1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the audit hook support code for auditing. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/proc.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/file.h> 35 #include <sys/user.h> 36 #include <sys/stropts.h> 37 #include <sys/systm.h> 38 #include <sys/pathname.h> 39 #include <sys/syscall.h> 40 #include <sys/fcntl.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/msg_impl.h> 43 #include <sys/sem_impl.h> 44 #include <sys/shm_impl.h> 45 #include <sys/kmem.h> /* for KM_SLEEP */ 46 #include <sys/socket.h> 47 #include <sys/cmn_err.h> /* snprintf... */ 48 #include <sys/debug.h> 49 #include <sys/thread.h> 50 #include <netinet/in.h> 51 #include <c2/audit.h> /* needs to be included before user.h */ 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */ 53 #include <c2/audit_kevents.h> 54 #include <c2/audit_record.h> 55 #include <sys/strsubr.h> 56 #include <sys/tihdr.h> 57 #include <sys/tiuser.h> 58 #include <sys/timod.h> 59 #include <sys/model.h> /* for model_t */ 60 #include <sys/disp.h> /* for servicing_interrupt() */ 61 #include <sys/devpolicy.h> 62 #include <sys/crypto/ioctladmin.h> 63 #include <sys/cred_impl.h> 64 #include <inet/kssl/kssl.h> 65 #include <net/pfpolicy.h> 66 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval); 68 69 static void audit_pathbuild(struct pathname *pnp); 70 71 /* 72 * ROUTINE: AUDIT_NEWPROC 73 * PURPOSE: initialize the child p_audit_data structure 74 * CALLBY: GETPROC 75 * NOTE: All threads for the parent process are locked at this point. 76 * We are essentially running singled threaded for this reason. 77 * GETPROC is called when system creates a new process. 78 * By the time AUDIT_NEWPROC is called, the child proc 79 * structure has already been initialized. What we need 80 * to do is to allocate the child p_audit_data and 81 * initialize it with the content of current parent process. 82 */ 83 84 void 85 audit_newproc(struct proc *cp) /* initialized child proc structure */ 86 { 87 p_audit_data_t *pad; /* child process audit data */ 88 p_audit_data_t *opad; /* parent process audit data */ 89 90 pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP); 91 92 P2A(cp) = pad; 93 94 opad = P2A(curproc); 95 96 /* 97 * copy the audit data. Note that all threads of current 98 * process have been "held". Thus there is no race condition 99 * here with mutiple threads trying to alter the cwrd 100 * structure (such as releasing it). 101 * 102 * The audit context in the cred is "duplicated" for the new 103 * proc by elsewhere crhold'ing the parent's cred which it shares. 104 * 105 * We still want to hold things since auditon() [A_SETUMASK, 106 * A_SETSMASK] could be walking through the processes to 107 * update things. 108 */ 109 mutex_enter(&opad->pad_lock); /* lock opad structure during copy */ 110 pad->pad_data = opad->pad_data; /* copy parent's process audit data */ 111 au_pathhold(pad->pad_root); 112 au_pathhold(pad->pad_cwd); 113 mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */ 114 115 /* 116 * finish auditing of parent here so that it will be done 117 * before child has a chance to run. We include the child 118 * pid since the return value in the return token is a dummy 119 * one and contains no useful information (it is included to 120 * make the audit record structure consistant). 121 * 122 * tad_flag is set if auditing is on 123 */ 124 if (((t_audit_data_t *)T2A(curthread))->tad_flag) 125 au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid)); 126 127 /* 128 * finish up audit record generation here because child process 129 * is set to run before parent process. We distinguish here 130 * between FORK, FORK1, or VFORK by the saved system call ID. 131 */ 132 audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0); 133 } 134 135 /* 136 * ROUTINE: AUDIT_PFREE 137 * PURPOSE: deallocate the per-process udit data structure 138 * CALLBY: EXIT 139 * FORK_FAIL 140 * NOTE: all lwp except current one have stopped in SEXITLWPS 141 * why we are single threaded? 142 * . all lwp except current one have stopped in SEXITLWPS. 143 */ 144 void 145 audit_pfree(struct proc *p) /* proc structure to be freed */ 146 147 { /* AUDIT_PFREE */ 148 149 p_audit_data_t *pad; 150 151 pad = P2A(p); 152 153 /* better be a per process audit data structure */ 154 ASSERT(pad != (p_audit_data_t *)0); 155 156 if (pad == pad0) { 157 return; 158 } 159 160 /* deallocate all auditing resources for this process */ 161 au_pathrele(pad->pad_root); 162 au_pathrele(pad->pad_cwd); 163 164 /* 165 * Since the pad structure is completely overwritten after alloc, 166 * we don't bother to clear it. 167 */ 168 169 kmem_cache_free(au_pad_cache, pad); 170 } 171 172 /* 173 * ROUTINE: AUDIT_THREAD_CREATE 174 * PURPOSE: allocate per-process thread audit data structure 175 * CALLBY: THREAD_CREATE 176 * NOTE: This is called just after *t was bzero'd. 177 * We are single threaded in this routine. 178 * TODO: 179 * QUESTION: 180 */ 181 182 void 183 audit_thread_create(kthread_id_t t) 184 { 185 t_audit_data_t *tad; /* per-thread audit data */ 186 187 tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP); 188 189 T2A(t) = tad; /* set up thread audit data ptr */ 190 tad->tad_thread = t; /* back ptr to thread: DEBUG */ 191 } 192 193 /* 194 * ROUTINE: AUDIT_THREAD_FREE 195 * PURPOSE: free the per-thread audit data structure 196 * CALLBY: THREAD_FREE 197 * NOTE: most thread data is clear after return 198 */ 199 void 200 audit_thread_free(kthread_t *t) 201 { 202 t_audit_data_t *tad; 203 au_defer_info_t *attr; 204 205 tad = T2A(t); 206 207 /* thread audit data must still be set */ 208 209 if (tad == tad0) { 210 return; 211 } 212 213 if (tad == NULL) { 214 return; 215 } 216 217 t->t_audit_data = 0; 218 219 /* must not have any audit record residual */ 220 ASSERT(tad->tad_ad == NULL); 221 222 /* saved path must be empty */ 223 ASSERT(tad->tad_aupath == NULL); 224 225 if (tad->tad_atpath) 226 au_pathrele(tad->tad_atpath); 227 228 attr = tad->tad_defer_head; 229 while (attr != NULL) { 230 au_defer_info_t *tmp_attr = attr; 231 232 au_free_rec(attr->audi_ad); 233 234 attr = attr->audi_next; 235 kmem_free(tmp_attr, sizeof (au_defer_info_t)); 236 } 237 238 kmem_free(tad, sizeof (*tad)); 239 } 240 241 /* 242 * ROUTINE: AUDIT_SAVEPATH 243 * PURPOSE: 244 * CALLBY: LOOKUPPN 245 * 246 * NOTE: We have reached the end of a path in fs/lookup.c. 247 * We get two pieces of information here: 248 * the vnode of the last component (vp) and 249 * the status of the last access (flag). 250 * TODO: 251 * QUESTION: 252 */ 253 254 /*ARGSUSED*/ 255 int 256 audit_savepath( 257 struct pathname *pnp, /* pathname to lookup */ 258 struct vnode *vp, /* vnode of the last component */ 259 int flag, /* status of the last access */ 260 cred_t *cr) /* cred of requestor */ 261 { 262 263 t_audit_data_t *tad; /* current thread */ 264 au_kcontext_t *kctx = GET_KCTX_PZ; 265 266 tad = U2A(u); 267 268 /* 269 * this event being audited or do we need path information 270 * later? This might be for a chdir/chroot or open (add path 271 * to file pointer. If the path has already been found for an 272 * open/creat then we don't need to process the path. 273 * 274 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 275 * chroot, chdir, open, creat system call processing. It determines 276 * if audit_savepath() will discard the path or we need it later. 277 * PAD_PATHFND means path already included in this audit record. It 278 * is used in cases where multiple path lookups are done per 279 * system call. The policy flag, AUDIT_PATH, controls if multiple 280 * paths are allowed. 281 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 282 * exit processing to inhibit any paths that may be added due to 283 * closes. 284 */ 285 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 286 ((tad->tad_ctrl & PAD_PATHFND) && 287 !