1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Routines for writing audit records. 23 * 24 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 #pragma ident "%Z%%M% %I% %E% SMI" 29 30 #include <sys/door.h> 31 #include <sys/param.h> 32 #include <sys/time.h> 33 #include <sys/types.h> 34 #include <sys/statvfs.h> /* for statfs */ 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/vfs.h> 38 #include <sys/user.h> 39 #include <sys/uio.h> 40 #include <sys/reboot.h> 41 #include <sys/kmem.h> /* for KM_SLEEP */ 42 #include <sys/resource.h> /* for RLIM_INFINITY */ 43 #include <sys/cmn_err.h> /* panic */ 44 #include <sys/systm.h> 45 #include <sys/debug.h> 46 #include <sys/sysmacros.h> 47 #include <sys/syscall.h> 48 #include <sys/zone.h> 49 50 #include <c2/audit.h> 51 #include <c2/audit_kernel.h> 52 #include <c2/audit_record.h> 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_door_infc.h> 55 56 static void au_dequeue(au_kcontext_t *, au_buff_t *); 57 static void audit_async_finish_backend(void *); 58 static int audit_sync_block(au_kcontext_t *); 59 /* 60 * each of these two tables are indexed by the values AU_DBUF_COMPLETE 61 * through AU_DBUF_LAST; the content is the next state value. The 62 * first table determines the next state for a buffer which is not the 63 * end of a record and the second table determines the state for a 64 * buffer which is the end of a record. The initial state is 65 * AU_DBUF_COMPLETE. 66 */ 67 static int state_if_part[] = { 68 AU_DBUF_FIRST, AU_DBUF_MIDDLE, AU_DBUF_MIDDLE, AU_DBUF_FIRST}; 69 static int state_if_not_part[] = { 70 AU_DBUF_COMPLETE, AU_DBUF_LAST, AU_DBUF_LAST, AU_DBUF_COMPLETE}; 71 /* 72 * Write to an audit descriptor. 73 * Add the au_membuf to the descriptor chain and free the chain passed in. 74 */ 75 void 76 au_uwrite(m) 77 token_t *m; 78 { 79 au_write(&(u_ad), m); 80 } 81 82 void 83 au_write(caddr_t *d, token_t *m) 84 { 85 if (d == NULL) { 86 au_toss_token(m); 87 return; 88 } 89 if (m == (token_t *)0) { 90 printf("au_write: null token\n"); 91 return; 92 } 93 94 if (*d == NULL) 95 *d = (caddr_t)m; 96 else 97 (void) au_append_rec((au_buff_t *)*d, m, AU_PACK); 98 } 99 #define AU_INTERVAL 120 100 101 /* 102 * Write audit information to the disk. 103 * Called from auditsvc(); EOL'd as of Sol 10. 104 * Local zones are not allowed; the caller (auditsvc()) enforces the 105 * restriction. 106 */ 107 int 108 au_doio(vp, limit) 109 110 struct vnode *vp; 111 int limit; 112 113 { /* AU_DOIO */ 114 115 off_t off; /* space used in buffer */ 116 size_t used; /* space used in au_membuf */ 117 token_t *cAR; /* current AR being processed */ 118 token_t *cMB; /* current au_membuf being processed */ 119 token_t *sp; /* last AR processed */ 120 char *bp; /* start of free space in staging buffer */ 121 unsigned char *cp; /* ptr to data to be moved */ 122 au_kcontext_t *kctx; 123 /* 124 * size (data left in au_membuf - space in buffer) 125 */ 126 ssize_t sz; 127 ssize_t len; /* len of data to move, size of AR */ 128 int error; /* error return */ 129 ssize_t left; /* data not xfered by write to disk */ 130 statvfs64_t sb; /* buffer for statfs */ 131 size_t curr_sz = 0; /* amount of data written during now */ 132 int part = 0; /* partial audit record written */ 133 int partial = 0; /* flag to force partial AR to file */ 134 /* 0 - idle, ignore */ 135 /* 1 - force write of audit record */ 136 /* 2 - finished writing AR, commit */ 137 138 kctx = GET_KCTX_GZ; 139 140 /* 141 * Check to ensure enough free space on audit device. 142 */ 143 bzero(&sb, sizeof (statvfs64_t)); 144 (void) VFS_STATVFS(vp->v_vfsp, &sb); 145 /* 146 * Large Files: We do not convert any of this part of kernel 147 * to be large file aware. Original behaviour should be 148 * maintained. This function is called from audit_svc and 149 * it already checks for negative values of limit. 