xref: /titanic_41/usr/src/uts/common/c2/audit_io.c (revision 78ed97a7b79b59ef2ef41f190c9be35c54d90119)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Routines for writing audit records.
23  *
24  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
25  * Use is subject to license terms.
26  */
27 
28 #pragma ident	"%Z%%M%	%I%	%E% SMI"
29 
30 #include <sys/door.h>
31 #include <sys/param.h>
32 #include <sys/time.h>
33 #include <sys/types.h>
34 #include <sys/statvfs.h>	/* for statfs */
35 #include <sys/vnode.h>
36 #include <sys/file.h>
37 #include <sys/vfs.h>
38 #include <sys/user.h>
39 #include <sys/uio.h>
40 #include <sys/reboot.h>
41 #include <sys/kmem.h>		/* for KM_SLEEP */
42 #include <sys/resource.h>	/* for RLIM_INFINITY */
43 #include <sys/cmn_err.h>	/* panic */
44 #include <sys/systm.h>
45 #include <sys/debug.h>
46 #include <sys/sysmacros.h>
47 #include <sys/syscall.h>
48 #include <sys/zone.h>
49 
50 #include <c2/audit.h>
51 #include <c2/audit_kernel.h>
52 #include <c2/audit_record.h>
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_door_infc.h>
55 
56 static void	au_dequeue(au_kcontext_t *, au_buff_t *);
57 static void	audit_async_finish_backend(void *);
58 static int	audit_sync_block(au_kcontext_t *);
59 /*
60  * each of these two tables are indexed by the values AU_DBUF_COMPLETE
61  * through AU_DBUF_LAST; the content is the next state value.  The
62  * first table determines the next state for a buffer which is not the
63  * end of a record and the second table determines the state for a
64  * buffer which is the end of a record.  The initial state is
65  * AU_DBUF_COMPLETE.
66  */
67 static int state_if_part[] = {
68     AU_DBUF_FIRST, AU_DBUF_MIDDLE, AU_DBUF_MIDDLE, AU_DBUF_FIRST};
69 static int state_if_not_part[] = {
70     AU_DBUF_COMPLETE, AU_DBUF_LAST, AU_DBUF_LAST, AU_DBUF_COMPLETE};
71 /*
72  * Write to an audit descriptor.
73  * Add the au_membuf to the descriptor chain and free the chain passed in.
74  */
75 void
76 au_uwrite(m)
77 	token_t *m;
78 {
79 	au_write(&(u_ad), m);
80 }
81 
82 void
83 au_write(caddr_t *d, token_t *m)
84 {
85 	if (d == NULL) {
86 		au_toss_token(m);
87 		return;
88 	}
89 	if (m == (token_t *)0) {
90 		printf("au_write: null token\n");
91 		return;
92 	}
93 
94 	if (*d == NULL)
95 		*d = (caddr_t)m;
96 	else
97 		(void) au_append_rec((au_buff_t *)*d, m, AU_PACK);
98 }
99 
100 /*
101  * Close an audit descriptor.
102  * Use the second parameter to indicate if it should be written or not.
103  */
104 void
105 au_close(au_kcontext_t *kctx, caddr_t *d, int flag, short e_type, short e_mod)
106 {
107 	token_t *dchain;	/* au_membuf chain which is the tokens */
108 	t_audit_data_t *tad = U2A(u);
109 
110 	ASSERT(tad != NULL);
111 	ASSERT(d != NULL);
112 	ASSERT(kctx != NULL);
113 
114 	if ((dchain = (token_t *)*d) == (token_t *)NULL)
115 		return;
116 
117 	*d = NULL;
118 
119 	/*
120 	 * If async then defer; or if requested, defer the closing/queueing to
121 	 * syscall end, unless no syscall is active or the syscall is _exit.
