Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/c2/audit.c
+++ new/usr/src/uts/common/c2/audit.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 */
25 25
26 26 /*
27 27 * This file contains the audit hook support code for auditing.
28 28 */
29 29
30 30 #include <sys/types.h>
31 31 #include <sys/proc.h>
32 32 #include <sys/vnode.h>
33 33 #include <sys/vfs.h>
34 34 #include <sys/file.h>
35 35 #include <sys/user.h>
36 36 #include <sys/stropts.h>
37 37 #include <sys/systm.h>
38 38 #include <sys/pathname.h>
39 39 #include <sys/syscall.h>
40 40 #include <sys/fcntl.h>
41 41 #include <sys/ipc_impl.h>
42 42 #include <sys/msg_impl.h>
43 43 #include <sys/sem_impl.h>
44 44 #include <sys/shm_impl.h>
45 45 #include <sys/kmem.h> /* for KM_SLEEP */
46 46 #include <sys/socket.h>
47 47 #include <sys/cmn_err.h> /* snprintf... */
48 48 #include <sys/debug.h>
49 49 #include <sys/thread.h>
50 50 #include <netinet/in.h>
51 51 #include <c2/audit.h> /* needs to be included before user.h */
52 52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 53 #include <c2/audit_kevents.h>
54 54 #include <c2/audit_record.h>
55 55 #include <sys/strsubr.h>
56 56 #include <sys/tihdr.h>
57 57 #include <sys/tiuser.h>
58 58 #include <sys/timod.h>
59 59 #include <sys/model.h> /* for model_t */
60 60 #include <sys/disp.h> /* for servicing_interrupt() */
61 61 #include <sys/devpolicy.h>
62 62 #include <sys/crypto/ioctladmin.h>
63 63 #include <sys/cred_impl.h>
64 64 #include <inet/kssl/kssl.h>
65 65 #include <net/pfpolicy.h>
66 66
67 67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 68
69 69 static void audit_pathbuild(struct pathname *pnp);
70 70
71 71
72 72 /*
73 73 * ROUTINE: AUDIT_SAVEPATH
74 74 * PURPOSE:
75 75 * CALLBY: LOOKUPPN
76 76 *
77 77 * NOTE: We have reached the end of a path in fs/lookup.c.
78 78 * We get two pieces of information here:
79 79 * the vnode of the last component (vp) and
80 80 * the status of the last access (flag).
81 81 * TODO:
82 82 * QUESTION:
83 83 */
84 84
85 85 /*ARGSUSED*/
86 86 int
87 87 audit_savepath(
88 88 struct pathname *pnp, /* pathname to lookup */
89 89 struct vnode *vp, /* vnode of the last component */
90 90 struct vnode *pvp, /* vnode of the last parent component */
91 91 int flag, /* status of the last access */
92 92 cred_t *cr) /* cred of requestor */
93 93 {
94 94
95 95 t_audit_data_t *tad; /* current thread */
96 96 au_kcontext_t *kctx = GET_KCTX_PZ;
97 97
98 98 tad = U2A(u);
99 99
100 100 /*
101 101 * Noise elimination in audit trails - this event will be discarded if:
102 102 * - the public policy is not active AND
103 103 * - the system call is a public operation AND
104 104 * - the file was not found: VFS lookup failed with ENOENT error AND
105 105 * - the missing file would have been located in the public directory
106 106 * owned by root if it had existed
107 107 */
108 108 if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109 109 (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110 110 !(kctx->auk_policy & AUDIT_PUBLIC)) {
111 111 struct vattr attr;
112 112
113 113 attr.va_mask = AT_ALL;
114 114 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115 115 if (object_is_public(&attr)) {
116 116 tad->tad_ctrl |= TAD_NOAUDIT;
117 117 }
118 118 }
119 119 }
120 120
121 121 /*
122 122 * this event being audited or do we need path information
123 123 * later? This might be for a chdir/chroot or open (add path
124 124 * to file pointer. If the path has already been found for an
125 125 * open/creat then we don't need to process the path.
126 126 *
127 127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 128 * chroot, chdir, open, creat system call processing. It determines
129 129 * if audit_savepath() will discard the path or we need it later.
130 130 * TAD_PATHFND means path already included in this audit record. It
131 131 * is used in cases where multiple path lookups are done per
132 132 * system call. The policy flag, AUDIT_PATH, controls if multiple
133 133 * paths are allowed.
134 134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 135 * exit processing to inhibit any paths that may be added due to
136 136 * closes.
137 137 */
138 138 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139 139 ((tad->tad_ctrl & TAD_PATHFND) &&
140 140 !(kctx->auk_policy & AUDIT_PATH)) ||
141 141 (tad->tad_ctrl & TAD_NOPATH)) {
142 142 return (0);
143 143 }
144 144
145 145 tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */
146 146
147 147 audit_pathbuild(pnp);
148 148
149 149 /*
150 150 * are we auditing only if error, or if it is not open or create
151 151 * otherwise audit_setf will do it
152 152 */
153 153
154 154 if (tad->tad_flag) {
155 155 if (flag &&
156 156 (tad->tad_scid == SYS_open ||
157 157 tad->tad_scid == SYS_open64 ||
158 158 tad->tad_scid == SYS_openat ||
159 159 tad->tad_scid == SYS_openat64)) {
160 160 tad->tad_ctrl |= TAD_TRUE_CREATE;
161 161 }
162 162
163 163 /* add token to audit record for this name */
164 164 au_uwrite(au_to_path(tad->tad_aupath));
165 165
166 166 /* add the attributes of the object */
167 167 if (vp) {
168 168 /*
169 169 * only capture attributes when there is no error
170 170 * lookup will not return the vnode of the failing
171 171 * component.
172 172 *
173 173 * if there was a lookup error, then don't add
174 174 * attribute. if lookup in vn_create(),
175 175 * then don't add attribute,
176 176 * it will be added at end of vn_create().
177 177 */
178 178 if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179 179 audit_attributes(vp);
180 180 }
181 181 }
182 182
183 183 /* free up space if we're not going to save path (open, creat) */
184 184 if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185 185 if (tad->tad_aupath != NULL) {
186 186 au_pathrele(tad->tad_aupath);
187 187 tad->tad_aupath = NULL;
188 188 }
189 189 }
190 190 if (tad->tad_ctrl & TAD_MLD)
191 191 tad->tad_ctrl |= TAD_PATHFND;
192 192
193 193 tad->tad_ctrl &= ~TAD_NOPATH; /* restore */
194 194 return (0);
195 195 }
196 196
197 197 static void
198 198 audit_pathbuild(struct pathname *pnp)
199 199 {
200 200 char *pp; /* pointer to path */
201 201 int len; /* length of incoming segment */
202 202 int newsect; /* path requires a new section */
203 203 struct audit_path *pfxapp; /* prefix for path */
204 204 struct audit_path *newapp; /* new audit_path */
205 205 t_audit_data_t *tad; /* current thread */
206 206 p_audit_data_t *pad; /* current process */
207 207
208 208 tad = U2A(u);
209 209 ASSERT(tad != NULL);
210 210 pad = P2A(curproc);
211 211 ASSERT(pad != NULL);
212 212
213 213 len = (pnp->pn_path - pnp->pn_buf) + 1; /* +1 for terminator */
214 214 ASSERT(len > 0);
215 215
216 216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 217 mutex_enter(&pad->pad_lock);
218 218 if (tad->tad_aupath != NULL) {
219 219 pfxapp = tad->tad_aupath;
220 220 } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221 221 ASSERT(tad->tad_atpath != NULL);
222 222 pfxapp = tad->tad_atpath;
223 223 } else if (tad->tad_ctrl & TAD_ABSPATH) {
224 224 pfxapp = pad->pad_root;
225 225 } else {
226 226 pfxapp = pad->pad_cwd;
227 227 }
228 228 au_pathhold(pfxapp);
229 229 mutex_exit(&pad->pad_lock);
230 230
231 231 /* get an expanded buffer to hold the anchored path */
232 232 newsect = tad->tad_ctrl & TAD_ATTPATH;
233 233 newapp = au_pathdup(pfxapp, newsect, len);
234 234 au_pathrele(pfxapp);
235 235
236 236 pp = newapp->audp_sect[newapp->audp_cnt] - len;
237 237 if (!newsect) {
238 238 /* overlay previous NUL terminator */
239 239 *(pp - 1) = '/';
240 240 }
241 241
242 242 /* now add string of processed path */
243 243 bcopy(pnp->pn_buf, pp, len);
244 244 pp[len - 1] = '\0';
245 245
246 246 /* perform path simplification as necessary */
247 247 audit_fixpath(newapp, len);
248 248
249 249 if (tad->tad_aupath)
250 250 au_pathrele(tad->tad_aupath);
251 251 tad->tad_aupath = newapp;
252 252
253 253 /* for case where multiple lookups in one syscall (rename) */
254 254 tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255 255 }
256 256
257 257
258 258 /*
259 259 * ROUTINE: AUDIT_ANCHORPATH
260 260 * PURPOSE:
261 261 * CALLBY: LOOKUPPN
262 262 * NOTE:
263 263 * anchor path at "/". We have seen a symbolic link or entering for the
264 264 * first time we will throw away any saved path if path is anchored.
