Print this page
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/c2/audit.c
+++ new/usr/src/uts/common/c2/audit.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 + * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 25 */
25 26
26 27 /*
27 28 * This file contains the audit hook support code for auditing.
28 29 */
29 30
30 31 #include <sys/types.h>
31 32 #include <sys/proc.h>
32 33 #include <sys/vnode.h>
33 34 #include <sys/vfs.h>
34 35 #include <sys/file.h>
35 36 #include <sys/user.h>
36 37 #include <sys/stropts.h>
37 38 #include <sys/systm.h>
38 39 #include <sys/pathname.h>
39 40 #include <sys/syscall.h>
40 41 #include <sys/fcntl.h>
41 42 #include <sys/ipc_impl.h>
42 43 #include <sys/msg_impl.h>
43 44 #include <sys/sem_impl.h>
44 45 #include <sys/shm_impl.h>
45 46 #include <sys/kmem.h> /* for KM_SLEEP */
46 47 #include <sys/socket.h>
47 48 #include <sys/cmn_err.h> /* snprintf... */
48 49 #include <sys/debug.h>
49 50 #include <sys/thread.h>
50 51 #include <netinet/in.h>
51 52 #include <c2/audit.h> /* needs to be included before user.h */
52 53 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 54 #include <c2/audit_kevents.h>
|
↓ open down ↓ |
20 lines elided |
↑ open up ↑ |
54 55 #include <c2/audit_record.h>
55 56 #include <sys/strsubr.h>
56 57 #include <sys/tihdr.h>
57 58 #include <sys/tiuser.h>
58 59 #include <sys/timod.h>
59 60 #include <sys/model.h> /* for model_t */
60 61 #include <sys/disp.h> /* for servicing_interrupt() */
61 62 #include <sys/devpolicy.h>
62 63 #include <sys/crypto/ioctladmin.h>
63 64 #include <sys/cred_impl.h>
65 +#include <sys/sid.h>
64 66 #include <inet/kssl/kssl.h>
65 67 #include <net/pfpolicy.h>
66 68
67 69 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 70
69 71 static void audit_pathbuild(struct pathname *pnp);
70 72
71 73
72 74 /*
73 75 * ROUTINE: AUDIT_SAVEPATH
74 76 * PURPOSE:
75 77 * CALLBY: LOOKUPPN
76 78 *
77 79 * NOTE: We have reached the end of a path in fs/lookup.c.
78 80 * We get two pieces of information here:
79 81 * the vnode of the last component (vp) and
80 82 * the status of the last access (flag).
81 83 * TODO:
82 84 * QUESTION:
83 85 */
84 86
85 87 /*ARGSUSED*/
86 88 int
87 89 audit_savepath(
88 90 struct pathname *pnp, /* pathname to lookup */
89 91 struct vnode *vp, /* vnode of the last component */
90 92 struct vnode *pvp, /* vnode of the last parent component */
91 93 int flag, /* status of the last access */
92 94 cred_t *cr) /* cred of requestor */
93 95 {
94 96
95 97 t_audit_data_t *tad; /* current thread */
96 98 au_kcontext_t *kctx = GET_KCTX_PZ;
97 99
98 100 tad = U2A(u);
99 101
100 102 /*
101 103 * Noise elimination in audit trails - this event will be discarded if:
102 104 * - the public policy is not active AND
103 105 * - the system call is a public operation AND
104 106 * - the file was not found: VFS lookup failed with ENOENT error AND
105 107 * - the missing file would have been located in the public directory
106 108 * owned by root if it had existed
107 109 */
108 110 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109 111 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110 112 !(kctx->auk_policy & AUDIT_PUBLIC)) {
111 113 struct vattr attr;
112 114
113 115 attr.va_mask = AT_ALL;
114 116 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115 117 if (object_is_public(&attr)) {
116 118 tad->tad_ctrl |= TAD_NOAUDIT;
117 119 }
118 120 }
119 121 }
120 122
121 123 /*
122 124 * this event being audited or do we need path information
123 125 * later? This might be for a chdir/chroot or open (add path
124 126 * to file pointer. If the path has already been found for an
125 127 * open/creat then we don't need to process the path.
126 128 *
127 129 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 130 * chroot, chdir, open, creat system call processing. It determines
129 131 * if audit_savepath() will discard the path or we need it later.
130 132 * TAD_PATHFND means path already included in this audit record. It
131 133 * is used in cases where multiple path lookups are done per
132 134 * system call. The policy flag, AUDIT_PATH, controls if multiple
133 135 * paths are allowed.
134 136 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 137 * exit processing to inhibit any paths that may be added due to
136 138 * closes.
137 139 */
138 140 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139 141 ((tad->tad_ctrl & TAD_PATHFND) &&
140 142 !(kctx->auk_policy & AUDIT_PATH)) ||
141 143 (tad->tad_ctrl & TAD_NOPATH)) {
142 144 return (0);
143 145 }
144 146
145 147 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
146 148
147 149 audit_pathbuild(pnp);
148 150
149 151 /*
150 152 * are we auditing only if error, or if it is not open or create
151 153 * otherwise audit_setf will do it
152 154 */
153 155
154 156 if (tad->tad_flag) {
155 157 if (flag &&
156 158 (tad->tad_scid == SYS_open ||
157 159 tad->tad_scid == SYS_open64 ||
158 160 tad->tad_scid == SYS_openat ||
159 161 tad->tad_scid == SYS_openat64)) {
160 162 tad->tad_ctrl |= TAD_TRUE_CREATE;
161 163 }
162 164
163 165 /* add token to audit record for this name */
164 166 au_uwrite(au_to_path(tad->tad_aupath));
165 167
166 168 /* add the attributes of the object */
167 169 if (vp) {
168 170 /*
169 171 * only capture attributes when there is no error
170 172 * lookup will not return the vnode of the failing
171 173 * component.
172 174 *
173 175 * if there was a lookup error, then don't add
174 176 * attribute. if lookup in vn_create(),
175 177 * then don't add attribute,
176 178 * it will be added at end of vn_create().
177 179 */
178 180 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179 181 audit_attributes(vp);
180 182 }
181 183 }
182 184
183 185 /* free up space if we're not going to save path (open, creat) */
184 186 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185 187 if (tad->tad_aupath != NULL) {
186 188 au_pathrele(tad->tad_aupath);
187 189 tad->tad_aupath = NULL;
188 190 }
189 191 }
190 192 if (tad->tad_ctrl & TAD_MLD)
191 193 tad->tad_ctrl |= TAD_PATHFND;
192 194
193 195 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
194 196 return (0);
195 197 }
196 198
197 199 static void
198 200 audit_pathbuild(struct pathname *pnp)
199 201 {
200 202 char *pp; /* pointer to path */
201 203 int len; /* length of incoming segment */
202 204 int newsect; /* path requires a new section */
203 205 struct audit_path *pfxapp; /* prefix for path */
204 206 struct audit_path *newapp; /* new audit_path */
205 207 t_audit_data_t *tad; /* current thread */
206 208 p_audit_data_t *pad; /* current process */
207 209
208 210 tad = U2A(u);
209 211 ASSERT(tad != NULL);
210 212 pad = P2A(curproc);
211 213 ASSERT(pad != NULL);
212 214
213 215 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
214 216 ASSERT(len > 0);
215 217
216 218 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 219 mutex_enter(&pad->pad_lock);
218 220 if (tad->tad_aupath != NULL) {
219 221 pfxapp = tad->tad_aupath;
220 222 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221 223 ASSERT(tad->tad_atpath != NULL);
222 224 pfxapp = tad->tad_atpath;
223 225 } else if (tad->tad_ctrl & TAD_ABSPATH) {
224 226 pfxapp = pad->pad_root;
225 227 } else {
226 228 pfxapp = pad->pad_cwd;
227 229 }
228 230 au_pathhold(pfxapp);
229 231 mutex_exit(&pad->pad_lock);
230 232
231 233 /* get an expanded buffer to hold the anchored path */
232 234 newsect = tad->tad_ctrl & TAD_ATTPATH;
233 235 newapp = au_pathdup(pfxapp, newsect, len);
234 236 au_pathrele(pfxapp);
235 237
236 238 pp = newapp->audp_sect[newapp->audp_cnt] - len;
237 239 if (!newsect) {
238 240 /* overlay previous NUL terminator */
239 241 *(pp - 1) = '/';
240 242 }
241 243
242 244 /* now add string of processed path */
243 245 bcopy(pnp->pn_buf, pp, len);
244 246 pp[len - 1] = '\0';
245 247
246 248 /* perform path simplification as necessary */
247 249 audit_fixpath(newapp, len);
248 250
249 251 if (tad->tad_aupath)
250 252 au_pathrele(tad->tad_aupath);
251 253 tad->tad_aupath = newapp;
252 254
253 255 /* for case where multiple lookups in one syscall (rename) */
254 256 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255 257 }
256 258
257 259
258 260 /*
259 261 * ROUTINE: AUDIT_ANCHORPATH
260 262 * PURPOSE:
261 263 * CALLBY: LOOKUPPN
262 264 * NOTE:
263 265 * anchor path at "/". We have seen a symbolic link or entering for the
264 266 * first time we will throw away any saved path if path is anchored.
265 267 *
266 268 * flag = 0, path is relative.
267 269 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268 270 *
269 271 * If the (new) path is absolute, then we have to throw away whatever we have
270 272 * already accumulated since it is being superseded by new path which is
271 273 * anchored at the root.
272 274 * Note that if the path is relative, this function does nothing
273 275 * TODO:
274 276 * QUESTION:
275 277 */
276 278 /*ARGSUSED*/
277 279 void
278 280 audit_anchorpath(struct pathname *pnp, int flag)
279 281 {
280 282 au_kcontext_t *kctx = GET_KCTX_PZ;
281 283 t_audit_data_t *tad;
282 284
283 285 tad = U2A(u);
284 286
285 287 /*
286 288 * this event being audited or do we need path information
287 289 * later? This might be for a chdir/chroot or open (add path
288 290 * to file pointer. If the path has already been found for an
289 291 * open/creat then we don't need to process the path.
