]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_audit.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-792.25.20.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22 #include <sys/param.h>
23 #include <sys/fcntl.h>
24 #include <sys/kernel.h>
25 #include <sys/lock.h>
26 #include <sys/namei.h>
27 #include <sys/proc_internal.h>
28 #include <sys/kauth.h>
29 #include <sys/queue.h>
30 #include <sys/systm.h>
31 #include <sys/time.h>
32 #include <sys/ucred.h>
33 #include <sys/uio.h>
34 #include <sys/unistd.h>
35 #include <sys/file_internal.h>
36 #include <sys/vnode_internal.h>
37 #include <sys/user.h>
38 #include <sys/syscall.h>
39 #include <sys/malloc.h>
40 #include <sys/un.h>
41 #include <sys/sysent.h>
42 #include <sys/sysproto.h>
43 #include <sys/vfs_context.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socketvar.h>
47
48 #include <bsm/audit.h>
49 #include <bsm/audit_kevents.h>
50 #include <bsm/audit_klib.h>
51 #include <bsm/audit_kernel.h>
52
53 #include <mach/host_priv.h>
54 #include <mach/host_special_ports.h>
55 #include <mach/audit_triggers_server.h>
56
57 #include <kern/host.h>
58 #include <kern/kalloc.h>
59 #include <kern/zalloc.h>
60 #include <kern/lock.h>
61 #include <kern/wait_queue.h>
62 #include <kern/sched_prim.h>
63
64 #include <net/route.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_pcb.h>
68
69 #ifdef AUDIT
70
71 /*
72 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
73 * gratuitously noisy printf's to the console. Due to the
74 * volume, it should be left off unless you want your system
75 * to churn a lot whenever the audit record flow gets high.
76 */
77 /* #define AUDIT_EXCESSIVELY_VERBOSE */
78 #ifdef AUDIT_EXCESSIVELY_VERBOSE
79 #define AUDIT_PRINTF_ONLY
80 #define AUDIT_PRINTF(x) printf x
81 #else
82 #define AUDIT_PRINTF_ONLY __unused
83 #define AUDIT_PRINTF(X)
84 #endif
85
86 #if DIAGNOSTIC
87 #if defined(assert)
88 #undef assert()
89 #endif
90 #define assert(cond) \
91 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
92 #else
93 #include <kern/assert.h>
94 #endif /* DIAGNOSTIC */
95
96 /*
97 * Define the audit control flags.
98 */
99 int audit_enabled;
100 int audit_suspended;
101
102 /*
103 * Mutex to protect global variables shared between various threads and
104 * processes.
105 */
106 static mutex_t *audit_mtx;
107
108 /*
109 * Queue of audit records ready for delivery to disk. We insert new
110 * records at the tail, and remove records from the head. Also,
111 * a count of the number of records used for checking queue depth.
112 * In addition, a counter of records that we have allocated but are
113 * not yet in the queue, which is needed to estimate the total
114 * size of the combined set of records outstanding in the system.
115 */
116 static TAILQ_HEAD(, kaudit_record) audit_q;
117 static size_t audit_q_len;
118 static size_t audit_pre_q_len;
119
120 static wait_queue_t audit_wait_queue;
121 static zone_t audit_zone;
122
123 /*
124 * Condition variable to signal to the worker that it has work to do:
125 * either new records are in the queue, or a log replacement is taking
126 * place.
127 */
128 static int audit_worker_event;
129 #define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
130
131 /*
132 * The audit worker thread (which is lazy started when we first
133 * rotate the audit log.
134 */
135 static thread_t audit_worker_thread = THREAD_NULL;
136
137 /*
138 * When an audit log is rotated, the actual rotation must be performed
139 * by the audit worker thread, as it may have outstanding writes on the
140 * current audit log. audit_replacement_vp holds the vnode replacing
141 * the current vnode. We can't let more than one replacement occur
142 * at a time, so if more than one thread requests a replacement, only
143 * one can have the replacement "in progress" at any given moment. If
144 * a thread tries to replace the audit vnode and discovers a replacement
145 * is already in progress (i.e., audit_replacement_flag != 0), then it
146 * will sleep on audit_replacement_cv waiting its turn to perform a
147 * replacement. When a replacement is completed, this cv is signalled
148 * by the worker thread so a waiting thread can start another replacement.
149 * We also store a credential to perform audit log write operations with.
150 */
151 static int audit_replacement_event;
152 #define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
153
154 static int audit_replacement_flag;
155 static struct vnode *audit_replacement_vp;
156 static kauth_cred_t audit_replacement_cred;
157
158 /*
159 * Wait queue for auditing threads that cannot commit the audit
160 * record at the present time. Also, the queue control parameter
161 * structure.
162 */
163 static int audit_commit_event;
164 #define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
165
166 static struct au_qctrl audit_qctrl;
167
168 /*
169 * Flags to use on audit files when opening and closing.
170 */
171 static const int audit_open_flags = FWRITE | O_APPEND;
172 static const int audit_close_flags = FWRITE | O_APPEND;
173
174 /*
175 * Global audit statistiscs.
176 */
177 static struct audit_fstat audit_fstat;
178
179 /*
180 Preselection mask for non-attributable events.
181 */
182 static struct au_mask audit_nae_mask;
183
184 /*
185 * Flags related to Kernel->user-space communication.
186 */
187 static int audit_file_rotate_wait;
188
189 /*
190 * Flags controlling behavior in low storage situations.
191 * Should we panic if a write fails? Should we fail stop
192 * if we're out of disk space? Are we currently "failing
193 * stop" due to out of disk space?
194 */
195 static int audit_panic_on_write_fail;
196 static int audit_fail_stop;
197 static int audit_in_failure;
198
199 /*
200 * When in a fail-stop mode, threads will drop into this wait queue
201 * rather than perform auditable events. They won't ever get woken
202 * up.
203 */
204 static int audit_failure_event;
205 #define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
206
207 /*
208 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
209 * behavior.
210 */
211 extern task_t kernel_task;
212
213 static void
214 audit_free(struct kaudit_record *ar)
215 {
216 if (ar->k_ar.ar_arg_upath1 != NULL) {
217 kfree(ar->k_ar.ar_arg_upath1, MAXPATHLEN);
218 }
219 if (ar->k_ar.ar_arg_upath2 != NULL) {
220 kfree(ar->k_ar.ar_arg_upath2, MAXPATHLEN);
221
222 }
223 if (ar->k_ar.ar_arg_kpath1 != NULL) {
224 kfree(ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
225
226 }
227 if (ar->k_ar.ar_arg_kpath2 != NULL) {
228 kfree(ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
229
230 }
231 if (ar->k_ar.ar_arg_text != NULL) {
232 kfree(ar->k_ar.ar_arg_text, MAXPATHLEN);
233
234 }
235 if (ar->k_udata != NULL) {
236 kfree(ar->k_udata, ar->k_ulen);
237
238 }
239 zfree(audit_zone, ar);
240 }
241
242 static int
243 audit_write(struct vnode *vp, struct kaudit_record *ar, kauth_cred_t cred,
244 struct proc *p)
245 {
246 struct vfsstatfs *mnt_stat = &vp->v_mount->mnt_vfsstat;
247 int ret;
248 struct au_record *bsm;
249 /* KVV maybe we should take a context as a param to audit_write? */
250 struct vfs_context context;
251 off_t file_size;
252
253 mach_port_t audit_port;
254
255 /*
256 * First, gather statistics on the audit log file and file system
257 * so that we know how we're doing on space. In both cases,
258 * if we're unable to perform the operation, we drop the record
259 * and return. However, this is arguably an assertion failure.
260 */
261 context.vc_proc = p;
262 context.vc_ucred = cred;
263 ret = vfs_update_vfsstat(vp->v_mount, &context);
264 if (ret)
265 goto out;
266
267 /* update the global stats struct */
268 if ((ret = vnode_size(vp, &file_size, &context)) != 0)
269 goto out;
270 audit_fstat.af_currsz = file_size;
271
272 /*
273 * Send a message to the audit daemon when disk space is getting
274 * low.
275 * XXX Need to decide what to do if the trigger to the audit daemon
276 * fails.
277 */
278 if(host_get_audit_control_port(host_priv_self(), &audit_port)
279 != KERN_SUCCESS)
280 printf("Cannot get audit control port\n");
281
282 if (audit_port != MACH_PORT_NULL) {
283 uint64_t temp;
284
285 /*
286 * If we fall below percent free blocks, then trigger the
287 * audit daemon to do something about it.
288 */
289 if (audit_qctrl.aq_minfree != 0) {
290 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
291 if (mnt_stat->f_bfree < temp) {
292 ret = audit_triggers(audit_port,
293 AUDIT_TRIGGER_LOW_SPACE);
294 if (ret != KERN_SUCCESS) {
295 printf(
296 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
297 /*
298 * XXX: What to do here? Disable auditing?
299 * panic?