265 265 *
266 266 * flag = 0, path is relative.
267 267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268 268 *
269 269 * If the (new) path is absolute, then we have to throw away whatever we have
270 270 * already accumulated since it is being superseded by new path which is
271 271 * anchored at the root.
272 272 * Note that if the path is relative, this function does nothing
273 273 * TODO:
274 274 * QUESTION:
275 275 */
276 276 /*ARGSUSED*/
277 277 void
278 278 audit_anchorpath(struct pathname *pnp, int flag)
279 279 {
280 280 au_kcontext_t *kctx = GET_KCTX_PZ;
281 281 t_audit_data_t *tad;
282 282
283 283 tad = U2A(u);
284 284
285 285 /*
286 286 * this event being audited or do we need path information
287 287 * later? This might be for a chdir/chroot or open (add path
288 288 * to file pointer. If the path has already been found for an
289 289 * open/creat then we don't need to process the path.
290 290 *
291 291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 292 * chroot, chdir, open, creat system call processing. It determines
293 293 * if audit_savepath() will discard the path or we need it later.
294 294 * TAD_PATHFND means path already included in this audit record. It
295 295 * is used in cases where multiple path lookups are done per
296 296 * system call. The policy flag, AUDIT_PATH, controls if multiple
297 297 * paths are allowed.
298 298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 299 * exit processing to inhibit any paths that may be added due to
300 300 * closes.
301 301 */
302 302 if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303 303 ((tad->tad_ctrl & TAD_PATHFND) &&
304 304 !(kctx->auk_policy & AUDIT_PATH)) ||
305 305 (tad->tad_ctrl & TAD_NOPATH)) {
306 306 return;
307 307 }
308 308
309 309 if (flag) {
310 310 tad->tad_ctrl |= TAD_ABSPATH;
311 311 if (tad->tad_aupath != NULL) {
312 312 au_pathrele(tad->tad_aupath);
313 313 tad->tad_aupath = NULL;
314 314 }
315 315 }
316 316 }
317 317
318 318
319 319 /*
320 320 * symbolic link. Save previous components.
321 321 *
322 322 * the path seen so far looks like this
323 323 *
324 324 * +-----------------------+----------------+
325 325 * | path processed so far | remaining path |
326 326 * +-----------------------+----------------+
327 327 * \-----------------------/
328 328 * save this string if
329 329 * symbolic link relative
330 330 * (but don't include symlink component)
331 331 */
332 332
333 333 /*ARGSUSED*/
334 334
335 335
336 336 /*
337 337 * ROUTINE: AUDIT_SYMLINK
338 338 * PURPOSE:
339 339 * CALLBY: LOOKUPPN
340 340 * NOTE:
341 341 * TODO:
342 342 * QUESTION:
343 343 */
344 344 void
345 345 audit_symlink(struct pathname *pnp, struct pathname *sympath)
346 346 {
347 347 char *sp; /* saved initial pp */
348 348 char *cp; /* start of symlink path */
349 349 uint_t len_path; /* processed path before symlink */
350 350 t_audit_data_t *tad;
351 351 au_kcontext_t *kctx = GET_KCTX_PZ;
352 352
353 353 tad = U2A(u);
354 354
355 355 /*
356 356 * this event being audited or do we need path information
357 357 * later? This might be for a chdir/chroot or open (add path
358 358 * to file pointer. If the path has already been found for an
359 359 * open/creat then we don't need to process the path.
360 360 *
361 361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 362 * chroot, chdir, open, creat system call processing. It determines
363 363 * if audit_savepath() will discard the path or we need it later.
364 364 * TAD_PATHFND means path already included in this audit record. It
365 365 * is used in cases where multiple path lookups are done per
366 366 * system call. The policy flag, AUDIT_PATH, controls if multiple
367 367 * paths are allowed.
368 368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 369 * exit processing to inhibit any paths that may be added due to
370 370 * closes.
371 371 */
372 372 if ((tad->tad_flag == 0 &&
373 373 !(tad->tad_ctrl & TAD_SAVPATH)) ||
374 374 ((tad->tad_ctrl & TAD_PATHFND) &&
375 375 !(kctx->auk_policy & AUDIT_PATH)) ||
376 376 (tad->tad_ctrl & TAD_NOPATH)) {
377 377 return;
378 378 }
379 379
380 380 /*
381 381 * if symbolic link is anchored at / then do nothing.
382 382 * When we cycle back to begin: in lookuppn() we will
383 383 * call audit_anchorpath() with a flag indicating if the
384 384 * path is anchored at / or is relative. We will release
385 385 * any saved path at that point.
386 386 *
387 387 * Note In the event that an error occurs in pn_combine then
388 388 * we want to remain pointing at the component that caused the
389 389 * path to overflow the pnp structure.
390 390 */
391 391 if (sympath->pn_buf[0] == '/')
392 392 return;
393 393
394 394 /* backup over last component */
395 395 sp = cp = pnp->pn_path;
396 396 while (*--cp != '/' && cp > pnp->pn_buf)
397 397 ;
398 398
399 399 len_path = cp - pnp->pn_buf;
400 400
401 401 /* is there anything to save? */
402 402 if (len_path) {
403 403 pnp->pn_path = pnp->pn_buf;
404 404 audit_pathbuild(pnp);
405 405 pnp->pn_path = sp;
406 406 }
407 407 }
408 408
409 409 /*
410 410 * object_is_public : determine whether events for the object (corresponding to
411 411 * the specified file/directory attr) should be audited or
412 412 * ignored.
413 413 *
414 414 * returns: 1 - if audit policy and object attributes indicate that
415 415 * file/directory is effectively public. read events for
416 416 * the file should not be audited.
