1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #include <sys/types.h> 33 #include <sys/proc.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/file.h> 37 #include <sys/user.h> 38 #include <sys/stropts.h> 39 #include <sys/systm.h> 40 #include <sys/pathname.h> 41 #include <sys/syscall.h> 42 #include <sys/fcntl.h> 43 #include <sys/ipc_impl.h> 44 #include <sys/msg_impl.h> 45 #include <sys/sem_impl.h> 46 #include <sys/shm_impl.h> 47 #include <sys/kmem.h> /* for KM_SLEEP */ 48 #include <sys/socket.h> 49 #include <sys/cmn_err.h> /* snprintf... */ 50 #include <sys/debug.h> 51 #include <sys/thread.h> 52 #include <netinet/in.h> 53 #include <c2/audit.h> /* needs to be included before user.h */ 54 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 55 #include <c2/audit_kevents.h> 56 #include <c2/audit_record.h> 57 #include <sys/strsubr.h> 58 #include <sys/tihdr.h> 59 #include <sys/tiuser.h> 60 #include <sys/timod.h> 61 #include <sys/model.h> /* for model_t */ 62 #include <sys/disp.h> /* for servicing_interrupt() */ 63 #include <sys/devpolicy.h> 64 #include <sys/crypto/ioctladmin.h> 65 #include <sys/cred_impl.h> 66 #include <inet/kssl/kssl.h> 67 #include <net/pfpolicy.h> 68 69 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 70 71 static void audit_pathbuild(struct pathname *pnp); 72 73 /* 74 * ROUTINE: AUDIT_NEWPROC 75 * PURPOSE: initialize the child p_audit_data structure 76 * CALLBY: GETPROC 77 * NOTE: All threads for the parent process are locked at this point. 78 * We are essentially running singled threaded for this reason. 79 * GETPROC is called when system creates a new process. 80 * By the time AUDIT_NEWPROC is called, the child proc 81 * structure has already been initialized. What we need 82 * to do is to allocate the child p_audit_data and 83 * initialize it with the content of current parent process. 84 */ 85 86 void 87 audit_newproc(struct proc *cp) /* initialized child proc structure */ 88 { 89 p_audit_data_t *pad; /* child process audit data */ 90 p_audit_data_t *opad; /* parent process audit data */ 91 92 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 93 94 P2A(cp) = pad; 95 96 opad = P2A(curproc); 97 98 /* 99 * copy the audit data. Note that all threads of current 100 * process have been "held". Thus there is no race condition 101 * here with mutiple threads trying to alter the cwrd 102 * structure (such as releasing it). 103 * 104 * The audit context in the cred is "duplicated" for the new 105 * proc by elsewhere crhold'ing the parent's cred which it shares. 106 * 107 * We still want to hold things since auditon() [A_SETUMASK, 108 * A_SETSMASK] could be walking through the processes to 109 * update things. 110 */ 111 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 112 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 113 au_pathhold(pad->pad_root); 114 au_pathhold(pad->pad_cwd); 115 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 116 117 /* 118 * finish auditing of parent here so that it will be done 119 * before child has a chance to run. We include the child 120 * pid since the return value in the return token is a dummy 121 * one and contains no useful information (it is included to 122 * make the audit record structure consistant). 123 * 124 * tad_flag is set if auditing is on 125 */ 126 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 127 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 128 129 /* 130 * finish up audit record generation here because child process 131 * is set to run before parent process. We distinguish here 132 * between FORK, FORK1, or VFORK by the saved system call ID. 133 */ 134 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 135 } 136 137 /* 138 * ROUTINE: AUDIT_PFREE 139 * PURPOSE: deallocate the per-process udit data structure 140 * CALLBY: EXIT 141 * FORK_FAIL 142 * NOTE: all lwp except current one have stopped in SEXITLWPS 143 * why we are single threaded? 144 * . all lwp except current one have stopped in SEXITLWPS. 145 */ 146 void 147 audit_pfree(struct proc *p) /* proc structure to be freed */ 148 149 { /* AUDIT_PFREE */ 150 151 p_audit_data_t *pad; 152 153 pad = P2A(p); 154 155 /* better be a per process audit data structure */ 156 ASSERT(pad != (p_audit_data_t *)0); 157 158 if (pad == pad0) { 159 return; 160 } 161 162 /* deallocate all auditing resources for this process */ 163 au_pathrele(pad->pad_root); 164 au_pathrele(pad->pad_cwd); 165 166 /* 167 * Since the pad structure is completely overwritten after alloc, 168 * we don't bother to clear it. 169 */ 170 171 kmem_cache_free(au_pad_cache, pad); 172 } 173 174 /* 175 * ROUTINE: AUDIT_THREAD_CREATE 176 * PURPOSE: allocate per-process thread audit data structure 177 * CALLBY: THREAD_CREATE 178 * NOTE: This is called just after *t was bzero'd. 179 * We are single threaded in this routine. 180 * TODO: 181 * QUESTION: 182 */ 183 184 void 185 audit_thread_create(kthread_id_t t) 186 { 187 t_audit_data_t *tad; /* per-thread audit data */ 188 189 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 190 191 T2A(t) = tad; /* set up thread audit data ptr */ 192 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 193 } 194 195 /* 196 * ROUTINE: AUDIT_THREAD_FREE 197 * PURPOSE: free the per-thread audit data structure 198 * CALLBY: THREAD_FREE 199 * NOTE: most thread data is clear after return 200 */ 201 void 202 audit_thread_free(kthread_t *t) 203 { 204 t_audit_data_t *tad; 205 au_defer_info_t *attr; 206 207 tad = T2A(t); 208 209 /* thread audit data must still be set */ 210 211 if (tad == tad0) { 212 return; 213 } 214 215 if (tad == NULL) { 216 return; 217 } 218 219 t->t_audit_data = 0; 220 221 /* must not have any audit record residual */ 222 ASSERT(tad->tad_ad == NULL); 223 224 /* saved path must be empty */ 225 ASSERT(tad->tad_aupath == NULL); 226 227 if (tad->tad_atpath) 228 au_pathrele(tad->tad_atpath); 229 230 attr = tad->tad_defer_head; 231 while (attr != NULL) { 232 au_defer_info_t *tmp_attr = attr; 233 234 au_free_rec(attr->audi_ad); 235 236 attr = attr->audi_next; 237 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 238 } 239 240 kmem_free(tad, sizeof (*tad)); 241 } 242 243 /* 244 * ROUTINE: AUDIT_SAVEPATH 245 * PURPOSE: 246 * CALLBY: LOOKUPPN 247 * 248 * NOTE: We have reached the end of a path in fs/lookup.c. 249 * We get two pieces of information here: 250 * the vnode of the last component (vp) and 251 * the status of the last access (flag). 252 * TODO: 253 * QUESTION: 254 */ 255 256 /*ARGSUSED*/ 257 int 258 audit_savepath( 259 struct pathname *pnp, /* pathname to lookup */ 260 struct vnode *vp, /* vnode of the last component */ 261 int flag, /* status of the last access */ 262 cred_t *cr) /* cred of requestor */ 263 { 264 265 t_audit_data_t *tad; /* current thread */ 266 au_kcontext_t *kctx = GET_KCTX_PZ; 267 268 tad = U2A(u); 269 270 /* 271 * this event being audited or do we need path information 272 * later? This might be for a chdir/chroot or open (add path 273 * to file pointer. If the path has already been found for an 274 * open/creat then we don't need to process the path. 275 * 276 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 277 * chroot, chdir, open, creat system call processing. It determines 278 * if audit_savepath() will discard the path or we need it later. 279 * PAD_PATHFND means path already included in this audit record. It 280 * is used in cases where multiple path lookups are done per 281 * system call. The policy flag, AUDIT_PATH, controls if multiple 282 * paths are allowed. 283 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 284 * exit processing to inhibit any paths that may be added due to 285 * closes. 286 */ 287 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 288 ((tad->tad_ctrl & PAD_PATHFND) && 289 !(kctx->auk_policy & AUDIT_PATH)) || 290 (tad->tad_ctrl & PAD_NOPATH)) { 291 return (0); 292 } 293 294 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 295 296 audit_pathbuild(pnp); 297 tad->tad_vn = vp; 298 299 /* 300 * are we auditing only if error, or if it is not open or create 301 * otherwise audit_setf will do it 302 */ 303 304 if (tad->tad_flag) { 305 if (flag && (tad->tad_scid == SYS_open || 306 tad->tad_scid == SYS_open64 || 307 tad->tad_scid == SYS_creat || 308 tad->tad_scid == SYS_creat64 || 309 tad->tad_scid == SYS_fsat)) { 310 tad->tad_ctrl |= PAD_TRUE_CREATE; 311 } 312 313 /* add token to audit record for this name */ 314 au_uwrite(au_to_path(tad->tad_aupath)); 315 316 /* add the attributes of the object */ 317 if (vp) { 318 /* 319 * only capture attributes when there is no error 320 * lookup will not return the vnode of the failing 321 * component. 322 * 323 * if there was a lookup error, then don't add 324 * attribute. if lookup in vn_create(), 325 * then don't add attribute, 326 * it will be added at end of vn_create(). 327 */ 328 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 329 audit_attributes(vp); 330 } 331 } 332 333 /* free up space if we're not going to save path (open, crate) */ 334 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 335 if (tad->tad_aupath != NULL) { 336 au_pathrele(tad->tad_aupath); 337 tad->tad_aupath = NULL; 338 tad->tad_vn = NULL; 339 } 340 } 341 if (tad->tad_ctrl & PAD_MLD) 342 tad->tad_ctrl |= PAD_PATHFND; 343 344 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 345 return (0); 346 } 347 348 static void 349 audit_pathbuild(struct pathname *pnp) 350 { 351 char *pp; /* pointer to path */ 352 int len; /* length of incoming segment */ 353 int newsect; /* path requires a new section */ 354 struct audit_path *pfxapp; /* prefix for path */ 355 struct audit_path *newapp; /* new audit_path */ 356 t_audit_data_t *tad; /* current thread */ 357 p_audit_data_t *pad; /* current process */ 358 359 tad = U2A(u); 360 ASSERT(tad != NULL); 361 pad = P2A(curproc); 362 ASSERT(pad != NULL); 363 364 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 365 ASSERT(len > 0); 366 367 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 368 mutex_enter(&pad->pad_lock); 369 if (tad->tad_aupath != NULL) { 370 pfxapp = tad->tad_aupath; 371 } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 372 ASSERT(tad->tad_atpath != NULL); 373 pfxapp = tad->tad_atpath; 374 } else if (tad->tad_ctrl & PAD_ABSPATH) { 375 pfxapp = pad->pad_root; 376 } else { 377 pfxapp = pad->pad_cwd; 378 } 379 au_pathhold(pfxapp); 380 mutex_exit(&pad->pad_lock); 381 382 /* get an expanded buffer to hold the anchored path */ 383 newsect = tad->tad_ctrl & PAD_ATPATH; 384 newapp = au_pathdup(pfxapp, newsect, len); 385 au_pathrele(pfxapp); 386 387 pp = newapp->audp_sect[newapp->audp_cnt] - len; 388 if (!newsect) { 389 /* overlay previous NUL terminator */ 390 *(pp - 1) = '/'; 391 } 392 393 /* now add string of processed path */ 394 bcopy(pnp->pn_buf, pp, len); 395 pp[len - 1] = '\0'; 396 397 /* perform path simplification as necessary */ 398 audit_fixpath(newapp, len); 399 400 if (tad->tad_aupath) 401 au_pathrele(tad->tad_aupath); 402 tad->tad_aupath = newapp; 403 404 /* for case where multiple lookups in one syscall (rename) */ 405 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 406 } 407 408 409 410 /*ARGSUSED*/ 411 412 /* 413 * ROUTINE: AUDIT_ADDCOMPONENT 414 * PURPOSE: extend the path by the component accepted 415 * CALLBY: LOOKUPPN 416 * NOTE: This function is called only when there is an error in 417 * parsing a path component 418 * TODO: Add the error component to audit record 419 * QUESTION: what is this for 420 */ 421 422 void 423 audit_addcomponent(struct pathname *pnp) 424 { 425 au_kcontext_t *kctx = GET_KCTX_PZ; 426 t_audit_data_t *tad; 427 428 tad = U2A(u); 429 /* 430 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 431 * chroot, chdir, open, creat system call processing. It determines 432 * if audit_savepath() will discard the path or we need it later. 433 * PAD_PATHFND means path already included in this audit record. It 434 * is used in cases where multiple path lookups are done per 435 * system call. The policy flag, AUDIT_PATH, controls if multiple 436 * paths are allowed. 437 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 438 * exit processing to inhibit any paths that may be added due to 439 * closes. 440 */ 441 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 442 ((tad->tad_ctrl & PAD_PATHFND) && 443 !(kctx->auk_policy & AUDIT_PATH)) || 444 (tad->tad_ctrl & PAD_NOPATH)) { 445 return; 446 } 447 448 return; 449 450 } /* AUDIT_ADDCOMPONENT */ 451 452 453 454 455 456 457 458 459 /* 460 * ROUTINE: AUDIT_ANCHORPATH 461 * PURPOSE: 462 * CALLBY: LOOKUPPN 463 * NOTE: 464 * anchor path at "/". We have seen a symbolic link or entering for the 465 * first time we will throw away any saved path if path is anchored. 466 * 467 * flag = 0, path is relative. 468 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 469 * 470 * If the (new) path is absolute, then we have to throw away whatever we have 471 * already accumulated since it is being superseded by new path which is 472 * anchored at the root. 473 * Note that if the path is relative, this function does nothing 474 * TODO: 475 * QUESTION: 476 */ 477 /*ARGSUSED*/ 478 void 479 audit_anchorpath(struct pathname *pnp, int flag) 480 { 481 au_kcontext_t *kctx = GET_KCTX_PZ; 482 t_audit_data_t *tad; 483 484 tad = U2A(u); 485 486 /* 487 * this event being audited or do we need path information 488 * later? This might be for a chdir/chroot or open (add path 489 * to file pointer. If the path has already been found for an 490 * open/creat then we don't need to process the path. 491 * 492 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 493 * chroot, chdir, open, creat system call processing. It determines 494 * if audit_savepath() will discard the path or we need it later. 495 * PAD_PATHFND means path already included in this audit record. It 496 * is used in cases where multiple path lookups are done per 497 * system call. The policy flag, AUDIT_PATH, controls if multiple 498 * paths are allowed. 499 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 500 * exit processing to inhibit any paths that may be added due to 501 * closes. 502 */ 503 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 504 ((tad->tad_ctrl & PAD_PATHFND) && 505 !(kctx->auk_policy & AUDIT_PATH)) || 506 (tad->tad_ctrl & PAD_NOPATH)) { 507 return; 508 } 509 510 if (flag) { 511 tad->tad_ctrl |= PAD_ABSPATH; 512 if (tad->tad_aupath != NULL) { 513 au_pathrele(tad->tad_aupath); 514 tad->tad_aupath = NULL; 515 tad->tad_vn = NULL; 516 } 517 } 518 } 519 520 521 /* 522 * symbolic link. Save previous components. 523 * 524 * the path seen so far looks like this 525 * 526 * +-----------------------+----------------+ 527 * | path processed so far | remaining path | 528 * +-----------------------+----------------+ 529 * \-----------------------/ 530 * save this string if 531 * symbolic link relative 532 * (but don't include symlink component) 533 */ 534 535 /*ARGSUSED*/ 536 537 538 /* 539 * ROUTINE: AUDIT_SYMLINK 540 * PURPOSE: 541 * CALLBY: LOOKUPPN 542 * NOTE: 543 * TODO: 544 * QUESTION: 545 */ 546 void 547 audit_symlink(struct pathname *pnp, struct pathname *sympath) 548 { 549 char *sp; /* saved initial pp */ 550 char *cp; /* start of symlink path */ 551 uint_t len_path; /* processed path before symlink */ 552 t_audit_data_t *tad; 553 au_kcontext_t *kctx = GET_KCTX_PZ; 554 555 tad = U2A(u); 556 557 /* 558 * this event being audited or do we need path information 559 * later? This might be for a chdir/chroot or open (add path 560 * to file pointer. If the path has already been found for an 561 * open/creat then we don't need to process the path. 562 * 563 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 564 * chroot, chdir, open, creat system call processing. It determines 565 * if audit_savepath() will discard the path or we need it later. 566 * PAD_PATHFND means path already included in this audit record. It 567 * is used in cases where multiple path lookups are done per 568 * system call. The policy flag, AUDIT_PATH, controls if multiple 569 * paths are allowed. 