7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -725,11 +725,11 @@
* QUESTION:
*/
void
audit_closef(struct file *fp)
-{ /* AUDIT_CLOSEF */
+{
f_audit_data_t *fad;
t_audit_data_t *tad;
int success;
au_state_t estate;
struct vnode *vp;
@@ -1596,14 +1596,11 @@
}
/*ARGSUSED*/
void
-audit_fdsend(fd, fp, error)
- int fd;
- struct file *fp;
- int error; /* ignore for now */
+audit_fdsend(int fd, struct file *fp, int error)
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */
@@ -1671,10 +1668,75 @@
priv_addset(target, priv);
}
}
/*
+ * Audit the psecflags() system call; the set name, current value, and delta
+ * are put in the audit trail.
+ */
+void
+audit_psecflags(proc_t *p,
+ psecflagwhich_t which,
+ const secflagdelta_t *psd)
+{
+ t_audit_data_t *tad;
+ secflagset_t new;
+ const secflagset_t *old;
+ const char *s;
+ cred_t *cr;
+ pid_t pid;
+ const auditinfo_addr_t *ainfo;
+ const psecflags_t *psec = &p->p_secflags;
+
+ tad = U2A(u);
+
+ if (tad->tad_flag == 0)
+ return;
+
+ switch (which) {
+ case PSF_EFFECTIVE:
+ s = "effective";
+ old = &psec->psf_effective;
+ break;
+ case PSF_INHERIT:
+ s = "inherit";
+ old = &psec->psf_inherit;
+ break;
+ case PSF_LOWER:
+ s = "lower";
+ old = &psec->psf_lower;
+ break;
+ case PSF_UPPER:
+ s = "upper";
+ old = &psec->psf_upper;
+ break;
+ }
+
+ secflags_copy(&new, old);
+ secflags_apply_delta(&new, psd);
+
+ au_uwrite(au_to_secflags(s, *old));
+ au_uwrite(au_to_secflags(s, new));
+
+ ASSERT(mutex_owned(&p->p_lock));
+ mutex_enter(&p->p_crlock);
+
+ pid = p->p_pid;
+ crhold(cr = p->p_cred);
+ mutex_exit(&p->p_crlock);
+
+ if ((ainfo = crgetauinfo(cr)) == NULL) {
+ crfree(cr);
+ return;
+ }
+
+ AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
+
+ crfree(cr);
+}
+
+/*
* Audit the setpriv() system call; the operation, the set name and
* the current value as well as the set argument are put in the
* audit trail.
*/
void
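Review bot: The switch on `which` (the `case PSF_EFFECTIVE` … `case PSF_UPPER` block) has no `default`, so for any value outside those four cases `s` and `old` are left uninitialized and `secflags_copy(&new, old)` dereferences an indeterminate pointer; `which` originates from the psecflags(2) argument, and even if the caller validates it before calling here (not visible in this hunk) the audit path should not rely on that silently. Adding `default:` / `return;` as the last case (or an ASSERT that documents the caller's contract) closes that path and also removes the may-be-uninitialized warning on `s`/`old`. Separately, `psec = &p->p_secflags` is read at declaration time and the set is copied and written to the trail before `ASSERT(mutex_owned(&p->p_lock))` runs, so the assertion would be more useful placed immediately after the `tad->tad_flag == 0` check, before any field of `p` is read. audit_psecflags is complete within this hunk.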
@@ -1747,13 +1809,11 @@
}
}
/*ARGSUSED*/
void
-audit_fdrecv(fd, fp)
- int fd;
- struct file *fp;
+audit_fdrecv(int fd, struct file *fp)
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */