17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*45916cd2Sjpk * Common Development and Distribution License (the "License"). 6*45916cd2Sjpk * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*45916cd2Sjpk * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate /* 277c478bd9Sstevel@tonic-gate * This file contains the audit hook support code for auditing. 287c478bd9Sstevel@tonic-gate */ 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 317c478bd9Sstevel@tonic-gate 327c478bd9Sstevel@tonic-gate #include <sys/types.h> 337c478bd9Sstevel@tonic-gate #include <sys/proc.h> 347c478bd9Sstevel@tonic-gate #include <sys/vnode.h> 357c478bd9Sstevel@tonic-gate #include <sys/vfs.h> 367c478bd9Sstevel@tonic-gate #include <sys/file.h> 377c478bd9Sstevel@tonic-gate #include <sys/user.h> 387c478bd9Sstevel@tonic-gate #include <sys/stropts.h> 397c478bd9Sstevel@tonic-gate #include <sys/systm.h> 407c478bd9Sstevel@tonic-gate #include <sys/pathname.h> 417c478bd9Sstevel@tonic-gate #include <sys/syscall.h> 427c478bd9Sstevel@tonic-gate #include <sys/fcntl.h> 437c478bd9Sstevel@tonic-gate #include <sys/ipc_impl.h> 447c478bd9Sstevel@tonic-gate #include <sys/msg_impl.h> 457c478bd9Sstevel@tonic-gate #include <sys/sem_impl.h> 467c478bd9Sstevel@tonic-gate #include <sys/shm_impl.h> 477c478bd9Sstevel@tonic-gate #include <sys/kmem.h> /* for KM_SLEEP */ 487c478bd9Sstevel@tonic-gate #include <sys/socket.h> 497c478bd9Sstevel@tonic-gate #include <sys/cmn_err.h> /* snprintf... */ 507c478bd9Sstevel@tonic-gate #include <sys/debug.h> 517c478bd9Sstevel@tonic-gate #include <sys/thread.h> 527c478bd9Sstevel@tonic-gate #include <netinet/in.h> 537c478bd9Sstevel@tonic-gate #include <c2/audit.h> /* needs to be included before user.h */ 547c478bd9Sstevel@tonic-gate #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 557c478bd9Sstevel@tonic-gate #include <c2/audit_kevents.h> 567c478bd9Sstevel@tonic-gate #include <c2/audit_record.h> 577c478bd9Sstevel@tonic-gate #include <sys/strsubr.h> 587c478bd9Sstevel@tonic-gate #include <sys/tihdr.h> 597c478bd9Sstevel@tonic-gate #include <sys/tiuser.h> 607c478bd9Sstevel@tonic-gate #include <sys/timod.h> 617c478bd9Sstevel@tonic-gate #include <sys/model.h> /* for model_t */ 627c478bd9Sstevel@tonic-gate #include <sys/disp.h> /* for servicing_interrupt() */ 637c478bd9Sstevel@tonic-gate #include <sys/devpolicy.h> 647c478bd9Sstevel@tonic-gate #include <sys/crypto/ioctladmin.h> 65c28749e9Skais #include <inet/kssl/kssl.h> 66*45916cd2Sjpk #include <sys/tsol/label.h> 677c478bd9Sstevel@tonic-gate 687c478bd9Sstevel@tonic-gate static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 697c478bd9Sstevel@tonic-gate 707c478bd9Sstevel@tonic-gate static void audit_pathbuild(struct pathname *pnp); 717c478bd9Sstevel@tonic-gate 727c478bd9Sstevel@tonic-gate /* 737c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_NEWPROC 747c478bd9Sstevel@tonic-gate * PURPOSE: initialize the child p_audit_data structure 757c478bd9Sstevel@tonic-gate * CALLBY: GETPROC 767c478bd9Sstevel@tonic-gate * NOTE: All threads for the parent process are locked at this point. 777c478bd9Sstevel@tonic-gate * We are essentially running singled threaded for this reason. 787c478bd9Sstevel@tonic-gate * GETPROC is called when system creates a new process. 797c478bd9Sstevel@tonic-gate * By the time AUDIT_NEWPROC is called, the child proc 807c478bd9Sstevel@tonic-gate * structure has already been initialized. What we need 817c478bd9Sstevel@tonic-gate * to do is to allocate the child p_audit_data and 827c478bd9Sstevel@tonic-gate * initialize it with the content of current parent process. 837c478bd9Sstevel@tonic-gate */ 847c478bd9Sstevel@tonic-gate 857c478bd9Sstevel@tonic-gate void 867c478bd9Sstevel@tonic-gate audit_newproc(struct proc *cp) /* initialized child proc structure */ 877c478bd9Sstevel@tonic-gate { 887c478bd9Sstevel@tonic-gate p_audit_data_t *pad; /* child process audit data */ 897c478bd9Sstevel@tonic-gate p_audit_data_t *opad; /* parent process audit data */ 907c478bd9Sstevel@tonic-gate 917c478bd9Sstevel@tonic-gate pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 927c478bd9Sstevel@tonic-gate 937c478bd9Sstevel@tonic-gate P2A(cp) = pad; 947c478bd9Sstevel@tonic-gate 957c478bd9Sstevel@tonic-gate opad = P2A(curproc); 967c478bd9Sstevel@tonic-gate 977c478bd9Sstevel@tonic-gate /* 987c478bd9Sstevel@tonic-gate * copy the audit data. Note that all threads of current 997c478bd9Sstevel@tonic-gate * process have been "held". Thus there is no race condition 1007c478bd9Sstevel@tonic-gate * here with mutiple threads trying to alter the cwrd 1017c478bd9Sstevel@tonic-gate * structure (such as releasing it). 1027c478bd9Sstevel@tonic-gate * 1037c478bd9Sstevel@tonic-gate * The audit context in the cred is "duplicated" for the new 1047c478bd9Sstevel@tonic-gate * proc by elsewhere crhold'ing the parent's cred which it shares. 1057c478bd9Sstevel@tonic-gate * 1067c478bd9Sstevel@tonic-gate * We still want to hold things since auditon() [A_SETUMASK, 1077c478bd9Sstevel@tonic-gate * A_SETSMASK] could be walking through the processes to 1087c478bd9Sstevel@tonic-gate * update things. 1097c478bd9Sstevel@tonic-gate */ 1107c478bd9Sstevel@tonic-gate mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 1117c478bd9Sstevel@tonic-gate pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 1127c478bd9Sstevel@tonic-gate au_pathhold(pad->pad_root); 1137c478bd9Sstevel@tonic-gate au_pathhold(pad->pad_cwd); 1147c478bd9Sstevel@tonic-gate mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 1157c478bd9Sstevel@tonic-gate 1167c478bd9Sstevel@tonic-gate /* 1177c478bd9Sstevel@tonic-gate * finish auditing of parent here so that it will be done 1187c478bd9Sstevel@tonic-gate * before child has a chance to run. We include the child 1197c478bd9Sstevel@tonic-gate * pid since the return value in the return token is a dummy 1207c478bd9Sstevel@tonic-gate * one and contains no useful information (it is included to 1217c478bd9Sstevel@tonic-gate * make the audit record structure consistant). 1227c478bd9Sstevel@tonic-gate * 1237c478bd9Sstevel@tonic-gate * tad_flag is set if auditing is on 1247c478bd9Sstevel@tonic-gate */ 1257c478bd9Sstevel@tonic-gate if (((t_audit_data_t *)T2A(curthread))->tad_flag) 1267c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 1277c478bd9Sstevel@tonic-gate 1287c478bd9Sstevel@tonic-gate /* 1297c478bd9Sstevel@tonic-gate * finish up audit record generation here because child process 1307c478bd9Sstevel@tonic-gate * is set to run before parent process. We distinguish here 1317c478bd9Sstevel@tonic-gate * between FORK, FORK1, or VFORK by the saved system call ID. 1327c478bd9Sstevel@tonic-gate */ 1337c478bd9Sstevel@tonic-gate audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 1347c478bd9Sstevel@tonic-gate } 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate /* 1377c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_PFREE 1387c478bd9Sstevel@tonic-gate * PURPOSE: deallocate the per-process udit data structure 1397c478bd9Sstevel@tonic-gate * CALLBY: EXIT 1407c478bd9Sstevel@tonic-gate * FORK_FAIL 1417c478bd9Sstevel@tonic-gate * NOTE: all lwp except current one have stopped in SEXITLWPS 1427c478bd9Sstevel@tonic-gate * why we are single threaded? 1437c478bd9Sstevel@tonic-gate * . all lwp except current one have stopped in SEXITLWPS. 1447c478bd9Sstevel@tonic-gate */ 1457c478bd9Sstevel@tonic-gate void 1467c478bd9Sstevel@tonic-gate audit_pfree(struct proc *p) /* proc structure to be freed */ 1477c478bd9Sstevel@tonic-gate 1487c478bd9Sstevel@tonic-gate { /* AUDIT_PFREE */ 1497c478bd9Sstevel@tonic-gate 1507c478bd9Sstevel@tonic-gate p_audit_data_t *pad; 1517c478bd9Sstevel@tonic-gate 1527c478bd9Sstevel@tonic-gate pad = P2A(p); 1537c478bd9Sstevel@tonic-gate 1547c478bd9Sstevel@tonic-gate /* better be a per process audit data structure */ 1557c478bd9Sstevel@tonic-gate ASSERT(pad != (p_audit_data_t *)0); 1567c478bd9Sstevel@tonic-gate 1577c478bd9Sstevel@tonic-gate if (pad == pad0) { 1587c478bd9Sstevel@tonic-gate return; 1597c478bd9Sstevel@tonic-gate } 1607c478bd9Sstevel@tonic-gate 1617c478bd9Sstevel@tonic-gate /* deallocate all auditing resources for this process */ 1627c478bd9Sstevel@tonic-gate au_pathrele(pad->pad_root); 1637c478bd9Sstevel@tonic-gate au_pathrele(pad->pad_cwd); 1647c478bd9Sstevel@tonic-gate 1657c478bd9Sstevel@tonic-gate /* 1667c478bd9Sstevel@tonic-gate * Since the pad structure is completely overwritten after alloc, 1677c478bd9Sstevel@tonic-gate * we don't bother to clear it. 1687c478bd9Sstevel@tonic-gate */ 1697c478bd9Sstevel@tonic-gate 1707c478bd9Sstevel@tonic-gate kmem_cache_free(au_pad_cache, pad); 1717c478bd9Sstevel@tonic-gate } 1727c478bd9Sstevel@tonic-gate 1737c478bd9Sstevel@tonic-gate /* 1747c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_THREAD_CREATE 1757c478bd9Sstevel@tonic-gate * PURPOSE: allocate per-process thread audit data structure 1767c478bd9Sstevel@tonic-gate * CALLBY: THREAD_CREATE 1777c478bd9Sstevel@tonic-gate * NOTE: This is called just after *t was bzero'd. 1787c478bd9Sstevel@tonic-gate * We are single threaded in this routine. 1797c478bd9Sstevel@tonic-gate * TODO: 1807c478bd9Sstevel@tonic-gate * QUESTION: 1817c478bd9Sstevel@tonic-gate */ 1827c478bd9Sstevel@tonic-gate 1837c478bd9Sstevel@tonic-gate void 1847c478bd9Sstevel@tonic-gate audit_thread_create(kthread_id_t t) 1857c478bd9Sstevel@tonic-gate { 1867c478bd9Sstevel@tonic-gate t_audit_data_t *tad; /* per-thread audit data */ 1877c478bd9Sstevel@tonic-gate 1887c478bd9Sstevel@tonic-gate tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 1897c478bd9Sstevel@tonic-gate 1907c478bd9Sstevel@tonic-gate T2A(t) = tad; /* set up thread audit data ptr */ 1917c478bd9Sstevel@tonic-gate tad->tad_thread = t; /* back ptr to thread: DEBUG */ 1927c478bd9Sstevel@tonic-gate } 1937c478bd9Sstevel@tonic-gate 1947c478bd9Sstevel@tonic-gate /* 1957c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_THREAD_FREE 1967c478bd9Sstevel@tonic-gate * PURPOSE: free the per-thread audit data structure 1977c478bd9Sstevel@tonic-gate * CALLBY: THREAD_FREE 1987c478bd9Sstevel@tonic-gate * NOTE: most thread data is clear after return 1997c478bd9Sstevel@tonic-gate */ 2007c478bd9Sstevel@tonic-gate void 2017c478bd9Sstevel@tonic-gate audit_thread_free(kthread_t *t) 2027c478bd9Sstevel@tonic-gate { 2037c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 2047c478bd9Sstevel@tonic-gate au_defer_info_t *attr; 2057c478bd9Sstevel@tonic-gate 2067c478bd9Sstevel@tonic-gate tad = T2A(t); 2077c478bd9Sstevel@tonic-gate 2087c478bd9Sstevel@tonic-gate /* thread audit data must still be set */ 2097c478bd9Sstevel@tonic-gate 2107c478bd9Sstevel@tonic-gate if (tad == tad0) { 2117c478bd9Sstevel@tonic-gate return; 2127c478bd9Sstevel@tonic-gate } 2137c478bd9Sstevel@tonic-gate 2147c478bd9Sstevel@tonic-gate if (tad == NULL) { 2157c478bd9Sstevel@tonic-gate return; 2167c478bd9Sstevel@tonic-gate } 2177c478bd9Sstevel@tonic-gate 2187c478bd9Sstevel@tonic-gate t->t_audit_data = 0; 2197c478bd9Sstevel@tonic-gate 2207c478bd9Sstevel@tonic-gate /* must not have any audit record residual */ 2217c478bd9Sstevel@tonic-gate ASSERT(tad->tad_ad == NULL); 2227c478bd9Sstevel@tonic-gate 2237c478bd9Sstevel@tonic-gate /* saved path must be empty */ 2247c478bd9Sstevel@tonic-gate ASSERT(tad->tad_aupath == NULL); 2257c478bd9Sstevel@tonic-gate 2267c478bd9Sstevel@tonic-gate if (tad->tad_atpath) 2277c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_atpath); 2287c478bd9Sstevel@tonic-gate 2297c478bd9Sstevel@tonic-gate attr = tad->tad_defer_head; 2307c478bd9Sstevel@tonic-gate while (attr != NULL) { 2317c478bd9Sstevel@tonic-gate au_defer_info_t *tmp_attr = attr; 2327c478bd9Sstevel@tonic-gate 2337c478bd9Sstevel@tonic-gate au_free_rec(attr->audi_ad); 2347c478bd9Sstevel@tonic-gate 2357c478bd9Sstevel@tonic-gate attr = attr->audi_next; 2367c478bd9Sstevel@tonic-gate kmem_free(tmp_attr, sizeof (au_defer_info_t)); 2377c478bd9Sstevel@tonic-gate } 2387c478bd9Sstevel@tonic-gate 2397c478bd9Sstevel@tonic-gate kmem_free(tad, sizeof (*tad)); 2407c478bd9Sstevel@tonic-gate } 2417c478bd9Sstevel@tonic-gate 2427c478bd9Sstevel@tonic-gate /* 2437c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_SAVEPATH 2447c478bd9Sstevel@tonic-gate * PURPOSE: 2457c478bd9Sstevel@tonic-gate * CALLBY: LOOKUPPN 2467c478bd9Sstevel@tonic-gate * 2477c478bd9Sstevel@tonic-gate * NOTE: We have reached the end of a path in fs/lookup.c. 2487c478bd9Sstevel@tonic-gate * We get two pieces of information here: 2497c478bd9Sstevel@tonic-gate * the vnode of the last component (vp) and 2507c478bd9Sstevel@tonic-gate * the status of the last access (flag). 2517c478bd9Sstevel@tonic-gate * TODO: 2527c478bd9Sstevel@tonic-gate * QUESTION: 2537c478bd9Sstevel@tonic-gate */ 2547c478bd9Sstevel@tonic-gate 2557c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 2567c478bd9Sstevel@tonic-gate int 2577c478bd9Sstevel@tonic-gate audit_savepath( 2587c478bd9Sstevel@tonic-gate struct pathname *pnp, /* pathname to lookup */ 2597c478bd9Sstevel@tonic-gate struct vnode *vp, /* vnode of the last component */ 2607c478bd9Sstevel@tonic-gate int flag, /* status of the last access */ 2617c478bd9Sstevel@tonic-gate cred_t *cr) /* cred of requestor */ 2627c478bd9Sstevel@tonic-gate { 2637c478bd9Sstevel@tonic-gate 2647c478bd9Sstevel@tonic-gate t_audit_data_t *tad; /* current thread */ 2657c478bd9Sstevel@tonic-gate p_audit_data_t *pad; /* current process */ 2667c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 2677c478bd9Sstevel@tonic-gate 2687c478bd9Sstevel@tonic-gate if (kctx == NULL) { 2697c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 2707c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 2717c478bd9Sstevel@tonic-gate return (0); 2727c478bd9Sstevel@tonic-gate } 2737c478bd9Sstevel@tonic-gate 2747c478bd9Sstevel@tonic-gate tad = U2A(u); 2757c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 2767c478bd9Sstevel@tonic-gate pad = P2A(curproc); 2777c478bd9Sstevel@tonic-gate ASSERT(pad != (p_audit_data_t *)0); 2787c478bd9Sstevel@tonic-gate 2797c478bd9Sstevel@tonic-gate /* 2807c478bd9Sstevel@tonic-gate * this event being audited or do we need path information 2817c478bd9Sstevel@tonic-gate * later? This might be for a chdir/chroot or open (add path 2827c478bd9Sstevel@tonic-gate * to file pointer. If the path has already been found for an 2837c478bd9Sstevel@tonic-gate * open/creat then we don't need to process the path. 2847c478bd9Sstevel@tonic-gate * 2857c478bd9Sstevel@tonic-gate * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 2867c478bd9Sstevel@tonic-gate * chroot, chdir, open, creat system call processing. It determines 2877c478bd9Sstevel@tonic-gate * if audit_savepath() will discard the path or we need it later. 2887c478bd9Sstevel@tonic-gate * PAD_PATHFND means path already included in this audit record. It 2897c478bd9Sstevel@tonic-gate * is used in cases where multiple path lookups are done per 2907c478bd9Sstevel@tonic-gate * system call. The policy flag, AUDIT_PATH, controls if multiple 2917c478bd9Sstevel@tonic-gate * paths are allowed. 2927c478bd9Sstevel@tonic-gate * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 2937c478bd9Sstevel@tonic-gate * exit processing to inhibit any paths that may be added due to 2947c478bd9Sstevel@tonic-gate * closes. 2957c478bd9Sstevel@tonic-gate */ 2967c478bd9Sstevel@tonic-gate if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 2977c478bd9Sstevel@tonic-gate ((tad->tad_ctrl & PAD_PATHFND) && 2987c478bd9Sstevel@tonic-gate !