570 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 571 * exit processing to inhibit any paths that may be added due to 572 * closes. 573 */ 574 if ((tad->tad_flag == 0 && 575 !(tad->tad_ctrl & PAD_SAVPATH)) || 576 ((tad->tad_ctrl & PAD_PATHFND) && 577 !(kctx->auk_policy & AUDIT_PATH)) || 578 (tad->tad_ctrl & PAD_NOPATH)) { 579 return; 580 } 581 582 /* 583 * if symbolic link is anchored at / then do nothing. 584 * When we cycle back to begin: in lookuppn() we will 585 * call audit_anchorpath() with a flag indicating if the 586 * path is anchored at / or is relative. We will release 587 * any saved path at that point. 588 * 589 * Note In the event that an error occurs in pn_combine then 590 * we want to remain pointing at the component that caused the 591 * path to overflow the pnp structure. 592 */ 593 if (sympath->pn_buf[0] == '/') 594 return; 595 596 /* backup over last component */ 597 sp = cp = pnp->pn_path; 598 while (*--cp != '/' && cp > pnp->pn_buf) 599 ; 600 601 len_path = cp - pnp->pn_buf; 602 603 /* is there anything to save? */ 604 if (len_path) { 605 pnp->pn_path = pnp->pn_buf; 606 audit_pathbuild(pnp); 607 pnp->pn_path = sp; 608 } 609 } 610 611 /* 612 * file_is_public : determine whether events for the file (corresponding to 613 * the specified file attr) should be audited or ignored. 614 * 615 * returns: 1 - if audit policy and file attributes indicate that 616 * file is effectively public. read events for 617 * the file should not be audited. 618 * 0 - otherwise 619 * 620 * The required attributes to be considered a public object are: 621 * - owned by root, AND 622 * - world-readable (permissions for other include read), AND 623 * - NOT world-writeable (permissions for other don't 624 * include write) 625 * (mode doesn't need to be checked for symlinks) 626 */ 627 int 628 file_is_public(struct vattr *attr) 629 { 630 au_kcontext_t *kctx = GET_KCTX_PZ; 631 632 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 633 ((attr->va_type == VLNK) || 634 ((attr->va_mode & (VREAD>>6)) != 0) && 635 ((attr->va_mode & (VWRITE>>6)) == 0))) { 636 return (1); 637 } 638 return (0); 639 } 640 641 642 /* 643 * ROUTINE: AUDIT_ATTRIBUTES 644 * PURPOSE: Audit the attributes so we can tell why the error occurred 645 * CALLBY: AUDIT_SAVEPATH 646 * AUDIT_VNCREATE_FINISH 647 * AUS_FCHOWN...audit_event.c...audit_path.c 648 * NOTE: 649 * TODO: 650 * QUESTION: 651 */ 652 void 653 audit_attributes(struct vnode *vp) 654 { 655 struct vattr attr; 656 struct t_audit_data *tad; 657 658 tad = U2A(u); 659 660 if (vp) { 661 attr.va_mask = AT_ALL; 662 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 663 return; 664 665 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 666 /* 667 * This is a public object and a "public" event 668 * (i.e., read only) -- either by definition 669 * (e.g., stat, access...) or by virtue of write access 670 * not being requested (e.g. mmap). 671 * Flag it in the tad to prevent this audit at the end. 672 */ 673 tad->tad_ctrl |= PAD_NOAUDIT; 674 } else { 675 au_uwrite(au_to_attr(&attr)); 676 audit_sec_attributes(&(u_ad), vp); 677 } 678 } 679 } 680 681 682 /* 683 * ROUTINE: AUDIT_FALLOC 684 * PURPOSE: allocating a new file structure 685 * CALLBY: FALLOC 686 * NOTE: file structure already initialized 687 * TODO: 688 * QUESTION: 689 */ 690 691 void 692 audit_falloc(struct file *fp) 693 { /* AUDIT_FALLOC */ 694 695 f_audit_data_t *fad; 696 697 /* allocate per file audit structure if there a'int any */ 698 ASSERT(F2A(fp) == NULL); 699 700 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 701 702 F2A(fp) = fad; 703 704 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 705 } 706 707 /* 708 * ROUTINE: AUDIT_UNFALLOC 709 * PURPOSE: deallocate file audit data structure 710 * CALLBY: CLOSEF 711 * UNFALLOC 712 * NOTE: 713 * TODO: 714 * QUESTION: 715 */ 716 717 void 718 audit_unfalloc(struct file *fp) 719 { 720 f_audit_data_t *fad; 721 722 fad = F2A(fp); 723 724 if (!fad) { 725 return; 726 } 727 if (fad->fad_aupath != NULL) { 728 au_pathrele(fad->fad_aupath); 729 } 730 fp->f_audit_data = 0; 731 kmem_free(fad, sizeof (struct f_audit_data)); 732 } 733 734 /* 735 * ROUTINE: AUDIT_EXIT 736 * PURPOSE: 737 * CALLBY: EXIT 738 * NOTE: 739 * TODO: 740 * QUESTION: why cmw code as offset by 2 but not here 741 */ 742 /* ARGSUSED */ 743 void 744 audit_exit(int code, int what) 745 { 746 struct t_audit_data *tad; 747 tad = U2A(u); 748 749 /* 750 * tad_scid will be set by audit_start even if we are not auditing 751 * the event. 752 */ 753 if (tad->tad_scid == SYS_exit) { 754 /* 755 * if we are auditing the exit system call, then complete 756 * audit record generation (no return from system call). 757 */ 758 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 759 audit_finish(0, SYS_exit, 0, 0); 760 return; 761 } 762 763 /* 764 * Anyone auditing the system call that was aborted? 765 */ 766 if (tad->tad_flag) { 767 au_uwrite(au_to_text("event aborted")); 768 audit_finish(0, tad->tad_scid, 0, 0); 769 } 770 771 /* 772 * Generate an audit record for process exit if preselected. 773 */ 774 (void) audit_start(0, SYS_exit, 0, 0); 775 audit_finish(0, SYS_exit, 0, 0); 776 } 777 778 /* 779 * ROUTINE: AUDIT_CORE_START 780 * PURPOSE: 781 * CALLBY: PSIG 782 * NOTE: 783 * TODO: 784 */ 785 void 786 audit_core_start(int sig) 787 { 788 au_event_t event; 789 au_state_t estate; 790 t_audit_data_t *tad; 791 au_kcontext_t *kctx; 792 793 tad = U2A(u); 794 795 ASSERT(tad != (t_audit_data_t *)0); 796 797 ASSERT(tad->tad_scid == 0); 798 ASSERT(tad->tad_event == 0); 799 ASSERT(tad->tad_evmod == 0); 800 ASSERT(tad->tad_ctrl == 0); 801 ASSERT(tad->tad_flag == 0); 802 ASSERT(tad->tad_aupath == NULL); 803 804 kctx = GET_KCTX_PZ; 805 806 /* get basic event for system call */ 807 event = AUE_CORE; 808 estate = kctx->auk_ets[event]; 809 810 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 811 return; 812 813 /* reset the flags for non-user attributable events */ 814 tad->tad_ctrl = PAD_CORE; 815 tad->tad_scid = 0; 816 817 /* if auditing not enabled, then don't generate an audit record */ 818 819 if (!((kctx->auk_auditstate == AUC_AUDITING || 820 kctx->auk_auditstate == AUC_INIT_AUDIT) || 821 kctx->auk_auditstate == AUC_NOSPACE)) { 822 tad->tad_flag = 0; 823 tad->tad_ctrl = 0; 824 return; 825 } 826 827 tad->tad_event = event; 828 tad->tad_evmod = 0; 829 830 ASSERT(tad->tad_ad == NULL); 831 832 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 833 } 834 835 /* 836 * ROUTINE: AUDIT_CORE_FINISH 837 * PURPOSE: 838 * CALLBY: PSIG 839 * NOTE: 840 * TODO: 841 * QUESTION: 842 */ 843 844 /*ARGSUSED*/ 845 void 846 audit_core_finish(int code) 847 { 848 int flag; 849 t_audit_data_t *tad; 850 au_kcontext_t *kctx; 851 852 tad = U2A(u); 853 854 ASSERT(tad != (t_audit_data_t *)0); 855 856 if ((flag = tad->tad_flag) == 0) { 857 tad->tad_event = 0; 858 tad->tad_evmod = 0; 859 tad->tad_ctrl = 0; 860 ASSERT(tad->tad_aupath == NULL); 861 return; 862 } 863 tad->tad_flag = 0; 864 865 kctx = GET_KCTX_PZ; 866 867 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 868 if (flag = audit_success(kctx, tad, 0, NULL)) { 869 cred_t *cr = CRED(); 870 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 871 872 ASSERT(ainfo != NULL); 873 874 /* 875 * Add subject information (no locks since our private copy of 876 * credential 877 */ 878 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 879 880 /* Add a return token (should use f argument) */ 881 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 882 883 AS_INC(as_generated, 1, kctx); 884 AS_INC(as_kernel, 1, kctx); 885 } 886 887 /* Close up everything */ 888 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 889 890 /* free up any space remaining with the path's */ 891 if (tad->tad_aupath != NULL) { 892 au_pathrele(tad->tad_aupath); 893 tad->tad_aupath = NULL; 894 tad->tad_vn = NULL; 895 } 896 tad->tad_event = 0; 897 tad->tad_evmod = 0; 898 tad->tad_ctrl = 0; 899 } 900 901 /*ARGSUSED*/ 902 void 903 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 904 { 905 } 906 907 /*ARGSUSED*/ 908 void 909 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 910 { 911 } 912 913 /*ARGSUSED*/ 914 void 915 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 916 int copyflag, cred_t *crp, int *rvalp) 917 { 918 } 919 920 921 /*ARGSUSED*/ 922 void 923 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 924 unsigned char *pri, int *flag, int fmode) 925 { 926 struct stdata *stp; 927 t_audit_data_t *tad = U2A(u); 928 929 ASSERT(tad != (t_audit_data_t *)0); 930 931 stp = vp->v_stream; 932 933 /* lock stdata from audit_sock */ 934 mutex_enter(&stp->sd_lock); 935 936 /* proceed ONLY if user is being audited */ 937 if (!tad->tad_flag) { 938 /* 939 * this is so we will not add audit data onto 940 * a thread that is not being audited. 