150 */ 151 152 if (sb.f_blocks && (fsblkcnt64_t)limit > sb.f_bavail) 153 return (ENOSPC); 154 155 if (kctx->auk_file_stat.af_filesz && 156 (kctx->auk_file_stat.af_currsz >= 157 kctx->auk_file_stat.af_filesz)) 158 return (EFBIG); 159 160 /* 161 * has the write buffer changed length due to a auditctl(2)? 162 * (remember that auk_buffer is an element of auk_dbuffer) 163 */ 164 if (kctx->auk_queue.bufsz != kctx->auk_queue.buflen) { 165 166 kmem_free(kctx->auk_buffer, kctx->auk_queue.buflen); 167 168 /* bad, should not sleep here. Testing only */ 169 kctx->auk_buffer = kmem_alloc(kctx->auk_queue.bufsz, KM_SLEEP); 170 171 kctx->auk_queue.buflen = kctx->auk_queue.bufsz; 172 } 173 174 if (!kctx->auk_queue.head) { 175 goto nodata; 176 } 177 sp = (token_t *)0; /* no AR copied */ 178 off = 0; /* no space used in buffer */ 179 used = 0; /* no data processed in au_membuf */ 180 cAR = kctx->auk_queue.head; /* start at head of queue */ 181 cMB = cAR; /* start with first au_membuf of record */ 182 bp = &(kctx->auk_buffer[0]); /* start at beginning of buffer */ 183 184 while (cMB) { 185 ASSERT(kctx->auk_queue.head != NULL); 186 187 /* indicate audit record being processed */ 188 part = 1; 189 190 /* pointer to buffer data */ 191 cp = memtod(cMB, unsigned char *); 192 /* data left in au_membuf */ 193 sz = (ssize_t)cMB->len - used; 194 /* len to move */ 195 len = (ssize_t)MIN(sz, kctx->auk_queue.buflen - off); 196 197 /* move the data */ 198 bcopy(cp + used, bp + off, len); 199 used += len; /* update used au_membuf */ 200 off += len; /* update offset into buffer */ 201 202 if (used >= (ssize_t)cMB->len) { 203 /* advance to next au_membuf */ 204 used = 0; 205 cMB = cMB->next_buf; 206 } 207 if (cMB == (au_buff_t *)0) { 208 /* advance to next AR */ 209 sp = cAR; 210 cAR = cAR->next_rec; 211 cMB = cAR; 212 /* reached end of an audit record */ 213 part = 0; 214 /* force abort at end of audit record? */ 215 if (partial == 1) 216 partial = 2; 217 } 218 /* 219 * If we've reached end of buffer, or have run out of 220 * audit records on the queue or we've processed a 221 * partial audit record to complete the audit file, 222 * then its time to flush the holding buffer to the 223 * audit trail. 224 */ 225 if ((kctx->auk_queue.buflen == off) || 226 (cAR == (au_buff_t *)0) || 227 (partial == 2)) { 228 229 left = 0; 230 /* 231 * Largefiles: We purposely pass a value of 232 * MAXOFF_T as we do not want any of the 233 * auditing files to exceed 2GB. May be we will 234 * support this in future. 235 */ 236 error = vn_rdwr(UIO_WRITE, vp, kctx->auk_buffer, 237 off, 0LL, UIO_SYSSPACE, FAPPEND, 238 (rlim64_t)MAXOFF_T, CRED(), &left); 239 240 /* error on write */ 241 if (error != 0) { 242 if (error == EDQUOT) 243 error = ENOSPC; 244 return (error); 245 } 246 247 /* end of file system? */ 248 if (left) { 249 au_buff_t *b = NULL; 250 251 sz = off - left; /* how much written */ 252 253 /* update space counters */ 254 kctx->auk_file_stat.af_currsz += sz; 255 256 /* which AR are done */ 257 cAR = kctx->auk_queue.head; 258 while (sz) { 259 cp = memtod(cAR, unsigned char *); 260 len = (ssize_t)((cp[1]<<24 | cp[2]<<16 | 261 cp[3]<<8 | cp[4]) & 262 0xffffffffU); 263 264 if (len > sz) 265 break; 266 b = cAR; 267 cAR = cAR->next_rec; 268 sz -= len; 269 } 270 if (b != NULL) 271 au_dequeue(kctx, b); 272 273 return (ENOSPC); 274 275 } else { /* still space in file system */ 276 /* if we've written an AR */ 277 if (sp) { 278 /* 279 * free records up to last one copied. 280 */ 281 au_dequeue(kctx, sp); 282 } 283 /* Update sizes */ 284 curr_sz += off; 285 kctx->auk_file_stat.af_currsz += (uint_t)off; 286 287 /* reset auk_buffer pointers */ 288 sp = (token_t *)0; 289 off = 0; 290 bp = &(kctx->auk_buffer[0]); 291 292 /* check exit conditions */ 293 if (sb.f_blocks) { 294 ulong_t blks_used; 295 blks_used = (curr_sz / sb.f_bsize); 296 if ((fsblkcnt64_t)limit > 297 (sb.f_bavail - (fsblkcnt64_t)blks_used)) { 298 /* 299 * if we haven't put out a 300 * complete audit record, 301 * continue to process the 302 * audit queue until we reach 303 * the end of the record. 304 */ 305 if (part && (partial == 0)) { 306 partial = 1; 307 continue; 308 } 309 /* 310 * exit if complete record 311 */ 312 if (partial != 1) 313 return (ENOSPC); 314 } 315 } 316 if (kctx->auk_file_stat.af_filesz && 317 (kctx->auk_file_stat.af_currsz 318 >= kctx->auk_file_stat.af_filesz)) { 319 /* 320 * force a complete audit 321 * record to the trail. 322 */ 323 if (partial == 0) 324 partial = 1; 325 /* 326 * Written data to AR boundry. 327 */ 328 if (partial != 1) 329 return (EFBIG); 330 } 331 } 332 } 333 } /* while(cMB) */ 334 335 nodata: 336 return (0); 337 } 338 339 /* 340 * Close an audit descriptor. 341 * Use the second parameter to indicate if it should be written or not. 342 */ 343 void 344 au_close(au_kcontext_t *kctx, caddr_t *d, int flag, short e_type, short e_mod) 345 { 346 token_t *dchain; /* au_membuf chain which is the tokens */ 347 t_audit_data_t *tad = U2A(u); 348 349 ASSERT(tad != NULL); 350 ASSERT(d != NULL); 351 ASSERT(kctx != NULL); 352 353 if ((dchain = (token_t *)*d) == (token_t *)NULL) 354 return; 355 356 *d = NULL; 357 358 /* 359 * If async then defer; or if requested, defer the closing/queueing to 360 * syscall end, unless no syscall is active or the syscall is _exit. 361 */ 362 if ((flag & AU_DONTBLOCK) || ((flag & AU_DEFER) && 363 (tad->tad_scid != 0) && (tad->tad_scid != SYS_exit))) { 364 au_close_defer(dchain, flag, e_type, e_mod); 365 return; 366 } 367 au_close_time(kctx, dchain, flag, e_type, e_mod, NULL); 368 } 369 370 /* 371 * Defer closing/queueing of an audit descriptor. For async events, queue 372 * via softcall. Otherwise, defer by queueing the record onto the tad; at 373 * syscall end time it will be pulled off. 374 */ 375 void 376 au_close_defer(token_t *dchain, int flag, short e_type, short e_mod) 377 { 378 au_defer_info_t *attr; 379 t_audit_data_t *tad = U2A(u); 380 381 ASSERT(tad != NULL); 382 383 /* If not to be written, toss the record. */ 384 if ((flag & AU_OK) == 0) { 385 au_toss_token(dchain); 386 return; 387 } 388 389 attr = kmem_alloc(sizeof (au_defer_info_t), KM_NOSLEEP); 390 /* If no mem available, failing silently is the best recourse */ 391 if (attr == NULL) { 392 au_toss_token(dchain); 393 return; 394 } 395 396 attr->audi_next = NULL; 397 attr->audi_ad = dchain; 398 attr->audi_e_type = e_type; 399 attr->audi_e_mod = e_mod; 400 attr->audi_flag = flag; 401 gethrestime(&attr->audi_atime); 402 403 /* 404 * All async events must be queued via softcall to avoid possible 405 * sleeping in high interrupt context. softcall will ensure it's 406 * done on a dedicated software-level interrupt thread. 407 */ 408 if (flag & AU_DONTBLOCK) { 409 softcall(audit_async_finish_backend, attr); 410 audit_async_done(NULL, 0); 411 return; 412 } 413 414 /* 415 * If not an async event, defer by queuing onto the tad until 416 * syscall end. No locking is needed because the tad is per-thread. 417 */ 418 if (tad->tad_defer_head) 419 tad->tad_defer_tail->audi_next = attr; 420 else 421 tad->tad_defer_head = attr; 422 tad->tad_defer_tail = attr; 423 } 424 425 426 /* 427 * Save the time in the event header. If time is not specified (i.e., pointer 428 * is NULL), use the current time. This code is fairly ugly since it needs 429 * to support both 32- and 64-bit environments and can be called indirectly 430 * from both au_close() (for kernel audit) and from audit() (userland audit). 