]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_audit.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-792.6.56.tar.gz
[apple/xnu.git] / bsd / kern / kern_audit.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #include <sys/param.h>
24 #include <sys/fcntl.h>
25 #include <sys/kernel.h>
26 #include <sys/lock.h>
27 #include <sys/namei.h>
28 #include <sys/proc_internal.h>
29 #include <sys/kauth.h>
30 #include <sys/queue.h>
31 #include <sys/systm.h>
32 #include <sys/time.h>
33 #include <sys/ucred.h>
34 #include <sys/uio.h>
35 #include <sys/unistd.h>
36 #include <sys/file_internal.h>
37 #include <sys/vnode_internal.h>
38 #include <sys/user.h>
39 #include <sys/syscall.h>
40 #include <sys/malloc.h>
41 #include <sys/un.h>
42 #include <sys/sysent.h>
43 #include <sys/sysproto.h>
44 #include <sys/vfs_context.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socketvar.h>
48
49 #include <bsm/audit.h>
50 #include <bsm/audit_kevents.h>
51 #include <bsm/audit_klib.h>
52 #include <bsm/audit_kernel.h>
53
54 #include <mach/host_priv.h>
55 #include <mach/host_special_ports.h>
56 #include <mach/audit_triggers_server.h>
57
58 #include <kern/host.h>
59 #include <kern/kalloc.h>
60 #include <kern/zalloc.h>
61 #include <kern/lock.h>
62 #include <kern/wait_queue.h>
63 #include <kern/sched_prim.h>
64
65 #include <net/route.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_pcb.h>
69
70 #ifdef AUDIT
71
72 /*
73 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
74 * gratuitously noisy printf's to the console. Due to the
75 * volume, it should be left off unless you want your system
76 * to churn a lot whenever the audit record flow gets high.
77 */
78 /* #define AUDIT_EXCESSIVELY_VERBOSE */
79 #ifdef AUDIT_EXCESSIVELY_VERBOSE
80 #define AUDIT_PRINTF_ONLY
81 #define AUDIT_PRINTF(x) printf x
82 #else
83 #define AUDIT_PRINTF_ONLY __unused
84 #define AUDIT_PRINTF(X)
85 #endif
86
87 #if DIAGNOSTIC
88 #if defined(assert)
89 #undef assert()
90 #endif
91 #define assert(cond) \
92 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
93 #else
94 #include <kern/assert.h>
95 #endif /* DIAGNOSTIC */
96
97 /*
98 * Define the audit control flags.
99 */
100 int audit_enabled;
101 int audit_suspended;
102
103 /*
104 * Mutex to protect global variables shared between various threads and
105 * processes.
106 */
107 static mutex_t *audit_mtx;
108
109 /*
110 * Queue of audit records ready for delivery to disk. We insert new
111 * records at the tail, and remove records from the head. Also,
112 * a count of the number of records used for checking queue depth.
113 * In addition, a counter of records that we have allocated but are
114 * not yet in the queue, which is needed to estimate the total
115 * size of the combined set of records outstanding in the system.
116 */
117 static TAILQ_HEAD(, kaudit_record) audit_q;
118 static size_t audit_q_len;
119 static size_t audit_pre_q_len;
120
121 static wait_queue_t audit_wait_queue;
122 static zone_t audit_zone;
123
124 /*
125 * Condition variable to signal to the worker that it has work to do:
126 * either new records are in the queue, or a log replacement is taking
127 * place.
128 */
129 static int audit_worker_event;
130 #define AUDIT_WORKER_EVENT ((event_t)&audit_worker_event)
131
132 /*
133 * The audit worker thread (which is lazy started when we first
134 * rotate the audit log.
135 */
136 static thread_t audit_worker_thread = THREAD_NULL;
137
138 /*
139 * When an audit log is rotated, the actual rotation must be performed
140 * by the audit worker thread, as it may have outstanding writes on the
141 * current audit log. audit_replacement_vp holds the vnode replacing
142 * the current vnode. We can't let more than one replacement occur
143 * at a time, so if more than one thread requests a replacement, only
144 * one can have the replacement "in progress" at any given moment. If
145 * a thread tries to replace the audit vnode and discovers a replacement
146 * is already in progress (i.e., audit_replacement_flag != 0), then it
147 * will sleep on audit_replacement_cv waiting its turn to perform a
148 * replacement. When a replacement is completed, this cv is signalled
149 * by the worker thread so a waiting thread can start another replacement.
150 * We also store a credential to perform audit log write operations with.
151 */
152 static int audit_replacement_event;
153 #define AUDIT_REPLACEMENT_EVENT ((event_t)&audit_replacement_event)
154
155 static int audit_replacement_flag;
156 static struct vnode *audit_replacement_vp;
157 static kauth_cred_t audit_replacement_cred;
158
159 /*
160 * Wait queue for auditing threads that cannot commit the audit
161 * record at the present time. Also, the queue control parameter
162 * structure.
163 */
164 static int audit_commit_event;
165 #define AUDIT_COMMIT_EVENT ((event_t)&audit_commit_event)
166
167 static struct au_qctrl audit_qctrl;
168
169 /*
170 * Flags to use on audit files when opening and closing.
171 */
172 static const int audit_open_flags = FWRITE | O_APPEND;
173 static const int audit_close_flags = FWRITE | O_APPEND;
174
175 /*
176 * Global audit statistiscs.
177 */
178 static struct audit_fstat audit_fstat;
179
180 /*
181 Preselection mask for non-attributable events.
182 */
183 static struct au_mask audit_nae_mask;
184
185 /*
186 * Flags related to Kernel->user-space communication.
187 */
188 static int audit_file_rotate_wait;
189
190 /*
191 * Flags controlling behavior in low storage situations.
192 * Should we panic if a write fails? Should we fail stop
193 * if we're out of disk space? Are we currently "failing
194 * stop" due to out of disk space?
195 */
196 static int audit_panic_on_write_fail;
197 static int audit_fail_stop;
198 static int audit_in_failure;
199
200 /*
201 * When in a fail-stop mode, threads will drop into this wait queue
202 * rather than perform auditable events. They won't ever get woken
203 * up.
204 */
205 static int audit_failure_event;
206 #define AUDIT_FAILURE_EVENT ((event_t)&audit_failure_event)
207
208 /*
209 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
210 * behavior.
211 */
212 extern task_t kernel_task;
213
214 static void
215 audit_free(struct kaudit_record *ar)
216 {
217 if (ar->k_ar.ar_arg_upath1 != NULL) {
218 kfree(ar->k_ar.ar_arg_upath1, MAXPATHLEN);
219 }
220 if (ar->k_ar.ar_arg_upath2 != NULL) {
221 kfree(ar->k_ar.ar_arg_upath2, MAXPATHLEN);
222
223 }
224 if (ar->k_ar.ar_arg_kpath1 != NULL) {
225 kfree(ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
226
227 }
228 if (ar->k_ar.ar_arg_kpath2 != NULL) {
229 kfree(ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
230
231 }
232 if (ar->k_ar.ar_arg_text != NULL) {
233 kfree(ar->k_ar.ar_arg_text, MAXPATHLEN);
234
235 }
236 if (ar->k_udata != NULL) {
237 kfree(ar->k_udata, ar->k_ulen);
238
239 }
240 zfree(audit_zone, ar);
241 }
242
243 static int
244 audit_write(struct vnode *vp, struct kaudit_record *ar, kauth_cred_t cred,
245 struct proc *p)
246 {
247 struct vfsstatfs *mnt_stat = &vp->v_mount->mnt_vfsstat;
248 int ret;
249 struct au_record *bsm;
250 /* KVV maybe we should take a context as a param to audit_write? */
251 struct vfs_context context;
252 off_t file_size;
253
254 mach_port_t audit_port;
255
256 /*
257 * First, gather statistics on the audit log file and file system
258 * so that we know how we're doing on space. In both cases,
259 * if we're unable to perform the operation, we drop the record
260 * and return. However, this is arguably an assertion failure.
261 */
262 context.vc_proc = p;
263 context.vc_ucred = cred;
264 ret = vfs_update_vfsstat(vp->v_mount, &context);
265 if (ret)
266 goto out;
267
268 /* update the global stats struct */
269 if ((ret = vnode_size(vp, &file_size, &context)) != 0)
270 goto out;
271 audit_fstat.af_currsz = file_size;
272
273 /*
274 * Send a message to the audit daemon when disk space is getting
275 * low.
276 * XXX Need to decide what to do if the trigger to the audit daemon
277 * fails.
278 */
279 if(host_get_audit_control_port(host_priv_self(), &audit_port)
280 != KERN_SUCCESS)
281 printf("Cannot get audit control port\n");
282
283 if (audit_port != MACH_PORT_NULL) {
284 uint64_t temp;
285
286 /*
287 * If we fall below percent free blocks, then trigger the
288 * audit daemon to do something about it.
289 */
290 if (audit_qctrl.aq_minfree != 0) {
291 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
292 if (mnt_stat->f_bfree < temp) {
293 ret = audit_triggers(audit_port,
294 AUDIT_TRIGGER_LOW_SPACE);
295 if (ret != KERN_SUCCESS) {
296 printf(
297 "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
298 /*
299 * XXX: What to do here? Disable auditing?
