1005d3febSMarek Pospisil /*
2005d3febSMarek Pospisil * CDDL HEADER START
3005d3febSMarek Pospisil *
4005d3febSMarek Pospisil * The contents of this file are subject to the terms of the
5005d3febSMarek Pospisil * Common Development and Distribution License (the "License").
6005d3febSMarek Pospisil * You may not use this file except in compliance with the License.
7005d3febSMarek Pospisil *
8005d3febSMarek Pospisil * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9005d3febSMarek Pospisil * or http://www.opensolaris.org/os/licensing.
10005d3febSMarek Pospisil * See the License for the specific language governing permissions
11005d3febSMarek Pospisil * and limitations under the License.
12005d3febSMarek Pospisil *
13005d3febSMarek Pospisil * When distributing Covered Code, include this CDDL HEADER in each
14005d3febSMarek Pospisil * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15005d3febSMarek Pospisil * If applicable, add the following below this CDDL HEADER, with the
16005d3febSMarek Pospisil * fields enclosed by brackets "[]" replaced with your own identifying
17005d3febSMarek Pospisil * information: Portions Copyright [yyyy] [name of copyright owner]
18005d3febSMarek Pospisil *
19005d3febSMarek Pospisil * CDDL HEADER END
20005d3febSMarek Pospisil */
21005d3febSMarek Pospisil /*
22*7a6a8adfSMarek Pospisil * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
23005d3febSMarek Pospisil */
24005d3febSMarek Pospisil
25005d3febSMarek Pospisil #include <sys/param.h>
26005d3febSMarek Pospisil #include <sys/types.h>
27005d3febSMarek Pospisil #include <sys/time.h>
28005d3febSMarek Pospisil #include <sys/kmem.h>
29005d3febSMarek Pospisil #include <sys/proc.h>
30005d3febSMarek Pospisil #include <sys/vnode.h>
31005d3febSMarek Pospisil #include <sys/file.h>
32005d3febSMarek Pospisil #include <sys/user.h>
33005d3febSMarek Pospisil #include <sys/stropts.h>
34005d3febSMarek Pospisil #include <sys/systm.h>
35005d3febSMarek Pospisil #include <sys/pathname.h>
36005d3febSMarek Pospisil #include <sys/debug.h>
37005d3febSMarek Pospisil #include <sys/cred_impl.h>
38005d3febSMarek Pospisil #include <sys/zone.h>
39005d3febSMarek Pospisil #include <sys/modctl.h>
40005d3febSMarek Pospisil #include <sys/sysconf.h>
41005d3febSMarek Pospisil #include <c2/audit.h>
42005d3febSMarek Pospisil #include <c2/audit_kernel.h>
43005d3febSMarek Pospisil #include <c2/audit_kevents.h>
44005d3febSMarek Pospisil #include <c2/audit_record.h>
45005d3febSMarek Pospisil
46005d3febSMarek Pospisil
47005d3febSMarek Pospisil struct p_audit_data *pad0;
48005d3febSMarek Pospisil struct t_audit_data *tad0;
49005d3febSMarek Pospisil
50005d3febSMarek Pospisil extern uint_t num_syscall; /* size of audit_s2e table */
51005d3febSMarek Pospisil extern kmutex_t pidlock; /* proc table lock */
52005d3febSMarek Pospisil
53005d3febSMarek Pospisil
54005d3febSMarek Pospisil void
audit_init()55005d3febSMarek Pospisil audit_init()
56005d3febSMarek Pospisil {
57005d3febSMarek Pospisil kthread_t *au_thread;
58005d3febSMarek Pospisil auditinfo_addr_t *ainfo;
59005d3febSMarek Pospisil struct audit_path apempty;
60005d3febSMarek Pospisil
61005d3febSMarek Pospisil /*
62005d3febSMarek Pospisil * If the c2audit module is explicitely excluded in /etc/system,
63005d3febSMarek Pospisil * it cannot be loaded later (e.g. using modload). Make a notice
64005d3febSMarek Pospisil * that the module won't be present and do nothing.