(kctx->auk_policy & AUDIT_PATH)) || 288 (tad->tad_ctrl & PAD_NOPATH)) { 289 return (0); 290 } 291 292 tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ 293 294 audit_pathbuild(pnp); 295 tad->tad_vn = vp; 296 297 /* 298 * are we auditing only if error, or if it is not open or create 299 * otherwise audit_setf will do it 300 */ 301 302 if (tad->tad_flag) { 303 if (flag && (tad->tad_scid == SYS_open || 304 tad->tad_scid == SYS_open64 || 305 tad->tad_scid == SYS_creat || 306 tad->tad_scid == SYS_creat64 || 307 tad->tad_scid == SYS_fsat)) { 308 tad->tad_ctrl |= PAD_TRUE_CREATE; 309 } 310 311 /* add token to audit record for this name */ 312 au_uwrite(au_to_path(tad->tad_aupath)); 313 314 /* add the attributes of the object */ 315 if (vp) { 316 /* 317 * only capture attributes when there is no error 318 * lookup will not return the vnode of the failing 319 * component. 320 * 321 * if there was a lookup error, then don't add 322 * attribute. if lookup in vn_create(), 323 * then don't add attribute, 324 * it will be added at end of vn_create(). 325 */ 326 if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) 327 audit_attributes(vp); 328 } 329 } 330 331 /* free up space if we're not going to save path (open, crate) */ 332 if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { 333 if (tad->tad_aupath != NULL) { 334 au_pathrele(tad->tad_aupath); 335 tad->tad_aupath = NULL; 336 tad->tad_vn = NULL; 337 } 338 } 339 if (tad->tad_ctrl & PAD_MLD) 340 tad->tad_ctrl |= PAD_PATHFND; 341 342 tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ 343 return (0); 344 } 345 346 static void 347 audit_pathbuild(struct pathname *pnp) 348 { 349 char *pp; /* pointer to path */ 350 int len; /* length of incoming segment */ 351 int newsect; /* path requires a new section */ 352 struct audit_path *pfxapp; /* prefix for path */ 353 struct audit_path *newapp; /* new audit_path */ 354 t_audit_data_t *tad; /* current thread */ 355 p_audit_data_t *pad; /* current process */ 356 357 tad = U2A(u); 358 ASSERT(tad != NULL); 359 pad = P2A(curproc); 360 ASSERT(pad != NULL); 361 362 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */ 363 ASSERT(len > 0); 364 365 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */ 366 mutex_enter(&pad->pad_lock); 367 if (tad->tad_aupath != NULL) { 368 pfxapp = tad->tad_aupath; 369 } else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') { 370 ASSERT(tad->tad_atpath != NULL); 371 pfxapp = tad->tad_atpath; 372 } else if (tad->tad_ctrl & PAD_ABSPATH) { 373 pfxapp = pad->pad_root; 374 } else { 375 pfxapp = pad->pad_cwd; 376 } 377 au_pathhold(pfxapp); 378 mutex_exit(&pad->pad_lock); 379 380 /* get an expanded buffer to hold the anchored path */ 381 newsect = tad->tad_ctrl & PAD_ATPATH; 382 newapp = au_pathdup(pfxapp, newsect, len); 383 au_pathrele(pfxapp); 384 385 pp = newapp->audp_sect[newapp->audp_cnt] - len; 386 if (!newsect) { 387 /* overlay previous NUL terminator */ 388 *(pp - 1) = '/'; 389 } 390 391 /* now add string of processed path */ 392 bcopy(pnp->pn_buf, pp, len); 393 pp[len - 1] = '\0'; 394 395 /* perform path simplification as necessary */ 396 audit_fixpath(newapp, len); 397 398 if (tad->tad_aupath) 399 au_pathrele(tad->tad_aupath); 400 tad->tad_aupath = newapp; 401 402 /* for case where multiple lookups in one syscall (rename) */ 403 tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH); 404 } 405 406 407 408 /*ARGSUSED*/ 409 410 /* 411 * ROUTINE: AUDIT_ADDCOMPONENT 412 * PURPOSE: extend the path by the component accepted 413 * CALLBY: LOOKUPPN 414 * NOTE: This function is called only when there is an error in 415 * parsing a path component 416 * TODO: Add the error component to audit record 417 * QUESTION: what is this for 418 */ 419 420 void 421 audit_addcomponent(struct pathname *pnp) 422 { 423 au_kcontext_t *kctx = GET_KCTX_PZ; 424 t_audit_data_t *tad; 425 426 tad = U2A(u); 427 /* 428 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 429 * chroot, chdir, open, creat system call processing. It determines 430 * if audit_savepath() will discard the path or we need it later. 431 * PAD_PATHFND means path already included in this audit record. It 432 * is used in cases where multiple path lookups are done per 433 * system call. The policy flag, AUDIT_PATH, controls if multiple 434 * paths are allowed. 435 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 436 * exit processing to inhibit any paths that may be added due to 437 * closes. 438 */ 439 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 440 ((tad->tad_ctrl & PAD_PATHFND) && 441 !(kctx->auk_policy & AUDIT_PATH)) || 442 (tad->tad_ctrl & PAD_NOPATH)) { 443 return; 444 } 445 446 return; 447 448 } /* AUDIT_ADDCOMPONENT */ 449 450 451 452 453 454 455 456 457 /* 458 * ROUTINE: AUDIT_ANCHORPATH 459 * PURPOSE: 460 * CALLBY: LOOKUPPN 461 * NOTE: 462 * anchor path at "/". We have seen a symbolic link or entering for the 463 * first time we will throw away any saved path if path is anchored. 464 * 465 * flag = 0, path is relative. 466 * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. 467 * 468 * If the (new) path is absolute, then we have to throw away whatever we have 469 * already accumulated since it is being superseded by new path which is 470 * anchored at the root. 471 * Note that if the path is relative, this function does nothing 472 * TODO: 473 * QUESTION: 474 */ 475 /*ARGSUSED*/ 476 void 477 audit_anchorpath(struct pathname *pnp, int flag) 478 { 479 au_kcontext_t *kctx = GET_KCTX_PZ; 480 t_audit_data_t *tad; 481 482 tad = U2A(u); 483 484 /* 485 * this event being audited or do we need path information 486 * later? This might be for a chdir/chroot or open (add path 487 * to file pointer. If the path has already been found for an 488 * open/creat then we don't need to process the path. 489 * 490 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 491 * chroot, chdir, open, creat system call processing. It determines 492 * if audit_savepath() will discard the path or we need it later. 493 * PAD_PATHFND means path already included in this audit record. It 494 * is used in cases where multiple path lookups are done per 495 * system call. The policy flag, AUDIT_PATH, controls if multiple 496 * paths are allowed. 497 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 498 * exit processing to inhibit any paths that may be added due to 499 * closes. 500 */ 501 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || 502 ((tad->tad_ctrl & PAD_PATHFND) && 503 !(kctx->auk_policy & AUDIT_PATH)) || 504 (tad->tad_ctrl & PAD_NOPATH)) { 505 return; 506 } 507 508 if (flag) { 509 tad->tad_ctrl |= PAD_ABSPATH; 510 if (tad->tad_aupath != NULL) { 511 au_pathrele(tad->tad_aupath); 512 tad->tad_aupath = NULL; 513 tad->tad_vn = NULL; 514 } 515 } 516 } 517 518 519 /* 520 * symbolic link. Save previous components. 521 * 522 * the path seen so far looks like this 523 * 524 * +-----------------------+----------------+ 525 * | path processed so far | remaining path | 526 * +-----------------------+----------------+ 527 * \-----------------------/ 528 * save this string if 529 * symbolic link relative 530 * (but don't include symlink component) 531 */ 532 533 /*ARGSUSED*/ 534 535 536 /* 537 * ROUTINE: AUDIT_SYMLINK 538 * PURPOSE: 539 * CALLBY: LOOKUPPN 540 * NOTE: 541 * TODO: 542 * QUESTION: 543 */ 544 void 545 audit_symlink(struct pathname *pnp, struct pathname *sympath) 546 { 547 char *sp; /* saved initial pp */ 548 char *cp; /* start of symlink path */ 549 uint_t len_path; /* processed path before symlink */ 550 t_audit_data_t *tad; 551 au_kcontext_t *kctx = GET_KCTX_PZ; 552 553 tad = U2A(u); 554 555 /* 556 * this event being audited or do we need path information 557 * later? This might be for a chdir/chroot or open (add path 558 * to file pointer. If the path has already been found for an 559 * open/creat then we don't need to process the path. 560 * 561 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with 562 * chroot, chdir, open, creat system call processing. It determines 563 * if audit_savepath() will discard the path or we need it later. 564 * PAD_PATHFND means path already included in this audit record. It 565 * is used in cases where multiple path lookups are done per 566 * system call. The policy flag, AUDIT_PATH, controls if multiple 567 * paths are allowed. 