]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_audit.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-517.7.7.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
1 /*
2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23 #include <sys/param.h>
24 #include <sys/file.h>
25 #include <sys/fcntl.h>
26 #include <sys/kernel.h>
27 #include <sys/lock.h>
28 #include <sys/namei.h>
29 #include <sys/proc.h>
30 #include <sys/queue.h>
31 #include <sys/systm.h>
32 #include <sys/time.h>
33 #include <sys/ucred.h>
34 #include <sys/uio.h>
35 #include <sys/unistd.h>
36 #include <sys/vnode.h>
37 #include <sys/user.h>
38 #include <sys/syscall.h>
39 #include <sys/malloc.h>
40 #include <sys/un.h>
41 #include <netinet/in.h>
42 #include <sys/socketvar.h>
43 #include <sys/protosw.h>
44 #include <sys/domain.h>
45 #include <sys/mount.h>
46 #include <net/route.h>
47 #include <netinet/in_pcb.h>
48
49 #include <bsm/audit.h>
50 #include <bsm/audit_kevents.h>
51 #include <bsm/audit_klib.h>
52 #include <bsm/audit_kernel.h>
53
54 #include <mach/message.h>
55 #include <mach/port.h>
56 #include <mach/host_special_ports.h>
57 #include <mach/audit_triggers.h>
58
59 #include <kern/lock.h>
60 #include <kern/wait_queue.h>
61 #include <kern/zalloc.h>
62 #include <kern/kalloc.h>
63
64 #include <audit.h>
65
66 #ifdef AUDIT
67
68 /*
69 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
70 * gratuitously noisy printf's to the console. Due to the
71 * volume, it should be left off unless you want your system
72 * to churn a lot whenever the audit record flow gets high.
73 */
74 /* #define AUDIT_EXCESSIVELY_VERBOSE */
75 #ifdef AUDIT_EXCESSIVELY_VERBOSE
76 #define AUDIT_PRINTF(x) printf x
77 #else
78 #define AUDIT_PRINTF(X)
79 #endif
80
81 #if DIAGNOSTIC
82 #if defined(assert)
83 #undef assert()
84 #endif
85 #define assert(cond) \
86 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
87 #else
88 #include <kern/assert.h>
89 #endif /* DIAGNOSTIC */
90
91 /*
92 * Define the audit control flags.
93 */
94 int audit_enabled;
95 int audit_suspended;
96
97 /*
98 * Mutex to protect global variables shared between various threads and
99 * processes.
100 */
101 static mutex_t *audit_mtx;
102
103 /*
104 * Queue of audit records ready for delivery to disk. We insert new
105 * records at the tail, and remove records from the head. Also,
106 * a count of the number of records used for checking queue depth.
107 * In addition, a counter of records that we have allocated but are
108 * not yet in the queue, which is needed to estimate the total
109 * size of the combined set of records outstanding in the system.
110 */
111 static TAILQ_HEAD(, kaudit_record) audit_q;
112 static int audit_q_len;
113 static int audit_pre_q_len;
114
115 static wait_queue_t audit_wait_queue;
116 static zone_t audit_zone;
117
118 /*
119 * Condition variable to signal to the worker that it has work to do:
120 * either new records are in the queue, or a log replacement is taking
121 * place.
122 */
123 static int audit_worker_event;
124 #define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
125
126 /*
127 * When an audit log is rotated, the actual rotation must be performed
128 * by the audit worker thread, as it may have outstanding writes on the
129 * current audit log. audit_replacement_vp holds the vnode replacing
130 * the current vnode. We can't let more than one replacement occur
131 * at a time, so if more than one thread requests a replacement, only
132 * one can have the replacement "in progress" at any given moment. If
133 * a thread tries to replace the audit vnode and discovers a replacement
134 * is already in progress (i.e., audit_replacement_flag != 0), then it
135 * will sleep on audit_replacement_cv waiting its turn to perform a
136 * replacement. When a replacement is completed, this cv is signalled
137 * by the worker thread so a waiting thread can start another replacement.
138 * We also store a credential to perform audit log write operations with.
139 */
140 static int audit_replacement_event;
141 #define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
142
143 static int audit_replacement_flag;
144 static struct vnode *audit_replacement_vp;
145 static struct ucred *audit_replacement_cred;
146
147 /*
148 * Wait queue for auditing threads that cannot commit the audit
149 * record at the present time. Also, the queue control parameter
150 * structure.
151 */
152 static int audit_commit_event;
153 #define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
154
155 static struct au_qctrl audit_qctrl;
156
157 /*
158 * Flags to use on audit files when opening and closing.
159 */
160 const static int audit_open_flags = FWRITE | O_APPEND;
161 const static int audit_close_flags = FWRITE | O_APPEND;
162
163 /*
164 * Global audit statistiscs.
165 */
166 static struct audit_fstat audit_fstat;
167
168 /*
169 Preselection mask for non-attributable events.
170 */
171 static struct au_mask audit_nae_mask;
172
173 /*
174 * Flags related to Kernel->user-space communication.
175 */
176 static int audit_file_rotate_wait;
177
178 /*
179 * Flags controlling behavior in low storage situations.
180 * Should we panic if a write fails? Should we fail stop
181 * if we're out of disk space? Are we currently "failing
182 * stop" due to out of disk space?
183 */
184 static int audit_panic_on_write_fail;
185 static int audit_fail_stop;
186 static int audit_in_failure;
187
188 /*
189 * When in a fail-stop mode, threads will drop into this wait queue
190 * rather than perform auditable events. They won't ever get woken
191 * up.
192 */
193 static int audit_failure_event;
194 #define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
195
196 /*
197 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
198 * behavior.
199 */
200 extern task_t kernel_task;
201
202 static void
203 audit_free(struct kaudit_record *ar)
204 {
205 if (ar->k_ar.ar_arg_upath1 != NULL) {
206 kfree((vm_offset_t)ar->k_ar.ar_arg_upath1, MAXPATHLEN);
207 }
208 if (ar->k_ar.ar_arg_upath2 != NULL) {
209 kfree((vm_offset_t)ar->k_ar.ar_arg_upath2, MAXPATHLEN);
210 }
211 if (ar->k_ar.ar_arg_kpath1 != NULL) {
212 kfree((vm_offset_t)ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
213 }
214 if (ar->k_ar.ar_arg_kpath2 != NULL) {
215 kfree((vm_offset_t)ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
216 }
217 if (ar->k_ar.ar_arg_text != NULL) {
218 kfree((vm_offset_t)ar->k_ar.ar_arg_text, MAXPATHLEN);
219 }
220 if (ar->k_udata != NULL) {
221 kfree((vm_offset_t)ar->k_udata, (vm_size_t)ar->k_ulen);
222 }
223 zfree(audit_zone, (vm_offset_t)ar);
224 }
225
226 static int
227 audit_write(struct vnode *vp, struct kaudit_record *ar, struct ucred *cred,
228 struct proc *p)
229 {
230 struct statfs *mnt_stat = &vp->v_mount->mnt_stat;
231 int ret;
232 struct au_record *bsm;
233 struct vattr vattr;
234
235 mach_port_t audit_port;
236
237 /*
238 * First, gather statistics on the audit log file and file system
239 * so that we know how we're doing on space. In both cases,
240 * if we're unable to perform the operation, we drop the record
241 * and return. However, this is arguably an assertion failure.
242 */
243 ret = VFS_STATFS(vp->v_mount, mnt_stat, p);
244 if (ret)
245 goto out;
246
247 ret = VOP_GETATTR(vp, &vattr, cred, p);
248 if (ret)
249 goto out;
250
251 /* update the global stats struct */
252 audit_fstat.af_currsz = vattr.va_size;
253
254 /*
255 * Send a message to the audit daemon when disk space is getting
256 * low.
257 * XXX Need to decide what to do if the trigger to the audit daemon
258 * fails.
259 */
260 if(host_get_audit_control_port(host_priv_self(), &audit_port)
261 != KERN_SUCCESS)
262 printf("Cannot get audit control port\n");
263
264 if (audit_port != MACH_PORT_NULL) {
265 long temp;
266
267 /*
268 * If we fall below percent free blocks, then trigger the
269 * audit daemon to do something about it.
270 */
271 if (audit_qctrl.aq_minfree != 0) {
272 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
273 if (mnt_stat->f_bfree < temp) {
274 ret = audit_triggers(audit_port,
275 AUDIT_TRIGGER_LOW_SPACE);
276 if (ret != KERN_SUCCESS) {
277 printf(
278 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
279 /*
280 * XXX: What to do here? Disable auditing?
281 * panic?
282 */
283 }
284 }
285 }
286 /* Check if the current log file is full; if so, call for
287 * a log rotate. This is not an exact comparison; we may
288 * write some records over the limit. If that's not
289 * acceptable, then add a fudge factor here.
290 */
291 if ((audit_fstat.af_filesz != 0) &&
292 (audit_file_rotate_wait == 0) &&
293 (vattr.va_size >= audit_fstat.af_filesz)) {
294 audit_file_rotate_wait = 1;
295 ret = audit_triggers(audit_port,
296 AUDIT_TRIGGER_FILE_FULL);
297 if (ret != KERN_SUCCESS) {
298 printf(
299 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
300 /* XXX what to do here? */
301 }
302 }
303 }
304
305 /*
306 * If the estimated amount of audit data in the audit event queue
307 * (plus records allocated but not yet queued) has reached the
308 * amount of free space on the disk, then we need to go into an
309 * audit fail stop state, in which we do not permit the
310 * allocation/committing of any new audit records. We continue to
311 * process packets but don't allow any activities that might
312 * generate new records. In the future, we might want to detect
313 * when space is available again and allow operation to continue,
314 * but this behavior is sufficient to meet fail stop requirements
315 * in CAPP.
316 */
317 if (audit_fail_stop &&
318 (unsigned long)
319 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
320 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
321 printf(
322 "audit_worker: free space below size of audit queue, failing stop\n");
323 audit_in_failure = 1;
324 }
325
326 /*
327 * If there is a user audit record attached to the kernel record,
328 * then write the user record.
329 */
330 /* XXX Need to decide a few things here: IF the user audit
331 * record is written, but the write of the kernel record fails,
332 * what to do? Should the kernel record come before or after the
333 * user record? For now, we write the user record first, and
334 * we ignore errors.
335 */
336 if (ar->k_ar_commit & AR_COMMIT_USER) {
337 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
338 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p);
339 if (ret)
340 goto out;
341 }
342
343 /*
344 * Convert the internal kernel record to BSM format and write it
345 * out if everything's OK.
346 */
347 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
348 ret = 0;
349 goto out;
350 }
351
352 ret = kaudit_to_bsm(ar, &bsm);
353 if (ret == BSM_NOAUDIT) {
354 ret = 0;
355 goto out;
356 }
357
358 /*
359 * XXX: We drop the record on BSM conversion failure, but really
360 * this is an assertion failure.
361 */
362 if (ret == BSM_FAILURE) {
363 AUDIT_PRINTF(("BSM conversion failure\n"));
364 ret = EINVAL;
365 goto out;
366 }
367
368 /* XXX This function can be called with the kernel funnel held,
369 * which is not optimal. We should break the write functionality
370 * away from the BSM record generation and have the BSM generation
371 * done before this function is called. This function will then
372 * take the BSM record as a parameter.
373 */
374 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
375 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p));
376
377 kau_free(bsm);
378
379 out:
380 /*
381 * When we're done processing the current record, we have to
382 * check to see if we're in a failure mode, and if so, whether
383 * this was the last record left to be drained. If we're done
384 * draining, then we fsync the vnode and panic.
385 */
386 if (audit_in_failure &&
387 audit_q_len == 0 && audit_pre_q_len == 0) {
388 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, p);
389 (void)VOP_FSYNC(vp, cred, MNT_WAIT, p);
390 VOP_UNLOCK(vp, 0, p);
391 panic("Audit store overflow; record queue drained.");
392 }
393
394 return (ret);
395 }
396
397 static void
398 audit_worker()
399 {
400 int do_replacement_signal, error, release_funnel;
401 TAILQ_HEAD(, kaudit_record) ar_worklist;
402 struct kaudit_record *ar, *ar_start, *ar_stop;
403 struct vnode *audit_vp, *old_vp;
404
405 struct ucred *audit_cred, *old_cred;
406 struct proc *audit_p;
407
408 AUDIT_PRINTF(("audit_worker starting\n"));
409
410 TAILQ_INIT(&ar_worklist);
411 audit_cred = NULL;
412 audit_p = current_proc();
413 audit_vp = NULL;
414
415 /*
416 * XXX: Presumably we can assume Mach threads are started without
417 * holding the BSD kernel funnel?
418 */
419 thread_funnel_set(kernel_flock, FALSE);
420
421 mutex_lock(audit_mtx);
422 while (1) {
423 /*
424 * First priority: replace the audit log target if requested.
425 * As we actually close the vnode in the worker thread, we
426 * need to grab the funnel, which means releasing audit_mtx.
427 * In case another replacement was scheduled while the mutex
428 * we released, we loop.
429 *
430 * XXX It could well be we should drain existing records
431 * first to ensure that the timestamps and ordering
432 * are right.
433 */
434 do_replacement_signal = 0;
435 while (audit_replacement_flag != 0) {
436 old_cred = audit_cred;
437 old_vp = audit_vp;
438 audit_cred = audit_replacement_cred;
439 audit_vp = audit_replacement_vp;
440 audit_replacement_cred = NULL;
441 audit_replacement_vp = NULL;
442 audit_replacement_flag = 0;
443
444 audit_enabled = (audit_vp != NULL);
445
446 if (old_vp != NULL || audit_vp != NULL) {
447 mutex_unlock(audit_mtx);
448 thread_funnel_set(kernel_flock, TRUE);
449 release_funnel = 1;
450 } else
451 release_funnel = 0;
452 /*
453 * XXX: What to do about write failures here?
454 */
455 if (old_vp != NULL) {
456 AUDIT_PRINTF(("Closing old audit file\n"));
457 vn_close(old_vp, audit_close_flags, old_cred,
458 audit_p);
459 crfree(old_cred);
460 old_cred = NULL;
461 old_vp = NULL;
462 AUDIT_PRINTF(("Audit file closed\n"));
463 }
464 if (audit_vp != NULL) {
465 AUDIT_PRINTF(("Opening new audit file\n"));
466 }
467 if (release_funnel) {
468 thread_funnel_set(kernel_flock, FALSE);
469 mutex_lock(audit_mtx);
470 }
471 do_replacement_signal = 1;
472 }
473 /*
474 * Signal that replacement have occurred to wake up and
475 * start any other replacements started in parallel. We can
476 * continue about our business in the mean time. We
477 * broadcast so that both new replacements can be inserted,
478 * but also so that the source(s) of replacement can return
479 * successfully.
480 */
481 if (do_replacement_signal)
482 wait_queue_wakeup_all(audit_wait_queue,
483 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
484
485 /*
486 * Next, check to see if we have any records to drain into
487 * the vnode. If not, go back to waiting for an event.
488 */
489 if (TAILQ_EMPTY(&audit_q)) {
490 int ret;
491
492 AUDIT_PRINTF(("audit_worker waiting\n"));
493 ret = wait_queue_assert_wait(audit_wait_queue,
494 AUDIT_WORKER_EVENT,
495 THREAD_UNINT);
496 mutex_unlock(audit_mtx);
497
498 assert(ret == THREAD_WAITING);
499 ret = thread_block(THREAD_CONTINUE_NULL);
500 assert(ret == THREAD_AWAKENED);
501 AUDIT_PRINTF(("audit_worker woken up\n"));
502 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
503 audit_replacement_vp, audit_replacement_flag));
504 mutex_lock(audit_mtx);
505 continue;
506 }
507
508 /*
509 * If we have records, but there's no active vnode to
510 * write to, drain the record queue. Generally, we
511 * prevent the unnecessary allocation of records
512 * elsewhere, but we need to allow for races between
513 * conditional allocation and queueing. Go back to
514 * waiting when we're done.
515 *
516 * XXX: We go out of our way to avoid calling audit_free()
517 * with the audit_mtx held, to avoid a lock order reversal
518 * as free() may grab the funnel. This will be fixed at
519 * some point.
520 */
521 if (audit_vp == NULL) {
522 while ((ar = TAILQ_FIRST(&audit_q))) {
523 TAILQ_REMOVE(&audit_q, ar, k_q);
524 audit_q_len--;
525 if (audit_q_len <= audit_qctrl.aq_lowater)
526 wait_queue_wakeup_one(
527 audit_wait_queue,
528 AUDIT_COMMIT_EVENT,
529 THREAD_AWAKENED);
530
531 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
532 }
533 mutex_unlock(audit_mtx);
534 while ((ar = TAILQ_FIRST(&ar_worklist))) {
535 TAILQ_REMOVE(&ar_worklist, ar, k_q);
536 audit_free(ar);
537 }
538 mutex_lock(audit_mtx);
539 continue;
540 }
541
542 /*
543 * We have both records to write, and an active vnode
544 * to write to. Dequeue a record, and start the write.
545 * Eventually, it might make sense to dequeue several
546 * records and perform our own clustering, if the lower
547 * layers aren't doing it automatically enough.
548 *
549 * XXX: We go out of our way to avoid calling audit_free()
550 * with the audit_mtx held, to avoid a lock order reversal
551 * as free() may grab the funnel. This will be fixed at
552 * some point.
553 */
554 while ((ar = TAILQ_FIRST(&audit_q))) {
555 TAILQ_REMOVE(&audit_q, ar, k_q);
556 audit_q_len--;
557 if (audit_q_len <= audit_qctrl.aq_lowater) {
558 wait_queue_wakeup_one(audit_wait_queue,
559 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
560 }
561
562 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
563 }
564
565 mutex_unlock(audit_mtx);
566 release_funnel = 0;
567 while ((ar = TAILQ_FIRST(&ar_worklist))) {
568 TAILQ_REMOVE(&ar_worklist, ar, k_q);
569 if (audit_vp != NULL) {
570 /*
571 * XXX: What should happen if there's a write
572 * error here?
573 */
574 if (!release_funnel) {
575 thread_funnel_set(kernel_flock, TRUE);
576 release_funnel = 1;
577 }
578 VOP_LEASE(audit_vp, audit_p, audit_cred,
579 LEASE_WRITE);
580 error = audit_write(audit_vp, ar, audit_cred,
581 audit_p);
582 if (error && audit_panic_on_write_fail)
583 panic("audit_worker: write error %d\n",
584 error);
585 else if (error)
586 printf("audit_worker: write error %d\n",
587 error);
588 }
589 audit_free(ar);
590 }
591 if (release_funnel)
592 thread_funnel_set(kernel_flock, FALSE);
593 mutex_lock(audit_mtx);
594 }
595 }
596
597 void
598 audit_init(void)
599 {
600
601 /* Verify that the syscall to audit event table is the same
602 * size as the system call table.
603 */
604 if (nsys_au_event != nsysent) {
605 printf("Security auditing service initialization failed, ");
606 printf("audit event table doesn't match syscall table.\n");
607 return;
608 }
609
610 printf("Security auditing service present\n");
611 TAILQ_INIT(&audit_q);
612 audit_q_len = 0;
613 audit_enabled = 0;
614 audit_suspended = 0;
615 audit_replacement_cred = NULL;
616 audit_replacement_flag = 0;
617 audit_file_rotate_wait = 0;
618 audit_replacement_vp = NULL;
619 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
620 audit_fstat.af_currsz = 0;
621 audit_qctrl.aq_hiwater = AQ_HIWATER;
622 audit_qctrl.aq_lowater = AQ_LOWATER;
623 audit_qctrl.aq_bufsz = AQ_BUFSZ;
624 audit_qctrl.aq_minfree = AU_FS_MINFREE;
625
626 audit_mtx = mutex_alloc(ETAP_NO_TRACE);
627 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
628 audit_zone = zinit(sizeof(struct kaudit_record),
629 AQ_HIWATER*sizeof(struct kaudit_record),
630 8192,
631 "audit_zone");
632
633 /* Initialize the BSM audit subsystem. */
634 kau_init();
635
636 kernel_thread(kernel_task, audit_worker);
637 }
638
639 static void
640 audit_rotate_vnode(struct ucred *cred, struct vnode *vp)
641 {
642 int ret;
643
644 /*
645 * If other parallel log replacements have been requested, we wait
646 * until they've finished before continuing.
647 */
648 mutex_lock(audit_mtx);
649 while (audit_replacement_flag != 0) {
650
651 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
652 "flag\n"));
653 ret = wait_queue_assert_wait(audit_wait_queue,
654 AUDIT_REPLACEMENT_EVENT,
655 THREAD_UNINT);
656 mutex_unlock(audit_mtx);
657
658 assert(ret == THREAD_WAITING);
659 ret = thread_block(THREAD_CONTINUE_NULL);
660 assert(ret == THREAD_AWAKENED);
661 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
662 audit_replacement_flag));
663
664 mutex_lock(audit_mtx);
665 }
666 audit_replacement_cred = cred;
667 audit_replacement_flag = 1;
668 audit_replacement_vp = vp;
669
670 /*
671 * Wake up the audit worker to perform the exchange once we
672 * release the mutex.
673 */
674 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
675
676 /*
677 * Wait for the audit_worker to broadcast that a replacement has
678 * taken place; we know that once this has happened, our vnode
679 * has been replaced in, so we can return successfully.
680 */
681 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
682 "replacement\n"));
683 ret = wait_queue_assert_wait(audit_wait_queue,
684 AUDIT_REPLACEMENT_EVENT,
685 THREAD_UNINT);
686 mutex_unlock(audit_mtx);
687
688 assert(ret == THREAD_WAITING);
689 ret = thread_block(THREAD_CONTINUE_NULL);
690 assert(ret == THREAD_AWAKENED);
691 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
692 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
693
694 audit_file_rotate_wait = 0; /* We can now request another rotation */
695 }
696
697 /*
698 * Drain the audit queue and close the log at shutdown.
699 */
700 void
701 audit_shutdown(void)
702 {
703 audit_rotate_vnode(NULL, NULL);
704 }
705
706 static __inline__ struct uthread *
707 curuthread(void)
708 {
709 return (get_bsdthread_info(current_act()));
710 }
711
712 static __inline__ struct kaudit_record *
713 currecord(void)
714 {
715 return (curuthread()->uu_ar);
716 }
717
718 /**********************************
719 * Begin system calls. *
720 **********************************/
721 /*
722 * System call to allow a user space application to submit a BSM audit
723 * record to the kernel for inclusion in the audit log. This function
724 * does little verification on the audit record that is submitted.
725 *
726 * XXXAUDIT: Audit preselection for user records does not currently
727 * work, since we pre-select only based on the AUE_audit event type,
728 * not the event type submitted as part of the user audit data.
729 */
730 struct audit_args {
731 void * record;
732 int length;
733 };
734 /* ARGSUSED */
735 int
736 audit(struct proc *p, struct audit_args *uap, register_t *retval)
737 {
738 register struct pcred *pc = p->p_cred;
739 int error;
740 void * rec;
741 struct kaudit_record *ar;
742 struct uthread *uthr;
743
744 error = suser(pc->pc_ucred, &p->p_acflag);
745 if (error)
746 return (error);
747
748 if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
749 return (EINVAL);
750
751 ar = currecord();
752
753 /* If there's no current audit record (audit() itself not audited)
754 * commit the user audit record.
755 */
756 if (ar == NULL) {
757 uthr = curuthread();
758 if (uthr == NULL) /* can this happen? */
759 return (ENOTSUP);
760
761 /* This is not very efficient; we're required to allocate
762 * a complete kernel audit record just so the user record
763 * can tag along.
764 */
765 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
766 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
767 return (ENOTSUP);
768 ar = uthr->uu_ar;
769 }
770
771 if (uap->length > MAX_AUDIT_RECORD_SIZE)
772 return (EINVAL);
773
774 rec = (void *)kalloc((vm_size_t)uap->length);
775
776 error = copyin(uap->record, rec, uap->length);
777 if (error)
778 goto free_out;
779
780 /* Verify the record */
781 if (bsm_rec_verify(rec) == 0) {
782 error = EINVAL;
783 goto free_out;
784 }
785
786 /* Attach the user audit record to the kernel audit record. Because
787 * this system call is an auditable event, we will write the user
788 * record along with the record for this audit event.
789 */
790 ar->k_udata = rec;
791 ar->k_ar_commit |= AR_COMMIT_USER;
792 ar->k_ulen = uap->length;
793 return (0);
794
795 free_out:
796 /* audit_syscall_exit() will free the audit record on the thread
797 * even if we allocated it above.
798 */
799 kfree((vm_offset_t)rec, (vm_size_t)uap->length);
800 return (error);
801 }
802
803 /*
804 * System call to manipulate auditing.
805 */
806 struct auditon_args {
807 int cmd;
808 void * data;
809 int length;
810 };
811 /* ARGSUSED */
812 int
813 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
814 {
815 register struct pcred *pc = p->p_cred;
816 int ret;
817 int len;
818 union auditon_udata udata;
819 struct proc *tp;
820
821 AUDIT_ARG(cmd, uap->cmd);
822 ret = suser(pc->pc_ucred, &p->p_acflag);
823 if (ret)
824 return (ret);
825
826 len = uap->length;
827 if ((len <= 0) || (len > sizeof(union auditon_udata)))
828 return (EINVAL);
829
830 memset((void *)&udata, 0, sizeof(udata));
831
832 switch (uap->cmd) {
833 /* Some of the GET commands use the arguments too */
834 case A_SETPOLICY:
835 case A_SETKMASK:
836 case A_SETQCTRL:
837 case A_SETSTAT:
838 case A_SETUMASK:
839 case A_SETSMASK:
840 case A_SETCOND:
841 case A_SETCLASS:
842 case A_SETPMASK:
843 case A_SETFSIZE:
844 case A_SETKAUDIT:
845 case A_GETCLASS:
846 case A_GETPINFO:
847 case A_GETPINFO_ADDR:
848 ret = copyin(uap->data, (void *)&udata, uap->length);
849 if (ret)
850 return (ret);
851 AUDIT_ARG(auditon, &udata);
852 break;
853 }
854
855 /* XXX Need to implement these commands by accessing the global
856 * values associated with the commands.
857 */
858 switch (uap->cmd) {
859 case A_GETPOLICY:
860 if (!audit_fail_stop)
861 udata.au_policy |= AUDIT_CNT;
862 if (audit_panic_on_write_fail)
863 udata.au_policy |= AUDIT_AHLT;
864 break;
865 case A_SETPOLICY:
866 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
867 return (EINVAL);
868 /*
869 * XXX - Need to wake up waiters if the policy relaxes?
870 */
871 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
872 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
873 break;
874 case A_GETKMASK:
875 udata.au_mask = audit_nae_mask;
876 break;
877 case A_SETKMASK:
878 audit_nae_mask = udata.au_mask;
879 break;
880 case A_GETQCTRL:
881 udata.au_qctrl = audit_qctrl;
882 break;
883 case A_SETQCTRL:
884 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
885 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
886 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
887 (udata.au_qctrl.aq_minfree < 0) ||
888 (udata.au_qctrl.aq_minfree > 100))
889 return (EINVAL);
890
891 audit_qctrl = udata.au_qctrl;
892 /* XXX The queue delay value isn't used with the kernel. */
893 audit_qctrl.aq_delay = -1;
894 break;
895 case A_GETCWD:
896 return (ENOSYS);
897 break;
898 case A_GETCAR:
899 return (ENOSYS);
900 break;
901 case A_GETSTAT:
902 return (ENOSYS);
903 break;
904 case A_SETSTAT:
905 return (ENOSYS);
906 break;
907 case A_SETUMASK:
908 return (ENOSYS);
909 break;
910 case A_SETSMASK:
911 return (ENOSYS);
912 break;
913 case A_GETCOND:
914 if (audit_enabled && !audit_suspended)
915 udata.au_cond = AUC_AUDITING;
916 else
917 udata.au_cond = AUC_NOAUDIT;
918 break;
919 case A_SETCOND:
920 if (udata.au_cond == AUC_NOAUDIT)
921 audit_suspended = 1;
922 if (udata.au_cond == AUC_AUDITING)
923 audit_suspended = 0;
924 if (udata.au_cond == AUC_DISABLED) {
925 audit_suspended = 1;
926 audit_shutdown();
927 }
928 break;
929 case A_GETCLASS:
930 udata.au_evclass.ec_class =
931 au_event_class(udata.au_evclass.ec_number);
932 break;
933 case A_SETCLASS:
934 au_evclassmap_insert(udata.au_evclass.ec_number,
935 udata.au_evclass.ec_class);
936 break;
937 case A_GETPINFO:
938 if (udata.au_aupinfo.ap_pid < 1)
939 return (EINVAL);
940 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
941 return (EINVAL);
942
943 udata.au_aupinfo.ap_auid = tp->p_au->ai_auid;
944 udata.au_aupinfo.ap_mask.am_success =
945 tp->p_au->ai_mask.am_success;
946 udata.au_aupinfo.ap_mask.am_failure =
947 tp->p_au->ai_mask.am_failure;
948 udata.au_aupinfo.ap_termid.machine =
949 tp->p_au->ai_termid.machine;
950 udata.au_aupinfo.ap_termid.port =
951 tp->p_au->ai_termid.port;
952 udata.au_aupinfo.ap_asid = tp->p_au->ai_asid;
953 break;
954 case A_SETPMASK:
955 if (udata.au_aupinfo.ap_pid < 1)
956 return (EINVAL);
957 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
958 return (EINVAL);
959
960 tp->p_au->ai_mask.am_success =
961 udata.au_aupinfo.ap_mask.am_success;
962 tp->p_au->ai_mask.am_failure =
963 udata.au_aupinfo.ap_mask.am_failure;
964 break;
965 case A_SETFSIZE:
966 if ((udata.au_fstat.af_filesz != 0) &&
967 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
968 return (EINVAL);
969 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
970 break;
971 case A_GETFSIZE:
972 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
973 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
974 break;
975 case A_GETPINFO_ADDR:
976 return (ENOSYS);
977 break;
978 case A_GETKAUDIT:
979 return (ENOSYS);
980 break;
981 case A_SETKAUDIT:
982 return (ENOSYS);
983 break;
984 }
985 /* Copy data back to userspace for the GET comands */
986 switch (uap->cmd) {
987 case A_GETPOLICY:
988 case A_GETKMASK:
989 case A_GETQCTRL:
990 case A_GETCWD:
991 case A_GETCAR:
992 case A_GETSTAT:
993 case A_GETCOND:
994 case A_GETCLASS:
995 case A_GETPINFO:
996 case A_GETFSIZE:
997 case A_GETPINFO_ADDR:
998 case A_GETKAUDIT:
999 ret = copyout((void *)&udata, uap->data, uap->length);
1000 if (ret)
1001 return (ret);
1002 break;
1003 }
1004
1005 return (0);
1006 }
1007
1008 /*
1009 * System calls to manage the user audit information.
1010 * XXXAUDIT May need to lock the proc structure.
1011 */
1012 struct getauid_args {
1013 au_id_t *auid;
1014 };
1015 /* ARGSUSED */
1016 int
1017 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
1018 {
1019 register struct pcred *pc = p->p_cred;
1020 int error;
1021
1022 error = suser(pc->pc_ucred, &p->p_acflag);
1023 if (error)
1024 return (error);
1025
1026 error = copyout((void *)&p->p_au->ai_auid, (void *)uap->auid,
1027 sizeof(*uap->auid));
1028 if (error)
1029 return (error);
1030
1031 return (0);
1032 }
1033
1034 struct setauid_args {
1035 au_id_t *auid;
1036 };
1037 /* ARGSUSED */
1038 int
1039 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
1040 {
1041 register struct pcred *pc = p->p_cred;
1042 int error;
1043
1044 error = suser(pc->pc_ucred, &p->p_acflag);
1045 if (error)
1046 return (error);
1047
1048 error = copyin((void *)uap->auid, (void *)&p->p_au->ai_auid,
1049 sizeof(p->p_au->ai_auid));
1050 if (error)
1051 return (error);
1052
1053 /* propagate the change from the process to Mach task */
1054 set_security_token(p);
1055
1056 audit_arg_auid(p->p_au->ai_auid);
1057 return (0);
1058 }
1059
1060 /*
1061 * System calls to get and set process audit information.
1062 */
1063 struct getaudit_args {
1064 struct auditinfo *auditinfo;
1065 };
1066 /* ARGSUSED */
1067 int
1068 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
1069 {
1070 register struct pcred *pc = p->p_cred;
1071 int error;
1072
1073 error = suser(pc->pc_ucred, &p->p_acflag);
1074 if (error)
1075 return (error);
1076 error = copyout((void *)p->p_au, (void *)uap->auditinfo,
1077 sizeof(*uap->auditinfo));
1078 if (error)
1079 return (error);
1080
1081 return (0);
1082 }
1083
1084 struct setaudit_args {
1085 struct auditinfo *auditinfo;
1086 };
1087 /* ARGSUSED */
1088 int
1089 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
1090 {
1091 register struct pcred *pc = p->p_cred;
1092 int error;
1093
1094 error = suser(pc->pc_ucred, &p->p_acflag);
1095 if (error)
1096 return (error);
1097 error = copyin((void *)uap->auditinfo, (void *)p->p_au,
1098 sizeof(*p->p_au));
1099 if (error)
1100 return (error);
1101
1102 /* propagate the change from the process to Mach task */
1103 set_security_token(p);
1104
1105 audit_arg_auditinfo(p->p_au);
1106
1107 return (0);
1108 }
1109
1110 struct getaudit_addr_args {
1111 struct auditinfo_addr *auditinfo_addr;
1112 int length;
1113 };
1114 /* ARGSUSED */
1115 int
1116 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
1117 {
1118 register struct pcred *pc = p->p_cred;
1119 int error;
1120
1121 error = suser(pc->pc_ucred, &p->p_acflag);
1122 if (error)
1123 return (error);
1124 return (ENOSYS);
1125 }
1126
1127 struct setaudit_addr_args {
1128 struct auditinfo_addr *auditinfo_addr;
1129 int length;
1130 };
1131 /* ARGSUSED */
1132 int
1133 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
1134 {
1135 register struct pcred *pc = p->p_cred;
1136 int error;
1137
1138 error = suser(pc->pc_ucred, &p->p_acflag);
1139 if (error)
1140 return (error);
1141 return (ENOSYS);
1142 }
1143
1144 /*
1145 * Syscall to manage audit files.
1146 *
1147 */
1148 struct auditctl_args {
1149 char *path;
1150 };
1151 /* ARGSUSED */
1152 int
1153 auditctl(struct proc *p, struct auditctl_args *uap)
1154 {
1155 struct kaudit_record *ar;
1156 struct nameidata nd;
1157 struct ucred *cred;
1158 struct vnode *vp;
1159 int error, flags, ret;
1160
1161 error = suser(p->p_ucred, &p->p_acflag);
1162 if (error)
1163 return (error);
1164
1165 vp = NULL;
1166 cred = NULL;
1167
1168 /*
1169 * If a path is specified, open the replacement vnode, perform
1170 * validity checks, and grab another reference to the current
1171 * credential.
1172 */
1173 if (uap->path != NULL) {
1174 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1175 UIO_USERSPACE, uap->path, p);
1176 flags = audit_open_flags;
1177 error = vn_open(&nd, flags, 0);
1178 if (error)
1179 goto out;
1180 VOP_UNLOCK(nd.ni_vp, 0, p);
1181 vp = nd.ni_vp;
1182 if (vp->v_type != VREG) {
1183 vn_close(vp, audit_close_flags, p->p_ucred, p);
1184 error = EINVAL;
1185 goto out;
1186 }
1187 cred = p->p_ucred;
1188 crhold(cred);
1189 audit_suspended = 0;
1190 }
1191
1192 audit_rotate_vnode(cred, vp);
1193 out:
1194 return (error);
1195 }
1196
1197 /**********************************
1198 * End of system calls. *
1199 **********************************/
1200
1201 /*
1202 * MPSAFE
1203 */
1204 struct kaudit_record *
1205 audit_new(int event, struct proc *p, struct uthread *uthread)
1206 {
1207 struct kaudit_record *ar;
1208 int no_record;
1209
1210 /*
1211 * Eventually, there may be certain classes of events that
1212 * we will audit regardless of the audit state at the time
1213 * the record is created. These events will generally
1214 * correspond to changes in the audit state. The dummy
1215 * code below is from our first prototype, but may also
1216 * be used in the final version (with modified event numbers).
1217 */
1218 #if 0
1219 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1220 #endif
1221 mutex_lock(audit_mtx);
1222 no_record = (audit_suspended || !audit_enabled);
1223 mutex_unlock(audit_mtx);
1224 if (no_record)
1225 return (NULL);
1226 #if 0
1227 }
1228 #endif
1229
1230 /*
1231 * Initialize the audit record header.
1232 * XXX: We may want to fail-stop if allocation fails.
1233 * XXX: The number of outstanding uncommitted audit records is
1234 * limited by the number of concurrent threads servicing system
1235 * calls in the kernel.
1236 */
1237
1238 ar = (struct kaudit_record *)zalloc(audit_zone);
1239 if (ar == NULL)
1240 return NULL;
1241
1242 mutex_lock(audit_mtx);
1243 audit_pre_q_len++;
1244 mutex_unlock(audit_mtx);
1245
1246 bzero(ar, sizeof(*ar));
1247 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1248 ar->k_ar.ar_event = event;
1249 nanotime(&ar->k_ar.ar_starttime);
1250
1251 /* Export the subject credential. */
1252 cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred);
1253 ar->k_ar.ar_subj_ruid = p->p_cred->p_ruid;
1254 ar->k_ar.ar_subj_rgid = p->p_cred->p_rgid;
1255 ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0];
1256 ar->k_ar.ar_subj_auid = p->p_au->ai_auid;
1257 ar->k_ar.ar_subj_asid = p->p_au->ai_asid;
1258 ar->k_ar.ar_subj_pid = p->p_pid;
1259 ar->k_ar.ar_subj_amask = p->p_au->ai_mask;
1260 ar->k_ar.ar_subj_term = p->p_au->ai_termid;
1261 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
1262
1263 return (ar);
1264 }
1265
1266 /*
1267 * MPSAFE
1268 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1269 */
1270 void
1271 audit_abort(struct kaudit_record *ar)
1272 {
1273
1274 mutex_lock(audit_mtx);
1275 audit_pre_q_len--;
1276 mutex_unlock(audit_mtx);
1277 audit_free(ar);
1278 }
1279
1280 /*
1281 * MPSAFE
1282 */
1283 void
1284 audit_commit(struct kaudit_record *ar, int error, int retval)
1285 {
1286 int ret;
1287 int sorf;
1288 struct au_mask *aumask;
1289
1290 if (ar == NULL)
1291 return;
1292
1293 /*
1294 * Decide whether to commit the audit record by checking the
1295 * error value from the system call and using the appropriate
1296 * audit mask.
1297 */
1298 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1299 aumask = &audit_nae_mask;
1300 else
1301 aumask = &ar->k_ar.ar_subj_amask;
1302
1303 if (error)
1304 sorf = AU_PRS_FAILURE;
1305 else
1306 sorf = AU_PRS_SUCCESS;
1307
1308 switch(ar->k_ar.ar_event) {
1309
1310 case AUE_OPEN_RWTC:
1311 /* The open syscall always writes a OPEN_RWTC event; limit the
1312 * to the proper type of event based on the flags and the error
1313 * value.
1314 */
1315 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1316 break;
1317
1318 case AUE_SYSCTL:
1319 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1320 break;
1321
1322 case AUE_AUDITON:
1323 /* Convert the auditon() command to an event */
1324 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1325 break;
1326 }
1327
1328 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1329 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1330
1331 if (ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL) == 0) {
1332 mutex_lock(audit_mtx);
1333 audit_pre_q_len--;
1334 mutex_unlock(audit_mtx);
1335 audit_free(ar);
1336 return;
1337 }
1338
1339 ar->k_ar.ar_errno = error;
1340 ar->k_ar.ar_retval = retval;
1341
1342 /*
1343 * We might want to do some system-wide post-filtering
1344 * here at some point.
1345 */
1346
1347 /*
1348 * Timestamp system call end.
1349 */
1350 nanotime(&ar->k_ar.ar_endtime);
1351
1352 mutex_lock(audit_mtx);
1353
1354 /*
1355 * Note: it could be that some records initiated while audit was
1356 * enabled should still be committed?
1357 */
1358 if (audit_suspended || !audit_enabled) {
1359 audit_pre_q_len--;
1360 mutex_unlock(audit_mtx);
1361 audit_free(ar);
1362 return;
1363 }
1364
1365 /*
1366 * Constrain the number of committed audit records based on
1367 * the configurable parameter.
1368 */
1369 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1370
1371 ret = wait_queue_assert_wait(audit_wait_queue,
1372 AUDIT_COMMIT_EVENT,
1373 THREAD_UNINT);
1374 mutex_unlock(audit_mtx);
1375
1376 assert(ret == THREAD_WAITING);
1377
1378 ret = thread_block(THREAD_CONTINUE_NULL);
1379 assert(ret == THREAD_AWAKENED);
1380 mutex_lock(audit_mtx);
1381 }
1382
1383 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
1384 audit_q_len++;
1385 audit_pre_q_len--;
1386 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
1387 mutex_unlock(audit_mtx);
1388 }
1389
1390 /*
1391 * Calls to set up and tear down audit structures associated with
1392 * each system call.
1393 */
1394 void
1395 audit_syscall_enter(unsigned short code, struct proc *proc,
1396 struct uthread *uthread)
1397 {
1398 int audit_event;
1399 struct au_mask *aumask;
1400
1401 audit_event = sys_au_event[code];
1402 if (audit_event == AUE_NULL)
1403 return;
1404
1405 assert(uthread->uu_ar == NULL);
1406
1407 /* Check which audit mask to use; either the kernel non-attributable
1408 * event mask or the process audit mask.
1409 */
1410 if (proc->p_au->ai_auid == AU_DEFAUDITID)
1411 aumask = &audit_nae_mask;
1412 else
1413 aumask = &proc->p_au->ai_mask;
1414
1415 /*
1416 * Allocate an audit record, if preselection allows it, and store
1417 * in the BSD thread for later use.
1418 */
1419 if (au_preselect(audit_event, aumask,
1420 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1421 /*
1422 * If we're out of space and need to suspend unprivileged
1423 * processes, do that here rather than trying to allocate
1424 * another audit record.
1425 */
1426 if (audit_in_failure &&
1427 suser(proc->p_ucred, &proc->p_acflag) != 0) {
1428 int ret;
1429
1430 ret = wait_queue_assert_wait(audit_wait_queue,
1431 AUDIT_FAILURE_EVENT, THREAD_UNINT);
1432 assert(ret == THREAD_WAITING);
1433 (void)thread_block(THREAD_CONTINUE_NULL);
1434 panic("audit_failing_stop: thread continued");
1435 }
1436 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1437 } else
1438 uthread->uu_ar = NULL;
1439 }
1440
1441 void
1442 audit_syscall_exit(int error, struct proc *proc, struct uthread *uthread)
1443 {
1444 int retval;
1445
1446 /*
1447 * Commit the audit record as desired; once we pass the record
1448 * into audit_commit(), the memory is owned by the audit
1449 * subsystem.
1450 * The return value from the system call is stored on the user
1451 * thread. If there was an error, the return value is set to -1,
1452 * imitating the behavior of the cerror routine.
1453 */
1454 if (error)
1455 retval = -1;
1456 else
1457 retval = uthread->uu_rval[0];
1458
1459 audit_commit(uthread->uu_ar, error, retval);
1460 if (uthread->uu_ar != NULL)
1461 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1462 uthread->uu_ar = NULL;
1463
1464 }
1465
1466 /*
1467 * Calls to set up and tear down audit structures used during Mach
1468 * system calls.
1469 */
1470 void
1471 audit_mach_syscall_enter(unsigned short audit_event)
1472 {
1473 struct uthread *uthread;
1474 struct proc *proc;
1475 struct au_mask *aumask;
1476
1477 if (audit_event == AUE_NULL)
1478 return;
1479
1480 uthread = curuthread();
1481 if (uthread == NULL)
1482 return;
1483
1484 proc = current_proc();
1485 if (proc == NULL)
1486 return;
1487
1488 assert(uthread->uu_ar == NULL);
1489
1490 /* Check which audit mask to use; either the kernel non-attributable
1491 * event mask or the process audit mask.
1492 */
1493 if (proc->p_au->ai_auid == AU_DEFAUDITID)
1494 aumask = &audit_nae_mask;
1495 else
1496 aumask = &proc->p_au->ai_mask;
1497
1498 /*
1499 * Allocate an audit record, if desired, and store in the BSD
1500 * thread for later use.
1501 */
1502 if (au_preselect(audit_event, aumask,
1503 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1504 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1505 } else {
1506 uthread->uu_ar = NULL;
1507 }
1508 }
1509
1510 void
1511 audit_mach_syscall_exit(int retval, struct uthread *uthread)
1512 {
1513 /* The error code from Mach system calls is the same as the
1514 * return value
1515 */
1516 /* XXX Is the above statement always true? */
1517 audit_commit(uthread->uu_ar, retval, retval);
1518 uthread->uu_ar = NULL;
1519
1520 }
1521
1522 /*
1523 * Calls to manipulate elements of the audit record structure from system
1524 * call code. Macro wrappers will prevent this functions from being
1525 * entered if auditing is disabled, avoiding the function call cost. We
1526 * check the thread audit record pointer anyway, as the audit condition
1527 * could change, and pre-selection may not have allocated an audit
1528 * record for this event.
1529 */
1530 void
1531 audit_arg_addr(void * addr)
1532 {
1533 struct kaudit_record *ar;
1534
1535 ar = currecord();
1536 if (ar == NULL)
1537 return;
1538
1539 ar->k_ar.ar_arg_addr = addr;
1540 ar->k_ar.ar_valid_arg |= ARG_ADDR;
1541 }
1542
1543 void
1544 audit_arg_len(int len)
1545 {
1546 struct kaudit_record *ar;
1547
1548 ar = currecord();
1549 if (ar == NULL)
1550 return;
1551
1552 ar->k_ar.ar_arg_len = len;
1553 ar->k_ar.ar_valid_arg |= ARG_LEN;
1554 }
1555
1556 void
1557 audit_arg_fd(int fd)
1558 {
1559 struct kaudit_record *ar;
1560
1561 ar = currecord();
1562 if (ar == NULL)
1563 return;
1564
1565 ar->k_ar.ar_arg_fd = fd;
1566 ar->k_ar.ar_valid_arg |= ARG_FD;
1567 }
1568
1569 void
1570 audit_arg_fflags(int fflags)
1571 {
1572 struct kaudit_record *ar;
1573
1574 ar = currecord();
1575 if (ar == NULL)
1576 return;
1577
1578 ar->k_ar.ar_arg_fflags = fflags;
1579 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1580 }
1581
1582 void
1583 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1584 {
1585 struct kaudit_record *ar;
1586
1587 ar = currecord();
1588 if (ar == NULL)
1589 return;
1590
1591 ar->k_ar.ar_arg_gid = gid;
1592 ar->k_ar.ar_arg_egid = egid;
1593 ar->k_ar.ar_arg_rgid = rgid;
1594 ar->k_ar.ar_arg_sgid = sgid;
1595 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1596 }
1597
1598 void
1599 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1600 {
1601 struct kaudit_record *ar;
1602
1603 ar = currecord();
1604 if (ar == NULL)
1605 return;
1606
1607 ar->k_ar.ar_arg_uid = uid;
1608 ar->k_ar.ar_arg_euid = euid;
1609 ar->k_ar.ar_arg_ruid = ruid;
1610 ar->k_ar.ar_arg_suid = suid;
1611 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1612 }
1613
1614 void
1615 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
1616 {
1617 int i;
1618 struct kaudit_record *ar;
1619
1620 ar = currecord();
1621 if (ar == NULL)
1622 return;
1623
1624 for (i = 0; i < gidset_size; i++)
1625 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1626 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1627 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1628 }
1629
1630 void
1631 audit_arg_login(char *login)
1632 {
1633 struct kaudit_record *ar;
1634
1635 ar = currecord();
1636 if (ar == NULL)
1637 return;
1638
1639 #if 0
1640 /*
1641 * XXX: Add strlcpy() to Darwin for improved safety.
1642 */
1643 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1644 #else
1645 strcpy(ar->k_ar.ar_arg_login, login);
1646 #endif
1647
1648 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1649 }
1650
1651 void
1652 audit_arg_ctlname(int *name, int namelen)
1653 {
1654 struct kaudit_record *ar;
1655
1656 ar = currecord();
1657 if (ar == NULL)
1658 return;
1659
1660 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1661 ar->k_ar.ar_arg_len = namelen;
1662 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1663 }
1664
1665 void
1666 audit_arg_mask(int mask)
1667 {
1668 struct kaudit_record *ar;
1669
1670 ar = currecord();
1671 if (ar == NULL)
1672 return;
1673
1674 ar->k_ar.ar_arg_mask = mask;
1675 ar->k_ar.ar_valid_arg |= ARG_MASK;
1676 }
1677
1678 void
1679 audit_arg_mode(mode_t mode)
1680 {
1681 struct kaudit_record *ar;
1682
1683 ar = currecord();
1684 if (ar == NULL)
1685 return;
1686
1687 ar->k_ar.ar_arg_mode = mode;
1688 ar->k_ar.ar_valid_arg |= ARG_MODE;
1689 }
1690
1691 void
1692 audit_arg_dev(int dev)
1693 {
1694 struct kaudit_record *ar;
1695
1696 ar = currecord();
1697 if (ar == NULL)
1698 return;
1699
1700 ar->k_ar.ar_arg_dev = dev;
1701 ar->k_ar.ar_valid_arg |= ARG_DEV;
1702 }
1703
1704 void
1705 audit_arg_value(long value)
1706 {
1707 struct kaudit_record *ar;
1708
1709 ar = currecord();
1710 if (ar == NULL)
1711 return;
1712
1713 ar->k_ar.ar_arg_value = value;
1714 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1715 }
1716
1717 void
1718 audit_arg_owner(uid_t uid, gid_t gid)
1719 {
1720 struct kaudit_record *ar;
1721
1722 ar = currecord();
1723 if (ar == NULL)
1724 return;
1725
1726 ar->k_ar.ar_arg_uid = uid;
1727 ar->k_ar.ar_arg_gid = gid;
1728 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1729 }
1730
1731 void
1732 audit_arg_pid(pid_t pid)
1733 {
1734 struct kaudit_record *ar;
1735 struct proc *p;
1736
1737 ar = currecord();
1738 if (ar == NULL)
1739 return;
1740
1741 ar->k_ar.ar_arg_pid = pid;
1742 ar->k_ar.ar_valid_arg |= ARG_PID;
1743
1744 }
1745
1746 void
1747 audit_arg_process(struct proc *p)
1748 {
1749 struct kaudit_record *ar;
1750
1751 ar = currecord();
1752 if ((ar == NULL) || (p == NULL))
1753 return;
1754
1755 /* XXX May need to lock the credentials structures */
1756 ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
1757 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1758 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
1759 ar->k_ar.ar_arg_ruid = p->p_cred->p_ruid;
1760 ar->k_ar.ar_arg_rgid = p->p_cred->p_rgid;
1761 ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
1762
1763 ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
1764
1765 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1766 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
1767 }
1768
1769 void
1770 audit_arg_signum(u_int signum)
1771 {
1772 struct kaudit_record *ar;
1773
1774 ar = currecord();
1775 if (ar == NULL)
1776 return;
1777
1778 ar->k_ar.ar_arg_signum = signum;
1779 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1780 }
1781
1782 void
1783 audit_arg_socket(int sodomain, int sotype, int soprotocol)
1784 {
1785
1786 struct kaudit_record *ar;
1787
1788 ar = currecord();
1789 if (ar == NULL)
1790 return;
1791
1792 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1793 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1794 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
1795 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1796 }
1797
1798 void
1799 audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1800 {
1801 struct kaudit_record *ar;
1802
1803 ar = currecord();
1804 if (ar == NULL || p == NULL || so == NULL)
1805 return;
1806
1807 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1808 switch (so->sa_family) {
1809 case AF_INET:
1810 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1811 break;
1812 case AF_INET6:
1813 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1814 break;
1815 case AF_UNIX:
1816 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1817 ARG_UPATH1);
1818 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1819 break;
1820 }
1821 }
1822
1823 void
1824 audit_arg_auid(uid_t auid)
1825 {
1826 struct kaudit_record *ar;
1827
1828 ar = currecord();
1829 if (ar == NULL)
1830 return;
1831
1832 ar->k_ar.ar_arg_auid = auid;
1833 ar->k_ar.ar_valid_arg |= ARG_AUID;
1834 }
1835
1836 void
1837 audit_arg_auditinfo(struct auditinfo *au_info)
1838 {
1839 struct kaudit_record *ar;
1840
1841 ar = currecord();
1842 if (ar == NULL)
1843 return;
1844
1845 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1846 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1847 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1848 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1849 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1850 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1851 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1852 }
1853
1854 void
1855 audit_arg_text(char *text)
1856 {
1857 struct kaudit_record *ar;
1858
1859 ar = currecord();
1860 if (ar == NULL)
1861 return;
1862
1863 /* Invalidate the text string */
1864 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1865 if (text == NULL)
1866 return;
1867
1868 if (ar->k_ar.ar_arg_text == NULL) {
1869 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
1870 if (ar->k_ar.ar_arg_text == NULL)
1871 return;
1872 }
1873
1874 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
1875 ar->k_ar.ar_valid_arg |= ARG_TEXT;
1876 }
1877
1878 void
1879 audit_arg_cmd(int cmd)
1880 {
1881 struct kaudit_record *ar;
1882
1883 ar = currecord();
1884 if (ar == NULL)
1885 return;
1886
1887 ar->k_ar.ar_arg_cmd = cmd;
1888 ar->k_ar.ar_valid_arg |= ARG_CMD;
1889 }
1890
1891 void
1892 audit_arg_svipc_cmd(int cmd)
1893 {
1894 struct kaudit_record *ar;
1895
1896 ar = currecord();
1897 if (ar == NULL)
1898 return;
1899
1900 ar->k_ar.ar_arg_svipc_cmd = cmd;
1901 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
1902 }
1903
1904 void
1905 audit_arg_svipc_perm(struct ipc_perm *perm)
1906 {
1907 struct kaudit_record *ar;
1908
1909 ar = currecord();
1910 if (ar == NULL)
1911 return;
1912
1913 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
1914 sizeof(ar->k_ar.ar_arg_svipc_perm));
1915 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
1916 }
1917
1918 void
1919 audit_arg_svipc_id(int id)
1920 {
1921 struct kaudit_record *ar;
1922
1923 ar = currecord();
1924 if (ar == NULL)
1925 return;
1926
1927 ar->k_ar.ar_arg_svipc_id = id;
1928 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
1929 }
1930
1931 void
1932 audit_arg_svipc_addr(void * addr)
1933 {
1934 struct kaudit_record *ar;
1935
1936 ar = currecord();
1937 if (ar == NULL)
1938 return;
1939
1940 ar->k_ar.ar_arg_svipc_addr = addr;
1941 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
1942 }
1943
1944 void
1945 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
1946 {
1947 struct kaudit_record *ar;
1948
1949 ar = currecord();
1950 if (ar == NULL)
1951 return;
1952
1953 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
1954 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
1955 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
1956 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
1957 }
1958
1959 void
1960 audit_arg_auditon(union auditon_udata *udata)
1961 {
1962 struct kaudit_record *ar;
1963
1964 ar = currecord();
1965 if (ar == NULL)
1966 return;
1967
1968 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
1969 sizeof(ar->k_ar.ar_arg_auditon));
1970 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
1971 }
1972
1973 /*
1974 * Audit information about a file, either the file's vnode info, or its
1975 * socket address info.
1976 */
1977 void
1978 audit_arg_file(struct proc *p, struct file *fp)
1979 {
1980 struct kaudit_record *ar;
1981 struct socket *so;
1982 struct inpcb *pcb;
1983
1984 if (fp->f_type == DTYPE_VNODE) {
1985 audit_arg_vnpath((struct vnode *)fp->f_data, ARG_VNODE1);
1986 return;
1987 }
1988
1989 if (fp->f_type == DTYPE_SOCKET) {
1990 ar = currecord();
1991 if (ar == NULL)
1992 return;
1993 so = (struct socket *)fp->f_data;
1994 if (INP_CHECK_SOCKAF(so, PF_INET)) {
1995 if (so->so_pcb == NULL)
1996 return;
1997 ar->k_ar.ar_arg_sockinfo.so_type =
1998 so->so_type;
1999 ar->k_ar.ar_arg_sockinfo.so_domain =
2000 INP_SOCKAF(so);
2001 ar->k_ar.ar_arg_sockinfo.so_protocol =
2002 so->so_proto->pr_protocol;
2003 pcb = (struct inpcb *)so->so_pcb;
2004 ar->k_ar.ar_arg_sockinfo.so_raddr =
2005 pcb->inp_faddr.s_addr;
2006 ar->k_ar.ar_arg_sockinfo.so_laddr =
2007 pcb->inp_laddr.s_addr;
2008 ar->k_ar.ar_arg_sockinfo.so_rport =
2009 pcb->inp_fport;
2010 ar->k_ar.ar_arg_sockinfo.so_lport =
2011 pcb->inp_lport;
2012 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2013 }
2014 }
2015
2016 }
2017
2018 /*
2019 * Initialize the audit information for the a process, presumably the first
2020 * process in the system.
2021 * XXX It is not clear what the initial values should be for session ID,
2022 * terminal ID etc.
2023 */
2024 void
2025 audit_proc_init(struct proc *p)
2026 {
2027 MALLOC_ZONE(p->p_au, struct auditinfo *, sizeof(*p->p_au),
2028 M_SUBPROC, M_WAITOK);
2029
2030 bzero((void *)p->p_au, sizeof(*p->p_au));
2031
2032 p->p_au->ai_auid = AU_DEFAUDITID;
2033 }
2034
2035 /*
2036 * Copy the audit info from the parent process to the child process when
2037 * a fork takes place.
2038 * XXX Need to check for failure from the memory allocation, in here
2039 * as well as in any functions that use the process auditing info.
2040 */
2041 void
2042 audit_proc_fork(struct proc *parent, struct proc *child)
2043 {
2044 /* Always set up the audit information pointer as this function
2045 * should only be called when the proc is new. If proc structures
2046 * are ever cached and reused, then this behavior will leak memory.
2047 */
2048 MALLOC_ZONE(child->p_au, struct auditinfo *, sizeof(*child->p_au),
2049 M_SUBPROC, M_WAITOK);
2050
2051 bcopy(parent->p_au, child->p_au, sizeof(*child->p_au));
2052 }
2053
2054 /*
2055 * Free the auditing structure for the process.
2056 */
2057 void
2058 audit_proc_free(struct proc *p)
2059 {
2060 FREE_ZONE((void *)p->p_au, sizeof(*p->p_au), M_SUBPROC);
2061 p->p_au = NULL;
2062 }
2063
2064 /*
2065 * Store a path as given by the user process for auditing into the audit
2066 * record stored on the user thread. This function will allocate the memory to
2067 * store the path info if not already available. This memory will be
2068 * freed when the audit record is freed.
2069 */
2070 void
2071 audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2072 {
2073 struct kaudit_record *ar;
2074 char **pathp;
2075
2076 if (p == NULL || upath == NULL)
2077 return; /* nothing to do! */
2078
2079 if (flags & (ARG_UPATH1 | ARG_UPATH2) == 0)
2080 return;
2081
2082 ar = currecord();
2083 if (ar == NULL) /* This will be the case for unaudited system calls */
2084 return;
2085
2086 if (flags & ARG_UPATH1) {
2087 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2088 pathp = &ar->k_ar.ar_arg_upath1;
2089 }
2090 else {
2091 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2092 pathp = &ar->k_ar.ar_arg_upath2;
2093 }
2094
2095 if (*pathp == NULL) {
2096 *pathp = (char *)kalloc(MAXPATHLEN);
2097 if (*pathp == NULL)
2098 return;
2099 }
2100
2101 if (canon_path(p, upath, *pathp) == 0) {
2102 if (flags & ARG_UPATH1)
2103 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2104 else
2105 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
2106 } else {
2107 kfree((vm_offset_t)*pathp, MAXPATHLEN);
2108 *pathp = NULL;
2109 }
2110 }
2111
2112 /*
2113 * Function to save the path and vnode attr information into the audit
2114 * record.
2115 *
2116 * It is assumed that the caller will hold any vnode locks necessary to
2117 * perform a VOP_GETATTR() on the passed vnode.
2118 *
2119 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2120 * always provides access to the generation number as we need that
2121 * to construct the BSM file ID.
2122 * XXX: We should accept the process argument from the caller, since
2123 * it's very likely they already have a reference.
2124 * XXX: Error handling in this function is poor.
2125 */
2126 void
2127 audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2128 {
2129 struct kaudit_record *ar;
2130 struct vattr vattr;
2131 int error;
2132 int len;
2133 char **pathp;
2134 struct vnode_au_info *vnp;
2135 struct proc *p;
2136
2137 if (vp == NULL)
2138 return;
2139
2140 ar = currecord();
2141 if (ar == NULL) /* This will be the case for unaudited system calls */
2142 return;
2143
2144 if (flags & (ARG_VNODE1 | ARG_VNODE2) == 0)
2145 return;
2146
2147 p = current_proc();
2148
2149 if (flags & ARG_VNODE1) {
2150 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2151 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2152 pathp = &ar->k_ar.ar_arg_kpath1;
2153 vnp = &ar->k_ar.ar_arg_vnode1;
2154 }
2155 else {
2156 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2157 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2158 pathp = &ar->k_ar.ar_arg_kpath2;
2159 vnp = &ar->k_ar.ar_arg_vnode2;
2160 }
2161
2162 if (*pathp == NULL) {
2163 *pathp = (char *)kalloc(MAXPATHLEN);
2164 if (*pathp == NULL)
2165 return;
2166 }
2167
2168 /*
2169 * If vn_getpath() succeeds, place it in a string buffer
2170 * attached to the audit record, and set a flag indicating
2171 * it is present.
2172 */
2173 len = MAXPATHLEN;
2174 if (vn_getpath(vp, *pathp, &len) == 0) {
2175 if (flags & ARG_VNODE1)
2176 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2177 else
2178 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
2179 } else {
2180 kfree((vm_offset_t)*pathp, MAXPATHLEN);
2181 *pathp = NULL;
2182 }
2183
2184 /*
2185 * XXX: We'd assert the vnode lock here, only Darwin doesn't
2186 * appear to have vnode locking assertions.
2187 */
2188 error = VOP_GETATTR(vp, &vattr, p->p_ucred, p);
2189 if (error) {
2190 /* XXX: How to handle this case? */
2191 return;
2192 }
2193
2194 vnp->vn_mode = vattr.va_mode;
2195 vnp->vn_uid = vattr.va_uid;
2196 vnp->vn_gid = vattr.va_gid;
2197 vnp->vn_dev = vattr.va_rdev;
2198 vnp->vn_fsid = vattr.va_fsid;
2199 vnp->vn_fileid = vattr.va_fileid;
2200 vnp->vn_gen = vattr.va_gen;
2201 if (flags & ARG_VNODE1)
2202 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2203 else
2204 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2205
2206 }
2207
2208 void
2209 audit_arg_mach_port1(mach_port_t port)
2210 {
2211 struct kaudit_record *ar;
2212
2213 ar = currecord();
2214 if (ar == NULL)
2215 return;
2216
2217 ar->k_ar.ar_arg_mach_port1 = port;
2218 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2219 }
2220
2221 void
2222 audit_arg_mach_port2(mach_port_t port)
2223 {
2224 struct kaudit_record *ar;
2225
2226 ar = currecord();
2227 if (ar == NULL)
2228 return;
2229
2230 ar->k_ar.ar_arg_mach_port2 = port;
2231 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2232 }
2233
2234 /*
2235 * The close() system call uses it's own audit call to capture the
2236 * path/vnode information because those pieces are not easily obtained
2237 * within the system call itself.
2238 */
2239 void
2240 audit_sysclose(struct proc *p, int fd)
2241 {
2242 struct file *fp;
2243
2244 audit_arg_fd(fd);
2245
2246 if (getvnode(p, fd, &fp) != 0)
2247 return;
2248
2249 audit_arg_vnpath((struct vnode *)fp->f_data, ARG_VNODE1);
2250
2251 }
2252
2253 #else /* !AUDIT */
2254
2255 void
2256 audit_init(void)
2257 {
2258
2259 }
2260
2261 void
2262 audit_shutdown(void)
2263 {
2264
2265 }
2266
2267 int
2268 audit(struct proc *p, struct audit_args *uap, register_t *retval)
2269 {
2270 return (ENOSYS);
2271 }
2272
2273 int
2274 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2275 {
2276 return (ENOSYS);
2277 }
2278
2279 int
2280 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2281 {
2282 return (ENOSYS);
2283 }
2284
2285 int
2286 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2287 {
2288 return (ENOSYS);
2289 }
2290
2291 int
2292 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2293 {
2294 return (ENOSYS);
2295 }
2296
2297 int
2298 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2299 {
2300 return (ENOSYS);
2301 }
2302
2303 int
2304 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2305 {
2306 return (ENOSYS);
2307 }
2308
2309 int
2310 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2311 {
2312 return (ENOSYS);
2313 }
2314
2315 int
2316 auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2317 {
2318 return (ENOSYS);
2319 }
2320
2321 void
2322 audit_proc_init(struct proc *p)
2323 {
2324
2325 }
2326
2327 void
2328 audit_proc_fork(struct proc *parent, struct proc *child)
2329 {
2330
2331 }
2332
2333 void
2334 audit_proc_free(struct proc *p)
2335 {
2336
2337 }
2338
2339 #endif /* AUDIT */
mirror of XNU