X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/378393581903b274cb7a4d18e0d978071a6b592d..4452a7af2eac33dbad800bcc91f2399d62c18f53:/bsd/kern/kern_audit.c
diff --git a/bsd/kern/kern_audit.c b/bsd/kern/kern_audit.c
index 131047494..280dd281d 100644
--- a/bsd/kern/kern_audit.c
+++ b/bsd/kern/kern_audit.c
@@ -1,23 +1,29 @@ /* * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved. * - * @APPLE_LICENSE_HEADER_START@ - * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. - * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. The rights granted to you under the License + * may not be used to create, or enable the creation or redistribution of, + * unlawful or unlicensed copies of an Apple operating system, or to + * circumvent, violate, or enable the circumvention or violation of, any + * terms of an Apple operating system software license agreement. + * + * Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. - * - * @APPLE_LICENSE_HEADER_END@ + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
+ * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ #include #include @@ -431,7 +437,7 @@ audit_worker(void) AUDIT_PRINTF(("audit_worker starting\n")); TAILQ_INIT(&ar_worklist); - audit_cred = NULL; + audit_cred = NOCRED; audit_p = current_proc(); audit_vp = NULL; @@ -460,7 +466,7 @@ audit_worker(void) old_vp = audit_vp; audit_cred = audit_replacement_cred; audit_vp = audit_replacement_vp; - audit_replacement_cred = NULL; + audit_replacement_cred = NOCRED; audit_replacement_vp = NULL; audit_replacement_flag = 0; @@ -479,8 +485,7 @@ audit_worker(void) AUDIT_PRINTF(("Closing old audit file\n")); vn_close(old_vp, audit_close_flags, old_cred, audit_p); - kauth_cred_rele(old_cred); - old_cred = NOCRED; + kauth_cred_unref(&old_cred); old_vp = NULL; AUDIT_PRINTF(("Audit file closed\n")); } @@ -988,8 +993,12 @@ auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t * my_cred = kauth_cred_proc_ref(tp); /* - * set the credential with new info. If there is no change we get back - * the same credential we passed in. + * Set the credential with new info. If there is no + * change, we get back the same credential we passed + * in; if there is a change, we drop the reference on + * the credential we passed in. The subsequent + * compare is safe, because it is a pointer compare + * rather than a contents compare. */ temp_auditinfo = my_cred->cr_au; temp_auditinfo.ai_mask.am_success = 
@@ -1006,16 +1015,15 @@ auditon(struct proc *p, __unused struct auditon_args *uap, __unused register_t * */ if (tp->p_ucred != my_cred) { proc_unlock(tp); - kauth_cred_rele(my_cred); - kauth_cred_rele(my_new_cred); + kauth_cred_unref(&my_new_cred); /* try again */ continue; } tp->p_ucred = my_new_cred; proc_unlock(tp); } - /* drop our extra reference */ - kauth_cred_rele(my_cred); + /* drop old proc reference or our extra reference */ + kauth_cred_unref(&my_cred); break; } break; @@ -1110,8 +1118,11 @@ setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval) my_cred = kauth_cred_proc_ref(p); /* - * set the credential with new info. If there is no change we get back - * the same credential we passed in. + * Set the credential with new info. If there is no change, + * we get back the same credential we passed in; if there is + * a change, we drop the reference on the credential we + * passed in. The subsequent compare is safe, because it is + * a pointer compare rather than a contents compare. */ temp_auditinfo = my_cred->cr_au; temp_auditinfo.ai_auid = temp_au_id; @@ -1125,16 +1136,15 @@ setauid(struct proc *p, struct setauid_args *uap, __unused register_t *retval) */ if (p->p_ucred != my_cred) { proc_unlock(p); - kauth_cred_rele(my_cred); - kauth_cred_rele(my_new_cred); + kauth_cred_unref(&my_new_cred); /* try again */ continue; } p->p_ucred = my_new_cred; proc_unlock(p); } - /* drop our extra reference */ - kauth_cred_rele(my_cred); + /* drop old proc reference or our extra reference */ + kauth_cred_unref(&my_cred); break; } @@ -1181,6 +1191,7 @@ setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval) { int error; struct auditinfo temp_auditinfo; + kauth_cred_t safecred; error = suser(kauth_cred_get(), &p->p_acflag); if (error) 
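Review bot: In auditon's retry branch (`if (tp->p_ucred != my_cred)`), only `my_new_cred` is now released, and nothing at that spot says why `my_cred` is left alone; the only explanation is the block comment added in the preceding hunk. A short comment inside the branch would keep the reference accounting readable, for example `/* our my_cred reference was already dropped when the new credential was created; only my_new_cred is ours to release */`. The same applies to the matching branches in setauid (hunk at -1125) and setaudit (hunk at -1217). Because `my_cred` is used only as an address after that drop, it is also worth confirming that the address cannot be reused for a different credential before the locked compare, since a false match would install a credential derived from stale contents. The enclosing loop starts outside this hunk.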
@@ -1204,8 +1215,11 @@ setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval) my_cred = kauth_cred_proc_ref(p); /* - * set the credential with new info. If there is no change we get back - * the same credential we passed in. + * Set the credential with new info. If there is no change, + * we get back the same credential we passed in; if there is + * a change, we drop the reference on the credential we + * passed in. The subsequent compare is safe, because it is + * a pointer compare rather than a contents compare. */ my_new_cred = kauth_cred_setauditinfo(my_cred, &temp_auditinfo); @@ -1217,23 +1231,24 @@ setaudit(struct proc *p, struct setaudit_args *uap, __unused register_t *retval) */ if (p->p_ucred != my_cred) { proc_unlock(p); - kauth_cred_rele(my_cred); - kauth_cred_rele(my_new_cred); + kauth_cred_unref(&my_new_cred); /* try again */ continue; } p->p_ucred = my_new_cred; proc_unlock(p); } - /* drop our extra reference */ - kauth_cred_rele(my_cred); + /* drop old proc reference or our extra reference */ + kauth_cred_unref(&my_cred); break; } /* propagate the change from the process to Mach task */ set_security_token(p); - audit_arg_auditinfo(&p->p_ucred->cr_au); + safecred = kauth_cred_proc_ref(p); + audit_arg_auditinfo(&safecred->cr_au); + kauth_cred_unref(&safecred); return (0); } @@ -1327,6 +1342,7 @@ audit_new(int event, struct proc *p, __unused struct uthread *uthread) { struct kaudit_record *ar; int no_record; + kauth_cred_t safecred; /* * Eventually, there may be certain classes of events that 
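Review bot: After `set_security_token(p)`, setaudit re-reads the process credential with `kauth_cred_proc_ref(p)` to fill the audit argument, so the record can describe a credential installed by another thread after the update loop finished rather than the values this call set. If the intent is to log what was requested, passing the local copy avoids both that window and the extra reference: `audit_arg_auditinfo(&temp_auditinfo);`. This assumes `temp_auditinfo` still holds the values given to `kauth_cred_setauditinfo`, which the visible lines suggest, but the part of the function between the hunks is not shown. If logging the resulting process state is what is wanted, a one-line comment saying so would prevent a later "simplification" from changing the audit trail.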
@@ -1369,16 +1385,20 @@ audit_new(int event, struct proc *p, __unused struct uthread *uthread) ar->k_ar.ar_event = event; nanotime(&ar->k_ar.ar_starttime); + safecred = kauth_cred_proc_ref(p); /* Export the subject credential. */ - cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred); - ar->k_ar.ar_subj_ruid = p->p_ucred->cr_ruid; - ar->k_ar.ar_subj_rgid = p->p_ucred->cr_rgid; - ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0]; - ar->k_ar.ar_subj_auid = p->p_ucred->cr_au.ai_auid; - ar->k_ar.ar_subj_asid = p->p_ucred->cr_au.ai_asid; + cru2x(safecred, &ar->k_ar.ar_subj_cred); + + ar->k_ar.ar_subj_ruid = safecred->cr_ruid; + ar->k_ar.ar_subj_rgid = safecred->cr_rgid; + ar->k_ar.ar_subj_egid = safecred->cr_groups[0]; + ar->k_ar.ar_subj_auid = safecred->cr_au.ai_auid; + ar->k_ar.ar_subj_asid = safecred->cr_au.ai_asid; + ar->k_ar.ar_subj_amask = safecred->cr_au.ai_mask; + ar->k_ar.ar_subj_term = safecred->cr_au.ai_termid; + kauth_cred_unref(&safecred); + ar->k_ar.ar_subj_pid = p->p_pid; - ar->k_ar.ar_subj_amask = p->p_ucred->cr_au.ai_mask; - ar->k_ar.ar_subj_term = p->p_ucred->cr_au.ai_termid; bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN); return (ar);
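Review bot: The new `safecred` reference in audit_new has no comment saying why the subject fields are no longer read through `p->p_ucred`, and the existing "Export the subject credential." comment now sits below the line that takes the reference. I would put a comment above `safecred = kauth_cred_proc_ref(p);` such as `/* Hold a reference so every subject field below comes from the same credential, even if p->p_ucred is replaced meanwhile. */`. `ar_subj_pid` and `ar_subj_comm` are still read from `p` directly, outside that snapshot; that is presumably fine for the pid, but a brief remark on `p_comm` would make the boundary of the snapshot explicit. audit_new begins outside this hunk.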