710 * ROUTINE: AUDIT_CLOSEF
711 * PURPOSE:
712 * CALLBY: CLOSEF
713 * NOTE:
714 * release per file audit resources when file structure is being released.
715 *
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 * on the audit queue if it becomes full. This means
718 * audit_closef can not be called when f_count == 0. Since
719 * f_count == 0 indicates the file structure is free, another
720 * process could attempt to use the file while we were still
721 * asleep waiting on the audit queue. This would cause the
722 * per file audit data to be corrupted when we finally do
723 * wakeup.
724 * TODO:
725 * QUESTION:
726 */
727
728 void
729 audit_closef(struct file *fp)
730 { /* AUDIT_CLOSEF */
731 f_audit_data_t *fad;
732 t_audit_data_t *tad;
733 int success;
734 au_state_t estate;
735 struct vnode *vp;
736 token_t *ad = NULL;
737 struct vattr attr;
738 au_emod_t evmod = 0;
739 const auditinfo_addr_t *ainfo;
740 cred_t *cr;
741 au_kcontext_t *kctx = GET_KCTX_PZ;
742 uint32_t auditing;
743 boolean_t audit_attr = B_FALSE;
744
745 fad = F2A(fp);
746 estate = kctx->auk_ets[AUE_CLOSE];
747 tad = U2A(u);
748 cr = CRED();
749
750 /* audit record already generated by system call envelope */
1581 * In that case, assume the running kernel data model.
1582 */
1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 else
1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591
1592 if (sy_flags == SE_64RVAL)
1593 au_write(ad, au_to_return64(err, rval));
1594 else
1595 au_write(ad, au_to_return32(err, rval));
1596
1597 }
1598
1599 /*ARGSUSED*/
1600 void
1601 audit_fdsend(fd, fp, error)
1602 int fd;
1603 struct file *fp;
1604 int error; /* ignore for now */
1605 {
1606 t_audit_data_t *tad; /* current thread */
1607 f_audit_data_t *fad; /* per file audit structure */
1608 struct vnode *vp; /* for file attributes */
1609
1610 /* is this system call being audited */
1611 tad = U2A(u);
1612 ASSERT(tad != (t_audit_data_t *)0);
1613 if (!tad->tad_flag)
1614 return;
1615
1616 fad = F2A(fp);
1617
1618 /* add path and file attributes */
1619 if (fad != NULL && fad->fad_aupath != NULL) {
1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 au_uwrite(au_to_path(fad->fad_aupath));
1622 } else {
1623 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1624 #ifdef _LP64
1656 /* Tell audit_success() and audit_finish() that we saw this case */
1657 if (!(tad->tad_evmod & sbit)) {
1658 /* Clear set first time around */
1659 priv_emptyset(target);
1660 tad->tad_evmod |= sbit;
1661 }
1662
1663 /* Save the privileges in the tad */
1664 if (priv == PRIV_ALL) {
1665 priv_fillset(target);
1666 } else {
1667 ASSERT(set != NULL || priv != PRIV_NONE);
1668 if (set != NULL)
1669 priv_union(set, target);
1670 if (priv != PRIV_NONE)
1671 priv_addset(target, priv);
1672 }
1673 }
1674
1675 /*
1676 * Audit the setpriv() system call; the operation, the set name and
1677 * the current value as well as the set argument are put in the
1678 * audit trail.
