1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Routines for writing audit records. 23 * 24 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 #pragma ident "%Z%%M% %I% %E% SMI" 29 30 #include <sys/door.h> 31 #include <sys/param.h> 32 #include <sys/time.h> 33 #include <sys/types.h> 34 #include <sys/statvfs.h> /* for statfs */ 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/vfs.h> 38 #include <sys/user.h> 39 #include <sys/uio.h> 40 #include <sys/reboot.h> 41 #include <sys/kmem.h> /* for KM_SLEEP */ 42 #include <sys/resource.h> /* for RLIM_INFINITY */ 43 #include <sys/cmn_err.h> /* panic */ 44 #include <sys/systm.h> 45 #include <sys/debug.h> 46 #include <sys/sysmacros.h> 47 #include <sys/syscall.h> 48 #include <sys/zone.h> 49 50 #include <c2/audit.h> 51 #include <c2/audit_kernel.h> 52 #include <c2/audit_record.h> 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_door_infc.h> 55 56 static void au_dequeue(au_kcontext_t *, au_buff_t *); 57 static void audit_async_finish_backend(void *); 58 static int audit_sync_block(au_kcontext_t *); 59 /* 60 * each of these two tables are indexed by the values AU_DBUF_COMPLETE 61 * through AU_DBUF_LAST; the content is the next state value. The 62 * first table determines the next state for a buffer which is not the 63 * end of a record and the second table determines the state for a 64 * buffer which is the end of a record. The initial state is 65 * AU_DBUF_COMPLETE. 66 */ 67 static int state_if_part[] = { 68 AU_DBUF_FIRST, AU_DBUF_MIDDLE, AU_DBUF_MIDDLE, AU_DBUF_FIRST}; 69 static int state_if_not_part[] = { 70 AU_DBUF_COMPLETE, AU_DBUF_LAST, AU_DBUF_LAST, AU_DBUF_COMPLETE}; 71 /* 72 * Write to an audit descriptor. 73 * Add the au_membuf to the descriptor chain and free the chain passed in. 74 */ 75 void 76 au_uwrite(m) 77 token_t *m; 78 { 79 au_write(&(u_ad), m); 80 } 81 82 void 83 au_write(caddr_t *d, token_t *m) 84 { 85 if (d == NULL) { 86 au_toss_token(m); 87 return; 88 } 89 if (m == (token_t *)0) { 90 printf("au_write: null token\n"); 91 return; 92 } 93 94 if (*d == NULL) 95 *d = (caddr_t)m; 96 else 97 (void) au_append_rec((au_buff_t *)*d, m, AU_PACK); 98 } 99 100 /* 101 * Close an audit descriptor. 102 * Use the second parameter to indicate if it should be written or not. 103 */ 104 void 105 au_close(au_kcontext_t *kctx, caddr_t *d, int flag, short e_type, short e_mod) 106 { 107 token_t *dchain; /* au_membuf chain which is the tokens */ 108 t_audit_data_t *tad = U2A(u); 109 110 ASSERT(tad != NULL); 111 ASSERT(d != NULL); 112 ASSERT(kctx != NULL); 113 114 if ((dchain = (token_t *)*d) == (token_t *)NULL) 115 return; 116 117 *d = NULL; 118 119 /* 120 * If async then defer; or if requested, defer the closing/queueing to 121 * syscall end, unless no syscall is active or the syscall is _exit. 122 */ 123 if ((flag & AU_DONTBLOCK) || ((flag & AU_DEFER) && 124 (tad->tad_scid != 0) && (tad->tad_scid != SYS_exit))) { 125 au_close_defer(dchain, flag, e_type, e_mod); 126 return; 127 } 128 au_close_time(kctx, dchain, flag, e_type, e_mod, NULL); 129 } 130 131 /* 132 * Defer closing/queueing of an audit descriptor. For async events, queue 133 * via softcall. Otherwise, defer by queueing the record onto the tad; at 134 * syscall end time it will be pulled off. 135 */ 136 void 137 au_close_defer(token_t *dchain, int flag, short e_type, short e_mod) 138 { 139 au_defer_info_t *attr; 140 