300 */
301 }
302 }
303 }
304 /* Check if the current log file is full; if so, call for
305 * a log rotate. This is not an exact comparison; we may
306 * write some records over the limit. If that's not
307 * acceptable, then add a fudge factor here.
308 */
309 if ((audit_fstat.af_filesz != 0) &&
310 (audit_file_rotate_wait == 0) &&
311 (file_size >= audit_fstat.af_filesz)) {
312 audit_file_rotate_wait = 1;
313 ret = audit_triggers(audit_port,
314 AUDIT_TRIGGER_FILE_FULL);
315 if (ret != KERN_SUCCESS) {
316 printf(
317 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
318 /* XXX what to do here? */
319 }
320 }
321 }
322
323 /*
324 * If the estimated amount of audit data in the audit event queue
325 * (plus records allocated but not yet queued) has reached the
326 * amount of free space on the disk, then we need to go into an
327 * audit fail stop state, in which we do not permit the
328 * allocation/committing of any new audit records. We continue to
329 * process packets but don't allow any activities that might
330 * generate new records. In the future, we might want to detect
331 * when space is available again and allow operation to continue,
332 * but this behavior is sufficient to meet fail stop requirements
333 * in CAPP.
334 */
335 if (audit_fail_stop &&
336 (unsigned long)
337 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
338 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
339 printf(
340 "audit_worker: free space below size of audit queue, failing stop\n");
341 audit_in_failure = 1;
342 }
343
344 /*
345 * If there is a user audit record attached to the kernel record,
346 * then write the user record.
347 */
348 /* XXX Need to decide a few things here: IF the user audit
349 * record is written, but the write of the kernel record fails,
350 * what to do? Should the kernel record come before or after the
351 * user record? For now, we write the user record first, and
352 * we ignore errors.
353 */
354 if (ar->k_ar_commit & AR_COMMIT_USER) {
355 if (vnode_getwithref(vp) == 0) {
356 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
357 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p);
358 vnode_put(vp);
359 if (ret)
360 goto out;
361 } else {
362 goto out;
363 }
364 }
365
366 /*
367 * Convert the internal kernel record to BSM format and write it
368 * out if everything's OK.
369 */
370 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
371 ret = 0;
372 goto out;
373 }
374
375 ret = kaudit_to_bsm(ar, &bsm);
376 if (ret == BSM_NOAUDIT) {
377 ret = 0;
378 goto out;
379 }
380
381 /*
382 * XXX: We drop the record on BSM conversion failure, but really
383 * this is an assertion failure.
384 */
385 if (ret == BSM_FAILURE) {
386 AUDIT_PRINTF(("BSM conversion failure\n"));
387 ret = EINVAL;
388 goto out;
389 }
390
391 /* XXX This function can be called with the kernel funnel held,
392 * which is not optimal. We should break the write functionality
393 * away from the BSM record generation and have the BSM generation
394 * done before this function is called. This function will then
395 * take the BSM record as a parameter.
396 */
397 if ((ret = vnode_getwithref(vp)) == 0) {
398 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
399 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p));
400 vnode_put(vp);
401 }
402 kau_free(bsm);
403
404 out:
405 /*
406 * When we're done processing the current record, we have to
407 * check to see if we're in a failure mode, and if so, whether
408 * this was the last record left to be drained. If we're done
409 * draining, then we fsync the vnode and panic.
410 */
411 if (audit_in_failure &&
412 audit_q_len == 0 && audit_pre_q_len == 0) {
413 (void)VNOP_FSYNC(vp, MNT_WAIT, &context);
414 panic("Audit store overflow; record queue drained.");
415 }
416
417 return (ret);
418 }
419
420 static void
421 audit_worker(void)
422 {
423 int do_replacement_signal, error, release_funnel;
424 TAILQ_HEAD(, kaudit_record) ar_worklist;
425 struct kaudit_record *ar;
426 struct vnode *audit_vp, *old_vp;
427 kauth_cred_t audit_cred;
428 kauth_cred_t old_cred;
429 struct proc *audit_p;
430
431 AUDIT_PRINTF(("audit_worker starting\n"));
432
433 TAILQ_INIT(&ar_worklist);
434 audit_cred = NOCRED;
435 audit_p = current_proc();
436 audit_vp = NULL;
437
438 /*
439 * XXX: Presumably we can assume Mach threads are started without
440 * holding the BSD kernel funnel?
441 */
442 thread_funnel_set(kernel_flock, FALSE);
443
444 mutex_lock(audit_mtx);
445 while (1) {
446 /*
447 * First priority: replace the audit log target if requested.
448 * As we actually close the vnode in the worker thread, we
449 * need to grab the funnel, which means releasing audit_mtx.
450 * In case another replacement was scheduled while the mutex
451 * we released, we loop.
452 *
453 * XXX It could well be we should drain existing records
454 * first to ensure that the timestamps and ordering
455 * are right.
456 */
457 do_replacement_signal = 0;
458 while (audit_replacement_flag != 0) {
459 old_cred = audit_cred;
460 old_vp = audit_vp;
461 audit_cred = audit_replacement_cred;
462 audit_vp = audit_replacement_vp;
463 audit_replacement_cred = NOCRED;
464 audit_replacement_vp = NULL;
465 audit_replacement_flag = 0;
466
467 audit_enabled = (audit_vp != NULL);
468
469 if (old_vp != NULL || audit_vp != NULL) {
470 mutex_unlock(audit_mtx);
471 thread_funnel_set(kernel_flock, TRUE);
472 release_funnel = 1;
473 } else
474 release_funnel = 0;
475 /*
476 * XXX: What to do about write failures here?
477 */
478 if (old_vp != NULL) {
479 AUDIT_PRINTF(("Closing old audit file\n"));
480 vn_close(old_vp, audit_close_flags, old_cred,
481 audit_p);
482 kauth_cred_unref(&old_cred);
483 old_vp = NULL;
484 AUDIT_PRINTF(("Audit file closed\n"));
485 }
486 if (audit_vp != NULL) {
487 AUDIT_PRINTF(("Opening new audit file\n"));
488 }
489 if (release_funnel) {
490 thread_funnel_set(kernel_flock, FALSE);
491 mutex_lock(audit_mtx);
492 }
493 do_replacement_signal = 1;
494 }
495 /*
496 * Signal that replacement have occurred to wake up and
497 * start any other replacements started in parallel. We can
498 * continue about our business in the mean time. We
499 * broadcast so that both new replacements can be inserted,
500 * but also so that the source(s) of replacement can return
501 * successfully.
502 */
503 if (do_replacement_signal)
504 wait_queue_wakeup_all(audit_wait_queue,
505 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
506
507 /*
508 * Next, check to see if we have any records to drain into
509 * the vnode. If not, go back to waiting for an event.
510 */
511 if (TAILQ_EMPTY(&audit_q)) {
512 int ret;
513
514 AUDIT_PRINTF(("audit_worker waiting\n"));
515 ret = wait_queue_assert_wait(audit_wait_queue,
516 AUDIT_WORKER_EVENT,
517 THREAD_UNINT,
518 0);
519 mutex_unlock(audit_mtx);
520
521 assert(ret == THREAD_WAITING);
522 ret = thread_block(THREAD_CONTINUE_NULL);
523 assert(ret == THREAD_AWAKENED);
524 AUDIT_PRINTF(("audit_worker woken up\n"));
525 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
526 audit_replacement_vp, audit_replacement_flag));
527
528 mutex_lock(audit_mtx);
529 continue;
530 }
531
532 /*
533 * If we have records, but there's no active vnode to
534 * write to, drain the record queue. Generally, we
535 * prevent the unnecessary allocation of records
536 * elsewhere, but we need to allow for races between
537 * conditional allocation and queueing. Go back to
538 * waiting when we're done.
539 *
540 * XXX: We go out of our way to avoid calling audit_free()
541 * with the audit_mtx held, to avoid a lock order reversal
542 * as free() may grab the funnel. This will be fixed at
543 * some point.
544 */
545 if (audit_vp == NULL) {
546 while ((ar = TAILQ_FIRST(&audit_q))) {
547 TAILQ_REMOVE(&audit_q, ar, k_q);
548 audit_q_len--;
549 if (audit_q_len <= audit_qctrl.aq_lowater)
550 wait_queue_wakeup_one(
551 audit_wait_queue,
552 AUDIT_COMMIT_EVENT,
553 THREAD_AWAKENED);
554
555 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
556 }
557 mutex_unlock(audit_mtx);
558 while ((ar = TAILQ_FIRST(&ar_worklist))) {
559 TAILQ_REMOVE(&ar_worklist, ar, k_q);
560 audit_free(ar);
561 }
562 mutex_lock(audit_mtx);
563 continue;
564 }
565
566 /*
567 * We have both records to write, and an active vnode
568 * to write to. Dequeue a record, and start the write.
569 * Eventually, it might make sense to dequeue several
570 * records and perform our own clustering, if the lower
571 * layers aren't doing it automatically enough.
572 *
573 * XXX: We go out of our way to avoid calling audit_free()
574 * with the audit_mtx held, to avoid a lock order reversal
575 * as free() may grab the funnel. This will be fixed at
576 * some point.