65005d3febSMarek Pospisil */
66005d3febSMarek Pospisil
67005d3febSMarek Pospisil if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0) {
68005d3febSMarek Pospisil audit_active = C2AUDIT_DISABLED;
69005d3febSMarek Pospisil return;
70005d3febSMarek Pospisil }
71005d3febSMarek Pospisil
72005d3febSMarek Pospisil /* c2audit module can be loaded anytime */
73005d3febSMarek Pospisil audit_active = C2AUDIT_UNLOADED;
74005d3febSMarek Pospisil
75005d3febSMarek Pospisil /* initialize the process audit data (pad) memory allocator */
76005d3febSMarek Pospisil au_pad_init();
77005d3febSMarek Pospisil
78005d3febSMarek Pospisil /* initialize the zone audit context */
79005d3febSMarek Pospisil au_zone_setup();
80005d3febSMarek Pospisil
81005d3febSMarek Pospisil /* inital thread structure */
82005d3febSMarek Pospisil tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
83005d3febSMarek Pospisil
84005d3febSMarek Pospisil /* initial process structure */
85005d3febSMarek Pospisil pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
86005d3febSMarek Pospisil bzero(&pad0->pad_data, sizeof (pad0->pad_data));
87005d3febSMarek Pospisil
88005d3febSMarek Pospisil curthread->t_audit_data = tad0;
89005d3febSMarek Pospisil curproc->p_audit_data = pad0;
90005d3febSMarek Pospisil
91005d3febSMarek Pospisil /*
92005d3febSMarek Pospisil * The kernel allocates a bunch of threads make sure they have
93005d3febSMarek Pospisil * a valid tad
94005d3febSMarek Pospisil */
95005d3febSMarek Pospisil
96005d3febSMarek Pospisil mutex_enter(&pidlock);
97005d3febSMarek Pospisil
98005d3febSMarek Pospisil au_thread = curthread;
99005d3febSMarek Pospisil do {
100005d3febSMarek Pospisil if (T2A(au_thread) == NULL) {
101005d3febSMarek Pospisil T2A(au_thread) = tad0;
102005d3febSMarek Pospisil }
103005d3febSMarek Pospisil au_thread = au_thread->t_next;
104005d3febSMarek Pospisil } while (au_thread != curthread);
105005d3febSMarek Pospisil
106005d3febSMarek Pospisil tad0->tad_ad = NULL;
107005d3febSMarek Pospisil mutex_exit(&pidlock);
108005d3febSMarek Pospisil
109005d3febSMarek Pospisil /*
110005d3febSMarek Pospisil * Initialize audit context in our cred (kcred).
111005d3febSMarek Pospisil * No copy-on-write needed here because it's so early in init.
112005d3febSMarek Pospisil */
113005d3febSMarek Pospisil
114005d3febSMarek Pospisil ainfo = crgetauinfo_modifiable(kcred);
115005d3febSMarek Pospisil ASSERT(ainfo != NULL);
116005d3febSMarek Pospisil bzero(ainfo, sizeof (auditinfo_addr_t));
117005d3febSMarek Pospisil ainfo->ai_auid = AU_NOAUDITID;
118005d3febSMarek Pospisil
119005d3febSMarek Pospisil /* fabricate an empty audit_path to extend */
120005d3febSMarek Pospisil apempty.audp_cnt = 0;
121005d3febSMarek Pospisil apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
122005d3febSMarek Pospisil pad0->pad_root = au_pathdup(&apempty, 1, 2);
123005d3febSMarek Pospisil bcopy("/", pad0->pad_root->audp_sect[0], 2);
124005d3febSMarek Pospisil au_pathhold(pad0->pad_root);
125005d3febSMarek Pospisil pad0->pad_cwd = pad0->pad_root;
126005d3febSMarek Pospisil }
127005d3febSMarek Pospisil
128005d3febSMarek Pospisil /*
129005d3febSMarek Pospisil * Check for any pending changes to the audit context for the given proc.
130005d3febSMarek Pospisil * p_crlock and pad_lock for the process are acquired here. Caller is
131005d3febSMarek Pospisil * responsible for assuring the process doesn't go away. If context is
132005d3febSMarek Pospisil * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
133005d3febSMarek Pospisil * If no cred is given, it will be cralloc'ed here and caller assures that
134005d3febSMarek Pospisil * it is safe to allocate memory.
135005d3febSMarek Pospisil */
136005d3febSMarek Pospisil
137005d3febSMarek Pospisil void
audit_update_context(proc_t * p,cred_t * ncr)138005d3febSMarek Pospisil audit_update_context(proc_t *p, cred_t *ncr)
139005d3febSMarek Pospisil {
140005d3febSMarek Pospisil struct p_audit_data *pad;
141005d3febSMarek Pospisil cred_t *newcred = ncr;
142005d3febSMarek Pospisil
143005d3febSMarek Pospisil pad = P2A(p);
144005d3febSMarek Pospisil if (pad == NULL) {
145005d3febSMarek Pospisil if (newcred != NULL)
146005d3febSMarek Pospisil crfree(newcred);
147005d3febSMarek Pospisil return;
148005d3febSMarek Pospisil }
149005d3febSMarek Pospisil
150005d3febSMarek Pospisil /* If a mask update is pending, take care of it. */
151005d3febSMarek Pospisil if (pad->pad_flags & PAD_SETMASK) {
152005d3febSMarek Pospisil auditinfo_addr_t *ainfo;
153005d3febSMarek Pospisil
154005d3febSMarek Pospisil if (newcred == NULL)
155005d3febSMarek Pospisil newcred = cralloc();
156005d3febSMarek Pospisil
157005d3febSMarek Pospisil mutex_enter(&pad->pad_lock);
158005d3febSMarek Pospisil /* the condition may have been handled by the time we lock */
159005d3febSMarek Pospisil if (pad->pad_flags & PAD_SETMASK) {
160005d3febSMarek Pospisil ainfo = crgetauinfo_modifiable(newcred);
161005d3febSMarek Pospisil if (ainfo == NULL) {
162*7a6a8adfSMarek Pospisil mutex_exit(&pad->pad_lock);
163005d3febSMarek Pospisil crfree(newcred);
164005d3febSMarek Pospisil return;
165005d3febSMarek Pospisil }
166005d3febSMarek Pospisil
167005d3febSMarek Pospisil mutex_enter(&p->p_crlock);
168005d3febSMarek Pospisil crcopy_to(p->p_cred, newcred);
169005d3febSMarek Pospisil p->p_cred = newcred;
170005d3febSMarek Pospisil
171005d3febSMarek Pospisil ainfo->ai_mask = pad->pad_newmask;
172005d3febSMarek Pospisil
173005d3febSMarek Pospisil /* Unlock and cleanup. */
174005d3febSMarek Pospisil mutex_exit(&p->p_crlock);
175005d3febSMarek Pospisil pad->pad_flags &= ~PAD_SETMASK;
176005d3febSMarek Pospisil
177005d3febSMarek Pospisil /*
178005d3febSMarek Pospisil * For curproc, assure that our thread points to right
179005d3febSMarek Pospisil * cred, so CRED() will be correct. Otherwise, no need
180005d3febSMarek Pospisil * to broadcast changes (via set_proc_pre_sys), since
181005d3febSMarek Pospisil * t_pre_sys is ALWAYS on when audit is enabled... due
182005d3febSMarek Pospisil * to syscall auditing.
183005d3febSMarek Pospisil */
184005d3febSMarek Pospisil if (p == curproc)
185005d3febSMarek Pospisil crset(p, newcred);
186005d3febSMarek Pospisil else
187005d3febSMarek Pospisil crfree(newcred);
188005d3febSMarek Pospisil } else {
189005d3febSMarek Pospisil crfree(newcred);
190005d3febSMarek Pospisil }
191005d3febSMarek Pospisil mutex_exit(&pad->pad_lock);
192005d3febSMarek Pospisil } else {
193005d3febSMarek Pospisil if (newcred != NULL)
194005d3febSMarek Pospisil crfree(newcred);
195005d3febSMarek Pospisil }
196005d3febSMarek Pospisil }
197005d3febSMarek Pospisil
198005d3febSMarek Pospisil /*
199005d3febSMarek Pospisil * ROUTINE: AUDIT_NEWPROC
200005d3febSMarek Pospisil * PURPOSE: initialize the child p_audit_data structure
201005d3febSMarek Pospisil * CALLBY: GETPROC
202005d3febSMarek Pospisil * NOTE: All threads for the parent process are locked at this point.
203005d3febSMarek Pospisil * We are essentially running singled threaded for this reason.
204005d3febSMarek Pospisil * GETPROC is called when system creates a new process.
205005d3febSMarek Pospisil * By the time AUDIT_NEWPROC is called, the child proc
206005d3febSMarek Pospisil * structure has already been initialized. What we need
207005d3febSMarek Pospisil * to do is to allocate the child p_audit_data and
208005d3febSMarek Pospisil * initialize it with the content of current parent process.
209005d3febSMarek Pospisil */
210005d3febSMarek Pospisil
211005d3febSMarek Pospisil void
audit_newproc(struct proc * cp)212005d3febSMarek Pospisil audit_newproc(struct proc *cp) /* initialized child proc structure */
213005d3febSMarek Pospisil {
214005d3febSMarek Pospisil p_audit_data_t *pad; /* child process audit data */
215005d3febSMarek Pospisil p_audit_data_t *opad; /* parent process audit data */
216005d3febSMarek Pospisil
217005d3febSMarek Pospisil pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
218005d3febSMarek Pospisil
219005d3febSMarek Pospisil P2A(cp) = pad;
220005d3febSMarek Pospisil
221005d3febSMarek Pospisil opad = P2A(curproc);
222005d3febSMarek Pospisil
223005d3febSMarek Pospisil /*
224005d3febSMarek Pospisil * copy the audit data. Note that all threads of current
225005d3febSMarek Pospisil * process have been "held". Thus there is no race condition
226005d3febSMarek Pospisil * here with mutiple threads trying to alter the cwrd
227005d3febSMarek Pospisil * structure (such as releasing it).
228005d3febSMarek Pospisil *
229005d3febSMarek Pospisil * The audit context in the cred is "duplicated" for the new
230005d3febSMarek Pospisil * proc by elsewhere crhold'ing the parent's cred which it shares.
231005d3febSMarek Pospisil *
232005d3febSMarek Pospisil * We still want to hold things since auditon() [A_SETUMASK,
233005d3febSMarek Pospisil * A_SETSMASK] could be walking through the processes to
234005d3febSMarek Pospisil * update things.
235005d3febSMarek Pospisil */
236005d3febSMarek Pospisil mutex_enter(&opad->pad_lock); /* lock opad structure during copy */
237005d3febSMarek Pospisil pad->pad_data = opad->pad_data; /* copy parent's process audit data */
238005d3febSMarek Pospisil au_pathhold(pad->pad_root);
239005d3febSMarek Pospisil au_pathhold(pad->pad_cwd);
240005d3febSMarek Pospisil mutex_exit(&opad->pad_lock); /* current proc will keep cwrd open */
241005d3febSMarek Pospisil
242005d3febSMarek Pospisil /*
243005d3febSMarek Pospisil * If we are in the limited mode, there is nothing to audit and
244005d3febSMarek Pospisil * there could not have been anything to audit, since it is not
245005d3febSMarek Pospisil * possible to switch from the full mode into the limited mode
246005d3febSMarek Pospisil * once the full mode is set.