290 292 *
291 293 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 294 * chroot, chdir, open, creat system call processing. It determines
293 295 * if audit_savepath() will discard the path or we need it later.
294 296 * TAD_PATHFND means path already included in this audit record. It
295 297 * is used in cases where multiple path lookups are done per
296 298 * system call. The policy flag, AUDIT_PATH, controls if multiple
297 299 * paths are allowed.
298 300 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 301 * exit processing to inhibit any paths that may be added due to
300 302 * closes.
301 303 */
302 304 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303 305 ((tad->tad_ctrl & TAD_PATHFND) &&
304 306 !(kctx->auk_policy & AUDIT_PATH)) ||
305 307 (tad->tad_ctrl & TAD_NOPATH)) {
306 308 return;
307 309 }
308 310
309 311 if (flag) {
310 312 tad->tad_ctrl |= TAD_ABSPATH;
311 313 if (tad->tad_aupath != NULL) {
312 314 au_pathrele(tad->tad_aupath);
313 315 tad->tad_aupath = NULL;
314 316 }
315 317 }
316 318 }
317 319
318 320
319 321 /*
320 322 * symbolic link. Save previous components.
321 323 *
322 324 * the path seen so far looks like this
323 325 *
324 326 * +-----------------------+----------------+
325 327 * | path processed so far | remaining path |
326 328 * +-----------------------+----------------+
327 329 * \-----------------------/
328 330 * save this string if
329 331 * symbolic link relative
330 332 * (but don't include symlink component)
331 333 */
332 334
333 335 /*ARGSUSED*/
334 336
335 337
336 338 /*
337 339 * ROUTINE: AUDIT_SYMLINK
338 340 * PURPOSE:
339 341 * CALLBY: LOOKUPPN
340 342 * NOTE:
341 343 * TODO:
342 344 * QUESTION:
343 345 */
344 346 void
345 347 audit_symlink(struct pathname *pnp, struct pathname *sympath)
346 348 {
347 349 char *sp; /* saved initial pp */
348 350 char *cp; /* start of symlink path */
349 351 uint_t len_path; /* processed path before symlink */
350 352 t_audit_data_t *tad;
351 353 au_kcontext_t *kctx = GET_KCTX_PZ;
352 354
353 355 tad = U2A(u);
354 356
355 357 /*
356 358 * this event being audited or do we need path information
357 359 * later? This might be for a chdir/chroot or open (add path
358 360 * to file pointer. If the path has already been found for an
359 361 * open/creat then we don't need to process the path.
360 362 *
361 363 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 364 * chroot, chdir, open, creat system call processing. It determines
363 365 * if audit_savepath() will discard the path or we need it later.
364 366 * TAD_PATHFND means path already included in this audit record. It
365 367 * is used in cases where multiple path lookups are done per
366 368 * system call. The policy flag, AUDIT_PATH, controls if multiple
367 369 * paths are allowed.
368 370 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 371 * exit processing to inhibit any paths that may be added due to
370 372 * closes.
371 373 */
372 374 if ((tad->tad_flag == 0 &&
373 375 !(tad->tad_ctrl & TAD_SAVPATH)) ||
374 376 ((tad->tad_ctrl & TAD_PATHFND) &&
375 377 !(kctx->auk_policy & AUDIT_PATH)) ||
376 378 (tad->tad_ctrl & TAD_NOPATH)) {
377 379 return;
378 380 }
379 381
380 382 /*
381 383 * if symbolic link is anchored at / then do nothing.
382 384 * When we cycle back to begin: in lookuppn() we will
383 385 * call audit_anchorpath() with a flag indicating if the
384 386 * path is anchored at / or is relative. We will release
385 387 * any saved path at that point.
386 388 *
387 389 * Note In the event that an error occurs in pn_combine then
388 390 * we want to remain pointing at the component that caused the
389 391 * path to overflow the pnp structure.
390 392 */
391 393 if (sympath->pn_buf[0] == '/')
392 394 return;
393 395
394 396 /* backup over last component */
395 397 sp = cp = pnp->pn_path;
396 398 while (*--cp != '/' && cp > pnp->pn_buf)
397 399 ;
398 400
399 401 len_path = cp - pnp->pn_buf;
400 402
401 403 /* is there anything to save? */
402 404 if (len_path) {
403 405 pnp->pn_path = pnp->pn_buf;
404 406 audit_pathbuild(pnp);
405 407 pnp->pn_path = sp;
406 408 }
407 409 }
408 410
409 411 /*
410 412 * object_is_public : determine whether events for the object (corresponding to
411 413 * the specified file/directory attr) should be audited or
412 414 * ignored.
413 415 *
414 416 * returns: 1 - if audit policy and object attributes indicate that
415 417 * file/directory is effectively public. read events for
416 418 * the file should not be audited.
417 419 * 0 - otherwise
418 420 *
419 421 * The required attributes to be considered a public object are:
420 422 * - owned by root, AND
421 423 * - world-readable (permissions for other include read), AND
422 424 * - NOT world-writeable (permissions for other don't
423 425 * include write)
424 426 * (mode doesn't need to be checked for symlinks)
425 427 */
426 428 int
427 429 object_is_public(struct vattr *attr)
428 430 {
429 431 au_kcontext_t *kctx = GET_KCTX_PZ;
430 432
431 433 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432 434 ((attr->va_type == VLNK) ||
433 435 ((attr->va_mode & (VREAD>>6)) != 0) &&
434 436 ((attr->va_mode & (VWRITE>>6)) == 0))) {
435 437 return (1);
436 438 }
437 439 return (0);
438 440 }
439 441
440 442
441 443 /*
442 444 * ROUTINE: AUDIT_ATTRIBUTES
443 445 * PURPOSE: Audit the attributes so we can tell why the error occurred
444 446 * CALLBY: AUDIT_SAVEPATH
445 447 * AUDIT_VNCREATE_FINISH
446 448 * AUS_FCHOWN...audit_event.c...audit_path.c
447 449 * NOTE:
448 450 * TODO:
449 451 * QUESTION:
450 452 */
451 453 void
452 454 audit_attributes(struct vnode *vp)
453 455 {
454 456 struct vattr attr;
455 457 struct t_audit_data *tad;
456 458
457 459 tad = U2A(u);
458 460
459 461 if (vp) {
460 462 attr.va_mask = AT_ALL;
461 463 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462 464 return;
463 465
464 466 if (object_is_public(&attr) &&
465 467 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466 468 /*
467 469 * This is a public object and a "public" event
468 470 * (i.e., read only) -- either by definition
469 471 * (e.g., stat, access...) or by virtue of write access
470 472 * not being requested (e.g. mmap).
471 473 * Flag it in the tad to prevent this audit at the end.
472 474 */
473 475 tad->tad_ctrl |= TAD_NOAUDIT;
474 476 } else {
475 477 au_uwrite(au_to_attr(&attr));
476 478 audit_sec_attributes(&(u_ad), vp);
477 479 }
478 480 }
479 481 }
480 482
481 483
482 484 /*
483 485 * ROUTINE: AUDIT_EXIT
484 486 * PURPOSE:
485 487 * CALLBY: EXIT
486 488 * NOTE:
487 489 * TODO:
488 490 * QUESTION: why cmw code as offset by 2 but not here
489 491 */
490 492 /* ARGSUSED */
491 493 void
492 494 audit_exit(int code, int what)
493 495 {
494 496 struct t_audit_data *tad;
495 497 tad = U2A(u);
496 498
497 499 /*
498 500 * tad_scid will be set by audit_start even if we are not auditing
499 501 * the event.
500 502 */
501 503 if (tad->tad_scid == SYS_exit) {
502 504 /*
503 505 * if we are auditing the exit system call, then complete
504 506 * audit record generation (no return from system call).
505 507 */
506 508 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507 509 audit_finish(0, SYS_exit, 0, 0);
508 510 return;
509 511 }
510 512
511 513 /*
512 514 * Anyone auditing the system call that was aborted?
513 515 */
514 516 if (tad->tad_flag) {
515 517 au_uwrite(au_to_text("event aborted"));
516 518 audit_finish(0, tad->tad_scid, 0, 0);
517 519 }
518 520
519 521 /*
520 522 * Generate an audit record for process exit if preselected.