t_audit_data_t *tad = U2A(u); 141 142 ASSERT(tad != NULL); 143 144 /* If not to be written, toss the record. */ 145 if ((flag & AU_OK) == 0) { 146 au_toss_token(dchain); 147 return; 148 } 149 150 attr = kmem_alloc(sizeof (au_defer_info_t), KM_NOSLEEP); 151 /* If no mem available, failing silently is the best recourse */ 152 if (attr == NULL) { 153 au_toss_token(dchain); 154 return; 155 } 156 157 attr->audi_next = NULL; 158 attr->audi_ad = dchain; 159 attr->audi_e_type = e_type; 160 attr->audi_e_mod = e_mod; 161 attr->audi_flag = flag; 162 gethrestime(&attr->audi_atime); 163 164 /* 165 * All async events must be queued via softcall to avoid possible 166 * sleeping in high interrupt context. softcall will ensure it's 167 * done on a dedicated software-level interrupt thread. 168 */ 169 if (flag & AU_DONTBLOCK) { 170 softcall(audit_async_finish_backend, attr); 171 audit_async_done(NULL, 0); 172 return; 173 } 174 175 /* 176 * If not an async event, defer by queuing onto the tad until 177 * syscall end. No locking is needed because the tad is per-thread. 178 */ 179 if (tad->tad_defer_head) 180 tad->tad_defer_tail->audi_next = attr; 181 else 182 tad->tad_defer_head = attr; 183 tad->tad_defer_tail = attr; 184 } 185 186 187 /* 188 * Save the time in the event header. If time is not specified (i.e., pointer 189 * is NULL), use the current time. This code is fairly ugly since it needs 190 * to support both 32- and 64-bit environments and can be called indirectly 191 * from both au_close() (for kernel audit) and from audit() (userland audit). 192 */ 193 /*ARGSUSED*/ 194 static void 195 au_save_time(adr_t *hadrp, timestruc_t *time, int size) 196 { 197 struct { 198 uint32_t sec; 199 uint32_t usec; 200 } tv; 201 timestruc_t now; 202 203 if (time == NULL) { 204 gethrestime(&now); 205 time = &now; 206 } 207 208 #ifdef _LP64 209 if (size) 210 adr_int64(hadrp, (int64_t *)time, 2); 211 else 212 #endif 213 { 214 tv.sec = (uint32_t)time->tv_sec; 215 tv.usec = (uint32_t)time->tv_nsec; 216 adr_int32(hadrp, (int32_t *)&tv, 2); 217 } 218 } 219 220 221 /* 222 * Close an audit descriptor. 223 * If time of event is specified, use it in the record, otherwise use the 224 * current time. 225 */ 226 void 227 au_close_time(au_kcontext_t *kctx, token_t *dchain, int flag, short e_type, 228 short e_mod, timestruc_t *etime) 229 { 230 token_t *record; /* au_membuf chain == the record */ 231 int byte_count; 232 token_t *m; /* for potential sequence token */ 233 adr_t hadr; /* handle for header token */ 234 adr_t sadr; /* handle for sequence token */ 235 size_t zone_length; /* length of zonename token */ 236 237 ASSERT(dchain != NULL); 238 239 /* If not to be written, toss the record */ 240 if ((flag & AU_OK) == 0) { 241 au_toss_token(dchain); 242 return; 243 } 244 /* if auditing not enabled, then don't generate an audit record */ 245 ASSERT(kctx != NULL); 246 247 if ((kctx->auk_auditstate != AUC_AUDITING) && 248 (kctx->auk_auditstate != AUC_INIT_AUDIT)) { 249 /* 250 * at system boot, neither is set yet we want to generate 251 * an audit record. 252 */ 253 if (e_type != AUE_SYSTEMBOOT) { 254 au_toss_token(dchain); 255 return; 256 } 257 } 258 259 /* Count up the bytes used in the record. */ 260 byte_count = au_token_size(dchain); 261 262 /* 263 * add in size of header token (always present). 