417 417 * 0 - otherwise
418 418 *
419 419 * The required attributes to be considered a public object are:
420 420 * - owned by root, AND
421 421 * - world-readable (permissions for other include read), AND
422 422 * - NOT world-writeable (permissions for other don't
423 423 * include write)
424 424 * (mode doesn't need to be checked for symlinks)
425 425 */
426 426 int
427 427 object_is_public(struct vattr *attr)
428 428 {
429 429 au_kcontext_t *kctx = GET_KCTX_PZ;
430 430
431 431 if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432 432 ((attr->va_type == VLNK) ||
433 433 ((attr->va_mode & (VREAD>>6)) != 0) &&
434 434 ((attr->va_mode & (VWRITE>>6)) == 0))) {
435 435 return (1);
436 436 }
437 437 return (0);
438 438 }
439 439
440 440
441 441 /*
442 442 * ROUTINE: AUDIT_ATTRIBUTES
443 443 * PURPOSE: Audit the attributes so we can tell why the error occurred
444 444 * CALLBY: AUDIT_SAVEPATH
445 445 * AUDIT_VNCREATE_FINISH
446 446 * AUS_FCHOWN...audit_event.c...audit_path.c
447 447 * NOTE:
448 448 * TODO:
449 449 * QUESTION:
450 450 */
451 451 void
452 452 audit_attributes(struct vnode *vp)
453 453 {
454 454 struct vattr attr;
455 455 struct t_audit_data *tad;
456 456
457 457 tad = U2A(u);
458 458
459 459 if (vp) {
460 460 attr.va_mask = AT_ALL;
461 461 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462 462 return;
463 463
464 464 if (object_is_public(&attr) &&
465 465 (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466 466 /*
467 467 * This is a public object and a "public" event
468 468 * (i.e., read only) -- either by definition
469 469 * (e.g., stat, access...) or by virtue of write access
470 470 * not being requested (e.g. mmap).
471 471 * Flag it in the tad to prevent this audit at the end.
472 472 */
473 473 tad->tad_ctrl |= TAD_NOAUDIT;
474 474 } else {
475 475 au_uwrite(au_to_attr(&attr));
476 476 audit_sec_attributes(&(u_ad), vp);
477 477 }
478 478 }
479 479 }
480 480
481 481
482 482 /*
483 483 * ROUTINE: AUDIT_EXIT
484 484 * PURPOSE:
485 485 * CALLBY: EXIT
486 486 * NOTE:
487 487 * TODO:
488 488 * QUESTION: why cmw code as offset by 2 but not here
489 489 */
490 490 /* ARGSUSED */
491 491 void
492 492 audit_exit(int code, int what)
493 493 {
494 494 struct t_audit_data *tad;
495 495 tad = U2A(u);
496 496
497 497 /*
498 498 * tad_scid will be set by audit_start even if we are not auditing
499 499 * the event.
500 500 */
501 501 if (tad->tad_scid == SYS_exit) {
502 502 /*
503 503 * if we are auditing the exit system call, then complete
504 504 * audit record generation (no return from system call).
505 505 */
506 506 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507 507 audit_finish(0, SYS_exit, 0, 0);
508 508 return;
509 509 }
510 510
511 511 /*
512 512 * Anyone auditing the system call that was aborted?
513 513 */
514 514 if (tad->tad_flag) {
515 515 au_uwrite(au_to_text("event aborted"));
516 516 audit_finish(0, tad->tad_scid, 0, 0);
517 517 }
518 518
519 519 /*
520 520 * Generate an audit record for process exit if preselected.
521 521 */
522 522 (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523 523 audit_finish(0, SYS_exit, 0, 0);
524 524 }
525 525
526 526 /*
527 527 * ROUTINE: AUDIT_CORE_START
528 528 * PURPOSE:
529 529 * CALLBY: PSIG
530 530 * NOTE:
531 531 * TODO:
532 532 */
533 533 void
534 534 audit_core_start(int sig)
535 535 {
536 536 au_event_t event;
537 537 au_state_t estate;
538 538 t_audit_data_t *tad;
539 539 au_kcontext_t *kctx;
540 540
541 541 tad = U2A(u);
542 542
543 543 ASSERT(tad != (t_audit_data_t *)0);
544 544
545 545 ASSERT(tad->tad_scid == 0);
546 546 ASSERT(tad->tad_event == 0);
547 547 ASSERT(tad->tad_evmod == 0);
548 548 ASSERT(tad->tad_ctrl == 0);
549 549 ASSERT(tad->tad_flag == 0);
550 550 ASSERT(tad->tad_aupath == NULL);
551 551
552 552 kctx = GET_KCTX_PZ;
553 553
554 554 /* get basic event for system call */
555 555 event = AUE_CORE;
556 556 estate = kctx->auk_ets[event];
557 557
558 558 if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559 559 return;
560 560
561 561 /* reset the flags for non-user attributable events */
562 562 tad->tad_ctrl = TAD_CORE;
563 563 tad->tad_scid = 0;
564 564
565 565 /* if auditing not enabled, then don't generate an audit record */
566 566
567 567 if (!((kctx->auk_auditstate == AUC_AUDITING ||
568 568 kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569 569 kctx->auk_auditstate == AUC_NOSPACE)) {
570 570 tad->tad_flag = 0;
571 571 tad->tad_ctrl = 0;
572 572 return;
573 573 }
574 574
575 575 tad->tad_event = event;
576 576 tad->tad_evmod = 0;
577 577
578 578 ASSERT(tad->tad_ad == NULL);
579 579
580 580 au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581 581 }
582 582
583 583 /*
584 584 * ROUTINE: AUDIT_CORE_FINISH
585 585 * PURPOSE:
586 586 * CALLBY: PSIG
587 587 * NOTE:
588 588 * TODO:
589 589 * QUESTION:
590 590 */
591 591
592 592 /*ARGSUSED*/
593 593 void
594 594 audit_core_finish(int code)
595 595 {
596 596 int flag;
597 597 t_audit_data_t *tad;
598 598 au_kcontext_t *kctx;
599 599
600 600 tad = U2A(u);
601 601
602 602 ASSERT(tad != (t_audit_data_t *)0);
603 603
604 604 if ((flag = tad->tad_flag) == 0) {
605 605 tad->tad_event = 0;
606 606 tad->tad_evmod = 0;
607 607 tad->tad_ctrl = 0;
608 608 ASSERT(tad->tad_aupath == NULL);
609 609 return;
610 610 }
611 611 tad->tad_flag = 0;
612 612
613 613 kctx = GET_KCTX_PZ;
614 614
615 615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 616 if (flag = audit_success(kctx, tad, 0, NULL)) {
617 617 cred_t *cr = CRED();
618 618 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619 619
620 620 ASSERT(ainfo != NULL);
621 621
622 622 /*
623 623 * Add subject information (no locks since our private copy of
624 624 * credential
625 625 */
626 626 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627 627
628 628 /* Add a return token (should use f argument) */
629 629 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630 630
631 631 AS_INC(as_generated, 1, kctx);
632 632 AS_INC(as_kernel, 1, kctx);
633 633 }
634 634
635 635 /* Close up everything */
636 636 au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637 637
638 638 /* free up any space remaining with the path's */
639 639 if (tad->tad_aupath != NULL) {
640 640 au_pathrele(tad->tad_aupath);
641 641 tad->tad_aupath = NULL;
642 642 }
643 643 tad->tad_event = 0;
644 644 tad->tad_evmod = 0;
645 645 tad->tad_ctrl = 0;
646 646 }
647 647
648 648
649 649 /*ARGSUSED*/
650 650 void
651 651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652 652 unsigned char *pri, int *flag, int fmode)
653 653 {
654 654 struct stdata *stp;
655 655 t_audit_data_t *tad = U2A(u);
656 656
657 657 ASSERT(tad != (t_audit_data_t *)0);
658 658
659 659 stp = vp->v_stream;
660 660
661 661 /* lock stdata from audit_sock */
662 662 mutex_enter(&stp->sd_lock);
663 663
664 664 /* proceed ONLY if user is being audited */
665 665 if (!tad->tad_flag) {
666 666 /*
667 667 * this is so we will not add audit data onto
668 668 * a thread that is not being audited.