122 	 */
123 	if ((flag & AU_DONTBLOCK) || ((flag & AU_DEFER) &&
124 	    (tad->tad_scid != 0) && (tad->tad_scid != SYS_exit))) {
125 		au_close_defer(dchain, flag, e_type, e_mod);
126 		return;
127 	}
128 	au_close_time(kctx, dchain, flag, e_type, e_mod, NULL);
129 }
130 
131 /*
132  * Defer closing/queueing of an audit descriptor. For async events, queue
133  * via softcall. Otherwise, defer by queueing the record onto the tad; at
134  * syscall end time it will be pulled off.
135  */
136 void
137 au_close_defer(token_t *dchain, int flag, short e_type, short e_mod)
138 {
139 	au_defer_info_t	*attr;
140 	t_audit_data_t *tad = U2A(u);
141 
142 	ASSERT(tad != NULL);
143 
144 	/* If not to be written, toss the record. */
145 	if ((flag & AU_OK) == 0) {
146 		au_toss_token(dchain);
147 		return;
148 	}
149 
150 	attr = kmem_alloc(sizeof (au_defer_info_t), KM_NOSLEEP);
151 	/* If no mem available, failing silently is the best recourse */
152 	if (attr == NULL) {
153 		au_toss_token(dchain);
154 		return;
155 	}
156 
157 	attr->audi_next = NULL;
158 	attr->audi_ad = dchain;
159 	attr->audi_e_type = e_type;
160 	attr->audi_e_mod = e_mod;
161 	attr->audi_flag = flag;
162 	gethrestime(&attr->audi_atime);
163 
164 	/*
165 	 * All async events must be queued via softcall to avoid possible
166 	 * sleeping in high interrupt context. softcall will ensure it's
167 	 * done on a dedicated software-level interrupt thread.
168 	 */
169 	if (flag & AU_DONTBLOCK) {
170 		softcall(audit_async_finish_backend, attr);
171 		audit_async_done(NULL, 0);
172 		return;
173 	}
174 
175 	/*
176 	 * If not an async event, defer by queuing onto the tad until
177 	 * syscall end. No locking is needed because the tad is per-thread.
178 	 */
179 	if (tad->tad_defer_head)
180 		tad->tad_defer_tail->audi_next = attr;
181 	else
182 		tad->tad_defer_head = attr;
183 	tad->tad_defer_tail = attr;
184 }
185 
186 
187 /*
188  * Save the time in the event header. If time is not specified (i.e., pointer
189  * is NULL), use the current time.  This code is fairly ugly since it needs
190  * to support both 32- and 64-bit environments and can be called indirectly
191  * from both au_close() (for kernel audit) and from audit() (userland audit).
192  */
193 /*ARGSUSED*/
194 static void
195 au_save_time(adr_t *hadrp, timestruc_t *time, int size)
196 {
197 	struct {
198 		uint32_t sec;
199 		uint32_t usec;
200 	} tv;
201 	timestruc_t	now;
202 
203 	if (time == NULL) {
204 		gethrestime(&now);
205 		time = &now;
206 	}
207 
208 #ifdef _LP64
209 	if (size)
210 		adr_int64(hadrp, (int64_t *)time, 2);
211 	else
212 #endif
213 	{
214 		tv.sec = (uint32_t)time->tv_sec;
215 		tv.usec = (uint32_t)time->tv_nsec;
216 		adr_int32(hadrp, (int32_t *)&tv, 2);
217 	}
218 }
219 
220 
221 /*
222  * Close an audit descriptor.
223  * If time of event is specified, use it in the record, otherwise use the
224  * current time.
