1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * This file contains the audit hook support code for auditing.
28 */
29
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h> /* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h> /* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h> /* needs to be included before user.h */
52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h> /* for model_t */
60 #include <sys/disp.h> /* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
66
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68
69 static void audit_pathbuild(struct pathname *pnp);
70
71
72 /*
73 * ROUTINE: AUDIT_SAVEPATH
74 * PURPOSE:
75 * CALLBY: LOOKUPPN
76 *
77 * NOTE: We have reached the end of a path in fs/lookup.c.
78 * We get two pieces of information here:
79 * the vnode of the last component (vp) and
80 * the status of the last access (flag).
81 * TODO:
82 * QUESTION:
83 */
84
85 /*ARGSUSED*/
86 int
87 audit_savepath(
88 struct pathname *pnp, /* pathname to lookup */
89 struct vnode *vp, /* vnode of the last component */
90 struct vnode *pvp, /* vnode of the last parent component */
91 int flag, /* status of the last access */
92 cred_t *cr) /* cred of requestor */
93 {
94
95 t_audit_data_t *tad; /* current thread */
96 au_kcontext_t *kctx = GET_KCTX_PZ;
97
98 tad = U2A(u);
99
100 /*
101 * Noise elimination in audit trails - this event will be discarded if:
102 * - the public policy is not active AND
103 * - the system call is a public operation AND
104 * - the file was not found: VFS lookup failed with ENOENT error AND
105 * - the missing file would have been located in the public directory
106 * owned by root if it had existed
107 */
108 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110 !(kctx->auk_policy & AUDIT_PUBLIC)) {
111 struct vattr attr;
112
113 attr.va_mask = AT_ALL;
114 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115 if (object_is_public(&attr)) {
116 tad->tad_ctrl |= TAD_NOAUDIT;
117 }
118 }
119 }
120
121 /*
122 * this event being audited or do we need path information
123 * later? This might be for a chdir/chroot or open (add path
124 * to file pointer. If the path has already been found for an
125 * open/creat then we don't need to process the path.
126 *
127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 * chroot, chdir, open, creat system call processing. It determines
129 * if audit_savepath() will discard the path or we need it later.
130 * TAD_PATHFND means path already included in this audit record. It
131 * is used in cases where multiple path lookups are done per
132 * system call. The policy flag, AUDIT_PATH, controls if multiple
133 * paths are allowed.
134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 * exit processing to inhibit any paths that may be added due to
136 * closes.
137 */
138 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139 ((tad->tad_ctrl & TAD_PATHFND) &&
140 !(kctx->auk_policy & AUDIT_PATH)) ||
141 (tad->tad_ctrl & TAD_NOPATH)) {
142 return (0);
143 }
144
145 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
146
147 audit_pathbuild(pnp);
148
149 /*
150 * are we auditing only if error, or if it is not open or create
151 * otherwise audit_setf will do it
152 */
153
154 if (tad->tad_flag) {
155 if (flag &&
156 (tad->tad_scid == SYS_open ||
157 tad->tad_scid == SYS_open64 ||
158 tad->tad_scid == SYS_openat ||
159 tad->tad_scid == SYS_openat64)) {
160 tad->tad_ctrl |= TAD_TRUE_CREATE;
161 }
162
163 /* add token to audit record for this name */
164 au_uwrite(au_to_path(tad->tad_aupath));
165
166 /* add the attributes of the object */
167 if (vp) {
168 /*
169 * only capture attributes when there is no error
170 * lookup will not return the vnode of the failing
171 * component.
172 *
173 * if there was a lookup error, then don't add
174 * attribute. if lookup in vn_create(),
175 * then don't add attribute,
176 * it will be added at end of vn_create().
177 */
178 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179 audit_attributes(vp);
180 }
181 }
182
183 /* free up space if we're not going to save path (open, creat) */
184 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185 if (tad->tad_aupath != NULL) {
186 au_pathrele(tad->tad_aupath);
187 tad->tad_aupath = NULL;
188 }
189 }
190 if (tad->tad_ctrl & TAD_MLD)
191 tad->tad_ctrl |= TAD_PATHFND;
192
193 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
194 return (0);
195 }
196
197 static void
198 audit_pathbuild(struct pathname *pnp)
199 {
200 char *pp; /* pointer to path */
201 int len; /* length of incoming segment */
202 int newsect; /* path requires a new section */
203 struct audit_path *pfxapp; /* prefix for path */
204 struct audit_path *newapp; /* new audit_path */
205 t_audit_data_t *tad; /* current thread */
206 p_audit_data_t *pad; /* current process */
207
208 tad = U2A(u);
209 ASSERT(tad != NULL);
210 pad = P2A(curproc);
211 ASSERT(pad != NULL);
212
213 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
214 ASSERT(len > 0);
215
216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 mutex_enter(&pad->pad_lock);
218 if (tad->tad_aupath != NULL) {
219 pfxapp = tad->tad_aupath;
220 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221 ASSERT(tad->tad_atpath != NULL);
222 pfxapp = tad->tad_atpath;
223 } else if (tad->tad_ctrl & TAD_ABSPATH) {
224 pfxapp = pad->pad_root;
225 } else {
226 pfxapp = pad->pad_cwd;
227 }
228 au_pathhold(pfxapp);
229 mutex_exit(&pad->pad_lock);
230
231 /* get an expanded buffer to hold the anchored path */
232 newsect = tad->tad_ctrl & TAD_ATTPATH;
233 newapp = au_pathdup(pfxapp, newsect, len);
234 au_pathrele(pfxapp);
235
236 pp = newapp->audp_sect[newapp->audp_cnt] - len;
237 if (!newsect) {
238 /* overlay previous NUL terminator */
239 *(pp - 1) = '/';
240 }
241
242 /* now add string of processed path */
243 bcopy(pnp->pn_buf, pp, len);
244 pp[len - 1] = '\0';
245
246 /* perform path simplification as necessary */
247 audit_fixpath(newapp, len);
248
249 if (tad->tad_aupath)
250 au_pathrele(tad->tad_aupath);
251 tad->tad_aupath = newapp;
252
253 /* for case where multiple lookups in one syscall (rename) */
254 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255 }
256
257
258 /*
259 * ROUTINE: AUDIT_ANCHORPATH
260 * PURPOSE:
261 * CALLBY: LOOKUPPN
262 * NOTE:
263 * anchor path at "/". We have seen a symbolic link or entering for the
264 * first time we will throw away any saved path if path is anchored.
265 *
266 * flag = 0, path is relative.
267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268 *
269 * If the (new) path is absolute, then we have to throw away whatever we have
270 * already accumulated since it is being superseded by new path which is
271 * anchored at the root.
272 * Note that if the path is relative, this function does nothing
273 * TODO:
274 * QUESTION:
275 */
276 /*ARGSUSED*/
277 void
278 audit_anchorpath(struct pathname *pnp, int flag)
279 {
280 au_kcontext_t *kctx = GET_KCTX_PZ;
281 t_audit_data_t *tad;
282
283 tad = U2A(u);
284
285 /*
286 * this event being audited or do we need path information
287 * later? This might be for a chdir/chroot or open (add path
288 * to file pointer. If the path has already been found for an
289 * open/creat then we don't need to process the path.
290 *
291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 * chroot, chdir, open, creat system call processing. It determines
293 * if audit_savepath() will discard the path or we need it later.
294 * TAD_PATHFND means path already included in this audit record. It
295 * is used in cases where multiple path lookups are done per
296 * system call. The policy flag, AUDIT_PATH, controls if multiple
297 * paths are allowed.
298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 * exit processing to inhibit any paths that may be added due to
300 * closes.