568 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with 569 * exit processing to inhibit any paths that may be added due to 570 * closes. 571 */ 572 if ((tad->tad_flag == 0 && 573 !(tad->tad_ctrl & PAD_SAVPATH)) || 574 ((tad->tad_ctrl & PAD_PATHFND) && 575 !(kctx->auk_policy & AUDIT_PATH)) || 576 (tad->tad_ctrl & PAD_NOPATH)) { 577 return; 578 } 579 580 /* 581 * if symbolic link is anchored at / then do nothing. 582 * When we cycle back to begin: in lookuppn() we will 583 * call audit_anchorpath() with a flag indicating if the 584 * path is anchored at / or is relative. We will release 585 * any saved path at that point. 586 * 587 * Note In the event that an error occurs in pn_combine then 588 * we want to remain pointing at the component that caused the 589 * path to overflow the pnp structure. 590 */ 591 if (sympath->pn_buf[0] == '/') 592 return; 593 594 /* backup over last component */ 595 sp = cp = pnp->pn_path; 596 while (*--cp != '/' && cp > pnp->pn_buf) 597 ; 598 599 len_path = cp - pnp->pn_buf; 600 601 /* is there anything to save? */ 602 if (len_path) { 603 pnp->pn_path = pnp->pn_buf; 604 audit_pathbuild(pnp); 605 pnp->pn_path = sp; 606 } 607 } 608 609 /* 610 * file_is_public : determine whether events for the file (corresponding to 611 * the specified file attr) should be audited or ignored. 612 * 613 * returns: 1 - if audit policy and file attributes indicate that 614 * file is effectively public. read events for 615 * the file should not be audited. 616 * 0 - otherwise 617 * 618 * The required attributes to be considered a public object are: 619 * - owned by root, AND 620 * - world-readable (permissions for other include read), AND 621 * - NOT world-writeable (permissions for other don't 622 * include write) 623 * (mode doesn't need to be checked for symlinks) 624 */ 625 int 626 file_is_public(struct vattr *attr) 627 { 628 au_kcontext_t *kctx = GET_KCTX_PZ; 629 630 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) && 631 ((attr->va_type == VLNK) || 632 ((attr->va_mode & (VREAD>>6)) != 0) && 633 ((attr->va_mode & (VWRITE>>6)) == 0))) { 634 return (1); 635 } 636 return (0); 637 } 638 639 640 /* 641 * ROUTINE: AUDIT_ATTRIBUTES 642 * PURPOSE: Audit the attributes so we can tell why the error occurred 643 * CALLBY: AUDIT_SAVEPATH 644 * AUDIT_VNCREATE_FINISH 645 * AUS_FCHOWN...audit_event.c...audit_path.c 646 * NOTE: 647 * TODO: 648 * QUESTION: 649 */ 650 void 651 audit_attributes(struct vnode *vp) 652 { 653 struct vattr attr; 654 struct t_audit_data *tad; 655 656 tad = U2A(u); 657 658 if (vp) { 659 attr.va_mask = AT_ALL; 660 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) 661 return; 662 663 if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { 664 /* 665 * This is a public object and a "public" event 666 * (i.e., read only) -- either by definition 667 * (e.g., stat, access...) or by virtue of write access 668 * not being requested (e.g. mmap). 669 * Flag it in the tad to prevent this audit at the end. 670 */ 671 tad->tad_ctrl |= PAD_NOAUDIT; 672 } else { 673 au_uwrite(au_to_attr(&attr)); 674 audit_sec_attributes(&(u_ad), vp); 675 } 676 } 677 } 678 679 680 /* 681 * ROUTINE: AUDIT_FALLOC 682 * PURPOSE: allocating a new file structure 683 * CALLBY: FALLOC 684 * NOTE: file structure already initialized 685 * TODO: 686 * QUESTION: 687 */ 688 689 void 690 audit_falloc(struct file *fp) 691 { /* AUDIT_FALLOC */ 692 693 f_audit_data_t *fad; 694 695 /* allocate per file audit structure if there a'int any */ 696 ASSERT(F2A(fp) == NULL); 697 698 fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP); 699 700 F2A(fp) = fad; 701 702 fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */ 703 } 704 705 /* 706 * ROUTINE: AUDIT_UNFALLOC 707 * PURPOSE: deallocate file audit data structure 708 * CALLBY: CLOSEF 709 * UNFALLOC 710 * NOTE: 711 * TODO: 712 * QUESTION: 713 */ 714 715 void 716 audit_unfalloc(struct file *fp) 717 { 718 f_audit_data_t *fad; 719 720 fad = F2A(fp); 721 722 if (!fad) { 723 return; 724 } 725 if (fad->fad_aupath != NULL) { 726 au_pathrele(fad->fad_aupath); 727 } 728 fp->f_audit_data = 0; 729 kmem_free(fad, sizeof (struct f_audit_data)); 730 } 731 732 /* 733 * ROUTINE: AUDIT_EXIT 734 * PURPOSE: 735 * CALLBY: EXIT 736 * NOTE: 737 * TODO: 738 * QUESTION: why cmw code as offset by 2 but not here 739 */ 740 /* ARGSUSED */ 741 void 742 audit_exit(int code, int what) 743 { 744 struct t_audit_data *tad; 745 tad = U2A(u); 746 747 /* 748 * tad_scid will be set by audit_start even if we are not auditing 749 * the event. 750 */ 751 if (tad->tad_scid == SYS_exit) { 752 /* 753 * if we are auditing the exit system call, then complete 754 * audit record generation (no return from system call). 755 */ 756 if (tad->tad_flag && tad->tad_event == AUE_EXIT) 757 audit_finish(0, SYS_exit, 0, 0); 758 return; 759 } 760 761 /* 762 * Anyone auditing the system call that was aborted? 763 */ 764 if (tad->tad_flag) { 765 au_uwrite(au_to_text("event aborted")); 766 audit_finish(0, tad->tad_scid, 0, 0); 767 } 768 769 /* 770 * Generate an audit record for process exit if preselected. 771 */ 772 (void) audit_start(0, SYS_exit, 0, 0); 773 audit_finish(0, SYS_exit, 0, 0); 774 } 775 776 /* 777 * ROUTINE: AUDIT_CORE_START 778 * PURPOSE: 779 * CALLBY: PSIG 780 * NOTE: 781 * TODO: 782 */ 783 void 784 audit_core_start(int sig) 785 { 786 au_event_t event; 787 au_state_t estate; 788 t_audit_data_t *tad; 789 au_kcontext_t *kctx; 790 791 tad = U2A(u); 792 793 ASSERT(tad != (t_audit_data_t *)0); 794 795 ASSERT(tad->tad_scid == 0); 796 ASSERT(tad->tad_event == 0); 797 ASSERT(tad->tad_evmod == 0); 798 ASSERT(tad->tad_ctrl == 0); 799 ASSERT(tad->tad_flag == 0); 800 ASSERT(tad->tad_aupath == NULL); 801 802 kctx = GET_KCTX_PZ; 803 804 /* get basic event for system call */ 805 event = AUE_CORE; 806 estate = kctx->auk_ets[event]; 807 808 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0) 809 return; 810 811 /* reset the flags for non-user attributable events */ 812 tad->tad_ctrl = PAD_CORE; 813 tad->tad_scid = 0; 814 815 /* if auditing not enabled, then don't generate an audit record */ 816 817 if (!((kctx->auk_auditstate == AUC_AUDITING || 818 kctx->auk_auditstate == AUC_INIT_AUDIT) || 819 kctx->auk_auditstate == AUC_NOSPACE)) { 820 tad->tad_flag = 0; 821 tad->tad_ctrl = 0; 822 return; 823 } 824 825 tad->tad_event = event; 826 tad->tad_evmod = 0; 827 828 ASSERT(tad->tad_ad == NULL); 829 830 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig)); 831 } 832 833 /* 834 * ROUTINE: AUDIT_CORE_FINISH 835 * PURPOSE: 836 * CALLBY: PSIG 837 * NOTE: 838 * TODO: 839 * QUESTION: 840 */ 841 842 /*ARGSUSED*/ 843 void 844 audit_core_finish(int code) 845 { 846 int flag; 847 t_audit_data_t *tad; 848 au_kcontext_t *kctx; 849 850 tad = U2A(u); 851 852 ASSERT(tad != (t_audit_data_t *)0); 853 854 if ((flag = tad->tad_flag) == 0) { 855 tad->tad_event = 0; 856 tad->tad_evmod = 0; 857 tad->tad_ctrl = 0; 858 ASSERT(tad->tad_aupath == NULL); 859 return; 860 } 861 tad->tad_flag = 0; 862 863 kctx = GET_KCTX_PZ; 864 865 /* kludge for error 0, should use `code==CLD_DUMPED' instead */ 866 if (flag = audit_success(kctx, tad, 0, NULL)) { 867 cred_t *cr = CRED(); 868 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 869 870 ASSERT(ainfo != NULL); 871 872 /* 873 * Add subject information (no locks since our private copy of 874 * credential 875 */ 876 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 877 878 /* Add a return token (should use f argument) */ 879 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 880 881 AS_INC(as_generated, 1, kctx); 882 AS_INC(as_kernel, 1, kctx); 883 } 884 885 /* Close up everything */ 886 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod); 887 888 /* free up any space remaining with the path's */ 889 if (tad->tad_aupath != NULL) { 890 au_pathrele(tad->tad_aupath); 891 tad->tad_aupath = NULL; 892 tad->tad_vn = NULL; 893 } 894 tad->tad_event = 0; 895 tad->tad_evmod = 0; 896 tad->tad_ctrl = 0; 897 } 898 899 /*ARGSUSED*/ 900 void 901 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) 902 { 903 } 904 905 /*ARGSUSED*/ 906 void 907 audit_strclose(struct vnode *vp, int flag, cred_t *crp) 908 { 909 } 910 911 /*ARGSUSED*/ 912 void 913 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, 914 int copyflag, cred_t *crp, int *rvalp) 915 { 916 } 917 918 919 /*ARGSUSED*/ 920 void 921 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 922 unsigned char *pri, int *flag, int fmode) 923 { 924 struct stdata *stp; 925 t_audit_data_t *tad = U2A(u); 926 927 ASSERT(tad != (t_audit_data_t *)0); 928 929 stp = vp->v_stream; 930 931 /* lock stdata from audit_sock */ 932 mutex_enter(&stp->sd_lock); 933 934 /* proceed ONLY if user is being audited */ 935 if (!tad->tad_flag) { 936 /* 937 * this is so we will not add audit data onto 938 * a thread that is not being audited. 