225  */
226 void
227 au_close_time(au_kcontext_t *kctx, token_t *dchain, int flag, short e_type,
228     short e_mod, timestruc_t *etime)
229 {
230 	token_t 	*record;	/* au_membuf chain == the record */
231 	int		byte_count;
232 	token_t 	*m;		/* for potential sequence token */
233 	adr_t		hadr;		/* handle for header token */
234 	adr_t		sadr;		/* handle for sequence token */
235 	size_t		zone_length;	/* length of zonename token */
236 
237 	ASSERT(dchain != NULL);
238 
239 	/* If not to be written, toss the record */
240 	if ((flag & AU_OK) == 0) {
241 		au_toss_token(dchain);
242 		return;
243 	}
244 	/* if auditing not enabled, then don't generate an audit record */
245 	ASSERT(kctx != NULL);
246 
247 	if ((kctx->auk_auditstate != AUC_AUDITING) &&
248 	    (kctx->auk_auditstate != AUC_INIT_AUDIT)) {
249 		/*
250 		 * at system boot, neither is set yet we want to generate
251 		 * an audit record.
252 		 */
253 		if (e_type != AUE_SYSTEMBOOT) {
254 			au_toss_token(dchain);
255 			return;
256 		}
257 	}
258 
259 	/* Count up the bytes used in the record. */
260 	byte_count = au_token_size(dchain);
261 
262 	/*
263 	 * add in size of header token (always present).
264 	 */
265 	byte_count += sizeof (char) + sizeof (int32_t) +
266 	    sizeof (char) + 2 * sizeof (short) + sizeof (timestruc_t);
267 
268 	if (kctx->auk_hostaddr_valid)
269 		byte_count += sizeof (int32_t) +
270 		    kctx->auk_info.ai_termid.at_type;
271 
272 	/*
273 	 * add in size of zonename token (zero if !AUDIT_ZONENAME)
274 	 */
275 	if (kctx->auk_policy & AUDIT_ZONENAME) {
276 		zone_length = au_zonename_length(NULL);
277 		byte_count += zone_length;
278 	} else {
279 		zone_length = 0;
280 	}
281 	/* add in size of (optional) trailer token */
282 	if (kctx->auk_policy & AUDIT_TRAIL)
283 		byte_count += 7;
284 
285 	/* add in size of (optional) sequence token */
286 	if (kctx->auk_policy & AUDIT_SEQ)
287 		byte_count += 5;
288 
289 	/* build the header */
290 	if (kctx->auk_hostaddr_valid)
291 		record = au_to_header_ex(byte_count, e_type, e_mod);
292 	else
293 		record = au_to_header(byte_count, e_type, e_mod);
294 
295 	/*
296 	 * If timestamp was specified, save it in header now. Otherwise,
297 	 * save reference to header so we can update time/data later
298 	 * and artificially adjust pointer to the time/date field of header.
299 	 */
300 	adr_start(&hadr, memtod(record, char *));
301 	hadr.adr_now += sizeof (char) + sizeof (int32_t) +
302 	    sizeof (char) + 2 * sizeof (short);
303 	if (kctx->auk_hostaddr_valid)
304 		hadr.adr_now += sizeof (int32_t) +
305 		    kctx->auk_info.ai_termid.at_type;
306 	if (etime != NULL) {
307 		au_save_time(&hadr, etime, 1);
308 		hadr.adr_now = (char *)NULL;
309 	}
310 
311 	/* append body of audit record */
312 	(void) au_append_rec(record, dchain, AU_PACK);
313 
314 	/* add (optional) zonename token */
315 	if (zone_length > 0) {
316 		m = au_to_zonename(zone_length, NULL);
317 		(void) au_append_rec(record, m, AU_PACK);
318 	}
319 
320 	/* Add an (optional) sequence token. NULL offset if none */
321 	if (kctx->auk_policy & AUDIT_SEQ) {
322 		/* get the sequence token */
323 		m = au_to_seq();
324 
325 		/* link to audit record (i.e. don't pack the data) */
326 		(void) au_append_rec(record, m, AU_LINK);
327 
328 		/*
329 		 * advance to count field of sequence token by skipping
330 		 * the token type byte.
331 		 */
332 		adr_start(&sadr, memtod(m, char *));
333 		sadr.adr_now += 1;
334 	} else {
335 		sadr.adr_now = NULL;
336 	}
337 	/* add (optional) trailer token */
338 	if (kctx->auk_policy & AUDIT_TRAIL) {
339 		(void) au_append_rec(record, au_to_trailer(byte_count),
340 		    AU_PACK);
341 	}
342 
343 	/*
344 	 * 1 - use 64 bit version of audit tokens for 64 bit kernels.