669 669 */
670 670 stp->sd_t_audit_data = NULL;
671 671 mutex_exit(&stp->sd_lock);
672 672 return;
673 673 }
674 674
675 675 stp->sd_t_audit_data = (caddr_t)curthread;
676 676 mutex_exit(&stp->sd_lock);
677 677 }
678 678
679 679 /*ARGSUSED*/
680 680 void
681 681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682 682 unsigned char pri, int flag, int fmode)
683 683 {
684 684 struct stdata *stp;
685 685 t_audit_data_t *tad = U2A(u);
686 686
687 687 ASSERT(tad != (t_audit_data_t *)0);
688 688
689 689 stp = vp->v_stream;
690 690
691 691 /* lock stdata from audit_sock */
692 692 mutex_enter(&stp->sd_lock);
693 693
694 694 /* proceed ONLY if user is being audited */
695 695 if (!tad->tad_flag) {
696 696 /*
697 697 * this is so we will not add audit data onto
698 698 * a thread that is not being audited.
699 699 */
700 700 stp->sd_t_audit_data = NULL;
701 701 mutex_exit(&stp->sd_lock);
702 702 return;
703 703 }
704 704
705 705 stp->sd_t_audit_data = (caddr_t)curthread;
706 706 mutex_exit(&stp->sd_lock);
707 707 }
708 708
709 709 /*
710 710 * ROUTINE: AUDIT_CLOSEF
711 711 * PURPOSE:
712 712 * CALLBY: CLOSEF
713 713 * NOTE:
714 714 * release per file audit resources when file structure is being released.
715 715 *
716 716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 717 * on the audit queue if it becomes full. This means
718 718 * audit_closef can not be called when f_count == 0. Since
719 719 * f_count == 0 indicates the file structure is free, another
|
↓ open down ↓ |
719 lines elided |
↑ open up ↑ |
720 720 * process could attempt to use the file while we were still
721 721 * asleep waiting on the audit queue. This would cause the
722 722 * per file audit data to be corrupted when we finally do
723 723 * wakeup.
724 724 * TODO:
725 725 * QUESTION:
726 726 */
727 727
728 728 void
729 729 audit_closef(struct file *fp)
730 -{ /* AUDIT_CLOSEF */
730 +{
731 731 f_audit_data_t *fad;
732 732 t_audit_data_t *tad;
733 733 int success;
734 734 au_state_t estate;
735 735 struct vnode *vp;
736 736 token_t *ad = NULL;
737 737 struct vattr attr;
738 738 au_emod_t evmod = 0;
739 739 const auditinfo_addr_t *ainfo;
740 740 cred_t *cr;
741 741 au_kcontext_t *kctx = GET_KCTX_PZ;
742 742 uint32_t auditing;
743 743 boolean_t audit_attr = B_FALSE;
744 744
745 745 fad = F2A(fp);
746 746 estate = kctx->auk_ets[AUE_CLOSE];
747 747 tad = U2A(u);
748 748 cr = CRED();
749 749
750 750 /* audit record already generated by system call envelope */
751 751 if (tad->tad_event == AUE_CLOSE) {
752 752 /* so close audit event will have bits set */
753 753 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754 754 return;
755 755 }
756 756
757 757 /* if auditing not enabled, then don't generate an audit record */
758 758 auditing = (tad->tad_audit == AUC_UNSET) ?
759 759 kctx->auk_auditstate : tad->tad_audit;
760 760 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761 761 return;
762 762
763 763 ainfo = crgetauinfo(cr);
764 764 if (ainfo == NULL)
765 765 return;
766 766
767 767 success = ainfo->ai_mask.as_success & estate;
768 768
769 769 /* not selected for this event */
770 770 if (success == 0)
771 771 return;
772 772
773 773 /*
774 774 * can't use audit_attributes here since we use a private audit area
775 775 * to build the audit record instead of the one off the thread.
776 776 */
777 777 if ((vp = fp->f_vnode) != NULL) {
778 778 attr.va_mask = AT_ALL;
779 779 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780 780 if ((fp->f_flag & FWRITE) == 0 &&
781 781 object_is_public(&attr)) {
782 782 /*
783 783 * When write was not used and the file can be
784 784 * considered public, then skip the audit.
785 785 */
786 786 return;
787 787 }
|
↓ open down ↓ |
47 lines elided |
↑ open up ↑ |
788 788 audit_attr = B_TRUE;
789 789 }
790 790 }
791 791
792 792 evmod = (au_emod_t)fad->fad_flags;
793 793 if (fad->fad_aupath != NULL) {
794 794 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795 795 } else {
796 796 #ifdef _LP64
797 797 au_write((caddr_t *)&(ad), au_to_arg64(
798 - 1, "no path: fp", (uint64_t)fp));
798 + 1, "no path: fp", (uint64_t)fp));
799 799 #else
800 800 au_write((caddr_t *)&(ad), au_to_arg32(
801 - 1, "no path: fp", (uint32_t)fp));
801 + 1, "no path: fp", (uint32_t)fp));
802 802 #endif
803 803 }
804 804
805 805 if (audit_attr) {
806 806 au_write((caddr_t *)&(ad), au_to_attr(&attr));
807 807 audit_sec_attributes((caddr_t *)&(ad), vp);
808 808 }
809 809
810 810 /* Add subject information */
811 811 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812 812
813 813 /* add a return token */
814 814 add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815 815
816 816 AS_INC(as_generated, 1, kctx);
817 817 AS_INC(as_kernel, 1, kctx);
818 818
819 819 /*
820 820 * Close up everything
821 821 * Note: path space recovery handled by normal system
822 822 * call envelope if not at last close.
823 823 * Note there is no failure at this point since
824 824 * this represents closes due to exit of process,
825 825 * thus we always indicate successful closes.
826 826 */
827 827 au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828 828 AUE_CLOSE, evmod, NULL);
829 829 }
830 830
831 831 /*
832 832 * ROUTINE: AUDIT_SET
833 833 * PURPOSE: Audit the file path and file attributes.
834 834 * CALLBY: SETF
835 835 * NOTE: SETF associate a file pointer with user area's open files.
836 836 * TODO:
837 837 * call audit_finish directly ???
838 838 * QUESTION:
839 839 */
840 840
841 841 /*ARGSUSED*/
842 842 void
843 843 audit_setf(file_t *fp, int fd)
844 844 {
845 845 f_audit_data_t *fad;
846 846 t_audit_data_t *tad;
847 847
848 848 if (fp == NULL)
849 849 return;
850 850
851 851 tad = T2A(curthread);
852 852 fad = F2A(fp);
853 853
854 854 if (!(tad->tad_scid == SYS_open ||
855 855 tad->tad_scid == SYS_open64 ||
856 856 tad->tad_scid == SYS_openat ||
857 857 tad->tad_scid == SYS_openat64))
858 858 return;
859 859
860 860 /* no path */
861 861 if (tad->tad_aupath == 0)
862 862 return;
863 863
864 864 /*
865 865 * assign path information associated with file audit data
866 866 * use tad hold
867 867 */
868 868 fad->fad_aupath = tad->tad_aupath;
869 869 tad->tad_aupath = NULL;
870 870
871 871 if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872 872 /* adjust event type by dropping the 'creat' part */
873 873 switch (tad->tad_event) {
874 874 case AUE_OPEN_RC:
875 875 tad->tad_event = AUE_OPEN_R;
876 876 tad->tad_ctrl |= TAD_PUBLIC_EV;
877 877 break;
878 878 case AUE_OPEN_RTC:
879 879 tad->tad_event = AUE_OPEN_RT;
880 880 break;
881 881 case AUE_OPEN_WC:
882 882 tad->tad_event = AUE_OPEN_W;
883 883 break;
884 884 case AUE_OPEN_WTC:
885 885 tad->tad_event = AUE_OPEN_WT;
886 886 break;
887 887 case AUE_OPEN_RWC:
888 888 tad->tad_event = AUE_OPEN_RW;
889 889 break;
890 890 case AUE_OPEN_RWTC:
891 891 tad->tad_event = AUE_OPEN_RWT;
892 892 break;
893 893 default:
894 894 break;
895 895 }
896 896 }
897 897 }
898 898
899 899
900 900 void
901 901 audit_ipc(int type, int id, void *vp)
902 902 {
903 903 /* if not auditing this event, then do nothing */
904 904 if (ad_flag == 0)
905 905 return;
906 906
907 907 switch (type) {
908 908 case AT_IPC_MSG:
909 909 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910 910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911 911 break;
912 912 case AT_IPC_SEM:
913 913 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914 914 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915 915 break;
916 916 case AT_IPC_SHM:
917 917 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918 918 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919 919 break;
920 920 }
921 921 }
922 922
923 923 void
924 924 audit_ipcget(int type, void *vp)
925 925 {
926 926 /* if not auditing this event, then do nothing */
927 927 if (ad_flag == 0)
928 928 return;
929 929
930 930 switch (type) {
931 931 case NULL:
932 932 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933 933 break;
934 934 case AT_IPC_MSG:
935 935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936 936 break;
937 937 case AT_IPC_SEM:
938 938 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939 939 break;
940 940 case AT_IPC_SHM:
941 941 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942 942 break;
943 943 }
944 944 }
945 945
946 946 /*
947 947 * ROUTINE: AUDIT_REBOOT
948 948 * PURPOSE:
949 949 * CALLBY:
950 950 * NOTE:
951 951 * At this point we know that the system call reboot will not return. We thus
952 952 * have to complete the audit record generation and put it onto the queue.
