]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_audit.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-792.10.96.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
CommitLineData
55e303ae 1/*
91447636 2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
55e303ae
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
37839358
A		 5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
55e303ae
A		 14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
37839358
A		 16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
55e303ae
A		 20 * @APPLE_LICENSE_HEADER_END@
21 */
22#include <sys/param.h>
23#include <sys/fcntl.h>
24#include <sys/kernel.h>
25#include <sys/lock.h>
26#include <sys/namei.h>
91447636
A		 27#include <sys/proc_internal.h>
28#include <sys/kauth.h>
55e303ae
A		 29#include <sys/queue.h>
30#include <sys/systm.h>
31#include <sys/time.h>
32#include <sys/ucred.h>
33#include <sys/uio.h>
34#include <sys/unistd.h>
91447636
A		 35#include <sys/file_internal.h>
36#include <sys/vnode_internal.h>
55e303ae 37#include <sys/user.h>
55e303ae
A		 38#include <sys/syscall.h>
39#include <sys/malloc.h>
40#include <sys/un.h>
91447636
A		 41#include <sys/sysent.h>
42#include <sys/sysproto.h>
43#include <sys/vfs_context.h>
e5568f75 44#include <sys/domain.h>
91447636
A		 45#include <sys/protosw.h>
46#include <sys/socketvar.h>
e5568f75
A		 47
48#include <bsm/audit.h>
49#include <bsm/audit_kevents.h>
50#include <bsm/audit_klib.h>
51#include <bsm/audit_kernel.h>
52
91447636 53#include <mach/host_priv.h>
e5568f75 54#include <mach/host_special_ports.h>
91447636 55#include <mach/audit_triggers_server.h>
55e303ae 56
91447636
A		 57#include <kern/host.h>
58#include <kern/kalloc.h>
59#include <kern/zalloc.h>
55e303ae
A		 60#include <kern/lock.h>
61#include <kern/wait_queue.h>
91447636
A		 62#include <kern/sched_prim.h>
63
64#include <net/route.h>
e5568f75 65
91447636
A		 66#include <netinet/in.h>
67#include <netinet/in_pcb.h>
55e303ae
A		 68
69#ifdef AUDIT
70
71/*
72 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
73 * gratuitously noisy printf's to the console. Due to the
74 * volume, it should be left off unless you want your system
75 * to churn a lot whenever the audit record flow gets high.
76 */
77/* #define AUDIT_EXCESSIVELY_VERBOSE */
78#ifdef AUDIT_EXCESSIVELY_VERBOSE
91447636 79#define AUDIT_PRINTF_ONLY
55e303ae
A		 80#define AUDIT_PRINTF(x) printf x
81#else
91447636 82#define AUDIT_PRINTF_ONLY __unused
55e303ae
A		 83#define AUDIT_PRINTF(X)
84#endif
85
86#if DIAGNOSTIC
87#if defined(assert)
88#undef assert()
89#endif
90#define assert(cond) \
91 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
92#else
93#include <kern/assert.h>
94#endif /* DIAGNOSTIC */
95
96/*
97 * Define the audit control flags.
98 */
99int audit_enabled;
100int audit_suspended;
101
102/*
103 * Mutex to protect global variables shared between various threads and
104 * processes.
105 */
106static mutex_t *audit_mtx;
107
108/*
109 * Queue of audit records ready for delivery to disk. We insert new
e5568f75
A		 110 * records at the tail, and remove records from the head. Also,
111 * a count of the number of records used for checking queue depth.
112 * In addition, a counter of records that we have allocated but are
113 * not yet in the queue, which is needed to estimate the total
114 * size of the combined set of records outstanding in the system.
55e303ae 115 */
91447636
A		 116static TAILQ_HEAD(, kaudit_record) audit_q;
117static size_t audit_q_len;
118static size_t audit_pre_q_len;
e5568f75
A		 119
120static wait_queue_t audit_wait_queue;
121static zone_t audit_zone;
55e303ae
A		 122
123/*
124 * Condition variable to signal to the worker that it has work to do:
125 * either new records are in the queue, or a log replacement is taking
126 * place.
127 */
e5568f75
A		 128static int audit_worker_event;
129#define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
55e303ae 130
91447636
A		 131/*
132 * The audit worker thread (which is lazy started when we first
133 * rotate the audit log.
134 */
135static thread_t audit_worker_thread = THREAD_NULL;
136
55e303ae
A		 137/*
138 * When an audit log is rotated, the actual rotation must be performed
139 * by the audit worker thread, as it may have outstanding writes on the
140 * current audit log. audit_replacement_vp holds the vnode replacing
141 * the current vnode. We can't let more than one replacement occur
142 * at a time, so if more than one thread requests a replacement, only
143 * one can have the replacement "in progress" at any given moment. If
144 * a thread tries to replace the audit vnode and discovers a replacement
145 * is already in progress (i.e., audit_replacement_flag != 0), then it
146 * will sleep on audit_replacement_cv waiting its turn to perform a
147 * replacement. When a replacement is completed, this cv is signalled
148 * by the worker thread so a waiting thread can start another replacement.
149 * We also store a credential to perform audit log write operations with.
150 */
e5568f75
A		 151static int audit_replacement_event;
152#define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
55e303ae 153
91447636 154static int audit_replacement_flag;
55e303ae 155static struct vnode *audit_replacement_vp;
91447636 156static kauth_cred_t audit_replacement_cred;
55e303ae 157
e5568f75
A		 158/*
159 * Wait queue for auditing threads that cannot commit the audit
160 * record at the present time. Also, the queue control parameter
161 * structure.
162 */
163static int audit_commit_event;
164#define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
165
166static struct au_qctrl audit_qctrl;
167
55e303ae
A		 168/*
169 * Flags to use on audit files when opening and closing.
170 */
91447636
A		 171static const int audit_open_flags = FWRITE | O_APPEND;
172static const int audit_close_flags = FWRITE | O_APPEND;
55e303ae 173
e5568f75
A		 174/*
175 * Global audit statistiscs.
176 */
177static struct audit_fstat audit_fstat;
178
179/*
180 Preselection mask for non-attributable events.
181 */
182static struct au_mask audit_nae_mask;
183
184/*
185 * Flags related to Kernel->user-space communication.
186 */
187static int audit_file_rotate_wait;
188
189/*
190 * Flags controlling behavior in low storage situations.
191 * Should we panic if a write fails? Should we fail stop
192 * if we're out of disk space? Are we currently "failing
193 * stop" due to out of disk space?
194 */
195static int audit_panic_on_write_fail;
196static int audit_fail_stop;
197static int audit_in_failure;
198
199/*
200 * When in a fail-stop mode, threads will drop into this wait queue
201 * rather than perform auditable events. They won't ever get woken
202 * up.
203 */
204static int audit_failure_event;
205#define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
206
55e303ae
A		 207/*
208 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
209 * behavior.
210 */
211extern task_t kernel_task;
212
213static void
214audit_free(struct kaudit_record *ar)
215{
216 if (ar->k_ar.ar_arg_upath1 != NULL) {
91447636 217 kfree(ar->k_ar.ar_arg_upath1, MAXPATHLEN);
55e303ae
A		 218 }
219 if (ar->k_ar.ar_arg_upath2 != NULL) {
91447636
A		 220 kfree(ar->k_ar.ar_arg_upath2, MAXPATHLEN);
221
55e303ae
A		 222 }
223 if (ar->k_ar.ar_arg_kpath1 != NULL) {
91447636
A		 224 kfree(ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
225
55e303ae
A		 226 }
227 if (ar->k_ar.ar_arg_kpath2 != NULL) {
91447636
A		 228 kfree(ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
229
55e303ae
A		 230 }
231 if (ar->k_ar.ar_arg_text != NULL) {
91447636
A		 232 kfree(ar->k_ar.ar_arg_text, MAXPATHLEN);
233
55e303ae
A		 234 }
235 if (ar->k_udata != NULL) {
91447636
A		 236 kfree(ar->k_udata, ar->k_ulen);
237
55e303ae 238 }
91447636 239 zfree(audit_zone, ar);
55e303ae
A		 240}
241
242static int
91447636 243audit_write(struct vnode *vp, struct kaudit_record *ar, kauth_cred_t cred,
55e303ae
A		 244 struct proc *p)
245{
91447636 246 struct vfsstatfs *mnt_stat = &vp->v_mount->mnt_vfsstat;
55e303ae
A		 247 int ret;
248 struct au_record *bsm;
91447636
A		 249 /* KVV maybe we should take a context as a param to audit_write? */
250 struct vfs_context context;
251 off_t file_size;
e5568f75
A		 252
253 mach_port_t audit_port;
254
91447636 255 /*
e5568f75
A		 256 * First, gather statistics on the audit log file and file system
257 * so that we know how we're doing on space. In both cases,
258 * if we're unable to perform the operation, we drop the record
259 * and return. However, this is arguably an assertion failure.
260 */
91447636
A		 261 context.vc_proc = p;
262 context.vc_ucred = cred;
263 ret = vfs_update_vfsstat(vp->v_mount, &context);
e5568f75
A		 264 if (ret)
265 goto out;
266
267 /* update the global stats struct */
91447636
A		 268 if ((ret = vnode_size(vp, &file_size, &context)) != 0)
269 goto out;
270 audit_fstat.af_currsz = file_size;
271
e5568f75
A		 272 /*
273 * Send a message to the audit daemon when disk space is getting
274 * low.
275 * XXX Need to decide what to do if the trigger to the audit daemon
276 * fails.
277 */
278 if(host_get_audit_control_port(host_priv_self(), &audit_port)
279 != KERN_SUCCESS)
280 printf("Cannot get audit control port\n");
281
282 if (audit_port != MACH_PORT_NULL) {
91447636 283 uint64_t temp;
e5568f75
A		 284
285 /*
286 * If we fall below percent free blocks, then trigger the
287 * audit daemon to do something about it.
