1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #include <sys/types.h> 33 #include <sys/proc.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/syscall.h> 42 #include <sys/fcntl.h> 43 #include <sys/ipc_impl.h> 44 #include <sys/msg_impl.h> 45 #include <sys/sem_impl.h> 46 #include <sys/shm_impl.h> 47 #include <sys/kmem.h> /* for KM_SLEEP */ 48 #include <sys/socket.h> 49 #include <sys/cmn_err.h> /* snprintf... */ 50 #include <sys/debug.h> 51 #include <sys/thread.h> 52 #include <netinet/in.h> 53 #include <c2/audit.h> /* needs to be included before user.h */ 54 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 55 #include <c2/audit_kevents.h> 56 #include <c2/audit_record.h> 57 #include <sys/strsubr.h> 58 #include <sys/tihdr.h> 59 #include <sys/tiuser.h> 60 #include <sys/timod.h> 61 #include <sys/model.h> /* for model_t */ 62 #include <sys/disp.h> /* for servicing_interrupt() */ 63 #include <sys/devpolicy.h> 64 #include <sys/crypto/ioctladmin.h> 65 #include <sys/cred_impl.h> 66 #include <inet/kssl/kssl.h> 67 #include <net/pfpolicy.h> 68 69 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 70 71 static void audit_pathbuild(struct pathname *pnp); 72 73 /* 74 * ROUTINE: AUDIT_NEWPROC 75 * PURPOSE: initialize the child p_audit_data structure 76 * CALLBY: GETPROC 77 * NOTE: All threads for the parent process are locked at this point. 78 * We are essentially running singled threaded for this reason. 79 * GETPROC is called when system creates a new process. 80 * By the time AUDIT_NEWPROC is called, the child proc 81 * structure has already been initialized. What we need 82 * to do is to allocate the child p_audit_data and 83 * initialize it with the content of current parent process. 84 */ 85 86 void 87 audit_newproc(struct proc *cp) /* initialized child proc structure */ 88 { 89 p_audit_data_t *pad; /* child process audit data */ 90 p_audit_data_t *opad; /* parent process audit data */ 91 92 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 93 94 P2A(cp) = pad; 95 96 opad = P2A(curproc); 97 98 /* 99 * copy the audit data. Note that all threads of current 100 * process have been "held". Thus there is no race condition 101 * here with mutiple threads trying to alter the cwrd 102 * structure (such as releasing it). 103 * 104 * The audit context in the cred is "duplicated" for the new 105 * proc by elsewhere crhold'ing the parent's cred which it shares. 106 * 107 * We still want to hold things since auditon() [A_SETUMASK, 108 * A_SETSMASK] could be walking through the processes to 109 * update things. 110 */ 111 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 112 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 113 au_pathhold(pad->pad_root); 114 au_pathhold(pad->pad_cwd); 115 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 116 117 /* 118 * finish auditing of parent here so that it will be done 119 * before child has a chance to run. We include the child 120 * pid since the return value in the return token is a dummy 121 * one and contains no useful information (it is included to 122 * make the audit record structure consistant). 123 * 124 * tad_flag is set if auditing is on 125 */ 126 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 127 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 128 129 /* 130 * finish up audit record generation here because child process 131 * is set to run before parent process. We distinguish here 132 * between FORK, FORK1, or VFORK by the saved system call ID. 133 */ 134 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 135 } 136 137 /* 138 * ROUTINE: AUDIT_PFREE 139 * PURPOSE: deallocate the per-process udit data structure 140 * CALLBY: EXIT 141 * FORK_FAIL 142 * NOTE: all lwp except current one have stopped in SEXITLWPS 143 * why we are single threaded? 144 * . all lwp except current one have stopped in SEXITLWPS. 145 */ 146 void 147 audit_pfree(struct proc *p) /* proc structure to be freed */ 148 149 { /* AUDIT_PFREE */ 150 151 p_audit_data_t *pad; 152 153 pad = P2A(p); 154 155 /* better be a per process audit data structure */ 156 ASSERT(pad != (p_audit_data_t *)0); 157 158 if (pad == pad0) { 159 return; 160 } 161 162 /* deallocate all auditing resources for this process */ 163 au_pathrele(pad->pad_root); 164 au_pathrele(pad->pad_cwd); 165 166 /* 167 * Since the pad structure is completely overwritten after alloc, 168 * we don't bother to clear it. 169 */ 170 171 kmem_cache_free(au_pad_cache, pad); 172 } 173 174 /* 175 * ROUTINE: AUDIT_THREAD_CREATE 176 * PURPOSE: allocate per-process thread audit data structure 177 * CALLBY: THREAD_CREATE 178 * NOTE: This is called just after *t was bzero'd. 179 * We are single threaded in this routine. 180 * TODO: 181 * QUESTION: 182 */ 183 184 void 185 audit_thread_create(kthread_id_t t) 186 { 187 t_audit_data_t *tad; /* per-thread audit data */ 188 189 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 190 191 T2A(t) = tad; /* set up thread audit data ptr */ 192 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 193 } 194 195 /* 196 * ROUTINE: AUDIT_THREAD_FREE 197 * PURPOSE: free the per-thread audit data structure 198 * CALLBY: THREAD_FREE 199 * NOTE: most thread data is clear after return 200 */ 201 void 202 audit_thread_free(kthread_t *t) 203 { 204 t_audit_data_t *tad; 205 au_defer_info_t *attr; 206 207 tad = T2A(t); 208 209 /* thread audit data must still be set */ 210 211 if (tad == tad0) { 212 return; 213 } 214 215 if (tad == NULL) { 216 return; 217 } 218 219 t->t_audit_data = 0; 220 221 /* must not have any audit record residual */ 222 ASSERT(tad->tad_ad == NULL); 223 224 /* saved path must be empty */ 225 ASSERT(tad->tad_aupath == NULL); 226 227 if (tad->tad_atpath) 228 au_pathrele(tad->tad_atpath); 229 230 attr = tad->tad_defer_head; 231 while (attr != NULL) { 232 au_defer_info_t *tmp_attr = attr; 233 234 au_free_rec(attr->audi_ad); 235 236 attr = attr->audi_next; 237 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 238 } 239 240 kmem_free(tad, sizeof (*tad)); 241 } 242 243 /* 244 * ROUTINE: AUDIT_SAVEPATH 245 * PURPOSE: 246 * CALLBY: LOOKUPPN 247 * 248 * NOTE: We have reached the end of a path in fs/lookup.c. 249 * We get two pieces of information here: 250 * the vnode of the last component (vp) and 251 * the status of the last access (flag). 252 * TODO: 253 * QUESTION: 254 */ 255 256 /*ARGSUSED*/ 257 int 258 audit_savepath( 259 struct pathname *pnp, /* pathname to lookup */ 260 struct vnode *vp, /* vnode of the last component */ 261 int flag, /* status of the last access */ 262 cred_t *cr) /* cred of requestor */ 263 { 264 265 t_audit_data_t *tad; /* current thread */ 266 au_kcontext_t *kctx = GET_KCTX_PZ; 267 268 tad = U2A(u); 269 270 /* 271 * this event being audited or do we need path information 272 * later? This might be for a chdir/chroot or open (add path 273 * to file pointer. If the path has already been found for an 274 * open/creat then we don't need to process the path. 275 * 276 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 277 * chroot, chdir, open, creat system call processing. It determines 278 * if audit_savepath() will discard the path or we need it later. 279 * PAD_PATHFND means path already included in this audit record. It 280 * is used in cases where multiple path lookups are done per 281 * system call. The policy flag, AUDIT_PATH, controls if multiple 282 * paths are allowed. 283 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 284 * exit processing to inhibit any paths that may be added due to 285 * closes. 286 */ 287 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 288 ((tad->tad_ctrl & PAD_PATHFND) && 289 !