(kctx->auk_policy & AUDIT_PATH)) || 2997c478bd9Sstevel@tonic-gate (tad->tad_ctrl & PAD_NOPATH)) { 3007c478bd9Sstevel@tonic-gate return (0); 3017c478bd9Sstevel@tonic-gate } 3027c478bd9Sstevel@tonic-gate 303*45916cd2Sjpk tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 304*45916cd2Sjpk 3057c478bd9Sstevel@tonic-gate audit_pathbuild(pnp); 3067c478bd9Sstevel@tonic-gate tad->tad_vn = vp; 3077c478bd9Sstevel@tonic-gate 3087c478bd9Sstevel@tonic-gate /* 3097c478bd9Sstevel@tonic-gate * are we auditing only if error, or if it is not open or create 3107c478bd9Sstevel@tonic-gate * otherwise audit_setf will do it 3117c478bd9Sstevel@tonic-gate */ 3127c478bd9Sstevel@tonic-gate 3137c478bd9Sstevel@tonic-gate if (tad->tad_flag) { 3147c478bd9Sstevel@tonic-gate if (flag && (tad->tad_scid == SYS_open || 3157c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_open64 || 3167c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_creat || 3177c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_creat64 || 3187c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_fsat)) { 3197c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_TRUE_CREATE; 3207c478bd9Sstevel@tonic-gate } 3217c478bd9Sstevel@tonic-gate 3227c478bd9Sstevel@tonic-gate /* add token to audit record for this name */ 3237c478bd9Sstevel@tonic-gate au_uwrite(au_to_path(tad->tad_aupath)); 3247c478bd9Sstevel@tonic-gate 3257c478bd9Sstevel@tonic-gate /* add the attributes of the object */ 3267c478bd9Sstevel@tonic-gate if (vp) { 3277c478bd9Sstevel@tonic-gate /* 3287c478bd9Sstevel@tonic-gate * only capture attributes when there is no error 3297c478bd9Sstevel@tonic-gate * lookup will not return the vnode of the failing 3307c478bd9Sstevel@tonic-gate * component. 3317c478bd9Sstevel@tonic-gate * 3327c478bd9Sstevel@tonic-gate * if there was a lookup error, then don't add 3337c478bd9Sstevel@tonic-gate * attribute. if lookup in vn_create(), 3347c478bd9Sstevel@tonic-gate * then don't add attribute, 3357c478bd9Sstevel@tonic-gate * it will be added at end of vn_create(). 3367c478bd9Sstevel@tonic-gate */ 3377c478bd9Sstevel@tonic-gate if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 3387c478bd9Sstevel@tonic-gate audit_attributes(vp); 3397c478bd9Sstevel@tonic-gate } 3407c478bd9Sstevel@tonic-gate } 3417c478bd9Sstevel@tonic-gate 3427c478bd9Sstevel@tonic-gate /* free up space if we're not going to save path (open, crate) */ 3437c478bd9Sstevel@tonic-gate if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 3447c478bd9Sstevel@tonic-gate if (tad->tad_aupath != NULL) { 3457c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_aupath); 3467c478bd9Sstevel@tonic-gate tad->tad_aupath = NULL; 3477c478bd9Sstevel@tonic-gate tad->tad_vn = NULL; 3487c478bd9Sstevel@tonic-gate } 3497c478bd9Sstevel@tonic-gate } 3507c478bd9Sstevel@tonic-gate if (tad->tad_ctrl & PAD_MLD) 3517c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_PATHFND; 3527c478bd9Sstevel@tonic-gate 353*45916cd2Sjpk tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 3547c478bd9Sstevel@tonic-gate return (0); 3557c478bd9Sstevel@tonic-gate } 3567c478bd9Sstevel@tonic-gate 3577c478bd9Sstevel@tonic-gate static void 3587c478bd9Sstevel@tonic-gate audit_pathbuild(struct pathname *pnp) 3597c478bd9Sstevel@tonic-gate { 3607c478bd9Sstevel@tonic-gate char *pp; /* pointer to path */ 3617c478bd9Sstevel@tonic-gate int len; /* length of incoming segment */ 3627c478bd9Sstevel@tonic-gate int newsect; /* path requires a new section */ 3637c478bd9Sstevel@tonic-gate struct audit_path *pfxapp; /* prefix for path */ 3647c478bd9Sstevel@tonic-gate struct audit_path *newapp; /* new audit_path */ 3657c478bd9Sstevel@tonic-gate t_audit_data_t *tad; /* current thread */ 3667c478bd9Sstevel@tonic-gate p_audit_data_t *pad; /* current process */ 3677c478bd9Sstevel@tonic-gate 3687c478bd9Sstevel@tonic-gate tad = U2A(u); 3697c478bd9Sstevel@tonic-gate ASSERT(tad != NULL); 3707c478bd9Sstevel@tonic-gate pad = P2A(curproc); 3717c478bd9Sstevel@tonic-gate ASSERT(pad != NULL); 3727c478bd9Sstevel@tonic-gate 3737c478bd9Sstevel@tonic-gate len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 3747c478bd9Sstevel@tonic-gate ASSERT(len > 0); 3757c478bd9Sstevel@tonic-gate 3767c478bd9Sstevel@tonic-gate /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 3777c478bd9Sstevel@tonic-gate mutex_enter(&pad->pad_lock); 3787c478bd9Sstevel@tonic-gate if (tad->tad_aupath != NULL) { 3797c478bd9Sstevel@tonic-gate pfxapp = tad->tad_aupath; 3807c478bd9Sstevel@tonic-gate } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 3817c478bd9Sstevel@tonic-gate ASSERT(tad->tad_atpath != NULL); 3827c478bd9Sstevel@tonic-gate pfxapp = tad->tad_atpath; 3837c478bd9Sstevel@tonic-gate } else if (tad->tad_ctrl & PAD_ABSPATH) { 3847c478bd9Sstevel@tonic-gate pfxapp = pad->pad_root; 3857c478bd9Sstevel@tonic-gate } else { 3867c478bd9Sstevel@tonic-gate pfxapp = pad->pad_cwd; 3877c478bd9Sstevel@tonic-gate } 3887c478bd9Sstevel@tonic-gate au_pathhold(pfxapp); 3897c478bd9Sstevel@tonic-gate mutex_exit(&pad->pad_lock); 3907c478bd9Sstevel@tonic-gate 3917c478bd9Sstevel@tonic-gate /* get an expanded buffer to hold the anchored path */ 3927c478bd9Sstevel@tonic-gate newsect = tad->tad_ctrl & PAD_ATPATH; 3937c478bd9Sstevel@tonic-gate newapp = au_pathdup(pfxapp, newsect, len); 3947c478bd9Sstevel@tonic-gate au_pathrele(pfxapp); 3957c478bd9Sstevel@tonic-gate 3967c478bd9Sstevel@tonic-gate pp = newapp->audp_sect[newapp->audp_cnt] - len; 3977c478bd9Sstevel@tonic-gate if (!newsect) { 3987c478bd9Sstevel@tonic-gate /* overlay previous NUL terminator */ 3997c478bd9Sstevel@tonic-gate *(pp - 1) = '/'; 4007c478bd9Sstevel@tonic-gate } 4017c478bd9Sstevel@tonic-gate 4027c478bd9Sstevel@tonic-gate /* now add string of processed path */ 4037c478bd9Sstevel@tonic-gate bcopy(pnp->pn_buf, pp, len); 4047c478bd9Sstevel@tonic-gate pp[len - 1] = '\0'; 4057c478bd9Sstevel@tonic-gate 4067c478bd9Sstevel@tonic-gate /* perform path simplification as necessary */ 4077c478bd9Sstevel@tonic-gate audit_fixpath(newapp, len); 4087c478bd9Sstevel@tonic-gate 4097c478bd9Sstevel@tonic-gate if (tad->tad_aupath) 4107c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_aupath); 4117c478bd9Sstevel@tonic-gate tad->tad_aupath = newapp; 4127c478bd9Sstevel@tonic-gate 4137c478bd9Sstevel@tonic-gate /* for case where multiple lookups in one syscall (rename) */ 4147c478bd9Sstevel@tonic-gate tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 4157c478bd9Sstevel@tonic-gate } 4167c478bd9Sstevel@tonic-gate 4177c478bd9Sstevel@tonic-gate 4187c478bd9Sstevel@tonic-gate 4197c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 4207c478bd9Sstevel@tonic-gate 4217c478bd9Sstevel@tonic-gate /* 4227c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_ADDCOMPONENT 4237c478bd9Sstevel@tonic-gate * PURPOSE: extend the path by the component accepted 4247c478bd9Sstevel@tonic-gate * CALLBY: LOOKUPPN 4257c478bd9Sstevel@tonic-gate * NOTE: This function is called only when there is an error in 4267c478bd9Sstevel@tonic-gate * parsing a path component 4277c478bd9Sstevel@tonic-gate * TODO: Add the error component to audit record 4287c478bd9Sstevel@tonic-gate * QUESTION: what is this for 4297c478bd9Sstevel@tonic-gate */ 4307c478bd9Sstevel@tonic-gate 4317c478bd9Sstevel@tonic-gate void 4327c478bd9Sstevel@tonic-gate audit_addcomponent(struct pathname *pnp) 4337c478bd9Sstevel@tonic-gate { 4347c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 4357c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 4367c478bd9Sstevel@tonic-gate 4377c478bd9Sstevel@tonic-gate if (kctx == NULL) { 4387c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 4397c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 4407c478bd9Sstevel@tonic-gate return; 4417c478bd9Sstevel@tonic-gate } 4427c478bd9Sstevel@tonic-gate 4437c478bd9Sstevel@tonic-gate tad = U2A(u); 4447c478bd9Sstevel@tonic-gate /* 4457c478bd9Sstevel@tonic-gate * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 4467c478bd9Sstevel@tonic-gate * chroot, chdir, open, creat system call processing. It determines 4477c478bd9Sstevel@tonic-gate * if audit_savepath() will discard the path or we need it later. 4487c478bd9Sstevel@tonic-gate * PAD_PATHFND means path already included in this audit record. It 4497c478bd9Sstevel@tonic-gate * is used in cases where multiple path lookups are done per 4507c478bd9Sstevel@tonic-gate * system call. The policy flag, AUDIT_PATH, controls if multiple 4517c478bd9Sstevel@tonic-gate * paths are allowed. 4527c478bd9Sstevel@tonic-gate * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 4537c478bd9Sstevel@tonic-gate * exit processing to inhibit any paths that may be added due to 4547c478bd9Sstevel@tonic-gate * closes. 4557c478bd9Sstevel@tonic-gate */ 4567c478bd9Sstevel@tonic-gate if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 4577c478bd9Sstevel@tonic-gate ((tad->tad_ctrl & PAD_PATHFND) && 4587c478bd9Sstevel@tonic-gate !(kctx->auk_policy & AUDIT_PATH)) || 4597c478bd9Sstevel@tonic-gate (tad->tad_ctrl & PAD_NOPATH)) { 4607c478bd9Sstevel@tonic-gate return; 4617c478bd9Sstevel@tonic-gate } 4627c478bd9Sstevel@tonic-gate 4637c478bd9Sstevel@tonic-gate return; 4647c478bd9Sstevel@tonic-gate 4657c478bd9Sstevel@tonic-gate } /* AUDIT_ADDCOMPONENT */ 4667c478bd9Sstevel@tonic-gate 4677c478bd9Sstevel@tonic-gate 4687c478bd9Sstevel@tonic-gate 4697c478bd9Sstevel@tonic-gate 4707c478bd9Sstevel@tonic-gate 4717c478bd9Sstevel@tonic-gate 4727c478bd9Sstevel@tonic-gate 4737c478bd9Sstevel@tonic-gate 4747c478bd9Sstevel@tonic-gate /* 4757c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_ANCHORPATH 4767c478bd9Sstevel@tonic-gate * PURPOSE: 4777c478bd9Sstevel@tonic-gate * CALLBY: LOOKUPPN 4787c478bd9Sstevel@tonic-gate * NOTE: 4797c478bd9Sstevel@tonic-gate * anchor path at "/". We have seen a symbolic link or entering for the 4807c478bd9Sstevel@tonic-gate * first time we will throw away any saved path if path is anchored. 4817c478bd9Sstevel@tonic-gate * 4827c478bd9Sstevel@tonic-gate * flag = 0, path is relative. 4837c478bd9Sstevel@tonic-gate * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 4847c478bd9Sstevel@tonic-gate * 4857c478bd9Sstevel@tonic-gate * If the (new) path is absolute, then we have to throw away whatever we have 4867c478bd9Sstevel@tonic-gate * already accumulated since it is being superceeded by new path which is 4877c478bd9Sstevel@tonic-gate * anchored at the root. 4887c478bd9Sstevel@tonic-gate * Note that if the path is relative, this function does nothing 4897c478bd9Sstevel@tonic-gate * TODO: 4907c478bd9Sstevel@tonic-gate * QUESTION: 4917c478bd9Sstevel@tonic-gate */ 4927c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 4937c478bd9Sstevel@tonic-gate void 4947c478bd9Sstevel@tonic-gate audit_anchorpath(struct pathname *pnp, int flag) 4957c478bd9Sstevel@tonic-gate { 4967c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 4977c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 4987c478bd9Sstevel@tonic-gate 4997c478bd9Sstevel@tonic-gate if (kctx == NULL) { 5007c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 5017c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 5027c478bd9Sstevel@tonic-gate return; 5037c478bd9Sstevel@tonic-gate } 5047c478bd9Sstevel@tonic-gate 5057c478bd9Sstevel@tonic-gate tad = U2A(u); 5067c478bd9Sstevel@tonic-gate 5077c478bd9Sstevel@tonic-gate /* 5087c478bd9Sstevel@tonic-gate * this event being audited or do we need path information 5097c478bd9Sstevel@tonic-gate * later? This might be for a chdir/chroot or open (add path 5107c478bd9Sstevel@tonic-gate * to file pointer. If the path has already been found for an 5117c478bd9Sstevel@tonic-gate * open/creat then we don't need to process the path. 5127c478bd9Sstevel@tonic-gate * 5137c478bd9Sstevel@tonic-gate * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 5147c478bd9Sstevel@tonic-gate * chroot, chdir, open, creat system call processing. It determines 5157c478bd9Sstevel@tonic-gate * if audit_savepath() will discard the path or we need it later. 5167c478bd9Sstevel@tonic-gate * PAD_PATHFND means path already included in this audit record. It 5177c478bd9Sstevel@tonic-gate * is used in cases where multiple path lookups are done per 5187c478bd9Sstevel@tonic-gate * system call. The policy flag, AUDIT_PATH, controls if multiple 5197c478bd9Sstevel@tonic-gate * paths are allowed. 5207c478bd9Sstevel@tonic-gate * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 5217c478bd9Sstevel@tonic-gate * exit processing to inhibit any paths that may be added due to 5227c478bd9Sstevel@tonic-gate * closes. 5237c478bd9Sstevel@tonic-gate */ 5247c478bd9Sstevel@tonic-gate if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 5257c478bd9Sstevel@tonic-gate ((tad->tad_ctrl & PAD_PATHFND) && 5267c478bd9Sstevel@tonic-gate !(kctx->auk_policy & AUDIT_PATH)) || 5277c478bd9Sstevel@tonic-gate (tad->tad_ctrl & PAD_NOPATH)) { 5287c478bd9Sstevel@tonic-gate return; 5297c478bd9Sstevel@tonic-gate } 5307c478bd9Sstevel@tonic-gate 5317c478bd9Sstevel@tonic-gate if (flag) { 5327c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_ABSPATH; 5337c478bd9Sstevel@tonic-gate if (tad->tad_aupath != NULL) { 5347c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_aupath); 5357c478bd9Sstevel@tonic-gate tad->tad_aupath = NULL; 5367c478bd9Sstevel@tonic-gate tad->tad_vn = NULL; 5377c478bd9Sstevel@tonic-gate } 5387c478bd9Sstevel@tonic-gate } 5397c478bd9Sstevel@tonic-gate } 5407c478bd9Sstevel@tonic-gate 5417c478bd9Sstevel@tonic-gate 5427c478bd9Sstevel@tonic-gate /* 5437c478bd9Sstevel@tonic-gate * symbolic link. Save previous components. 5447c478bd9Sstevel@tonic-gate * 5457c478bd9Sstevel@tonic-gate * the path seen so far looks like this 5467c478bd9Sstevel@tonic-gate * 5477c478bd9Sstevel@tonic-gate * +-----------------------+----------------+ 5487c478bd9Sstevel@tonic-gate * | path processed so far | remaining path | 5497c478bd9Sstevel@tonic-gate * +-----------------------+----------------+ 5507c478bd9Sstevel@tonic-gate * \-----------------------/ 5517c478bd9Sstevel@tonic-gate * save this string if 5527c478bd9Sstevel@tonic-gate * symbolic link relative 5537c478bd9Sstevel@tonic-gate * (but don't include symlink component) 5547c478bd9Sstevel@tonic-gate */ 5557c478bd9Sstevel@tonic-gate 5567c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 5577c478bd9Sstevel@tonic-gate 5587c478bd9Sstevel@tonic-gate 5597c478bd9Sstevel@tonic-gate /* 5607c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_SYMLINK 5617c478bd9Sstevel@tonic-gate * PURPOSE: 5627c478bd9Sstevel@tonic-gate * CALLBY: LOOKUPPN 5637c478bd9Sstevel@tonic-gate * NOTE: 5647c478bd9Sstevel@tonic-gate * TODO: 5657c478bd9Sstevel@tonic-gate * QUESTION: 5667c478bd9Sstevel@tonic-gate */ 5677c478bd9Sstevel@tonic-gate void 5687c478bd9Sstevel@tonic-gate audit_symlink(struct pathname *pnp, struct pathname *sympath) 5697c478bd9Sstevel@tonic-gate { 5707c478bd9Sstevel@tonic-gate char *sp; /* saved initial pp */ 5717c478bd9Sstevel@tonic-gate char *cp; /* start of symlink path */ 5727c478bd9Sstevel@tonic-gate uint_t len_path; /* processed path before symlink */ 5737c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 5747c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 5757c478bd9Sstevel@tonic-gate 5767c478bd9Sstevel@tonic-gate if (kctx == NULL) { 5777c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 5787c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 5797c478bd9Sstevel@tonic-gate return; 5807c478bd9Sstevel@tonic-gate } 5817c478bd9Sstevel@tonic-gate 5827c478bd9Sstevel@tonic-gate tad = U2A(u); 5837c478bd9Sstevel@tonic-gate 5847c478bd9Sstevel@tonic-gate /* 5857c478bd9Sstevel@tonic-gate * this event being audited or do we need path information 5867c478bd9Sstevel@tonic-gate * later? This might be for a chdir/chroot or open (add path 5877c478bd9Sstevel@tonic-gate * to file pointer. If the path has already been found for an 5887c478bd9Sstevel@tonic-gate * open/creat then we don't need to process the path. 5897c478bd9Sstevel@tonic-gate * 5907c478bd9Sstevel@tonic-gate * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 5917c478bd9Sstevel@tonic-gate * chroot, chdir, open, creat system call processing. It determines 5927c478bd9Sstevel@tonic-gate * if audit_savepath() will discard the path or we need it later. 