247005d3febSMarek Pospisil */
248005d3febSMarek Pospisil if (audit_active != C2AUDIT_LOADED)
249005d3febSMarek Pospisil return;
250005d3febSMarek Pospisil
251005d3febSMarek Pospisil /*
252005d3febSMarek Pospisil * finish auditing of parent here so that it will be done
253005d3febSMarek Pospisil * before child has a chance to run. We include the child
254005d3febSMarek Pospisil * pid since the return value in the return token is a dummy
255005d3febSMarek Pospisil * one and contains no useful information (it is included to
256005d3febSMarek Pospisil * make the audit record structure consistant).
257005d3febSMarek Pospisil *
258005d3febSMarek Pospisil * tad_flag is set if auditing is on
259005d3febSMarek Pospisil */
260005d3febSMarek Pospisil if (((t_audit_data_t *)T2A(curthread))->tad_flag)
261005d3febSMarek Pospisil au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
262005d3febSMarek Pospisil
263005d3febSMarek Pospisil /*
264005d3febSMarek Pospisil * finish up audit record generation here because child process
265005d3febSMarek Pospisil * is set to run before parent process. We distinguish here
266005d3febSMarek Pospisil * between FORK, FORK1, or VFORK by the saved system call ID.
267005d3febSMarek Pospisil */
268005d3febSMarek Pospisil audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
269005d3febSMarek Pospisil }
270005d3febSMarek Pospisil
271005d3febSMarek Pospisil /*
272005d3febSMarek Pospisil * ROUTINE: AUDIT_PFREE
273005d3febSMarek Pospisil * PURPOSE: deallocate the per-process udit data structure
274005d3febSMarek Pospisil * CALLBY: EXIT
275005d3febSMarek Pospisil * FORK_FAIL
276005d3febSMarek Pospisil * NOTE: all lwp except current one have stopped in SEXITLWPS
277005d3febSMarek Pospisil * why we are single threaded?
278005d3febSMarek Pospisil * . all lwp except current one have stopped in SEXITLWPS.
279005d3febSMarek Pospisil */
280005d3febSMarek Pospisil
281005d3febSMarek Pospisil void
audit_pfree(struct proc * p)282005d3febSMarek Pospisil audit_pfree(struct proc *p) /* proc structure to be freed */
283005d3febSMarek Pospisil
284005d3febSMarek Pospisil { /* AUDIT_PFREE */
285005d3febSMarek Pospisil
286005d3febSMarek Pospisil p_audit_data_t *pad;
287005d3febSMarek Pospisil
288005d3febSMarek Pospisil pad = P2A(p);
289005d3febSMarek Pospisil
290005d3febSMarek Pospisil /* better be a per process audit data structure */
291005d3febSMarek Pospisil ASSERT(pad != (p_audit_data_t *)0);
292005d3febSMarek Pospisil
293005d3febSMarek Pospisil if (pad == pad0) {
294005d3febSMarek Pospisil return;
295005d3febSMarek Pospisil }
296005d3febSMarek Pospisil
297005d3febSMarek Pospisil /* deallocate all auditing resources for this process */
298005d3febSMarek Pospisil au_pathrele(pad->pad_root);
299005d3febSMarek Pospisil au_pathrele(pad->pad_cwd);
300005d3febSMarek Pospisil
301005d3febSMarek Pospisil /*
302005d3febSMarek Pospisil * Since the pad structure is completely overwritten after alloc,
303005d3febSMarek Pospisil * we don't bother to clear it.