521 523 */
522 524 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523 525 audit_finish(0, SYS_exit, 0, 0);
524 526 }
525 527
526 528 /*
527 529 * ROUTINE: AUDIT_CORE_START
528 530 * PURPOSE:
529 531 * CALLBY: PSIG
530 532 * NOTE:
531 533 * TODO:
532 534 */
533 535 void
534 536 audit_core_start(int sig)
535 537 {
536 538 au_event_t event;
537 539 au_state_t estate;
538 540 t_audit_data_t *tad;
539 541 au_kcontext_t *kctx;
540 542
541 543 tad = U2A(u);
542 544
543 545 ASSERT(tad != (t_audit_data_t *)0);
544 546
545 547 ASSERT(tad->tad_scid == 0);
546 548 ASSERT(tad->tad_event == 0);
547 549 ASSERT(tad->tad_evmod == 0);
548 550 ASSERT(tad->tad_ctrl == 0);
549 551 ASSERT(tad->tad_flag == 0);
550 552 ASSERT(tad->tad_aupath == NULL);
551 553
552 554 kctx = GET_KCTX_PZ;
553 555
554 556 /* get basic event for system call */
555 557 event = AUE_CORE;
556 558 estate = kctx->auk_ets[event];
557 559
558 560 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559 561 return;
560 562
561 563 /* reset the flags for non-user attributable events */
562 564 tad->tad_ctrl = TAD_CORE;
563 565 tad->tad_scid = 0;
564 566
565 567 /* if auditing not enabled, then don't generate an audit record */
566 568
567 569 if (!((kctx->auk_auditstate == AUC_AUDITING ||
568 570 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569 571 kctx->auk_auditstate == AUC_NOSPACE)) {
570 572 tad->tad_flag = 0;
571 573 tad->tad_ctrl = 0;
572 574 return;
573 575 }
574 576
575 577 tad->tad_event = event;
576 578 tad->tad_evmod = 0;
577 579
578 580 ASSERT(tad->tad_ad == NULL);
579 581
580 582 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581 583 }
582 584
583 585 /*
584 586 * ROUTINE: AUDIT_CORE_FINISH
585 587 * PURPOSE:
586 588 * CALLBY: PSIG
587 589 * NOTE:
588 590 * TODO:
589 591 * QUESTION:
590 592 */
591 593
592 594 /*ARGSUSED*/
593 595 void
594 596 audit_core_finish(int code)
595 597 {
596 598 int flag;
597 599 t_audit_data_t *tad;
598 600 au_kcontext_t *kctx;
599 601
600 602 tad = U2A(u);
601 603
602 604 ASSERT(tad != (t_audit_data_t *)0);
603 605
604 606 if ((flag = tad->tad_flag) == 0) {
605 607 tad->tad_event = 0;
606 608 tad->tad_evmod = 0;
607 609 tad->tad_ctrl = 0;
608 610 ASSERT(tad->tad_aupath == NULL);
609 611 return;
610 612 }
611 613 tad->tad_flag = 0;
612 614
613 615 kctx = GET_KCTX_PZ;
614 616
615 617 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 618 if (flag = audit_success(kctx, tad, 0, NULL)) {
617 619 cred_t *cr = CRED();
618 620 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619 621
620 622 ASSERT(ainfo != NULL);
621 623
622 624 /*
623 625 * Add subject information (no locks since our private copy of
624 626 * credential
625 627 */
626 628 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627 629
628 630 /* Add a return token (should use f argument) */
629 631 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630 632
631 633 AS_INC(as_generated, 1, kctx);
632 634 AS_INC(as_kernel, 1, kctx);
633 635 }
634 636
635 637 /* Close up everything */
636 638 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637 639
638 640 /* free up any space remaining with the path's */
639 641 if (tad->tad_aupath != NULL) {
640 642 au_pathrele(tad->tad_aupath);
641 643 tad->tad_aupath = NULL;
642 644 }
643 645 tad->tad_event = 0;
644 646 tad->tad_evmod = 0;
645 647 tad->tad_ctrl = 0;
646 648 }
647 649
648 650
649 651 /*ARGSUSED*/
650 652 void
651 653 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652 654 unsigned char *pri, int *flag, int fmode)
653 655 {
654 656 struct stdata *stp;
655 657 t_audit_data_t *tad = U2A(u);
656 658
657 659 ASSERT(tad != (t_audit_data_t *)0);
658 660
659 661 stp = vp->v_stream;
660 662
661 663 /* lock stdata from audit_sock */
662 664 mutex_enter(&stp->sd_lock);
663 665
664 666 /* proceed ONLY if user is being audited */
665 667 if (!tad->tad_flag) {
666 668 /*
667 669 * this is so we will not add audit data onto
668 670 * a thread that is not being audited.
669 671 */
670 672 stp->sd_t_audit_data = NULL;
671 673 mutex_exit(&stp->sd_lock);
672 674 return;
673 675 }
674 676
675 677 stp->sd_t_audit_data = (caddr_t)curthread;
676 678 mutex_exit(&stp->sd_lock);
677 679 }
678 680
679 681 /*ARGSUSED*/
680 682 void
681 683 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682 684 unsigned char pri, int flag, int fmode)
683 685 {
684 686 struct stdata *stp;
685 687 t_audit_data_t *tad = U2A(u);
686 688
687 689 ASSERT(tad != (t_audit_data_t *)0);
688 690
689 691 stp = vp->v_stream;
690 692
691 693 /* lock stdata from audit_sock */
692 694 mutex_enter(&stp->sd_lock);
693 695
694 696 /* proceed ONLY if user is being audited */
695 697 if (!tad->tad_flag) {
696 698 /*
697 699 * this is so we will not add audit data onto
698 700 * a thread that is not being audited.
|
↓ open down ↓ |
625 lines elided |
↑ open up ↑ |
699 701 */
700 702 stp->sd_t_audit_data = NULL;
701 703 mutex_exit(&stp->sd_lock);
702 704 return;
703 705 }
704 706
705 707 stp->sd_t_audit_data = (caddr_t)curthread;
706 708 mutex_exit(&stp->sd_lock);
707 709 }
708 710
711 +/*
712 + * ROUTINE: AUDIT_SACL
713 + * PURPOSE: audit ACL-based file accesses
714 + * CALLBY: SMB, NFS
715 + * NOTE:
716 + *
717 + * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
718 + * on the audit queue if it becomes full.
719 + * TODO:
720 + * QUESTION:
721 + */
722 +void
723 +audit_sacl(char *path, cred_t *cr, uint32_t desired, boolean_t success,
724 + t_audit_sacl_t *tas)
725 +{
726 + token_t *ad = NULL;
727 + au_kcontext_t *kctx = GET_KCTX_PZ;
728 + const auditinfo_addr_t *ainfo;
729 + ksid_t *ks;
730 +
731 + /* if auditing not enabled, then don't generate an audit record */
732 + if (((kctx->auk_auditstate) &
733 + ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE)) != 0)
734 + return;
735 +
736 + if ((success && (tas->tas_smask & desired) == 0) ||
737 + (!success && (tas->tas_fmask & desired) == 0))
738 + return;
739 +
740 + ainfo = crgetauinfo(cr);
741 + if (ainfo == NULL)
742 + return;
743 +
744 + au_write((caddr_t *)&(ad), au_to_path_string(path));
745 + au_write((caddr_t *)&(ad), au_to_access_mask(desired));
746 +
747 + /* Include the SID if it has one, in case the id is ephemeral */
748 + if ((ks = crgetsid(cr, KSID_USER)) != NULL) {
749 + au_write((caddr_t *)&(ad), au_to_wsid(ks));
750 + }
751 + AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
752 + au_close(kctx, (caddr_t *)&(ad), AU_OK, AUE_SACL,
753 + success ? 0 : PAD_FAILURE, NULL);
754 +}
755 +
709 756 /*
710 757 * ROUTINE: AUDIT_CLOSEF
711 758 * PURPOSE:
712 759 * CALLBY: CLOSEF
713 760 * NOTE:
714 761 * release per file audit resources when file structure is being released.
715 762 *
716 763 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 764 * on the audit queue if it becomes full. This means
718 765 * audit_closef can not be called when f_count == 0. Since
719 766 * f_count == 0 indicates the file structure is free, another
720 767 * process could attempt to use the file while we were still
721 768 * asleep waiting on the audit queue. This would cause the
722 769 * per file audit data to be corrupted when we finally do
723 770 * wakeup.
724 771 * TODO:
725 772 * QUESTION:
726 773 */
727 774
728 775 void
729 776 audit_closef(struct file *fp)
730 777 {
731 778 f_audit_data_t *fad;
732 779 t_audit_data_t *tad;
733 780 int success;
734 781 au_state_t estate;
735 782 struct vnode *vp;
736 783 token_t *ad = NULL;
737 784 struct vattr attr;
738 785 au_emod_t evmod = 0;
739 786 const auditinfo_addr_t *ainfo;
740 787 cred_t *cr;
741 788 au_kcontext_t *kctx = GET_KCTX_PZ;
742 789 uint32_t auditing;
743 790 boolean_t audit_attr = B_FALSE;
744 791
745 792 fad = F2A(fp);
746 793 estate = kctx->auk_ets[AUE_CLOSE];
747 794 tad = U2A(u);
748 795 cr = CRED();
749 796
750 797 /* audit record already generated by system call envelope */
751 798 if (tad->tad_event == AUE_CLOSE) {
752 799 /* so close audit event will have bits set */
753 800 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754 801 return;
755 802 }
756 803
757 804 /* if auditing not enabled, then don't generate an audit record */
758 805 auditing = (tad->tad_audit == AUC_UNSET) ?
759 806 kctx->auk_auditstate : tad->tad_audit;
760 807 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761 808 return;
762 809
763 810 ainfo = crgetauinfo(cr);
764 811 if (ainfo == NULL)
765 812 return;
766 813
767 814 success = ainfo->ai_mask.as_success & estate;
768 815
769 816 /* not selected for this event */
770 817 if (success == 0)
771 818 return;
772 819
773 820 /*
774 821 * can't use audit_attributes here since we use a private audit area
775 822 * to build the audit record instead of the one off the thread.
776 823 */
777 824 if ((vp = fp->f_vnode) != NULL) {
778 825 attr.va_mask = AT_ALL;
779 826 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780 827 if ((fp->f_flag & FWRITE) == 0 &&
781 828 object_is_public(&attr)) {
782 829 /*
783 830 * When write was not used and the file can be
784 831 * considered public, then skip the audit.
785 832 */
786 833 return;
787 834 }
788 835 audit_attr = B_TRUE;
789 836 }
790 837 }
791 838
792 839 evmod = (au_emod_t)fad->fad_flags;
793 840 if (fad->fad_aupath != NULL) {
794 841 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795 842 } else {
796 843 #ifdef _LP64
797 844 au_write((caddr_t *)&(ad), au_to_arg64(
798 845 1, "no path: fp", (uint64_t)fp));
799 846 #else
800 847 au_write((caddr_t *)&(ad), au_to_arg32(
801 848 1, "no path: fp", (uint32_t)fp));
802 849 #endif
803 850 }
804 851
805 852 if (audit_attr) {
806 853 au_write((caddr_t *)&(ad), au_to_attr(&attr));
807 854 audit_sec_attributes((caddr_t *)&(ad), vp);
808 855 }
809 856
810 857 /* Add subject information */
811 858 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812 859
813 860 /* add a return token */
814 861 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815 862
816 863 AS_INC(as_generated, 1, kctx);
817 864 AS_INC(as_kernel, 1, kctx);
818 865
819 866 /*
820 867 * Close up everything
821 868 * Note: path space recovery handled by normal system
822 869 * call envelope if not at last close.
823 870 * Note there is no failure at this point since
824 871 * this represents closes due to exit of process,
825 872 * thus we always indicate successful closes.
826 873 */
827 874 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828 875 AUE_CLOSE, evmod, NULL);
829 876 }
830 877
831 878 /*
832 879 * ROUTINE: AUDIT_SET
833 880 * PURPOSE: Audit the file path and file attributes.
834 881 * CALLBY: SETF
835 882 * NOTE: SETF associate a file pointer with user area's open files.
836 883 * TODO:
837 884 * call audit_finish directly ???
838 885 * QUESTION:
839 886 */
840 887
841 888 /*ARGSUSED*/
842 889 void
843 890 audit_setf(file_t *fp, int fd)
844 891 {
845 892 f_audit_data_t *fad;
846 893 t_audit_data_t *tad;
847 894
848 895 if (fp == NULL)
849 896 return;
850 897
851 898 tad = T2A(curthread);
852 899 fad = F2A(fp);
853 900
854 901 if (!(tad->tad_scid == SYS_open ||
855 902 tad->tad_scid == SYS_open64 ||
856 903 tad->tad_scid == SYS_openat ||
857 904 tad->tad_scid == SYS_openat64))
858 905 return;
859 906
860 907 /* no path */
861 908 if (tad->tad_aupath == 0)
862 909 return;
863 910
864 911 /*
865 912 * assign path information associated with file audit data
866 913 * use tad hold
867 914 */
868 915 fad->fad_aupath = tad->tad_aupath;
869 916 tad->tad_aupath = NULL;
870 917
871 918 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872 919 /* adjust event type by dropping the 'creat' part */
873 920 switch (tad->tad_event) {
874 921 case AUE_OPEN_RC:
875 922 tad->tad_event = AUE_OPEN_R;
876 923 tad->tad_ctrl |= TAD_PUBLIC_EV;
877 924 break;
878 925 case AUE_OPEN_RTC:
879 926 tad->tad_event = AUE_OPEN_RT;
880 927 break;
881 928 case AUE_OPEN_WC:
882 929 tad->tad_event = AUE_OPEN_W;
883 930 break;
884 931 case AUE_OPEN_WTC:
885 932 tad->tad_event = AUE_OPEN_WT;
886 933 break;
887 934 case AUE_OPEN_RWC:
888 935 tad->tad_event = AUE_OPEN_RW;
889 936 break;
890 937 case AUE_OPEN_RWTC:
891 938 tad->tad_event = AUE_OPEN_RWT;
892 939 break;
893 940 default:
894 941 break;
895 942 }
896 943 }
897 944 }
898 945
899 946
900 947 void
901 948 audit_ipc(int type, int id, void *vp)
902 949 {
903 950 /* if not auditing this event, then do nothing */
904 951 if (ad_flag == 0)
905 952 return;
906 953
907 954 switch (type) {
908 955 case AT_IPC_MSG:
909 956 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910 957 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911 958 break;
912 959 case AT_IPC_SEM:
913 960 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914 961 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915 962 break;
916 963 case AT_IPC_SHM:
917 964 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918 965 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919 966 break;
920 967 }
921 968 }
922 969
923 970 void
924 971 audit_ipcget(int type, void *vp)
925 972 {
926 973 /* if not auditing this event, then do nothing */
927 974 if (ad_flag == 0)
928 975 return;
929 976
930 977 switch (type) {
931 978 case NULL:
932 979 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933 980 break;
934 981 case AT_IPC_MSG:
935 982 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936 983 break;
937 984 case AT_IPC_SEM:
938 985 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939 986 break;
940 987 case AT_IPC_SHM:
941 988 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942 989 break;
943 990 }
944 991 }
945 992
946 993 /*
947 994 * ROUTINE: AUDIT_REBOOT
948 995 * PURPOSE:
949 996 * CALLBY:
950 997 * NOTE:
951 998 * At this point we know that the system call reboot will not return. We thus
952 999 * have to complete the audit record generation and put it onto the queue.
953 1000 * This might be fairly useless if the auditing daemon is already dead....
954 1001 * TODO:
955 1002 * QUESTION: who calls audit_reboot
956 1003 */
957 1004
958 1005 void
959 1006 audit_reboot(void)
960 1007 {
961 1008 int flag;
962 1009 t_audit_data_t *tad;
963 1010 au_kcontext_t *kctx = GET_KCTX_PZ;
964 1011
965 1012 tad = U2A(u);
966 1013
967 1014 /* if not auditing this event, then do nothing */
968 1015 if (tad->tad_flag == 0)
969 1016 return;
970 1017
971 1018 /* do preselection on success/failure */
972 1019 if (flag = audit_success(kctx, tad, 0, NULL)) {
973 1020 /* add a process token */
974 1021
975 1022 cred_t *cr = CRED();
976 1023 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977 1024
978 1025 if (ainfo == NULL)
979 1026 return;
980 1027
981 1028 /* Add subject information */
982 1029 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983 1030
984 1031 /* add a return token */
985 1032 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986 1033
987 1034 AS_INC(as_generated, 1, kctx);
988 1035 AS_INC(as_kernel, 1, kctx);
989 1036 }
990 1037
991 1038 /*
992 1039 * Flow control useless here since we're going
993 1040 * to drop everything in the queue anyway. Why
994 1041 * block and wait. There aint anyone left alive to
995 1042 * read the records remaining anyway.
996 1043 */
997 1044
998 1045 /* Close up everything */
999 1046 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000 1047 tad->tad_event, tad->tad_evmod, NULL);
1001 1048 }
1002 1049
1003 1050 void
1004 1051 audit_setfsat_path(int argnum)
1005 1052 {
1006 1053 klwp_id_t clwp = ttolwp(curthread);
1007 1054 struct file *fp;
1008 1055 uint32_t fd;
1009 1056 t_audit_data_t *tad;
1010 1057 struct f_audit_data *fad;
1011 1058 p_audit_data_t *pad; /* current process */
1012 1059 uint_t fm;
1013 1060 struct a {
1014 1061 long arg1;
1015 1062 long arg2;
1016 1063 long arg3;
1017 1064 long arg4;
1018 1065 long arg5;
1019 1066 } *uap;
1020 1067
1021 1068 if (clwp == NULL)
1022 1069 return;
1023 1070 uap = (struct a *)clwp->lwp_ap;
1024 1071
1025 1072 tad = U2A(u);
1026 1073 ASSERT(tad != NULL);
1027 1074
1028 1075 switch (tad->tad_scid) {
1029 1076 case SYS_faccessat:
1030 1077 case SYS_fchmodat:
1031 1078 case SYS_fchownat:
1032 1079 case SYS_fstatat:
1033 1080 case SYS_fstatat64:
1034 1081 case SYS_mkdirat:
1035 1082 case SYS_mknodat:
1036 1083 case SYS_openat:
1037 1084 case SYS_openat64:
1038 1085 case SYS_readlinkat:
1039 1086 case SYS_unlinkat:
1040 1087 fd = uap->arg1;
1041 1088 break;
1042 1089 case SYS_linkat:
1043 1090 case SYS_renameat:
1044 1091 if (argnum == 3)
1045 1092 fd = uap->arg3;
1046 1093 else
1047 1094 fd = uap->arg1;
1048 1095 break;
1049 1096 case SYS_symlinkat:
1050 1097 case SYS_utimesys:
1051 1098 fd = uap->arg2;
1052 1099 break;
1053 1100 case SYS_open:
1054 1101 case SYS_open64:
1055 1102 fd = AT_FDCWD;
1056 1103 break;
1057 1104 default:
1058 1105 return;
1059 1106 }
1060 1107
1061 1108 if (tad->tad_atpath != NULL) {
1062 1109 au_pathrele(tad->tad_atpath);
1063 1110 tad->tad_atpath = NULL;
1064 1111 }
1065 1112
1066 1113 if (fd != AT_FDCWD) {
1067 1114 tad->tad_ctrl |= TAD_ATCALL;
1068 1115
1069 1116 if (tad->tad_scid == SYS_openat ||
1070 1117 tad->tad_scid == SYS_openat64) {
1071 1118 fm = (uint_t)uap->arg3;
1072 1119 if (fm & (FXATTR | FXATTRDIROPEN)) {
1073 1120 tad->tad_ctrl |= TAD_ATTPATH;
1074 1121 }
1075 1122 }
1076 1123
1077 1124 if ((fp = getf(fd)) == NULL) {
1078 1125 tad->tad_ctrl |= TAD_NOPATH;
1079 1126 return;
1080 1127 }
1081 1128 fad = F2A(fp);
1082 1129 ASSERT(fad);
1083 1130 if (fad->fad_aupath == NULL) {
1084 1131 tad->tad_ctrl |= TAD_NOPATH;
1085 1132 releasef(fd);
1086 1133 return;
1087 1134 }
1088 1135 au_pathhold(fad->fad_aupath);
1089 1136 tad->tad_atpath = fad->fad_aupath;
1090 1137 releasef(fd);
1091 1138 } else {
1092 1139 if (tad->tad_scid == SYS_open ||
1093 1140 tad->tad_scid == SYS_open64) {
1094 1141 fm = (uint_t)uap->arg2;
1095 1142 if (fm & FXATTR) {
1096 1143 tad->tad_ctrl |= TAD_ATTPATH;
1097 1144 }
1098 1145 return;
1099 1146 }
1100 1147 pad = P2A(curproc);
1101 1148 mutex_enter(&pad->pad_lock);
1102 1149 au_pathhold(pad->pad_cwd);
1103 1150 tad->tad_atpath = pad->pad_cwd;
1104 1151 mutex_exit(&pad->pad_lock);
1105 1152 }
1106 1153 }
1107 1154
1108 1155 void
1109 1156 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 1157 {
1111 1158 t_audit_data_t *tad;
1112 1159 vnode_t *vp;
1113 1160
1114 1161 tad = U2A(u);
1115 1162
1116 1163 /* if not auditing this event, then do nothing */
1117 1164 if (tad->tad_flag == 0)
1118 1165 return;
1119 1166
1120 1167 au_uwrite(au_to_text(target));
1121 1168
1122 1169 if (error)
1123 1170 return;
1124 1171
1125 1172 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126 1173 NULL, NULL, NULL);
1127 1174 if (error == 0) {
1128 1175 audit_attributes(vp);
1129 1176 VN_RELE(vp);
1130 1177 }
1131 1178 }
1132 1179
1133 1180 /*
1134 1181 * ROUTINE: AUDIT_VNCREATE_START
1135 1182 * PURPOSE: set flag so path name lookup in create will not add attribute
1136 1183 * CALLBY: VN_CREATE
1137 1184 * NOTE:
1138 1185 * TODO:
1139 1186 * QUESTION:
1140 1187 */
1141 1188
1142 1189 void
1143 1190 audit_vncreate_start()
1144 1191 {
1145 1192 t_audit_data_t *tad;
1146 1193
1147 1194 tad = U2A(u);
1148 1195 tad->tad_ctrl |= TAD_NOATTRB;
1149 1196 }
1150 1197
1151 1198 /*
1152 1199 * ROUTINE: AUDIT_VNCREATE_FINISH
1153 1200 * PURPOSE:
1154 1201 * CALLBY: VN_CREATE
1155 1202 * NOTE:
1156 1203 * TODO:
1157 1204 * QUESTION:
1158 1205 */
1159 1206 void
1160 1207 audit_vncreate_finish(struct vnode *vp, int error)
1161 1208 {
1162 1209 t_audit_data_t *tad;
1163 1210
1164 1211 if (error)
1165 1212 return;
1166 1213
1167 1214 tad = U2A(u);
1168 1215
1169 1216 /* if not auditing this event, then do nothing */
1170 1217 if (tad->tad_flag == 0)
1171 1218 return;
1172 1219
1173 1220 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174 1221 audit_attributes(vp);
1175 1222 }
1176 1223
1177 1224 if (tad->tad_ctrl & TAD_CORE) {
1178 1225 audit_attributes(vp);
1179 1226 tad->tad_ctrl &= ~TAD_CORE;
1180 1227 }
1181 1228
1182 1229 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183 1230 (tad->tad_event == AUE_MKDIR))) {
1184 1231 audit_attributes(vp);
1185 1232 }
1186 1233
1187 1234 /* for case where multiple lookups in one syscall (rename) */
1188 1235 tad->tad_ctrl &= ~TAD_NOATTRB;
1189 1236 }
1190 1237
1191 1238
1192 1239
1193 1240
1194 1241
1195 1242
1196 1243
1197 1244
1198 1245 /*
1199 1246 * ROUTINE: AUDIT_EXEC
1200 1247 * PURPOSE: Records the function arguments and environment variables
1201 1248 * CALLBY: EXEC_ARGS
1202 1249 * NOTE:
1203 1250 * TODO:
1204 1251 * QUESTION:
1205 1252 */
1206 1253
1207 1254 void
1208 1255 audit_exec(
1209 1256 const char *argstr, /* argument strings */
1210 1257 const char *envstr, /* environment strings */
1211 1258 ssize_t argc, /* total # arguments */
1212 1259 ssize_t envc, /* total # environment variables */
1213 1260 cred_t *pfcred) /* the additional privileges in a profile */
1214 1261 {
1215 1262 t_audit_data_t *tad;
1216 1263 au_kcontext_t *kctx = GET_KCTX_PZ;
1217 1264
1218 1265 tad = U2A(u);
1219 1266
1220 1267 /* if not auditing this event, then do nothing */
1221 1268 if (!tad->tad_flag)
1222 1269 return;
1223 1270
1224 1271 if (pfcred != NULL) {
1225 1272 p_audit_data_t *pad;
1226 1273 cred_t *cr = CRED();
1227 1274 priv_set_t pset = CR_IPRIV(cr);
1228 1275
1229 1276 pad = P2A(curproc);
1230 1277
1231 1278 /* It's a different event. */
1232 1279 tad->tad_event = AUE_PFEXEC;
1233 1280
1234 1281 /* Add the current working directory to the audit trail. */
1235 1282 if (pad->pad_cwd != NULL)
1236 1283 au_uwrite(au_to_path(pad->pad_cwd));
1237 1284
1238 1285 /*
1239 1286 * The new credential is not yet in place when audit_exec
1240 1287 * is called.
1241 1288 * Compute the additional bits available in the new credential
1242 1289 * and the limit set.
1243 1290 */
1244 1291 priv_inverse(&pset);
1245 1292 priv_intersect(&CR_IPRIV(pfcred), &pset);
1246 1293 if (!priv_isemptyset(&pset) ||
1247 1294 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248 1295 au_uwrite(au_to_privset(
1249 1296 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250 1297 0));
1251 1298 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252 1299 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253 1300 }
1254 1301 /*
1255 1302 * Compare the uids & gids: create a process token if changed.
1256 1303 */
1257 1304 if (crgetuid(cr) != crgetuid(pfcred) ||
1258 1305 crgetruid(cr) != crgetruid(pfcred) ||
1259 1306 crgetgid(cr) != crgetgid(pfcred) ||
1260 1307 crgetrgid(cr) != crgetrgid(pfcred)) {
1261 1308 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262 1309 }
1263 1310 }
1264 1311
1265 1312 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266 1313 au_uwrite(au_to_exec_args(argstr, argc));
1267 1314
1268 1315 if (kctx->auk_policy & AUDIT_ARGE)
1269 1316 au_uwrite(au_to_exec_env(envstr, envc));
1270 1317 }
1271 1318
1272 1319 /*
1273 1320 * ROUTINE: AUDIT_ENTERPROM
1274 1321 * PURPOSE:
1275 1322 * CALLBY: KBDINPUT
1276 1323 * ZSA_XSINT
1277 1324 * NOTE:
1278 1325 * TODO:
1279 1326 * QUESTION:
1280 1327 */
1281 1328 void
1282 1329 audit_enterprom(int flg)
1283 1330 {
1284 1331 token_t *rp = NULL;
1285 1332 int sorf;
1286 1333
1287 1334 if (flg)
1288 1335 sorf = AUM_SUCC;
1289 1336 else
1290 1337 sorf = AUM_FAIL;
1291 1338
1292 1339 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293 1340
1294 1341 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295 1342
1296 1343 if (flg)
1297 1344 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298 1345 else
1299 1346 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300 1347
1301 1348 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 1349 }
1303 1350
1304 1351
1305 1352 /*
1306 1353 * ROUTINE: AUDIT_EXITPROM
1307 1354 * PURPOSE:
1308 1355 * CALLBY: KBDINPUT
1309 1356 * ZSA_XSINT
1310 1357 * NOTE:
1311 1358 * TODO:
1312 1359 * QUESTION:
1313 1360 */
1314 1361 void
1315 1362 audit_exitprom(int flg)
1316 1363 {
1317 1364 int sorf;
1318 1365 token_t *rp = NULL;
1319 1366
1320 1367 if (flg)
1321 1368 sorf = AUM_SUCC;
1322 1369 else
1323 1370 sorf = AUM_FAIL;
1324 1371
1325 1372 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326 1373
1327 1374 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328 1375
1329 1376 if (flg)
1330 1377 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331 1378 else
1332 1379 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333 1380
1334 1381 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 1382 }
1336 1383
1337 1384 struct fcntla {
1338 1385 int fdes;
1339 1386 int cmd;
1340 1387 intptr_t arg;
1341 1388 };
1342 1389
1343 1390
1344 1391 /*
1345 1392 * ROUTINE: AUDIT_CHDIREC
1346 1393 * PURPOSE:
1347 1394 * CALLBY: CHDIREC
1348 1395 * NOTE: The main function of CHDIREC
1349 1396 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350 1397 * QUESTION:
1351 1398 */
1352 1399
1353 1400 /*ARGSUSED*/
1354 1401 void
1355 1402 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 1403 {
1357 1404 int chdir;
1358 1405 int fchdir;
1359 1406 struct audit_path **appp;
1360 1407 struct file *fp;
1361 1408 f_audit_data_t *fad;
1362 1409 p_audit_data_t *pad = P2A(curproc);
1363 1410 t_audit_data_t *tad = T2A(curthread);
1364 1411
1365 1412 struct a {
1366 1413 long fd;
1367 1414 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368 1415
1369 1416 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370 1417 chdir = tad->tad_scid == SYS_chdir;
1371 1418 if (tad->tad_aupath) {
1372 1419 mutex_enter(&pad->pad_lock);
1373 1420 if (chdir)
1374 1421 appp = &(pad->pad_cwd);
1375 1422 else
1376 1423 appp = &(pad->pad_root);
1377 1424 au_pathrele(*appp);
1378 1425 /* use tad hold */
1379 1426 *appp = tad->tad_aupath;
1380 1427 tad->tad_aupath = NULL;
1381 1428 mutex_exit(&pad->pad_lock);
1382 1429 }
1383 1430 } else if ((tad->tad_scid == SYS_fchdir) ||
1384 1431 (tad->tad_scid == SYS_fchroot)) {
1385 1432 fchdir = tad->tad_scid == SYS_fchdir;
1386 1433 if ((fp = getf(uap->fd)) == NULL)
1387 1434 return;
1388 1435 fad = F2A(fp);
1389 1436 if (fad->fad_aupath) {
1390 1437 au_pathhold(fad->fad_aupath);
1391 1438 mutex_enter(&pad->pad_lock);
1392 1439 if (fchdir)
1393 1440 appp = &(pad->pad_cwd);
1394 1441 else
1395 1442 appp = &(pad->pad_root);
1396 1443 au_pathrele(*appp);
1397 1444 *appp = fad->fad_aupath;
1398 1445 mutex_exit(&pad->pad_lock);
1399 1446 if (tad->tad_flag) {
1400 1447 au_uwrite(au_to_path(fad->fad_aupath));
1401 1448 audit_attributes(fp->f_vnode);
1402 1449 }
1403 1450 }
1404 1451 releasef(uap->fd);
1405 1452 }
1406 1453 }
1407 1454
1408 1455
1409 1456 /*
1410 1457 * Audit hook for stream based socket and tli request.
1411 1458 * Note that we do not have user context while executing
1412 1459 * this code so we had to record them earlier during the
1413 1460 * putmsg/getmsg to figure out which user we are dealing with.