5937c478bd9Sstevel@tonic-gate * PAD_PATHFND means path already included in this audit record. It 5947c478bd9Sstevel@tonic-gate * is used in cases where multiple path lookups are done per 5957c478bd9Sstevel@tonic-gate * system call. The policy flag, AUDIT_PATH, controls if multiple 5967c478bd9Sstevel@tonic-gate * paths are allowed. 5977c478bd9Sstevel@tonic-gate * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 5987c478bd9Sstevel@tonic-gate * exit processing to inhibit any paths that may be added due to 5997c478bd9Sstevel@tonic-gate * closes. 6007c478bd9Sstevel@tonic-gate */ 6017c478bd9Sstevel@tonic-gate if ((tad->tad_flag == 0 && 6027c478bd9Sstevel@tonic-gate !(tad->tad_ctrl & PAD_SAVPATH)) || 6037c478bd9Sstevel@tonic-gate ((tad->tad_ctrl & PAD_PATHFND) && 6047c478bd9Sstevel@tonic-gate !(kctx->auk_policy & AUDIT_PATH)) || 6057c478bd9Sstevel@tonic-gate (tad->tad_ctrl & PAD_NOPATH)) { 6067c478bd9Sstevel@tonic-gate return; 6077c478bd9Sstevel@tonic-gate } 6087c478bd9Sstevel@tonic-gate 6097c478bd9Sstevel@tonic-gate /* 6107c478bd9Sstevel@tonic-gate * if symbolic link is anchored at / then do nothing. 6117c478bd9Sstevel@tonic-gate * When we cycle back to begin: in lookuppn() we will 6127c478bd9Sstevel@tonic-gate * call audit_anchorpath() with a flag indicating if the 6137c478bd9Sstevel@tonic-gate * path is anchored at / or is relative. We will release 6147c478bd9Sstevel@tonic-gate * any saved path at that point. 6157c478bd9Sstevel@tonic-gate * 6167c478bd9Sstevel@tonic-gate * Note In the event that an error occurs in pn_combine then 6177c478bd9Sstevel@tonic-gate * we want to remain pointing at the component that caused the 6187c478bd9Sstevel@tonic-gate * path to overflow the pnp structure. 6197c478bd9Sstevel@tonic-gate */ 6207c478bd9Sstevel@tonic-gate if (sympath->pn_buf[0] == '/') 6217c478bd9Sstevel@tonic-gate return; 6227c478bd9Sstevel@tonic-gate 6237c478bd9Sstevel@tonic-gate /* backup over last component */ 6247c478bd9Sstevel@tonic-gate sp = cp = pnp->pn_path; 6257c478bd9Sstevel@tonic-gate while (*--cp != '/' && cp > pnp->pn_buf) 6267c478bd9Sstevel@tonic-gate ; 6277c478bd9Sstevel@tonic-gate 6287c478bd9Sstevel@tonic-gate len_path = cp - pnp->pn_buf; 6297c478bd9Sstevel@tonic-gate 6307c478bd9Sstevel@tonic-gate /* is there anything to save? */ 6317c478bd9Sstevel@tonic-gate if (len_path) { 6327c478bd9Sstevel@tonic-gate pnp->pn_path = cp; 6337c478bd9Sstevel@tonic-gate audit_pathbuild(pnp); 6347c478bd9Sstevel@tonic-gate pnp->pn_path = sp; 6357c478bd9Sstevel@tonic-gate } 6367c478bd9Sstevel@tonic-gate } 6377c478bd9Sstevel@tonic-gate 6387c478bd9Sstevel@tonic-gate /* 6397c478bd9Sstevel@tonic-gate * file_is_public : determine whether events for the file (corresponding to 6407c478bd9Sstevel@tonic-gate * the specified file attr) should be audited or ignored. 6417c478bd9Sstevel@tonic-gate * 6427c478bd9Sstevel@tonic-gate * returns: 1 - if audit policy and file attributes indicate that 6437c478bd9Sstevel@tonic-gate * file is effectively public. read events for 6447c478bd9Sstevel@tonic-gate * the file should not be audited. 6457c478bd9Sstevel@tonic-gate * 0 - otherwise 6467c478bd9Sstevel@tonic-gate * 6477c478bd9Sstevel@tonic-gate * The required attributes to be considered a public object are: 6487c478bd9Sstevel@tonic-gate * - owned by root, AND 6497c478bd9Sstevel@tonic-gate * - world-readable (permissions for other include read), AND 6507c478bd9Sstevel@tonic-gate * - NOT world-writeable (permissions for other don't 6517c478bd9Sstevel@tonic-gate * include write) 6527c478bd9Sstevel@tonic-gate * (mode doesn't need to be checked for symlinks) 6537c478bd9Sstevel@tonic-gate */ 6547c478bd9Sstevel@tonic-gate int 6557c478bd9Sstevel@tonic-gate file_is_public(struct vattr *attr) 6567c478bd9Sstevel@tonic-gate { 6577c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 6587c478bd9Sstevel@tonic-gate 6597c478bd9Sstevel@tonic-gate if (kctx == NULL) { 6607c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 6617c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 6627c478bd9Sstevel@tonic-gate return (0); 6637c478bd9Sstevel@tonic-gate } 6647c478bd9Sstevel@tonic-gate 6657c478bd9Sstevel@tonic-gate if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 6667c478bd9Sstevel@tonic-gate ((attr->va_type == VLNK) || 6677c478bd9Sstevel@tonic-gate ((attr->va_mode & (VREAD>>6)) != 0) && 6687c478bd9Sstevel@tonic-gate ((attr->va_mode & (VWRITE>>6)) == 0))) { 6697c478bd9Sstevel@tonic-gate return (1); 6707c478bd9Sstevel@tonic-gate } 6717c478bd9Sstevel@tonic-gate return (0); 6727c478bd9Sstevel@tonic-gate } 6737c478bd9Sstevel@tonic-gate 6747c478bd9Sstevel@tonic-gate 6757c478bd9Sstevel@tonic-gate /* 6767c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_ATTRIBUTES 6777c478bd9Sstevel@tonic-gate * PURPOSE: Audit the attributes so we can tell why the error occured 6787c478bd9Sstevel@tonic-gate * CALLBY: AUDIT_SAVEPATH 6797c478bd9Sstevel@tonic-gate * AUDIT_VNCREATE_FINISH 6807c478bd9Sstevel@tonic-gate * AUS_FCHOWN...audit_event.c...audit_path.c 6817c478bd9Sstevel@tonic-gate * NOTE: 6827c478bd9Sstevel@tonic-gate * TODO: 6837c478bd9Sstevel@tonic-gate * QUESTION: 6847c478bd9Sstevel@tonic-gate */ 6857c478bd9Sstevel@tonic-gate void 6867c478bd9Sstevel@tonic-gate audit_attributes(struct vnode *vp) 6877c478bd9Sstevel@tonic-gate { 6887c478bd9Sstevel@tonic-gate struct vattr attr; 6897c478bd9Sstevel@tonic-gate struct t_audit_data *tad; 6907c478bd9Sstevel@tonic-gate 6917c478bd9Sstevel@tonic-gate tad = U2A(u); 6927c478bd9Sstevel@tonic-gate 6937c478bd9Sstevel@tonic-gate if (vp) { 6947c478bd9Sstevel@tonic-gate attr.va_mask = AT_ALL; 6957c478bd9Sstevel@tonic-gate if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0) 6967c478bd9Sstevel@tonic-gate return; 6977c478bd9Sstevel@tonic-gate 6987c478bd9Sstevel@tonic-gate if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 6997c478bd9Sstevel@tonic-gate /* 7007c478bd9Sstevel@tonic-gate * This is a public object and a "public" event 7017c478bd9Sstevel@tonic-gate * (i.e., read only) -- either by definition 7027c478bd9Sstevel@tonic-gate * (e.g., stat, access...) or by virtue of write access 7037c478bd9Sstevel@tonic-gate * not being requested (e.g. mmap). 7047c478bd9Sstevel@tonic-gate * Flag it in the tad to prevent this audit at the end. 7057c478bd9Sstevel@tonic-gate */ 7067c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_NOAUDIT; 7077c478bd9Sstevel@tonic-gate } else { 7087c478bd9Sstevel@tonic-gate au_uwrite(au_to_attr(&attr)); 709*45916cd2Sjpk audit_sec_attributes(&(u_ad), vp); 7107c478bd9Sstevel@tonic-gate } 7117c478bd9Sstevel@tonic-gate } 7127c478bd9Sstevel@tonic-gate } 7137c478bd9Sstevel@tonic-gate 7147c478bd9Sstevel@tonic-gate 7157c478bd9Sstevel@tonic-gate /* 7167c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_FALLOC 7177c478bd9Sstevel@tonic-gate * PURPOSE: allocating a new file structure 7187c478bd9Sstevel@tonic-gate * CALLBY: FALLOC 7197c478bd9Sstevel@tonic-gate * NOTE: file structure already initialized 7207c478bd9Sstevel@tonic-gate * TODO: 7217c478bd9Sstevel@tonic-gate * QUESTION: 7227c478bd9Sstevel@tonic-gate */ 7237c478bd9Sstevel@tonic-gate 7247c478bd9Sstevel@tonic-gate void 7257c478bd9Sstevel@tonic-gate audit_falloc(struct file *fp) 7267c478bd9Sstevel@tonic-gate { /* AUDIT_FALLOC */ 7277c478bd9Sstevel@tonic-gate 7287c478bd9Sstevel@tonic-gate f_audit_data_t *fad; 7297c478bd9Sstevel@tonic-gate 7307c478bd9Sstevel@tonic-gate /* allocate per file audit structure if there a'int any */ 7317c478bd9Sstevel@tonic-gate ASSERT(F2A(fp) == NULL); 7327c478bd9Sstevel@tonic-gate 7337c478bd9Sstevel@tonic-gate fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 7347c478bd9Sstevel@tonic-gate 7357c478bd9Sstevel@tonic-gate F2A(fp) = fad; 7367c478bd9Sstevel@tonic-gate 7377c478bd9Sstevel@tonic-gate fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 7387c478bd9Sstevel@tonic-gate } 7397c478bd9Sstevel@tonic-gate 7407c478bd9Sstevel@tonic-gate /* 7417c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_UNFALLOC 7427c478bd9Sstevel@tonic-gate * PURPOSE: deallocate file audit data structure 7437c478bd9Sstevel@tonic-gate * CALLBY: CLOSEF 7447c478bd9Sstevel@tonic-gate * UNFALLOC 7457c478bd9Sstevel@tonic-gate * NOTE: 7467c478bd9Sstevel@tonic-gate * TODO: 7477c478bd9Sstevel@tonic-gate * QUESTION: 7487c478bd9Sstevel@tonic-gate */ 7497c478bd9Sstevel@tonic-gate 7507c478bd9Sstevel@tonic-gate void 7517c478bd9Sstevel@tonic-gate audit_unfalloc(struct file *fp) 7527c478bd9Sstevel@tonic-gate { 7537c478bd9Sstevel@tonic-gate f_audit_data_t *fad; 7547c478bd9Sstevel@tonic-gate 7557c478bd9Sstevel@tonic-gate fad = F2A(fp); 7567c478bd9Sstevel@tonic-gate 7577c478bd9Sstevel@tonic-gate if (!fad) { 7587c478bd9Sstevel@tonic-gate return; 7597c478bd9Sstevel@tonic-gate } 7607c478bd9Sstevel@tonic-gate if (fad->fad_aupath != NULL) { 7617c478bd9Sstevel@tonic-gate au_pathrele(fad->fad_aupath); 7627c478bd9Sstevel@tonic-gate } 7637c478bd9Sstevel@tonic-gate fp->f_audit_data = 0; 7647c478bd9Sstevel@tonic-gate kmem_free(fad, sizeof (struct f_audit_data)); 7657c478bd9Sstevel@tonic-gate } 7667c478bd9Sstevel@tonic-gate 7677c478bd9Sstevel@tonic-gate /* 7687c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_EXIT 7697c478bd9Sstevel@tonic-gate * PURPOSE: 7707c478bd9Sstevel@tonic-gate * CALLBY: EXIT 7717c478bd9Sstevel@tonic-gate * NOTE: 7727c478bd9Sstevel@tonic-gate * TODO: 7737c478bd9Sstevel@tonic-gate * QUESTION: why cmw code as offset by 2 but not here 7747c478bd9Sstevel@tonic-gate */ 7757c478bd9Sstevel@tonic-gate /* ARGSUSED */ 7767c478bd9Sstevel@tonic-gate void 7777c478bd9Sstevel@tonic-gate audit_exit(int code, int what) 7787c478bd9Sstevel@tonic-gate { 7797c478bd9Sstevel@tonic-gate struct t_audit_data *tad; 7807c478bd9Sstevel@tonic-gate tad = U2A(u); 7817c478bd9Sstevel@tonic-gate 7827c478bd9Sstevel@tonic-gate /* 7837c478bd9Sstevel@tonic-gate * tad_scid will be set by audit_start even if we are not auditing 7847c478bd9Sstevel@tonic-gate * the event. 7857c478bd9Sstevel@tonic-gate */ 7867c478bd9Sstevel@tonic-gate if (tad->tad_scid == SYS_exit) { 7877c478bd9Sstevel@tonic-gate /* 7887c478bd9Sstevel@tonic-gate * if we are auditing the exit system call, then complete 7897c478bd9Sstevel@tonic-gate * audit record generation (no return from system call). 7907c478bd9Sstevel@tonic-gate */ 7917c478bd9Sstevel@tonic-gate if (tad->tad_flag && tad->tad_event == AUE_EXIT) 7927c478bd9Sstevel@tonic-gate audit_finish(0, SYS_exit, 0, 0); 7937c478bd9Sstevel@tonic-gate return; 7947c478bd9Sstevel@tonic-gate } 7957c478bd9Sstevel@tonic-gate 7967c478bd9Sstevel@tonic-gate /* 7977c478bd9Sstevel@tonic-gate * Anyone auditing the system call that was aborted? 7987c478bd9Sstevel@tonic-gate */ 7997c478bd9Sstevel@tonic-gate if (tad->tad_flag) { 8007c478bd9Sstevel@tonic-gate au_uwrite(au_to_text("event aborted")); 8017c478bd9Sstevel@tonic-gate audit_finish(0, tad->tad_scid, 0, 0); 8027c478bd9Sstevel@tonic-gate } 8037c478bd9Sstevel@tonic-gate 8047c478bd9Sstevel@tonic-gate /* 8057c478bd9Sstevel@tonic-gate * Generate an audit record for process exit if preselected. 8067c478bd9Sstevel@tonic-gate */ 8077c478bd9Sstevel@tonic-gate (void) audit_start(0, SYS_exit, 0, 0); 8087c478bd9Sstevel@tonic-gate audit_finish(0, SYS_exit, 0, 0); 8097c478bd9Sstevel@tonic-gate } 8107c478bd9Sstevel@tonic-gate 8117c478bd9Sstevel@tonic-gate /* 8127c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_CORE_START 8137c478bd9Sstevel@tonic-gate * PURPOSE: 8147c478bd9Sstevel@tonic-gate * CALLBY: PSIG 8157c478bd9Sstevel@tonic-gate * NOTE: 8167c478bd9Sstevel@tonic-gate * TODO: 8177c478bd9Sstevel@tonic-gate */ 8187c478bd9Sstevel@tonic-gate void 8197c478bd9Sstevel@tonic-gate audit_core_start(int sig) 8207c478bd9Sstevel@tonic-gate { 8217c478bd9Sstevel@tonic-gate au_event_t event; 8227c478bd9Sstevel@tonic-gate au_state_t estate; 8237c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 8247c478bd9Sstevel@tonic-gate au_kcontext_t *kctx; 8257c478bd9Sstevel@tonic-gate 8267c478bd9Sstevel@tonic-gate tad = U2A(u); 8277c478bd9Sstevel@tonic-gate 8287c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 8297c478bd9Sstevel@tonic-gate 8307c478bd9Sstevel@tonic-gate ASSERT(tad->tad_scid == 0); 8317c478bd9Sstevel@tonic-gate ASSERT(tad->tad_event == 0); 8327c478bd9Sstevel@tonic-gate ASSERT(tad->tad_evmod == 0); 8337c478bd9Sstevel@tonic-gate ASSERT(tad->tad_ctrl == 0); 8347c478bd9Sstevel@tonic-gate ASSERT(tad->tad_flag == 0); 8357c478bd9Sstevel@tonic-gate ASSERT(tad->tad_aupath == NULL); 8367c478bd9Sstevel@tonic-gate 8377c478bd9Sstevel@tonic-gate kctx = SET_KCTX_PZ; 8387c478bd9Sstevel@tonic-gate 8397c478bd9Sstevel@tonic-gate if (kctx == NULL) { 8407c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 8417c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 8427c478bd9Sstevel@tonic-gate return; 8437c478bd9Sstevel@tonic-gate } 8447c478bd9Sstevel@tonic-gate 8457c478bd9Sstevel@tonic-gate /* get basic event for system call */ 8467c478bd9Sstevel@tonic-gate event = AUE_CORE; 8477c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[event]; 8487c478bd9Sstevel@tonic-gate 8497c478bd9Sstevel@tonic-gate if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 8507c478bd9Sstevel@tonic-gate return; 8517c478bd9Sstevel@tonic-gate 8527c478bd9Sstevel@tonic-gate /* reset the flags for non-user attributable events */ 8537c478bd9Sstevel@tonic-gate tad->tad_ctrl = PAD_CORE; 8547c478bd9Sstevel@tonic-gate tad->tad_scid = 0; 8557c478bd9Sstevel@tonic-gate 8567c478bd9Sstevel@tonic-gate /* if auditing not enabled, then don't generate an audit record */ 8577c478bd9Sstevel@tonic-gate 8587c478bd9Sstevel@tonic-gate if (!