304005d3febSMarek Pospisil */
305005d3febSMarek Pospisil
306005d3febSMarek Pospisil kmem_cache_free(au_pad_cache, pad);
307005d3febSMarek Pospisil }
308005d3febSMarek Pospisil
309005d3febSMarek Pospisil /*
310005d3febSMarek Pospisil * ROUTINE: AUDIT_THREAD_CREATE
311005d3febSMarek Pospisil * PURPOSE: allocate per-process thread audit data structure
312005d3febSMarek Pospisil * CALLBY: THREAD_CREATE
313005d3febSMarek Pospisil * NOTE: This is called just after *t was bzero'd.
314005d3febSMarek Pospisil * We are single threaded in this routine.
315005d3febSMarek Pospisil * TODO:
316005d3febSMarek Pospisil * QUESTION:
317005d3febSMarek Pospisil */
318005d3febSMarek Pospisil
319005d3febSMarek Pospisil void
audit_thread_create(kthread_id_t t)320005d3febSMarek Pospisil audit_thread_create(kthread_id_t t)
321005d3febSMarek Pospisil {
322005d3febSMarek Pospisil t_audit_data_t *tad; /* per-thread audit data */
323005d3febSMarek Pospisil
324005d3febSMarek Pospisil tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
325005d3febSMarek Pospisil
326005d3febSMarek Pospisil T2A(t) = tad; /* set up thread audit data ptr */
327005d3febSMarek Pospisil tad->tad_thread = t; /* back ptr to thread: DEBUG */
328005d3febSMarek Pospisil }
329005d3febSMarek Pospisil
330005d3febSMarek Pospisil /*
331005d3febSMarek Pospisil * ROUTINE: AUDIT_THREAD_FREE
332005d3febSMarek Pospisil * PURPOSE: free the per-thread audit data structure
333005d3febSMarek Pospisil * CALLBY: THREAD_FREE
334005d3febSMarek Pospisil * NOTE: most thread data is clear after return
335005d3febSMarek Pospisil */
336005d3febSMarek Pospisil
337005d3febSMarek Pospisil void
audit_thread_free(kthread_t * t)338005d3febSMarek Pospisil audit_thread_free(kthread_t *t)
339005d3febSMarek Pospisil {
340005d3febSMarek Pospisil t_audit_data_t *tad;
341005d3febSMarek Pospisil au_defer_info_t *attr;
342005d3febSMarek Pospisil
343005d3febSMarek Pospisil tad = T2A(t);
344005d3febSMarek Pospisil
345005d3febSMarek Pospisil /* thread audit data must still be set */
346005d3febSMarek Pospisil
347005d3febSMarek Pospisil if (tad == tad0) {
348005d3febSMarek Pospisil return;
349005d3febSMarek Pospisil }
350005d3febSMarek Pospisil
351005d3febSMarek Pospisil if (tad == NULL) {
352005d3febSMarek Pospisil return;
353005d3febSMarek Pospisil }
354005d3febSMarek Pospisil
355005d3febSMarek Pospisil t->t_audit_data = 0;
356005d3febSMarek Pospisil
357005d3febSMarek Pospisil /* must not have any audit record residual */
358005d3febSMarek Pospisil ASSERT(tad->tad_ad == NULL);
359005d3febSMarek Pospisil
360005d3febSMarek Pospisil /* saved path must be empty */
361005d3febSMarek Pospisil ASSERT(tad->tad_aupath == NULL);
362005d3febSMarek Pospisil
363005d3febSMarek Pospisil if (tad->tad_atpath)
364005d3febSMarek Pospisil au_pathrele(tad->tad_atpath);
365005d3febSMarek Pospisil
366005d3febSMarek Pospisil if (audit_active == C2AUDIT_LOADED) {
367005d3febSMarek Pospisil attr = tad->tad_defer_head;
368005d3febSMarek Pospisil while (attr != NULL) {
369005d3febSMarek Pospisil au_defer_info_t *tmp_attr = attr;