345 	 * 0 - use 32 bit version of audit tokens for 32 bit kernels.
346 	 */
347 #ifdef _LP64
348 	au_enqueue(kctx, record, &hadr, &sadr, 1, flag & AU_DONTBLOCK);
349 #else
350 	au_enqueue(kctx, record, &hadr, &sadr, 0, flag & AU_DONTBLOCK);
351 #endif
352 	AS_INC(as_totalsize, byte_count, kctx);
353 }
354 
355 /*ARGSUSED*/
356 void
357 au_enqueue(au_kcontext_t *kctx, au_buff_t *m, adr_t *hadrp, adr_t *sadrp,
358     int size, int dontblock)
359 {
360 	if (kctx == NULL)
361 		return;
362 
363 	mutex_enter(&(kctx->auk_queue.lock));
364 
365 	if (!dontblock && (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) &&
366 	    audit_sync_block(kctx)) {
367 		mutex_exit(&(kctx->auk_queue.lock));
368 		au_free_rec(m);
369 		return;
370 	}
371 
372 	/* Fill in date and time if needed */
373 	if (hadrp->adr_now) {
374 		au_save_time(hadrp, NULL, size);
375 	}
376 
377 	/* address will be non-zero only if AUDIT_SEQ set */
378 	if (sadrp->adr_now) {
379 		kctx->auk_sequence++;
380 		adr_int32(sadrp, (int32_t *)&(kctx->auk_sequence), 1);
381 	}
382 
383 	if (kctx->auk_queue.head)
384 		kctx->auk_queue.tail->next_rec = m;
385 	else
386 		kctx->auk_queue.head = m;
387 
388 	kctx->auk_queue.tail = m;
389 
390 	if (++(kctx->auk_queue.cnt) >
391 	    kctx->auk_queue.lowater && kctx->auk_queue.rd_block)
392 		cv_broadcast(&(kctx->auk_queue.read_cv));
393 
394 	mutex_exit(&(kctx->auk_queue.lock));
395 
396 	/* count # audit records put onto kernel audit queue */
397 	AS_INC(as_enqueue, 1, kctx);
398 }
399 
400 /*
401  * Dequeue and free buffers upto and including "freeto"
402  * Keeps the queue lock long but acquires it only once when doing
403  * bulk dequeueing.
404  */
405 static void
406 au_dequeue(au_kcontext_t *kctx, au_buff_t *freeto)
407 {
408 	au_buff_t *m, *l, *lastl;
409 	int n = 0;
410 
411 	ASSERT(kctx != NULL);
412 
413 	mutex_enter(&(kctx->auk_queue.lock));
414 
415 	ASSERT(kctx->auk_queue.head != NULL);
416 	ASSERT(freeto != NULL);
417 
418 	l = m = kctx->auk_queue.head;
419 
420 	do {
421 		n++;
422 		lastl = l;
423 		l = l->next_rec;
424 	} while (l != NULL && freeto != lastl);
425 
426 	kctx->auk_queue.cnt -= n;
427 	lastl->next_rec = NULL;
428 	kctx->auk_queue.head = l;
429 
430 	/* Freeto must exist in the list */
431 	ASSERT(freeto == lastl);
432 
433 	if (kctx->auk_queue.cnt <= kctx->auk_queue.lowater &&
434 	    kctx->auk_queue.wt_block)
435 		cv_broadcast(&(kctx->auk_queue.write_cv));
436 
437 	mutex_exit(&(kctx->auk_queue.lock));
438 
439 	while (m) {
440 		l = m->next_rec;
441 		au_free_rec(m);
442 		m = l;
443 	}
444 	AS_INC(as_written, n, kctx);
445 }
446 
447 /*
448  * audit_sync_block()
449  * If we've reached the high water mark, we look at the policy to see
450  * if we sleep or we should drop the audit record.
451  * This function is called with the auk_queue.lock held and the check
452  * performed one time already as an optimization.  Caller should unlock.
453  * Returns 1 if the caller needs to free the record.
454  */
455 static int
456 audit_sync_block(au_kcontext_t *kctx)
457 {
458 	ASSERT(MUTEX_HELD(&(kctx->auk_queue.lock)));
459 	/*
460 	 * Loop while we are at the high watermark.
461 	 */
462 	do {
463 		if ((kctx->auk_auditstate != AUC_AUDITING) ||
464 		    (kctx->auk_policy & AUDIT_CNT)) {
465 
466 			/* just count # of dropped audit records */
467 			AS_INC(as_dropped, 1, kctx);
468 
469 			return (1);
470 		}
471 
472 		/* kick reader awake if its asleep */
473 		if (kctx->auk_queue.rd_block &&
474 		    kctx->auk_queue.cnt > kctx->auk_queue.lowater)
475 			cv_broadcast(&(kctx->auk_queue.read_cv));
476 
477 		/* keep count of # times blocked */
478 		AS_INC(as_wblocked, 1, kctx);
479 
480 		/* sleep now, until woken by reader */
481 		kctx->auk_queue.wt_block++;
482 		cv_wait(&(kctx->auk_queue.write_cv), &(kctx->auk_queue.lock));
483 		kctx->auk_queue.wt_block--;
484 	} while (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater);
485 
486 	return (0);
487 }
488 
489 /*
490  * audit_async_block()
491  * if we've reached the high water mark, we look at the ahlt policy to see
492  * if we reboot we should drop the audit record.
493  * Returns 1 if blocked.
494  */
495 static int
496 audit_async_block(au_kcontext_t *kctx, caddr_t *rpp)
497 {
498 	ASSERT(kctx != NULL);
499 
500 	mutex_enter(&(kctx->auk_queue.lock));
501 	/* see if we've reached high water mark */
502 	if (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) {
503 		mutex_exit(&(kctx->auk_queue.lock));
504 
505 		audit_async_drop(rpp, AU_BACKEND);
506 		return (1);
507 	}
508 	mutex_exit(&(kctx->auk_queue.lock));
509 	return (0);
510 }
511 
512 /*
513  * au_door_upcall.  auditdoor() may change vp without notice, so
514  * some locking seems in order.
515  *
516  */
517 #define	AGAIN_TICKS	10
518 
519 static int
520 au_door_upcall(au_kcontext_t *kctx, au_dbuf_t *aubuf)
521 {
522 	int		rc;
523 	door_arg_t	darg;
524 	int		retry = 1;
525 	int		ticks_to_wait;
526 
527 	darg.data_ptr = (char *)aubuf;
528 	darg.data_size = AU_DBUF_HEADER + aubuf->aub_size;
529 
530 	darg.desc_ptr = NULL;
531 	darg.desc_num = 0;
532 
533 	while (retry == 1) {
534 		/* non-zero means return results expected */
535 		darg.rbuf = (char *)aubuf;
536 		darg.rsize = darg.data_size;
537 
538 		retry = 0;
539 		mutex_enter(&(kctx->auk_svc_lock));
540 		rc = door_upcall(kctx->auk_current_vp, &darg, NULL);
541 		if (rc != 0) {
542 			mutex_exit(&(kctx->auk_svc_lock));
543 			if (rc == EAGAIN)
544 				ticks_to_wait = AGAIN_TICKS;
545 			else
546 				return (rc);
547 
548 			mutex_enter(&(kctx->auk_eagain_mutex));
549 			(void) cv_timedwait(&(kctx->auk_eagain_cv),
550 			    &(kctx->auk_eagain_mutex),
551 			    lbolt + ticks_to_wait);
552 			mutex_exit(&(kctx->auk_eagain_mutex));
553 
554 			retry = 1;
555 		} else
556 			mutex_exit(&(kctx->auk_svc_lock));	/* no retry */
557 	}	/* end while (retry == 1) */
558 	if (darg.rbuf == NULL)
559 		return (-1);
560 
561 	/* return code from door server */
562 	return (*(int *)darg.rbuf);
563 }
564 
565 /*
566  * Write an audit control message to the door handle.  The message
567  * structure depends on message_code and at present the only control
568  * message defined is for a policy change.  These are infrequent,
569  * so no memory is held for control messages.
570  */
571 int
572 au_doormsg(au_kcontext_t *kctx, uint32_t message_code, void *message)
573 {
574 	int		rc;
575 	au_dbuf_t	*buf;
576 	size_t		alloc_size;
577 
578 	switch (message_code) {
579 	case AU_DBUF_POLICY:
580 		alloc_size = AU_DBUF_HEADER + sizeof (uint32_t);
581 		buf = kmem_alloc(alloc_size, KM_SLEEP);
582 		buf->aub_size = sizeof (uint32_t);
583 		*(uint32_t *)buf->aub_buf = *(uint32_t *)message;
584 		break;
585 	case AU_DBUF_SHUTDOWN:
586 		alloc_size = AU_DBUF_HEADER;
587 		buf = kmem_alloc(alloc_size, KM_SLEEP);
588 		buf->aub_size = 0;
589 		break;
590 	default:
591 		return (1);
592 	}
593 
594 	buf->aub_type = AU_DBUF_NOTIFY | message_code;
595 	rc = au_door_upcall(kctx, buf);
596 	kmem_free(buf, alloc_size);
597 
598 	return (rc);
599 }
600 
601 /*
602  * Write audit information to the door handle.  au_doorio is called with
603  * one or more complete audit records on the queue and outputs those
604  * records in buffers of up to auk_queue.buflen in size.
605  */
606 int
607 au_doorio(au_kcontext_t *kctx) {
608 	off_t		off;	/* space used in buffer */
609 	ssize_t		used;	/* space used in au_membuf */
610 	token_t		*cAR;	/* current AR being processed */
611 	token_t		*cMB;	/* current au_membuf being processed */
612 	token_t		*sp;	/* last AR processed */
613 	char		*bp;	/* start of free space in staging buffer */
614 	unsigned char	*cp;	/* ptr to data to be moved */
615 	int		error;  /* return from door upcall */
616 
617 	/*
618 	 * size (data left in au_membuf - space in buffer)
619 	 */
620 	ssize_t		sz;
621 	ssize_t		len;	/* len of data to move, size of AR */
622 	ssize_t		curr_sz = 0;	/* amount of data written during now */
623 	/*
624 	 * partial_state is AU_DBUF_COMPLETE...LAST; see audit_door_infc.h
625 	 */
626 	int		part    = 0;	/* partial audit record written */
627 	int		partial_state = AU_DBUF_COMPLETE;
628 	/*
629 	 * Has the write buffer changed length due to a auditctl(2)?
630 	 * Initial allocation is from audit_start.c/audit_init()
631 	 */
632 	if (kctx->auk_queue.bufsz != kctx->auk_queue.buflen) {
633 		kmem_free(kctx->auk_dbuffer, AU_DBUF_HEADER +
634 		    kctx->auk_queue.buflen);
635 
636 		kctx->auk_dbuffer = kmem_alloc(AU_DBUF_HEADER +
637 		    kctx->auk_queue.bufsz, KM_SLEEP);
638 
639 		/* omit the 64 bit header */
640 		kctx->auk_queue.buflen = kctx->auk_queue.bufsz;
641 	}
642 	if (!kctx->auk_queue.head)
643 		goto nodata;
644 
645 	sp   = NULL;	/* no record copied */
646 	off  = 0;	/* no space used in buffer */
647 	used = 0;	/* no data processed in au_membuf */
648 	cAR  = kctx->auk_queue.head;	/* start at head of queue */
649 	cMB  = cAR;	/* start with first au_membuf of record */
650 
651 	/* start at beginning of buffer */
652 	bp   = &(kctx->auk_dbuffer->aub_buf[0]);
653 
654 	while (cMB) {
655 		part = 1;	/* indicate audit record being processed */
656 
657 		cp  = memtod(cMB, unsigned char *); /* buffer ptr */
658 
659 		sz  = (ssize_t)cMB->len - used;	/* data left in au_membuf */
660 		/* len to move */
661 		len = (ssize_t)MIN(sz, kctx->auk_queue.buflen - off);
662 
663 		/* move the data */
664 		bcopy(cp + used, bp + off, len);
665 		used += len; /* update used au_membuf */
666 		off  += len; /* update offset into buffer */
667 
668 		if (used >= (ssize_t)cMB->len) {
669 			/* advance to next au_membuf */
670 			used = 0;
671 			cMB  = cMB->next_buf;
672 		}
673 		if (cMB == NULL) {
674 			/* advance to next audit record */
675 			sp   = cAR;
676 			cAR  = cAR->next_rec;
677 			cMB  = cAR;
678 			part = 0;	/* have a complete record */
679 		}
680 		error = 0;
681 		if ((kctx->auk_queue.buflen == off) || (part == 0)) {
682 			if (part)
683 				partial_state = state_if_part[partial_state];
684 			else
685 				partial_state =
686 				    state_if_not_part[partial_state];
687 
688 			kctx->auk_dbuffer->aub_type = partial_state;
689 			kctx->auk_dbuffer->aub_size = off;
690 			error = au_door_upcall(kctx, kctx->auk_dbuffer);
691 			if (error != 0)
692 				goto nodata;
693 			/*
694 			 * if we've successfully written an audit record,
695 			 * free records up to last full record copied
696 			 */
697 			if (sp)
698 				au_dequeue(kctx, sp);
699 
700 				/* Update size */
701 			curr_sz += off;
702 
703 				/* reset auk_dbuffer pointers */
704 			sp = NULL;
705 			off  = 0;
706 		}
707 	}	/* while(cMB) */
708 nodata:
709 	return (error);
710 }
711 
712 /*
713  * Clean up thread audit state to clear out asynchronous audit record
714  * generation error recovery processing. Note that this is done on a
715  * per-thread basis and thus does not need any locking.
716  */
717 void
718 audit_async_done(caddr_t *rpp, int flags)
719 {
720 	t_audit_data_t *tad = U2A(u);
721 
722 	/* clean up the tad unless called from softcall backend */
723 	if (!(flags & AU_BACKEND)) {
724 		ASSERT(tad != NULL);
725 		ASSERT(tad->tad_ctrl & PAD_ERRJMP);
726 
727 		tad->tad_ctrl &= ~PAD_ERRJMP;
728 		tad->tad_errjmp = NULL;
729 	}
730 
731 	/* clean out partial audit record */
732 	if ((rpp != NULL) && (*rpp != NULL)) {
733 		au_toss_token((au_buff_t *)*rpp);
734 		*rpp = NULL;
735 	}
736 }
737 
738 /*
739  * implement the audit policy for asynchronous events generated within
740  * the kernel.
741  * XXX might need locks around audit_policy check.
742  */
743 void
744 audit_async_drop(caddr_t *rpp, int flags)
745 {
746 	au_kcontext_t	*kctx;
747 
748 	/* could not generate audit record, clean up */
749 	audit_async_done((caddr_t *)rpp, flags);
750 
751 	kctx = GET_KCTX_GZ;
752 
753 	/* just drop the record and return */
754 	if (((audit_policy & AUDIT_AHLT) == 0) ||
755 	    (kctx->auk_auditstate == AUC_INIT_AUDIT)) {
756 		/* just count # of dropped audit records */
757 		AS_INC(as_dropped, 1, kctx);
758 		return;
759 	}
760 
761 	/*
762 	 * There can be a lot of data in the audit queue. We
763 	 * will first sync the file systems then attempt to
764 	 * shutdown the kernel so that a memory dump is
765 	 * performed.
