1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #include <sys/types.h> 33 #include <sys/proc.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/syscall.h> 42 #include <sys/fcntl.h> 43 #include <sys/ipc_impl.h> 44 #include <sys/msg_impl.h> 45 #include <sys/sem_impl.h> 46 #include <sys/shm_impl.h> 47 #include <sys/kmem.h> /* for KM_SLEEP */ 48 #include <sys/socket.h> 49 #include <sys/cmn_err.h> /* snprintf... */ 50 #include <sys/debug.h> 51 #include <sys/thread.h> 52 #include <netinet/in.h> 53 #include <c2/audit.h> /* needs to be included before user.h */ 54 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 55 #include <c2/audit_kevents.h> 56 #include <c2/audit_record.h> 57 #include <sys/strsubr.h> 58 #include <sys/tihdr.h> 59 #include <sys/tiuser.h> 60 #include <sys/timod.h> 61 #include <sys/model.h> /* for model_t */ 62 #include <sys/disp.h> /* for servicing_interrupt() */ 63 #include <sys/devpolicy.h> 64 #include <sys/crypto/ioctladmin.h> 65 #include <inet/kssl/kssl.h> 66 #include <sys/tsol/label.h> 67 68 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 69 70 static void audit_pathbuild(struct pathname *pnp); 71 72 /* 73 * ROUTINE: AUDIT_NEWPROC 74 * PURPOSE: initialize the child p_audit_data structure 75 * CALLBY: GETPROC 76 * NOTE: All threads for the parent process are locked at this point. 77 * We are essentially running singled threaded for this reason. 78 * GETPROC is called when system creates a new process. 79 * By the time AUDIT_NEWPROC is called, the child proc 80 * structure has already been initialized. What we need 81 * to do is to allocate the child p_audit_data and 82 * initialize it with the content of current parent process. 83 */ 84 85 void 86 audit_newproc(struct proc *cp) /* initialized child proc structure */ 87 { 88 p_audit_data_t *pad; /* child process audit data */ 89 p_audit_data_t *opad; /* parent process audit data */ 90 91 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 92 93 P2A(cp) = pad; 94 95 opad = P2A(curproc); 96 97 /* 98 * copy the audit data. Note that all threads of current 99 * process have been "held". Thus there is no race condition 100 * here with mutiple threads trying to alter the cwrd 101 * structure (such as releasing it). 102 * 103 * The audit context in the cred is "duplicated" for the new 104 * proc by elsewhere crhold'ing the parent's cred which it shares. 105 * 106 * We still want to hold things since auditon() [A_SETUMASK, 107 * A_SETSMASK] could be walking through the processes to 108 * update things. 109 */ 110 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 111 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 112 au_pathhold(pad->pad_root); 113 au_pathhold(pad->pad_cwd); 114 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 115 116 /* 117 * finish auditing of parent here so that it will be done 118 * before child has a chance to run. We include the child 119 * pid since the return value in the return token is a dummy 120 * one and contains no useful information (it is included to 121 * make the audit record structure consistant). 122 * 123 * tad_flag is set if auditing is on 124 */ 125 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 126 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 127 128 /* 129 * finish up audit record generation here because child process 130 * is set to run before parent process. We distinguish here 131 * between FORK, FORK1, or VFORK by the saved system call ID. 132 */ 133 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 134 } 135 136 /* 137 * ROUTINE: AUDIT_PFREE 138 * PURPOSE: deallocate the per-process udit data structure 139 * CALLBY: EXIT 140 * FORK_FAIL 141 * NOTE: all lwp except current one have stopped in SEXITLWPS 142 * why we are single threaded? 143 * . all lwp except current one have stopped in SEXITLWPS. 144 */ 145 void 146 audit_pfree(struct proc *p) /* proc structure to be freed */ 147 148 { /* AUDIT_PFREE */ 149 150 p_audit_data_t *pad; 151 152 pad = P2A(p); 153 154 /* better be a per process audit data structure */ 155 ASSERT(pad != (p_audit_data_t *)0); 156 157 if (pad == pad0) { 158 return; 159 } 160 161 /* deallocate all auditing resources for this process */ 162 au_pathrele(pad->pad_root); 163 au_pathrele(pad->pad_cwd); 164 165 /* 166 * Since the pad structure is completely overwritten after alloc, 167 * we don't bother to clear it. 168 */ 169 170 kmem_cache_free(au_pad_cache, pad); 171 } 172 173 /* 174 * ROUTINE: AUDIT_THREAD_CREATE 175 * PURPOSE: allocate per-process thread audit data structure 176 * CALLBY: THREAD_CREATE 177 * NOTE: This is called just after *t was bzero'd. 178 * We are single threaded in this routine. 179 * TODO: 180 * QUESTION: 181 */ 182 183 void 184 audit_thread_create(kthread_id_t t) 185 { 186 t_audit_data_t *tad; /* per-thread audit data */ 187 188 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 189 190 T2A(t) = tad; /* set up thread audit data ptr */ 191 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 192 } 193 194 /* 195 * ROUTINE: AUDIT_THREAD_FREE 196 * PURPOSE: free the per-thread audit data structure 197 * CALLBY: THREAD_FREE 198 * NOTE: most thread data is clear after return 199 */ 200 void 201 audit_thread_free(kthread_t *t) 202 { 203 t_audit_data_t *tad; 204 au_defer_info_t *attr; 205 206 tad = T2A(t); 207 208 /* thread audit data must still be set */ 209 210 if (tad == tad0) { 211 return; 212 } 213 214 if (tad == NULL) { 215 return; 216 } 217 218 t->t_audit_data = 0; 219 220 /* must not have any audit record residual */ 221 ASSERT(tad->tad_ad == NULL); 222 223 /* saved path must be empty */ 224 ASSERT(tad->tad_aupath == NULL); 225 226 if (tad->tad_atpath) 227 au_pathrele(tad->tad_atpath); 228 229 attr = tad->tad_defer_head; 230 while (attr != NULL) { 231 au_defer_info_t *tmp_attr = attr; 232 233 au_free_rec(attr->audi_ad); 234 235 attr = attr->audi_next; 236 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 237 } 238 239 kmem_free(tad, sizeof (*tad)); 240 } 241 242 /* 243 * ROUTINE: AUDIT_SAVEPATH 244 * PURPOSE: 245 * CALLBY: LOOKUPPN 246 * 247 * NOTE: We have reached the end of a path in fs/lookup.c. 248 * We get two pieces of information here: 249 * the vnode of the last component (vp) and 250 * the status of the last access (flag). 251 * TODO: 252 * QUESTION: 253 */ 254 255 /*ARGSUSED*/ 256 int 257 audit_savepath( 258 struct pathname *pnp, /* pathname to lookup */ 259 struct vnode *vp, /* vnode of the last component */ 260 int flag, /* status of the last access */ 261 cred_t *cr) /* cred of requestor */ 262 { 263 264 t_audit_data_t *tad; /* current thread */ 265 p_audit_data_t *pad; /* current process */ 266 au_kcontext_t *kctx = SET_KCTX_PZ; 267 268 if (kctx == NULL) { 269 zone_status_t zstate = zone_status_get(curproc->p_zone); 270 ASSERT(zstate != ZONE_IS_READY); 271 return (0); 272 } 273 274 tad = U2A(u); 275 ASSERT(tad != (t_audit_data_t *)0); 276 pad = P2A(curproc); 277 ASSERT(pad != (p_audit_data_t *)0); 278 279 /* 280 * this event being audited or do we need path information 281 * later? This might be for a chdir/chroot or open (add path 282 * to file pointer. If the path has already been found for an 283 * open/creat then we don't need to process the path. 284 * 285 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 286 * chroot, chdir, open, creat system call processing. It determines 287 * if audit_savepath() will discard the path or we need it later. 288 * PAD_PATHFND means path already included in this audit record. It 289 * is used in cases where multiple path lookups are done per 290 * system call. The policy flag, AUDIT_PATH, controls if multiple 291 * paths are allowed. 292 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 293 * exit processing to inhibit any paths that may be added due to 294 * closes. 