941 */ 942 stp->sd_t_audit_data = NULL; 943 mutex_exit(&stp->sd_lock); 944 return; 945 } 946 947 stp->sd_t_audit_data = (caddr_t)curthread; 948 mutex_exit(&stp->sd_lock); 949 } 950 951 /*ARGSUSED*/ 952 void 953 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 954 unsigned char pri, int flag, int fmode) 955 { 956 struct stdata *stp; 957 t_audit_data_t *tad = U2A(u); 958 959 ASSERT(tad != (t_audit_data_t *)0); 960 961 stp = vp->v_stream; 962 963 /* lock stdata from audit_sock */ 964 mutex_enter(&stp->sd_lock); 965 966 /* proceed ONLY if user is being audited */ 967 if (!tad->tad_flag) { 968 /* 969 * this is so we will not add audit data onto 970 * a thread that is not being audited. 971 */ 972 stp->sd_t_audit_data = NULL; 973 mutex_exit(&stp->sd_lock); 974 return; 975 } 976 977 stp->sd_t_audit_data = (caddr_t)curthread; 978 mutex_exit(&stp->sd_lock); 979 } 980 981 /* 982 * ROUTINE: AUDIT_CLOSEF 983 * PURPOSE: 984 * CALLBY: CLOSEF 985 * NOTE: 986 * release per file audit resources when file structure is being released. 987 * 988 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 989 * on the audit queue if it becomes full. This means 990 * audit_closef can not be called when f_count == 0. Since 991 * f_count == 0 indicates the file structure is free, another 992 * process could attempt to use the file while we were still 993 * asleep waiting on the audit queue. This would cause the 994 * per file audit data to be corrupted when we finally do 995 * wakeup. 996 * TODO: 997 * QUESTION: 998 */ 999 1000 void 1001 audit_closef(struct file *fp) 1002 { /* AUDIT_CLOSEF */ 1003 f_audit_data_t *fad; 1004 t_audit_data_t *tad; 1005 int success; 1006 au_state_t estate; 1007 struct vnode *vp; 1008 token_t *ad = NULL; 1009 struct vattr attr; 1010 short evmod = 0; 1011 const auditinfo_addr_t *ainfo; 1012 int getattr_ret; 1013 cred_t *cr; 1014 au_kcontext_t *kctx = GET_KCTX_PZ; 1015 1016 fad = F2A(fp); 1017 estate = kctx->auk_ets[AUE_CLOSE]; 1018 tad = U2A(u); 1019 cr = CRED(); 1020 1021 /* audit record already generated by system call envelope */ 1022 if (tad->tad_event == AUE_CLOSE) { 1023 /* so close audit event will have bits set */ 1024 tad->tad_evmod |= (short)fad->fad_flags; 1025 return; 1026 } 1027 1028 /* if auditing not enabled, then don't generate an audit record */ 1029 if (!((kctx->auk_auditstate == AUC_AUDITING || 1030 kctx->auk_auditstate == AUC_INIT_AUDIT) || 1031 kctx->auk_auditstate == AUC_NOSPACE)) 1032 return; 1033 1034 ainfo = crgetauinfo(cr); 1035 if (ainfo == NULL) 1036 return; 1037 1038 success = ainfo->ai_mask.as_success & estate; 1039 1040 /* not selected for this event */ 1041 if (success == 0) 1042 return; 1043 1044 /* 1045 * can't use audit_attributes here since we use a private audit area 1046 * to build the audit record instead of the one off the thread. 1047 */ 1048 if ((vp = fp->f_vnode) != NULL) { 1049 attr.va_mask = AT_ALL; 1050 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 1051 } 1052 1053 /* 1054 * When write was not used and the file can be considered public, 1055 * then skip the audit. 1056 */ 1057 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 1058 if (file_is_public(&attr)) { 1059 return; 1060 } 1061 } 1062 1063 evmod = (short)fad->fad_flags; 1064 if (fad->fad_aupath != NULL) { 1065 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 1066 } else { 1067 #ifdef _LP64 1068 au_write((caddr_t *)&(ad), au_to_arg64( 1069 1, "no path: fp", (uint64_t)fp)); 1070 #else 1071 au_write((caddr_t *)&(ad), au_to_arg32( 1072 1, "no path: fp", (uint32_t)fp)); 1073 #endif 1074 } 1075 1076 if (getattr_ret == 0) { 1077 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1078 audit_sec_attributes((caddr_t *)&(ad), vp); 1079 } 1080 1081 /* Add subject information */ 1082 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1083 1084 /* add a return token */ 1085 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 1086 1087 AS_INC(as_generated, 1, kctx); 1088 AS_INC(as_kernel, 1, kctx); 1089 1090 /* 1091 * Close up everything 1092 * Note: path space recovery handled by normal system 1093 * call envelope if not at last close. 1094 * Note there is no failure at this point since 1095 * this represents closes due to exit of process, 1096 * thus we always indicate successful closes. 1097 */ 1098 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 1099 AUE_CLOSE, evmod); 1100 } 1101 1102 /* 1103 * ROUTINE: AUDIT_SET 1104 * PURPOSE: Audit the file path and file attributes. 1105 * CALLBY: SETF 1106 * NOTE: SETF associate a file pointer with user area's open files. 1107 * TODO: 1108 * call audit_finish directly ??? 1109 * QUESTION: 1110 */ 1111 1112 /*ARGSUSED*/ 1113 void 1114 audit_setf(file_t *fp, int fd) 1115 { 1116 f_audit_data_t *fad; 1117 t_audit_data_t *tad; 1118 1119 if (fp == NULL) 1120 return; 1121 1122 tad = T2A(curthread); 1123 fad = F2A(fp); 1124 1125 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 1126 tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 1127 tad->tad_scid == SYS_fsat)) 1128 return; 1129 1130 /* no path */ 1131 if (tad->tad_aupath == 0) 1132 return; 1133 1134 /* 1135 * assign path information associated with file audit data 1136 * use tad hold 1137 */ 1138 fad->fad_aupath = tad->tad_aupath; 1139 tad->tad_aupath = NULL; 1140 tad->tad_vn = NULL; 1141 1142 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 1143 /* adjust event type */ 1144 switch (tad->tad_event) { 1145 case AUE_OPEN_RC: 1146 tad->tad_event = AUE_OPEN_R; 1147 tad->tad_ctrl |= PAD_PUBLIC_EV; 1148 break; 1149 case AUE_OPEN_RTC: 1150 tad->tad_event = AUE_OPEN_RT; 1151 break; 1152 case AUE_OPEN_WC: 1153 tad->tad_event = AUE_OPEN_W; 1154 break; 1155 case AUE_OPEN_WTC: 1156 tad->tad_event = AUE_OPEN_WT; 1157 break; 1158 case AUE_OPEN_RWC: 1159 tad->tad_event = AUE_OPEN_RW; 1160 break; 1161 case AUE_OPEN_RWTC: 1162 tad->tad_event = AUE_OPEN_RWT; 1163 break; 1164 default: 1165 break; 1166 } 1167 } 1168 } 1169 1170 1171 /* 1172 * ROUTINE: AUDIT_COPEN 1173 * PURPOSE: 1174 * CALLBY: COPEN 1175 * NOTE: 1176 * TODO: 1177 * QUESTION: 1178 */ 1179 /*ARGSUSED*/ 1180 void 1181 audit_copen(int fd, file_t *fp, vnode_t *vp) 1182 { 1183 } 1184 1185 void 1186 audit_ipc(int type, int id, void *vp) 1187 { 1188 /* if not auditing this event, then do nothing */ 1189 if (ad_flag == 0) 1190 return; 1191 1192 switch (type) { 1193 case AT_IPC_MSG: 1194 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1195 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1196 break; 1197 case AT_IPC_SEM: 1198 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1199 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1200 break; 1201 case AT_IPC_SHM: 1202 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 1203 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1204 break; 1205 } 1206 } 1207 1208 void 1209 audit_ipcget(int type, void *vp) 1210 { 1211 /* if not auditing this event, then do nothing */ 1212 if (ad_flag == 0) 1213 return; 1214 1215 switch (type) { 1216 case NULL: 1217 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 1218 break; 1219 case AT_IPC_MSG: 1220 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1221 break; 1222 case AT_IPC_SEM: 1223 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1224 break; 1225 case AT_IPC_SHM: 1226 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1227 break; 1228 } 1229 } 1230 1231 /* 1232 * ROUTINE: AUDIT_REBOOT 1233 * PURPOSE: 1234 * CALLBY: 1235 * NOTE: 1236 * At this point we know that the system call reboot will not return. We thus 1237 * have to complete the audit record generation and put it onto the queue. 