766 	 */
767 	sync();
768 	sync();
769 
770 	/*
771 	 * now shut down. What a cruel world it has been
772 	 */
773 	panic("non-attributable halt. should dump core");
774 	/* No return */
775 }
776 
777 int
778 audit_async_start(label_t *jb, int event, int sorf)
779 {
780 	t_audit_data_t *tad = U2A(u);
781 	au_state_t estate;
782 	int success = 0, failure = 0;
783 	au_kcontext_t	*kctx = GET_KCTX_GZ;
784 
785 	/* if audit state off, then no audit record generation */
786 	if ((kctx->auk_auditstate != AUC_AUDITING) &&
787 	    (kctx->auk_auditstate != AUC_INIT_AUDIT))
788 		return (1);
789 
790 	/*
791 	 * preselect asynchronous event
792 	 * XXX should we check for out-of-range???
793 	 */
794 	estate = kctx->auk_ets[event];
795 
796 	if (sorf & AUM_SUCC)
797 		success = kctx->auk_info.ai_mask.as_success & estate;
798 	if (sorf & AUM_FAIL)
799 		failure = kctx->auk_info.ai_mask.as_failure & estate;
800 
801 	if ((success | failure) == NULL)
802 		return (1);
803 
804 	ASSERT(tad->tad_errjmp == NULL);
805 	tad->tad_errjmp = (void *)jb;
806 	tad->tad_ctrl |= PAD_ERRJMP;
807 
808 	return (0);
809 }
810 
811 /*
812  * Complete auditing of an async event. The AU_DONTBLOCK flag to au_close will
813  * result in the backend routine being invoked from softcall, so all the real
814  * work can be done in a safe context.
815  */
816 void
817 audit_async_finish(caddr_t *ad, int aid, int amod)
818 {
819 	au_kcontext_t	*kctx;
820 
821 	kctx  = GET_KCTX_GZ;
822 
823 	au_close(kctx, ad, AU_DONTBLOCK | AU_OK, aid, PAD_NONATTR|amod);
824 }
825 
826 /*
827  * Backend routine to complete an async audit. Invoked from softcall.
828  * (Note: the blocking and the queuing below both involve locking which can't
829  * be done safely in high interrupt context due to the chance of sleeping on
830  * the corresponding adaptive mutex. Hence the softcall.)
831  */
832 static void
833 audit_async_finish_backend(void *addr)
834 {
835 	au_kcontext_t	*kctx;
836 	au_defer_info_t	*attr = (au_defer_info_t *)addr;
837 
838 	if (attr == NULL)
839 		return;		/* won't happen unless softcall is broken */
840 
841 	kctx  = GET_KCTX_GZ;
842 
843 	if (audit_async_block(kctx, (caddr_t *)&attr->audi_ad)) {
844 		kmem_free(attr, sizeof (au_defer_info_t));
845 		return;
846 	}
847 
848 	/*
849 	 * Call au_close_time to complete the audit with the saved values.
850 	 *
851 	 * For the exit-prom event, use the current time instead of the
852 	 * saved time as a better approximation. (Because the time saved via
853 	 * gethrestime during prom-exit handling would not yet be caught up
854 	 * after the system was idled in the debugger for a period of time.)
855 	 */
856 	if (attr->audi_e_type == AUE_EXITPROM) {
857 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
858 		    attr->audi_e_type, attr->audi_e_mod, NULL);
859 	} else {
860 		au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
861 		    attr->audi_e_type, attr->audi_e_mod, &attr->audi_atime);
862 	}
863 
864 	AS_INC(as_generated, 1, kctx);
865 	AS_INC(as_nonattrib, 1, kctx);
866 
867 	kmem_free(attr, sizeof (au_defer_info_t));
868 }
869