295 */ 296 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 297 ((tad->tad_ctrl & PAD_PATHFND) && 298 !(kctx->auk_policy & AUDIT_PATH)) || 299 (tad->tad_ctrl & PAD_NOPATH)) { 300 return (0); 301 } 302 303 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 304 305 audit_pathbuild(pnp); 306 tad->tad_vn = vp; 307 308 /* 309 * are we auditing only if error, or if it is not open or create 310 * otherwise audit_setf will do it 311 */ 312 313 if (tad->tad_flag) { 314 if (flag && (tad->tad_scid == SYS_open || 315 tad->tad_scid == SYS_open64 || 316 tad->tad_scid == SYS_creat || 317 tad->tad_scid == SYS_creat64 || 318 tad->tad_scid == SYS_fsat)) { 319 tad->tad_ctrl |= PAD_TRUE_CREATE; 320 } 321 322 /* add token to audit record for this name */ 323 au_uwrite(au_to_path(tad->tad_aupath)); 324 325 /* add the attributes of the object */ 326 if (vp) { 327 /* 328 * only capture attributes when there is no error 329 * lookup will not return the vnode of the failing 330 * component. 331 * 332 * if there was a lookup error, then don't add 333 * attribute. if lookup in vn_create(), 334 * then don't add attribute, 335 * it will be added at end of vn_create(). 336 */ 337 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 338 audit_attributes(vp); 339 } 340 } 341 342 /* free up space if we're not going to save path (open, crate) */ 343 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 344 if (tad->tad_aupath != NULL) { 345 au_pathrele(tad->tad_aupath); 346 tad->tad_aupath = NULL; 347 tad->tad_vn = NULL; 348 } 349 } 350 if (tad->tad_ctrl & PAD_MLD) 351 tad->tad_ctrl |= PAD_PATHFND; 352 353 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 354 return (0); 355 } 356 357 static void 358 audit_pathbuild(struct pathname *pnp) 359 { 360 char *pp; /* pointer to path */ 361 int len; /* length of incoming segment */ 362 int newsect; /* path requires a new section */ 363 struct audit_path *pfxapp; /* prefix for path */ 364 struct audit_path *newapp; /* new audit_path */ 365 t_audit_data_t *tad; /* current thread */ 366 p_audit_data_t *pad; /* current process */ 367 368 tad = U2A(u); 369 ASSERT(tad != NULL); 370 pad = P2A(curproc); 371 ASSERT(pad != NULL); 372 373 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 374 ASSERT(len > 0); 375 376 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 377 mutex_enter(&pad->pad_lock); 378 if (tad->tad_aupath != NULL) { 379 pfxapp = tad->tad_aupath; 380 } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 381 ASSERT(tad->tad_atpath != NULL); 382 pfxapp = tad->tad_atpath; 383 } else if (tad->tad_ctrl & PAD_ABSPATH) { 384 pfxapp = pad->pad_root; 385 } else { 386 pfxapp = pad->pad_cwd; 387 } 388 au_pathhold(pfxapp); 389 mutex_exit(&pad->pad_lock); 390 391 /* get an expanded buffer to hold the anchored path */ 392 newsect = tad->tad_ctrl & PAD_ATPATH; 393 newapp = au_pathdup(pfxapp, newsect, len); 394 au_pathrele(pfxapp); 395 396 pp = newapp->audp_sect[newapp->audp_cnt] - len; 397 if (!newsect) { 398 /* overlay previous NUL terminator */ 399 *(pp - 1) = '/'; 400 } 401 402 /* now add string of processed path */ 403 bcopy(pnp->pn_buf, pp, len); 404 pp[len - 1] = '\0'; 405 406 /* perform path simplification as necessary */ 407 audit_fixpath(newapp, len); 408 409 if (tad->tad_aupath) 410 au_pathrele(tad->tad_aupath); 411 tad->tad_aupath = newapp; 412 413 /* for case where multiple lookups in one syscall (rename) */ 414 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 415 } 416 417 418 419 /*ARGSUSED*/ 420 421 /* 422 * ROUTINE: AUDIT_ADDCOMPONENT 423 * PURPOSE: extend the path by the component accepted 424 * CALLBY: LOOKUPPN 425 * NOTE: This function is called only when there is an error in 426 * parsing a path component 427 * TODO: Add the error component to audit record 428 * QUESTION: what is this for 429 */ 430 431 void 432 audit_addcomponent(struct pathname *pnp) 433 { 434 au_kcontext_t *kctx = SET_KCTX_PZ; 435 t_audit_data_t *tad; 436 437 if (kctx == NULL) { 438 zone_status_t zstate = zone_status_get(curproc->p_zone); 439 ASSERT(zstate != ZONE_IS_READY); 440 return; 441 } 442 443 tad = U2A(u); 444 /* 445 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 446 * chroot, chdir, open, creat system call processing. It determines 447 * if audit_savepath() will discard the path or we need it later. 448 * PAD_PATHFND means path already included in this audit record. It 449 * is used in cases where multiple path lookups are done per 450 * system call. The policy flag, AUDIT_PATH, controls if multiple 451 * paths are allowed. 452 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 453 * exit processing to inhibit any paths that may be added due to 454 * closes. 455 */ 456 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 457 ((tad->tad_ctrl & PAD_PATHFND) && 458 !(kctx->auk_policy & AUDIT_PATH)) || 459 (tad->tad_ctrl & PAD_NOPATH)) { 460 return; 461 } 462 463 return; 464 465 } /* AUDIT_ADDCOMPONENT */ 466 467 468 469 470 471 472 473 474 /* 475 * ROUTINE: AUDIT_ANCHORPATH 476 * PURPOSE: 477 * CALLBY: LOOKUPPN 478 * NOTE: 479 * anchor path at "/". We have seen a symbolic link or entering for the 480 * first time we will throw away any saved path if path is anchored. 481 * 482 * flag = 0, path is relative. 483 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 484 * 485 * If the (new) path is absolute, then we have to throw away whatever we have 486 * already accumulated since it is being superceeded by new path which is 487 * anchored at the root. 488 * Note that if the path is relative, this function does nothing 489 * TODO: 490 * QUESTION: 491 */ 492 /*ARGSUSED*/ 493 void 494 audit_anchorpath(struct pathname *pnp, int flag) 495 { 496 au_kcontext_t *kctx = SET_KCTX_PZ; 497 t_audit_data_t *tad; 498 499 if (kctx == NULL) { 500 zone_status_t zstate = zone_status_get(curproc->p_zone); 501 ASSERT(zstate != ZONE_IS_READY); 502 return; 503 } 504 505 tad = U2A(u); 506 507 /* 508 * this event being audited or do we need path information 509 * later? This might be for a chdir/chroot or open (add path 510 * to file pointer. If the path has already been found for an 511 * open/creat then we don't need to process the path. 512 * 513 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 514 * chroot, chdir, open, creat system call processing. It determines 515 * if audit_savepath() will discard the path or we need it later. 516 * PAD_PATHFND means path already included in this audit record. It 517 * is used in cases where multiple path lookups are done per 518 * system call. The policy flag, AUDIT_PATH, controls if multiple 519 * paths are allowed. 520 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 521 * exit processing to inhibit any paths that may be added due to 522 * closes. 523 */ 524 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 525 ((tad->tad_ctrl & PAD_PATHFND) && 526 !(kctx->auk_policy & AUDIT_PATH)) || 527 (tad->tad_ctrl & PAD_NOPATH)) { 528 return; 529 } 530 531 if (flag) { 532 tad->tad_ctrl |= PAD_ABSPATH; 533 if (tad->tad_aupath != NULL) { 534 au_pathrele(tad->tad_aupath); 535 tad->tad_aupath = NULL; 536 tad->tad_vn = NULL; 537 } 538 } 539 } 540 541 542 /* 543 * symbolic link. Save previous components. 544 * 545 * the path seen so far looks like this 546 * 547 * +-----------------------+----------------+ 548 * | path processed so far | remaining path | 549 * +-----------------------+----------------+ 550 * \-----------------------/ 551 * save this string if 552 * symbolic link relative 553 * (but don't include symlink component) 554 */ 555 556 /*ARGSUSED*/ 557 558 559 /* 560 * ROUTINE: AUDIT_SYMLINK 561 * PURPOSE: 562 * CALLBY: LOOKUPPN 563 * NOTE: 564 * TODO: 565 * QUESTION: 566 */ 567 void 568 audit_symlink(struct pathname *pnp, struct pathname *sympath) 569 { 570 char *sp; /* saved initial pp */ 571 char *cp; /* start of symlink path */ 572 uint_t len_path; /* processed path before symlink */ 573 t_audit_data_t *tad; 574 au_kcontext_t *kctx = SET_KCTX_PZ; 575 576 if (kctx == NULL) { 577 zone_status_t zstate = zone_status_get(curproc->p_zone); 578 ASSERT(zstate != ZONE_IS_READY); 579 return; 580 } 581 582 tad = U2A(u); 583 584 /* 585 * this event being audited or do we need path information 586 * later? This might be for a chdir/chroot or open (add path 587 * to file pointer. If the path has already been found for an 588 * open/creat then we don't need to process the path. 589 * 590 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 591 * chroot, chdir, open, creat system call processing. It determines 592 * if audit_savepath() will discard the path or we need it later. 593 * PAD_PATHFND means path already included in this audit record. It 594 * is used in cases where multiple path lookups are done per 595 * system call. The policy flag, AUDIT_PATH, controls if multiple 596 * paths are allowed. 597 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 598 * exit processing to inhibit any paths that may be added due to 599 * closes. 600 */ 601 if ((tad->tad_flag == 0 && 602 !(tad->tad_ctrl & PAD_SAVPATH)) || 603 ((tad->tad_ctrl & PAD_PATHFND) && 604 !(kctx->auk_policy & AUDIT_PATH)) || 605 (tad->tad_ctrl & PAD_NOPATH)) { 606 return; 607 } 608 609 /* 610 * if symbolic link is anchored at / then do nothing. 611 * When we cycle back to begin: in lookuppn() we will 612 * call audit_anchorpath() with a flag indicating if the 613 * path is anchored at / or is relative. We will release 614 * any saved path at that point. 615 * 616 * Note In the event that an error occurs in pn_combine then 617 * we want to remain pointing at the component that caused the 618 * path to overflow the pnp structure. 619 */ 620 if (sympath->pn_buf[0] == '/') 621 return; 622 623 /* backup over last component */ 624 sp = cp = pnp->pn_path; 625 while (*--cp != '/' && cp > pnp->pn_buf) 626 ; 627 628 len_path = cp - pnp->pn_buf; 629 630 /* is there anything to save? */ 631 if (len_path) { 632 pnp->pn_path = cp; 633 audit_pathbuild(pnp); 634 pnp->pn_path = sp; 635 } 636 } 637 638 /* 639 * file_is_public : determine whether events for the file (corresponding to 640 * the specified file attr) should be audited or ignored. 641 * 642 * returns: 1 - if audit policy and file attributes indicate that 643 * file is effectively public. read events for 644 * the file should not be audited. 645 * 0 - otherwise 646 * 647 * The required attributes to be considered a public object are: 648 * - owned by root, AND 649 * - world-readable (permissions for other include read), AND 650 * - NOT world-writeable (permissions for other don't 651 * include write) 652 * (mode doesn't need to be checked for symlinks) 653 */ 654 int 655 file_is_public(struct vattr *attr) 656 { 657 au_kcontext_t *kctx = SET_KCTX_PZ; 658 659 if (kctx == NULL) { 660 zone_status_t zstate = zone_status_get(curproc->p_zone); 661 ASSERT(zstate != ZONE_IS_READY); 662 return (0); 663 } 664 665 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 666 ((attr->va_type == VLNK) || 667 ((attr->va_mode & (VREAD>>6)) != 0) && 668 ((attr->va_mode & (VWRITE>>6)) == 0))) { 669 return (1); 670 } 671 return (0); 672 } 673 674 675 /* 676 * ROUTINE: AUDIT_ATTRIBUTES 677 * PURPOSE: Audit the attributes so we can tell why the error occured 678 * CALLBY: AUDIT_SAVEPATH 679 * AUDIT_VNCREATE_FINISH 680 * AUS_FCHOWN...audit_event.c...audit_path.c 681 * NOTE: 682 * TODO: 683 * QUESTION: 684 */ 685 void 686 audit_attributes(struct vnode *vp) 687 { 688 struct vattr attr; 689 struct t_audit_data *tad; 690 691 tad = U2A(u); 692 693 if (vp) { 694 attr.va_mask = AT_ALL; 695 if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0) 696 return; 697 698 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 699 /* 700 * This is a public object and a "public" event 701 * (i.e., read only) -- either by definition 702 * (e.g., stat, access...) or by virtue of write access 703 * not being requested (e.g. mmap). 704 * Flag it in the tad to prevent this audit at the end. 705 */ 706 tad->tad_ctrl |= PAD_NOAUDIT; 707 } else { 708 au_uwrite(au_to_attr(&attr)); 709 audit_sec_attributes(&(u_ad), vp); 710 } 711 } 712 } 713 714 715 /* 716 * ROUTINE: AUDIT_FALLOC 717 * PURPOSE: allocating a new file structure 718 * CALLBY: FALLOC 719 * NOTE: file structure already initialized 720 * TODO: 721 * QUESTION: 722 */ 723 724 void 725 audit_falloc(struct file *fp) 726 { /* AUDIT_FALLOC */ 727 728 f_audit_data_t *fad; 729 730 /* allocate per file audit structure if there a'int any */ 731 ASSERT(F2A(fp) == NULL); 732 733 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 734 735 F2A(fp) = fad; 736 737 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 738 } 739 740 /* 741 * ROUTINE: AUDIT_UNFALLOC 742 * PURPOSE: deallocate file audit data structure 743 * CALLBY: CLOSEF 744 * UNFALLOC 745 * NOTE: 746 * TODO: 747 * QUESTION: 748 */ 749 750 void 751 audit_unfalloc(struct file *fp) 752 { 753 f_audit_data_t *fad; 754 755 fad = F2A(fp); 756 757 if (!fad) { 758 return; 759 } 760 if (fad->fad_aupath != NULL) { 761 au_pathrele(fad->fad_aupath); 762 } 763 fp->f_audit_data = 0; 764 kmem_free(fad, sizeof (struct f_audit_data)); 765 } 766 767 /* 768 * ROUTINE: AUDIT_EXIT 769 * PURPOSE: 770 * CALLBY: EXIT 771 * NOTE: 772 * TODO: 773 * QUESTION: why cmw code as offset by 2 but not here 774 */ 775 /* ARGSUSED */ 776 void 777 audit_exit(int code, int what) 778 { 779 struct t_audit_data *tad; 780 tad = U2A(u); 781 782 /* 783 * tad_scid will be set by audit_start even if we are not auditing 784 * the event. 785 */ 786 if (tad->tad_scid == SYS_exit) { 787 /* 788 * if we are auditing the exit system call, then complete 789 * audit record generation (no return from system call). 790 */ 791 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 792 audit_finish(0, SYS_exit, 0, 0); 793 return; 794 } 795 796 /* 797 * Anyone auditing the system call that was aborted? 798 */ 799 if (tad->tad_flag) { 800 au_uwrite(au_to_text("event aborted")); 801 audit_finish(0, tad->tad_scid, 0, 0); 802 } 803 804 /* 805 * Generate an audit record for process exit if preselected. 806 */ 807 (void) audit_start(0, SYS_exit, 0, 0); 808 audit_finish(0, SYS_exit, 0, 0); 809 } 810 811 /* 812 * ROUTINE: AUDIT_CORE_START 813 * PURPOSE: 814 * CALLBY: PSIG 815 * NOTE: 816 * TODO: 817 */ 818 void 819 audit_core_start(int sig) 820 { 821 au_event_t event; 822 au_state_t estate; 823 t_audit_data_t *tad; 824 au_kcontext_t *kctx; 825 826 tad = U2A(u); 827 828 ASSERT(tad != (t_audit_data_t *)0); 829 830 ASSERT(tad->tad_scid == 0); 831 ASSERT(tad->tad_event == 0); 832 ASSERT(tad->tad_evmod == 0); 833 ASSERT(tad->tad_ctrl == 0); 834 ASSERT(tad->tad_flag == 0); 835 ASSERT(tad->tad_aupath == NULL); 836 837 kctx = SET_KCTX_PZ; 838 839 if (kctx == NULL) { 840 zone_status_t zstate = zone_status_get(curproc->p_zone); 841 ASSERT(zstate != ZONE_IS_READY); 842 return; 843 } 844 845 /* get basic event for system call */ 846 event = AUE_CORE; 847 estate = kctx->auk_ets[event]; 848 849 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 850 return; 851 852 /* reset the flags for non-user attributable events */ 853 tad->tad_ctrl = PAD_CORE; 854 tad->tad_scid = 0; 855 856 /* if auditing not enabled, then don't generate an audit record */ 857 858 if (!((kctx->auk_auditstate == AUC_AUDITING || 859 kctx->auk_auditstate == AUC_INIT_AUDIT) || 860 kctx->auk_auditstate == AUC_NOSPACE)) { 861 tad->tad_flag = 0; 862 tad->tad_ctrl = 0; 863 return; 864 } 865 866 tad->tad_event = event; 867 tad->tad_evmod = 0; 868 869 ASSERT(tad->tad_ad == NULL); 870 871 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 872 } 873 874 /* 875 * ROUTINE: AUDIT_CORE_FINISH 876 * PURPOSE: 877 * CALLBY: PSIG 878 * NOTE: 879 * TODO: 880 * QUESTION: 881 */ 882 883 /*ARGSUSED*/ 884 void 885 audit_core_finish(int code) 886 { 887 int flag; 888 t_audit_data_t *tad; 889 au_kcontext_t *kctx; 890 891 tad = U2A(u); 892 893 ASSERT(tad != (t_audit_data_t *)0); 894 895 if ((flag = tad->tad_flag) == 0) { 896 tad->tad_event = 0; 897 tad->tad_evmod = 0; 898 tad->tad_ctrl = 0; 899 ASSERT(tad->tad_aupath == NULL); 900 return; 901 } 902 tad->tad_flag = 0; 903 904 kctx = SET_KCTX_PZ; 905 if (kctx == NULL) { 906 zone_status_t zstate = zone_status_get(curproc->p_zone); 907 ASSERT(zstate != ZONE_IS_READY); 908 return; 909 } 910 911 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 912 if (flag = audit_success(kctx, tad, 0)) { 913 cred_t *cr = CRED(); 914 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 915 916 ASSERT(ainfo != NULL); 917 918 /* 919 * Add a subject token (no locks since our private copy of 920 * credential 921 */ 922 AUDIT_SETSUBJ(&(u_ad), cr, ainfo); 923 924 /* Add an optional group token */ 925 AUDIT_SETGROUP(&(u_ad), cr, kctx); 926 927 /* Add slabel token */ 928 if (is_system_labeled()) 929 au_write(&(u_ad), au_to_label(CR_SL(cr))); 930 931 /* Add a return token (should use f argument) */ 932 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 933 934 AS_INC(as_generated, 1, kctx); 935 AS_INC(as_kernel, 1, kctx); 936 } 937 938 /* Close up everything */ 939 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 940 941 /* free up any space remaining with the path's */ 942 if (tad->tad_aupath != NULL) { 943 au_pathrele(tad->tad_aupath); 944 tad->tad_aupath = NULL; 945 tad->tad_vn = NULL; 946 } 947 tad->tad_event = 0; 948 tad->tad_evmod = 0; 949 tad->tad_ctrl = 0; 950 } 951 952 /*ARGSUSED*/ 953 void 954 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 955 { 956 } 957 958 /*ARGSUSED*/ 959 void 960 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 961 { 962 } 963 964 /*ARGSUSED*/ 965 void 966 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 967 int copyflag, cred_t *crp, int *rvalp) 968 { 969 } 970 971 972 /*ARGSUSED*/ 973 void 974 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 975 unsigned char *pri, int *flag, int fmode) 976 { 977 struct stdata *stp; 978 t_audit_data_t *tad = U2A(u); 979 980 ASSERT(tad != (t_audit_data_t *)0); 981 982 stp = vp->v_stream; 983 984 /* lock stdata from audit_sock */ 985 mutex_enter(&stp->sd_lock); 986 987 /* proceed ONLY if user is being audited */ 988 if (!tad->tad_flag) { 989 /* 990 * this is so we will not add audit data onto 991 * a thread that is not being audited. 992 */ 993 stp->sd_t_audit_data = NULL; 994 mutex_exit(&stp->sd_lock); 995 return; 996 } 997 998 stp->sd_t_audit_data = (caddr_t)curthread; 999 mutex_exit(&stp->sd_lock); 1000 } 1001 1002 /*ARGSUSED*/ 1003 void 1004 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 1005 unsigned char pri, int flag, int fmode) 1006 { 1007 struct stdata *stp; 1008 t_audit_data_t *tad = U2A(u); 1009 1010 ASSERT(tad != (t_audit_data_t *)0); 1011 1012 stp = vp->v_stream; 1013 1014 /* lock stdata from audit_sock */ 1015 mutex_enter(&stp->sd_lock); 1016 1017 /* proceed ONLY if user is being audited */ 1018 if (!tad->tad_flag) { 1019 /* 1020 * this is so we will not add audit data onto 1021 * a thread that is not being audited. 1022 */ 1023 stp->sd_t_audit_data = NULL; 1024 mutex_exit(&stp->sd_lock); 1025 return; 1026 } 1027 1028 stp->sd_t_audit_data = (caddr_t)curthread; 1029 mutex_exit(&stp->sd_lock); 1030 } 1031 1032 /* 1033 * ROUTINE: AUDIT_CLOSEF 1034 * PURPOSE: 1035 * CALLBY: CLOSEF 1036 * NOTE: 1037 * release per file audit resources when file structure is being released. 1038 * 1039 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 1040 * on the audit queue if it becomes full. This means 1041 * audit_closef can not be called when f_count == 0. Since 1042 * f_count == 0 indicates the file structure is free, another 1043 * process could attempt to use the file while we were still 1044 * asleep waiting on the audit queue. This would cause the 1045 * per file audit data to be corrupted when we finally do 1046 * wakeup. 1047 * TODO: 1048 * QUESTION: 1049 */ 1050 1051 void 1052 audit_closef(struct file *fp) 1053 { /* AUDIT_CLOSEF */ 1054 f_audit_data_t *fad; 1055 t_audit_data_t *tad; 1056 int success; 1057 au_state_t estate; 1058 struct vnode *vp; 1059 token_t *ad = NULL; 1060 struct vattr attr; 1061 short evmod = 0; 1062 const auditinfo_addr_t *ainfo; 1063 int getattr_ret; 1064 cred_t *cr; 1065 au_kcontext_t *kctx = SET_KCTX_PZ; 1066 1067 if (kctx == NULL) { 1068 zone_status_t zstate = zone_status_get(curproc->p_zone); 1069 ASSERT(zstate != ZONE_IS_READY); 1070 return; 1071 } 1072 1073 fad = F2A(fp); 1074 estate = kctx->auk_ets[AUE_CLOSE]; 1075 tad = U2A(u); 1076 cr = CRED(); 1077 1078 /* audit record already generated by system call envelope */ 1079 if (tad->tad_event == AUE_CLOSE) { 1080 /* so close audit event will have bits set */ 1081 tad->tad_evmod |= (short)fad->fad_flags; 1082 return; 1083 } 1084 1085 /* if auditing not enabled, then don't generate an audit record */ 1086 if (!((kctx->auk_auditstate == AUC_AUDITING || 1087 kctx->auk_auditstate == AUC_INIT_AUDIT) || 1088 kctx->auk_auditstate == AUC_NOSPACE)) 1089 return; 1090 1091 ainfo = crgetauinfo(cr); 1092 if (ainfo == NULL) 1093 return; 1094 1095 success = ainfo->ai_mask.as_success & estate; 1096 1097 /* not selected for this event */ 1098 if (success == 0) 1099 return; 1100 1101 /* 1102 * can't use audit_attributes here since we use a private audit area 1103 * to build the audit record instead of the one off the thread. 1104 */ 1105 if ((vp = fp->f_vnode) != NULL) { 1106 attr.va_mask = AT_ALL; 1107 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED()); 1108 } 1109 1110 /* 1111 * When write was not used and the file can be considered public, 1112 * then skip the audit. 1113 */ 1114 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 1115 if (file_is_public(&attr)) { 1116 return; 1117 } 1118 } 1119 1120 evmod = (short)fad->fad_flags; 1121 if (fad->fad_aupath != NULL) { 1122 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 1123 } else { 1124 #ifdef _LP64 1125 au_write((caddr_t *)&(ad), au_to_arg64( 1126 1, "no path: fp", (uint64_t)fp)); 1127 #else 1128 au_write((caddr_t *)&(ad), au_to_arg32( 1129 1, "no path: fp", (uint32_t)fp)); 1130 #endif 1131 } 1132 1133 if (getattr_ret == 0) { 1134 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1135 audit_sec_attributes((caddr_t *)&(ad), vp); 1136 } 1137 1138 /* Add a subject token */ 1139 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo); 1140 1141 /* add an optional group token */ 1142 AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx); 1143 1144 /* add slabel token */ 1145 if (is_system_labeled()) 1146 au_write((caddr_t *)&(ad), au_to_label(CR_SL(cr))); 1147 1148 /* add a return token */ 1149 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 1150 1151 AS_INC(as_generated, 1, kctx); 1152 AS_INC(as_kernel, 1, kctx); 1153 1154 /* 1155 * Close up everything 1156 * Note: path space recovery handled by normal system 1157 * call envelope if not at last close. 1158 * Note there is no failure at this point since 1159 * this represents closes due to exit of process, 1160 * thus we always indicate successful closes. 1161 */ 1162 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 1163 AUE_CLOSE, evmod); 1164 } 1165 1166 /* 1167 * ROUTINE: AUDIT_SET 1168 * PURPOSE: Audit the file path and file attributes. 1169 * CALLBY: SETF 1170 * NOTE: SETF associate a file pointer with user area's open files. 1171 * TODO: 1172 * call audit_finish directly ??? 1173 * QUESTION: 1174 */ 1175 1176 /*ARGSUSED*/ 1177 void 1178 audit_setf(file_t *fp, int fd) 1179 { 1180 f_audit_data_t *fad; 1181 t_audit_data_t *tad; 1182 1183 if (fp == NULL) 1184 return; 1185 1186 tad = T2A(curthread); 1187 fad = F2A(fp); 1188 1189 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 1190 tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 1191 tad->tad_scid == SYS_fsat)) 1192 return; 1193 1194 /* no path */ 1195 if (tad->tad_aupath == 0) 1196 return; 1197 1198 /* 1199 * assign path information associated with file audit data 1200 * use tad hold 1201 */ 1202 fad->fad_aupath = tad->tad_aupath; 1203 tad->tad_aupath = NULL; 1204 tad->tad_vn = NULL; 1205 1206 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 1207 /* adjust event type */ 1208 switch (tad->tad_event) { 1209 case AUE_OPEN_RC: 1210 tad->tad_event = AUE_OPEN_R; 1211 tad->tad_ctrl |= PAD_PUBLIC_EV; 1212 break; 1213 case AUE_OPEN_RTC: 1214 tad->tad_event = AUE_OPEN_RT; 1215 break; 1216 case AUE_OPEN_WC: 1217 tad->tad_event = AUE_OPEN_W; 1218 break; 1219 case AUE_OPEN_WTC: 1220 tad->tad_event = AUE_OPEN_WT; 1221 break; 1222 case AUE_OPEN_RWC: 1223 tad->tad_event = AUE_OPEN_RW; 1224 break; 1225 case AUE_OPEN_RWTC: 1226 tad->tad_event = AUE_OPEN_RWT; 1227 break; 1228 default: 1229 break; 1230 } 1231 } 1232 } 1233 1234 1235 /* 1236 * ROUTINE: AUDIT_COPEN 1237 * PURPOSE: 1238 * CALLBY: COPEN 1239 * NOTE: 1240 * TODO: 1241 * QUESTION: 1242 */ 1243 /*ARGSUSED*/ 1244 void 1245 audit_copen(int fd, file_t *fp, vnode_t *vp) 1246 { 1247 } 1248 1249 void 1250 audit_ipc(int type, int id, void *vp) 1251 { 1252 /* if not auditing this event, then do nothing */ 1253 if (ad_flag == 0) 1254 return; 1255 1256 switch (type) { 1257 case AT_IPC_MSG: 1258 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1259 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1260 break; 1261 case AT_IPC_SEM: 1262 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1263 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1264 break; 1265 case AT_IPC_SHM: 1266 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 1267 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1268 break; 1269 } 1270 } 1271 1272 void 1273 audit_ipcget(int type, void *vp) 1274 { 1275 /* if not auditing this event, then do nothing */ 1276 if (ad_flag == 0) 1277 return; 1278 1279 switch (type) { 1280 case NULL: 1281 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 1282 break; 1283 case AT_IPC_MSG: 1284 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1285 break; 1286 case AT_IPC_SEM: 1287 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1288 break; 1289 case AT_IPC_SHM: 1290 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1291 break; 1292 } 1293 } 1294 1295 /* 1296 * ROUTINE: AUDIT_REBOOT 1297 * PURPOSE: 1298 * CALLBY: 1299 * NOTE: 1300 * At this point we know that the system call reboot will not return. We thus 1301 * have to complete the audit record generation and put it onto the queue. 1302 * This might be fairly useless if the auditing daemon is already dead.... 1303 * TODO: 1304 * QUESTION: who calls audit_reboot 1305 */ 1306 1307 void 1308 audit_reboot(void) 1309 { 1310 int flag; 1311 t_audit_data_t *tad; 1312 au_kcontext_t *kctx = SET_KCTX_PZ; 1313 1314 if (kctx == NULL) { 1315 zone_status_t zstate = zone_status_get(curproc->p_zone); 1316 ASSERT(zstate != ZONE_IS_READY); 1317 return; 1318 } 1319 1320 tad = U2A(u); 1321 1322 /* if not auditing this event, then do nothing */ 1323 if (tad->tad_flag == 0) 1324 return; 1325 1326 /* do preselection on success/failure */ 1327 if (flag = audit_success(kctx, tad, 0)) { 1328 /* add a process token */ 1329 1330 cred_t *cr = CRED(); 1331 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1332 1333 if (ainfo == NULL) 1334 return; 1335 1336 AUDIT_SETSUBJ(&(u_ad), cr, ainfo); 1337 1338 /* add an optional group token */ 1339 AUDIT_SETGROUP(&(u_ad), cr, kctx); 1340 1341 /* add slabel token */ 1342 if (is_system_labeled()) 1343 au_uwrite(au_to_label(CR_SL(cr))); 1344 1345 /* add a return token */ 1346 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1347 1348 AS_INC(as_generated, 1, kctx); 1349 AS_INC(as_kernel, 1, kctx); 1350 } 1351 1352 /* 1353 * Flow control useless here since we're going 1354 * to drop everything in the queue anyway. Why 1355 * block and wait. There aint anyone left alive to 1356 * read the records remaining anyway. 1357 */ 1358 1359 /* Close up everything */ 1360 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1361 tad->tad_event, tad->tad_evmod); 1362 } 1363 1364 void 1365 audit_setfsat_path(int argnum) 1366 { 1367 klwp_id_t clwp = ttolwp(curthread); 1368 struct file *fp; 1369 uint32_t fd; 1370 t_audit_data_t *tad; 1371 struct f_audit_data *fad; 1372 p_audit_data_t *pad; /* current process */ 1373 1374 struct b { 1375 long arg1; 1376 long arg2; 1377 long arg3; 1378 long arg4; 1379 long arg5; 1380 } *uap1; 1381 1382 if (clwp == NULL) 1383 return; 1384 uap1 = (struct b *)&clwp->lwp_ap[1]; 1385 1386 tad = U2A(u); 1387 1388 ASSERT(tad != NULL); 1389 1390 if (tad->tad_scid != SYS_fsat) 1391 return; 1392 1393 switch (argnum) { 1394 case 1: 1395 fd = (uint32_t)uap1->arg1; 1396 break; 1397 case 2: 1398 fd = (uint32_t)uap1->arg2; 1399 break; 1400 case 3: 1401 fd = (uint32_t)uap1->arg3; 1402 break; 1403 case 4: 1404 fd = (uint32_t)uap1->arg4; 1405 break; 1406 case 5: 1407 fd = (uint32_t)uap1->arg5; 1408 break; 1409 default: 1410 return; 1411 } 1412 1413 if (tad->tad_atpath != NULL) { 1414 au_pathrele(tad->tad_atpath); 1415 tad->tad_atpath = NULL; 1416 } 1417 if (fd != AT_FDCWD) { 1418 if ((fp = getf(fd)) == NULL) 1419 return; 1420 1421 fad = F2A(fp); 1422 ASSERT(fad); 1423 au_pathhold(fad->fad_aupath); 1424 tad->tad_atpath = fad->fad_aupath; 1425 releasef(fd); 1426 } else { 1427 pad = P2A(curproc); 1428 mutex_enter(&pad->pad_lock); 1429 au_pathhold(pad->pad_cwd); 1430 tad->tad_atpath = pad->pad_cwd; 1431 mutex_exit(&pad->pad_lock); 1432 } 1433 } 1434 1435 void 1436 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1437 { 1438 t_audit_data_t *tad; 1439 vnode_t *vp; 1440 1441 tad = U2A(u); 1442 1443 /* if not auditing this event, then do nothing */ 1444 if (tad->tad_flag == 0) 1445 return; 1446 1447 au_uwrite(au_to_text(target)); 1448 1449 if (error) 1450 return; 1451 1452 error = VOP_LOOKUP(dvp, sname, &vp, NULL, NO_FOLLOW, NULL, CRED()); 1453 if (error == 0) { 1454 audit_attributes(vp); 1455 VN_RELE(vp); 1456 } 1457 } 1458 1459 /* 1460 * ROUTINE: AUDIT_VNCREATE_START 1461 * PURPOSE: set flag so path name lookup in create will not add attribute 1462 * CALLBY: VN_CREATE 1463 * NOTE: 1464 * TODO: 1465 * QUESTION: 1466 */ 1467 1468 void 1469 audit_vncreate_start() 1470 { 1471 t_audit_data_t *tad; 1472 1473 tad = U2A(u); 1474 tad->tad_ctrl |= PAD_NOATTRB; 1475 } 1476 1477 /* 1478 * ROUTINE: AUDIT_VNCREATE_FINISH 1479 * PURPOSE: 1480 * CALLBY: VN_CREATE 1481 * NOTE: 1482 * TODO: 1483 * QUESTION: 1484 */ 1485 void 1486 audit_vncreate_finish(struct vnode *vp, int error) 1487 { 1488 t_audit_data_t *tad; 1489 1490 if (error) 1491 return; 1492 1493 tad = U2A(u); 1494 1495 /* if not auditing this event, then do nothing */ 1496 if (tad->tad_flag == 0) 1497 return; 1498 1499 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1500 audit_attributes(vp); 1501 } 1502 1503 if (tad->tad_ctrl & PAD_CORE) { 1504 audit_attributes(vp); 1505 tad->tad_ctrl &= ~PAD_CORE; 1506 } 1507 1508 if (!error && ((tad->tad_event == AUE_MKNOD) || 1509 (tad->tad_event == AUE_MKDIR))) { 1510 audit_attributes(vp); 1511 } 1512 1513 /* for case where multiple lookups in one syscall (rename) */ 1514 tad->tad_ctrl &= ~PAD_NOATTRB; 1515 } 1516 1517 1518 1519 1520 1521 1522 1523 1524 /* 1525 * ROUTINE: AUDIT_EXEC 1526 * PURPOSE: Records the function arguments and environment variables 1527 * CALLBY: EXEC_ARGS 1528 * NOTE: 1529 * TODO: 1530 * QUESTION: 1531 */ 1532 1533 /*ARGSUSED*/ 1534 void 1535 audit_exec( 1536 const char *argstr, /* argument strings */ 1537 const char *envstr, /* environment strings */ 1538 ssize_t argc, /* total # arguments */ 1539 ssize_t envc) /* total # environment variables */ 1540 { 1541 t_audit_data_t *tad; 1542 au_kcontext_t *kctx = SET_KCTX_PZ; 1543 1544 ASSERT(kctx != NULL); 1545 1546 tad = U2A(u); 1547 1548 /* if not auditing this event, then do nothing */ 1549 if (!tad->tad_flag) 1550 return; 1551 1552 /* return if not interested in argv or environment variables */ 1553 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1554 return; 1555 1556 if (kctx->auk_policy & AUDIT_ARGV) { 1557 au_uwrite(au_to_exec_args(argstr, argc)); 1558 } 1559 1560 if (kctx->auk_policy & AUDIT_ARGE) { 1561 au_uwrite(au_to_exec_env(envstr, envc)); 1562 } 1563 } 1564 1565 /* 1566 * ROUTINE: AUDIT_ENTERPROM 1567 * PURPOSE: 1568 * CALLBY: KBDINPUT 1569 * ZSA_XSINT 1570 * NOTE: 1571 * TODO: 1572 * QUESTION: 1573 */ 1574 void 1575 audit_enterprom(int flg) 1576 { 1577 token_t *rp = NULL; 1578 int sorf; 1579 1580 if (flg) 1581 sorf = AUM_SUCC; 1582 else 1583 sorf = AUM_FAIL; 1584 1585 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1586 1587 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1588 1589 if (flg) 1590 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1591 else 1592 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1593 1594 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 1595 } 1596 1597 1598 /* 1599 * ROUTINE: AUDIT_EXITPROM 1600 * PURPOSE: 1601 * CALLBY: KBDINPUT 1602 * ZSA_XSINT 1603 * NOTE: 1604 * TODO: 1605 * QUESTION: 1606 */ 1607 void 1608 audit_exitprom(int flg) 1609 { 1610 int sorf; 1611 token_t *rp = NULL; 1612 1613 if (flg) 1614 sorf = AUM_SUCC; 1615 else 1616 sorf = AUM_FAIL; 1617 1618 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1619 1620 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1621 1622 if (flg) 1623 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1624 else 1625 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1626 1627 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 1628 } 1629 1630 struct fcntla { 1631 int fdes; 1632 int cmd; 1633 intptr_t arg; 1634 }; 1635 1636 /* 1637 * ROUTINE: AUDIT_C2_REVOKE 1638 * PURPOSE: 1639 * CALLBY: FCNTL 1640 * NOTE: 1641 * TODO: 1642 * QUESTION: are we keeping this func 1643 */ 1644 1645 /*ARGSUSED*/ 1646 int 1647 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1648 { 1649 return (0); 1650 } 1651 1652 1653 /* 1654 * ROUTINE: AUDIT_CHDIREC 1655 * PURPOSE: 1656 * CALLBY: CHDIREC 1657 * NOTE: The main function of CHDIREC 1658 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1659 * QUESTION: 1660 */ 1661 1662 /*ARGSUSED*/ 1663 void 1664 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1665 { 1666 int chdir; 1667 int fchdir; 1668 struct audit_path **appp; 1669 struct file *fp; 1670 f_audit_data_t *fad; 1671 p_audit_data_t *pad = P2A(curproc); 1672 t_audit_data_t *tad = T2A(curthread); 1673 1674 struct a { 1675 long fd; 1676 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1677 1678 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1679 chdir = tad->tad_scid == SYS_chdir; 1680 if (tad->tad_aupath) { 1681 mutex_enter(&pad->pad_lock); 1682 if (chdir) 1683 appp = &(pad->pad_cwd); 1684 else 1685 appp = &(pad->pad_root); 1686 au_pathrele(*appp); 1687 /* use tad hold */ 1688 *appp = tad->tad_aupath; 1689 tad->tad_aupath = NULL; 1690 mutex_exit(&pad->pad_lock); 1691 } 1692 } else if ((tad->tad_scid == SYS_fchdir) || 1693 (tad->tad_scid == SYS_fchroot)) { 1694 fchdir = tad->tad_scid == SYS_fchdir; 1695 if ((fp = getf(uap->fd)) == NULL) 1696 return; 1697 fad = F2A(fp); 1698 if (fad->fad_aupath) { 1699 au_pathhold(fad->fad_aupath); 1700 mutex_enter(&pad->pad_lock); 1701 if (fchdir) 1702 appp = &(pad->pad_cwd); 1703 else 1704 appp = &(pad->pad_root); 1705 au_pathrele(*appp); 1706 *appp = fad->fad_aupath; 1707 mutex_exit(&pad->pad_lock); 1708 if (tad->tad_flag) { 1709 au_uwrite(au_to_path(fad->fad_aupath)); 1710 audit_attributes(fp->f_vnode); 1711 } 1712 } 1713 releasef(uap->fd); 1714 } 1715 } 1716 1717 /* 1718 * ROUTINE: AUDIT_GETF 1719 * PURPOSE: 1720 * CALLBY: GETF_INTERNAL 1721 * NOTE: The main function of GETF_INTERNAL is to associate a given 1722 * file descriptor with a file structure and increment the 1723 * file pointer reference count. 1724 * TODO: remove pass in of fpp. 1725 * increment a reference count so that even if a thread with same process delete 1726 * the same object, it will not panic our system 1727 * QUESTION: 1728 * where to decrement the f_count????????????????? 1729 * seems like I need to set a flag if f_count incrmented through audit_getf 1730 */ 1731 1732 /*ARGSUSED*/ 1733 int 1734 audit_getf(int fd) 1735 { 1736 #ifdef NOTYET 1737 t_audit_data_t *tad; 1738 1739 tad = T2A(curthread); 1740 1741 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 1742 return; 1743 #endif 1744 return (0); 1745 } 1746 1747 /* 1748 * Audit hook for stream based socket and tli request. 1749 * Note that we do not have user context while executing 1750 * this code so we had to record them earlier during the 1751 * putmsg/getmsg to figure out which user we are dealing with. 1752 */ 1753 1754 /*ARGSUSED*/ 1755 void 1756 audit_sock( 1757 int type, /* type of tihdr.h header requests */ 1758 queue_t *q, /* contains the process and thread audit data */ 1759 mblk_t *mp, /* contains the tihdr.h header structures */ 1760 int from) /* timod or sockmod request */ 1761 { 1762 int32_t len; 1763 int32_t offset; 1764 struct sockaddr_in *sock_data; 1765 struct T_conn_req *conn_req; 1766 struct T_conn_ind *conn_ind; 1767 struct T_unitdata_req *unitdata_req; 1768 struct T_unitdata_ind *unitdata_ind; 1769 au_state_t estate; 1770 t_audit_data_t *tad; 1771 caddr_t saved_thread_ptr; 1772 au_mask_t amask; 1773 const auditinfo_addr_t *ainfo; 1774 au_kcontext_t *kctx; 1775 zone_status_t zstate; 1776 1777 if (q->q_stream == NULL) 1778 return; 1779 mutex_enter(&q->q_stream->sd_lock); 1780 /* are we being audited */ 1781 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1782 /* no pointer to thread, nothing to do */ 1783 if (saved_thread_ptr == NULL) { 1784 mutex_exit(&q->q_stream->sd_lock); 1785 return; 1786 } 1787 /* only allow one addition of a record token */ 1788 q->q_stream->sd_t_audit_data = NULL; 1789 /* 1790 * thread is not the one being audited, then nothing to do 1791 * This could be the stream thread handling the module 1792 * service routine. In this case, the context for the audit 1793 * record can no longer be assumed. Simplest to just drop 1794 * the operation. 1795 */ 1796 if (curthread != (kthread_id_t)saved_thread_ptr) { 1797 mutex_exit(&q->q_stream->sd_lock); 1798 return; 1799 } 1800 if (curthread->t_sysnum >= SYS_so_socket && 1801 curthread->t_sysnum <= SYS_sockconfig) { 1802 mutex_exit(&q->q_stream->sd_lock); 1803 return; 1804 } 1805 mutex_exit(&q->q_stream->sd_lock); 1806 /* 1807 * we know that the thread that did the put/getmsg is the 1808 * one running. Now we can get the TAD and see if we should 1809 * add an audit token. 1810 */ 1811 tad = U2A(u); 1812 1813 kctx = SET_KCTX_PZ; 1814 if (kctx == NULL) { 1815 zstate = zone_status_get(curproc->p_zone); 1816 ASSERT(zstate != ZONE_IS_READY); 1817 return; 1818 } 1819 1820 /* proceed ONLY if user is being audited */ 1821 if (!tad->tad_flag) 1822 return; 1823 1824 ainfo = crgetauinfo(CRED()); 1825 if (ainfo == NULL) 1826 return; 1827 amask = ainfo->ai_mask; 1828 1829 /* 1830 * Figure out the type of stream networking request here. 1831 * Note that getmsg and putmsg are always preselected 1832 * because during the beginning of the system call we have 1833 * not yet figure out which of the socket or tli request 1834 * we are looking at until we are here. So we need to check 1835 * against that specific request and reset the type of event. 1836 */ 1837 switch (type) { 1838 case T_CONN_REQ: /* connection request */ 1839 conn_req = (struct T_conn_req *)mp->b_rptr; 1840 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1841 return; 1842 offset = conn_req->DEST_offset; 1843 len = conn_req->DEST_length; 1844 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1845 if (amask.as_success & estate || amask.as_failure & estate) { 1846 tad->tad_event = AUE_SOCKCONNECT; 1847 break; 1848 } else { 1849 return; 1850 } 1851 case T_CONN_IND: /* connectionless receive request */ 1852 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1853 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1854 return; 1855 offset = conn_ind->SRC_offset; 1856 len = conn_ind->SRC_length; 1857 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1858 if (amask.as_success & estate || amask.as_failure & estate) { 1859 tad->tad_event = AUE_SOCKACCEPT; 1860 break; 1861 } else { 1862 return; 1863 } 1864 case T_UNITDATA_REQ: /* connectionless send request */ 1865 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1866 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1867 return; 1868 offset = unitdata_req->DEST_offset; 1869 len = unitdata_req->DEST_length; 1870 estate = kctx->auk_ets[AUE_SOCKSEND]; 1871 if (amask.as_success & estate || amask.as_failure & estate) { 1872 tad->tad_event = AUE_SOCKSEND; 1873 break; 1874 } else { 1875 return; 1876 } 1877 case T_UNITDATA_IND: /* connectionless receive request */ 1878 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1879 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1880 return; 1881 offset = unitdata_ind->SRC_offset; 1882 len = unitdata_ind->SRC_length; 1883 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1884 if (amask.as_success & estate || amask.as_failure & estate) { 1885 tad->tad_event = AUE_SOCKRECEIVE; 1886 break; 1887 } else { 1888 return; 1889 } 1890 default: 1891 return; 1892 } 1893 1894 /* 1895 * we are only interested in tcp stream connections, 1896 * not unix domain stuff 1897 */ 1898 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1899 tad->tad_event = AUE_GETMSG; 1900 return; 1901 } 1902 /* skip over TPI header and point to the ip address */ 1903 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1904 1905 switch (sock_data->sin_family) { 1906 case AF_INET: 1907 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1908 break; 1909 default: /* reset to AUE_PUTMSG if not a inet request */ 1910 tad->tad_event = AUE_GETMSG; 1911 break; 1912 } 1913 } 1914 1915 void 1916 audit_lookupname() 1917 { 1918 } 1919 1920 /*ARGSUSED*/ 1921 int 1922 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1923 { 1924 return (0); 1925 } 1926 1927 static void 1928 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1929 { 1930 unsigned int sy_flags; 1931 1932 #ifdef _SYSCALL32_IMPL 1933 if (lwp_getdatamodel( 1934 ttolwp(curthread)) == DATAMODEL_NATIVE) 1935 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1936 else 1937 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1938 #else 1939 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1940 #endif 1941 1942 if (sy_flags == SE_64RVAL) 1943 au_write(ad, au_to_return64(err, rval)); 1944 else 1945 au_write(ad, au_to_return32(err, rval)); 1946 1947 } 1948 1949 /*ARGSUSED*/ 1950 void 1951 audit_fdsend(fd, fp, error) 1952 int fd; 1953 struct file *fp; 1954 int error; /* ignore for now */ 1955 { 1956 t_audit_data_t *tad; /* current thread */ 1957 f_audit_data_t *fad; /* per file audit structure */ 1958 struct vnode *vp; /* for file attributes */ 1959 1960 /* is this system call being audited */ 1961 tad = U2A(u); 1962 ASSERT(tad != (t_audit_data_t *)0); 1963 if (!tad->tad_flag) 1964 return; 1965 1966 fad = F2A(fp); 1967 1968 /* add path and file attributes */ 1969 if (fad != NULL && fad->fad_aupath != NULL) { 1970 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1971 au_uwrite(au_to_path(fad->fad_aupath)); 1972 } else { 1973 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1974 #ifdef _LP64 1975 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1976 #else 1977 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1978 #endif 1979 } 1980 vp = fp->f_vnode; /* include vnode attributes */ 1981 audit_attributes(vp); 1982 } 1983 1984 /* 1985 * Record privileges sucessfully used and we attempted to use but 1986 * didn't have. 1987 */ 1988 void 1989 audit_priv(int priv, const priv_set_t *set, int flag) 1990 { 1991 t_audit_data_t *tad; 1992 int sbit; 1993 priv_set_t *target; 1994 1995 /* Make sure this isn't being called in an interrupt context */ 1996 ASSERT(servicing_interrupt() == 0); 1997 1998 tad = U2A(u); 1999 2000 if (tad->tad_flag == 0) 2001 return; 2002 2003 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 2004 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 2005 2006 /* Tell audit_success() and audit_finish() that we saw this case */ 2007 if (!(tad->tad_evmod & sbit)) { 2008 /* Clear set first time around */ 2009 priv_emptyset(target); 2010 tad->tad_evmod |= sbit; 2011 } 2012 2013 /* Save the privileges in the tad */ 2014 if (priv == PRIV_ALL) { 2015 priv_fillset(target); 2016 } else { 2017 ASSERT(set != NULL || priv != PRIV_NONE); 2018 if (set != NULL) 2019 priv_union(set, target); 2020 if (priv != PRIV_NONE) 2021 priv_addset(target, priv); 2022 } 2023 } 2024 2025 /* 2026 * Audit the setpriv() system call; the operation, the set name and 2027 * the current value as well as the set argument are put in the 2028 * audit trail. 2029 */ 2030 void 2031 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 2032 { 2033 t_audit_data_t *tad; 2034 const priv_set_t *oldpriv; 2035 priv_set_t report; 2036 const char *setname; 2037 2038 tad = U2A(u); 2039 2040 if (tad->tad_flag == 0) 2041 return; 2042 2043 oldpriv = priv_getset(ocr, set); 2044 2045 /* Generate the actual record, include the before and after */ 2046 au_uwrite(au_to_arg32(2, "op", op)); 2047 setname = priv_getsetbynum(set); 2048 2049 switch (op) { 2050 case PRIV_OFF: 2051 /* Report privileges actually switched off */ 2052 report = *oldpriv; 2053 priv_intersect(newpriv, &report); 2054 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 2055 break; 2056 case PRIV_ON: 2057 /* Report privileges actually switched on */ 2058 report = *oldpriv; 2059 priv_inverse(&report); 2060 priv_intersect(newpriv, &report); 2061 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 2062 break; 2063 case PRIV_SET: 2064 /* Report before and after */ 2065 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 2066 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 2067 break; 2068 } 2069 } 2070 2071 /* 2072 * Dump the full device policy setting in the audit trail. 2073 */ 2074 void 2075 audit_devpolicy(int nitems, const devplcysys_t *items) 2076 { 2077 t_audit_data_t *tad; 2078 int i; 2079 2080 tad = U2A(u); 2081 2082 if (tad->tad_flag == 0) 2083 return; 2084 2085 for (i = 0; i < nitems; i++) { 2086 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 2087 if (items[i].dps_minornm[0] == '\0') { 2088 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 2089 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 2090 } else 2091 au_uwrite(au_to_text(items[i].dps_minornm)); 2092 2093 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 2094 AUT_PRIV, 0)); 2095 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 2096 AUT_PRIV, 0)); 2097 } 2098 } 2099 2100 /*ARGSUSED*/ 2101 void 2102 audit_fdrecv(fd, fp) 2103 int fd; 2104 struct file *fp; 2105 { 2106 t_audit_data_t *tad; /* current thread */ 2107 f_audit_data_t *fad; /* per file audit structure */ 2108 struct vnode *vp; /* for file attributes */ 2109 2110 /* is this system call being audited */ 2111 tad = U2A(u); 2112 ASSERT(tad != (t_audit_data_t *)0); 2113 if (!tad->tad_flag) 2114 return; 2115 2116 fad = F2A(fp); 2117 2118 /* add path and file attributes */ 2119 if (fad != NULL && fad->fad_aupath != NULL) { 2120 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2121 au_uwrite(au_to_path(fad->fad_aupath)); 2122 } else { 2123 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2124 #ifdef _LP64 2125 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 2126 #else 2127 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 2128 #endif 2129 } 2130 vp = fp->f_vnode; /* include vnode attributes */ 2131 audit_attributes(vp); 2132 } 2133 2134 /* 2135 * ROUTINE: AUDIT_CRYPTOADM 2136 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 2137 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 2138 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 2139 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 2140 * CRYPTO_LOAD_DOOR 2141 * NOTE: 2142 * TODO: 2143 * QUESTION: 2144 */ 2145 2146 void 2147 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 2148 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 2149 { 2150 boolean_t mech_list_required = B_FALSE; 2151 cred_t *cr = CRED(); 2152 t_audit_data_t *tad; 2153 token_t *ad = NULL; 2154 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2155 char buffer[MAXNAMELEN * 2]; 2156 au_kcontext_t *kctx = SET_KCTX_PZ; 2157 2158 ASSERT(kctx != NULL); 2159 2160 tad = U2A(u); 2161 if (tad == NULL) 2162 return; 2163 2164 if (ainfo == NULL) 2165 return; 2166 2167 tad->tad_event = AUE_CRYPTOADM; 2168 2169 if (audit_success(kctx, tad, error) != AU_OK) 2170 return; 2171 2172 /* Add a subject token */ 2173 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo); 2174 2175 /* add an optional group token */ 2176 AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx); 2177 2178 /* add slabel token */ 2179 if (is_system_labeled()) 2180 au_write((caddr_t *)&ad, au_to_label(CR_SL(cr))); 2181 2182 switch (cmd) { 2183 case CRYPTO_LOAD_DEV_DISABLED: 2184 if (error == 0 && rv == CRYPTO_SUCCESS) { 2185 (void) snprintf(buffer, sizeof (buffer), 2186 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 2187 " dev_instance=%d", 2188 module_name, device_instance); 2189 mech_list_required = B_TRUE; 2190 } else { 2191 (void) snprintf(buffer, sizeof (buffer), 2192 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 2193 } 2194 break; 2195 2196 case CRYPTO_LOAD_SOFT_DISABLED: 2197 if (error == 0 && rv == CRYPTO_SUCCESS) { 2198 (void) snprintf(buffer, sizeof (buffer), 2199 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 2200 module_name); 2201 mech_list_required = B_TRUE; 2202 } else { 2203 (void) snprintf(buffer, sizeof (buffer), 2204 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 2205 } 2206 break; 2207 2208 case CRYPTO_UNLOAD_SOFT_MODULE: 2209 if (error == 0 && rv == CRYPTO_SUCCESS) { 2210 (void) snprintf(buffer, sizeof (buffer), 2211 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 2212 module_name); 2213 } else { 2214 (void) snprintf(buffer, sizeof (buffer), 2215 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 2216 } 2217 break; 2218 2219 case CRYPTO_LOAD_SOFT_CONFIG: 2220 if (error == 0 && rv == CRYPTO_SUCCESS) { 2221 (void) snprintf(buffer, sizeof (buffer), 2222 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 2223 module_name); 2224 mech_list_required = B_TRUE; 2225 } else { 2226 (void) snprintf(buffer, sizeof (buffer), 2227 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 2228 } 2229 break; 2230 2231 case CRYPTO_POOL_CREATE: 2232 (void) snprintf(buffer, sizeof (buffer), 2233 "op=CRYPTO_POOL_CREATE"); 2234 break; 2235 2236 case CRYPTO_POOL_WAIT: 2237 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 2238 break; 2239 2240 case CRYPTO_POOL_RUN: 2241 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 2242 break; 2243 2244 case CRYPTO_LOAD_DOOR: 2245 if (error == 0 && rv == CRYPTO_SUCCESS) 2246 (void) snprintf(buffer, sizeof (buffer), 2247 "op=CRYPTO_LOAD_DOOR"); 2248 else 2249 (void) snprintf(buffer, sizeof (buffer), 2250 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 2251 break; 2252 2253 default: 2254 return; 2255 } 2256 2257 au_write((caddr_t *)&ad, au_to_text(buffer)); 2258 2259 if (mech_list_required) { 2260 int i; 2261 2262 if (mech_count == 0) { 2263 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 2264 } else { 2265 char *pb = buffer; 2266 size_t l = sizeof (buffer); 2267 size_t n; 2268 char space[2] = ":"; 2269 2270 n = snprintf(pb, l, "mech="); 2271 2272 for (i = 0; i < mech_count; i++) { 2273 pb += n; 2274 l -= n; 2275 if (l < 0) 2276 l = 0; 2277 2278 if (i == mech_count - 1) 2279 (void) strcpy(space, ""); 2280 2281 n = snprintf(pb, l, "%s%s", mech_names[i], 2282 space); 2283 } 2284 au_write((caddr_t *)&ad, au_to_text(buffer)); 2285 } 2286 } 2287 2288 /* add a return token */ 2289 if (error || (rv != CRYPTO_SUCCESS)) 2290 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2291 else 2292 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2293 2294 AS_INC(as_generated, 1, kctx); 2295 AS_INC(as_kernel, 1, kctx); 2296 2297 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 2298 } 2299 2300 /* 2301 * Audit the kernel SSL administration command. The address and the 2302 * port number for the SSL instance, and the proxy port are put in the 2303 * audit trail. 2304 */ 2305 void 2306 audit_kssl(int cmd, void *params, int error) 2307 { 2308 cred_t *cr = CRED(); 2309 t_audit_data_t *tad; 2310 token_t *ad = NULL; 2311 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2312 au_kcontext_t *kctx = SET_KCTX_PZ; 2313 2314 ASSERT(kctx != NULL); 2315 tad = U2A(u); 2316 2317 if (ainfo == NULL) 2318 return; 2319 2320 tad->tad_event = AUE_CONFIGKSSL; 2321 2322 if (audit_success(kctx, tad, error) != AU_OK) 2323 return; 2324 2325 /* Add a subject token */ 2326 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo); 2327 2328 /* add an optional group token */ 2329 AUDIT_SETGROUP((caddr_t *)&ad, cr, kctx); 2330 2331 /* Add slabel token */ 2332 if (is_system_labeled()) 2333 au_write(&(u_ad), au_to_label(CR_SL(cr))); 2334 2335 switch (cmd) { 2336 case KSSL_ADD_ENTRY: { 2337 char buf[32]; 2338 kssl_params_t *kp = (kssl_params_t *)params; 2339 struct sockaddr_in *saddr = &(kp->kssl_addr); 2340 2341 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2342 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2343 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2344 saddr->sin_port); 2345 au_write((caddr_t *)&ad, au_to_text(buf)); 2346 2347 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2348 kp->kssl_proxy_port); 2349 au_write((caddr_t *)&ad, au_to_text(buf)); 2350 break; 2351 } 2352 2353 case KSSL_DELETE_ENTRY: { 2354 char buf[32]; 2355 struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2356 2357 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2358 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2359 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2360 saddr->sin_port); 2361 au_write((caddr_t *)&ad, au_to_text(buf)); 2362 break; 2363 } 2364 2365 default: 2366 return; 2367 } 2368 2369 /* add a return token */ 2370 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2371 2372 AS_INC(as_generated, 1, kctx); 2373 AS_INC(as_kernel, 1, kctx); 2374 2375 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2376 } 2377 2378 /* 2379 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2380 * PURPOSE: Add security attributes 2381 * CALLBY: AUDIT_ATTRIBUTES 2382 * AUDIT_CLOSEF 2383 * AUS_CLOSE 2384 * NOTE: 2385 * TODO: 2386 * QUESTION: 2387 */ 2388 2389 void 2390 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2391 { 2392 /* Dump the SL */ 2393 if (is_system_labeled()) { 2394 ts_label_t *tsl; 2395 bslabel_t *bsl; 2396 2397 tsl = getflabel(vp); 2398 if (tsl == NULL) 2399 return; /* nothing else to do */ 2400 2401 bsl = label2bslabel(tsl); 2402 if (bsl == NULL) 2403 return; /* nothing else to do */ 2404 au_write(ad, au_to_label(bsl)); 2405 label_rele(tsl); 2406 } 2407 2408 } /* AUDIT_SEC_ATTRIBUTES */ 2409