953 953 * This might be fairly useless if the auditing daemon is already dead....
954 954 * TODO:
955 955 * QUESTION: who calls audit_reboot
956 956 */
957 957
958 958 void
959 959 audit_reboot(void)
960 960 {
961 961 int flag;
962 962 t_audit_data_t *tad;
963 963 au_kcontext_t *kctx = GET_KCTX_PZ;
964 964
965 965 tad = U2A(u);
966 966
967 967 /* if not auditing this event, then do nothing */
968 968 if (tad->tad_flag == 0)
969 969 return;
970 970
971 971 /* do preselection on success/failure */
972 972 if (flag = audit_success(kctx, tad, 0, NULL)) {
973 973 /* add a process token */
974 974
975 975 cred_t *cr = CRED();
976 976 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977 977
978 978 if (ainfo == NULL)
979 979 return;
980 980
981 981 /* Add subject information */
982 982 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983 983
984 984 /* add a return token */
985 985 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986 986
987 987 AS_INC(as_generated, 1, kctx);
988 988 AS_INC(as_kernel, 1, kctx);
989 989 }
990 990
991 991 /*
992 992 * Flow control useless here since we're going
993 993 * to drop everything in the queue anyway. Why
994 994 * block and wait. There aint anyone left alive to
995 995 * read the records remaining anyway.
996 996 */
997 997
998 998 /* Close up everything */
999 999 au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000 1000 tad->tad_event, tad->tad_evmod, NULL);
1001 1001 }
1002 1002
1003 1003 void
1004 1004 audit_setfsat_path(int argnum)
1005 1005 {
1006 1006 klwp_id_t clwp = ttolwp(curthread);
1007 1007 struct file *fp;
1008 1008 uint32_t fd;
1009 1009 t_audit_data_t *tad;
1010 1010 struct f_audit_data *fad;
1011 1011 p_audit_data_t *pad; /* current process */
1012 1012 uint_t fm;
1013 1013 struct a {
1014 1014 long arg1;
1015 1015 long arg2;
1016 1016 long arg3;
1017 1017 long arg4;
1018 1018 long arg5;
1019 1019 } *uap;
1020 1020
1021 1021 if (clwp == NULL)
1022 1022 return;
1023 1023 uap = (struct a *)clwp->lwp_ap;
1024 1024
1025 1025 tad = U2A(u);
1026 1026 ASSERT(tad != NULL);
1027 1027
1028 1028 switch (tad->tad_scid) {
1029 1029 case SYS_faccessat:
1030 1030 case SYS_fchmodat:
1031 1031 case SYS_fchownat:
1032 1032 case SYS_fstatat:
1033 1033 case SYS_fstatat64:
1034 1034 case SYS_mkdirat:
1035 1035 case SYS_mknodat:
1036 1036 case SYS_openat:
1037 1037 case SYS_openat64:
1038 1038 case SYS_readlinkat:
1039 1039 case SYS_unlinkat:
1040 1040 fd = uap->arg1;
1041 1041 break;
1042 1042 case SYS_linkat:
1043 1043 case SYS_renameat:
1044 1044 if (argnum == 3)
1045 1045 fd = uap->arg3;
1046 1046 else
1047 1047 fd = uap->arg1;
1048 1048 break;
1049 1049 case SYS_symlinkat:
1050 1050 case SYS_utimesys:
1051 1051 fd = uap->arg2;
1052 1052 break;
1053 1053 case SYS_open:
1054 1054 case SYS_open64:
1055 1055 fd = AT_FDCWD;
1056 1056 break;
1057 1057 default:
1058 1058 return;
1059 1059 }
1060 1060
1061 1061 if (tad->tad_atpath != NULL) {
1062 1062 au_pathrele(tad->tad_atpath);
1063 1063 tad->tad_atpath = NULL;
1064 1064 }
1065 1065
1066 1066 if (fd != AT_FDCWD) {
1067 1067 tad->tad_ctrl |= TAD_ATCALL;
1068 1068
1069 1069 if (tad->tad_scid == SYS_openat ||
1070 1070 tad->tad_scid == SYS_openat64) {
1071 1071 fm = (uint_t)uap->arg3;
1072 1072 if (fm & (FXATTR | FXATTRDIROPEN)) {
1073 1073 tad->tad_ctrl |= TAD_ATTPATH;
1074 1074 }
1075 1075 }
1076 1076
1077 1077 if ((fp = getf(fd)) == NULL) {
1078 1078 tad->tad_ctrl |= TAD_NOPATH;
1079 1079 return;
1080 1080 }
1081 1081 fad = F2A(fp);
1082 1082 ASSERT(fad);
1083 1083 if (fad->fad_aupath == NULL) {
1084 1084 tad->tad_ctrl |= TAD_NOPATH;
1085 1085 releasef(fd);
1086 1086 return;
1087 1087 }
1088 1088 au_pathhold(fad->fad_aupath);
1089 1089 tad->tad_atpath = fad->fad_aupath;
1090 1090 releasef(fd);
1091 1091 } else {
1092 1092 if (tad->tad_scid == SYS_open ||
1093 1093 tad->tad_scid == SYS_open64) {
1094 1094 fm = (uint_t)uap->arg2;
1095 1095 if (fm & FXATTR) {
1096 1096 tad->tad_ctrl |= TAD_ATTPATH;
1097 1097 }
1098 1098 return;
1099 1099 }
1100 1100 pad = P2A(curproc);
1101 1101 mutex_enter(&pad->pad_lock);
1102 1102 au_pathhold(pad->pad_cwd);
1103 1103 tad->tad_atpath = pad->pad_cwd;
1104 1104 mutex_exit(&pad->pad_lock);
1105 1105 }
1106 1106 }
1107 1107
1108 1108 void
1109 1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 1110 {
1111 1111 t_audit_data_t *tad;
1112 1112 vnode_t *vp;
1113 1113
1114 1114 tad = U2A(u);
1115 1115
1116 1116 /* if not auditing this event, then do nothing */
1117 1117 if (tad->tad_flag == 0)
1118 1118 return;
1119 1119
1120 1120 au_uwrite(au_to_text(target));
1121 1121
1122 1122 if (error)
1123 1123 return;
1124 1124
1125 1125 error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126 1126 NULL, NULL, NULL);
1127 1127 if (error == 0) {
1128 1128 audit_attributes(vp);
1129 1129 VN_RELE(vp);
1130 1130 }
1131 1131 }
1132 1132
1133 1133 /*
1134 1134 * ROUTINE: AUDIT_VNCREATE_START
1135 1135 * PURPOSE: set flag so path name lookup in create will not add attribute
1136 1136 * CALLBY: VN_CREATE
1137 1137 * NOTE:
1138 1138 * TODO:
1139 1139 * QUESTION:
1140 1140 */
1141 1141
1142 1142 void
1143 1143 audit_vncreate_start()
1144 1144 {
1145 1145 t_audit_data_t *tad;
1146 1146
1147 1147 tad = U2A(u);
1148 1148 tad->tad_ctrl |= TAD_NOATTRB;
1149 1149 }
1150 1150
1151 1151 /*
1152 1152 * ROUTINE: AUDIT_VNCREATE_FINISH
1153 1153 * PURPOSE:
1154 1154 * CALLBY: VN_CREATE
1155 1155 * NOTE:
1156 1156 * TODO:
1157 1157 * QUESTION:
1158 1158 */
1159 1159 void
1160 1160 audit_vncreate_finish(struct vnode *vp, int error)
1161 1161 {
1162 1162 t_audit_data_t *tad;
1163 1163
1164 1164 if (error)
1165 1165 return;
1166 1166
1167 1167 tad = U2A(u);
1168 1168
1169 1169 /* if not auditing this event, then do nothing */
1170 1170 if (tad->tad_flag == 0)
1171 1171 return;
1172 1172
1173 1173 if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174 1174 audit_attributes(vp);
1175 1175 }
1176 1176
1177 1177 if (tad->tad_ctrl & TAD_CORE) {
1178 1178 audit_attributes(vp);
1179 1179 tad->tad_ctrl &= ~TAD_CORE;
1180 1180 }
1181 1181
1182 1182 if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183 1183 (tad->tad_event == AUE_MKDIR))) {
1184 1184 audit_attributes(vp);
1185 1185 }
1186 1186
1187 1187 /* for case where multiple lookups in one syscall (rename) */
1188 1188 tad->tad_ctrl &= ~TAD_NOATTRB;
1189 1189 }
1190 1190
1191 1191
1192 1192
1193 1193
1194 1194
1195 1195
1196 1196
1197 1197
1198 1198 /*
1199 1199 * ROUTINE: AUDIT_EXEC
1200 1200 * PURPOSE: Records the function arguments and environment variables
1201 1201 * CALLBY: EXEC_ARGS
1202 1202 * NOTE:
1203 1203 * TODO:
1204 1204 * QUESTION:
1205 1205 */
1206 1206
1207 1207 void
1208 1208 audit_exec(
1209 1209 const char *argstr, /* argument strings */
1210 1210 const char *envstr, /* environment strings */
1211 1211 ssize_t argc, /* total # arguments */
1212 1212 ssize_t envc, /* total # environment variables */
1213 1213 cred_t *pfcred) /* the additional privileges in a profile */
1214 1214 {
1215 1215 t_audit_data_t *tad;
1216 1216 au_kcontext_t *kctx = GET_KCTX_PZ;
1217 1217
1218 1218 tad = U2A(u);
1219 1219
1220 1220 /* if not auditing this event, then do nothing */
1221 1221 if (!tad->tad_flag)
1222 1222 return;
1223 1223
1224 1224 if (pfcred != NULL) {
1225 1225 p_audit_data_t *pad;
1226 1226 cred_t *cr = CRED();
1227 1227 priv_set_t pset = CR_IPRIV(cr);
1228 1228
1229 1229 pad = P2A(curproc);
1230 1230
1231 1231 /* It's a different event. */
1232 1232 tad->tad_event = AUE_PFEXEC;
1233 1233
1234 1234 /* Add the current working directory to the audit trail. */
1235 1235 if (pad->pad_cwd != NULL)
1236 1236 au_uwrite(au_to_path(pad->pad_cwd));
1237 1237
1238 1238 /*
1239 1239 * The new credential is not yet in place when audit_exec
1240 1240 * is called.
1241 1241 * Compute the additional bits available in the new credential
1242 1242 * and the limit set.
1243 1243 */
1244 1244 priv_inverse(&pset);
1245 1245 priv_intersect(&CR_IPRIV(pfcred), &pset);
1246 1246 if (!priv_isemptyset(&pset) ||
1247 1247 !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248 1248 au_uwrite(au_to_privset(
1249 1249 priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250 1250 0));
1251 1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252 1252 &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253 1253 }
1254 1254 /*
1255 1255 * Compare the uids & gids: create a process token if changed.
1256 1256 */
1257 1257 if (crgetuid(cr) != crgetuid(pfcred) ||
1258 1258 crgetruid(cr) != crgetruid(pfcred) ||
1259 1259 crgetgid(cr) != crgetgid(pfcred) ||
1260 1260 crgetrgid(cr) != crgetrgid(pfcred)) {
1261 1261 AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262 1262 }
1263 1263 }
1264 1264
1265 1265 if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266 1266 au_uwrite(au_to_exec_args(argstr, argc));
1267 1267
1268 1268 if (kctx->auk_policy & AUDIT_ARGE)
1269 1269 au_uwrite(au_to_exec_env(envstr, envc));
1270 1270 }
1271 1271
1272 1272 /*
1273 1273 * ROUTINE: AUDIT_ENTERPROM
1274 1274 * PURPOSE:
1275 1275 * CALLBY: KBDINPUT
1276 1276 * ZSA_XSINT
1277 1277 * NOTE:
1278 1278 * TODO:
1279 1279 * QUESTION:
1280 1280 */
1281 1281 void
1282 1282 audit_enterprom(int flg)
1283 1283 {
1284 1284 token_t *rp = NULL;
1285 1285 int sorf;
1286 1286
1287 1287 if (flg)
1288 1288 sorf = AUM_SUCC;
1289 1289 else
1290 1290 sorf = AUM_FAIL;
1291 1291
1292 1292 AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293 1293
1294 1294 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295 1295
1296 1296 if (flg)
1297 1297 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298 1298 else
1299 1299 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300 1300
1301 1301 AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 1302 }
1303 1303
1304 1304
1305 1305 /*
1306 1306 * ROUTINE: AUDIT_EXITPROM
1307 1307 * PURPOSE:
1308 1308 * CALLBY: KBDINPUT
1309 1309 * ZSA_XSINT
1310 1310 * NOTE:
1311 1311 * TODO:
1312 1312 * QUESTION:
1313 1313 */
1314 1314 void
1315 1315 audit_exitprom(int flg)
1316 1316 {
1317 1317 int sorf;
1318 1318 token_t *rp = NULL;
1319 1319
1320 1320 if (flg)
1321 1321 sorf = AUM_SUCC;
1322 1322 else
1323 1323 sorf = AUM_FAIL;
1324 1324
1325 1325 AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326 1326
1327 1327 au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328 1328
1329 1329 if (flg)
1330 1330 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331 1331 else
1332 1332 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333 1333
1334 1334 AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 1335 }
1336 1336
1337 1337 struct fcntla {
1338 1338 int fdes;
1339 1339 int cmd;
1340 1340 intptr_t arg;
1341 1341 };
1342 1342
1343 1343
1344 1344 /*
1345 1345 * ROUTINE: AUDIT_CHDIREC
1346 1346 * PURPOSE:
1347 1347 * CALLBY: CHDIREC
1348 1348 * NOTE: The main function of CHDIREC
1349 1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350 1350 * QUESTION:
1351 1351 */
1352 1352
1353 1353 /*ARGSUSED*/
1354 1354 void
1355 1355 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 1356 {
1357 1357 int chdir;
1358 1358 int fchdir;
1359 1359 struct audit_path **appp;
1360 1360 struct file *fp;
1361 1361 f_audit_data_t *fad;
1362 1362 p_audit_data_t *pad = P2A(curproc);
1363 1363 t_audit_data_t *tad = T2A(curthread);
1364 1364
1365 1365 struct a {
1366 1366 long fd;
1367 1367 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368 1368
1369 1369 if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370 1370 chdir = tad->tad_scid == SYS_chdir;
1371 1371 if (tad->tad_aupath) {
1372 1372 mutex_enter(&pad->pad_lock);
1373 1373 if (chdir)
1374 1374 appp = &(pad->pad_cwd);
1375 1375 else
1376 1376 appp = &(pad->pad_root);
1377 1377 au_pathrele(*appp);
1378 1378 /* use tad hold */
1379 1379 *appp = tad->tad_aupath;
1380 1380 tad->tad_aupath = NULL;
1381 1381 mutex_exit(&pad->pad_lock);
1382 1382 }
1383 1383 } else if ((tad->tad_scid == SYS_fchdir) ||
1384 1384 (tad->tad_scid == SYS_fchroot)) {
1385 1385 fchdir = tad->tad_scid == SYS_fchdir;
1386 1386 if ((fp = getf(uap->fd)) == NULL)
1387 1387 return;
1388 1388 fad = F2A(fp);
1389 1389 if (fad->fad_aupath) {
1390 1390 au_pathhold(fad->fad_aupath);
1391 1391 mutex_enter(&pad->pad_lock);
1392 1392 if (fchdir)
1393 1393 appp = &(pad->pad_cwd);
1394 1394 else
1395 1395 appp = &(pad->pad_root);
1396 1396 au_pathrele(*appp);
1397 1397 *appp = fad->fad_aupath;
1398 1398 mutex_exit(&pad->pad_lock);
1399 1399 if (tad->tad_flag) {
1400 1400 au_uwrite(au_to_path(fad->fad_aupath));
1401 1401 audit_attributes(fp->f_vnode);
1402 1402 }
1403 1403 }
1404 1404 releasef(uap->fd);
1405 1405 }
1406 1406 }
1407 1407
1408 1408
1409 1409 /*
1410 1410 * Audit hook for stream based socket and tli request.
1411 1411 * Note that we do not have user context while executing
1412 1412 * this code so we had to record them earlier during the
1413 1413 * putmsg/getmsg to figure out which user we are dealing with.
1414 1414 */
1415 1415
1416 1416 /*ARGSUSED*/
1417 1417 void
1418 1418 audit_sock(
1419 1419 int type, /* type of tihdr.h header requests */
1420 1420 queue_t *q, /* contains the process and thread audit data */
1421 1421 mblk_t *mp, /* contains the tihdr.h header structures */
1422 1422 int from) /* timod or sockmod request */
1423 1423 {
1424 1424 int32_t len;
1425 1425 int32_t offset;
1426 1426 struct sockaddr_in *sock_data;
1427 1427 struct T_conn_req *conn_req;
1428 1428 struct T_conn_ind *conn_ind;
1429 1429 struct T_unitdata_req *unitdata_req;
1430 1430 struct T_unitdata_ind *unitdata_ind;
1431 1431 au_state_t estate;
1432 1432 t_audit_data_t *tad;
1433 1433 caddr_t saved_thread_ptr;
1434 1434 au_mask_t amask;
1435 1435 const auditinfo_addr_t *ainfo;
1436 1436 au_kcontext_t *kctx;
1437 1437
1438 1438 if (q->q_stream == NULL)
1439 1439 return;
1440 1440 mutex_enter(&q->q_stream->sd_lock);
1441 1441 /* are we being audited */
1442 1442 saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443 1443 /* no pointer to thread, nothing to do */
1444 1444 if (saved_thread_ptr == NULL) {
1445 1445 mutex_exit(&q->q_stream->sd_lock);
1446 1446 return;
1447 1447 }
1448 1448 /* only allow one addition of a record token */
1449 1449 q->q_stream->sd_t_audit_data = NULL;
1450 1450 /*
1451 1451 * thread is not the one being audited, then nothing to do
1452 1452 * This could be the stream thread handling the module
1453 1453 * service routine. In this case, the context for the audit
1454 1454 * record can no longer be assumed. Simplest to just drop
1455 1455 * the operation.
1456 1456 */
1457 1457 if (curthread != (kthread_id_t)saved_thread_ptr) {
1458 1458 mutex_exit(&q->q_stream->sd_lock);
1459 1459 return;
1460 1460 }
1461 1461 if (curthread->t_sysnum >= SYS_so_socket &&
1462 1462 curthread->t_sysnum <= SYS_sockconfig) {
1463 1463 mutex_exit(&q->q_stream->sd_lock);
1464 1464 return;
1465 1465 }
1466 1466 mutex_exit(&q->q_stream->sd_lock);
1467 1467 /*
1468 1468 * we know that the thread that did the put/getmsg is the
1469 1469 * one running. Now we can get the TAD and see if we should
1470 1470 * add an audit token.
1471 1471 */
1472 1472 tad = U2A(u);
1473 1473
1474 1474 kctx = GET_KCTX_PZ;
1475 1475
1476 1476 /* proceed ONLY if user is being audited */
1477 1477 if (!tad->tad_flag)
1478 1478 return;
1479 1479
1480 1480 ainfo = crgetauinfo(CRED());
1481 1481 if (ainfo == NULL)
1482 1482 return;
1483 1483 amask = ainfo->ai_mask;
1484 1484
1485 1485 /*
1486 1486 * Figure out the type of stream networking request here.
1487 1487 * Note that getmsg and putmsg are always preselected
1488 1488 * because during the beginning of the system call we have
1489 1489 * not yet figure out which of the socket or tli request
1490 1490 * we are looking at until we are here. So we need to check
1491 1491 * against that specific request and reset the type of event.
1492 1492 */
1493 1493 switch (type) {
1494 1494 case T_CONN_REQ: /* connection request */
1495 1495 conn_req = (struct T_conn_req *)mp->b_rptr;
1496 1496 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497 1497 return;
1498 1498 offset = conn_req->DEST_offset;
1499 1499 len = conn_req->DEST_length;
1500 1500 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501 1501 if (amask.as_success & estate || amask.as_failure & estate) {
1502 1502 tad->tad_event = AUE_SOCKCONNECT;
1503 1503 break;
1504 1504 } else {
1505 1505 return;
1506 1506 }
1507 1507 case T_CONN_IND: /* connectionless receive request */
1508 1508 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509 1509 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510 1510 return;
1511 1511 offset = conn_ind->SRC_offset;
1512 1512 len = conn_ind->SRC_length;
1513 1513 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514 1514 if (amask.as_success & estate || amask.as_failure & estate) {
1515 1515 tad->tad_event = AUE_SOCKACCEPT;
1516 1516 break;
1517 1517 } else {
1518 1518 return;
1519 1519 }
1520 1520 case T_UNITDATA_REQ: /* connectionless send request */
1521 1521 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522 1522 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523 1523 return;
1524 1524 offset = unitdata_req->DEST_offset;
1525 1525 len = unitdata_req->DEST_length;
1526 1526 estate = kctx->auk_ets[AUE_SOCKSEND];
1527 1527 if (amask.as_success & estate || amask.as_failure & estate) {
1528 1528 tad->tad_event = AUE_SOCKSEND;
1529 1529 break;
1530 1530 } else {
1531 1531 return;
1532 1532 }
1533 1533 case T_UNITDATA_IND: /* connectionless receive request */
1534 1534 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535 1535 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536 1536 return;
1537 1537 offset = unitdata_ind->SRC_offset;
1538 1538 len = unitdata_ind->SRC_length;
1539 1539 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540 1540 if (amask.as_success & estate || amask.as_failure & estate) {
1541 1541 tad->tad_event = AUE_SOCKRECEIVE;
1542 1542 break;
1543 1543 } else {
1544 1544 return;
1545 1545 }
1546 1546 default:
1547 1547 return;
1548 1548 }
1549 1549
1550 1550 /*
1551 1551 * we are only interested in tcp stream connections,
1552 1552 * not unix domain stuff
1553 1553 */
1554 1554 if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555 1555 tad->tad_event = AUE_GETMSG;
1556 1556 return;
1557 1557 }
1558 1558 /* skip over TPI header and point to the ip address */
1559 1559 sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560 1560
1561 1561 switch (sock_data->sin_family) {
1562 1562 case AF_INET:
1563 1563 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564 1564 break;
1565 1565 default: /* reset to AUE_PUTMSG if not a inet request */
1566 1566 tad->tad_event = AUE_GETMSG;
1567 1567 break;
1568 1568 }
1569 1569 }
1570 1570
1571 1571
1572 1572 static void
1573 1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 1574 {
1575 1575 unsigned int sy_flags;
1576 1576
1577 1577 #ifdef _SYSCALL32_IMPL
1578 1578 /*
1579 1579 * Guard against t_lwp being NULL when this function is called
1580 1580 * from a kernel queue instead of from a direct system call.