301 */
302 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303 ((tad->tad_ctrl & TAD_PATHFND) &&
304 !(kctx->auk_policy & AUDIT_PATH)) ||
305 (tad->tad_ctrl & TAD_NOPATH)) {
306 return;
307 }
308
309 if (flag) {
310 tad->tad_ctrl |= TAD_ABSPATH;
311 if (tad->tad_aupath != NULL) {
312 au_pathrele(tad->tad_aupath);
313 tad->tad_aupath = NULL;
314 }
315 }
316 }
317
318
319 /*
320 * symbolic link. Save previous components.
321 *
322 * the path seen so far looks like this
323 *
324 * +-----------------------+----------------+
325 * | path processed so far | remaining path |
326 * +-----------------------+----------------+
327 * \-----------------------/
328 * save this string if
329 * symbolic link relative
330 * (but don't include symlink component)
331 */
332
333 /*ARGSUSED*/
334
335
336 /*
337 * ROUTINE: AUDIT_SYMLINK
338 * PURPOSE:
339 * CALLBY: LOOKUPPN
340 * NOTE:
341 * TODO:
342 * QUESTION:
343 */
344 void
345 audit_symlink(struct pathname *pnp, struct pathname *sympath)
346 {
347 char *sp; /* saved initial pp */
348 char *cp; /* start of symlink path */
349 uint_t len_path; /* processed path before symlink */
350 t_audit_data_t *tad;
351 au_kcontext_t *kctx = GET_KCTX_PZ;
352
353 tad = U2A(u);
354
355 /*
356 * this event being audited or do we need path information
357 * later? This might be for a chdir/chroot or open (add path
358 * to file pointer. If the path has already been found for an
359 * open/creat then we don't need to process the path.
360 *
361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 * chroot, chdir, open, creat system call processing. It determines
363 * if audit_savepath() will discard the path or we need it later.
364 * TAD_PATHFND means path already included in this audit record. It
365 * is used in cases where multiple path lookups are done per
366 * system call. The policy flag, AUDIT_PATH, controls if multiple
367 * paths are allowed.
368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 * exit processing to inhibit any paths that may be added due to
370 * closes.
371 */
372 if ((tad->tad_flag == 0 &&
373 !(tad->tad_ctrl & TAD_SAVPATH)) ||
374 ((tad->tad_ctrl & TAD_PATHFND) &&
375 !(kctx->auk_policy & AUDIT_PATH)) ||
376 (tad->tad_ctrl & TAD_NOPATH)) {
377 return;
378 }
379
380 /*
381 * if symbolic link is anchored at / then do nothing.
382 * When we cycle back to begin: in lookuppn() we will
383 * call audit_anchorpath() with a flag indicating if the
384 * path is anchored at / or is relative. We will release
385 * any saved path at that point.
386 *
387 * Note In the event that an error occurs in pn_combine then
388 * we want to remain pointing at the component that caused the
389 * path to overflow the pnp structure.
390 */
391 if (sympath->pn_buf[0] == '/')
392 return;
393
394 /* backup over last component */
395 sp = cp = pnp->pn_path;
396 while (*--cp != '/' && cp > pnp->pn_buf)
397 ;
398
399 len_path = cp - pnp->pn_buf;
400
401 /* is there anything to save? */
402 if (len_path) {
403 pnp->pn_path = pnp->pn_buf;
404 audit_pathbuild(pnp);
405 pnp->pn_path = sp;
406 }
407 }
408
409 /*
410 * object_is_public : determine whether events for the object (corresponding to
411 * the specified file/directory attr) should be audited or
412 * ignored.
413 *
414 * returns: 1 - if audit policy and object attributes indicate that
415 * file/directory is effectively public. read events for
416 * the file should not be audited.
417 * 0 - otherwise
418 *
419 * The required attributes to be considered a public object are:
420 * - owned by root, AND
421 * - world-readable (permissions for other include read), AND
422 * - NOT world-writeable (permissions for other don't
423 * include write)
424 * (mode doesn't need to be checked for symlinks)
425 */
426 int
427 object_is_public(struct vattr *attr)
428 {
429 au_kcontext_t *kctx = GET_KCTX_PZ;
430
431 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432 ((attr->va_type == VLNK) ||
433 ((attr->va_mode & (VREAD>>6)) != 0) &&
434 ((attr->va_mode & (VWRITE>>6)) == 0))) {
435 return (1);
436 }
437 return (0);
438 }
439
440
441 /*
442 * ROUTINE: AUDIT_ATTRIBUTES
443 * PURPOSE: Audit the attributes so we can tell why the error occurred
444 * CALLBY: AUDIT_SAVEPATH
445 * AUDIT_VNCREATE_FINISH
446 * AUS_FCHOWN...audit_event.c...audit_path.c
447 * NOTE:
448 * TODO:
449 * QUESTION:
450 */
451 void
452 audit_attributes(struct vnode *vp)
453 {
454 struct vattr attr;
455 struct t_audit_data *tad;
456
457 tad = U2A(u);
458
459 if (vp) {
460 attr.va_mask = AT_ALL;
461 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462 return;
463
464 if (object_is_public(&attr) &&
465 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466 /*
467 * This is a public object and a "public" event
468 * (i.e., read only) -- either by definition
469 * (e.g., stat, access...) or by virtue of write access
470 * not being requested (e.g. mmap).
471 * Flag it in the tad to prevent this audit at the end.
472 */
473 tad->tad_ctrl |= TAD_NOAUDIT;
474 } else {
475 au_uwrite(au_to_attr(&attr));
476 audit_sec_attributes(&(u_ad), vp);
477 }
478 }
479 }
480
481
482 /*
483 * ROUTINE: AUDIT_EXIT
484 * PURPOSE:
485 * CALLBY: EXIT
486 * NOTE:
487 * TODO:
488 * QUESTION: why cmw code as offset by 2 but not here
489 */
490 /* ARGSUSED */
491 void
492 audit_exit(int code, int what)
493 {
494 struct t_audit_data *tad;
495 tad = U2A(u);
496
497 /*
498 * tad_scid will be set by audit_start even if we are not auditing
499 * the event.
500 */
501 if (tad->tad_scid == SYS_exit) {
502 /*
503 * if we are auditing the exit system call, then complete
504 * audit record generation (no return from system call).
505 */
506 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507 audit_finish(0, SYS_exit, 0, 0);
508 return;
509 }
510
511 /*
512 * Anyone auditing the system call that was aborted?
513 */
514 if (tad->tad_flag) {
515 au_uwrite(au_to_text("event aborted"));
516 audit_finish(0, tad->tad_scid, 0, 0);
517 }
518
519 /*
520 * Generate an audit record for process exit if preselected.
521 */
522 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523 audit_finish(0, SYS_exit, 0, 0);
524 }
525
526 /*
527 * ROUTINE: AUDIT_CORE_START
528 * PURPOSE:
529 * CALLBY: PSIG
530 * NOTE:
531 * TODO:
532 */
533 void
534 audit_core_start(int sig)
535 {
536 au_event_t event;
537 au_state_t estate;
538 t_audit_data_t *tad;
539 au_kcontext_t *kctx;
540
541 tad = U2A(u);
542
543 ASSERT(tad != (t_audit_data_t *)0);
544
545 ASSERT(tad->tad_scid == 0);
546 ASSERT(tad->tad_event == 0);
547 ASSERT(tad->tad_evmod == 0);
548 ASSERT(tad->tad_ctrl == 0);
549 ASSERT(tad->tad_flag == 0);
550 ASSERT(tad->tad_aupath == NULL);
551
552 kctx = GET_KCTX_PZ;
553
554 /* get basic event for system call */
555 event = AUE_CORE;
556 estate = kctx->auk_ets[event];
557
558 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559 return;
560
561 /* reset the flags for non-user attributable events */
562 tad->tad_ctrl = TAD_CORE;
563 tad->tad_scid = 0;
564
565 /* if auditing not enabled, then don't generate an audit record */
566
567 if (!((kctx->auk_auditstate == AUC_AUDITING ||
568 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569 kctx->auk_auditstate == AUC_NOSPACE)) {
570 tad->tad_flag = 0;
571 tad->tad_ctrl = 0;
572 return;
573 }
574
575 tad->tad_event = event;
576 tad->tad_evmod = 0;
577
578 ASSERT(tad->tad_ad == NULL);
579
580 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581 }
582
583 /*
584 * ROUTINE: AUDIT_CORE_FINISH
585 * PURPOSE:
586 * CALLBY: PSIG
587 * NOTE:
588 * TODO:
589 * QUESTION:
590 */
591
592 /*ARGSUSED*/
593 void
594 audit_core_finish(int code)
595 {
596 int flag;
597 t_audit_data_t *tad;
598 au_kcontext_t *kctx;
599
600 tad = U2A(u);
601
602 ASSERT(tad != (t_audit_data_t *)0);
603
604 if ((flag = tad->tad_flag) == 0) {
605 tad->tad_event = 0;
606 tad->tad_evmod = 0;
607 tad->tad_ctrl = 0;
608 ASSERT(tad->tad_aupath == NULL);
609 return;
610 }
611 tad->tad_flag = 0;
612
613 kctx = GET_KCTX_PZ;
614
615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 if (flag = audit_success(kctx, tad, 0, NULL)) {
617 cred_t *cr = CRED();
618 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619
620 ASSERT(ainfo != NULL);
621
622 /*
623 * Add subject information (no locks since our private copy of
624 * credential
625 */
626 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627
628 /* Add a return token (should use f argument) */
629 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630
631 AS_INC(as_generated, 1, kctx);
632 AS_INC(as_kernel, 1, kctx);
633 }
634
635 /* Close up everything */
636 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637
638 /* free up any space remaining with the path's */
639 if (tad->tad_aupath != NULL) {
640 au_pathrele(tad->tad_aupath);
641 tad->tad_aupath = NULL;
642 }
643 tad->tad_event = 0;
644 tad->tad_evmod = 0;
645 tad->tad_ctrl = 0;
646 }
647
648
649 /*ARGSUSED*/
650 void
651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652 unsigned char *pri, int *flag, int fmode)
653 {
654 struct stdata *stp;
655 t_audit_data_t *tad = U2A(u);
656
657 ASSERT(tad != (t_audit_data_t *)0);
658
659 stp = vp->v_stream;
660
661 /* lock stdata from audit_sock */
662 mutex_enter(&stp->sd_lock);
663
664 /* proceed ONLY if user is being audited */
665 if (!tad->tad_flag) {
666 /*
667 * this is so we will not add audit data onto
668 * a thread that is not being audited.
669 */
670 stp->sd_t_audit_data = NULL;
671 mutex_exit(&stp->sd_lock);
672 return;
673 }
674
675 stp->sd_t_audit_data = (caddr_t)curthread;
676 mutex_exit(&stp->sd_lock);
677 }
678
679 /*ARGSUSED*/
680 void
681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682 unsigned char pri, int flag, int fmode)
683 {
684 struct stdata *stp;
685 t_audit_data_t *tad = U2A(u);
686
687 ASSERT(tad != (t_audit_data_t *)0);
688
689 stp = vp->v_stream;
690
691 /* lock stdata from audit_sock */
692 mutex_enter(&stp->sd_lock);
693
694 /* proceed ONLY if user is being audited */
695 if (!tad->tad_flag) {
696 /*
697 * this is so we will not add audit data onto
698 * a thread that is not being audited.
699 */
700 stp->sd_t_audit_data = NULL;
701 mutex_exit(&stp->sd_lock);
702 return;
703 }
704
705 stp->sd_t_audit_data = (caddr_t)curthread;
706 mutex_exit(&stp->sd_lock);
707 }
708
709 /*
710 * ROUTINE: AUDIT_CLOSEF
711 * PURPOSE:
712 * CALLBY: CLOSEF
713 * NOTE:
714 * release per file audit resources when file structure is being released.
715 *
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 * on the audit queue if it becomes full. This means
718 * audit_closef can not be called when f_count == 0. Since
719 * f_count == 0 indicates the file structure is free, another
720 * process could attempt to use the file while we were still
721 * asleep waiting on the audit queue. This would cause the
722 * per file audit data to be corrupted when we finally do
723 * wakeup.
724 * TODO:
725 * QUESTION:
726 */
727
728 void
729 audit_closef(struct file *fp)
730 {
731 f_audit_data_t *fad;
732 t_audit_data_t *tad;
733 int success;
734 au_state_t estate;
735 struct vnode *vp;
736 token_t *ad = NULL;
737 struct vattr attr;
738 au_emod_t evmod = 0;
739 const auditinfo_addr_t *ainfo;
740 cred_t *cr;
741 au_kcontext_t *kctx = GET_KCTX_PZ;
742 uint32_t auditing;
743 boolean_t audit_attr = B_FALSE;
744
745 fad = F2A(fp);
746 estate = kctx->auk_ets[AUE_CLOSE];
747 tad = U2A(u);
748 cr = CRED();
749
750 /* audit record already generated by system call envelope */
751 if (tad->tad_event == AUE_CLOSE) {
752 /* so close audit event will have bits set */
753 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754 return;
755 }
756
757 /* if auditing not enabled, then don't generate an audit record */
758 auditing = (tad->tad_audit == AUC_UNSET) ?
759 kctx->auk_auditstate : tad->tad_audit;
760 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761 return;
762
763 ainfo = crgetauinfo(cr);
764 if (ainfo == NULL)
765 return;
766
767 success = ainfo->ai_mask.as_success & estate;
768
769 /* not selected for this event */
770 if (success == 0)
771 return;
772
773 /*
774 * can't use audit_attributes here since we use a private audit area
775 * to build the audit record instead of the one off the thread.
776 */
777 if ((vp = fp->f_vnode) != NULL) {
778 attr.va_mask = AT_ALL;
779 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780 if ((fp->f_flag & FWRITE) == 0 &&
781 object_is_public(&attr)) {
782 /*
783 * When write was not used and the file can be
784 * considered public, then skip the audit.
785 */
786 return;
787 }
788 audit_attr = B_TRUE;
789 }
790 }
791
792 evmod = (au_emod_t)fad->fad_flags;
793 if (fad->fad_aupath != NULL) {
794 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795 } else {
796 #ifdef _LP64
797 au_write((caddr_t *)&(ad), au_to_arg64(
798 1, "no path: fp", (uint64_t)fp));
799 #else
800 au_write((caddr_t *)&(ad), au_to_arg32(
801 1, "no path: fp", (uint32_t)fp));
802 #endif
803 }
804
805 if (audit_attr) {
806 au_write((caddr_t *)&(ad), au_to_attr(&attr));
807 audit_sec_attributes((caddr_t *)&(ad), vp);
808 }
809
810 /* Add subject information */
811 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812
813 /* add a return token */
814 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815
816 AS_INC(as_generated, 1, kctx);
817 AS_INC(as_kernel, 1, kctx);
818
819 /*
820 * Close up everything
821 * Note: path space recovery handled by normal system
822 * call envelope if not at last close.
823 * Note there is no failure at this point since
824 * this represents closes due to exit of process,
825 * thus we always indicate successful closes.
826 */
827 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828 AUE_CLOSE, evmod, NULL);
829 }
830
831 /*
832 * ROUTINE: AUDIT_SET
833 * PURPOSE: Audit the file path and file attributes.
834 * CALLBY: SETF
835 * NOTE: SETF associate a file pointer with user area's open files.
836 * TODO:
837 * call audit_finish directly ???
838 * QUESTION:
839 */
840
841 /*ARGSUSED*/
842 void
843 audit_setf(file_t *fp, int fd)
844 {
845 f_audit_data_t *fad;
846 t_audit_data_t *tad;
847
848 if (fp == NULL)
849 return;
850
851 tad = T2A(curthread);
852 fad = F2A(fp);
853
854 if (!(tad->tad_scid == SYS_open ||
855 tad->tad_scid == SYS_open64 ||
856 tad->tad_scid == SYS_openat ||
857 tad->tad_scid == SYS_openat64))
858 return;
859
860 /* no path */
861 if (tad->tad_aupath == 0)
862 return;
863
864 /*
865 * assign path information associated with file audit data
866 * use tad hold
867 */
868 fad->fad_aupath = tad->tad_aupath;
869 tad->tad_aupath = NULL;
870
871 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872 /* adjust event type by dropping the 'creat' part */
873 switch (tad->tad_event) {
874 case AUE_OPEN_RC:
875 tad->tad_event = AUE_OPEN_R;
876 tad->tad_ctrl |= TAD_PUBLIC_EV;
877 break;
878 case AUE_OPEN_RTC:
879 tad->tad_event = AUE_OPEN_RT;
880 break;
881 case AUE_OPEN_WC:
882 tad->tad_event = AUE_OPEN_W;
883 break;
884 case AUE_OPEN_WTC:
885 tad->tad_event = AUE_OPEN_WT;
886 break;
887 case AUE_OPEN_RWC:
888 tad->tad_event = AUE_OPEN_RW;
889 break;
890 case AUE_OPEN_RWTC:
891 tad->tad_event = AUE_OPEN_RWT;
892 break;
893 default:
894 break;
895 }
896 }
897 }
898
899
900 void
901 audit_ipc(int type, int id, void *vp)
902 {
903 /* if not auditing this event, then do nothing */
904 if (ad_flag == 0)
905 return;
906
907 switch (type) {
908 case AT_IPC_MSG:
909 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911 break;
912 case AT_IPC_SEM:
913 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915 break;
916 case AT_IPC_SHM:
917 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919 break;
920 }
921 }
922
923 void
924 audit_ipcget(int type, void *vp)
925 {
926 /* if not auditing this event, then do nothing */
927 if (ad_flag == 0)
928 return;
929
930 switch (type) {
931 case NULL:
932 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933 break;
934 case AT_IPC_MSG:
935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936 break;
937 case AT_IPC_SEM:
938 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939 break;
940 case AT_IPC_SHM:
941 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942 break;
943 }
944 }
945
946 /*
947 * ROUTINE: AUDIT_REBOOT
948 * PURPOSE:
949 * CALLBY:
950 * NOTE:
951 * At this point we know that the system call reboot will not return. We thus
952 * have to complete the audit record generation and put it onto the queue.
953 * This might be fairly useless if the auditing daemon is already dead....
954 * TODO:
955 * QUESTION: who calls audit_reboot
956 */
957
958 void
959 audit_reboot(void)
960 {
961 int flag;
962 t_audit_data_t *tad;
963 au_kcontext_t *kctx = GET_KCTX_PZ;
964
965 tad = U2A(u);
966
967 /* if not auditing this event, then do nothing */
968 if (tad->tad_flag == 0)
969 return;
970
971 /* do preselection on success/failure */
972 if (flag = audit_success(kctx, tad, 0, NULL)) {
973 /* add a process token */
974
975 cred_t *cr = CRED();
976 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977
978 if (ainfo == NULL)
979 return;
980
981 /* Add subject information */
982 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983
984 /* add a return token */
985 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986
987 AS_INC(as_generated, 1, kctx);
988 AS_INC(as_kernel, 1, kctx);
989 }
990
991 /*
992 * Flow control useless here since we're going
993 * to drop everything in the queue anyway. Why
994 * block and wait. There aint anyone left alive to
995 * read the records remaining anyway.
996 */
997
998 /* Close up everything */
999 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000 tad->tad_event, tad->tad_evmod, NULL);
1001 }
1002
1003 void
1004 audit_setfsat_path(int argnum)
1005 {
1006 klwp_id_t clwp = ttolwp(curthread);
1007 struct file *fp;
1008 uint32_t fd;
1009 t_audit_data_t *tad;
1010 struct f_audit_data *fad;
1011 p_audit_data_t *pad; /* current process */
1012 uint_t fm;
1013 struct a {
1014 long arg1;
1015 long arg2;
1016 long arg3;
1017 long arg4;
1018 long arg5;
1019 } *uap;
1020
1021 if (clwp == NULL)
1022 return;
1023 uap = (struct a *)clwp->lwp_ap;
1024
1025 tad = U2A(u);
1026 ASSERT(tad != NULL);
1027
1028 switch (tad->tad_scid) {
1029 case SYS_faccessat:
1030 case SYS_fchmodat:
1031 case SYS_fchownat:
1032 case SYS_fstatat:
1033 case SYS_fstatat64:
1034 case SYS_mkdirat:
1035 case SYS_mknodat:
1036 case SYS_openat:
1037 case SYS_openat64:
1038 case SYS_readlinkat:
1039 case SYS_unlinkat:
1040 fd = uap->arg1;
1041 break;
1042 case SYS_linkat:
1043 case SYS_renameat:
1044 if (argnum == 3)
1045 fd = uap->arg3;
1046 else
1047 fd = uap->arg1;
1048 break;
1049 case SYS_symlinkat:
1050 case SYS_utimesys:
1051 fd = uap->arg2;
1052 break;
1053 case SYS_open:
1054 case SYS_open64:
1055 fd = AT_FDCWD;
1056 break;
1057 default:
1058 return;
1059 }
1060
1061 if (tad->tad_atpath != NULL) {
1062 au_pathrele(tad->tad_atpath);
1063 tad->tad_atpath = NULL;
1064 }
1065
1066 if (fd != AT_FDCWD) {
1067 tad->tad_ctrl |= TAD_ATCALL;
1068
1069 if (tad->tad_scid == SYS_openat ||
1070 tad->tad_scid == SYS_openat64) {
1071 fm = (uint_t)uap->arg3;
1072 if (fm & (FXATTR | FXATTRDIROPEN)) {
1073 tad->tad_ctrl |= TAD_ATTPATH;
1074 }
1075 }
1076
1077 if ((fp = getf(fd)) == NULL) {
1078 tad->tad_ctrl |= TAD_NOPATH;
1079 return;
1080 }
1081 fad = F2A(fp);
1082 ASSERT(fad);
1083 if (fad->fad_aupath == NULL) {
1084 tad->tad_ctrl |= TAD_NOPATH;
1085 releasef(fd);
1086 return;
1087 }
1088 au_pathhold(fad->fad_aupath);
1089 tad->tad_atpath = fad->fad_aupath;
1090 releasef(fd);
1091 } else {
1092 if (tad->tad_scid == SYS_open ||
1093 tad->tad_scid == SYS_open64) {
1094 fm = (uint_t)uap->arg2;
1095 if (fm & FXATTR) {
1096 tad->tad_ctrl |= TAD_ATTPATH;
1097 }
1098 return;
1099 }
1100 pad = P2A(curproc);
1101 mutex_enter(&pad->pad_lock);
1102 au_pathhold(pad->pad_cwd);
1103 tad->tad_atpath = pad->pad_cwd;
1104 mutex_exit(&pad->pad_lock);
1105 }
1106 }
1107
1108 void
1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 {
1111 t_audit_data_t *tad;
1112 vnode_t *vp;
1113
1114 tad = U2A(u);
1115
1116 /* if not auditing this event, then do nothing */
1117 if (tad->tad_flag == 0)
1118 return;
1119
1120 au_uwrite(au_to_text(target));
1121
1122 if (error)
1123 return;
1124
1125 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126 NULL, NULL, NULL);
1127 if (error == 0) {
1128 audit_attributes(vp);
1129 VN_RELE(vp);
1130 }
1131 }
1132
1133 /*
1134 * ROUTINE: AUDIT_VNCREATE_START
1135 * PURPOSE: set flag so path name lookup in create will not add attribute
1136 * CALLBY: VN_CREATE
1137 * NOTE:
1138 * TODO:
1139 * QUESTION:
1140 */
1141
1142 void
1143 audit_vncreate_start()
1144 {
1145 t_audit_data_t *tad;
1146
1147 tad = U2A(u);
1148 tad->tad_ctrl |= TAD_NOATTRB;
1149 }
1150
1151 /*
1152 * ROUTINE: AUDIT_VNCREATE_FINISH
1153 * PURPOSE:
1154 * CALLBY: VN_CREATE
1155 * NOTE:
1156 * TODO:
1157 * QUESTION:
1158 */
1159 void
1160 audit_vncreate_finish(struct vnode *vp, int error)
1161 {
1162 t_audit_data_t *tad;
1163
1164 if (error)
1165 return;
1166
1167 tad = U2A(u);
1168
1169 /* if not auditing this event, then do nothing */
1170 if (tad->tad_flag == 0)
1171 return;
1172
1173 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174 audit_attributes(vp);
1175 }
1176
1177 if (tad->tad_ctrl & TAD_CORE) {
1178 audit_attributes(vp);
1179 tad->tad_ctrl &= ~TAD_CORE;
1180 }
1181
1182 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183 (tad->tad_event == AUE_MKDIR))) {
1184 audit_attributes(vp);
1185 }
1186
1187 /* for case where multiple lookups in one syscall (rename) */
1188 tad->tad_ctrl &= ~TAD_NOATTRB;
1189 }
1190
1191
1192
1193
1194
1195
1196
1197
1198 /*
1199 * ROUTINE: AUDIT_EXEC
1200 * PURPOSE: Records the function arguments and environment variables
1201 * CALLBY: EXEC_ARGS
1202 * NOTE:
1203 * TODO:
1204 * QUESTION:
1205 */
1206
1207 void
1208 audit_exec(
1209 const char *argstr, /* argument strings */
1210 const char *envstr, /* environment strings */
1211 ssize_t argc, /* total # arguments */
1212 ssize_t envc, /* total # environment variables */
1213 cred_t *pfcred) /* the additional privileges in a profile */
1214 {
1215 t_audit_data_t *tad;
1216 au_kcontext_t *kctx = GET_KCTX_PZ;
1217
1218 tad = U2A(u);
1219
1220 /* if not auditing this event, then do nothing */
1221 if (!tad->tad_flag)
1222 return;
1223
1224 if (pfcred != NULL) {
1225 p_audit_data_t *pad;
1226 cred_t *cr = CRED();
1227 priv_set_t pset = CR_IPRIV(cr);
1228
1229 pad = P2A(curproc);
1230
1231 /* It's a different event. */
1232 tad->tad_event = AUE_PFEXEC;
1233
1234 /* Add the current working directory to the audit trail. */
1235 if (pad->pad_cwd != NULL)
1236 au_uwrite(au_to_path(pad->pad_cwd));
1237
1238 /*
1239 * The new credential is not yet in place when audit_exec
1240 * is called.
1241 * Compute the additional bits available in the new credential
1242 * and the limit set.
1243 */
1244 priv_inverse(&pset);
1245 priv_intersect(&CR_IPRIV(pfcred), &pset);
1246 if (!priv_isemptyset(&pset) ||
1247 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248 au_uwrite(au_to_privset(
1249 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250 0));
1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253 }
1254 /*
1255 * Compare the uids & gids: create a process token if changed.
1256 */
1257 if (crgetuid(cr) != crgetuid(pfcred) ||
1258 crgetruid(cr) != crgetruid(pfcred) ||
1259 crgetgid(cr) != crgetgid(pfcred) ||
1260 crgetrgid(cr) != crgetrgid(pfcred)) {
1261 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262 }
1263 }
1264
1265 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266 au_uwrite(au_to_exec_args(argstr, argc));
1267
1268 if (kctx->auk_policy & AUDIT_ARGE)
1269 au_uwrite(au_to_exec_env(envstr, envc));
1270 }
1271
1272 /*
1273 * ROUTINE: AUDIT_ENTERPROM
1274 * PURPOSE:
1275 * CALLBY: KBDINPUT
1276 * ZSA_XSINT
1277 * NOTE:
1278 * TODO:
1279 * QUESTION:
1280 */
1281 void
1282 audit_enterprom(int flg)
1283 {
1284 token_t *rp = NULL;
1285 int sorf;
1286
1287 if (flg)
1288 sorf = AUM_SUCC;
1289 else
1290 sorf = AUM_FAIL;
1291
1292 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293
1294 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295
1296 if (flg)
1297 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298 else
1299 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300
1301 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 }
1303
1304
1305 /*
1306 * ROUTINE: AUDIT_EXITPROM
1307 * PURPOSE:
1308 * CALLBY: KBDINPUT
1309 * ZSA_XSINT
1310 * NOTE:
1311 * TODO:
1312 * QUESTION:
1313 */
1314 void
1315 audit_exitprom(int flg)
1316 {
1317 int sorf;
1318 token_t *rp = NULL;
1319
1320 if (flg)
1321 sorf = AUM_SUCC;
1322 else
1323 sorf = AUM_FAIL;
1324
1325 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326
1327 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328
1329 if (flg)
1330 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331 else
1332 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333
1334 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 }
1336
1337 struct fcntla {
1338 int fdes;
1339 int cmd;
1340 intptr_t arg;
1341 };
1342
1343
1344 /*
1345 * ROUTINE: AUDIT_CHDIREC
1346 * PURPOSE:
1347 * CALLBY: CHDIREC
1348 * NOTE: The main function of CHDIREC
1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350 * QUESTION:
1351 */
1352
1353 /*ARGSUSED*/
1354 void
1355 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 {
1357 int chdir;
1358 int fchdir;
1359 struct audit_path **appp;
1360 struct file *fp;
1361 f_audit_data_t *fad;
1362 p_audit_data_t *pad = P2A(curproc);
1363 t_audit_data_t *tad = T2A(curthread);
1364
1365 struct a {
1366 long fd;
1367 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368
1369 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370 chdir = tad->tad_scid == SYS_chdir;
1371 if (tad->tad_aupath) {
1372 mutex_enter(&pad->pad_lock);
1373 if (chdir)
1374 appp = &(pad->pad_cwd);
1375 else
1376 appp = &(pad->pad_root);
1377 au_pathrele(*appp);
1378 /* use tad hold */
1379 *appp = tad->tad_aupath;
1380 tad->tad_aupath = NULL;
1381 mutex_exit(&pad->pad_lock);
1382 }
1383 } else if ((tad->tad_scid == SYS_fchdir) ||
1384 (tad->tad_scid == SYS_fchroot)) {
1385 fchdir = tad->tad_scid == SYS_fchdir;
1386 if ((fp = getf(uap->fd)) == NULL)
1387 return;
1388 fad = F2A(fp);
1389 if (fad->fad_aupath) {
1390 au_pathhold(fad->fad_aupath);
1391 mutex_enter(&pad->pad_lock);
1392 if (fchdir)
1393 appp = &(pad->pad_cwd);
1394 else
1395 appp = &(pad->pad_root);
1396 au_pathrele(*appp);
1397 *appp = fad->fad_aupath;
1398 mutex_exit(&pad->pad_lock);
1399 if (tad->tad_flag) {
1400 au_uwrite(au_to_path(fad->fad_aupath));
1401 audit_attributes(fp->f_vnode);
1402 }
1403 }
1404 releasef(uap->fd);
1405 }
1406 }
1407
1408
1409 /*
1410 * Audit hook for stream based socket and tli request.
1411 * Note that we do not have user context while executing
1412 * this code so we had to record them earlier during the
1413 * putmsg/getmsg to figure out which user we are dealing with.
1414 */
1415
1416 /*ARGSUSED*/
1417 void
1418 audit_sock(
1419 int type, /* type of tihdr.h header requests */
1420 queue_t *q, /* contains the process and thread audit data */
1421 mblk_t *mp, /* contains the tihdr.h header structures */
1422 int from) /* timod or sockmod request */
1423 {
1424 int32_t len;
1425 int32_t offset;
1426 struct sockaddr_in *sock_data;
1427 struct T_conn_req *conn_req;
1428 struct T_conn_ind *conn_ind;
1429 struct T_unitdata_req *unitdata_req;
1430 struct T_unitdata_ind *unitdata_ind;
1431 au_state_t estate;
1432 t_audit_data_t *tad;
1433 caddr_t saved_thread_ptr;
1434 au_mask_t amask;
1435 const auditinfo_addr_t *ainfo;
1436 au_kcontext_t *kctx;
1437
1438 if (q->q_stream == NULL)
1439 return;
1440 mutex_enter(&q->q_stream->sd_lock);
1441 /* are we being audited */
1442 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443 /* no pointer to thread, nothing to do */
1444 if (saved_thread_ptr == NULL) {
1445 mutex_exit(&q->q_stream->sd_lock);
1446 return;
1447 }
1448 /* only allow one addition of a record token */
1449 q->q_stream->sd_t_audit_data = NULL;
1450 /*
1451 * thread is not the one being audited, then nothing to do
1452 * This could be the stream thread handling the module
1453 * service routine. In this case, the context for the audit
1454 * record can no longer be assumed. Simplest to just drop
1455 * the operation.
1456 */
1457 if (curthread != (kthread_id_t)saved_thread_ptr) {
1458 mutex_exit(&q->q_stream->sd_lock);
1459 return;
1460 }
1461 if (curthread->t_sysnum >= SYS_so_socket &&
1462 curthread->t_sysnum <= SYS_sockconfig) {
1463 mutex_exit(&q->q_stream->sd_lock);
1464 return;
1465 }
1466 mutex_exit(&q->q_stream->sd_lock);
1467 /*
1468 * we know that the thread that did the put/getmsg is the
1469 * one running. Now we can get the TAD and see if we should
1470 * add an audit token.
1471 */
1472 tad = U2A(u);
1473
1474 kctx = GET_KCTX_PZ;
1475
1476 /* proceed ONLY if user is being audited */
1477 if (!tad->tad_flag)
1478 return;
1479
1480 ainfo = crgetauinfo(CRED());
1481 if (ainfo == NULL)
1482 return;
1483 amask = ainfo->ai_mask;
1484
1485 /*
1486 * Figure out the type of stream networking request here.
1487 * Note that getmsg and putmsg are always preselected
1488 * because during the beginning of the system call we have
1489 * not yet figure out which of the socket or tli request
1490 * we are looking at until we are here. So we need to check
1491 * against that specific request and reset the type of event.
1492 */
1493 switch (type) {
1494 case T_CONN_REQ: /* connection request */
1495 conn_req = (struct T_conn_req *)mp->b_rptr;
1496 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497 return;
1498 offset = conn_req->DEST_offset;
1499 len = conn_req->DEST_length;
1500 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501 if (amask.as_success & estate || amask.as_failure & estate) {
1502 tad->tad_event = AUE_SOCKCONNECT;
1503 break;
1504 } else {
1505 return;
1506 }
1507 case T_CONN_IND: /* connectionless receive request */
1508 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510 return;
1511 offset = conn_ind->SRC_offset;
1512 len = conn_ind->SRC_length;
1513 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514 if (amask.as_success & estate || amask.as_failure & estate) {
1515 tad->tad_event = AUE_SOCKACCEPT;
1516 break;
1517 } else {
1518 return;
1519 }
1520 case T_UNITDATA_REQ: /* connectionless send request */
1521 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523 return;
1524 offset = unitdata_req->DEST_offset;
1525 len = unitdata_req->DEST_length;
1526 estate = kctx->auk_ets[AUE_SOCKSEND];
1527 if (amask.as_success & estate || amask.as_failure & estate) {
1528 tad->tad_event = AUE_SOCKSEND;
1529 break;
1530 } else {
1531 return;
1532 }
1533 case T_UNITDATA_IND: /* connectionless receive request */
1534 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536 return;
1537 offset = unitdata_ind->SRC_offset;
1538 len = unitdata_ind->SRC_length;
1539 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540 if (amask.as_success & estate || amask.as_failure & estate) {
1541 tad->tad_event = AUE_SOCKRECEIVE;
1542 break;
1543 } else {
1544 return;
1545 }
1546 default:
1547 return;
1548 }
1549
1550 /*
1551 * we are only interested in tcp stream connections,
1552 * not unix domain stuff
1553 */
1554 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555 tad->tad_event = AUE_GETMSG;
1556 return;
1557 }
1558 /* skip over TPI header and point to the ip address */
1559 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560
1561 switch (sock_data->sin_family) {
1562 case AF_INET:
1563 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564 break;
1565 default: /* reset to AUE_PUTMSG if not a inet request */
1566 tad->tad_event = AUE_GETMSG;
1567 break;
1568 }
1569 }
1570
1571
1572 static void
1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 {
1575 unsigned int sy_flags;
1576
1577 #ifdef _SYSCALL32_IMPL
1578 /*
1579 * Guard against t_lwp being NULL when this function is called
1580 * from a kernel queue instead of from a direct system call.
1581 * In that case, assume the running kernel data model.
1582 */
1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 else
1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591
1592 if (sy_flags == SE_64RVAL)
1593 au_write(ad, au_to_return64(err, rval));
1594 else
1595 au_write(ad, au_to_return32(err, rval));
1596
1597 }
1598
1599 /*ARGSUSED*/
1600 void
1601 audit_fdsend(int fd, struct file *fp, int error)
1602 {
1603 t_audit_data_t *tad; /* current thread */
1604 f_audit_data_t *fad; /* per file audit structure */
1605 struct vnode *vp; /* for file attributes */
1606
1607 /* is this system call being audited */
1608 tad = U2A(u);
1609 ASSERT(tad != (t_audit_data_t *)0);
1610 if (!tad->tad_flag)
1611 return;
1612
1613 fad = F2A(fp);
1614
1615 /* add path and file attributes */
1616 if (fad != NULL && fad->fad_aupath != NULL) {
1617 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1618 au_uwrite(au_to_path(fad->fad_aupath));
1619 } else {
1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 #ifdef _LP64
1622 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1623 #else
1624 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1625 #endif
1626 }
1627 vp = fp->f_vnode; /* include vnode attributes */
1628 audit_attributes(vp);
1629 }
1630
1631 /*
1632 * Record privileges successfully used and we attempted to use but
1633 * didn't have.
1634 */
1635 void
1636 audit_priv(int priv, const priv_set_t *set, int flag)
1637 {
1638 t_audit_data_t *tad;
1639 int sbit;
1640 priv_set_t *target;
1641
1642 /* Make sure this isn't being called in an interrupt context */
1643 ASSERT(servicing_interrupt() == 0);
1644
1645 tad = U2A(u);
1646
1647 if (tad->tad_flag == 0)
1648 return;
1649
1650 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1651 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1652
1653 /* Tell audit_success() and audit_finish() that we saw this case */
1654 if (!(tad->tad_evmod & sbit)) {
1655 /* Clear set first time around */
1656 priv_emptyset(target);
1657 tad->tad_evmod |= sbit;
1658 }
1659
1660 /* Save the privileges in the tad */
1661 if (priv == PRIV_ALL) {
1662 priv_fillset(target);
1663 } else {
1664 ASSERT(set != NULL || priv != PRIV_NONE);
1665 if (set != NULL)
1666 priv_union(set, target);
1667 if (priv != PRIV_NONE)
1668 priv_addset(target, priv);
1669 }
1670 }
1671
1672 /*
1673 * Audit the psecflags() system call; the set name, current value, and delta
1674 * are put in the audit trail.
