1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit hook support code for auditing. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/proc.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/file.h> 34 #include <sys/user.h> 35 #include <sys/stropts.h> 36 #include <sys/systm.h> 37 #include <sys/pathname.h> 38 #include <sys/syscall.h> 39 #include <sys/fcntl.h> 40 #include <sys/ipc_impl.h> 41 #include <sys/msg_impl.h> 42 #include <sys/sem_impl.h> 43 #include <sys/shm_impl.h> 44 #include <sys/kmem.h> /* for KM_SLEEP */ 45 #include <sys/socket.h> 46 #include <sys/cmn_err.h> /* snprintf... */ 47 #include <sys/debug.h> 48 #include <sys/thread.h> 49 #include <netinet/in.h> 50 #include <c2/audit.h> /* needs to be included before user.h */ 51 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 52 #include <c2/audit_kevents.h> 53 #include <c2/audit_record.h> 54 #include <sys/strsubr.h> 55 #include <sys/tihdr.h> 56 #include <sys/tiuser.h> 57 #include <sys/timod.h> 58 #include <sys/model.h> /* for model_t */ 59 #include <sys/disp.h> /* for servicing_interrupt() */ 60 #include <sys/devpolicy.h> 61 #include <sys/crypto/ioctladmin.h> 62 #include <sys/cred_impl.h> 63 #include <inet/kssl/kssl.h> 64 #include <net/pfpolicy.h> 65 66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 67 68 static void audit_pathbuild(struct pathname *pnp); 69 70 71 /* 72 * ROUTINE: AUDIT_SAVEPATH 73 * PURPOSE: 74 * CALLBY: LOOKUPPN 75 * 76 * NOTE: We have reached the end of a path in fs/lookup.c. 77 * We get two pieces of information here: 78 * the vnode of the last component (vp) and 79 * the status of the last access (flag). 80 * TODO: 81 * QUESTION: 82 */ 83 84 /*ARGSUSED*/ 85 int 86 audit_savepath( 87 struct pathname *pnp, /* pathname to lookup */ 88 struct vnode *vp, /* vnode of the last component */ 89 struct vnode *pvp, /* vnode of the last parent component */ 90 int flag, /* status of the last access */ 91 cred_t *cr) /* cred of requestor */ 92 { 93 94 t_audit_data_t *tad; /* current thread */ 95 au_kcontext_t *kctx = GET_KCTX_PZ; 96 97 tad = U2A(u); 98 99 /* 100 * Noise elimination in audit trails - this event will be discarded if: 101 * - the public policy is not active AND 102 * - the system call is a public operation AND 103 * - the file was not found: VFS lookup failed with ENOENT error AND 104 * - the missing file would have been located in the public directory 105 * owned by root if it had existed 106 */ 107 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && 108 (tad->tad_ctrl & TAD_PUBLIC_EV) && 109 !(kctx->auk_policy & AUDIT_PUBLIC)) { 110 struct vattr attr; 111 112 attr.va_mask = AT_ALL; 113 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { 114 if (object_is_public(&attr)) { 115 tad->tad_ctrl |= TAD_NOAUDIT; 116 } 117 } 118 } 119 120 /* 121 * this event being audited or do we need path information 122 * later? This might be for a chdir/chroot or open (add path 123 * to file pointer. If the path has already been found for an 124 * open/creat then we don't need to process the path. 125 * 126 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 127 * chroot, chdir, open, creat system call processing. It determines 128 * if audit_savepath() will discard the path or we need it later. 129 * TAD_PATHFND means path already included in this audit record. It 130 * is used in cases where multiple path lookups are done per 131 * system call. The policy flag, AUDIT_PATH, controls if multiple 132 * paths are allowed. 133 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 134 * exit processing to inhibit any paths that may be added due to 135 * closes. 136 */ 137 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 138 ((tad->tad_ctrl & TAD_PATHFND) && 139 !(kctx->auk_policy & AUDIT_PATH)) || 140 (tad->tad_ctrl & TAD_NOPATH)) { 141 return (0); 142 } 143 144 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ 145 146 audit_pathbuild(pnp); 147 148 /* 149 * are we auditing only if error, or if it is not open or create 150 * otherwise audit_setf will do it 151 */ 152 153 if (tad->tad_flag) { 154 if (flag && 155 (tad->tad_scid == SYS_open || 156 tad->tad_scid == SYS_open64 || 157 tad->tad_scid == SYS_openat || 158 tad->tad_scid == SYS_openat64)) { 159 tad->tad_ctrl |= TAD_TRUE_CREATE; 160 } 161 162 /* add token to audit record for this name */ 163 au_uwrite(au_to_path(tad->tad_aupath)); 164 165 /* add the attributes of the object */ 166 if (vp) { 167 /* 168 * only capture attributes when there is no error 169 * lookup will not return the vnode of the failing 170 * component. 171 * 172 * if there was a lookup error, then don't add 173 * attribute. if lookup in vn_create(), 174 * then don't add attribute, 175 * it will be added at end of vn_create(). 176 */ 177 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) 178 audit_attributes(vp); 179 } 180 } 181 182 /* free up space if we're not going to save path (open, creat) */ 183 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { 184 if (tad->tad_aupath != NULL) { 185 au_pathrele(tad->tad_aupath); 186 tad->tad_aupath = NULL; 187 } 188 } 189 if (tad->tad_ctrl & TAD_MLD) 190 tad->tad_ctrl |= TAD_PATHFND; 191 192 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ 193 return (0); 194 } 195 196 static void 197 audit_pathbuild(struct pathname *pnp) 198 { 199 char *pp; /* pointer to path */ 200 int len; /* length of incoming segment */ 201 int newsect; /* path requires a new section */ 202 struct audit_path *pfxapp; /* prefix for path */ 203 struct audit_path *newapp; /* new audit_path */ 204 t_audit_data_t *tad; /* current thread */ 205 p_audit_data_t *pad; /* current process */ 206 207 tad = U2A(u); 208 ASSERT(tad != NULL); 209 pad = P2A(curproc); 210 ASSERT(pad != NULL); 211 212 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 213 ASSERT(len > 0); 214 215 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 216 mutex_enter(&pad->pad_lock); 217 if (tad->tad_aupath != NULL) { 218 pfxapp = tad->tad_aupath; 219 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { 220 ASSERT(tad->tad_atpath != NULL); 221 pfxapp = tad->tad_atpath; 222 } else if (tad->tad_ctrl & TAD_ABSPATH) { 223 pfxapp = pad->pad_root; 224 } else { 225 pfxapp = pad->pad_cwd; 226 } 227 au_pathhold(pfxapp); 228 mutex_exit(&pad->pad_lock); 229 230 /* get an expanded buffer to hold the anchored path */ 231 newsect = tad->tad_ctrl & TAD_ATTPATH; 232 newapp = au_pathdup(pfxapp, newsect, len); 233 au_pathrele(pfxapp); 234 235 pp = newapp->audp_sect[newapp->audp_cnt] - len; 236 if (!newsect) { 237 /* overlay previous NUL terminator */ 238 *(pp - 1) = '/'; 239 } 240 241 /* now add string of processed path */ 242 bcopy(pnp->pn_buf, pp, len); 243 pp[len - 1] = '\0'; 244 245 /* perform path simplification as necessary */ 246 audit_fixpath(newapp, len); 247 248 if (tad->tad_aupath) 249 au_pathrele(tad->tad_aupath); 250 tad->tad_aupath = newapp; 251 252 /* for case where multiple lookups in one syscall (rename) */ 253 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); 254 } 255 256 257 /* 258 * ROUTINE: AUDIT_ANCHORPATH 259 * PURPOSE: 260 * CALLBY: LOOKUPPN 261 * NOTE: 262 * anchor path at "/". We have seen a symbolic link or entering for the 263 * first time we will throw away any saved path if path is anchored. 264 * 265 * flag = 0, path is relative. 266 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. 267 * 268 * If the (new) path is absolute, then we have to throw away whatever we have 269 * already accumulated since it is being superseded by new path which is 270 * anchored at the root. 271 * Note that if the path is relative, this function does nothing 272 * TODO: 273 * QUESTION: 274 */ 275 /*ARGSUSED*/ 276 void 277 audit_anchorpath(struct pathname *pnp, int flag) 278 { 279 au_kcontext_t *kctx = GET_KCTX_PZ; 280 t_audit_data_t *tad; 281 282 tad = U2A(u); 283 284 /* 285 * this event being audited or do we need path information 286 * later? This might be for a chdir/chroot or open (add path 287 * to file pointer. If the path has already been found for an 288 * open/creat then we don't need to process the path. 289 * 290 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 291 * chroot, chdir, open, creat system call processing. It determines 292 * if audit_savepath() will discard the path or we need it later. 293 * TAD_PATHFND means path already included in this audit record. It 294 * is used in cases where multiple path lookups are done per 295 * system call. The policy flag, AUDIT_PATH, controls if multiple 296 * paths are allowed. 297 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 298 * exit processing to inhibit any paths that may be added due to 299 * closes. 300 */ 301 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 302 ((tad->tad_ctrl & TAD_PATHFND) && 303 !(kctx->auk_policy & AUDIT_PATH)) || 304 (tad->tad_ctrl & TAD_NOPATH)) { 305 return; 306 } 307 308 if (flag) { 309 tad->tad_ctrl |= TAD_ABSPATH; 310 if (tad->tad_aupath != NULL) { 311 au_pathrele(tad->tad_aupath); 312 tad->tad_aupath = NULL; 313 } 314 } 315 } 316 317 318 /* 319 * symbolic link. Save previous components. 320 * 321 * the path seen so far looks like this 322 * 323 * +-----------------------+----------------+ 324 * | path processed so far | remaining path | 325 * +-----------------------+----------------+ 326 * \-----------------------/ 327 * save this string if 328 * symbolic link relative 329 * (but don't include symlink component) 330 */ 331 332 /*ARGSUSED*/ 333 334 335 /* 336 * ROUTINE: AUDIT_SYMLINK 337 * PURPOSE: 338 * CALLBY: LOOKUPPN 339 * NOTE: 340 * TODO: 341 * QUESTION: 342 */ 343 void 344 audit_symlink(struct pathname *pnp, struct pathname *sympath) 345 { 346 char *sp; /* saved initial pp */ 347 char *cp; /* start of symlink path */ 348 uint_t len_path; /* processed path before symlink */ 349 t_audit_data_t *tad; 350 au_kcontext_t *kctx = GET_KCTX_PZ; 351 352 tad = U2A(u); 353 354 /* 355 * this event being audited or do we need path information 356 * later? This might be for a chdir/chroot or open (add path 357 * to file pointer. If the path has already been found for an 358 * open/creat then we don't need to process the path. 359 * 360 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 361 * chroot, chdir, open, creat system call processing. It determines 362 * if audit_savepath() will discard the path or we need it later. 363 * TAD_PATHFND means path already included in this audit record. It 364 * is used in cases where multiple path lookups are done per 365 * system call. The policy flag, AUDIT_PATH, controls if multiple 366 * paths are allowed. 367 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 368 * exit processing to inhibit any paths that may be added due to 369 * closes. 370 */ 371 if ((tad->tad_flag == 0 && 372 !(tad->tad_ctrl & TAD_SAVPATH)) || 373 ((tad->tad_ctrl & TAD_PATHFND) && 374 !(kctx->auk_policy & AUDIT_PATH)) || 375 (tad->tad_ctrl & TAD_NOPATH)) { 376 return; 377 } 378 379 /* 380 * if symbolic link is anchored at / then do nothing. 381 * When we cycle back to begin: in lookuppn() we will 382 * call audit_anchorpath() with a flag indicating if the 383 * path is anchored at / or is relative. We will release 384 * any saved path at that point. 385 * 386 * Note In the event that an error occurs in pn_combine then 387 * we want to remain pointing at the component that caused the 388 * path to overflow the pnp structure. 389 */ 390 if (sympath->pn_buf[0] == '/') 391 return; 392 393 /* backup over last component */ 394 sp = cp = pnp->pn_path; 395 while (*--cp != '/' && cp > pnp->pn_buf) 396 ; 397 398 len_path = cp - pnp->pn_buf; 399 400 /* is there anything to save? */ 401 if (len_path) { 402 pnp->pn_path = pnp->pn_buf; 403 audit_pathbuild(pnp); 404 pnp->pn_path = sp; 405 } 406 } 407 408 /* 409 * object_is_public : determine whether events for the object (corresponding to 410 * the specified file/directory attr) should be audited or 411 * ignored. 412 * 413 * returns: 1 - if audit policy and object attributes indicate that 414 * file/directory is effectively public. read events for 415 * the file should not be audited. 416 * 0 - otherwise 417 * 418 * The required attributes to be considered a public object are: 419 * - owned by root, AND 420 * - world-readable (permissions for other include read), AND 421 * - NOT world-writeable (permissions for other don't 422 * include write) 423 * (mode doesn't need to be checked for symlinks) 424 */ 425 int 426 object_is_public(struct vattr *attr) 427 { 428 au_kcontext_t *kctx = GET_KCTX_PZ; 429 430 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 431 ((attr->va_type == VLNK) || 432 ((attr->va_mode & (VREAD>>6)) != 0) && 433 ((attr->va_mode & (VWRITE>>6)) == 0))) { 434 return (1); 435 } 436 return (0); 437 } 438 439 440 /* 441 * ROUTINE: AUDIT_ATTRIBUTES 442 * PURPOSE: Audit the attributes so we can tell why the error occurred 443 * CALLBY: AUDIT_SAVEPATH 444 * AUDIT_VNCREATE_FINISH 445 * AUS_FCHOWN...audit_event.c...audit_path.c 446 * NOTE: 447 * TODO: 448 * QUESTION: 449 */ 450 void 451 audit_attributes(struct vnode *vp) 452 { 453 struct vattr attr; 454 struct t_audit_data *tad; 455 456 tad = U2A(u); 457 458 if (vp) { 459 attr.va_mask = AT_ALL; 460 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 461 return; 462 463 if (object_is_public(&attr) && 464 (tad->tad_ctrl & TAD_PUBLIC_EV)) { 465 /* 466 * This is a public object and a "public" event 467 * (i.e., read only) -- either by definition 468 * (e.g., stat, access...) or by virtue of write access 469 * not being requested (e.g. mmap). 470 * Flag it in the tad to prevent this audit at the end. 471 */ 472 tad->tad_ctrl |= TAD_NOAUDIT; 473 } else { 474 au_uwrite(au_to_attr(&attr)); 475 audit_sec_attributes(&(u_ad), vp); 476 } 477 } 478 } 479 480 481 /* 482 * ROUTINE: AUDIT_EXIT 483 * PURPOSE: 484 * CALLBY: EXIT 485 * NOTE: 486 * TODO: 487 * QUESTION: why cmw code as offset by 2 but not here 488 */ 489 /* ARGSUSED */ 490 void 491 audit_exit(int code, int what) 492 { 493 struct t_audit_data *tad; 494 tad = U2A(u); 495 496 /* 497 * tad_scid will be set by audit_start even if we are not auditing 498 * the event. 499 */ 500 if (tad->tad_scid == SYS_exit) { 501 /* 502 * if we are auditing the exit system call, then complete 503 * audit record generation (no return from system call). 504 */ 505 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 506 audit_finish(0, SYS_exit, 0, 0); 507 return; 508 } 509 510 /* 511 * Anyone auditing the system call that was aborted? 512 */ 513 if (tad->tad_flag) { 514 au_uwrite(au_to_text("event aborted")); 515 audit_finish(0, tad->tad_scid, 0, 0); 516 } 517 518 /* 519 * Generate an audit record for process exit if preselected. 520 */ 521 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 522 audit_finish(0, SYS_exit, 0, 0); 523 } 524 525 /* 526 * ROUTINE: AUDIT_CORE_START 527 * PURPOSE: 528 * CALLBY: PSIG 529 * NOTE: 530 * TODO: 531 */ 532 void 533 audit_core_start(int sig) 534 { 535 au_event_t event; 536 au_state_t estate; 537 t_audit_data_t *tad; 538 au_kcontext_t *kctx; 539 540 tad = U2A(u); 541 542 ASSERT(tad != (t_audit_data_t *)0); 543 544 ASSERT(tad->tad_scid == 0); 545 ASSERT(tad->tad_event == 0); 546 ASSERT(tad->tad_evmod == 0); 547 ASSERT(tad->tad_ctrl == 0); 548 ASSERT(tad->tad_flag == 0); 549 ASSERT(tad->tad_aupath == NULL); 550 551 kctx = GET_KCTX_PZ; 552 553 /* get basic event for system call */ 554 event = AUE_CORE; 555 estate = kctx->auk_ets[event]; 556 557 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 558 return; 559 560 /* reset the flags for non-user attributable events */ 561 tad->tad_ctrl = TAD_CORE; 562 tad->tad_scid = 0; 563 564 /* if auditing not enabled, then don't generate an audit record */ 565 566 if (!((kctx->auk_auditstate == AUC_AUDITING || 567 kctx->auk_auditstate == AUC_INIT_AUDIT) || 568 kctx->auk_auditstate == AUC_NOSPACE)) { 569 tad->tad_flag = 0; 570 tad->tad_ctrl = 0; 571 return; 572 } 573 574 tad->tad_event = event; 575 tad->tad_evmod = 0; 576 577 ASSERT(tad->tad_ad == NULL); 578 579 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 580 } 581 582 /* 583 * ROUTINE: AUDIT_CORE_FINISH 584 * PURPOSE: 585 * CALLBY: PSIG 586 * NOTE: 587 * TODO: 588 * QUESTION: 589 */ 590 591 /*ARGSUSED*/ 592 void 593 audit_core_finish(int code) 594 { 595 int flag; 596 t_audit_data_t *tad; 597 au_kcontext_t *kctx; 598 599 tad = U2A(u); 600 601 ASSERT(tad != (t_audit_data_t *)0); 602 603 if ((flag = tad->tad_flag) == 0) { 604 tad->tad_event = 0; 605 tad->tad_evmod = 0; 606 tad->tad_ctrl = 0; 607 ASSERT(tad->tad_aupath == NULL); 608 return; 609 } 610 tad->tad_flag = 0; 611 612 kctx = GET_KCTX_PZ; 613 614 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 615 if (flag = audit_success(kctx, tad, 0, NULL)) { 616 cred_t *cr = CRED(); 617 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 618 619 ASSERT(ainfo != NULL); 620 621 /* 622 * Add subject information (no locks since our private copy of 623 * credential 624 */ 625 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 626 627 /* Add a return token (should use f argument) */ 628 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 629 630 AS_INC(as_generated, 1, kctx); 631 AS_INC(as_kernel, 1, kctx); 632 } 633 634 /* Close up everything */ 635 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 636 637 /* free up any space remaining with the path's */ 638 if (tad->tad_aupath != NULL) { 639 au_pathrele(tad->tad_aupath); 640 tad->tad_aupath = NULL; 641 } 642 tad->tad_event = 0; 643 tad->tad_evmod = 0; 644 tad->tad_ctrl = 0; 645 } 646 647 648 /*ARGSUSED*/ 649 void 650 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 651 unsigned char *pri, int *flag, int fmode) 652 { 653 struct stdata *stp; 654 t_audit_data_t *tad = U2A(u); 655 656 ASSERT(tad != (t_audit_data_t *)0); 657 658 stp = vp->v_stream; 659 660 /* lock stdata from audit_sock */ 661 mutex_enter(&stp->sd_lock); 662 663 /* proceed ONLY if user is being audited */ 664 if (!tad->tad_flag) { 665 /* 666 * this is so we will not add audit data onto 667 * a thread that is not being audited. 668 */ 669 stp->sd_t_audit_data = NULL; 670 mutex_exit(&stp->sd_lock); 671 return; 672 } 673 674 stp->sd_t_audit_data = (caddr_t)curthread; 675 mutex_exit(&stp->sd_lock); 676 } 677 678 /*ARGSUSED*/ 679 void 680 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 681 unsigned char pri, int flag, int fmode) 682 { 683 struct stdata *stp; 684 t_audit_data_t *tad = U2A(u); 685 686 ASSERT(tad != (t_audit_data_t *)0); 687 688 stp = vp->v_stream; 689 690 /* lock stdata from audit_sock */ 691 mutex_enter(&stp->sd_lock); 692 693 /* proceed ONLY if user is being audited */ 694 if (!tad->tad_flag) { 695 /* 696 * this is so we will not add audit data onto 697 * a thread that is not being audited. 698 */ 699 stp->sd_t_audit_data = NULL; 700 mutex_exit(&stp->sd_lock); 701 return; 702 } 703 704 stp->sd_t_audit_data = (caddr_t)curthread; 705 mutex_exit(&stp->sd_lock); 706 } 707 708 /* 709 * ROUTINE: AUDIT_CLOSEF 710 * PURPOSE: 711 * CALLBY: CLOSEF 712 * NOTE: 713 * release per file audit resources when file structure is being released. 714 * 715 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 716 * on the audit queue if it becomes full. This means 717 * audit_closef can not be called when f_count == 0. Since 718 * f_count == 0 indicates the file structure is free, another 719 * process could attempt to use the file while we were still 720 * asleep waiting on the audit queue. This would cause the 721 * per file audit data to be corrupted when we finally do 722 * wakeup. 723 * TODO: 724 * QUESTION: 725 */ 726 727 void 728 audit_closef(struct file *fp) 729 { /* AUDIT_CLOSEF */ 730 f_audit_data_t *fad; 731 t_audit_data_t *tad; 732 int success; 733 au_state_t estate; 734 struct vnode *vp; 735 token_t *ad = NULL; 736 struct vattr attr; 737 au_emod_t evmod = 0; 738 const auditinfo_addr_t *ainfo; 739 int getattr_ret; 740 cred_t *cr; 741 au_kcontext_t *kctx = GET_KCTX_PZ; 742 uint32_t auditing; 743 744 fad = F2A(fp); 745 estate = kctx->auk_ets[AUE_CLOSE]; 746 tad = U2A(u); 747 cr = CRED(); 748 749 /* audit record already generated by system call envelope */ 750 if (tad->tad_event == AUE_CLOSE) { 751 /* so close audit event will have bits set */ 752 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 753 return; 754 } 755 756 /* if auditing not enabled, then don't generate an audit record */ 757 auditing = (tad->tad_audit == AUC_UNSET) ? 758 kctx->auk_auditstate : tad->tad_audit; 759 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 760 return; 761 762 ainfo = crgetauinfo(cr); 763 if (ainfo == NULL) 764 return; 765 766 success = ainfo->ai_mask.as_success & estate; 767 768 /* not selected for this event */ 769 if (success == 0) 770 return; 771 772 /* 773 * can't use audit_attributes here since we use a private audit area 774 * to build the audit record instead of the one off the thread. 775 */ 776 if ((vp = fp->f_vnode) != NULL) { 777 attr.va_mask = AT_ALL; 778 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 779 } 780 781 /* 782 * When write was not used and the file can be considered public, 783 * then skip the audit. 