((kctx->auk_auditstate == AUC_AUDITING || 8597c478bd9Sstevel@tonic-gate kctx->auk_auditstate == AUC_INIT_AUDIT) || 8607c478bd9Sstevel@tonic-gate kctx->auk_auditstate == AUC_NOSPACE)) { 8617c478bd9Sstevel@tonic-gate tad->tad_flag = 0; 8627c478bd9Sstevel@tonic-gate tad->tad_ctrl = 0; 8637c478bd9Sstevel@tonic-gate return; 8647c478bd9Sstevel@tonic-gate } 8657c478bd9Sstevel@tonic-gate 8667c478bd9Sstevel@tonic-gate tad->tad_event = event; 8677c478bd9Sstevel@tonic-gate tad->tad_evmod = 0; 8687c478bd9Sstevel@tonic-gate 8697c478bd9Sstevel@tonic-gate ASSERT(tad->tad_ad == NULL); 8707c478bd9Sstevel@tonic-gate 8717c478bd9Sstevel@tonic-gate au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 8727c478bd9Sstevel@tonic-gate } 8737c478bd9Sstevel@tonic-gate 8747c478bd9Sstevel@tonic-gate /* 8757c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_CORE_FINISH 8767c478bd9Sstevel@tonic-gate * PURPOSE: 8777c478bd9Sstevel@tonic-gate * CALLBY: PSIG 8787c478bd9Sstevel@tonic-gate * NOTE: 8797c478bd9Sstevel@tonic-gate * TODO: 8807c478bd9Sstevel@tonic-gate * QUESTION: 8817c478bd9Sstevel@tonic-gate */ 8827c478bd9Sstevel@tonic-gate 8837c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 8847c478bd9Sstevel@tonic-gate void 8857c478bd9Sstevel@tonic-gate audit_core_finish(int code) 8867c478bd9Sstevel@tonic-gate { 8877c478bd9Sstevel@tonic-gate int flag; 8887c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 8897c478bd9Sstevel@tonic-gate au_kcontext_t *kctx; 8907c478bd9Sstevel@tonic-gate 8917c478bd9Sstevel@tonic-gate tad = U2A(u); 8927c478bd9Sstevel@tonic-gate 8937c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 8947c478bd9Sstevel@tonic-gate 8957c478bd9Sstevel@tonic-gate if ((flag = tad->tad_flag) == 0) { 8967c478bd9Sstevel@tonic-gate tad->tad_event = 0; 8977c478bd9Sstevel@tonic-gate tad->tad_evmod = 0; 8987c478bd9Sstevel@tonic-gate tad->tad_ctrl = 0; 8997c478bd9Sstevel@tonic-gate ASSERT(tad->tad_aupath == NULL); 9007c478bd9Sstevel@tonic-gate return; 9017c478bd9Sstevel@tonic-gate } 9027c478bd9Sstevel@tonic-gate tad->tad_flag = 0; 9037c478bd9Sstevel@tonic-gate 9047c478bd9Sstevel@tonic-gate kctx = SET_KCTX_PZ; 9057c478bd9Sstevel@tonic-gate if (kctx == NULL) { 9067c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 9077c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 9087c478bd9Sstevel@tonic-gate return; 9097c478bd9Sstevel@tonic-gate } 9107c478bd9Sstevel@tonic-gate 9117c478bd9Sstevel@tonic-gate /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 9127c478bd9Sstevel@tonic-gate if (flag = audit_success(kctx, tad, 0)) { 9137c478bd9Sstevel@tonic-gate cred_t *cr = CRED(); 9147c478bd9Sstevel@tonic-gate const auditinfo_addr_t *ainfo = crgetauinfo(cr); 9157c478bd9Sstevel@tonic-gate 9167c478bd9Sstevel@tonic-gate ASSERT(ainfo != NULL); 9177c478bd9Sstevel@tonic-gate 9187c478bd9Sstevel@tonic-gate /* 9197c478bd9Sstevel@tonic-gate * Add a subject token (no locks since our private copy of 9207c478bd9Sstevel@tonic-gate * credential 9217c478bd9Sstevel@tonic-gate */ 9227c478bd9Sstevel@tonic-gate AUDIT_SETSUBJ(&(u_ad), cr, ainfo); 9237c478bd9Sstevel@tonic-gate 9247c478bd9Sstevel@tonic-gate /* Add an optional group token */ 9257c478bd9Sstevel@tonic-gate AUDIT_SETGROUP(&(u_ad), cr, kctx); 9267c478bd9Sstevel@tonic-gate 927*45916cd2Sjpk /* Add slabel token */ 928*45916cd2Sjpk if (is_system_labeled()) 929*45916cd2Sjpk au_write(&(u_ad), au_to_label(CR_SL(cr))); 930*45916cd2Sjpk 9317c478bd9Sstevel@tonic-gate /* Add a return token (should use f argument) */ 9327c478bd9Sstevel@tonic-gate add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 9337c478bd9Sstevel@tonic-gate 9347c478bd9Sstevel@tonic-gate AS_INC(as_generated, 1, kctx); 9357c478bd9Sstevel@tonic-gate AS_INC(as_kernel, 1, kctx); 9367c478bd9Sstevel@tonic-gate } 9377c478bd9Sstevel@tonic-gate 9387c478bd9Sstevel@tonic-gate /* Close up everything */ 9397c478bd9Sstevel@tonic-gate au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 9407c478bd9Sstevel@tonic-gate 9417c478bd9Sstevel@tonic-gate /* free up any space remaining with the path's */ 9427c478bd9Sstevel@tonic-gate if (tad->tad_aupath != NULL) { 9437c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_aupath); 9447c478bd9Sstevel@tonic-gate tad->tad_aupath = NULL; 9457c478bd9Sstevel@tonic-gate tad->tad_vn = NULL; 9467c478bd9Sstevel@tonic-gate } 9477c478bd9Sstevel@tonic-gate tad->tad_event = 0; 9487c478bd9Sstevel@tonic-gate tad->tad_evmod = 0; 9497c478bd9Sstevel@tonic-gate tad->tad_ctrl = 0; 9507c478bd9Sstevel@tonic-gate } 9517c478bd9Sstevel@tonic-gate 9527c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 9537c478bd9Sstevel@tonic-gate void 9547c478bd9Sstevel@tonic-gate audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 9557c478bd9Sstevel@tonic-gate { 9567c478bd9Sstevel@tonic-gate } 9577c478bd9Sstevel@tonic-gate 9587c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 9597c478bd9Sstevel@tonic-gate void 9607c478bd9Sstevel@tonic-gate audit_strclose(struct vnode *vp, int flag, cred_t *crp) 9617c478bd9Sstevel@tonic-gate { 9627c478bd9Sstevel@tonic-gate } 9637c478bd9Sstevel@tonic-gate 9647c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 9657c478bd9Sstevel@tonic-gate void 9667c478bd9Sstevel@tonic-gate audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 9677c478bd9Sstevel@tonic-gate int copyflag, cred_t *crp, int *rvalp) 9687c478bd9Sstevel@tonic-gate { 9697c478bd9Sstevel@tonic-gate } 9707c478bd9Sstevel@tonic-gate 9717c478bd9Sstevel@tonic-gate 9727c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 9737c478bd9Sstevel@tonic-gate void 9747c478bd9Sstevel@tonic-gate audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 9757c478bd9Sstevel@tonic-gate unsigned char *pri, int *flag, int fmode) 9767c478bd9Sstevel@tonic-gate { 9777c478bd9Sstevel@tonic-gate struct stdata *stp; 9787c478bd9Sstevel@tonic-gate t_audit_data_t *tad = U2A(u); 9797c478bd9Sstevel@tonic-gate 9807c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 9817c478bd9Sstevel@tonic-gate 9827c478bd9Sstevel@tonic-gate stp = vp->v_stream; 9837c478bd9Sstevel@tonic-gate 9847c478bd9Sstevel@tonic-gate /* lock stdata from audit_sock */ 9857c478bd9Sstevel@tonic-gate mutex_enter(&stp->sd_lock); 9867c478bd9Sstevel@tonic-gate 9877c478bd9Sstevel@tonic-gate /* proceed ONLY if user is being audited */ 9887c478bd9Sstevel@tonic-gate if (!tad->tad_flag) { 9897c478bd9Sstevel@tonic-gate /* 9907c478bd9Sstevel@tonic-gate * this is so we will not add audit data onto 9917c478bd9Sstevel@tonic-gate * a thread that is not being audited. 9927c478bd9Sstevel@tonic-gate */ 9937c478bd9Sstevel@tonic-gate stp->sd_t_audit_data = NULL; 9947c478bd9Sstevel@tonic-gate mutex_exit(&stp->sd_lock); 9957c478bd9Sstevel@tonic-gate return; 9967c478bd9Sstevel@tonic-gate } 9977c478bd9Sstevel@tonic-gate 9987c478bd9Sstevel@tonic-gate stp->sd_t_audit_data = (caddr_t)curthread; 9997c478bd9Sstevel@tonic-gate mutex_exit(&stp->sd_lock); 10007c478bd9Sstevel@tonic-gate } 10017c478bd9Sstevel@tonic-gate 10027c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 10037c478bd9Sstevel@tonic-gate void 10047c478bd9Sstevel@tonic-gate audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 10057c478bd9Sstevel@tonic-gate unsigned char pri, int flag, int fmode) 10067c478bd9Sstevel@tonic-gate { 10077c478bd9Sstevel@tonic-gate struct stdata *stp; 10087c478bd9Sstevel@tonic-gate t_audit_data_t *tad = U2A(u); 10097c478bd9Sstevel@tonic-gate 10107c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 10117c478bd9Sstevel@tonic-gate 10127c478bd9Sstevel@tonic-gate stp = vp->v_stream; 10137c478bd9Sstevel@tonic-gate 10147c478bd9Sstevel@tonic-gate /* lock stdata from audit_sock */ 10157c478bd9Sstevel@tonic-gate mutex_enter(&stp->sd_lock); 10167c478bd9Sstevel@tonic-gate 10177c478bd9Sstevel@tonic-gate /* proceed ONLY if user is being audited */ 10187c478bd9Sstevel@tonic-gate if (!tad->tad_flag) { 10197c478bd9Sstevel@tonic-gate /* 10207c478bd9Sstevel@tonic-gate * this is so we will not add audit data onto 10217c478bd9Sstevel@tonic-gate * a thread that is not being audited. 10227c478bd9Sstevel@tonic-gate */ 10237c478bd9Sstevel@tonic-gate stp->sd_t_audit_data = NULL; 10247c478bd9Sstevel@tonic-gate mutex_exit(&stp->sd_lock); 10257c478bd9Sstevel@tonic-gate return; 10267c478bd9Sstevel@tonic-gate } 10277c478bd9Sstevel@tonic-gate 10287c478bd9Sstevel@tonic-gate stp->sd_t_audit_data = (caddr_t)curthread; 10297c478bd9Sstevel@tonic-gate mutex_exit(&stp->sd_lock); 10307c478bd9Sstevel@tonic-gate } 10317c478bd9Sstevel@tonic-gate 10327c478bd9Sstevel@tonic-gate /* 10337c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_CLOSEF 10347c478bd9Sstevel@tonic-gate * PURPOSE: 10357c478bd9Sstevel@tonic-gate * CALLBY: CLOSEF 10367c478bd9Sstevel@tonic-gate * NOTE: 10377c478bd9Sstevel@tonic-gate * release per file audit resources when file structure is being released. 10387c478bd9Sstevel@tonic-gate * 10397c478bd9Sstevel@tonic-gate * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 10407c478bd9Sstevel@tonic-gate * on the audit queue if it becomes full. This means 10417c478bd9Sstevel@tonic-gate * audit_closef can not be called when f_count == 0. Since 10427c478bd9Sstevel@tonic-gate * f_count == 0 indicates the file structure is free, another 10437c478bd9Sstevel@tonic-gate * process could attempt to use the file while we were still 10447c478bd9Sstevel@tonic-gate * asleep waiting on the audit queue. This would cause the 10457c478bd9Sstevel@tonic-gate * per file audit data to be corrupted when we finally do 10467c478bd9Sstevel@tonic-gate * wakeup. 10477c478bd9Sstevel@tonic-gate * TODO: 10487c478bd9Sstevel@tonic-gate * QUESTION: 10497c478bd9Sstevel@tonic-gate */ 10507c478bd9Sstevel@tonic-gate 10517c478bd9Sstevel@tonic-gate void 10527c478bd9Sstevel@tonic-gate audit_closef(struct file *fp) 10537c478bd9Sstevel@tonic-gate { /* AUDIT_CLOSEF */ 10547c478bd9Sstevel@tonic-gate f_audit_data_t *fad; 10557c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 10567c478bd9Sstevel@tonic-gate int success; 10577c478bd9Sstevel@tonic-gate au_state_t estate; 10587c478bd9Sstevel@tonic-gate struct vnode *vp; 10597c478bd9Sstevel@tonic-gate token_t *ad = NULL; 10607c478bd9Sstevel@tonic-gate struct vattr attr; 10617c478bd9Sstevel@tonic-gate short evmod = 0; 10627c478bd9Sstevel@tonic-gate const auditinfo_addr_t *ainfo; 10637c478bd9Sstevel@tonic-gate int getattr_ret; 10647c478bd9Sstevel@tonic-gate cred_t *cr; 10657c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 10667c478bd9Sstevel@tonic-gate 10677c478bd9Sstevel@tonic-gate if (kctx == NULL) { 10687c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 10697c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 10707c478bd9Sstevel@tonic-gate return; 10717c478bd9Sstevel@tonic-gate } 10727c478bd9Sstevel@tonic-gate 10737c478bd9Sstevel@tonic-gate fad = F2A(fp); 10747c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[AUE_CLOSE]; 10757c478bd9Sstevel@tonic-gate tad = U2A(u); 10767c478bd9Sstevel@tonic-gate cr = CRED(); 10777c478bd9Sstevel@tonic-gate 10787c478bd9Sstevel@tonic-gate /* audit record already generated by system call envelope */ 10797c478bd9Sstevel@tonic-gate if (tad->tad_event == AUE_CLOSE) { 10807c478bd9Sstevel@tonic-gate /* so close audit event will have bits set */ 10817c478bd9Sstevel@tonic-gate tad->tad_evmod |= (short)fad->fad_flags; 10827c478bd9Sstevel@tonic-gate return; 10837c478bd9Sstevel@tonic-gate } 10847c478bd9Sstevel@tonic-gate 10857c478bd9Sstevel@tonic-gate /* if auditing not enabled, then don't generate an audit record */ 10867c478bd9Sstevel@tonic-gate if (!((kctx->auk_auditstate == AUC_AUDITING || 10877c478bd9Sstevel@tonic-gate kctx->auk_auditstate == AUC_INIT_AUDIT) || 10887c478bd9Sstevel@tonic-gate kctx->auk_auditstate == AUC_NOSPACE)) 10897c478bd9Sstevel@tonic-gate return; 10907c478bd9Sstevel@tonic-gate 10917c478bd9Sstevel@tonic-gate ainfo = crgetauinfo(cr); 10927c478bd9Sstevel@tonic-gate if (ainfo == NULL) 10937c478bd9Sstevel@tonic-gate return; 10947c478bd9Sstevel@tonic-gate 10957c478bd9Sstevel@tonic-gate success = ainfo->ai_mask.as_success & estate; 10967c478bd9Sstevel@tonic-gate 10977c478bd9Sstevel@tonic-gate /* not selected for this event */ 10987c478bd9Sstevel@tonic-gate if (success == 0) 10997c478bd9Sstevel@tonic-gate return; 11007c478bd9Sstevel@tonic-gate 11017c478bd9Sstevel@tonic-gate /* 11027c478bd9Sstevel@tonic-gate * can't use audit_attributes here since we use a private audit area 11037c478bd9Sstevel@tonic-gate * to build the audit record instead of the one off the thread. 11047c478bd9Sstevel@tonic-gate */ 11057c478bd9Sstevel@tonic-gate if ((vp = fp->f_vnode) != NULL) { 11067c478bd9Sstevel@tonic-gate attr.va_mask = AT_ALL; 11077c478bd9Sstevel@tonic-gate getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED()); 11087c478bd9Sstevel@tonic-gate } 11097c478bd9Sstevel@tonic-gate 11107c478bd9Sstevel@tonic-gate /* 11117c478bd9Sstevel@tonic-gate * When write was not used and the file can be considered public, 11127c478bd9Sstevel@tonic-gate * then skip the audit. 11137c478bd9Sstevel@tonic-gate */ 11147c478bd9Sstevel@tonic-gate if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 11157c478bd9Sstevel@tonic-gate if (file_is_public(&attr)) { 11167c478bd9Sstevel@tonic-gate return; 11177c478bd9Sstevel@tonic-gate } 11187c478bd9Sstevel@tonic-gate } 11197c478bd9Sstevel@tonic-gate 11207c478bd9Sstevel@tonic-gate evmod = (short)fad->fad_flags; 11217c478bd9Sstevel@tonic-gate if (fad->fad_aupath != NULL) { 11227c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 11237c478bd9Sstevel@tonic-gate } else { 11247c478bd9Sstevel@tonic-gate #ifdef _LP64 11257c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(ad), au_to_arg64( 11267c478bd9Sstevel@tonic-gate 1, "no path: fp", (uint64_t)fp)); 11277c478bd9Sstevel@tonic-gate #else 11287c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(ad), au_to_arg32( 11297c478bd9Sstevel@tonic-gate 1, "no path: fp", (uint32_t)fp)); 11307c478bd9Sstevel@tonic-gate #endif 11317c478bd9Sstevel@tonic-gate } 11327c478bd9Sstevel@tonic-gate 11337c478bd9Sstevel@tonic-gate if (getattr_ret == 0) { 11347c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1135*45916cd2Sjpk audit_sec_attributes((caddr_t *)&(ad), vp); 11367c478bd9Sstevel@tonic-gate } 11377c478bd9Sstevel@tonic-gate 11387c478bd9Sstevel@tonic-gate /* Add a subject token */ 11397c478bd9Sstevel@tonic-gate AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo); 11407c478bd9Sstevel@tonic-gate 11417c478bd9Sstevel@tonic-gate /* add an optional group token */ 11427c478bd9Sstevel@tonic-gate AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx); 11437c478bd9Sstevel@tonic-gate 1144*45916cd2Sjpk /* add slabel token */ 1145*45916cd2Sjpk if (is_system_labeled()) 1146*45916cd2Sjpk au_write((caddr_t *)&(ad), au_to_label(CR_SL(cr))); 1147*45916cd2Sjpk 11487c478bd9Sstevel@tonic-gate /* add a return token */ 11497c478bd9Sstevel@tonic-gate add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 11507c478bd9Sstevel@tonic-gate 11517c478bd9Sstevel@tonic-gate AS_INC(as_generated, 1, kctx); 11527c478bd9Sstevel@tonic-gate AS_INC(as_kernel, 1, kctx); 11537c478bd9Sstevel@tonic-gate 11547c478bd9Sstevel@tonic-gate /* 11557c478bd9Sstevel@tonic-gate * Close up everything 11567c478bd9Sstevel@tonic-gate * Note: path space recovery handled by normal system 11577c478bd9Sstevel@tonic-gate * call envelope if not at last close. 11587c478bd9Sstevel@tonic-gate * Note there is no failure at this point since 11597c478bd9Sstevel@tonic-gate * this represents closes due to exit of process, 11607c478bd9Sstevel@tonic-gate * thus we always indicate successful closes. 11617c478bd9Sstevel@tonic-gate */ 11627c478bd9Sstevel@tonic-gate au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 11637c478bd9Sstevel@tonic-gate AUE_CLOSE, evmod); 11647c478bd9Sstevel@tonic-gate } 11657c478bd9Sstevel@tonic-gate 11667c478bd9Sstevel@tonic-gate /* 11677c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_SET 11687c478bd9Sstevel@tonic-gate * PURPOSE: Audit the file path and file attributes. 11697c478bd9Sstevel@tonic-gate * CALLBY: SETF 11707c478bd9Sstevel@tonic-gate * NOTE: SETF associate a file pointer with user area's open files. 11717c478bd9Sstevel@tonic-gate * TODO: 11727c478bd9Sstevel@tonic-gate * call audit_finish directly ??? 11737c478bd9Sstevel@tonic-gate * QUESTION: 11747c478bd9Sstevel@tonic-gate */ 11757c478bd9Sstevel@tonic-gate 11767c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 11777c478bd9Sstevel@tonic-gate void 11787c478bd9Sstevel@tonic-gate audit_setf(file_t *fp, int fd) 11797c478bd9Sstevel@tonic-gate { 11807c478bd9Sstevel@tonic-gate f_audit_data_t *fad; 11817c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 11827c478bd9Sstevel@tonic-gate 11837c478bd9Sstevel@tonic-gate if (fp == NULL) 11847c478bd9Sstevel@tonic-gate return; 11857c478bd9Sstevel@tonic-gate 11867c478bd9Sstevel@tonic-gate tad = T2A(curthread); 11877c478bd9Sstevel@tonic-gate fad = F2A(fp); 11887c478bd9Sstevel@tonic-gate 11897c478bd9Sstevel@tonic-gate if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 11907c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 11917c478bd9Sstevel@tonic-gate tad->tad_scid == SYS_fsat)) 11927c478bd9Sstevel@tonic-gate return; 11937c478bd9Sstevel@tonic-gate 11947c478bd9Sstevel@tonic-gate /* no path */ 11957c478bd9Sstevel@tonic-gate if (tad->tad_aupath == 0) 11967c478bd9Sstevel@tonic-gate return; 11977c478bd9Sstevel@tonic-gate 11987c478bd9Sstevel@tonic-gate /* 11997c478bd9Sstevel@tonic-gate * assign path information associated with file audit data 12007c478bd9Sstevel@tonic-gate * use tad hold 12017c478bd9Sstevel@tonic-gate */ 12027c478bd9Sstevel@tonic-gate fad->fad_aupath = tad->tad_aupath; 12037c478bd9Sstevel@tonic-gate tad->tad_aupath = NULL; 12047c478bd9Sstevel@tonic-gate tad->tad_vn = NULL; 12057c478bd9Sstevel@tonic-gate 12067c478bd9Sstevel@tonic-gate if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 12077c478bd9Sstevel@tonic-gate /* adjust event type */ 12087c478bd9Sstevel@tonic-gate switch (tad->tad_event) { 12097c478bd9Sstevel@tonic-gate case AUE_OPEN_RC: 12107c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_R; 12117c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_PUBLIC_EV; 12127c478bd9Sstevel@tonic-gate break; 12137c478bd9Sstevel@tonic-gate case AUE_OPEN_RTC: 12147c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_RT; 12157c478bd9Sstevel@tonic-gate break; 12167c478bd9Sstevel@tonic-gate case AUE_OPEN_WC: 12177c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_W; 12187c478bd9Sstevel@tonic-gate break; 12197c478bd9Sstevel@tonic-gate case AUE_OPEN_WTC: 12207c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_WT; 12217c478bd9Sstevel@tonic-gate break; 12227c478bd9Sstevel@tonic-gate case AUE_OPEN_RWC: 12237c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_RW; 12247c478bd9Sstevel@tonic-gate break; 12257c478bd9Sstevel@tonic-gate case AUE_OPEN_RWTC: 12267c478bd9Sstevel@tonic-gate tad->tad_event = AUE_OPEN_RWT; 12277c478bd9Sstevel@tonic-gate break; 12287c478bd9Sstevel@tonic-gate default: 12297c478bd9Sstevel@tonic-gate break; 12307c478bd9Sstevel@tonic-gate } 12317c478bd9Sstevel@tonic-gate } 12327c478bd9Sstevel@tonic-gate } 12337c478bd9Sstevel@tonic-gate 12347c478bd9Sstevel@tonic-gate 12357c478bd9Sstevel@tonic-gate /* 12367c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_COPEN 12377c478bd9Sstevel@tonic-gate * PURPOSE: 12387c478bd9Sstevel@tonic-gate * CALLBY: COPEN 12397c478bd9Sstevel@tonic-gate * NOTE: 12407c478bd9Sstevel@tonic-gate * TODO: 12417c478bd9Sstevel@tonic-gate * QUESTION: 12427c478bd9Sstevel@tonic-gate */ 12437c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 12447c478bd9Sstevel@tonic-gate void 12457c478bd9Sstevel@tonic-gate audit_copen(int fd, file_t *fp, vnode_t *vp) 12467c478bd9Sstevel@tonic-gate { 12477c478bd9Sstevel@tonic-gate } 12487c478bd9Sstevel@tonic-gate 12497c478bd9Sstevel@tonic-gate void 12507c478bd9Sstevel@tonic-gate audit_ipc(int type, int id, void *vp) 12517c478bd9Sstevel@tonic-gate { 12527c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 12537c478bd9Sstevel@tonic-gate if (ad_flag == 0) 12547c478bd9Sstevel@tonic-gate return; 12557c478bd9Sstevel@tonic-gate 12567c478bd9Sstevel@tonic-gate switch (type) { 12577c478bd9Sstevel@tonic-gate case AT_IPC_MSG: 12587c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 12597c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 12607c478bd9Sstevel@tonic-gate break; 12617c478bd9Sstevel@tonic-gate case AT_IPC_SEM: 12627c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 12637c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 12647c478bd9Sstevel@tonic-gate break; 12657c478bd9Sstevel@tonic-gate case AT_IPC_SHM: 12667c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 12677c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 12687c478bd9Sstevel@tonic-gate break; 12697c478bd9Sstevel@tonic-gate } 12707c478bd9Sstevel@tonic-gate } 12717c478bd9Sstevel@tonic-gate 12727c478bd9Sstevel@tonic-gate void 12737c478bd9Sstevel@tonic-gate audit_ipcget(int type, void *vp) 12747c478bd9Sstevel@tonic-gate { 12757c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 12767c478bd9Sstevel@tonic-gate if (ad_flag == 0) 12777c478bd9Sstevel@tonic-gate return; 12787c478bd9Sstevel@tonic-gate 12797c478bd9Sstevel@tonic-gate switch (type) { 12807c478bd9Sstevel@tonic-gate case NULL: 12817c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 12827c478bd9Sstevel@tonic-gate break; 12837c478bd9Sstevel@tonic-gate case AT_IPC_MSG: 12847c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 12857c478bd9Sstevel@tonic-gate break; 12867c478bd9Sstevel@tonic-gate case AT_IPC_SEM: 12877c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 12887c478bd9Sstevel@tonic-gate break; 12897c478bd9Sstevel@tonic-gate case AT_IPC_SHM: 12907c478bd9Sstevel@tonic-gate au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 12917c478bd9Sstevel@tonic-gate break; 12927c478bd9Sstevel@tonic-gate } 12937c478bd9Sstevel@tonic-gate } 12947c478bd9Sstevel@tonic-gate 12957c478bd9Sstevel@tonic-gate /* 12967c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_REBOOT 12977c478bd9Sstevel@tonic-gate * PURPOSE: 12987c478bd9Sstevel@tonic-gate * CALLBY: 12997c478bd9Sstevel@tonic-gate * NOTE: 13007c478bd9Sstevel@tonic-gate * At this point we know that the system call reboot will not return. We thus 13017c478bd9Sstevel@tonic-gate * have to complete the audit record generation and put it onto the queue. 13027c478bd9Sstevel@tonic-gate * This might be fairly useless if the auditing daemon is already dead.... 13037c478bd9Sstevel@tonic-gate * TODO: 13047c478bd9Sstevel@tonic-gate * QUESTION: who calls audit_reboot 13057c478bd9Sstevel@tonic-gate */ 13067c478bd9Sstevel@tonic-gate 13077c478bd9Sstevel@tonic-gate void 13087c478bd9Sstevel@tonic-gate audit_reboot(void) 13097c478bd9Sstevel@tonic-gate { 13107c478bd9Sstevel@tonic-gate int flag; 13117c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 13127c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 13137c478bd9Sstevel@tonic-gate 13147c478bd9Sstevel@tonic-gate if (kctx == NULL) { 13157c478bd9Sstevel@tonic-gate zone_status_t zstate = zone_status_get(curproc->p_zone); 13167c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 13177c478bd9Sstevel@tonic-gate return; 13187c478bd9Sstevel@tonic-gate } 13197c478bd9Sstevel@tonic-gate 13207c478bd9Sstevel@tonic-gate tad = U2A(u); 13217c478bd9Sstevel@tonic-gate 13227c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 13237c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 13247c478bd9Sstevel@tonic-gate return; 13257c478bd9Sstevel@tonic-gate 13267c478bd9Sstevel@tonic-gate /* do preselection on success/failure */ 13277c478bd9Sstevel@tonic-gate if (flag = audit_success(kctx, tad, 0)) { 13287c478bd9Sstevel@tonic-gate /* add a process token */ 13297c478bd9Sstevel@tonic-gate 13307c478bd9Sstevel@tonic-gate cred_t *cr = CRED(); 13317c478bd9Sstevel@tonic-gate const auditinfo_addr_t *ainfo = crgetauinfo(cr); 13327c478bd9Sstevel@tonic-gate 13337c478bd9Sstevel@tonic-gate if (ainfo == NULL) 13347c478bd9Sstevel@tonic-gate return; 13357c478bd9Sstevel@tonic-gate 13367c478bd9Sstevel@tonic-gate AUDIT_SETSUBJ(&(u_ad), cr, ainfo); 13377c478bd9Sstevel@tonic-gate 13387c478bd9Sstevel@tonic-gate /* add an optional group token */ 13397c478bd9Sstevel@tonic-gate AUDIT_SETGROUP(&(u_ad), cr, kctx); 13407c478bd9Sstevel@tonic-gate 1341*45916cd2Sjpk /* add slabel token */ 1342*45916cd2Sjpk if (is_system_labeled()) 1343*45916cd2Sjpk au_uwrite(au_to_label(CR_SL(cr))); 1344*45916cd2Sjpk 13457c478bd9Sstevel@tonic-gate /* add a return token */ 13467c478bd9Sstevel@tonic-gate add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 13477c478bd9Sstevel@tonic-gate 13487c478bd9Sstevel@tonic-gate AS_INC(as_generated, 1, kctx); 13497c478bd9Sstevel@tonic-gate AS_INC(as_kernel, 1, kctx); 13507c478bd9Sstevel@tonic-gate } 13517c478bd9Sstevel@tonic-gate 13527c478bd9Sstevel@tonic-gate /* 13537c478bd9Sstevel@tonic-gate * Flow control useless here since we're going 13547c478bd9Sstevel@tonic-gate * to drop everything in the queue anyway. Why 13557c478bd9Sstevel@tonic-gate * block and wait. There aint anyone left alive to 13567c478bd9Sstevel@tonic-gate * read the records remaining anyway. 13577c478bd9Sstevel@tonic-gate */ 13587c478bd9Sstevel@tonic-gate 13597c478bd9Sstevel@tonic-gate /* Close up everything */ 13607c478bd9Sstevel@tonic-gate au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 13617c478bd9Sstevel@tonic-gate tad->tad_event, tad->tad_evmod); 13627c478bd9Sstevel@tonic-gate } 13637c478bd9Sstevel@tonic-gate 13647c478bd9Sstevel@tonic-gate void 13657c478bd9Sstevel@tonic-gate audit_setfsat_path(int argnum) 13667c478bd9Sstevel@tonic-gate { 13677c478bd9Sstevel@tonic-gate klwp_id_t clwp = ttolwp(curthread); 13687c478bd9Sstevel@tonic-gate struct file *fp; 13697c478bd9Sstevel@tonic-gate uint32_t fd; 13707c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 13717c478bd9Sstevel@tonic-gate struct f_audit_data *fad; 13727c478bd9Sstevel@tonic-gate p_audit_data_t *pad; /* current process */ 13737c478bd9Sstevel@tonic-gate 13747c478bd9Sstevel@tonic-gate struct b { 13757c478bd9Sstevel@tonic-gate long arg1; 13767c478bd9Sstevel@tonic-gate long arg2; 13777c478bd9Sstevel@tonic-gate long arg3; 13787c478bd9Sstevel@tonic-gate long arg4; 13797c478bd9Sstevel@tonic-gate long arg5; 13807c478bd9Sstevel@tonic-gate } *uap1; 13817c478bd9Sstevel@tonic-gate 13827c478bd9Sstevel@tonic-gate if (clwp == NULL) 13837c478bd9Sstevel@tonic-gate return; 13847c478bd9Sstevel@tonic-gate uap1 = (struct b *)&clwp->lwp_ap[1]; 13857c478bd9Sstevel@tonic-gate 13867c478bd9Sstevel@tonic-gate tad = U2A(u); 13877c478bd9Sstevel@tonic-gate 13887c478bd9Sstevel@tonic-gate ASSERT(tad != NULL); 13897c478bd9Sstevel@tonic-gate 13907c478bd9Sstevel@tonic-gate if (tad->tad_scid != SYS_fsat) 13917c478bd9Sstevel@tonic-gate return; 13927c478bd9Sstevel@tonic-gate 13937c478bd9Sstevel@tonic-gate switch (argnum) { 13947c478bd9Sstevel@tonic-gate case 1: 13957c478bd9Sstevel@tonic-gate fd = (uint32_t)uap1->arg1; 13967c478bd9Sstevel@tonic-gate break; 13977c478bd9Sstevel@tonic-gate case 2: 13987c478bd9Sstevel@tonic-gate fd = (uint32_t)uap1->arg2; 13997c478bd9Sstevel@tonic-gate break; 14007c478bd9Sstevel@tonic-gate case 3: 14017c478bd9Sstevel@tonic-gate fd = (uint32_t)uap1->arg3; 14027c478bd9Sstevel@tonic-gate break; 14037c478bd9Sstevel@tonic-gate case 4: 14047c478bd9Sstevel@tonic-gate fd = (uint32_t)uap1->arg4; 14057c478bd9Sstevel@tonic-gate break; 14067c478bd9Sstevel@tonic-gate case 5: 14077c478bd9Sstevel@tonic-gate fd = (uint32_t)uap1->arg5; 14087c478bd9Sstevel@tonic-gate break; 14097c478bd9Sstevel@tonic-gate default: 14107c478bd9Sstevel@tonic-gate return; 14117c478bd9Sstevel@tonic-gate } 14127c478bd9Sstevel@tonic-gate 14137c478bd9Sstevel@tonic-gate if (tad->tad_atpath != NULL) { 14147c478bd9Sstevel@tonic-gate au_pathrele(tad->tad_atpath); 14157c478bd9Sstevel@tonic-gate tad->tad_atpath = NULL; 14167c478bd9Sstevel@tonic-gate } 14177c478bd9Sstevel@tonic-gate if (fd != AT_FDCWD) { 14187c478bd9Sstevel@tonic-gate if ((fp = getf(fd)) == NULL) 14197c478bd9Sstevel@tonic-gate return; 14207c478bd9Sstevel@tonic-gate 14217c478bd9Sstevel@tonic-gate fad = F2A(fp); 14227c478bd9Sstevel@tonic-gate ASSERT(fad); 14237c478bd9Sstevel@tonic-gate au_pathhold(fad->fad_aupath); 14247c478bd9Sstevel@tonic-gate tad->tad_atpath = fad->fad_aupath; 14257c478bd9Sstevel@tonic-gate releasef(fd); 14267c478bd9Sstevel@tonic-gate } else { 14277c478bd9Sstevel@tonic-gate pad = P2A(curproc); 14287c478bd9Sstevel@tonic-gate mutex_enter(&pad->pad_lock); 14297c478bd9Sstevel@tonic-gate au_pathhold(pad->pad_cwd); 14307c478bd9Sstevel@tonic-gate tad->tad_atpath = pad->pad_cwd; 14317c478bd9Sstevel@tonic-gate mutex_exit(&pad->pad_lock); 14327c478bd9Sstevel@tonic-gate } 14337c478bd9Sstevel@tonic-gate } 14347c478bd9Sstevel@tonic-gate 14357c478bd9Sstevel@tonic-gate void 14367c478bd9Sstevel@tonic-gate audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 14377c478bd9Sstevel@tonic-gate { 14387c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 14397c478bd9Sstevel@tonic-gate vnode_t *vp; 14407c478bd9Sstevel@tonic-gate 14417c478bd9Sstevel@tonic-gate tad = U2A(u); 14427c478bd9Sstevel@tonic-gate 14437c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 14447c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 14457c478bd9Sstevel@tonic-gate return; 14467c478bd9Sstevel@tonic-gate 14477c478bd9Sstevel@tonic-gate au_uwrite(au_to_text(target)); 14487c478bd9Sstevel@tonic-gate 14497c478bd9Sstevel@tonic-gate if (error) 14507c478bd9Sstevel@tonic-gate return; 14517c478bd9Sstevel@tonic-gate 14527c478bd9Sstevel@tonic-gate error = VOP_LOOKUP(dvp, sname, &vp, NULL, NO_FOLLOW, NULL, CRED()); 14537c478bd9Sstevel@tonic-gate if (error == 0) { 14547c478bd9Sstevel@tonic-gate audit_attributes(vp); 14557c478bd9Sstevel@tonic-gate VN_RELE(vp); 14567c478bd9Sstevel@tonic-gate } 14577c478bd9Sstevel@tonic-gate } 14587c478bd9Sstevel@tonic-gate 14597c478bd9Sstevel@tonic-gate /* 14607c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_VNCREATE_START 14617c478bd9Sstevel@tonic-gate * PURPOSE: set flag so path name lookup in create will not add attribute 14627c478bd9Sstevel@tonic-gate * CALLBY: VN_CREATE 14637c478bd9Sstevel@tonic-gate * NOTE: 14647c478bd9Sstevel@tonic-gate * TODO: 14657c478bd9Sstevel@tonic-gate * QUESTION: 14667c478bd9Sstevel@tonic-gate */ 14677c478bd9Sstevel@tonic-gate 14687c478bd9Sstevel@tonic-gate void 14697c478bd9Sstevel@tonic-gate audit_vncreate_start() 14707c478bd9Sstevel@tonic-gate { 14717c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 14727c478bd9Sstevel@tonic-gate 14737c478bd9Sstevel@tonic-gate tad = U2A(u); 14747c478bd9Sstevel@tonic-gate tad->tad_ctrl |= PAD_NOATTRB; 14757c478bd9Sstevel@tonic-gate } 14767c478bd9Sstevel@tonic-gate 14777c478bd9Sstevel@tonic-gate /* 14787c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_VNCREATE_FINISH 14797c478bd9Sstevel@tonic-gate * PURPOSE: 14807c478bd9Sstevel@tonic-gate * CALLBY: VN_CREATE 14817c478bd9Sstevel@tonic-gate * NOTE: 14827c478bd9Sstevel@tonic-gate * TODO: 14837c478bd9Sstevel@tonic-gate * QUESTION: 14847c478bd9Sstevel@tonic-gate */ 14857c478bd9Sstevel@tonic-gate void 14867c478bd9Sstevel@tonic-gate audit_vncreate_finish(struct vnode *vp, int error) 14877c478bd9Sstevel@tonic-gate { 14887c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 14897c478bd9Sstevel@tonic-gate 14907c478bd9Sstevel@tonic-gate if (error) 14917c478bd9Sstevel@tonic-gate return; 14927c478bd9Sstevel@tonic-gate 14937c478bd9Sstevel@tonic-gate tad = U2A(u); 14947c478bd9Sstevel@tonic-gate 14957c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 14967c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 14977c478bd9Sstevel@tonic-gate return; 14987c478bd9Sstevel@tonic-gate 14997c478bd9Sstevel@tonic-gate if (tad->tad_ctrl & PAD_TRUE_CREATE) { 15007c478bd9Sstevel@tonic-gate audit_attributes(vp); 15017c478bd9Sstevel@tonic-gate } 15027c478bd9Sstevel@tonic-gate 15037c478bd9Sstevel@tonic-gate if (tad->tad_ctrl & PAD_CORE) { 15047c478bd9Sstevel@tonic-gate audit_attributes(vp); 15057c478bd9Sstevel@tonic-gate tad->tad_ctrl &= ~PAD_CORE; 15067c478bd9Sstevel@tonic-gate } 15077c478bd9Sstevel@tonic-gate 15087c478bd9Sstevel@tonic-gate if (!error && ((tad->tad_event == AUE_MKNOD) || 15097c478bd9Sstevel@tonic-gate (tad->tad_event == AUE_MKDIR))) { 15107c478bd9Sstevel@tonic-gate audit_attributes(vp); 15117c478bd9Sstevel@tonic-gate } 15127c478bd9Sstevel@tonic-gate 15137c478bd9Sstevel@tonic-gate /* for case where multiple lookups in one syscall (rename) */ 15147c478bd9Sstevel@tonic-gate tad->tad_ctrl &= ~PAD_NOATTRB; 15157c478bd9Sstevel@tonic-gate } 15167c478bd9Sstevel@tonic-gate 15177c478bd9Sstevel@tonic-gate 15187c478bd9Sstevel@tonic-gate 15197c478bd9Sstevel@tonic-gate 15207c478bd9Sstevel@tonic-gate 15217c478bd9Sstevel@tonic-gate 15227c478bd9Sstevel@tonic-gate 15237c478bd9Sstevel@tonic-gate 15247c478bd9Sstevel@tonic-gate /* 15257c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_EXEC 15267c478bd9Sstevel@tonic-gate * PURPOSE: Records the function arguments and environment variables 15277c478bd9Sstevel@tonic-gate * CALLBY: EXEC_ARGS 15287c478bd9Sstevel@tonic-gate * NOTE: 15297c478bd9Sstevel@tonic-gate * TODO: 15307c478bd9Sstevel@tonic-gate * QUESTION: 15317c478bd9Sstevel@tonic-gate */ 15327c478bd9Sstevel@tonic-gate 15337c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 15347c478bd9Sstevel@tonic-gate void 15357c478bd9Sstevel@tonic-gate audit_exec( 15367c478bd9Sstevel@tonic-gate const char *argstr, /* argument strings */ 15377c478bd9Sstevel@tonic-gate const char *envstr, /* environment strings */ 15387c478bd9Sstevel@tonic-gate ssize_t argc, /* total # arguments */ 15397c478bd9Sstevel@tonic-gate ssize_t envc) /* total # environment variables */ 15407c478bd9Sstevel@tonic-gate { 15417c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 15427c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 15437c478bd9Sstevel@tonic-gate 15447c478bd9Sstevel@tonic-gate ASSERT(kctx != NULL); 15457c478bd9Sstevel@tonic-gate 15467c478bd9Sstevel@tonic-gate tad = U2A(u); 15477c478bd9Sstevel@tonic-gate 15487c478bd9Sstevel@tonic-gate /* if not auditing this event, then do nothing */ 15497c478bd9Sstevel@tonic-gate if (!tad->tad_flag) 15507c478bd9Sstevel@tonic-gate return; 15517c478bd9Sstevel@tonic-gate 15527c478bd9Sstevel@tonic-gate /* return if not interested in argv or environment variables */ 15537c478bd9Sstevel@tonic-gate if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 15547c478bd9Sstevel@tonic-gate return; 15557c478bd9Sstevel@tonic-gate 15567c478bd9Sstevel@tonic-gate if (kctx->auk_policy & AUDIT_ARGV) { 15577c478bd9Sstevel@tonic-gate au_uwrite(au_to_exec_args(argstr, argc)); 15587c478bd9Sstevel@tonic-gate } 15597c478bd9Sstevel@tonic-gate 15607c478bd9Sstevel@tonic-gate if (kctx->auk_policy & AUDIT_ARGE) { 15617c478bd9Sstevel@tonic-gate au_uwrite(au_to_exec_env(envstr, envc)); 15627c478bd9Sstevel@tonic-gate } 15637c478bd9Sstevel@tonic-gate } 15647c478bd9Sstevel@tonic-gate 15657c478bd9Sstevel@tonic-gate /* 15667c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_ENTERPROM 15677c478bd9Sstevel@tonic-gate * PURPOSE: 15687c478bd9Sstevel@tonic-gate * CALLBY: KBDINPUT 15697c478bd9Sstevel@tonic-gate * ZSA_XSINT 15707c478bd9Sstevel@tonic-gate * NOTE: 15717c478bd9Sstevel@tonic-gate * TODO: 15727c478bd9Sstevel@tonic-gate * QUESTION: 15737c478bd9Sstevel@tonic-gate */ 15747c478bd9Sstevel@tonic-gate void 15757c478bd9Sstevel@tonic-gate audit_enterprom(int flg) 15767c478bd9Sstevel@tonic-gate { 15777c478bd9Sstevel@tonic-gate token_t *rp = NULL; 15787c478bd9Sstevel@tonic-gate int sorf; 15797c478bd9Sstevel@tonic-gate 15807c478bd9Sstevel@tonic-gate if (flg) 15817c478bd9Sstevel@tonic-gate sorf = AUM_SUCC; 15827c478bd9Sstevel@tonic-gate else 15837c478bd9Sstevel@tonic-gate sorf = AUM_FAIL; 15847c478bd9Sstevel@tonic-gate 15857c478bd9Sstevel@tonic-gate AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 15867c478bd9Sstevel@tonic-gate 15877c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_text("kmdb")); 15887c478bd9Sstevel@tonic-gate 15897c478bd9Sstevel@tonic-gate if (flg) 15907c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 15917c478bd9Sstevel@tonic-gate else 15927c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 15937c478bd9Sstevel@tonic-gate 15947c478bd9Sstevel@tonic-gate AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 15957c478bd9Sstevel@tonic-gate } 15967c478bd9Sstevel@tonic-gate 15977c478bd9Sstevel@tonic-gate 15987c478bd9Sstevel@tonic-gate /* 15997c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_EXITPROM 16007c478bd9Sstevel@tonic-gate * PURPOSE: 16017c478bd9Sstevel@tonic-gate * CALLBY: KBDINPUT 16027c478bd9Sstevel@tonic-gate * ZSA_XSINT 16037c478bd9Sstevel@tonic-gate * NOTE: 16047c478bd9Sstevel@tonic-gate * TODO: 16057c478bd9Sstevel@tonic-gate * QUESTION: 16067c478bd9Sstevel@tonic-gate */ 16077c478bd9Sstevel@tonic-gate void 16087c478bd9Sstevel@tonic-gate audit_exitprom(int flg) 16097c478bd9Sstevel@tonic-gate { 16107c478bd9Sstevel@tonic-gate int sorf; 16117c478bd9Sstevel@tonic-gate token_t *rp = NULL; 16127c478bd9Sstevel@tonic-gate 16137c478bd9Sstevel@tonic-gate if (flg) 16147c478bd9Sstevel@tonic-gate sorf = AUM_SUCC; 16157c478bd9Sstevel@tonic-gate else 16167c478bd9Sstevel@tonic-gate sorf = AUM_FAIL; 16177c478bd9Sstevel@tonic-gate 16187c478bd9Sstevel@tonic-gate AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 16197c478bd9Sstevel@tonic-gate 16207c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_text("kmdb")); 16217c478bd9Sstevel@tonic-gate 16227c478bd9Sstevel@tonic-gate if (flg) 16237c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 16247c478bd9Sstevel@tonic-gate else 16257c478bd9Sstevel@tonic-gate au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 16267c478bd9Sstevel@tonic-gate 16277c478bd9Sstevel@tonic-gate AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 16287c478bd9Sstevel@tonic-gate } 16297c478bd9Sstevel@tonic-gate 16307c478bd9Sstevel@tonic-gate struct fcntla { 16317c478bd9Sstevel@tonic-gate int fdes; 16327c478bd9Sstevel@tonic-gate int cmd; 16337c478bd9Sstevel@tonic-gate intptr_t arg; 16347c478bd9Sstevel@tonic-gate }; 16357c478bd9Sstevel@tonic-gate 16367c478bd9Sstevel@tonic-gate /* 16377c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_C2_REVOKE 16387c478bd9Sstevel@tonic-gate * PURPOSE: 16397c478bd9Sstevel@tonic-gate * CALLBY: FCNTL 16407c478bd9Sstevel@tonic-gate * NOTE: 16417c478bd9Sstevel@tonic-gate * TODO: 16427c478bd9Sstevel@tonic-gate * QUESTION: are we keeping this func 16437c478bd9Sstevel@tonic-gate */ 16447c478bd9Sstevel@tonic-gate 16457c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 16467c478bd9Sstevel@tonic-gate int 16477c478bd9Sstevel@tonic-gate audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 16487c478bd9Sstevel@tonic-gate { 16497c478bd9Sstevel@tonic-gate return (0); 16507c478bd9Sstevel@tonic-gate } 16517c478bd9Sstevel@tonic-gate 16527c478bd9Sstevel@tonic-gate 16537c478bd9Sstevel@tonic-gate /* 16547c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_CHDIREC 16557c478bd9Sstevel@tonic-gate * PURPOSE: 16567c478bd9Sstevel@tonic-gate * CALLBY: CHDIREC 16577c478bd9Sstevel@tonic-gate * NOTE: The main function of CHDIREC 16587c478bd9Sstevel@tonic-gate * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 16597c478bd9Sstevel@tonic-gate * QUESTION: 16607c478bd9Sstevel@tonic-gate */ 16617c478bd9Sstevel@tonic-gate 16627c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 16637c478bd9Sstevel@tonic-gate void 16647c478bd9Sstevel@tonic-gate audit_chdirec(vnode_t *vp, vnode_t **vpp) 16657c478bd9Sstevel@tonic-gate { 16667c478bd9Sstevel@tonic-gate int chdir; 16677c478bd9Sstevel@tonic-gate int fchdir; 16687c478bd9Sstevel@tonic-gate struct audit_path **appp; 16697c478bd9Sstevel@tonic-gate struct file *fp; 16707c478bd9Sstevel@tonic-gate f_audit_data_t *fad; 16717c478bd9Sstevel@tonic-gate p_audit_data_t *pad = P2A(curproc); 16727c478bd9Sstevel@tonic-gate t_audit_data_t *tad = T2A(curthread); 16737c478bd9Sstevel@tonic-gate 16747c478bd9Sstevel@tonic-gate struct a { 16757c478bd9Sstevel@tonic-gate long fd; 16767c478bd9Sstevel@tonic-gate } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 16777c478bd9Sstevel@tonic-gate 16787c478bd9Sstevel@tonic-gate if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 16797c478bd9Sstevel@tonic-gate chdir = tad->tad_scid == SYS_chdir; 16807c478bd9Sstevel@tonic-gate if (tad->tad_aupath) { 16817c478bd9Sstevel@tonic-gate mutex_enter(&pad->pad_lock); 16827c478bd9Sstevel@tonic-gate if (chdir) 16837c478bd9Sstevel@tonic-gate appp = &(pad->pad_cwd); 16847c478bd9Sstevel@tonic-gate else 16857c478bd9Sstevel@tonic-gate appp = &(pad->pad_root); 16867c478bd9Sstevel@tonic-gate au_pathrele(*appp); 16877c478bd9Sstevel@tonic-gate /* use tad hold */ 16887c478bd9Sstevel@tonic-gate *appp = tad->tad_aupath; 16897c478bd9Sstevel@tonic-gate tad->tad_aupath = NULL; 16907c478bd9Sstevel@tonic-gate mutex_exit(&pad->pad_lock); 16917c478bd9Sstevel@tonic-gate } 16927c478bd9Sstevel@tonic-gate } else if ((tad->tad_scid == SYS_fchdir) || 16937c478bd9Sstevel@tonic-gate (tad->tad_scid == SYS_fchroot)) { 16947c478bd9Sstevel@tonic-gate fchdir = tad->tad_scid == SYS_fchdir; 16957c478bd9Sstevel@tonic-gate if ((fp = getf(uap->fd)) == NULL) 16967c478bd9Sstevel@tonic-gate return; 16977c478bd9Sstevel@tonic-gate fad = F2A(fp); 16987c478bd9Sstevel@tonic-gate if (fad->fad_aupath) { 16997c478bd9Sstevel@tonic-gate au_pathhold(fad->fad_aupath); 17007c478bd9Sstevel@tonic-gate mutex_enter(&pad->pad_lock); 17017c478bd9Sstevel@tonic-gate if (fchdir) 17027c478bd9Sstevel@tonic-gate appp = &(pad->pad_cwd); 17037c478bd9Sstevel@tonic-gate else 17047c478bd9Sstevel@tonic-gate appp = &(pad->pad_root); 17057c478bd9Sstevel@tonic-gate au_pathrele(*appp); 17067c478bd9Sstevel@tonic-gate *appp = fad->fad_aupath; 17077c478bd9Sstevel@tonic-gate mutex_exit(&pad->pad_lock); 17087c478bd9Sstevel@tonic-gate if (tad->tad_flag) { 17097c478bd9Sstevel@tonic-gate au_uwrite(au_to_path(fad->fad_aupath)); 17107c478bd9Sstevel@tonic-gate audit_attributes(fp->f_vnode); 17117c478bd9Sstevel@tonic-gate } 17127c478bd9Sstevel@tonic-gate } 17137c478bd9Sstevel@tonic-gate releasef(uap->fd); 17147c478bd9Sstevel@tonic-gate } 17157c478bd9Sstevel@tonic-gate } 17167c478bd9Sstevel@tonic-gate 17177c478bd9Sstevel@tonic-gate /* 17187c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_GETF 17197c478bd9Sstevel@tonic-gate * PURPOSE: 17207c478bd9Sstevel@tonic-gate * CALLBY: GETF_INTERNAL 17217c478bd9Sstevel@tonic-gate * NOTE: The main function of GETF_INTERNAL is to associate a given 17227c478bd9Sstevel@tonic-gate * file descriptor with a file structure and increment the 17237c478bd9Sstevel@tonic-gate * file pointer reference count. 17247c478bd9Sstevel@tonic-gate * TODO: remove pass in of fpp. 17257c478bd9Sstevel@tonic-gate * increment a reference count so that even if a thread with same process delete 17267c478bd9Sstevel@tonic-gate * the same object, it will not panic our system 17277c478bd9Sstevel@tonic-gate * QUESTION: 17287c478bd9Sstevel@tonic-gate * where to decrement the f_count????????????????? 17297c478bd9Sstevel@tonic-gate * seems like I need to set a flag if f_count incrmented through audit_getf 17307c478bd9Sstevel@tonic-gate */ 17317c478bd9Sstevel@tonic-gate 17327c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 17337c478bd9Sstevel@tonic-gate int 17347c478bd9Sstevel@tonic-gate audit_getf(int fd) 17357c478bd9Sstevel@tonic-gate { 17367c478bd9Sstevel@tonic-gate #ifdef NOTYET 17377c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 17387c478bd9Sstevel@tonic-gate 17397c478bd9Sstevel@tonic-gate tad = T2A(curthread); 17407c478bd9Sstevel@tonic-gate 17417c478bd9Sstevel@tonic-gate if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 17427c478bd9Sstevel@tonic-gate return; 17437c478bd9Sstevel@tonic-gate #endif 17447c478bd9Sstevel@tonic-gate return (0); 17457c478bd9Sstevel@tonic-gate } 17467c478bd9Sstevel@tonic-gate 17477c478bd9Sstevel@tonic-gate /* 17487c478bd9Sstevel@tonic-gate * Audit hook for stream based socket and tli request. 17497c478bd9Sstevel@tonic-gate * Note that we do not have user context while executing 17507c478bd9Sstevel@tonic-gate * this code so we had to record them earlier during the 17517c478bd9Sstevel@tonic-gate * putmsg/getmsg to figure out which user we are dealing with. 17527c478bd9Sstevel@tonic-gate */ 17537c478bd9Sstevel@tonic-gate 17547c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 17557c478bd9Sstevel@tonic-gate void 17567c478bd9Sstevel@tonic-gate audit_sock( 17577c478bd9Sstevel@tonic-gate int type, /* type of tihdr.h header requests */ 17587c478bd9Sstevel@tonic-gate queue_t *q, /* contains the process and thread audit data */ 17597c478bd9Sstevel@tonic-gate mblk_t *mp, /* contains the tihdr.h header structures */ 17607c478bd9Sstevel@tonic-gate int from) /* timod or sockmod request */ 17617c478bd9Sstevel@tonic-gate { 17627c478bd9Sstevel@tonic-gate int32_t len; 17637c478bd9Sstevel@tonic-gate int32_t offset; 17647c478bd9Sstevel@tonic-gate struct sockaddr_in *sock_data; 17657c478bd9Sstevel@tonic-gate struct T_conn_req *conn_req; 17667c478bd9Sstevel@tonic-gate struct T_conn_ind *conn_ind; 17677c478bd9Sstevel@tonic-gate struct T_unitdata_req *unitdata_req; 17687c478bd9Sstevel@tonic-gate struct T_unitdata_ind *unitdata_ind; 17697c478bd9Sstevel@tonic-gate au_state_t estate; 17707c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 17717c478bd9Sstevel@tonic-gate caddr_t saved_thread_ptr; 17727c478bd9Sstevel@tonic-gate au_mask_t amask; 17737c478bd9Sstevel@tonic-gate const auditinfo_addr_t *ainfo; 17747c478bd9Sstevel@tonic-gate au_kcontext_t *kctx; 17757c478bd9Sstevel@tonic-gate zone_status_t zstate; 17767c478bd9Sstevel@tonic-gate 17777c478bd9Sstevel@tonic-gate if (q->q_stream == NULL) 17787c478bd9Sstevel@tonic-gate return; 17797c478bd9Sstevel@tonic-gate mutex_enter(&q->q_stream->sd_lock); 17807c478bd9Sstevel@tonic-gate /* are we being audited */ 17817c478bd9Sstevel@tonic-gate saved_thread_ptr = q->q_stream->sd_t_audit_data; 17827c478bd9Sstevel@tonic-gate /* no pointer to thread, nothing to do */ 17837c478bd9Sstevel@tonic-gate if (saved_thread_ptr == NULL) { 17847c478bd9Sstevel@tonic-gate mutex_exit(&q->q_stream->sd_lock); 17857c478bd9Sstevel@tonic-gate return; 17867c478bd9Sstevel@tonic-gate } 17877c478bd9Sstevel@tonic-gate /* only allow one addition of a record token */ 17887c478bd9Sstevel@tonic-gate q->q_stream->sd_t_audit_data = NULL; 17897c478bd9Sstevel@tonic-gate /* 17907c478bd9Sstevel@tonic-gate * thread is not the one being audited, then nothing to do 17917c478bd9Sstevel@tonic-gate * This could be the stream thread handling the module 17927c478bd9Sstevel@tonic-gate * service routine. In this case, the context for the audit 17937c478bd9Sstevel@tonic-gate * record can no longer be assumed. Simplest to just drop 17947c478bd9Sstevel@tonic-gate * the operation. 