431 */ 432 /*ARGSUSED*/ 433 static void 434 au_save_time(adr_t *hadrp, timestruc_t *time, int size) 435 { 436 struct { 437 uint32_t sec; 438 uint32_t usec; 439 } tv; 440 timestruc_t now; 441 442 if (time == NULL) { 443 gethrestime(&now); 444 time = &now; 445 } 446 447 #ifdef _LP64 448 if (size) 449 adr_int64(hadrp, (int64_t *)time, 2); 450 else 451 #endif 452 { 453 tv.sec = (uint32_t)time->tv_sec; 454 tv.usec = (uint32_t)time->tv_nsec; 455 adr_int32(hadrp, (int32_t *)&tv, 2); 456 } 457 } 458 459 460 /* 461 * Close an audit descriptor. 462 * If time of event is specified, use it in the record, otherwise use the 463 * current time. 464 */ 465 void 466 au_close_time(au_kcontext_t *kctx, token_t *dchain, int flag, short e_type, 467 short e_mod, timestruc_t *etime) 468 { 469 token_t *record; /* au_membuf chain == the record */ 470 int byte_count; 471 token_t *m; /* for potential sequence token */ 472 adr_t hadr; /* handle for header token */ 473 adr_t sadr; /* handle for sequence token */ 474 size_t zone_length; /* length of zonename token */ 475 476 ASSERT(dchain != NULL); 477 478 /* If not to be written, toss the record */ 479 if ((flag & AU_OK) == 0) { 480 au_toss_token(dchain); 481 return; 482 } 483 /* if auditing not enabled, then don't generate an audit record */ 484 ASSERT(kctx != NULL); 485 486 if ((kctx->auk_auditstate != AUC_AUDITING) && 487 (kctx->auk_auditstate != AUC_INIT_AUDIT)) { 488 /* 489 * at system boot, neither is set yet we want to generate 490 * an audit record. 491 */ 492 if (e_type != AUE_SYSTEMBOOT) { 493 au_toss_token(dchain); 494 return; 495 } 496 } 497 498 /* Count up the bytes used in the record. */ 499 byte_count = au_token_size(dchain); 500 501 /* 502 * add in size of header token (always present). 503 */ 504 byte_count += sizeof (char) + sizeof (int32_t) + 505 sizeof (char) + 2 * sizeof (short) + sizeof (timestruc_t); 506 507 if (kctx->auk_hostaddr_valid) 508 byte_count += sizeof (int32_t) + kctx->auk_info.ai_termid.at_type; 509 510 /* 511 * add in size of zonename token (zero if !AUDIT_ZONENAME) 512 */ 513 if (kctx->auk_policy & AUDIT_ZONENAME) { 514 zone_length = au_zonename_length(NULL); 515 byte_count += zone_length; 516 } else { 517 zone_length = 0; 518 } 519 /* add in size of (optional) trailer token */ 520 if (kctx->auk_policy & AUDIT_TRAIL) 521 byte_count += 7; 522 523 /* add in size of (optional) sequence token */ 524 if (kctx->auk_policy & AUDIT_SEQ) 525 byte_count += 5; 526 527 /* build the header */ 528 if (kctx->auk_hostaddr_valid) 529 record = au_to_header_ex(byte_count, e_type, e_mod); 530 else 531 record = au_to_header(byte_count, e_type, e_mod); 532 533 /* 534 * If timestamp was specified, save it in header now. Otherwise, 535 * save reference to header so we can update time/data later 536 * and artificially adjust pointer to the time/date field of header. 537 */ 538 adr_start(&hadr, memtod(record, char *)); 539 hadr.adr_now += sizeof (char) + sizeof (int32_t) + 540 sizeof (char) + 2 * sizeof (short); 541 if (kctx->auk_hostaddr_valid) 542 hadr.adr_now += sizeof (int32_t) + 543 kctx->auk_info.ai_termid.at_type; 544 if (etime != NULL) { 545 au_save_time(&hadr, etime, 1); 546 hadr.adr_now = (char *)NULL; 547 } 548 549 /* append body of audit record */ 550 (void) au_append_rec(record, dchain, AU_PACK); 551 552 /* add (optional) zonename token */ 553 if (zone_length > 0) { 554 m = au_to_zonename(zone_length, NULL); 555 (void) au_append_rec(record, m, AU_PACK); 556 } 557 558 /* Add an (optional) sequence token. NULL offset if none */ 559 if (kctx->auk_policy & AUDIT_SEQ) { 560 /* get the sequence token */ 561 m = au_to_seq(); 562 563 /* link to audit record (i.e. don't pack the data) */ 564 (void) au_append_rec(record, m, AU_LINK); 565 566 /* 567 * advance to count field of sequence token by skipping 568 * the token type byte. 569 */ 570 adr_start(&sadr, memtod(m, char *)); 571 sadr.adr_now += 1; 572 } else { 573 sadr.adr_now = NULL; 574 } 575 /* add (optional) trailer token */ 576 if (kctx->auk_policy & AUDIT_TRAIL) { 577 (void) au_append_rec(record, au_to_trailer(byte_count), 578 AU_PACK); 579 } 580 581 /* 582 * 1 - use 64 bit version of audit tokens for 64 bit kernels. 583 * 0 - use 32 bit version of audit tokens for 32 bit kernels. 584 */ 585 #ifdef _LP64 586 au_enqueue(kctx, record, &hadr, &sadr, 1, flag & AU_DONTBLOCK); 587 #else 588 au_enqueue(kctx, record, &hadr, &sadr, 0, flag & AU_DONTBLOCK); 589 #endif 590 AS_INC(as_totalsize, byte_count, kctx); 591 } 592 593 /*ARGSUSED*/ 594 void 595 au_enqueue(au_kcontext_t *kctx, au_buff_t *m, adr_t *hadrp, adr_t *sadrp, 596 int size, int dontblock) 597 { 598 if (kctx == NULL) 599 return; 600 601 mutex_enter(&(kctx->auk_queue.lock)); 602 603 if (!dontblock && (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) && 604 audit_sync_block(kctx)) { 605 mutex_exit(&(kctx->auk_queue.lock)); 606 au_free_rec(m); 607 return; 608 } 609 610 /* Fill in date and time if needed */ 611 if (hadrp->adr_now) { 612 au_save_time(hadrp, NULL, size); 613 } 614 615 /* address will be non-zero only if AUDIT_SEQ set */ 616 if (sadrp->adr_now) { 617 kctx->auk_sequence++; 618 adr_int32(sadrp, (int32_t *)&(kctx->auk_sequence), 1); 619 } 620 621 if (kctx->auk_queue.head) 622 kctx->auk_queue.tail->next_rec = m; 623 else 624 kctx->auk_queue.head = m; 625 626 kctx->auk_queue.tail = m; 627 628 if (++(kctx->auk_queue.cnt) > 629 kctx->auk_queue.lowater && kctx->auk_queue.rd_block) 630 cv_broadcast(&(kctx->auk_queue.read_cv)); 631 632 mutex_exit(&(kctx->auk_queue.lock)); 633 634 /* count # audit records put onto kernel audit queue */ 635 AS_INC(as_enqueue, 1, kctx); 636 } 637 638 /* 639 * Dequeue and free buffers upto and including "freeto" 640 * Keeps the queue lock long but acquires it only once when doing 641 * bulk dequeueing. 642 */ 643 static void 644 au_dequeue(au_kcontext_t *kctx, au_buff_t *freeto) 645 { 646 au_buff_t *m, *l, *lastl; 647 int n = 0; 648 649 ASSERT(kctx != NULL); 650 651 mutex_enter(&(kctx->auk_queue.lock)); 652 653 ASSERT(kctx->auk_queue.head != NULL); 654 ASSERT(freeto != NULL); 655 656 l = m = kctx->auk_queue.head; 657 658 do { 659 n++; 660 lastl = l; 661 l = l->next_rec; 662 } while (l != NULL && freeto != lastl); 663 664 kctx->auk_queue.cnt -= n; 665 lastl->next_rec = NULL; 666 kctx->auk_queue.head = l; 667 668 /* Freeto must exist in the list */ 669 ASSERT(freeto == lastl); 670 671 if (kctx->auk_queue.cnt <= kctx->auk_queue.lowater && 672 kctx->auk_queue.wt_block) 673 cv_broadcast(&(kctx->auk_queue.write_cv)); 674 675 mutex_exit(&(kctx->auk_queue.lock)); 676 677 while (m) { 678 l = m->next_rec; 679 au_free_rec(m); 680 m = l; 681 } 682 AS_INC(as_written, n, kctx); 683 } 684 685 /* 686 * audit_sync_block() 687 * If we've reached the high water mark, we look at the policy to see 688 * if we sleep or we should drop the audit record. 689 * This function is called with the auk_queue.lock held and the check 690 * performed one time already as an optimization. Caller should unlock. 691 * Returns 1 if the caller needs to free the record. 692 */ 693 static int 694 audit_sync_block(au_kcontext_t *kctx) 695 { 696 ASSERT(MUTEX_HELD(&(kctx->auk_queue.lock))); 697 /* 698 * Loop while we are at the high watermark. 