1414 1461 */
1415 1462
1416 1463 /*ARGSUSED*/
1417 1464 void
1418 1465 audit_sock(
1419 1466 int type, /* type of tihdr.h header requests */
1420 1467 queue_t *q, /* contains the process and thread audit data */
1421 1468 mblk_t *mp, /* contains the tihdr.h header structures */
1422 1469 int from) /* timod or sockmod request */
1423 1470 {
1424 1471 int32_t len;
1425 1472 int32_t offset;
1426 1473 struct sockaddr_in *sock_data;
1427 1474 struct T_conn_req *conn_req;
1428 1475 struct T_conn_ind *conn_ind;
1429 1476 struct T_unitdata_req *unitdata_req;
1430 1477 struct T_unitdata_ind *unitdata_ind;
1431 1478 au_state_t estate;
1432 1479 t_audit_data_t *tad;
1433 1480 caddr_t saved_thread_ptr;
1434 1481 au_mask_t amask;
1435 1482 const auditinfo_addr_t *ainfo;
1436 1483 au_kcontext_t *kctx;
1437 1484
1438 1485 if (q->q_stream == NULL)
1439 1486 return;
1440 1487 mutex_enter(&q->q_stream->sd_lock);
1441 1488 /* are we being audited */
1442 1489 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443 1490 /* no pointer to thread, nothing to do */
1444 1491 if (saved_thread_ptr == NULL) {
1445 1492 mutex_exit(&q->q_stream->sd_lock);
1446 1493 return;
1447 1494 }
1448 1495 /* only allow one addition of a record token */
1449 1496 q->q_stream->sd_t_audit_data = NULL;
1450 1497 /*
1451 1498 * thread is not the one being audited, then nothing to do
1452 1499 * This could be the stream thread handling the module
1453 1500 * service routine. In this case, the context for the audit
1454 1501 * record can no longer be assumed. Simplest to just drop
1455 1502 * the operation.
1456 1503 */
1457 1504 if (curthread != (kthread_id_t)saved_thread_ptr) {
1458 1505 mutex_exit(&q->q_stream->sd_lock);
1459 1506 return;
1460 1507 }
1461 1508 if (curthread->t_sysnum >= SYS_so_socket &&
1462 1509 curthread->t_sysnum <= SYS_sockconfig) {
1463 1510 mutex_exit(&q->q_stream->sd_lock);
1464 1511 return;
1465 1512 }
1466 1513 mutex_exit(&q->q_stream->sd_lock);
1467 1514 /*
1468 1515 * we know that the thread that did the put/getmsg is the
1469 1516 * one running. Now we can get the TAD and see if we should
1470 1517 * add an audit token.
1471 1518 */
1472 1519 tad = U2A(u);
1473 1520
1474 1521 kctx = GET_KCTX_PZ;
1475 1522
1476 1523 /* proceed ONLY if user is being audited */
1477 1524 if (!tad->tad_flag)
1478 1525 return;
1479 1526
1480 1527 ainfo = crgetauinfo(CRED());
1481 1528 if (ainfo == NULL)
1482 1529 return;
1483 1530 amask = ainfo->ai_mask;
1484 1531
1485 1532 /*
1486 1533 * Figure out the type of stream networking request here.
1487 1534 * Note that getmsg and putmsg are always preselected
1488 1535 * because during the beginning of the system call we have
1489 1536 * not yet figure out which of the socket or tli request
1490 1537 * we are looking at until we are here. So we need to check
1491 1538 * against that specific request and reset the type of event.
1492 1539 */
1493 1540 switch (type) {
1494 1541 case T_CONN_REQ: /* connection request */
1495 1542 conn_req = (struct T_conn_req *)mp->b_rptr;
1496 1543 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497 1544 return;
1498 1545 offset = conn_req->DEST_offset;
1499 1546 len = conn_req->DEST_length;
1500 1547 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501 1548 if (amask.as_success & estate || amask.as_failure & estate) {
1502 1549 tad->tad_event = AUE_SOCKCONNECT;
1503 1550 break;
1504 1551 } else {
1505 1552 return;
1506 1553 }
1507 1554 case T_CONN_IND: /* connectionless receive request */
1508 1555 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509 1556 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510 1557 return;
1511 1558 offset = conn_ind->SRC_offset;
1512 1559 len = conn_ind->SRC_length;
1513 1560 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514 1561 if (amask.as_success & estate || amask.as_failure & estate) {
1515 1562 tad->tad_event = AUE_SOCKACCEPT;
1516 1563 break;
1517 1564 } else {
1518 1565 return;
1519 1566 }
1520 1567 case T_UNITDATA_REQ: /* connectionless send request */
1521 1568 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522 1569 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523 1570 return;
1524 1571 offset = unitdata_req->DEST_offset;
1525 1572 len = unitdata_req->DEST_length;
1526 1573 estate = kctx->auk_ets[AUE_SOCKSEND];
1527 1574 if (amask.as_success & estate || amask.as_failure & estate) {
1528 1575 tad->tad_event = AUE_SOCKSEND;
1529 1576 break;
1530 1577 } else {
1531 1578 return;
1532 1579 }
1533 1580 case T_UNITDATA_IND: /* connectionless receive request */
1534 1581 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535 1582 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536 1583 return;
1537 1584 offset = unitdata_ind->SRC_offset;
1538 1585 len = unitdata_ind->SRC_length;
1539 1586 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540 1587 if (amask.as_success & estate || amask.as_failure & estate) {
1541 1588 tad->tad_event = AUE_SOCKRECEIVE;
1542 1589 break;
1543 1590 } else {
1544 1591 return;
1545 1592 }
1546 1593 default:
1547 1594 return;
1548 1595 }
1549 1596
1550 1597 /*
1551 1598 * we are only interested in tcp stream connections,
1552 1599 * not unix domain stuff
1553 1600 */
1554 1601 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555 1602 tad->tad_event = AUE_GETMSG;
1556 1603 return;
1557 1604 }
1558 1605 /* skip over TPI header and point to the ip address */
1559 1606 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560 1607
1561 1608 switch (sock_data->sin_family) {
1562 1609 case AF_INET:
1563 1610 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564 1611 break;
1565 1612 default: /* reset to AUE_PUTMSG if not a inet request */
1566 1613 tad->tad_event = AUE_GETMSG;
1567 1614 break;
1568 1615 }
1569 1616 }
1570 1617
1571 1618
1572 1619 static void
1573 1620 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 1621 {
1575 1622 unsigned int sy_flags;
1576 1623
1577 1624 #ifdef _SYSCALL32_IMPL
1578 1625 /*
1579 1626 * Guard against t_lwp being NULL when this function is called
1580 1627 * from a kernel queue instead of from a direct system call.
1581 1628 * In that case, assume the running kernel data model.
1582 1629 */
1583 1630 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 1631 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 1632 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 1633 else
1587 1634 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 1635 #else
1589 1636 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 1637 #endif
1591 1638
1592 1639 if (sy_flags == SE_64RVAL)
1593 1640 au_write(ad, au_to_return64(err, rval));
1594 1641 else
1595 1642 au_write(ad, au_to_return32(err, rval));
1596 1643
1597 1644 }
1598 1645
1599 1646 /*ARGSUSED*/
1600 1647 void
1601 1648 audit_fdsend(int fd, struct file *fp, int error)
1602 1649 {
1603 1650 t_audit_data_t *tad; /* current thread */
1604 1651 f_audit_data_t *fad; /* per file audit structure */
1605 1652 struct vnode *vp; /* for file attributes */
1606 1653
1607 1654 /* is this system call being audited */
1608 1655 tad = U2A(u);
1609 1656 ASSERT(tad != (t_audit_data_t *)0);
1610 1657 if (!tad->tad_flag)
1611 1658 return;
1612 1659
1613 1660 fad = F2A(fp);
1614 1661
1615 1662 /* add path and file attributes */
1616 1663 if (fad != NULL && fad->fad_aupath != NULL) {
1617 1664 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1618 1665 au_uwrite(au_to_path(fad->fad_aupath));
1619 1666 } else {
1620 1667 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 1668 #ifdef _LP64
1622 1669 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1623 1670 #else
1624 1671 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1625 1672 #endif
1626 1673 }
1627 1674 vp = fp->f_vnode; /* include vnode attributes */
1628 1675 audit_attributes(vp);
1629 1676 }
1630 1677
1631 1678 /*
1632 1679 * Record privileges successfully used and we attempted to use but
1633 1680 * didn't have.
1634 1681 */
1635 1682 void
1636 1683 audit_priv(int priv, const priv_set_t *set, int flag)
1637 1684 {
1638 1685 t_audit_data_t *tad;
1639 1686 int sbit;
1640 1687 priv_set_t *target;
1641 1688
1642 1689 /* Make sure this isn't being called in an interrupt context */
1643 1690 ASSERT(servicing_interrupt() == 0);
1644 1691
1645 1692 tad = U2A(u);
1646 1693
1647 1694 if (tad->tad_flag == 0)
1648 1695 return;
1649 1696
1650 1697 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1651 1698 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1652 1699
1653 1700 /* Tell audit_success() and audit_finish() that we saw this case */
1654 1701 if (!(tad->tad_evmod & sbit)) {
1655 1702 /* Clear set first time around */
1656 1703 priv_emptyset(target);
1657 1704 tad->tad_evmod |= sbit;
1658 1705 }
1659 1706
1660 1707 /* Save the privileges in the tad */
1661 1708 if (priv == PRIV_ALL) {
1662 1709 priv_fillset(target);
1663 1710 } else {
1664 1711 ASSERT(set != NULL || priv != PRIV_NONE);
1665 1712 if (set != NULL)
1666 1713 priv_union(set, target);
1667 1714 if (priv != PRIV_NONE)
1668 1715 priv_addset(target, priv);
1669 1716 }
1670 1717 }
1671 1718
1672 1719 /*
1673 1720 * Audit the psecflags() system call; the set name, current value, and delta
1674 1721 * are put in the audit trail.
1675 1722 */
1676 1723 void
1677 1724 audit_psecflags(proc_t *p,
1678 1725 psecflagwhich_t which,
1679 1726 const secflagdelta_t *psd)
1680 1727 {
1681 1728 t_audit_data_t *tad;
1682 1729 secflagset_t new;
1683 1730 const secflagset_t *old;
1684 1731 const char *s;
1685 1732 cred_t *cr;
1686 1733 pid_t pid;
1687 1734 const auditinfo_addr_t *ainfo;
1688 1735 const psecflags_t *psec = &p->p_secflags;
1689 1736
1690 1737 tad = U2A(u);
1691 1738
1692 1739 if (tad->tad_flag == 0)
1693 1740 return;
1694 1741
1695 1742 switch (which) {
1696 1743 case PSF_EFFECTIVE:
1697 1744 s = "effective";
1698 1745 old = &psec->psf_effective;
1699 1746 break;
1700 1747 case PSF_INHERIT:
1701 1748 s = "inherit";
1702 1749 old = &psec->psf_inherit;
1703 1750 break;
1704 1751 case PSF_LOWER:
1705 1752 s = "lower";
1706 1753 old = &psec->psf_lower;
1707 1754 break;
1708 1755 case PSF_UPPER:
1709 1756 s = "upper";
1710 1757 old = &psec->psf_upper;
1711 1758 break;
1712 1759 }
1713 1760
1714 1761 secflags_copy(&new, old);
1715 1762 secflags_apply_delta(&new, psd);
1716 1763
1717 1764 au_uwrite(au_to_secflags(s, *old));
1718 1765 au_uwrite(au_to_secflags(s, new));
1719 1766
1720 1767 ASSERT(mutex_owned(&p->p_lock));
1721 1768 mutex_enter(&p->p_crlock);
1722 1769
1723 1770 pid = p->p_pid;
1724 1771 crhold(cr = p->p_cred);
1725 1772 mutex_exit(&p->p_crlock);
1726 1773
1727 1774 if ((ainfo = crgetauinfo(cr)) == NULL) {
1728 1775 crfree(cr);
1729 1776 return;
1730 1777 }
1731 1778
1732 1779 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733 1780
1734 1781 crfree(cr);
1735 1782 }
1736 1783
1737 1784 /*
1738 1785 * Audit the setpriv() system call; the operation, the set name and
1739 1786 * the current value as well as the set argument are put in the
1740 1787 * audit trail.
1741 1788 */
1742 1789 void
1743 1790 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1744 1791 {
1745 1792 t_audit_data_t *tad;
1746 1793 const priv_set_t *oldpriv;
1747 1794 priv_set_t report;
1748 1795 const char *setname;
1749 1796
1750 1797 tad = U2A(u);
1751 1798
1752 1799 if (tad->tad_flag == 0)
1753 1800 return;
1754 1801
1755 1802 oldpriv = priv_getset(ocr, set);
1756 1803
1757 1804 /* Generate the actual record, include the before and after */
1758 1805 au_uwrite(au_to_arg32(2, "op", op));
1759 1806 setname = priv_getsetbynum(set);
1760 1807
1761 1808 switch (op) {
1762 1809 case PRIV_OFF:
1763 1810 /* Report privileges actually switched off */
1764 1811 report = *oldpriv;
1765 1812 priv_intersect(newpriv, &report);
1766 1813 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1767 1814 break;
1768 1815 case PRIV_ON:
1769 1816 /* Report privileges actually switched on */
1770 1817 report = *oldpriv;
1771 1818 priv_inverse(&report);
1772 1819 priv_intersect(newpriv, &report);
1773 1820 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1774 1821 break;
1775 1822 case PRIV_SET:
1776 1823 /* Report before and after */
1777 1824 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1778 1825 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1779 1826 break;
1780 1827 }
1781 1828 }
1782 1829
1783 1830 /*
1784 1831 * Dump the full device policy setting in the audit trail.
1785 1832 */
1786 1833 void
1787 1834 audit_devpolicy(int nitems, const devplcysys_t *items)
1788 1835 {
1789 1836 t_audit_data_t *tad;
1790 1837 int i;
1791 1838
1792 1839 tad = U2A(u);
1793 1840
1794 1841 if (tad->tad_flag == 0)
1795 1842 return;
1796 1843
1797 1844 for (i = 0; i < nitems; i++) {
1798 1845 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1799 1846 if (items[i].dps_minornm[0] == '\0') {
1800 1847 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1801 1848 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1802 1849 } else
1803 1850 au_uwrite(au_to_text(items[i].dps_minornm));
1804 1851
1805 1852 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1806 1853 AUT_PRIV, 0));
1807 1854 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1808 1855 AUT_PRIV, 0));
1809 1856 }
1810 1857 }
1811 1858
1812 1859 /*ARGSUSED*/
1813 1860 void
1814 1861 audit_fdrecv(int fd, struct file *fp)
1815 1862 {
1816 1863 t_audit_data_t *tad; /* current thread */
1817 1864 f_audit_data_t *fad; /* per file audit structure */
1818 1865 struct vnode *vp; /* for file attributes */
1819 1866
1820 1867 /* is this system call being audited */
1821 1868 tad = U2A(u);
1822 1869 ASSERT(tad != (t_audit_data_t *)0);
1823 1870 if (!tad->tad_flag)
1824 1871 return;
1825 1872
1826 1873 fad = F2A(fp);
1827 1874
1828 1875 /* add path and file attributes */
1829 1876 if (fad != NULL && fad->fad_aupath != NULL) {
1830 1877 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1831 1878 au_uwrite(au_to_path(fad->fad_aupath));
1832 1879 } else {
1833 1880 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1834 1881 #ifdef _LP64
1835 1882 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1836 1883 #else
1837 1884 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1838 1885 #endif
1839 1886 }
1840 1887 vp = fp->f_vnode; /* include vnode attributes */
1841 1888 audit_attributes(vp);
1842 1889 }
1843 1890
1844 1891 /*
1845 1892 * ROUTINE: AUDIT_CRYPTOADM
1846 1893 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1847 1894 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1848 1895 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1849 1896 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1850 1897 * CRYPTO_LOAD_DOOR
1851 1898 * NOTE:
1852 1899 * TODO:
1853 1900 * QUESTION:
1854 1901 */
1855 1902
1856 1903 void
1857 1904 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1858 1905 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1859 1906 {
1860 1907 boolean_t mech_list_required = B_FALSE;
1861 1908 cred_t *cr = CRED();
1862 1909 t_audit_data_t *tad;
1863 1910 token_t *ad = NULL;
1864 1911 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1865 1912 char buffer[MAXNAMELEN * 2];
1866 1913 au_kcontext_t *kctx = GET_KCTX_PZ;
1867 1914
1868 1915 tad = U2A(u);
1869 1916 if (tad == NULL)
1870 1917 return;
1871 1918
1872 1919 if (ainfo == NULL)
1873 1920 return;
1874 1921
1875 1922 tad->tad_event = AUE_CRYPTOADM;
1876 1923
1877 1924 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1878 1925 return;
1879 1926
1880 1927 /* Add subject information */
1881 1928 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1882 1929
1883 1930 switch (cmd) {
1884 1931 case CRYPTO_LOAD_DEV_DISABLED:
1885 1932 if (error == 0 && rv == CRYPTO_SUCCESS) {
1886 1933 (void) snprintf(buffer, sizeof (buffer),
1887 1934 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1888 1935 " dev_instance=%d",
1889 1936 module_name, device_instance);
1890 1937 mech_list_required = B_TRUE;
1891 1938 } else {
1892 1939 (void) snprintf(buffer, sizeof (buffer),
1893 1940 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1894 1941 }
1895 1942 break;
1896 1943
1897 1944 case CRYPTO_LOAD_SOFT_DISABLED:
1898 1945 if (error == 0 && rv == CRYPTO_SUCCESS) {
1899 1946 (void) snprintf(buffer, sizeof (buffer),
1900 1947 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1901 1948 module_name);
1902 1949 mech_list_required = B_TRUE;
1903 1950 } else {
1904 1951 (void) snprintf(buffer, sizeof (buffer),
1905 1952 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1906 1953 }
1907 1954 break;
1908 1955
1909 1956 case CRYPTO_UNLOAD_SOFT_MODULE:
1910 1957 if (error == 0 && rv == CRYPTO_SUCCESS) {
1911 1958 (void) snprintf(buffer, sizeof (buffer),
1912 1959 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1913 1960 module_name);
1914 1961 } else {
1915 1962 (void) snprintf(buffer, sizeof (buffer),
1916 1963 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1917 1964 }
1918 1965 break;
1919 1966
1920 1967 case CRYPTO_LOAD_SOFT_CONFIG:
1921 1968 if (error == 0 && rv == CRYPTO_SUCCESS) {
1922 1969 (void) snprintf(buffer, sizeof (buffer),
1923 1970 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1924 1971 module_name);
1925 1972 mech_list_required = B_TRUE;
1926 1973 } else {
1927 1974 (void) snprintf(buffer, sizeof (buffer),
1928 1975 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1929 1976 }
1930 1977 break;
1931 1978
1932 1979 case CRYPTO_POOL_CREATE:
1933 1980 (void) snprintf(buffer, sizeof (buffer),
1934 1981 "op=CRYPTO_POOL_CREATE");
1935 1982 break;
1936 1983
1937 1984 case CRYPTO_POOL_WAIT:
1938 1985 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1939 1986 break;
1940 1987
1941 1988 case CRYPTO_POOL_RUN:
1942 1989 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1943 1990 break;
1944 1991
1945 1992 case CRYPTO_LOAD_DOOR:
1946 1993 if (error == 0 && rv == CRYPTO_SUCCESS)
1947 1994 (void) snprintf(buffer, sizeof (buffer),
1948 1995 "op=CRYPTO_LOAD_DOOR");
1949 1996 else
1950 1997 (void) snprintf(buffer, sizeof (buffer),
1951 1998 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1952 1999 break;
1953 2000
1954 2001 case CRYPTO_FIPS140_SET:
1955 2002 (void) snprintf(buffer, sizeof (buffer),
1956 2003 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1957 2004 break;
1958 2005
1959 2006 default:
1960 2007 return;
1961 2008 }
1962 2009
1963 2010 au_write((caddr_t *)&ad, au_to_text(buffer));
1964 2011
1965 2012 if (mech_list_required) {
1966 2013 int i;
1967 2014
1968 2015 if (mech_count == 0) {
1969 2016 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1970 2017 } else {
1971 2018 char *pb = buffer;
1972 2019 size_t l = sizeof (buffer);
1973 2020 size_t n;
1974 2021 char space[2] = ":";
1975 2022
1976 2023 n = snprintf(pb, l, "mech=");
1977 2024
1978 2025 for (i = 0; i < mech_count; i++) {
1979 2026 pb += n;
1980 2027 l = (n >= l) ? 0 : l - n;
1981 2028
1982 2029 if (i == mech_count - 1)
1983 2030 (void) strcpy(space, "");
1984 2031
1985 2032 n = snprintf(pb, l, "%s%s", mech_names[i],
1986 2033 space);
1987 2034 }
1988 2035 au_write((caddr_t *)&ad, au_to_text(buffer));
1989 2036 }
1990 2037 }
1991 2038
1992 2039 /* add a return token */
1993 2040 if (error || (rv != CRYPTO_SUCCESS))
1994 2041 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1995 2042 else
1996 2043 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1997 2044
1998 2045 AS_INC(as_generated, 1, kctx);
1999 2046 AS_INC(as_kernel, 1, kctx);
2000 2047
2001 2048 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2002 2049 NULL);
2003 2050 }
2004 2051
2005 2052 /*
2006 2053 * Audit the kernel SSL administration command. The address and the
2007 2054 * port number for the SSL instance, and the proxy port are put in the
2008 2055 * audit trail.