300 * panic?
301 */
302 }
303 }
304 }
305 /* Check if the current log file is full; if so, call for
306 * a log rotate. This is not an exact comparison; we may
307 * write some records over the limit. If that's not
308 * acceptable, then add a fudge factor here.
309 */
310 if ((audit_fstat.af_filesz != 0) &&
311 (audit_file_rotate_wait == 0) &&
312 (file_size >= audit_fstat.af_filesz)) {
313 audit_file_rotate_wait = 1;
314 ret = audit_triggers(audit_port,
315 AUDIT_TRIGGER_FILE_FULL);
316 if (ret != KERN_SUCCESS) {
317 printf(
318 "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
319 /* XXX what to do here? */
320 }
321 }
322 }
323
324 /*
325 * If the estimated amount of audit data in the audit event queue
326 * (plus records allocated but not yet queued) has reached the
327 * amount of free space on the disk, then we need to go into an
328 * audit fail stop state, in which we do not permit the
329 * allocation/committing of any new audit records. We continue to
330 * process packets but don't allow any activities that might
331 * generate new records. In the future, we might want to detect
332 * when space is available again and allow operation to continue,
333 * but this behavior is sufficient to meet fail stop requirements
334 * in CAPP.
335 */
336 if (audit_fail_stop &&
337 (unsigned long)
338 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
339 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
340 printf(
341 "audit_worker: free space below size of audit queue, failing stop\n");
342 audit_in_failure = 1;
343 }
344
345 /*
346 * If there is a user audit record attached to the kernel record,
347 * then write the user record.
348 */
349 /* XXX Need to decide a few things here: IF the user audit
350 * record is written, but the write of the kernel record fails,
351 * what to do? Should the kernel record come before or after the
352 * user record? For now, we write the user record first, and
353 * we ignore errors.
354 */
355 if (ar->k_ar_commit & AR_COMMIT_USER) {
356 if (vnode_getwithref(vp) == 0) {
357 ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
358 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p);
359 vnode_put(vp);
360 if (ret)
361 goto out;
362 } else {
363 goto out;
364 }
365 }
366
367 /*
368 * Convert the internal kernel record to BSM format and write it
369 * out if everything's OK.
370 */
371 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
372 ret = 0;
373 goto out;
374 }
375
376 ret = kaudit_to_bsm(ar, &bsm);
377 if (ret == BSM_NOAUDIT) {
378 ret = 0;
379 goto out;
380 }
381
382 /*
383 * XXX: We drop the record on BSM conversion failure, but really
384 * this is an assertion failure.
385 */
386 if (ret == BSM_FAILURE) {
387 AUDIT_PRINTF(("BSM conversion failure\n"));
388 ret = EINVAL;
389 goto out;
390 }
391
392 /* XXX This function can be called with the kernel funnel held,
393 * which is not optimal. We should break the write functionality
394 * away from the BSM record generation and have the BSM generation
395 * done before this function is called. This function will then
396 * take the BSM record as a parameter.
397 */
398 if ((ret = vnode_getwithref(vp)) == 0) {
399 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
400 (off_t)0, UIO_SYSSPACE32, IO_APPEND|IO_UNIT, cred, NULL, p));
401 vnode_put(vp);
402 }
403 kau_free(bsm);
404
405 out:
406 /*
407 * When we're done processing the current record, we have to
408 * check to see if we're in a failure mode, and if so, whether
409 * this was the last record left to be drained. If we're done
410 * draining, then we fsync the vnode and panic.
411 */
412 if (audit_in_failure &&
413 audit_q_len == 0 && audit_pre_q_len == 0) {
414 (void)VNOP_FSYNC(vp, MNT_WAIT, &context);
415 panic("Audit store overflow; record queue drained.");
416 }
417
418 return (ret);
419 }
420
421 static void
422 audit_worker(void)
423 {
424 int do_replacement_signal, error, release_funnel;
425 TAILQ_HEAD(, kaudit_record) ar_worklist;
426 struct kaudit_record *ar;
427 struct vnode *audit_vp, *old_vp;
428 kauth_cred_t audit_cred;
429 kauth_cred_t old_cred;
430 struct proc *audit_p;
431
432 AUDIT_PRINTF(("audit_worker starting\n"));
433
434 TAILQ_INIT(&ar_worklist);
435 audit_cred = NULL;
436 audit_p = current_proc();
437 audit_vp = NULL;
438
439 /*
440 * XXX: Presumably we can assume Mach threads are started without
441 * holding the BSD kernel funnel?
442 */
443 thread_funnel_set(kernel_flock, FALSE);
444
445 mutex_lock(audit_mtx);
446 while (1) {
447 /*
448 * First priority: replace the audit log target if requested.
449 * As we actually close the vnode in the worker thread, we
450 * need to grab the funnel, which means releasing audit_mtx.
451 * In case another replacement was scheduled while the mutex
452 * we released, we loop.
453 *
454 * XXX It could well be we should drain existing records
455 * first to ensure that the timestamps and ordering
456 * are right.
457 */
458 do_replacement_signal = 0;
459 while (audit_replacement_flag != 0) {
460 old_cred = audit_cred;
461 old_vp = audit_vp;
462 audit_cred = audit_replacement_cred;
463 audit_vp = audit_replacement_vp;
464 audit_replacement_cred = NULL;
465 audit_replacement_vp = NULL;
466 audit_replacement_flag = 0;
467
468 audit_enabled = (audit_vp != NULL);
469
470 if (old_vp != NULL || audit_vp != NULL) {
471 mutex_unlock(audit_mtx);
472 thread_funnel_set(kernel_flock, TRUE);
473 release_funnel = 1;
474 } else
475 release_funnel = 0;
476 /*
477 * XXX: What to do about write failures here?
478 */
479 if (old_vp != NULL) {
480 AUDIT_PRINTF(("Closing old audit file\n"));
481 vn_close(old_vp, audit_close_flags, old_cred,
482 audit_p);
483 kauth_cred_rele(old_cred);
484 old_cred = NOCRED;
485 old_vp = NULL;
486 AUDIT_PRINTF(("Audit file closed\n"));
487 }
488 if (audit_vp != NULL) {
489 AUDIT_PRINTF(("Opening new audit file\n"));
490 }
491 if (release_funnel) {
492 thread_funnel_set(kernel_flock, FALSE);
493 mutex_lock(audit_mtx);
494 }
495 do_replacement_signal = 1;
496 }
497 /*
498 * Signal that replacement have occurred to wake up and
499 * start any other replacements started in parallel. We can
500 * continue about our business in the mean time. We
501 * broadcast so that both new replacements can be inserted,
502 * but also so that the source(s) of replacement can return
503 * successfully.
504 */
505 if (do_replacement_signal)
506 wait_queue_wakeup_all(audit_wait_queue,
507 AUDIT_REPLACEMENT_EVENT, THREAD_AWAKENED);
508
509 /*
510 * Next, check to see if we have any records to drain into
511 * the vnode. If not, go back to waiting for an event.
512 */
513 if (TAILQ_EMPTY(&audit_q)) {
514 int ret;
515
516 AUDIT_PRINTF(("audit_worker waiting\n"));
517 ret = wait_queue_assert_wait(audit_wait_queue,
518 AUDIT_WORKER_EVENT,
519 THREAD_UNINT,
520 0);
521 mutex_unlock(audit_mtx);
522
523 assert(ret == THREAD_WAITING);
524 ret = thread_block(THREAD_CONTINUE_NULL);
525 assert(ret == THREAD_AWAKENED);
526 AUDIT_PRINTF(("audit_worker woken up\n"));
527 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
528 audit_replacement_vp, audit_replacement_flag));
529
530 mutex_lock(audit_mtx);
531 continue;
532 }
533
534 /*
535 * If we have records, but there's no active vnode to
536 * write to, drain the record queue. Generally, we
537 * prevent the unnecessary allocation of records
538 * elsewhere, but we need to allow for races between
539 * conditional allocation and queueing. Go back to
540 * waiting when we're done.
541 *
542 * XXX: We go out of our way to avoid calling audit_free()
543 * with the audit_mtx held, to avoid a lock order reversal
544 * as free() may grab the funnel. This will be fixed at
545 * some point.
546 */
547 if (audit_vp == NULL) {
548 while ((ar = TAILQ_FIRST(&audit_q))) {
549 TAILQ_REMOVE(&audit_q, ar, k_q);
550 audit_q_len--;
551 if (audit_q_len <= audit_qctrl.aq_lowater)
552 wait_queue_wakeup_one(
553 audit_wait_queue,
554 AUDIT_COMMIT_EVENT,
555 THREAD_AWAKENED);
556
557 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
558 }
559 mutex_unlock(audit_mtx);
560 while ((ar = TAILQ_FIRST(&ar_worklist))) {
561 TAILQ_REMOVE(&ar_worklist, ar, k_q);
562 audit_free(ar);
563 }
564 mutex_lock(audit_mtx);
565 continue;
566 }
567
568 /*
569 * We have both records to write, and an active vnode
570 * to write to. Dequeue a record, and start the write.
571 * Eventually, it might make sense to dequeue several
572 * records and perform our own clustering, if the lower
573 * layers aren't doing it automatically enough.