784 */ 785 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 786 if (object_is_public(&attr)) { 787 return; 788 } 789 } 790 791 evmod = (au_emod_t)fad->fad_flags; 792 if (fad->fad_aupath != NULL) { 793 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 794 } else { 795 #ifdef _LP64 796 au_write((caddr_t *)&(ad), au_to_arg64( 797 1, "no path: fp", (uint64_t)fp)); 798 #else 799 au_write((caddr_t *)&(ad), au_to_arg32( 800 1, "no path: fp", (uint32_t)fp)); 801 #endif 802 } 803 804 if (getattr_ret == 0) { 805 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 806 audit_sec_attributes((caddr_t *)&(ad), vp); 807 } 808 809 /* Add subject information */ 810 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 811 812 /* add a return token */ 813 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 814 815 AS_INC(as_generated, 1, kctx); 816 AS_INC(as_kernel, 1, kctx); 817 818 /* 819 * Close up everything 820 * Note: path space recovery handled by normal system 821 * call envelope if not at last close. 822 * Note there is no failure at this point since 823 * this represents closes due to exit of process, 824 * thus we always indicate successful closes. 825 */ 826 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 827 AUE_CLOSE, evmod, NULL); 828 } 829 830 /* 831 * ROUTINE: AUDIT_SET 832 * PURPOSE: Audit the file path and file attributes. 833 * CALLBY: SETF 834 * NOTE: SETF associate a file pointer with user area's open files. 835 * TODO: 836 * call audit_finish directly ??? 837 * QUESTION: 838 */ 839 840 /*ARGSUSED*/ 841 void 842 audit_setf(file_t *fp, int fd) 843 { 844 f_audit_data_t *fad; 845 t_audit_data_t *tad; 846 847 if (fp == NULL) 848 return; 849 850 tad = T2A(curthread); 851 fad = F2A(fp); 852 853 if (!(tad->tad_scid == SYS_open || 854 tad->tad_scid == SYS_open64 || 855 tad->tad_scid == SYS_openat || 856 tad->tad_scid == SYS_openat64)) 857 return; 858 859 /* no path */ 860 if (tad->tad_aupath == 0) 861 return; 862 863 /* 864 * assign path information associated with file audit data 865 * use tad hold 866 */ 867 fad->fad_aupath = tad->tad_aupath; 868 tad->tad_aupath = NULL; 869 870 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { 871 /* adjust event type by dropping the 'creat' part */ 872 switch (tad->tad_event) { 873 case AUE_OPEN_RC: 874 tad->tad_event = AUE_OPEN_R; 875 tad->tad_ctrl |= TAD_PUBLIC_EV; 876 break; 877 case AUE_OPEN_RTC: 878 tad->tad_event = AUE_OPEN_RT; 879 break; 880 case AUE_OPEN_WC: 881 tad->tad_event = AUE_OPEN_W; 882 break; 883 case AUE_OPEN_WTC: 884 tad->tad_event = AUE_OPEN_WT; 885 break; 886 case AUE_OPEN_RWC: 887 tad->tad_event = AUE_OPEN_RW; 888 break; 889 case AUE_OPEN_RWTC: 890 tad->tad_event = AUE_OPEN_RWT; 891 break; 892 default: 893 break; 894 } 895 } 896 } 897 898 899 void 900 audit_ipc(int type, int id, void *vp) 901 { 902 /* if not auditing this event, then do nothing */ 903 if (ad_flag == 0) 904 return; 905 906 switch (type) { 907 case AT_IPC_MSG: 908 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 909 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 910 break; 911 case AT_IPC_SEM: 912 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 913 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 914 break; 915 case AT_IPC_SHM: 916 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 917 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 918 break; 919 } 920 } 921 922 void 923 audit_ipcget(int type, void *vp) 924 { 925 /* if not auditing this event, then do nothing */ 926 if (ad_flag == 0) 927 return; 928 929 switch (type) { 930 case NULL: 931 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 932 break; 933 case AT_IPC_MSG: 934 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 935 break; 936 case AT_IPC_SEM: 937 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 938 break; 939 case AT_IPC_SHM: 940 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 941 break; 942 } 943 } 944 945 /* 946 * ROUTINE: AUDIT_REBOOT 947 * PURPOSE: 948 * CALLBY: 949 * NOTE: 950 * At this point we know that the system call reboot will not return. We thus 951 * have to complete the audit record generation and put it onto the queue. 952 * This might be fairly useless if the auditing daemon is already dead.... 953 * TODO: 954 * QUESTION: who calls audit_reboot 955 */ 956 957 void 958 audit_reboot(void) 959 { 960 int flag; 961 t_audit_data_t *tad; 962 au_kcontext_t *kctx = GET_KCTX_PZ; 963 964 tad = U2A(u); 965 966 /* if not auditing this event, then do nothing */ 967 if (tad->tad_flag == 0) 968 return; 969 970 /* do preselection on success/failure */ 971 if (flag = audit_success(kctx, tad, 0, NULL)) { 972 /* add a process token */ 973 974 cred_t *cr = CRED(); 975 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 976 977 if (ainfo == NULL) 978 return; 979 980 /* Add subject information */ 981 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 982 983 /* add a return token */ 984 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 985 986 AS_INC(as_generated, 1, kctx); 987 AS_INC(as_kernel, 1, kctx); 988 } 989 990 /* 991 * Flow control useless here since we're going 992 * to drop everything in the queue anyway. Why 993 * block and wait. There aint anyone left alive to 994 * read the records remaining anyway. 995 */ 996 997 /* Close up everything */ 998 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 999 tad->tad_event, tad->tad_evmod, NULL); 1000 } 1001 1002 void 1003 audit_setfsat_path(int argnum) 1004 { 1005 klwp_id_t clwp = ttolwp(curthread); 1006 struct file *fp; 1007 uint32_t fd; 1008 t_audit_data_t *tad; 1009 struct f_audit_data *fad; 1010 p_audit_data_t *pad; /* current process */ 1011 struct a { 1012 long arg1; 1013 long arg2; 1014 long arg3; 1015 long arg4; 1016 long arg5; 1017 } *uap; 1018 1019 if (clwp == NULL) 1020 return; 1021 uap = (struct a *)clwp->lwp_ap; 1022 1023 tad = U2A(u); 1024 ASSERT(tad != NULL); 1025 1026 switch (tad->tad_scid) { 1027 case SYS_faccessat: 1028 case SYS_fchownat: 1029 case SYS_fstatat: 1030 case SYS_fstatat64: 1031 case SYS_openat: 1032 case SYS_openat64: 1033 case SYS_unlinkat: 1034 fd = uap->arg1; 1035 break; 1036 case SYS_renameat: 1037 if (argnum == 3) 1038 fd = uap->arg3; 1039 else 1040 fd = uap->arg1; 1041 break; 1042 case SYS_utimesys: 1043 fd = uap->arg2; 1044 break; 1045 default: 1046 return; 1047 } 1048 1049 if (tad->tad_atpath != NULL) { 1050 au_pathrele(tad->tad_atpath); 1051 tad->tad_atpath = NULL; 1052 } 1053 if (fd != AT_FDCWD) { 1054 if ((fp = getf(fd)) == NULL) { 1055 tad->tad_ctrl |= TAD_NOPATH; 1056 return; 1057 } 1058 fad = F2A(fp); 1059 ASSERT(fad); 1060 if (fad->fad_aupath == NULL) { 1061 tad->tad_ctrl |= TAD_NOPATH; 1062 releasef(fd); 1063 return; 1064 } 1065 au_pathhold(fad->fad_aupath); 1066 tad->tad_atpath = fad->fad_aupath; 1067 releasef(fd); 1068 } else { 1069 pad = P2A(curproc); 1070 mutex_enter(&pad->pad_lock); 1071 au_pathhold(pad->pad_cwd); 1072 tad->tad_atpath = pad->pad_cwd; 1073 mutex_exit(&pad->pad_lock); 1074 } 1075 } 1076 1077 void 1078 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1079 { 1080 t_audit_data_t *tad; 1081 vnode_t *vp; 1082 1083 tad = U2A(u); 1084 1085 /* if not auditing this event, then do nothing */ 1086 if (tad->tad_flag == 0) 1087 return; 1088 1089 au_uwrite(au_to_text(target)); 1090 1091 if (error) 1092 return; 1093 1094 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1095 NULL, NULL, NULL); 1096 if (error == 0) { 1097 audit_attributes(vp); 1098 VN_RELE(vp); 1099 } 1100 } 1101 1102 /* 1103 * ROUTINE: AUDIT_VNCREATE_START 1104 * PURPOSE: set flag so path name lookup in create will not add attribute 1105 * CALLBY: VN_CREATE 1106 * NOTE: 1107 * TODO: 1108 * QUESTION: 1109 */ 1110 1111 void 1112 audit_vncreate_start() 1113 { 1114 t_audit_data_t *tad; 1115 1116 tad = U2A(u); 1117 tad->tad_ctrl |= TAD_NOATTRB; 1118 } 1119 1120 /* 1121 * ROUTINE: AUDIT_VNCREATE_FINISH 1122 * PURPOSE: 1123 * CALLBY: VN_CREATE 1124 * NOTE: 1125 * TODO: 1126 * QUESTION: 1127 */ 1128 void 1129 audit_vncreate_finish(struct vnode *vp, int error) 1130 { 1131 t_audit_data_t *tad; 1132 1133 if (error) 1134 return; 1135 1136 tad = U2A(u); 1137 1138 /* if not auditing this event, then do nothing */ 1139 if (tad->tad_flag == 0) 1140 return; 1141 1142 if (tad->tad_ctrl & TAD_TRUE_CREATE) { 1143 audit_attributes(vp); 1144 } 1145 1146 if (tad->tad_ctrl & TAD_CORE) { 1147 audit_attributes(vp); 1148 tad->tad_ctrl &= ~TAD_CORE; 1149 } 1150 1151 if (!error && ((tad->tad_event == AUE_MKNOD) || 1152 (tad->tad_event == AUE_MKDIR))) { 1153 audit_attributes(vp); 1154 } 1155 1156 /* for case where multiple lookups in one syscall (rename) */ 1157 tad->tad_ctrl &= ~TAD_NOATTRB; 1158 } 1159 1160 1161 1162 1163 1164 1165 1166 1167 /* 1168 * ROUTINE: AUDIT_EXEC 1169 * PURPOSE: Records the function arguments and environment variables 1170 * CALLBY: EXEC_ARGS 1171 * NOTE: 1172 * TODO: 1173 * QUESTION: 1174 */ 1175 1176 void 1177 audit_exec( 1178 const char *argstr, /* argument strings */ 1179 const char *envstr, /* environment strings */ 1180 ssize_t argc, /* total # arguments */ 1181 ssize_t envc, /* total # environment variables */ 1182 cred_t *pfcred) /* the additional privileges in a profile */ 1183 { 1184 t_audit_data_t *tad; 1185 au_kcontext_t *kctx = GET_KCTX_PZ; 1186 1187 tad = U2A(u); 1188 1189 /* if not auditing this event, then do nothing */ 1190 if (!tad->tad_flag) 1191 return; 1192 1193 if (pfcred != NULL) { 1194 p_audit_data_t *pad; 1195 cred_t *cr = CRED(); 1196 priv_set_t pset = CR_IPRIV(cr); 1197 1198 pad = P2A(curproc); 1199 1200 /* It's a different event. */ 1201 tad->tad_event = AUE_PFEXEC; 1202 1203 /* Add the current working directory to the audit trail. */ 1204 if (pad->pad_cwd != NULL) 1205 au_uwrite(au_to_path(pad->pad_cwd)); 1206 1207 /* 1208 * The new credential is not yet in place when audit_exec 1209 * is called. 1210 * Compute the additional bits available in the new credential 1211 * and the limit set. 1212 */ 1213 priv_inverse(&pset); 1214 priv_intersect(&CR_IPRIV(pfcred), &pset); 1215 if (!priv_isemptyset(&pset) || 1216 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1217 au_uwrite(au_to_privset( 1218 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1219 0)); 1220 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1221 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1222 } 1223 /* 1224 * Compare the uids & gids: create a process token if changed. 1225 */ 1226 if (crgetuid(cr) != crgetuid(pfcred) || 1227 crgetruid(cr) != crgetruid(pfcred) || 1228 crgetgid(cr) != crgetgid(pfcred) || 1229 crgetrgid(cr) != crgetrgid(pfcred)) { 1230 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1231 } 1232 } 1233 1234 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1235 au_uwrite(au_to_exec_args(argstr, argc)); 1236 1237 if (kctx->auk_policy & AUDIT_ARGE) 1238 au_uwrite(au_to_exec_env(envstr, envc)); 1239 } 1240 1241 /* 1242 * ROUTINE: AUDIT_ENTERPROM 1243 * PURPOSE: 1244 * CALLBY: KBDINPUT 1245 * ZSA_XSINT 1246 * NOTE: 1247 * TODO: 1248 * QUESTION: 1249 */ 1250 void 1251 audit_enterprom(int flg) 1252 { 1253 token_t *rp = NULL; 1254 int sorf; 1255 1256 if (flg) 1257 sorf = AUM_SUCC; 1258 else 1259 sorf = AUM_FAIL; 1260 1261 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1262 1263 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1264 1265 if (flg) 1266 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1267 else 1268 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1269 1270 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1271 } 1272 1273 1274 /* 1275 * ROUTINE: AUDIT_EXITPROM 1276 * PURPOSE: 1277 * CALLBY: KBDINPUT 1278 * ZSA_XSINT 1279 * NOTE: 1280 * TODO: 1281 * QUESTION: 1282 */ 1283 void 1284 audit_exitprom(int flg) 1285 { 1286 int sorf; 1287 token_t *rp = NULL; 1288 1289 if (flg) 1290 sorf = AUM_SUCC; 1291 else 1292 sorf = AUM_FAIL; 1293 1294 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1295 1296 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1297 1298 if (flg) 1299 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1300 else 1301 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1302 1303 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1304 } 1305 1306 struct fcntla { 1307 int fdes; 1308 int cmd; 1309 intptr_t arg; 1310 }; 1311 1312 1313 /* 1314 * ROUTINE: AUDIT_CHDIREC 1315 * PURPOSE: 1316 * CALLBY: CHDIREC 1317 * NOTE: The main function of CHDIREC 1318 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1319 * QUESTION: 1320 */ 1321 1322 /*ARGSUSED*/ 1323 void 1324 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1325 { 1326 int chdir; 1327 int fchdir; 1328 struct audit_path **appp; 1329 struct file *fp; 1330 f_audit_data_t *fad; 1331 p_audit_data_t *pad = P2A(curproc); 1332 t_audit_data_t *tad = T2A(curthread); 1333 1334 struct a { 1335 long fd; 1336 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1337 1338 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1339 chdir = tad->tad_scid == SYS_chdir; 1340 if (tad->tad_aupath) { 1341 mutex_enter(&pad->pad_lock); 1342 if (chdir) 1343 appp = &(pad->pad_cwd); 1344 else 1345 appp = &(pad->pad_root); 1346 au_pathrele(*appp); 1347 /* use tad hold */ 1348 *appp = tad->tad_aupath; 1349 tad->tad_aupath = NULL; 1350 mutex_exit(&pad->pad_lock); 1351 } 1352 } else if ((tad->tad_scid == SYS_fchdir) || 1353 (tad->tad_scid == SYS_fchroot)) { 1354 fchdir = tad->tad_scid == SYS_fchdir; 1355 if ((fp = getf(uap->fd)) == NULL) 1356 return; 1357 fad = F2A(fp); 1358 if (fad->fad_aupath) { 1359 au_pathhold(fad->fad_aupath); 1360 mutex_enter(&pad->pad_lock); 1361 if (fchdir) 1362 appp = &(pad->pad_cwd); 1363 else 1364 appp = &(pad->pad_root); 1365 au_pathrele(*appp); 1366 *appp = fad->fad_aupath; 1367 mutex_exit(&pad->pad_lock); 1368 if (tad->tad_flag) { 1369 au_uwrite(au_to_path(fad->fad_aupath)); 1370 audit_attributes(fp->f_vnode); 1371 } 1372 } 1373 releasef(uap->fd); 1374 } 1375 } 1376 1377 1378 /* 1379 * Audit hook for stream based socket and tli request. 1380 * Note that we do not have user context while executing 1381 * this code so we had to record them earlier during the 1382 * putmsg/getmsg to figure out which user we are dealing with. 1383 */ 1384 1385 /*ARGSUSED*/ 1386 void 1387 audit_sock( 1388 int type, /* type of tihdr.h header requests */ 1389 queue_t *q, /* contains the process and thread audit data */ 1390 mblk_t *mp, /* contains the tihdr.h header structures */ 1391 int from) /* timod or sockmod request */ 1392 { 1393 int32_t len; 1394 int32_t offset; 1395 struct sockaddr_in *sock_data; 1396 struct T_conn_req *conn_req; 1397 struct T_conn_ind *conn_ind; 1398 struct T_unitdata_req *unitdata_req; 1399 struct T_unitdata_ind *unitdata_ind; 1400 au_state_t estate; 1401 t_audit_data_t *tad; 1402 caddr_t saved_thread_ptr; 1403 au_mask_t amask; 1404 const auditinfo_addr_t *ainfo; 1405 au_kcontext_t *kctx; 1406 1407 if (q->q_stream == NULL) 1408 return; 1409 mutex_enter(&q->q_stream->sd_lock); 1410 /* are we being audited */ 1411 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1412 /* no pointer to thread, nothing to do */ 1413 if (saved_thread_ptr == NULL) { 1414 mutex_exit(&q->q_stream->sd_lock); 1415 return; 1416 } 1417 /* only allow one addition of a record token */ 1418 q->q_stream->sd_t_audit_data = NULL; 1419 /* 1420 * thread is not the one being audited, then nothing to do 1421 * This could be the stream thread handling the module 1422 * service routine. In this case, the context for the audit 1423 * record can no longer be assumed. Simplest to just drop 1424 * the operation. 1425 */ 1426 if (curthread != (kthread_id_t)saved_thread_ptr) { 1427 mutex_exit(&q->q_stream->sd_lock); 1428 return; 1429 } 1430 if (curthread->t_sysnum >= SYS_so_socket && 1431 curthread->t_sysnum <= SYS_sockconfig) { 1432 mutex_exit(&q->q_stream->sd_lock); 1433 return; 1434 } 1435 mutex_exit(&q->q_stream->sd_lock); 1436 /* 1437 * we know that the thread that did the put/getmsg is the 1438 * one running. Now we can get the TAD and see if we should 1439 * add an audit token. 1440 */ 1441 tad = U2A(u); 1442 1443 kctx = GET_KCTX_PZ; 1444 1445 /* proceed ONLY if user is being audited */ 1446 if (!tad->tad_flag) 1447 return; 1448 1449 ainfo = crgetauinfo(CRED()); 1450 if (ainfo == NULL) 1451 return; 1452 amask = ainfo->ai_mask; 1453 1454 /* 1455 * Figure out the type of stream networking request here. 1456 * Note that getmsg and putmsg are always preselected 1457 * because during the beginning of the system call we have 1458 * not yet figure out which of the socket or tli request 1459 * we are looking at until we are here. So we need to check 1460 * against that specific request and reset the type of event. 1461 */ 1462 switch (type) { 1463 case T_CONN_REQ: /* connection request */ 1464 conn_req = (struct T_conn_req *)mp->b_rptr; 1465 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1466 return; 1467 offset = conn_req->DEST_offset; 1468 len = conn_req->DEST_length; 1469 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1470 if (amask.as_success & estate || amask.as_failure & estate) { 1471 tad->tad_event = AUE_SOCKCONNECT; 1472 break; 1473 } else { 1474 return; 1475 } 1476 case T_CONN_IND: /* connectionless receive request */ 1477 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1478 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1479 return; 1480 offset = conn_ind->SRC_offset; 1481 len = conn_ind->SRC_length; 1482 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1483 if (amask.as_success & estate || amask.as_failure & estate) { 1484 tad->tad_event = AUE_SOCKACCEPT; 1485 break; 1486 } else { 1487 return; 1488 } 1489 case T_UNITDATA_REQ: /* connectionless send request */ 1490 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1491 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1492 return; 1493 offset = unitdata_req->DEST_offset; 1494 len = unitdata_req->DEST_length; 1495 estate = kctx->auk_ets[AUE_SOCKSEND]; 1496 if (amask.as_success & estate || amask.as_failure & estate) { 1497 tad->tad_event = AUE_SOCKSEND; 1498 break; 1499 } else { 1500 return; 1501 } 1502 case T_UNITDATA_IND: /* connectionless receive request */ 1503 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1504 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1505 return; 1506 offset = unitdata_ind->SRC_offset; 1507 len = unitdata_ind->SRC_length; 1508 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1509 if (amask.as_success & estate || amask.as_failure & estate) { 1510 tad->tad_event = AUE_SOCKRECEIVE; 1511 break; 1512 } else { 1513 return; 1514 } 1515 default: 1516 return; 1517 } 1518 1519 /* 1520 * we are only interested in tcp stream connections, 1521 * not unix domain stuff 1522 */ 1523 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1524 tad->tad_event = AUE_GETMSG; 1525 return; 1526 } 1527 /* skip over TPI header and point to the ip address */ 1528 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1529 1530 switch (sock_data->sin_family) { 1531 case AF_INET: 1532 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1533 break; 1534 default: /* reset to AUE_PUTMSG if not a inet request */ 1535 tad->tad_event = AUE_GETMSG; 1536 break; 1537 } 1538 } 1539 1540 1541 static void 1542 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1543 { 1544 unsigned int sy_flags; 1545 1546 #ifdef _SYSCALL32_IMPL 1547 /* 1548 * Guard against t_lwp being NULL when this function is called 1549 * from a kernel queue instead of from a direct system call. 1550 * In that case, assume the running kernel data model. 1551 */ 1552 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1553 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1554 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1555 else 1556 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1557 #else 1558 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1559 #endif 1560 1561 if (sy_flags == SE_64RVAL) 1562 au_write(ad, au_to_return64(err, rval)); 1563 else 1564 au_write(ad, au_to_return32(err, rval)); 1565 1566 } 1567 1568 /*ARGSUSED*/ 1569 void 1570 audit_fdsend(fd, fp, error) 1571 int fd; 1572 struct file *fp; 1573 int error; /* ignore for now */ 1574 { 1575 t_audit_data_t *tad; /* current thread */ 1576 f_audit_data_t *fad; /* per file audit structure */ 1577 struct vnode *vp; /* for file attributes */ 1578 1579 /* is this system call being audited */ 1580 tad = U2A(u); 1581 ASSERT(tad != (t_audit_data_t *)0); 1582 if (!tad->tad_flag) 1583 return; 1584 1585 fad = F2A(fp); 1586 1587 /* add path and file attributes */ 1588 if (fad != NULL && fad->fad_aupath != NULL) { 1589 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1590 au_uwrite(au_to_path(fad->fad_aupath)); 1591 } else { 1592 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1593 #ifdef _LP64 1594 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1595 #else 1596 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1597 #endif 1598 } 1599 vp = fp->f_vnode; /* include vnode attributes */ 1600 audit_attributes(vp); 1601 } 1602 1603 /* 1604 * Record privileges successfully used and we attempted to use but 1605 * didn't have. 1606 */ 1607 void 1608 audit_priv(int priv, const priv_set_t *set, int flag) 1609 { 1610 t_audit_data_t *tad; 1611 int sbit; 1612 priv_set_t *target; 1613 1614 /* Make sure this isn't being called in an interrupt context */ 1615 ASSERT(servicing_interrupt() == 0); 1616 1617 tad = U2A(u); 1618 1619 if (tad->tad_flag == 0) 1620 return; 1621 1622 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1623 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1624 1625 /* Tell audit_success() and audit_finish() that we saw this case */ 1626 if (!(tad->tad_evmod & sbit)) { 1627 /* Clear set first time around */ 1628 priv_emptyset(target); 1629 tad->tad_evmod |= sbit; 1630 } 1631 1632 /* Save the privileges in the tad */ 1633 if (priv == PRIV_ALL) { 1634 priv_fillset(target); 1635 } else { 1636 ASSERT(set != NULL || priv != PRIV_NONE); 1637 if (set != NULL) 1638 priv_union(set, target); 1639 if (priv != PRIV_NONE) 1640 priv_addset(target, priv); 1641 } 1642 } 1643 1644 /* 1645 * Audit the setpriv() system call; the operation, the set name and 1646 * the current value as well as the set argument are put in the 1647 * audit trail. 1648 */ 1649 void 1650 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1651 { 1652 t_audit_data_t *tad; 1653 const priv_set_t *oldpriv; 1654 priv_set_t report; 1655 const char *setname; 1656 1657 tad = U2A(u); 1658 1659 if (tad->tad_flag == 0) 1660 return; 1661 1662 oldpriv = priv_getset(ocr, set); 1663 1664 /* Generate the actual record, include the before and after */ 1665 au_uwrite(au_to_arg32(2, "op", op)); 1666 setname = priv_getsetbynum(set); 1667 1668 switch (op) { 1669 case PRIV_OFF: 1670 /* Report privileges actually switched off */ 1671 report = *oldpriv; 1672 priv_intersect(newpriv, &report); 1673 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1674 break; 1675 case PRIV_ON: 1676 /* Report privileges actually switched on */ 1677 report = *oldpriv; 1678 priv_inverse(&report); 1679 priv_intersect(newpriv, &report); 1680 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1681 break; 1682 case PRIV_SET: 1683 /* Report before and after */ 1684 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1685 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1686 break; 1687 } 1688 } 1689 1690 /* 1691 * Dump the full device policy setting in the audit trail. 1692 */ 1693 void 1694 audit_devpolicy(int nitems, const devplcysys_t *items) 1695 { 1696 t_audit_data_t *tad; 1697 int i; 1698 1699 tad = U2A(u); 1700 1701 if (tad->tad_flag == 0) 1702 return; 1703 1704 for (i = 0; i < nitems; i++) { 1705 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1706 if (items[i].dps_minornm[0] == '\0') { 1707 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1708 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1709 } else 1710 au_uwrite(au_to_text(items[i].dps_minornm)); 1711 1712 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1713 AUT_PRIV, 0)); 1714 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1715 AUT_PRIV, 0)); 1716 } 1717 } 1718 1719 /*ARGSUSED*/ 1720 void 1721 audit_fdrecv(fd, fp) 1722 int fd; 1723 struct file *fp; 1724 { 1725 t_audit_data_t *tad; /* current thread */ 1726 f_audit_data_t *fad; /* per file audit structure */ 1727 struct vnode *vp; /* for file attributes */ 1728 1729 /* is this system call being audited */ 1730 tad = U2A(u); 1731 ASSERT(tad != (t_audit_data_t *)0); 1732 if (!tad->tad_flag) 1733 return; 1734 1735 fad = F2A(fp); 1736 1737 /* add path and file attributes */ 1738 if (fad != NULL && fad->fad_aupath != NULL) { 1739 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1740 au_uwrite(au_to_path(fad->fad_aupath)); 1741 } else { 1742 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1743 #ifdef _LP64 1744 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1745 #else 1746 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1747 #endif 1748 } 1749 vp = fp->f_vnode; /* include vnode attributes */ 1750 audit_attributes(vp); 1751 } 1752 1753 /* 1754 * ROUTINE: AUDIT_CRYPTOADM 1755 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1756 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1757 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1758 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1759 * CRYPTO_LOAD_DOOR 1760 * NOTE: 1761 * TODO: 1762 * QUESTION: 1763 */ 1764 1765 void 1766 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1767 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1768 { 1769 boolean_t mech_list_required = B_FALSE; 1770 cred_t *cr = CRED(); 1771 t_audit_data_t *tad; 1772 token_t *ad = NULL; 1773 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1774 char buffer[MAXNAMELEN * 2]; 1775 au_kcontext_t *kctx = GET_KCTX_PZ; 1776 1777 tad = U2A(u); 1778 if (tad == NULL) 1779 return; 1780 1781 if (ainfo == NULL) 1782 return; 1783 1784 tad->tad_event = AUE_CRYPTOADM; 1785 1786 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1787 return; 1788 1789 /* Add subject information */ 1790 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1791 1792 switch (cmd) { 1793 case CRYPTO_LOAD_DEV_DISABLED: 1794 if (error == 0 && rv == CRYPTO_SUCCESS) { 1795 (void) snprintf(buffer, sizeof (buffer), 1796 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1797 " dev_instance=%d", 1798 module_name, device_instance); 1799 mech_list_required = B_TRUE; 1800 } else { 1801 (void) snprintf(buffer, sizeof (buffer), 1802 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1803 } 1804 break; 1805 1806 case CRYPTO_LOAD_SOFT_DISABLED: 1807 if (error == 0 && rv == CRYPTO_SUCCESS) { 1808 (void) snprintf(buffer, sizeof (buffer), 1809 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1810 module_name); 1811 mech_list_required = B_TRUE; 1812 } else { 1813 (void) snprintf(buffer, sizeof (buffer), 1814 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1815 } 1816 break; 1817 1818 case CRYPTO_UNLOAD_SOFT_MODULE: 1819 if (error == 0 && rv == CRYPTO_SUCCESS) { 1820 (void) snprintf(buffer, sizeof (buffer), 1821 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1822 module_name); 1823 } else { 1824 (void) snprintf(buffer, sizeof (buffer), 1825 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1826 } 1827 break; 1828 1829 case CRYPTO_LOAD_SOFT_CONFIG: 1830 if (error == 0 && rv == CRYPTO_SUCCESS) { 1831 (void) snprintf(buffer, sizeof (buffer), 1832 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1833 module_name); 1834 mech_list_required = B_TRUE; 1835 } else { 1836 (void) snprintf(buffer, sizeof (buffer), 1837 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1838 } 1839 break; 1840 1841 case CRYPTO_POOL_CREATE: 1842 (void) snprintf(buffer, sizeof (buffer), 1843 "op=CRYPTO_POOL_CREATE"); 1844 break; 1845 1846 case CRYPTO_POOL_WAIT: 1847 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1848 break; 1849 1850 case CRYPTO_POOL_RUN: 1851 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1852 break; 1853 1854 case CRYPTO_LOAD_DOOR: 1855 if (error == 0 && rv == CRYPTO_SUCCESS) 1856 (void) snprintf(buffer, sizeof (buffer), 1857 "op=CRYPTO_LOAD_DOOR"); 1858 else 1859 (void) snprintf(buffer, sizeof (buffer), 1860 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1861 break; 1862 1863 case CRYPTO_FIPS140_SET: 1864 (void) snprintf(buffer, sizeof (buffer), 1865 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1866 break; 1867 1868 default: 1869 return; 1870 } 1871 1872 au_write((caddr_t *)&ad, au_to_text(buffer)); 1873 1874 if (mech_list_required) { 1875 int i; 1876 1877 if (mech_count == 0) { 1878 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1879 } else { 1880 char *pb = buffer; 1881 size_t l = sizeof (buffer); 1882 size_t n; 1883 char space[2] = ":"; 1884 1885 n = snprintf(pb, l, "mech="); 1886 1887 for (i = 0; i < mech_count; i++) { 1888 pb += n; 1889 l -= n; 1890 if (l < 0) 1891 l = 0; 1892 1893 if (i == mech_count - 1) 1894 (void) strcpy(space, ""); 1895 1896 n = snprintf(pb, l, "%s%s", mech_names[i], 1897 space); 1898 } 1899 au_write((caddr_t *)&ad, au_to_text(buffer)); 1900 } 1901 } 1902 1903 /* add a return token */ 1904 if (error || (rv != CRYPTO_SUCCESS)) 1905 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1906 else 1907 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1908 1909 AS_INC(as_generated, 1, kctx); 1910 AS_INC(as_kernel, 1, kctx); 1911 1912 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 1913 NULL); 1914 } 1915 1916 /* 1917 * Audit the kernel SSL administration command. The address and the 1918 * port number for the SSL instance, and the proxy port are put in the 1919 * audit trail. 1920 */ 1921 void 1922 audit_kssl(int cmd, void *params, int error) 1923 { 1924 cred_t *cr = CRED(); 1925 t_audit_data_t *tad; 1926 token_t *ad = NULL; 1927 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1928 au_kcontext_t *kctx = GET_KCTX_PZ; 1929 1930 tad = U2A(u); 1931 1932 if (ainfo == NULL) 1933 return; 1934 1935 tad->tad_event = AUE_CONFIGKSSL; 1936 1937 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1938 return; 1939 1940 /* Add subject information */ 1941 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 1942 1943 switch (cmd) { 1944 case KSSL_ADD_ENTRY: { 1945 char buf[32]; 1946 kssl_params_t *kp = (kssl_params_t *)params; 1947 struct sockaddr_in6 *saddr = &kp->kssl_addr; 1948 1949 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 1950 au_write((caddr_t *)&ad, 1951 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 1952 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 1953 saddr->sin6_port); 1954 au_write((caddr_t *)&ad, au_to_text(buf)); 1955 1956 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 1957 kp->kssl_proxy_port); 1958 au_write((caddr_t *)&ad, au_to_text(buf)); 1959 break; 1960 } 1961 1962 case KSSL_DELETE_ENTRY: { 1963 char buf[32]; 1964 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 1965 1966 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 1967 au_write((caddr_t *)&ad, 1968 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 1969 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 1970 saddr->sin6_port); 1971 au_write((caddr_t *)&ad, au_to_text(buf)); 1972 break; 1973 } 1974 1975 default: 1976 return; 1977 } 1978 1979 /* add a return token */ 1980 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 1981 1982 AS_INC(as_generated, 1, kctx); 1983 AS_INC(as_kernel, 1, kctx); 1984 1985 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 1986 NULL); 1987 } 1988 1989 /* 1990 * Audit the kernel PF_POLICY administration commands. Record command, 1991 * zone, policy type (global or tunnel, active or inactive) 1992 */ 1993 /* 1994 * ROUTINE: AUDIT_PF_POLICY 1995 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 1996 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 1997 * SPD_CLONE, SPD_FLIP 1998 * NOTE: 1999 * TODO: 2000 * QUESTION: 2001 */ 2002 2003 void 2004 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2005 boolean_t active, int error, pid_t pid) 2006 { 2007 const auditinfo_addr_t *ainfo; 2008 t_audit_data_t *tad; 2009 token_t *ad = NULL; 2010 au_kcontext_t *kctx = GET_KCTX_PZ; 2011 char buf[80]; 2012 int flag; 2013 2014 tad = U2A(u); 2015 if (tad == NULL) 2016 return; 2017 2018 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2019 if (ainfo == NULL) 2020 return; 2021 2022 /* 2023 * Initialize some variables since these are only set 2024 * with system calls. 2025 */ 2026 2027 switch (cmd) { 2028 case SPD_ADDRULE: { 2029 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2030 break; 2031 } 2032 2033 case SPD_DELETERULE: { 2034 tad->tad_event = AUE_PF_POLICY_DELRULE; 2035 break; 2036 } 2037 2038 case SPD_FLUSH: { 2039 tad->tad_event = AUE_PF_POLICY_FLUSH; 2040 break; 2041 } 2042 2043 case SPD_UPDATEALGS: { 2044 tad->tad_event = AUE_PF_POLICY_ALGS; 2045 break; 2046 } 2047 2048 case SPD_CLONE: { 2049 tad->tad_event = AUE_PF_POLICY_CLONE; 2050 break; 2051 } 2052 2053 case SPD_FLIP: { 2054 tad->tad_event = AUE_PF_POLICY_FLIP; 2055 break; 2056 } 2057 2058 default: 2059 tad->tad_event = AUE_NULL; 2060 } 2061 2062 tad->tad_evmod = 0; 2063 2064 if (flag = audit_success(kctx, tad, error, cred)) { 2065 zone_t *nszone; 2066 2067 /* 2068 * For now, just audit that an event happened, 2069 * along with the error code. 2070 */ 2071 au_write((caddr_t *)&ad, 2072 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2073 au_write((caddr_t *)&ad, 2074 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2075 2076 /* Supplemental data */ 2077 2078 /* 2079 * Generate this zone token if the target zone differs 2080 * from the administrative zone. If netstacks are expanded 2081 * to something other than a 1-1 relationship with zones, 2082 * the auditing framework should create a new token type 2083 * and audit it as a netstack instead. 2084 * Turn on general zone auditing to get the administrative zone. 2085 */ 2086 2087 nszone = zone_find_by_id(netstackid_to_zoneid( 2088 ns->netstack_stackid)); 2089 if (nszone != NULL) { 2090 if (strncmp(crgetzone(cred)->zone_name, 2091 nszone->zone_name, ZONENAME_MAX) != 0) { 2092 token_t *ztoken; 2093 2094 ztoken = au_to_zonename(0, nszone); 2095 au_write((caddr_t *)&ad, ztoken); 2096 } 2097 zone_rele(nszone); 2098 } 2099 2100 if (tun != NULL) { 2101 /* write tunnel name - tun is bounded */ 2102 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2103 tun); 2104 au_write((caddr_t *)&ad, au_to_text(buf)); 2105 } 2106 2107 /* Add subject information */ 2108 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2109 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2110 2111 /* add a return token */ 2112 add_return_token((caddr_t *)&ad, 0, error, 0); 2113 2114 AS_INC(as_generated, 1, kctx); 2115 AS_INC(as_kernel, 1, kctx); 2116 2117 } 2118 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2119 NULL); 2120 2121 /* 2122 * clear the ctrl flag so that we don't have spurious collection of 2123 * audit information. 2124 */ 2125 tad->tad_scid = 0; 2126 tad->tad_event = 0; 2127 tad->tad_evmod = 0; 2128 tad->tad_ctrl = 0; 2129 } 2130 2131 /* 2132 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2133 * PURPOSE: Add security attributes 2134 * CALLBY: AUDIT_ATTRIBUTES 2135 * AUDIT_CLOSEF 2136 * AUS_CLOSE 2137 * NOTE: 2138 * TODO: 2139 * QUESTION: 2140 */ 2141 2142 void 2143 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2144 { 2145 /* Dump the SL */ 2146 if (is_system_labeled()) { 2147 ts_label_t *tsl; 2148 bslabel_t *bsl; 2149 2150 tsl = getflabel(vp); 2151 if (tsl == NULL) 2152 return; /* nothing else to do */ 2153 2154 bsl = label2bslabel(tsl); 2155 if (bsl == NULL) 2156 return; /* nothing else to do */ 2157 au_write(ad, au_to_label(bsl)); 2158 label_rele(tsl); 2159 } 2160 2161 } /* AUDIT_SEC_ATTRIBUTES */ 2162