1679 */
1680 void
1681 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1682 {
1683 t_audit_data_t *tad;
1684 const priv_set_t *oldpriv;
1685 priv_set_t report;
1686 const char *setname;
1687
1688 tad = U2A(u);
1689
1690 if (tad->tad_flag == 0)
1691 return;
1692
1693 oldpriv = priv_getset(ocr, set);
1694
1695 /* Generate the actual record, include the before and after */
1732 if (tad->tad_flag == 0)
1733 return;
1734
1735 for (i = 0; i < nitems; i++) {
1736 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1737 if (items[i].dps_minornm[0] == '\0') {
1738 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1739 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1740 } else
1741 au_uwrite(au_to_text(items[i].dps_minornm));
1742
1743 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1744 AUT_PRIV, 0));
1745 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1746 AUT_PRIV, 0));
1747 }
1748 }
1749
1750 /*ARGSUSED*/
1751 void
1752 audit_fdrecv(fd, fp)
1753 int fd;
1754 struct file *fp;
1755 {
1756 t_audit_data_t *tad; /* current thread */
1757 f_audit_data_t *fad; /* per file audit structure */
1758 struct vnode *vp; /* for file attributes */
1759
1760 /* is this system call being audited */
1761 tad = U2A(u);
1762 ASSERT(tad != (t_audit_data_t *)0);
1763 if (!tad->tad_flag)
1764 return;
1765
1766 fad = F2A(fp);
1767
1768 /* add path and file attributes */
1769 if (fad != NULL && fad->fad_aupath != NULL) {
1770 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1771 au_uwrite(au_to_path(fad->fad_aupath));
1772 } else {
1773 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1774 #ifdef _LP64
|
710 * ROUTINE: AUDIT_CLOSEF
711 * PURPOSE:
712 * CALLBY: CLOSEF
713 * NOTE:
714 * release per file audit resources when file structure is being released.
715 *
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 * on the audit queue if it becomes full. This means
718 * audit_closef can not be called when f_count == 0. Since
719 * f_count == 0 indicates the file structure is free, another
720 * process could attempt to use the file while we were still
721 * asleep waiting on the audit queue. This would cause the
722 * per file audit data to be corrupted when we finally do
723 * wakeup.
724 * TODO:
725 * QUESTION:
726 */
727
728 void
729 audit_closef(struct file *fp)
730 {
731 f_audit_data_t *fad;
732 t_audit_data_t *tad;
733 int success;
734 au_state_t estate;
735 struct vnode *vp;
736 token_t *ad = NULL;
737 struct vattr attr;
738 au_emod_t evmod = 0;
739 const auditinfo_addr_t *ainfo;
740 cred_t *cr;
741 au_kcontext_t *kctx = GET_KCTX_PZ;
742 uint32_t auditing;
743 boolean_t audit_attr = B_FALSE;
744
745 fad = F2A(fp);
746 estate = kctx->auk_ets[AUE_CLOSE];
747 tad = U2A(u);
748 cr = CRED();
749
750 /* audit record already generated by system call envelope */
1581 * In that case, assume the running kernel data model.
1582 */
1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 else
1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591
1592 if (sy_flags == SE_64RVAL)
1593 au_write(ad, au_to_return64(err, rval));
1594 else
1595 au_write(ad, au_to_return32(err, rval));
1596
1597 }
1598
1599 /*ARGSUSED*/
1600 void
1601 audit_fdsend(int fd, struct file *fp, int error)
1602 {
1603 t_audit_data_t *tad; /* current thread */
1604 f_audit_data_t *fad; /* per file audit structure */
1605 struct vnode *vp; /* for file attributes */
1606
1607 /* is this system call being audited */
1608 tad = U2A(u);
1609 ASSERT(tad != (t_audit_data_t *)0);
1610 if (!tad->tad_flag)
1611 return;
1612
1613 fad = F2A(fp);
1614
1615 /* add path and file attributes */
1616 if (fad != NULL && fad->fad_aupath != NULL) {
1617 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1618 au_uwrite(au_to_path(fad->fad_aupath));
1619 } else {
1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 #ifdef _LP64
1653 /* Tell audit_success() and audit_finish() that we saw this case */
1654 if (!(tad->tad_evmod & sbit)) {
1655 /* Clear set first time around */
1656 priv_emptyset(target);
1657 tad->tad_evmod |= sbit;
1658 }
1659
1660 /* Save the privileges in the tad */
1661 if (priv == PRIV_ALL) {
1662 priv_fillset(target);
1663 } else {
1664 ASSERT(set != NULL || priv != PRIV_NONE);
1665 if (set != NULL)
1666 priv_union(set, target);
1667 if (priv != PRIV_NONE)
1668 priv_addset(target, priv);
1669 }
1670 }
1671
1672 /*
1673 * Audit the psecflags() system call; the set name, current value, and delta
1674 * are put in the audit trail.
1675 */
1676 void
1677 audit_psecflags(proc_t *p,
1678 psecflagwhich_t which,
1679 const secflagdelta_t *psd)
1680 {
1681 t_audit_data_t *tad;
1682 secflagset_t new;
1683 const secflagset_t *old;
1684 const char *s;
1685 cred_t *cr;
1686 pid_t pid;
1687 const auditinfo_addr_t *ainfo;
1688 const psecflags_t *psec = &p->p_secflags;
1689
1690 tad = U2A(u);
1691
1692 if (tad->tad_flag == 0)
1693 return;
1694
1695 switch (which) {
1696 case PSF_EFFECTIVE:
1697 s = "effective";
1698 old = &psec->psf_effective;
1699 break;
1700 case PSF_INHERIT:
1701 s = "inherit";
1702 old = &psec->psf_inherit;
1703 break;
1704 case PSF_LOWER:
1705 s = "lower";
1706 old = &psec->psf_lower;
1707 break;
1708 case PSF_UPPER:
1709 s = "upper";
1710 old = &psec->psf_upper;
1711 break;
1712 }
1713
1714 secflags_copy(&new, old);
1715 secflags_apply_delta(&new, psd);
1716
1717 au_uwrite(au_to_secflags(s, *old));
1718 au_uwrite(au_to_secflags(s, new));
1719
1720 ASSERT(mutex_owned(&p->p_lock));
1721 mutex_enter(&p->p_crlock);
1722
1723 pid = p->p_pid;
1724 crhold(cr = p->p_cred);
1725 mutex_exit(&p->p_crlock);
1726
1727 if ((ainfo = crgetauinfo(cr)) == NULL) {
1728 crfree(cr);
1729 return;
1730 }
1731
1732 AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733
1734 crfree(cr);
1735 }
1736
1737 /*
1738 * Audit the setpriv() system call; the operation, the set name and
1739 * the current value as well as the set argument are put in the
1740 * audit trail.
1741 */
1742 void
1743 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1744 {
1745 t_audit_data_t *tad;
1746 const priv_set_t *oldpriv;
1747 priv_set_t report;
1748 const char *setname;
1749
1750 tad = U2A(u);
1751
1752 if (tad->tad_flag == 0)
1753 return;
1754
1755 oldpriv = priv_getset(ocr, set);
1756
1757 /* Generate the actual record, include the before and after */
1794 if (tad->tad_flag == 0)
1795 return;
1796
1797 for (i = 0; i < nitems; i++) {
1798 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1799 if (items[i].dps_minornm[0] == '\0') {
1800 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1801 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1802 } else
1803 au_uwrite(au_to_text(items[i].dps_minornm));
1804
1805 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1806 AUT_PRIV, 0));
1807 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1808 AUT_PRIV, 0));
1809 }
1810 }
1811
1812 /*ARGSUSED*/
1813 void
1814 audit_fdrecv(int fd, struct file *fp)
1815 {
1816 t_audit_data_t *tad; /* current thread */
1817 f_audit_data_t *fad; /* per file audit structure */
1818 struct vnode *vp; /* for file attributes */
1819
1820 /* is this system call being audited */
1821 tad = U2A(u);
1822 ASSERT(tad != (t_audit_data_t *)0);
1823 if (!tad->tad_flag)
1824 return;
1825
1826 fad = F2A(fp);
1827
1828 /* add path and file attributes */
1829 if (fad != NULL && fad->fad_aupath != NULL) {
1830 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1831 au_uwrite(au_to_path(fad->fad_aupath));
1832 } else {
1833 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1834 #ifdef _LP64
|