2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2006-2007 Robert N. M. Watson
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
32 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
33 * support for mandatory and extensible security protections. This notice
34 * is included in support of clause 2.2 (b) of the Apple Public License,
38 #include <sys/param.h>
39 #include <sys/fcntl.h>
40 #include <sys/kernel.h>
42 #include <sys/namei.h>
43 #include <sys/proc_internal.h>
44 #include <sys/kauth.h>
45 #include <sys/queue.h>
46 #include <sys/systm.h>
48 #include <sys/ucred.h>
50 #include <sys/unistd.h>
51 #include <sys/file_internal.h>
52 #include <sys/vnode_internal.h>
54 #include <sys/syscall.h>
55 #include <sys/malloc.h>
57 #include <sys/sysent.h>
58 #include <sys/sysproto.h>
59 #include <sys/vfs_context.h>
60 #include <sys/domain.h>
61 #include <sys/protosw.h>
62 #include <sys/socketvar.h>
64 #include <bsm/audit.h>
65 #include <bsm/audit_internal.h>
66 #include <bsm/audit_kevents.h>
68 #include <security/audit/audit.h>
69 #include <security/audit/audit_bsd.h>
70 #include <security/audit/audit_private.h>
72 #include <mach/host_priv.h>
73 #include <mach/host_special_ports.h>
74 #include <mach/audit_triggers_server.h>
76 #include <kern/host.h>
77 #include <kern/kalloc.h>
78 #include <kern/zalloc.h>
79 #include <kern/sched_prim.h>
81 #include <net/route.h>
83 #include <netinet/in.h>
84 #include <netinet/in_pcb.h>
87 MALLOC_DEFINE(M_AUDITDATA
, "audit_data", "Audit data storage");
88 MALLOC_DEFINE(M_AUDITPATH
, "audit_path", "Audit path storage");
89 MALLOC_DEFINE(M_AUDITTEXT
, "audit_text", "Audit text storage");
92 * Audit control settings that are set/read by system calls and are hence
95 * Define the audit control flags.
101 au_class_t audit_kevent_mask
;
104 * Flags controlling behavior in low storage situations. Should we panic if
105 * a write fails? Should we fail stop if we're out of disk space?
107 int audit_panic_on_write_fail
;
113 * Are we currently "failing stop" due to out of disk space?
115 int audit_in_failure
;
118 * Global audit statistics.
120 struct audit_fstat audit_fstat
;
123 * Preselection mask for non-attributable events.
125 struct au_mask audit_nae_mask
;
128 * Mutex to protect global variables shared between various threads and
131 struct mtx audit_mtx
;
134 * Queue of audit records ready for delivery to disk. We insert new records
135 * at the tail, and remove records from the head. Also, a count of the
136 * number of records used for checking queue depth. In addition, a counter
137 * of records that we have allocated but are not yet in the queue, which is
138 * needed to estimate the total size of the combined set of records
139 * outstanding in the system.
141 struct kaudit_queue audit_q
;
146 * Audit queue control settings (minimum free, low/high water marks, etc.)
148 struct au_qctrl audit_qctrl
;
151 * Condition variable to signal to the worker that it has work to do: either
152 * new records are in the queue, or a log replacement is taking place.
154 struct cv audit_worker_cv
;
157 * Condition variable to signal when the worker is done draining the audit
160 struct cv audit_drain_cv
;
163 * Condition variable to flag when crossing the low watermark, meaning that
164 * threads blocked due to hitting the high watermark can wake up and continue
167 struct cv audit_watermark_cv
;
170 * Condition variable for auditing threads wait on when in fail-stop mode.
171 * Threads wait on this CV forever (and ever), never seeing the light of day
174 static struct cv audit_fail_cv
;
176 static zone_t audit_record_zone
;
179 * Kernel audit information. This will store the current audit address
180 * or host information that the kernel will use when it's generating
181 * audit records. This data is modified by the A_GET{SET}KAUDIT auditon(2)
184 static struct auditinfo_addr audit_kinfo
;
185 static struct rwlock audit_kinfo_lock
;
187 #define KINFO_LOCK_INIT() rw_init(&audit_kinfo_lock, \
189 #define KINFO_RLOCK() rw_rlock(&audit_kinfo_lock)
190 #define KINFO_WLOCK() rw_wlock(&audit_kinfo_lock)
191 #define KINFO_RUNLOCK() rw_runlock(&audit_kinfo_lock)
192 #define KINFO_WUNLOCK() rw_wunlock(&audit_kinfo_lock)
195 audit_set_kinfo(struct auditinfo_addr
*ak
)
198 KASSERT(ak
->ai_termid
.at_type
== AU_IPv4
||
199 ak
->ai_termid
.at_type
== AU_IPv6
,
200 ("audit_set_kinfo: invalid address type"));
203 bcopy(ak
, &audit_kinfo
, sizeof(audit_kinfo
));
208 audit_get_kinfo(struct auditinfo_addr
*ak
)
211 KASSERT(audit_kinfo
.ai_termid
.at_type
== AU_IPv4
||
212 audit_kinfo
.ai_termid
.at_type
== AU_IPv6
,
213 ("audit_set_kinfo: invalid address type"));
216 bcopy(&audit_kinfo
, ak
, sizeof(*ak
));
221 * Construct an audit record for the passed thread.
224 audit_record_ctor(proc_t p
, struct kaudit_record
*ar
)
228 bzero(ar
, sizeof(*ar
));
229 ar
->k_ar
.ar_magic
= AUDIT_RECORD_MAGIC
;
230 nanotime(&ar
->k_ar
.ar_starttime
);
232 if (PROC_NULL
!= p
) {
233 cred
= kauth_cred_proc_ref(p
);
236 * Export the subject credential.
238 cru2x(cred
, &ar
->k_ar
.ar_subj_cred
);
239 ar
->k_ar
.ar_subj_ruid
= kauth_cred_getruid(cred
);
240 ar
->k_ar
.ar_subj_rgid
= kauth_cred_getrgid(cred
);
241 ar
->k_ar
.ar_subj_egid
= kauth_cred_getgid(cred
);
242 ar
->k_ar
.ar_subj_pid
= p
->p_pid
;
243 ar
->k_ar
.ar_subj_auid
= cred
->cr_audit
.as_aia_p
->ai_auid
;
244 ar
->k_ar
.ar_subj_asid
= cred
->cr_audit
.as_aia_p
->ai_asid
;
245 bcopy(&cred
->cr_audit
.as_mask
, &ar
->k_ar
.ar_subj_amask
,
246 sizeof(struct au_mask
));
247 bcopy(&cred
->cr_audit
.as_aia_p
->ai_termid
,
248 &ar
->k_ar
.ar_subj_term_addr
, sizeof(struct au_tid_addr
));
249 kauth_cred_unref(&cred
);
254 audit_record_dtor(struct kaudit_record
*ar
)
257 if (ar
->k_ar
.ar_arg_upath1
!= NULL
)
258 free(ar
->k_ar
.ar_arg_upath1
, M_AUDITPATH
);
259 if (ar
->k_ar
.ar_arg_upath2
!= NULL
)
260 free(ar
->k_ar
.ar_arg_upath2
, M_AUDITPATH
);
261 if (ar
->k_ar
.ar_arg_kpath1
!= NULL
)
262 free(ar
->k_ar
.ar_arg_kpath1
, M_AUDITPATH
);
263 if (ar
->k_ar
.ar_arg_kpath2
!= NULL
)
264 free(ar
->k_ar
.ar_arg_kpath2
, M_AUDITPATH
);
265 if (ar
->k_ar
.ar_arg_text
!= NULL
)
266 free(ar
->k_ar
.ar_arg_text
, M_AUDITTEXT
);
267 if (ar
->k_ar
.ar_arg_opaque
!= NULL
)
268 free(ar
->k_ar
.ar_arg_opaque
, M_AUDITDATA
);
269 if (ar
->k_ar
.ar_arg_data
!= NULL
)
270 free(ar
->k_ar
.ar_arg_data
, M_AUDITDATA
);
271 if (ar
->k_udata
!= NULL
)
272 free(ar
->k_udata
, M_AUDITDATA
);
273 if (ar
->k_ar
.ar_arg_argv
!= NULL
)
274 free(ar
->k_ar
.ar_arg_argv
, M_AUDITTEXT
);
275 if (ar
->k_ar
.ar_arg_envv
!= NULL
)
276 free(ar
->k_ar
.ar_arg_envv
, M_AUDITTEXT
);
280 * Initialize the Audit subsystem: configuration state, work queue,
281 * synchronization primitives, worker thread, and trigger device node. Also
282 * call into the BSM assembly code to initialize it.
290 audit_kevent_mask
= 0;
292 audit_panic_on_write_fail
= 0;
294 audit_in_failure
= 0;
298 audit_fstat
.af_filesz
= 0; /* '0' means unset, unbounded. */
299 audit_fstat
.af_currsz
= 0;
300 audit_nae_mask
.am_success
= 0;
301 audit_nae_mask
.am_failure
= 0;
303 TAILQ_INIT(&audit_q
);
306 audit_qctrl
.aq_hiwater
= AQ_HIWATER
;
307 audit_qctrl
.aq_lowater
= AQ_LOWATER
;
308 audit_qctrl
.aq_bufsz
= AQ_BUFSZ
;
309 audit_qctrl
.aq_minfree
= AU_FS_MINFREE
;
311 audit_kinfo
.ai_termid
.at_type
= AU_IPv4
;
312 audit_kinfo
.ai_termid
.at_addr
[0] = INADDR_ANY
;
314 _audit_lck_grp_init();
315 mtx_init(&audit_mtx
, "audit_mtx", NULL
, MTX_DEF
);
317 cv_init(&audit_worker_cv
, "audit_worker_cv");
318 cv_init(&audit_drain_cv
, "audit_drain_cv");
319 cv_init(&audit_watermark_cv
, "audit_watermark_cv");
320 cv_init(&audit_fail_cv
, "audit_fail_cv");
322 audit_record_zone
= zinit(sizeof(struct kaudit_record
),
323 AQ_HIWATER
*sizeof(struct kaudit_record
), 8192, "audit_zone");
327 /* Init audit session subsystem. */
328 audit_session_init();
330 /* Initialize the BSM audit subsystem. */
333 /* audit_trigger_init(); */
335 /* Start audit worker thread. */
336 (void) audit_pipe_init();
338 /* Start audit worker thread. */
343 * Drain the audit queue and close the log at shutdown. Note that this can
344 * be called both from the system shutdown path and also from audit
345 * configuration syscalls, so 'arg' and 'howto' are ignored.
351 audit_rotate_vnode(NULL
, NULL
);
355 * Return the current thread's audit record, if any.
357 struct kaudit_record
*
361 return (curthread()->uu_ar
);
365 * XXXAUDIT: There are a number of races present in the code below due to
366 * release and re-grab of the mutex. The code should be revised to become
367 * slightly less racy.
369 * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
370 * pre_q space, suspending the system call until there is room?
372 struct kaudit_record
*
373 audit_new(int event
, proc_t p
, __unused
struct uthread
*uthread
)
375 struct kaudit_record
*ar
;
380 * Override the audit_suspended and audit_enabled if it always
381 * audits session events.
383 * XXXss - This really needs to be a generalized call to a filter
384 * interface so if other things that use the audit subsystem in the
385 * future can simply plugged in.
387 audit_override
= (AUE_SESSION_START
== event
||
388 AUE_SESSION_UPDATE
== event
|| AUE_SESSION_END
== event
||
389 AUE_SESSION_CLOSE
== event
);
391 mtx_lock(&audit_mtx
);
392 no_record
= (audit_suspended
|| !audit_enabled
);
393 mtx_unlock(&audit_mtx
);
394 if (!audit_override
&& no_record
)
398 * Initialize the audit record header.
399 * XXX: We may want to fail-stop if allocation fails.
401 * Note: the number of outstanding uncommitted audit records is
402 * limited to the number of concurrent threads servicing system calls
405 ar
= zalloc(audit_record_zone
);
408 audit_record_ctor(p
, ar
);
409 ar
->k_ar
.ar_event
= event
;
412 if (PROC_NULL
!= p
) {
413 if (audit_mac_new(p
, ar
) != 0) {
414 zfree(audit_record_zone
, ar
);
418 ar
->k_ar
.ar_mac_records
= NULL
;
421 mtx_lock(&audit_mtx
);
423 mtx_unlock(&audit_mtx
);
429 audit_free(struct kaudit_record
*ar
)
432 audit_record_dtor(ar
);
434 if (NULL
!= ar
->k_ar
.ar_mac_records
)
437 zfree(audit_record_zone
, ar
);
441 audit_commit(struct kaudit_record
*ar
, int error
, int retval
)
447 struct au_mask
*aumask
;
454 * Decide whether to commit the audit record by checking the error
455 * value from the system call and using the appropriate audit mask.