264 */ 265 byte_count += sizeof (char) + sizeof (int32_t) + 266 sizeof (char) + 2 * sizeof (short) + sizeof (timestruc_t); 267 268 if (kctx->auk_hostaddr_valid) 269 byte_count += sizeof (int32_t) + 270 kctx->auk_info.ai_termid.at_type; 271 272 /* 273 * add in size of zonename token (zero if !AUDIT_ZONENAME) 274 */ 275 if (kctx->auk_policy & AUDIT_ZONENAME) { 276 zone_length = au_zonename_length(NULL); 277 byte_count += zone_length; 278 } else { 279 zone_length = 0; 280 } 281 /* add in size of (optional) trailer token */ 282 if (kctx->auk_policy & AUDIT_TRAIL) 283 byte_count += 7; 284 285 /* add in size of (optional) sequence token */ 286 if (kctx->auk_policy & AUDIT_SEQ) 287 byte_count += 5; 288 289 /* build the header */ 290 if (kctx->auk_hostaddr_valid) 291 record = au_to_header_ex(byte_count, e_type, e_mod); 292 else 293 record = au_to_header(byte_count, e_type, e_mod); 294 295 /* 296 * If timestamp was specified, save it in header now. Otherwise, 297 * save reference to header so we can update time/data later 298 * and artificially adjust pointer to the time/date field of header. 299 */ 300 adr_start(&hadr, memtod(record, char *)); 301 hadr.adr_now += sizeof (char) + sizeof (int32_t) + 302 sizeof (char) + 2 * sizeof (short); 303 if (kctx->auk_hostaddr_valid) 304 hadr.adr_now += sizeof (int32_t) + 305 kctx->auk_info.ai_termid.at_type; 306 if (etime != NULL) { 307 au_save_time(&hadr, etime, 1); 308 hadr.adr_now = (char *)NULL; 309 } 310 311 /* append body of audit record */ 312 (void) au_append_rec(record, dchain, AU_PACK); 313 314 /* add (optional) zonename token */ 315 if (zone_length > 0) { 316 m = au_to_zonename(zone_length, NULL); 317 (void) au_append_rec(record, m, AU_PACK); 318 } 319 320 /* Add an (optional) sequence token. NULL offset if none */ 321 if (kctx->auk_policy & AUDIT_SEQ) { 322 /* get the sequence token */ 323 m = au_to_seq(); 324 325 /* link to audit record (i.e. don't pack the data) */ 326 (void) au_append_rec(record, m, AU_LINK); 327 328 /* 329 * advance to count field of sequence token by skipping 330 * the token type byte. 331 */ 332 adr_start(&sadr, memtod(m, char *)); 333 sadr.adr_now += 1; 334 } else { 335 sadr.adr_now = NULL; 336 } 337 /* add (optional) trailer token */ 338 if (kctx->auk_policy & AUDIT_TRAIL) { 339 (void) au_append_rec(record, au_to_trailer(byte_count), 340 AU_PACK); 341 } 342 343 /* 344 * 1 - use 64 bit version of audit tokens for 64 bit kernels. 345 * 0 - use 32 bit version of audit tokens for 32 bit kernels. 346 */ 347 #ifdef _LP64 348 au_enqueue(kctx, record, &hadr, &sadr, 1, flag & AU_DONTBLOCK); 349 #else 350 au_enqueue(kctx, record, &hadr, &sadr, 0, flag & AU_DONTBLOCK); 351 #endif 352 AS_INC(as_totalsize, byte_count, kctx); 353 } 354 355 /*ARGSUSED*/ 356 void 357 au_enqueue(au_kcontext_t *kctx, au_buff_t *m, adr_t *hadrp, adr_t *sadrp, 358 int size, int dontblock) 359 { 360 if (kctx == NULL) 361 return; 362 363 mutex_enter(&(kctx->auk_queue.lock)); 364 365 if (!dontblock && (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) && 366 audit_sync_block(kctx)) { 367 mutex_exit(&(kctx->auk_queue.lock)); 368 au_free_rec(m); 369 return; 370 } 371 372 /* Fill in date and time if needed */ 373 if (hadrp->adr_now) { 374 au_save_time(hadrp, NULL, size); 375 } 376 377 /* address will be non-zero only if AUDIT_SEQ set */ 378 if (sadrp->adr_now) { 379 kctx->auk_sequence++; 380 adr_int32(sadrp, (int32_t *)&(kctx->auk_sequence), 1); 381 } 382 383 if (kctx->auk_queue.head) 384 kctx->auk_queue.tail->next_rec = m; 385 else 386 kctx->auk_queue.head = m; 387 388 kctx->auk_queue.tail = m; 389 390 if (++(kctx->auk_queue.cnt) > 391 kctx->auk_queue.lowater && kctx->auk_queue.rd_block) 392 cv_broadcast(&(kctx->auk_queue.read_cv)); 393 394 mutex_exit(&(kctx->auk_queue.lock)); 395 396 /* count # audit records put onto kernel audit queue */ 397 AS_INC(as_enqueue, 1, kctx); 398 } 399 400 /* 401 * Dequeue and free buffers upto and including "freeto" 402 * Keeps the queue lock long but acquires it only once when doing 403 * bulk dequeueing. 404 */ 405 static void 406 au_dequeue(au_kcontext_t *kctx, au_buff_t *freeto) 407 { 408 au_buff_t *m, *l, *lastl; 409 int n = 0; 410 411 ASSERT(kctx != NULL); 412 413 mutex_enter(&(kctx->auk_queue.lock)); 414 415 ASSERT(kctx->auk_queue.head != NULL); 416 ASSERT(freeto != NULL); 417 418 l = m = kctx->auk_queue.head; 419 420 do { 421 n++; 422 lastl = l; 423 l = l->next_rec; 424 } while (l != NULL && freeto != lastl); 425 426 kctx->auk_queue.cnt -= n; 427 lastl->next_rec = NULL; 428 kctx->auk_queue.head = l; 429 430 /* Freeto must exist in the list */ 431 ASSERT(freeto == lastl); 432 433 if (kctx->auk_queue.cnt <= kctx->auk_queue.lowater && 434 kctx->auk_queue.wt_block) 435 cv_broadcast(&(kctx->auk_queue.write_cv)); 436 437 mutex_exit(&(kctx->auk_queue.lock)); 438 439 while (m) { 440 l = m->next_rec; 441 au_free_rec(m); 442 m = l; 443 } 444 AS_INC(as_written, n, kctx); 445 } 446 447 /* 448 * audit_sync_block() 449 * If we've reached the high water mark, we look at the policy to see 450 * if we sleep or we should drop the audit record. 451 * This function is called with the auk_queue.lock held and the check 452 * performed one time already as an optimization. Caller should unlock. 453 * Returns 1 if the caller needs to free the record. 454 */ 455 static int 456 audit_sync_block(au_kcontext_t *kctx) 457 { 458 ASSERT(MUTEX_HELD(&(kctx->auk_queue.lock))); 459 /* 460 * Loop while we are at the high watermark. 461 */ 462 do { 463 if ((kctx->auk_auditstate != AUC_AUDITING) || 464 (kctx->auk_policy & AUDIT_CNT)) { 465 466 /* just count # of dropped audit records */ 467 AS_INC(as_dropped, 1, kctx); 468 469 return (1); 470 } 471 472 /* kick reader awake if its asleep */ 473 if (kctx->auk_queue.rd_block && 474 kctx->auk_queue.cnt > kctx->auk_queue.lowater) 475 cv_broadcast(&(kctx->auk_queue.read_cv)); 476 477 /* keep count of # times blocked */ 478 AS_INC(as_wblocked, 1, kctx); 479 480 /* sleep now, until woken by reader */ 481 kctx->auk_queue.wt_block++; 482 cv_wait(&(kctx->auk_queue.write_cv), &(kctx->auk_queue.lock)); 483 kctx->auk_queue.wt_block--; 484 } while (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater); 485 486 return (0); 487 } 488 489 /* 490 * audit_async_block() 491 * if we've reached the high water mark, we look at the ahlt policy to see 492 * if we reboot we should drop the audit record. 493 * Returns 1 if blocked. 494 */ 495 static int 496 audit_async_block(au_kcontext_t *kctx, caddr_t *rpp) 497 { 498 ASSERT(kctx != NULL); 499 500 mutex_enter(&(kctx->auk_queue.lock)); 501 /* see if we've reached high water mark */ 502 if (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) { 503 mutex_exit(&(kctx->auk_queue.lock)); 504 505 audit_async_drop(rpp, AU_BACKEND); 506 return (1); 507 } 508 mutex_exit(&(kctx->auk_queue.lock)); 509 return (0); 510 } 511 512 /* 513 * au_door_upcall. auditdoor() may change vp without notice, so 514 * some locking seems in order. 