mutex_exit(&pidlock); 1715 1716 audit_update_context(proc, newcred); /* make sure it's up-to-date */ 1717 1718 mutex_enter(&proc->p_crlock); 1719 crhold(cr = proc->p_cred); 1720 mutex_exit(&proc->p_crlock); 1721 mutex_exit(&proc->p_lock); 1722 1723 ainfo = crgetauinfo(cr); 1724 if (ainfo == NULL) { 1725 crfree(cr); 1726 return (EINVAL); 1727 } 1728 1729 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid); 1730 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid); 1731 #ifdef _LP64 1732 if (model == DATAMODEL_ILP32) { 1733 dev32_t dev; 1734 /* convert internal 64 bit form to 32 bit version */ 1735 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 1736 crfree(cr); 1737 return (EOVERFLOW); 1738 } 1739 STRUCT_FSET(apinfo, ap_termid.at_port, dev); 1740 } else 1741 STRUCT_FSET(apinfo, ap_termid.at_port, 1742 ainfo->ai_termid.at_port); 1743 #else 1744 STRUCT_FSET(apinfo, ap_termid.at_port, ainfo->ai_termid.at_port); 1745 #endif 1746 STRUCT_FSET(apinfo, ap_termid.at_type, ainfo->ai_termid.at_type); 1747 STRUCT_FSET(apinfo, ap_termid.at_addr[0], ainfo->ai_termid.at_addr[0]); 1748 STRUCT_FSET(apinfo, ap_termid.at_addr[1], ainfo->ai_termid.at_addr[1]); 1749 STRUCT_FSET(apinfo, ap_termid.at_addr[2], ainfo->ai_termid.at_addr[2]); 1750 STRUCT_FSET(apinfo, ap_termid.at_addr[3], ainfo->ai_termid.at_addr[3]); 1751 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask); 1752 1753 crfree(cr); 1754 1755 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo))) 1756 return (EFAULT); 1757 1758 return (0); 1759 } 1760 1761 static int 1762 setpmask(caddr_t data) 1763 { 1764 STRUCT_DECL(auditpinfo, apinfo); 1765 proc_t *proc; 1766 cred_t *newcred; 1767 auditinfo_addr_t *ainfo; 1768 struct p_audit_data *pad; 1769 1770 model_t model; 1771 1772 model = get_udatamodel(); 1773 STRUCT_INIT(apinfo, model); 1774 1775 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo))) 1776 return (EFAULT); 1777 1778 mutex_enter(&pidlock); 1779 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) { 1780 mutex_exit(&pidlock); 1781 return (ESRCH); 1782 } 1783 mutex_enter(&proc->p_lock); /* so process doesn't go away */ 1784 mutex_exit(&pidlock); 1785 1786 newcred = cralloc(); 1787 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) { 1788 mutex_exit(&proc->p_lock); 1789 crfree(newcred); 1790 return (EINVAL); 1791 } 1792 1793 mutex_enter(&proc->p_crlock); 1794 crcopy_to(proc->p_cred, newcred); 1795 proc->p_cred = newcred; 1796 1797 ainfo->ai_mask = STRUCT_FGET(apinfo, ap_mask); 1798 1799 /* 1800 * Unlock. No need to broadcast changes via set_proc_pre_sys(), 1801 * since t_pre_sys is ALWAYS on when audit is enabled... due to 1802 * syscall auditing. 1803 */ 1804 crfree(newcred); 1805 mutex_exit(&proc->p_crlock); 1806 1807 /* Reset flag for any previous pending mask change; this supercedes */ 1808 pad = P2A(proc); 1809 ASSERT(pad != NULL); 1810 mutex_enter(&(pad->pad_lock)); 1811 pad->pad_flags &= ~PAD_SETMASK; 1812 mutex_exit(&(pad->pad_lock)); 1813 1814 mutex_exit(&proc->p_lock); 1815 1816 return (0); 1817 } 1818 1819 static int 1820 getfsize(caddr_t data) 1821 { 1822 au_fstat_t fstat; 1823 au_kcontext_t *kctx = GET_KCTX_PZ; 1824 1825 mutex_enter(&(kctx->auk_fstat_lock)); 1826 fstat.af_filesz = kctx->auk_file_stat.af_filesz; 1827 fstat.af_currsz = kctx->auk_file_stat.af_currsz; 1828 mutex_exit(&(kctx->auk_fstat_lock)); 1829 1830 if (copyout(&fstat, data, sizeof (au_fstat_t))) 1831 return (EFAULT); 1832 1833 return (0); 1834 } 1835 1836 static int 1837 setfsize(caddr_t data) 1838 { 1839 au_fstat_t fstat; 1840 au_kcontext_t *kctx; 1841 1842 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1843 return (EINVAL); 1844 1845 kctx = GET_KCTX_NGZ; 1846 1847 if (copyin(data, &fstat, sizeof (au_fstat_t))) 1848 return (EFAULT); 1849 1850 if ((fstat.af_filesz != 0) && (fstat.af_filesz < AU_MIN_FILE_SZ)) 1851 return (EINVAL); 1852 1853 mutex_enter(&(kctx->auk_fstat_lock)); 1854 kctx->auk_file_stat.af_filesz = fstat.af_filesz; 1855 mutex_exit(&(kctx->auk_fstat_lock)); 1856 1857 return (0); 1858 } 1859 /* 1860 * The out of control system call 1861 * This is audit kitchen sink aka auditadm, aka auditon 1862 */ 1863 static int 1864 auditctl( 1865 int cmd, 1866 caddr_t data, 1867 int length) 1868 { 1869 int result; 1870 1871 if (!audit_active) 1872 return (EINVAL); 1873 1874 switch (cmd) { 1875 case A_GETCOND: 1876 case A_GETCAR: 1877 case A_GETCLASS: 1878 case A_GETCWD: 1879 case A_GETFSIZE: 1880 case A_GETKAUDIT: 1881 case A_GETKMASK: 1882 case A_GETPINFO: 1883 case A_GETPINFO_ADDR: 1884 case A_GETPOLICY: 1885 case A_GETQCTRL: 1886 case A_GETSTAT: 1887 if (secpolicy_audit_getattr(CRED()) != 0) 1888 return (EPERM); 1889 break; 1890 default: 1891 if (secpolicy_audit_config(CRED()) != 0) 1892 return (EPERM); 1893 break; 1894 } 1895 1896 switch (cmd) { 1897 case A_GETPOLICY: 1898 result = getpolicy(data); 1899 break; 1900 case A_SETPOLICY: 1901 result = setpolicy(data); 1902 break; 1903 case A_GETKMASK: 1904 result = getkmask(data); 1905 break; 1906 case A_SETKMASK: 1907 result = setkmask(data); 1908 break; 1909 case A_GETKAUDIT: 1910 result = getkaudit(data, length); 1911 break; 1912 case A_SETKAUDIT: 1913 result = setkaudit(data, length); 1914 break; 1915 case A_GETQCTRL: 1916 result = getqctrl(data); 1917 break; 1918 case A_SETQCTRL: 1919 result = setqctrl(data); 1920 break; 1921 case A_GETCWD: 1922 result = getcwd(data, length); 1923 break; 1924 case A_GETCAR: 1925 result = getcar(data, length); 1926 break; 1927 case A_GETSTAT: 1928 result = getstat(data); 1929 break; 1930 case A_SETSTAT: 1931 result = setstat(data); 1932 break; 1933 case A_SETUMASK: 1934 result = setumask(data); 1935 break; 1936 case A_SETSMASK: 1937 result = setsmask(data); 1938 break; 1939 case A_GETCOND: 1940 result = getcond(data); 1941 break; 1942 case A_SETCOND: 1943 result = setcond(data); 1944 break; 1945 case A_GETCLASS: 1946 result = getclass(data); 1947 break; 1948 case A_SETCLASS: 1949 result = setclass(data); 1950 break; 1951 case A_GETPINFO: 1952 result = getpinfo(data); 1953 break; 1954 case A_GETPINFO_ADDR: 1955 result = getpinfo_addr(data, length); 1956 break; 1957 case A_SETPMASK: 1958 result = setpmask(data); 1959 break; 1960 case A_SETFSIZE: 1961 result = setfsize(data); 1962 break; 1963 case A_GETFSIZE: 1964 result = getfsize(data); 1965 break; 1966 default: 1967 result = EINVAL; 1968 break; 1969 } 1970 return (result); 1971 } 1972 1973 /* 1974 * auditsvc was EOL'd effective Sol 10 1975 */ 1976 static int 1977 auditsvc(int fd, int limit) 1978 { 1979 struct file *fp; 1980 struct vnode *vp; 1981 int error = 0; 1982 au_kcontext_t *kctx; 1983 1984 if (secpolicy_audit_config(CRED()) != 0) 1985 return (EPERM); 1986 1987 if (!INGLOBALZONE(curproc)) 1988 return (EINVAL); 1989 1990 kctx = GET_KCTX_GZ; 1991 1992 if (limit < 0 || 1993 (!