939 */ 940 stp->sd_t_audit_data = NULL; 941 mutex_exit(&stp->sd_lock); 942 return; 943 } 944 945 stp->sd_t_audit_data = (caddr_t)curthread; 946 mutex_exit(&stp->sd_lock); 947 } 948 949 /*ARGSUSED*/ 950 void 951 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata, 952 unsigned char pri, int flag, int fmode) 953 { 954 struct stdata *stp; 955 t_audit_data_t *tad = U2A(u); 956 957 ASSERT(tad != (t_audit_data_t *)0); 958 959 stp = vp->v_stream; 960 961 /* lock stdata from audit_sock */ 962 mutex_enter(&stp->sd_lock); 963 964 /* proceed ONLY if user is being audited */ 965 if (!tad->tad_flag) { 966 /* 967 * this is so we will not add audit data onto 968 * a thread that is not being audited. 969 */ 970 stp->sd_t_audit_data = NULL; 971 mutex_exit(&stp->sd_lock); 972 return; 973 } 974 975 stp->sd_t_audit_data = (caddr_t)curthread; 976 mutex_exit(&stp->sd_lock); 977 } 978 979 /* 980 * ROUTINE: AUDIT_CLOSEF 981 * PURPOSE: 982 * CALLBY: CLOSEF 983 * NOTE: 984 * release per file audit resources when file structure is being released. 985 * 986 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep 987 * on the audit queue if it becomes full. This means 988 * audit_closef can not be called when f_count == 0. Since 989 * f_count == 0 indicates the file structure is free, another 990 * process could attempt to use the file while we were still 991 * asleep waiting on the audit queue. This would cause the 992 * per file audit data to be corrupted when we finally do 993 * wakeup. 994 * TODO: 995 * QUESTION: 996 */ 997 998 void 999 audit_closef(struct file *fp) 1000 { /* AUDIT_CLOSEF */ 1001 f_audit_data_t *fad; 1002 t_audit_data_t *tad; 1003 int success; 1004 au_state_t estate; 1005 struct vnode *vp; 1006 token_t *ad = NULL; 1007 struct vattr attr; 1008 au_emod_t evmod = 0; 1009 const auditinfo_addr_t *ainfo; 1010 int getattr_ret; 1011 cred_t *cr; 1012 au_kcontext_t *kctx = GET_KCTX_PZ; 1013 1014 fad = F2A(fp); 1015 estate = kctx->auk_ets[AUE_CLOSE]; 1016 tad = U2A(u); 1017 cr = CRED(); 1018 1019 /* audit record already generated by system call envelope */ 1020 if (tad->tad_event == AUE_CLOSE) { 1021 /* so close audit event will have bits set */ 1022 tad->tad_evmod |= (au_emod_t)fad->fad_flags; 1023 return; 1024 } 1025 1026 /* if auditing not enabled, then don't generate an audit record */ 1027 if (!((kctx->auk_auditstate == AUC_AUDITING || 1028 kctx->auk_auditstate == AUC_INIT_AUDIT) || 1029 kctx->auk_auditstate == AUC_NOSPACE)) 1030 return; 1031 1032 ainfo = crgetauinfo(cr); 1033 if (ainfo == NULL) 1034 return; 1035 1036 success = ainfo->ai_mask.as_success & estate; 1037 1038 /* not selected for this event */ 1039 if (success == 0) 1040 return; 1041 1042 /* 1043 * can't use audit_attributes here since we use a private audit area 1044 * to build the audit record instead of the one off the thread. 1045 */ 1046 if ((vp = fp->f_vnode) != NULL) { 1047 attr.va_mask = AT_ALL; 1048 getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL); 1049 } 1050 1051 /* 1052 * When write was not used and the file can be considered public, 1053 * then skip the audit. 1054 */ 1055 if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { 1056 if (file_is_public(&attr)) { 1057 return; 1058 } 1059 } 1060 1061 evmod = (au_emod_t)fad->fad_flags; 1062 if (fad->fad_aupath != NULL) { 1063 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath)); 1064 } else { 1065 #ifdef _LP64 1066 au_write((caddr_t *)&(ad), au_to_arg64( 1067 1, "no path: fp", (uint64_t)fp)); 1068 #else 1069 au_write((caddr_t *)&(ad), au_to_arg32( 1070 1, "no path: fp", (uint32_t)fp)); 1071 #endif 1072 } 1073 1074 if (getattr_ret == 0) { 1075 au_write((caddr_t *)&(ad), au_to_attr(&attr)); 1076 audit_sec_attributes((caddr_t *)&(ad), vp); 1077 } 1078 1079 /* Add subject information */ 1080 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 1081 1082 /* add a return token */ 1083 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0); 1084 1085 AS_INC(as_generated, 1, kctx); 1086 AS_INC(as_kernel, 1, kctx); 1087 1088 /* 1089 * Close up everything 1090 * Note: path space recovery handled by normal system 1091 * call envelope if not at last close. 1092 * Note there is no failure at this point since 1093 * this represents closes due to exit of process, 1094 * thus we always indicate successful closes. 1095 */ 1096 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER, 1097 AUE_CLOSE, evmod); 1098 } 1099 1100 /* 1101 * ROUTINE: AUDIT_SET 1102 * PURPOSE: Audit the file path and file attributes. 1103 * CALLBY: SETF 1104 * NOTE: SETF associate a file pointer with user area's open files. 1105 * TODO: 1106 * call audit_finish directly ??? 1107 * QUESTION: 1108 */ 1109 1110 /*ARGSUSED*/ 1111 void 1112 audit_setf(file_t *fp, int fd) 1113 { 1114 f_audit_data_t *fad; 1115 t_audit_data_t *tad; 1116 1117 if (fp == NULL) 1118 return; 1119 1120 tad = T2A(curthread); 1121 fad = F2A(fp); 1122 1123 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat || 1124 tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 || 1125 tad->tad_scid == SYS_fsat)) 1126 return; 1127 1128 /* no path */ 1129 if (tad->tad_aupath == 0) 1130 return; 1131 1132 /* 1133 * assign path information associated with file audit data 1134 * use tad hold 1135 */ 1136 fad->fad_aupath = tad->tad_aupath; 1137 tad->tad_aupath = NULL; 1138 tad->tad_vn = NULL; 1139 1140 if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { 1141 /* adjust event type */ 1142 switch (tad->tad_event) { 1143 case AUE_OPEN_RC: 1144 tad->tad_event = AUE_OPEN_R; 1145 tad->tad_ctrl |= PAD_PUBLIC_EV; 1146 break; 1147 case AUE_OPEN_RTC: 1148 tad->tad_event = AUE_OPEN_RT; 1149 break; 1150 case AUE_OPEN_WC: 1151 tad->tad_event = AUE_OPEN_W; 1152 break; 1153 case AUE_OPEN_WTC: 1154 tad->tad_event = AUE_OPEN_WT; 1155 break; 1156 case AUE_OPEN_RWC: 1157 tad->tad_event = AUE_OPEN_RW; 1158 break; 1159 case AUE_OPEN_RWTC: 1160 tad->tad_event = AUE_OPEN_RWT; 1161 break; 1162 default: 1163 break; 1164 } 1165 } 1166 } 1167 1168 1169 /* 1170 * ROUTINE: AUDIT_COPEN 1171 * PURPOSE: 1172 * CALLBY: COPEN 1173 * NOTE: 1174 * TODO: 1175 * QUESTION: 1176 */ 1177 /*ARGSUSED*/ 1178 void 1179 audit_copen(int fd, file_t *fp, vnode_t *vp) 1180 { 1181 } 1182 1183 void 1184 audit_ipc(int type, int id, void *vp) 1185 { 1186 /* if not auditing this event, then do nothing */ 1187 if (ad_flag == 0) 1188 return; 1189 1190 switch (type) { 1191 case AT_IPC_MSG: 1192 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1193 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1194 break; 1195 case AT_IPC_SEM: 1196 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1197 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1198 break; 1199 case AT_IPC_SHM: 1200 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 1201 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1202 break; 1203 } 1204 } 1205 1206 void 1207 audit_ipcget(int type, void *vp) 1208 { 1209 /* if not auditing this event, then do nothing */ 1210 if (ad_flag == 0) 1211 return; 1212 1213 switch (type) { 1214 case NULL: 1215 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp)); 1216 break; 1217 case AT_IPC_MSG: 1218 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm))); 1219 break; 1220 case AT_IPC_SEM: 1221 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm))); 1222 break; 1223 case AT_IPC_SHM: 1224 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm))); 1225 break; 1226 } 1227 } 1228 1229 /* 1230 * ROUTINE: AUDIT_REBOOT 1231 * PURPOSE: 1232 * CALLBY: 1233 * NOTE: 1234 * At this point we know that the system call reboot will not return. We thus 1235 * have to complete the audit record generation and put it onto the queue. 1236 * This might be fairly useless if the auditing daemon is already dead.... 1237 * TODO: 1238 * QUESTION: who calls audit_reboot 1239 */ 1240 1241 void 1242 audit_reboot(void) 1243 { 1244 int flag; 1245 t_audit_data_t *tad; 1246 au_kcontext_t *kctx = GET_KCTX_PZ; 1247 1248 tad = U2A(u); 1249 1250 /* if not auditing this event, then do nothing */ 1251 if (tad->tad_flag == 0) 1252 return; 1253 1254 /* do preselection on success/failure */ 1255 if (flag = audit_success(kctx, tad, 0, NULL)) { 1256 /* add a process token */ 1257 1258 cred_t *cr = CRED(); 1259 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 1260 1261 if (ainfo == NULL) 1262 return; 1263 1264 /* Add subject information */ 1265 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx); 1266 1267 /* add a return token */ 1268 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0); 1269 1270 AS_INC(as_generated, 1, kctx); 1271 AS_INC(as_kernel, 1, kctx); 1272 } 1273 1274 /* 1275 * Flow control useless here since we're going 1276 * to drop everything in the queue anyway. Why 1277 * block and wait. There aint anyone left alive to 1278 * read the records remaining anyway. 1279 */ 1280 1281 /* Close up everything */ 1282 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK, 1283 tad->tad_event, tad->tad_evmod); 1284 } 1285 1286 void 1287 audit_setfsat_path(int argnum) 1288 { 1289 klwp_id_t clwp = ttolwp(curthread); 1290 struct file *fp; 1291 uint32_t fd; 1292 t_audit_data_t *tad; 1293 struct f_audit_data *fad; 1294 p_audit_data_t *pad; /* current process */ 1295 struct a { 1296 long id; 1297 long arg1; 1298 long arg2; 1299 long arg3; 1300 long arg4; 1301 long arg5; 1302 } *uap; 1303 struct b { 1304 long arg1; 1305 long arg2; 1306 long arg3; 1307 long arg4; 1308 long arg5; 1309 } *uap1; 1310 1311 if (clwp == NULL) 1312 return; 1313 uap1 = (struct b *)&clwp->lwp_ap[1]; 1314 uap = (struct a *)clwp->lwp_ap; 1315 1316 tad = U2A(u); 1317 1318 ASSERT(tad != NULL); 1319 1320 if (tad->tad_scid != SYS_fsat) 1321 return; 1322 1323 switch (argnum) { 1324 case 1: 1325 fd = (uint32_t)uap1->arg1; 1326 break; 1327 case 2: 1328 fd = (uint32_t)uap1->arg2; 1329 break; 1330 case 3: 1331 fd = (uint32_t)uap1->arg3; 1332 break; 1333 case 4: 1334 fd = (uint32_t)uap1->arg4; 1335 break; 1336 case 5: 1337 fd = (uint32_t)uap1->arg5; 1338 break; 1339 default: 1340 return; 1341 } 1342 1343 if (uap->id == 9 && tad->tad_atpath != NULL) { /* openattrdir */ 1344 tad->tad_ctrl |= PAD_ATPATH; 1345 return; 1346 } 1347 if (tad->tad_atpath != NULL) { 1348 au_pathrele(tad->tad_atpath); 1349 tad->tad_atpath = NULL; 1350 } 1351 if (fd != AT_FDCWD) { 1352 if ((fp = getf(fd)) == NULL) { 1353 tad->tad_ctrl |= PAD_NOPATH; 1354 return; 1355 } 1356 1357 fad = F2A(fp); 1358 ASSERT(fad); 1359 if (fad->fad_aupath == NULL) { 1360 tad->tad_ctrl |= PAD_NOPATH; 1361 releasef(fd); 1362 return; 1363 } 1364 au_pathhold(fad->fad_aupath); 1365 tad->tad_atpath = fad->fad_aupath; 1366 releasef(fd); 1367 } else { 1368 pad = P2A(curproc); 1369 mutex_enter(&pad->pad_lock); 1370 au_pathhold(pad->pad_cwd); 1371 tad->tad_atpath = pad->pad_cwd; 1372 mutex_exit(&pad->pad_lock); 1373 } 1374 } 1375 1376 void 1377 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error) 1378 { 1379 t_audit_data_t *tad; 1380 vnode_t *vp; 1381 1382 tad = U2A(u); 1383 1384 /* if not auditing this event, then do nothing */ 1385 if (tad->tad_flag == 0) 1386 return; 1387 1388 au_uwrite(au_to_text(target)); 1389 1390 if (error) 1391 return; 1392 1393 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(), 1394 NULL, NULL, NULL); 1395 if (error == 0) { 1396 audit_attributes(vp); 1397 VN_RELE(vp); 1398 } 1399 } 1400 1401 /* 1402 * ROUTINE: AUDIT_VNCREATE_START 1403 * PURPOSE: set flag so path name lookup in create will not add attribute 1404 * CALLBY: VN_CREATE 1405 * NOTE: 1406 * TODO: 1407 * QUESTION: 1408 */ 1409 1410 void 1411 audit_vncreate_start() 1412 { 1413 t_audit_data_t *tad; 1414 1415 tad = U2A(u); 1416 tad->tad_ctrl |= PAD_NOATTRB; 1417 } 1418 1419 /* 1420 * ROUTINE: AUDIT_VNCREATE_FINISH 1421 * PURPOSE: 1422 * CALLBY: VN_CREATE 1423 * NOTE: 1424 * TODO: 1425 * QUESTION: 1426 */ 1427 void 1428 audit_vncreate_finish(struct vnode *vp, int error) 1429 { 1430 t_audit_data_t *tad; 1431 1432 if (error) 1433 return; 1434 1435 tad = U2A(u); 1436 1437 /* if not auditing this event, then do nothing */ 1438 if (tad->tad_flag == 0) 1439 return; 1440 1441 if (tad->tad_ctrl & PAD_TRUE_CREATE) { 1442 audit_attributes(vp); 1443 } 1444 1445 if (tad->tad_ctrl & PAD_CORE) { 1446 audit_attributes(vp); 1447 tad->tad_ctrl &= ~PAD_CORE; 1448 } 1449 1450 if (!error && ((tad->tad_event == AUE_MKNOD) || 1451 (tad->tad_event == AUE_MKDIR))) { 1452 audit_attributes(vp); 1453 } 1454 1455 /* for case where multiple lookups in one syscall (rename) */ 1456 tad->tad_ctrl &= ~PAD_NOATTRB; 1457 } 1458 1459 1460 1461 1462 1463 1464 1465 1466 /* 1467 * ROUTINE: AUDIT_EXEC 1468 * PURPOSE: Records the function arguments and environment variables 1469 * CALLBY: EXEC_ARGS 1470 * NOTE: 1471 * TODO: 1472 * QUESTION: 1473 */ 1474 1475 /*ARGSUSED*/ 1476 void 1477 audit_exec( 1478 const char *argstr, /* argument strings */ 1479 const char *envstr, /* environment strings */ 1480 ssize_t argc, /* total # arguments */ 1481 ssize_t envc) /* total # environment variables */ 1482 { 1483 t_audit_data_t *tad; 1484 au_kcontext_t *kctx = GET_KCTX_PZ; 1485 1486 tad = U2A(u); 1487 1488 /* if not auditing this event, then do nothing */ 1489 if (!tad->tad_flag) 1490 return; 1491 1492 /* return if not interested in argv or environment variables */ 1493 if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE))) 1494 return; 1495 1496 if (kctx->auk_policy & AUDIT_ARGV) { 1497 au_uwrite(au_to_exec_args(argstr, argc)); 1498 } 1499 1500 if (kctx->auk_policy & AUDIT_ARGE) { 1501 au_uwrite(au_to_exec_env(envstr, envc)); 1502 } 1503 } 1504 1505 /* 1506 * ROUTINE: AUDIT_ENTERPROM 1507 * PURPOSE: 1508 * CALLBY: KBDINPUT 1509 * ZSA_XSINT 1510 * NOTE: 1511 * TODO: 1512 * QUESTION: 1513 */ 1514 void 1515 audit_enterprom(int flg) 1516 { 1517 token_t *rp = NULL; 1518 int sorf; 1519 1520 if (flg) 1521 sorf = AUM_SUCC; 1522 else 1523 sorf = AUM_FAIL; 1524 1525 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf); 1526 1527 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1528 1529 if (flg) 1530 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1531 else 1532 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1533 1534 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL); 1535 } 1536 1537 1538 /* 1539 * ROUTINE: AUDIT_EXITPROM 1540 * PURPOSE: 1541 * CALLBY: KBDINPUT 1542 * ZSA_XSINT 1543 * NOTE: 1544 * TODO: 1545 * QUESTION: 1546 */ 1547 void 1548 audit_exitprom(int flg) 1549 { 1550 int sorf; 1551 token_t *rp = NULL; 1552 1553 if (flg) 1554 sorf = AUM_SUCC; 1555 else 1556 sorf = AUM_FAIL; 1557 1558 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf); 1559 1560 au_write((caddr_t *)&(rp), au_to_text("kmdb")); 1561 1562 if (flg) 1563 au_write((caddr_t *)&(rp), au_to_return32(0, 0)); 1564 else 1565 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0)); 1566 1567 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL); 1568 } 1569 1570 struct fcntla { 1571 int fdes; 1572 int cmd; 1573 intptr_t arg; 1574 }; 1575 1576 /* 1577 * ROUTINE: AUDIT_C2_REVOKE 1578 * PURPOSE: 1579 * CALLBY: FCNTL 1580 * NOTE: 1581 * TODO: 1582 * QUESTION: are we keeping this func 1583 */ 1584 1585 /*ARGSUSED*/ 1586 int 1587 audit_c2_revoke(struct fcntla *uap, rval_t *rvp) 1588 { 1589 return (0); 1590 } 1591 1592 1593 /* 1594 * ROUTINE: AUDIT_CHDIREC 1595 * PURPOSE: 1596 * CALLBY: CHDIREC 1597 * NOTE: The main function of CHDIREC 1598 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c 1599 * QUESTION: 1600 */ 1601 