1675 */
1676 void
1677 audit_psecflags(proc_t *p,
1678 psecflagwhich_t which,
1679 const secflagdelta_t *psd)
1680 {
1681 t_audit_data_t *tad;
1682 secflagset_t new;
1683 const secflagset_t *old;
1684 const char *s;
1685 cred_t *cr;
1686 pid_t pid;
1687 const auditinfo_addr_t *ainfo;
1688 const psecflags_t *psec = &p->p_secflags;
1689
1690 tad = U2A(u);
1691
1692 if (tad->tad_flag == 0)
1693 return;
1694
1695 switch (which) {
1696 case PSF_EFFECTIVE:
1697 s = "effective";
1698 old = &psec->psf_effective;
1699 break;
1700 case PSF_INHERIT:
1701 s = "inherit";
1702 old = &psec->psf_inherit;
1703 break;
1704 case PSF_LOWER:
1705 s = "lower";
1706 old = &psec->psf_lower;
1707 break;
1708 case PSF_UPPER:
1709 s = "upper";
1710 old = &psec->psf_upper;
1711 break;
1712 }
1713
1714 secflags_copy(&new, old);
1715 secflags_apply_delta(&new, psd);
1716
1717 au_uwrite(au_to_secflags(s, *old));
1718 au_uwrite(au_to_secflags(s, new));
1719
1720 ASSERT(mutex_owned(&p->p_lock));
1721 mutex_enter(&p->p_crlock);
1722
1723 pid = p->p_pid;
1724 crhold(cr = p->p_cred);
1725 mutex_exit(&p->p_crlock);
1726
1727 if ((ainfo = crgetauinfo(cr)) == NULL) {
1728 crfree(cr);
1729 return;
1730 }
1731
1732 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733
1734 crfree(cr);
1735 }
1736
1737 /*
1738 * Audit the setpriv() system call; the operation, the set name and
1739 * the current value as well as the set argument are put in the
1740 * audit trail.
1741 */
1742 void
1743 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1744 {
1745 t_audit_data_t *tad;
1746 const priv_set_t *oldpriv;
1747 priv_set_t report;
1748 const char *setname;
1749
1750 tad = U2A(u);
1751
1752 if (tad->tad_flag == 0)
1753 return;
1754
1755 oldpriv = priv_getset(ocr, set);
1756
1757 /* Generate the actual record, include the before and after */
1758 au_uwrite(au_to_arg32(2, "op", op));
1759 setname = priv_getsetbynum(set);
1760
1761 switch (op) {
1762 case PRIV_OFF:
1763 /* Report privileges actually switched off */
1764 report = *oldpriv;
1765 priv_intersect(newpriv, &report);
1766 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1767 break;
1768 case PRIV_ON:
1769 /* Report privileges actually switched on */
1770 report = *oldpriv;
1771 priv_inverse(&report);
1772 priv_intersect(newpriv, &report);
1773 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1774 break;
1775 case PRIV_SET:
1776 /* Report before and after */
1777 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1778 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1779 break;
1780 }
1781 }
1782
1783 /*
1784 * Dump the full device policy setting in the audit trail.
1785 */
1786 void
1787 audit_devpolicy(int nitems, const devplcysys_t *items)
1788 {
1789 t_audit_data_t *tad;
1790 int i;
1791
1792 tad = U2A(u);
1793
1794 if (tad->tad_flag == 0)
1795 return;
1796
1797 for (i = 0; i < nitems; i++) {
1798 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1799 if (items[i].dps_minornm[0] == '\0') {
1800 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1801 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1802 } else
1803 au_uwrite(au_to_text(items[i].dps_minornm));
1804
1805 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1806 AUT_PRIV, 0));
1807 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1808 AUT_PRIV, 0));
1809 }
1810 }
1811
1812 /*ARGSUSED*/
1813 void
1814 audit_fdrecv(int fd, struct file *fp)
1815 {
1816 t_audit_data_t *tad; /* current thread */
1817 f_audit_data_t *fad; /* per file audit structure */
1818 struct vnode *vp; /* for file attributes */
1819
1820 /* is this system call being audited */
1821 tad = U2A(u);
1822 ASSERT(tad != (t_audit_data_t *)0);
1823 if (!tad->tad_flag)
1824 return;
1825
1826 fad = F2A(fp);
1827
1828 /* add path and file attributes */
1829 if (fad != NULL && fad->fad_aupath != NULL) {
1830 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1831 au_uwrite(au_to_path(fad->fad_aupath));
1832 } else {
1833 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1834 #ifdef _LP64
1835 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1836 #else
1837 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1838 #endif
1839 }
1840 vp = fp->f_vnode; /* include vnode attributes */
1841 audit_attributes(vp);
1842 }
1843
1844 /*
1845 * ROUTINE: AUDIT_CRYPTOADM
1846 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1847 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1848 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1849 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1850 * CRYPTO_LOAD_DOOR
1851 * NOTE:
1852 * TODO:
1853 * QUESTION:
1854 */
1855
1856 void
1857 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1858 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1859 {
1860 boolean_t mech_list_required = B_FALSE;
1861 cred_t *cr = CRED();
1862 t_audit_data_t *tad;
1863 token_t *ad = NULL;
1864 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1865 char buffer[MAXNAMELEN * 2];
1866 au_kcontext_t *kctx = GET_KCTX_PZ;
1867
1868 tad = U2A(u);
1869 if (tad == NULL)
1870 return;
1871
1872 if (ainfo == NULL)
1873 return;
1874
1875 tad->tad_event = AUE_CRYPTOADM;
1876
1877 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1878 return;
1879
1880 /* Add subject information */
1881 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1882
1883 switch (cmd) {
1884 case CRYPTO_LOAD_DEV_DISABLED:
1885 if (error == 0 && rv == CRYPTO_SUCCESS) {
1886 (void) snprintf(buffer, sizeof (buffer),
1887 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1888 " dev_instance=%d",
1889 module_name, device_instance);
1890 mech_list_required = B_TRUE;
1891 } else {
1892 (void) snprintf(buffer, sizeof (buffer),
1893 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1894 }
1895 break;
1896
1897 case CRYPTO_LOAD_SOFT_DISABLED:
1898 if (error == 0 && rv == CRYPTO_SUCCESS) {
1899 (void) snprintf(buffer, sizeof (buffer),
1900 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1901 module_name);
1902 mech_list_required = B_TRUE;
1903 } else {
1904 (void) snprintf(buffer, sizeof (buffer),
1905 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1906 }
1907 break;
1908
1909 case CRYPTO_UNLOAD_SOFT_MODULE:
1910 if (error == 0 && rv == CRYPTO_SUCCESS) {
1911 (void) snprintf(buffer, sizeof (buffer),
1912 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1913 module_name);
1914 } else {
1915 (void) snprintf(buffer, sizeof (buffer),
1916 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1917 }
1918 break;
1919
1920 case CRYPTO_LOAD_SOFT_CONFIG:
1921 if (error == 0 && rv == CRYPTO_SUCCESS) {
1922 (void) snprintf(buffer, sizeof (buffer),
1923 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1924 module_name);
1925 mech_list_required = B_TRUE;
1926 } else {
1927 (void) snprintf(buffer, sizeof (buffer),
1928 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1929 }
1930 break;
1931
1932 case CRYPTO_POOL_CREATE:
1933 (void) snprintf(buffer, sizeof (buffer),
1934 "op=CRYPTO_POOL_CREATE");
1935 break;
1936
1937 case CRYPTO_POOL_WAIT:
1938 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1939 break;
1940
1941 case CRYPTO_POOL_RUN:
1942 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1943 break;
1944
1945 case CRYPTO_LOAD_DOOR:
1946 if (error == 0 && rv == CRYPTO_SUCCESS)
1947 (void) snprintf(buffer, sizeof (buffer),
1948 "op=CRYPTO_LOAD_DOOR");
1949 else
1950 (void) snprintf(buffer, sizeof (buffer),
1951 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1952 break;
1953
1954 case CRYPTO_FIPS140_SET:
1955 (void) snprintf(buffer, sizeof (buffer),
1956 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1957 break;
1958
1959 default:
1960 return;
1961 }
1962
1963 au_write((caddr_t *)&ad, au_to_text(buffer));
1964
1965 if (mech_list_required) {
1966 int i;
1967
1968 if (mech_count == 0) {
1969 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1970 } else {
1971 char *pb = buffer;
1972 size_t l = sizeof (buffer);
1973 size_t n;
1974 char space[2] = ":";
1975
1976 n = snprintf(pb, l, "mech=");
1977
1978 for (i = 0; i < mech_count; i++) {
1979 pb += n;
1980 l = (n >= l) ? 0 : l - n;
1981
1982 if (i == mech_count - 1)
1983 (void) strcpy(space, "");
1984
1985 n = snprintf(pb, l, "%s%s", mech_names[i],
1986 space);
1987 }
1988 au_write((caddr_t *)&ad, au_to_text(buffer));
1989 }
1990 }
1991
1992 /* add a return token */
1993 if (error || (rv != CRYPTO_SUCCESS))
1994 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1995 else
1996 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1997
1998 AS_INC(as_generated, 1, kctx);
1999 AS_INC(as_kernel, 1, kctx);
2000
2001 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2002 NULL);
2003 }
2004
2005 /*
2006 * Audit the kernel SSL administration command. The address and the
2007 * port number for the SSL instance, and the proxy port are put in the
2008 * audit trail.