457 if (ar
->k_ar
.ar_subj_auid
== AU_DEFAUDITID
)
458 aumask
= &audit_nae_mask
;
460 aumask
= &ar
->k_ar
.ar_subj_amask
;
463 sorf
= AU_PRS_FAILURE
;
465 sorf
= AU_PRS_SUCCESS
;
467 switch(ar
->k_ar
.ar_event
) {
470 * The open syscall always writes a AUE_OPEN_RWTC event;
471 * change it to the proper type of event based on the flags
472 * and the error value.
474 ar
->k_ar
.ar_event
= audit_flags_and_error_to_openevent(
475 ar
->k_ar
.ar_arg_fflags
, error
);
478 case AUE_OPEN_EXTENDED_RWTC
:
480 * The open_extended syscall always writes a
481 * AUE_OPEN_EXTENDEDRWTC event; change it to the proper type of
482 * event based on the flags and the error value.
484 ar
->k_ar
.ar_event
= audit_flags_and_error_to_openextendedevent(
485 ar
->k_ar
.ar_arg_fflags
, error
);
488 case AUE_OPENAT_RWTC
:
490 * The openat syscall always writes a
491 * AUE_OPENAT_RWTC event; change it to the proper type of
492 * event based on the flags and the error value.
494 ar
->k_ar
.ar_event
= audit_flags_and_error_to_openatevent(
495 ar
->k_ar
.ar_arg_fflags
, error
);
498 case AUE_OPENBYID_RWT
:
500 * The openbyid syscall always writes a
501 * AUE_OPENBYID_RWT event; change it to the proper type of
502 * event based on the flags and the error value.
504 ar
->k_ar
.ar_event
= audit_flags_and_error_to_openbyidevent(
505 ar
->k_ar
.ar_arg_fflags
, error
);
509 ar
->k_ar
.ar_event
= audit_ctlname_to_sysctlevent(
510 ar
->k_ar
.ar_arg_ctlname
, ar
->k_ar
.ar_valid_arg
);
514 /* Convert the auditon() command to an event. */
515 ar
->k_ar
.ar_event
= auditon_command_event(ar
->k_ar
.ar_arg_cmd
);
519 /* Convert some fcntl() commands to their own events. */
520 ar
->k_ar
.ar_event
= audit_fcntl_command_event(
521 ar
->k_ar
.ar_arg_cmd
, ar
->k_ar
.ar_arg_fflags
, error
);
525 auid
= ar
->k_ar
.ar_subj_auid
;
526 event
= ar
->k_ar
.ar_event
;
527 class = au_event_class(event
);
530 * See if we need to override the audit_suspend and audit_enabled
533 * XXXss - This check needs to be generalized so new filters can
536 audit_override
= (AUE_SESSION_START
== event
||
537 AUE_SESSION_UPDATE
== event
|| AUE_SESSION_END
== event
||
538 AUE_SESSION_CLOSE
== event
);
540 ar
->k_ar_commit
|= AR_COMMIT_KERNEL
;
541 if (au_preselect(event
, class, aumask
, sorf
) != 0)
542 ar
->k_ar_commit
|= AR_PRESELECT_TRAIL
;
543 if (audit_pipe_preselect(auid
, event
, class, sorf
,
544 ar
->k_ar_commit
& AR_PRESELECT_TRAIL
) != 0)
545 ar
->k_ar_commit
|= AR_PRESELECT_PIPE
;
546 if ((ar
->k_ar_commit
& (AR_PRESELECT_TRAIL
| AR_PRESELECT_PIPE
|
547 AR_PRESELECT_USER_TRAIL
| AR_PRESELECT_USER_PIPE
|
548 AR_PRESELECT_FILTER
)) == 0) {
549 mtx_lock(&audit_mtx
);
551 mtx_unlock(&audit_mtx
);
556 ar
->k_ar
.ar_errno
= error
;
557 ar
->k_ar
.ar_retval
= retval
;
558 nanotime(&ar
->k_ar
.ar_endtime
);
561 * Note: it could be that some records initiated while audit was
562 * enabled should still be committed?
564 mtx_lock(&audit_mtx
);
565 if (!audit_override
&& (audit_suspended
|| !audit_enabled
)) {
567 mtx_unlock(&audit_mtx
);
573 * Constrain the number of committed audit records based on the
574 * configurable parameter.
576 while (audit_q_len
>= audit_qctrl
.aq_hiwater
)
577 cv_wait(&audit_watermark_cv
, &audit_mtx
);
579 TAILQ_INSERT_TAIL(&audit_q
, ar
, k_q
);
582 cv_signal(&audit_worker_cv
);
583 mtx_unlock(&audit_mtx
);
587 * audit_syscall_enter() is called on entry to each system call. It is
588 * responsible for deciding whether or not to audit the call (preselection),
589 * and if so, allocating a per-thread audit record. audit_new() will fill in
590 * basic thread/credential properties.
593 audit_syscall_enter(unsigned int code
, proc_t proc
, struct uthread
*uthread
)
595 struct au_mask
*aumask
;
602 * In FreeBSD, each ABI has its own system call table, and hence
603 * mapping of system call codes to audit events. Convert the code to
604 * an audit event identifier using the process system call table
605 * reference. In Darwin, there's only one, so we use the global
606 * symbol for the system call table. No audit record is generated
607 * for bad system calls, as no operation has been performed.
609 * In Mac OS X, the audit events are stored in a table seperate from
610 * the syscall table(s). This table is generated by makesyscalls.sh
611 * from syscalls.master and stored in audit_kevents.c.
613 if (code
> NUM_SYSENT
)
615 event
= sys_au_event
[code
];
616 if (event
== AUE_NULL
)
619 KASSERT(uthread
->uu_ar
== NULL
,
620 ("audit_syscall_enter: uthread->uu_ar != NULL"));
623 * Check which audit mask to use; either the kernel non-attributable
624 * event mask or the process audit mask.
626 cred
= kauth_cred_proc_ref(proc
);
627 auid
= cred
->cr_audit
.as_aia_p
->ai_auid
;
628 if (auid
== AU_DEFAUDITID
)
629 aumask
= &audit_nae_mask
;
631 aumask
= &cred
->cr_audit
.as_mask
;
634 * Allocate an audit record, if preselection allows it, and store in
635 * the thread for later use.
637 class = au_event_class(event
);
640 * Note: audit_mac_syscall_enter() may call audit_new() and allocate
641 * memory for the audit record (uu_ar).
643 if (audit_mac_syscall_enter(code
, proc
, uthread
, cred
, event
) == 0)
646 if (au_preselect(event
, class, aumask
, AU_PRS_BOTH
)) {
648 * If we're out of space and need to suspend unprivileged
649 * processes, do that here rather than trying to allocate
650 * another audit record.
652 * Note: we might wish to be able to continue here in the
653 * future, if the system recovers. That should be possible
654 * by means of checking the condition in a loop around
655 * cv_wait(). It might be desirable to reevaluate whether an
656 * audit record is still required for this event by
657 * re-calling au_preselect().
659 if (audit_in_failure
&&
660 suser(cred
, &proc
->p_acflag
) != 0) {
661 cv_wait(&audit_fail_cv
, &audit_mtx
);
662 panic("audit_failing_stop: thread continued");
664 if (uthread
->uu_ar
== NULL
)
665 uthread
->uu_ar
= audit_new(event
, proc
, uthread
);
666 } else if (audit_pipe_preselect(auid
, event
, class, AU_PRS_BOTH
, 0)) {
667 if (uthread
->uu_ar
== NULL
)
668 uthread
->uu_ar
= audit_new(event
, proc
, uthread
);
672 kauth_cred_unref(&cred
);
676 * audit_syscall_exit() is called from the return of every system call, or in
677 * the event of exit1(), during the execution of exit1(). It is responsible
678 * for committing the audit record, if any, along with return condition.
680 * Note: The audit_syscall_exit() parameter list was modified to support
681 * mac_audit_check_postselect(), which requires the syscall number.
685 audit_syscall_exit(unsigned int code
, int error
, __unused proc_t proc
,
686 struct uthread
*uthread
)
689 audit_syscall_exit(int error
, __unsed proc_t proc
, struct uthread
*uthread
)
695 * Commit the audit record as desired; once we pass the record into
696 * audit_commit(), the memory is owned by the audit subsystem. The
697 * return value from the system call is stored on the user thread.