577 */
578 while ((ar = TAILQ_FIRST(&audit_q))) {
579 TAILQ_REMOVE(&audit_q, ar, k_q);
580 audit_q_len--;
581 if (audit_q_len <= audit_qctrl.aq_lowater) {
582 wait_queue_wakeup_one(audit_wait_queue,
583 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
584 }
585
586 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
587 }
588 mutex_unlock(audit_mtx);
589 release_funnel = 0;
590 while ((ar = TAILQ_FIRST(&ar_worklist))) {
591 TAILQ_REMOVE(&ar_worklist, ar, k_q);
592 if (audit_vp != NULL) {
593 /*
594 * XXX: What should happen if there's a write
595 * error here?
596 */
597 if (!release_funnel) {
598 thread_funnel_set(kernel_flock, TRUE);
599 release_funnel = 1;
600 }
601 error = audit_write(audit_vp, ar, audit_cred,
602 audit_p);
603 if (error && audit_panic_on_write_fail) {
604 panic("audit_worker: write error %d\n",
605 error);
606 } else if (error) {
607 printf("audit_worker: write error %d\n",
608 error);
609 }
610 }
611 audit_free(ar);
612 }
613 if (release_funnel)
614 thread_funnel_set(kernel_flock, FALSE);
615 mutex_lock(audit_mtx);
616 }
617 }
618
619 void
620 audit_init(void)
621 {
622
623 /* Verify that the syscall to audit event table is the same
624 * size as the system call table.
625 */
626 if (nsys_au_event != nsysent) {
627 printf("Security auditing service initialization failed, ");
628 printf("audit event table doesn't match syscall table.\n");
629 return;
630 }
631
632 printf("Security auditing service present\n");
633 TAILQ_INIT(&audit_q);
634 audit_q_len = 0;
635 audit_enabled = 0;
636 audit_suspended = 0;
637 audit_replacement_cred = NULL;
638 audit_replacement_flag = 0;
639 audit_file_rotate_wait = 0;
640 audit_replacement_vp = NULL;
641 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
642 audit_fstat.af_currsz = 0;
643 audit_qctrl.aq_hiwater = AQ_HIWATER;
644 audit_qctrl.aq_lowater = AQ_LOWATER;
645 audit_qctrl.aq_bufsz = AQ_BUFSZ;
646 audit_qctrl.aq_minfree = AU_FS_MINFREE;
647
648 audit_mtx = mutex_alloc(0);
649 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
650 audit_zone = zinit(sizeof(struct kaudit_record),
651 AQ_HIWATER*sizeof(struct kaudit_record),
652 8192,
653 "audit_zone");
654
655 /* Initialize the BSM audit subsystem. */
656 kau_init();
657 }
658
659 static void
660 audit_rotate_vnode(kauth_cred_t cred, struct vnode *vp)
661 {
662 int ret;
663
664 /*
665 * If other parallel log replacements have been requested, we wait
666 * until they've finished before continuing.
667 */
668 mutex_lock(audit_mtx);
669 while (audit_replacement_flag != 0) {
670
671 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
672 "flag\n"));
673 ret = wait_queue_assert_wait(audit_wait_queue,
674 AUDIT_REPLACEMENT_EVENT,
675 THREAD_UNINT,
676 0);
677 mutex_unlock(audit_mtx);
678
679 assert(ret == THREAD_WAITING);
680 ret = thread_block(THREAD_CONTINUE_NULL);
681 assert(ret == THREAD_AWAKENED);
682 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
683 audit_replacement_flag));
684
685 mutex_lock(audit_mtx);
686 }
687 audit_replacement_cred = cred;
688 audit_replacement_flag = 1;
689 audit_replacement_vp = vp;
690
691 /*
692 * Start or wake up the audit worker to perform the exchange.
693 * It will have to wait until we release the mutex.
694 */
695 if (audit_worker_thread == THREAD_NULL)
696 audit_worker_thread = kernel_thread(kernel_task,
697 audit_worker);
698 else
699 wait_queue_wakeup_one(audit_wait_queue,
700 AUDIT_WORKER_EVENT,
701 THREAD_AWAKENED);
702
703 /*
704 * Wait for the audit_worker to broadcast that a replacement has
705 * taken place; we know that once this has happened, our vnode
706 * has been replaced in, so we can return successfully.
707 */
708 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
709 "replacement\n"));
710 ret = wait_queue_assert_wait(audit_wait_queue,
711 AUDIT_REPLACEMENT_EVENT,
712 THREAD_UNINT,
713 0);
714 mutex_unlock(audit_mtx);
715
716 assert(ret == THREAD_WAITING);
717 ret = thread_block(THREAD_CONTINUE_NULL);
718 assert(ret == THREAD_AWAKENED);
719 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
720 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
721
722 audit_file_rotate_wait = 0; /* We can now request another rotation */
723 }
724
725 /*
726 * Drain the audit queue and close the log at shutdown.
727 */
728 void
729 audit_shutdown(void)
730 {
731 audit_rotate_vnode(NULL, NULL);
732 }
733
734 static __inline__ struct uthread *
735 curuthread(void)
736 {
737 return (get_bsdthread_info(current_thread()));
738 }
739
740 static __inline__ struct kaudit_record *
741 currecord(void)
742 {
743 return (curuthread()->uu_ar);
744 }
745
746 /**********************************
747 * Begin system calls. *
748 **********************************/
749 /*
750 * System call to allow a user space application to submit a BSM audit
751 * record to the kernel for inclusion in the audit log. This function
752 * does little verification on the audit record that is submitted.
753 *
754 * XXXAUDIT: Audit preselection for user records does not currently
755 * work, since we pre-select only based on the AUE_audit event type,
756 * not the event type submitted as part of the user audit data.
757 */
758 /* ARGSUSED */
759 int
760 audit(struct proc *p, struct audit_args *uap, __unused register_t *retval)
761 {
762 int error;
763 void * rec;
764 struct kaudit_record *ar;
765 struct uthread *uthr;
766
767 error = suser(kauth_cred_get(), &p->p_acflag);
768 if (error)
769 return (error);
770
771 if ((uap->length <= 0) || (uap->length > (int)audit_qctrl.aq_bufsz))
772 return (EINVAL);
773
774 ar = currecord();
775
776 /* If there's no current audit record (audit() itself not audited)
777 * commit the user audit record.
778 */
779 if (ar == NULL) {
780 uthr = curuthread();
781 if (uthr == NULL) /* can this happen? */
782 return (ENOTSUP);
783
784 /* This is not very efficient; we're required to allocate
785 * a complete kernel audit record just so the user record
786 * can tag along.
787 */
788 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
789 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
790 return (ENOTSUP);
791 ar = uthr->uu_ar;
792 }
793
794 if (uap->length > MAX_AUDIT_RECORD_SIZE)
795 return (EINVAL);
796
797 rec = (void *)kalloc((vm_size_t)uap->length);
798
799 error = copyin(uap->record, rec, uap->length);
800 if (error)
801 goto free_out;
802
803 /* Verify the record */
804 if (bsm_rec_verify(rec) == 0) {
805 error = EINVAL;
806 goto free_out;
807 }
808
809 /* Attach the user audit record to the kernel audit record. Because
810 * this system call is an auditable event, we will write the user
811 * record along with the record for this audit event.
812 */
813 ar->k_udata = rec;
814 ar->k_ar_commit |= AR_COMMIT_USER;
815 ar->k_ulen = uap->length;
816 return (0);
817
818 free_out:
819 /* audit_syscall_exit() will free the audit record on the thread
820 * even if we allocated it above.
821 */
822 kfree(rec, uap->length);
823 return (error);
824 }
825
826 /*
827 * System call to manipulate auditing.
828 */
829 /* ARGSUSED */
830 int
831 auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t *retval)
832 {
833 int ret;
834 int len;
835 union auditon_udata udata;
836 struct proc *tp;
837
838 AUDIT_ARG(cmd, uap->cmd);
839 ret = suser(kauth_cred_get(), &p->p_acflag);
840 if (ret)
841 return (ret);
842
843 len = uap->length;
844 if ((len <= 0) || (len > (int)sizeof(union auditon_udata)))
845 return (EINVAL);
846
847 memset((void *)&udata, 0, sizeof(udata));
848
849 switch (uap->cmd) {
850 /* Some of the GET commands use the arguments too */
851 case A_SETPOLICY:
852 case A_SETKMASK:
853 case A_SETQCTRL:
854 case A_SETSTAT:
855 case A_SETUMASK:
856 case A_SETSMASK:
857 case A_SETCOND:
858 case A_SETCLASS:
859 case A_SETPMASK:
860 case A_SETFSIZE:
861 case A_SETKAUDIT:
862 case A_GETCLASS:
863 case A_GETPINFO:
864 case A_GETPINFO_ADDR:
865 ret = copyin(uap->data, (void *)&udata, uap->length);
866 if (ret)
867 return (ret);
868 AUDIT_ARG(auditon, &udata);
869 break;
870 }
871
872 /* XXX Need to implement these commands by accessing the global
873 * values associated with the commands.