17957c478bd9Sstevel@tonic-gate */ 17967c478bd9Sstevel@tonic-gate if (curthread != (kthread_id_t)saved_thread_ptr) { 17977c478bd9Sstevel@tonic-gate mutex_exit(&q->q_stream->sd_lock); 17987c478bd9Sstevel@tonic-gate return; 17997c478bd9Sstevel@tonic-gate } 18007c478bd9Sstevel@tonic-gate if (curthread->t_sysnum >= SYS_so_socket && 18017c478bd9Sstevel@tonic-gate curthread->t_sysnum <= SYS_sockconfig) { 18027c478bd9Sstevel@tonic-gate mutex_exit(&q->q_stream->sd_lock); 18037c478bd9Sstevel@tonic-gate return; 18047c478bd9Sstevel@tonic-gate } 18057c478bd9Sstevel@tonic-gate mutex_exit(&q->q_stream->sd_lock); 18067c478bd9Sstevel@tonic-gate /* 18077c478bd9Sstevel@tonic-gate * we know that the thread that did the put/getmsg is the 18087c478bd9Sstevel@tonic-gate * one running. Now we can get the TAD and see if we should 18097c478bd9Sstevel@tonic-gate * add an audit token. 18107c478bd9Sstevel@tonic-gate */ 18117c478bd9Sstevel@tonic-gate tad = U2A(u); 18127c478bd9Sstevel@tonic-gate 18137c478bd9Sstevel@tonic-gate kctx = SET_KCTX_PZ; 18147c478bd9Sstevel@tonic-gate if (kctx == NULL) { 18157c478bd9Sstevel@tonic-gate zstate = zone_status_get(curproc->p_zone); 18167c478bd9Sstevel@tonic-gate ASSERT(zstate != ZONE_IS_READY); 18177c478bd9Sstevel@tonic-gate return; 18187c478bd9Sstevel@tonic-gate } 18197c478bd9Sstevel@tonic-gate 18207c478bd9Sstevel@tonic-gate /* proceed ONLY if user is being audited */ 18217c478bd9Sstevel@tonic-gate if (!tad->tad_flag) 18227c478bd9Sstevel@tonic-gate return; 18237c478bd9Sstevel@tonic-gate 18247c478bd9Sstevel@tonic-gate ainfo = crgetauinfo(CRED()); 18257c478bd9Sstevel@tonic-gate if (ainfo == NULL) 18267c478bd9Sstevel@tonic-gate return; 18277c478bd9Sstevel@tonic-gate amask = ainfo->ai_mask; 18287c478bd9Sstevel@tonic-gate 18297c478bd9Sstevel@tonic-gate /* 18307c478bd9Sstevel@tonic-gate * Figure out the type of stream networking request here. 18317c478bd9Sstevel@tonic-gate * Note that getmsg and putmsg are always preselected 18327c478bd9Sstevel@tonic-gate * because during the beginning of the system call we have 18337c478bd9Sstevel@tonic-gate * not yet figure out which of the socket or tli request 18347c478bd9Sstevel@tonic-gate * we are looking at until we are here. So we need to check 18357c478bd9Sstevel@tonic-gate * against that specific request and reset the type of event. 18367c478bd9Sstevel@tonic-gate */ 18377c478bd9Sstevel@tonic-gate switch (type) { 18387c478bd9Sstevel@tonic-gate case T_CONN_REQ: /* connection request */ 18397c478bd9Sstevel@tonic-gate conn_req = (struct T_conn_req *)mp->b_rptr; 18407c478bd9Sstevel@tonic-gate if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 18417c478bd9Sstevel@tonic-gate return; 18427c478bd9Sstevel@tonic-gate offset = conn_req->DEST_offset; 18437c478bd9Sstevel@tonic-gate len = conn_req->DEST_length; 18447c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[AUE_SOCKCONNECT]; 18457c478bd9Sstevel@tonic-gate if (amask.as_success & estate || amask.as_failure & estate) { 18467c478bd9Sstevel@tonic-gate tad->tad_event = AUE_SOCKCONNECT; 18477c478bd9Sstevel@tonic-gate break; 18487c478bd9Sstevel@tonic-gate } else { 18497c478bd9Sstevel@tonic-gate return; 18507c478bd9Sstevel@tonic-gate } 18517c478bd9Sstevel@tonic-gate case T_CONN_IND: /* connectionless receive request */ 18527c478bd9Sstevel@tonic-gate conn_ind = (struct T_conn_ind *)mp->b_rptr; 18537c478bd9Sstevel@tonic-gate if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 18547c478bd9Sstevel@tonic-gate return; 18557c478bd9Sstevel@tonic-gate offset = conn_ind->SRC_offset; 18567c478bd9Sstevel@tonic-gate len = conn_ind->SRC_length; 18577c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[AUE_SOCKACCEPT]; 18587c478bd9Sstevel@tonic-gate if (amask.as_success & estate || amask.as_failure & estate) { 18597c478bd9Sstevel@tonic-gate tad->tad_event = AUE_SOCKACCEPT; 18607c478bd9Sstevel@tonic-gate break; 18617c478bd9Sstevel@tonic-gate } else { 18627c478bd9Sstevel@tonic-gate return; 18637c478bd9Sstevel@tonic-gate } 18647c478bd9Sstevel@tonic-gate case T_UNITDATA_REQ: /* connectionless send request */ 18657c478bd9Sstevel@tonic-gate unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 18667c478bd9Sstevel@tonic-gate if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 18677c478bd9Sstevel@tonic-gate return; 18687c478bd9Sstevel@tonic-gate offset = unitdata_req->DEST_offset; 18697c478bd9Sstevel@tonic-gate len = unitdata_req->DEST_length; 18707c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[AUE_SOCKSEND]; 18717c478bd9Sstevel@tonic-gate if (amask.as_success & estate || amask.as_failure & estate) { 18727c478bd9Sstevel@tonic-gate tad->tad_event = AUE_SOCKSEND; 18737c478bd9Sstevel@tonic-gate break; 18747c478bd9Sstevel@tonic-gate } else { 18757c478bd9Sstevel@tonic-gate return; 18767c478bd9Sstevel@tonic-gate } 18777c478bd9Sstevel@tonic-gate case T_UNITDATA_IND: /* connectionless receive request */ 18787c478bd9Sstevel@tonic-gate unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 18797c478bd9Sstevel@tonic-gate if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 18807c478bd9Sstevel@tonic-gate return; 18817c478bd9Sstevel@tonic-gate offset = unitdata_ind->SRC_offset; 18827c478bd9Sstevel@tonic-gate len = unitdata_ind->SRC_length; 18837c478bd9Sstevel@tonic-gate estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 18847c478bd9Sstevel@tonic-gate if (amask.as_success & estate || amask.as_failure & estate) { 18857c478bd9Sstevel@tonic-gate tad->tad_event = AUE_SOCKRECEIVE; 18867c478bd9Sstevel@tonic-gate break; 18877c478bd9Sstevel@tonic-gate } else { 18887c478bd9Sstevel@tonic-gate return; 18897c478bd9Sstevel@tonic-gate } 18907c478bd9Sstevel@tonic-gate default: 18917c478bd9Sstevel@tonic-gate return; 18927c478bd9Sstevel@tonic-gate } 18937c478bd9Sstevel@tonic-gate 18947c478bd9Sstevel@tonic-gate /* 18957c478bd9Sstevel@tonic-gate * we are only interested in tcp stream connections, 18967c478bd9Sstevel@tonic-gate * not unix domain stuff 18977c478bd9Sstevel@tonic-gate */ 18987c478bd9Sstevel@tonic-gate if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 18997c478bd9Sstevel@tonic-gate tad->tad_event = AUE_GETMSG; 19007c478bd9Sstevel@tonic-gate return; 19017c478bd9Sstevel@tonic-gate } 19027c478bd9Sstevel@tonic-gate /* skip over TPI header and point to the ip address */ 19037c478bd9Sstevel@tonic-gate sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 19047c478bd9Sstevel@tonic-gate 19057c478bd9Sstevel@tonic-gate switch (sock_data->sin_family) { 19067c478bd9Sstevel@tonic-gate case AF_INET: 19077c478bd9Sstevel@tonic-gate au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 19087c478bd9Sstevel@tonic-gate break; 19097c478bd9Sstevel@tonic-gate default: /* reset to AUE_PUTMSG if not a inet request */ 19107c478bd9Sstevel@tonic-gate tad->tad_event = AUE_GETMSG; 19117c478bd9Sstevel@tonic-gate break; 19127c478bd9Sstevel@tonic-gate } 19137c478bd9Sstevel@tonic-gate } 19147c478bd9Sstevel@tonic-gate 19157c478bd9Sstevel@tonic-gate void 19167c478bd9Sstevel@tonic-gate audit_lookupname() 19177c478bd9Sstevel@tonic-gate { 19187c478bd9Sstevel@tonic-gate } 19197c478bd9Sstevel@tonic-gate 19207c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 19217c478bd9Sstevel@tonic-gate int 19227c478bd9Sstevel@tonic-gate audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 19237c478bd9Sstevel@tonic-gate { 19247c478bd9Sstevel@tonic-gate return (0); 19257c478bd9Sstevel@tonic-gate } 19267c478bd9Sstevel@tonic-gate 19277c478bd9Sstevel@tonic-gate static void 19287c478bd9Sstevel@tonic-gate add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 19297c478bd9Sstevel@tonic-gate { 19307c478bd9Sstevel@tonic-gate unsigned int sy_flags; 19317c478bd9Sstevel@tonic-gate 19327c478bd9Sstevel@tonic-gate #ifdef _SYSCALL32_IMPL 19337c478bd9Sstevel@tonic-gate if (lwp_getdatamodel( 19347c478bd9Sstevel@tonic-gate ttolwp(curthread)) == DATAMODEL_NATIVE) 19357c478bd9Sstevel@tonic-gate sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 19367c478bd9Sstevel@tonic-gate else 19377c478bd9Sstevel@tonic-gate sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 19387c478bd9Sstevel@tonic-gate #else 19397c478bd9Sstevel@tonic-gate sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 19407c478bd9Sstevel@tonic-gate #endif 19417c478bd9Sstevel@tonic-gate 19427c478bd9Sstevel@tonic-gate if (sy_flags == SE_64RVAL) 19437c478bd9Sstevel@tonic-gate au_write(ad, au_to_return64(err, rval)); 19447c478bd9Sstevel@tonic-gate else 19457c478bd9Sstevel@tonic-gate au_write(ad, au_to_return32(err, rval)); 19467c478bd9Sstevel@tonic-gate 19477c478bd9Sstevel@tonic-gate } 19487c478bd9Sstevel@tonic-gate 19497c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 19507c478bd9Sstevel@tonic-gate void 19517c478bd9Sstevel@tonic-gate audit_fdsend(fd, fp, error) 19527c478bd9Sstevel@tonic-gate int fd; 19537c478bd9Sstevel@tonic-gate struct file *fp; 19547c478bd9Sstevel@tonic-gate int error; /* ignore for now */ 19557c478bd9Sstevel@tonic-gate { 19567c478bd9Sstevel@tonic-gate t_audit_data_t *tad; /* current thread */ 19577c478bd9Sstevel@tonic-gate f_audit_data_t *fad; /* per file audit structure */ 19587c478bd9Sstevel@tonic-gate struct vnode *vp; /* for file attributes */ 19597c478bd9Sstevel@tonic-gate 19607c478bd9Sstevel@tonic-gate /* is this system call being audited */ 19617c478bd9Sstevel@tonic-gate tad = U2A(u); 19627c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 19637c478bd9Sstevel@tonic-gate if (!tad->tad_flag) 19647c478bd9Sstevel@tonic-gate return; 19657c478bd9Sstevel@tonic-gate 19667c478bd9Sstevel@tonic-gate fad = F2A(fp); 19677c478bd9Sstevel@tonic-gate 19687c478bd9Sstevel@tonic-gate /* add path and file attributes */ 19697c478bd9Sstevel@tonic-gate if (fad != NULL && fad->fad_aupath != NULL) { 19707c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 19717c478bd9Sstevel@tonic-gate au_uwrite(au_to_path(fad->fad_aupath)); 19727c478bd9Sstevel@tonic-gate } else { 19737c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 19747c478bd9Sstevel@tonic-gate #ifdef _LP64 19757c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 19767c478bd9Sstevel@tonic-gate #else 19777c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 19787c478bd9Sstevel@tonic-gate #endif 19797c478bd9Sstevel@tonic-gate } 19807c478bd9Sstevel@tonic-gate vp = fp->f_vnode; /* include vnode attributes */ 19817c478bd9Sstevel@tonic-gate audit_attributes(vp); 19827c478bd9Sstevel@tonic-gate } 19837c478bd9Sstevel@tonic-gate 19847c478bd9Sstevel@tonic-gate /* 19857c478bd9Sstevel@tonic-gate * Record privileges sucessfully used and we attempted to use but 19867c478bd9Sstevel@tonic-gate * didn't have. 19877c478bd9Sstevel@tonic-gate */ 19887c478bd9Sstevel@tonic-gate void 19897c478bd9Sstevel@tonic-gate audit_priv(int priv, const priv_set_t *set, int flag) 19907c478bd9Sstevel@tonic-gate { 19917c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 19927c478bd9Sstevel@tonic-gate int sbit; 19937c478bd9Sstevel@tonic-gate priv_set_t *target; 19947c478bd9Sstevel@tonic-gate 19957c478bd9Sstevel@tonic-gate /* Make sure this isn't being called in an interrupt context */ 19967c478bd9Sstevel@tonic-gate ASSERT(servicing_interrupt() == 0); 19977c478bd9Sstevel@tonic-gate 19987c478bd9Sstevel@tonic-gate tad = U2A(u); 19997c478bd9Sstevel@tonic-gate 20007c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 20017c478bd9Sstevel@tonic-gate return; 20027c478bd9Sstevel@tonic-gate 20037c478bd9Sstevel@tonic-gate target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 20047c478bd9Sstevel@tonic-gate sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 20057c478bd9Sstevel@tonic-gate 20067c478bd9Sstevel@tonic-gate /* Tell audit_success() and audit_finish() that we saw this case */ 20077c478bd9Sstevel@tonic-gate if (!(tad->tad_evmod & sbit)) { 20087c478bd9Sstevel@tonic-gate /* Clear set first time around */ 20097c478bd9Sstevel@tonic-gate priv_emptyset(target); 20107c478bd9Sstevel@tonic-gate tad->tad_evmod |= sbit; 20117c478bd9Sstevel@tonic-gate } 20127c478bd9Sstevel@tonic-gate 20137c478bd9Sstevel@tonic-gate /* Save the privileges in the tad */ 20147c478bd9Sstevel@tonic-gate if (priv == PRIV_ALL) { 20157c478bd9Sstevel@tonic-gate priv_fillset(target); 20167c478bd9Sstevel@tonic-gate } else { 20177c478bd9Sstevel@tonic-gate ASSERT(set != NULL || priv != PRIV_NONE); 20187c478bd9Sstevel@tonic-gate if (set != NULL) 20197c478bd9Sstevel@tonic-gate priv_union(set, target); 20207c478bd9Sstevel@tonic-gate if (priv != PRIV_NONE) 20217c478bd9Sstevel@tonic-gate priv_addset(target, priv); 20227c478bd9Sstevel@tonic-gate } 20237c478bd9Sstevel@tonic-gate } 20247c478bd9Sstevel@tonic-gate 20257c478bd9Sstevel@tonic-gate /* 20267c478bd9Sstevel@tonic-gate * Audit the setpriv() system call; the operation, the set name and 20277c478bd9Sstevel@tonic-gate * the current value as well as the set argument are put in the 20287c478bd9Sstevel@tonic-gate * audit trail. 20297c478bd9Sstevel@tonic-gate */ 20307c478bd9Sstevel@tonic-gate void 20317c478bd9Sstevel@tonic-gate audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 20327c478bd9Sstevel@tonic-gate { 20337c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 20347c478bd9Sstevel@tonic-gate const priv_set_t *oldpriv; 20357c478bd9Sstevel@tonic-gate priv_set_t report; 20367c478bd9Sstevel@tonic-gate const char *setname; 20377c478bd9Sstevel@tonic-gate 20387c478bd9Sstevel@tonic-gate tad = U2A(u); 20397c478bd9Sstevel@tonic-gate 20407c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 20417c478bd9Sstevel@tonic-gate return; 20427c478bd9Sstevel@tonic-gate 20437c478bd9Sstevel@tonic-gate oldpriv = priv_getset(ocr, set); 20447c478bd9Sstevel@tonic-gate 20457c478bd9Sstevel@tonic-gate /* Generate the actual record, include the before and after */ 20467c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(2, "op", op)); 20477c478bd9Sstevel@tonic-gate setname = priv_getsetbynum(set); 20487c478bd9Sstevel@tonic-gate 20497c478bd9Sstevel@tonic-gate switch (op) { 20507c478bd9Sstevel@tonic-gate case PRIV_OFF: 20517c478bd9Sstevel@tonic-gate /* Report privileges actually switched off */ 20527c478bd9Sstevel@tonic-gate report = *oldpriv; 20537c478bd9Sstevel@tonic-gate priv_intersect(newpriv, &report); 20547c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 20557c478bd9Sstevel@tonic-gate break; 20567c478bd9Sstevel@tonic-gate case PRIV_ON: 20577c478bd9Sstevel@tonic-gate /* Report privileges actually switched on */ 20587c478bd9Sstevel@tonic-gate report = *oldpriv; 20597c478bd9Sstevel@tonic-gate priv_inverse(&report); 20607c478bd9Sstevel@tonic-gate priv_intersect(newpriv, &report); 20617c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 20627c478bd9Sstevel@tonic-gate break; 20637c478bd9Sstevel@tonic-gate case PRIV_SET: 20647c478bd9Sstevel@tonic-gate /* Report before and after */ 20657c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 20667c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 20677c478bd9Sstevel@tonic-gate break; 20687c478bd9Sstevel@tonic-gate } 20697c478bd9Sstevel@tonic-gate } 20707c478bd9Sstevel@tonic-gate 20717c478bd9Sstevel@tonic-gate /* 20727c478bd9Sstevel@tonic-gate * Dump the full device policy setting in the audit trail. 