(kctx->auk_auditstate == AUC_AUDITING || 1994 kctx->auk_auditstate == AUC_NOSPACE))) 1995 return (EINVAL); 1996 1997 /* 1998 * Prevent a second audit daemon from running this code 1999 */ 2000 mutex_enter(&(kctx->auk_svc_lock)); 2001 if (kctx->auk_svc_busy) { 2002 mutex_exit(&(kctx->auk_svc_lock)); 2003 return (EBUSY); 2004 } 2005 kctx->auk_svc_busy = 1; 2006 mutex_exit(&(kctx->auk_svc_lock)); 2007 2008 /* 2009 * convert file pointer to file descriptor 2010 * Note: fd ref count incremented here. 2011 */ 2012 if ((fp = (struct file *)getf(fd)) == NULL) { 2013 mutex_enter(&(kctx->auk_svc_lock)); 2014 kctx->auk_svc_busy = 0; 2015 mutex_exit(&(kctx->auk_svc_lock)); 2016 return (EBADF); 2017 } 2018 2019 vp = fp->f_vnode; 2020 2021 kctx->auk_file_stat.af_currsz = 0; 2022 2023 /* 2024 * Wait for work, until a signal arrives, 2025 * or until auditing is disabled. 2026 */ 2027 while (!error) { 2028 if (kctx->auk_auditstate == AUC_AUDITING) { 2029 mutex_enter(&(kctx->auk_queue.lock)); 2030 /* nothing on the audit queue */ 2031 while (kctx->auk_queue.head == NULL) { 2032 /* safety check. kick writer awake */ 2033 if (kctx->auk_queue.wt_block) 2034 cv_broadcast(&(kctx->auk_queue.write_cv)); 2035 /* sleep waiting for things to to */ 2036 kctx->auk_queue.rd_block = 1; 2037 AS_INC(as_rblocked, 1, kctx); 2038 if (!cv_wait_sig(&(kctx->auk_queue.read_cv), 2039 &(kctx->auk_queue.lock))) { 2040 /* interrupted system call */ 2041 kctx->auk_queue.rd_block = 0; 2042 mutex_exit(&(kctx->auk_queue.lock)); 2043 error = ((kctx->auk_auditstate == AUC_AUDITING) || 2044 (kctx->auk_auditstate == AUC_NOSPACE)) ? 2045 EINTR : EINVAL; 2046 mutex_enter(&(kctx->auk_svc_lock)); 2047 kctx->auk_svc_busy = 0; 2048 mutex_exit(&(kctx->auk_svc_lock)); 2049 2050 /* decrement file descriptor reference count */ 2051 releasef(fd); 2052 (void) timeout(audit_dont_stop, kctx, au_resid); 2053 return (error); 2054 } 2055 kctx->auk_queue.rd_block = 0; 2056 } 2057 mutex_exit(&(kctx->auk_queue.lock)); 2058 2059 /* do as much as we can */ 2060 error = au_doio(vp, limit); 2061 2062 /* if we ran out of space, be sure to fire off timeout */ 2063 if (error == ENOSPC) 2064 (void) timeout(audit_dont_stop, kctx, au_resid); 2065 2066 } else /* auditing turned off while we slept */ 2067 break; 2068 } 2069 2070 /* 2071 * decrement file descriptor reference count 2072 */ 2073 releasef(fd); 2074 2075 /* 2076 * If auditing has been disabled quit processing 2077 */ 2078 if (!(kctx->auk_auditstate == AUC_AUDITING || 2079 kctx->auk_auditstate == AUC_NOSPACE)) 2080 error = EINVAL; 2081 2082 mutex_enter(&(kctx->auk_svc_lock)); 2083 kctx->auk_svc_busy = 0; 2084 mutex_exit(&(kctx->auk_svc_lock)); 2085 2086 return (error); 2087 } 2088 2089 static int 2090 audit_modsysent(char *modname, int flags, int (*func)()) 2091 { 2092 struct sysent *sysp; 2093 int sysnum; 2094 krwlock_t *kl; 2095 2096 if ((sysnum = mod_getsysnum(modname)) == -1) { 2097 cmn_err(CE_WARN, "system call missing from bind file"); 2098 return (-1); 2099 } 2100 2101 kl = (krwlock_t *)kobj_zalloc(sizeof (krwlock_t), KM_SLEEP); 2102 2103 sysp = &sysent[sysnum]; 2104 sysp->sy_narg = auditsysent.sy_narg; 2105 #ifdef _LP64 2106 sysp->sy_flags = (unsigned short)flags; 2107 #else 2108 sysp->sy_flags = (unsigned char)flags; 2109 #endif 2110 sysp->sy_call = func; 2111 sysp->sy_lock = kl; 2112 2113 #ifdef _SYSCALL32_IMPL 2114 sysp = &sysent32[sysnum]; 2115 sysp->sy_narg = auditsysent.sy_narg; 2116 sysp->sy_flags = (unsigned short)flags; 2117 sysp->sy_call = func; 2118 sysp->sy_lock = kl; 2119 #endif 2120 2121 rw_init(sysp->sy_lock, NULL, RW_DEFAULT, NULL); 2122 2123 return (0); 2124 } 2125