288 */
289 if (audit_qctrl.aq_minfree != 0) {
290 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
291 if (mnt_stat->f_bfree < temp) {
292 ret = audit_triggers(audit_port,
293 AUDIT_TRIGGER_LOW_SPACE);
294 if (ret != KERN_SUCCESS) {
295 printf(
296 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
297 /*
298 * XXX: What to do here? Disable auditing?
299 * panic?
300 */
301 }
302 }
303 }
304 /* Check if the current log file is full; if so, call for
305 * a log rotate. This is not an exact comparison; we may
306 * write some records over the limit. If that's not
307 * acceptable, then add a fudge factor here.
308 */
309 if ((audit_fstat.af_filesz != 0) &&
310 (audit_file_rotate_wait == 0) &&
91447636 311 (file_size >= audit_fstat.af_filesz)) {
e5568f75
A		 312 audit_file_rotate_wait = 1;
313 ret = audit_triggers(audit_port,
314 AUDIT_TRIGGER_FILE_FULL);
315 if (ret != KERN_SUCCESS) {
316 printf(
317 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
318 /* XXX what to do here? */
319 }
320 }
321 }
322
323 /*
324 * If the estimated amount of audit data in the audit event queue
325 * (plus records allocated but not yet queued) has reached the
326 * amount of free space on the disk, then we need to go into an
327 * audit fail stop state, in which we do not permit the
328 * allocation/committing of any new audit records. We continue to
329 * process packets but don't allow any activities that might
330 * generate new records. In the future, we might want to detect
331 * when space is available again and allow operation to continue,
332 * but this behavior is sufficient to meet fail stop requirements
333 * in CAPP.
334 */
335 if (audit_fail_stop &&
336 (unsigned long)
337 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
338 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
339 printf(
340 "audit_worker: free space below size of audit queue, failing stop\n");
341 audit_in_failure = 1;
342 }
55e303ae
A		 343
344 /*
345 * If there is a user audit record attached to the kernel record,
346 * then write the user record.
347 */
348 /* XXX Need to decide a few things here: IF the user audit
349 * record is written, but the write of the kernel record fails,
350 * what to do? Should the kernel record come before or after the
351 * user record? For now, we write the user record first, and
352 * we ignore errors.
353 */
e5568f75 354 if (ar->k_ar_commit & AR_COMMIT_USER) {
91447636
A		 355 if (vnode_getwithref(vp) == 0) {
356 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
357 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p);
358 vnode_put(vp);
359 if (ret)
360 goto out;
361 } else {
e5568f75 362 goto out;
91447636 363 }
55e303ae
A		 364 }
365
366 /*
367 * Convert the internal kernel record to BSM format and write it
368 * out if everything's OK.
369 */
e5568f75
A		 370 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
371 ret = 0;
372 goto out;
373 }
374
55e303ae 375 ret = kaudit_to_bsm(ar, &bsm);
e5568f75
A		 376 if (ret == BSM_NOAUDIT) {
377 ret = 0;
378 goto out;
379 }
55e303ae 380
e5568f75
A		 381 /*
382 * XXX: We drop the record on BSM conversion failure, but really
383 * this is an assertion failure.
384 */
55e303ae
A		 385 if (ret == BSM_FAILURE) {
386 AUDIT_PRINTF(("BSM conversion failure\n"));
e5568f75
A		 387 ret = EINVAL;
388 goto out;
55e303ae
A		 389 }
390
391 /* XXX This function can be called with the kernel funnel held,
392 * which is not optimal. We should break the write functionality
393 * away from the BSM record generation and have the BSM generation
394 * done before this function is called. This function will then
395 * take the BSM record as a parameter.
396 */
91447636
A		 397 if ((ret = vnode_getwithref(vp)) == 0) {
398 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
399 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p));
400 vnode_put(vp);
401 }
55e303ae
A		 402 kau_free(bsm);
403
e5568f75
A		 404out:
405 /*
406 * When we're done processing the current record, we have to
407 * check to see if we're in a failure mode, and if so, whether
408 * this was the last record left to be drained. If we're done
409 * draining, then we fsync the vnode and panic.
410 */
411 if (audit_in_failure &&
412 audit_q_len == 0 && audit_pre_q_len == 0) {
91447636 413 (void)VNOP_FSYNC(vp, MNT_WAIT, &context);
e5568f75
A		 414 panic("Audit store overflow; record queue drained.");
415 }
416
55e303ae
A		 417 return (ret);
418}
419
420static void
91447636 421audit_worker(void)
55e303ae
A		 422{
423 int do_replacement_signal, error, release_funnel;
424 TAILQ_HEAD(, kaudit_record) ar_worklist;
91447636 425 struct kaudit_record *ar;
55e303ae 426 struct vnode *audit_vp, *old_vp;
91447636
A		 427 kauth_cred_t audit_cred;
428 kauth_cred_t old_cred;
55e303ae
A		 429 struct proc *audit_p;
430
431 AUDIT_PRINTF(("audit_worker starting\n"));
432
433 TAILQ_INIT(&ar_worklist);
434 audit_cred = NULL;
435 audit_p = current_proc();
436 audit_vp = NULL;
437
438 /*
439 * XXX: Presumably we can assume Mach threads are started without
440 * holding the BSD kernel funnel?
441 */
442 thread_funnel_set(kernel_flock, FALSE);
443
444 mutex_lock(audit_mtx);
445 while (1) {
446 /*
447 * First priority: replace the audit log target if requested.
448 * As we actually close the vnode in the worker thread, we
449 * need to grab the funnel, which means releasing audit_mtx.
450 * In case another replacement was scheduled while the mutex
451 * we released, we loop.
452 *
453 * XXX It could well be we should drain existing records
454 * first to ensure that the timestamps and ordering
455 * are right.
456 */
457 do_replacement_signal = 0;
458 while (audit_replacement_flag != 0) {
459 old_cred = audit_cred;
460 old_vp = audit_vp;
461 audit_cred = audit_replacement_cred;
462 audit_vp = audit_replacement_vp;
463 audit_replacement_cred = NULL;
464 audit_replacement_vp = NULL;
465 audit_replacement_flag = 0;
466
467 audit_enabled = (audit_vp != NULL);
468
469 if (old_vp != NULL || audit_vp != NULL) {
470 mutex_unlock(audit_mtx);
471 thread_funnel_set(kernel_flock, TRUE);
472 release_funnel = 1;
473 } else
474 release_funnel = 0;
475 /*
476 * XXX: What to do about write failures here?
477 */
478 if (old_vp != NULL) {
479 AUDIT_PRINTF(("Closing old audit file\n"));
480 vn_close(old_vp, audit_close_flags, old_cred,
481 audit_p);
91447636
A		 482 kauth_cred_rele(old_cred);
483 old_cred = NOCRED;
55e303ae
A		 484 old_vp = NULL;
485 AUDIT_PRINTF(("Audit file closed\n"));
486 }
487 if (audit_vp != NULL) {
488 AUDIT_PRINTF(("Opening new audit file\n"));
489 }
490 if (release_funnel) {
491 thread_funnel_set(kernel_flock, FALSE);
492 mutex_lock(audit_mtx);
493 }
494 do_replacement_signal = 1;
495 }
496 /*
497 * Signal that replacement have occurred to wake up and
498 * start any other replacements started in parallel. We can
499 * continue about our business in the mean time. We
500 * broadcast so that both new replacements can be inserted,
501 * but also so that the source(s) of replacement can return
502 * successfully.
503 */
504 if (do_replacement_signal)
e5568f75
A		 505 wait_queue_wakeup_all(audit_wait_queue,
506 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
55e303ae
A		 507
508 /*
509 * Next, check to see if we have any records to drain into
510 * the vnode. If not, go back to waiting for an event.
511 */
512 if (TAILQ_EMPTY(&audit_q)) {
513 int ret;
514
515 AUDIT_PRINTF(("audit_worker waiting\n"));
e5568f75
A		 516 ret = wait_queue_assert_wait(audit_wait_queue,
517 AUDIT_WORKER_EVENT,
91447636
A		 518 THREAD_UNINT,
519 0);
55e303ae
A		 520 mutex_unlock(audit_mtx);
521
522 assert(ret == THREAD_WAITING);
523 ret = thread_block(THREAD_CONTINUE_NULL);
524 assert(ret == THREAD_AWAKENED);
525 AUDIT_PRINTF(("audit_worker woken up\n"));
526 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
527 audit_replacement_vp, audit_replacement_flag));
91447636 528
55e303ae
A		 529 mutex_lock(audit_mtx);
530 continue;
531 }
532
533 /*
534 * If we have records, but there's no active vnode to
535 * write to, drain the record queue. Generally, we
536 * prevent the unnecessary allocation of records
537 * elsewhere, but we need to allow for races between
538 * conditional allocation and queueing. Go back to
539 * waiting when we're done.
540 *
541 * XXX: We go out of our way to avoid calling audit_free()
542 * with the audit_mtx held, to avoid a lock order reversal
543 * as free() may grab the funnel. This will be fixed at
544 * some point.
545 */
546 if (audit_vp == NULL) {
547 while ((ar = TAILQ_FIRST(&audit_q))) {
548 TAILQ_REMOVE(&audit_q, ar, k_q);
e5568f75
A		 549 audit_q_len--;
550 if (audit_q_len <= audit_qctrl.aq_lowater)
551 wait_queue_wakeup_one(
552 audit_wait_queue,
553 AUDIT_COMMIT_EVENT,
554 THREAD_AWAKENED);
555
55e303ae
A		 556 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
557 }
558 mutex_unlock(audit_mtx);
559 while ((ar = TAILQ_FIRST(&ar_worklist))) {
560 TAILQ_REMOVE(&ar_worklist, ar, k_q);
561 audit_free(ar);
562 }
563 mutex_lock(audit_mtx);
564 continue;
565 }
566
567 /*
568 * We have both records to write, and an active vnode
569 * to write to. Dequeue a record, and start the write.