574 *
575 * XXX: We go out of our way to avoid calling audit_free()
576 * with the audit_mtx held, to avoid a lock order reversal
577 * as free() may grab the funnel. This will be fixed at
578 * some point.
579 */
580 while ((ar = TAILQ_FIRST(&audit_q))) {
581 TAILQ_REMOVE(&audit_q, ar, k_q);
582 audit_q_len--;
583 if (audit_q_len <= audit_qctrl.aq_lowater) {
584 wait_queue_wakeup_one(audit_wait_queue,
585 AUDIT_COMMIT_EVENT, THREAD_AWAKENED);
586 }
587
588 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
589 }
590 mutex_unlock(audit_mtx);
591 release_funnel = 0;
592 while ((ar = TAILQ_FIRST(&ar_worklist))) {
593 TAILQ_REMOVE(&ar_worklist, ar, k_q);
594 if (audit_vp != NULL) {
595 /*
596 * XXX: What should happen if there's a write
597 * error here?
598 */
599 if (!release_funnel) {
600 thread_funnel_set(kernel_flock, TRUE);
601 release_funnel = 1;
602 }
603 error = audit_write(audit_vp, ar, audit_cred,
604 audit_p);
605 if (error && audit_panic_on_write_fail) {
606 panic("audit_worker: write error %d\n",
607 error);
608 } else if (error) {
609 printf("audit_worker: write error %d\n",
610 error);
611 }
612 }
613 audit_free(ar);
614 }
615 if (release_funnel)
616 thread_funnel_set(kernel_flock, FALSE);
617 mutex_lock(audit_mtx);
618 }
619 }
620
621 void
622 audit_init(void)
623 {
624
625 /* Verify that the syscall to audit event table is the same
626 * size as the system call table.
627 */
628 if (nsys_au_event != nsysent) {
629 printf("Security auditing service initialization failed, ");
630 printf("audit event table doesn't match syscall table.\n");
631 return;
632 }
633
634 printf("Security auditing service present\n");
635 TAILQ_INIT(&audit_q);
636 audit_q_len = 0;
637 audit_enabled = 0;
638 audit_suspended = 0;
639 audit_replacement_cred = NULL;
640 audit_replacement_flag = 0;
641 audit_file_rotate_wait = 0;
642 audit_replacement_vp = NULL;
643 audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
644 audit_fstat.af_currsz = 0;
645 audit_qctrl.aq_hiwater = AQ_HIWATER;
646 audit_qctrl.aq_lowater = AQ_LOWATER;
647 audit_qctrl.aq_bufsz = AQ_BUFSZ;
648 audit_qctrl.aq_minfree = AU_FS_MINFREE;
649
650 audit_mtx = mutex_alloc(0);
651 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
652 audit_zone = zinit(sizeof(struct kaudit_record),
653 AQ_HIWATER*sizeof(struct kaudit_record),
654 8192,
655 "audit_zone");
656
657 /* Initialize the BSM audit subsystem. */
658 kau_init();
659 }
660
661 static void
662 audit_rotate_vnode(kauth_cred_t cred, struct vnode *vp)
663 {
664 int ret;
665
666 /*
667 * If other parallel log replacements have been requested, we wait
668 * until they've finished before continuing.
669 */
670 mutex_lock(audit_mtx);
671 while (audit_replacement_flag != 0) {
672
673 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
674 "flag\n"));
675 ret = wait_queue_assert_wait(audit_wait_queue,
676 AUDIT_REPLACEMENT_EVENT,
677 THREAD_UNINT,
678 0);
679 mutex_unlock(audit_mtx);
680
681 assert(ret == THREAD_WAITING);
682 ret = thread_block(THREAD_CONTINUE_NULL);
683 assert(ret == THREAD_AWAKENED);
684 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
685 audit_replacement_flag));
686
687 mutex_lock(audit_mtx);
688 }
689 audit_replacement_cred = cred;
690 audit_replacement_flag = 1;
691 audit_replacement_vp = vp;
692
693 /*
694 * Start or wake up the audit worker to perform the exchange.
695 * It will have to wait until we release the mutex.
696 */
697 if (audit_worker_thread == THREAD_NULL)
698 audit_worker_thread = kernel_thread(kernel_task,
699 audit_worker);
700 else
701 wait_queue_wakeup_one(audit_wait_queue,
702 AUDIT_WORKER_EVENT,
703 THREAD_AWAKENED);
704
705 /*
706 * Wait for the audit_worker to broadcast that a replacement has
707 * taken place; we know that once this has happened, our vnode
708 * has been replaced in, so we can return successfully.
709 */
710 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
711 "replacement\n"));
712 ret = wait_queue_assert_wait(audit_wait_queue,
713 AUDIT_REPLACEMENT_EVENT,
714 THREAD_UNINT,
715 0);
716 mutex_unlock(audit_mtx);
717
718 assert(ret == THREAD_WAITING);
719 ret = thread_block(THREAD_CONTINUE_NULL);
720 assert(ret == THREAD_AWAKENED);
721 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
722 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
723
724 audit_file_rotate_wait = 0; /* We can now request another rotation */
725 }
726
727 /*
728 * Drain the audit queue and close the log at shutdown.
729 */
730 void
731 audit_shutdown(void)
732 {
733 audit_rotate_vnode(NULL, NULL);
734 }
735
736 static __inline__ struct uthread *
737 curuthread(void)
738 {
739 return (get_bsdthread_info(current_thread()));
740 }
741
742 static __inline__ struct kaudit_record *
743 currecord(void)
744 {
745 return (curuthread()->uu_ar);
746 }
747
748 /**********************************
749 * Begin system calls. *
750 **********************************/
751 /*
752 * System call to allow a user space application to submit a BSM audit
753 * record to the kernel for inclusion in the audit log. This function
754 * does little verification on the audit record that is submitted.
755 *
756 * XXXAUDIT: Audit preselection for user records does not currently
757 * work, since we pre-select only based on the AUE_audit event type,
758 * not the event type submitted as part of the user audit data.
759 */
760 /* ARGSUSED */
761 int
762 audit(struct proc *p, struct audit_args *uap, __unused register_t *retval)
763 {
764 int error;
765 void * rec;
766 struct kaudit_record *ar;
767 struct uthread *uthr;
768
769 error = suser(kauth_cred_get(), &p->p_acflag);
770 if (error)
771 return (error);
772
773 if ((uap->length <= 0) || (uap->length > (int)audit_qctrl.aq_bufsz))
774 return (EINVAL);
775
776 ar = currecord();
777
778 /* If there's no current audit record (audit() itself not audited)
779 * commit the user audit record.
780 */
781 if (ar == NULL) {
782 uthr = curuthread();
783 if (uthr == NULL) /* can this happen? */
784 return (ENOTSUP);
785
786 /* This is not very efficient; we're required to allocate
787 * a complete kernel audit record just so the user record
788 * can tag along.
789 */
790 uthr->uu_ar = audit_new(AUE_NULL, p, uthr);
791 if (uthr->uu_ar == NULL) /* auditing not on, or memory error */
792 return (ENOTSUP);
793 ar = uthr->uu_ar;
794 }
795
796 if (uap->length > MAX_AUDIT_RECORD_SIZE)
797 return (EINVAL);
798
799 rec = (void *)kalloc((vm_size_t)uap->length);
800
801 error = copyin(uap->record, rec, uap->length);
802 if (error)
803 goto free_out;
804
805 /* Verify the record */
806 if (bsm_rec_verify(rec) == 0) {
807 error = EINVAL;
808 goto free_out;
809 }
810
811 /* Attach the user audit record to the kernel audit record. Because
812 * this system call is an auditable event, we will write the user
813 * record along with the record for this audit event.
814 */
815 ar->k_udata = rec;
816 ar->k_ar_commit |= AR_COMMIT_USER;
817 ar->k_ulen = uap->length;
818 return (0);
819
820 free_out:
821 /* audit_syscall_exit() will free the audit record on the thread
822 * even if we allocated it above.
823 */
824 kfree(rec, uap->length);
825 return (error);
826 }
827
828 /*
829 * System call to manipulate auditing.
830 */
831 /* ARGSUSED */
832 int
833 auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t *retval)
834 {
835 int ret;
836 int len;
837 union auditon_udata udata;
838 struct proc *tp;
839
840 AUDIT_ARG(cmd, uap->cmd);
841 ret = suser(kauth_cred_get(), &p->p_acflag);
842 if (ret)
843 return (ret);
844
845 len = uap->length;
846 if ((len <= 0) || (len > (int)sizeof(union auditon_udata)))
847 return (EINVAL);
848
849 memset((void *)&udata, 0, sizeof(udata));
850
851 switch (uap->cmd) {
852 /* Some of the GET commands use the arguments too */
853 case A_SETPOLICY:
854 case A_SETKMASK:
855 case A_SETQCTRL:
856 case A_SETSTAT:
857 case A_SETUMASK:
858 case A_SETSMASK:
859 case A_SETCOND:
860 case A_SETCLASS:
861 case A_SETPMASK:
862 case A_SETFSIZE:
863 case A_SETKAUDIT:
864 case A_GETCLASS:
865 case A_GETPINFO:
866 case A_GETPINFO_ADDR:
867 ret = copyin(uap->data, (void *)&udata, uap->length);
868 if (ret)
869 return (ret);
870 AUDIT_ARG(auditon, &udata);
871 break;
872 }
873
874 /* XXX Need to implement these commands by accessing the global
875 * values associated with the commands.
876 */
877 switch (uap->cmd) {
878 case A_GETPOLICY:
879 if (!audit_fail_stop)
880 udata.au_policy |= AUDIT_CNT;
881 if (audit_panic_on_write_fail)
882 udata.au_policy |= AUDIT_AHLT;
883 break;
884 case A_SETPOLICY:
885 if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT))
886 return (EINVAL);
887 /*
888 * XXX - Need to wake up waiters if the policy relaxes?
889 */
890 audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
891 audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
892 break;
893 case A_GETKMASK:
894 udata.au_mask = audit_nae_mask;
895 break;
896 case A_SETKMASK:
897 audit_nae_mask = udata.au_mask;
898 break;
899 case A_GETQCTRL:
900 udata.au_qctrl = audit_qctrl;
901 break;
902 case A_SETQCTRL:
903 if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
904 (udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
905 (udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
906 (udata.au_qctrl.aq_minfree < 0) ||
907 (udata.au_qctrl.aq_minfree > 100))
908 return (EINVAL);
909
910 audit_qctrl = udata.au_qctrl;
911 /* XXX The queue delay value isn't used with the kernel. */
912 audit_qctrl.aq_delay = -1;
913 break;
914 case A_GETCWD:
915 return (ENOSYS);
916 break;
917 case A_GETCAR:
918 return (ENOSYS);
919 break;
920 case A_GETSTAT:
921 return (ENOSYS);
922 break;
923 case A_SETSTAT:
924 return (ENOSYS);
925 break;
926 case A_SETUMASK:
927 return (ENOSYS);
928 break;
929 case A_SETSMASK:
930 return (ENOSYS);
931 break;
932 case A_GETCOND:
933 if (audit_enabled && !audit_suspended)
934 udata.au_cond = AUC_AUDITING;
935 else
936 udata.au_cond = AUC_NOAUDIT;
937 break;
938 case A_SETCOND:
939 if (udata.au_cond == AUC_NOAUDIT)
940 audit_suspended = 1;
941 if (udata.au_cond == AUC_AUDITING)
942 audit_suspended = 0;
943 if (udata.au_cond == AUC_DISABLED) {
944 audit_suspended = 1;
945 audit_shutdown();
946 }
947 break;
948 case A_GETCLASS:
949 udata.au_evclass.ec_class =
950 au_event_class(udata.au_evclass.ec_number);
951 break;
952 case A_SETCLASS:
953 au_evclassmap_insert(udata.au_evclass.ec_number,
954 udata.au_evclass.ec_class);
955 break;
956 case A_GETPINFO:
957 if (udata.au_aupinfo.ap_pid < 1)
958 return (EINVAL);
959 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
960 return (EINVAL);
961
962 udata.au_aupinfo.ap_auid = tp->p_ucred->cr_au.ai_auid;
963 udata.au_aupinfo.ap_mask.am_success =
964 tp->p_ucred->cr_au.ai_mask.am_success;
965 udata.au_aupinfo.ap_mask.am_failure =
966 tp->p_ucred->cr_au.ai_mask.am_failure;
967 udata.au_aupinfo.ap_termid.machine =
968 tp->p_ucred->cr_au.ai_termid.machine;
969 udata.au_aupinfo.ap_termid.port =
970 tp->p_ucred->cr_au.ai_termid.port;
971 udata.au_aupinfo.ap_asid = tp->p_ucred->cr_au.ai_asid;
972 break;
973 case A_SETPMASK:
974 if (udata.au_aupinfo.ap_pid < 1)
975 return (EINVAL);
976 if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
977 return (EINVAL);
978
979 /*
980 * we are modifying the audit info in a credential so we need a new
981 * credential (or take another reference on an existing credential that
982 * matches our new one). We must do this because the audit info in the
983 * credential is used as part of our hash key. Get current credential
984 * in the target process and take a reference while we muck with it.
985 */
986 for (;;) {
987 kauth_cred_t my_cred, my_new_cred;
988 struct auditinfo temp_auditinfo;
989
990 my_cred = kauth_cred_proc_ref(tp);
991 /*
992 * set the credential with new info. If there is no change we get back
993 * the same credential we passed in.
994 */
995 temp_auditinfo = my_cred->cr_au;
996 temp_auditinfo.ai_mask.am_success =
997 udata.au_aupinfo.ap_mask.am_success;
998 temp_auditinfo.ai_mask.am_failure =
999 udata.au_aupinfo.ap_mask.am_failure;
1000 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1001
1002 if (my_cred != my_new_cred) {
1003 proc_lock(tp);
1004 /* need to protect for a race where another thread also changed
1005 * the credential after we took our reference. If p_ucred has
1006 * changed then we should restart this again with the new cred.
1007 */
1008 if (tp->p_ucred != my_cred) {
1009 proc_unlock(tp);
1010 kauth_cred_rele(my_cred);
1011 kauth_cred_rele(my_new_cred);
1012 /* try again */
1013 continue;
1014 }
1015 tp->p_ucred = my_new_cred;
1016 proc_unlock(tp);
1017 }
1018 /* drop our extra reference */
1019 kauth_cred_rele(my_cred);
1020 break;
1021 }
1022 break;
1023 case A_SETFSIZE:
1024 if ((udata.au_fstat.af_filesz != 0) &&
1025 (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
1026 return (EINVAL);
1027 audit_fstat.af_filesz = udata.au_fstat.af_filesz;
1028 break;
1029 case A_GETFSIZE:
1030 udata.au_fstat.af_filesz = audit_fstat.af_filesz;
1031 udata.au_fstat.af_currsz = audit_fstat.af_currsz;
1032 break;
1033 case A_GETPINFO_ADDR:
1034 return (ENOSYS);
1035 break;
1036 case A_GETKAUDIT:
1037 return (ENOSYS);
1038 break;
1039 case A_SETKAUDIT:
1040 return (ENOSYS);
1041 break;
1042 }
1043 /* Copy data back to userspace for the GET comands */
1044 switch (uap->cmd) {
1045 case A_GETPOLICY:
1046 case A_GETKMASK:
1047 case A_GETQCTRL:
1048 case A_GETCWD:
1049 case A_GETCAR:
1050 case A_GETSTAT:
1051 case A_GETCOND:
1052 case A_GETCLASS:
1053 case A_GETPINFO:
1054 case A_GETFSIZE:
1055 case A_GETPINFO_ADDR:
1056 case A_GETKAUDIT:
1057 ret = copyout((void *)&udata, uap->data, uap->length);
1058 if (ret)
1059 return (ret);
1060 break;
1061 }
1062
1063 return (0);
1064 }
1065
1066 /*
1067 * System calls to manage the user audit information.
1068 * XXXAUDIT May need to lock the proc structure.
1069 */
1070 /* ARGSUSED */
1071 int
1072 getauid(struct proc *p, struct getauid_args *uap, __unused register_t *retval)
1073 {
1074 int error;
1075
1076 error = copyout((void *)&kauth_cred_get()->cr_au.ai_auid,
1077 uap->auid, sizeof(au_id_t));
1078 if (error)
1079 return (error);
1080
1081 return (0);
1082 }
1083
1084 /* ARGSUSED */
1085 int
1086 setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval)
1087 {
1088 int error;
1089 au_id_t temp_au_id;
1090
1091 error = suser(kauth_cred_get(), &p->p_acflag);
1092 if (error)
1093 return (error);
1094
1095 error = copyin(uap->auid,
1096 (void *)&temp_au_id,
1097 sizeof(au_id_t));
1098 if (error)
1099 return (error);
1100
1101 /*
1102 * we are modifying the audit info in a credential so we need a new
1103 * credential (or take another reference on an existing credential that
1104 * matches our new one). We must do this because the audit info in the
1105 * credential is used as part of our hash key. Get current credential
1106 * in the target process and take a reference while we muck with it.
1107 */
1108 for (;;) {
1109 kauth_cred_t my_cred, my_new_cred;
1110 struct auditinfo temp_auditinfo;
1111
1112 my_cred = kauth_cred_proc_ref(p);
1113 /*
1114 * set the credential with new info. If there is no change we get back
1115 * the same credential we passed in.
1116 */
1117 temp_auditinfo = my_cred->cr_au;
1118 temp_auditinfo.ai_auid = temp_au_id;
1119 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1120
1121 if (my_cred != my_new_cred) {
1122 proc_lock(p);
1123 /* need to protect for a race where another thread also changed
1124 * the credential after we took our reference. If p_ucred has
1125 * changed then we should restart this again with the new cred.
1126 */
1127 if (p->p_ucred != my_cred) {
1128 proc_unlock(p);
1129 kauth_cred_rele(my_cred);
1130 kauth_cred_rele(my_new_cred);
1131 /* try again */
1132 continue;
1133 }
1134 p->p_ucred = my_new_cred;
1135 proc_unlock(p);
1136 }
1137 /* drop our extra reference */
1138 kauth_cred_rele(my_cred);
1139 break;
1140 }
1141
1142 /* propagate the change from the process to Mach task */
1143 set_security_token(p);
1144
1145 audit_arg_auid(kauth_cred_get()->cr_au.ai_auid);
1146 return (0);
1147 }
1148
1149 /*
1150 * System calls to get and set process audit information.
1151 * If the caller is privileged, they get the whole set of
1152 * audit information. Otherwise, the real audit mask is
1153 * filtered out - but the rest of the information is
1154 * returned.
1155 */
1156 /* ARGSUSED */
1157 int
1158 getaudit(struct proc *p, struct getaudit_args *uap, __unused register_t *retval)
1159 {
1160 struct auditinfo ai;
1161 int error;
1162
1163 ai = kauth_cred_get()->cr_au;
1164
1165 /* only superuser gets to see the real mask */
1166 error = suser(kauth_cred_get(), &p->p_acflag);
1167 if (error) {
1168 ai.ai_mask.am_success = ~0;
1169 ai.ai_mask.am_failure = ~0;
1170 }
1171
1172 error = copyout(&ai, uap->auditinfo, sizeof(ai));
1173 if (error)
1174 return (error);
1175
1176 return (0);
1177 }
1178
1179 /* ARGSUSED */
1180 int
1181 setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval)
1182 {
1183 int error;
1184 struct auditinfo temp_auditinfo;
1185
1186 error = suser(kauth_cred_get(), &p->p_acflag);
1187 if (error)
1188 return (error);
1189
1190 error = copyin(uap->auditinfo,
1191 (void *)&temp_auditinfo,
1192 sizeof(temp_auditinfo));
1193 if (error)
1194 return (error);
1195
1196 /*
1197 * we are modifying the audit info in a credential so we need a new
1198 * credential (or take another reference on an existing credential that
1199 * matches our new one). We must do this because the audit info in the
1200 * credential is used as part of our hash key. Get current credential
1201 * in the target process and take a reference while we muck with it.
1202 */
1203 for (;;) {
1204 kauth_cred_t my_cred, my_new_cred;
1205
1206 my_cred = kauth_cred_proc_ref(p);
1207 /*
1208 * set the credential with new info. If there is no change we get back
1209 * the same credential we passed in.
1210 */
1211 my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo);
1212
1213 if (my_cred != my_new_cred) {
1214 proc_lock(p);
1215 /* need to protect for a race where another thread also changed
1216 * the credential after we took our reference. If p_ucred has
1217 * changed then we should restart this again with the new cred.
1218 */
1219 if (p->p_ucred != my_cred) {
1220 proc_unlock(p);
1221 kauth_cred_rele(my_cred);
1222 kauth_cred_rele(my_new_cred);
1223 /* try again */
1224 continue;
1225 }
1226 p->p_ucred = my_new_cred;
1227 proc_unlock(p);
1228 }
1229 /* drop our extra reference */
1230 kauth_cred_rele(my_cred);
1231 break;
1232 }
1233
1234 /* propagate the change from the process to Mach task */
1235 set_security_token(p);
1236
1237 audit_arg_auditinfo(&p->p_ucred->cr_au);
1238
1239 return (0);
1240 }
1241
1242 /* ARGSUSED */
1243 int
1244 getaudit_addr(struct proc *p, __unused struct getaudit_addr_args *uap, __unused register_t *retval)
1245 {
1246 return (ENOSYS);
1247 }
1248
1249 /* ARGSUSED */
1250 int
1251 setaudit_addr(struct proc *p, __unused struct setaudit_addr_args *uap, __unused register_t *retval)
1252 {
1253 int error;
1254
1255 error = suser(kauth_cred_get(), &p->p_acflag);
1256 if (error)
1257 return (error);
1258 return (ENOSYS);
1259 }
1260
1261 /*
1262 * Syscall to manage audit files.
1263 *
1264 */
1265 /* ARGSUSED */
1266 int
1267 auditctl(struct proc *p, struct auditctl_args *uap, __unused register_t *retval)
1268 {
1269 struct nameidata nd;
1270 kauth_cred_t cred;
1271 struct vnode *vp;
1272 int error, flags;
1273 struct vfs_context context;
1274
1275 context.vc_proc = p;
1276 context.vc_ucred = kauth_cred_get();
1277
1278 error = suser(kauth_cred_get(), &p->p_acflag);
1279 if (error)
1280 return (error);
1281
1282 vp = NULL;
1283 cred = NULL;
1284
1285 /*
1286 * If a path is specified, open the replacement vnode, perform
1287 * validity checks, and grab another reference to the current
1288 * credential.
1289 */
1290 if (uap->path != 0) {
1291 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1292 (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
1293 uap->path, &context);
1294 flags = audit_open_flags;
1295 error = vn_open(&nd, flags, 0);
1296 if (error)
1297 goto out;
1298 vp = nd.ni_vp;
1299 if (vp->v_type != VREG) {
1300 vn_close(vp, audit_close_flags, kauth_cred_get(), p);
1301 vnode_put(vp);
1302 error = EINVAL;
1303 goto out;
1304 }
1305 cred = kauth_cred_get_with_ref();
1306 audit_suspended = 0;
1307 }
1308 /*
1309 * a vp and cred of NULL is valid at this point
1310 * and indicates we're to turn off auditing...
1311 */
1312 audit_rotate_vnode(cred, vp);
1313 if (vp)
1314 vnode_put(vp);
1315 out:
1316 return (error);
1317 }
1318
1319 /**********************************
1320 * End of system calls. *
1321 **********************************/
1322
1323 /*
1324 * MPSAFE
1325 */
1326 struct kaudit_record *
1327 audit_new(int event, struct proc *p, __unused struct uthread *uthread)
1328 {
1329 struct kaudit_record *ar;
1330 int no_record;
1331
1332 /*
1333 * Eventually, there may be certain classes of events that
1334 * we will audit regardless of the audit state at the time
1335 * the record is created. These events will generally
1336 * correspond to changes in the audit state. The dummy
1337 * code below is from our first prototype, but may also
1338 * be used in the final version (with modified event numbers).
1339 */
1340 #if 0
1341 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
1342 #endif
1343 mutex_lock(audit_mtx);
1344 no_record = (audit_suspended || !audit_enabled);
1345 mutex_unlock(audit_mtx);
1346 if (no_record)
1347 return (NULL);
1348 #if 0
1349 }
1350 #endif
1351
1352 /*
1353 * Initialize the audit record header.
1354 * XXX: We may want to fail-stop if allocation fails.
1355 * XXX: The number of outstanding uncommitted audit records is
1356 * limited by the number of concurrent threads servicing system
1357 * calls in the kernel.
1358 */
1359
1360 ar = (struct kaudit_record *)zalloc(audit_zone);
1361 if (ar == NULL)
1362 return NULL;
1363
1364 mutex_lock(audit_mtx);
1365 audit_pre_q_len++;
1366 mutex_unlock(audit_mtx);
1367
1368 bzero(ar, sizeof(*ar));
1369 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1370 ar->k_ar.ar_event = event;
1371 nanotime(&ar->k_ar.ar_starttime);
1372
1373 /* Export the subject credential. */
1374 cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred);
1375 ar->k_ar.ar_subj_ruid = p->p_ucred->cr_ruid;
1376 ar->k_ar.ar_subj_rgid = p->p_ucred->cr_rgid;
1377 ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0];
1378 ar->k_ar.ar_subj_auid = p->p_ucred->cr_au.ai_auid;
1379 ar->k_ar.ar_subj_asid = p->p_ucred->cr_au.ai_asid;
1380 ar->k_ar.ar_subj_pid = p->p_pid;
1381 ar->k_ar.ar_subj_amask = p->p_ucred->cr_au.ai_mask;
1382 ar->k_ar.ar_subj_term = p->p_ucred->cr_au.ai_termid;
1383 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
1384
1385 return (ar);
1386 }
1387
1388 /*
1389 * MPSAFE
1390 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
1391 */
1392 void
1393 audit_abort(struct kaudit_record *ar)
1394 {
1395 mutex_lock(audit_mtx);
1396 audit_pre_q_len--;
1397 mutex_unlock(audit_mtx);
1398 audit_free(ar);
1399 }
1400
1401 /*
1402 * MPSAFE
1403 */
1404 void
1405 audit_commit(struct kaudit_record *ar, int error, int retval)
1406 {
1407 int ret;
1408 int sorf;
1409 struct au_mask *aumask;
1410
1411 if (ar == NULL)
1412 return;
1413
1414 /*
1415 * Decide whether to commit the audit record by checking the
1416 * error value from the system call and using the appropriate
1417 * audit mask.
1418 */
1419 if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
1420 aumask = &audit_nae_mask;
1421 else
1422 aumask = &ar->k_ar.ar_subj_amask;
1423
1424 if (error)
1425 sorf = AU_PRS_FAILURE;
1426 else
1427 sorf = AU_PRS_SUCCESS;
1428
1429 switch(ar->k_ar.ar_event) {
1430
1431 case AUE_OPEN_RWTC:
1432 /* The open syscall always writes a OPEN_RWTC event; limit the
1433 * to the proper type of event based on the flags and the error
1434 * value.
1435 */
1436 ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error);
1437 break;
1438
1439 case AUE_SYSCTL:
1440 ar->k_ar.ar_event = ctlname_to_sysctlevent(ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
1441 break;
1442
1443 case AUE_AUDITON:
1444 /* Convert the auditon() command to an event */
1445 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
1446 break;
1447 }
1448
1449 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
1450 ar->k_ar_commit |= AR_COMMIT_KERNEL;
1451
1452 if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
1453 mutex_lock(audit_mtx);
1454 audit_pre_q_len--;
1455 mutex_unlock(audit_mtx);
1456 audit_free(ar);
1457 return;
1458 }
1459
1460 ar->k_ar.ar_errno = error;
1461 ar->k_ar.ar_retval = retval;
1462
1463 /*
1464 * We might want to do some system-wide post-filtering
1465 * here at some point.
1466 */
1467
1468 /*
1469 * Timestamp system call end.
1470 */
1471 nanotime(&ar->k_ar.ar_endtime);
1472
1473 mutex_lock(audit_mtx);
1474 /*
1475 * Note: it could be that some records initiated while audit was
1476 * enabled should still be committed?
1477 */
1478 if (audit_suspended || !audit_enabled) {
1479 audit_pre_q_len--;
1480 mutex_unlock(audit_mtx);
1481 audit_free(ar);
1482 return;
1483 }
1484
1485 /*
1486 * Constrain the number of committed audit records based on
1487 * the configurable parameter.
1488 */
1489 while (audit_q_len >= audit_qctrl.aq_hiwater) {
1490
1491 ret = wait_queue_assert_wait(audit_wait_queue,
1492 AUDIT_COMMIT_EVENT,
1493 THREAD_UNINT,
1494 0);
1495 mutex_unlock(audit_mtx);
1496
1497 assert(ret == THREAD_WAITING);
1498
1499 ret = thread_block(THREAD_CONTINUE_NULL);
1500 assert(ret == THREAD_AWAKENED);
1501 mutex_lock(audit_mtx);
1502 }
1503
1504 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
1505 audit_q_len++;
1506 audit_pre_q_len--;
1507 wait_queue_wakeup_one(audit_wait_queue, AUDIT_WORKER_EVENT, THREAD_AWAKENED);
1508 mutex_unlock(audit_mtx);
1509 }
1510
1511 /*
1512 * Calls to set up and tear down audit structures associated with
1513 * each system call.
1514 */
1515 void
1516 audit_syscall_enter(unsigned short code, struct proc *proc,
1517 struct uthread *uthread)
1518 {
1519 int audit_event;
1520 struct au_mask *aumask;
1521
1522 audit_event = sys_au_event[code];
1523 if (audit_event == AUE_NULL)
1524 return;
1525
1526 assert(uthread->uu_ar == NULL);
1527
1528 /* Check which audit mask to use; either the kernel non-attributable
1529 * event mask or the process audit mask.
1530 */
1531 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1532 aumask = &audit_nae_mask;
1533 else
1534 aumask = &proc->p_ucred->cr_au.ai_mask;
1535
1536 /*
1537 * Allocate an audit record, if preselection allows it, and store
1538 * in the BSD thread for later use.
1539 */
1540 if (au_preselect(audit_event, aumask,
1541 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1542 /*
1543 * If we're out of space and need to suspend unprivileged
1544 * processes, do that here rather than trying to allocate
1545 * another audit record.
1546 */
1547 if (audit_in_failure &&
1548 suser(kauth_cred_get(), &proc->p_acflag) != 0) {
1549 int ret;
1550
1551 assert(audit_worker_thread != THREAD_NULL);
1552 ret = wait_queue_assert_wait(audit_wait_queue,
1553 AUDIT_FAILURE_EVENT, THREAD_UNINT, 0);
1554 assert(ret == THREAD_WAITING);
1555 (void)thread_block(THREAD_CONTINUE_NULL);
1556 panic("audit_failing_stop: thread continued");
1557 }
1558 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1559 } else {
1560 uthread->uu_ar = NULL;
1561 }
1562 }
1563
1564 void
1565 audit_syscall_exit(int error, AUDIT_PRINTF_ONLY struct proc *proc, struct uthread *uthread)
1566 {
1567 int retval;
1568
1569 /*
1570 * Commit the audit record as desired; once we pass the record
1571 * into audit_commit(), the memory is owned by the audit
1572 * subsystem.
1573 * The return value from the system call is stored on the user
1574 * thread. If there was an error, the return value is set to -1,
1575 * imitating the behavior of the cerror routine.
1576 */
1577 if (error)
1578 retval = -1;
1579 else
1580 retval = uthread->uu_rval[0];
1581
1582 audit_commit(uthread->uu_ar, error, retval);
1583 if (uthread->uu_ar != NULL) {
1584 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1585 }
1586 uthread->uu_ar = NULL;
1587
1588 }
1589
1590 /*
1591 * Calls to set up and tear down audit structures used during Mach
1592 * system calls.
1593 */
1594 void
1595 audit_mach_syscall_enter(unsigned short audit_event)
1596 {
1597 struct uthread *uthread;
1598 struct proc *proc;
1599 struct au_mask *aumask;
1600
1601 if (audit_event == AUE_NULL)
1602 return;
1603
1604 uthread = curuthread();
1605 if (uthread == NULL)
1606 return;
1607
1608 proc = current_proc();
1609 if (proc == NULL)
1610 return;
1611
1612 assert(uthread->uu_ar == NULL);
1613
1614 /* Check which audit mask to use; either the kernel non-attributable
1615 * event mask or the process audit mask.
1616 */
1617 if (proc->p_ucred->cr_au.ai_auid == AU_DEFAUDITID)
1618 aumask = &audit_nae_mask;
1619 else
1620 aumask = &proc->p_ucred->cr_au.ai_mask;
1621
1622 /*
1623 * Allocate an audit record, if desired, and store in the BSD
1624 * thread for later use.
1625 */
1626 if (au_preselect(audit_event, aumask,
1627 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
1628 uthread->uu_ar = audit_new(audit_event, proc, uthread);
1629 } else {
1630 uthread->uu_ar = NULL;
1631 }
1632 }
1633
1634 void
1635 audit_mach_syscall_exit(int retval, struct uthread *uthread)
1636 {
1637 /* The error code from Mach system calls is the same as the
1638 * return value
1639 */
1640 /* XXX Is the above statement always true? */
1641 audit_commit(uthread->uu_ar, retval, retval);
1642 uthread->uu_ar = NULL;
1643
1644 }
1645
1646 /*
1647 * Calls to manipulate elements of the audit record structure from system
1648 * call code. Macro wrappers will prevent this functions from being
1649 * entered if auditing is disabled, avoiding the function call cost. We
1650 * check the thread audit record pointer anyway, as the audit condition
1651 * could change, and pre-selection may not have allocated an audit
1652 * record for this event.
1653 */
1654 void
1655 audit_arg_addr(user_addr_t addr)
1656 {
1657 struct kaudit_record *ar;
1658
1659 ar = currecord();
1660 if (ar == NULL)
1661 return;
1662
1663 ar->k_ar.ar_arg_addr = CAST_DOWN(void *, addr); /* XXX */
1664 ar->k_ar.ar_valid_arg |= ARG_ADDR;
1665 }
1666
1667 void
1668 audit_arg_len(user_size_t len)
1669 {
1670 struct kaudit_record *ar;
1671
1672 ar = currecord();
1673 if (ar == NULL)
1674 return;
1675
1676 ar->k_ar.ar_arg_len = CAST_DOWN(int, len); /* XXX */
1677 ar->k_ar.ar_valid_arg |= ARG_LEN;
1678 }
1679
1680 void
1681 audit_arg_fd(int fd)
1682 {
1683 struct kaudit_record *ar;
1684
1685 ar = currecord();
1686 if (ar == NULL)
1687 return;
1688
1689 ar->k_ar.ar_arg_fd = fd;
1690 ar->k_ar.ar_valid_arg |= ARG_FD;
1691 }
1692
1693 void
1694 audit_arg_fflags(int fflags)
1695 {
1696 struct kaudit_record *ar;
1697
1698 ar = currecord();
1699 if (ar == NULL)
1700 return;
1701
1702 ar->k_ar.ar_arg_fflags = fflags;
1703 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1704 }
1705
1706 void
1707 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1708 {
1709 struct kaudit_record *ar;
1710
1711 ar = currecord();
1712 if (ar == NULL)
1713 return;
1714
1715 ar->k_ar.ar_arg_gid = gid;
1716 ar->k_ar.ar_arg_egid = egid;
1717 ar->k_ar.ar_arg_rgid = rgid;
1718 ar->k_ar.ar_arg_sgid = sgid;
1719 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1720 }
1721
1722 void
1723 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1724 {
1725 struct kaudit_record *ar;
1726
1727 ar = currecord();
1728 if (ar == NULL)
1729 return;
1730
1731 ar->k_ar.ar_arg_uid = uid;
1732 ar->k_ar.ar_arg_euid = euid;
1733 ar->k_ar.ar_arg_ruid = ruid;
1734 ar->k_ar.ar_arg_suid = suid;
1735 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1736 }
1737
1738 void
1739 audit_arg_groupset(const gid_t *gidset, u_int gidset_size)
1740 {
1741 uint i;
1742 struct kaudit_record *ar;
1743
1744 ar = currecord();
1745 if (ar == NULL)
1746 return;
1747
1748 for (i = 0; i < gidset_size; i++)
1749 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1750 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1751 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1752 }
1753
1754 void
1755 audit_arg_login(const char *login)
1756 {
1757 struct kaudit_record *ar;
1758
1759 ar = currecord();
1760 if (ar == NULL)
1761 return;
1762
1763 #if 0
1764 /*
1765 * XXX: Add strlcpy() to Darwin for improved safety.
1766 */
1767 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1768 #else
1769 strcpy(ar->k_ar.ar_arg_login, login);
1770 #endif
1771
1772 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1773 }
1774
1775 void
1776 audit_arg_ctlname(const int *name, int namelen)
1777 {
1778 struct kaudit_record *ar;
1779
1780 ar = currecord();
1781 if (ar == NULL)
1782 return;
1783
1784 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
1785 ar->k_ar.ar_arg_len = namelen;
1786 ar->k_ar.ar_valid_arg |= (ARG_CTLNAME | ARG_LEN);
1787 }
1788
1789 void
1790 audit_arg_mask(int mask)
1791 {
1792 struct kaudit_record *ar;
1793
1794 ar = currecord();
1795 if (ar == NULL)
1796 return;
1797
1798 ar->k_ar.ar_arg_mask = mask;
1799 ar->k_ar.ar_valid_arg |= ARG_MASK;
1800 }
1801
1802 void
1803 audit_arg_mode(mode_t mode)
1804 {
1805 struct kaudit_record *ar;
1806
1807 ar = currecord();
1808 if (ar == NULL)
1809 return;
1810
1811 ar->k_ar.ar_arg_mode = mode;
1812 ar->k_ar.ar_valid_arg |= ARG_MODE;
1813 }
1814
1815 void
1816 audit_arg_dev(int dev)
1817 {
1818 struct kaudit_record *ar;
1819
1820 ar = currecord();
1821 if (ar == NULL)
1822 return;
1823
1824 ar->k_ar.ar_arg_dev = dev;
1825 ar->k_ar.ar_valid_arg |= ARG_DEV;
1826 }
1827
1828 void
1829 audit_arg_value(long value)
1830 {
1831 struct kaudit_record *ar;
1832
1833 ar = currecord();
1834 if (ar == NULL)
1835 return;
1836
1837 ar->k_ar.ar_arg_value = value;
1838 ar->k_ar.ar_valid_arg |= ARG_VALUE;
1839 }
1840
1841 void
1842 audit_arg_owner(uid_t uid, gid_t gid)
1843 {
1844 struct kaudit_record *ar;
1845
1846 ar = currecord();
1847 if (ar == NULL)
1848 return;
1849
1850 ar->k_ar.ar_arg_uid = uid;
1851 ar->k_ar.ar_arg_gid = gid;
1852 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1853 }
1854
1855 void
1856 audit_arg_pid(pid_t pid)
1857 {
1858 struct kaudit_record *ar;
1859
1860 ar = currecord();
1861 if (ar == NULL)
1862 return;
1863
1864 ar->k_ar.ar_arg_pid = pid;
1865 ar->k_ar.ar_valid_arg |= ARG_PID;
1866 }
1867
1868 void
1869 audit_arg_process(struct proc *p)
1870 {
1871 struct kaudit_record *ar;
1872
1873 ar = currecord();
1874 if ((ar == NULL) || (p == NULL))
1875 return;
1876
1877 ar->k_ar.ar_arg_auid = p->p_ucred->cr_au.ai_auid;
1878 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
1879 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
1880 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
1881 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
1882 ar->k_ar.ar_arg_asid = p->p_ucred->cr_au.ai_asid;
1883 ar->k_ar.ar_arg_termid = p->p_ucred->cr_au.ai_termid;
1884
1885 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
1886 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PROCESS;
1887 }
1888
1889 void
1890 audit_arg_signum(u_int signum)
1891 {
1892 struct kaudit_record *ar;
1893
1894 ar = currecord();
1895 if (ar == NULL)
1896 return;
1897
1898 ar->k_ar.ar_arg_signum = signum;
1899 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1900 }
1901
1902 void
1903 audit_arg_socket(int sodomain, int sotype, int soprotocol)
1904 {
1905
1906 struct kaudit_record *ar;
1907
1908 ar = currecord();
1909 if (ar == NULL)
1910 return;
1911
1912 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
1913 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
1914 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
1915 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1916 }
1917
1918 void
1919 audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1920 {
1921 struct kaudit_record *ar;
1922
1923 ar = currecord();
1924 if (ar == NULL || p == NULL || so == NULL)
1925 return;
1926
1927 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1928 switch (so->sa_family) {
1929 case AF_INET:
1930 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1931 break;
1932 case AF_INET6:
1933 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1934 break;
1935 case AF_UNIX:
1936 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1937 ARG_UPATH1);
1938 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1939 break;
1940 }
1941 }
1942
1943 void
1944 audit_arg_auid(uid_t auid)
1945 {
1946 struct kaudit_record *ar;
1947
1948 ar = currecord();
1949 if (ar == NULL)
1950 return;
1951
1952 ar->k_ar.ar_arg_auid = auid;
1953 ar->k_ar.ar_valid_arg |= ARG_AUID;
1954 }
1955
1956 void
1957 audit_arg_auditinfo(const struct auditinfo *au_info)
1958 {
1959 struct kaudit_record *ar;
1960
1961 ar = currecord();
1962 if (ar == NULL)
1963 return;
1964
1965 ar->k_ar.ar_arg_auid = au_info->ai_auid;
1966 ar->k_ar.ar_arg_asid = au_info->ai_asid;
1967 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
1968 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
1969 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
1970 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
1971 ar->k_ar.ar_valid_arg |= ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID;
1972 }
1973
1974 void
1975 audit_arg_text(const char *text)
1976 {
1977 struct kaudit_record *ar;
1978
1979 ar = currecord();
1980 if (ar == NULL)
1981 return;
1982
1983 /* Invalidate the text string */
1984 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1985 if (text == NULL)
1986 return;
1987
1988 if (ar->k_ar.ar_arg_text == NULL) {
1989 ar->k_ar.ar_arg_text = (char *)kalloc(MAXPATHLEN);
1990 if (ar->k_ar.ar_arg_text == NULL)
1991 return;
1992 }
1993
1994 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
1995 ar->k_ar.ar_valid_arg |= ARG_TEXT;
1996 }
1997
1998 void
1999 audit_arg_cmd(int cmd)
2000 {
2001 struct kaudit_record *ar;
2002
2003 ar = currecord();
2004 if (ar == NULL)
2005 return;
2006
2007 ar->k_ar.ar_arg_cmd = cmd;
2008 ar->k_ar.ar_valid_arg |= ARG_CMD;
2009 }
2010
2011 void
2012 audit_arg_svipc_cmd(int cmd)
2013 {
2014 struct kaudit_record *ar;
2015
2016 ar = currecord();
2017 if (ar == NULL)
2018 return;
2019
2020 ar->k_ar.ar_arg_svipc_cmd = cmd;
2021 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
2022 }
2023
2024 void
2025 audit_arg_svipc_perm(const struct ipc_perm *perm)
2026 {
2027 struct kaudit_record *ar;
2028
2029 ar = currecord();
2030 if (ar == NULL)
2031 return;
2032
2033 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
2034 sizeof(ar->k_ar.ar_arg_svipc_perm));
2035 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
2036 }
2037
2038 void
2039 audit_arg_svipc_id(int id)
2040 {
2041 struct kaudit_record *ar;
2042
2043 ar = currecord();
2044 if (ar == NULL)
2045 return;
2046
2047 ar->k_ar.ar_arg_svipc_id = id;
2048 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
2049 }
2050
2051 void
2052 audit_arg_svipc_addr(void * addr)
2053 {
2054 struct kaudit_record *ar;
2055
2056 ar = currecord();
2057 if (ar == NULL)
2058 return;
2059
2060 ar->k_ar.ar_arg_svipc_addr = addr;
2061 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
2062 }
2063
2064 void
2065 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
2066 {
2067 struct kaudit_record *ar;
2068
2069 ar = currecord();
2070 if (ar == NULL)
2071 return;
2072
2073 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
2074 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
2075 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
2076 ar->k_ar.ar_valid_arg |= ARG_POSIX_IPC_PERM;
2077 }
2078
2079 void
2080 audit_arg_auditon(const union auditon_udata *udata)
2081 {
2082 struct kaudit_record *ar;
2083
2084 ar = currecord();
2085 if (ar == NULL)
2086 return;
2087
2088 bcopy((const void *)udata, &ar->k_ar.ar_arg_auditon,
2089 sizeof(ar->k_ar.ar_arg_auditon));
2090 ar->k_ar.ar_valid_arg |= ARG_AUDITON;
2091 }
2092
2093 /*
2094 * Audit information about a file, either the file's vnode info, or its
2095 * socket address info.