874 */
875 switch (uap->cmd) {
876 case A_GETPOLICY:
877 if (!audit_fail_stop)
878 udata.au_policy |= AUDIT_CNT;
879 if (audit_panic_on_write_fail)
880 udata.au_policy |= AUDIT_AHLT;
881 break;
882 case A_SETPOLICY:
883 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
884 return (EINVAL);
885 /*
886 * XXX - Need to wake up waiters if the policy relaxes?
887 */
888 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
889 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
890 break;
891 case A_GETKMASK:
892 udata.au_mask = audit_nae_mask;
893 break;
894 case A_SETKMASK:
895 audit_nae_mask = udata.au_mask;
896 break;
897 case A_GETQCTRL:
898 udata.au_qctrl = audit_qctrl;
899 break;
900 case A_SETQCTRL:
901 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
902 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
903 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
904 (udata.au_qctrl.aq_minfree < 0) ||
905 (udata.au_qctrl.aq_minfree > 100))
906 return (EINVAL);
907
908 audit_qctrl = udata.au_qctrl;
909 /* XXX The queue delay value isn't used with the kernel. */
910 audit_qctrl.aq_delay = -1;
911 break;
912 case A_GETCWD:
913 return (ENOSYS);
914 break;
915 case A_GETCAR:
916 return (ENOSYS);
917 break;
918 case A_GETSTAT:
919 return (ENOSYS);
920 break;
921 case A_SETSTAT:
922 return (ENOSYS);
923 break;
924 case A_SETUMASK:
925 return (ENOSYS);
926 break;
927 case A_SETSMASK:
928 return (ENOSYS);
929 break;
930 case A_GETCOND:
931 if (audit_enabled && !audit_suspended)
932 udata.au_cond = AUC_AUDITING;
933 else
934 udata.au_cond = AUC_NOAUDIT;
935 break;
936 case A_SETCOND:
937 if (udata.au_cond == AUC_NOAUDIT)
938 audit_suspended = 1;
939 if (udata.au_cond == AUC_AUDITING)
940 audit_suspended = 0;
941 if (udata.au_cond == AUC_DISABLED) {
942 audit_suspended = 1;
943 audit_shutdown();
944 }
945 break;
946 case A_GETCLASS:
947 udata.au_evclass.ec_class =
948 au_event_class(udata.au_evclass.ec_number);
949 break;
950 case A_SETCLASS:
951 au_evclassmap_insert(udata.au_evclass.ec_number,
952 udata.au_evclass.ec_class);
953 break;
954 case A_GETPINFO:
955 if (udata.au_aupinfo.ap_pid < 1)
956 return (EINVAL);
957 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
958 return (EINVAL);
959
960 udata.au_aupinfo.ap_auid = tp->p_ucred->cr_au.ai_auid;
961 udata.au_aupinfo.ap_mask.am_success =
962 tp->p_ucred->cr_au.ai_mask.am_success;
963 udata.au_aupinfo.ap_mask.am_failure =
964 tp->p_ucred->cr_au.ai_mask.am_failure;
965 udata.au_aupinfo.ap_termid.machine =
966 tp->p_ucred->cr_au.ai_termid.machine;
967 udata.au_aupinfo.ap_termid.port =
968 tp->p_ucred->cr_au.ai_termid.port;
969 udata.au_aupinfo.ap_asid = tp->p_ucred->cr_au.ai_asid;
970 break;
971 case A_SETPMASK:
972 if (udata.au_aupinfo.ap_pid < 1)
973 return (EINVAL);
974 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
975 return (EINVAL);
976
977 /*
978 * we are modifying the audit info in a credential so we need a new
979 * credential (or take another reference on an existing credential that
980 * matches our new one). We must do this because the audit info in the
981 * credential is used as part of our hash key. Get current credential
982 * in the target process and take a reference while we muck with it.
983 */
984 for (;;) {
985 kauth_cred_t my_cred, my_new_cred;
986 struct auditinfo temp_auditinfo;
987
988 my_cred = kauth_cred_proc_ref(tp);
989 /*
990 * Set the credential with new info. If there is no
991 * change, we get back the same credential we passed
992 * in; if there is a change, we drop the reference on
993 * the credential we passed in. The subsequent
994 * compare is safe, because it is a pointer compare
995 * rather than a contents compare.
996 */
997 temp_auditinfo = my_cred->cr_au;
998 temp_auditinfo.ai_mask.am_success =
999 udata.au_aupinfo.ap_mask.am_success;
1000 temp_auditinfo.ai_mask.am_failure =
1001 udata.au_aupinfo.ap_mask.am_failure;
1002 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1003
1004 if (my_cred != my_new_cred) {
1005 proc_lock(tp);
1006 /* need to protect for a race where another thread also changed
1007 * the credential after we took our reference. If p_ucred has
1008 * changed then we should restart this again with the new cred.
1009 */
1010 if (tp->p_ucred != my_cred) {
1011 proc_unlock(tp);
1012 kauth_cred_unref(&my_new_cred);
1013 /* try again */
1014 continue;
1015 }
1016 tp->p_ucred = my_new_cred;
1017 proc_unlock(tp);
1018 }
1019 /* drop old proc reference or our extra reference */
1020 kauth_cred_unref(&my_cred);
1021 break;
1022 }
1023 break;
1024 case A_SETFSIZE:
1025 if ((udata.au_fstat.af_filesz != 0) &&
1026 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
1027 return (EINVAL);
1028 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
1029 break;
1030 case A_GETFSIZE:
1031 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
1032 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
1033 break;
1034 case A_GETPINFO_ADDR:
1035 return (ENOSYS);
1036 break;
1037 case A_GETKAUDIT:
1038 return (ENOSYS);
1039 break;
1040 case A_SETKAUDIT:
1041 return (ENOSYS);
1042 break;
1043 }
1044 /* Copy data back to userspace for the GET comands */
1045 switch (uap->cmd) {
1046 case A_GETPOLICY:
1047 case A_GETKMASK:
1048 case A_GETQCTRL:
1049 case A_GETCWD:
1050 case A_GETCAR:
1051 case A_GETSTAT:
1052 case A_GETCOND:
1053 case A_GETCLASS:
1054 case A_GETPINFO:
1055 case A_GETFSIZE:
1056 case A_GETPINFO_ADDR:
1057 case A_GETKAUDIT:
1058 ret = copyout((void *)&udata, uap->data, uap->length);
1059 if (ret)
1060 return (ret);
1061 break;
1062 }
1063
1064 return (0);
1065 }
1066
1067 /*
1068 * System calls to manage the user audit information.
1069 * XXXAUDIT May need to lock the proc structure.
1070 */
1071 /* ARGSUSED */
1072 int
1073 getauid(struct proc *p, struct getauid_args *uap, __unused register_t *retval)
1074 {
1075 int error;
1076
1077 error = copyout((void *)&kauth_cred_get()->cr_au.ai_auid,
1078 uap->auid, sizeof(au_id_t));
1079 if (error)
1080 return (error);
1081
1082 return (0);
1083 }
1084
1085 /* ARGSUSED */
1086 int
1087 setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval)
1088 {
1089 int error;
1090 au_id_t temp_au_id;
1091
1092 error = suser(kauth_cred_get(), &p->p_acflag);
1093 if (error)
1094 return (error);
1095
1096 error = copyin(uap->auid,
1097 (void *)&temp_au_id,
1098 sizeof(au_id_t));
1099 if (error)
1100 return (error);
1101
1102 /*
1103 * we are modifying the audit info in a credential so we need a new
1104 * credential (or take another reference on an existing credential that
1105 * matches our new one). We must do this because the audit info in the
1106 * credential is used as part of our hash key. Get current credential
1107 * in the target process and take a reference while we muck with it.
1108 */
1109 for (;;) {
1110 kauth_cred_t my_cred, my_new_cred;
1111 struct auditinfo temp_auditinfo;
1112
1113 my_cred = kauth_cred_proc_ref(p);
1114 /*
1115 * Set the credential with new info. If there is no change,
1116 * we get back the same credential we passed in; if there is
1117 * a change, we drop the reference on the credential we
1118 * passed in. The subsequent compare is safe, because it is
1119 * a pointer compare rather than a contents compare.
1120 */
1121 temp_auditinfo = my_cred->cr_au;
1122 temp_auditinfo.ai_auid = temp_au_id;
1123 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1124
1125 if (my_cred != my_new_cred) {
1126 proc_lock(p);
1127 /* need to protect for a race where another thread also changed
1128 * the credential after we took our reference. If p_ucred has
1129 * changed then we should restart this again with the new cred.
1130 */
1131 if (p->p_ucred != my_cred) {
1132 proc_unlock(p);
1133 kauth_cred_unref(&my_new_cred);
1134 /* try again */
1135 continue;
1136 }
1137 p->p_ucred = my_new_cred;
1138 proc_unlock(p);
1139 }
1140 /* drop old proc reference or our extra reference */
1141 kauth_cred_unref(&my_cred);
1142 break;
1143 }
1144
1145 /* propagate the change from the process to Mach task */
1146 set_security_token(p);
1147
1148 audit_arg_auid(kauth_cred_get()->cr_au.ai_auid);
1149 return (0);
1150 }
1151
1152 /*
1153 * System calls to get and set process audit information.
1154 * If the caller is privileged, they get the whole set of
1155 * audit information. Otherwise, the real audit mask is
1156 * filtered out - but the rest of the information is
1157 * returned.
1158 */
1159 /* ARGSUSED */
1160 int
1161 getaudit(struct proc *p, struct getaudit_args *uap, __unused register_t *retval)
1162 {
1163 struct auditinfo ai;
1164 int error;
1165
1166 ai = kauth_cred_get()->cr_au;
1167
1168 /* only superuser gets to see the real mask */
1169 error = suser(kauth_cred_get(), &p->p_acflag);
1170 if (error) {
1171 ai.ai_mask.am_success = ~0;
1172 ai.ai_mask.am_failure = ~0;
1173 }
1174
1175 error = copyout(&ai, uap->auditinfo, sizeof(ai));
1176 if (error)
1177 return (error);
1178
1179 return (0);
1180 }
1181
1182 /* ARGSUSED */
1183 int
1184 setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval)
1185 {
1186 int error;
1187 struct auditinfo temp_auditinfo;
1188 kauth_cred_t safecred;
1189
1190 error = suser(kauth_cred_get(), &p->p_acflag);
1191 if (error)
1192 return (error);
1193
1194 error = copyin(uap->auditinfo,
1195 (void *)&temp_auditinfo,
1196 sizeof(temp_auditinfo));
1197 if (error)
1198 return (error);
1199
1200 /*
1201 * we are modifying the audit info in a credential so we need a new
1202 * credential (or take another reference on an existing credential that
1203 * matches our new one). We must do this because the audit info in the
1204 * credential is used as part of our hash key. Get current credential
1205 * in the target process and take a reference while we muck with it.
1206 */
1207 for (;;) {
1208 kauth_cred_t my_cred, my_new_cred;
1209
1210 my_cred = kauth_cred_proc_ref(p);
1211 /*
1212 * Set the credential with new info. If there is no change,
1213 * we get back the same credential we passed in; if there is
1214 * a change, we drop the reference on the credential we
1215 * passed in. The subsequent compare is safe, because it is
1216 * a pointer compare rather than a contents compare.
1217 */
1218 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1219
1220 if (my_cred != my_new_cred) {
1221 proc_lock(p);
1222 /* need to protect for a race where another thread also changed
1223 * the credential after we took our reference. If p_ucred has
1224 * changed then we should restart this again with the new cred.
1225 */
1226 if (p->p_ucred != my_cred) {
1227 proc_unlock(p);
1228 kauth_cred_unref(&my_new_cred);
1229 /* try again */
1230 continue;
1231 }
1232 p->p_ucred = my_new_cred;
1233 proc_unlock(p);
1234 }
1235 /* drop old proc reference or our extra reference */
1236 kauth_cred_unref(&my_cred);
1237 break;
1238 }
1239
1240 /* propagate the change from the process to Mach task */
1241 set_security_token(p);
1242
1243 safecred = kauth_cred_proc_ref(p);
1244 audit_arg_auditinfo(&safecred->cr_au);
1245 kauth_cred_unref(&safecred);
1246
1247 return (0);
1248 }
1249
1250 /* ARGSUSED */
1251 int
1252 getaudit_addr(struct proc *p, __unused struct getaudit_addr_args *uap, __unused register_t *retval)
1253 {
1254 return (ENOSYS);
1255 }
1256
1257 /* ARGSUSED */
1258 int
1259 setaudit_addr(struct proc *p, __unused struct setaudit_addr_args *uap, __unused register_t *retval)
1260 {
1261 int error;
1262
1263 error = suser(kauth_cred_get(), &p->p_acflag);
1264 if (error)
1265 return (error);
1266 return (ENOSYS);
1267 }
1268
1269 /*
1270 * Syscall to manage audit files.
1271 *
1272 */
1273 /* ARGSUSED */
1274 int
1275 auditctl(struct proc *p, struct auditctl_args *uap, __unused register_t *retval)
1276 {
1277 struct nameidata nd;
1278 kauth_cred_t cred;
1279 struct vnode *vp;
1280 int error, flags;
1281 struct vfs_context context;
1282
1283 context.vc_proc = p;
1284 context.vc_ucred = kauth_cred_get();
1285
1286 error = suser(kauth_cred_get(), &p->p_acflag);
1287 if (error)
1288 return (error);
1289
1290 vp = NULL;
1291 cred = NULL;
1292
1293 /*
1294 * If a path is specified, open the replacement vnode, perform
1295 * validity checks, and grab another reference to the current
1296 * credential.
1297 */
1298 if (uap->path != 0) {
1299 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1300 (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
1301 uap->path, &context);
1302 flags = audit_open_flags;
1303 error = vn_open(&nd, flags, 0);
1304 if (error)
1305 goto out;
1306 vp = nd.ni_vp;
1307 if (vp->v_type != VREG) {
1308 vn_close(vp, audit_close_flags, kauth_cred_get(), p);
1309 vnode_put(vp);
1310 error = EINVAL;
1311 goto out;
1312 }
1313 cred = kauth_cred_get_with_ref();
1314 audit_suspended = 0;
1315 }
1316 /*
1317 * a vp and cred of NULL is valid at this point
1318 * and indicates we're to turn off auditing...
1319 */
1320 audit_rotate_vnode(cred, vp);
1321 if (vp)
1322 vnode_put(vp);
1323 out:
1324 return (error);
1325 }
1326
1327 /**********************************
1328 * End of system calls. *
1329 **********************************/
1330
1331 /*
1332 * MPSAFE
1333 */
1334 struct kaudit_record *
1335 audit_new(int event, struct proc *p, __unused struct uthread *uthread)
1336 {
1337 struct kaudit_record *ar;
1338 int no_record;
1339 kauth_cred_t safecred;
1340
1341 /*
1342 * Eventually, there may be certain classes of events that
1343 * we will audit regardless of the audit state at the time
1344 * the record is created. These events will generally
1345 * correspond to changes in the audit state. The dummy
1346 * code below is from our first prototype, but may also
1347 * be used in the final version (with modified event numbers).
1348 */
1349 #if 0
1350 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1351 #endif
1352 mutex_lock(audit_mtx);
1353 no_record = (audit_suspended || !audit_enabled);
1354 mutex_unlock(audit_mtx);
1355 if (no_record)
1356 return (NULL);
1357 #if 0
1358 }
1359 #endif
1360
1361 /*
1362 * Initialize the audit record header.
1363 * XXX: We may want to fail-stop if allocation fails.
1364 * XXX: The number of outstanding uncommitted audit records is
1365 * limited by the number of concurrent threads servicing system
1366 * calls in the kernel.
1367 */
1368
1369 ar = (struct kaudit_record *)zalloc(audit_zone);
1370 if (ar == NULL)
1371 return NULL;
1372
1373 mutex_lock(audit_mtx);
1374 audit_pre_q_len++;
1375 mutex_unlock(audit_mtx);
1376
1377 bzero(ar, sizeof(*ar));
1378 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1379 ar->k_ar.ar_event = event;
1380 nanotime(&ar->k_ar.ar_starttime);
1381
1382 safecred = kauth_cred_proc_ref(p);
1383 /* Export the subject credential. */
1384 cru2x(safecred, &ar->k_ar.ar_subj_cred);
1385
1386 ar->k_ar.ar_subj_ruid = safecred->cr_ruid;
1387 ar->k_ar.ar_subj_rgid = safecred->cr_rgid;
1388 ar->k_ar.ar_subj_egid = safecred->cr_groups[0];
1389 ar->k_ar.ar_subj_auid = safecred->cr_au.ai_auid;
1390 ar->k_ar.ar_subj_asid = safecred->cr_au.ai_asid;
1391 ar->k_ar.ar_subj_amask = safecred->cr_au.ai_mask;
1392 ar->k_ar.ar_subj_term = safecred->cr_au.ai_termid;
1393 kauth_cred_unref(&safecred);
1394
1395 ar->k_ar.ar_subj_pid = p->p_pid;
1396 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
1397
1398 return (ar);
1399 }
1400
1401 /*
1402 * MPSAFE
1403 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1404 */
1405 void
1406 audit_abort(struct kaudit_record *ar)
1407 {
1408 mutex_lock(audit_mtx);
1409 audit_pre_q_len--;
1410 mutex_unlock(audit_mtx);
1411 audit_free(ar);
1412 }
1413
1414 /*
1415 * MPSAFE
1416 */
1417 void
1418 audit_commit(struct kaudit_record *ar, int error, int retval)
1419 {
1420 int ret;
1421 int sorf;
1422 struct au_mask *aumask;
1423
1424 if (ar == NULL)
1425 return;
1426
1427 /*
1428 * Decide whether to commit the audit record by checking the
1429 * error value from the system call and using the appropriate
1430 * audit mask.
1431 */
1432 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1433 aumask = &audit_nae_mask;
1434 else
1435 aumask = &ar->k_ar.ar_subj_amask;
1436
1437 if (error)
1438 sorf = AU_PRS_FAILURE;
1439 else
1440 sorf = AU_PRS_SUCCESS;
1441
1442 switch(ar->k_ar.ar_event) {
1443
1444 case AUE_OPEN_RWTC:
1445 /* The open syscall always writes a OPEN_RWTC event; limit the
1446 * to the proper type of event based on the flags and the error
1447 * value.
1448 */
1449 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1450 break;
1451
1452 case AUE_SYSCTL:
1453 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1454 break;
1455
1456 case AUE_AUDITON:
1457 /* Convert the auditon() command to an event */
1458 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1459 break;
1460 }
1461
1462 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1463 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1464
1465 if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
1466 mutex_lock(audit_mtx);
1467 audit_pre_q_len--;
1468 mutex_unlock(audit_mtx);
1469 audit_free(ar);
1470 return;
1471 }
1472
1473 ar->k_ar.ar_errno = error;
1474 ar->k_ar.ar_retval = retval;
1475
1476 /*
1477 * We might want to do some system-wide post-filtering
1478 * here at some point.
1479 */
1480
1481 /*
1482 * Timestamp system call end.
1483 */
1484 nanotime(&ar->k_ar.ar_endtime);
1485
1486 mutex_lock(audit_mtx);
1487 /*
1488 * Note: it could be that some records initiated while audit was
1489 * enabled should still be committed?
1490 */
1491 if (audit_suspended || !audit_enabled) {
1492 audit_pre_q_len--;
1493 mutex_unlock(audit_mtx);
1494 audit_free(ar);
1495 return;
1496 }
1497
1498 /*
1499 * Constrain the number of committed audit records based on
1500 * the configurable parameter.
1501 */
1502 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1503
1504 ret = wait_queue_assert_wait(audit_wait_queue,
1505 AUDIT_COMMIT_EVENT,
1506 THREAD_UNINT,
1507 0);
1508 mutex_unlock(audit_mtx);
1509
1510 assert(ret == THREAD_WAITING);
1511
1512 ret = thread_block(THREAD_CONTINUE_NULL);
1513 assert(ret == THREAD_AWAKENED);
1514 mutex_lock(audit_mtx);
1515 }
1516
1517 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
1518 audit_q_len++;
1519 audit_pre_q_len--;
1520 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
1521 mutex_unlock(audit_mtx);
1522 }
1523
1524 /*
1525 * Calls to set up and tear down audit structures associated with
1526 * each system call.
1527 */
1528 void
1529 audit_syscall_enter(unsigned short code, struct proc *proc,
1530 struct uthread *uthread)
1531 {
1532 int audit_event;
1533 struct au_mask *aumask;
1534
1535 audit_event = sys_au_event[code];
1536 if (audit_event == AUE_NULL)
1537 return;
1538
1539 assert(uthread->uu_ar == NULL);
1540
1541 /* Check which audit mask to use; either the kernel non-attributable
1542 * event mask or the process audit mask.
1543 */
1544 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1545 aumask = &audit_nae_mask;
1546 else
1547 aumask = &proc->p_ucred->cr_au.ai_mask;
1548
1549 /*
1550 * Allocate an audit record, if preselection allows it, and store
1551 * in the BSD thread for later use.
1552 */
1553 if (au_preselect(audit_event, aumask,
1554 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1555 /*
1556 * If we're out of space and need to suspend unprivileged
1557 * processes, do that here rather than trying to allocate
1558 * another audit record.
1559 */
1560 if (audit_in_failure &&
1561 suser(kauth_cred_get(), &proc->p_acflag) != 0) {
1562 int ret;
1563
1564 assert(audit_worker_thread != THREAD_NULL);
1565 ret = wait_queue_assert_wait(audit_wait_queue,
1566 AUDIT_FAILURE_EVENT, THREAD_UNINT, 0);
1567 assert(ret == THREAD_WAITING);
1568 (void)thread_block(THREAD_CONTINUE_NULL);
1569 panic("audit_failing_stop: thread continued");
1570 }
1571 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1572 } else {
1573 uthread->uu_ar = NULL;
1574 }
1575 }
1576
1577 void
1578 audit_syscall_exit(int error, AUDIT_PRINTF_ONLY struct proc *proc, struct uthread *uthread)
1579 {
1580 int retval;
1581
1582 /*
1583 * Commit the audit record as desired; once we pass the record
1584 * into audit_commit(), the memory is owned by the audit
1585 * subsystem.
1586 * The return value from the system call is stored on the user
1587 * thread. If there was an error, the return value is set to -1,
1588 * imitating the behavior of the cerror routine.
1589 */
1590 if (error)
1591 retval = -1;
1592 else
1593 retval = uthread->uu_rval[0];
1594
1595 audit_commit(uthread->uu_ar, error, retval);
1596 if (uthread->uu_ar != NULL) {
1597 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1598 }
1599 uthread->uu_ar = NULL;
1600
1601 }
1602
1603 /*
1604 * Calls to set up and tear down audit structures used during Mach
1605 * system calls.
1606 */
1607 void
1608 audit_mach_syscall_enter(unsigned short audit_event)
1609 {
1610 struct uthread *uthread;
1611 struct proc *proc;
1612 struct au_mask *aumask;
1613
1614 if (audit_event == AUE_NULL)
1615 return;
1616
1617 uthread = curuthread();
1618 if (uthread == NULL)
1619 return;
1620
1621 proc = current_proc();
1622 if (proc == NULL)
1623 return;
1624
1625 assert(uthread->uu_ar == NULL);
1626
1627 /* Check which audit mask to use; either the kernel non-attributable
1628 * event mask or the process audit mask.
1629 */
1630 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1631 aumask = &audit_nae_mask;
1632 else
1633 aumask = &proc->p_ucred->cr_au.ai_mask;
1634
1635 /*
1636 * Allocate an audit record, if desired, and store in the BSD
1637 * thread for later use.
1638 */
1639 if (au_preselect(audit_event, aumask,
1640 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1641 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1642 } else {
1643 uthread->uu_ar = NULL;
1644 }
1645 }
1646
1647 void
1648 audit_mach_syscall_exit(int retval, struct uthread *uthread)
1649 {
1650 /* The error code from Mach system calls is the same as the
1651 * return value
1652 */
1653 /* XXX Is the above statement always true? */
1654 audit_commit(uthread->uu_ar, retval, retval);
1655 uthread->uu_ar = NULL;
1656
1657 }
1658
1659 /*
1660 * Calls to manipulate elements of the audit record structure from system
1661 * call code. Macro wrappers will prevent this functions from being
1662 * entered if auditing is disabled, avoiding the function call cost. We
1663 * check the thread audit record pointer anyway, as the audit condition
1664 * could change, and pre-selection may not have allocated an audit
1665 * record for this event.
1666 */
1667 void
1668 audit_arg_addr(user_addr_t addr)
1669 {
1670 struct kaudit_record *ar;
1671
1672 ar = currecord();
1673 if (ar == NULL)
1674 return;
1675
1676 ar->k_ar.ar_arg_addr = CAST_DOWN(void *, addr); /* XXX */
1677 ar->k_ar.ar_valid_arg |= ARG_ADDR;
1678 }
1679
1680 void
1681 audit_arg_len(user_size_t len)
1682 {
1683 struct kaudit_record *ar;
1684
1685 ar = currecord();
1686 if (ar == NULL)
1687 return;
1688
1689 ar->k_ar.ar_arg_len = CAST_DOWN(int, len); /* XXX */
1690 ar->k_ar.ar_valid_arg |= ARG_LEN;
1691 }
1692
1693 void
1694 audit_arg_fd(int fd)
1695 {
1696 struct kaudit_record *ar;
1697
1698 ar = currecord();
1699 if (ar == NULL)
1700 return;
1701
1702 ar->k_ar.ar_arg_fd = fd;
1703 ar->k_ar.ar_valid_arg |= ARG_FD;
1704 }
1705
1706 void
1707 audit_arg_fflags(int fflags)
1708 {
1709 struct kaudit_record *ar;
1710
1711 ar = currecord();
1712 if (ar == NULL)
1713 return;
1714
1715 ar->k_ar.ar_arg_fflags = fflags;
1716 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1717 }
1718
1719 void
1720 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1721 {
1722 struct kaudit_record *ar;
1723
1724 ar = currecord();
1725 if (ar == NULL)
1726 return;
1727
1728 ar->k_ar.ar_arg_gid = gid;
1729 ar->k_ar.ar_arg_egid = egid;
1730 ar->k_ar.ar_arg_rgid = rgid;
1731 ar->k_ar.ar_arg_sgid = sgid;
1732 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1733 }
1734
1735 void
1736 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1737 {
1738 struct kaudit_record *ar;
1739
1740 ar = currecord();
1741 if (ar == NULL)
1742 return;
1743
1744 ar->k_ar.ar_arg_uid = uid;
1745 ar->k_ar.ar_arg_euid = euid;
1746 ar->k_ar.ar_arg_ruid = ruid;
1747 ar->k_ar.ar_arg_suid = suid;
1748 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1749 }
1750
1751 void
1752 audit_arg_groupset(const gid_t *gidset, u_int gidset_size)
1753 {
1754 uint i;
1755 struct kaudit_record *ar;
1756
1757 ar = currecord();
1758 if (ar == NULL)
1759 return;
1760
1761 for (i = 0; i < gidset_size; i++)
1762 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1763 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1764 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1765 }
1766
1767 void
1768 audit_arg_login(const char *login)
1769 {
1770 struct kaudit_record *ar;
1771
1772 ar = currecord();
1773 if (ar == NULL)
1774 return;
1775
1776 #if 0
1777 /*
1778 * XXX: Add strlcpy() to Darwin for improved safety.