570 * Eventually, it might make sense to dequeue several
571 * records and perform our own clustering, if the lower
572 * layers aren't doing it automatically enough.
573 *
574 * XXX: We go out of our way to avoid calling audit_free()
575 * with the audit_mtx held, to avoid a lock order reversal
576 * as free() may grab the funnel. This will be fixed at
577 * some point.
578 */
579 while ((ar = TAILQ_FIRST(&audit_q))) {
580 TAILQ_REMOVE(&audit_q, ar, k_q);
e5568f75
A		 581 audit_q_len--;
582 if (audit_q_len <= audit_qctrl.aq_lowater) {
583 wait_queue_wakeup_one(audit_wait_queue,
584 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
585 }
586
55e303ae
A		 587 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
588 }
589 mutex_unlock(audit_mtx);
590 release_funnel = 0;
591 while ((ar = TAILQ_FIRST(&ar_worklist))) {
592 TAILQ_REMOVE(&ar_worklist, ar, k_q);
593 if (audit_vp != NULL) {
594 /*
595 * XXX: What should happen if there's a write
596 * error here?
597 */
598 if (!release_funnel) {
599 thread_funnel_set(kernel_flock, TRUE);
600 release_funnel = 1;
601 }
55e303ae
A		 602 error = audit_write(audit_vp, ar, audit_cred,
603 audit_p);
91447636 604 if (error && audit_panic_on_write_fail) {
e5568f75
A		 605 panic("audit_worker: write error %d\n",
606 error);
91447636 607 } else if (error) {
55e303ae
A		 608 printf("audit_worker: write error %d\n",
609 error);
610 }
91447636 611 }
55e303ae
A		 612 audit_free(ar);
613 }
614 if (release_funnel)
615 thread_funnel_set(kernel_flock, FALSE);
616 mutex_lock(audit_mtx);
617 }
618}
619
620void
621audit_init(void)
622{
623
624 /* Verify that the syscall to audit event table is the same
625 * size as the system call table.
626 */
627 if (nsys_au_event != nsysent) {
628 printf("Security auditing service initialization failed, ");
629 printf("audit event table doesn't match syscall table.\n");
630 return;
631 }
632
633 printf("Security auditing service present\n");
634 TAILQ_INIT(&audit_q);
e5568f75 635 audit_q_len = 0;
55e303ae
A		 636 audit_enabled = 0;
637 audit_suspended = 0;
638 audit_replacement_cred = NULL;
639 audit_replacement_flag = 0;
e5568f75 640 audit_file_rotate_wait = 0;
55e303ae 641 audit_replacement_vp = NULL;
e5568f75
A		 642 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
643 audit_fstat.af_currsz = 0;
644 audit_qctrl.aq_hiwater = AQ_HIWATER;
645 audit_qctrl.aq_lowater = AQ_LOWATER;
646 audit_qctrl.aq_bufsz = AQ_BUFSZ;
647 audit_qctrl.aq_minfree = AU_FS_MINFREE;
648
91447636 649 audit_mtx = mutex_alloc(0);
55e303ae 650 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
e5568f75
A		 651 audit_zone = zinit(sizeof(struct kaudit_record),
652 AQ_HIWATER*sizeof(struct kaudit_record),
653 8192,
654 "audit_zone");
55e303ae
A		 655
656 /* Initialize the BSM audit subsystem. */
657 kau_init();
55e303ae
A		 658}
659
660static void
91447636 661audit_rotate_vnode(kauth_cred_t cred, struct vnode *vp)
55e303ae
A		 662{
663 int ret;
664
665 /*
666 * If other parallel log replacements have been requested, we wait
667 * until they've finished before continuing.
668 */
669 mutex_lock(audit_mtx);
670 while (audit_replacement_flag != 0) {
671
672 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
673 "flag\n"));
e5568f75
A		 674 ret = wait_queue_assert_wait(audit_wait_queue,
675 AUDIT_REPLACEMENT_EVENT,
91447636
A		 676 THREAD_UNINT,
677 0);
55e303ae
A		 678 mutex_unlock(audit_mtx);
679
680 assert(ret == THREAD_WAITING);
681 ret = thread_block(THREAD_CONTINUE_NULL);
682 assert(ret == THREAD_AWAKENED);
683 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
684 audit_replacement_flag));
685
686 mutex_lock(audit_mtx);
687 }
688 audit_replacement_cred = cred;
689 audit_replacement_flag = 1;
690 audit_replacement_vp = vp;
691
692 /*
91447636
A		 693 * Start or wake up the audit worker to perform the exchange.
694 * It will have to wait until we release the mutex.
55e303ae 695 */
91447636
A		 696 if (audit_worker_thread == THREAD_NULL)
697 audit_worker_thread = kernel_thread(kernel_task,
698 audit_worker);
699 else
700 wait_queue_wakeup_one(audit_wait_queue,
701 AUDIT_WORKER_EVENT,
702 THREAD_AWAKENED);
55e303ae
A		 703
704 /*
705 * Wait for the audit_worker to broadcast that a replacement has
706 * taken place; we know that once this has happened, our vnode
707 * has been replaced in, so we can return successfully.
708 */
709 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
710 "replacement\n"));
e5568f75
A		 711 ret = wait_queue_assert_wait(audit_wait_queue,
712 AUDIT_REPLACEMENT_EVENT,
91447636
A		 713 THREAD_UNINT,
714 0);
55e303ae
A		 715 mutex_unlock(audit_mtx);
716
717 assert(ret == THREAD_WAITING);
718 ret = thread_block(THREAD_CONTINUE_NULL);
719 assert(ret == THREAD_AWAKENED);
720 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
721 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
e5568f75
A		 722
723 audit_file_rotate_wait = 0; /* We can now request another rotation */
55e303ae
A		 724}
725
726/*
727 * Drain the audit queue and close the log at shutdown.
728 */
729void
730audit_shutdown(void)
731{
55e303ae
A		 732 audit_rotate_vnode(NULL, NULL);
733}
734
735static __inline__ struct uthread *
736curuthread(void)
737{
91447636 738 return (get_bsdthread_info(current_thread()));
55e303ae
A		 739}
740
741static __inline__ struct kaudit_record *
742currecord(void)
743{
55e303ae
A		 744 return (curuthread()->uu_ar);
745}
746
747/**********************************
748 * Begin system calls. *
749 **********************************/
750/*
751 * System call to allow a user space application to submit a BSM audit
752 * record to the kernel for inclusion in the audit log. This function
753 * does little verification on the audit record that is submitted.
754 *
755 * XXXAUDIT: Audit preselection for user records does not currently
756 * work, since we pre-select only based on the AUE_audit event type,
757 * not the event type submitted as part of the user audit data.
758 */
55e303ae
A		 759/* ARGSUSED */
760int
91447636 761audit(struct proc *p, struct audit_args *uap, __unused register_t *retval)
55e303ae 762{
55e303ae
A		 763 int error;
764 void * rec;
765 struct kaudit_record *ar;
e5568f75 766 struct uthread *uthr;
55e303ae 767
91447636 768 error = suser(kauth_cred_get(), &p->p_acflag);
55e303ae
A		 769 if (error)
770 return (error);
771
91447636 772 if ((uap->length <= 0) || (uap->length > (int)audit_qctrl.aq_bufsz))
e5568f75
A		 773 return (EINVAL);
774
775 ar = currecord();
776
777 /* If there's no current audit record (audit() itself not audited)
778 * commit the user audit record.
779 */
780 if (ar == NULL) {
781 uthr = curuthread();
782 if (uthr == NULL) /* can this happen? */
91447636 783 return (ENOTSUP);
e5568f75
A		 784
785 /* This is not very efficient; we're required to allocate
786 * a complete kernel audit record just so the user record
787 * can tag along.
788 */
789 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
790 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
791 return (ENOTSUP);
792 ar = uthr->uu_ar;
793 }
794
55e303ae
A		 795 if (uap->length > MAX_AUDIT_RECORD_SIZE)
796 return (EINVAL);
797
e5568f75 798 rec = (void *)kalloc((vm_size_t)uap->length);
55e303ae
A		 799
800 error = copyin(uap->record, rec, uap->length);
801 if (error)
802 goto free_out;
803
804 /* Verify the record */
805 if (bsm_rec_verify(rec) == 0) {
806 error = EINVAL;
807 goto free_out;
808 }
809
810 /* Attach the user audit record to the kernel audit record. Because
811 * this system call is an auditable event, we will write the user
812 * record along with the record for this audit event.
813 */
814 ar->k_udata = rec;
e5568f75 815 ar->k_ar_commit |= AR_COMMIT_USER;
55e303ae
A		 816 ar->k_ulen = uap->length;
817 return (0);
818
819free_out:
e5568f75
A		 820 /* audit_syscall_exit() will free the audit record on the thread
821 * even if we allocated it above.
822 */
91447636 823 kfree(rec, uap->length);
55e303ae
A		 824 return (error);
825}
826
827/*
828 * System call to manipulate auditing.
829 */
55e303ae
A		 830/* ARGSUSED */
831int
91447636 832auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t *retval)
55e303ae 833{
e5568f75
A		 834 int ret;
835 int len;
836 union auditon_udata udata;
837 struct proc *tp;
55e303ae 838
e5568f75 839 AUDIT_ARG(cmd, uap->cmd);
91447636 840 ret = suser(kauth_cred_get(), &p->p_acflag);
e5568f75
A		 841 if (ret)
842 return (ret);
55e303ae 843
e5568f75 844 len = uap->length;
91447636 845 if ((len <= 0) || (len > (int)sizeof(union auditon_udata)))
e5568f75 846 return (EINVAL);
55e303ae 847
e5568f75
A		 848 memset((void *)&udata, 0, sizeof(udata));
849
850 switch (uap->cmd) {
851 /* Some of the GET commands use the arguments too */
852 case A_SETPOLICY:
853 case A_SETKMASK:
854 case A_SETQCTRL:
855 case A_SETSTAT:
856 case A_SETUMASK:
857 case A_SETSMASK:
858 case A_SETCOND:
859 case A_SETCLASS:
860 case A_SETPMASK:
861 case A_SETFSIZE:
862 case A_SETKAUDIT:
863 case A_GETCLASS:
864 case A_GETPINFO:
865 case A_GETPINFO_ADDR:
866 ret = copyin(uap->data, (void *)&udata, uap->length);
867 if (ret)
868 return (ret);
869 AUDIT_ARG(auditon, &udata);
870 break;
91447636 871}
e5568f75
A		 872
873 /* XXX Need to implement these commands by accessing the global
874 * values associated with the commands.
875 */
876 switch (uap->cmd) {
877 case A_GETPOLICY:
878 if (!audit_fail_stop)
879 udata.au_policy |= AUDIT_CNT;
880 if (audit_panic_on_write_fail)
881 udata.au_policy |= AUDIT_AHLT;
882 break;
883 case A_SETPOLICY:
884 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
885 return (EINVAL);
91447636 886/*
e5568f75 887 * XXX - Need to wake up waiters if the policy relaxes?
91447636 888 */
e5568f75
A		 889 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
890 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
891 break;
892 case A_GETKMASK:
893 udata.au_mask = audit_nae_mask;
894 break;
895 case A_SETKMASK:
896 audit_nae_mask = udata.au_mask;
897 break;
898 case A_GETQCTRL:
899 udata.au_qctrl = audit_qctrl;
900 break;
901 case A_SETQCTRL:
902 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
903 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
904 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
905 (udata.au_qctrl.aq_minfree < 0) ||
906 (udata.au_qctrl.aq_minfree > 100))
907 return (EINVAL);
908
909 audit_qctrl = udata.au_qctrl;
910 /* XXX The queue delay value isn't used with the kernel. */
911 audit_qctrl.aq_delay = -1;
912 break;
913 case A_GETCWD:
914 return (ENOSYS);
915 break;
916 case A_GETCAR:
917 return (ENOSYS);
918 break;
919 case A_GETSTAT:
920 return (ENOSYS);
921 break;
922 case A_SETSTAT:
923 return (ENOSYS);
924 break;
925 case A_SETUMASK:
926 return (ENOSYS);
927 break;
928 case A_SETSMASK:
929 return (ENOSYS);
930 break;
931 case A_GETCOND:
932 if (audit_enabled && !audit_suspended)
933 udata.au_cond = AUC_AUDITING;
934 else
935 udata.au_cond = AUC_NOAUDIT;
936 break;
937 case A_SETCOND:
938 if (udata.au_cond == AUC_NOAUDIT)
939 audit_suspended = 1;
940 if (udata.au_cond == AUC_AUDITING)
941 audit_suspended = 0;
942 if (udata.au_cond == AUC_DISABLED) {
943 audit_suspended = 1;
944 audit_shutdown();
945 }
946 break;
947 case A_GETCLASS:
948 udata.au_evclass.ec_class =
949 au_event_class(udata.au_evclass.ec_number);
950 break;
951 case A_SETCLASS:
952 au_evclassmap_insert(udata.au_evclass.ec_number,
953 udata.au_evclass.ec_class);
954 break;
955 case A_GETPINFO:
956 if (udata.au_aupinfo.ap_pid < 1)
957 return (EINVAL);
958 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
959 return (EINVAL);
960
91447636 961 udata.au_aupinfo.ap_auid = tp->p_ucred->cr_au.ai_auid;
e5568f75 962 udata.au_aupinfo.ap_mask.am_success =
91447636 963 tp->p_ucred->cr_au.ai_mask.am_success;
e5568f75 964 udata.au_aupinfo.ap_mask.am_failure =
91447636 965 tp->p_ucred->cr_au.ai_mask.am_failure;
e5568f75 966 udata.au_aupinfo.ap_termid.machine =
91447636 967 tp->p_ucred->cr_au.ai_termid.machine;
e5568f75 968 udata.au_aupinfo.ap_termid.port =
91447636
A		 969 tp->p_ucred->cr_au.ai_termid.port;
970 udata.au_aupinfo.ap_asid = tp->p_ucred->cr_au.ai_asid;
e5568f75
A		 971 break;
972 case A_SETPMASK:
973 if (udata.au_aupinfo.ap_pid < 1)
974 return (EINVAL);
975 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
976 return (EINVAL);
977
91447636
A		 978 /*
979 * we are modifying the audit info in a credential so we need a new
980 * credential (or take another reference on an existing credential that
981 * matches our new one). We must do this because the audit info in the
982 * credential is used as part of our hash key. Get current credential
983 * in the target process and take a reference while we muck with it.
984 */
985 for (;;) {
986 kauth_cred_t my_cred, my_new_cred;
987 struct auditinfo temp_auditinfo;
988
989 my_cred = kauth_cred_proc_ref(tp);
990 /*
991 * set the credential with new info. If there is no change we get back
992 * the same credential we passed in.
993 */
994 temp_auditinfo = my_cred->cr_au;
995 temp_auditinfo.ai_mask.am_success =
996 udata.au_aupinfo.ap_mask.am_success;
997 temp_auditinfo.ai_mask.am_failure =
998 udata.au_aupinfo.ap_mask.am_failure;
999 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1000
1001 if (my_cred != my_new_cred) {
1002 proc_lock(tp);
1003 /* need to protect for a race where another thread also changed
1004 * the credential after we took our reference. If p_ucred has
1005 * changed then we should restart this again with the new cred.
1006 */
1007 if (tp->p_ucred != my_cred) {
1008 proc_unlock(tp);
1009 kauth_cred_rele(my_cred);
1010 kauth_cred_rele(my_new_cred);
1011 /* try again */
1012 continue;
1013 }
1014 tp->p_ucred = my_new_cred;
1015 proc_unlock(tp);
1016 }
1017 /* drop our extra reference */
1018 kauth_cred_rele(my_cred);
1019 break;
1020 }
e5568f75
A		 1021 break;
1022 case A_SETFSIZE:
1023 if ((udata.au_fstat.af_filesz != 0) &&
1024 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
1025 return (EINVAL);
1026 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
1027 break;
1028 case A_GETFSIZE:
1029 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
1030 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
1031 break;
1032 case A_GETPINFO_ADDR:
1033 return (ENOSYS);
1034 break;
1035 case A_GETKAUDIT:
1036 return (ENOSYS);
1037 break;
1038 case A_SETKAUDIT:
91447636 1039 return (ENOSYS);
e5568f75 1040 break;
91447636 1041}
e5568f75
A		 1042 /* Copy data back to userspace for the GET comands */
1043 switch (uap->cmd) {
1044 case A_GETPOLICY:
1045 case A_GETKMASK:
1046 case A_GETQCTRL:
1047 case A_GETCWD:
1048 case A_GETCAR:
1049 case A_GETSTAT:
1050 case A_GETCOND:
1051 case A_GETCLASS:
1052 case A_GETPINFO:
1053 case A_GETFSIZE:
1054 case A_GETPINFO_ADDR:
1055 case A_GETKAUDIT:
1056 ret = copyout((void *)&udata, uap->data, uap->length);
1057 if (ret)
1058 return (ret);
1059 break;
1060 }
1061
1062 return (0);
55e303ae
A		 1063}
1064
1065/*
1066 * System calls to manage the user audit information.
1067 * XXXAUDIT May need to lock the proc structure.
1068 */
55e303ae
A		 1069/* ARGSUSED */
1070int
91447636 1071getauid(struct proc *p, struct getauid_args *uap, __unused register_t *retval)
55e303ae 1072{
55e303ae
A		 1073 int error;
1074
91447636
A		 1075 error = copyout((void *)&kauth_cred_get()->cr_au.ai_auid,
1076 uap->auid, sizeof(au_id_t));
55e303ae
A		 1077 if (error)
1078 return (error);
1079
1080 return (0);
1081}
1082
55e303ae
A		 1083/* ARGSUSED */
1084int
91447636 1085setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval)
55e303ae 1086{
55e303ae 1087 int error;
91447636 1088 au_id_t temp_au_id;
55e303ae 1089
91447636 1090 error = suser(kauth_cred_get(), &p->p_acflag);
55e303ae
A		 1091 if (error)
1092 return (error);
1093
91447636
A		 1094 error = copyin(uap->auid,
1095 (void *)&temp_au_id,
1096 sizeof(au_id_t));
55e303ae
A		 1097 if (error)
1098 return (error);
1099
91447636
A		 1100 /*
1101 * we are modifying the audit info in a credential so we need a new
1102 * credential (or take another reference on an existing credential that
1103 * matches our new one). We must do this because the audit info in the
1104 * credential is used as part of our hash key. Get current credential
1105 * in the target process and take a reference while we muck with it.
1106 */
1107 for (;;) {
1108 kauth_cred_t my_cred, my_new_cred;
1109 struct auditinfo temp_auditinfo;
1110
1111 my_cred = kauth_cred_proc_ref(p);
1112 /*
1113 * set the credential with new info. If there is no change we get back
1114 * the same credential we passed in.
1115 */
1116 temp_auditinfo = my_cred->cr_au;
1117 temp_auditinfo.ai_auid = temp_au_id;
1118 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1119
1120 if (my_cred != my_new_cred) {
1121 proc_lock(p);
1122 /* need to protect for a race where another thread also changed
1123 * the credential after we took our reference. If p_ucred has
1124 * changed then we should restart this again with the new cred.
1125 */
1126 if (p->p_ucred != my_cred) {
1127 proc_unlock(p);
1128 kauth_cred_rele(my_cred);
1129 kauth_cred_rele(my_new_cred);
1130 /* try again */
1131 continue;
1132 }
1133 p->p_ucred = my_new_cred;
1134 proc_unlock(p);
1135 }
1136 /* drop our extra reference */
1137 kauth_cred_rele(my_cred);
1138 break;
1139 }
1140
e5568f75
A		 1141 /* propagate the change from the process to Mach task */
1142 set_security_token(p);
1143
91447636 1144 audit_arg_auid(kauth_cred_get()->cr_au.ai_auid);
55e303ae
A		 1145 return (0);
1146}
1147
1148/*
1149 * System calls to get and set process audit information.
a3d08fcd
A		 1150 * If the caller is privileged, they get the whole set of
1151 * audit information. Otherwise, the real audit mask is
1152 * filtered out - but the rest of the information is
1153 * returned.
55e303ae 1154 */
55e303ae
A		 1155/* ARGSUSED */
1156int
91447636 1157getaudit(struct proc *p, struct getaudit_args *uap, __unused register_t *retval)
55e303ae 1158{
91447636 1159 struct auditinfo ai;
55e303ae
A		 1160 int error;
1161
91447636
A		 1162 ai = kauth_cred_get()->cr_au;
1163
a3d08fcd 1164 /* only superuser gets to see the real mask */
91447636 1165 error = suser(kauth_cred_get(), &p->p_acflag);
a3d08fcd
A		 1166 if (error) {
1167 ai.ai_mask.am_success = ~0;
1168 ai.ai_mask.am_failure = ~0;
1169 }
1170
91447636 1171 error = copyout(&ai, uap->auditinfo, sizeof(ai));
55e303ae
A		 1172 if (error)
1173 return (error);
1174
1175 return (0);
1176}
1177
55e303ae
A		 1178/* ARGSUSED */
1179int
91447636 1180setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval)
55e303ae 1181{
55e303ae 1182 int error;
91447636 1183 struct auditinfo temp_auditinfo;
55e303ae 1184
91447636 1185 error = suser(kauth_cred_get(), &p->p_acflag);
55e303ae
A		 1186 if (error)
1187 return (error);
91447636
A		 1188
1189 error = copyin(uap->auditinfo,
1190 (void *)&temp_auditinfo,
1191 sizeof(temp_auditinfo));
55e303ae
A		 1192 if (error)
1193 return (error);
1194
91447636
A		 1195 /*
1196 * we are modifying the audit info in a credential so we need a new
1197 * credential (or take another reference on an existing credential that
1198 * matches our new one). We must do this because the audit info in the
1199 * credential is used as part of our hash key. Get current credential
1200 * in the target process and take a reference while we muck with it.
1201 */
1202 for (;;) {
1203 kauth_cred_t my_cred, my_new_cred;
1204
1205 my_cred = kauth_cred_proc_ref(p);
1206 /*
1207 * set the credential with new info. If there is no change we get back
1208 * the same credential we passed in.
1209 */
1210 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1211
1212 if (my_cred != my_new_cred) {
1213 proc_lock(p);
1214 /* need to protect for a race where another thread also changed
1215 * the credential after we took our reference. If p_ucred has
1216 * changed then we should restart this again with the new cred.
1217 */
1218 if (p->p_ucred != my_cred) {
1219 proc_unlock(p);
1220 kauth_cred_rele(my_cred);
1221 kauth_cred_rele(my_new_cred);
1222 /* try again */
1223 continue;
1224 }
1225 p->p_ucred = my_new_cred;
1226 proc_unlock(p);
1227 }
1228 /* drop our extra reference */
1229 kauth_cred_rele(my_cred);
1230 break;
1231 }
1232
e5568f75
A		 1233 /* propagate the change from the process to Mach task */
1234 set_security_token(p);
1235
91447636 1236 audit_arg_auditinfo(&p->p_ucred->cr_au);
e5568f75 1237
55e303ae
A		 1238 return (0);
1239}
1240
55e303ae
A		 1241/* ARGSUSED */
1242int
91447636 1243getaudit_addr(struct proc *p, __unused struct getaudit_addr_args *uap, __unused register_t *retval)
55e303ae 1244{
55e303ae
A		 1245 return (ENOSYS);
1246}
1247
55e303ae
A		 1248/* ARGSUSED */
1249int
91447636 1250setaudit_addr(struct proc *p, __unused struct setaudit_addr_args *uap, __unused register_t *retval)
55e303ae 1251{
55e303ae
A		 1252 int error;
1253
91447636 1254 error = suser(kauth_cred_get(), &p->p_acflag);
55e303ae
A		 1255 if (error)
1256 return (error);
1257 return (ENOSYS);
1258}
1259
1260/*
1261 * Syscall to manage audit files.
1262 *
55e303ae 1263 */
55e303ae
A		 1264/* ARGSUSED */
1265int
91447636 1266auditctl(struct proc *p, struct auditctl_args *uap, __unused register_t *retval)
55e303ae 1267{
55e303ae 1268 struct nameidata nd;
91447636 1269 kauth_cred_t cred;
55e303ae 1270 struct vnode *vp;
91447636
A		 1271 int error, flags;
1272 struct vfs_context context;
1273
1274 context.vc_proc = p;
1275 context.vc_ucred = kauth_cred_get();
55e303ae 1276
91447636 1277 error = suser(kauth_cred_get(), &p->p_acflag);
55e303ae
A		 1278 if (error)
1279 return (error);
1280
1281 vp = NULL;
1282 cred = NULL;
1283
1284 /*
1285 * If a path is specified, open the replacement vnode, perform
1286 * validity checks, and grab another reference to the current
1287 * credential.
1288 */
91447636 1289 if (uap->path != 0) {
e5568f75 1290 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
91447636
A		 1291 (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
1292 uap->path, &context);
55e303ae
A		 1293 flags = audit_open_flags;
1294 error = vn_open(&nd, flags, 0);
1295 if (error)
1296 goto out;
55e303ae
A		 1297 vp = nd.ni_vp;
1298 if (vp->v_type != VREG) {
91447636
A		 1299 vn_close(vp, audit_close_flags, kauth_cred_get(), p);
1300 vnode_put(vp);
55e303ae
A		 1301 error = EINVAL;
1302 goto out;
1303 }
91447636 1304 cred = kauth_cred_get_with_ref();
e5568f75 1305 audit_suspended = 0;
55e303ae 1306 }
91447636
A		 1307 /*
1308 * a vp and cred of NULL is valid at this point
1309 * and indicates we're to turn off auditing...
1310 */
55e303ae 1311 audit_rotate_vnode(cred, vp);
91447636
A		 1312 if (vp)
1313 vnode_put(vp);
55e303ae
A		 1314out:
1315 return (error);
1316}
1317
1318/**********************************
1319 * End of system calls. *
1320 **********************************/
1321
1322/*
1323 * MPSAFE
1324 */
1325struct kaudit_record *
91447636 1326audit_new(int event, struct proc *p, __unused struct uthread *uthread)
55e303ae
A		 1327{
1328 struct kaudit_record *ar;
1329 int no_record;
1330
1331 /*
1332 * Eventually, there may be certain classes of events that
1333 * we will audit regardless of the audit state at the time
1334 * the record is created. These events will generally
1335 * correspond to changes in the audit state. The dummy
1336 * code below is from our first prototype, but may also
1337 * be used in the final version (with modified event numbers).
1338 */
1339#if 0
1340 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1341#endif
1342 mutex_lock(audit_mtx);
1343 no_record = (audit_suspended || !audit_enabled);
1344 mutex_unlock(audit_mtx);
1345 if (no_record)
1346 return (NULL);
1347#if 0
1348 }
1349#endif
1350
55e303ae
A		 1351 /*
1352 * Initialize the audit record header.
55e303ae 1353 * XXX: We may want to fail-stop if allocation fails.
e5568f75
A		 1354 * XXX: The number of outstanding uncommitted audit records is
1355 * limited by the number of concurrent threads servicing system
1356 * calls in the kernel.
55e303ae 1357 */
e5568f75
A		 1358
1359 ar = (struct kaudit_record *)zalloc(audit_zone);
55e303ae
A		 1360 if (ar == NULL)
1361 return NULL;
1362
e5568f75
A		 1363 mutex_lock(audit_mtx);
1364 audit_pre_q_len++;
1365 mutex_unlock(audit_mtx);
1366
55e303ae
A		 1367 bzero(ar, sizeof(*ar));
1368 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1369 ar->k_ar.ar_event = event;
1370 nanotime(&ar->k_ar.ar_starttime);
1371
1372 /* Export the subject credential. */
1373 cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred);
91447636
A		 1374 ar->k_ar.ar_subj_ruid = p->p_ucred->cr_ruid;
1375 ar->k_ar.ar_subj_rgid = p->p_ucred->cr_rgid;
55e303ae 1376 ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0];
91447636
A		 1377 ar->k_ar.ar_subj_auid = p->p_ucred->cr_au.ai_auid;
1378 ar->k_ar.ar_subj_asid = p->p_ucred->cr_au.ai_asid;
55e303ae 1379 ar->k_ar.ar_subj_pid = p->p_pid;
91447636
A		 1380 ar->k_ar.ar_subj_amask = p->p_ucred->cr_au.ai_mask;
1381 ar->k_ar.ar_subj_term = p->p_ucred->cr_au.ai_termid;
55e303ae 1382 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
55e303ae
A		 1383
1384 return (ar);
1385}
1386
1387/*
1388 * MPSAFE
1389 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1390 */
1391void
1392audit_abort(struct kaudit_record *ar)
1393{
e5568f75
A		 1394 mutex_lock(audit_mtx);
1395 audit_pre_q_len--;
1396 mutex_unlock(audit_mtx);
55e303ae
A		 1397 audit_free(ar);
1398}
1399
1400/*
1401 * MPSAFE
1402 */
1403void
1404audit_commit(struct kaudit_record *ar, int error, int retval)
1405{
e5568f75
A		 1406 int ret;
1407 int sorf;
1408 struct au_mask *aumask;
55e303ae
A		 1409
1410 if (ar == NULL)
1411 return;
1412
e5568f75
A		 1413 /*
1414 * Decide whether to commit the audit record by checking the
1415 * error value from the system call and using the appropriate
1416 * audit mask.
1417 */
1418 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1419 aumask = &audit_nae_mask;
1420 else
1421 aumask = &ar->k_ar.ar_subj_amask;
1422
1423 if (error)
1424 sorf = AU_PRS_FAILURE;
1425 else
1426 sorf = AU_PRS_SUCCESS;
1427
1428 switch(ar->k_ar.ar_event) {
1429
1430 case AUE_OPEN_RWTC:
1431 /* The open syscall always writes a OPEN_RWTC event; limit the
1432 * to the proper type of event based on the flags and the error
1433 * value.
1434 */
1435 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1436 break;
1437
1438 case AUE_SYSCTL:
1439 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1440 break;
1441
1442 case AUE_AUDITON:
1443 /* Convert the auditon() command to an event */
1444 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1445 break;
1446 }
1447
1448 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1449 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1450
91447636 1451 if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
e5568f75
A		 1452 mutex_lock(audit_mtx);
1453 audit_pre_q_len--;
1454 mutex_unlock(audit_mtx);
1455 audit_free(ar);
1456 return;
1457 }
1458
55e303ae
A		 1459 ar->k_ar.ar_errno = error;
1460 ar->k_ar.ar_retval = retval;
1461
1462 /*
1463 * We might want to do some system-wide post-filtering
1464 * here at some point.
1465 */
1466
1467 /*
1468 * Timestamp system call end.
1469 */
1470 nanotime(&ar->k_ar.ar_endtime);
1471
55e303ae
A		 1472 mutex_lock(audit_mtx);
1473 /*
1474 * Note: it could be that some records initiated while audit was
1475 * enabled should still be committed?
1476 */
1477 if (audit_suspended || !audit_enabled) {
e5568f75 1478 audit_pre_q_len--;
55e303ae
A		 1479 mutex_unlock(audit_mtx);
1480 audit_free(ar);
1481 return;
1482 }
91447636 1483
e5568f75
A		 1484 /*
1485 * Constrain the number of committed audit records based on
1486 * the configurable parameter.
1487 */
1488 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1489
1490 ret = wait_queue_assert_wait(audit_wait_queue,
1491 AUDIT_COMMIT_EVENT,
91447636
A		 1492 THREAD_UNINT,
1493 0);
e5568f75
A		 1494 mutex_unlock(audit_mtx);
1495
1496 assert(ret == THREAD_WAITING);
1497
1498 ret = thread_block(THREAD_CONTINUE_NULL);
1499 assert(ret == THREAD_AWAKENED);
1500 mutex_lock(audit_mtx);
1501 }
1502
55e303ae 1503 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
e5568f75
A		 1504 audit_q_len++;
1505 audit_pre_q_len--;
1506 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
55e303ae
A		 1507 mutex_unlock(audit_mtx);
1508}
1509
1510/*
1511 * Calls to set up and tear down audit structures associated with
1512 * each system call.
1513 */
1514void
1515audit_syscall_enter(unsigned short code, struct proc *proc,
1516 struct uthread *uthread)
1517{
1518 int audit_event;
e5568f75 1519 struct au_mask *aumask;
55e303ae
A		 1520
1521 audit_event = sys_au_event[code];
e5568f75
A		 1522 if (audit_event == AUE_NULL)
1523 return;
1524
1525 assert(uthread->uu_ar == NULL);
55e303ae 1526
e5568f75
A		 1527 /* Check which audit mask to use; either the kernel non-attributable
1528 * event mask or the process audit mask.
1529 */
91447636 1530 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
e5568f75
A		 1531 aumask = &audit_nae_mask;
1532 else
91447636
A		 1533 aumask = &proc->p_ucred->cr_au.ai_mask;
1534
55e303ae 1535 /*
e5568f75
A		 1536 * Allocate an audit record, if preselection allows it, and store
1537 * in the BSD thread for later use.
55e303ae 1538 */
e5568f75 1539 if (au_preselect(audit_event, aumask,
91447636 1540 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
e5568f75
A		 1541 /*
1542 * If we're out of space and need to suspend unprivileged
1543 * processes, do that here rather than trying to allocate
1544 * another audit record.
1545 */
1546 if (audit_in_failure &&
91447636 1547 suser(kauth_cred_get(), &proc->p_acflag) != 0) {
e5568f75
A		 1548 int ret;
1549
91447636 1550 assert(audit_worker_thread != THREAD_NULL);
e5568f75 1551 ret = wait_queue_assert_wait(audit_wait_queue,
91447636 1552 AUDIT_FAILURE_EVENT, THREAD_UNINT, 0);
e5568f75
A		 1553 assert(ret == THREAD_WAITING);
1554 (void)thread_block(THREAD_CONTINUE_NULL);
1555 panic("audit_failing_stop: thread continued");
55e303ae 1556 }
91447636
A		 1557 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1558 } else {
1559 uthread->uu_ar = NULL;
1560 }
1561 }
55e303ae
A		 1562
1563void
91447636 1564audit_syscall_exit(int error, AUDIT_PRINTF_ONLY struct proc *proc, struct uthread *uthread)
55e303ae
A		 1565{
1566 int retval;
1567
1568 /*
1569 * Commit the audit record as desired; once we pass the record
1570 * into audit_commit(), the memory is owned by the audit
1571 * subsystem.
1572 * The return value from the system call is stored on the user
1573 * thread. If there was an error, the return value is set to -1,
1574 * imitating the behavior of the cerror routine.
1575 */
1576 if (error)
1577 retval = -1;
1578 else
1579 retval = uthread->uu_rval[0];
1580
1581 audit_commit(uthread->uu_ar, error, retval);
91447636 1582 if (uthread->uu_ar != NULL) {
55e303ae 1583 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
91447636 1584 }
55e303ae
A		 1585 uthread->uu_ar = NULL;
1586
1587}
1588
e5568f75
A		 1589/*
1590 * Calls to set up and tear down audit structures used during Mach
1591 * system calls.
1592 */
1593void
1594audit_mach_syscall_enter(unsigned short audit_event)
1595{
1596 struct uthread *uthread;
1597 struct proc *proc;
1598 struct au_mask *aumask;
1599
1600 if (audit_event == AUE_NULL)
1601 return;
1602
1603 uthread = curuthread();
1604 if (uthread == NULL)
1605 return;
1606
1607 proc = current_proc();
1608 if (proc == NULL)
1609 return;
1610
1611 assert(uthread->uu_ar == NULL);
1612
1613 /* Check which audit mask to use; either the kernel non-attributable
1614 * event mask or the process audit mask.
1615 */
91447636 1616 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
e5568f75
A		 1617 aumask = &audit_nae_mask;
1618 else
91447636 1619 aumask = &proc->p_ucred->cr_au.ai_mask;
e5568f75
A		 1620
1621 /*
1622 * Allocate an audit record, if desired, and store in the BSD
1623 * thread for later use.
1624 */
1625 if (au_preselect(audit_event, aumask,
1626 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1627 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1628 } else {
1629 uthread->uu_ar = NULL;
1630 }
1631}
1632
1633void
1634audit_mach_syscall_exit(int retval, struct uthread *uthread)
1635{
1636 /* The error code from Mach system calls is the same as the
1637 * return value
1638 */
1639 /* XXX Is the above statement always true? */
1640 audit_commit(uthread->uu_ar, retval, retval);
1641 uthread->uu_ar = NULL;
1642
1643}
1644
55e303ae
A		 1645/*
1646 * Calls to manipulate elements of the audit record structure from system
1647 * call code. Macro wrappers will prevent this functions from being
1648 * entered if auditing is disabled, avoiding the function call cost. We
1649 * check the thread audit record pointer anyway, as the audit condition
1650 * could change, and pre-selection may not have allocated an audit
1651 * record for this event.
1652 */
1653void
91447636 1654audit_arg_addr(user_addr_t addr)
55e303ae
A		 1655{
1656 struct kaudit_record *ar;
1657
1658 ar = currecord();
1659 if (ar == NULL)
1660 return;
1661
91447636 1662 ar->k_ar.ar_arg_addr = CAST_DOWN(void *, addr); /* XXX */
e5568f75 1663 ar->k_ar.ar_valid_arg |= ARG_ADDR;
55e303ae
A		 1664}
1665
1666void
91447636 1667audit_arg_len(user_size_t len)
55e303ae
A		 1668{
1669 struct kaudit_record *ar;
1670
1671 ar = currecord();
1672 if (ar == NULL)
1673 return;
1674
91447636 1675 ar->k_ar.ar_arg_len = CAST_DOWN(int, len); /* XXX */
e5568f75 1676 ar->k_ar.ar_valid_arg |= ARG_LEN;
55e303ae
A		 1677}
1678
1679void
1680audit_arg_fd(int fd)
1681{
1682 struct kaudit_record *ar;
1683
1684 ar = currecord();
1685 if (ar == NULL)
1686 return;
1687
1688 ar->k_ar.ar_arg_fd = fd;
1689 ar->k_ar.ar_valid_arg |= ARG_FD;
1690}
1691
1692void
1693audit_arg_fflags(int fflags)
1694{
1695 struct kaudit_record *ar;
1696
1697 ar = currecord();
1698 if (ar == NULL)
1699 return;
1700
1701 ar->k_ar.ar_arg_fflags = fflags;
1702 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1703}
1704
1705void
1706audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1707{
1708 struct kaudit_record *ar;
1709
1710 ar = currecord();
1711 if (ar == NULL)
1712 return;
1713
1714 ar->k_ar.ar_arg_gid = gid;
1715 ar->k_ar.ar_arg_egid = egid;
1716 ar->k_ar.ar_arg_rgid = rgid;
1717 ar->k_ar.ar_arg_sgid = sgid;
1718 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1719}
1720
1721void
1722audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1723{
1724 struct kaudit_record *ar;
1725
1726 ar = currecord();
1727 if (ar == NULL)
1728 return;
1729
1730 ar->k_ar.ar_arg_uid = uid;
1731 ar->k_ar.ar_arg_euid = euid;
1732 ar->k_ar.ar_arg_ruid = ruid;
1733 ar->k_ar.ar_arg_suid = suid;
1734 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1735}
1736
1737void
91447636 1738audit_arg_groupset(const gid_t *gidset, u_int gidset_size)
55e303ae 1739{
91447636 1740 uint i;
55e303ae
A		 1741 struct kaudit_record *ar;
1742
1743 ar = currecord();
1744 if (ar == NULL)
1745 return;
1746
1747 for (i = 0; i < gidset_size; i++)
1748 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1749 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1750 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1751}
1752
1753void
91447636 1754audit_arg_login(const char *login)
55e303ae
A		 1755{
1756 struct kaudit_record *ar;
1757
1758 ar = currecord();
1759 if (ar == NULL)
1760 return;
1761
1762#if 0
1763 /*
1764 * XXX: Add strlcpy() to Darwin for improved safety.
1765 */
1766 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1767#else
1768 strcpy(ar->k_ar.ar_arg_login, login);
1769#endif
1770
1771 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1772}
1773
e5568f75 1774void
91447636 1775audit_arg_ctlname(const int *name, int namelen)
e5568f75
A		 1776{
1777 struct kaudit_record *ar;
1778
1779 ar = currecord();
1780 if (ar == NULL)
1781 return;
1782
1783 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1784 ar->k_ar.ar_arg_len = namelen;
1785 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1786}
1787
55e303ae
A		 1788void
1789audit_arg_mask(int mask)
1790{
1791 struct kaudit_record *ar;
1792
1793 ar = currecord();
1794 if (ar == NULL)
1795 return;
1796
1797 ar->k_ar.ar_arg_mask = mask;
1798 ar->k_ar.ar_valid_arg |= ARG_MASK;
1799}
1800
1801void
1802audit_arg_mode(mode_t mode)
1803{
1804 struct kaudit_record *ar;
1805
1806 ar = currecord();
1807 if (ar == NULL)
1808 return;
1809
1810 ar->k_ar.ar_arg_mode = mode;
1811 ar->k_ar.ar_valid_arg |= ARG_MODE;
1812}
1813
1814void
1815audit_arg_dev(int dev)
1816{
1817 struct kaudit_record *ar;
1818
1819 ar = currecord();
1820 if (ar == NULL)
1821 return;
1822
1823 ar->k_ar.ar_arg_dev = dev;
1824 ar->k_ar.ar_valid_arg |= ARG_DEV;
1825}
1826
e5568f75
A		 1827void
1828audit_arg_value(long value)
1829{
1830 struct kaudit_record *ar;
1831
1832 ar = currecord();
1833 if (ar == NULL)
1834 return;
1835
1836 ar->k_ar.ar_arg_value = value;
1837 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1838}
1839
55e303ae
A		 1840void
1841audit_arg_owner(uid_t uid, gid_t gid)
1842{
1843 struct kaudit_record *ar;
1844
1845 ar = currecord();
1846 if (ar == NULL)
1847 return;
1848
1849 ar->k_ar.ar_arg_uid = uid;
1850 ar->k_ar.ar_arg_gid = gid;
1851 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1852}
1853
1854void
1855audit_arg_pid(pid_t pid)
1856{
1857 struct kaudit_record *ar;
1858
1859 ar = currecord();
1860 if (ar == NULL)
1861 return;
1862
1863 ar->k_ar.ar_arg_pid = pid;
1864 ar->k_ar.ar_valid_arg |= ARG_PID;
e5568f75
A		 1865}
1866
1867void
1868audit_arg_process(struct proc *p)
1869{
1870 struct kaudit_record *ar;
1871
1872 ar = currecord();
1873 if ((ar == NULL) || (p == NULL))
1874 return;
1875
91447636 1876 ar->k_ar.ar_arg_auid = p->p_ucred->cr_au.ai_auid;
e5568f75
A		 1877 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1878 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
91447636
A		 1879 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
1880 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
1881 ar->k_ar.ar_arg_asid = p->p_ucred->cr_au.ai_asid;
1882 ar->k_ar.ar_arg_termid = p->p_ucred->cr_au.ai_termid;
e5568f75
A		 1883
1884 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1885 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
55e303ae
A		 1886}
1887
1888void
1889audit_arg_signum(u_int signum)
1890{
1891 struct kaudit_record *ar;
1892
1893 ar = currecord();
1894 if (ar == NULL)
1895 return;
1896
1897 ar->k_ar.ar_arg_signum = signum;
1898 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1899}
1900
1901void
1902audit_arg_socket(int sodomain, int sotype, int soprotocol)
1903{
1904
1905 struct kaudit_record *ar;
1906
1907 ar = currecord();
1908 if (ar == NULL)
1909 return;
1910
e5568f75
A		 1911 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1912 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1913 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
55e303ae
A		 1914 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1915}
1916
1917void
1918audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1919{
1920 struct kaudit_record *ar;
1921
1922 ar = currecord();
1923 if (ar == NULL || p == NULL || so == NULL)
1924 return;
1925
1926 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1927 switch (so->sa_family) {
1928 case AF_INET:
1929 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1930 break;
1931 case AF_INET6:
1932 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1933 break;
1934 case AF_UNIX:
1935 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1936 ARG_UPATH1);
1937 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1938 break;
1939 }
1940}
1941
1942void
1943audit_arg_auid(uid_t auid)
1944{
1945 struct kaudit_record *ar;
1946
1947 ar = currecord();
1948 if (ar == NULL)
1949 return;
1950
1951 ar->k_ar.ar_arg_auid = auid;
1952 ar->k_ar.ar_valid_arg |= ARG_AUID;
1953}
1954
e5568f75 1955void
91447636 1956audit_arg_auditinfo(const struct auditinfo *au_info)
e5568f75
A		 1957{
1958 struct kaudit_record *ar;
1959
1960 ar = currecord();
1961 if (ar == NULL)
1962 return;
1963
1964 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1965 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1966 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1967 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1968 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1969 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1970 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1971}
1972
55e303ae 1973void
91447636 1974audit_arg_text(const char *text)
55e303ae
A		 1975{
1976 struct kaudit_record *ar;
1977
1978 ar = currecord();
1979 if (ar == NULL)
1980 return;
1981
1982 /* Invalidate the text string */
1983 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1984 if (text == NULL)
1985 return;
1986
1987 if (ar->k_ar.ar_arg_text == NULL) {
e5568f75 1988 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 1989 if (ar->k_ar.ar_arg_text == NULL)
1990 return;
1991 }
1992
e5568f75 1993 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
55e303ae
A		 1994 ar->k_ar.ar_valid_arg |= ARG_TEXT;
1995}
1996
1997void
1998audit_arg_cmd(int cmd)
1999{
2000 struct kaudit_record *ar;
2001
2002 ar = currecord();
2003 if (ar == NULL)
2004 return;
2005
2006 ar->k_ar.ar_arg_cmd = cmd;
2007 ar->k_ar.ar_valid_arg |= ARG_CMD;
2008}
2009
2010void
2011audit_arg_svipc_cmd(int cmd)
2012{
2013 struct kaudit_record *ar;
2014
2015 ar = currecord();
2016 if (ar == NULL)
2017 return;
2018
2019 ar->k_ar.ar_arg_svipc_cmd = cmd;
2020 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
2021}
2022
2023void
91447636 2024audit_arg_svipc_perm(const struct ipc_perm *perm)
55e303ae
A		 2025{
2026 struct kaudit_record *ar;
2027
2028 ar = currecord();
2029 if (ar == NULL)
2030 return;
2031
2032 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
2033 sizeof(ar->k_ar.ar_arg_svipc_perm));
2034 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
2035}
2036
2037void
2038audit_arg_svipc_id(int id)
2039{
2040 struct kaudit_record *ar;
2041
2042 ar = currecord();
2043 if (ar == NULL)
2044 return;
2045
2046 ar->k_ar.ar_arg_svipc_id = id;
2047 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
2048}
2049
2050void
2051audit_arg_svipc_addr(void * addr)
2052{
2053 struct kaudit_record *ar;
2054
2055 ar = currecord();
2056 if (ar == NULL)
2057 return;
2058
2059 ar->k_ar.ar_arg_svipc_addr = addr;
2060 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
2061}
2062
e5568f75
A		 2063void
2064audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
2065{
2066 struct kaudit_record *ar;
2067
2068 ar = currecord();
2069 if (ar == NULL)
2070 return;
2071
2072 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
2073 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
2074 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
2075 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
2076}
2077
2078void
91447636 2079audit_arg_auditon(const union auditon_udata *udata)
e5568f75
A		 2080{
2081 struct kaudit_record *ar;
2082
2083 ar = currecord();
2084 if (ar == NULL)
2085 return;
2086
91447636 2087 bcopy((const void *)udata, &ar->k_ar.ar_arg_auditon,
e5568f75
A		 2088 sizeof(ar->k_ar.ar_arg_auditon));
2089 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
2090}
2091
91447636 2092/*
e5568f75
A		 2093 * Audit information about a file, either the file's vnode info, or its
2094 * socket address info.
2095 */
2096void
91447636 2097audit_arg_file(__unused struct proc *p, const struct fileproc *fp)
e5568f75
A		 2098{
2099 struct kaudit_record *ar;
2100 struct socket *so;
2101 struct inpcb *pcb;
2102
91447636
A		 2103 if (fp->f_fglob->fg_type == DTYPE_VNODE) {
2104 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
e5568f75
A		 2105 return;
2106 }
2107
91447636 2108 if (fp->f_fglob->fg_type == DTYPE_SOCKET) {
e5568f75
A		 2109 ar = currecord();
2110 if (ar == NULL)
2111 return;
91447636 2112 so = (struct socket *)fp->f_fglob->fg_data;
e5568f75
A		 2113 if (INP_CHECK_SOCKAF(so, PF_INET)) {
2114 if (so->so_pcb == NULL)
2115 return;
2116 ar->k_ar.ar_arg_sockinfo.so_type =
2117 so->so_type;
2118 ar->k_ar.ar_arg_sockinfo.so_domain =
2119 INP_SOCKAF(so);
2120 ar->k_ar.ar_arg_sockinfo.so_protocol =
2121 so->so_proto->pr_protocol;
2122 pcb = (struct inpcb *)so->so_pcb;
2123 ar->k_ar.ar_arg_sockinfo.so_raddr =
2124 pcb->inp_faddr.s_addr;
2125 ar->k_ar.ar_arg_sockinfo.so_laddr =
2126 pcb->inp_laddr.s_addr;
2127 ar->k_ar.ar_arg_sockinfo.so_rport =
2128 pcb->inp_fport;
2129 ar->k_ar.ar_arg_sockinfo.so_lport =
2130 pcb->inp_lport;
2131 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2132 }
2133 }
2134
2135}
2136
55e303ae
A		 2137
2138/*
2139 * Store a path as given by the user process for auditing into the audit
2140 * record stored on the user thread. This function will allocate the memory to
2141 * store the path info if not already available. This memory will be
2142 * freed when the audit record is freed.
2143 */
2144void
2145audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2146{
2147 struct kaudit_record *ar;
2148 char **pathp;
2149
2150 if (p == NULL || upath == NULL)
2151 return; /* nothing to do! */
2152
91447636 2153 if ((flags & (ARG_UPATH1 | ARG_UPATH2)) == 0)
55e303ae
A		 2154 return;
2155
2156 ar = currecord();
2157 if (ar == NULL) /* This will be the case for unaudited system calls */
2158 return;
2159
2160 if (flags & ARG_UPATH1) {
2161 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2162 pathp = &ar->k_ar.ar_arg_upath1;
2163 }
2164 else {
2165 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2166 pathp = &ar->k_ar.ar_arg_upath2;
2167 }
2168
2169 if (*pathp == NULL) {
e5568f75 2170 *pathp = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 2171 if (*pathp == NULL)
2172 return;
2173 }
2174
e5568f75
A		 2175 if (canon_path(p, upath, *pathp) == 0) {
2176 if (flags & ARG_UPATH1)
2177 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2178 else
2179 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
91447636
A		 2180 } else {
2181 kfree(*pathp, MAXPATHLEN);
2182 *pathp = NULL;
e5568f75 2183 }
55e303ae
A		 2184}
2185
2186/*
2187 * Function to save the path and vnode attr information into the audit
2188 * record.
2189 *
2190 * It is assumed that the caller will hold any vnode locks necessary to
91447636 2191 * perform a VNOP_GETATTR() on the passed vnode.
55e303ae
A		 2192 *
2193 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2194 * always provides access to the generation number as we need that
2195 * to construct the BSM file ID.
2196 * XXX: We should accept the process argument from the caller, since
2197 * it's very likely they already have a reference.
2198 * XXX: Error handling in this function is poor.
2199 */
2200void
2201audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2202{
2203 struct kaudit_record *ar;
91447636 2204 struct vnode_attr va;
55e303ae
A		 2205 int error;
2206 int len;
2207 char **pathp;
2208 struct vnode_au_info *vnp;
2209 struct proc *p;
91447636 2210 struct vfs_context context;
55e303ae
A		 2211
2212 if (vp == NULL)
2213 return;
2214
2215 ar = currecord();
2216 if (ar == NULL) /* This will be the case for unaudited system calls */
2217 return;
2218
91447636 2219 if ((flags & (ARG_VNODE1 | ARG_VNODE2)) == 0)
55e303ae
A		 2220 return;
2221
2222 p = current_proc();
2223
2224 if (flags & ARG_VNODE1) {
2225 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2226 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2227 pathp = &ar->k_ar.ar_arg_kpath1;
2228 vnp = &ar->k_ar.ar_arg_vnode1;
2229 }
2230 else {
2231 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2232 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2233 pathp = &ar->k_ar.ar_arg_kpath2;
2234 vnp = &ar->k_ar.ar_arg_vnode2;
2235 }
2236
2237 if (*pathp == NULL) {
e5568f75 2238 *pathp = (char *)kalloc(MAXPATHLEN);
55e303ae
A		 2239 if (*pathp == NULL)
2240 return;
2241 }
2242
e5568f75
A		 2243 /*
2244 * If vn_getpath() succeeds, place it in a string buffer
2245 * attached to the audit record, and set a flag indicating
2246 * it is present.
2247 */
55e303ae 2248 len = MAXPATHLEN;
e5568f75 2249 if (vn_getpath(vp, *pathp, &len) == 0) {
91447636
A		 2250 if (flags & ARG_VNODE1)
2251 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2252 else
2253 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
e5568f75 2254 } else {
91447636 2255 kfree(*pathp, MAXPATHLEN);
e5568f75
A		 2256 *pathp = NULL;
2257 }
55e303ae 2258
91447636
A		 2259 context.vc_proc = p;
2260 context.vc_ucred = kauth_cred_get();
2261
2262 VATTR_INIT(&va);
2263 VATTR_WANTED(&va, va_mode);
2264 VATTR_WANTED(&va, va_uid);
2265 VATTR_WANTED(&va, va_gid);
2266 VATTR_WANTED(&va, va_rdev);
2267 VATTR_WANTED(&va, va_fsid);
2268 VATTR_WANTED(&va, va_fileid);
2269 VATTR_WANTED(&va, va_gen);
2270 error = vnode_getattr(vp, &va, &context);
55e303ae
A		 2271 if (error) {
2272 /* XXX: How to handle this case? */
2273 return;
2274 }
2275
91447636
A		 2276 /* XXX do we want to fall back here when these aren't supported? */
2277 vnp->vn_mode = va.va_mode;
2278 vnp->vn_uid = va.va_uid;
2279 vnp->vn_gid = va.va_gid;
2280 vnp->vn_dev = va.va_rdev;
2281 vnp->vn_fsid = va.va_fsid;
2282 vnp->vn_fileid = (u_long)va.va_fileid;
2283 vnp->vn_gen = va.va_gen;
55e303ae
A		 2284 if (flags & ARG_VNODE1)
2285 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2286 else
2287 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2288
2289}
2290
e5568f75 2291void
91447636
A		 2292audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags)
2293{
2294 if (vp == NULL || vnode_getwithref(vp))
2295 return;
2296 audit_arg_vnpath(vp, flags);
2297 (void)vnode_put(vp);
2298}
2299
2300void
2301audit_arg_mach_port1(mach_port_name_t port)
e5568f75
A		 2302{
2303 struct kaudit_record *ar;
2304
2305 ar = currecord();
2306 if (ar == NULL)
2307 return;
2308
2309 ar->k_ar.ar_arg_mach_port1 = port;
2310 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2311}
2312
2313void
91447636 2314audit_arg_mach_port2(mach_port_name_t port)
e5568f75
A		 2315{
2316 struct kaudit_record *ar;
2317
2318 ar = currecord();
2319 if (ar == NULL)
2320 return;
2321
2322 ar->k_ar.ar_arg_mach_port2 = port;
2323 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2324}
2325
2326/*
2327 * The close() system call uses it's own audit call to capture the
2328 * path/vnode information because those pieces are not easily obtained
2329 * within the system call itself.
2330 */
2331void
2332audit_sysclose(struct proc *p, int fd)
2333{
91447636
A		 2334 struct fileproc *fp;
2335 struct vnode *vp;
e5568f75
A		 2336
2337 audit_arg_fd(fd);
2338
91447636 2339 if (fp_getfvp(p, fd, &fp, &vp) != 0)
e5568f75
A		 2340 return;
2341
91447636
A		 2342 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2343 file_drop(fd);
e5568f75
A		 2344}
2345
55e303ae
A		 2346#else /* !AUDIT */
2347
2348void
2349audit_init(void)
2350{
2351
2352}
2353
2354void
2355audit_shutdown(void)
2356{
2357
2358}
2359
2360int
2361audit(struct proc *p, struct audit_args *uap, register_t *retval)
2362{
2363 return (ENOSYS);
2364}
2365
2366int
2367auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2368{
2369 return (ENOSYS);
2370}
2371
55e303ae
A		 2372int
2373getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2374{
2375 return (ENOSYS);
2376}
2377
2378int
2379setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2380{
2381 return (ENOSYS);
2382}
2383
2384int
2385getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2386{
2387 return (ENOSYS);
2388}
2389
2390int
2391setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2392{
2393 return (ENOSYS);
2394}
2395
2396int
2397getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2398{
2399 return (ENOSYS);
2400}
2401
2402int
2403setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2404{
2405 return (ENOSYS);
2406}
2407
2408int
2409auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2410{
2411 return (ENOSYS);
2412}
2413
55e303ae 2414#endif /* AUDIT */
mirror of XNU