515 * 516 */ 517 #define AGAIN_TICKS 10 518 519 static int 520 au_door_upcall(au_kcontext_t *kctx, au_dbuf_t *aubuf) 521 { 522 int rc; 523 door_arg_t darg; 524 int retry = 1; 525 int ticks_to_wait; 526 527 darg.data_ptr = (char *)aubuf; 528 darg.data_size = AU_DBUF_HEADER + aubuf->aub_size; 529 530 darg.desc_ptr = NULL; 531 darg.desc_num = 0; 532 533 while (retry == 1) { 534 /* non-zero means return results expected */ 535 darg.rbuf = (char *)aubuf; 536 darg.rsize = darg.data_size; 537 538 retry = 0; 539 mutex_enter(&(kctx->auk_svc_lock)); 540 rc = door_upcall(kctx->auk_current_vp, &darg, NULL); 541 if (rc != 0) { 542 mutex_exit(&(kctx->auk_svc_lock)); 543 if (rc == EAGAIN) 544 ticks_to_wait = AGAIN_TICKS; 545 else 546 return (rc); 547 548 mutex_enter(&(kctx->auk_eagain_mutex)); 549 (void) cv_timedwait(&(kctx->auk_eagain_cv), 550 &(kctx->auk_eagain_mutex), 551 lbolt + ticks_to_wait); 552 mutex_exit(&(kctx->auk_eagain_mutex)); 553 554 retry = 1; 555 } else 556 mutex_exit(&(kctx->auk_svc_lock)); /* no retry */ 557 } /* end while (retry == 1) */ 558 if (darg.rbuf == NULL) 559 return (-1); 560 561 /* return code from door server */ 562 return (*(int *)darg.rbuf); 563 } 564 565 /* 566 * Write an audit control message to the door handle. The message 567 * structure depends on message_code and at present the only control 568 * message defined is for a policy change. These are infrequent, 569 * so no memory is held for control messages. 570 */ 571 int 572 au_doormsg(au_kcontext_t *kctx, uint32_t message_code, void *message) 573 { 574 int rc; 575 au_dbuf_t *buf; 576 size_t alloc_size; 577 578 switch (message_code) { 579 case AU_DBUF_POLICY: 580 alloc_size = AU_DBUF_HEADER + sizeof (uint32_t); 581 buf = kmem_alloc(alloc_size, KM_SLEEP); 582 buf->aub_size = sizeof (uint32_t); 583 *(uint32_t *)buf->aub_buf = *(uint32_t *)message; 584 break; 585 case AU_DBUF_SHUTDOWN: 586 alloc_size = AU_DBUF_HEADER; 587 buf = kmem_alloc(alloc_size, KM_SLEEP); 588 buf->aub_size = 0; 589 break; 590 default: 591 return (1); 592 } 593 594 buf->aub_type = AU_DBUF_NOTIFY | message_code; 595 rc = au_door_upcall(kctx, buf); 596 kmem_free(buf, alloc_size); 597 598 return (rc); 599 } 600 601 /* 602 * Write audit information to the door handle. au_doorio is called with 603 * one or more complete audit records on the queue and outputs those 604 * records in buffers of up to auk_queue.buflen in size. 605 */ 606 int 607 au_doorio(au_kcontext_t *kctx) { 608 off_t off; /* space used in buffer */ 609 ssize_t used; /* space used in au_membuf */ 610 token_t *cAR; /* current AR being processed */ 611 token_t *cMB; /* current au_membuf being processed */ 612 token_t *sp; /* last AR processed */ 613 char *bp; /* start of free space in staging buffer */ 614 unsigned char *cp; /* ptr to data to be moved */ 615 int error; /* return from door upcall */ 616 617 /* 618 * size (data left in au_membuf - space in buffer) 619 */ 620 ssize_t sz; 621 ssize_t len; /* len of data to move, size of AR */ 622 ssize_t curr_sz = 0; /* amount of data written during now */ 623 /* 624 * partial_state is AU_DBUF_COMPLETE...LAST; see audit_door_infc.h 625 */ 626 int part = 0; /* partial audit record written */ 627 int partial_state = AU_DBUF_COMPLETE; 628 /* 629 * Has the write buffer changed length due to a auditctl(2)? 