2009 */
2010 void
2011 audit_kssl(int cmd, void *params, int error)
2012 {
2013 cred_t *cr = CRED();
2014 t_audit_data_t *tad;
2015 token_t *ad = NULL;
2016 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
2017 au_kcontext_t *kctx = GET_KCTX_PZ;
2018
2019 tad = U2A(u);
2020
2021 if (ainfo == NULL)
2022 return;
2023
2024 tad->tad_event = AUE_CONFIGKSSL;
2025
2026 if (audit_success(kctx, tad, error, NULL) != AU_OK)
2027 return;
2028
2029 /* Add subject information */
2030 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2031
2032 switch (cmd) {
2033 case KSSL_ADD_ENTRY: {
2034 char buf[32];
2035 kssl_params_t *kp = (kssl_params_t *)params;
2036 struct sockaddr_in6 *saddr = &kp->kssl_addr;
2037
2038 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2039 au_write((caddr_t *)&ad,
2040 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2041 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2042 saddr->sin6_port);
2043 au_write((caddr_t *)&ad, au_to_text(buf));
2044
2045 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
2046 kp->kssl_proxy_port);
2047 au_write((caddr_t *)&ad, au_to_text(buf));
2048 break;
2049 }
2050
2051 case KSSL_DELETE_ENTRY: {
2052 char buf[32];
2053 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2054
2055 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2056 au_write((caddr_t *)&ad,
2057 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2058 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2059 saddr->sin6_port);
2060 au_write((caddr_t *)&ad, au_to_text(buf));
2061 break;
2062 }
2063
2064 default:
2065 return;
2066 }
2067
2068 /* add a return token */
2069 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2070
2071 AS_INC(as_generated, 1, kctx);
2072 AS_INC(as_kernel, 1, kctx);
2073
2074 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2075 NULL);
2076 }
2077
2078 /*
2079 * Audit the kernel PF_POLICY administration commands. Record command,
2080 * zone, policy type (global or tunnel, active or inactive)
2081 */
2082 /*
2083 * ROUTINE: AUDIT_PF_POLICY
2084 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2085 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2086 * SPD_CLONE, SPD_FLIP
2087 * NOTE:
2088 * TODO:
2089 * QUESTION:
2090 */
2091
2092 void
2093 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2094 boolean_t active, int error, pid_t pid)
2095 {
2096 const auditinfo_addr_t *ainfo;
2097 t_audit_data_t *tad;
2098 token_t *ad = NULL;
2099 au_kcontext_t *kctx = GET_KCTX_PZ;
2100 char buf[80];
2101 int flag;
2102
2103 tad = U2A(u);
2104 if (tad == NULL)
2105 return;
2106
2107 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2108 if (ainfo == NULL)
2109 return;
2110
2111 /*
2112 * Initialize some variables since these are only set
2113 * with system calls.
2114 */
2115
2116 switch (cmd) {
2117 case SPD_ADDRULE: {
2118 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2119 break;
2120 }
2121
2122 case SPD_DELETERULE: {
2123 tad->tad_event = AUE_PF_POLICY_DELRULE;
2124 break;
2125 }
2126
2127 case SPD_FLUSH: {
2128 tad->tad_event = AUE_PF_POLICY_FLUSH;
2129 break;
2130 }
2131
2132 case SPD_UPDATEALGS: {
2133 tad->tad_event = AUE_PF_POLICY_ALGS;
2134 break;
2135 }
2136
2137 case SPD_CLONE: {
2138 tad->tad_event = AUE_PF_POLICY_CLONE;
2139 break;
2140 }
2141
2142 case SPD_FLIP: {
2143 tad->tad_event = AUE_PF_POLICY_FLIP;
2144 break;
2145 }
2146
2147 default:
2148 tad->tad_event = AUE_NULL;
2149 }
2150
2151 tad->tad_evmod = 0;
2152
2153 if (flag = audit_success(kctx, tad, error, cred)) {
2154 zone_t *nszone;
2155
2156 /*
2157 * For now, just audit that an event happened,
2158 * along with the error code.
2159 */
2160 au_write((caddr_t *)&ad,
2161 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2162 au_write((caddr_t *)&ad,
2163 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2164
2165 /* Supplemental data */
2166
2167 /*
2168 * Generate this zone token if the target zone differs
2169 * from the administrative zone. If netstacks are expanded
2170 * to something other than a 1-1 relationship with zones,
2171 * the auditing framework should create a new token type
2172 * and audit it as a netstack instead.
2173 * Turn on general zone auditing to get the administrative zone.
2174 */
2175
2176 nszone = zone_find_by_id(netstackid_to_zoneid(
2177 ns->netstack_stackid));
2178 if (nszone != NULL) {
2179 if (strncmp(crgetzone(cred)->zone_name,
2180 nszone->zone_name, ZONENAME_MAX) != 0) {
2181 token_t *ztoken;
2182
2183 ztoken = au_to_zonename(0, nszone);
2184 au_write((caddr_t *)&ad, ztoken);
2185 }
2186 zone_rele(nszone);
2187 }
2188
2189 if (tun != NULL) {
2190 /* write tunnel name - tun is bounded */
2191 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2192 tun);
2193 au_write((caddr_t *)&ad, au_to_text(buf));
2194 }
2195
2196 /* Add subject information */
2197 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2198 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2199
2200 /* add a return token */
2201 add_return_token((caddr_t *)&ad, 0, error, 0);
2202
2203 AS_INC(as_generated, 1, kctx);
2204 AS_INC(as_kernel, 1, kctx);
2205
2206 }
2207 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2208 NULL);
2209
2210 /*
2211 * clear the ctrl flag so that we don't have spurious collection of
2212 * audit information.
2213 */
2214 tad->tad_scid = 0;
2215 tad->tad_event = 0;
2216 tad->tad_evmod = 0;
2217 tad->tad_ctrl = 0;
2218 }
2219
2220 /*
2221 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2222 * PURPOSE: Add security attributes
2223 * CALLBY: AUDIT_ATTRIBUTES
2224 * AUDIT_CLOSEF
2225 * AUS_CLOSE
2226 * NOTE:
2227 * TODO:
2228 * QUESTION:
2229 */
2230
2231 void
2232 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2233 {
2234 /* Dump the SL */
2235 if (is_system_labeled()) {
2236 ts_label_t *tsl;
2237 bslabel_t *bsl;
2238
2239 tsl = getflabel(vp);
2240 if (tsl == NULL)
2241 return; /* nothing else to do */
2242
2243 bsl = label2bslabel(tsl);
2244 if (bsl == NULL)
2245 return; /* nothing else to do */
2246 au_write(ad, au_to_label(bsl));
2247 label_rele(tsl);
2248 }
2249
2250 } /* AUDIT_SEC_ATTRIBUTES */