1238 * This might be fairly useless if the auditing daemon is already dead.... 1239 * TODO: 1240 * QUESTION: who calls audit_reboot 1241 */ 1242 1243 void 1244 audit_reboot(void) 1245 { 1246 int flag; 1247 t_audit_data_t *tad; 1248 au_kcontext_t *kctx = GET_KCTX_PZ; 1249 1250 tad = U2A(u); 1251 1252 /* if not auditing this event, then do nothing */ 1253 if (tad->tad_flag == 0) 1254 return; 1255 1256 /* do preselection on success/failure */ 1257 if (flag = audit_success(kctx, tad, 0, NULL)) { 1258 /* add a process token */ 1259 1260 cred_t *cr = CRED(); 1261 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1262 1263 if (ainfo == NULL) 1264 return; 1265 1266 /* Add subject information */ 1267 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1268 1269 /* add a return token */ 1270 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1271 1272 AS_INC(as_generated, 1, kctx); 1273 AS_INC(as_kernel, 1, kctx); 1274 } 1275 1276 /* 1277 * Flow control useless here since we're going 1278 * to drop everything in the queue anyway. Why 1279 * block and wait. There aint anyone left alive to 1280 * read the records remaining anyway. 1281 */ 1282 1283 /* Close up everything */ 1284 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1285 tad->tad_event, tad->tad_evmod); 1286 } 1287 1288 void 1289 audit_setfsat_path(int argnum) 1290 { 1291 klwp_id_t clwp = ttolwp(curthread); 1292 struct file *fp; 1293 uint32_t fd; 1294 t_audit_data_t *tad; 1295 struct f_audit_data *fad; 1296 p_audit_data_t *pad; /* current process */ 1297 struct a { 1298 long id; 1299 long arg1; 1300 long arg2; 1301 long arg3; 1302 long arg4; 1303 long arg5; 1304 } *uap; 1305 struct b { 1306 long arg1; 1307 long arg2; 1308 long arg3; 1309 long arg4; 1310 long arg5; 1311 } *uap1; 1312 1313 if (clwp == NULL) 1314 return; 1315 uap1 = (struct b *)&clwp->lwp_ap[1]; 1316 uap = (struct a *)clwp->lwp_ap; 1317 1318 tad = U2A(u); 1319 1320 ASSERT(tad != NULL); 1321 1322 if (tad->tad_scid != SYS_fsat) 1323 return; 1324 1325 switch (argnum) { 1326 case 1: 1327 fd = (uint32_t)uap1->arg1; 1328 break; 1329 case 2: 1330 fd = (uint32_t)uap1->arg2; 1331 break; 1332 case 3: 1333 fd = (uint32_t)uap1->arg3; 1334 break; 1335 case 4: 1336 fd = (uint32_t)uap1->arg4; 1337 break; 1338 case 5: 1339 fd = (uint32_t)uap1->arg5; 1340 break; 1341 default: 1342 return; 1343 } 1344 1345 if (uap->id == 9 && tad->tad_atpath != NULL) { /* openattrdir */ 1346 tad->tad_ctrl |= PAD_ATPATH; 1347 return; 1348 } 1349 if (tad->tad_atpath != NULL) { 1350 au_pathrele(tad->tad_atpath); 1351 tad->tad_atpath = NULL; 1352 } 1353 if (fd != AT_FDCWD) { 1354 if ((fp = getf(fd)) == NULL) 1355 return; 1356 1357 fad = F2A(fp); 1358 ASSERT(fad); 1359 au_pathhold(fad->fad_aupath); 1360 tad->tad_atpath = fad->fad_aupath; 1361 releasef(fd); 1362 } else { 1363 pad = P2A(curproc); 1364 mutex_enter(&pad->pad_lock); 1365 au_pathhold(pad->pad_cwd); 1366 tad->tad_atpath = pad->pad_cwd; 1367 mutex_exit(&pad->pad_lock); 1368 } 1369 } 1370 1371 void 1372 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1373 { 1374 t_audit_data_t *tad; 1375 vnode_t *vp; 1376 1377 tad = U2A(u); 1378 1379 /* if not auditing this event, then do nothing */ 1380 if (tad->tad_flag == 0) 1381 return; 1382 1383 au_uwrite(au_to_text(target)); 1384 1385 if (error) 1386 return; 1387 1388 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1389 NULL, NULL, NULL); 1390 if (error == 0) { 1391 audit_attributes(vp); 1392 VN_RELE(vp); 1393 } 1394 } 1395 1396 /* 1397 * ROUTINE: AUDIT_VNCREATE_START 1398 * PURPOSE: set flag so path name lookup in create will not add attribute 1399 * CALLBY: VN_CREATE 1400 * NOTE: 1401 * TODO: 1402 * QUESTION: 1403 */ 1404 1405 void 1406 audit_vncreate_start() 1407 { 1408 t_audit_data_t *tad; 1409 1410 tad = U2A(u); 1411 tad->tad_ctrl |= PAD_NOATTRB; 1412 } 1413 1414 /* 1415 * ROUTINE: AUDIT_VNCREATE_FINISH 1416 * PURPOSE: 1417 * CALLBY: VN_CREATE 1418 * NOTE: 1419 * TODO: 1420 * QUESTION: 1421 */ 1422 void 1423 audit_vncreate_finish(struct vnode *vp, int error) 1424 { 1425 t_audit_data_t *tad; 1426 1427 if (error) 1428 return; 1429 1430 tad = U2A(u); 1431 1432 /* if not auditing this event, then do nothing */ 1433 if (tad->tad_flag == 0) 1434 return; 1435 1436 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1437 audit_attributes(vp); 1438 } 1439 1440 if (tad->tad_ctrl & PAD_CORE) { 1441 audit_attributes(vp); 1442 tad->tad_ctrl &= ~PAD_CORE; 1443 } 1444 1445 if (!error && ((tad->tad_event == AUE_MKNOD) || 1446 (tad->tad_event == AUE_MKDIR))) { 1447 audit_attributes(vp); 1448 } 1449 1450 /* for case where multiple lookups in one syscall (rename) */ 1451 tad->tad_ctrl &= ~PAD_NOATTRB; 1452 } 1453 1454 1455 1456 1457 1458 1459 1460 1461 /* 1462 * ROUTINE: AUDIT_EXEC 1463 * PURPOSE: Records the function arguments and environment variables 1464 * CALLBY: EXEC_ARGS 1465 * NOTE: 1466 * TODO: 1467 * QUESTION: 1468 */ 1469 1470 /*ARGSUSED*/ 1471 void 1472 audit_exec( 1473 const char *argstr, /* argument strings */ 1474 const char *envstr, /* environment strings */ 1475 ssize_t argc, /* total # arguments */ 1476 ssize_t envc) /* total # environment variables */ 1477 { 1478 t_audit_data_t *tad; 1479 au_kcontext_t *kctx = GET_KCTX_PZ; 1480 1481 tad = U2A(u); 1482 1483 /* if not auditing this event, then do nothing */ 1484 if (!tad->tad_flag) 1485 return; 1486 1487 /* return if not interested in argv or environment variables */ 1488 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1489 return; 1490 1491 if (kctx->auk_policy & AUDIT_ARGV) { 1492 au_uwrite(au_to_exec_args(argstr, argc)); 1493 } 1494 1495 if (kctx->auk_policy & AUDIT_ARGE) { 1496 au_uwrite(au_to_exec_env(envstr, envc)); 1497 } 1498 } 1499 1500 /* 1501 * ROUTINE: AUDIT_ENTERPROM 1502 * PURPOSE: 1503 * CALLBY: KBDINPUT 1504 * ZSA_XSINT 1505 * NOTE: 1506 * TODO: 1507 * QUESTION: 1508 */ 1509 void 1510 audit_enterprom(int flg) 1511 { 1512 token_t *rp = NULL; 1513 int sorf; 1514 1515 if (flg) 1516 sorf = AUM_SUCC; 1517 else 1518 sorf = AUM_FAIL; 1519 1520 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1521 1522 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1523 1524 if (flg) 1525 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1526 else 1527 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1528 1529 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 1530 } 1531 1532 1533 /* 1534 * ROUTINE: AUDIT_EXITPROM 1535 * PURPOSE: 1536 * CALLBY: KBDINPUT 1537 * ZSA_XSINT 1538 * NOTE: 1539 * TODO: 1540 * QUESTION: 1541 */ 1542 void 1543 audit_exitprom(int flg) 1544 { 1545 int sorf; 1546 token_t *rp = NULL; 1547 1548 if (flg) 1549 sorf = AUM_SUCC; 1550 else 1551 sorf = AUM_FAIL; 1552 1553 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1554 1555 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1556 1557 if (flg) 1558 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1559 else 1560 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1561 1562 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 1563 } 1564 1565 struct fcntla { 1566 int fdes; 1567 int cmd; 1568 intptr_t arg; 1569 }; 1570 1571 /* 1572 * ROUTINE: AUDIT_C2_REVOKE 1573 * PURPOSE: 1574 * CALLBY: FCNTL 1575 * NOTE: 1576 * TODO: 1577 * QUESTION: are we keeping this func 1578 */ 1579 1580 /*ARGSUSED*/ 1581 int 1582 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1583 { 1584 return (0); 1585 } 1586 1587 1588 /* 1589 * ROUTINE: AUDIT_CHDIREC 1590 * PURPOSE: 1591 * CALLBY: CHDIREC 1592 * NOTE: The main function of CHDIREC 1593 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1594 * QUESTION: 1595 */ 1596 1597 /*ARGSUSED*/ 1598 void 1599 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1600 { 1601 int chdir; 1602 int fchdir; 1603 struct audit_path **appp; 1604 struct file *fp; 1605 f_audit_data_t *fad; 1606 p_audit_data_t *pad = P2A(curproc); 1607 t_audit_data_t *tad = T2A(curthread); 1608 1609 struct a { 1610 long fd; 1611 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1612 1613 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1614 chdir = tad->tad_scid == SYS_chdir; 1615 if (tad->tad_aupath) { 1616 mutex_enter(&pad->pad_lock); 1617 if (chdir) 1618 appp = &(pad->pad_cwd); 1619 else 1620 appp = &(pad->pad_root); 1621 au_pathrele(*appp); 1622 /* use tad hold */ 1623 *appp = tad->tad_aupath; 1624 tad->tad_aupath = NULL; 1625 mutex_exit(&pad->pad_lock); 1626 } 1627 } else if ((tad->tad_scid == SYS_fchdir) || 1628 (tad->tad_scid == SYS_fchroot)) { 1629 fchdir = tad->tad_scid == SYS_fchdir; 1630 if ((fp = getf(uap->fd)) == NULL) 1631 return; 1632 fad = F2A(fp); 1633 if (fad->fad_aupath) { 1634 au_pathhold(fad->fad_aupath); 1635 mutex_enter(&pad->pad_lock); 1636 if (fchdir) 1637 appp = &(pad->pad_cwd); 1638 else 1639 appp = &(pad->pad_root); 1640 au_pathrele(*appp); 1641 *appp = fad->fad_aupath; 1642 mutex_exit(&pad->pad_lock); 1643 if (tad->tad_flag) { 1644 au_uwrite(au_to_path(fad->fad_aupath)); 1645 audit_attributes(fp->f_vnode); 1646 } 1647 } 1648 releasef(uap->fd); 1649 } 1650 } 1651 1652 /* 1653 * ROUTINE: AUDIT_GETF 1654 * PURPOSE: 1655 * CALLBY: GETF_INTERNAL 1656 * NOTE: The main function of GETF_INTERNAL is to associate a given 1657 * file descriptor with a file structure and increment the 1658 * file pointer reference count. 1659 * TODO: remove pass in of fpp. 1660 * increment a reference count so that even if a thread with same process delete 1661 * the same object, it will not panic our system 1662 * QUESTION: 1663 * where to decrement the f_count????????????????? 1664 * seems like I need to set a flag if f_count incremented through audit_getf 1665 */ 1666 1667 /*ARGSUSED*/ 1668 int 1669 audit_getf(int fd) 1670 { 1671 #ifdef NOTYET 1672 t_audit_data_t *tad; 1673 1674 tad = T2A(curthread); 1675 1676 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 1677 return; 1678 #endif 1679 return (0); 1680 } 1681 1682 /* 1683 * Audit hook for stream based socket and tli request. 1684 * Note that we do not have user context while executing 1685 * this code so we had to record them earlier during the 1686 * putmsg/getmsg to figure out which user we are dealing with. 1687 */ 1688 1689 /*ARGSUSED*/ 1690 void 1691 audit_sock( 1692 int type, /* type of tihdr.h header requests */ 1693 queue_t *q, /* contains the process and thread audit data */ 1694 mblk_t *mp, /* contains the tihdr.h header structures */ 1695 int from) /* timod or sockmod request */ 1696 { 1697 int32_t len; 1698 int32_t offset; 1699 struct sockaddr_in *sock_data; 1700 struct T_conn_req *conn_req; 1701 struct T_conn_ind *conn_ind; 1702 struct T_unitdata_req *unitdata_req; 1703 struct T_unitdata_ind *unitdata_ind; 1704 au_state_t estate; 1705 t_audit_data_t *tad; 1706 caddr_t saved_thread_ptr; 1707 au_mask_t amask; 1708 const auditinfo_addr_t *ainfo; 1709 au_kcontext_t *kctx; 1710 1711 if (q->q_stream == NULL) 1712 return; 1713 mutex_enter(&q->q_stream->sd_lock); 1714 /* are we being audited */ 1715 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1716 /* no pointer to thread, nothing to do */ 1717 if (saved_thread_ptr == NULL) { 1718 mutex_exit(&q->q_stream->sd_lock); 1719 return; 1720 } 1721 /* only allow one addition of a record token */ 1722 q->q_stream->sd_t_audit_data = NULL; 1723 /* 1724 * thread is not the one being audited, then nothing to do 1725 * This could be the stream thread handling the module 1726 * service routine. In this case, the context for the audit 1727 * record can no longer be assumed. Simplest to just drop 1728 * the operation. 1729 */ 1730 if (curthread != (kthread_id_t)saved_thread_ptr) { 1731 mutex_exit(&q->q_stream->sd_lock); 1732 return; 1733 } 1734 if (curthread->t_sysnum >= SYS_so_socket && 1735 curthread->t_sysnum <= SYS_sockconfig) { 1736 mutex_exit(&q->q_stream->sd_lock); 1737 return; 1738 } 1739 mutex_exit(&q->q_stream->sd_lock); 1740 /* 1741 * we know that the thread that did the put/getmsg is the 1742 * one running. Now we can get the TAD and see if we should 1743 * add an audit token. 1744 */ 1745 tad = U2A(u); 1746 1747 kctx = GET_KCTX_PZ; 1748 1749 /* proceed ONLY if user is being audited */ 1750 if (!tad->tad_flag) 1751 return; 1752 1753 ainfo = crgetauinfo(CRED()); 1754 if (ainfo == NULL) 1755 return; 1756 amask = ainfo->ai_mask; 1757 1758 /* 1759 * Figure out the type of stream networking request here. 1760 * Note that getmsg and putmsg are always preselected 1761 * because during the beginning of the system call we have 1762 * not yet figure out which of the socket or tli request 1763 * we are looking at until we are here. So we need to check 1764 * against that specific request and reset the type of event. 1765 */ 1766 switch (type) { 1767 case T_CONN_REQ: /* connection request */ 1768 conn_req = (struct T_conn_req *)mp->b_rptr; 1769 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1770 return; 1771 offset = conn_req->DEST_offset; 1772 len = conn_req->DEST_length; 1773 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1774 if (amask.as_success & estate || amask.as_failure & estate) { 1775 tad->tad_event = AUE_SOCKCONNECT; 1776 break; 1777 } else { 1778 return; 1779 } 1780 case T_CONN_IND: /* connectionless receive request */ 1781 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1782 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1783 return; 1784 offset = conn_ind->SRC_offset; 1785 len = conn_ind->SRC_length; 1786 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1787 if (amask.as_success & estate || amask.as_failure & estate) { 1788 tad->tad_event = AUE_SOCKACCEPT; 1789 break; 1790 } else { 1791 return; 1792 } 1793 case T_UNITDATA_REQ: /* connectionless send request */ 1794 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1795 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1796 return; 1797 offset = unitdata_req->DEST_offset; 1798 len = unitdata_req->DEST_length; 1799 estate = kctx->auk_ets[AUE_SOCKSEND]; 1800 if (amask.as_success & estate || amask.as_failure & estate) { 1801 tad->tad_event = AUE_SOCKSEND; 1802 break; 1803 } else { 1804 return; 1805 } 1806 case T_UNITDATA_IND: /* connectionless receive request */ 1807 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1808 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1809 return; 1810 offset = unitdata_ind->SRC_offset; 1811 len = unitdata_ind->SRC_length; 1812 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1813 if (amask.as_success & estate || amask.as_failure & estate) { 1814 tad->tad_event = AUE_SOCKRECEIVE; 1815 break; 1816 } else { 1817 return; 1818 } 1819 default: 1820 return; 1821 } 1822 1823 /* 1824 * we are only interested in tcp stream connections, 1825 * not unix domain stuff 1826 */ 1827 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1828 tad->tad_event = AUE_GETMSG; 1829 return; 1830 } 1831 /* skip over TPI header and point to the ip address */ 1832 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1833 1834 switch (sock_data->sin_family) { 1835 case AF_INET: 1836 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1837 break; 1838 default: /* reset to AUE_PUTMSG if not a inet request */ 1839 tad->tad_event = AUE_GETMSG; 1840 break; 1841 } 1842 } 1843 1844 void 1845 audit_lookupname() 1846 { 1847 } 1848 1849 /*ARGSUSED*/ 1850 int 1851 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1852 { 1853 return (0); 1854 } 1855 1856 static void 1857 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1858 { 1859 unsigned int sy_flags; 1860 1861 #ifdef _SYSCALL32_IMPL 