1779 */
1780 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1781 #else
1782 strcpy(ar->k_ar.ar_arg_login, login);
1783 #endif
1784
1785 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1786 }
1787
1788 void
1789 audit_arg_ctlname(const int *name, int namelen)
1790 {
1791 struct kaudit_record *ar;
1792
1793 ar = currecord();
1794 if (ar == NULL)
1795 return;
1796
1797 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1798 ar->k_ar.ar_arg_len = namelen;
1799 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1800 }
1801
1802 void
1803 audit_arg_mask(int mask)
1804 {
1805 struct kaudit_record *ar;
1806
1807 ar = currecord();
1808 if (ar == NULL)
1809 return;
1810
1811 ar->k_ar.ar_arg_mask = mask;
1812 ar->k_ar.ar_valid_arg |= ARG_MASK;
1813 }
1814
1815 void
1816 audit_arg_mode(mode_t mode)
1817 {
1818 struct kaudit_record *ar;
1819
1820 ar = currecord();
1821 if (ar == NULL)
1822 return;
1823
1824 ar->k_ar.ar_arg_mode = mode;
1825 ar->k_ar.ar_valid_arg |= ARG_MODE;
1826 }
1827
1828 void
1829 audit_arg_dev(int dev)
1830 {
1831 struct kaudit_record *ar;
1832
1833 ar = currecord();
1834 if (ar == NULL)
1835 return;
1836
1837 ar->k_ar.ar_arg_dev = dev;
1838 ar->k_ar.ar_valid_arg |= ARG_DEV;
1839 }
1840
1841 void
1842 audit_arg_value(long value)
1843 {
1844 struct kaudit_record *ar;
1845
1846 ar = currecord();
1847 if (ar == NULL)
1848 return;
1849
1850 ar->k_ar.ar_arg_value = value;
1851 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1852 }
1853
1854 void
1855 audit_arg_owner(uid_t uid, gid_t gid)
1856 {
1857 struct kaudit_record *ar;
1858
1859 ar = currecord();
1860 if (ar == NULL)
1861 return;
1862
1863 ar->k_ar.ar_arg_uid = uid;
1864 ar->k_ar.ar_arg_gid = gid;
1865 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1866 }
1867
1868 void
1869 audit_arg_pid(pid_t pid)
1870 {
1871 struct kaudit_record *ar;
1872
1873 ar = currecord();
1874 if (ar == NULL)
1875 return;
1876
1877 ar->k_ar.ar_arg_pid = pid;
1878 ar->k_ar.ar_valid_arg |= ARG_PID;
1879 }
1880
1881 void
1882 audit_arg_process(struct proc *p)
1883 {
1884 struct kaudit_record *ar;
1885
1886 ar = currecord();
1887 if ((ar == NULL) || (p == NULL))
1888 return;
1889
1890 ar->k_ar.ar_arg_auid = p->p_ucred->cr_au.ai_auid;
1891 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1892 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
1893 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
1894 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
1895 ar->k_ar.ar_arg_asid = p->p_ucred->cr_au.ai_asid;
1896 ar->k_ar.ar_arg_termid = p->p_ucred->cr_au.ai_termid;
1897
1898 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1899 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
1900 }
1901
1902 void
1903 audit_arg_signum(u_int signum)
1904 {
1905 struct kaudit_record *ar;
1906
1907 ar = currecord();
1908 if (ar == NULL)
1909 return;
1910
1911 ar->k_ar.ar_arg_signum = signum;
1912 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1913 }
1914
1915 void
1916 audit_arg_socket(int sodomain, int sotype, int soprotocol)
1917 {
1918
1919 struct kaudit_record *ar;
1920
1921 ar = currecord();
1922 if (ar == NULL)
1923 return;
1924
1925 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1926 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1927 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
1928 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1929 }
1930
1931 void
1932 audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1933 {
1934 struct kaudit_record *ar;
1935
1936 ar = currecord();
1937 if (ar == NULL || p == NULL || so == NULL)
1938 return;
1939
1940 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1941 switch (so->sa_family) {
1942 case AF_INET:
1943 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1944 break;
1945 case AF_INET6:
1946 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1947 break;
1948 case AF_UNIX:
1949 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1950 ARG_UPATH1);
1951 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1952 break;
1953 }
1954 }
1955
1956 void
1957 audit_arg_auid(uid_t auid)
1958 {
1959 struct kaudit_record *ar;
1960
1961 ar = currecord();
1962 if (ar == NULL)
1963 return;
1964
1965 ar->k_ar.ar_arg_auid = auid;
1966 ar->k_ar.ar_valid_arg |= ARG_AUID;
1967 }
1968
1969 void
1970 audit_arg_auditinfo(const struct auditinfo *au_info)
1971 {
1972 struct kaudit_record *ar;
1973
1974 ar = currecord();
1975 if (ar == NULL)
1976 return;
1977
1978 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1979 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1980 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1981 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1982 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1983 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1984 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1985 }
1986
1987 void
1988 audit_arg_text(const char *text)
1989 {
1990 struct kaudit_record *ar;
1991
1992 ar = currecord();
1993 if (ar == NULL)
1994 return;
1995
1996 /* Invalidate the text string */
1997 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1998 if (text == NULL)
1999 return;
2000
2001 if (ar->k_ar.ar_arg_text == NULL) {
2002 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
2003 if (ar->k_ar.ar_arg_text == NULL)
2004 return;
2005 }
2006
2007 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
2008 ar->k_ar.ar_valid_arg |= ARG_TEXT;
2009 }
2010
2011 void
2012 audit_arg_cmd(int cmd)
2013 {
2014 struct kaudit_record *ar;
2015
2016 ar = currecord();
2017 if (ar == NULL)
2018 return;
2019
2020 ar->k_ar.ar_arg_cmd = cmd;
2021 ar->k_ar.ar_valid_arg |= ARG_CMD;
2022 }
2023
2024 void
2025 audit_arg_svipc_cmd(int cmd)
2026 {
2027 struct kaudit_record *ar;
2028
2029 ar = currecord();
2030 if (ar == NULL)
2031 return;
2032
2033 ar->k_ar.ar_arg_svipc_cmd = cmd;
2034 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
2035 }
2036
2037 void
2038 audit_arg_svipc_perm(const struct ipc_perm *perm)
2039 {
2040 struct kaudit_record *ar;
2041
2042 ar = currecord();
2043 if (ar == NULL)
2044 return;
2045
2046 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
2047 sizeof(ar->k_ar.ar_arg_svipc_perm));
2048 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
2049 }
2050
2051 void
2052 audit_arg_svipc_id(int id)
2053 {
2054 struct kaudit_record *ar;
2055
2056 ar = currecord();
2057 if (ar == NULL)
2058 return;
2059
2060 ar->k_ar.ar_arg_svipc_id = id;
2061 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
2062 }
2063
2064 void
2065 audit_arg_svipc_addr(void * addr)
2066 {
2067 struct kaudit_record *ar;
2068
2069 ar = currecord();
2070 if (ar == NULL)
2071 return;
2072
2073 ar->k_ar.ar_arg_svipc_addr = addr;
2074 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
2075 }
2076
2077 void
2078 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
2079 {
2080 struct kaudit_record *ar;
2081
2082 ar = currecord();
2083 if (ar == NULL)
2084 return;
2085
2086 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
2087 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
2088 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
2089 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
2090 }
2091
2092 void
2093 audit_arg_auditon(const union auditon_udata *udata)
2094 {
2095 struct kaudit_record *ar;
2096
2097 ar = currecord();
2098 if (ar == NULL)
2099 return;
2100
2101 bcopy((const void *)udata, &ar->k_ar.ar_arg_auditon,
2102 sizeof(ar->k_ar.ar_arg_auditon));
2103 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
2104 }
2105
2106 /*
2107 * Audit information about a file, either the file's vnode info, or its
2108 * socket address info.