(kctx->auk_policy & AUDIT_PATH)) || 290 (tad->tad_ctrl & PAD_NOPATH)) { 291 return (0); 292 } 293 294 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 295 296 audit_pathbuild(pnp); 297 tad->tad_vn = vp; 298 299 /* 300 * are we auditing only if error, or if it is not open or create 301 * otherwise audit_setf will do it 302 */ 303 304 if (tad->tad_flag) { 305 if (flag && (tad->tad_scid == SYS_open || 306 tad->tad_scid == SYS_open64 || 307 tad->tad_scid == SYS_creat || 308 tad->tad_scid == SYS_creat64 || 309 tad->tad_scid == SYS_fsat)) { 310 tad->tad_ctrl |= PAD_TRUE_CREATE; 311 } 312 313 /* add token to audit record for this name */ 314 au_uwrite(au_to_path(tad->tad_aupath)); 315 316 /* add the attributes of the object */ 317 if (vp) { 318 /* 319 * only capture attributes when there is no error 320 * lookup will not return the vnode of the failing 321 * component. 322 * 323 * if there was a lookup error, then don't add 324 * attribute. if lookup in vn_create(), 325 * then don't add attribute, 326 * it will be added at end of vn_create(). 327 */ 328 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 329 audit_attributes(vp); 330 } 331 } 332 333 /* free up space if we're not going to save path (open, crate) */ 334 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 335 if (tad->tad_aupath != NULL) { 336 au_pathrele(tad->tad_aupath); 337 tad->tad_aupath = NULL; 338 tad->tad_vn = NULL; 339 } 340 } 341 if (tad->tad_ctrl & PAD_MLD) 342 tad->tad_ctrl |= PAD_PATHFND; 343 344 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 345 return (0); 346 } 347 348 static void 349 audit_pathbuild(struct pathname *pnp) 350 { 351 char *pp; /* pointer to path */ 352 int len; /* length of incoming segment */ 353 int newsect; /* path requires a new section */ 354 struct audit_path *pfxapp; /* prefix for path */ 355 struct audit_path *newapp; /* new audit_path */ 356 t_audit_data_t *tad; /* current thread */ 357 p_audit_data_t *pad; /* current process */ 358 359 tad = U2A(u); 360 ASSERT(tad != NULL); 361 pad = P2A(curproc); 362 ASSERT(pad != NULL); 363 364 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 365 ASSERT(len > 0); 366 367 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 368 mutex_enter(&pad->pad_lock); 369 if (tad->tad_aupath != NULL) { 370 pfxapp = tad->tad_aupath; 371 } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 372 ASSERT(tad->tad_atpath != NULL); 373 pfxapp = tad->tad_atpath; 374 } else if (tad->tad_ctrl & PAD_ABSPATH) { 375 pfxapp = pad->pad_root; 376 } else { 377 pfxapp = pad->pad_cwd; 378 } 379 au_pathhold(pfxapp); 380 mutex_exit(&pad->pad_lock); 381 382 /* get an expanded buffer to hold the anchored path */ 383 newsect = tad->tad_ctrl & PAD_ATPATH; 384 newapp = au_pathdup(pfxapp, newsect, len); 385 au_pathrele(pfxapp); 386 387 pp = newapp->audp_sect[newapp->audp_cnt] - len; 388 if (!newsect) { 389 /* overlay previous NUL terminator */ 390 *(pp - 1) = '/'; 391 } 392 393 /* now add string of processed path */ 394 bcopy(pnp->pn_buf, pp, len); 395 pp[len - 1] = '\0'; 396 397 /* perform path simplification as necessary */ 398 audit_fixpath(newapp, len); 399 400 if (tad->tad_aupath) 401 au_pathrele(tad->tad_aupath); 402 tad->tad_aupath = newapp; 403 404 /* for case where multiple lookups in one syscall (rename) */ 405 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 406 } 407 408 409 410 /*ARGSUSED*/ 411 412 /* 413 * ROUTINE: AUDIT_ADDCOMPONENT 414 * PURPOSE: extend the path by the component accepted 415 * CALLBY: LOOKUPPN 416 * NOTE: This function is called only when there is an error in 417 * parsing a path component 418 * TODO: Add the error component to audit record 419 * QUESTION: what is this for 420 */ 421 422 void 423 audit_addcomponent(struct pathname *pnp) 424 { 425 au_kcontext_t *kctx = GET_KCTX_PZ; 426 t_audit_data_t *tad; 427 428 tad = U2A(u); 429 /* 430 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 431 * chroot, chdir, open, creat system call processing. It determines 432 * if audit_savepath() will discard the path or we need it later. 433 * PAD_PATHFND means path already included in this audit record. It 434 * is used in cases where multiple path lookups are done per 435 * system call. The policy flag, AUDIT_PATH, controls if multiple 436 * paths are allowed. 437 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 438 * exit processing to inhibit any paths that may be added due to 439 * closes. 440 */ 441 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 442 ((tad->tad_ctrl & PAD_PATHFND) && 443 !(kctx->auk_policy & AUDIT_PATH)) || 444 (tad->tad_ctrl & PAD_NOPATH)) { 445 return; 446 } 447 448 return; 449 450 } /* AUDIT_ADDCOMPONENT */ 451 452 453 454 455 456 457 458 459 /* 460 * ROUTINE: AUDIT_ANCHORPATH 461 * PURPOSE: 462 * CALLBY: LOOKUPPN 463 * NOTE: 464 * anchor path at "/". We have seen a symbolic link or entering for the 465 * first time we will throw away any saved path if path is anchored. 466 * 467 * flag = 0, path is relative. 468 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 469 * 470 * If the (new) path is absolute, then we have to throw away whatever we have 471 * already accumulated since it is being superceeded by new path which is 472 * anchored at the root. 473 * Note that if the path is relative, this function does nothing 474 * TODO: 475 * QUESTION: 476 */ 477 /*ARGSUSED*/ 478 void 479 audit_anchorpath(struct pathname *pnp, int flag) 480 { 481 au_kcontext_t *kctx = GET_KCTX_PZ; 482 t_audit_data_t *tad; 483 484 tad = U2A(u); 485 486 /* 487 * this event being audited or do we need path information 488 * later? This might be for a chdir/chroot or open (add path 489 * to file pointer. If the path has already been found for an 490 * open/creat then we don't need to process the path. 491 * 492 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 493 * chroot, chdir, open, creat system call processing. It determines 494 * if audit_savepath() will discard the path or we need it later. 495 * PAD_PATHFND means path already included in this audit record. It 496 * is used in cases where multiple path lookups are done per 497 * system call. The policy flag, AUDIT_PATH, controls if multiple 498 * paths are allowed. 499 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 500 * exit processing to inhibit any paths that may be added due to 501 * closes. 502 */ 503 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 504 ((tad->tad_ctrl & PAD_PATHFND) && 505 !(kctx->auk_policy & AUDIT_PATH)) || 506 (tad->tad_ctrl & PAD_NOPATH)) { 507 return; 508 } 509 510 if (flag) { 511 tad->tad_ctrl |= PAD_ABSPATH; 512 if (tad->tad_aupath != NULL) { 513 au_pathrele(tad->tad_aupath); 514 tad->tad_aupath = NULL; 515 tad->tad_vn = NULL; 516 } 517 } 518 } 519 520 521 /* 522 * symbolic link. Save previous components. 523 * 524 * the path seen so far looks like this 525 * 526 * +-----------------------+----------------+ 527 * | path processed so far | remaining path | 528 * +-----------------------+----------------+ 529 * \-----------------------/ 530 * save this string if 531 * symbolic link relative 532 * (but don't include symlink component) 533 */ 534 535 /*ARGSUSED*/ 536 537 538 /* 539 * ROUTINE: AUDIT_SYMLINK 540 * PURPOSE: 541 * CALLBY: LOOKUPPN 542 * NOTE: 543 * TODO: 544 * QUESTION: 545 */ 546 void 547 audit_symlink(struct pathname *pnp, struct pathname *sympath) 548 { 549 char *sp; /* saved initial pp */ 550 char *cp; /* start of symlink path */ 551 uint_t len_path; /* processed path before symlink */ 552 t_audit_data_t *tad; 553 au_kcontext_t *kctx = GET_KCTX_PZ; 554 555 tad = U2A(u); 556 557 /* 558 * this event being audited or do we need path information 559 * later? This might be for a chdir/chroot or open (add path 560 * to file pointer. If the path has already been found for an 561 * open/creat then we don't need to process the path. 562 * 563 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 564 * chroot, chdir, open, creat system call processing. It determines 565 * if audit_savepath() will discard the path or we need it later. 566 * PAD_PATHFND means path already included in this audit record. It 567 * is used in cases where multiple path lookups are done per 568 * system call. The policy flag, AUDIT_PATH, controls if multiple 569 * paths are allowed. 