2009 2056 */
2010 2057 void
2011 2058 audit_kssl(int cmd, void *params, int error)
2012 2059 {
2013 2060 cred_t *cr = CRED();
2014 2061 t_audit_data_t *tad;
2015 2062 token_t *ad = NULL;
2016 2063 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
2017 2064 au_kcontext_t *kctx = GET_KCTX_PZ;
2018 2065
2019 2066 tad = U2A(u);
2020 2067
2021 2068 if (ainfo == NULL)
2022 2069 return;
2023 2070
2024 2071 tad->tad_event = AUE_CONFIGKSSL;
2025 2072
2026 2073 if (audit_success(kctx, tad, error, NULL) != AU_OK)
2027 2074 return;
2028 2075
2029 2076 /* Add subject information */
2030 2077 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2031 2078
2032 2079 switch (cmd) {
2033 2080 case KSSL_ADD_ENTRY: {
2034 2081 char buf[32];
2035 2082 kssl_params_t *kp = (kssl_params_t *)params;
2036 2083 struct sockaddr_in6 *saddr = &kp->kssl_addr;
2037 2084
2038 2085 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2039 2086 au_write((caddr_t *)&ad,
2040 2087 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2041 2088 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2042 2089 saddr->sin6_port);
2043 2090 au_write((caddr_t *)&ad, au_to_text(buf));
2044 2091
2045 2092 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
2046 2093 kp->kssl_proxy_port);
2047 2094 au_write((caddr_t *)&ad, au_to_text(buf));
2048 2095 break;
2049 2096 }
2050 2097
2051 2098 case KSSL_DELETE_ENTRY: {
2052 2099 char buf[32];
2053 2100 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2054 2101
2055 2102 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2056 2103 au_write((caddr_t *)&ad,
2057 2104 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2058 2105 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2059 2106 saddr->sin6_port);
2060 2107 au_write((caddr_t *)&ad, au_to_text(buf));
2061 2108 break;
2062 2109 }
2063 2110
2064 2111 default:
2065 2112 return;
2066 2113 }
2067 2114
2068 2115 /* add a return token */
2069 2116 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2070 2117
2071 2118 AS_INC(as_generated, 1, kctx);
2072 2119 AS_INC(as_kernel, 1, kctx);
2073 2120
2074 2121 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2075 2122 NULL);
2076 2123 }
2077 2124
2078 2125 /*
2079 2126 * Audit the kernel PF_POLICY administration commands. Record command,
2080 2127 * zone, policy type (global or tunnel, active or inactive)
2081 2128 */
2082 2129 /*
2083 2130 * ROUTINE: AUDIT_PF_POLICY
2084 2131 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2085 2132 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2086 2133 * SPD_CLONE, SPD_FLIP
2087 2134 * NOTE:
2088 2135 * TODO:
2089 2136 * QUESTION:
2090 2137 */
2091 2138
2092 2139 void
2093 2140 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2094 2141 boolean_t active, int error, pid_t pid)
2095 2142 {
2096 2143 const auditinfo_addr_t *ainfo;
2097 2144 t_audit_data_t *tad;
2098 2145 token_t *ad = NULL;
2099 2146 au_kcontext_t *kctx = GET_KCTX_PZ;
2100 2147 char buf[80];
2101 2148 int flag;
2102 2149
2103 2150 tad = U2A(u);
2104 2151 if (tad == NULL)
2105 2152 return;
2106 2153
2107 2154 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2108 2155 if (ainfo == NULL)
2109 2156 return;
2110 2157
2111 2158 /*
2112 2159 * Initialize some variables since these are only set
2113 2160 * with system calls.
2114 2161 */
2115 2162
2116 2163 switch (cmd) {
2117 2164 case SPD_ADDRULE: {
2118 2165 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2119 2166 break;
2120 2167 }
2121 2168
2122 2169 case SPD_DELETERULE: {
2123 2170 tad->tad_event = AUE_PF_POLICY_DELRULE;
2124 2171 break;
2125 2172 }
2126 2173
2127 2174 case SPD_FLUSH: {
2128 2175 tad->tad_event = AUE_PF_POLICY_FLUSH;
2129 2176 break;
2130 2177 }
2131 2178
2132 2179 case SPD_UPDATEALGS: {
2133 2180 tad->tad_event = AUE_PF_POLICY_ALGS;
2134 2181 break;
2135 2182 }
2136 2183
2137 2184 case SPD_CLONE: {
2138 2185 tad->tad_event = AUE_PF_POLICY_CLONE;
2139 2186 break;
2140 2187 }
2141 2188
2142 2189 case SPD_FLIP: {
2143 2190 tad->tad_event = AUE_PF_POLICY_FLIP;
2144 2191 break;
2145 2192 }
2146 2193
2147 2194 default:
2148 2195 tad->tad_event = AUE_NULL;
2149 2196 }
2150 2197
2151 2198 tad->tad_evmod = 0;
2152 2199
2153 2200 if (flag = audit_success(kctx, tad, error, cred)) {
2154 2201 zone_t *nszone;
2155 2202
2156 2203 /*
2157 2204 * For now, just audit that an event happened,
2158 2205 * along with the error code.
2159 2206 */
2160 2207 au_write((caddr_t *)&ad,
2161 2208 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2162 2209 au_write((caddr_t *)&ad,
2163 2210 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2164 2211
2165 2212 /* Supplemental data */
2166 2213
2167 2214 /*
2168 2215 * Generate this zone token if the target zone differs
2169 2216 * from the administrative zone. If netstacks are expanded
2170 2217 * to something other than a 1-1 relationship with zones,
2171 2218 * the auditing framework should create a new token type
2172 2219 * and audit it as a netstack instead.
2173 2220 * Turn on general zone auditing to get the administrative zone.
2174 2221 */
2175 2222
2176 2223 nszone = zone_find_by_id(netstackid_to_zoneid(
2177 2224 ns->netstack_stackid));
2178 2225 if (nszone != NULL) {
2179 2226 if (strncmp(crgetzone(cred)->zone_name,
2180 2227 nszone->zone_name, ZONENAME_MAX) != 0) {
2181 2228 token_t *ztoken;
2182 2229
2183 2230 ztoken = au_to_zonename(0, nszone);
2184 2231 au_write((caddr_t *)&ad, ztoken);
2185 2232 }
2186 2233 zone_rele(nszone);
2187 2234 }
2188 2235
2189 2236 if (tun != NULL) {
2190 2237 /* write tunnel name - tun is bounded */
2191 2238 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2192 2239 tun);
2193 2240 au_write((caddr_t *)&ad, au_to_text(buf));
2194 2241 }
2195 2242
2196 2243 /* Add subject information */
2197 2244 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2198 2245 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2199 2246
2200 2247 /* add a return token */
2201 2248 add_return_token((caddr_t *)&ad, 0, error, 0);
2202 2249
2203 2250 AS_INC(as_generated, 1, kctx);
2204 2251 AS_INC(as_kernel, 1, kctx);
2205 2252
2206 2253 }
2207 2254 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2208 2255 NULL);
2209 2256
2210 2257 /*
2211 2258 * clear the ctrl flag so that we don't have spurious collection of
2212 2259 * audit information.
2213 2260 */
2214 2261 tad->tad_scid = 0;
2215 2262 tad->tad_event = 0;
2216 2263 tad->tad_evmod = 0;
2217 2264 tad->tad_ctrl = 0;
2218 2265 }
2219 2266
2220 2267 /*
2221 2268 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2222 2269 * PURPOSE: Add security attributes
2223 2270 * CALLBY: AUDIT_ATTRIBUTES
2224 2271 * AUDIT_CLOSEF
2225 2272 * AUS_CLOSE
2226 2273 * NOTE:
2227 2274 * TODO:
2228 2275 * QUESTION:
2229 2276 */
2230 2277
2231 2278 void
2232 2279 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2233 2280 {
2234 2281 /* Dump the SL */
2235 2282 if (is_system_labeled()) {
2236 2283 ts_label_t *tsl;
2237 2284 bslabel_t *bsl;
2238 2285
2239 2286 tsl = getflabel(vp);
2240 2287 if (tsl == NULL)
2241 2288 return; /* nothing else to do */
2242 2289
2243 2290 bsl = label2bslabel(tsl);
2244 2291 if (bsl == NULL)
2245 2292 return; /* nothing else to do */
2246 2293 au_write(ad, au_to_label(bsl));
2247 2294 label_rele(tsl);
2248 2295 }
2249 2296
2250 2297 } /* AUDIT_SEC_ATTRIBUTES */
|
↓ open down ↓ |
1532 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX