]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_audit.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-792.18.15.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 #include <sys/param.h>
29 #include <sys/fcntl.h>
30 #include <sys/kernel.h>
31 #include <sys/lock.h>
32 #include <sys/namei.h>
33 #include <sys/proc_internal.h>
34 #include <sys/kauth.h>
35 #include <sys/queue.h>
36 #include <sys/systm.h>
37 #include <sys/time.h>
38 #include <sys/ucred.h>
39 #include <sys/uio.h>
40 #include <sys/unistd.h>
41 #include <sys/file_internal.h>
42 #include <sys/vnode_internal.h>
43 #include <sys/user.h>
44 #include <sys/syscall.h>
45 #include <sys/malloc.h>
46 #include <sys/un.h>
47 #include <sys/sysent.h>
48 #include <sys/sysproto.h>
49 #include <sys/vfs_context.h>
50 #include <sys/domain.h>
51 #include <sys/protosw.h>
52 #include <sys/socketvar.h>
53
54 #include <bsm/audit.h>
55 #include <bsm/audit_kevents.h>
56 #include <bsm/audit_klib.h>
57 #include <bsm/audit_kernel.h>
58
59 #include <mach/host_priv.h>
60 #include <mach/host_special_ports.h>
61 #include <mach/audit_triggers_server.h>
62
63 #include <kern/host.h>
64 #include <kern/kalloc.h>
65 #include <kern/zalloc.h>
66 #include <kern/lock.h>
67 #include <kern/wait_queue.h>
68 #include <kern/sched_prim.h>
69
70 #include <net/route.h>
71
72 #include <netinet/in.h>
73 #include <netinet/in_pcb.h>
74
75 #ifdef AUDIT
76
77 /*
78 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
79 * gratuitously noisy printf's to the console. Due to the
80 * volume, it should be left off unless you want your system
81 * to churn a lot whenever the audit record flow gets high.
82 */
83 /* #define AUDIT_EXCESSIVELY_VERBOSE */
84 #ifdef AUDIT_EXCESSIVELY_VERBOSE
85 #define AUDIT_PRINTF_ONLY
86 #define AUDIT_PRINTF(x) printf x
87 #else
88 #define AUDIT_PRINTF_ONLY __unused
89 #define AUDIT_PRINTF(X)
90 #endif
91
92 #if DIAGNOSTIC
93 #if defined(assert)
94 #undef assert()
95 #endif
96 #define assert(cond) \
97 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
98 #else
99 #include <kern/assert.h>
100 #endif /* DIAGNOSTIC */
101
102 /*
103 * Define the audit control flags.
104 */
105 int audit_enabled;
106 int audit_suspended;
107
108 /*
109 * Mutex to protect global variables shared between various threads and
110 * processes.
111 */
112 static mutex_t *audit_mtx;
113
114 /*
115 * Queue of audit records ready for delivery to disk. We insert new
116 * records at the tail, and remove records from the head. Also,
117 * a count of the number of records used for checking queue depth.
118 * In addition, a counter of records that we have allocated but are
119 * not yet in the queue, which is needed to estimate the total
120 * size of the combined set of records outstanding in the system.
121 */
122 static TAILQ_HEAD(, kaudit_record) audit_q;
123 static size_t audit_q_len;
124 static size_t audit_pre_q_len;
125
126 static wait_queue_t audit_wait_queue;
127 static zone_t audit_zone;
128
129 /*
130 * Condition variable to signal to the worker that it has work to do:
131 * either new records are in the queue, or a log replacement is taking
132 * place.
133 */
134 static int audit_worker_event;
135 #define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
136
137 /*
138 * The audit worker thread (which is lazy started when we first
139 * rotate the audit log.
140 */
141 static thread_t audit_worker_thread = THREAD_NULL;
142
143 /*
144 * When an audit log is rotated, the actual rotation must be performed
145 * by the audit worker thread, as it may have outstanding writes on the
146 * current audit log. audit_replacement_vp holds the vnode replacing
147 * the current vnode. We can't let more than one replacement occur
148 * at a time, so if more than one thread requests a replacement, only
149 * one can have the replacement "in progress" at any given moment. If
150 * a thread tries to replace the audit vnode and discovers a replacement
151 * is already in progress (i.e., audit_replacement_flag != 0), then it
152 * will sleep on audit_replacement_cv waiting its turn to perform a
153 * replacement. When a replacement is completed, this cv is signalled
154 * by the worker thread so a waiting thread can start another replacement.
155 * We also store a credential to perform audit log write operations with.
156 */
157 static int audit_replacement_event;
158 #define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
159
160 static int audit_replacement_flag;
161 static struct vnode *audit_replacement_vp;
162 static kauth_cred_t audit_replacement_cred;
163
164 /*
165 * Wait queue for auditing threads that cannot commit the audit
166 * record at the present time. Also, the queue control parameter
167 * structure.
168 */
169 static int audit_commit_event;
170 #define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
171
172 static struct au_qctrl audit_qctrl;
173
174 /*
175 * Flags to use on audit files when opening and closing.
176 */
177 static const int audit_open_flags = FWRITE | O_APPEND;
178 static const int audit_close_flags = FWRITE | O_APPEND;
179
180 /*
181 * Global audit statistiscs.
182 */
183 static struct audit_fstat audit_fstat;
184
185 /*
186 Preselection mask for non-attributable events.
187 */
188 static struct au_mask audit_nae_mask;
189
190 /*
191 * Flags related to Kernel->user-space communication.
192 */
193 static int audit_file_rotate_wait;
194
195 /*
196 * Flags controlling behavior in low storage situations.
197 * Should we panic if a write fails? Should we fail stop
198 * if we're out of disk space? Are we currently "failing
199 * stop" due to out of disk space?
200 */
201 static int audit_panic_on_write_fail;
202 static int audit_fail_stop;
203 static int audit_in_failure;
204
205 /*
206 * When in a fail-stop mode, threads will drop into this wait queue
207 * rather than perform auditable events. They won't ever get woken
208 * up.
209 */
210 static int audit_failure_event;
211 #define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
212
213 /*
214 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
215 * behavior.
216 */
217 extern task_t kernel_task;
218
219 static void
220 audit_free(struct kaudit_record *ar)
221 {
222 if (ar->k_ar.ar_arg_upath1 != NULL) {
223 kfree(ar->k_ar.ar_arg_upath1, MAXPATHLEN);
224 }
225 if (ar->k_ar.ar_arg_upath2 != NULL) {
226 kfree(ar->k_ar.ar_arg_upath2, MAXPATHLEN);
227
228 }
229 if (ar->k_ar.ar_arg_kpath1 != NULL) {
230 kfree(ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
231
232 }
233 if (ar->k_ar.ar_arg_kpath2 != NULL) {
234 kfree(ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
235
236 }
237 if (ar->k_ar.ar_arg_text != NULL) {
238 kfree(ar->k_ar.ar_arg_text, MAXPATHLEN);
239
240 }
241 if (ar->k_udata != NULL) {
242 kfree(ar->k_udata, ar->k_ulen);
243
244 }
245 zfree(audit_zone, ar);
246 }
247
248 static int
249 audit_write(struct vnode *vp, struct kaudit_record *ar, kauth_cred_t cred,
250 struct proc *p)
251 {
252 struct vfsstatfs *mnt_stat = &vp->v_mount->mnt_vfsstat;
253 int ret;
254 struct au_record *bsm;
255 /* KVV maybe we should take a context as a param to audit_write? */
256 struct vfs_context context;
257 off_t file_size;
258
259 mach_port_t audit_port;
260
261 /*
262 * First, gather statistics on the audit log file and file system
263 * so that we know how we're doing on space. In both cases,
264 * if we're unable to perform the operation, we drop the record
265 * and return. However, this is arguably an assertion failure.
266 */
267 context.vc_proc = p;
268 context.vc_ucred = cred;
269 ret = vfs_update_vfsstat(vp->v_mount, &context);
270 if (ret)
271 goto out;
272
273 /* update the global stats struct */
274 if ((ret = vnode_size(vp, &file_size, &context)) != 0)
275 goto out;
276 audit_fstat.af_currsz = file_size;
277
278 /*
279 * Send a message to the audit daemon when disk space is getting
280 * low.
281 * XXX Need to decide what to do if the trigger to the audit daemon
282 * fails.
283 */
284 if(host_get_audit_control_port(host_priv_self(), &audit_port)
285 != KERN_SUCCESS)
286 printf("Cannot get audit control port\n");
287
288 if (audit_port != MACH_PORT_NULL) {
289 uint64_t temp;
290
291 /*
292 * If we fall below percent free blocks, then trigger the
293 * audit daemon to do something about it.
294 */
295 if (audit_qctrl.aq_minfree != 0) {
296 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
297 if (mnt_stat->f_bfree < temp) {
298 ret = audit_triggers(audit_port,
299 AUDIT_TRIGGER_LOW_SPACE);
300 if (ret != KERN_SUCCESS) {
301 printf(
302 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
303 /*
304 * XXX: What to do here? Disable auditing?
305 * panic?
306 */
307 }
308 }
309 }
310 /* Check if the current log file is full; if so, call for
311 * a log rotate. This is not an exact comparison; we may
312 * write some records over the limit. If that's not
313 * acceptable, then add a fudge factor here.
314 */
315 if ((audit_fstat.af_filesz != 0) &&
316 (audit_file_rotate_wait == 0) &&
317 (file_size >= audit_fstat.af_filesz)) {
318 audit_file_rotate_wait = 1;
319 ret = audit_triggers(audit_port,
320 AUDIT_TRIGGER_FILE_FULL);
321 if (ret != KERN_SUCCESS) {
322 printf(
323 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
324 /* XXX what to do here? */
325 }
326 }
327 }
328
329 /*
330 * If the estimated amount of audit data in the audit event queue
331 * (plus records allocated but not yet queued) has reached the
332 * amount of free space on the disk, then we need to go into an
333 * audit fail stop state, in which we do not permit the
334 * allocation/committing of any new audit records. We continue to
335 * process packets but don't allow any activities that might
336 * generate new records. In the future, we might want to detect
337 * when space is available again and allow operation to continue,
338 * but this behavior is sufficient to meet fail stop requirements
339 * in CAPP.
340 */
341 if (audit_fail_stop &&
342 (unsigned long)
343 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
344 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
345 printf(
346 "audit_worker: free space below size of audit queue, failing stop\n");
347 audit_in_failure = 1;
348 }
349
350 /*
351 * If there is a user audit record attached to the kernel record,
352 * then write the user record.
353 */
354 /* XXX Need to decide a few things here: IF the user audit
355 * record is written, but the write of the kernel record fails,
356 * what to do? Should the kernel record come before or after the
357 * user record? For now, we write the user record first, and
358 * we ignore errors.
359 */
360 if (ar->k_ar_commit & AR_COMMIT_USER) {
361 if (vnode_getwithref(vp) == 0) {
362 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
363 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p);
364 vnode_put(vp);
365 if (ret)
366 goto out;
367 } else {
368 goto out;
369 }
370 }
371
372 /*
373 * Convert the internal kernel record to BSM format and write it
374 * out if everything's OK.
375 */
376 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
377 ret = 0;
378 goto out;
379 }
380
381 ret = kaudit_to_bsm(ar, &bsm);
382 if (ret == BSM_NOAUDIT) {
383 ret = 0;
384 goto out;
385 }
386
387 /*
388 * XXX: We drop the record on BSM conversion failure, but really
389 * this is an assertion failure.
390 */
391 if (ret == BSM_FAILURE) {
392 AUDIT_PRINTF(("BSM conversion failure\n"));
393 ret = EINVAL;
394 goto out;
395 }
396
397 /* XXX This function can be called with the kernel funnel held,
398 * which is not optimal. We should break the write functionality
399 * away from the BSM record generation and have the BSM generation
400 * done before this function is called. This function will then
401 * take the BSM record as a parameter.
402 */
403 if ((ret = vnode_getwithref(vp)) == 0) {
404 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
405 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p));
406 vnode_put(vp);
407 }
408 kau_free(bsm);
409
410 out:
411 /*
412 * When we're done processing the current record, we have to
413 * check to see if we're in a failure mode, and if so, whether
414 * this was the last record left to be drained. If we're done
415 * draining, then we fsync the vnode and panic.
416 */
417 if (audit_in_failure &&
418 audit_q_len == 0 && audit_pre_q_len == 0) {
419 (void)VNOP_FSYNC(vp, MNT_WAIT, &context);
420 panic("Audit store overflow; record queue drained.");
421 }
422
423 return (ret);
424 }
425
426 static void
427 audit_worker(void)
428 {
429 int do_replacement_signal, error, release_funnel;
430 TAILQ_HEAD(, kaudit_record) ar_worklist;
431 struct kaudit_record *ar;
432 struct vnode *audit_vp, *old_vp;
433 kauth_cred_t audit_cred;
434 kauth_cred_t old_cred;
435 struct proc *audit_p;
436
437 AUDIT_PRINTF(("audit_worker starting\n"));
438
439 TAILQ_INIT(&ar_worklist);
440 audit_cred = NOCRED;
441 audit_p = current_proc();
442 audit_vp = NULL;
443
444 /*
445 * XXX: Presumably we can assume Mach threads are started without
446 * holding the BSD kernel funnel?
447 */
448 thread_funnel_set(kernel_flock, FALSE);
449
450 mutex_lock(audit_mtx);
451 while (1) {
452 /*
453 * First priority: replace the audit log target if requested.
454 * As we actually close the vnode in the worker thread, we
455 * need to grab the funnel, which means releasing audit_mtx.
456 * In case another replacement was scheduled while the mutex
457 * we released, we loop.
458 *
459 * XXX It could well be we should drain existing records
460 * first to ensure that the timestamps and ordering
461 * are right.
462 */
463 do_replacement_signal = 0;
464 while (audit_replacement_flag != 0) {
465 old_cred = audit_cred;
466 old_vp = audit_vp;
467 audit_cred = audit_replacement_cred;
468 audit_vp = audit_replacement_vp;
469 audit_replacement_cred = NOCRED;
470 audit_replacement_vp = NULL;
471 audit_replacement_flag = 0;
472
473 audit_enabled = (audit_vp != NULL);
474
475 if (old_vp != NULL || audit_vp != NULL) {
476 mutex_unlock(audit_mtx);
477 thread_funnel_set(kernel_flock, TRUE);
478 release_funnel = 1;
479 } else
480 release_funnel = 0;
481 /*
482 * XXX: What to do about write failures here?
483 */
484 if (old_vp != NULL) {
485 AUDIT_PRINTF(("Closing old audit file\n"));
486 vn_close(old_vp, audit_close_flags, old_cred,
487 audit_p);
488 kauth_cred_unref(&old_cred);
489 old_vp = NULL;
490 AUDIT_PRINTF(("Audit file closed\n"));
491 }
492 if (audit_vp != NULL) {
493 AUDIT_PRINTF(("Opening new audit file\n"));
494 }
495 if (release_funnel) {
496 thread_funnel_set(kernel_flock, FALSE);
497 mutex_lock(audit_mtx);
498 }
499 do_replacement_signal = 1;
500 }
501 /*
502 * Signal that replacement have occurred to wake up and
503 * start any other replacements started in parallel. We can
504 * continue about our business in the mean time. We
505 * broadcast so that both new replacements can be inserted,
506 * but also so that the source(s) of replacement can return
507 * successfully.
508 */
509 if (do_replacement_signal)
510 wait_queue_wakeup_all(audit_wait_queue,
511 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
512
513 /*
514 * Next, check to see if we have any records to drain into
515 * the vnode. If not, go back to waiting for an event.
516 */
517 if (TAILQ_EMPTY(&audit_q)) {
518 int ret;
519
520 AUDIT_PRINTF(("audit_worker waiting\n"));
521 ret = wait_queue_assert_wait(audit_wait_queue,
522 AUDIT_WORKER_EVENT,
523 THREAD_UNINT,
524 0);
525 mutex_unlock(audit_mtx);
526
527 assert(ret == THREAD_WAITING);
528 ret = thread_block(THREAD_CONTINUE_NULL);
529 assert(ret == THREAD_AWAKENED);
530 AUDIT_PRINTF(("audit_worker woken up\n"));
531 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
532 audit_replacement_vp, audit_replacement_flag));
533
534 mutex_lock(audit_mtx);
535 continue;
536 }
537
538 /*
539 * If we have records, but there's no active vnode to
540 * write to, drain the record queue. Generally, we
541 * prevent the unnecessary allocation of records
542 * elsewhere, but we need to allow for races between
543 * conditional allocation and queueing. Go back to
544 * waiting when we're done.
545 *
546 * XXX: We go out of our way to avoid calling audit_free()
547 * with the audit_mtx held, to avoid a lock order reversal
548 * as free() may grab the funnel. This will be fixed at
549 * some point.
550 */
551 if (audit_vp == NULL) {
552 while ((ar = TAILQ_FIRST(&audit_q))) {
553 TAILQ_REMOVE(&audit_q, ar, k_q);
554 audit_q_len--;
555 if (audit_q_len <= audit_qctrl.aq_lowater)
556 wait_queue_wakeup_one(
557 audit_wait_queue,
558 AUDIT_COMMIT_EVENT,
559 THREAD_AWAKENED);
560
561 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
562 }
563 mutex_unlock(audit_mtx);
564 while ((ar = TAILQ_FIRST(&ar_worklist))) {
565 TAILQ_REMOVE(&ar_worklist, ar, k_q);
566 audit_free(ar);
567 }
568 mutex_lock(audit_mtx);
569 continue;
570 }
571
572 /*
573 * We have both records to write, and an active vnode
574 * to write to. Dequeue a record, and start the write.
575 * Eventually, it might make sense to dequeue several
576 * records and perform our own clustering, if the lower
577 * layers aren't doing it automatically enough.
578 *
579 * XXX: We go out of our way to avoid calling audit_free()
580 * with the audit_mtx held, to avoid a lock order reversal
581 * as free() may grab the funnel. This will be fixed at
582 * some point.
583 */
584 while ((ar = TAILQ_FIRST(&audit_q))) {
585 TAILQ_REMOVE(&audit_q, ar, k_q);
586 audit_q_len--;
587 if (audit_q_len <= audit_qctrl.aq_lowater) {
588 wait_queue_wakeup_one(audit_wait_queue,
589 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
590 }
591
592 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
593 }
594 mutex_unlock(audit_mtx);
595 release_funnel = 0;
596 while ((ar = TAILQ_FIRST(&ar_worklist))) {
597 TAILQ_REMOVE(&ar_worklist, ar, k_q);
598 if (audit_vp != NULL) {
599 /*
600 * XXX: What should happen if there's a write
601 * error here?
602 */
603 if (!release_funnel) {
604 thread_funnel_set(kernel_flock, TRUE);
605 release_funnel = 1;
606 }
607 error = audit_write(audit_vp, ar, audit_cred,
608 audit_p);
609 if (error && audit_panic_on_write_fail) {
610 panic("audit_worker: write error %d\n",
611 error);
612 } else if (error) {
613 printf("audit_worker: write error %d\n",
614 error);
615 }
616 }
617 audit_free(ar);
618 }
619 if (release_funnel)
620 thread_funnel_set(kernel_flock, FALSE);
621 mutex_lock(audit_mtx);
622 }
623 }
624
625 void
626 audit_init(void)
627 {
628
629 /* Verify that the syscall to audit event table is the same
630 * size as the system call table.
631 */
632 if (nsys_au_event != nsysent) {
633 printf("Security auditing service initialization failed, ");
634 printf("audit event table doesn't match syscall table.\n");
635 return;
636 }
637
638 printf("Security auditing service present\n");
639 TAILQ_INIT(&audit_q);
640 audit_q_len = 0;
641 audit_enabled = 0;
642 audit_suspended = 0;
643 audit_replacement_cred = NULL;
644 audit_replacement_flag = 0;
645 audit_file_rotate_wait = 0;
646 audit_replacement_vp = NULL;
647 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
648 audit_fstat.af_currsz = 0;
649 audit_qctrl.aq_hiwater = AQ_HIWATER;
650 audit_qctrl.aq_lowater = AQ_LOWATER;
651 audit_qctrl.aq_bufsz = AQ_BUFSZ;
652 audit_qctrl.aq_minfree = AU_FS_MINFREE;
653
654 audit_mtx = mutex_alloc(0);
655 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
656 audit_zone = zinit(sizeof(struct kaudit_record),
657 AQ_HIWATER*sizeof(struct kaudit_record),
658 8192,
659 "audit_zone");
660
661 /* Initialize the BSM audit subsystem. */
662 kau_init();
663 }
664
665 static void
666 audit_rotate_vnode(kauth_cred_t cred, struct vnode *vp)
667 {
668 int ret;
669
670 /*
671 * If other parallel log replacements have been requested, we wait
672 * until they've finished before continuing.
673 */
674 mutex_lock(audit_mtx);
675 while (audit_replacement_flag != 0) {
676
677 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
678 "flag\n"));
679 ret = wait_queue_assert_wait(audit_wait_queue,
680 AUDIT_REPLACEMENT_EVENT,
681 THREAD_UNINT,
682 0);
683 mutex_unlock(audit_mtx);
684
685 assert(ret == THREAD_WAITING);
686 ret = thread_block(THREAD_CONTINUE_NULL);
687 assert(ret == THREAD_AWAKENED);
688 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
689 audit_replacement_flag));
690
691 mutex_lock(audit_mtx);
692 }
693 audit_replacement_cred = cred;
694 audit_replacement_flag = 1;
695 audit_replacement_vp = vp;
696
697 /*
698 * Start or wake up the audit worker to perform the exchange.
699 * It will have to wait until we release the mutex.
700 */
701 if (audit_worker_thread == THREAD_NULL)
702 audit_worker_thread = kernel_thread(kernel_task,
703 audit_worker);
704 else
705 wait_queue_wakeup_one(audit_wait_queue,
706 AUDIT_WORKER_EVENT,
707 THREAD_AWAKENED);
708
709 /*
710 * Wait for the audit_worker to broadcast that a replacement has
711 * taken place; we know that once this has happened, our vnode
712 * has been replaced in, so we can return successfully.
713 */
714 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
715 "replacement\n"));
716 ret = wait_queue_assert_wait(audit_wait_queue,
717 AUDIT_REPLACEMENT_EVENT,
718 THREAD_UNINT,
719 0);
720 mutex_unlock(audit_mtx);
721
722 assert(ret == THREAD_WAITING);
723 ret = thread_block(THREAD_CONTINUE_NULL);
724 assert(ret == THREAD_AWAKENED);
725 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
726 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
727
728 audit_file_rotate_wait = 0; /* We can now request another rotation */
729 }
730
731 /*
732 * Drain the audit queue and close the log at shutdown.
733 */
734 void
735 audit_shutdown(void)
736 {
737 audit_rotate_vnode(NULL, NULL);
738 }
739
740 static __inline__ struct uthread *
741 curuthread(void)
742 {
743 return (get_bsdthread_info(current_thread()));
744 }
745
746 static __inline__ struct kaudit_record *
747 currecord(void)
748 {
749 return (curuthread()->uu_ar);
750 }
751
752 /**********************************
753 * Begin system calls. *
754 **********************************/
755 /*
756 * System call to allow a user space application to submit a BSM audit
757 * record to the kernel for inclusion in the audit log. This function
758 * does little verification on the audit record that is submitted.
759 *
760 * XXXAUDIT: Audit preselection for user records does not currently
761 * work, since we pre-select only based on the AUE_audit event type,
762 * not the event type submitted as part of the user audit data.
763 */
764 /* ARGSUSED */
765 int
766 audit(struct proc *p, struct audit_args *uap, __unused register_t *retval)
767 {
768 int error;
769 void * rec;
770 struct kaudit_record *ar;
771 struct uthread *uthr;
772
773 error = suser(kauth_cred_get(), &p->p_acflag);
774 if (error)
775 return (error);
776
777 if ((uap->length <= 0) || (uap->length > (int)audit_qctrl.aq_bufsz))
778 return (EINVAL);
779
780 ar = currecord();
781
782 /* If there's no current audit record (audit() itself not audited)
783 * commit the user audit record.
784 */
785 if (ar == NULL) {
786 uthr = curuthread();
787 if (uthr == NULL) /* can this happen? */
788 return (ENOTSUP);
789
790 /* This is not very efficient; we're required to allocate
791 * a complete kernel audit record just so the user record
792 * can tag along.
793 */
794 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
795 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
796 return (ENOTSUP);
797 ar = uthr->uu_ar;
798 }
799
800 if (uap->length > MAX_AUDIT_RECORD_SIZE)
801 return (EINVAL);
802
803 rec = (void *)kalloc((vm_size_t)uap->length);
804
805 error = copyin(uap->record, rec, uap->length);
806 if (error)
807 goto free_out;
808
809 /* Verify the record */
810 if (bsm_rec_verify(rec) == 0) {
811 error = EINVAL;
812 goto free_out;
813 }
814
815 /* Attach the user audit record to the kernel audit record. Because
816 * this system call is an auditable event, we will write the user
817 * record along with the record for this audit event.
818 */
819 ar->k_udata = rec;
820 ar->k_ar_commit |= AR_COMMIT_USER;
821 ar->k_ulen = uap->length;
822 return (0);
823
824 free_out:
825 /* audit_syscall_exit() will free the audit record on the thread
826 * even if we allocated it above.
827 */
828 kfree(rec, uap->length);
829 return (error);
830 }
831
832 /*
833 * System call to manipulate auditing.
834 */
835 /* ARGSUSED */
836 int
837 auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t *retval)
838 {
839 int ret;
840 int len;
841 union auditon_udata udata;
842 struct proc *tp;
843
844 AUDIT_ARG(cmd, uap->cmd);
845 ret = suser(kauth_cred_get(), &p->p_acflag);
846 if (ret)
847 return (ret);
848
849 len = uap->length;
850 if ((len <= 0) || (len > (int)sizeof(union auditon_udata)))
851 return (EINVAL);
852
853 memset((void *)&udata, 0, sizeof(udata));
854
855 switch (uap->cmd) {
856 /* Some of the GET commands use the arguments too */
857 case A_SETPOLICY:
858 case A_SETKMASK:
859 case A_SETQCTRL:
860 case A_SETSTAT:
861 case A_SETUMASK:
862 case A_SETSMASK:
863 case A_SETCOND:
864 case A_SETCLASS:
865 case A_SETPMASK:
866 case A_SETFSIZE:
867 case A_SETKAUDIT:
868 case A_GETCLASS:
869 case A_GETPINFO:
870 case A_GETPINFO_ADDR:
871 ret = copyin(uap->data, (void *)&udata, uap->length);
872 if (ret)
873 return (ret);
874 AUDIT_ARG(auditon, &udata);
875 break;
876 }
877
878 /* XXX Need to implement these commands by accessing the global
879 * values associated with the commands.
880 */
881 switch (uap->cmd) {
882 case A_GETPOLICY:
883 if (!audit_fail_stop)
884 udata.au_policy |= AUDIT_CNT;
885 if (audit_panic_on_write_fail)
886 udata.au_policy |= AUDIT_AHLT;
887 break;
888 case A_SETPOLICY:
889 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
890 return (EINVAL);
891 /*
892 * XXX - Need to wake up waiters if the policy relaxes?
893 */
894 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
895 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
896 break;
897 case A_GETKMASK:
898 udata.au_mask = audit_nae_mask;
899 break;
900 case A_SETKMASK:
901 audit_nae_mask = udata.au_mask;
902 break;
903 case A_GETQCTRL:
904 udata.au_qctrl = audit_qctrl;
905 break;
906 case A_SETQCTRL:
907 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
908 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
909 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
910 (udata.au_qctrl.aq_minfree < 0) ||
911 (udata.au_qctrl.aq_minfree > 100))
912 return (EINVAL);
913
914 audit_qctrl = udata.au_qctrl;
915 /* XXX The queue delay value isn't used with the kernel. */
916 audit_qctrl.aq_delay = -1;
917 break;
918 case A_GETCWD:
919 return (ENOSYS);
920 break;
921 case A_GETCAR:
922 return (ENOSYS);
923 break;
924 case A_GETSTAT:
925 return (ENOSYS);
926 break;
927 case A_SETSTAT:
928 return (ENOSYS);
929 break;
930 case A_SETUMASK:
931 return (ENOSYS);
932 break;
933 case A_SETSMASK:
934 return (ENOSYS);
935 break;
936 case A_GETCOND:
937 if (audit_enabled && !audit_suspended)
938 udata.au_cond = AUC_AUDITING;
939 else
940 udata.au_cond = AUC_NOAUDIT;
941 break;
942 case A_SETCOND:
943 if (udata.au_cond == AUC_NOAUDIT)
944 audit_suspended = 1;
945 if (udata.au_cond == AUC_AUDITING)
946 audit_suspended = 0;
947 if (udata.au_cond == AUC_DISABLED) {
948 audit_suspended = 1;
949 audit_shutdown();
950 }
951 break;
952 case A_GETCLASS:
953 udata.au_evclass.ec_class =
954 au_event_class(udata.au_evclass.ec_number);
955 break;
956 case A_SETCLASS:
957 au_evclassmap_insert(udata.au_evclass.ec_number,
958 udata.au_evclass.ec_class);
959 break;
960 case A_GETPINFO:
961 if (udata.au_aupinfo.ap_pid < 1)
962 return (EINVAL);
963 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
964 return (EINVAL);
965
966 udata.au_aupinfo.ap_auid = tp->p_ucred->cr_au.ai_auid;
967 udata.au_aupinfo.ap_mask.am_success =
968 tp->p_ucred->cr_au.ai_mask.am_success;
969 udata.au_aupinfo.ap_mask.am_failure =
970 tp->p_ucred->cr_au.ai_mask.am_failure;
971 udata.au_aupinfo.ap_termid.machine =
972 tp->p_ucred->cr_au.ai_termid.machine;
973 udata.au_aupinfo.ap_termid.port =
974 tp->p_ucred->cr_au.ai_termid.port;
975 udata.au_aupinfo.ap_asid = tp->p_ucred->cr_au.ai_asid;
976 break;
977 case A_SETPMASK:
978 if (udata.au_aupinfo.ap_pid < 1)
979 return (EINVAL);
980 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
981 return (EINVAL);
982
983 /*
984 * we are modifying the audit info in a credential so we need a new
985 * credential (or take another reference on an existing credential that
986 * matches our new one). We must do this because the audit info in the
987 * credential is used as part of our hash key. Get current credential
988 * in the target process and take a reference while we muck with it.
989 */
990 for (;;) {
991 kauth_cred_t my_cred, my_new_cred;
992 struct auditinfo temp_auditinfo;
993
994 my_cred = kauth_cred_proc_ref(tp);
995 /*
996 * Set the credential with new info. If there is no
997 * change, we get back the same credential we passed
998 * in; if there is a change, we drop the reference on
999 * the credential we passed in. The subsequent
1000 * compare is safe, because it is a pointer compare
1001 * rather than a contents compare.
1002 */
1003 temp_auditinfo = my_cred->cr_au;
1004 temp_auditinfo.ai_mask.am_success =
1005 udata.au_aupinfo.ap_mask.am_success;
1006 temp_auditinfo.ai_mask.am_failure =
1007 udata.au_aupinfo.ap_mask.am_failure;
1008 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1009
1010 if (my_cred != my_new_cred) {
1011 proc_lock(tp);
1012 /* need to protect for a race where another thread also changed
1013 * the credential after we took our reference. If p_ucred has
1014 * changed then we should restart this again with the new cred.
1015 */
1016 if (tp->p_ucred != my_cred) {
1017 proc_unlock(tp);
1018 kauth_cred_unref(&my_new_cred);
1019 /* try again */
1020 continue;
1021 }
1022 tp->p_ucred = my_new_cred;
1023 proc_unlock(tp);
1024 }
1025 /* drop old proc reference or our extra reference */
1026 kauth_cred_unref(&my_cred);
1027 break;
1028 }
1029 break;
1030 case A_SETFSIZE:
1031 if ((udata.au_fstat.af_filesz != 0) &&
1032 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
1033 return (EINVAL);
1034 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
1035 break;
1036 case A_GETFSIZE:
1037 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
1038 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
1039 break;
1040 case A_GETPINFO_ADDR:
1041 return (ENOSYS);
1042 break;
1043 case A_GETKAUDIT:
1044 return (ENOSYS);
1045 break;
1046 case A_SETKAUDIT:
1047 return (ENOSYS);
1048 break;
1049 }
1050 /* Copy data back to userspace for the GET comands */
1051 switch (uap->cmd) {
1052 case A_GETPOLICY:
1053 case A_GETKMASK:
1054 case A_GETQCTRL:
1055 case A_GETCWD:
1056 case A_GETCAR:
1057 case A_GETSTAT:
1058 case A_GETCOND:
1059 case A_GETCLASS:
1060 case A_GETPINFO:
1061 case A_GETFSIZE:
1062 case A_GETPINFO_ADDR:
1063 case A_GETKAUDIT:
1064 ret = copyout((void *)&udata, uap->data, uap->length);
1065 if (ret)
1066 return (ret);
1067 break;
1068 }
1069
1070 return (0);
1071 }
1072
1073 /*
1074 * System calls to manage the user audit information.
1075 * XXXAUDIT May need to lock the proc structure.
1076 */
1077 /* ARGSUSED */
1078 int
1079 getauid(struct proc *p, struct getauid_args *uap, __unused register_t *retval)
1080 {
1081 int error;
1082
1083 error = copyout((void *)&kauth_cred_get()->cr_au.ai_auid,
1084 uap->auid, sizeof(au_id_t));
1085 if (error)
1086 return (error);
1087
1088 return (0);
1089 }
1090
1091 /* ARGSUSED */
1092 int
1093 setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval)
1094 {
1095 int error;
1096 au_id_t temp_au_id;
1097
1098 error = suser(kauth_cred_get(), &p->p_acflag);
1099 if (error)
1100 return (error);
1101
1102 error = copyin(uap->auid,
1103 (void *)&temp_au_id,
1104 sizeof(au_id_t));
1105 if (error)
1106 return (error);
1107
1108 /*
1109 * we are modifying the audit info in a credential so we need a new
1110 * credential (or take another reference on an existing credential that
1111 * matches our new one). We must do this because the audit info in the
1112 * credential is used as part of our hash key. Get current credential
1113 * in the target process and take a reference while we muck with it.
1114 */
1115 for (;;) {
1116 kauth_cred_t my_cred, my_new_cred;
1117 struct auditinfo temp_auditinfo;
1118
1119 my_cred = kauth_cred_proc_ref(p);
1120 /*
1121 * Set the credential with new info. If there is no change,
1122 * we get back the same credential we passed in; if there is
1123 * a change, we drop the reference on the credential we
1124 * passed in. The subsequent compare is safe, because it is
1125 * a pointer compare rather than a contents compare.
1126 */
1127 temp_auditinfo = my_cred->cr_au;
1128 temp_auditinfo.ai_auid = temp_au_id;
1129 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1130
1131 if (my_cred != my_new_cred) {
1132 proc_lock(p);
1133 /* need to protect for a race where another thread also changed
1134 * the credential after we took our reference. If p_ucred has
1135 * changed then we should restart this again with the new cred.
1136 */
1137 if (p->p_ucred != my_cred) {
1138 proc_unlock(p);
1139 kauth_cred_unref(&my_new_cred);
1140 /* try again */
1141 continue;
1142 }
1143 p->p_ucred = my_new_cred;
1144 proc_unlock(p);
1145 }
1146 /* drop old proc reference or our extra reference */
1147 kauth_cred_unref(&my_cred);
1148 break;
1149 }
1150
1151 /* propagate the change from the process to Mach task */
1152 set_security_token(p);
1153
1154 audit_arg_auid(kauth_cred_get()->cr_au.ai_auid);
1155 return (0);
1156 }
1157
1158 /*
1159 * System calls to get and set process audit information.
1160 * If the caller is privileged, they get the whole set of
1161 * audit information. Otherwise, the real audit mask is
1162 * filtered out - but the rest of the information is
1163 * returned.
1164 */
1165 /* ARGSUSED */
1166 int
1167 getaudit(struct proc *p, struct getaudit_args *uap, __unused register_t *retval)
1168 {
1169 struct auditinfo ai;
1170 int error;
1171
1172 ai = kauth_cred_get()->cr_au;
1173
1174 /* only superuser gets to see the real mask */
1175 error = suser(kauth_cred_get(), &p->p_acflag);
1176 if (error) {
1177 ai.ai_mask.am_success = ~0;
1178 ai.ai_mask.am_failure = ~0;
1179 }
1180
1181 error = copyout(&ai, uap->auditinfo, sizeof(ai));
1182 if (error)
1183 return (error);
1184
1185 return (0);
1186 }
1187
1188 /* ARGSUSED */
1189 int
1190 setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval)
1191 {
1192 int error;
1193 struct auditinfo temp_auditinfo;
1194 kauth_cred_t safecred;
1195
1196 error = suser(kauth_cred_get(), &p->p_acflag);
1197 if (error)
1198 return (error);
1199
1200 error = copyin(uap->auditinfo,
1201 (void *)&temp_auditinfo,
1202 sizeof(temp_auditinfo));
1203 if (error)
1204 return (error);
1205
1206 /*
1207 * we are modifying the audit info in a credential so we need a new
1208 * credential (or take another reference on an existing credential that
1209 * matches our new one). We must do this because the audit info in the
1210 * credential is used as part of our hash key. Get current credential
1211 * in the target process and take a reference while we muck with it.
1212 */
1213 for (;;) {
1214 kauth_cred_t my_cred, my_new_cred;
1215
1216 my_cred = kauth_cred_proc_ref(p);
1217 /*
1218 * Set the credential with new info. If there is no change,
1219 * we get back the same credential we passed in; if there is
1220 * a change, we drop the reference on the credential we
1221 * passed in. The subsequent compare is safe, because it is
1222 * a pointer compare rather than a contents compare.
1223 */
1224 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1225
1226 if (my_cred != my_new_cred) {
1227 proc_lock(p);
1228 /* need to protect for a race where another thread also changed
1229 * the credential after we took our reference. If p_ucred has
1230 * changed then we should restart this again with the new cred.
1231 */
1232 if (p->p_ucred != my_cred) {
1233 proc_unlock(p);
1234 kauth_cred_unref(&my_new_cred);
1235 /* try again */
1236 continue;
1237 }
1238 p->p_ucred = my_new_cred;
1239 proc_unlock(p);
1240 }
1241 /* drop old proc reference or our extra reference */
1242 kauth_cred_unref(&my_cred);
1243 break;
1244 }
1245
1246 /* propagate the change from the process to Mach task */
1247 set_security_token(p);
1248
1249 safecred = kauth_cred_proc_ref(p);
1250 audit_arg_auditinfo(&safecred->cr_au);
1251 kauth_cred_unref(&safecred);
1252
1253 return (0);
1254 }
1255
1256 /* ARGSUSED */
1257 int
1258 getaudit_addr(struct proc *p, __unused struct getaudit_addr_args *uap, __unused register_t *retval)
1259 {
1260 return (ENOSYS);
1261 }
1262
1263 /* ARGSUSED */
1264 int
1265 setaudit_addr(struct proc *p, __unused struct setaudit_addr_args *uap, __unused register_t *retval)
1266 {
1267 int error;
1268
1269 error = suser(kauth_cred_get(), &p->p_acflag);
1270 if (error)
1271 return (error);
1272 return (ENOSYS);
1273 }
1274
1275 /*
1276 * Syscall to manage audit files.
1277 *
1278 */
1279 /* ARGSUSED */
1280 int
1281 auditctl(struct proc *p, struct auditctl_args *uap, __unused register_t *retval)
1282 {
1283 struct nameidata nd;
1284 kauth_cred_t cred;
1285 struct vnode *vp;
1286 int error, flags;
1287 struct vfs_context context;
1288
1289 context.vc_proc = p;
1290 context.vc_ucred = kauth_cred_get();
1291
1292 error = suser(kauth_cred_get(), &p->p_acflag);
1293 if (error)
1294 return (error);
1295
1296 vp = NULL;
1297 cred = NULL;
1298
1299 /*
1300 * If a path is specified, open the replacement vnode, perform
1301 * validity checks, and grab another reference to the current
1302 * credential.
1303 */
1304 if (uap->path != 0) {
1305 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1306 (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
1307 uap->path, &context);
1308 flags = audit_open_flags;
1309 error = vn_open(&nd, flags, 0);
1310 if (error)
1311 goto out;
1312 vp = nd.ni_vp;
1313 if (vp->v_type != VREG) {
1314 vn_close(vp, audit_close_flags, kauth_cred_get(), p);
1315 vnode_put(vp);
1316 error = EINVAL;
1317 goto out;
1318 }
1319 cred = kauth_cred_get_with_ref();
1320 audit_suspended = 0;
1321 }
1322 /*
1323 * a vp and cred of NULL is valid at this point
1324 * and indicates we're to turn off auditing...
1325 */
1326 audit_rotate_vnode(cred, vp);
1327 if (vp)
1328 vnode_put(vp);
1329 out:
1330 return (error);
1331 }
1332
1333 /**********************************
1334 * End of system calls. *
1335 **********************************/
1336
1337 /*
1338 * MPSAFE
1339 */
1340 struct kaudit_record *
1341 audit_new(int event, struct proc *p, __unused struct uthread *uthread)
1342 {
1343 struct kaudit_record *ar;
1344 int no_record;
1345 kauth_cred_t safecred;
1346
1347 /*
1348 * Eventually, there may be certain classes of events that
1349 * we will audit regardless of the audit state at the time
1350 * the record is created. These events will generally
1351 * correspond to changes in the audit state. The dummy
1352 * code below is from our first prototype, but may also
1353 * be used in the final version (with modified event numbers).
1354 */
1355 #if 0
1356 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1357 #endif
1358 mutex_lock(audit_mtx);
1359 no_record = (audit_suspended || !audit_enabled);
1360 mutex_unlock(audit_mtx);
1361 if (no_record)
1362 return (NULL);
1363 #if 0
1364 }
1365 #endif
1366
1367 /*
1368 * Initialize the audit record header.
1369 * XXX: We may want to fail-stop if allocation fails.
1370 * XXX: The number of outstanding uncommitted audit records is
1371 * limited by the number of concurrent threads servicing system
1372 * calls in the kernel.
1373 */
1374
1375 ar = (struct kaudit_record *)zalloc(audit_zone);
1376 if (ar == NULL)
1377 return NULL;
1378
1379 mutex_lock(audit_mtx);
1380 audit_pre_q_len++;
1381 mutex_unlock(audit_mtx);
1382
1383 bzero(ar, sizeof(*ar));
1384 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1385 ar->k_ar.ar_event = event;
1386 nanotime(&ar->k_ar.ar_starttime);
1387
1388 safecred = kauth_cred_proc_ref(p);
1389 /* Export the subject credential. */
1390 cru2x(safecred, &ar->k_ar.ar_subj_cred);
1391
1392 ar->k_ar.ar_subj_ruid = safecred->cr_ruid;
1393 ar->k_ar.ar_subj_rgid = safecred->cr_rgid;
1394 ar->k_ar.ar_subj_egid = safecred->cr_groups[0];
1395 ar->k_ar.ar_subj_auid = safecred->cr_au.ai_auid;
1396 ar->k_ar.ar_subj_asid = safecred->cr_au.ai_asid;
1397 ar->k_ar.ar_subj_amask = safecred->cr_au.ai_mask;
1398 ar->k_ar.ar_subj_term = safecred->cr_au.ai_termid;
1399 kauth_cred_unref(&safecred);
1400
1401 ar->k_ar.ar_subj_pid = p->p_pid;
1402 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
1403
1404 return (ar);
1405 }
1406
1407 /*
1408 * MPSAFE
1409 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1410 */
1411 void
1412 audit_abort(struct kaudit_record *ar)
1413 {
1414 mutex_lock(audit_mtx);
1415 audit_pre_q_len--;
1416 mutex_unlock(audit_mtx);
1417 audit_free(ar);
1418 }
1419
1420 /*
1421 * MPSAFE
1422 */
1423 void
1424 audit_commit(struct kaudit_record *ar, int error, int retval)
1425 {
1426 int ret;
1427 int sorf;
1428 struct au_mask *aumask;
1429
1430 if (ar == NULL)
1431 return;
1432
1433 /*
1434 * Decide whether to commit the audit record by checking the
1435 * error value from the system call and using the appropriate
1436 * audit mask.
1437 */
1438 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1439 aumask = &audit_nae_mask;
1440 else
1441 aumask = &ar->k_ar.ar_subj_amask;
1442
1443 if (error)
1444 sorf = AU_PRS_FAILURE;
1445 else
1446 sorf = AU_PRS_SUCCESS;
1447
1448 switch(ar->k_ar.ar_event) {
1449
1450 case AUE_OPEN_RWTC:
1451 /* The open syscall always writes a OPEN_RWTC event; limit the
1452 * to the proper type of event based on the flags and the error
1453 * value.
1454 */
1455 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1456 break;
1457
1458 case AUE_SYSCTL:
1459 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1460 break;
1461
1462 case AUE_AUDITON:
1463 /* Convert the auditon() command to an event */
1464 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1465 break;
1466 }
1467
1468 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1469 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1470
1471 if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
1472 mutex_lock(audit_mtx);
1473 audit_pre_q_len--;
1474 mutex_unlock(audit_mtx);
1475 audit_free(ar);
1476 return;
1477 }
1478
1479 ar->k_ar.ar_errno = error;
1480 ar->k_ar.ar_retval = retval;
1481
1482 /*
1483 * We might want to do some system-wide post-filtering
1484 * here at some point.
1485 */
1486
1487 /*
1488 * Timestamp system call end.
1489 */
1490 nanotime(&ar->k_ar.ar_endtime);
1491
1492 mutex_lock(audit_mtx);
1493 /*
1494 * Note: it could be that some records initiated while audit was
1495 * enabled should still be committed?
1496 */
1497 if (audit_suspended || !audit_enabled) {
1498 audit_pre_q_len--;
1499 mutex_unlock(audit_mtx);
1500 audit_free(ar);
1501 return;
1502 }
1503
1504 /*
1505 * Constrain the number of committed audit records based on
1506 * the configurable parameter.
1507 */
1508 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1509
1510 ret = wait_queue_assert_wait(audit_wait_queue,
1511 AUDIT_COMMIT_EVENT,
1512 THREAD_UNINT,
1513 0);
1514 mutex_unlock(audit_mtx);
1515
1516 assert(ret == THREAD_WAITING);
1517
1518 ret = thread_block(THREAD_CONTINUE_NULL);
1519 assert(ret == THREAD_AWAKENED);
1520 mutex_lock(audit_mtx);
1521 }
1522
1523 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
1524 audit_q_len++;
1525 audit_pre_q_len--;
1526 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
1527 mutex_unlock(audit_mtx);
1528 }
1529
1530 /*
1531 * Calls to set up and tear down audit structures associated with
1532 * each system call.
1533 */
1534 void
1535 audit_syscall_enter(unsigned short code, struct proc *proc,
1536 struct uthread *uthread)
1537 {
1538 int audit_event;
1539 struct au_mask *aumask;
1540
1541 audit_event = sys_au_event[code];
1542 if (audit_event == AUE_NULL)
1543 return;
1544
1545 assert(uthread->uu_ar == NULL);
1546
1547 /* Check which audit mask to use; either the kernel non-attributable
1548 * event mask or the process audit mask.
1549 */
1550 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1551 aumask = &audit_nae_mask;
1552 else
1553 aumask = &proc->p_ucred->cr_au.ai_mask;
1554
1555 /*
1556 * Allocate an audit record, if preselection allows it, and store
1557 * in the BSD thread for later use.
1558 */
1559 if (au_preselect(audit_event, aumask,
1560 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1561 /*
1562 * If we're out of space and need to suspend unprivileged
1563 * processes, do that here rather than trying to allocate
1564 * another audit record.
1565 */
1566 if (audit_in_failure &&
1567 suser(kauth_cred_get(), &proc->p_acflag) != 0) {
1568 int ret;
1569
1570 assert(audit_worker_thread != THREAD_NULL);
1571 ret = wait_queue_assert_wait(audit_wait_queue,
1572 AUDIT_FAILURE_EVENT, THREAD_UNINT, 0);
1573 assert(ret == THREAD_WAITING);
1574 (void)thread_block(THREAD_CONTINUE_NULL);
1575 panic("audit_failing_stop: thread continued");
1576 }
1577 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1578 } else {
1579 uthread->uu_ar = NULL;
1580 }
1581 }
1582
1583 void
1584 audit_syscall_exit(int error, AUDIT_PRINTF_ONLY struct proc *proc, struct uthread *uthread)
1585 {
1586 int retval;
1587
1588 /*
1589 * Commit the audit record as desired; once we pass the record
1590 * into audit_commit(), the memory is owned by the audit
1591 * subsystem.
1592 * The return value from the system call is stored on the user
1593 * thread. If there was an error, the return value is set to -1,
1594 * imitating the behavior of the cerror routine.
1595 */
1596 if (error)
1597 retval = -1;
1598 else
1599 retval = uthread->uu_rval[0];
1600
1601 audit_commit(uthread->uu_ar, error, retval);
1602 if (uthread->uu_ar != NULL) {
1603 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1604 }
1605 uthread->uu_ar = NULL;
1606
1607 }
1608
1609 /*
1610 * Calls to set up and tear down audit structures used during Mach
1611 * system calls.
1612 */
1613 void
1614 audit_mach_syscall_enter(unsigned short audit_event)
1615 {
1616 struct uthread *uthread;
1617 struct proc *proc;
1618 struct au_mask *aumask;
1619
1620 if (audit_event == AUE_NULL)
1621 return;
1622
1623 uthread = curuthread();
1624 if (uthread == NULL)
1625 return;
1626
1627 proc = current_proc();
1628 if (proc == NULL)
1629 return;
1630
1631 assert(uthread->uu_ar == NULL);
1632
1633 /* Check which audit mask to use; either the kernel non-attributable
1634 * event mask or the process audit mask.
1635 */
1636 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1637 aumask = &audit_nae_mask;
1638 else
1639 aumask = &proc->p_ucred->cr_au.ai_mask;
1640
1641 /*
1642 * Allocate an audit record, if desired, and store in the BSD
1643 * thread for later use.
1644 */
1645 if (au_preselect(audit_event, aumask,
1646 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1647 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1648 } else {
1649 uthread->uu_ar = NULL;
1650 }
1651 }
1652
1653 void
1654 audit_mach_syscall_exit(int retval, struct uthread *uthread)
1655 {
1656 /* The error code from Mach system calls is the same as the
1657 * return value
1658 */
1659 /* XXX Is the above statement always true? */
1660 audit_commit(uthread->uu_ar, retval, retval);
1661 uthread->uu_ar = NULL;
1662
1663 }
1664
1665 /*
1666 * Calls to manipulate elements of the audit record structure from system
1667 * call code. Macro wrappers will prevent this functions from being
1668 * entered if auditing is disabled, avoiding the function call cost. We
1669 * check the thread audit record pointer anyway, as the audit condition
1670 * could change, and pre-selection may not have allocated an audit
1671 * record for this event.
1672 */
1673 void
1674 audit_arg_addr(user_addr_t addr)
1675 {
1676 struct kaudit_record *ar;
1677
1678 ar = currecord();
1679 if (ar == NULL)
1680 return;
1681
1682 ar->k_ar.ar_arg_addr = CAST_DOWN(void *, addr); /* XXX */
1683 ar->k_ar.ar_valid_arg |= ARG_ADDR;
1684 }
1685
1686 void
1687 audit_arg_len(user_size_t len)
1688 {
1689 struct kaudit_record *ar;
1690
1691 ar = currecord();
1692 if (ar == NULL)
1693 return;
1694
1695 ar->k_ar.ar_arg_len = CAST_DOWN(int, len); /* XXX */
1696 ar->k_ar.ar_valid_arg |= ARG_LEN;
1697 }
1698
1699 void
1700 audit_arg_fd(int fd)
1701 {
1702 struct kaudit_record *ar;
1703
1704 ar = currecord();
1705 if (ar == NULL)
1706 return;
1707
1708 ar->k_ar.ar_arg_fd = fd;
1709 ar->k_ar.ar_valid_arg |= ARG_FD;
1710 }
1711
1712 void
1713 audit_arg_fflags(int fflags)
1714 {
1715 struct kaudit_record *ar;
1716
1717 ar = currecord();
1718 if (ar == NULL)
1719 return;
1720
1721 ar->k_ar.ar_arg_fflags = fflags;
1722 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1723 }
1724
1725 void
1726 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1727 {
1728 struct kaudit_record *ar;
1729
1730 ar = currecord();
1731 if (ar == NULL)
1732 return;
1733
1734 ar->k_ar.ar_arg_gid = gid;
1735 ar->k_ar.ar_arg_egid = egid;
1736 ar->k_ar.ar_arg_rgid = rgid;
1737 ar->k_ar.ar_arg_sgid = sgid;
1738 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1739 }
1740
1741 void
1742 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1743 {
1744 struct kaudit_record *ar;
1745
1746 ar = currecord();
1747 if (ar == NULL)
1748 return;
1749
1750 ar->k_ar.ar_arg_uid = uid;
1751 ar->k_ar.ar_arg_euid = euid;
1752 ar->k_ar.ar_arg_ruid = ruid;
1753 ar->k_ar.ar_arg_suid = suid;
1754 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1755 }
1756
1757 void
1758 audit_arg_groupset(const gid_t *gidset, u_int gidset_size)
1759 {
1760 uint i;
1761 struct kaudit_record *ar;
1762
1763 ar = currecord();
1764 if (ar == NULL)
1765 return;
1766
1767 for (i = 0; i < gidset_size; i++)
1768 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1769 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1770 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1771 }
1772
1773 void
1774 audit_arg_login(const char *login)
1775 {
1776 struct kaudit_record *ar;
1777
1778 ar = currecord();
1779 if (ar == NULL)
1780 return;
1781
1782 #if 0
1783 /*
1784 * XXX: Add strlcpy() to Darwin for improved safety.
1785 */
1786 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1787 #else
1788 strcpy(ar->k_ar.ar_arg_login, login);
1789 #endif
1790
1791 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1792 }
1793
1794 void
1795 audit_arg_ctlname(const int *name, int namelen)
1796 {
1797 struct kaudit_record *ar;
1798
1799 ar = currecord();
1800 if (ar == NULL)
1801 return;
1802
1803 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1804 ar->k_ar.ar_arg_len = namelen;
1805 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1806 }
1807
1808 void
1809 audit_arg_mask(int mask)
1810 {
1811 struct kaudit_record *ar;
1812
1813 ar = currecord();
1814 if (ar == NULL)
1815 return;
1816
1817 ar->k_ar.ar_arg_mask = mask;
1818 ar->k_ar.ar_valid_arg |= ARG_MASK;
1819 }
1820
1821 void
1822 audit_arg_mode(mode_t mode)
1823 {
1824 struct kaudit_record *ar;
1825
1826 ar = currecord();
1827 if (ar == NULL)
1828 return;
1829
1830 ar->k_ar.ar_arg_mode = mode;
1831 ar->k_ar.ar_valid_arg |= ARG_MODE;
1832 }
1833
1834 void
1835 audit_arg_dev(int dev)
1836 {
1837 struct kaudit_record *ar;
1838
1839 ar = currecord();
1840 if (ar == NULL)
1841 return;
1842
1843 ar->k_ar.ar_arg_dev = dev;
1844 ar->k_ar.ar_valid_arg |= ARG_DEV;
1845 }
1846
1847 void
1848 audit_arg_value(long value)
1849 {
1850 struct kaudit_record *ar;
1851
1852 ar = currecord();
1853 if (ar == NULL)
1854 return;
1855
1856 ar->k_ar.ar_arg_value = value;
1857 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1858 }
1859
1860 void
1861 audit_arg_owner(uid_t uid, gid_t gid)
1862 {
1863 struct kaudit_record *ar;
1864
1865 ar = currecord();
1866 if (ar == NULL)
1867 return;
1868
1869 ar->k_ar.ar_arg_uid = uid;
1870 ar->k_ar.ar_arg_gid = gid;
1871 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1872 }
1873
1874 void
1875 audit_arg_pid(pid_t pid)
1876 {
1877 struct kaudit_record *ar;
1878
1879 ar = currecord();
1880 if (ar == NULL)
1881 return;
1882
1883 ar->k_ar.ar_arg_pid = pid;
1884 ar->k_ar.ar_valid_arg |= ARG_PID;
1885 }
1886
1887 void
1888 audit_arg_process(struct proc *p)
1889 {
1890 struct kaudit_record *ar;
1891
1892 ar = currecord();
1893 if ((ar == NULL) || (p == NULL))
1894 return;
1895
1896 ar->k_ar.ar_arg_auid = p->p_ucred->cr_au.ai_auid;
1897 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1898 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
1899 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
1900 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
1901 ar->k_ar.ar_arg_asid = p->p_ucred->cr_au.ai_asid;
1902 ar->k_ar.ar_arg_termid = p->p_ucred->cr_au.ai_termid;
1903
1904 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1905 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
1906 }
1907
1908 void
1909 audit_arg_signum(u_int signum)
1910 {
1911 struct kaudit_record *ar;
1912
1913 ar = currecord();
1914 if (ar == NULL)
1915 return;
1916
1917 ar->k_ar.ar_arg_signum = signum;
1918 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1919 }
1920
1921 void
1922 audit_arg_socket(int sodomain, int sotype, int soprotocol)
1923 {
1924
1925 struct kaudit_record *ar;
1926
1927 ar = currecord();
1928 if (ar == NULL)
1929 return;
1930
1931 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1932 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1933 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
1934 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1935 }
1936
1937 void
1938 audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1939 {
1940 struct kaudit_record *ar;
1941
1942 ar = currecord();
1943 if (ar == NULL || p == NULL || so == NULL)
1944 return;
1945
1946 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1947 switch (so->sa_family) {
1948 case AF_INET:
1949 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1950 break;
1951 case AF_INET6:
1952 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1953 break;
1954 case AF_UNIX:
1955 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1956 ARG_UPATH1);
1957 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1958 break;
1959 }
1960 }
1961
1962 void
1963 audit_arg_auid(uid_t auid)
1964 {
1965 struct kaudit_record *ar;
1966
1967 ar = currecord();
1968 if (ar == NULL)
1969 return;
1970
1971 ar->k_ar.ar_arg_auid = auid;
1972 ar->k_ar.ar_valid_arg |= ARG_AUID;
1973 }
1974
1975 void
1976 audit_arg_auditinfo(const struct auditinfo *au_info)
1977 {
1978 struct kaudit_record *ar;
1979
1980 ar = currecord();
1981 if (ar == NULL)
1982 return;
1983
1984 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1985 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1986 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1987 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1988 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1989 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1990 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1991 }
1992
1993 void
1994 audit_arg_text(const char *text)
1995 {
1996 struct kaudit_record *ar;
1997
1998 ar = currecord();
1999 if (ar == NULL)
2000 return;
2001
2002 /* Invalidate the text string */
2003 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
2004 if (text == NULL)
2005 return;
2006
2007 if (ar->k_ar.ar_arg_text == NULL) {
2008 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
2009 if (ar->k_ar.ar_arg_text == NULL)
2010 return;
2011 }
2012
2013 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
2014 ar->k_ar.ar_valid_arg |= ARG_TEXT;
2015 }
2016
2017 void
2018 audit_arg_cmd(int cmd)
2019 {
2020 struct kaudit_record *ar;
2021
2022 ar = currecord();
2023 if (ar == NULL)
2024 return;
2025
2026 ar->k_ar.ar_arg_cmd = cmd;
2027 ar->k_ar.ar_valid_arg |= ARG_CMD;
2028 }
2029
2030 void
2031 audit_arg_svipc_cmd(int cmd)
2032 {
2033 struct kaudit_record *ar;
2034
2035 ar = currecord();
2036 if (ar == NULL)
2037 return;
2038
2039 ar->k_ar.ar_arg_svipc_cmd = cmd;
2040 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
2041 }
2042
2043 void
2044 audit_arg_svipc_perm(const struct ipc_perm *perm)
2045 {
2046 struct kaudit_record *ar;
2047
2048 ar = currecord();
2049 if (ar == NULL)
2050 return;
2051
2052 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
2053 sizeof(ar->k_ar.ar_arg_svipc_perm));
2054 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
2055 }
2056
2057 void
2058 audit_arg_svipc_id(int id)
2059 {
2060 struct kaudit_record *ar;
2061
2062 ar = currecord();
2063 if (ar == NULL)
2064 return;
2065
2066 ar->k_ar.ar_arg_svipc_id = id;
2067 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
2068 }
2069
2070 void
2071 audit_arg_svipc_addr(void * addr)
2072 {
2073 struct kaudit_record *ar;
2074
2075 ar = currecord();
2076 if (ar == NULL)
2077 return;
2078
2079 ar->k_ar.ar_arg_svipc_addr = addr;
2080 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
2081 }
2082
2083 void
2084 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
2085 {
2086 struct kaudit_record *ar;
2087
2088 ar = currecord();
2089 if (ar == NULL)
2090 return;
2091
2092 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
2093 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
2094 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
2095 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
2096 }
2097
2098 void
2099 audit_arg_auditon(const union auditon_udata *udata)
2100 {
2101 struct kaudit_record *ar;
2102
2103 ar = currecord();
2104 if (ar == NULL)
2105 return;
2106
2107 bcopy((const void *)udata, &ar->k_ar.ar_arg_auditon,
2108 sizeof(ar->k_ar.ar_arg_auditon));
2109 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
2110 }
2111
2112 /*
2113 * Audit information about a file, either the file's vnode info, or its
2114 * socket address info.
2115 */
2116 void
2117 audit_arg_file(__unused struct proc *p, const struct fileproc *fp)
2118 {
2119 struct kaudit_record *ar;
2120 struct socket *so;
2121 struct inpcb *pcb;
2122
2123 if (fp->f_fglob->fg_type == DTYPE_VNODE) {
2124 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2125 return;
2126 }
2127
2128 if (fp->f_fglob->fg_type == DTYPE_SOCKET) {
2129 ar = currecord();
2130 if (ar == NULL)
2131 return;
2132 so = (struct socket *)fp->f_fglob->fg_data;
2133 if (INP_CHECK_SOCKAF(so, PF_INET)) {
2134 if (so->so_pcb == NULL)
2135 return;
2136 ar->k_ar.ar_arg_sockinfo.so_type =
2137 so->so_type;
2138 ar->k_ar.ar_arg_sockinfo.so_domain =
2139 INP_SOCKAF(so);
2140 ar->k_ar.ar_arg_sockinfo.so_protocol =
2141 so->so_proto->pr_protocol;
2142 pcb = (struct inpcb *)so->so_pcb;
2143 ar->k_ar.ar_arg_sockinfo.so_raddr =
2144 pcb->inp_faddr.s_addr;
2145 ar->k_ar.ar_arg_sockinfo.so_laddr =
2146 pcb->inp_laddr.s_addr;
2147 ar->k_ar.ar_arg_sockinfo.so_rport =
2148 pcb->inp_fport;
2149 ar->k_ar.ar_arg_sockinfo.so_lport =
2150 pcb->inp_lport;
2151 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2152 }
2153 }
2154
2155 }
2156
2157
2158 /*
2159 * Store a path as given by the user process for auditing into the audit
2160 * record stored on the user thread. This function will allocate the memory to
2161 * store the path info if not already available. This memory will be
2162 * freed when the audit record is freed.
2163 */
2164 void
2165 audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2166 {
2167 struct kaudit_record *ar;
2168 char **pathp;
2169
2170 if (p == NULL || upath == NULL)
2171 return; /* nothing to do! */
2172
2173 if ((flags & (ARG_UPATH1 | ARG_UPATH2)) == 0)
2174 return;
2175
2176 ar = currecord();
2177 if (ar == NULL) /* This will be the case for unaudited system calls */
2178 return;
2179
2180 if (flags & ARG_UPATH1) {
2181 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2182 pathp = &ar->k_ar.ar_arg_upath1;
2183 }
2184 else {
2185 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2186 pathp = &ar->k_ar.ar_arg_upath2;
2187 }
2188
2189 if (*pathp == NULL) {
2190 *pathp = (char *)kalloc(MAXPATHLEN);
2191 if (*pathp == NULL)
2192 return;
2193 }
2194
2195 if (canon_path(p, upath, *pathp) == 0) {
2196 if (flags & ARG_UPATH1)
2197 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2198 else
2199 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
2200 } else {
2201 kfree(*pathp, MAXPATHLEN);
2202 *pathp = NULL;
2203 }
2204 }
2205
2206 /*
2207 * Function to save the path and vnode attr information into the audit
2208 * record.
2209 *
2210 * It is assumed that the caller will hold any vnode locks necessary to
2211 * perform a VNOP_GETATTR() on the passed vnode.
2212 *
2213 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2214 * always provides access to the generation number as we need that
2215 * to construct the BSM file ID.
2216 * XXX: We should accept the process argument from the caller, since
2217 * it's very likely they already have a reference.
2218 * XXX: Error handling in this function is poor.
2219 */
2220 void
2221 audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2222 {
2223 struct kaudit_record *ar;
2224 struct vnode_attr va;
2225 int error;
2226 int len;
2227 char **pathp;
2228 struct vnode_au_info *vnp;
2229 struct proc *p;
2230 struct vfs_context context;
2231
2232 if (vp == NULL)
2233 return;
2234
2235 ar = currecord();
2236 if (ar == NULL) /* This will be the case for unaudited system calls */
2237 return;
2238
2239 if ((flags & (ARG_VNODE1 | ARG_VNODE2)) == 0)
2240 return;
2241
2242 p = current_proc();
2243
2244 if (flags & ARG_VNODE1) {
2245 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2246 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2247 pathp = &ar->k_ar.ar_arg_kpath1;
2248 vnp = &ar->k_ar.ar_arg_vnode1;
2249 }
2250 else {
2251 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2252 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2253 pathp = &ar->k_ar.ar_arg_kpath2;
2254 vnp = &ar->k_ar.ar_arg_vnode2;
2255 }
2256
2257 if (*pathp == NULL) {
2258 *pathp = (char *)kalloc(MAXPATHLEN);
2259 if (*pathp == NULL)
2260 return;
2261 }
2262
2263 /*
2264 * If vn_getpath() succeeds, place it in a string buffer
2265 * attached to the audit record, and set a flag indicating
2266 * it is present.
2267 */
2268 len = MAXPATHLEN;
2269 if (vn_getpath(vp, *pathp, &len) == 0) {
2270 if (flags & ARG_VNODE1)
2271 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2272 else
2273 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
2274 } else {
2275 kfree(*pathp, MAXPATHLEN);
2276 *pathp = NULL;
2277 }
2278
2279 context.vc_proc = p;
2280 context.vc_ucred = kauth_cred_get();
2281
2282 VATTR_INIT(&va);
2283 VATTR_WANTED(&va, va_mode);
2284 VATTR_WANTED(&va, va_uid);
2285 VATTR_WANTED(&va, va_gid);
2286 VATTR_WANTED(&va, va_rdev);
2287 VATTR_WANTED(&va, va_fsid);
2288 VATTR_WANTED(&va, va_fileid);
2289 VATTR_WANTED(&va, va_gen);
2290 error = vnode_getattr(vp, &va, &context);
2291 if (error) {
2292 /* XXX: How to handle this case? */
2293 return;
2294 }
2295
2296 /* XXX do we want to fall back here when these aren't supported? */
2297 vnp->vn_mode = va.va_mode;
2298 vnp->vn_uid = va.va_uid;
2299 vnp->vn_gid = va.va_gid;
2300 vnp->vn_dev = va.va_rdev;
2301 vnp->vn_fsid = va.va_fsid;
2302 vnp->vn_fileid = (u_long)va.va_fileid;
2303 vnp->vn_gen = va.va_gen;
2304 if (flags & ARG_VNODE1)
2305 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2306 else
2307 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2308
2309 }
2310
2311 void
2312 audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags)
2313 {
2314 if (vp == NULL || vnode_getwithref(vp))
2315 return;
2316 audit_arg_vnpath(vp, flags);
2317 (void)vnode_put(vp);
2318 }
2319
2320 void
2321 audit_arg_mach_port1(mach_port_name_t port)
2322 {
2323 struct kaudit_record *ar;
2324
2325 ar = currecord();
2326 if (ar == NULL)
2327 return;
2328
2329 ar->k_ar.ar_arg_mach_port1 = port;
2330 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2331 }
2332
2333 void
2334 audit_arg_mach_port2(mach_port_name_t port)
2335 {
2336 struct kaudit_record *ar;
2337
2338 ar = currecord();
2339 if (ar == NULL)
2340 return;
2341
2342 ar->k_ar.ar_arg_mach_port2 = port;
2343 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2344 }
2345
2346 /*
2347 * The close() system call uses it's own audit call to capture the
2348 * path/vnode information because those pieces are not easily obtained
2349 * within the system call itself.
2350 */
2351 void
2352 audit_sysclose(struct proc *p, int fd)
2353 {
2354 struct fileproc *fp;
2355 struct vnode *vp;
2356
2357 audit_arg_fd(fd);
2358
2359 if (fp_getfvp(p, fd, &fp, &vp) != 0)
2360 return;
2361
2362 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2363 file_drop(fd);
2364 }
2365
2366 #else /* !AUDIT */
2367
2368 void
2369 audit_init(void)
2370 {
2371
2372 }
2373
2374 void
2375 audit_shutdown(void)
2376 {
2377
2378 }
2379
2380 int
2381 audit(struct proc *p, struct audit_args *uap, register_t *retval)
2382 {
2383 return (ENOSYS);
2384 }
2385
2386 int
2387 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2388 {
2389 return (ENOSYS);
2390 }
2391
2392 int
2393 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2394 {
2395 return (ENOSYS);
2396 }
2397
2398 int
2399 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2400 {
2401 return (ENOSYS);
2402 }
2403
2404 int
2405 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2406 {
2407 return (ENOSYS);
2408 }
2409
2410 int
2411 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2412 {
2413 return (ENOSYS);
2414 }
2415
2416 int
2417 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2418 {
2419 return (ENOSYS);
2420 }
2421
2422 int
2423 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2424 {
2425 return (ENOSYS);
2426 }
2427
2428 int
2429 auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2430 {
2431 return (ENOSYS);
2432 }
2433
2434 #endif /* AUDIT */
mirror of XNU