570 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 571 * exit processing to inhibit any paths that may be added due to 572 * closes. 573 */ 574 if ((tad->tad_flag == 0 && 575 !(tad->tad_ctrl & PAD_SAVPATH)) || 576 ((tad->tad_ctrl & PAD_PATHFND) && 577 !(kctx->auk_policy & AUDIT_PATH)) || 578 (tad->tad_ctrl & PAD_NOPATH)) { 579 return; 580 } 581 582 /* 583 * if symbolic link is anchored at / then do nothing. 584 * When we cycle back to begin: in lookuppn() we will 585 * call audit_anchorpath() with a flag indicating if the 586 * path is anchored at / or is relative. We will release 587 * any saved path at that point. 588 * 589 * Note In the event that an error occurs in pn_combine then 590 * we want to remain pointing at the component that caused the 591 * path to overflow the pnp structure. 592 */ 593 if (sympath->pn_buf[0] == '/') 594 return; 595 596 /* backup over last component */ 597 sp = cp = pnp->pn_path; 598 while (*--cp != '/' && cp > pnp->pn_buf) 599 ; 600 601 len_path = cp - pnp->pn_buf; 602 603 /* is there anything to save? */ 604 if (len_path) { 605 pnp->pn_path = pnp->pn_buf; 606 audit_pathbuild(pnp); 607 pnp->pn_path = sp; 608 } 609 } 610 611 /* 612 * file_is_public : determine whether events for the file (corresponding to 613 * the specified file attr) should be audited or ignored. 614 * 615 * returns: 1 - if audit policy and file attributes indicate that 616 * file is effectively public. read events for 617 * the file should not be audited. 618 * 0 - otherwise 619 * 620 * The required attributes to be considered a public object are: 621 * - owned by root, AND 622 * - world-readable (permissions for other include read), AND 623 * - NOT world-writeable (permissions for other don't 624 * include write) 625 * (mode doesn't need to be checked for symlinks) 626 */ 627 int 628 file_is_public(struct vattr *attr) 629 { 630 au_kcontext_t *kctx = GET_KCTX_PZ; 631 632 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 633 ((attr->va_type == VLNK) || 634 ((attr->va_mode & (VREAD>>6)) != 0) && 635 ((attr->va_mode & (VWRITE>>6)) == 0))) { 636 return (1); 637 } 638 return (0); 639 } 640 641 642 /* 643 * ROUTINE: AUDIT_ATTRIBUTES 644 * PURPOSE: Audit the attributes so we can tell why the error occured 645 * CALLBY: AUDIT_SAVEPATH 646 * AUDIT_VNCREATE_FINISH 647 * AUS_FCHOWN...audit_event.c...audit_path.c 648 * NOTE: 649 * TODO: 650 * QUESTION: 651 */ 652 void 653 audit_attributes(struct vnode *vp) 654 { 655 struct vattr attr; 656 struct t_audit_data *tad; 657 658 tad = U2A(u); 659 660 if (vp) { 661 attr.va_mask = AT_ALL; 662 if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0) 663 return; 664 665 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 666 /* 667 * This is a public object and a "public" event 668 * (i.e., read only) -- either by definition 669 * (e.g., stat, access...) or by virtue of write access 670 * not being requested (e.g. mmap). 671 * Flag it in the tad to prevent this audit at the end. 672 */ 673 tad->tad_ctrl |= PAD_NOAUDIT; 674 } else { 675 au_uwrite(au_to_attr(&attr)); 676 audit_sec_attributes(&(u_ad), vp); 677 } 678 } 679 } 680 681 682 /* 683 * ROUTINE: AUDIT_FALLOC 684 * PURPOSE: allocating a new file structure 685 * CALLBY: FALLOC 686 * NOTE: file structure already initialized 687 * TODO: 688 * QUESTION: 689 */ 690 691 void 692 audit_falloc(struct file *fp) 693 { /* AUDIT_FALLOC */ 694 695 f_audit_data_t *fad; 696 697 /* allocate per file audit structure if there a'int any */ 698 ASSERT(F2A(fp) == NULL); 699 700 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 701 702 F2A(fp) = fad; 703 704 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 705 } 706 707 /* 708 * ROUTINE: AUDIT_UNFALLOC 709 * PURPOSE: deallocate file audit data structure 710 * CALLBY: CLOSEF 711 * UNFALLOC 712 * NOTE: 713 * TODO: 714 * QUESTION: 715 */ 716 717 void 718 audit_unfalloc(struct file *fp) 719 { 720 f_audit_data_t *fad; 721 722 fad = F2A(fp); 723 724 if (!fad) { 725 return; 726 } 727 if (fad->fad_aupath != NULL) { 728 au_pathrele(fad->fad_aupath); 729 } 730 fp->f_audit_data = 0; 731 kmem_free(fad, sizeof (struct f_audit_data)); 732 } 733 734 /* 735 * ROUTINE: AUDIT_EXIT 736 * PURPOSE: 737 * CALLBY: EXIT 738 * NOTE: 739 * TODO: 740 * QUESTION: why cmw code as offset by 2 but not here 741 */ 742 /* ARGSUSED */ 743 void 744 audit_exit(int code, int what) 745 { 746 struct t_audit_data *tad; 747 tad = U2A(u); 748 749 /* 750 * tad_scid will be set by audit_start even if we are not auditing 751 * the event. 752 */ 753 if (tad->tad_scid == SYS_exit) { 754 /* 755 * if we are auditing the exit system call, then complete 756 * audit record generation (no return from system call). 757 */ 758 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 759 audit_finish(0, SYS_exit, 0, 0); 760 return; 761 } 762 763 /* 764 * Anyone auditing the system call that was aborted? 765 */ 766 if (tad->tad_flag) { 767 au_uwrite(au_to_text("event aborted")); 768 audit_finish(0, tad->tad_scid, 0, 0); 769 } 770 771 /* 772 * Generate an audit record for process exit if preselected. 773 */ 774 (void) audit_start(0, SYS_exit, 0, 0); 775 audit_finish(0, SYS_exit, 0, 0); 776 } 777 778 /* 779 * ROUTINE: AUDIT_CORE_START 780 * PURPOSE: 781 * CALLBY: PSIG 782 * NOTE: 783 * TODO: 784 */ 785 void 786 audit_core_start(int sig) 787 { 788 au_event_t event; 789 au_state_t estate; 790 t_audit_data_t *tad; 791 au_kcontext_t *kctx; 792 793 tad = U2A(u); 794 795 ASSERT(tad != (t_audit_data_t *)0); 796 797 ASSERT(tad->tad_scid == 0); 798 ASSERT(tad->tad_event == 0); 799 ASSERT(tad->tad_evmod == 0); 800 ASSERT(tad->tad_ctrl == 0); 801 ASSERT(tad->tad_flag == 0); 802 ASSERT(tad->tad_aupath == NULL); 803 804 kctx = GET_KCTX_PZ; 805 806 /* get basic event for system call */ 807 event = AUE_CORE; 808 estate = kctx->auk_ets[event]; 809 810 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 811 return; 812 813 /* reset the flags for non-user attributable events */ 814 tad->tad_ctrl = PAD_CORE; 815 tad->tad_scid = 0; 816 817 /* if auditing not enabled, then don't generate an audit record */ 818 819 if (!((kctx->auk_auditstate == AUC_AUDITING || 820 kctx->auk_auditstate == AUC_INIT_AUDIT) || 821 kctx->auk_auditstate == AUC_NOSPACE)) { 822 tad->tad_flag = 0; 823 tad->tad_ctrl = 0; 824 return; 825 } 826 827 tad->tad_event = event; 828 tad->tad_evmod = 0; 829 830 ASSERT(tad->tad_ad == NULL); 831 832 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 833 } 834 835 /* 836 * ROUTINE: AUDIT_CORE_FINISH 837 * PURPOSE: 838 * CALLBY: PSIG 839 * NOTE: 840 * TODO: 841 * QUESTION: 842 */ 843 844 /*ARGSUSED*/ 845 void 846 audit_core_finish(int code) 847 { 848 int flag; 849 t_audit_data_t *tad; 850 au_kcontext_t *kctx; 851 852 tad = U2A(u); 853 854 ASSERT(tad != (t_audit_data_t *)0); 855 856 if ((flag = tad->tad_flag) == 0) { 857 tad->tad_event = 0; 858 tad->tad_evmod = 0; 859 tad->tad_ctrl = 0; 860 ASSERT(tad->tad_aupath == NULL); 861 return; 862 } 863 tad->tad_flag = 0; 864 865 kctx = GET_KCTX_PZ; 866 867 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 868 if (flag = audit_success(kctx, tad, 0, NULL)) { 869 cred_t *cr = CRED(); 870 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 871 872 ASSERT(ainfo != NULL); 873 874 /* 875 * Add subject information (no locks since our private copy of 876 * credential 877 */ 878 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 879 880 /* Add a return token (should use f argument) */ 881 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 882 883 AS_INC(as_generated, 1, kctx); 884 AS_INC(as_kernel, 1, kctx); 885 } 886 887 /* Close up everything */ 888 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 889 890 /* free up any space remaining with the path's */ 891 if (tad->tad_aupath != NULL) { 892 au_pathrele(tad->tad_aupath); 893 tad->tad_aupath = NULL; 894 tad->tad_vn = NULL; 895 } 896 tad->tad_event = 0; 897 tad->tad_evmod = 0; 898 tad->tad_ctrl = 0; 899 } 900 901 /*ARGSUSED*/ 902 void 903 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 904 { 905 } 906 907 /*ARGSUSED*/ 908 void 909 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 910 { 911 } 912 913 /*ARGSUSED*/ 914 void 915 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 916 int copyflag, cred_t *crp, int *rvalp) 917 { 918 } 919 920 921 /*ARGSUSED*/ 922 void 923 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 924 unsigned char *pri, int *flag, int fmode) 925 { 926 struct stdata *stp; 927 t_audit_data_t *tad = U2A(u); 928 929 ASSERT(tad != (t_audit_data_t *)0); 930 931 stp = vp->v_stream; 932 933 /* lock stdata from audit_sock */ 934 mutex_enter(&stp->sd_lock); 935 936 /* proceed ONLY if user is being audited */ 937 if (!tad->tad_flag) { 938 /* 939 * this is so we will not add audit data onto 940 * a thread that is not being audited. 