1602 /*ARGSUSED*/ 1603 void 1604 audit_chdirec(vnode_t *vp, vnode_t **vpp) 1605 { 1606 int chdir; 1607 int fchdir; 1608 struct audit_path **appp; 1609 struct file *fp; 1610 f_audit_data_t *fad; 1611 p_audit_data_t *pad = P2A(curproc); 1612 t_audit_data_t *tad = T2A(curthread); 1613 1614 struct a { 1615 long fd; 1616 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 1617 1618 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) { 1619 chdir = tad->tad_scid == SYS_chdir; 1620 if (tad->tad_aupath) { 1621 mutex_enter(&pad->pad_lock); 1622 if (chdir) 1623 appp = &(pad->pad_cwd); 1624 else 1625 appp = &(pad->pad_root); 1626 au_pathrele(*appp); 1627 /* use tad hold */ 1628 *appp = tad->tad_aupath; 1629 tad->tad_aupath = NULL; 1630 mutex_exit(&pad->pad_lock); 1631 } 1632 } else if ((tad->tad_scid == SYS_fchdir) || 1633 (tad->tad_scid == SYS_fchroot)) { 1634 fchdir = tad->tad_scid == SYS_fchdir; 1635 if ((fp = getf(uap->fd)) == NULL) 1636 return; 1637 fad = F2A(fp); 1638 if (fad->fad_aupath) { 1639 au_pathhold(fad->fad_aupath); 1640 mutex_enter(&pad->pad_lock); 1641 if (fchdir) 1642 appp = &(pad->pad_cwd); 1643 else 1644 appp = &(pad->pad_root); 1645 au_pathrele(*appp); 1646 *appp = fad->fad_aupath; 1647 mutex_exit(&pad->pad_lock); 1648 if (tad->tad_flag) { 1649 au_uwrite(au_to_path(fad->fad_aupath)); 1650 audit_attributes(fp->f_vnode); 1651 } 1652 } 1653 releasef(uap->fd); 1654 } 1655 } 1656 1657 /* 1658 * ROUTINE: AUDIT_GETF 1659 * PURPOSE: 1660 * CALLBY: GETF_INTERNAL 1661 * NOTE: The main function of GETF_INTERNAL is to associate a given 1662 * file descriptor with a file structure and increment the 1663 * file pointer reference count. 1664 * TODO: remove pass in of fpp. 1665 * increment a reference count so that even if a thread with same process delete 1666 * the same object, it will not panic our system 1667 * QUESTION: 1668 * where to decrement the f_count????????????????? 1669 * seems like I need to set a flag if f_count incremented through audit_getf 1670 */ 1671 1672 /*ARGSUSED*/ 1673 int 1674 audit_getf(int fd) 1675 { 1676 #ifdef NOTYET 1677 t_audit_data_t *tad; 1678 1679 tad = T2A(curthread); 1680 1681 if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat)) 1682 return; 1683 #endif 1684 return (0); 1685 } 1686 1687 /* 1688 * Audit hook for stream based socket and tli request. 1689 * Note that we do not have user context while executing 1690 * this code so we had to record them earlier during the 1691 * putmsg/getmsg to figure out which user we are dealing with. 1692 */ 1693 1694 /*ARGSUSED*/ 1695 void 1696 audit_sock( 1697 int type, /* type of tihdr.h header requests */ 1698 queue_t *q, /* contains the process and thread audit data */ 1699 mblk_t *mp, /* contains the tihdr.h header structures */ 1700 int from) /* timod or sockmod request */ 1701 { 1702 int32_t len; 1703 int32_t offset; 1704 struct sockaddr_in *sock_data; 1705 struct T_conn_req *conn_req; 1706 struct T_conn_ind *conn_ind; 1707 struct T_unitdata_req *unitdata_req; 1708 struct T_unitdata_ind *unitdata_ind; 1709 au_state_t estate; 1710 t_audit_data_t *tad; 1711 caddr_t saved_thread_ptr; 1712 au_mask_t amask; 1713 const auditinfo_addr_t *ainfo; 1714 au_kcontext_t *kctx; 1715 1716 if (q->q_stream == NULL) 1717 return; 1718 mutex_enter(&q->q_stream->sd_lock); 1719 /* are we being audited */ 1720 saved_thread_ptr = q->q_stream->sd_t_audit_data; 1721 /* no pointer to thread, nothing to do */ 1722 if (saved_thread_ptr == NULL) { 1723 mutex_exit(&q->q_stream->sd_lock); 1724 return; 1725 } 1726 /* only allow one addition of a record token */ 1727 q->q_stream->sd_t_audit_data = NULL; 1728 /* 1729 * thread is not the one being audited, then nothing to do 1730 * This could be the stream thread handling the module 1731 * service routine. In this case, the context for the audit 1732 * record can no longer be assumed. Simplest to just drop 1733 * the operation. 1734 */ 1735 if (curthread != (kthread_id_t)saved_thread_ptr) { 1736 mutex_exit(&q->q_stream->sd_lock); 1737 return; 1738 } 1739 if (curthread->t_sysnum >= SYS_so_socket && 1740 curthread->t_sysnum <= SYS_sockconfig) { 1741 mutex_exit(&q->q_stream->sd_lock); 1742 return; 1743 } 1744 mutex_exit(&q->q_stream->sd_lock); 1745 /* 1746 * we know that the thread that did the put/getmsg is the 1747 * one running. Now we can get the TAD and see if we should 1748 * add an audit token. 1749 */ 1750 tad = U2A(u); 1751 1752 kctx = GET_KCTX_PZ; 1753 1754 /* proceed ONLY if user is being audited */ 1755 if (!tad->tad_flag) 1756 return; 1757 1758 ainfo = crgetauinfo(CRED()); 1759 if (ainfo == NULL) 1760 return; 1761 amask = ainfo->ai_mask; 1762 1763 /* 1764 * Figure out the type of stream networking request here. 1765 * Note that getmsg and putmsg are always preselected 1766 * because during the beginning of the system call we have 1767 * not yet figure out which of the socket or tli request 1768 * we are looking at until we are here. So we need to check 1769 * against that specific request and reset the type of event. 1770 */ 1771 switch (type) { 1772 case T_CONN_REQ: /* connection request */ 1773 conn_req = (struct T_conn_req *)mp->b_rptr; 1774 if (conn_req->DEST_offset < sizeof (struct T_conn_req)) 1775 return; 1776 offset = conn_req->DEST_offset; 1777 len = conn_req->DEST_length; 1778 estate = kctx->auk_ets[AUE_SOCKCONNECT]; 1779 if (amask.as_success & estate || amask.as_failure & estate) { 1780 tad->tad_event = AUE_SOCKCONNECT; 1781 break; 1782 } else { 1783 return; 1784 } 1785 case T_CONN_IND: /* connectionless receive request */ 1786 conn_ind = (struct T_conn_ind *)mp->b_rptr; 1787 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind)) 1788 return; 1789 offset = conn_ind->SRC_offset; 1790 len = conn_ind->SRC_length; 1791 estate = kctx->auk_ets[AUE_SOCKACCEPT]; 1792 if (amask.as_success & estate || amask.as_failure & estate) { 1793 tad->tad_event = AUE_SOCKACCEPT; 1794 break; 1795 } else { 1796 return; 1797 } 1798 case T_UNITDATA_REQ: /* connectionless send request */ 1799 unitdata_req = (struct T_unitdata_req *)mp->b_rptr; 1800 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req)) 1801 return; 1802 offset = unitdata_req->DEST_offset; 1803 len = unitdata_req->DEST_length; 1804 estate = kctx->auk_ets[AUE_SOCKSEND]; 1805 if (amask.as_success & estate || amask.as_failure & estate) { 1806 tad->tad_event = AUE_SOCKSEND; 1807 break; 1808 } else { 1809 return; 1810 } 1811 case T_UNITDATA_IND: /* connectionless receive request */ 1812 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr; 1813 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind)) 1814 return; 1815 offset = unitdata_ind->SRC_offset; 1816 len = unitdata_ind->SRC_length; 1817 estate = kctx->auk_ets[AUE_SOCKRECEIVE]; 1818 if (amask.as_success & estate || amask.as_failure & estate) { 1819 tad->tad_event = AUE_SOCKRECEIVE; 1820 break; 1821 } else { 1822 return; 1823 } 1824 default: 1825 return; 1826 } 1827 1828 /* 1829 * we are only interested in tcp stream connections, 1830 * not unix domain stuff 1831 */ 1832 if ((len < 0) || (len > sizeof (struct sockaddr_in))) { 1833 tad->tad_event = AUE_GETMSG; 1834 return; 1835 } 1836 /* skip over TPI header and point to the ip address */ 1837 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset); 1838 1839 switch (sock_data->sin_family) { 1840 case AF_INET: 1841 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data)); 1842 break; 1843 default: /* reset to AUE_PUTMSG if not a inet request */ 1844 tad->tad_event = AUE_GETMSG; 1845 break; 1846 } 1847 } 1848 1849 void 1850 audit_lookupname() 1851 { 1852 } 1853 1854 /*ARGSUSED*/ 1855 int 1856 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) 1857 { 1858 return (0); 1859 } 1860 1861 static void 1862 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval) 1863 { 1864 unsigned int sy_flags; 1865 1866 #ifdef _SYSCALL32_IMPL 1867 /* 1868 * Guard against t_lwp being NULL when this function is called 1869 * from a kernel queue instead of from a direct system call. 1870 * In that case, assume the running kernel data model. 