]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_audit.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-517.11.1.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
CommitLineData
55e303ae 1/*
e5568f75 2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
55e303ae
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
e5568f75
A		 5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
55e303ae
A		 14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
e5568f75
A		 16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
55e303ae
A		 20 * @APPLE_LICENSE_HEADER_END@
21 */
e5568f75 22
55e303ae 23#include <sys/param.h>
e5568f75 24#include <sys/file.h>
55e303ae
A		 25#include <sys/fcntl.h>
26#include <sys/kernel.h>
27#include <sys/lock.h>
28#include <sys/namei.h>
29#include <sys/proc.h>
30#include <sys/queue.h>
31#include <sys/systm.h>
32#include <sys/time.h>
33#include <sys/ucred.h>
34#include <sys/uio.h>
35#include <sys/unistd.h>
36#include <sys/vnode.h>
55e303ae 37#include <sys/user.h>
55e303ae
A		 38#include <sys/syscall.h>
39#include <sys/malloc.h>
40#include <sys/un.h>
e5568f75
A		 41#include <netinet/in.h>
42#include <sys/socketvar.h>
43#include <sys/protosw.h>
44#include <sys/domain.h>
45#include <sys/mount.h>
46#include <net/route.h>
47#include <netinet/in_pcb.h>
48
49#include <bsm/audit.h>
50#include <bsm/audit_kevents.h>
51#include <bsm/audit_klib.h>
52#include <bsm/audit_kernel.h>
53
54#include <mach/message.h>
55#include <mach/port.h>
56#include <mach/host_special_ports.h>
57#include <mach/audit_triggers.h>
55e303ae
A		 58
59#include <kern/lock.h>
60#include <kern/wait_queue.h>
e5568f75
A		 61#include <kern/zalloc.h>
62#include <kern/kalloc.h>
63
64#include <audit.h>
55e303ae
A		 65
66#ifdef AUDIT
67
68/*
69 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
70 * gratuitously noisy printf's to the console. Due to the
71 * volume, it should be left off unless you want your system
72 * to churn a lot whenever the audit record flow gets high.
73 */
74/* #define AUDIT_EXCESSIVELY_VERBOSE */
75#ifdef AUDIT_EXCESSIVELY_VERBOSE
76#define AUDIT_PRINTF(x) printf x
77#else
78#define AUDIT_PRINTF(X)
79#endif
80
81#if DIAGNOSTIC
82#if defined(assert)
83#undef assert()
84#endif
85#define assert(cond) \
86 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
87#else
88#include <kern/assert.h>
89#endif /* DIAGNOSTIC */
90
91/*
92 * Define the audit control flags.
93 */
94int audit_enabled;
95int audit_suspended;
96
97/*
98 * Mutex to protect global variables shared between various threads and
99 * processes.
100 */
101static mutex_t *audit_mtx;
102
103/*
104 * Queue of audit records ready for delivery to disk. We insert new
e5568f75
A		 105 * records at the tail, and remove records from the head. Also,
106 * a count of the number of records used for checking queue depth.
107 * In addition, a counter of records that we have allocated but are
108 * not yet in the queue, which is needed to estimate the total
109 * size of the combined set of records outstanding in the system.
55e303ae 110 */
e5568f75
A		 111static TAILQ_HEAD(, kaudit_record) audit_q;
112static int audit_q_len;
113static int audit_pre_q_len;
114
115static wait_queue_t audit_wait_queue;
116static zone_t audit_zone;
55e303ae
A		 117
118/*
119 * Condition variable to signal to the worker that it has work to do:
120 * either new records are in the queue, or a log replacement is taking
121 * place.
122 */
e5568f75
A		 123static int audit_worker_event;
124#define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
55e303ae
A		 125
126/*
127 * When an audit log is rotated, the actual rotation must be performed
128 * by the audit worker thread, as it may have outstanding writes on the
129 * current audit log. audit_replacement_vp holds the vnode replacing
130 * the current vnode. We can't let more than one replacement occur
131 * at a time, so if more than one thread requests a replacement, only
132 * one can have the replacement "in progress" at any given moment. If
133 * a thread tries to replace the audit vnode and discovers a replacement
134 * is already in progress (i.e., audit_replacement_flag != 0), then it
135 * will sleep on audit_replacement_cv waiting its turn to perform a
136 * replacement. When a replacement is completed, this cv is signalled
137 * by the worker thread so a waiting thread can start another replacement.
138 * We also store a credential to perform audit log write operations with.
139 */
e5568f75
A		 140static int audit_replacement_event;
141#define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
55e303ae 142
e5568f75 143static int audit_replacement_flag;
55e303ae
A		 144static struct vnode *audit_replacement_vp;
145static struct ucred *audit_replacement_cred;
146
e5568f75
A		 147/*
148 * Wait queue for auditing threads that cannot commit the audit
149 * record at the present time. Also, the queue control parameter
150 * structure.
151 */
152static int audit_commit_event;
153#define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
154
155static struct au_qctrl audit_qctrl;
156
55e303ae
A		 157/*
158 * Flags to use on audit files when opening and closing.
159 */
160const static int audit_open_flags = FWRITE | O_APPEND;
161const static int audit_close_flags = FWRITE | O_APPEND;
162
e5568f75
A		 163/*
164 * Global audit statistiscs.
165 */
166static struct audit_fstat audit_fstat;
167
168/*
169 Preselection mask for non-attributable events.
170 */
171static struct au_mask audit_nae_mask;
172
173/*
174 * Flags related to Kernel->user-space communication.
175 */
176static int audit_file_rotate_wait;
177
178/*
179 * Flags controlling behavior in low storage situations.
180 * Should we panic if a write fails? Should we fail stop
181 * if we're out of disk space? Are we currently "failing
182 * stop" due to out of disk space?
183 */
184static int audit_panic_on_write_fail;
185static int audit_fail_stop;
186static int audit_in_failure;
187
188/*
189 * When in a fail-stop mode, threads will drop into this wait queue
190 * rather than perform auditable events. They won't ever get woken
191 * up.
192 */
193static int audit_failure_event;
194#define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
195
55e303ae
A		 196/*
197 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
198 * behavior.
199 */
200extern task_t kernel_task;
201
202static void
203audit_free(struct kaudit_record *ar)
204{
205 if (ar->k_ar.ar_arg_upath1 != NULL) {
e5568f75 206 kfree((vm_offset_t)ar->k_ar.ar_arg_upath1, MAXPATHLEN);
55e303ae
A		 207 }
208 if (ar->k_ar.ar_arg_upath2 != NULL) {
e5568f75 209 kfree((vm_offset_t)ar->k_ar.ar_arg_upath2, MAXPATHLEN);
55e303ae
A		 210 }
211 if (ar->k_ar.ar_arg_kpath1 != NULL) {
e5568f75 212 kfree((vm_offset_t)ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
55e303ae
A		 213 }
214 if (ar->k_ar.ar_arg_kpath2 != NULL) {
e5568f75 215 kfree((vm_offset_t)ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
55e303ae
A		 216 }
217 if (ar->k_ar.ar_arg_text != NULL) {
e5568f75 218 kfree((vm_offset_t)ar->k_ar.ar_arg_text, MAXPATHLEN);
55e303ae
A		 219 }
220 if (ar->k_udata != NULL) {
e5568f75 221 kfree((vm_offset_t)ar->k_udata, (vm_size_t)ar->k_ulen);
55e303ae 222 }
e5568f75 223 zfree(audit_zone, (vm_offset_t)ar);
55e303ae
A		 224}
225
226static int
227audit_write(struct vnode *vp, struct kaudit_record *ar, struct ucred *cred,
228 struct proc *p)
229{
e5568f75 230 struct statfs *mnt_stat = &vp->v_mount->mnt_stat;
55e303ae
A		 231 int ret;
232 struct au_record *bsm;
e5568f75
A		 233 struct vattr vattr;
234
235 mach_port_t audit_port;
236
237 /*
238 * First, gather statistics on the audit log file and file system
239 * so that we know how we're doing on space. In both cases,
240 * if we're unable to perform the operation, we drop the record
241 * and return. However, this is arguably an assertion failure.
242 */
243 ret = VFS_STATFS(vp->v_mount, mnt_stat, p);
244 if (ret)
245 goto out;
246
247 ret = VOP_GETATTR(vp, &vattr, cred, p);
248 if (ret)
249 goto out;
250
251 /* update the global stats struct */
252 audit_fstat.af_currsz = vattr.va_size;
253
254 /*
255 * Send a message to the audit daemon when disk space is getting
256 * low.
257 * XXX Need to decide what to do if the trigger to the audit daemon
258 * fails.
259 */
260 if(host_get_audit_control_port(host_priv_self(), &audit_port)
261 != KERN_SUCCESS)
262 printf("Cannot get audit control port\n");
263
264 if (audit_port != MACH_PORT_NULL) {
265 long temp;
266
267 /*
268 * If we fall below percent free blocks, then trigger the
269 * audit daemon to do something about it.
270 */
271 if (audit_qctrl.aq_minfree != 0) {
272 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
273 if (mnt_stat->f_bfree < temp) {
274 ret = audit_triggers(audit_port,
275 AUDIT_TRIGGER_LOW_SPACE);
276 if (ret != KERN_SUCCESS) {
277 printf(
278 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
279 /*
280 * XXX: What to do here? Disable auditing?
281 * panic?
282 */
283 }
284 }
285 }
286 /* Check if the current log file is full; if so, call for
287 * a log rotate. This is not an exact comparison; we may
288 * write some records over the limit. If that's not
289 * acceptable, then add a fudge factor here.
290 */
291 if ((audit_fstat.af_filesz != 0) &&
292 (audit_file_rotate_wait == 0) &&
293 (vattr.va_size >= audit_fstat.af_filesz)) {
294 audit_file_rotate_wait = 1;
295 ret = audit_triggers(audit_port,
296 AUDIT_TRIGGER_FILE_FULL);
297 if (ret != KERN_SUCCESS) {
298 printf(
299 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
300 /* XXX what to do here? */
301 }
302 }
303 }
304
305 /*
306 * If the estimated amount of audit data in the audit event queue
307 * (plus records allocated but not yet queued) has reached the
308 * amount of free space on the disk, then we need to go into an
309 * audit fail stop state, in which we do not permit the
310 * allocation/committing of any new audit records. We continue to
311 * process packets but don't allow any activities that might
312 * generate new records. In the future, we might want to detect
313 * when space is available again and allow operation to continue,
314 * but this behavior is sufficient to meet fail stop requirements
315 * in CAPP.
316 */
317 if (audit_fail_stop &&
318 (unsigned long)
319 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
320 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
321 printf(
322 "audit_worker: free space below size of audit queue, failing stop\n");
323 audit_in_failure = 1;
324 }
55e303ae
A		 325
326 /*
327 * If there is a user audit record attached to the kernel record,
328 * then write the user record.
329 */
330 /* XXX Need to decide a few things here: IF the user audit
331 * record is written, but the write of the kernel record fails,
332 * what to do? Should the kernel record come before or after the
333 * user record? For now, we write the user record first, and
334 * we ignore errors.
335 */
e5568f75
A		 336 if (ar->k_ar_commit & AR_COMMIT_USER) {
337 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
55e303ae 338 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p);
e5568f75
A		 339 if (ret)
340 goto out;
55e303ae
A		 341 }
342
343 /*
344 * Convert the internal kernel record to BSM format and write it
345 * out if everything's OK.
346 */
e5568f75
A		 347 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
348 ret = 0;
349 goto out;
350 }
351
55e303ae 352 ret = kaudit_to_bsm(ar, &bsm);
e5568f75
A		 353 if (ret == BSM_NOAUDIT) {
354 ret = 0;
355 goto out;
356 }
55e303ae 357
e5568f75
A		 358 /*
359 * XXX: We drop the record on BSM conversion failure, but really
360 * this is an assertion failure.
361 */
55e303ae
A		 362 if (ret == BSM_FAILURE) {
363 AUDIT_PRINTF(("BSM conversion failure\n"));
e5568f75
A		 364 ret = EINVAL;
365 goto out;
55e303ae
A		 366 }
367
368 /* XXX This function can be called with the kernel funnel held,
369 * which is not optimal. We should break the write functionality
370 * away from the BSM record generation and have the BSM generation
371 * done before this function is called. This function will then
372 * take the BSM record as a parameter.
373 */
374 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
375 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p));
376
377 kau_free(bsm);
378
e5568f75
A		 379out:
380 /*
381 * When we're done processing the current record, we have to
382 * check to see if we're in a failure mode, and if so, whether
383 * this was the last record left to be drained. If we're done
384 * draining, then we fsync the vnode and panic.
385 */
386 if (audit_in_failure &&
387 audit_q_len == 0 && audit_pre_q_len == 0) {
388 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, p);
389 (void)VOP_FSYNC(vp, cred, MNT_WAIT, p);
390 VOP_UNLOCK(vp, 0, p);
391 panic("Audit store overflow; record queue drained.");
392 }
393
55e303ae
A		 394 return (ret);
395}
396
397static void
398audit_worker()
399{
400 int do_replacement_signal, error, release_funnel;
401 TAILQ_HEAD(, kaudit_record) ar_worklist;
402 struct kaudit_record *ar, *ar_start, *ar_stop;
403 struct vnode *audit_vp, *old_vp;
e5568f75 404
55e303ae
A		 405 struct ucred *audit_cred, *old_cred;
406 struct proc *audit_p;
407
408 AUDIT_PRINTF(("audit_worker starting\n"));
409
410 TAILQ_INIT(&ar_worklist);
411 audit_cred = NULL;
412 audit_p = current_proc();
413 audit_vp = NULL;
414
415 /*
416 * XXX: Presumably we can assume Mach threads are started without
417 * holding the BSD kernel funnel?
418 */
419 thread_funnel_set(kernel_flock, FALSE);
420
421 mutex_lock(audit_mtx);
422 while (1) {
423 /*
424 * First priority: replace the audit log target if requested.
425 * As we actually close the vnode in the worker thread, we
426 * need to grab the funnel, which means releasing audit_mtx.
427 * In case another replacement was scheduled while the mutex
428 * we released, we loop.
429 *
430 * XXX It could well be we should drain existing records
431 * first to ensure that the timestamps and ordering
432 * are right.
433 */
434 do_replacement_signal = 0;
435 while (audit_replacement_flag != 0) {
436 old_cred = audit_cred;
437 old_vp = audit_vp;
438 audit_cred = audit_replacement_cred;
439 audit_vp = audit_replacement_vp;
440 audit_replacement_cred = NULL;
441 audit_replacement_vp = NULL;
442 audit_replacement_flag = 0;
443
444 audit_enabled = (audit_vp != NULL);
445
446 if (old_vp != NULL || audit_vp != NULL) {
447 mutex_unlock(audit_mtx);
448 thread_funnel_set(kernel_flock, TRUE);
449 release_funnel = 1;
450 } else
451 release_funnel = 0;
452 /*
453 * XXX: What to do about write failures here?
454 */
455 if (old_vp != NULL) {
456 AUDIT_PRINTF(("Closing old audit file\n"));
457 vn_close(old_vp, audit_close_flags, old_cred,
458 audit_p);
459 crfree(old_cred);
460 old_cred = NULL;
461 old_vp = NULL;
462 AUDIT_PRINTF(("Audit file closed\n"));
463 }
464 if (audit_vp != NULL) {
465 AUDIT_PRINTF(("Opening new audit file\n"));
466 }
467 if (release_funnel) {
468 thread_funnel_set(kernel_flock, FALSE);
469 mutex_lock(audit_mtx);
470 }
471 do_replacement_signal = 1;
472 }
473 /*
474 * Signal that replacement have occurred to wake up and
475 * start any other replacements started in parallel. We can
476 * continue about our business in the mean time. We
477 * broadcast so that both new replacements can be inserted,
478 * but also so that the source(s) of replacement can return
479 * successfully.
480 */
481 if (do_replacement_signal)
e5568f75
A		 482 wait_queue_wakeup_all(audit_wait_queue,
483 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
55e303ae
A		 484
485 /*
486 * Next, check to see if we have any records to drain into
487 * the vnode. If not, go back to waiting for an event.
488 */
489 if (TAILQ_EMPTY(&audit_q)) {
490 int ret;
491
492 AUDIT_PRINTF(("audit_worker waiting\n"));
e5568f75
A		 493 ret = wait_queue_assert_wait(audit_wait_queue,
494 AUDIT_WORKER_EVENT,
495 THREAD_UNINT);
55e303ae
A		 496 mutex_unlock(audit_mtx);
497
498 assert(ret == THREAD_WAITING);
499 ret = thread_block(THREAD_CONTINUE_NULL);
500 assert(ret == THREAD_AWAKENED);
501 AUDIT_PRINTF(("audit_worker woken up\n"));
502 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
503 audit_replacement_vp, audit_replacement_flag));
55e303ae
A		 504 mutex_lock(audit_mtx);
505 continue;
506 }
507
508 /*
509 * If we have records, but there's no active vnode to
510 * write to, drain the record queue. Generally, we
511 * prevent the unnecessary allocation of records
512 * elsewhere, but we need to allow for races between
513 * conditional allocation and queueing. Go back to
514 * waiting when we're done.
515 *
516 * XXX: We go out of our way to avoid calling audit_free()
517 * with the audit_mtx held, to avoid a lock order reversal
518 * as free() may grab the funnel. This will be fixed at
519 * some point.
520 */
521 if (audit_vp == NULL) {
522 while ((ar = TAILQ_FIRST(&audit_q))) {
523 TAILQ_REMOVE(&audit_q, ar, k_q);
e5568f75
A		 524 audit_q_len--;
525 if (audit_q_len <= audit_qctrl.aq_lowater)
526 wait_queue_wakeup_one(
527 audit_wait_queue,
528 AUDIT_COMMIT_EVENT,
529 THREAD_AWAKENED);
530
55e303ae
A		 531 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
532 }
533 mutex_unlock(audit_mtx);
534 while ((ar = TAILQ_FIRST(&ar_worklist))) {
535 TAILQ_REMOVE(&ar_worklist, ar, k_q);
536 audit_free(ar);
537 }
538 mutex_lock(audit_mtx);
539 continue;
540 }
541
542 /*
543 * We have both records to write, and an active vnode
544 * to write to. Dequeue a record, and start the write.
545 * Eventually, it might make sense to dequeue several
546 * records and perform our own clustering, if the lower
547 * layers aren't doing it automatically enough.
548 *
549 * XXX: We go out of our way to avoid calling audit_free()
550 * with the audit_mtx held, to avoid a lock order reversal
551 * as free() may grab the funnel. This will be fixed at
552 * some point.
553 */
554 while ((ar = TAILQ_FIRST(&audit_q))) {
555 TAILQ_REMOVE(&audit_q, ar, k_q);
e5568f75
A		 556 audit_q_len--;
557 if (audit_q_len <= audit_qctrl.aq_lowater) {
558 wait_queue_wakeup_one(audit_wait_queue,
559 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
560 }
561
55e303ae
A		 562 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
563 }
e5568f75 564
55e303ae
A		 565 mutex_unlock(audit_mtx);
566 release_funnel = 0;
567 while ((ar = TAILQ_FIRST(&ar_worklist))) {
568 TAILQ_REMOVE(&ar_worklist, ar, k_q);
569 if (audit_vp != NULL) {
570 /*
571 * XXX: What should happen if there's a write
572 * error here?
573 */
574 if (!release_funnel) {
575 thread_funnel_set(kernel_flock, TRUE);
576 release_funnel = 1;
577 }
578 VOP_LEASE(audit_vp, audit_p, audit_cred,
579 LEASE_WRITE);
580 error = audit_write(audit_vp, ar, audit_cred,
581 audit_p);
e5568f75
A		 582 if (error && audit_panic_on_write_fail)
583 panic("audit_worker: write error %d\n",
584 error);
585 else if (error)
55e303ae
A		 586 printf("audit_worker: write error %d\n",
587 error);
588 }
589 audit_free(ar);
590 }
591 if (release_funnel)
592 thread_funnel_set(kernel_flock, FALSE);
593 mutex_lock(audit_mtx);
594 }
595}
596
597void
598audit_init(void)
599{
600
601 /* Verify that the syscall to audit event table is the same
602 * size as the system call table.
603 */
604 if (nsys_au_event != nsysent) {
605 printf("Security auditing service initialization failed, ");
606 printf("audit event table doesn't match syscall table.\n");
607 return;
608 }
609
610 printf("Security auditing service present\n");
611 TAILQ_INIT(&audit_q);
e5568f75 612 audit_q_len = 0;
55e303ae
A		 613 audit_enabled = 0;
614 audit_suspended = 0;
615 audit_replacement_cred = NULL;
616 audit_replacement_flag = 0;
e5568f75 617 audit_file_rotate_wait = 0;
55e303ae 618 audit_replacement_vp = NULL;
e5568f75
A		 619 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
620 audit_fstat.af_currsz = 0;
621 audit_qctrl.aq_hiwater = AQ_HIWATER;
622 audit_qctrl.aq_lowater = AQ_LOWATER;
623 audit_qctrl.aq_bufsz = AQ_BUFSZ;
624 audit_qctrl.aq_minfree = AU_FS_MINFREE;
625
55e303ae
A		 626 audit_mtx = mutex_alloc(ETAP_NO_TRACE);
627 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
e5568f75
A		 628 audit_zone = zinit(sizeof(struct kaudit_record),
629 AQ_HIWATER*sizeof(struct kaudit_record),
630 8192,
631 "audit_zone");
55e303ae
A		 632
633 /* Initialize the BSM audit subsystem. */
634 kau_init();
635
636 kernel_thread(kernel_task, audit_worker);
637}
638
639static void
640audit_rotate_vnode(struct ucred *cred, struct vnode *vp)
641{
642 int ret;
643
644 /*
645 * If other parallel log replacements have been requested, we wait
646 * until they've finished before continuing.
647 */
648 mutex_lock(audit_mtx);
649 while (audit_replacement_flag != 0) {
650
651 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
652 "flag\n"));
e5568f75
A		 653 ret = wait_queue_assert_wait(audit_wait_queue,
654 AUDIT_REPLACEMENT_EVENT,
655 THREAD_UNINT);
55e303ae
A		 656 mutex_unlock(audit_mtx);
657
658 assert(ret == THREAD_WAITING);
659 ret = thread_block(THREAD_CONTINUE_NULL);
660 assert(ret == THREAD_AWAKENED);
661 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
662 audit_replacement_flag));
663
664 mutex_lock(audit_mtx);
665 }
666 audit_replacement_cred = cred;
667 audit_replacement_flag = 1;
668 audit_replacement_vp = vp;
669
670 /*
671 * Wake up the audit worker to perform the exchange once we
672 * release the mutex.
673 */
e5568f75 674 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
55e303ae
A		 675
676 /*
677 * Wait for the audit_worker to broadcast that a replacement has
678 * taken place; we know that once this has happened, our vnode
679 * has been replaced in, so we can return successfully.
680 */
681 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
682 "replacement\n"));
e5568f75
A		 683 ret = wait_queue_assert_wait(audit_wait_queue,
684 AUDIT_REPLACEMENT_EVENT,
685 THREAD_UNINT);
55e303ae
A		 686 mutex_unlock(audit_mtx);
687
688 assert(ret == THREAD_WAITING);
689 ret = thread_block(THREAD_CONTINUE_NULL);
690 assert(ret == THREAD_AWAKENED);
691 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
692 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
e5568f75
A		 693
694 audit_file_rotate_wait = 0; /* We can now request another rotation */
55e303ae
A		 695}
696
697/*
698 * Drain the audit queue and close the log at shutdown.
699 */
700void
701audit_shutdown(void)
702{
55e303ae
A		 703 audit_rotate_vnode(NULL, NULL);
704}
705
706static __inline__ struct uthread *
707curuthread(void)
708{
55e303ae
A		 709 return (get_bsdthread_info(current_act()));
710}
711
712static __inline__ struct kaudit_record *
713currecord(void)
714{
55e303ae
A		 715 return (curuthread()->uu_ar);
716}
717
718/**********************************
719 * Begin system calls. *
720 **********************************/
721/*
722 * System call to allow a user space application to submit a BSM audit
723 * record to the kernel for inclusion in the audit log. This function
724 * does little verification on the audit record that is submitted.
725 *
726 * XXXAUDIT: Audit preselection for user records does not currently
727 * work, since we pre-select only based on the AUE_audit event type,
728 * not the event type submitted as part of the user audit data.
729 */
730struct audit_args {
731 void * record;
732 int length;
733};
734/* ARGSUSED */
735int
736audit(struct proc *p, struct audit_args *uap, register_t *retval)
737{
738 register struct pcred *pc = p->p_cred;
739 int error;
740 void * rec;
741 struct kaudit_record *ar;
e5568f75 742 struct uthread *uthr;
55e303ae
A		 743
744 error = suser(pc->pc_ucred, &p->p_acflag);
745 if (error)
746 return (error);
747
e5568f75
A		 748 if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
749 return (EINVAL);
750
751 ar = currecord();
752
753 /* If there's no current audit record (audit() itself not audited)
754 * commit the user audit record.
755 */
756 if (ar == NULL) {
757 uthr = curuthread();
758 if (uthr == NULL) /* can this happen? */
759 return (ENOTSUP);
760
761 /* This is not very efficient; we're required to allocate
762 * a complete kernel audit record just so the user record
763 * can tag along.
764 */
765 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
766 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
767 return (ENOTSUP);
768 ar = uthr->uu_ar;
769 }
770
55e303ae
A		 771 if (uap->length > MAX_AUDIT_RECORD_SIZE)
772 return (EINVAL);
773
e5568f75 774 rec = (void *)kalloc((vm_size_t)uap->length);
55e303ae
A		 775
776 error = copyin(uap->record, rec, uap->length);
777 if (error)
778 goto free_out;
779
780 /* Verify the record */
781 if (bsm_rec_verify(rec) == 0) {
782 error = EINVAL;
783 goto free_out;
784 }
785
786 /* Attach the user audit record to the kernel audit record. Because
787 * this system call is an auditable event, we will write the user
788 * record along with the record for this audit event.
789 */
790 ar->k_udata = rec;
e5568f75 791 ar->k_ar_commit |= AR_COMMIT_USER;
55e303ae
A		 792 ar->k_ulen = uap->length;
793 return (0);
794
795free_out:
e5568f75
A		 796 /* audit_syscall_exit() will free the audit record on the thread
797 * even if we allocated it above.
798 */
799 kfree((vm_offset_t)rec, (vm_size_t)uap->length);
55e303ae
A		 800 return (error);
801}
802
803/*
804 * System call to manipulate auditing.
805 */
806struct auditon_args {
807 int cmd;
808 void * data;
809 int length;
810};
811/* ARGSUSED */
812int
813auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
814{
815 register struct pcred *pc = p->p_cred;
e5568f75
A		 816 int ret;
817 int len;
818 union auditon_udata udata;
819 struct proc *tp;
55e303ae 820
e5568f75
A		 821 AUDIT_ARG(cmd, uap->cmd);
822 ret = suser(pc->pc_ucred, &p->p_acflag);
823 if (ret)
824 return (ret);
55e303ae 825
e5568f75
A		 826 len = uap->length;
827 if ((len <= 0) || (len > sizeof(union auditon_udata)))
828 return (EINVAL);
55e303ae 829
e5568f75
A		 830 memset((void *)&udata, 0, sizeof(udata));
831
832 switch (uap->cmd) {
833 /* Some of the GET commands use the arguments too */
834 case A_SETPOLICY:
835 case A_SETKMASK:
836 case A_SETQCTRL:
837 case A_SETSTAT:
838 case A_SETUMASK:
839 case A_SETSMASK:
840 case A_SETCOND:
841 case A_SETCLASS:
842 case A_SETPMASK:
843 case A_SETFSIZE:
844 case A_SETKAUDIT:
845 case A_GETCLASS:
846 case A_GETPINFO:
847 case A_GETPINFO_ADDR:
848 ret = copyin(uap->data, (void *)&udata, uap->length);
849 if (ret)
850 return (ret);
851 AUDIT_ARG(auditon, &udata);
852 break;
853 }
854
855 /* XXX Need to implement these commands by accessing the global
856 * values associated with the commands.
857 */
858 switch (uap->cmd) {
859 case A_GETPOLICY:
860 if (!audit_fail_stop)
861 udata.au_policy |= AUDIT_CNT;
862 if (audit_panic_on_write_fail)
863 udata.au_policy |= AUDIT_AHLT;
864 break;
865 case A_SETPOLICY:
866 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
867 return (EINVAL);
868 /*
869 * XXX - Need to wake up waiters if the policy relaxes?
870 */
871 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
872 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
873 break;
874 case A_GETKMASK:
875 udata.au_mask = audit_nae_mask;
876 break;
877 case A_SETKMASK:
878 audit_nae_mask = udata.au_mask;
879 break;
880 case A_GETQCTRL:
881 udata.au_qctrl = audit_qctrl;
882 break;
883 case A_SETQCTRL:
884 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
885 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
886 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
887 (udata.au_qctrl.aq_minfree < 0) ||
888 (udata.au_qctrl.aq_minfree > 100))
889 return (EINVAL);
890
891 audit_qctrl = udata.au_qctrl;
892 /* XXX The queue delay value isn't used with the kernel. */
893 audit_qctrl.aq_delay = -1;
894 break;
895 case A_GETCWD:
896 return (ENOSYS);
897 break;
898 case A_GETCAR:
899 return (ENOSYS);
900 break;
901 case A_GETSTAT:
902 return (ENOSYS);
903 break;
904 case A_SETSTAT:
905 return (ENOSYS);
906 break;
907 case A_SETUMASK:
908 return (ENOSYS);
909 break;
910 case A_SETSMASK:
911 return (ENOSYS);
912 break;
913 case A_GETCOND:
914 if (audit_enabled && !audit_suspended)
915 udata.au_cond = AUC_AUDITING;
916 else
917 udata.au_cond = AUC_NOAUDIT;
918 break;
919 case A_SETCOND:
920 if (udata.au_cond == AUC_NOAUDIT)
921 audit_suspended = 1;
922 if (udata.au_cond == AUC_AUDITING)
923 audit_suspended = 0;
924 if (udata.au_cond == AUC_DISABLED) {
925 audit_suspended = 1;
926 audit_shutdown();
927 }
928 break;
929 case A_GETCLASS:
930 udata.au_evclass.ec_class =
931 au_event_class(udata.au_evclass.ec_number);
932 break;
933 case A_SETCLASS:
934 au_evclassmap_insert(udata.au_evclass.ec_number,
935 udata.au_evclass.ec_class);
936 break;
937 case A_GETPINFO:
938 if (udata.au_aupinfo.ap_pid < 1)
939 return (EINVAL);
940 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
941 return (EINVAL);
942
943 udata.au_aupinfo.ap_auid = tp->p_au->ai_auid;
944 udata.au_aupinfo.ap_mask.am_success =
945 tp->p_au->ai_mask.am_success;
946 udata.au_aupinfo.ap_mask.am_failure =
947 tp->p_au->ai_mask.am_failure;
948 udata.au_aupinfo.ap_termid.machine =
949 tp->p_au->ai_termid.machine;
950 udata.au_aupinfo.ap_termid.port =
951 tp->p_au->ai_termid.port;
952 udata.au_aupinfo.ap_asid = tp->p_au->ai_asid;
953 break;
954 case A_SETPMASK:
955 if (udata.au_aupinfo.ap_pid < 1)
956 return (EINVAL);
957 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
958 return (EINVAL);
959
960 tp->p_au->ai_mask.am_success =
961 udata.au_aupinfo.ap_mask.am_success;
962 tp->p_au->ai_mask.am_failure =
963 udata.au_aupinfo.ap_mask.am_failure;
964 break;
965 case A_SETFSIZE:
966 if ((udata.au_fstat.af_filesz != 0) &&
967 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
968 return (EINVAL);
969 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
970 break;
971 case A_GETFSIZE:
972 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
973 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
974 break;
975 case A_GETPINFO_ADDR:
976 return (ENOSYS);
977 break;
978 case A_GETKAUDIT:
979 return (ENOSYS);
980 break;
981 case A_SETKAUDIT:
982 return (ENOSYS);
983 break;
984 }
985 /* Copy data back to userspace for the GET comands */
986 switch (uap->cmd) {
987 case A_GETPOLICY:
988 case A_GETKMASK:
989 case A_GETQCTRL:
990 case A_GETCWD:
991 case A_GETCAR:
992 case A_GETSTAT:
993 case A_GETCOND:
994 case A_GETCLASS:
995 case A_GETPINFO:
996 case A_GETFSIZE:
997 case A_GETPINFO_ADDR:
998 case A_GETKAUDIT:
999 ret = copyout((void *)&udata, uap->data, uap->length);
1000 if (ret)
1001 return (ret);
1002 break;
1003 }
1004
1005 return (0);
55e303ae
A		 1006}
1007
1008/*
1009 * System calls to manage the user audit information.
1010 * XXXAUDIT May need to lock the proc structure.
1011 */
1012struct getauid_args {
1013 au_id_t *auid;
1014};
1015/* ARGSUSED */
1016int
1017getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
1018{
1019 register struct pcred *pc = p->p_cred;
1020 int error;
1021
1022 error = suser(pc->pc_ucred, &p->p_acflag);
1023 if (error)
1024 return (error);
1025
1026 error = copyout((void *)&p->p_au->ai_auid, (void *)uap->auid,
1027 sizeof(*uap->auid));
1028 if (error)
1029 return (error);
1030
1031 return (0);
1032}
1033
1034struct setauid_args {
1035 au_id_t *auid;
1036};
1037/* ARGSUSED */
1038int
1039setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
1040{
1041 register struct pcred *pc = p->p_cred;
1042 int error;
1043
1044 error = suser(pc->pc_ucred, &p->p_acflag);
1045 if (error)
1046 return (error);
1047
1048 error = copyin((void *)uap->auid, (void *)&p->p_au->ai_auid,
1049 sizeof(p->p_au->ai_auid));
1050 if (error)
1051 return (error);
1052
e5568f75
A		 1053 /* propagate the change from the process to Mach task */
1054 set_security_token(p);
1055
55e303ae
A		 1056 audit_arg_auid(p->p_au->ai_auid);
1057 return (0);
1058}
1059
1060/*
1061 * System calls to get and set process audit information.
1062 */
1063struct getaudit_args {
1064 struct auditinfo *auditinfo;
1065};
1066/* ARGSUSED */
1067int
1068getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
1069{
1070 register struct pcred *pc = p->p_cred;
1071 int error;
1072
1073 error = suser(pc->pc_ucred, &p->p_acflag);
1074 if (error)
1075 return (error);
1076 error = copyout((void *)p->p_au, (void *)uap->auditinfo,
1077 sizeof(*uap->auditinfo));
1078 if (error)
1079 return (error);
1080
1081 return (0);
1082}
1083
1084struct setaudit_args {
1085 struct auditinfo *auditinfo;
1086};
1087/* ARGSUSED */
1088int
1089setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
1090{
1091 register struct pcred *pc = p->p_cred;
1092 int error;
1093
1094 error = suser(pc->pc_ucred, &p->p_acflag);
1095 if (error)
1096 return (error);
1097 error = copyin((void *)uap->auditinfo, (void *)p->p_au,
1098 sizeof(*p->p_au));
1099 if (error)
1100 return (error);
1101
e5568f75
A		 1102 /* propagate the change from the process to Mach task */
1103 set_security_token(p);
1104
1105 audit_arg_auditinfo(p->p_au);
1106
55e303ae
A		 1107 return (0);
1108}
1109
1110struct getaudit_addr_args {
1111 struct auditinfo_addr *auditinfo_addr;
1112 int length;
1113};
1114/* ARGSUSED */
1115int
1116getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
1117{
1118 register struct pcred *pc = p->p_cred;
1119 int error;
1120
1121 error = suser(pc->pc_ucred, &p->p_acflag);
1122 if (error)
1123 return (error);
1124 return (ENOSYS);
1125}
1126
1127struct setaudit_addr_args {
1128 struct auditinfo_addr *auditinfo_addr;
1129 int length;
1130};
1131/* ARGSUSED */
1132int
1133setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
1134{
1135 register struct pcred *pc = p->p_cred;
1136 int error;
1137
1138 error = suser(pc->pc_ucred, &p->p_acflag);
1139 if (error)
1140 return (error);
1141 return (ENOSYS);
1142}
1143
1144/*
1145 * Syscall to manage audit files.
1146 *
55e303ae
A		 1147 */
1148struct auditctl_args {
1149 char *path;
1150};
1151/* ARGSUSED */
1152int
1153auditctl(struct proc *p, struct auditctl_args *uap)
1154{
1155 struct kaudit_record *ar;
1156 struct nameidata nd;
1157 struct ucred *cred;
1158 struct vnode *vp;
1159 int error, flags, ret;
1160
1161 error = suser(p->p_ucred, &p->p_acflag);
1162 if (error)
1163 return (error);
1164
1165 vp = NULL;
1166 cred = NULL;
1167
1168 /*
1169 * If a path is specified, open the replacement vnode, perform
1170 * validity checks, and grab another reference to the current
1171 * credential.
1172 */
1173 if (uap->path != NULL) {
e5568f75
A		 1174 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1175 UIO_USERSPACE, uap->path, p);
55e303ae
A		 1176 flags = audit_open_flags;
1177 error = vn_open(&nd, flags, 0);
1178 if (error)
1179 goto out;
1180 VOP_UNLOCK(nd.ni_vp, 0, p);
1181 vp = nd.ni_vp;
1182 if (vp->v_type != VREG) {
1183 vn_close(vp, audit_close_flags, p->p_ucred, p);
1184 error = EINVAL;
1185 goto out;
1186 }
1187 cred = p->p_ucred;
1188 crhold(cred);
e5568f75 1189 audit_suspended = 0;
55e303ae
A		 1190 }
1191
1192 audit_rotate_vnode(cred, vp);
1193out:
1194 return (error);
1195}
1196
1197/**********************************
1198 * End of system calls. *
1199 **********************************/
1200
1201/*
1202 * MPSAFE
1203 */
1204struct kaudit_record *
1205audit_new(int event, struct proc *p, struct uthread *uthread)
1206{
1207 struct kaudit_record *ar;
1208 int no_record;
1209
1210 /*
1211 * Eventually, there may be certain classes of events that
1212 * we will audit regardless of the audit state at the time
1213 * the record is created. These events will generally
1214 * correspond to changes in the audit state. The dummy
1215 * code below is from our first prototype, but may also
1216 * be used in the final version (with modified event numbers).
1217 */
1218#if 0
1219 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1220#endif
1221 mutex_lock(audit_mtx);
1222 no_record = (audit_suspended || !audit_enabled);
1223 mutex_unlock(audit_mtx);
1224 if (no_record)
1225 return (NULL);
1226#if 0
1227 }
1228#endif
1229
55e303ae
A		 1230 /*
1231 * Initialize the audit record header.
55e303ae 1232 * XXX: We may want to fail-stop if allocation fails.
e5568f75
A		 1233 * XXX: The number of outstanding uncommitted audit records is
1234 * limited by the number of concurrent threads servicing system
1235 * calls in the kernel.
55e303ae 1236 */
e5568f75
A		 1237
1238 ar = (struct kaudit_record *)zalloc(audit_zone);
55e303ae
A		 1239 if (ar == NULL)
1240 return NULL;
1241
e5568f75
A		 1242 mutex_lock(audit_mtx);
1243 audit_pre_q_len++;
1244 mutex_unlock(audit_mtx);
1245
55e303ae
A		 1246 bzero(ar, sizeof(*ar));
1247 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1248 ar->k_ar.ar_event = event;
1249 nanotime(&ar->k_ar.ar_starttime);
1250
1251 /* Export the subject credential. */
1252 cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred);
1253 ar->k_ar.ar_subj_ruid = p->p_cred->p_ruid;
1254 ar->k_ar.ar_subj_rgid = p->p_cred->p_rgid;
1255 ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0];
1256 ar->k_ar.ar_subj_auid = p->p_au->ai_auid;
e5568f75 1257 ar->k_ar.ar_subj_asid = p->p_au->ai_asid;
55e303ae 1258 ar->k_ar.ar_subj_pid = p->p_pid;
e5568f75
A		 1259 ar->k_ar.ar_subj_amask = p->p_au->ai_mask;
1260 ar->k_ar.ar_subj_term = p->p_au->ai_termid;
55e303ae 1261 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
55e303ae
A		 1262
1263 return (ar);
1264}
1265
1266/*
1267 * MPSAFE
1268 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1269 */
1270void
1271audit_abort(struct kaudit_record *ar)
1272{
1273
e5568f75
A		 1274 mutex_lock(audit_mtx);
1275 audit_pre_q_len--;
1276 mutex_unlock(audit_mtx);
55e303ae
A		 1277 audit_free(ar);
1278}
1279
1280/*
1281 * MPSAFE
1282 */
1283void
1284audit_commit(struct kaudit_record *ar, int error, int retval)
1285{
e5568f75
A		 1286 int ret;
1287 int sorf;
1288 struct au_mask *aumask;
55e303ae
A		 1289
1290 if (ar == NULL)
1291 return;
1292
e5568f75
A		 1293 /*
1294 * Decide whether to commit the audit record by checking the
1295 * error value from the system call and using the appropriate
1296 * audit mask.
1297 */
1298 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1299 aumask = &audit_nae_mask;
1300 else
1301 aumask = &ar->k_ar.ar_subj_amask;
1302
1303 if (error)
1304 sorf = AU_PRS_FAILURE;
1305 else
1306 sorf = AU_PRS_SUCCESS;
1307
1308 switch(ar->k_ar.ar_event) {
1309
1310 case AUE_OPEN_RWTC:
1311 /* The open syscall always writes a OPEN_RWTC event; limit the
1312 * to the proper type of event based on the flags and the error
1313 * value.
1314 */
1315 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1316 break;
1317
1318 case AUE_SYSCTL:
1319 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1320 break;
1321
1322 case AUE_AUDITON:
1323 /* Convert the auditon() command to an event */
1324 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1325 break;
1326 }
1327
1328 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1329 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1330
1331 if (ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL) == 0) {
1332 mutex_lock(audit_mtx);
1333 audit_pre_q_len--;
1334 mutex_unlock(audit_mtx);
1335 audit_free(ar);
1336 return;
1337 }
1338
55e303ae
A		 1339 ar->k_ar.ar_errno = error;
1340 ar->k_ar.ar_retval = retval;
1341
1342 /*
1343 * We might want to do some system-wide post-filtering
1344 * here at some point.
1345 */
1346
1347 /*
1348 * Timestamp system call end.
1349 */
1350 nanotime(&ar->k_ar.ar_endtime);
1351
55e303ae 1352 mutex_lock(audit_mtx);
e5568f75 1353
55e303ae
A		 1354 /*
1355 * Note: it could be that some records initiated while audit was
1356 * enabled should still be committed?
1357 */
1358 if (audit_suspended || !audit_enabled) {
e5568f75 1359 audit_pre_q_len--;
55e303ae
A		 1360 mutex_unlock(audit_mtx);
1361 audit_free(ar);
1362 return;
1363 }
e5568f75
A		 1364
1365 /*
1366 * Constrain the number of committed audit records based on
1367 * the configurable parameter.
1368 */
1369 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1370
1371 ret = wait_queue_assert_wait(audit_wait_queue,
1372 AUDIT_COMMIT_EVENT,
1373 THREAD_UNINT);
1374 mutex_unlock(audit_mtx);
1375
1376 assert(ret == THREAD_WAITING);
1377
1378 ret = thread_block(THREAD_CONTINUE_NULL);
1379 assert(ret == THREAD_AWAKENED);
1380 mutex_lock(audit_mtx);
1381 }
1382
55e303ae 1383 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
e5568f75
A		 1384 audit_q_len++;
1385 audit_pre_q_len--;
1386 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
55e303ae
A		 1387 mutex_unlock(audit_mtx);
1388}
1389
1390/*
1391 * Calls to set up and tear down audit structures associated with
1392 * each system call.
1393 */
1394void
1395audit_syscall_enter(unsigned short code, struct proc *proc,
1396 struct uthread *uthread)
1397{
1398 int audit_event;
e5568f75 1399 struct au_mask *aumask;
55e303ae
A		 1400
1401 audit_event = sys_au_event[code];
e5568f75
A		 1402 if (audit_event == AUE_NULL)
1403 return;
1404
1405 assert(uthread->uu_ar == NULL);
55e303ae 1406
e5568f75
A		 1407 /* Check which audit mask to use; either the kernel non-attributable
1408 * event mask or the process audit mask.
1409 */
1410 if (proc->p_au->ai_auid == AU_DEFAUDITID)
1411 aumask = &audit_nae_mask;
1412 else
1413 aumask = &proc->p_au->ai_mask;
1414
55e303ae 1415 /*
e5568f75
A		 1416 * Allocate an audit record, if preselection allows it, and store
1417 * in the BSD thread for later use.
55e303ae 1418 */
e5568f75
A		 1419 if (au_preselect(audit_event, aumask,
1420 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1421 /*
1422 * If we're out of space and need to suspend unprivileged
1423 * processes, do that here rather than trying to allocate
1424 * another audit record.
1425 */
1426 if (audit_in_failure &&
1427 suser(proc->p_ucred, &proc->p_acflag) != 0) {
1428 int ret;
1429
1430 ret = wait_queue_assert_wait(audit_wait_queue,
1431 AUDIT_FAILURE_EVENT, THREAD_UNINT);
1432 assert(ret == THREAD_WAITING);
1433 (void)thread_block(THREAD_CONTINUE_NULL);
1434 panic("audit_failing_stop: thread continued");
55e303ae 1435 }
e5568f75
A		 1436 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1437 } else
1438 uthread->uu_ar = NULL;
55e303ae
A		 1439}
1440
1441void
1442audit_syscall_exit(int error, struct proc *proc, struct uthread *uthread)
1443{
1444 int retval;
1445
1446 /*
1447 * Commit the audit record as desired; once we pass the record
1448 * into audit_commit(), the memory is owned by the audit
1449 * subsystem.
1450 * The return value from the system call is stored on the user
1451 * thread. If there was an error, the return value is set to -1,
1452 * imitating the behavior of the cerror routine.
1453 */
1454 if (error)
1455 retval = -1;
1456 else
1457 retval = uthread->uu_rval[0];
1458
1459 audit_commit(uthread->uu_ar, error, retval);
1460 if (uthread->uu_ar != NULL)
1461 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1462 uthread->uu_ar = NULL;
1463
1464}
1465
e5568f75
A		 1466/*
1467 * Calls to set up and tear down audit structures used during Mach
1468 * system calls.
1469 */
1470void
1471audit_mach_syscall_enter(unsigned short audit_event)
1472{
1473 struct uthread *uthread;
1474 struct proc *proc;
1475 struct au_mask *aumask;
1476
1477 if (audit_event == AUE_NULL)
1478 return;
1479
1480 uthread = curuthread();
1481 if (uthread == NULL)
1482 return;
1483
1484 proc = current_proc();
1485 if (proc == NULL)
1486 return;
1487
1488 assert(uthread->uu_ar == NULL);
1489
1490 /* Check which audit mask to use; either the kernel non-attributable
1491 * event mask or the process audit mask.
1492 */
1493 if (proc->p_au->ai_auid == AU_DEFAUDITID)
1494 aumask = &audit_nae_mask;
1495 else
1496 aumask = &proc->p_au->ai_mask;
1497
1498 /*
1499 * Allocate an audit record, if desired, and store in the BSD
1500 * thread for later use.
1501 */
1502 if (au_preselect(audit_event, aumask,
1503 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1504 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1505 } else {
1506 uthread->uu_ar = NULL;
1507 }
1508}
1509
1510void
1511audit_mach_syscall_exit(int retval, struct uthread *uthread)
1512{
1513 /* The error code from Mach system calls is the same as the
1514 * return value
1515 */
1516 /* XXX Is the above statement always true? */
1517 audit_commit(uthread->uu_ar, retval, retval);
1518 uthread->uu_ar = NULL;
1519
1520}
1521
55e303ae
A		 1522/*
1523 * Calls to manipulate elements of the audit record structure from system
1524 * call code. Macro wrappers will prevent this functions from being
1525 * entered if auditing is disabled, avoiding the function call cost. We
1526 * check the thread audit record pointer anyway, as the audit condition
1527 * could change, and pre-selection may not have allocated an audit
1528 * record for this event.
1529 */
1530void
e5568f75 1531audit_arg_addr(void * addr)
55e303ae
A		 1532{
1533 struct kaudit_record *ar;
1534
1535 ar = currecord();
1536 if (ar == NULL)
1537 return;
1538
e5568f75
A		 1539 ar->k_ar.ar_arg_addr = addr;
1540 ar->k_ar.ar_valid_arg |= ARG_ADDR;
55e303ae
A		 1541}
1542
1543void
e5568f75 1544audit_arg_len(int len)
55e303ae
A		 1545{
1546 struct kaudit_record *ar;
1547
1548 ar = currecord();
1549 if (ar == NULL)
1550 return;
1551
e5568f75
A		 1552 ar->k_ar.ar_arg_len = len;
1553 ar->k_ar.ar_valid_arg |= ARG_LEN;
55e303ae
A		 1554}
1555
1556void
1557audit_arg_fd(int fd)
1558{
1559 struct kaudit_record *ar;
1560
1561 ar = currecord();
1562 if (ar == NULL)
1563 return;
1564
1565 ar->k_ar.ar_arg_fd = fd;
1566 ar->k_ar.ar_valid_arg |= ARG_FD;
1567}
1568
1569void
1570audit_arg_fflags(int fflags)
1571{
1572 struct kaudit_record *ar;
1573
1574 ar = currecord();
1575 if (ar == NULL)
1576 return;
1577
1578 ar->k_ar.ar_arg_fflags = fflags;
1579 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1580}
1581
1582void
1583audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1584{
1585 struct kaudit_record *ar;
1586
1587 ar = currecord();
1588 if (ar == NULL)
1589 return;
1590
1591 ar->k_ar.ar_arg_gid = gid;
1592 ar->k_ar.ar_arg_egid = egid;
1593 ar->k_ar.ar_arg_rgid = rgid;
1594 ar->k_ar.ar_arg_sgid = sgid;
1595 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1596}
1597
1598void
1599audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1600{
1601 struct kaudit_record *ar;
1602
1603 ar = currecord();
1604 if (ar == NULL)
1605 return;
1606
1607 ar->k_ar.ar_arg_uid = uid;
1608 ar->k_ar.ar_arg_euid = euid;
1609 ar->k_ar.ar_arg_ruid = ruid;
1610 ar->k_ar.ar_arg_suid = suid;
1611 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1612}
1613
1614void
1615audit_arg_groupset(gid_t *gidset, u_int gidset_size)
1616{
1617 int i;
1618 struct kaudit_record *ar;
1619
1620 ar = currecord();
1621 if (ar == NULL)
1622 return;
1623
1624 for (i = 0; i < gidset_size; i++)
1625 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1626 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1627 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1628}
1629
1630void
1631audit_arg_login(char *login)
1632{
1633 struct kaudit_record *ar;
1634
1635 ar = currecord();
1636 if (ar == NULL)
1637 return;
1638
1639#if 0
1640 /*
1641 * XXX: Add strlcpy() to Darwin for improved safety.
1642 */
1643 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1644#else
1645 strcpy(ar->k_ar.ar_arg_login, login);
1646#endif
1647
1648 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1649}
1650
e5568f75
A		 1651void
1652audit_arg_ctlname(int *name, int namelen)
1653{
1654 struct kaudit_record *ar;
1655
1656 ar = currecord();
1657 if (ar == NULL)
1658 return;
1659
1660 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1661 ar->k_ar.ar_arg_len = namelen;
1662 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1663}
1664
55e303ae
A		 1665void
1666audit_arg_mask(int mask)
1667{
1668 struct kaudit_record *ar;
1669
1670 ar = currecord();
1671 if (ar == NULL)
1672 return;
1673
1674 ar->k_ar.ar_arg_mask = mask;
1675 ar->k_ar.ar_valid_arg |= ARG_MASK;
1676}
1677
1678void
1679audit_arg_mode(mode_t mode)
1680{
1681 struct kaudit_record *ar;
1682
1683 ar = currecord();
1684 if (ar == NULL)
1685 return;
1686
1687 ar->k_ar.ar_arg_mode = mode;
1688 ar->k_ar.ar_valid_arg |= ARG_MODE;
1689}
1690
1691void
1692audit_arg_dev(int dev)
1693{
1694 struct kaudit_record *ar;
1695
1696 ar = currecord();
1697 if (ar == NULL)
1698 return;
1699
1700 ar->k_ar.ar_arg_dev = dev;
1701 ar->k_ar.ar_valid_arg |= ARG_DEV;
1702}
1703
e5568f75
A		 1704void
1705audit_arg_value(long value)
1706{
1707 struct kaudit_record *ar;
1708
1709 ar = currecord();
1710 if (ar == NULL)
1711 return;
1712
1713 ar->k_ar.ar_arg_value = value;
1714 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1715}
1716
55e303ae
A		 1717void
1718audit_arg_owner(uid_t uid, gid_t gid)
1719{
1720 struct kaudit_record *ar;
1721
1722 ar = currecord();
1723 if (ar == NULL)
1724 return;
1725
1726 ar->k_ar.ar_arg_uid = uid;
1727 ar->k_ar.ar_arg_gid = gid;
1728 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1729}
1730
1731void
1732audit_arg_pid(pid_t pid)
1733{
1734 struct kaudit_record *ar;
e5568f75 1735 struct proc *p;
55e303ae
A		 1736
1737 ar = currecord();
1738 if (ar == NULL)
1739 return;
1740
1741 ar->k_ar.ar_arg_pid = pid;
1742 ar->k_ar.ar_valid_arg |= ARG_PID;
e5568f75
A		 1743
1744}
1745
1746void
1747audit_arg_process(struct proc *p)
1748{
1749 struct kaudit_record *ar;
1750
1751 ar = currecord();
1752 if ((ar == NULL) || (p == NULL))
1753 return;
1754
1755 /* XXX May need to lock the credentials structures */
1756 ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
1757 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1758 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
1759 ar->k_ar.ar_arg_ruid = p->p_cred->p_ruid;
1760 ar->k_ar.ar_arg_rgid = p->p_cred->p_rgid;
1761 ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
1762
1763 ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
1764
1765 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1766 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
55e303ae
A		 1767}
1768
1769void
1770audit_arg_signum(u_int signum)
1771{
1772 struct kaudit_record *ar;
1773
1774 ar = currecord();
1775 if (ar == NULL)
1776 return;
1777
1778 ar->k_ar.ar_arg_signum = signum;
1779 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1780}
1781
1782void
1783audit_arg_socket(int sodomain, int sotype, int soprotocol)
1784{
1785
1786 struct kaudit_record *ar;
1787
1788 ar = currecord();
1789 if (ar == NULL)
1790 return;
1791
e5568f75
A		 1792 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1793 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1794 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
55e303ae
A		 1795 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1796}
1797
1798void
1799audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1800{
1801 struct kaudit_record *ar;
1802
1803 ar = currecord();
1804 if (ar == NULL || p == NULL || so == NULL)
1805 return;
1806
1807 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1808 switch (so->sa_family) {
1809 case AF_INET:
1810 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1811 break;
1812 case AF_INET6:
1813 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1814 break;
1815 case AF_UNIX:
1816 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1817 ARG_UPATH1);
1818 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1819 break;
1820 }
1821}
1822
1823void
1824audit_arg_auid(uid_t auid)
1825{
1826 struct kaudit_record *ar;
1827
1828 ar = currecord();
1829 if (ar == NULL)
1830 return;
1831
1832 ar->k_ar.ar_arg_auid = auid;
1833 ar->k_ar.ar_valid_arg |= ARG_AUID;
1834}
1835
e5568f75
A		 1836void
1837audit_arg_auditinfo(struct auditinfo *au_info)
1838{
1839 struct kaudit_record *ar;
1840
1841 ar = currecord();
1842 if (ar == NULL)
1843 return;
1844
1845 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1846 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1847 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1848 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1849 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1850 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1851 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1852}
1853
55e303ae
A		 1854void
1855audit_arg_text(char *text)
1856{
1857 struct kaudit_record *ar;
1858
1859 ar = currecord();
1860 if (ar == NULL)
1861 return;
1862
1863 /* Invalidate the text string */
1864 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1865 if (text == NULL)
1866 return;
1867
1868 if (ar->k_ar.ar_arg_text == NULL) {
e5568f75 1869 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 1870 if (ar->k_ar.ar_arg_text == NULL)
1871 return;
1872 }
1873
e5568f75 1874 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
55e303ae
A		 1875 ar->k_ar.ar_valid_arg |= ARG_TEXT;
1876}
1877
1878void
1879audit_arg_cmd(int cmd)
1880{
1881 struct kaudit_record *ar;
1882
1883 ar = currecord();
1884 if (ar == NULL)
1885 return;
1886
1887 ar->k_ar.ar_arg_cmd = cmd;
1888 ar->k_ar.ar_valid_arg |= ARG_CMD;
1889}
1890
1891void
1892audit_arg_svipc_cmd(int cmd)
1893{
1894 struct kaudit_record *ar;
1895
1896 ar = currecord();
1897 if (ar == NULL)
1898 return;
1899
1900 ar->k_ar.ar_arg_svipc_cmd = cmd;
1901 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
1902}
1903
1904void
1905audit_arg_svipc_perm(struct ipc_perm *perm)
1906{
1907 struct kaudit_record *ar;
1908
1909 ar = currecord();
1910 if (ar == NULL)
1911 return;
1912
1913 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
1914 sizeof(ar->k_ar.ar_arg_svipc_perm));
1915 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
1916}
1917
1918void
1919audit_arg_svipc_id(int id)
1920{
1921 struct kaudit_record *ar;
1922
1923 ar = currecord();
1924 if (ar == NULL)
1925 return;
1926
1927 ar->k_ar.ar_arg_svipc_id = id;
1928 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
1929}
1930
1931void
1932audit_arg_svipc_addr(void * addr)
1933{
1934 struct kaudit_record *ar;
1935
1936 ar = currecord();
1937 if (ar == NULL)
1938 return;
1939
1940 ar->k_ar.ar_arg_svipc_addr = addr;
1941 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
1942}
1943
e5568f75
A		 1944void
1945audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
1946{
1947 struct kaudit_record *ar;
1948
1949 ar = currecord();
1950 if (ar == NULL)
1951 return;
1952
1953 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
1954 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
1955 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
1956 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
1957}
1958
1959void
1960audit_arg_auditon(union auditon_udata *udata)
1961{
1962 struct kaudit_record *ar;
1963
1964 ar = currecord();
1965 if (ar == NULL)
1966 return;
1967
1968 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
1969 sizeof(ar->k_ar.ar_arg_auditon));
1970 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
1971}
1972
1973/*
1974 * Audit information about a file, either the file's vnode info, or its
1975 * socket address info.
1976 */
1977void
1978audit_arg_file(struct proc *p, struct file *fp)
1979{
1980 struct kaudit_record *ar;
1981 struct socket *so;
1982 struct inpcb *pcb;
1983
1984 if (fp->f_type == DTYPE_VNODE) {
1985 audit_arg_vnpath((struct vnode *)fp->f_data, ARG_VNODE1);
1986 return;
1987 }
1988
1989 if (fp->f_type == DTYPE_SOCKET) {
1990 ar = currecord();
1991 if (ar == NULL)
1992 return;
1993 so = (struct socket *)fp->f_data;
1994 if (INP_CHECK_SOCKAF(so, PF_INET)) {
1995 if (so->so_pcb == NULL)
1996 return;
1997 ar->k_ar.ar_arg_sockinfo.so_type =
1998 so->so_type;
1999 ar->k_ar.ar_arg_sockinfo.so_domain =
2000 INP_SOCKAF(so);
2001 ar->k_ar.ar_arg_sockinfo.so_protocol =
2002 so->so_proto->pr_protocol;
2003 pcb = (struct inpcb *)so->so_pcb;
2004 ar->k_ar.ar_arg_sockinfo.so_raddr =
2005 pcb->inp_faddr.s_addr;
2006 ar->k_ar.ar_arg_sockinfo.so_laddr =
2007 pcb->inp_laddr.s_addr;
2008 ar->k_ar.ar_arg_sockinfo.so_rport =
2009 pcb->inp_fport;
2010 ar->k_ar.ar_arg_sockinfo.so_lport =
2011 pcb->inp_lport;
2012 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2013 }
2014 }
2015
2016}
2017
55e303ae
A		 2018/*
2019 * Initialize the audit information for the a process, presumably the first
e5568f75
A		 2020 * process in the system.
2021 * XXX It is not clear what the initial values should be for session ID,
2022 * terminal ID etc.
55e303ae
A		 2023 */
2024void
2025audit_proc_init(struct proc *p)
2026{
2027 MALLOC_ZONE(p->p_au, struct auditinfo *, sizeof(*p->p_au),
2028 M_SUBPROC, M_WAITOK);
2029
2030 bzero((void *)p->p_au, sizeof(*p->p_au));
e5568f75
A		 2031
2032 p->p_au->ai_auid = AU_DEFAUDITID;
55e303ae
A		 2033}
2034
2035/*
2036 * Copy the audit info from the parent process to the child process when
2037 * a fork takes place.
2038 * XXX Need to check for failure from the memory allocation, in here
2039 * as well as in any functions that use the process auditing info.
2040 */
2041void
2042audit_proc_fork(struct proc *parent, struct proc *child)
2043{
2044 /* Always set up the audit information pointer as this function
2045 * should only be called when the proc is new. If proc structures
2046 * are ever cached and reused, then this behavior will leak memory.
2047 */
2048 MALLOC_ZONE(child->p_au, struct auditinfo *, sizeof(*child->p_au),
2049 M_SUBPROC, M_WAITOK);
2050
2051 bcopy(parent->p_au, child->p_au, sizeof(*child->p_au));
2052}
2053
2054/*
2055 * Free the auditing structure for the process.
2056 */
2057void
2058audit_proc_free(struct proc *p)
2059{
2060 FREE_ZONE((void *)p->p_au, sizeof(*p->p_au), M_SUBPROC);
2061 p->p_au = NULL;
2062}
2063
2064/*
2065 * Store a path as given by the user process for auditing into the audit
2066 * record stored on the user thread. This function will allocate the memory to
2067 * store the path info if not already available. This memory will be
2068 * freed when the audit record is freed.
2069 */
2070void
2071audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2072{
2073 struct kaudit_record *ar;
2074 char **pathp;
2075
2076 if (p == NULL || upath == NULL)
2077 return; /* nothing to do! */
2078
2079 if (flags & (ARG_UPATH1 | ARG_UPATH2) == 0)
2080 return;
2081
2082 ar = currecord();
2083 if (ar == NULL) /* This will be the case for unaudited system calls */
2084 return;
2085
2086 if (flags & ARG_UPATH1) {
2087 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2088 pathp = &ar->k_ar.ar_arg_upath1;
2089 }
2090 else {
2091 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2092 pathp = &ar->k_ar.ar_arg_upath2;
2093 }
2094
2095 if (*pathp == NULL) {
e5568f75 2096 *pathp = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 2097 if (*pathp == NULL)
2098 return;
2099 }
2100
e5568f75
A		 2101 if (canon_path(p, upath, *pathp) == 0) {
2102 if (flags & ARG_UPATH1)
2103 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2104 else
2105 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
2106 } else {
2107 kfree((vm_offset_t)*pathp, MAXPATHLEN);
2108 *pathp = NULL;
2109 }
55e303ae
A		 2110}
2111
2112/*
2113 * Function to save the path and vnode attr information into the audit
2114 * record.
2115 *
2116 * It is assumed that the caller will hold any vnode locks necessary to
2117 * perform a VOP_GETATTR() on the passed vnode.
2118 *
2119 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2120 * always provides access to the generation number as we need that
2121 * to construct the BSM file ID.
2122 * XXX: We should accept the process argument from the caller, since
2123 * it's very likely they already have a reference.
2124 * XXX: Error handling in this function is poor.
2125 */
2126void
2127audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2128{
2129 struct kaudit_record *ar;
2130 struct vattr vattr;
2131 int error;
2132 int len;
2133 char **pathp;
2134 struct vnode_au_info *vnp;
2135 struct proc *p;
2136
2137 if (vp == NULL)
2138 return;
2139
2140 ar = currecord();
2141 if (ar == NULL) /* This will be the case for unaudited system calls */
2142 return;
2143
2144 if (flags & (ARG_VNODE1 | ARG_VNODE2) == 0)
2145 return;
2146
2147 p = current_proc();
2148
2149 if (flags & ARG_VNODE1) {
2150 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2151 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2152 pathp = &ar->k_ar.ar_arg_kpath1;
2153 vnp = &ar->k_ar.ar_arg_vnode1;
2154 }
2155 else {
2156 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2157 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2158 pathp = &ar->k_ar.ar_arg_kpath2;
2159 vnp = &ar->k_ar.ar_arg_vnode2;
2160 }
2161
2162 if (*pathp == NULL) {
e5568f75 2163 *pathp = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 2164 if (*pathp == NULL)
2165 return;
2166 }
2167
e5568f75
A		 2168 /*
2169 * If vn_getpath() succeeds, place it in a string buffer
2170 * attached to the audit record, and set a flag indicating
2171 * it is present.
2172 */
55e303ae 2173 len = MAXPATHLEN;
e5568f75
A		 2174 if (vn_getpath(vp, *pathp, &len) == 0) {
2175 if (flags & ARG_VNODE1)
2176 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2177 else
2178 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
2179 } else {
2180 kfree((vm_offset_t)*pathp, MAXPATHLEN);
2181 *pathp = NULL;
2182 }
55e303ae
A		 2183
2184 /*
2185 * XXX: We'd assert the vnode lock here, only Darwin doesn't
2186 * appear to have vnode locking assertions.
2187 */
2188 error = VOP_GETATTR(vp, &vattr, p->p_ucred, p);
2189 if (error) {
2190 /* XXX: How to handle this case? */
2191 return;
2192 }
2193
2194 vnp->vn_mode = vattr.va_mode;
2195 vnp->vn_uid = vattr.va_uid;
2196 vnp->vn_gid = vattr.va_gid;
2197 vnp->vn_dev = vattr.va_rdev;
2198 vnp->vn_fsid = vattr.va_fsid;
2199 vnp->vn_fileid = vattr.va_fileid;
2200 vnp->vn_gen = vattr.va_gen;
2201 if (flags & ARG_VNODE1)
2202 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2203 else
2204 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2205
2206}
2207
e5568f75
A		 2208void
2209audit_arg_mach_port1(mach_port_t port)
2210{
2211 struct kaudit_record *ar;
2212
2213 ar = currecord();
2214 if (ar == NULL)
2215 return;
2216
2217 ar->k_ar.ar_arg_mach_port1 = port;
2218 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2219}
2220
2221void
2222audit_arg_mach_port2(mach_port_t port)
2223{
2224 struct kaudit_record *ar;
2225
2226 ar = currecord();
2227 if (ar == NULL)
2228 return;
2229
2230 ar->k_ar.ar_arg_mach_port2 = port;
2231 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2232}
2233
2234/*
2235 * The close() system call uses it's own audit call to capture the
2236 * path/vnode information because those pieces are not easily obtained
2237 * within the system call itself.
2238 */
2239void
2240audit_sysclose(struct proc *p, int fd)
2241{
2242 struct file *fp;
2243
2244 audit_arg_fd(fd);
2245
2246 if (getvnode(p, fd, &fp) != 0)
2247 return;
2248
2249 audit_arg_vnpath((struct vnode *)fp->f_data, ARG_VNODE1);
2250
2251}
2252
55e303ae
A		 2253#else /* !AUDIT */
2254
2255void
2256audit_init(void)
2257{
2258
2259}
2260
2261void
2262audit_shutdown(void)
2263{
2264
2265}
2266
2267int
2268audit(struct proc *p, struct audit_args *uap, register_t *retval)
2269{
2270 return (ENOSYS);
2271}
2272
2273int
2274auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2275{
2276 return (ENOSYS);
2277}
2278
55e303ae
A		 2279int
2280getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2281{
2282 return (ENOSYS);
2283}
2284
2285int
2286setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2287{
2288 return (ENOSYS);
2289}
2290
2291int
2292getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2293{
2294 return (ENOSYS);
2295}
2296
2297int
2298setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2299{
2300 return (ENOSYS);
2301}
2302
2303int
2304getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2305{
2306 return (ENOSYS);
2307}
2308
2309int
2310setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2311{
2312 return (ENOSYS);
2313}
2314
2315int
2316auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2317{
2318 return (ENOSYS);
2319}
2320
2321void
2322audit_proc_init(struct proc *p)
2323{
2324
2325}
2326
2327void
2328audit_proc_fork(struct proc *parent, struct proc *child)
2329{
2330
2331}
2332
2333void
2334audit_proc_free(struct proc *p)
2335{
2336
2337}
2338
2339#endif /* AUDIT */
mirror of XNU