1862 if (lwp_getdatamodel( 1863 ttolwp(curthread)) == DATAMODEL_NATIVE) 1864 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1865 else 1866 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1867 #else 1868 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1869 #endif 1870 1871 if (sy_flags == SE_64RVAL) 1872 au_write(ad, au_to_return64(err, rval)); 1873 else 1874 au_write(ad, au_to_return32(err, rval)); 1875 1876 } 1877 1878 /*ARGSUSED*/ 1879 void 1880 audit_fdsend(fd, fp, error) 1881 int fd; 1882 struct file *fp; 1883 int error; /* ignore for now */ 1884 { 1885 t_audit_data_t *tad; /* current thread */ 1886 f_audit_data_t *fad; /* per file audit structure */ 1887 struct vnode *vp; /* for file attributes */ 1888 1889 /* is this system call being audited */ 1890 tad = U2A(u); 1891 ASSERT(tad != (t_audit_data_t *)0); 1892 if (!tad->tad_flag) 1893 return; 1894 1895 fad = F2A(fp); 1896 1897 /* add path and file attributes */ 1898 if (fad != NULL && fad->fad_aupath != NULL) { 1899 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1900 au_uwrite(au_to_path(fad->fad_aupath)); 1901 } else { 1902 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1903 #ifdef _LP64 1904 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1905 #else 1906 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1907 #endif 1908 } 1909 vp = fp->f_vnode; /* include vnode attributes */ 1910 audit_attributes(vp); 1911 } 1912 1913 /* 1914 * Record privileges successfully used and we attempted to use but 1915 * didn't have. 1916 */ 1917 void 1918 audit_priv(int priv, const priv_set_t *set, int flag) 1919 { 1920 t_audit_data_t *tad; 1921 int sbit; 1922 priv_set_t *target; 1923 1924 /* Make sure this isn't being called in an interrupt context */ 1925 ASSERT(servicing_interrupt() == 0); 1926 1927 tad = U2A(u); 1928 1929 if (tad->tad_flag == 0) 1930 return; 1931 1932 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1933 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1934 1935 /* Tell audit_success() and audit_finish() that we saw this case */ 1936 if (!(tad->tad_evmod & sbit)) { 1937 /* Clear set first time around */ 1938 priv_emptyset(target); 1939 tad->tad_evmod |= sbit; 1940 } 1941 1942 /* Save the privileges in the tad */ 1943 if (priv == PRIV_ALL) { 1944 priv_fillset(target); 1945 } else { 1946 ASSERT(set != NULL || priv != PRIV_NONE); 1947 if (set != NULL) 1948 priv_union(set, target); 1949 if (priv != PRIV_NONE) 1950 priv_addset(target, priv); 1951 } 1952 } 1953 1954 /* 1955 * Audit the setpriv() system call; the operation, the set name and 1956 * the current value as well as the set argument are put in the 1957 * audit trail. 1958 */ 1959 void 1960 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1961 { 1962 t_audit_data_t *tad; 1963 const priv_set_t *oldpriv; 1964 priv_set_t report; 1965 const char *setname; 1966 1967 tad = U2A(u); 1968 1969 if (tad->tad_flag == 0) 1970 return; 1971 1972 oldpriv = priv_getset(ocr, set); 1973 1974 /* Generate the actual record, include the before and after */ 1975 au_uwrite(au_to_arg32(2, "op", op)); 1976 setname = priv_getsetbynum(set); 1977 1978 switch (op) { 1979 case PRIV_OFF: 1980 /* Report privileges actually switched off */ 1981 report = *oldpriv; 1982 priv_intersect(newpriv, &report); 1983 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1984 break; 1985 case PRIV_ON: 1986 /* Report privileges actually switched on */ 1987 report = *oldpriv; 1988 priv_inverse(&report); 1989 priv_intersect(newpriv, &report); 1990 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1991 break; 1992 case PRIV_SET: 1993 /* Report before and after */ 1994 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 1995 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 1996 break; 1997 } 1998 } 1999 2000 /* 2001 * Dump the full device policy setting in the audit trail. 2002 */ 2003 void 2004 audit_devpolicy(int nitems, const devplcysys_t *items) 2005 { 2006 t_audit_data_t *tad; 2007 int i; 2008 2009 tad = U2A(u); 2010 2011 if (tad->tad_flag == 0) 2012 return; 2013 2014 for (i = 0; i < nitems; i++) { 2015 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 2016 if (items[i].dps_minornm[0] == '\0') { 2017 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 2018 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 2019 } else 2020 au_uwrite(au_to_text(items[i].dps_minornm)); 2021 2022 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 2023 AUT_PRIV, 0)); 2024 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 2025 AUT_PRIV, 0)); 2026 } 2027 } 2028 2029 /*ARGSUSED*/ 2030 void 2031 audit_fdrecv(fd, fp) 2032 int fd; 2033 struct file *fp; 2034 { 2035 t_audit_data_t *tad; /* current thread */ 2036 f_audit_data_t *fad; /* per file audit structure */ 2037 struct vnode *vp; /* for file attributes */ 2038 2039 /* is this system call being audited */ 2040 tad = U2A(u); 2041 ASSERT(tad != (t_audit_data_t *)0); 2042 if (!tad->tad_flag) 2043 return; 2044 2045 fad = F2A(fp); 2046 2047 /* add path and file attributes */ 2048 if (fad != NULL && fad->fad_aupath != NULL) { 2049 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2050 au_uwrite(au_to_path(fad->fad_aupath)); 2051 } else { 2052 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2053 #ifdef _LP64 2054 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 2055 #else 2056 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 2057 #endif 2058 } 2059 vp = fp->f_vnode; /* include vnode attributes */ 2060 audit_attributes(vp); 2061 } 2062 2063 /* 2064 * ROUTINE: AUDIT_CRYPTOADM 2065 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 2066 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 2067 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 2068 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 2069 * CRYPTO_LOAD_DOOR 2070 * NOTE: 2071 * TODO: 2072 * QUESTION: 2073 */ 2074 2075 void 2076 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 2077 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 2078 { 2079 boolean_t mech_list_required = B_FALSE; 2080 cred_t *cr = CRED(); 2081 t_audit_data_t *tad; 2082 token_t *ad = NULL; 2083 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2084 char buffer[MAXNAMELEN * 2]; 2085 au_kcontext_t *kctx = GET_KCTX_PZ; 2086 2087 tad = U2A(u); 2088 if (tad == NULL) 2089 return; 2090 2091 if (ainfo == NULL) 2092 return; 2093 2094 tad->tad_event = AUE_CRYPTOADM; 2095 2096 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2097 return; 2098 2099 /* Add subject information */ 2100 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 2101 2102 switch (cmd) { 2103 case CRYPTO_LOAD_DEV_DISABLED: 2104 if (error == 0 && rv == CRYPTO_SUCCESS) { 2105 (void) snprintf(buffer, sizeof (buffer), 2106 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 2107 " dev_instance=%d", 2108 module_name, device_instance); 2109 mech_list_required = B_TRUE; 2110 } else { 2111 (void) snprintf(buffer, sizeof (buffer), 2112 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 2113 } 2114 break; 2115 2116 case CRYPTO_LOAD_SOFT_DISABLED: 2117 if (error == 0 && rv == CRYPTO_SUCCESS) { 2118 (void) snprintf(buffer, sizeof (buffer), 2119 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 2120 module_name); 2121 mech_list_required = B_TRUE; 2122 } else { 2123 (void) snprintf(buffer, sizeof (buffer), 2124 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 2125 } 2126 break; 2127 2128 case CRYPTO_UNLOAD_SOFT_MODULE: 2129 if (error == 0 && rv == CRYPTO_SUCCESS) { 2130 (void) snprintf(buffer, sizeof (buffer), 2131 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 2132 module_name); 2133 } else { 2134 (void) snprintf(buffer, sizeof (buffer), 2135 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 2136 } 2137 break; 2138 2139 case CRYPTO_LOAD_SOFT_CONFIG: 2140 if (error == 0 && rv == CRYPTO_SUCCESS) { 2141 (void) snprintf(buffer, sizeof (buffer), 2142 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 2143 module_name); 2144 