941 */ 942 stp->sd_t_audit_data = NULL; 943 mutex_exit(&stp->sd_lock); 944 return; 945 } 946 947 stp->sd_t_audit_data = (caddr_t)curthread; 948 mutex_exit(&stp->sd_lock); 949 } 950 951 /*ARGSUSED*/ 952 void 953 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 954 unsigned char pri, int flag, int fmode) 955 { 956 struct stdata *stp; 957 t_audit_data_t *tad = U2A(u); 958 959 ASSERT(tad != (t_audit_data_t *)0); 960 961 stp = vp->v_stream; 962 963 /* lock stdata from audit_sock */ 964 mutex_enter(&stp->sd_lock); 965 966 /* proceed ONLY if user is being audited */ 967 if (!tad->tad_flag) { 968 /* 969 * this is so we will not add audit data onto 970 * a thread that is not being audited. 971 */ 972 stp->sd_t_audit_data = NULL; 973 mutex_exit(&stp->sd_lock); 974 return; 975 } 976 977 stp->sd_t_audit_data = (caddr_t)curthread; 978 mutex_exit(&stp->sd_lock); 979 } 980 981 /* 982 * ROUTINE: AUDIT_CLOSEF 983 * PURPOSE: 984 * CALLBY: CLOSEF 985 * NOTE: 986 * release per file audit resources when file structure is being released. 987 * 988 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 989 * on the audit queue if it becomes full. This means 990 * audit_closef can not be called when f_count == 0. Since 991 * f_count == 0 indicates the file structure is free, another 992 * process could attempt to use the file while we were still 993 * asleep waiting on the audit queue. This would cause the 994 * per file audit data to be corrupted when we finally do 995 * wakeup. 996 * TODO: 997 * QUESTION: 998 */ 999 1000 void 1001 audit_closef(struct file *fp) 1002 { /* AUDIT_CLOSEF */ 1003 f_audit_data_t *fad; 1004 t_audit_data_t *tad; 1005 int success; 1006 au_state_t estate; 1007 struct vnode *vp; 1008 token_t *ad = NULL; 1009 struct vattr attr; 1010 short evmod = 0; 1011 const auditinfo_addr_t *ainfo; 1012 int getattr_ret; 1013 cred_t *cr; 1014 au_kcontext_t *kctx = GET_KCTX_PZ; 1015 1016 fad = F2A(fp); 1017 estate = kctx->auk_ets[AUE_CLOSE]; 1018 tad = U2A(u); 1019 cr = CRED(); 1020 1021 /* audit record already generated by system call envelope */ 1022 if (tad->tad_event == AUE_CLOSE) { 1023 /* so close audit event will have bits set */ 1024 tad->tad_evmod |= (short)fad->fad_flags; 1025 return; 1026 } 1027 1028 /* if auditing not enabled, then don't generate an audit record */ 1029 if (!((kctx->auk_auditstate == AUC_AUDITING || 1030 kctx->auk_auditstate == AUC_INIT_AUDIT) || 1031 kctx->auk_auditstate == AUC_NOSPACE)) 1032 return; 1033 1034 ainfo = crgetauinfo(cr); 1035 if (ainfo == NULL) 1036 return; 1037 1038 success = ainfo->ai_mask.as_success & estate; 1039 1040 /* not selected for this event */ 1041 if (success == 0) 1042 return; 1043 1044 /* 1045 * can't use audit_attributes here since we use a private audit area 1046 * to build the audit record instead of the one off the thread. 1047 */ 1048 if ((vp = fp->f_vnode) != NULL) { 1049 attr.va_mask = AT_ALL; 1050 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED()); 1051 } 1052 1053 /* 1054 * When write was not used and the file can be considered public, 1055 * then skip the audit. 1056 */ 1057 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 1058 if (file_is_public(&attr)) { 1059 return; 1060 } 1061 } 1062 1063 evmod = (short)fad->fad_flags; 1064 if (fad->fad_aupath != NULL) { 1065 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 1066 } else { 1067 #ifdef _LP64 1068 au_write((caddr_t *)&(ad), au_to_arg64( 1069 1, "no path: fp", (uint64_t)fp)); 1070 #else 1071 au_write((caddr_t *)&(ad), au_to_arg32( 1072 1, "no path: fp", (uint32_t)fp)); 1073 #endif 1074 } 1075 1076 if (getattr_ret == 0) { 1077 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1078 audit_sec_attributes((caddr_t *)&(ad), vp); 1079 } 1080 1081 /* Add subject information */ 1082 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1083 1084 /* add a return token */ 1085 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 1086 1087 AS_INC(as_generated, 1, kctx); 1088 AS_INC(as_kernel, 1, kctx); 1089 1090 /* 1091 * Close up everything 1092 * Note: path space recovery handled by normal system 1093 * call envelope if not at last close. 1094 * Note there is no failure at this point since 1095 * this represents closes due to exit of process, 1096 * thus we always indicate successful closes. 1097 */ 1098 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 1099 AUE_CLOSE, evmod); 1100 } 1101 1102 /* 1103 * ROUTINE: AUDIT_SET 1104 * PURPOSE: Audit the file path and file attributes. 1105 * CALLBY: SETF 1106 * NOTE: SETF associate a file pointer with user area's open files. 1107 * TODO: 1108 * call audit_finish directly ??? 1109 * QUESTION: 1110 */ 1111 1112 /*ARGSUSED*/ 1113 void 1114 audit_setf(file_t *fp, int fd) 1115 { 1116 f_audit_data_t *fad; 1117 t_audit_data_t *tad; 1118 1119 if (fp == NULL) 1120 return; 1121 1122 tad = T2A(curthread); 1123 fad = F2A(fp); 1124 1125 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 1126 tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 1127 tad->tad_scid == SYS_fsat)) 1128 return; 1129 1130 /* no path */ 1131 if (tad->tad_aupath == 0) 1132 return; 1133 1134 /* 1135 * assign path information associated with file audit data 1136 * use tad hold 1137 */ 1138 fad->fad_aupath = tad->tad_aupath; 1139 tad->tad_aupath = NULL; 1140 tad->tad_vn = NULL; 1141 1142 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 1143 /* adjust event type */ 1144 switch (tad->tad_event) { 1145 case AUE_OPEN_RC: 1146 tad->tad_event = AUE_OPEN_R; 1147 tad->tad_ctrl |= PAD_PUBLIC_EV; 1148 break; 1149 case AUE_OPEN_RTC: 1150 tad->tad_event = AUE_OPEN_RT; 1151 break; 1152 case AUE_OPEN_WC: 1153 tad->tad_event = AUE_OPEN_W; 1154 break; 1155 case AUE_OPEN_WTC: 1156 tad->tad_event = AUE_OPEN_WT; 1157 break; 1158 case AUE_OPEN_RWC: 1159 tad->tad_event = AUE_OPEN_RW; 1160 break; 1161 case AUE_OPEN_RWTC: 1162 tad->tad_event = AUE_OPEN_RWT; 1163 break; 1164 default: 1165 break; 1166 } 1167 } 1168 } 1169 1170 1171 /* 1172 * ROUTINE: AUDIT_COPEN 1173 * PURPOSE: 1174 * CALLBY: COPEN 1175 * NOTE: 1176 * TODO: 1177 * QUESTION: 1178 */ 1179 /*ARGSUSED*/ 1180 void 1181 audit_copen(int fd, file_t *fp, vnode_t *vp) 1182 { 1183 } 1184 1185 void 1186 audit_ipc(int type, int id, void *vp) 1187 { 1188 /* if not auditing this event, then do nothing */ 1189 if (ad_flag == 0) 1190 return; 1191 1192 switch (type) { 1193 case AT_IPC_MSG: 1194 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1195 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1196 break; 1197 case AT_IPC_SEM: 1198 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1199 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1200 break; 1201 case AT_IPC_SHM: 1202 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 1203 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1204 break; 1205 } 1206 } 1207 1208 void 1209 audit_ipcget(int type, void *vp) 1210 { 1211 /* if not auditing this event, then do nothing */ 1212 if (ad_flag == 0) 1213 return; 1214 1215 switch (type) { 1216 case NULL: 1217 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 1218 break; 1219 case AT_IPC_MSG: 1220 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1221 break; 1222 case AT_IPC_SEM: 1223 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1224 break; 1225 case AT_IPC_SHM: 1226 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1227 break; 1228 } 1229 } 1230 1231 /* 1232 * ROUTINE: AUDIT_REBOOT 1233 * PURPOSE: 1234 * CALLBY: 1235 * NOTE: 1236 * At this point we know that the system call reboot will not return. We thus 1237 * have to complete the audit record generation and put it onto the queue. 