698 * If there was an error, the return value is set to -1, imitating
699 * the behavior of the cerror routine.
704 retval
= uthread
->uu_rval
[0];
707 if (audit_mac_syscall_exit(code
, uthread
, error
, retval
) != 0)
710 audit_commit(uthread
->uu_ar
, error
, retval
);
713 uthread
->uu_ar
= NULL
;
717 * Calls to set up and tear down audit structures used during Mach system
721 audit_mach_syscall_enter(unsigned short event
)
723 struct uthread
*uthread
;
725 struct au_mask
*aumask
;
730 if (event
== AUE_NULL
)
733 uthread
= curthread();
737 proc
= current_proc();
741 KASSERT(uthread
->uu_ar
== NULL
,
742 ("audit_mach_syscall_enter: uthread->uu_ar != NULL"));
744 cred
= kauth_cred_proc_ref(proc
);
745 auid
= cred
->cr_audit
.as_aia_p
->ai_auid
;
748 * Check which audit mask to use; either the kernel non-attributable
749 * event mask or the process audit mask.
751 if (auid
== AU_DEFAUDITID
)
752 aumask
= &audit_nae_mask
;
754 aumask
= &cred
->cr_audit
.as_mask
;
757 * Allocate an audit record, if desired, and store in the BSD thread
760 class = au_event_class(event
);
761 if (au_preselect(event
, class, aumask
, AU_PRS_BOTH
))
762 uthread
->uu_ar
= audit_new(event
, proc
, uthread
);
763 else if (audit_pipe_preselect(auid
, event
, class, AU_PRS_BOTH
, 0))
764 uthread
->uu_ar
= audit_new(event
, proc
, uthread
);
766 uthread
->uu_ar
= NULL
;
768 kauth_cred_unref(&cred
);
772 audit_mach_syscall_exit(int retval
, struct uthread
*uthread
)
775 * The error code from Mach system calls is the same as the
778 /* XXX Is the above statement always true? */
779 audit_commit(uthread
->uu_ar
, retval
, retval
);
780 uthread
->uu_ar
= NULL
;
784 * kau_will_audit can be used by a security policy to determine
785 * if an audit record will be stored, reducing wasted memory allocation
786 * and string handling.
792 return (audit_enabled
&& currecord() != NULL
);
796 audit_proc_coredump(proc_t proc
, char *path
, int errcode
)
798 struct kaudit_record
*ar
;
799 struct au_mask
*aumask
;
804 kauth_cred_t my_cred
;
805 struct uthread
*uthread
;
810 * Make sure we are using the correct preselection mask.
812 my_cred
= kauth_cred_proc_ref(proc
);
813 auid
= my_cred
->cr_audit
.as_aia_p
->ai_auid
;
814 if (auid
== AU_DEFAUDITID
)
815 aumask
= &audit_nae_mask
;
817 aumask
= &my_cred
->cr_audit
.as_mask
;
818 kauth_cred_unref(&my_cred
);
820 * It's possible for coredump(9) generation to fail. Make sure that
821 * we handle this case correctly for preselection.
824 sorf
= AU_PRS_FAILURE
;
826 sorf
= AU_PRS_SUCCESS
;
827 class = au_event_class(AUE_CORE
);
828 if (au_preselect(AUE_CORE
, class, aumask
, sorf
) == 0 &&
829 audit_pipe_preselect(auid
, AUE_CORE
, class, sorf
, 0) == 0)
832 * If we are interested in seeing this audit record, allocate it.
833 * Where possible coredump records should contain a pathname and arg32
836 uthread
= curthread();
837 ar
= audit_new(AUE_CORE
, proc
, uthread
);
839 pathp
= &ar
->k_ar
.ar_arg_upath1
;
840 *pathp
= malloc(MAXPATHLEN
, M_AUDITPATH
, M_WAITOK
);
841 if (audit_canon_path(vfs_context_cwd(vfs_context_current()), path
,
843 free(*pathp
, M_AUDITPATH
);
845 ARG_SET_VALID(ar
, ARG_UPATH1
);
847 ar
->k_ar
.ar_arg_signum
= proc
->p_sigacts
->ps_sig
;
848 ARG_SET_VALID(ar
, ARG_SIGNUM
);
851 audit_commit(ar
, errcode
, ret
);
853 #endif /* CONFIG_AUDIT */