mech_list_required = B_TRUE; 2145 } else { 2146 (void) snprintf(buffer, sizeof (buffer), 2147 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 2148 } 2149 break; 2150 2151 case CRYPTO_POOL_CREATE: 2152 (void) snprintf(buffer, sizeof (buffer), 2153 "op=CRYPTO_POOL_CREATE"); 2154 break; 2155 2156 case CRYPTO_POOL_WAIT: 2157 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 2158 break; 2159 2160 case CRYPTO_POOL_RUN: 2161 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 2162 break; 2163 2164 case CRYPTO_LOAD_DOOR: 2165 if (error == 0 && rv == CRYPTO_SUCCESS) 2166 (void) snprintf(buffer, sizeof (buffer), 2167 "op=CRYPTO_LOAD_DOOR"); 2168 else 2169 (void) snprintf(buffer, sizeof (buffer), 2170 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 2171 break; 2172 2173 default: 2174 return; 2175 } 2176 2177 au_write((caddr_t *)&ad, au_to_text(buffer)); 2178 2179 if (mech_list_required) { 2180 int i; 2181 2182 if (mech_count == 0) { 2183 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 2184 } else { 2185 char *pb = buffer; 2186 size_t l = sizeof (buffer); 2187 size_t n; 2188 char space[2] = ":"; 2189 2190 n = snprintf(pb, l, "mech="); 2191 2192 for (i = 0; i < mech_count; i++) { 2193 pb += n; 2194 l -= n; 2195 if (l < 0) 2196 l = 0; 2197 2198 if (i == mech_count - 1) 2199 (void) strcpy(space, ""); 2200 2201 n = snprintf(pb, l, "%s%s", mech_names[i], 2202 space); 2203 } 2204 au_write((caddr_t *)&ad, au_to_text(buffer)); 2205 } 2206 } 2207 2208 /* add a return token */ 2209 if (error || (rv != CRYPTO_SUCCESS)) 2210 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2211 else 2212 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2213 2214 AS_INC(as_generated, 1, kctx); 2215 AS_INC(as_kernel, 1, kctx); 2216 2217 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 2218 } 2219 2220 /* 2221 * Audit the kernel SSL administration command. The address and the 2222 * port number for the SSL instance, and the proxy port are put in the 2223 * audit trail. 2224 */ 2225 void 2226 audit_kssl(int cmd, void *params, int error) 2227 { 2228 cred_t *cr = CRED(); 2229 t_audit_data_t *tad; 2230 token_t *ad = NULL; 2231 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2232 au_kcontext_t *kctx = GET_KCTX_PZ; 2233 2234 tad = U2A(u); 2235 2236 if (ainfo == NULL) 2237 return; 2238 2239 tad->tad_event = AUE_CONFIGKSSL; 2240 2241 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2242 return; 2243 2244 /* Add subject information */ 2245 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2246 2247 switch (cmd) { 2248 case KSSL_ADD_ENTRY: { 2249 char buf[32]; 2250 kssl_params_t *kp = (kssl_params_t *)params; 2251 struct sockaddr_in *saddr = &(kp->kssl_addr); 2252 2253 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2254 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2255 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2256 saddr->sin_port); 2257 au_write((caddr_t *)&ad, au_to_text(buf)); 2258 2259 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2260 kp->kssl_proxy_port); 2261 au_write((caddr_t *)&ad, au_to_text(buf)); 2262 break; 2263 } 2264 2265 case KSSL_DELETE_ENTRY: { 2266 char buf[32]; 2267 struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2268 2269 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2270 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2271 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2272 saddr->sin_port); 2273 au_write((caddr_t *)&ad, au_to_text(buf)); 2274 break; 2275 } 2276 2277 default: 2278 return; 2279 } 2280 2281 /* add a return token */ 2282 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2283 2284 AS_INC(as_generated, 1, kctx); 2285 AS_INC(as_kernel, 1, kctx); 2286 2287 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2288 } 2289 2290 /* 2291 * Audit the kernel PF_POLICY administration commands. Record command, 2292 * zone, policy type (global or tunnel, active or inactive) 2293 */ 2294 /* 2295 * ROUTINE: AUDIT_PF_POLICY 2296 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2297 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2298 * SPD_CLONE, SPD_FLIP 2299 * NOTE: 2300 * TODO: 2301 * QUESTION: 2302 */ 2303 2304 void 2305 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2306 boolean_t active, int error, pid_t pid) 2307 { 2308 const auditinfo_addr_t *ainfo; 2309 t_audit_data_t *tad; 2310 token_t *ad = NULL; 2311 au_kcontext_t *kctx = GET_KCTX_PZ; 2312 char buf[80]; 2313 int flag; 2314 2315 tad = U2A(u); 2316 if (tad == NULL) 2317 return; 2318 2319 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2320 if (ainfo == NULL) 2321 return; 2322 2323 /* 2324 * Initialize some variables since these are only set 2325 * with system calls. 2326 */ 2327 2328 switch (cmd) { 2329 case SPD_ADDRULE: { 2330 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2331 break; 2332 } 2333 2334 case SPD_DELETERULE: { 2335 tad->tad_event = AUE_PF_POLICY_DELRULE; 2336 break; 2337 } 2338 2339 case SPD_FLUSH: { 2340 tad->tad_event = AUE_PF_POLICY_FLUSH; 2341 break; 2342 } 2343 2344 case SPD_UPDATEALGS: { 2345 tad->tad_event = AUE_PF_POLICY_ALGS; 2346 break; 2347 } 2348 2349 case SPD_CLONE: { 2350 tad->tad_event = AUE_PF_POLICY_CLONE; 2351 break; 2352 } 2353 2354 case SPD_FLIP: { 2355 tad->tad_event = AUE_PF_POLICY_FLIP; 2356 break; 2357 } 2358 2359 default: 2360 tad->tad_event = AUE_NULL; 2361 } 2362 2363 tad->tad_evmod = 0; 2364 2365 if (flag = audit_success(kctx, tad, error, cred)) { 2366 zone_t *nszone; 2367 2368 /* 2369 * For now, just audit that an event happened, 2370 * along with the error code. 2371 */ 2372 au_write((caddr_t *)&ad, 2373 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2374 au_write((caddr_t *)&ad, 2375 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2376 2377 /* Supplemental data */ 2378 2379 /* 2380 * Generate this zone token if the target zone differs 2381 * from the administrative zone. If netstacks are expanded 2382 * to something other than a 1-1 relationship with zones, 2383 * the auditing framework should create a new token type 2384 * and audit it as a netstack instead. 2385 * Turn on general zone auditing to get the administrative zone. 2386 */ 2387 2388 nszone = zone_find_by_id(netstackid_to_zoneid( 2389 ns->netstack_stackid)); 2390 if (strncmp(cred->cr_zone->zone_name, nszone->zone_name, 2391 ZONENAME_MAX) != 0) { 2392 token_t *ztoken; 2393 2394 ztoken = au_to_zonename(0, nszone); 2395 au_write((caddr_t *)&ad, ztoken); 2396 } 2397 2398 if (tun != NULL) { 2399 /* write tunnel name - tun is bounded */ 2400 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2401 tun); 2402 au_write((caddr_t *)&ad, au_to_text(buf)); 2403 } 2404 2405 /* Add subject information */ 2406 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2407 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2408 2409 /* add a return token */ 2410 add_return_token((caddr_t *)&ad, 0, error, 0); 2411 2412 AS_INC(as_generated, 1, kctx); 2413 AS_INC(as_kernel, 1, kctx); 2414 2415 } 2416 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, 0); 2417 2418 /* 2419 * clear the ctrl flag so that we don't have spurious collection of 2420 * audit information. 2421 */ 2422 tad->tad_scid = 0; 2423 tad->tad_event = 0; 2424 tad->tad_evmod = 0; 2425 tad->tad_ctrl = 0; 2426 } 2427 2428 /* 2429 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2430 * PURPOSE: Add security attributes 2431 * CALLBY: AUDIT_ATTRIBUTES 2432 * AUDIT_CLOSEF 2433 * AUS_CLOSE 2434 * NOTE: 2435 * TODO: 2436 * QUESTION: 2437 */ 2438 2439 void 2440 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2441 { 2442 /* Dump the SL */ 2443 if (is_system_labeled()) { 2444 ts_label_t *tsl; 2445 bslabel_t *bsl; 2446 2447 tsl = getflabel(vp); 2448 if (tsl == NULL) 2449 return; /* nothing else to do */ 2450 2451 bsl = label2bslabel(tsl); 2452 if (bsl == NULL) 2453 return; /* nothing else to do */ 2454 au_write(ad, au_to_label(bsl)); 2455 label_rele(tsl); 2456 } 2457 2458 } /* AUDIT_SEC_ATTRIBUTES */ 2459