1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 /*
28 * This file contains the audit hook support code for auditing.
29 */
30
31 #include <sys/types.h>
32 #include <sys/proc.h>
33 #include <sys/vnode.h>
34 #include <sys/vfs.h>
35 #include <sys/file.h>
36 #include <sys/user.h>
37 #include <sys/stropts.h>
38 #include <sys/systm.h>
39 #include <sys/pathname.h>
40 #include <sys/syscall.h>
41 #include <sys/fcntl.h>
42 #include <sys/ipc_impl.h>
43 #include <sys/msg_impl.h>
44 #include <sys/sem_impl.h>
45 #include <sys/shm_impl.h>
46 #include <sys/kmem.h> /* for KM_SLEEP */
47 #include <sys/socket.h>
48 #include <sys/cmn_err.h> /* snprintf... */
49 #include <sys/debug.h>
50 #include <sys/thread.h>
51 #include <netinet/in.h>
52 #include <c2/audit.h> /* needs to be included before user.h */
53 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
54 #include <c2/audit_kevents.h>
55 #include <c2/audit_record.h>
56 #include <sys/strsubr.h>
57 #include <sys/tihdr.h>
58 #include <sys/tiuser.h>
59 #include <sys/timod.h>
60 #include <sys/model.h> /* for model_t */
61 #include <sys/disp.h> /* for servicing_interrupt() */
62 #include <sys/devpolicy.h>
63 #include <sys/crypto/ioctladmin.h>
64 #include <sys/cred_impl.h>
65 #include <sys/sid.h>
66 #include <inet/kssl/kssl.h>
67 #include <net/pfpolicy.h>
68
69 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
70
71 static void audit_pathbuild(struct pathname *pnp);
72
73
74 /*
75 * ROUTINE: AUDIT_SAVEPATH
76 * PURPOSE:
77 * CALLBY: LOOKUPPN
78 *
79 * NOTE: We have reached the end of a path in fs/lookup.c.
80 * We get two pieces of information here:
81 * the vnode of the last component (vp) and
82 * the status of the last access (flag).
83 * TODO:
84 * QUESTION:
85 */
86
87 /*ARGSUSED*/
88 int
89 audit_savepath(
90 struct pathname *pnp, /* pathname to lookup */
91 struct vnode *vp, /* vnode of the last component */
92 struct vnode *pvp, /* vnode of the last parent component */
93 int flag, /* status of the last access */
94 cred_t *cr) /* cred of requestor */
95 {
96
97 t_audit_data_t *tad; /* current thread */
98 au_kcontext_t *kctx = GET_KCTX_PZ;
99
100 tad = U2A(u);
101
102 /*
103 * Noise elimination in audit trails - this event will be discarded if:
104 * - the public policy is not active AND
105 * - the system call is a public operation AND
106 * - the file was not found: VFS lookup failed with ENOENT error AND
107 * - the missing file would have been located in the public directory
108 * owned by root if it had existed
109 */
110 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
111 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
112 !(kctx->auk_policy & AUDIT_PUBLIC)) {
113 struct vattr attr;
114
115 attr.va_mask = AT_ALL;
116 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
117 if (object_is_public(&attr)) {
118 tad->tad_ctrl |= TAD_NOAUDIT;
119 }
120 }
121 }
122
123 /*
124 * this event being audited or do we need path information
125 * later? This might be for a chdir/chroot or open (add path
126 * to file pointer. If the path has already been found for an
127 * open/creat then we don't need to process the path.
128 *
129 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
130 * chroot, chdir, open, creat system call processing. It determines
131 * if audit_savepath() will discard the path or we need it later.
132 * TAD_PATHFND means path already included in this audit record. It
133 * is used in cases where multiple path lookups are done per
134 * system call. The policy flag, AUDIT_PATH, controls if multiple
135 * paths are allowed.
136 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
137 * exit processing to inhibit any paths that may be added due to
138 * closes.
139 */
140 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
141 ((tad->tad_ctrl & TAD_PATHFND) &&
142 !(kctx->auk_policy & AUDIT_PATH)) ||
143 (tad->tad_ctrl & TAD_NOPATH)) {
144 return (0);
145 }
146
147 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
148
149 audit_pathbuild(pnp);
150
151 /*
152 * are we auditing only if error, or if it is not open or create
153 * otherwise audit_setf will do it
154 */
155
156 if (tad->tad_flag) {
157 if (flag &&
158 (tad->tad_scid == SYS_open ||
159 tad->tad_scid == SYS_open64 ||
160 tad->tad_scid == SYS_openat ||
161 tad->tad_scid == SYS_openat64)) {
162 tad->tad_ctrl |= TAD_TRUE_CREATE;
163 }
164
165 /* add token to audit record for this name */
166 au_uwrite(au_to_path(tad->tad_aupath));
167
168 /* add the attributes of the object */
169 if (vp) {
170 /*
171 * only capture attributes when there is no error
172 * lookup will not return the vnode of the failing
173 * component.
174 *
175 * if there was a lookup error, then don't add
176 * attribute. if lookup in vn_create(),
177 * then don't add attribute,
178 * it will be added at end of vn_create().
179 */
180 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
181 audit_attributes(vp);
182 }
183 }
184
185 /* free up space if we're not going to save path (open, creat) */
186 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
187 if (tad->tad_aupath != NULL) {
188 au_pathrele(tad->tad_aupath);
189 tad->tad_aupath = NULL;
190 }
191 }
192 if (tad->tad_ctrl & TAD_MLD)
193 tad->tad_ctrl |= TAD_PATHFND;
194
195 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
196 return (0);
197 }
198
199 static void
200 audit_pathbuild(struct pathname *pnp)
201 {
202 char *pp; /* pointer to path */
203 int len; /* length of incoming segment */
204 int newsect; /* path requires a new section */
205 struct audit_path *pfxapp; /* prefix for path */
206 struct audit_path *newapp; /* new audit_path */
207 t_audit_data_t *tad; /* current thread */
208 p_audit_data_t *pad; /* current process */
209
210 tad = U2A(u);
211 ASSERT(tad != NULL);
212 pad = P2A(curproc);
213 ASSERT(pad != NULL);
214
215 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
216 ASSERT(len > 0);
217
218 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
219 mutex_enter(&pad->pad_lock);
220 if (tad->tad_aupath != NULL) {
221 pfxapp = tad->tad_aupath;
222 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
223 ASSERT(tad->tad_atpath != NULL);
224 pfxapp = tad->tad_atpath;
225 } else if (tad->tad_ctrl & TAD_ABSPATH) {
226 pfxapp = pad->pad_root;
227 } else {
228 pfxapp = pad->pad_cwd;
229 }
230 au_pathhold(pfxapp);
231 mutex_exit(&pad->pad_lock);
232
233 /* get an expanded buffer to hold the anchored path */
234 newsect = tad->tad_ctrl & TAD_ATTPATH;
235 newapp = au_pathdup(pfxapp, newsect, len);
236 au_pathrele(pfxapp);
237
238 pp = newapp->audp_sect[newapp->audp_cnt] - len;
239 if (!newsect) {
240 /* overlay previous NUL terminator */
241 *(pp - 1) = '/';
242 }
243
244 /* now add string of processed path */
245 bcopy(pnp->pn_buf, pp, len);
246 pp[len - 1] = '\0';
247
248 /* perform path simplification as necessary */
249 audit_fixpath(newapp, len);
250
251 if (tad->tad_aupath)
252 au_pathrele(tad->tad_aupath);
253 tad->tad_aupath = newapp;
254
255 /* for case where multiple lookups in one syscall (rename) */
256 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
257 }
258
259
260 /*
261 * ROUTINE: AUDIT_ANCHORPATH
262 * PURPOSE:
263 * CALLBY: LOOKUPPN
264 * NOTE:
265 * anchor path at "/". We have seen a symbolic link or entering for the
266 * first time we will throw away any saved path if path is anchored.
267 *
268 * flag = 0, path is relative.
269 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
270 *
271 * If the (new) path is absolute, then we have to throw away whatever we have
272 * already accumulated since it is being superseded by new path which is
273 * anchored at the root.
274 * Note that if the path is relative, this function does nothing
275 * TODO:
276 * QUESTION:
277 */
278 /*ARGSUSED*/
279 void
280 audit_anchorpath(struct pathname *pnp, int flag)
281 {
282 au_kcontext_t *kctx = GET_KCTX_PZ;
283 t_audit_data_t *tad;
284
285 tad = U2A(u);
286
287 /*
288 * this event being audited or do we need path information
289 * later? This might be for a chdir/chroot or open (add path
290 * to file pointer. If the path has already been found for an
291 * open/creat then we don't need to process the path.
292 *
293 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
294 * chroot, chdir, open, creat system call processing. It determines
295 * if audit_savepath() will discard the path or we need it later.
296 * TAD_PATHFND means path already included in this audit record. It
297 * is used in cases where multiple path lookups are done per
298 * system call. The policy flag, AUDIT_PATH, controls if multiple
299 * paths are allowed.
300 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
301 * exit processing to inhibit any paths that may be added due to
302 * closes.
303 */
304 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
305 ((tad->tad_ctrl & TAD_PATHFND) &&
306 !(kctx->auk_policy & AUDIT_PATH)) ||
307 (tad->tad_ctrl & TAD_NOPATH)) {
308 return;
309 }
310
311 if (flag) {
312 tad->tad_ctrl |= TAD_ABSPATH;
313 if (tad->tad_aupath != NULL) {
314 au_pathrele(tad->tad_aupath);
315 tad->tad_aupath = NULL;
316 }
317 }
318 }
319
320
321 /*
322 * symbolic link. Save previous components.
323 *
324 * the path seen so far looks like this
325 *
326 * +-----------------------+----------------+
327 * | path processed so far | remaining path |
328 * +-----------------------+----------------+
329 * \-----------------------/
330 * save this string if
331 * symbolic link relative
332 * (but don't include symlink component)
333 */
334
335 /*ARGSUSED*/
336
337
338 /*
339 * ROUTINE: AUDIT_SYMLINK
340 * PURPOSE:
341 * CALLBY: LOOKUPPN
342 * NOTE:
343 * TODO:
344 * QUESTION:
345 */
346 void
347 audit_symlink(struct pathname *pnp, struct pathname *sympath)
348 {
349 char *sp; /* saved initial pp */
350 char *cp; /* start of symlink path */
351 uint_t len_path; /* processed path before symlink */
352 t_audit_data_t *tad;
353 au_kcontext_t *kctx = GET_KCTX_PZ;
354
355 tad = U2A(u);
356
357 /*
358 * this event being audited or do we need path information
359 * later? This might be for a chdir/chroot or open (add path
360 * to file pointer. If the path has already been found for an
361 * open/creat then we don't need to process the path.
362 *
363 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
364 * chroot, chdir, open, creat system call processing. It determines
365 * if audit_savepath() will discard the path or we need it later.
366 * TAD_PATHFND means path already included in this audit record. It
367 * is used in cases where multiple path lookups are done per
368 * system call. The policy flag, AUDIT_PATH, controls if multiple
369 * paths are allowed.
370 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
371 * exit processing to inhibit any paths that may be added due to
372 * closes.
373 */
374 if ((tad->tad_flag == 0 &&
375 !(tad->tad_ctrl & TAD_SAVPATH)) ||
376 ((tad->tad_ctrl & TAD_PATHFND) &&
377 !(kctx->auk_policy & AUDIT_PATH)) ||
378 (tad->tad_ctrl & TAD_NOPATH)) {
379 return;
380 }
381
382 /*
383 * if symbolic link is anchored at / then do nothing.
384 * When we cycle back to begin: in lookuppn() we will
385 * call audit_anchorpath() with a flag indicating if the
386 * path is anchored at / or is relative. We will release
387 * any saved path at that point.
388 *
389 * Note In the event that an error occurs in pn_combine then
390 * we want to remain pointing at the component that caused the
391 * path to overflow the pnp structure.
392 */
393 if (sympath->pn_buf[0] == '/')
394 return;
395
396 /* backup over last component */
397 sp = cp = pnp->pn_path;
398 while (*--cp != '/' && cp > pnp->pn_buf)
399 ;
400
401 len_path = cp - pnp->pn_buf;
402
403 /* is there anything to save? */
404 if (len_path) {
405 pnp->pn_path = pnp->pn_buf;
406 audit_pathbuild(pnp);
407 pnp->pn_path = sp;
408 }
409 }
410
411 /*
412 * object_is_public : determine whether events for the object (corresponding to
413 * the specified file/directory attr) should be audited or
414 * ignored.
415 *
416 * returns: 1 - if audit policy and object attributes indicate that
417 * file/directory is effectively public. read events for
418 * the file should not be audited.
419 * 0 - otherwise
420 *
421 * The required attributes to be considered a public object are:
422 * - owned by root, AND
423 * - world-readable (permissions for other include read), AND
424 * - NOT world-writeable (permissions for other don't
425 * include write)
426 * (mode doesn't need to be checked for symlinks)
427 */
428 int
429 object_is_public(struct vattr *attr)
430 {
431 au_kcontext_t *kctx = GET_KCTX_PZ;
432
433 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
434 ((attr->va_type == VLNK) ||
435 ((attr->va_mode & (VREAD>>6)) != 0) &&
436 ((attr->va_mode & (VWRITE>>6)) == 0))) {
437 return (1);
438 }
439 return (0);
440 }
441
442
443 /*
444 * ROUTINE: AUDIT_ATTRIBUTES
445 * PURPOSE: Audit the attributes so we can tell why the error occurred
446 * CALLBY: AUDIT_SAVEPATH
447 * AUDIT_VNCREATE_FINISH
448 * AUS_FCHOWN...audit_event.c...audit_path.c
449 * NOTE:
450 * TODO:
451 * QUESTION:
452 */
453 void
454 audit_attributes(struct vnode *vp)
455 {
456 struct vattr attr;
457 struct t_audit_data *tad;
458
459 tad = U2A(u);
460
461 if (vp) {
462 attr.va_mask = AT_ALL;
463 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
464 return;
465
466 if (object_is_public(&attr) &&
467 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
468 /*
469 * This is a public object and a "public" event
470 * (i.e., read only) -- either by definition
471 * (e.g., stat, access...) or by virtue of write access
472 * not being requested (e.g. mmap).
473 * Flag it in the tad to prevent this audit at the end.
474 */
475 tad->tad_ctrl |= TAD_NOAUDIT;
476 } else {
477 au_uwrite(au_to_attr(&attr));
478 audit_sec_attributes(&(u_ad), vp);
479 }
480 }
481 }
482
483
484 /*
485 * ROUTINE: AUDIT_EXIT
486 * PURPOSE:
487 * CALLBY: EXIT
488 * NOTE:
489 * TODO:
490 * QUESTION: why cmw code as offset by 2 but not here
491 */
492 /* ARGSUSED */
493 void
494 audit_exit(int code, int what)
495 {
496 struct t_audit_data *tad;
497 tad = U2A(u);
498
499 /*
500 * tad_scid will be set by audit_start even if we are not auditing
501 * the event.
502 */
503 if (tad->tad_scid == SYS_exit) {
504 /*
505 * if we are auditing the exit system call, then complete
506 * audit record generation (no return from system call).
507 */
508 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
509 audit_finish(0, SYS_exit, 0, 0);
510 return;
511 }
512
513 /*
514 * Anyone auditing the system call that was aborted?
515 */
516 if (tad->tad_flag) {
517 au_uwrite(au_to_text("event aborted"));
518 audit_finish(0, tad->tad_scid, 0, 0);
519 }
520
521 /*
522 * Generate an audit record for process exit if preselected.
523 */
524 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
525 audit_finish(0, SYS_exit, 0, 0);
526 }
527
528 /*
529 * ROUTINE: AUDIT_CORE_START
530 * PURPOSE:
531 * CALLBY: PSIG
532 * NOTE:
533 * TODO:
534 */
535 void
536 audit_core_start(int sig)
537 {
538 au_event_t event;
539 au_state_t estate;
540 t_audit_data_t *tad;
541 au_kcontext_t *kctx;
542
543 tad = U2A(u);
544
545 ASSERT(tad != (t_audit_data_t *)0);
546
547 ASSERT(tad->tad_scid == 0);
548 ASSERT(tad->tad_event == 0);
549 ASSERT(tad->tad_evmod == 0);
550 ASSERT(tad->tad_ctrl == 0);
551 ASSERT(tad->tad_flag == 0);
552 ASSERT(tad->tad_aupath == NULL);
553
554 kctx = GET_KCTX_PZ;
555
556 /* get basic event for system call */
557 event = AUE_CORE;
558 estate = kctx->auk_ets[event];
559
560 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
561 return;
562
563 /* reset the flags for non-user attributable events */
564 tad->tad_ctrl = TAD_CORE;
565 tad->tad_scid = 0;
566
567 /* if auditing not enabled, then don't generate an audit record */
568
569 if (!((kctx->auk_auditstate == AUC_AUDITING ||
570 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
571 kctx->auk_auditstate == AUC_NOSPACE)) {
572 tad->tad_flag = 0;
573 tad->tad_ctrl = 0;
574 return;
575 }
576
577 tad->tad_event = event;
578 tad->tad_evmod = 0;
579
580 ASSERT(tad->tad_ad == NULL);
581
582 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
583 }
584
585 /*
586 * ROUTINE: AUDIT_CORE_FINISH
587 * PURPOSE:
588 * CALLBY: PSIG
589 * NOTE:
590 * TODO:
591 * QUESTION:
592 */
593
594 /*ARGSUSED*/
595 void
596 audit_core_finish(int code)
597 {
598 int flag;
599 t_audit_data_t *tad;
600 au_kcontext_t *kctx;
601
602 tad = U2A(u);
603
604 ASSERT(tad != (t_audit_data_t *)0);
605
606 if ((flag = tad->tad_flag) == 0) {
607 tad->tad_event = 0;
608 tad->tad_evmod = 0;
609 tad->tad_ctrl = 0;
610 ASSERT(tad->tad_aupath == NULL);
611 return;
612 }
613 tad->tad_flag = 0;
614
615 kctx = GET_KCTX_PZ;
616
617 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
618 if (flag = audit_success(kctx, tad, 0, NULL)) {
619 cred_t *cr = CRED();
620 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
621
622 ASSERT(ainfo != NULL);
623
624 /*
625 * Add subject information (no locks since our private copy of
626 * credential
627 */
628 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
629
630 /* Add a return token (should use f argument) */
631 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
632
633 AS_INC(as_generated, 1, kctx);
634 AS_INC(as_kernel, 1, kctx);
635 }
636
637 /* Close up everything */
638 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
639
640 /* free up any space remaining with the path's */
641 if (tad->tad_aupath != NULL) {
642 au_pathrele(tad->tad_aupath);
643 tad->tad_aupath = NULL;
644 }
645 tad->tad_event = 0;
646 tad->tad_evmod = 0;
647 tad->tad_ctrl = 0;
648 }
649
650
651 /*ARGSUSED*/
652 void
653 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
654 unsigned char *pri, int *flag, int fmode)
655 {
656 struct stdata *stp;
657 t_audit_data_t *tad = U2A(u);
658
659 ASSERT(tad != (t_audit_data_t *)0);
660
661 stp = vp->v_stream;
662
663 /* lock stdata from audit_sock */
664 mutex_enter(&stp->sd_lock);
665
666 /* proceed ONLY if user is being audited */
667 if (!tad->tad_flag) {
668 /*
669 * this is so we will not add audit data onto
670 * a thread that is not being audited.
671 */
672 stp->sd_t_audit_data = NULL;
673 mutex_exit(&stp->sd_lock);
674 return;
675 }
676
677 stp->sd_t_audit_data = (caddr_t)curthread;
678 mutex_exit(&stp->sd_lock);
679 }
680
681 /*ARGSUSED*/
682 void
683 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
684 unsigned char pri, int flag, int fmode)
685 {
686 struct stdata *stp;
687 t_audit_data_t *tad = U2A(u);
688
689 ASSERT(tad != (t_audit_data_t *)0);
690
691 stp = vp->v_stream;
692
693 /* lock stdata from audit_sock */
694 mutex_enter(&stp->sd_lock);
695
696 /* proceed ONLY if user is being audited */
697 if (!tad->tad_flag) {
698 /*
699 * this is so we will not add audit data onto
700 * a thread that is not being audited.
701 */
702 stp->sd_t_audit_data = NULL;
703 mutex_exit(&stp->sd_lock);
704 return;
705 }
706
707 stp->sd_t_audit_data = (caddr_t)curthread;
708 mutex_exit(&stp->sd_lock);
709 }
710
711 /*
712 * ROUTINE: AUDIT_SACL
713 * PURPOSE: audit ACL-based file accesses
714 * CALLBY: SMB, NFS
715 * NOTE:
716 *
717 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
718 * on the audit queue if it becomes full.
719 * TODO:
720 * QUESTION:
721 */
722 void
723 audit_sacl(char *path, cred_t *cr, uint32_t desired, boolean_t success,
724 t_audit_sacl_t *tas)
725 {
726 token_t *ad = NULL;
727 au_kcontext_t *kctx = GET_KCTX_PZ;
728 const auditinfo_addr_t *ainfo;
729 ksid_t *ks;
730
731 /* if auditing not enabled, then don't generate an audit record */
732 if (((kctx->auk_auditstate) &
733 ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) != 0)
734 return;
735
736 if ((success && (tas->tas_smask & desired) == 0) ||
737 (!success && (tas->tas_fmask & desired) == 0))
738 return;
739
740 ainfo = crgetauinfo(cr);
741 if (ainfo == NULL)
742 return;
743
744 au_write((caddr_t *)&(ad), au_to_path_string(path));
745 au_write((caddr_t *)&(ad), au_to_access_mask(desired));
746
747 /* Include the SID if it has one, in case the id is ephemeral */
748 if ((ks = crgetsid(cr, KSID_USER)) != NULL) {
749 au_write((caddr_t *)&(ad), au_to_wsid(ks));
750 }
751 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
752 au_close(kctx, (caddr_t *)&(ad), AU_OK, AUE_SACL,
753 success ? 0 : PAD_FAILURE, NULL);
754 }
755
756 /*
757 * ROUTINE: AUDIT_CLOSEF
758 * PURPOSE:
759 * CALLBY: CLOSEF
760 * NOTE:
761 * release per file audit resources when file structure is being released.
762 *
763 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
764 * on the audit queue if it becomes full. This means
765 * audit_closef can not be called when f_count == 0. Since
766 * f_count == 0 indicates the file structure is free, another
767 * process could attempt to use the file while we were still
768 * asleep waiting on the audit queue. This would cause the
769 * per file audit data to be corrupted when we finally do
770 * wakeup.
771 * TODO:
772 * QUESTION:
773 */
774
775 void
776 audit_closef(struct file *fp)
777 {
778 f_audit_data_t *fad;
779 t_audit_data_t *tad;
780 int success;
781 au_state_t estate;
782 struct vnode *vp;
783 token_t *ad = NULL;
784 struct vattr attr;
785 au_emod_t evmod = 0;
786 const auditinfo_addr_t *ainfo;
787 cred_t *cr;
788 au_kcontext_t *kctx = GET_KCTX_PZ;
789 uint32_t auditing;
790 boolean_t audit_attr = B_FALSE;
791
792 fad = F2A(fp);
793 estate = kctx->auk_ets[AUE_CLOSE];
794 tad = U2A(u);
795 cr = CRED();
796
797 /* audit record already generated by system call envelope */
798 if (tad->tad_event == AUE_CLOSE) {
799 /* so close audit event will have bits set */
800 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
801 return;
802 }
803
804 /* if auditing not enabled, then don't generate an audit record */
805 auditing = (tad->tad_audit == AUC_UNSET) ?
806 kctx->auk_auditstate : tad->tad_audit;
807 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
808 return;
809
810 ainfo = crgetauinfo(cr);
811 if (ainfo == NULL)
812 return;
813
814 success = ainfo->ai_mask.as_success & estate;
815
816 /* not selected for this event */
817 if (success == 0)
818 return;
819
820 /*
821 * can't use audit_attributes here since we use a private audit area
822 * to build the audit record instead of the one off the thread.
823 */
824 if ((vp = fp->f_vnode) != NULL) {
825 attr.va_mask = AT_ALL;
826 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
827 if ((fp->f_flag & FWRITE) == 0 &&
828 object_is_public(&attr)) {
829 /*
830 * When write was not used and the file can be
831 * considered public, then skip the audit.
832 */
833 return;
834 }
835 audit_attr = B_TRUE;
836 }
837 }
838
839 evmod = (au_emod_t)fad->fad_flags;
840 if (fad->fad_aupath != NULL) {
841 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
842 } else {
843 #ifdef _LP64
844 au_write((caddr_t *)&(ad), au_to_arg64(
845 1, "no path: fp", (uint64_t)fp));
846 #else
847 au_write((caddr_t *)&(ad), au_to_arg32(
848 1, "no path: fp", (uint32_t)fp));
849 #endif
850 }
851
852 if (audit_attr) {
853 au_write((caddr_t *)&(ad), au_to_attr(&attr));
854 audit_sec_attributes((caddr_t *)&(ad), vp);
855 }
856
857 /* Add subject information */
858 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
859
860 /* add a return token */
861 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
862
863 AS_INC(as_generated, 1, kctx);
864 AS_INC(as_kernel, 1, kctx);
865
866 /*
867 * Close up everything
868 * Note: path space recovery handled by normal system
869 * call envelope if not at last close.
870 * Note there is no failure at this point since
871 * this represents closes due to exit of process,
872 * thus we always indicate successful closes.
873 */
874 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
875 AUE_CLOSE, evmod, NULL);
876 }
877
878 /*
879 * ROUTINE: AUDIT_SET
880 * PURPOSE: Audit the file path and file attributes.
881 * CALLBY: SETF
882 * NOTE: SETF associate a file pointer with user area's open files.
883 * TODO:
884 * call audit_finish directly ???
885 * QUESTION:
886 */
887
888 /*ARGSUSED*/
889 void
890 audit_setf(file_t *fp, int fd)
891 {
892 f_audit_data_t *fad;
893 t_audit_data_t *tad;
894
895 if (fp == NULL)
896 return;
897
898 tad = T2A(curthread);
899 fad = F2A(fp);
900
901 if (!(tad->tad_scid == SYS_open ||
902 tad->tad_scid == SYS_open64 ||
903 tad->tad_scid == SYS_openat ||
904 tad->tad_scid == SYS_openat64))
905 return;
906
907 /* no path */
908 if (tad->tad_aupath == 0)
909 return;
910
911 /*
912 * assign path information associated with file audit data
913 * use tad hold
914 */
915 fad->fad_aupath = tad->tad_aupath;
916 tad->tad_aupath = NULL;
917
918 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
919 /* adjust event type by dropping the 'creat' part */
920 switch (tad->tad_event) {
921 case AUE_OPEN_RC:
922 tad->tad_event = AUE_OPEN_R;
923 tad->tad_ctrl |= TAD_PUBLIC_EV;
924 break;
925 case AUE_OPEN_RTC:
926 tad->tad_event = AUE_OPEN_RT;
927 break;
928 case AUE_OPEN_WC:
929 tad->tad_event = AUE_OPEN_W;
930 break;
931 case AUE_OPEN_WTC:
932 tad->tad_event = AUE_OPEN_WT;
933 break;
934 case AUE_OPEN_RWC:
935 tad->tad_event = AUE_OPEN_RW;
936 break;
937 case AUE_OPEN_RWTC:
938 tad->tad_event = AUE_OPEN_RWT;
939 break;
940 default:
941 break;
942 }
943 }
944 }
945
946
947 void
948 audit_ipc(int type, int id, void *vp)
949 {
950 /* if not auditing this event, then do nothing */
951 if (ad_flag == 0)
952 return;
953
954 switch (type) {
955 case AT_IPC_MSG:
956 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
957 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
958 break;
959 case AT_IPC_SEM:
960 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
961 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
962 break;
963 case AT_IPC_SHM:
964 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
965 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
966 break;
967 }
968 }
969
970 void
971 audit_ipcget(int type, void *vp)
972 {
973 /* if not auditing this event, then do nothing */
974 if (ad_flag == 0)
975 return;
976
977 switch (type) {
978 case NULL:
979 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
980 break;
981 case AT_IPC_MSG:
982 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
983 break;
984 case AT_IPC_SEM:
985 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
986 break;
987 case AT_IPC_SHM:
988 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
989 break;
990 }
991 }
992
993 /*
994 * ROUTINE: AUDIT_REBOOT
995 * PURPOSE:
996 * CALLBY:
997 * NOTE:
998 * At this point we know that the system call reboot will not return. We thus
999 * have to complete the audit record generation and put it onto the queue.
1000 * This might be fairly useless if the auditing daemon is already dead....
1001 * TODO:
1002 * QUESTION: who calls audit_reboot
1003 */
1004
1005 void
1006 audit_reboot(void)
1007 {
1008 int flag;
1009 t_audit_data_t *tad;
1010 au_kcontext_t *kctx = GET_KCTX_PZ;
1011
1012 tad = U2A(u);
1013
1014 /* if not auditing this event, then do nothing */
1015 if (tad->tad_flag == 0)
1016 return;
1017
1018 /* do preselection on success/failure */
1019 if (flag = audit_success(kctx, tad, 0, NULL)) {
1020 /* add a process token */
1021
1022 cred_t *cr = CRED();
1023 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1024
1025 if (ainfo == NULL)
1026 return;
1027
1028 /* Add subject information */
1029 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1030
1031 /* add a return token */
1032 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1033
1034 AS_INC(as_generated, 1, kctx);
1035 AS_INC(as_kernel, 1, kctx);
1036 }
1037
1038 /*
1039 * Flow control useless here since we're going
1040 * to drop everything in the queue anyway. Why
1041 * block and wait. There aint anyone left alive to
1042 * read the records remaining anyway.
1043 */
1044
1045 /* Close up everything */
1046 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1047 tad->tad_event, tad->tad_evmod, NULL);
1048 }
1049
1050 void
1051 audit_setfsat_path(int argnum)
1052 {
1053 klwp_id_t clwp = ttolwp(curthread);
1054 struct file *fp;
1055 uint32_t fd;
1056 t_audit_data_t *tad;
1057 struct f_audit_data *fad;
1058 p_audit_data_t *pad; /* current process */
1059 uint_t fm;
1060 struct a {
1061 long arg1;
1062 long arg2;
1063 long arg3;
1064 long arg4;
1065 long arg5;
1066 } *uap;
1067
1068 if (clwp == NULL)
1069 return;
1070 uap = (struct a *)clwp->lwp_ap;
1071
1072 tad = U2A(u);
1073 ASSERT(tad != NULL);
1074
1075 switch (tad->tad_scid) {
1076 case SYS_faccessat:
1077 case SYS_fchmodat:
1078 case SYS_fchownat:
1079 case SYS_fstatat:
1080 case SYS_fstatat64:
1081 case SYS_mkdirat:
1082 case SYS_mknodat:
1083 case SYS_openat:
1084 case SYS_openat64:
1085 case SYS_readlinkat:
1086 case SYS_unlinkat:
1087 fd = uap->arg1;
1088 break;
1089 case SYS_linkat:
1090 case SYS_renameat:
1091 if (argnum == 3)
1092 fd = uap->arg3;
1093 else
1094 fd = uap->arg1;
1095 break;
1096 case SYS_symlinkat:
1097 case SYS_utimesys:
1098 fd = uap->arg2;
1099 break;
1100 case SYS_open:
1101 case SYS_open64:
1102 fd = AT_FDCWD;
1103 break;
1104 default:
1105 return;
1106 }
1107
1108 if (tad->tad_atpath != NULL) {
1109 au_pathrele(tad->tad_atpath);
1110 tad->tad_atpath = NULL;
1111 }
1112
1113 if (fd != AT_FDCWD) {
1114 tad->tad_ctrl |= TAD_ATCALL;
1115
1116 if (tad->tad_scid == SYS_openat ||
1117 tad->tad_scid == SYS_openat64) {
1118 fm = (uint_t)uap->arg3;
1119 if (fm & (FXATTR | FXATTRDIROPEN)) {
1120 tad->tad_ctrl |= TAD_ATTPATH;
1121 }
1122 }
1123
1124 if ((fp = getf(fd)) == NULL) {
1125 tad->tad_ctrl |= TAD_NOPATH;
1126 return;
1127 }
1128 fad = F2A(fp);
1129 ASSERT(fad);
1130 if (fad->fad_aupath == NULL) {
1131 tad->tad_ctrl |= TAD_NOPATH;
1132 releasef(fd);
1133 return;
1134 }
1135 au_pathhold(fad->fad_aupath);
1136 tad->tad_atpath = fad->fad_aupath;
1137 releasef(fd);
1138 } else {
1139 if (tad->tad_scid == SYS_open ||
1140 tad->tad_scid == SYS_open64) {
1141 fm = (uint_t)uap->arg2;
1142 if (fm & FXATTR) {
1143 tad->tad_ctrl |= TAD_ATTPATH;
1144 }
1145 return;
1146 }
1147 pad = P2A(curproc);
1148 mutex_enter(&pad->pad_lock);
1149 au_pathhold(pad->pad_cwd);
1150 tad->tad_atpath = pad->pad_cwd;
1151 mutex_exit(&pad->pad_lock);
1152 }
1153 }
1154
1155 void
1156 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1157 {
1158 t_audit_data_t *tad;
1159 vnode_t *vp;
1160
1161 tad = U2A(u);
1162
1163 /* if not auditing this event, then do nothing */
1164 if (tad->tad_flag == 0)
1165 return;
1166
1167 au_uwrite(au_to_text(target));
1168
1169 if (error)
1170 return;
1171
1172 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1173 NULL, NULL, NULL);
1174 if (error == 0) {
1175 audit_attributes(vp);
1176 VN_RELE(vp);
1177 }
1178 }
1179
1180 /*
1181 * ROUTINE: AUDIT_VNCREATE_START
1182 * PURPOSE: set flag so path name lookup in create will not add attribute
1183 * CALLBY: VN_CREATE
1184 * NOTE:
1185 * TODO:
1186 * QUESTION:
1187 */
1188
1189 void
1190 audit_vncreate_start()
1191 {
1192 t_audit_data_t *tad;
1193
1194 tad = U2A(u);
1195 tad->tad_ctrl |= TAD_NOATTRB;
1196 }
1197
1198 /*
1199 * ROUTINE: AUDIT_VNCREATE_FINISH
1200 * PURPOSE:
1201 * CALLBY: VN_CREATE
1202 * NOTE:
1203 * TODO:
1204 * QUESTION:
1205 */
1206 void
1207 audit_vncreate_finish(struct vnode *vp, int error)
1208 {
1209 t_audit_data_t *tad;
1210
1211 if (error)
1212 return;
1213
1214 tad = U2A(u);
1215
1216 /* if not auditing this event, then do nothing */
1217 if (tad->tad_flag == 0)
1218 return;
1219
1220 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1221 audit_attributes(vp);
1222 }
1223
1224 if (tad->tad_ctrl & TAD_CORE) {
1225 audit_attributes(vp);
1226 tad->tad_ctrl &= ~TAD_CORE;
1227 }
1228
1229 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1230 (tad->tad_event == AUE_MKDIR))) {
1231 audit_attributes(vp);
1232 }
1233
1234 /* for case where multiple lookups in one syscall (rename) */
1235 tad->tad_ctrl &= ~TAD_NOATTRB;
1236 }
1237
1238
1239
1240
1241
1242
1243
1244
1245 /*
1246 * ROUTINE: AUDIT_EXEC
1247 * PURPOSE: Records the function arguments and environment variables
1248 * CALLBY: EXEC_ARGS
1249 * NOTE:
1250 * TODO:
1251 * QUESTION:
1252 */
1253
1254 void
1255 audit_exec(
1256 const char *argstr, /* argument strings */
1257 const char *envstr, /* environment strings */
1258 ssize_t argc, /* total # arguments */
1259 ssize_t envc, /* total # environment variables */
1260 cred_t *pfcred) /* the additional privileges in a profile */
1261 {
1262 t_audit_data_t *tad;
1263 au_kcontext_t *kctx = GET_KCTX_PZ;
1264
1265 tad = U2A(u);
1266
1267 /* if not auditing this event, then do nothing */
1268 if (!tad->tad_flag)
1269 return;
1270
1271 if (pfcred != NULL) {
1272 p_audit_data_t *pad;
1273 cred_t *cr = CRED();
1274 priv_set_t pset = CR_IPRIV(cr);
1275
1276 pad = P2A(curproc);
1277
1278 /* It's a different event. */
1279 tad->tad_event = AUE_PFEXEC;
1280
1281 /* Add the current working directory to the audit trail. */
1282 if (pad->pad_cwd != NULL)
1283 au_uwrite(au_to_path(pad->pad_cwd));
1284
1285 /*
1286 * The new credential is not yet in place when audit_exec
1287 * is called.
1288 * Compute the additional bits available in the new credential
1289 * and the limit set.
1290 */
1291 priv_inverse(&pset);
1292 priv_intersect(&CR_IPRIV(pfcred), &pset);
1293 if (!priv_isemptyset(&pset) ||
1294 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1295 au_uwrite(au_to_privset(
1296 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1297 0));
1298 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1299 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1300 }
1301 /*
1302 * Compare the uids & gids: create a process token if changed.
1303 */
1304 if (crgetuid(cr) != crgetuid(pfcred) ||
1305 crgetruid(cr) != crgetruid(pfcred) ||
1306 crgetgid(cr) != crgetgid(pfcred) ||
1307 crgetrgid(cr) != crgetrgid(pfcred)) {
1308 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1309 }
1310 }
1311
1312 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1313 au_uwrite(au_to_exec_args(argstr, argc));
1314
1315 if (kctx->auk_policy & AUDIT_ARGE)
1316 au_uwrite(au_to_exec_env(envstr, envc));
1317 }
1318
1319 /*
1320 * ROUTINE: AUDIT_ENTERPROM
1321 * PURPOSE:
1322 * CALLBY: KBDINPUT
1323 * ZSA_XSINT
1324 * NOTE:
1325 * TODO:
1326 * QUESTION:
1327 */
1328 void
1329 audit_enterprom(int flg)
1330 {
1331 token_t *rp = NULL;
1332 int sorf;
1333
1334 if (flg)
1335 sorf = AUM_SUCC;
1336 else
1337 sorf = AUM_FAIL;
1338
1339 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1340
1341 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1342
1343 if (flg)
1344 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1345 else
1346 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1347
1348 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1349 }
1350
1351
1352 /*
1353 * ROUTINE: AUDIT_EXITPROM
1354 * PURPOSE:
1355 * CALLBY: KBDINPUT
1356 * ZSA_XSINT
1357 * NOTE:
1358 * TODO:
1359 * QUESTION:
1360 */
1361 void
1362 audit_exitprom(int flg)
1363 {
1364 int sorf;
1365 token_t *rp = NULL;
1366
1367 if (flg)
1368 sorf = AUM_SUCC;
1369 else
1370 sorf = AUM_FAIL;
1371
1372 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1373
1374 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1375
1376 if (flg)
1377 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1378 else
1379 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1380
1381 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1382 }
1383
1384 struct fcntla {
1385 int fdes;
1386 int cmd;
1387 intptr_t arg;
1388 };
1389
1390
1391 /*
1392 * ROUTINE: AUDIT_CHDIREC
1393 * PURPOSE:
1394 * CALLBY: CHDIREC
1395 * NOTE: The main function of CHDIREC
1396 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1397 * QUESTION:
1398 */
1399
1400 /*ARGSUSED*/
1401 void
1402 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1403 {
1404 int chdir;
1405 int fchdir;
1406 struct audit_path **appp;
1407 struct file *fp;
1408 f_audit_data_t *fad;
1409 p_audit_data_t *pad = P2A(curproc);
1410 t_audit_data_t *tad = T2A(curthread);
1411
1412 struct a {
1413 long fd;
1414 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1415
1416 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1417 chdir = tad->tad_scid == SYS_chdir;
1418 if (tad->tad_aupath) {
1419 mutex_enter(&pad->pad_lock);
1420 if (chdir)
1421 appp = &(pad->pad_cwd);
1422 else
1423 appp = &(pad->pad_root);
1424 au_pathrele(*appp);
1425 /* use tad hold */
1426 *appp = tad->tad_aupath;
1427 tad->tad_aupath = NULL;
1428 mutex_exit(&pad->pad_lock);
1429 }
1430 } else if ((tad->tad_scid == SYS_fchdir) ||
1431 (tad->tad_scid == SYS_fchroot)) {
1432 fchdir = tad->tad_scid == SYS_fchdir;
1433 if ((fp = getf(uap->fd)) == NULL)
1434 return;
1435 fad = F2A(fp);
1436 if (fad->fad_aupath) {
1437 au_pathhold(fad->fad_aupath);
1438 mutex_enter(&pad->pad_lock);
1439 if (fchdir)
1440 appp = &(pad->pad_cwd);
1441 else
1442 appp = &(pad->pad_root);
1443 au_pathrele(*appp);
1444 *appp = fad->fad_aupath;
1445 mutex_exit(&pad->pad_lock);
1446 if (tad->tad_flag) {
1447 au_uwrite(au_to_path(fad->fad_aupath));
1448 audit_attributes(fp->f_vnode);
1449 }
1450 }
1451 releasef(uap->fd);
1452 }
1453 }
1454
1455
1456 /*
1457 * Audit hook for stream based socket and tli request.
1458 * Note that we do not have user context while executing
1459 * this code so we had to record them earlier during the
1460 * putmsg/getmsg to figure out which user we are dealing with.
1461 */
1462
1463 /*ARGSUSED*/
1464 void
1465 audit_sock(
1466 int type, /* type of tihdr.h header requests */
1467 queue_t *q, /* contains the process and thread audit data */
1468 mblk_t *mp, /* contains the tihdr.h header structures */
1469 int from) /* timod or sockmod request */
1470 {
1471 int32_t len;
1472 int32_t offset;
1473 struct sockaddr_in *sock_data;
1474 struct T_conn_req *conn_req;
1475 struct T_conn_ind *conn_ind;
1476 struct T_unitdata_req *unitdata_req;
1477 struct T_unitdata_ind *unitdata_ind;
1478 au_state_t estate;
1479 t_audit_data_t *tad;
1480 caddr_t saved_thread_ptr;
1481 au_mask_t amask;
1482 const auditinfo_addr_t *ainfo;
1483 au_kcontext_t *kctx;
1484
1485 if (q->q_stream == NULL)
1486 return;
1487 mutex_enter(&q->q_stream->sd_lock);
1488 /* are we being audited */
1489 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1490 /* no pointer to thread, nothing to do */
1491 if (saved_thread_ptr == NULL) {
1492 mutex_exit(&q->q_stream->sd_lock);
1493 return;
1494 }
1495 /* only allow one addition of a record token */
1496 q->q_stream->sd_t_audit_data = NULL;
1497 /*
1498 * thread is not the one being audited, then nothing to do
1499 * This could be the stream thread handling the module
1500 * service routine. In this case, the context for the audit
1501 * record can no longer be assumed. Simplest to just drop
1502 * the operation.
1503 */
1504 if (curthread != (kthread_id_t)saved_thread_ptr) {
1505 mutex_exit(&q->q_stream->sd_lock);
1506 return;
1507 }
1508 if (curthread->t_sysnum >= SYS_so_socket &&
1509 curthread->t_sysnum <= SYS_sockconfig) {
1510 mutex_exit(&q->q_stream->sd_lock);
1511 return;
1512 }
1513 mutex_exit(&q->q_stream->sd_lock);
1514 /*
1515 * we know that the thread that did the put/getmsg is the
1516 * one running. Now we can get the TAD and see if we should
1517 * add an audit token.
1518 */
1519 tad = U2A(u);
1520
1521 kctx = GET_KCTX_PZ;
1522
1523 /* proceed ONLY if user is being audited */
1524 if (!tad->tad_flag)
1525 return;
1526
1527 ainfo = crgetauinfo(CRED());
1528 if (ainfo == NULL)
1529 return;
1530 amask = ainfo->ai_mask;
1531
1532 /*
1533 * Figure out the type of stream networking request here.
1534 * Note that getmsg and putmsg are always preselected
1535 * because during the beginning of the system call we have
1536 * not yet figure out which of the socket or tli request
1537 * we are looking at until we are here. So we need to check
1538 * against that specific request and reset the type of event.
1539 */
1540 switch (type) {
1541 case T_CONN_REQ: /* connection request */
1542 conn_req = (struct T_conn_req *)mp->b_rptr;
1543 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1544 return;
1545 offset = conn_req->DEST_offset;
1546 len = conn_req->DEST_length;
1547 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1548 if (amask.as_success & estate || amask.as_failure & estate) {
1549 tad->tad_event = AUE_SOCKCONNECT;
1550 break;
1551 } else {
1552 return;
1553 }
1554 case T_CONN_IND: /* connectionless receive request */
1555 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1556 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1557 return;
1558 offset = conn_ind->SRC_offset;
1559 len = conn_ind->SRC_length;
1560 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1561 if (amask.as_success & estate || amask.as_failure & estate) {
1562 tad->tad_event = AUE_SOCKACCEPT;
1563 break;
1564 } else {
1565 return;
1566 }
1567 case T_UNITDATA_REQ: /* connectionless send request */
1568 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1569 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1570 return;
1571 offset = unitdata_req->DEST_offset;
1572 len = unitdata_req->DEST_length;
1573 estate = kctx->auk_ets[AUE_SOCKSEND];
1574 if (amask.as_success & estate || amask.as_failure & estate) {
1575 tad->tad_event = AUE_SOCKSEND;
1576 break;
1577 } else {
1578 return;
1579 }
1580 case T_UNITDATA_IND: /* connectionless receive request */
1581 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1582 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1583 return;
1584 offset = unitdata_ind->SRC_offset;
1585 len = unitdata_ind->SRC_length;
1586 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1587 if (amask.as_success & estate || amask.as_failure & estate) {
1588 tad->tad_event = AUE_SOCKRECEIVE;
1589 break;
1590 } else {
1591 return;
1592 }
1593 default:
1594 return;
1595 }
1596
1597 /*
1598 * we are only interested in tcp stream connections,
1599 * not unix domain stuff
1600 */
1601 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1602 tad->tad_event = AUE_GETMSG;
1603 return;
1604 }
1605 /* skip over TPI header and point to the ip address */
1606 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1607
1608 switch (sock_data->sin_family) {
1609 case AF_INET:
1610 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1611 break;
1612 default: /* reset to AUE_PUTMSG if not a inet request */
1613 tad->tad_event = AUE_GETMSG;
1614 break;
1615 }
1616 }
1617
1618
1619 static void
1620 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1621 {
1622 unsigned int sy_flags;
1623
1624 #ifdef _SYSCALL32_IMPL
1625 /*
1626 * Guard against t_lwp being NULL when this function is called
1627 * from a kernel queue instead of from a direct system call.
1628 * In that case, assume the running kernel data model.
1629 */
1630 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1631 ttolwp(curthread)) == DATAMODEL_NATIVE))
1632 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1633 else
1634 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1635 #else
1636 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1637 #endif
1638
1639 if (sy_flags == SE_64RVAL)
1640 au_write(ad, au_to_return64(err, rval));
1641 else
1642 au_write(ad, au_to_return32(err, rval));
1643
1644 }
1645
1646 /*ARGSUSED*/
1647 void
1648 audit_fdsend(int fd, struct file *fp, int error)
1649 {
1650 t_audit_data_t *tad; /* current thread */
1651 f_audit_data_t *fad; /* per file audit structure */
1652 struct vnode *vp; /* for file attributes */
1653
1654 /* is this system call being audited */
1655 tad = U2A(u);
1656 ASSERT(tad != (t_audit_data_t *)0);
1657 if (!tad->tad_flag)
1658 return;
1659
1660 fad = F2A(fp);
1661
1662 /* add path and file attributes */
1663 if (fad != NULL && fad->fad_aupath != NULL) {
1664 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1665 au_uwrite(au_to_path(fad->fad_aupath));
1666 } else {
1667 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1668 #ifdef _LP64
1669 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1670 #else
1671 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1672 #endif
1673 }
1674 vp = fp->f_vnode; /* include vnode attributes */
1675 audit_attributes(vp);
1676 }
1677
1678 /*
1679 * Record privileges successfully used and we attempted to use but
1680 * didn't have.
1681 */
1682 void
1683 audit_priv(int priv, const priv_set_t *set, int flag)
1684 {
1685 t_audit_data_t *tad;
1686 int sbit;
1687 priv_set_t *target;
1688
1689 /* Make sure this isn't being called in an interrupt context */
1690 ASSERT(servicing_interrupt() == 0);
1691
1692 tad = U2A(u);
1693
1694 if (tad->tad_flag == 0)
1695 return;
1696
1697 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1698 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1699
1700 /* Tell audit_success() and audit_finish() that we saw this case */
1701 if (!(tad->tad_evmod & sbit)) {
1702 /* Clear set first time around */
1703 priv_emptyset(target);
1704 tad->tad_evmod |= sbit;
1705 }
1706
1707 /* Save the privileges in the tad */
1708 if (priv == PRIV_ALL) {
1709 priv_fillset(target);
1710 } else {
1711 ASSERT(set != NULL || priv != PRIV_NONE);
1712 if (set != NULL)
1713 priv_union(set, target);
1714 if (priv != PRIV_NONE)
1715 priv_addset(target, priv);
1716 }
1717 }
1718
1719 /*
1720 * Audit the psecflags() system call; the set name, current value, and delta
1721 * are put in the audit trail.
1722 */
1723 void
1724 audit_psecflags(proc_t *p,
1725 psecflagwhich_t which,
1726 const secflagdelta_t *psd)
1727 {
1728 t_audit_data_t *tad;
1729 secflagset_t new;
1730 const secflagset_t *old;
1731 const char *s;
1732 cred_t *cr;
1733 pid_t pid;
1734 const auditinfo_addr_t *ainfo;
1735 const psecflags_t *psec = &p->p_secflags;
1736
1737 tad = U2A(u);
1738
1739 if (tad->tad_flag == 0)
1740 return;
1741
1742 switch (which) {
1743 case PSF_EFFECTIVE:
1744 s = "effective";
1745 old = &psec->psf_effective;
1746 break;
1747 case PSF_INHERIT:
1748 s = "inherit";
1749 old = &psec->psf_inherit;
1750 break;
1751 case PSF_LOWER:
1752 s = "lower";
1753 old = &psec->psf_lower;
1754 break;
1755 case PSF_UPPER:
1756 s = "upper";
1757 old = &psec->psf_upper;
1758 break;
1759 }
1760
1761 secflags_copy(&new, old);
1762 secflags_apply_delta(&new, psd);
1763
1764 au_uwrite(au_to_secflags(s, *old));
1765 au_uwrite(au_to_secflags(s, new));
1766
1767 ASSERT(mutex_owned(&p->p_lock));
1768 mutex_enter(&p->p_crlock);
1769
1770 pid = p->p_pid;
1771 crhold(cr = p->p_cred);
1772 mutex_exit(&p->p_crlock);
1773
1774 if ((ainfo = crgetauinfo(cr)) == NULL) {
1775 crfree(cr);
1776 return;
1777 }
1778
1779 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1780
1781 crfree(cr);
1782 }
1783
1784 /*
1785 * Audit the setpriv() system call; the operation, the set name and
1786 * the current value as well as the set argument are put in the
1787 * audit trail.
1788 */
1789 void
1790 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1791 {
1792 t_audit_data_t *tad;
1793 const priv_set_t *oldpriv;
1794 priv_set_t report;
1795 const char *setname;
1796
1797 tad = U2A(u);
1798
1799 if (tad->tad_flag == 0)
1800 return;
1801
1802 oldpriv = priv_getset(ocr, set);
1803
1804 /* Generate the actual record, include the before and after */
1805 au_uwrite(au_to_arg32(2, "op", op));
1806 setname = priv_getsetbynum(set);
1807
1808 switch (op) {
1809 case PRIV_OFF:
1810 /* Report privileges actually switched off */
1811 report = *oldpriv;
1812 priv_intersect(newpriv, &report);
1813 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1814 break;
1815 case PRIV_ON:
1816 /* Report privileges actually switched on */
1817 report = *oldpriv;
1818 priv_inverse(&report);
1819 priv_intersect(newpriv, &report);
1820 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1821 break;
1822 case PRIV_SET:
1823 /* Report before and after */
1824 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1825 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1826 break;
1827 }
1828 }
1829
1830 /*
1831 * Dump the full device policy setting in the audit trail.
1832 */
1833 void
1834 audit_devpolicy(int nitems, const devplcysys_t *items)
1835 {
1836 t_audit_data_t *tad;
1837 int i;
1838
1839 tad = U2A(u);
1840
1841 if (tad->tad_flag == 0)
1842 return;
1843
1844 for (i = 0; i < nitems; i++) {
1845 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1846 if (items[i].dps_minornm[0] == '\0') {
1847 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1848 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1849 } else
1850 au_uwrite(au_to_text(items[i].dps_minornm));
1851
1852 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1853 AUT_PRIV, 0));
1854 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1855 AUT_PRIV, 0));
1856 }
1857 }
1858
1859 /*ARGSUSED*/
1860 void
1861 audit_fdrecv(int fd, struct file *fp)
1862 {
1863 t_audit_data_t *tad; /* current thread */
1864 f_audit_data_t *fad; /* per file audit structure */
1865 struct vnode *vp; /* for file attributes */
1866
1867 /* is this system call being audited */
1868 tad = U2A(u);
1869 ASSERT(tad != (t_audit_data_t *)0);
1870 if (!tad->tad_flag)
1871 return;
1872
1873 fad = F2A(fp);
1874
1875 /* add path and file attributes */
1876 if (fad != NULL && fad->fad_aupath != NULL) {
1877 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1878 au_uwrite(au_to_path(fad->fad_aupath));
1879 } else {
1880 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1881 #ifdef _LP64
1882 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1883 #else
1884 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1885 #endif
1886 }
1887 vp = fp->f_vnode; /* include vnode attributes */
1888 audit_attributes(vp);
1889 }
1890
1891 /*
1892 * ROUTINE: AUDIT_CRYPTOADM
1893 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1894 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1895 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1896 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1897 * CRYPTO_LOAD_DOOR
1898 * NOTE:
1899 * TODO:
1900 * QUESTION:
1901 */
1902
1903 void
1904 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1905 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1906 {
1907 boolean_t mech_list_required = B_FALSE;
1908 cred_t *cr = CRED();
1909 t_audit_data_t *tad;
1910 token_t *ad = NULL;
1911 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1912 char buffer[MAXNAMELEN * 2];
1913 au_kcontext_t *kctx = GET_KCTX_PZ;
1914
1915 tad = U2A(u);
1916 if (tad == NULL)
1917 return;
1918
1919 if (ainfo == NULL)
1920 return;
1921
1922 tad->tad_event = AUE_CRYPTOADM;
1923
1924 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1925 return;
1926
1927 /* Add subject information */
1928 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1929
1930 switch (cmd) {
1931 case CRYPTO_LOAD_DEV_DISABLED:
1932 if (error == 0 && rv == CRYPTO_SUCCESS) {
1933 (void) snprintf(buffer, sizeof (buffer),
1934 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1935 " dev_instance=%d",
1936 module_name, device_instance);
1937 mech_list_required = B_TRUE;
1938 } else {
1939 (void) snprintf(buffer, sizeof (buffer),
1940 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1941 }
1942 break;
1943
1944 case CRYPTO_LOAD_SOFT_DISABLED:
1945 if (error == 0 && rv == CRYPTO_SUCCESS) {
1946 (void) snprintf(buffer, sizeof (buffer),
1947 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1948 module_name);
1949 mech_list_required = B_TRUE;
1950 } else {
1951 (void) snprintf(buffer, sizeof (buffer),
1952 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1953 }
1954 break;
1955
1956 case CRYPTO_UNLOAD_SOFT_MODULE:
1957 if (error == 0 && rv == CRYPTO_SUCCESS) {
1958 (void) snprintf(buffer, sizeof (buffer),
1959 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1960 module_name);
1961 } else {
1962 (void) snprintf(buffer, sizeof (buffer),
1963 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1964 }
1965 break;
1966
1967 case CRYPTO_LOAD_SOFT_CONFIG:
1968 if (error == 0 && rv == CRYPTO_SUCCESS) {
1969 (void) snprintf(buffer, sizeof (buffer),
1970 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1971 module_name);
1972 mech_list_required = B_TRUE;
1973 } else {
1974 (void) snprintf(buffer, sizeof (buffer),
1975 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1976 }
1977 break;
1978
1979 case CRYPTO_POOL_CREATE:
1980 (void) snprintf(buffer, sizeof (buffer),
1981 "op=CRYPTO_POOL_CREATE");
1982 break;
1983
1984 case CRYPTO_POOL_WAIT:
1985 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1986 break;
1987
1988 case CRYPTO_POOL_RUN:
1989 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1990 break;
1991
1992 case CRYPTO_LOAD_DOOR:
1993 if (error == 0 && rv == CRYPTO_SUCCESS)
1994 (void) snprintf(buffer, sizeof (buffer),
1995 "op=CRYPTO_LOAD_DOOR");
1996 else
1997 (void) snprintf(buffer, sizeof (buffer),
1998 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1999 break;
2000
2001 case CRYPTO_FIPS140_SET:
2002 (void) snprintf(buffer, sizeof (buffer),
2003 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
2004 break;
2005
2006 default:
2007 return;
2008 }
2009
2010 au_write((caddr_t *)&ad, au_to_text(buffer));
2011
2012 if (mech_list_required) {
2013 int i;
2014
2015 if (mech_count == 0) {
2016 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2017 } else {
2018 char *pb = buffer;
2019 size_t l = sizeof (buffer);
2020 size_t n;
2021 char space[2] = ":";
2022
2023 n = snprintf(pb, l, "mech=");
2024
2025 for (i = 0; i < mech_count; i++) {
2026 pb += n;
2027 l = (n >= l) ? 0 : l - n;
2028
2029 if (i == mech_count - 1)
2030 (void) strcpy(space, "");
2031
2032 n = snprintf(pb, l, "%s%s", mech_names[i],
2033 space);
2034 }
2035 au_write((caddr_t *)&ad, au_to_text(buffer));
2036 }
2037 }
2038
2039 /* add a return token */
2040 if (error || (rv != CRYPTO_SUCCESS))
2041 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2042 else
2043 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2044
2045 AS_INC(as_generated, 1, kctx);
2046 AS_INC(as_kernel, 1, kctx);
2047
2048 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2049 NULL);
2050 }
2051
2052 /*
2053 * Audit the kernel SSL administration command. The address and the
2054 * port number for the SSL instance, and the proxy port are put in the
2055 * audit trail.
2056 */
2057 void
2058 audit_kssl(int cmd, void *params, int error)
2059 {
2060 cred_t *cr = CRED();
2061 t_audit_data_t *tad;
2062 token_t *ad = NULL;
2063 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
2064 au_kcontext_t *kctx = GET_KCTX_PZ;
2065
2066 tad = U2A(u);
2067
2068 if (ainfo == NULL)
2069 return;
2070
2071 tad->tad_event = AUE_CONFIGKSSL;
2072
2073 if (audit_success(kctx, tad, error, NULL) != AU_OK)
2074 return;
2075
2076 /* Add subject information */
2077 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2078
2079 switch (cmd) {
2080 case KSSL_ADD_ENTRY: {
2081 char buf[32];
2082 kssl_params_t *kp = (kssl_params_t *)params;
2083 struct sockaddr_in6 *saddr = &kp->kssl_addr;
2084
2085 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2086 au_write((caddr_t *)&ad,
2087 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2088 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2089 saddr->sin6_port);
2090 au_write((caddr_t *)&ad, au_to_text(buf));
2091
2092 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
2093 kp->kssl_proxy_port);
2094 au_write((caddr_t *)&ad, au_to_text(buf));
2095 break;
2096 }
2097
2098 case KSSL_DELETE_ENTRY: {
2099 char buf[32];
2100 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2101
2102 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2103 au_write((caddr_t *)&ad,
2104 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2105 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2106 saddr->sin6_port);
2107 au_write((caddr_t *)&ad, au_to_text(buf));
2108 break;
2109 }
2110
2111 default:
2112 return;
2113 }
2114
2115 /* add a return token */
2116 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2117
2118 AS_INC(as_generated, 1, kctx);
2119 AS_INC(as_kernel, 1, kctx);
2120
2121 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2122 NULL);
2123 }
2124
2125 /*
2126 * Audit the kernel PF_POLICY administration commands. Record command,
2127 * zone, policy type (global or tunnel, active or inactive)
2128 */
2129 /*
2130 * ROUTINE: AUDIT_PF_POLICY
2131 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2132 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2133 * SPD_CLONE, SPD_FLIP
2134 * NOTE:
2135 * TODO:
2136 * QUESTION:
2137 */
2138
2139 void
2140 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2141 boolean_t active, int error, pid_t pid)
2142 {
2143 const auditinfo_addr_t *ainfo;
2144 t_audit_data_t *tad;
2145 token_t *ad = NULL;
2146 au_kcontext_t *kctx = GET_KCTX_PZ;
2147 char buf[80];
2148 int flag;
2149
2150 tad = U2A(u);
2151 if (tad == NULL)
2152 return;
2153
2154 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2155 if (ainfo == NULL)
2156 return;
2157
2158 /*
2159 * Initialize some variables since these are only set
2160 * with system calls.
2161 */
2162
2163 switch (cmd) {
2164 case SPD_ADDRULE: {
2165 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2166 break;
2167 }
2168
2169 case SPD_DELETERULE: {
2170 tad->tad_event = AUE_PF_POLICY_DELRULE;
2171 break;
2172 }
2173
2174 case SPD_FLUSH: {
2175 tad->tad_event = AUE_PF_POLICY_FLUSH;
2176 break;
2177 }
2178
2179 case SPD_UPDATEALGS: {
2180 tad->tad_event = AUE_PF_POLICY_ALGS;
2181 break;
2182 }
2183
2184 case SPD_CLONE: {
2185 tad->tad_event = AUE_PF_POLICY_CLONE;
2186 break;
2187 }
2188
2189 case SPD_FLIP: {
2190 tad->tad_event = AUE_PF_POLICY_FLIP;
2191 break;
2192 }
2193
2194 default:
2195 tad->tad_event = AUE_NULL;
2196 }
2197
2198 tad->tad_evmod = 0;
2199
2200 if (flag = audit_success(kctx, tad, error, cred)) {
2201 zone_t *nszone;
2202
2203 /*
2204 * For now, just audit that an event happened,
2205 * along with the error code.
2206 */
2207 au_write((caddr_t *)&ad,
2208 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2209 au_write((caddr_t *)&ad,
2210 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2211
2212 /* Supplemental data */
2213
2214 /*
2215 * Generate this zone token if the target zone differs
2216 * from the administrative zone. If netstacks are expanded
2217 * to something other than a 1-1 relationship with zones,
2218 * the auditing framework should create a new token type
2219 * and audit it as a netstack instead.
2220 * Turn on general zone auditing to get the administrative zone.
2221 */
2222
2223 nszone = zone_find_by_id(netstackid_to_zoneid(
2224 ns->netstack_stackid));
2225 if (nszone != NULL) {
2226 if (strncmp(crgetzone(cred)->zone_name,
2227 nszone->zone_name, ZONENAME_MAX) != 0) {
2228 token_t *ztoken;
2229
2230 ztoken = au_to_zonename(0, nszone);
2231 au_write((caddr_t *)&ad, ztoken);
2232 }
2233 zone_rele(nszone);
2234 }
2235
2236 if (tun != NULL) {
2237 /* write tunnel name - tun is bounded */
2238 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2239 tun);
2240 au_write((caddr_t *)&ad, au_to_text(buf));
2241 }
2242
2243 /* Add subject information */
2244 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2245 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2246
2247 /* add a return token */
2248 add_return_token((caddr_t *)&ad, 0, error, 0);
2249
2250 AS_INC(as_generated, 1, kctx);
2251 AS_INC(as_kernel, 1, kctx);
2252
2253 }
2254 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2255 NULL);
2256
2257 /*
2258 * clear the ctrl flag so that we don't have spurious collection of
2259 * audit information.
2260 */
2261 tad->tad_scid = 0;
2262 tad->tad_event = 0;
2263 tad->tad_evmod = 0;
2264 tad->tad_ctrl = 0;
2265 }
2266
2267 /*
2268 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2269 * PURPOSE: Add security attributes
2270 * CALLBY: AUDIT_ATTRIBUTES
2271 * AUDIT_CLOSEF
2272 * AUS_CLOSE
2273 * NOTE:
2274 * TODO:
2275 * QUESTION:
2276 */
2277
2278 void
2279 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2280 {
2281 /* Dump the SL */
2282 if (is_system_labeled()) {
2283 ts_label_t *tsl;
2284 bslabel_t *bsl;
2285
2286 tsl = getflabel(vp);
2287 if (tsl == NULL)
2288 return; /* nothing else to do */
2289
2290 bsl = label2bslabel(tsl);
2291 if (bsl == NULL)
2292 return; /* nothing else to do */
2293 au_write(ad, au_to_label(bsl));
2294 label_rele(tsl);
2295 }
2296
2297 } /* AUDIT_SEC_ATTRIBUTES */