1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/proc.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/file.h> 35 #include <sys/user.h> 36 #include <sys/stropts.h> 37 #include <sys/systm.h> 38 #include <sys/pathname.h> 39 #include <sys/syscall.h> 40 #include <sys/fcntl.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/msg_impl.h> 43 #include <sys/sem_impl.h> 44 #include <sys/shm_impl.h> 45 #include <sys/kmem.h> /* for KM_SLEEP */ 46 #include <sys/socket.h> 47 #include <sys/cmn_err.h> /* snprintf... */ 48 #include <sys/debug.h> 49 #include <sys/thread.h> 50 #include <netinet/in.h> 51 #include <c2/audit.h> /* needs to be included before user.h */ 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_record.h> 55 #include <sys/strsubr.h> 56 #include <sys/tihdr.h> 57 #include <sys/tiuser.h> 58 #include <sys/timod.h> 59 #include <sys/model.h> /* for model_t */ 60 #include <sys/disp.h> /* for servicing_interrupt() */ 61 #include <sys/devpolicy.h> 62 #include <sys/crypto/ioctladmin.h> 63 #include <sys/cred_impl.h> 64 #include <inet/kssl/kssl.h> 65 #include <net/pfpolicy.h> 66 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 68 69 static void audit_pathbuild(struct pathname *pnp); 70 71 72 /* 73 * ROUTINE: AUDIT_SAVEPATH 74 * PURPOSE: 75 * CALLBY: LOOKUPPN 76 * 77 * NOTE: We have reached the end of a path in fs/lookup.c. 78 * We get two pieces of information here: 79 * the vnode of the last component (vp) and 80 * the status of the last access (flag). 81 * TODO: 82 * QUESTION: 83 */ 84 85 /*ARGSUSED*/ 86 int 87 audit_savepath( 88 struct pathname *pnp, /* pathname to lookup */ 89 struct vnode *vp, /* vnode of the last component */ 90 struct vnode *pvp, /* vnode of the last parent component */ 91 int flag, /* status of the last access */ 92 cred_t *cr) /* cred of requestor */ 93 { 94 95 t_audit_data_t *tad; /* current thread */ 96 au_kcontext_t *kctx = GET_KCTX_PZ; 97 98 tad = U2A(u); 99 100 /* 101 * Noise elimination in audit trails - this event will be discarded if: 102 * - the public policy is not active AND 103 * - the system call is a public operation AND 104 * - the file was not found: VFS lookup failed with ENOENT error AND 105 * - the missing file would have been located in the public directory 106 * owned by root if it had existed 107 */ 108 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && 109 (tad->tad_ctrl & TAD_PUBLIC_EV) && 110 !(kctx->auk_policy & AUDIT_PUBLIC)) { 111 struct vattr attr; 112 113 attr.va_mask = AT_ALL; 114 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { 115 if (object_is_public(&attr)) { 116 tad->tad_ctrl |= TAD_NOAUDIT; 117 } 118 } 119 } 120 121 /* 122 * this event being audited or do we need path information 123 * later? This might be for a chdir/chroot or open (add path 124 * to file pointer. If the path has already been found for an 125 * open/creat then we don't need to process the path. 126 * 127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 128 * chroot, chdir, open, creat system call processing. It determines 129 * if audit_savepath() will discard the path or we need it later. 130 * TAD_PATHFND means path already included in this audit record. It 131 * is used in cases where multiple path lookups are done per 132 * system call. The policy flag, AUDIT_PATH, controls if multiple 133 * paths are allowed. 134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 135 * exit processing to inhibit any paths that may be added due to 136 * closes. 137 */ 138 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 139 ((tad->tad_ctrl & TAD_PATHFND) && 140 !(kctx->auk_policy & AUDIT_PATH)) || 141 (tad->tad_ctrl & TAD_NOPATH)) { 142 return (0); 143 } 144 145 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ 146 147 audit_pathbuild(pnp); 148 149 /* 150 * are we auditing only if error, or if it is not open or create 151 * otherwise audit_setf will do it 152 */ 153 154 if (tad->tad_flag) { 155 if (flag && 156 (tad->tad_scid == SYS_open || 157 tad->tad_scid == SYS_open64 || 158 tad->tad_scid == SYS_openat || 159 tad->tad_scid == SYS_openat64)) { 160 tad->tad_ctrl |= TAD_TRUE_CREATE; 161 } 162 163 /* add token to audit record for this name */ 164 au_uwrite(au_to_path(tad->tad_aupath)); 165 166 /* add the attributes of the object */ 167 if (vp) { 168 /* 169 * only capture attributes when there is no error 170 * lookup will not return the vnode of the failing 171 * component. 172 * 173 * if there was a lookup error, then don't add 174 * attribute. if lookup in vn_create(), 175 * then don't add attribute, 176 * it will be added at end of vn_create(). 177 */ 178 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) 179 audit_attributes(vp); 180 } 181 } 182 183 /* free up space if we're not going to save path (open, creat) */ 184 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { 185 if (tad->tad_aupath != NULL) { 186 au_pathrele(tad->tad_aupath); 187 tad->tad_aupath = NULL; 188 } 189 } 190 if (tad->tad_ctrl & TAD_MLD) 191 tad->tad_ctrl |= TAD_PATHFND; 192 193 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ 194 return (0); 195 } 196 197 static void 198 audit_pathbuild(struct pathname *pnp) 199 { 200 char *pp; /* pointer to path */ 201 int len; /* length of incoming segment */ 202 int newsect; /* path requires a new section */ 203 struct audit_path *pfxapp; /* prefix for path */ 204 struct audit_path *newapp; /* new audit_path */ 205 t_audit_data_t *tad; /* current thread */ 206 p_audit_data_t *pad; /* current process */ 207 208 tad = U2A(u); 209 ASSERT(tad != NULL); 210 pad = P2A(curproc); 211 ASSERT(pad != NULL); 212 213 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 214 ASSERT(len > 0); 215 216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 217 mutex_enter(&pad->pad_lock); 218 if (tad->tad_aupath != NULL) { 219 pfxapp = tad->tad_aupath; 220 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { 221 ASSERT(tad->tad_atpath != NULL); 222 pfxapp = tad->tad_atpath; 223 } else if (tad->tad_ctrl & TAD_ABSPATH) { 224 pfxapp = pad->pad_root; 225 } else { 226 pfxapp = pad->pad_cwd; 227 } 228 au_pathhold(pfxapp); 229 mutex_exit(&pad->pad_lock); 230 231 /* get an expanded buffer to hold the anchored path */ 232 newsect = tad->tad_ctrl & TAD_ATTPATH; 233 newapp = au_pathdup(pfxapp, newsect, len); 234 au_pathrele(pfxapp); 235 236 pp = newapp->audp_sect[newapp->audp_cnt] - len; 237 if (!newsect) { 238 /* overlay previous NUL terminator */ 239 *(pp - 1) = '/'; 240 } 241 242 /* now add string of processed path */ 243 bcopy(pnp->pn_buf, pp, len); 244 pp[len - 1] = '\0'; 245 246 /* perform path simplification as necessary */ 247 audit_fixpath(newapp, len); 248 249 if (tad->tad_aupath) 250 au_pathrele(tad->tad_aupath); 251 tad->tad_aupath = newapp; 252 253 /* for case where multiple lookups in one syscall (rename) */ 254 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); 255 } 256 257 258 /* 259 * ROUTINE: AUDIT_ANCHORPATH 260 * PURPOSE: 261 * CALLBY: LOOKUPPN 262 * NOTE: 263 * anchor path at "/". We have seen a symbolic link or entering for the 264 * first time we will throw away any saved path if path is anchored. 265 * 266 * flag = 0, path is relative. 267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. 268 * 269 * If the (new) path is absolute, then we have to throw away whatever we have 270 * already accumulated since it is being superseded by new path which is 271 * anchored at the root. 272 * Note that if the path is relative, this function does nothing 273 * TODO: 274 * QUESTION: 275 */ 276 /*ARGSUSED*/ 277 void 278 audit_anchorpath(struct pathname *pnp, int flag) 279 { 280 au_kcontext_t *kctx = GET_KCTX_PZ; 281 t_audit_data_t *tad; 282 283 tad = U2A(u); 284 285 /* 286 * this event being audited or do we need path information 287 * later? This might be for a chdir/chroot or open (add path 288 * to file pointer. If the path has already been found for an 289 * open/creat then we don't need to process the path. 290 * 291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 292 * chroot, chdir, open, creat system call processing. It determines 293 * if audit_savepath() will discard the path or we need it later. 294 * TAD_PATHFND means path already included in this audit record. It 295 * is used in cases where multiple path lookups are done per 296 * system call. The policy flag, AUDIT_PATH, controls if multiple 297 * paths are allowed. 298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 299 * exit processing to inhibit any paths that may be added due to 300 * closes. 301 */ 302 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || 303 ((tad->tad_ctrl & TAD_PATHFND) && 304 !(kctx->auk_policy & AUDIT_PATH)) || 305 (tad->tad_ctrl & TAD_NOPATH)) { 306 return; 307 } 308 309 if (flag) { 310 tad->tad_ctrl |= TAD_ABSPATH; 311 if (tad->tad_aupath != NULL) { 312 au_pathrele(tad->tad_aupath); 313 tad->tad_aupath = NULL; 314 } 315 } 316 } 317 318 319 /* 320 * symbolic link. Save previous components. 321 * 322 * the path seen so far looks like this 323 * 324 * +-----------------------+----------------+ 325 * | path processed so far | remaining path | 326 * +-----------------------+----------------+ 327 * \-----------------------/ 328 * save this string if 329 * symbolic link relative 330 * (but don't include symlink component) 331 */ 332 333 /*ARGSUSED*/ 334 335 336 /* 337 * ROUTINE: AUDIT_SYMLINK 338 * PURPOSE: 339 * CALLBY: LOOKUPPN 340 * NOTE: 341 * TODO: 342 * QUESTION: 343 */ 344 void 345 audit_symlink(struct pathname *pnp, struct pathname *sympath) 346 { 347 char *sp; /* saved initial pp */ 348 char *cp; /* start of symlink path */ 349 uint_t len_path; /* processed path before symlink */ 350 t_audit_data_t *tad; 351 au_kcontext_t *kctx = GET_KCTX_PZ; 352 353 tad = U2A(u); 354 355 /* 356 * this event being audited or do we need path information 357 * later? This might be for a chdir/chroot or open (add path 358 * to file pointer. If the path has already been found for an 359 * open/creat then we don't need to process the path. 360 * 361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 362 * chroot, chdir, open, creat system call processing. It determines 363 * if audit_savepath() will discard the path or we need it later. 364 * TAD_PATHFND means path already included in this audit record. It 365 * is used in cases where multiple path lookups are done per 366 * system call. The policy flag, AUDIT_PATH, controls if multiple 367 * paths are allowed. 368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 369 * exit processing to inhibit any paths that may be added due to 370 * closes. 371 */ 372 if ((tad->tad_flag == 0 && 373 !(tad->tad_ctrl & TAD_SAVPATH)) || 374 ((tad->tad_ctrl & TAD_PATHFND) && 375 !(kctx->auk_policy & AUDIT_PATH)) || 376 (tad->tad_ctrl & TAD_NOPATH)) { 377 return; 378 } 379 380 /* 381 * if symbolic link is anchored at / then do nothing. 382 * When we cycle back to begin: in lookuppn() we will 383 * call audit_anchorpath() with a flag indicating if the 384 * path is anchored at / or is relative. We will release 385 * any saved path at that point. 386 * 387 * Note In the event that an error occurs in pn_combine then 388 * we want to remain pointing at the component that caused the 389 * path to overflow the pnp structure. 390 */ 391 if (sympath->pn_buf[0] == '/') 392 return; 393 394 /* backup over last component */ 395 sp = cp = pnp->pn_path; 396 while (*--cp != '/' && cp > pnp->pn_buf) 397 ; 398 399 len_path = cp - pnp->pn_buf; 400 401 /* is there anything to save? */ 402 if (len_path) { 403 pnp->pn_path = pnp->pn_buf; 404 audit_pathbuild(pnp); 405 pnp->pn_path = sp; 406 } 407 } 408 409 /* 410 * object_is_public : determine whether events for the object (corresponding to 411 * the specified file/directory attr) should be audited or 412 * ignored. 413 * 414 * returns: 1 - if audit policy and object attributes indicate that 415 * file/directory is effectively public. read events for 416 * the file should not be audited. 417 * 0 - otherwise 418 * 419 * The required attributes to be considered a public object are: 420 * - owned by root, AND 421 * - world-readable (permissions for other include read), AND 422 * - NOT world-writeable (permissions for other don't 423 * include write) 424 * (mode doesn't need to be checked for symlinks) 425 */ 426 int 427 object_is_public(struct vattr *attr) 428 { 429 au_kcontext_t *kctx = GET_KCTX_PZ; 430 431 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 432 ((attr->va_type == VLNK) || 433 ((attr->va_mode & (VREAD>>6)) != 0) && 434 ((attr->va_mode & (VWRITE>>6)) == 0))) { 435 return (1); 436 } 437 return (0); 438 } 439 440 441 /* 442 * ROUTINE: AUDIT_ATTRIBUTES 443 * PURPOSE: Audit the attributes so we can tell why the error occurred 444 * CALLBY: AUDIT_SAVEPATH 445 * AUDIT_VNCREATE_FINISH 446 * AUS_FCHOWN...audit_event.c...audit_path.c 447 * NOTE: 448 * TODO: 449 * QUESTION: 450 */ 451 void 452 audit_attributes(struct vnode *vp) 453 { 454 struct vattr attr; 455 struct t_audit_data *tad; 456 457 tad = U2A(u); 458 459 if (vp) { 460 attr.va_mask = AT_ALL; 461 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 462 return; 463 464 if (object_is_public(&attr) && 465 (tad->tad_ctrl & TAD_PUBLIC_EV)) { 466 /* 467 * This is a public object and a "public" event 468 * (i.e., read only) -- either by definition 469 * (e.g., stat, access...) or by virtue of write access 470 * not being requested (e.g. mmap). 471 * Flag it in the tad to prevent this audit at the end. 472 */ 473 tad->tad_ctrl |= TAD_NOAUDIT; 474 } else { 475 au_uwrite(au_to_attr(&attr)); 476 audit_sec_attributes(&(u_ad), vp); 477 } 478 } 479 } 480 481 482 /* 483 * ROUTINE: AUDIT_EXIT 484 * PURPOSE: 485 * CALLBY: EXIT 486 * NOTE: 487 * TODO: 488 * QUESTION: why cmw code as offset by 2 but not here 489 */ 490 /* ARGSUSED */ 491 void 492 audit_exit(int code, int what) 493 { 494 struct t_audit_data *tad; 495 tad = U2A(u); 496 497 /* 498 * tad_scid will be set by audit_start even if we are not auditing 499 * the event. 500 */ 501 if (tad->tad_scid == SYS_exit) { 502 /* 503 * if we are auditing the exit system call, then complete 504 * audit record generation (no return from system call). 505 */ 506 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 507 audit_finish(0, SYS_exit, 0, 0); 508 return; 509 } 510 511 /* 512 * Anyone auditing the system call that was aborted? 513 */ 514 if (tad->tad_flag) { 515 au_uwrite(au_to_text("event aborted")); 516 audit_finish(0, tad->tad_scid, 0, 0); 517 } 518 519 /* 520 * Generate an audit record for process exit if preselected. 521 */ 522 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0); 523 audit_finish(0, SYS_exit, 0, 0); 524 } 525 526 /* 527 * ROUTINE: AUDIT_CORE_START 528 * PURPOSE: 529 * CALLBY: PSIG 530 * NOTE: 531 * TODO: 532 */ 533 void 534 audit_core_start(int sig) 535 { 536 au_event_t event; 537 au_state_t estate; 538 t_audit_data_t *tad; 539 au_kcontext_t *kctx; 540 541 tad = U2A(u); 542 543 ASSERT(tad != (t_audit_data_t *)0); 544 545 ASSERT(tad->tad_scid == 0); 546 ASSERT(tad->tad_event == 0); 547 ASSERT(tad->tad_evmod == 0); 548 ASSERT(tad->tad_ctrl == 0); 549 ASSERT(tad->tad_flag == 0); 550 ASSERT(tad->tad_aupath == NULL); 551 552 kctx = GET_KCTX_PZ; 553 554 /* get basic event for system call */ 555 event = AUE_CORE; 556 estate = kctx->auk_ets[event]; 557 558 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 559 return; 560 561 /* reset the flags for non-user attributable events */ 562 tad->tad_ctrl = TAD_CORE; 563 tad->tad_scid = 0; 564 565 /* if auditing not enabled, then don't generate an audit record */ 566 567 if (!((kctx->auk_auditstate == AUC_AUDITING || 568 kctx->auk_auditstate == AUC_INIT_AUDIT) || 569 kctx->auk_auditstate == AUC_NOSPACE)) { 570 tad->tad_flag = 0; 571 tad->tad_ctrl = 0; 572 return; 573 } 574 575 tad->tad_event = event; 576 tad->tad_evmod = 0; 577 578 ASSERT(tad->tad_ad == NULL); 579 580 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 581 } 582 583 /* 584 * ROUTINE: AUDIT_CORE_FINISH 585 * PURPOSE: 586 * CALLBY: PSIG 587 * NOTE: 588 * TODO: 589 * QUESTION: 590 */ 591 592 /*ARGSUSED*/ 593 void 594 audit_core_finish(int code) 595 { 596 int flag; 597 t_audit_data_t *tad; 598 au_kcontext_t *kctx; 599 600 tad = U2A(u); 601 602 ASSERT(tad != (t_audit_data_t *)0); 603 604 if ((flag = tad->tad_flag) == 0) { 605 tad->tad_event = 0; 606 tad->tad_evmod = 0; 607 tad->tad_ctrl = 0; 608 ASSERT(tad->tad_aupath == NULL); 609 return; 610 } 611 tad->tad_flag = 0; 612 613 kctx = GET_KCTX_PZ; 614 615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 616 if (flag = audit_success(kctx, tad, 0, NULL)) { 617 cred_t *cr = CRED(); 618 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 619 620 ASSERT(ainfo != NULL); 621 622 /* 623 * Add subject information (no locks since our private copy of 624 * credential 625 */ 626 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 627 628 /* Add a return token (should use f argument) */ 629 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 630 631 AS_INC(as_generated, 1, kctx); 632 AS_INC(as_kernel, 1, kctx); 633 } 634 635 /* Close up everything */ 636 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL); 637 638 /* free up any space remaining with the path's */ 639 if (tad->tad_aupath != NULL) { 640 au_pathrele(tad->tad_aupath); 641 tad->tad_aupath = NULL; 642 } 643 tad->tad_event = 0; 644 tad->tad_evmod = 0; 645 tad->tad_ctrl = 0; 646 } 647 648 649 /*ARGSUSED*/ 650 void 651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 652 unsigned char *pri, int *flag, int fmode) 653 { 654 struct stdata *stp; 655 t_audit_data_t *tad = U2A(u); 656 657 ASSERT(tad != (t_audit_data_t *)0); 658 659 stp = vp->v_stream; 660 661 /* lock stdata from audit_sock */ 662 mutex_enter(&stp->sd_lock); 663 664 /* proceed ONLY if user is being audited */ 665 if (!tad->tad_flag) { 666 /* 667 * this is so we will not add audit data onto 668 * a thread that is not being audited. 669 */ 670 stp->sd_t_audit_data = NULL; 671 mutex_exit(&stp->sd_lock); 672 return; 673 } 674 675 stp->sd_t_audit_data = (caddr_t)curthread; 676 mutex_exit(&stp->sd_lock); 677 } 678 679 /*ARGSUSED*/ 680 void 681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 682 unsigned char pri, int flag, int fmode) 683 { 684 struct stdata *stp; 685 t_audit_data_t *tad = U2A(u); 686 687 ASSERT(tad != (t_audit_data_t *)0); 688 689 stp = vp->v_stream; 690 691 /* lock stdata from audit_sock */ 692 mutex_enter(&stp->sd_lock); 693 694 /* proceed ONLY if user is being audited */ 695 if (!tad->tad_flag) { 696 /* 697 * this is so we will not add audit data onto 698 * a thread that is not being audited. 699 */ 700 stp->sd_t_audit_data = NULL; 701 mutex_exit(&stp->sd_lock); 702 return; 703 } 704 705 stp->sd_t_audit_data = (caddr_t)curthread; 706 mutex_exit(&stp->sd_lock); 707 } 708 709 /* 710 * ROUTINE: AUDIT_CLOSEF 711 * PURPOSE: 712 * CALLBY: CLOSEF 713 * NOTE: 714 * release per file audit resources when file structure is being released. 715 * 716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 717 * on the audit queue if it becomes full. This means 718 * audit_closef can not be called when f_count == 0. Since 719 * f_count == 0 indicates the file structure is free, another 720 * process could attempt to use the file while we were still 721 * asleep waiting on the audit queue. This would cause the 722 * per file audit data to be corrupted when we finally do 723 * wakeup. 724 * TODO: 725 * QUESTION: 726 */ 727 728 void 729 audit_closef(struct file *fp) 730 { /* AUDIT_CLOSEF */ 731 f_audit_data_t *fad; 732 t_audit_data_t *tad; 733 int success; 734 au_state_t estate; 735 struct vnode *vp; 736 token_t *ad = NULL; 737 struct vattr attr; 738 au_emod_t evmod = 0; 739 const auditinfo_addr_t *ainfo; 740 int getattr_ret; 741 cred_t *cr; 742 au_kcontext_t *kctx = GET_KCTX_PZ; 743 uint32_t auditing; 744 745 fad = F2A(fp); 746 estate = kctx->auk_ets[AUE_CLOSE]; 747 tad = U2A(u); 748 cr = CRED(); 749 750 /* audit record already generated by system call envelope */ 751 if (tad->tad_event == AUE_CLOSE) { 752 /* so close audit event will have bits set */ 753 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 754 return; 755 } 756 757 /* if auditing not enabled, then don't generate an audit record */ 758 auditing = (tad->tad_audit == AUC_UNSET) ? 759 kctx->auk_auditstate : tad->tad_audit; 760 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) 761 return; 762 763 ainfo = crgetauinfo(cr); 764 if (ainfo == NULL) 765 return; 766 767 success = ainfo->ai_mask.as_success & estate; 768 769 /* not selected for this event */ 770 if (success == 0) 771 return; 772 773 /* 774 * can't use audit_attributes here since we use a private audit area 775 * to build the audit record instead of the one off the thread. 776 */ 777 if ((vp = fp->f_vnode) != NULL) { 778 attr.va_mask = AT_ALL; 779 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 780 } 781 782 /* 783 * When write was not used and the file can be considered public, 784 * then skip the audit. 785 */ 786 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 787 if (object_is_public(&attr)) { 788 return; 789 } 790 } 791 792 evmod = (au_emod_t)fad->fad_flags; 793 if (fad->fad_aupath != NULL) { 794 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 795 } else { 796 #ifdef _LP64 797 au_write((caddr_t *)&(ad), au_to_arg64( 798 1, "no path: fp", (uint64_t)fp)); 799 #else 800 au_write((caddr_t *)&(ad), au_to_arg32( 801 1, "no path: fp", (uint32_t)fp)); 802 #endif 803 } 804 805 if (getattr_ret == 0) { 806 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 807 audit_sec_attributes((caddr_t *)&(ad), vp); 808 } 809 810 /* Add subject information */ 811 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 812 813 /* add a return token */ 814 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 815 816 AS_INC(as_generated, 1, kctx); 817 AS_INC(as_kernel, 1, kctx); 818 819 /* 820 * Close up everything 821 * Note: path space recovery handled by normal system 822 * call envelope if not at last close. 823 * Note there is no failure at this point since 824 * this represents closes due to exit of process, 825 * thus we always indicate successful closes. 826 */ 827 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 828 AUE_CLOSE, evmod, NULL); 829 } 830 831 /* 832 * ROUTINE: AUDIT_SET 833 * PURPOSE: Audit the file path and file attributes. 834 * CALLBY: SETF 835 * NOTE: SETF associate a file pointer with user area's open files. 836 * TODO: 837 * call audit_finish directly ??? 838 * QUESTION: 839 */ 840 841 /*ARGSUSED*/ 842 void 843 audit_setf(file_t *fp, int fd) 844 { 845 f_audit_data_t *fad; 846 t_audit_data_t *tad; 847 848 if (fp == NULL) 849 return; 850 851 tad = T2A(curthread); 852 fad = F2A(fp); 853 854 if (!(tad->tad_scid == SYS_open || 855 tad->tad_scid == SYS_open64 || 856 tad->tad_scid == SYS_openat || 857 tad->tad_scid == SYS_openat64)) 858 return; 859 860 /* no path */ 861 if (tad->tad_aupath == 0) 862 return; 863 864 /* 865 * assign path information associated with file audit data 866 * use tad hold 867 */ 868 fad->fad_aupath = tad->tad_aupath; 869 tad->tad_aupath = NULL; 870 871 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { 872 /* adjust event type by dropping the 'creat' part */ 873 switch (tad->tad_event) { 874 case AUE_OPEN_RC: 875 tad->tad_event = AUE_OPEN_R; 876 tad->tad_ctrl |= TAD_PUBLIC_EV; 877 break; 878 case AUE_OPEN_RTC: 879 tad->tad_event = AUE_OPEN_RT; 880 break; 881 case AUE_OPEN_WC: 882 tad->tad_event = AUE_OPEN_W; 883 break; 884 case AUE_OPEN_WTC: 885 tad->tad_event = AUE_OPEN_WT; 886 break; 887 case AUE_OPEN_RWC: 888 tad->tad_event = AUE_OPEN_RW; 889 break; 890 case AUE_OPEN_RWTC: 891 tad->tad_event = AUE_OPEN_RWT; 892 break; 893 default: 894 break; 895 } 896 } 897 } 898 899 900 void 901 audit_ipc(int type, int id, void *vp) 902 { 903 /* if not auditing this event, then do nothing */ 904 if (ad_flag == 0) 905 return; 906 907 switch (type) { 908 case AT_IPC_MSG: 909 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 911 break; 912 case AT_IPC_SEM: 913 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 914 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 915 break; 916 case AT_IPC_SHM: 917 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 918 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 919 break; 920 } 921 } 922 923 void 924 audit_ipcget(int type, void *vp) 925 { 926 /* if not auditing this event, then do nothing */ 927 if (ad_flag == 0) 928 return; 929 930 switch (type) { 931 case NULL: 932 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 933 break; 934 case AT_IPC_MSG: 935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 936 break; 937 case AT_IPC_SEM: 938 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 939 break; 940 case AT_IPC_SHM: 941 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 942 break; 943 } 944 } 945 946 /* 947 * ROUTINE: AUDIT_REBOOT 948 * PURPOSE: 949 * CALLBY: 950 * NOTE: 951 * At this point we know that the system call reboot will not return. We thus 952 * have to complete the audit record generation and put it onto the queue. 953 * This might be fairly useless if the auditing daemon is already dead.... 954 * TODO: 955 * QUESTION: who calls audit_reboot 956 */ 957 958 void 959 audit_reboot(void) 960 { 961 int flag; 962 t_audit_data_t *tad; 963 au_kcontext_t *kctx = GET_KCTX_PZ; 964 965 tad = U2A(u); 966 967 /* if not auditing this event, then do nothing */ 968 if (tad->tad_flag == 0) 969 return; 970 971 /* do preselection on success/failure */ 972 if (flag = audit_success(kctx, tad, 0, NULL)) { 973 /* add a process token */ 974 975 cred_t *cr = CRED(); 976 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 977 978 if (ainfo == NULL) 979 return; 980 981 /* Add subject information */ 982 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 983 984 /* add a return token */ 985 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 986 987 AS_INC(as_generated, 1, kctx); 988 AS_INC(as_kernel, 1, kctx); 989 } 990 991 /* 992 * Flow control useless here since we're going 993 * to drop everything in the queue anyway. Why 994 * block and wait. There aint anyone left alive to 995 * read the records remaining anyway. 996 */ 997 998 /* Close up everything */ 999 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1000 tad->tad_event, tad->tad_evmod, NULL); 1001 } 1002 1003 void 1004 audit_setfsat_path(int argnum) 1005 { 1006 klwp_id_t clwp = ttolwp(curthread); 1007 struct file *fp; 1008 uint32_t fd; 1009 t_audit_data_t *tad; 1010 struct f_audit_data *fad; 1011 p_audit_data_t *pad; /* current process */ 1012 uint_t fm; 1013 struct a { 1014 long arg1; 1015 long arg2; 1016 long arg3; 1017 long arg4; 1018 long arg5; 1019 } *uap; 1020 1021 if (clwp == NULL) 1022 return; 1023 uap = (struct a *)clwp->lwp_ap; 1024 1025 tad = U2A(u); 1026 ASSERT(tad != NULL); 1027 1028 switch (tad->tad_scid) { 1029 case SYS_faccessat: 1030 case SYS_fchmodat: 1031 case SYS_fchownat: 1032 case SYS_fstatat: 1033 case SYS_fstatat64: 1034 case SYS_mkdirat: 1035 case SYS_mknodat: 1036 case SYS_openat: 1037 case SYS_openat64: 1038 case SYS_readlinkat: 1039 case SYS_unlinkat: 1040 fd = uap->arg1; 1041 break; 1042 case SYS_linkat: 1043 case SYS_renameat: 1044 if (argnum == 3) 1045 fd = uap->arg3; 1046 else 1047 fd = uap->arg1; 1048 break; 1049 case SYS_symlinkat: 1050 case SYS_utimesys: 1051 fd = uap->arg2; 1052 break; 1053 case SYS_open: 1054 case SYS_open64: 1055 fd = AT_FDCWD; 1056 break; 1057 default: 1058 return; 1059 } 1060 1061 if (tad->tad_atpath != NULL) { 1062 au_pathrele(tad->tad_atpath); 1063 tad->tad_atpath = NULL; 1064 } 1065 1066 if (fd != AT_FDCWD) { 1067 tad->tad_ctrl |= TAD_ATCALL; 1068 1069 if (tad->tad_scid == SYS_openat || 1070 tad->tad_scid == SYS_openat64) { 1071 fm = (uint_t)uap->arg3; 1072 if (fm & (FXATTR | FXATTRDIROPEN)) { 1073 tad->tad_ctrl |= TAD_ATTPATH; 1074 } 1075 } 1076 1077 if ((fp = getf(fd)) == NULL) { 1078 tad->tad_ctrl |= TAD_NOPATH; 1079 return; 1080 } 1081 fad = F2A(fp); 1082 ASSERT(fad); 1083 if (fad->fad_aupath == NULL) { 1084 tad->tad_ctrl |= TAD_NOPATH; 1085 releasef(fd); 1086 return; 1087 } 1088 au_pathhold(fad->fad_aupath); 1089 tad->tad_atpath = fad->fad_aupath; 1090 releasef(fd); 1091 } else { 1092 if (tad->tad_scid == SYS_open || 1093 tad->tad_scid == SYS_open64) { 1094 fm = (uint_t)uap->arg2; 1095 if (fm & FXATTR) { 1096 tad->tad_ctrl |= TAD_ATTPATH; 1097 } 1098 return; 1099 } 1100 pad = P2A(curproc); 1101 mutex_enter(&pad->pad_lock); 1102 au_pathhold(pad->pad_cwd); 1103 tad->tad_atpath = pad->pad_cwd; 1104 mutex_exit(&pad->pad_lock); 1105 } 1106 } 1107 1108 void 1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1110 { 1111 t_audit_data_t *tad; 1112 vnode_t *vp; 1113 1114 tad = U2A(u); 1115 1116 /* if not auditing this event, then do nothing */ 1117 if (tad->tad_flag == 0) 1118 return; 1119 1120 au_uwrite(au_to_text(target)); 1121 1122 if (error) 1123 return; 1124 1125 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1126 NULL, NULL, NULL); 1127 if (error == 0) { 1128 audit_attributes(vp); 1129 VN_RELE(vp); 1130 } 1131 } 1132 1133 /* 1134 * ROUTINE: AUDIT_VNCREATE_START 1135 * PURPOSE: set flag so path name lookup in create will not add attribute 1136 * CALLBY: VN_CREATE 1137 * NOTE: 1138 * TODO: 1139 * QUESTION: 1140 */ 1141 1142 void 1143 audit_vncreate_start() 1144 { 1145 t_audit_data_t *tad; 1146 1147 tad = U2A(u); 1148 tad->tad_ctrl |= TAD_NOATTRB; 1149 } 1150 1151 /* 1152 * ROUTINE: AUDIT_VNCREATE_FINISH 1153 * PURPOSE: 1154 * CALLBY: VN_CREATE 1155 * NOTE: 1156 * TODO: 1157 * QUESTION: 1158 */ 1159 void 1160 audit_vncreate_finish(struct vnode *vp, int error) 1161 { 1162 t_audit_data_t *tad; 1163 1164 if (error) 1165 return; 1166 1167 tad = U2A(u); 1168 1169 /* if not auditing this event, then do nothing */ 1170 if (tad->tad_flag == 0) 1171 return; 1172 1173 if (tad->tad_ctrl & TAD_TRUE_CREATE) { 1174 audit_attributes(vp); 1175 } 1176 1177 if (tad->tad_ctrl & TAD_CORE) { 1178 audit_attributes(vp); 1179 tad->tad_ctrl &= ~TAD_CORE; 1180 } 1181 1182 if (!error && ((tad->tad_event == AUE_MKNOD) || 1183 (tad->tad_event == AUE_MKDIR))) { 1184 audit_attributes(vp); 1185 } 1186 1187 /* for case where multiple lookups in one syscall (rename) */ 1188 tad->tad_ctrl &= ~TAD_NOATTRB; 1189 } 1190 1191 1192 1193 1194 1195 1196 1197 1198 /* 1199 * ROUTINE: AUDIT_EXEC 1200 * PURPOSE: Records the function arguments and environment variables 1201 * CALLBY: EXEC_ARGS 1202 * NOTE: 1203 * TODO: 1204 * QUESTION: 1205 */ 1206 1207 void 1208 audit_exec( 1209 const char *argstr, /* argument strings */ 1210 const char *envstr, /* environment strings */ 1211 ssize_t argc, /* total # arguments */ 1212 ssize_t envc, /* total # environment variables */ 1213 cred_t *pfcred) /* the additional privileges in a profile */ 1214 { 1215 t_audit_data_t *tad; 1216 au_kcontext_t *kctx = GET_KCTX_PZ; 1217 1218 tad = U2A(u); 1219 1220 /* if not auditing this event, then do nothing */ 1221 if (!tad->tad_flag) 1222 return; 1223 1224 if (pfcred != NULL) { 1225 p_audit_data_t *pad; 1226 cred_t *cr = CRED(); 1227 priv_set_t pset = CR_IPRIV(cr); 1228 1229 pad = P2A(curproc); 1230 1231 /* It's a different event. */ 1232 tad->tad_event = AUE_PFEXEC; 1233 1234 /* Add the current working directory to the audit trail. */ 1235 if (pad->pad_cwd != NULL) 1236 au_uwrite(au_to_path(pad->pad_cwd)); 1237 1238 /* 1239 * The new credential is not yet in place when audit_exec 1240 * is called. 1241 * Compute the additional bits available in the new credential 1242 * and the limit set. 1243 */ 1244 priv_inverse(&pset); 1245 priv_intersect(&CR_IPRIV(pfcred), &pset); 1246 if (!priv_isemptyset(&pset) || 1247 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) { 1248 au_uwrite(au_to_privset( 1249 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV, 1250 0)); 1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT), 1252 &CR_LPRIV(pfcred), AUT_PRIV, 0)); 1253 } 1254 /* 1255 * Compare the uids & gids: create a process token if changed. 1256 */ 1257 if (crgetuid(cr) != crgetuid(pfcred) || 1258 crgetruid(cr) != crgetruid(pfcred) || 1259 crgetgid(cr) != crgetgid(pfcred) || 1260 crgetrgid(cr) != crgetrgid(pfcred)) { 1261 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr)); 1262 } 1263 } 1264 1265 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0) 1266 au_uwrite(au_to_exec_args(argstr, argc)); 1267 1268 if (kctx->auk_policy & AUDIT_ARGE) 1269 au_uwrite(au_to_exec_env(envstr, envc)); 1270 } 1271 1272 /* 1273 * ROUTINE: AUDIT_ENTERPROM 1274 * PURPOSE: 1275 * CALLBY: KBDINPUT 1276 * ZSA_XSINT 1277 * NOTE: 1278 * TODO: 1279 * QUESTION: 1280 */ 1281 void 1282 audit_enterprom(int flg) 1283 { 1284 token_t *rp = NULL; 1285 int sorf; 1286 1287 if (flg) 1288 sorf = AUM_SUCC; 1289 else 1290 sorf = AUM_FAIL; 1291 1292 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1293 1294 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1295 1296 if (flg) 1297 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1298 else 1299 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1300 1301 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL); 1302 } 1303 1304 1305 /* 1306 * ROUTINE: AUDIT_EXITPROM 1307 * PURPOSE: 1308 * CALLBY: KBDINPUT 1309 * ZSA_XSINT 1310 * NOTE: 1311 * TODO: 1312 * QUESTION: 1313 */ 1314 void 1315 audit_exitprom(int flg) 1316 { 1317 int sorf; 1318 token_t *rp = NULL; 1319 1320 if (flg) 1321 sorf = AUM_SUCC; 1322 else 1323 sorf = AUM_FAIL; 1324 1325 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1326 1327 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1328 1329 if (flg) 1330 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1331 else 1332 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1333 1334 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL); 1335 } 1336 1337 struct fcntla { 1338 int fdes; 1339 int cmd; 1340 intptr_t arg; 1341 }; 1342 1343 1344 /* 1345 * ROUTINE: AUDIT_CHDIREC 1346 * PURPOSE: 1347 * CALLBY: CHDIREC 1348 * NOTE: The main function of CHDIREC 1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1350 * QUESTION: 1351 */ 1352 1353 /*ARGSUSED*/ 1354 void 1355 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1356 { 1357 int chdir; 1358 int fchdir; 1359 struct audit_path **appp; 1360 struct file *fp; 1361 f_audit_data_t *fad; 1362 p_audit_data_t *pad = P2A(curproc); 1363 t_audit_data_t *tad = T2A(curthread); 1364 1365 struct a { 1366 long fd; 1367 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1368 1369 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1370 chdir = tad->tad_scid == SYS_chdir; 1371 if (tad->tad_aupath) { 1372 mutex_enter(&pad->pad_lock); 1373 if (chdir) 1374 appp = &(pad->pad_cwd); 1375 else 1376 appp = &(pad->pad_root); 1377 au_pathrele(*appp); 1378 /* use tad hold */ 1379 *appp = tad->tad_aupath; 1380 tad->tad_aupath = NULL; 1381 mutex_exit(&pad->pad_lock); 1382 } 1383 } else if ((tad->tad_scid == SYS_fchdir) || 1384 (tad->tad_scid == SYS_fchroot)) { 1385 fchdir = tad->tad_scid == SYS_fchdir; 1386 if ((fp = getf(uap->fd)) == NULL) 1387 return; 1388 fad = F2A(fp); 1389 if (fad->fad_aupath) { 1390 au_pathhold(fad->fad_aupath); 1391 mutex_enter(&pad->pad_lock); 1392 if (fchdir) 1393 appp = &(pad->pad_cwd); 1394 else 1395 appp = &(pad->pad_root); 1396 au_pathrele(*appp); 1397 *appp = fad->fad_aupath; 1398 mutex_exit(&pad->pad_lock); 1399 if (tad->tad_flag) { 1400 au_uwrite(au_to_path(fad->fad_aupath)); 1401 audit_attributes(fp->f_vnode); 1402 } 1403 } 1404 releasef(uap->fd); 1405 } 1406 } 1407 1408 1409 /* 1410 * Audit hook for stream based socket and tli request. 1411 * Note that we do not have user context while executing 1412 * this code so we had to record them earlier during the 1413 * putmsg/getmsg to figure out which user we are dealing with. 1414 */ 1415 1416 /*ARGSUSED*/ 1417 void 1418 audit_sock( 1419 int type, /* type of tihdr.h header requests */ 1420 queue_t *q, /* contains the process and thread audit data */ 1421 mblk_t *mp, /* contains the tihdr.h header structures */ 1422 int from) /* timod or sockmod request */ 1423 { 1424 int32_t len; 1425 int32_t offset; 1426 struct sockaddr_in *sock_data; 1427 struct T_conn_req *conn_req; 1428 struct T_conn_ind *conn_ind; 1429 struct T_unitdata_req *unitdata_req; 1430 struct T_unitdata_ind *unitdata_ind; 1431 au_state_t estate; 1432 t_audit_data_t *tad; 1433 caddr_t saved_thread_ptr; 1434 au_mask_t amask; 1435 const auditinfo_addr_t *ainfo; 1436 au_kcontext_t *kctx; 1437 1438 if (q->q_stream == NULL) 1439 return; 1440 mutex_enter(&q->q_stream->sd_lock); 1441 /* are we being audited */ 1442 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1443 /* no pointer to thread, nothing to do */ 1444 if (saved_thread_ptr == NULL) { 1445 mutex_exit(&q->q_stream->sd_lock); 1446 return; 1447 } 1448 /* only allow one addition of a record token */ 1449 q->q_stream->sd_t_audit_data = NULL; 1450 /* 1451 * thread is not the one being audited, then nothing to do 1452 * This could be the stream thread handling the module 1453 * service routine. In this case, the context for the audit 1454 * record can no longer be assumed. Simplest to just drop 1455 * the operation. 1456 */ 1457 if (curthread != (kthread_id_t)saved_thread_ptr) { 1458 mutex_exit(&q->q_stream->sd_lock); 1459 return; 1460 } 1461 if (curthread->t_sysnum >= SYS_so_socket && 1462 curthread->t_sysnum <= SYS_sockconfig) { 1463 mutex_exit(&q->q_stream->sd_lock); 1464 return; 1465 } 1466 mutex_exit(&q->q_stream->sd_lock); 1467 /* 1468 * we know that the thread that did the put/getmsg is the 1469 * one running. Now we can get the TAD and see if we should 1470 * add an audit token. 1471 */ 1472 tad = U2A(u); 1473 1474 kctx = GET_KCTX_PZ; 1475 1476 /* proceed ONLY if user is being audited */ 1477 if (!tad->tad_flag) 1478 return; 1479 1480 ainfo = crgetauinfo(CRED()); 1481 if (ainfo == NULL) 1482 return; 1483 amask = ainfo->ai_mask; 1484 1485 /* 1486 * Figure out the type of stream networking request here. 1487 * Note that getmsg and putmsg are always preselected 1488 * because during the beginning of the system call we have 1489 * not yet figure out which of the socket or tli request 1490 * we are looking at until we are here. So we need to check 1491 * against that specific request and reset the type of event. 1492 */ 1493 switch (type) { 1494 case T_CONN_REQ: /* connection request */ 1495 conn_req = (struct T_conn_req *)mp->b_rptr; 1496 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1497 return; 1498 offset = conn_req->DEST_offset; 1499 len = conn_req->DEST_length; 1500 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1501 if (amask.as_success & estate || amask.as_failure & estate) { 1502 tad->tad_event = AUE_SOCKCONNECT; 1503 break; 1504 } else { 1505 return; 1506 } 1507 case T_CONN_IND: /* connectionless receive request */ 1508 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1509 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1510 return; 1511 offset = conn_ind->SRC_offset; 1512 len = conn_ind->SRC_length; 1513 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1514 if (amask.as_success & estate || amask.as_failure & estate) { 1515 tad->tad_event = AUE_SOCKACCEPT; 1516 break; 1517 } else { 1518 return; 1519 } 1520 case T_UNITDATA_REQ: /* connectionless send request */ 1521 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1522 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1523 return; 1524 offset = unitdata_req->DEST_offset; 1525 len = unitdata_req->DEST_length; 1526 estate = kctx->auk_ets[AUE_SOCKSEND]; 1527 if (amask.as_success & estate || amask.as_failure & estate) { 1528 tad->tad_event = AUE_SOCKSEND; 1529 break; 1530 } else { 1531 return; 1532 } 1533 case T_UNITDATA_IND: /* connectionless receive request */ 1534 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1535 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1536 return; 1537 offset = unitdata_ind->SRC_offset; 1538 len = unitdata_ind->SRC_length; 1539 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1540 if (amask.as_success & estate || amask.as_failure & estate) { 1541 tad->tad_event = AUE_SOCKRECEIVE; 1542 break; 1543 } else { 1544 return; 1545 } 1546 default: 1547 return; 1548 } 1549 1550 /* 1551 * we are only interested in tcp stream connections, 1552 * not unix domain stuff 1553 */ 1554 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1555 tad->tad_event = AUE_GETMSG; 1556 return; 1557 } 1558 /* skip over TPI header and point to the ip address */ 1559 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1560 1561 switch (sock_data->sin_family) { 1562 case AF_INET: 1563 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1564 break; 1565 default: /* reset to AUE_PUTMSG if not a inet request */ 1566 tad->tad_event = AUE_GETMSG; 1567 break; 1568 } 1569 } 1570 1571 1572 static void 1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1574 { 1575 unsigned int sy_flags; 1576 1577 #ifdef _SYSCALL32_IMPL 1578 /* 1579 * Guard against t_lwp being NULL when this function is called 1580 * from a kernel queue instead of from a direct system call. 1581 * In that case, assume the running kernel data model. 1582 */ 1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1584 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1586 else 1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1588 #else 1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1590 #endif 1591 1592 if (sy_flags == SE_64RVAL) 1593 au_write(ad, au_to_return64(err, rval)); 1594 else 1595 au_write(ad, au_to_return32(err, rval)); 1596 1597 } 1598 1599 /*ARGSUSED*/ 1600 void 1601 audit_fdsend(fd, fp, error) 1602 int fd; 1603 struct file *fp; 1604 int error; /* ignore for now */ 1605 { 1606 t_audit_data_t *tad; /* current thread */ 1607 f_audit_data_t *fad; /* per file audit structure */ 1608 struct vnode *vp; /* for file attributes */ 1609 1610 /* is this system call being audited */ 1611 tad = U2A(u); 1612 ASSERT(tad != (t_audit_data_t *)0); 1613 if (!tad->tad_flag) 1614 return; 1615 1616 fad = F2A(fp); 1617 1618 /* add path and file attributes */ 1619 if (fad != NULL && fad->fad_aupath != NULL) { 1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1621 au_uwrite(au_to_path(fad->fad_aupath)); 1622 } else { 1623 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1624 #ifdef _LP64 1625 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1626 #else 1627 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1628 #endif 1629 } 1630 vp = fp->f_vnode; /* include vnode attributes */ 1631 audit_attributes(vp); 1632 } 1633 1634 /* 1635 * Record privileges successfully used and we attempted to use but 1636 * didn't have. 1637 */ 1638 void 1639 audit_priv(int priv, const priv_set_t *set, int flag) 1640 { 1641 t_audit_data_t *tad; 1642 int sbit; 1643 priv_set_t *target; 1644 1645 /* Make sure this isn't being called in an interrupt context */ 1646 ASSERT(servicing_interrupt() == 0); 1647 1648 tad = U2A(u); 1649 1650 if (tad->tad_flag == 0) 1651 return; 1652 1653 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1654 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1655 1656 /* Tell audit_success() and audit_finish() that we saw this case */ 1657 if (!(tad->tad_evmod & sbit)) { 1658 /* Clear set first time around */ 1659 priv_emptyset(target); 1660 tad->tad_evmod |= sbit; 1661 } 1662 1663 /* Save the privileges in the tad */ 1664 if (priv == PRIV_ALL) { 1665 priv_fillset(target); 1666 } else { 1667 ASSERT(set != NULL || priv != PRIV_NONE); 1668 if (set != NULL) 1669 priv_union(set, target); 1670 if (priv != PRIV_NONE) 1671 priv_addset(target, priv); 1672 } 1673 } 1674 1675 /* 1676 * Audit the setpriv() system call; the operation, the set name and 1677 * the current value as well as the set argument are put in the 1678 * audit trail. 1679 */ 1680 void 1681 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1682 { 1683 t_audit_data_t *tad; 1684 const priv_set_t *oldpriv; 1685 priv_set_t report; 1686 const char *setname; 1687 1688 tad = U2A(u); 1689 1690 if (tad->tad_flag == 0) 1691 return; 1692 1693 oldpriv = priv_getset(ocr, set); 1694 1695 /* Generate the actual record, include the before and after */ 1696 au_uwrite(au_to_arg32(2, "op", op)); 1697 setname = priv_getsetbynum(set); 1698 1699 switch (op) { 1700 case PRIV_OFF: 1701 /* Report privileges actually switched off */ 1702 report = *oldpriv; 1703 priv_intersect(newpriv, &report); 1704 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1705 break; 1706 case PRIV_ON: 1707 /* Report privileges actually switched on */ 1708 report = *oldpriv; 1709 priv_inverse(&report); 1710 priv_intersect(newpriv, &report); 1711 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1712 break; 1713 case PRIV_SET: 1714 /* Report before and after */ 1715 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1716 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1717 break; 1718 } 1719 } 1720 1721 /* 1722 * Dump the full device policy setting in the audit trail. 1723 */ 1724 void 1725 audit_devpolicy(int nitems, const devplcysys_t *items) 1726 { 1727 t_audit_data_t *tad; 1728 int i; 1729 1730 tad = U2A(u); 1731 1732 if (tad->tad_flag == 0) 1733 return; 1734 1735 for (i = 0; i < nitems; i++) { 1736 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 1737 if (items[i].dps_minornm[0] == '\0') { 1738 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 1739 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 1740 } else 1741 au_uwrite(au_to_text(items[i].dps_minornm)); 1742 1743 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 1744 AUT_PRIV, 0)); 1745 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 1746 AUT_PRIV, 0)); 1747 } 1748 } 1749 1750 /*ARGSUSED*/ 1751 void 1752 audit_fdrecv(fd, fp) 1753 int fd; 1754 struct file *fp; 1755 { 1756 t_audit_data_t *tad; /* current thread */ 1757 f_audit_data_t *fad; /* per file audit structure */ 1758 struct vnode *vp; /* for file attributes */ 1759 1760 /* is this system call being audited */ 1761 tad = U2A(u); 1762 ASSERT(tad != (t_audit_data_t *)0); 1763 if (!tad->tad_flag) 1764 return; 1765 1766 fad = F2A(fp); 1767 1768 /* add path and file attributes */ 1769 if (fad != NULL && fad->fad_aupath != NULL) { 1770 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1771 au_uwrite(au_to_path(fad->fad_aupath)); 1772 } else { 1773 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 1774 #ifdef _LP64 1775 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1776 #else 1777 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1778 #endif 1779 } 1780 vp = fp->f_vnode; /* include vnode attributes */ 1781 audit_attributes(vp); 1782 } 1783 1784 /* 1785 * ROUTINE: AUDIT_CRYPTOADM 1786 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 1787 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 1788 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 1789 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 1790 * CRYPTO_LOAD_DOOR 1791 * NOTE: 1792 * TODO: 1793 * QUESTION: 1794 */ 1795 1796 void 1797 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 1798 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 1799 { 1800 boolean_t mech_list_required = B_FALSE; 1801 cred_t *cr = CRED(); 1802 t_audit_data_t *tad; 1803 token_t *ad = NULL; 1804 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1805 char buffer[MAXNAMELEN * 2]; 1806 au_kcontext_t *kctx = GET_KCTX_PZ; 1807 1808 tad = U2A(u); 1809 if (tad == NULL) 1810 return; 1811 1812 if (ainfo == NULL) 1813 return; 1814 1815 tad->tad_event = AUE_CRYPTOADM; 1816 1817 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1818 return; 1819 1820 /* Add subject information */ 1821 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1822 1823 switch (cmd) { 1824 case CRYPTO_LOAD_DEV_DISABLED: 1825 if (error == 0 && rv == CRYPTO_SUCCESS) { 1826 (void) snprintf(buffer, sizeof (buffer), 1827 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 1828 " dev_instance=%d", 1829 module_name, device_instance); 1830 mech_list_required = B_TRUE; 1831 } else { 1832 (void) snprintf(buffer, sizeof (buffer), 1833 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 1834 } 1835 break; 1836 1837 case CRYPTO_LOAD_SOFT_DISABLED: 1838 if (error == 0 && rv == CRYPTO_SUCCESS) { 1839 (void) snprintf(buffer, sizeof (buffer), 1840 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 1841 module_name); 1842 mech_list_required = B_TRUE; 1843 } else { 1844 (void) snprintf(buffer, sizeof (buffer), 1845 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 1846 } 1847 break; 1848 1849 case CRYPTO_UNLOAD_SOFT_MODULE: 1850 if (error == 0 && rv == CRYPTO_SUCCESS) { 1851 (void) snprintf(buffer, sizeof (buffer), 1852 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 1853 module_name); 1854 } else { 1855 (void) snprintf(buffer, sizeof (buffer), 1856 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 1857 } 1858 break; 1859 1860 case CRYPTO_LOAD_SOFT_CONFIG: 1861 if (error == 0 && rv == CRYPTO_SUCCESS) { 1862 (void) snprintf(buffer, sizeof (buffer), 1863 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 1864 module_name); 1865 mech_list_required = B_TRUE; 1866 } else { 1867 (void) snprintf(buffer, sizeof (buffer), 1868 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 1869 } 1870 break; 1871 1872 case CRYPTO_POOL_CREATE: 1873 (void) snprintf(buffer, sizeof (buffer), 1874 "op=CRYPTO_POOL_CREATE"); 1875 break; 1876 1877 case CRYPTO_POOL_WAIT: 1878 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 1879 break; 1880 1881 case CRYPTO_POOL_RUN: 1882 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 1883 break; 1884 1885 case CRYPTO_LOAD_DOOR: 1886 if (error == 0 && rv == CRYPTO_SUCCESS) 1887 (void) snprintf(buffer, sizeof (buffer), 1888 "op=CRYPTO_LOAD_DOOR"); 1889 else 1890 (void) snprintf(buffer, sizeof (buffer), 1891 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 1892 break; 1893 1894 case CRYPTO_FIPS140_SET: 1895 (void) snprintf(buffer, sizeof (buffer), 1896 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv); 1897 break; 1898 1899 default: 1900 return; 1901 } 1902 1903 au_write((caddr_t *)&ad, au_to_text(buffer)); 1904 1905 if (mech_list_required) { 1906 int i; 1907 1908 if (mech_count == 0) { 1909 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 1910 } else { 1911 char *pb = buffer; 1912 size_t l = sizeof (buffer); 1913 size_t n; 1914 char space[2] = ":"; 1915 1916 n = snprintf(pb, l, "mech="); 1917 1918 for (i = 0; i < mech_count; i++) { 1919 pb += n; 1920 l -= n; 1921 if (l < 0) 1922 l = 0; 1923 1924 if (i == mech_count - 1) 1925 (void) strcpy(space, ""); 1926 1927 n = snprintf(pb, l, "%s%s", mech_names[i], 1928 space); 1929 } 1930 au_write((caddr_t *)&ad, au_to_text(buffer)); 1931 } 1932 } 1933 1934 /* add a return token */ 1935 if (error || (rv != CRYPTO_SUCCESS)) 1936 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 1937 else 1938 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 1939 1940 AS_INC(as_generated, 1, kctx); 1941 AS_INC(as_kernel, 1, kctx); 1942 1943 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod, 1944 NULL); 1945 } 1946 1947 /* 1948 * Audit the kernel SSL administration command. The address and the 1949 * port number for the SSL instance, and the proxy port are put in the 1950 * audit trail. 1951 */ 1952 void 1953 audit_kssl(int cmd, void *params, int error) 1954 { 1955 cred_t *cr = CRED(); 1956 t_audit_data_t *tad; 1957 token_t *ad = NULL; 1958 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1959 au_kcontext_t *kctx = GET_KCTX_PZ; 1960 1961 tad = U2A(u); 1962 1963 if (ainfo == NULL) 1964 return; 1965 1966 tad->tad_event = AUE_CONFIGKSSL; 1967 1968 if (audit_success(kctx, tad, error, NULL) != AU_OK) 1969 return; 1970 1971 /* Add subject information */ 1972 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 1973 1974 switch (cmd) { 1975 case KSSL_ADD_ENTRY: { 1976 char buf[32]; 1977 kssl_params_t *kp = (kssl_params_t *)params; 1978 struct sockaddr_in6 *saddr = &kp->kssl_addr; 1979 1980 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 1981 au_write((caddr_t *)&ad, 1982 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 1983 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 1984 saddr->sin6_port); 1985 au_write((caddr_t *)&ad, au_to_text(buf)); 1986 1987 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 1988 kp->kssl_proxy_port); 1989 au_write((caddr_t *)&ad, au_to_text(buf)); 1990 break; 1991 } 1992 1993 case KSSL_DELETE_ENTRY: { 1994 char buf[32]; 1995 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params; 1996 1997 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 1998 au_write((caddr_t *)&ad, 1999 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr)); 2000 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2001 saddr->sin6_port); 2002 au_write((caddr_t *)&ad, au_to_text(buf)); 2003 break; 2004 } 2005 2006 default: 2007 return; 2008 } 2009 2010 /* add a return token */ 2011 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2012 2013 AS_INC(as_generated, 1, kctx); 2014 AS_INC(as_kernel, 1, kctx); 2015 2016 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod, 2017 NULL); 2018 } 2019 2020 /* 2021 * Audit the kernel PF_POLICY administration commands. Record command, 2022 * zone, policy type (global or tunnel, active or inactive) 2023 */ 2024 /* 2025 * ROUTINE: AUDIT_PF_POLICY 2026 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2027 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2028 * SPD_CLONE, SPD_FLIP 2029 * NOTE: 2030 * TODO: 2031 * QUESTION: 2032 */ 2033 2034 void 2035 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2036 boolean_t active, int error, pid_t pid) 2037 { 2038 const auditinfo_addr_t *ainfo; 2039 t_audit_data_t *tad; 2040 token_t *ad = NULL; 2041 au_kcontext_t *kctx = GET_KCTX_PZ; 2042 char buf[80]; 2043 int flag; 2044 2045 tad = U2A(u); 2046 if (tad == NULL) 2047 return; 2048 2049 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2050 if (ainfo == NULL) 2051 return; 2052 2053 /* 2054 * Initialize some variables since these are only set 2055 * with system calls. 2056 */ 2057 2058 switch (cmd) { 2059 case SPD_ADDRULE: { 2060 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2061 break; 2062 } 2063 2064 case SPD_DELETERULE: { 2065 tad->tad_event = AUE_PF_POLICY_DELRULE; 2066 break; 2067 } 2068 2069 case SPD_FLUSH: { 2070 tad->tad_event = AUE_PF_POLICY_FLUSH; 2071 break; 2072 } 2073 2074 case SPD_UPDATEALGS: { 2075 tad->tad_event = AUE_PF_POLICY_ALGS; 2076 break; 2077 } 2078 2079 case SPD_CLONE: { 2080 tad->tad_event = AUE_PF_POLICY_CLONE; 2081 break; 2082 } 2083 2084 case SPD_FLIP: { 2085 tad->tad_event = AUE_PF_POLICY_FLIP; 2086 break; 2087 } 2088 2089 default: 2090 tad->tad_event = AUE_NULL; 2091 } 2092 2093 tad->tad_evmod = 0; 2094 2095 if (flag = audit_success(kctx, tad, error, cred)) { 2096 zone_t *nszone; 2097 2098 /* 2099 * For now, just audit that an event happened, 2100 * along with the error code. 2101 */ 2102 au_write((caddr_t *)&ad, 2103 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2104 au_write((caddr_t *)&ad, 2105 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2106 2107 /* Supplemental data */ 2108 2109 /* 2110 * Generate this zone token if the target zone differs 2111 * from the administrative zone. If netstacks are expanded 2112 * to something other than a 1-1 relationship with zones, 2113 * the auditing framework should create a new token type 2114 * and audit it as a netstack instead. 2115 * Turn on general zone auditing to get the administrative zone. 2116 */ 2117 2118 nszone = zone_find_by_id(netstackid_to_zoneid( 2119 ns->netstack_stackid)); 2120 if (nszone != NULL) { 2121 if (strncmp(crgetzone(cred)->zone_name, 2122 nszone->zone_name, ZONENAME_MAX) != 0) { 2123 token_t *ztoken; 2124 2125 ztoken = au_to_zonename(0, nszone); 2126 au_write((caddr_t *)&ad, ztoken); 2127 } 2128 zone_rele(nszone); 2129 } 2130 2131 if (tun != NULL) { 2132 /* write tunnel name - tun is bounded */ 2133 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2134 tun); 2135 au_write((caddr_t *)&ad, au_to_text(buf)); 2136 } 2137 2138 /* Add subject information */ 2139 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2140 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2141 2142 /* add a return token */ 2143 add_return_token((caddr_t *)&ad, 0, error, 0); 2144 2145 AS_INC(as_generated, 1, kctx); 2146 AS_INC(as_kernel, 1, kctx); 2147 2148 } 2149 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod, 2150 NULL); 2151 2152 /* 2153 * clear the ctrl flag so that we don't have spurious collection of 2154 * audit information. 2155 */ 2156 tad->tad_scid = 0; 2157 tad->tad_event = 0; 2158 tad->tad_evmod = 0; 2159 tad->tad_ctrl = 0; 2160 } 2161 2162 /* 2163 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2164 * PURPOSE: Add security attributes 2165 * CALLBY: AUDIT_ATTRIBUTES 2166 * AUDIT_CLOSEF 2167 * AUS_CLOSE 2168 * NOTE: 2169 * TODO: 2170 * QUESTION: 2171 */ 2172 2173 void 2174 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2175 { 2176 /* Dump the SL */ 2177 if (is_system_labeled()) { 2178 ts_label_t *tsl; 2179 bslabel_t *bsl; 2180 2181 tsl = getflabel(vp); 2182 if (tsl == NULL) 2183 return; /* nothing else to do */ 2184 2185 bsl = label2bslabel(tsl); 2186 if (bsl == NULL) 2187 return; /* nothing else to do */ 2188 au_write(ad, au_to_label(bsl)); 2189 label_rele(tsl); 2190 } 2191 2192 } /* AUDIT_SEC_ATTRIBUTES */ 2193