2109 */
2110 void
2111 audit_arg_file(__unused struct proc *p, const struct fileproc *fp)
2112 {
2113 struct kaudit_record *ar;
2114 struct socket *so;
2115 struct inpcb *pcb;
2116
2117 if (fp->f_fglob->fg_type == DTYPE_VNODE) {
2118 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2119 return;
2120 }
2121
2122 if (fp->f_fglob->fg_type == DTYPE_SOCKET) {
2123 ar = currecord();
2124 if (ar == NULL)
2125 return;
2126 so = (struct socket *)fp->f_fglob->fg_data;
2127 if (INP_CHECK_SOCKAF(so, PF_INET)) {
2128 if (so->so_pcb == NULL)
2129 return;
2130 ar->k_ar.ar_arg_sockinfo.so_type =
2131 so->so_type;
2132 ar->k_ar.ar_arg_sockinfo.so_domain =
2133 INP_SOCKAF(so);
2134 ar->k_ar.ar_arg_sockinfo.so_protocol =
2135 so->so_proto->pr_protocol;
2136 pcb = (struct inpcb *)so->so_pcb;
2137 ar->k_ar.ar_arg_sockinfo.so_raddr =
2138 pcb->inp_faddr.s_addr;
2139 ar->k_ar.ar_arg_sockinfo.so_laddr =
2140 pcb->inp_laddr.s_addr;
2141 ar->k_ar.ar_arg_sockinfo.so_rport =
2142 pcb->inp_fport;
2143 ar->k_ar.ar_arg_sockinfo.so_lport =
2144 pcb->inp_lport;
2145 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2146 }
2147 }
2148
2149 }
2150
2151
2152 /*
2153 * Store a path as given by the user process for auditing into the audit
2154 * record stored on the user thread. This function will allocate the memory to
2155 * store the path info if not already available. This memory will be
2156 * freed when the audit record is freed.
2157 */
2158 void
2159 audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2160 {
2161 struct kaudit_record *ar;
2162 char **pathp;
2163
2164 if (p == NULL || upath == NULL)
2165 return; /* nothing to do! */
2166
2167 if ((flags & (ARG_UPATH1 | ARG_UPATH2)) == 0)
2168 return;
2169
2170 ar = currecord();
2171 if (ar == NULL) /* This will be the case for unaudited system calls */
2172 return;
2173
2174 if (flags & ARG_UPATH1) {
2175 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2176 pathp = &ar->k_ar.ar_arg_upath1;
2177 }
2178 else {
2179 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2180 pathp = &ar->k_ar.ar_arg_upath2;
2181 }
2182
2183 if (*pathp == NULL) {
2184 *pathp = (char *)kalloc(MAXPATHLEN);
2185 if (*pathp == NULL)
2186 return;
2187 }
2188
2189 if (canon_path(p, upath, *pathp) == 0) {
2190 if (flags & ARG_UPATH1)
2191 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2192 else
2193 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
2194 } else {
2195 kfree(*pathp, MAXPATHLEN);
2196 *pathp = NULL;
2197 }
2198 }
2199
2200 /*
2201 * Function to save the path and vnode attr information into the audit
2202 * record.
2203 *
2204 * It is assumed that the caller will hold any vnode locks necessary to
2205 * perform a VNOP_GETATTR() on the passed vnode.
2206 *
2207 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2208 * always provides access to the generation number as we need that
2209 * to construct the BSM file ID.
2210 * XXX: We should accept the process argument from the caller, since
2211 * it's very likely they already have a reference.
2212 * XXX: Error handling in this function is poor.
2213 */
2214 void
2215 audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2216 {
2217 struct kaudit_record *ar;
2218 struct vnode_attr va;
2219 int error;
2220 int len;
2221 char **pathp;
2222 struct vnode_au_info *vnp;
2223 struct proc *p;
2224 struct vfs_context context;
2225
2226 if (vp == NULL)
2227 return;
2228
2229 ar = currecord();
2230 if (ar == NULL) /* This will be the case for unaudited system calls */
2231 return;
2232
2233 if ((flags & (ARG_VNODE1 | ARG_VNODE2)) == 0)
2234 return;
2235
2236 p = current_proc();
2237
2238 if (flags & ARG_VNODE1) {
2239 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2240 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2241 pathp = &ar->k_ar.ar_arg_kpath1;
2242 vnp = &ar->k_ar.ar_arg_vnode1;
2243 }
2244 else {
2245 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2246 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2247 pathp = &ar->k_ar.ar_arg_kpath2;
2248 vnp = &ar->k_ar.ar_arg_vnode2;
2249 }
2250
2251 if (*pathp == NULL) {
2252 *pathp = (char *)kalloc(MAXPATHLEN);
2253 if (*pathp == NULL)
2254 return;
2255 }
2256
2257 /*
2258 * If vn_getpath() succeeds, place it in a string buffer
2259 * attached to the audit record, and set a flag indicating
2260 * it is present.
2261 */
2262 len = MAXPATHLEN;
2263 if (vn_getpath(vp, *pathp, &len) == 0) {
2264 if (flags & ARG_VNODE1)
2265 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2266 else
2267 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
2268 } else {
2269 kfree(*pathp, MAXPATHLEN);
2270 *pathp = NULL;
2271 }
2272
2273 context.vc_proc = p;
2274 context.vc_ucred = kauth_cred_get();
2275
2276 VATTR_INIT(&va);
2277 VATTR_WANTED(&va, va_mode);
2278 VATTR_WANTED(&va, va_uid);
2279 VATTR_WANTED(&va, va_gid);
2280 VATTR_WANTED(&va, va_rdev);
2281 VATTR_WANTED(&va, va_fsid);
2282 VATTR_WANTED(&va, va_fileid);
2283 VATTR_WANTED(&va, va_gen);
2284 error = vnode_getattr(vp, &va, &context);
2285 if (error) {
2286 /* XXX: How to handle this case? */
2287 return;
2288 }
2289
2290 /* XXX do we want to fall back here when these aren't supported? */
2291 vnp->vn_mode = va.va_mode;
2292 vnp->vn_uid = va.va_uid;
2293 vnp->vn_gid = va.va_gid;
2294 vnp->vn_dev = va.va_rdev;
2295 vnp->vn_fsid = va.va_fsid;
2296 vnp->vn_fileid = (u_long)va.va_fileid;
2297 vnp->vn_gen = va.va_gen;
2298 if (flags & ARG_VNODE1)
2299 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2300 else
2301 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2302
2303 }
2304
2305 void
2306 audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags)
2307 {
2308 if (vp == NULL || vnode_getwithref(vp))
2309 return;
2310 audit_arg_vnpath(vp, flags);
2311 (void)vnode_put(vp);
2312 }
2313
2314 void
2315 audit_arg_mach_port1(mach_port_name_t port)
2316 {
2317 struct kaudit_record *ar;
2318
2319 ar = currecord();
2320 if (ar == NULL)
2321 return;
2322
2323 ar->k_ar.ar_arg_mach_port1 = port;
2324 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2325 }
2326
2327 void
2328 audit_arg_mach_port2(mach_port_name_t port)
2329 {
2330 struct kaudit_record *ar;
2331
2332 ar = currecord();
2333 if (ar == NULL)
2334 return;
2335
2336 ar->k_ar.ar_arg_mach_port2 = port;
2337 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2338 }
2339
2340 /*
2341 * The close() system call uses it's own audit call to capture the
2342 * path/vnode information because those pieces are not easily obtained
2343 * within the system call itself.
2344 */
2345 void
2346 audit_sysclose(struct proc *p, int fd)
2347 {
2348 struct fileproc *fp;
2349 struct vnode *vp;
2350
2351 audit_arg_fd(fd);
2352
2353 if (fp_getfvp(p, fd, &fp, &vp) != 0)
2354 return;
2355
2356 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2357 file_drop(fd);
2358 }
2359
2360 #else /* !AUDIT */
2361
2362 void
2363 audit_init(void)
2364 {
2365
2366 }
2367
2368 void
2369 audit_shutdown(void)
2370 {
2371
2372 }
2373
2374 int
2375 audit(struct proc *p, struct audit_args *uap, register_t *retval)
2376 {
2377 return (ENOSYS);
2378 }
2379
2380 int
2381 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2382 {
2383 return (ENOSYS);
2384 }
2385
2386 int
2387 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2388 {
2389 return (ENOSYS);
2390 }
2391
2392 int
2393 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2394 {
2395 return (ENOSYS);
2396 }
2397
2398 int
2399 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2400 {
2401 return (ENOSYS);
2402 }
2403
2404 int
2405 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2406 {
2407 return (ENOSYS);
2408 }
2409
2410 int
2411 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2412 {
2413 return (ENOSYS);
2414 }
2415
2416 int
2417 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2418 {
2419 return (ENOSYS);
2420 }
2421
2422 int
2423 auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2424 {
2425 return (ENOSYS);
2426 }
2427
2428 #endif /* AUDIT */
mirror of XNU