1238 * This might be fairly useless if the auditing daemon is already dead.... 1239 * TODO: 1240 * QUESTION: who calls audit_reboot 1241 */ 1242 1243 void 1244 audit_reboot(void) 1245 { 1246 int flag; 1247 t_audit_data_t *tad; 1248 au_kcontext_t *kctx = GET_KCTX_PZ; 1249 1250 tad = U2A(u); 1251 1252 /* if not auditing this event, then do nothing */ 1253 if (tad->tad_flag == 0) 1254 return; 1255 1256 /* do preselection on success/failure */ 1257 if (flag = audit_success(kctx, tad, 0, NULL)) { 1258 /* add a process token */ 1259 1260 cred_t *cr = CRED(); 1261 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1262 1263 if (ainfo == NULL) 1264 return; 1265 1266 /* Add subject information */ 1267 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1268 1269 /* add a return token */ 1270 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1271 1272 AS_INC(as_generated, 1, kctx); 1273 AS_INC(as_kernel, 1, kctx); 1274 } 1275 1276 /* 1277 * Flow control useless here since we're going 1278 * to drop everything in the queue anyway. Why 1279 * block and wait. There aint anyone left alive to 1280 * read the records remaining anyway. 1281 */ 1282 1283 /* Close up everything */ 1284 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1285 tad->tad_event, tad->tad_evmod); 1286 } 1287 1288 void 1289 audit_setfsat_path(int argnum) 1290 { 1291 klwp_id_t clwp = ttolwp(curthread); 1292 struct file *fp; 1293 uint32_t fd; 1294 t_audit_data_t *tad; 1295 struct f_audit_data *fad; 1296 p_audit_data_t *pad; /* current process */ 1297 1298 struct b { 1299 long arg1; 1300 long arg2; 1301 long arg3; 1302 long arg4; 1303 long arg5; 1304 } *uap1; 1305 1306 if (clwp == NULL) 1307 return; 1308 uap1 = (struct b *)&clwp->lwp_ap[1]; 1309 1310 tad = U2A(u); 1311 1312 ASSERT(tad != NULL); 1313 1314 if (tad->tad_scid != SYS_fsat) 1315 return; 1316 1317 switch (argnum) { 1318 case 1: 1319 fd = (uint32_t)uap1->arg1; 1320 break; 1321 case 2: 1322 fd = (uint32_t)uap1->arg2; 1323 break; 1324 case 3: 1325 fd = (uint32_t)uap1->arg3; 1326 break; 1327 case 4: 1328 fd = (uint32_t)uap1->arg4; 1329 break; 1330 case 5: 1331 fd = (uint32_t)uap1->arg5; 1332 break; 1333 default: 1334 return; 1335 } 1336 1337 if (tad->tad_atpath != NULL) { 1338 au_pathrele(tad->tad_atpath); 1339 tad->tad_atpath = NULL; 1340 } 1341 if (fd != AT_FDCWD) { 1342 if ((fp = getf(fd)) == NULL) 1343 return; 1344 1345 fad = F2A(fp); 1346 ASSERT(fad); 1347 au_pathhold(fad->fad_aupath); 1348 tad->tad_atpath = fad->fad_aupath; 1349 releasef(fd); 1350 } else { 1351 pad = P2A(curproc); 1352 mutex_enter(&pad->pad_lock); 1353 au_pathhold(pad->pad_cwd); 1354 tad->tad_atpath = pad->pad_cwd; 1355 mutex_exit(&pad->pad_lock); 1356 } 1357 } 1358 1359 void 1360 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1361 { 1362 t_audit_data_t *tad; 1363 vnode_t *vp; 1364 1365 tad = U2A(u); 1366 1367 /* if not auditing this event, then do nothing */ 1368 if (tad->tad_flag == 0) 1369 return; 1370 1371 au_uwrite(au_to_text(target)); 1372 1373 if (error) 1374 return; 1375 1376 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED()); 1377 if (error == 0) { 1378 audit_attributes(vp); 1379 VN_RELE(vp); 1380 } 1381 } 1382 1383 /* 1384 * ROUTINE: AUDIT_VNCREATE_START 1385 * PURPOSE: set flag so path name lookup in create will not add attribute 1386 * CALLBY: VN_CREATE 1387 * NOTE: 1388 * TODO: 1389 * QUESTION: 1390 */ 1391 1392 void 1393 audit_vncreate_start() 1394 { 1395 t_audit_data_t *tad; 1396 1397 tad = U2A(u); 1398 tad->tad_ctrl |= PAD_NOATTRB; 1399 } 1400 1401 /* 1402 * ROUTINE: AUDIT_VNCREATE_FINISH 1403 * PURPOSE: 1404 * CALLBY: VN_CREATE 1405 * NOTE: 1406 * TODO: 1407 * QUESTION: 1408 */ 1409 void 1410 audit_vncreate_finish(struct vnode *vp, int error) 1411 { 1412 t_audit_data_t *tad; 1413 1414 if (error) 1415 return; 1416 1417 tad = U2A(u); 1418 1419 /* if not auditing this event, then do nothing */ 1420 if (tad->tad_flag == 0) 1421 return; 1422 1423 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1424 audit_attributes(vp); 1425 } 1426 1427 if (tad->tad_ctrl & PAD_CORE) { 1428 audit_attributes(vp); 1429 tad->tad_ctrl &= ~PAD_CORE; 1430 } 1431 1432 if (!error && ((tad->tad_event == AUE_MKNOD) || 1433 (tad->tad_event == AUE_MKDIR))) { 1434 audit_attributes(vp); 1435 } 1436 1437 /* for case where multiple lookups in one syscall (rename) */ 1438 tad->tad_ctrl &= ~PAD_NOATTRB; 1439 } 1440 1441 1442 1443 1444 1445 1446 1447 1448 /* 1449 * ROUTINE: AUDIT_EXEC 1450 * PURPOSE: Records the function arguments and environment variables 1451 * CALLBY: EXEC_ARGS 1452 * NOTE: 1453 * TODO: 1454 * QUESTION: 1455 */ 1456 1457 /*ARGSUSED*/ 1458 void 1459 audit_exec( 1460 const char *argstr, /* argument strings */ 1461 const char *envstr, /* environment strings */ 1462 ssize_t argc, /* total # arguments */ 1463 ssize_t envc) /* total # environment variables */ 1464 { 1465 t_audit_data_t *tad; 1466 au_kcontext_t *kctx = GET_KCTX_PZ; 1467 1468 tad = U2A(u); 1469 1470 /* if not auditing this event, then do nothing */ 1471 if (!tad->tad_flag) 1472 return; 1473 1474 /* return if not interested in argv or environment variables */ 1475 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1476 return; 1477 1478 if (kctx->auk_policy & AUDIT_ARGV) { 1479 au_uwrite(au_to_exec_args(argstr, argc)); 1480 } 1481 1482 if (kctx->auk_policy & AUDIT_ARGE) { 1483 au_uwrite(au_to_exec_env(envstr, envc)); 1484 } 1485 } 1486 1487 /* 1488 * ROUTINE: AUDIT_ENTERPROM 1489 * PURPOSE: 1490 * CALLBY: KBDINPUT 1491 * ZSA_XSINT 1492 * NOTE: 1493 * TODO: 1494 * QUESTION: 1495 */ 1496 void 1497 audit_enterprom(int flg) 1498 { 1499 token_t *rp = NULL; 1500 int sorf; 1501 1502 if (flg) 1503 sorf = AUM_SUCC; 1504 else 1505 sorf = AUM_FAIL; 1506 1507 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1508 1509 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1510 1511 if (flg) 1512 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1513 else 1514 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1515 1516 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 1517 } 1518 1519 1520 /* 1521 * ROUTINE: AUDIT_EXITPROM 1522 * PURPOSE: 1523 * CALLBY: KBDINPUT 1524 * ZSA_XSINT 1525 * NOTE: 1526 * TODO: 1527 * QUESTION: 1528 */ 1529 void 1530 audit_exitprom(int flg) 1531 { 1532 int sorf; 1533 token_t *rp = NULL; 1534 1535 if (flg) 1536 sorf = AUM_SUCC; 1537 else 1538 sorf = AUM_FAIL; 1539 1540 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1541 1542 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1543 1544 if (flg) 1545 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1546 else 1547 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1548 1549 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 1550 } 1551 1552 struct fcntla { 1553 int fdes; 1554 int cmd; 1555 intptr_t arg; 1556 }; 1557 1558 /* 1559 * ROUTINE: AUDIT_C2_REVOKE 1560 * PURPOSE: 1561 * CALLBY: FCNTL 1562 * NOTE: 1563 * TODO: 1564 * QUESTION: are we keeping this func 1565 */ 1566 1567 /*ARGSUSED*/ 1568 int 1569 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1570 { 1571 return (0); 1572 } 1573 1574 1575 /* 1576 * ROUTINE: AUDIT_CHDIREC 1577 * PURPOSE: 1578 * CALLBY: CHDIREC 1579 * NOTE: The main function of CHDIREC 1580 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1581 * QUESTION: 1582 */ 1583 1584 /*ARGSUSED*/ 1585 void 1586 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1587 { 1588 int chdir; 1589 int fchdir; 1590 struct audit_path **appp; 1591 struct file *fp; 1592 f_audit_data_t *fad; 1593 p_audit_data_t *pad = P2A(curproc); 1594 t_audit_data_t *tad = T2A(curthread); 1595 1596 struct a { 1597 long fd; 1598 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1599 1600 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1601 chdir = tad->tad_scid == SYS_chdir; 1602 if (tad->tad_aupath) { 1603 mutex_enter(&pad->pad_lock); 1604 if (chdir) 1605 appp = &(pad->pad_cwd); 1606 else 1607 appp = &(pad->pad_root); 1608 au_pathrele(*appp); 1609 /* use tad hold */ 1610 *appp = tad->tad_aupath; 1611 tad->tad_aupath = NULL; 1612 mutex_exit(&pad->pad_lock); 1613 } 1614 } else if ((tad->tad_scid == SYS_fchdir) || 1615 (tad->tad_scid == SYS_fchroot)) { 1616 fchdir = tad->tad_scid == SYS_fchdir; 1617 if ((fp = getf(uap->fd)) == NULL) 1618 return; 1619 fad = F2A(fp); 1620 if (fad->fad_aupath) { 1621 au_pathhold(fad->fad_aupath); 1622 mutex_enter(&pad->pad_lock); 1623 if (fchdir) 1624 appp = &(pad->pad_cwd); 1625 else 1626 appp = &(pad->pad_root); 1627 au_pathrele(*appp); 1628 *appp = fad->fad_aupath; 1629 mutex_exit(&pad->pad_lock); 1630 if (tad->tad_flag) { 1631 au_uwrite(au_to_path(fad->fad_aupath)); 1632 audit_attributes(fp->f_vnode); 1633 } 1634 } 1635 releasef(uap->fd); 1636 } 1637 } 1638 1639 /* 1640 * ROUTINE: AUDIT_GETF 1641 * PURPOSE: 1642 * CALLBY: GETF_INTERNAL 1643 * NOTE: The main function of GETF_INTERNAL is to associate a given 1644 * file descriptor with a file structure and increment the 1645 * file pointer reference count. 1646 * TODO: remove pass in of fpp. 1647 * increment a reference count so that even if a thread with same process delete 1648 * the same object, it will not panic our system 1649 * QUESTION: 1650 * where to decrement the f_count????????????????? 1651 * seems like I need to set a flag if f_count incrmented through audit_getf 1652 */ 1653 1654 /*ARGSUSED*/ 1655 int 1656 audit_getf(int fd) 1657 { 1658 #ifdef NOTYET 1659 t_audit_data_t *tad; 1660 1661 tad = T2A(curthread); 1662 1663 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 1664 return; 1665 #endif 1666 return (0); 1667 } 1668 1669 /* 1670 * Audit hook for stream based socket and tli request. 1671 * Note that we do not have user context while executing 1672 * this code so we had to record them earlier during the 1673 * putmsg/getmsg to figure out which user we are dealing with. 1674 */ 1675 1676 /*ARGSUSED*/ 1677 void 1678 audit_sock( 1679 int type, /* type of tihdr.h header requests */ 1680 queue_t *q, /* contains the process and thread audit data */ 1681 mblk_t *mp, /* contains the tihdr.h header structures */ 1682 int from) /* timod or sockmod request */ 1683 { 1684 int32_t len; 1685 int32_t offset; 1686 struct sockaddr_in *sock_data; 1687 struct T_conn_req *conn_req; 1688 struct T_conn_ind *conn_ind; 1689 struct T_unitdata_req *unitdata_req; 1690 struct T_unitdata_ind *unitdata_ind; 1691 au_state_t estate; 1692 t_audit_data_t *tad; 1693 caddr_t saved_thread_ptr; 1694 au_mask_t amask; 1695 const auditinfo_addr_t *ainfo; 1696 au_kcontext_t *kctx; 1697 1698 if (q->q_stream == NULL) 1699 return; 1700 mutex_enter(&q->q_stream->sd_lock); 1701 /* are we being audited */ 1702 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1703 /* no pointer to thread, nothing to do */ 1704 if (saved_thread_ptr == NULL) { 1705 mutex_exit(&q->q_stream->sd_lock); 1706 return; 1707 } 1708 /* only allow one addition of a record token */ 1709 q->q_stream->sd_t_audit_data = NULL; 1710 /* 1711 * thread is not the one being audited, then nothing to do 1712 * This could be the stream thread handling the module 1713 * service routine. In this case, the context for the audit 1714 * record can no longer be assumed. Simplest to just drop 1715 * the operation. 1716 */ 1717 if (curthread != (kthread_id_t)saved_thread_ptr) { 1718 mutex_exit(&q->q_stream->sd_lock); 1719 return; 1720 } 1721 if (curthread->t_sysnum >= SYS_so_socket && 1722 curthread->t_sysnum <= SYS_sockconfig) { 1723 mutex_exit(&q->q_stream->sd_lock); 1724 return; 1725 } 1726 mutex_exit(&q->q_stream->sd_lock); 1727 /* 1728 * we know that the thread that did the put/getmsg is the 1729 * one running. Now we can get the TAD and see if we should 1730 * add an audit token. 1731 */ 1732 tad = U2A(u); 1733 1734 kctx = GET_KCTX_PZ; 1735 1736 /* proceed ONLY if user is being audited */ 1737 if (!tad->tad_flag) 1738 return; 1739 1740 ainfo = crgetauinfo(CRED()); 1741 if (ainfo == NULL) 1742 return; 1743 amask = ainfo->ai_mask; 1744 1745 /* 1746 * Figure out the type of stream networking request here. 1747 * Note that getmsg and putmsg are always preselected 1748 * because during the beginning of the system call we have 1749 * not yet figure out which of the socket or tli request 1750 * we are looking at until we are here. So we need to check 1751 * against that specific request and reset the type of event. 1752 */ 1753 switch (type) { 1754 case T_CONN_REQ: /* connection request */ 1755 conn_req = (struct T_conn_req *)mp->b_rptr; 1756 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1757 return; 1758 offset = conn_req->DEST_offset; 1759 len = conn_req->DEST_length; 1760 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1761 if (amask.as_success & estate || amask.as_failure & estate) { 1762 tad->tad_event = AUE_SOCKCONNECT; 1763 break; 1764 } else { 1765 return; 1766 } 1767 case T_CONN_IND: /* connectionless receive request */ 1768 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1769 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1770 return; 1771 offset = conn_ind->SRC_offset; 1772 len = conn_ind->SRC_length; 1773 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1774 if (amask.as_success & estate || amask.as_failure & estate) { 1775 tad->tad_event = AUE_SOCKACCEPT; 1776 break; 1777 } else { 1778 return; 1779 } 1780 case T_UNITDATA_REQ: /* connectionless send request */ 1781 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1782 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1783 return; 1784 offset = unitdata_req->DEST_offset; 1785 len = unitdata_req->DEST_length; 1786 estate = kctx->auk_ets[AUE_SOCKSEND]; 1787 if (amask.as_success & estate || amask.as_failure & estate) { 1788 tad->tad_event = AUE_SOCKSEND; 1789 break; 1790 } else { 1791 return; 1792 } 1793 case T_UNITDATA_IND: /* connectionless receive request */ 1794 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1795 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1796 return; 1797 offset = unitdata_ind->SRC_offset; 1798 len = unitdata_ind->SRC_length; 1799 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1800 if (amask.as_success & estate || amask.as_failure & estate) { 1801 tad->tad_event = AUE_SOCKRECEIVE; 1802 break; 1803 } else { 1804 return; 1805 } 1806 default: 1807 return; 1808 } 1809 1810 /* 1811 * we are only interested in tcp stream connections, 1812 * not unix domain stuff 1813 */ 1814 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1815 tad->tad_event = AUE_GETMSG; 1816 return; 1817 } 1818 /* skip over TPI header and point to the ip address */ 1819 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1820 1821 switch (sock_data->sin_family) { 1822 case AF_INET: 1823 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1824 break; 1825 default: /* reset to AUE_PUTMSG if not a inet request */ 1826 tad->tad_event = AUE_GETMSG; 1827 break; 1828 } 1829 } 1830 1831 void 1832 audit_lookupname() 1833 { 1834 } 1835 1836 /*ARGSUSED*/ 1837 int 1838 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1839 { 1840 return (0); 1841 } 1842 1843 static void 1844 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1845 { 1846 unsigned int sy_flags; 1847 1848 #ifdef _SYSCALL32_IMPL 1849 if (lwp_getdatamodel( 1850 ttolwp(curthread)) == DATAMODEL_NATIVE) 1851 