20737c478bd9Sstevel@tonic-gate */ 20747c478bd9Sstevel@tonic-gate void 20757c478bd9Sstevel@tonic-gate audit_devpolicy(int nitems, const devplcysys_t *items) 20767c478bd9Sstevel@tonic-gate { 20777c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 20787c478bd9Sstevel@tonic-gate int i; 20797c478bd9Sstevel@tonic-gate 20807c478bd9Sstevel@tonic-gate tad = U2A(u); 20817c478bd9Sstevel@tonic-gate 20827c478bd9Sstevel@tonic-gate if (tad->tad_flag == 0) 20837c478bd9Sstevel@tonic-gate return; 20847c478bd9Sstevel@tonic-gate 20857c478bd9Sstevel@tonic-gate for (i = 0; i < nitems; i++) { 20867c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 20877c478bd9Sstevel@tonic-gate if (items[i].dps_minornm[0] == '\0') { 20887c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 20897c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 20907c478bd9Sstevel@tonic-gate } else 20917c478bd9Sstevel@tonic-gate au_uwrite(au_to_text(items[i].dps_minornm)); 20927c478bd9Sstevel@tonic-gate 20937c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset("read", &items[i].dps_rdp, 20947c478bd9Sstevel@tonic-gate AUT_PRIV, 0)); 20957c478bd9Sstevel@tonic-gate au_uwrite(au_to_privset("write", &items[i].dps_wrp, 20967c478bd9Sstevel@tonic-gate AUT_PRIV, 0)); 20977c478bd9Sstevel@tonic-gate } 20987c478bd9Sstevel@tonic-gate } 20997c478bd9Sstevel@tonic-gate 21007c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 21017c478bd9Sstevel@tonic-gate void 21027c478bd9Sstevel@tonic-gate audit_fdrecv(fd, fp) 21037c478bd9Sstevel@tonic-gate int fd; 21047c478bd9Sstevel@tonic-gate struct file *fp; 21057c478bd9Sstevel@tonic-gate { 21067c478bd9Sstevel@tonic-gate t_audit_data_t *tad; /* current thread */ 21077c478bd9Sstevel@tonic-gate f_audit_data_t *fad; /* per file audit structure */ 21087c478bd9Sstevel@tonic-gate struct vnode *vp; /* for file attributes */ 21097c478bd9Sstevel@tonic-gate 21107c478bd9Sstevel@tonic-gate /* is this system call being audited */ 21117c478bd9Sstevel@tonic-gate tad = U2A(u); 21127c478bd9Sstevel@tonic-gate ASSERT(tad != (t_audit_data_t *)0); 21137c478bd9Sstevel@tonic-gate if (!tad->tad_flag) 21147c478bd9Sstevel@tonic-gate return; 21157c478bd9Sstevel@tonic-gate 21167c478bd9Sstevel@tonic-gate fad = F2A(fp); 21177c478bd9Sstevel@tonic-gate 21187c478bd9Sstevel@tonic-gate /* add path and file attributes */ 21197c478bd9Sstevel@tonic-gate if (fad != NULL && fad->fad_aupath != NULL) { 21207c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 21217c478bd9Sstevel@tonic-gate au_uwrite(au_to_path(fad->fad_aupath)); 21227c478bd9Sstevel@tonic-gate } else { 21237c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 21247c478bd9Sstevel@tonic-gate #ifdef _LP64 21257c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 21267c478bd9Sstevel@tonic-gate #else 21277c478bd9Sstevel@tonic-gate au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 21287c478bd9Sstevel@tonic-gate #endif 21297c478bd9Sstevel@tonic-gate } 21307c478bd9Sstevel@tonic-gate vp = fp->f_vnode; /* include vnode attributes */ 21317c478bd9Sstevel@tonic-gate audit_attributes(vp); 21327c478bd9Sstevel@tonic-gate } 21337c478bd9Sstevel@tonic-gate 21347c478bd9Sstevel@tonic-gate /* 21357c478bd9Sstevel@tonic-gate * ROUTINE: AUDIT_CRYPTOADM 21367c478bd9Sstevel@tonic-gate * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 21377c478bd9Sstevel@tonic-gate * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 21387c478bd9Sstevel@tonic-gate * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 21397c478bd9Sstevel@tonic-gate * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 21407c478bd9Sstevel@tonic-gate * CRYPTO_LOAD_DOOR 21417c478bd9Sstevel@tonic-gate * NOTE: 21427c478bd9Sstevel@tonic-gate * TODO: 21437c478bd9Sstevel@tonic-gate * QUESTION: 21447c478bd9Sstevel@tonic-gate */ 21457c478bd9Sstevel@tonic-gate 21467c478bd9Sstevel@tonic-gate void 21477c478bd9Sstevel@tonic-gate audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 21487c478bd9Sstevel@tonic-gate uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 21497c478bd9Sstevel@tonic-gate { 21507c478bd9Sstevel@tonic-gate boolean_t mech_list_required = B_FALSE; 21517c478bd9Sstevel@tonic-gate cred_t *cr = CRED(); 21527c478bd9Sstevel@tonic-gate t_audit_data_t *tad; 21537c478bd9Sstevel@tonic-gate token_t *ad = NULL; 21547c478bd9Sstevel@tonic-gate const auditinfo_addr_t *ainfo = crgetauinfo(cr); 21557c478bd9Sstevel@tonic-gate char buffer[MAXNAMELEN * 2]; 21567c478bd9Sstevel@tonic-gate au_kcontext_t *kctx = SET_KCTX_PZ; 21577c478bd9Sstevel@tonic-gate 21587c478bd9Sstevel@tonic-gate ASSERT(kctx != NULL); 21597c478bd9Sstevel@tonic-gate 21607c478bd9Sstevel@tonic-gate tad = U2A(u); 21617c478bd9Sstevel@tonic-gate if (tad == NULL) 21627c478bd9Sstevel@tonic-gate return; 21637c478bd9Sstevel@tonic-gate 21647c478bd9Sstevel@tonic-gate if (ainfo == NULL) 21657c478bd9Sstevel@tonic-gate return; 21667c478bd9Sstevel@tonic-gate 21677c478bd9Sstevel@tonic-gate tad->tad_event = AUE_CRYPTOADM; 21687c478bd9Sstevel@tonic-gate 21697c478bd9Sstevel@tonic-gate if (audit_success(kctx, tad, error) != AU_OK) 21707c478bd9Sstevel@tonic-gate return; 21717c478bd9Sstevel@tonic-gate 21727c478bd9Sstevel@tonic-gate /* Add a subject token */ 21737c478bd9Sstevel@tonic-gate AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo); 21747c478bd9Sstevel@tonic-gate 21757c478bd9Sstevel@tonic-gate /* add an optional group token */ 21767c478bd9Sstevel@tonic-gate AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx); 21777c478bd9Sstevel@tonic-gate 2178*45916cd2Sjpk /* add slabel token */ 2179*45916cd2Sjpk if (is_system_labeled()) 2180*45916cd2Sjpk au_write((caddr_t *)&ad, au_to_label(CR_SL(cr))); 2181*45916cd2Sjpk 21827c478bd9Sstevel@tonic-gate switch (cmd) { 21837c478bd9Sstevel@tonic-gate case CRYPTO_LOAD_DEV_DISABLED: 21847c478bd9Sstevel@tonic-gate if (error == 0 && rv == CRYPTO_SUCCESS) { 21857c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 21867c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 21877c478bd9Sstevel@tonic-gate " dev_instance=%d", 21887c478bd9Sstevel@tonic-gate module_name, device_instance); 21897c478bd9Sstevel@tonic-gate mech_list_required = B_TRUE; 21907c478bd9Sstevel@tonic-gate } else { 21917c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 21927c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 21937c478bd9Sstevel@tonic-gate } 21947c478bd9Sstevel@tonic-gate break; 21957c478bd9Sstevel@tonic-gate 21967c478bd9Sstevel@tonic-gate case CRYPTO_LOAD_SOFT_DISABLED: 21977c478bd9Sstevel@tonic-gate if (error == 0 && rv == CRYPTO_SUCCESS) { 21987c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 21997c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 22007c478bd9Sstevel@tonic-gate module_name); 22017c478bd9Sstevel@tonic-gate mech_list_required = B_TRUE; 22027c478bd9Sstevel@tonic-gate } else { 22037c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22047c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 22057c478bd9Sstevel@tonic-gate } 22067c478bd9Sstevel@tonic-gate break; 22077c478bd9Sstevel@tonic-gate 22087c478bd9Sstevel@tonic-gate case CRYPTO_UNLOAD_SOFT_MODULE: 22097c478bd9Sstevel@tonic-gate if (error == 0 && rv == CRYPTO_SUCCESS) { 22107c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22117c478bd9Sstevel@tonic-gate "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 22127c478bd9Sstevel@tonic-gate module_name); 22137c478bd9Sstevel@tonic-gate } else { 22147c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22157c478bd9Sstevel@tonic-gate "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 22167c478bd9Sstevel@tonic-gate } 22177c478bd9Sstevel@tonic-gate break; 22187c478bd9Sstevel@tonic-gate 22197c478bd9Sstevel@tonic-gate case CRYPTO_LOAD_SOFT_CONFIG: 22207c478bd9Sstevel@tonic-gate if (error == 0 && rv == CRYPTO_SUCCESS) { 22217c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22227c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 22237c478bd9Sstevel@tonic-gate module_name); 22247c478bd9Sstevel@tonic-gate mech_list_required = B_TRUE; 22257c478bd9Sstevel@tonic-gate } else { 22267c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22277c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 22287c478bd9Sstevel@tonic-gate } 22297c478bd9Sstevel@tonic-gate break; 22307c478bd9Sstevel@tonic-gate 22317c478bd9Sstevel@tonic-gate case CRYPTO_POOL_CREATE: 22327c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22337c478bd9Sstevel@tonic-gate "op=CRYPTO_POOL_CREATE"); 22347c478bd9Sstevel@tonic-gate break; 22357c478bd9Sstevel@tonic-gate 22367c478bd9Sstevel@tonic-gate case CRYPTO_POOL_WAIT: 22377c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 22387c478bd9Sstevel@tonic-gate break; 22397c478bd9Sstevel@tonic-gate 22407c478bd9Sstevel@tonic-gate case CRYPTO_POOL_RUN: 22417c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 22427c478bd9Sstevel@tonic-gate break; 22437c478bd9Sstevel@tonic-gate 22447c478bd9Sstevel@tonic-gate case CRYPTO_LOAD_DOOR: 22457c478bd9Sstevel@tonic-gate if (error == 0 && rv == CRYPTO_SUCCESS) 22467c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22477c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_DOOR"); 22487c478bd9Sstevel@tonic-gate else 22497c478bd9Sstevel@tonic-gate (void) snprintf(buffer, sizeof (buffer), 22507c478bd9Sstevel@tonic-gate "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 22517c478bd9Sstevel@tonic-gate break; 22527c478bd9Sstevel@tonic-gate 22537c478bd9Sstevel@tonic-gate default: 22547c478bd9Sstevel@tonic-gate return; 22557c478bd9Sstevel@tonic-gate } 22567c478bd9Sstevel@tonic-gate 22577c478bd9Sstevel@tonic-gate au_write((caddr_t *)&ad, au_to_text(buffer)); 22587c478bd9Sstevel@tonic-gate 22597c478bd9Sstevel@tonic-gate if (mech_list_required) { 22607c478bd9Sstevel@tonic-gate int i; 22617c478bd9Sstevel@tonic-gate 22627c478bd9Sstevel@tonic-gate if (mech_count == 0) { 22637c478bd9Sstevel@tonic-gate au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 22647c478bd9Sstevel@tonic-gate } else { 22657c478bd9Sstevel@tonic-gate char *pb = buffer; 22667c478bd9Sstevel@tonic-gate size_t l = sizeof (buffer); 22677c478bd9Sstevel@tonic-gate size_t n; 22687c478bd9Sstevel@tonic-gate char space[2] = ":"; 22697c478bd9Sstevel@tonic-gate 22707c478bd9Sstevel@tonic-gate n = snprintf(pb, l, "mech="); 22717c478bd9Sstevel@tonic-gate 22727c478bd9Sstevel@tonic-gate for (i = 0; i < mech_count; i++) { 22737c478bd9Sstevel@tonic-gate pb += n; 22747c478bd9Sstevel@tonic-gate l -= n; 22757c478bd9Sstevel@tonic-gate if (l < 0) 22767c478bd9Sstevel@tonic-gate l = 0; 22777c478bd9Sstevel@tonic-gate 22787c478bd9Sstevel@tonic-gate if (i == mech_count - 1) 22797c478bd9Sstevel@tonic-gate (void) strcpy(space, ""); 22807c478bd9Sstevel@tonic-gate 22817c478bd9Sstevel@tonic-gate n = snprintf(pb, l, "%s%s", mech_names[i], 22827c478bd9Sstevel@tonic-gate space); 22837c478bd9Sstevel@tonic-gate } 22847c478bd9Sstevel@tonic-gate au_write((caddr_t *)&ad, au_to_text(buffer)); 22857c478bd9Sstevel@tonic-gate } 22867c478bd9Sstevel@tonic-gate } 22877c478bd9Sstevel@tonic-gate 22887c478bd9Sstevel@tonic-gate /* add a return token */ 22897c478bd9Sstevel@tonic-gate if (error || (rv != CRYPTO_SUCCESS)) 22907c478bd9Sstevel@tonic-gate add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 22917c478bd9Sstevel@tonic-gate else 22927c478bd9Sstevel@tonic-gate add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 22937c478bd9Sstevel@tonic-gate 22947c478bd9Sstevel@tonic-gate AS_INC(as_generated, 1, kctx); 22957c478bd9Sstevel@tonic-gate AS_INC(as_kernel, 1, kctx); 22967c478bd9Sstevel@tonic-gate 22977c478bd9Sstevel@tonic-gate au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 22987c478bd9Sstevel@tonic-gate } 2299c28749e9Skais 2300c28749e9Skais /* 2301c28749e9Skais * Audit the kernel SSL administration command. The address and the 2302c28749e9Skais * port number for the SSL instance, and the proxy port are put in the 2303c28749e9Skais * audit trail. 2304c28749e9Skais */ 2305c28749e9Skais void 2306c28749e9Skais audit_kssl(int cmd, void *params, int error) 2307c28749e9Skais { 2308c28749e9Skais cred_t *cr = CRED(); 2309c28749e9Skais t_audit_data_t *tad; 2310c28749e9Skais token_t *ad = NULL; 2311c28749e9Skais const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2312c28749e9Skais au_kcontext_t *kctx = SET_KCTX_PZ; 2313c28749e9Skais 2314c28749e9Skais ASSERT(kctx != NULL); 2315c28749e9Skais tad = U2A(u); 2316c28749e9Skais 2317c28749e9Skais if (ainfo == NULL) 2318c28749e9Skais return; 2319c28749e9Skais 2320c28749e9Skais tad->tad_event = AUE_CONFIGKSSL; 2321c28749e9Skais 2322c28749e9Skais if (audit_success(kctx, tad, error) != AU_OK) 2323c28749e9Skais return; 2324c28749e9Skais 2325c28749e9Skais /* Add a subject token */ 2326c28749e9Skais AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo); 2327c28749e9Skais 2328c28749e9Skais /* add an optional group token */ 2329c28749e9Skais AUDIT_SETGROUP((caddr_t *)&ad, cr, kctx); 2330c28749e9Skais 2331*45916cd2Sjpk /* Add slabel token */ 2332*45916cd2Sjpk if (is_system_labeled()) 2333*45916cd2Sjpk au_write(&(u_ad), au_to_label(CR_SL(cr))); 2334*45916cd2Sjpk 2335c28749e9Skais switch (cmd) { 2336c28749e9Skais case KSSL_ADD_ENTRY: { 2337c28749e9Skais char buf[32]; 2338c28749e9Skais kssl_params_t *kp = (kssl_params_t *)params; 2339c28749e9Skais struct sockaddr_in *saddr = &(kp->kssl_addr); 2340c28749e9Skais 2341c28749e9Skais au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2342c28749e9Skais au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2343c28749e9Skais (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2344c28749e9Skais saddr->sin_port); 2345c28749e9Skais au_write((caddr_t *)&ad, au_to_text(buf)); 2346c28749e9Skais 2347c28749e9Skais (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2348c28749e9Skais kp->kssl_proxy_port); 2349c28749e9Skais au_write((caddr_t *)&ad, au_to_text(buf)); 2350c28749e9Skais break; 2351c28749e9Skais } 2352c28749e9Skais 2353c28749e9Skais case KSSL_DELETE_ENTRY: { 2354c28749e9Skais char buf[32]; 2355c28749e9Skais struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2356c28749e9Skais 2357c28749e9Skais au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2358c28749e9Skais au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2359c28749e9Skais (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2360c28749e9Skais saddr->sin_port); 2361c28749e9Skais au_write((caddr_t *)&ad, au_to_text(buf)); 2362c28749e9Skais break; 2363c28749e9Skais } 2364c28749e9Skais 2365c28749e9Skais default: 2366c28749e9Skais return; 2367c28749e9Skais } 2368c28749e9Skais 2369c28749e9Skais /* add a return token */ 2370c28749e9Skais add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2371c28749e9Skais 2372c28749e9Skais AS_INC(as_generated, 1, kctx); 2373c28749e9Skais AS_INC(as_kernel, 1, kctx); 2374c28749e9Skais 2375c28749e9Skais au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2376c28749e9Skais } 2377*45916cd2Sjpk 2378*45916cd2Sjpk /* 2379*45916cd2Sjpk * ROUTINE: AUDIT_SEC_ATTRIBUTES 2380*45916cd2Sjpk * PURPOSE: Add security attributes 2381*45916cd2Sjpk * CALLBY: AUDIT_ATTRIBUTES 2382*45916cd2Sjpk * AUDIT_CLOSEF 2383*45916cd2Sjpk * AUS_CLOSE 2384*45916cd2Sjpk * NOTE: 2385*45916cd2Sjpk * TODO: 2386*45916cd2Sjpk * QUESTION: 2387*45916cd2Sjpk */ 2388*45916cd2Sjpk 2389*45916cd2Sjpk void 2390*45916cd2Sjpk audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2391*45916cd2Sjpk { 2392*45916cd2Sjpk /* Dump the SL */ 2393*45916cd2Sjpk if (is_system_labeled()) { 2394*45916cd2Sjpk ts_label_t *tsl; 2395*45916cd2Sjpk bslabel_t *bsl; 2396*45916cd2Sjpk 2397*45916cd2Sjpk tsl = getflabel(vp); 2398*45916cd2Sjpk if (tsl == NULL) 2399*45916cd2Sjpk return; /* nothing else to do */ 2400*45916cd2Sjpk 2401*45916cd2Sjpk bsl = label2bslabel(tsl); 2402*45916cd2Sjpk if (bsl == NULL) 2403*45916cd2Sjpk return; /* nothing else to do */ 2404*45916cd2Sjpk au_write(ad, au_to_label(bsl)); 2405*45916cd2Sjpk label_rele(tsl); 2406*45916cd2Sjpk } 2407*45916cd2Sjpk 2408*45916cd2Sjpk } /* AUDIT_SEC_ATTRIBUTES */ 2409