630 * Initial allocation is from audit_start.c/audit_init() 631 */ 632 if (kctx->auk_queue.bufsz != kctx->auk_queue.buflen) { 633 kmem_free(kctx->auk_dbuffer, AU_DBUF_HEADER + 634 kctx->auk_queue.buflen); 635 636 kctx->auk_dbuffer = kmem_alloc(AU_DBUF_HEADER + 637 kctx->auk_queue.bufsz, KM_SLEEP); 638 639 /* omit the 64 bit header */ 640 kctx->auk_queue.buflen = kctx->auk_queue.bufsz; 641 } 642 if (!kctx->auk_queue.head) 643 goto nodata; 644 645 sp = NULL; /* no record copied */ 646 off = 0; /* no space used in buffer */ 647 used = 0; /* no data processed in au_membuf */ 648 cAR = kctx->auk_queue.head; /* start at head of queue */ 649 cMB = cAR; /* start with first au_membuf of record */ 650 651 /* start at beginning of buffer */ 652 bp = &(kctx->auk_dbuffer->aub_buf[0]); 653 654 while (cMB) { 655 part = 1; /* indicate audit record being processed */ 656 657 cp = memtod(cMB, unsigned char *); /* buffer ptr */ 658 659 sz = (ssize_t)cMB->len - used; /* data left in au_membuf */ 660 /* len to move */ 661 len = (ssize_t)MIN(sz, kctx->auk_queue.buflen - off); 662 663 /* move the data */ 664 bcopy(cp + used, bp + off, len); 665 used += len; /* update used au_membuf */ 666 off += len; /* update offset into buffer */ 667 668 if (used >= (ssize_t)cMB->len) { 669 /* advance to next au_membuf */ 670 used = 0; 671 cMB = cMB->next_buf; 672 } 673 if (cMB == NULL) { 674 /* advance to next audit record */ 675 sp = cAR; 676 cAR = cAR->next_rec; 677 cMB = cAR; 678 part = 0; /* have a complete record */ 679 } 680 error = 0; 681 if ((kctx->auk_queue.buflen == off) || (part == 0)) { 682 if (part) 683 partial_state = state_if_part[partial_state]; 684 else 685 partial_state = 686 state_if_not_part[partial_state]; 687 688 kctx->auk_dbuffer->aub_type = partial_state; 689 kctx->auk_dbuffer->aub_size = off; 690 error = au_door_upcall(kctx, kctx->auk_dbuffer); 691 if (error != 0) 692 goto nodata; 693 /* 694 * if we've successfully written an audit record, 695 * free records up to last full record copied 696 */ 697 if (sp) 698 au_dequeue(kctx, sp); 699 700 /* Update size */ 701 curr_sz += off; 702 703 /* reset auk_dbuffer pointers */ 704 sp = NULL; 705 off = 0; 706 } 707 } /* while(cMB) */ 708 nodata: 709 return (error); 710 } 711 712 /* 713 * Clean up thread audit state to clear out asynchronous audit record 714 * generation error recovery processing. Note that this is done on a 715 * per-thread basis and thus does not need any locking. 716 */ 717 void 718 audit_async_done(caddr_t *rpp, int flags) 719 { 720 t_audit_data_t *tad = U2A(u); 721 722 /* clean up the tad unless called from softcall backend */ 723 if (!(flags & AU_BACKEND)) { 724 ASSERT(tad != NULL); 725 ASSERT(tad->tad_ctrl & PAD_ERRJMP); 726 727 tad->tad_ctrl &= ~PAD_ERRJMP; 728 tad->tad_errjmp = NULL; 729 } 730 731 /* clean out partial audit record */ 732 if ((rpp != NULL) && (*rpp != NULL)) { 733 au_toss_token((au_buff_t *)*rpp); 734 *rpp = NULL; 735 } 736 } 737 738 /* 739 * implement the audit policy for asynchronous events generated within 740 * the kernel. 741 * XXX might need locks around audit_policy check. 742 */ 743 void 744 audit_async_drop(caddr_t *rpp, int flags) 745 { 746 au_kcontext_t *kctx; 747 748 /* could not generate audit record, clean up */ 749 audit_async_done((caddr_t *)rpp, flags); 750 751 kctx = GET_KCTX_GZ; 752 753 /* just drop the record and return */ 754 if (((audit_policy & AUDIT_AHLT) == 0) || 755 (kctx->auk_auditstate == AUC_INIT_AUDIT)) { 756 /* just count # of dropped audit records */ 757 AS_INC(as_dropped, 1, kctx); 758 return; 759 } 760 761 /* 762 * There can be a lot of data in the audit queue. We 763 * will first sync the file systems then attempt to 764 * shutdown the kernel so that a memory dump is 765 * performed. 766 */ 767 sync(); 768 sync(); 769 770 /* 771 * now shut down. What a cruel world it has been 772 */ 773 panic("non-attributable halt. should dump core"); 774 /* No return */ 775 } 776 777 int 778 audit_async_start(label_t *jb, int event, int sorf) 779 { 780 t_audit_data_t *tad = U2A(u); 781 au_state_t estate; 782 int success = 0, failure = 0; 783 au_kcontext_t *kctx = GET_KCTX_GZ; 784 785 /* if audit state off, then no audit record generation */ 786 if ((kctx->auk_auditstate != AUC_AUDITING) && 787 (kctx->auk_auditstate != AUC_INIT_AUDIT)) 788 return (1); 789 790 /* 791 * preselect asynchronous event 792 * XXX should we check for out-of-range??? 793 */ 794 estate = kctx->auk_ets[event]; 795 796 if (sorf & AUM_SUCC) 797 success = kctx->auk_info.ai_mask.as_success & estate; 798 if (sorf & AUM_FAIL) 799 failure = kctx->auk_info.ai_mask.as_failure & estate; 800 801 if ((success | failure) == NULL) 802 return (1); 803 804 ASSERT(tad->tad_errjmp == NULL); 805 tad->tad_errjmp = (void *)jb; 806 tad->tad_ctrl |= PAD_ERRJMP; 807 808 return (0); 809 } 810 811 /* 812 * Complete auditing of an async event. The AU_DONTBLOCK flag to au_close will 813 * result in the backend routine being invoked from softcall, so all the real 814 * work can be done in a safe context. 815 */ 816 void 817 audit_async_finish(caddr_t *ad, int aid, int amod) 818 { 819 au_kcontext_t *kctx; 820 821 kctx = GET_KCTX_GZ; 822 823 au_close(kctx, ad, AU_DONTBLOCK | AU_OK, aid, PAD_NONATTR|amod); 824 } 825 826 /* 827 * Backend routine to complete an async audit. Invoked from softcall. 828 * (Note: the blocking and the queuing below both involve locking which can't 829 * be done safely in high interrupt context due to the chance of sleeping on 830 * the corresponding adaptive mutex. Hence the softcall.) 831 */ 832 static void 833 audit_async_finish_backend(void *addr) 834 { 835 au_kcontext_t *kctx; 836 au_defer_info_t *attr = (au_defer_info_t *)addr; 837 838 if (attr == NULL) 839 return; /* won't happen unless softcall is broken */ 840 841 kctx = GET_KCTX_GZ; 842 843 if (audit_async_block(kctx, (caddr_t *)&attr->audi_ad)) { 844 kmem_free(attr, sizeof (au_defer_info_t)); 845 return; 846 } 847 848 /* 849 * Call au_close_time to complete the audit with the saved values. 850 * 851 * For the exit-prom event, use the current time instead of the 852 * saved time as a better approximation. (Because the time saved via 853 * gethrestime during prom-exit handling would not yet be caught up 854 * after the system was idled in the debugger for a period of time.) 855 */ 856 if (attr->audi_e_type == AUE_EXITPROM) { 857 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 858 attr->audi_e_type, attr->audi_e_mod, NULL); 859 } else { 860 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 861 attr->audi_e_type, attr->audi_e_mod, &attr->audi_atime); 862 } 863 864 AS_INC(as_generated, 1, kctx); 865 AS_INC(as_nonattrib, 1, kctx); 866 867 kmem_free(attr, sizeof (au_defer_info_t)); 868 } 869