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1852 else 1853 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1854 #else 1855 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1856 #endif 1857 1858 if (sy_flags == SE_64RVAL) 1859 au_write(ad, au_to_return64(err, rval)); 1860 else 1861 au_write(ad, au_to_return32(err, rval)); 1862 1863 } 1864 1865 /*ARGSUSED*/ 1866 void 1867 audit_fdsend(fd, fp, error) 1868 int fd; 1869 struct file *fp; 1870 int error; /* ignore for now */ 1871 { 1872 t_audit_data_t *tad; /* current thread */ 1873 f_audit_data_t *fad; /* per file audit structure */ 1874 struct vnode *vp; /* for file attributes */ 1875 1876 /* is this system call being audited */ 1877 tad = U2A(u); 1878 ASSERT(tad != (t_audit_data_t *)0); 1879 if (!tad->tad_flag) 1880 return; 1881 1882 fad = F2A(fp); 1883 1884 /* add path and file attributes */ 1885 if (fad != NULL && fad->fad_aupath != NULL) { 1886 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1887 au_uwrite(au_to_path(fad->fad_aupath)); 1888 } else { 1889 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1890 #ifdef _LP64 1891 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1892 #else 1893 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1894 #endif 1895 } 1896 vp = fp->f_vnode; /* include vnode attributes */ 1897 audit_attributes(vp); 1898 } 1899 1900 /* 1901 * Record privileges sucessfully used and we attempted to use but 1902 * didn't have. 1903 */ 1904 void 1905 audit_priv(int priv, const priv_set_t *set, int flag) 1906 { 1907 t_audit_data_t *tad; 1908 int sbit; 1909 priv_set_t *target; 1910 1911 /* Make sure this isn't being called in an interrupt context */ 1912 ASSERT(servicing_interrupt() == 0); 1913 1914 tad = U2A(u); 1915 1916 if (tad->tad_flag == 0) 1917 return; 1918 1919 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1920 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1921 1922 /* Tell audit_success() and audit_finish() that we saw this case */ 1923 if (!(tad->tad_evmod & sbit)) { 1924 /* Clear set first time around */ 1925 priv_emptyset(target); 1926 tad->tad_evmod |= sbit; 1927 } 1928 1929 /* Save the privileges in the tad */ 1930 if (priv == PRIV_ALL) { 1931 priv_fillset(target); 1932 } else { 1933 ASSERT(set != NULL || priv != PRIV_NONE); 1934 if (set != NULL) 1935 priv_union(set, target); 1936 if (priv != PRIV_NONE) 1937 priv_addset(target, priv); 1938 } 1939 } 1940 1941 /* 1942 * Audit the setpriv() system call; the operation, the set name and 1943 * the current value as well as the set argument are put in the 1944 * audit trail. 1945 */ 1946 void 1947 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1948 { 1949 t_audit_data_t *tad; 1950 const priv_set_t *oldpriv; 1951 priv_set_t report; 1952 const char *setname; 1953 1954 tad = U2A(u); 1955 1956 if (tad->tad_flag == 0) 1957 return; 1958 1959 oldpriv = priv_getset(ocr, set); 1960 1961 /* Generate the actual record, include the before and after */ 1962 au_uwrite(au_to_arg32(2, "op", op)); 1963 setname = priv_getsetbynum(set); 1964 1965 switch (op) { 1966 case PRIV_OFF: 1967 /* Report privileges actually switched off */ 1968 report = *oldpriv; 1969 priv_intersect(newpriv, &report); 1970 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1971 break; 1972 case PRIV_ON: 1973 /* Report privileges actually switched on */ 1974 report = *oldpriv; 1975 priv_inverse(&report); 1976 priv_intersect(newpriv, &report); 1977 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1978 break; 1979 case PRIV_SET: 1980 /* Report before and after */ 1981 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1982 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1983 break; 1984 } 1985 } 1986 1987 /* 1988 * Dump the full device policy setting in the audit trail. 1989 */ 1990 void 1991 audit_devpolicy(int nitems, const devplcysys_t *items) 1992 { 1993 t_audit_data_t *tad; 1994 int i; 1995 1996 tad = U2A(u); 1997 1998 if (tad->tad_flag == 0) 1999 return; 2000 2001 for (i = 0; i < nitems; i++) { 2002 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 2003 if (items[i].dps_minornm[0] == '\0') { 2004 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 2005 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 2006 } else 2007 au_uwrite(au_to_text(items[i].dps_minornm)); 2008 2009 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 2010 AUT_PRIV, 0)); 2011 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 2012 AUT_PRIV, 0)); 2013 } 2014 } 2015 2016 /*ARGSUSED*/ 2017 void 2018 audit_fdrecv(fd, fp) 2019 int fd; 2020 struct file *fp; 2021 { 2022 t_audit_data_t *tad; /* current thread */ 2023 f_audit_data_t *fad; /* per file audit structure */ 2024 struct vnode *vp; /* for file attributes */ 2025 2026 /* is this system call being audited */ 2027 tad = U2A(u); 2028 ASSERT(tad != (t_audit_data_t *)0); 2029 if (!tad->tad_flag) 2030 return; 2031 2032 fad = F2A(fp); 2033 2034 /* add path and file attributes */ 2035 if (fad != NULL && fad->fad_aupath != NULL) { 2036 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2037 au_uwrite(au_to_path(fad->fad_aupath)); 2038 } else { 2039 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2040 #ifdef _LP64 2041 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 2042 #else 2043 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 2044 #endif 2045 } 2046 vp = fp->f_vnode; /* include vnode attributes */ 2047 audit_attributes(vp); 2048 } 2049 2050 /* 2051 * ROUTINE: AUDIT_CRYPTOADM 2052 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 2053 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 2054 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 2055 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 2056 * CRYPTO_LOAD_DOOR 2057 * NOTE: 2058 * TODO: 2059 * QUESTION: 2060 */ 2061 2062 void 2063 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 2064 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 2065 { 2066 boolean_t mech_list_required = B_FALSE; 2067 cred_t *cr = CRED(); 2068 t_audit_data_t *tad; 2069 token_t *ad = NULL; 2070 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2071 char buffer[MAXNAMELEN * 2]; 2072 au_kcontext_t *kctx = GET_KCTX_PZ; 2073 2074 tad = U2A(u); 2075 if (tad == NULL) 2076 return; 2077 2078 if (ainfo == NULL) 2079 return; 2080 2081 tad->tad_event = AUE_CRYPTOADM; 2082 2083 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2084 return; 2085 2086 /* Add subject information */ 2087 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 2088 2089 switch (cmd) { 2090 case CRYPTO_LOAD_DEV_DISABLED: 2091 if (error == 0 && rv == CRYPTO_SUCCESS) { 2092 (void) snprintf(buffer, sizeof (buffer), 2093 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 2094 " dev_instance=%d", 2095 module_name, device_instance); 2096 mech_list_required = B_TRUE; 2097 } else { 2098 (void) snprintf(buffer, sizeof (buffer), 2099 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 2100 } 2101 break; 2102 2103 case CRYPTO_LOAD_SOFT_DISABLED: 2104 if (error == 0 && rv == CRYPTO_SUCCESS) { 2105 (void) snprintf(buffer, sizeof (buffer), 2106 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 2107 module_name); 2108 mech_list_required = B_TRUE; 2109 } else { 2110 (void) snprintf(buffer, sizeof (buffer), 2111 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 2112 } 2113 break; 2114 2115 case CRYPTO_UNLOAD_SOFT_MODULE: 2116 if (error == 0 && rv == CRYPTO_SUCCESS) { 2117 (void) snprintf(buffer, sizeof (buffer), 2118 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 2119 module_name); 2120 } else { 2121 (void) snprintf(buffer, sizeof (buffer), 2122 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 2123 } 2124 break; 2125 2126 case CRYPTO_LOAD_SOFT_CONFIG: 2127 if (error == 0 && rv == CRYPTO_SUCCESS) { 2128 (void) snprintf(buffer, sizeof (buffer), 2129 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 2130 module_name); 2131 mech_list_required = B_TRUE; 2132 } else { 2133 (void) snprintf(buffer, sizeof (buffer), 2134 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 2135 } 2136 break; 2137 2138 case CRYPTO_POOL_CREATE: 2139 (void) snprintf(buffer, sizeof (buffer), 2140 "op=CRYPTO_POOL_CREATE"); 2141 break; 2142 2143 case CRYPTO_POOL_WAIT: 2144 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 2145 break; 2146 2147 case CRYPTO_POOL_RUN: 2148 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 2149 break; 2150 2151 case CRYPTO_LOAD_DOOR: 2152 if (error == 0 && rv == CRYPTO_SUCCESS) 2153 (void) snprintf(buffer, sizeof (buffer), 2154 "op=CRYPTO_LOAD_DOOR"); 2155 else 2156 (void) snprintf(buffer, sizeof (buffer), 2157 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 2158 break; 2159 2160 default: 2161 return; 2162 } 2163 2164 au_write((caddr_t *)&ad, au_to_text(buffer)); 2165 2166 if (mech_list_required) { 2167 int i; 2168 2169 if (mech_count == 0) { 2170 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 2171 } else { 2172 char *pb = buffer; 2173 size_t l = sizeof (buffer); 2174 size_t n; 2175 char space[2] = ":"; 2176 2177 n = snprintf(pb, l, "mech="); 2178 2179 for (i = 0; i < mech_count; i++) { 2180 pb += n; 2181 l -= n; 2182 if (l < 0) 2183 l = 0; 2184 2185 if (i == mech_count - 1) 2186 (void) strcpy(space, ""); 2187 2188 n = snprintf(pb, l, "%s%s", mech_names[i], 2189 space); 2190 } 2191 au_write((caddr_t *)&ad, au_to_text(buffer)); 2192 } 2193 } 2194 2195 /* add a return token */ 2196 if (error || (rv != CRYPTO_SUCCESS)) 2197 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2198 else 2199 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2200 2201 AS_INC(as_generated, 1, kctx); 2202 AS_INC(as_kernel, 1, kctx); 2203 2204 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 2205 } 2206 2207 /* 2208 * Audit the kernel SSL administration command. The address and the 2209 * port number for the SSL instance, and the proxy port are put in the 2210 * audit trail. 2211 */ 2212 void 2213 audit_kssl(int cmd, void *params, int error) 2214 { 2215 cred_t *cr = CRED(); 2216 t_audit_data_t *tad; 2217 token_t *ad = NULL; 2218 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2219 au_kcontext_t *kctx = GET_KCTX_PZ; 2220 2221 tad = U2A(u); 2222 2223 if (ainfo == NULL) 2224 return; 2225 2226 tad->tad_event = AUE_CONFIGKSSL; 2227 2228 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2229 return; 2230 2231 /* Add subject information */ 2232 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2233 2234 switch (cmd) { 2235 case KSSL_ADD_ENTRY: { 2236 char buf[32]; 2237 kssl_params_t *kp = (kssl_params_t *)params; 2238 struct sockaddr_in *saddr = &(kp->kssl_addr); 2239 2240 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2241 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2242 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2243 saddr->sin_port); 2244 au_write((caddr_t *)&ad, au_to_text(buf)); 2245 2246 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2247 kp->kssl_proxy_port); 2248 au_write((caddr_t *)&ad, au_to_text(buf)); 2249 break; 2250 } 2251 2252 case KSSL_DELETE_ENTRY: { 2253 char buf[32]; 2254 struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2255 2256 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2257 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2258 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2259 saddr->sin_port); 2260 au_write((caddr_t *)&ad, au_to_text(buf)); 2261 break; 2262 } 2263 2264 default: 2265 return; 2266 } 2267 2268 /* add a return token */ 2269 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2270 2271 AS_INC(as_generated, 1, kctx); 2272 AS_INC(as_kernel, 1, kctx); 2273 2274 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2275 } 2276 2277 /* 2278 * Audit the kernel PF_POLICY administration commands. Record command, 2279 * zone, policy type (global or tunnel, active or inactive) 2280 */ 2281 /* 2282 * ROUTINE: AUDIT_PF_POLICY 2283 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2284 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2285 * SPD_CLONE, SPD_FLIP 2286 * NOTE: 2287 * TODO: 2288 * QUESTION: 2289 */ 2290 2291 void 2292 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2293 boolean_t active, int error, pid_t pid) 2294 { 2295 const auditinfo_addr_t *ainfo; 2296 t_audit_data_t *tad; 2297 token_t *ad = NULL; 2298 au_kcontext_t *kctx = GET_KCTX_PZ; 2299 char buf[80]; 2300 int flag; 2301 2302 tad = U2A(u); 2303 if (tad == NULL) 2304 return; 2305 2306 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2307 if (ainfo == NULL) 2308 return; 2309 2310 /* 2311 * Initialize some variables since these are only set 2312 * with system calls. 2313 */ 2314 2315 switch (cmd) { 2316 case SPD_ADDRULE: { 2317 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2318 break; 2319 } 2320 2321 case SPD_DELETERULE: { 2322 tad->tad_event = AUE_PF_POLICY_DELRULE; 2323 break; 2324 } 2325 2326 case SPD_FLUSH: { 2327 tad->tad_event = AUE_PF_POLICY_FLUSH; 2328 break; 2329 } 2330 2331 case SPD_UPDATEALGS: { 2332 tad->tad_event = AUE_PF_POLICY_ALGS; 2333 break; 2334 } 2335 2336 case SPD_CLONE: { 2337 tad->tad_event = AUE_PF_POLICY_CLONE; 2338 break; 2339 } 2340 2341 case SPD_FLIP: { 2342 tad->tad_event = AUE_PF_POLICY_FLIP; 2343 break; 2344 } 2345 2346 default: 2347 tad->tad_event = AUE_NULL; 2348 } 2349 2350 tad->tad_evmod = 0; 2351 2352 if (flag = audit_success(kctx, tad, error, cred)) { 2353 zone_t *nszone; 2354 2355 /* 2356 * For now, just audit that an event happened, 2357 * along with the error code. 2358 */ 2359 au_write((caddr_t *)&ad, 2360 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2361 au_write((caddr_t *)&ad, 2362 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2363 2364 /* Supplemental data */ 2365 2366 /* 2367 * Generate this zone token if the target zone differs 2368 * from the administrative zone. If netstacks are expanded 2369 * to something other than a 1-1 relationship with zones, 2370 * the auditing framework should create a new token type 2371 * and audit it as a netstack instead. 2372 * Turn on general zone auditing to get the administrative zone. 2373 */ 2374 2375 nszone = zone_find_by_id(netstackid_to_zoneid( 2376 ns->netstack_stackid)); 2377 if (strncmp(cred->cr_zone->zone_name, nszone->zone_name, 2378 ZONENAME_MAX) != 0) { 2379 token_t *ztoken; 2380 2381 ztoken = au_to_zonename(0, nszone); 2382 au_write((caddr_t *)&ad, ztoken); 2383 } 2384 2385 if (tun != NULL) { 2386 /* write tunnel name - tun is bounded */ 2387 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2388 tun); 2389 au_write((caddr_t *)&ad, au_to_text(buf)); 2390 } 2391 2392 /* Add subject information */ 2393 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2394 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2395 2396 /* add a return token */ 2397 add_return_token((caddr_t *)&ad, 0, error, 0); 2398 2399 AS_INC(as_generated, 1, kctx); 2400 AS_INC(as_kernel, 1, kctx); 2401 2402 } 2403 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, 0); 2404 2405 /* 2406 * clear the ctrl flag so that we don't have spurious collection of 2407 * audit information. 2408 */ 2409 tad->tad_scid = 0; 2410 tad->tad_event = 0; 2411 tad->tad_evmod = 0; 2412 tad->tad_ctrl = 0; 2413 } 2414 2415 /* 2416 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2417 * PURPOSE: Add security attributes 2418 * CALLBY: AUDIT_ATTRIBUTES 2419 * AUDIT_CLOSEF 2420 * AUS_CLOSE 2421 * NOTE: 2422 * TODO: 2423 * QUESTION: 2424 */ 2425 2426 void 2427 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2428 { 2429 /* Dump the SL */ 2430 if (is_system_labeled()) { 2431 ts_label_t *tsl; 2432 bslabel_t *bsl; 2433 2434 tsl = getflabel(vp); 2435 if (tsl == NULL) 2436 return; /* nothing else to do */ 2437 2438 bsl = label2bslabel(tsl); 2439 if (bsl == NULL) 2440 return; /* nothing else to do */ 2441 au_write(ad, au_to_label(bsl)); 2442 label_rele(tsl); 2443 } 2444 2445 } /* AUDIT_SEC_ATTRIBUTES */ 2446