370005d3febSMarek Pospisil
371005d3febSMarek Pospisil au_free_rec(attr->audi_ad);
372005d3febSMarek Pospisil
373005d3febSMarek Pospisil attr = attr->audi_next;
374005d3febSMarek Pospisil kmem_free(tmp_attr, sizeof (au_defer_info_t));
375005d3febSMarek Pospisil }
376005d3febSMarek Pospisil }
377005d3febSMarek Pospisil
378005d3febSMarek Pospisil kmem_free(tad, sizeof (*tad));
379005d3febSMarek Pospisil }
380005d3febSMarek Pospisil
381005d3febSMarek Pospisil /*
382005d3febSMarek Pospisil * ROUTINE: AUDIT_FALLOC
383005d3febSMarek Pospisil * PURPOSE: allocating a new file structure
384005d3febSMarek Pospisil * CALLBY: FALLOC
385005d3febSMarek Pospisil * NOTE: file structure already initialized
386005d3febSMarek Pospisil * TODO:
387005d3febSMarek Pospisil * QUESTION:
388005d3febSMarek Pospisil */
389005d3febSMarek Pospisil
390005d3febSMarek Pospisil void
audit_falloc(struct file * fp)391005d3febSMarek Pospisil audit_falloc(struct file *fp)
392005d3febSMarek Pospisil { /* AUDIT_FALLOC */
393005d3febSMarek Pospisil
394005d3febSMarek Pospisil f_audit_data_t *fad;
395005d3febSMarek Pospisil
396005d3febSMarek Pospisil /* allocate per file audit structure if there a'int any */
397005d3febSMarek Pospisil ASSERT(F2A(fp) == NULL);
398005d3febSMarek Pospisil
399005d3febSMarek Pospisil fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
400005d3febSMarek Pospisil
401005d3febSMarek Pospisil F2A(fp) = fad;
402005d3febSMarek Pospisil
403005d3febSMarek Pospisil fad->fad_thread = curthread; /* file audit data back ptr; DEBUG */
404005d3febSMarek Pospisil }
405005d3febSMarek Pospisil
406005d3febSMarek Pospisil /*
407005d3febSMarek Pospisil * ROUTINE: AUDIT_UNFALLOC
408005d3febSMarek Pospisil * PURPOSE: deallocate file audit data structure
409005d3febSMarek Pospisil * CALLBY: CLOSEF
410005d3febSMarek Pospisil * UNFALLOC
411005d3febSMarek Pospisil * NOTE:
412005d3febSMarek Pospisil * TODO:
413005d3febSMarek Pospisil * QUESTION:
414005d3febSMarek Pospisil */
415005d3febSMarek Pospisil
416005d3febSMarek Pospisil void
audit_unfalloc(struct file * fp)417005d3febSMarek Pospisil audit_unfalloc(struct file *fp)
418005d3febSMarek Pospisil {
419005d3febSMarek Pospisil f_audit_data_t *fad;
420005d3febSMarek Pospisil
421005d3febSMarek Pospisil fad = F2A(fp);
422005d3febSMarek Pospisil
423005d3febSMarek Pospisil if (!fad) {
424005d3febSMarek Pospisil return;
425005d3febSMarek Pospisil }
426005d3febSMarek Pospisil if (fad->fad_aupath != NULL) {
427005d3febSMarek Pospisil au_pathrele(fad->fad_aupath);
428005d3febSMarek Pospisil }
429005d3febSMarek Pospisil fp->f_audit_data = 0;
430005d3febSMarek Pospisil kmem_free(fad, sizeof (struct f_audit_data));
431005d3febSMarek Pospisil }
432005d3febSMarek Pospisil
433005d3febSMarek Pospisil uint32_t
audit_getstate()434005d3febSMarek Pospisil audit_getstate()
435005d3febSMarek Pospisil {
436005d3febSMarek Pospisil return (audit_active == C2AUDIT_LOADED &&
437005d3febSMarek Pospisil ((AU_AUDIT_MASK) & U2A(u)->tad_audit));
438005d3febSMarek Pospisil }
439