699 */ 700 do { 701 if ((kctx->auk_auditstate != AUC_AUDITING) || 702 (kctx->auk_policy & AUDIT_CNT)) { 703 704 /* just count # of dropped audit records */ 705 AS_INC(as_dropped, 1, kctx); 706 707 return (1); 708 } 709 710 /* kick reader awake if its asleep */ 711 if (kctx->auk_queue.rd_block && 712 kctx->auk_queue.cnt > kctx->auk_queue.lowater) 713 cv_broadcast(&(kctx->auk_queue.read_cv)); 714 715 /* keep count of # times blocked */ 716 AS_INC(as_wblocked, 1, kctx); 717 718 /* sleep now, until woken by reader */ 719 kctx->auk_queue.wt_block++; 720 cv_wait(&(kctx->auk_queue.write_cv), &(kctx->auk_queue.lock)); 721 kctx->auk_queue.wt_block--; 722 } while (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater); 723 724 return (0); 725 } 726 727 /* 728 * audit_async_block() 729 * if we've reached the high water mark, we look at the ahlt policy to see 730 * if we reboot we should drop the audit record. 731 * Returns 1 if blocked. 732 */ 733 static int 734 audit_async_block(au_kcontext_t *kctx, caddr_t *rpp) 735 { 736 ASSERT(kctx != NULL); 737 738 mutex_enter(&(kctx->auk_queue.lock)); 739 /* see if we've reached high water mark */ 740 if (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) { 741 mutex_exit(&(kctx->auk_queue.lock)); 742 743 audit_async_drop(rpp, AU_BACKEND); 744 return (1); 745 } 746 mutex_exit(&(kctx->auk_queue.lock)); 747 return (0); 748 } 749 750 /* 751 * au_door_upcall. auditdoor() may change vp without notice, so 752 * some locking seems in order. 753 * 754 */ 755 #define AGAIN_TICKS 10 756 757 static int 758 au_door_upcall(au_kcontext_t *kctx, au_dbuf_t *aubuf) 759 { 760 int rc; 761 door_arg_t darg; 762 int retry = 1; 763 int ticks_to_wait; 764 765 darg.data_ptr = (char *)aubuf; 766 darg.data_size = AU_DBUF_HEADER + aubuf->aub_size; 767 768 darg.desc_ptr = NULL; 769 darg.desc_num = 0; 770 771 while (retry == 1) { 772 /* non-zero means return results expected */ 773 darg.rbuf = (char *)aubuf; 774 darg.rsize = darg.data_size; 775 776 retry = 0; 777 mutex_enter(&(kctx->auk_svc_lock)); 778 if ((rc = door_upcall(kctx->auk_current_vp, &darg)) != 0) { 779 mutex_exit(&(kctx->auk_svc_lock)); 780 if (rc == EAGAIN) 781 ticks_to_wait = AGAIN_TICKS; 782 else 783 return (rc); 784 785 mutex_enter(&(kctx->auk_eagain_mutex)); 786 (void) cv_timedwait(&(kctx->auk_eagain_cv), 787 &(kctx->auk_eagain_mutex), 788 lbolt + ticks_to_wait); 789 mutex_exit(&(kctx->auk_eagain_mutex)); 790 791 retry = 1; 792 } else 793 mutex_exit(&(kctx->auk_svc_lock)); /* no retry */ 794 } /* end while (retry == 1) */ 795 if (darg.rbuf == NULL) 796 return (-1); 797 798 /* return code from door server */ 799 return (*(int *)darg.rbuf); 800 } 801 802 /* 803 * Write an audit control message to the door handle. The message 804 * structure depends on message_code and at present the only control 805 * message defined is for a policy change. These are infrequent, 806 * so no memory is held for control messages. 807 */ 808 int 809 au_doormsg(au_kcontext_t *kctx, uint32_t message_code, void *message) 810 { 811 int rc; 812 au_dbuf_t *buf; 813 size_t alloc_size; 814 815 switch (message_code) { 816 case AU_DBUF_POLICY: 817 alloc_size = AU_DBUF_HEADER + sizeof (uint32_t); 818 buf = kmem_alloc(alloc_size, KM_SLEEP); 819 buf->aub_size = sizeof (uint32_t); 820 *(uint32_t *)buf->aub_buf = *(uint32_t *)message; 821 break; 822 case AU_DBUF_SHUTDOWN: 823 alloc_size = AU_DBUF_HEADER; 824 buf = kmem_alloc(alloc_size, KM_SLEEP); 825 buf->aub_size = 0; 826 break; 827 default: 828 return (1); 829 } 830 831 buf->aub_type = AU_DBUF_NOTIFY | message_code; 832 rc = au_door_upcall(kctx, buf); 833 kmem_free(buf, alloc_size); 834 835 return (rc); 836 } 837 838 /* 839 * Write audit information to the door handle. au_doorio is called with 840 * one or more complete audit records on the queue and outputs those 841 * records in buffers of up to auk_queue.buflen in size. 842 */ 843 int 844 au_doorio(au_kcontext_t *kctx) { 845 off_t off; /* space used in buffer */ 846 ssize_t used; /* space used in au_membuf */ 847 token_t *cAR; /* current AR being processed */ 848 token_t *cMB; /* current au_membuf being processed */ 849 token_t *sp; /* last AR processed */ 850 char *bp; /* start of free space in staging buffer */ 851 unsigned char *cp; /* ptr to data to be moved */ 852 int error; /* return from door upcall */ 853 854 /* 855 * size (data left in au_membuf - space in buffer) 856 */ 857 ssize_t sz; 858 ssize_t len; /* len of data to move, size of AR */ 859 ssize_t curr_sz = 0; /* amount of data written during now */ 860 /* 861 * partial_state is AU_DBUF_COMPLETE...LAST; see audit_door_infc.h 862 */ 863 int part = 0; /* partial audit record written */ 864 int partial_state = AU_DBUF_COMPLETE; 865 /* 866 * Has the write buffer changed length due to a auditctl(2)? 867 * Initial allocation is from audit_start.c/audit_init() 868 */ 869 if (kctx->auk_queue.bufsz != kctx->auk_queue.buflen) { 870 kmem_free(kctx->auk_dbuffer, AU_DBUF_HEADER + 871 kctx->auk_queue.buflen); 872 873 kctx->auk_dbuffer = kmem_alloc(AU_DBUF_HEADER + 874 kctx->auk_queue.bufsz, KM_SLEEP); 875 876 /* omit the 64 bit header */ 877 kctx->auk_queue.buflen = kctx->auk_queue.bufsz; 878 } 879 if (!kctx->auk_queue.head) 880 goto nodata; 881 882 sp = NULL; /* no record copied */ 883 off = 0; /* no space used in buffer */ 884 used = 0; /* no data processed in au_membuf */ 885 cAR = kctx->auk_queue.head; /* start at head of queue */ 886 cMB = cAR; /* start with first au_membuf of record */ 887 888 /* start at beginning of buffer */ 889 bp = &(kctx->auk_dbuffer->aub_buf[0]); 890 891 while (cMB) { 892 part = 1; /* indicate audit record being processed */ 893 894 cp = memtod(cMB, unsigned char *); /* buffer ptr */ 895 896 sz = (ssize_t)cMB->len - used; /* data left in au_membuf */ 897 /* len to move */ 898 len = (ssize_t)MIN(sz, kctx->auk_queue.buflen - off); 899 900 /* move the data */ 901 bcopy(cp + used, bp + off, len); 902 used += len; /* update used au_membuf */ 903 off += len; /* update offset into buffer */ 904 905 if (used >= (ssize_t)cMB->len) { 906 /* advance to next au_membuf */ 907 used = 0; 908 cMB = cMB->next_buf; 909 } 910 if (cMB == NULL) { 911 /* advance to next audit record */ 912 sp = cAR; 913 cAR = cAR->next_rec; 914 cMB = cAR; 915 part = 0; /* have a complete record */ 916 } 917 error = 0; 918 if ((kctx->auk_queue.buflen == off) || (part == 0)) { 919 if (part) 920 partial_state = state_if_part[partial_state]; 921 else 922 partial_state = 923 state_if_not_part[partial_state]; 924 925 kctx->auk_dbuffer->aub_type = partial_state; 926 kctx->auk_dbuffer->aub_size = off; 927 error = au_door_upcall(kctx, kctx->auk_dbuffer); 928 if (error != 0) 929 goto nodata; 930 /* 931 * if we've successfully written an audit record, 932 * free records up to last full record copied 933 */ 934 if (sp) 935 au_dequeue(kctx, sp); 936 937 /* Update size */ 938 curr_sz += off; 939 940 /* reset auk_dbuffer pointers */ 941 sp = NULL; 942 off = 0; 943 } 944 } /* while(cMB) */ 945 nodata: 946 return (error); 947 } 948 949 /* 950 * Clean up thread audit state to clear out asynchronous audit record 951 * generation error recovery processing. Note that this is done on a 952 * per-thread basis and thus does not need any locking. 953 */ 954 void 955 audit_async_done(caddr_t *rpp, int flags) 956 { 957 t_audit_data_t *tad = U2A(u); 958 959 /* clean up the tad unless called from softcall backend */ 960 if (!(flags & AU_BACKEND)) { 961 ASSERT(tad != NULL); 962 ASSERT(tad->tad_ctrl & PAD_ERRJMP); 963 964 tad->tad_ctrl &= ~PAD_ERRJMP; 965 tad->tad_errjmp = NULL; 966 } 967 968 /* clean out partial audit record */ 969 if ((rpp != NULL) && (*rpp != NULL)) { 970 au_toss_token((au_buff_t *)*rpp); 971 *rpp = NULL; 972 } 973 } 974 975 /* 976 * implement the audit policy for asynchronous events generated within 977 * the kernel. 978 * XXX might need locks around audit_policy check. 979 */ 980 void 981 audit_async_drop(caddr_t *rpp, int flags) 982 { 983 au_kcontext_t *kctx; 984 985 /* could not generate audit record, clean up */ 986 audit_async_done((caddr_t *)rpp, flags); 987 988 kctx = GET_KCTX_GZ; 989 990 /* just drop the record and return */ 991 if (((audit_policy & AUDIT_AHLT) == 0) || 992 (kctx->auk_auditstate == AUC_INIT_AUDIT)) { 993 /* just count # of dropped audit records */ 994 AS_INC(as_dropped, 1, kctx); 995 return; 996 } 997 998 /* 999 * There can be a lot of data in the audit queue. We 1000 * will first sync the file systems then attempt to 1001 * shutdown the kernel so that a memory dump is 1002 * performed. 1003 */ 1004 sync(); 1005 sync(); 1006 1007 /* 1008 * now shut down. What a cruel world it has been 1009 */ 1010 panic("non-attributable halt. should dump core"); 1011 /* No return */ 1012 } 1013 1014 int 1015 audit_async_start(label_t *jb, int event, int sorf) 1016 { 1017 t_audit_data_t *tad = U2A(u); 1018 au_state_t estate; 1019 int success = 0, failure = 0; 1020 au_kcontext_t *kctx = GET_KCTX_GZ; 1021 1022 /* if audit state off, then no audit record generation */ 1023 if ((kctx->auk_auditstate != AUC_AUDITING) && 1024 (kctx->auk_auditstate != AUC_INIT_AUDIT)) 1025 return (1); 1026 1027 /* 1028 * preselect asynchronous event 1029 * XXX should we check for out-of-range??? 1030 */ 1031 estate = kctx->auk_ets[event]; 1032 1033 if (sorf & AUM_SUCC) 1034 success = kctx->auk_info.ai_mask.as_success & estate; 1035 if (sorf & AUM_FAIL) 1036 failure = kctx->auk_info.ai_mask.as_failure & estate; 1037 1038 if ((success | failure) == NULL) 1039 return (1); 1040 1041 ASSERT(tad->tad_errjmp == NULL); 1042 tad->tad_errjmp = (void *)jb; 1043 tad->tad_ctrl |= PAD_ERRJMP; 1044 1045 return (0); 1046 } 1047 1048 /* 1049 * Complete auditing of an async event. The AU_DONTBLOCK flag to au_close will 1050 * result in the backend routine being invoked from softcall, so all the real 1051 * work can be done in a safe context. 1052 */ 1053 void 1054 audit_async_finish(caddr_t *ad, int aid, int amod) 1055 { 1056 au_kcontext_t *kctx; 1057 1058 kctx = GET_KCTX_GZ; 1059 1060 au_close(kctx, ad, AU_DONTBLOCK | AU_OK, aid, PAD_NONATTR|amod); 1061 } 1062 1063 /* 1064 * Backend routine to complete an async audit. Invoked from softcall. 1065 * (Note: the blocking and the queuing below both involve locking which can't 1066 * be done safely in high interrupt context due to the chance of sleeping on 1067 * the corresponding adaptive mutex. Hence the softcall.) 1068 */ 1069 static void 1070 audit_async_finish_backend(void *addr) 1071 { 1072 au_kcontext_t *kctx; 1073 au_defer_info_t *attr = (au_defer_info_t *)addr; 1074 1075 if (attr == NULL) 1076 return; /* won't happen unless softcall is broken */ 1077 1078 kctx = GET_KCTX_GZ; 1079 1080 if (audit_async_block(kctx, (caddr_t *)&attr->audi_ad)) { 1081 kmem_free(attr, sizeof (au_defer_info_t)); 1082 return; 1083 } 1084 1085 /* 1086 * Call au_close_time to complete the audit with the saved values. 1087 * 1088 * For the exit-prom event, use the current time instead of the 1089 * saved time as a better approximation. (Because the time saved via 1090 * gethrestime during prom-exit handling would not yet be caught up 1091 * after the system was idled in the debugger for a period of time.) 1092 */ 1093 if (attr->audi_e_type == AUE_EXITPROM) { 1094 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 1095 attr->audi_e_type, attr->audi_e_mod, NULL); 1096 } else { 1097 au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag, 1098 attr->audi_e_type, attr->audi_e_mod, &attr->audi_atime); 1099 } 1100 1101 AS_INC(as_generated, 1, kctx); 1102 AS_INC(as_nonattrib, 1, kctx); 1103 1104 kmem_free(attr, sizeof (au_defer_info_t)); 1105 } 1106