1871 */ 1872 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel( 1873 ttolwp(curthread)) == DATAMODEL_NATIVE)) 1874 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1875 else 1876 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1877 #else 1878 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1879 #endif 1880 1881 if (sy_flags == SE_64RVAL) 1882 au_write(ad, au_to_return64(err, rval)); 1883 else 1884 au_write(ad, au_to_return32(err, rval)); 1885 1886 } 1887 1888 /*ARGSUSED*/ 1889 void 1890 audit_fdsend(fd, fp, error) 1891 int fd; 1892 struct file *fp; 1893 int error; /* ignore for now */ 1894 { 1895 t_audit_data_t *tad; /* current thread */ 1896 f_audit_data_t *fad; /* per file audit structure */ 1897 struct vnode *vp; /* for file attributes */ 1898 1899 /* is this system call being audited */ 1900 tad = U2A(u); 1901 ASSERT(tad != (t_audit_data_t *)0); 1902 if (!tad->tad_flag) 1903 return; 1904 1905 fad = F2A(fp); 1906 1907 /* add path and file attributes */ 1908 if (fad != NULL && fad->fad_aupath != NULL) { 1909 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1910 au_uwrite(au_to_path(fad->fad_aupath)); 1911 } else { 1912 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd)); 1913 #ifdef _LP64 1914 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 1915 #else 1916 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 1917 #endif 1918 } 1919 vp = fp->f_vnode; /* include vnode attributes */ 1920 audit_attributes(vp); 1921 } 1922 1923 /* 1924 * Record privileges successfully used and we attempted to use but 1925 * didn't have. 1926 */ 1927 void 1928 audit_priv(int priv, const priv_set_t *set, int flag) 1929 { 1930 t_audit_data_t *tad; 1931 int sbit; 1932 priv_set_t *target; 1933 1934 /* Make sure this isn't being called in an interrupt context */ 1935 ASSERT(servicing_interrupt() == 0); 1936 1937 tad = U2A(u); 1938 1939 if (tad->tad_flag == 0) 1940 return; 1941 1942 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs; 1943 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE; 1944 1945 /* Tell audit_success() and audit_finish() that we saw this case */ 1946 if (!(tad->tad_evmod & sbit)) { 1947 /* Clear set first time around */ 1948 priv_emptyset(target); 1949 tad->tad_evmod |= sbit; 1950 } 1951 1952 /* Save the privileges in the tad */ 1953 if (priv == PRIV_ALL) { 1954 priv_fillset(target); 1955 } else { 1956 ASSERT(set != NULL || priv != PRIV_NONE); 1957 if (set != NULL) 1958 priv_union(set, target); 1959 if (priv != PRIV_NONE) 1960 priv_addset(target, priv); 1961 } 1962 } 1963 1964 /* 1965 * Audit the setpriv() system call; the operation, the set name and 1966 * the current value as well as the set argument are put in the 1967 * audit trail. 1968 */ 1969 void 1970 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr) 1971 { 1972 t_audit_data_t *tad; 1973 const priv_set_t *oldpriv; 1974 priv_set_t report; 1975 const char *setname; 1976 1977 tad = U2A(u); 1978 1979 if (tad->tad_flag == 0) 1980 return; 1981 1982 oldpriv = priv_getset(ocr, set); 1983 1984 /* Generate the actual record, include the before and after */ 1985 au_uwrite(au_to_arg32(2, "op", op)); 1986 setname = priv_getsetbynum(set); 1987 1988 switch (op) { 1989 case PRIV_OFF: 1990 /* Report privileges actually switched off */ 1991 report = *oldpriv; 1992 priv_intersect(newpriv, &report); 1993 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 1994 break; 1995 case PRIV_ON: 1996 /* Report privileges actually switched on */ 1997 report = *oldpriv; 1998 priv_inverse(&report); 1999 priv_intersect(newpriv, &report); 2000 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0)); 2001 break; 2002 case PRIV_SET: 2003 /* Report before and after */ 2004 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0)); 2005 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0)); 2006 break; 2007 } 2008 } 2009 2010 /* 2011 * Dump the full device policy setting in the audit trail. 2012 */ 2013 void 2014 audit_devpolicy(int nitems, const devplcysys_t *items) 2015 { 2016 t_audit_data_t *tad; 2017 int i; 2018 2019 tad = U2A(u); 2020 2021 if (tad->tad_flag == 0) 2022 return; 2023 2024 for (i = 0; i < nitems; i++) { 2025 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj)); 2026 if (items[i].dps_minornm[0] == '\0') { 2027 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin)); 2028 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin)); 2029 } else 2030 au_uwrite(au_to_text(items[i].dps_minornm)); 2031 2032 au_uwrite(au_to_privset("read", &items[i].dps_rdp, 2033 AUT_PRIV, 0)); 2034 au_uwrite(au_to_privset("write", &items[i].dps_wrp, 2035 AUT_PRIV, 0)); 2036 } 2037 } 2038 2039 /*ARGSUSED*/ 2040 void 2041 audit_fdrecv(fd, fp) 2042 int fd; 2043 struct file *fp; 2044 { 2045 t_audit_data_t *tad; /* current thread */ 2046 f_audit_data_t *fad; /* per file audit structure */ 2047 struct vnode *vp; /* for file attributes */ 2048 2049 /* is this system call being audited */ 2050 tad = U2A(u); 2051 ASSERT(tad != (t_audit_data_t *)0); 2052 if (!tad->tad_flag) 2053 return; 2054 2055 fad = F2A(fp); 2056 2057 /* add path and file attributes */ 2058 if (fad != NULL && fad->fad_aupath != NULL) { 2059 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2060 au_uwrite(au_to_path(fad->fad_aupath)); 2061 } else { 2062 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd)); 2063 #ifdef _LP64 2064 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp)); 2065 #else 2066 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp)); 2067 #endif 2068 } 2069 vp = fp->f_vnode; /* include vnode attributes */ 2070 audit_attributes(vp); 2071 } 2072 2073 /* 2074 * ROUTINE: AUDIT_CRYPTOADM 2075 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm 2076 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED, 2077 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG, 2078 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN, 2079 * CRYPTO_LOAD_DOOR 2080 * NOTE: 2081 * TODO: 2082 * QUESTION: 2083 */ 2084 2085 void 2086 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names, 2087 uint_t mech_count, uint_t device_instance, uint32_t rv, int error) 2088 { 2089 boolean_t mech_list_required = B_FALSE; 2090 cred_t *cr = CRED(); 2091 t_audit_data_t *tad; 2092 token_t *ad = NULL; 2093 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2094 char buffer[MAXNAMELEN * 2]; 2095 au_kcontext_t *kctx = GET_KCTX_PZ; 2096 2097 tad = U2A(u); 2098 if (tad == NULL) 2099 return; 2100 2101 if (ainfo == NULL) 2102 return; 2103 2104 tad->tad_event = AUE_CRYPTOADM; 2105 2106 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2107 return; 2108 2109 /* Add subject information */ 2110 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx); 2111 2112 switch (cmd) { 2113 case CRYPTO_LOAD_DEV_DISABLED: 2114 if (error == 0 && rv == CRYPTO_SUCCESS) { 2115 (void) snprintf(buffer, sizeof (buffer), 2116 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s," 2117 " dev_instance=%d", 2118 module_name, device_instance); 2119 mech_list_required = B_TRUE; 2120 } else { 2121 (void) snprintf(buffer, sizeof (buffer), 2122 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv); 2123 } 2124 break; 2125 2126 case CRYPTO_LOAD_SOFT_DISABLED: 2127 if (error == 0 && rv == CRYPTO_SUCCESS) { 2128 (void) snprintf(buffer, sizeof (buffer), 2129 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s", 2130 module_name); 2131 mech_list_required = B_TRUE; 2132 } else { 2133 (void) snprintf(buffer, sizeof (buffer), 2134 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv); 2135 } 2136 break; 2137 2138 case CRYPTO_UNLOAD_SOFT_MODULE: 2139 if (error == 0 && rv == CRYPTO_SUCCESS) { 2140 (void) snprintf(buffer, sizeof (buffer), 2141 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s", 2142 module_name); 2143 } else { 2144 (void) snprintf(buffer, sizeof (buffer), 2145 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv); 2146 } 2147 break; 2148 2149 case CRYPTO_LOAD_SOFT_CONFIG: 2150 if (error == 0 && rv == CRYPTO_SUCCESS) { 2151 (void) snprintf(buffer, sizeof (buffer), 2152 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s", 2153 module_name); 2154 