2096 */
2097 void
2098 audit_arg_file(__unused struct proc *p, const struct fileproc *fp)
2099 {
2100 struct kaudit_record *ar;
2101 struct socket *so;
2102 struct inpcb *pcb;
2103
2104 if (fp->f_fglob->fg_type == DTYPE_VNODE) {
2105 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2106 return;
2107 }
2108
2109 if (fp->f_fglob->fg_type == DTYPE_SOCKET) {
2110 ar = currecord();
2111 if (ar == NULL)
2112 return;
2113 so = (struct socket *)fp->f_fglob->fg_data;
2114 if (INP_CHECK_SOCKAF(so, PF_INET)) {
2115 if (so->so_pcb == NULL)
2116 return;
2117 ar->k_ar.ar_arg_sockinfo.so_type =
2118 so->so_type;
2119 ar->k_ar.ar_arg_sockinfo.so_domain =
2120 INP_SOCKAF(so);
2121 ar->k_ar.ar_arg_sockinfo.so_protocol =
2122 so->so_proto->pr_protocol;
2123 pcb = (struct inpcb *)so->so_pcb;
2124 ar->k_ar.ar_arg_sockinfo.so_raddr =
2125 pcb->inp_faddr.s_addr;
2126 ar->k_ar.ar_arg_sockinfo.so_laddr =
2127 pcb->inp_laddr.s_addr;
2128 ar->k_ar.ar_arg_sockinfo.so_rport =
2129 pcb->inp_fport;
2130 ar->k_ar.ar_arg_sockinfo.so_lport =
2131 pcb->inp_lport;
2132 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
2133 }
2134 }
2135
2136 }
2137
2138
2139 /*
2140 * Store a path as given by the user process for auditing into the audit
2141 * record stored on the user thread. This function will allocate the memory to
2142 * store the path info if not already available. This memory will be
2143 * freed when the audit record is freed.
2144 */
2145 void
2146 audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
2147 {
2148 struct kaudit_record *ar;
2149 char **pathp;
2150
2151 if (p == NULL || upath == NULL)
2152 return; /* nothing to do! */
2153
2154 if ((flags & (ARG_UPATH1 | ARG_UPATH2)) == 0)
2155 return;
2156
2157 ar = currecord();
2158 if (ar == NULL) /* This will be the case for unaudited system calls */
2159 return;
2160
2161 if (flags & ARG_UPATH1) {
2162 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
2163 pathp = &ar->k_ar.ar_arg_upath1;
2164 }
2165 else {
2166 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
2167 pathp = &ar->k_ar.ar_arg_upath2;
2168 }
2169
2170 if (*pathp == NULL) {
2171 *pathp = (char *)kalloc(MAXPATHLEN);
2172 if (*pathp == NULL)
2173 return;
2174 }
2175
2176 if (canon_path(p, upath, *pathp) == 0) {
2177 if (flags & ARG_UPATH1)
2178 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
2179 else
2180 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
2181 } else {
2182 kfree(*pathp, MAXPATHLEN);
2183 *pathp = NULL;
2184 }
2185 }
2186
2187 /*
2188 * Function to save the path and vnode attr information into the audit
2189 * record.
2190 *
2191 * It is assumed that the caller will hold any vnode locks necessary to
2192 * perform a VNOP_GETATTR() on the passed vnode.
2193 *
2194 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
2195 * always provides access to the generation number as we need that
2196 * to construct the BSM file ID.
2197 * XXX: We should accept the process argument from the caller, since
2198 * it's very likely they already have a reference.
2199 * XXX: Error handling in this function is poor.
2200 */
2201 void
2202 audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
2203 {
2204 struct kaudit_record *ar;
2205 struct vnode_attr va;
2206 int error;
2207 int len;
2208 char **pathp;
2209 struct vnode_au_info *vnp;
2210 struct proc *p;
2211 struct vfs_context context;
2212
2213 if (vp == NULL)
2214 return;
2215
2216 ar = currecord();
2217 if (ar == NULL) /* This will be the case for unaudited system calls */
2218 return;
2219
2220 if ((flags & (ARG_VNODE1 | ARG_VNODE2)) == 0)
2221 return;
2222
2223 p = current_proc();
2224
2225 if (flags & ARG_VNODE1) {
2226 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
2227 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
2228 pathp = &ar->k_ar.ar_arg_kpath1;
2229 vnp = &ar->k_ar.ar_arg_vnode1;
2230 }
2231 else {
2232 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
2233 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
2234 pathp = &ar->k_ar.ar_arg_kpath2;
2235 vnp = &ar->k_ar.ar_arg_vnode2;
2236 }
2237
2238 if (*pathp == NULL) {
2239 *pathp = (char *)kalloc(MAXPATHLEN);
2240 if (*pathp == NULL)
2241 return;
2242 }
2243
2244 /*
2245 * If vn_getpath() succeeds, place it in a string buffer
2246 * attached to the audit record, and set a flag indicating
2247 * it is present.
2248 */
2249 len = MAXPATHLEN;
2250 if (vn_getpath(vp, *pathp, &len) == 0) {
2251 if (flags & ARG_VNODE1)
2252 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
2253 else
2254 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
2255 } else {
2256 kfree(*pathp, MAXPATHLEN);
2257 *pathp = NULL;
2258 }
2259
2260 context.vc_proc = p;
2261 context.vc_ucred = kauth_cred_get();
2262
2263 VATTR_INIT(&va);
2264 VATTR_WANTED(&va, va_mode);
2265 VATTR_WANTED(&va, va_uid);
2266 VATTR_WANTED(&va, va_gid);
2267 VATTR_WANTED(&va, va_rdev);
2268 VATTR_WANTED(&va, va_fsid);
2269 VATTR_WANTED(&va, va_fileid);
2270 VATTR_WANTED(&va, va_gen);
2271 error = vnode_getattr(vp, &va, &context);
2272 if (error) {
2273 /* XXX: How to handle this case? */
2274 return;
2275 }
2276
2277 /* XXX do we want to fall back here when these aren't supported? */
2278 vnp->vn_mode = va.va_mode;
2279 vnp->vn_uid = va.va_uid;
2280 vnp->vn_gid = va.va_gid;
2281 vnp->vn_dev = va.va_rdev;
2282 vnp->vn_fsid = va.va_fsid;
2283 vnp->vn_fileid = (u_long)va.va_fileid;
2284 vnp->vn_gen = va.va_gen;
2285 if (flags & ARG_VNODE1)
2286 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
2287 else
2288 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
2289
2290 }
2291
2292 void
2293 audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags)
2294 {
2295 if (vp == NULL || vnode_getwithref(vp))
2296 return;
2297 audit_arg_vnpath(vp, flags);
2298 (void)vnode_put(vp);
2299 }
2300
2301 void
2302 audit_arg_mach_port1(mach_port_name_t port)
2303 {
2304 struct kaudit_record *ar;
2305
2306 ar = currecord();
2307 if (ar == NULL)
2308 return;
2309
2310 ar->k_ar.ar_arg_mach_port1 = port;
2311 ar->k_ar.ar_valid_arg |= ARG_MACHPORT1;
2312 }
2313
2314 void
2315 audit_arg_mach_port2(mach_port_name_t port)
2316 {
2317 struct kaudit_record *ar;
2318
2319 ar = currecord();
2320 if (ar == NULL)
2321 return;
2322
2323 ar->k_ar.ar_arg_mach_port2 = port;
2324 ar->k_ar.ar_valid_arg |= ARG_MACHPORT2;
2325 }
2326
2327 /*
2328 * The close() system call uses it's own audit call to capture the
2329 * path/vnode information because those pieces are not easily obtained
2330 * within the system call itself.
2331 */
2332 void
2333 audit_sysclose(struct proc *p, int fd)
2334 {
2335 struct fileproc *fp;
2336 struct vnode *vp;
2337
2338 audit_arg_fd(fd);
2339
2340 if (fp_getfvp(p, fd, &fp, &vp) != 0)
2341 return;
2342
2343 audit_arg_vnpath_withref((struct vnode *)fp->f_fglob->fg_data, ARG_VNODE1);
2344 file_drop(fd);
2345 }
2346
2347 #else /* !AUDIT */
2348
2349 void
2350 audit_init(void)
2351 {
2352
2353 }
2354
2355 void
2356 audit_shutdown(void)
2357 {
2358
2359 }
2360
2361 int
2362 audit(struct proc *p, struct audit_args *uap, register_t *retval)
2363 {
2364 return (ENOSYS);
2365 }
2366
2367 int
2368 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
2369 {
2370 return (ENOSYS);
2371 }
2372
2373 int
2374 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
2375 {
2376 return (ENOSYS);
2377 }
2378
2379 int
2380 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
2381 {
2382 return (ENOSYS);
2383 }
2384
2385 int
2386 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
2387 {
2388 return (ENOSYS);
2389 }
2390
2391 int
2392 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
2393 {
2394 return (ENOSYS);
2395 }
2396
2397 int
2398 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
2399 {
2400 return (ENOSYS);
2401 }
2402
2403 int
2404 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
2405 {
2406 return (ENOSYS);
2407 }
2408
2409 int
2410 auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
2411 {
2412 return (ENOSYS);
2413 }
2414
2415 #endif /* AUDIT */
mirror of XNU