mech_list_required = B_TRUE; 2155 } else { 2156 (void) snprintf(buffer, sizeof (buffer), 2157 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv); 2158 } 2159 break; 2160 2161 case CRYPTO_POOL_CREATE: 2162 (void) snprintf(buffer, sizeof (buffer), 2163 "op=CRYPTO_POOL_CREATE"); 2164 break; 2165 2166 case CRYPTO_POOL_WAIT: 2167 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT"); 2168 break; 2169 2170 case CRYPTO_POOL_RUN: 2171 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN"); 2172 break; 2173 2174 case CRYPTO_LOAD_DOOR: 2175 if (error == 0 && rv == CRYPTO_SUCCESS) 2176 (void) snprintf(buffer, sizeof (buffer), 2177 "op=CRYPTO_LOAD_DOOR"); 2178 else 2179 (void) snprintf(buffer, sizeof (buffer), 2180 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv); 2181 break; 2182 2183 default: 2184 return; 2185 } 2186 2187 au_write((caddr_t *)&ad, au_to_text(buffer)); 2188 2189 if (mech_list_required) { 2190 int i; 2191 2192 if (mech_count == 0) { 2193 au_write((caddr_t *)&ad, au_to_text("mech=list empty")); 2194 } else { 2195 char *pb = buffer; 2196 size_t l = sizeof (buffer); 2197 size_t n; 2198 char space[2] = ":"; 2199 2200 n = snprintf(pb, l, "mech="); 2201 2202 for (i = 0; i < mech_count; i++) { 2203 pb += n; 2204 l -= n; 2205 if (l < 0) 2206 l = 0; 2207 2208 if (i == mech_count - 1) 2209 (void) strcpy(space, ""); 2210 2211 n = snprintf(pb, l, "%s%s", mech_names[i], 2212 space); 2213 } 2214 au_write((caddr_t *)&ad, au_to_text(buffer)); 2215 } 2216 } 2217 2218 /* add a return token */ 2219 if (error || (rv != CRYPTO_SUCCESS)) 2220 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error); 2221 else 2222 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv); 2223 2224 AS_INC(as_generated, 1, kctx); 2225 AS_INC(as_kernel, 1, kctx); 2226 2227 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0); 2228 } 2229 2230 /* 2231 * Audit the kernel SSL administration command. The address and the 2232 * port number for the SSL instance, and the proxy port are put in the 2233 * audit trail. 2234 */ 2235 void 2236 audit_kssl(int cmd, void *params, int error) 2237 { 2238 cred_t *cr = CRED(); 2239 t_audit_data_t *tad; 2240 token_t *ad = NULL; 2241 const auditinfo_addr_t *ainfo = crgetauinfo(cr); 2242 au_kcontext_t *kctx = GET_KCTX_PZ; 2243 2244 tad = U2A(u); 2245 2246 if (ainfo == NULL) 2247 return; 2248 2249 tad->tad_event = AUE_CONFIGKSSL; 2250 2251 if (audit_success(kctx, tad, error, NULL) != AU_OK) 2252 return; 2253 2254 /* Add subject information */ 2255 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx); 2256 2257 switch (cmd) { 2258 case KSSL_ADD_ENTRY: { 2259 char buf[32]; 2260 kssl_params_t *kp = (kssl_params_t *)params; 2261 struct sockaddr_in *saddr = &(kp->kssl_addr); 2262 2263 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY")); 2264 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2265 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2266 saddr->sin_port); 2267 au_write((caddr_t *)&ad, au_to_text(buf)); 2268 2269 (void) snprintf(buf, sizeof (buf), "proxy port=%d", 2270 kp->kssl_proxy_port); 2271 au_write((caddr_t *)&ad, au_to_text(buf)); 2272 break; 2273 } 2274 2275 case KSSL_DELETE_ENTRY: { 2276 char buf[32]; 2277 struct sockaddr_in *saddr = (struct sockaddr_in *)params; 2278 2279 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY")); 2280 au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr))); 2281 (void) snprintf(buf, sizeof (buf), "SSL port=%d", 2282 saddr->sin_port); 2283 au_write((caddr_t *)&ad, au_to_text(buf)); 2284 break; 2285 } 2286 2287 default: 2288 return; 2289 } 2290 2291 /* add a return token */ 2292 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0); 2293 2294 AS_INC(as_generated, 1, kctx); 2295 AS_INC(as_kernel, 1, kctx); 2296 2297 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0); 2298 } 2299 2300 /* 2301 * Audit the kernel PF_POLICY administration commands. Record command, 2302 * zone, policy type (global or tunnel, active or inactive) 2303 */ 2304 /* 2305 * ROUTINE: AUDIT_PF_POLICY 2306 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket 2307 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS, 2308 * SPD_CLONE, SPD_FLIP 2309 * NOTE: 2310 * TODO: 2311 * QUESTION: 2312 */ 2313 2314 void 2315 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun, 2316 boolean_t active, int error, pid_t pid) 2317 { 2318 const auditinfo_addr_t *ainfo; 2319 t_audit_data_t *tad; 2320 token_t *ad = NULL; 2321 au_kcontext_t *kctx = GET_KCTX_PZ; 2322 char buf[80]; 2323 int flag; 2324 2325 tad = U2A(u); 2326 if (tad == NULL) 2327 return; 2328 2329 ainfo = crgetauinfo((cred != NULL) ? cred : CRED()); 2330 if (ainfo == NULL) 2331 return; 2332 2333 /* 2334 * Initialize some variables since these are only set 2335 * with system calls. 2336 */ 2337 2338 switch (cmd) { 2339 case SPD_ADDRULE: { 2340 tad->tad_event = AUE_PF_POLICY_ADDRULE; 2341 break; 2342 } 2343 2344 case SPD_DELETERULE: { 2345 tad->tad_event = AUE_PF_POLICY_DELRULE; 2346 break; 2347 } 2348 2349 case SPD_FLUSH: { 2350 tad->tad_event = AUE_PF_POLICY_FLUSH; 2351 break; 2352 } 2353 2354 case SPD_UPDATEALGS: { 2355 tad->tad_event = AUE_PF_POLICY_ALGS; 2356 break; 2357 } 2358 2359 case SPD_CLONE: { 2360 tad->tad_event = AUE_PF_POLICY_CLONE; 2361 break; 2362 } 2363 2364 case SPD_FLIP: { 2365 tad->tad_event = AUE_PF_POLICY_FLIP; 2366 break; 2367 } 2368 2369 default: 2370 tad->tad_event = AUE_NULL; 2371 } 2372 2373 tad->tad_evmod = 0; 2374 2375 if (flag = audit_success(kctx, tad, error, cred)) { 2376 zone_t *nszone; 2377 2378 /* 2379 * For now, just audit that an event happened, 2380 * along with the error code. 2381 */ 2382 au_write((caddr_t *)&ad, 2383 au_to_arg32(1, "Policy Active?", (uint32_t)active)); 2384 au_write((caddr_t *)&ad, 2385 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL))); 2386 2387 /* Supplemental data */ 2388 2389 /* 2390 * Generate this zone token if the target zone differs 2391 * from the administrative zone. If netstacks are expanded 2392 * to something other than a 1-1 relationship with zones, 2393 * the auditing framework should create a new token type 2394 * and audit it as a netstack instead. 2395 * Turn on general zone auditing to get the administrative zone. 2396 */ 2397 2398 nszone = zone_find_by_id(netstackid_to_zoneid( 2399 ns->netstack_stackid)); 2400 if (nszone != NULL) { 2401 if (strncmp(cred->cr_zone->zone_name, nszone->zone_name, 2402 ZONENAME_MAX) != 0) { 2403 token_t *ztoken; 2404 2405 ztoken = au_to_zonename(0, nszone); 2406 au_write((caddr_t *)&ad, ztoken); 2407 } 2408 zone_rele(nszone); 2409 } 2410 2411 if (tun != NULL) { 2412 /* write tunnel name - tun is bounded */ 2413 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s", 2414 tun); 2415 au_write((caddr_t *)&ad, au_to_text(buf)); 2416 } 2417 2418 /* Add subject information */ 2419 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad, 2420 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid); 2421 2422 /* add a return token */ 2423 add_return_token((caddr_t *)&ad, 0, error, 0); 2424 2425 AS_INC(as_generated, 1, kctx); 2426 AS_INC(as_kernel, 1, kctx); 2427 2428 } 2429 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, 0); 2430 2431 /* 2432 * clear the ctrl flag so that we don't have spurious collection of 2433 * audit information. 2434 */ 2435 tad->tad_scid = 0; 2436 tad->tad_event = 0; 2437 tad->tad_evmod = 0; 2438 tad->tad_ctrl = 0; 2439 } 2440 2441 /* 2442 * ROUTINE: AUDIT_SEC_ATTRIBUTES 2443 * PURPOSE: Add security attributes 2444 * CALLBY: AUDIT_ATTRIBUTES 2445 * AUDIT_CLOSEF 2446 * AUS_CLOSE 2447 * NOTE: 2448 * TODO: 2449 * QUESTION: 2450 */ 2451 2452 void 2453 audit_sec_attributes(caddr_t *ad, struct vnode *vp) 2454 { 2455 /* Dump the SL */ 2456 if (is_system_labeled()) { 2457 ts_label_t *tsl; 2458 bslabel_t *bsl; 2459 2460 tsl = getflabel(vp); 2461 if (tsl == NULL) 2462 return; /* nothing else to do */ 2463 2464 bsl = label2bslabel(tsl); 2465 if (bsl == NULL) 2466 return; /* nothing else to do */ 2467 au_write(ad, au_to_label(bsl)); 2468 label_rele(tsl); 2469 } 2470 2471 } /* AUDIT_SEC_ATTRIBUTES */ 2472