1581 1581 * In that case, assume the running kernel data model.
1582 1582 */
1583 1583 if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 1584 ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 1585 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 1586 else
1587 1587 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 1588 #else
1589 1589 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 1590 #endif
|
↓ open down ↓ |
779 lines elided |
↑ open up ↑ |
1591 1591
1592 1592 if (sy_flags == SE_64RVAL)
1593 1593 au_write(ad, au_to_return64(err, rval));
1594 1594 else
1595 1595 au_write(ad, au_to_return32(err, rval));
1596 1596
1597 1597 }
1598 1598
1599 1599 /*ARGSUSED*/
1600 1600 void
1601 -audit_fdsend(fd, fp, error)
1602 - int fd;
1603 - struct file *fp;
1604 - int error; /* ignore for now */
1601 +audit_fdsend(int fd, struct file *fp, int error)
1605 1602 {
1606 1603 t_audit_data_t *tad; /* current thread */
1607 1604 f_audit_data_t *fad; /* per file audit structure */
1608 1605 struct vnode *vp; /* for file attributes */
1609 1606
1610 1607 /* is this system call being audited */
1611 1608 tad = U2A(u);
1612 1609 ASSERT(tad != (t_audit_data_t *)0);
1613 1610 if (!tad->tad_flag)
1614 1611 return;
1615 1612
1616 1613 fad = F2A(fp);
1617 1614
1618 1615 /* add path and file attributes */
1619 1616 if (fad != NULL && fad->fad_aupath != NULL) {
1620 1617 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 1618 au_uwrite(au_to_path(fad->fad_aupath));
1622 1619 } else {
1623 1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1624 1621 #ifdef _LP64
1625 1622 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1626 1623 #else
1627 1624 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1628 1625 #endif
1629 1626 }
1630 1627 vp = fp->f_vnode; /* include vnode attributes */
1631 1628 audit_attributes(vp);
1632 1629 }
1633 1630
1634 1631 /*
1635 1632 * Record privileges successfully used and we attempted to use but
1636 1633 * didn't have.
1637 1634 */
1638 1635 void
1639 1636 audit_priv(int priv, const priv_set_t *set, int flag)
1640 1637 {
1641 1638 t_audit_data_t *tad;
1642 1639 int sbit;
1643 1640 priv_set_t *target;
1644 1641
1645 1642 /* Make sure this isn't being called in an interrupt context */
1646 1643 ASSERT(servicing_interrupt() == 0);
1647 1644
1648 1645 tad = U2A(u);
1649 1646
1650 1647 if (tad->tad_flag == 0)
1651 1648 return;
1652 1649
1653 1650 target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1654 1651 sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1655 1652
1656 1653 /* Tell audit_success() and audit_finish() that we saw this case */
1657 1654 if (!(tad->tad_evmod & sbit)) {
1658 1655 /* Clear set first time around */
1659 1656 priv_emptyset(target);
1660 1657 tad->tad_evmod |= sbit;
1661 1658 }
1662 1659
1663 1660 /* Save the privileges in the tad */
1664 1661 if (priv == PRIV_ALL) {
1665 1662 priv_fillset(target);
|
↓ open down ↓ |
51 lines elided |
↑ open up ↑ |
1666 1663 } else {
1667 1664 ASSERT(set != NULL || priv != PRIV_NONE);
1668 1665 if (set != NULL)
1669 1666 priv_union(set, target);
1670 1667 if (priv != PRIV_NONE)
1671 1668 priv_addset(target, priv);
1672 1669 }
1673 1670 }
1674 1671
1675 1672 /*
1673 + * Audit the psecflags() system call; the set name, current value, and delta
1674 + * are put in the audit trail.
1675 + */
1676 +void
1677 +audit_psecflags(proc_t *p,
1678 + psecflagwhich_t which,
1679 + const secflagdelta_t *psd)
1680 +{
1681 + t_audit_data_t *tad;
1682 + secflagset_t new;
1683 + const secflagset_t *old;
1684 + const char *s;
1685 + cred_t *cr;
1686 + pid_t pid;
1687 + const auditinfo_addr_t *ainfo;
1688 + const psecflags_t *psec = &p->p_secflags;
1689 +
1690 + tad = U2A(u);
1691 +
1692 + if (tad->tad_flag == 0)
1693 + return;
1694 +
1695 + switch (which) {
1696 + case PSF_EFFECTIVE:
1697 + s = "effective";
1698 + old = &psec->psf_effective;
1699 + break;
1700 + case PSF_INHERIT:
1701 + s = "inherit";
1702 + old = &psec->psf_inherit;
1703 + break;
1704 + case PSF_LOWER:
1705 + s = "lower";
1706 + old = &psec->psf_lower;
1707 + break;
1708 + case PSF_UPPER:
1709 + s = "upper";
1710 + old = &psec->psf_upper;
1711 + break;
1712 + }
1713 +
1714 + secflags_copy(&new, old);
1715 + secflags_apply_delta(&new, psd);
1716 +
1717 + au_uwrite(au_to_secflags(s, *old));
1718 + au_uwrite(au_to_secflags(s, new));
1719 +
1720 + ASSERT(mutex_owned(&p->p_lock));
1721 + mutex_enter(&p->p_crlock);
1722 +
1723 + pid = p->p_pid;
1724 + crhold(cr = p->p_cred);
1725 + mutex_exit(&p->p_crlock);
1726 +
1727 + if ((ainfo = crgetauinfo(cr)) == NULL) {
1728 + crfree(cr);
1729 + return;
1730 + }
1731 +
1732 + AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733 +
1734 + crfree(cr);
1735 +}
1736 +
1737 +/*
1676 1738 * Audit the setpriv() system call; the operation, the set name and
1677 1739 * the current value as well as the set argument are put in the
1678 1740 * audit trail.
1679 1741 */
1680 1742 void
1681 1743 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1682 1744 {
1683 1745 t_audit_data_t *tad;
1684 1746 const priv_set_t *oldpriv;
1685 1747 priv_set_t report;
1686 1748 const char *setname;
1687 1749
1688 1750 tad = U2A(u);
1689 1751
1690 1752 if (tad->tad_flag == 0)
1691 1753 return;
1692 1754
1693 1755 oldpriv = priv_getset(ocr, set);
1694 1756
1695 1757 /* Generate the actual record, include the before and after */
1696 1758 au_uwrite(au_to_arg32(2, "op", op));
1697 1759 setname = priv_getsetbynum(set);
1698 1760
1699 1761 switch (op) {
1700 1762 case PRIV_OFF:
1701 1763 /* Report privileges actually switched off */
1702 1764 report = *oldpriv;
1703 1765 priv_intersect(newpriv, &report);
1704 1766 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1705 1767 break;
1706 1768 case PRIV_ON:
1707 1769 /* Report privileges actually switched on */
1708 1770 report = *oldpriv;
1709 1771 priv_inverse(&report);
1710 1772 priv_intersect(newpriv, &report);
1711 1773 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1712 1774 break;
1713 1775 case PRIV_SET:
1714 1776 /* Report before and after */
1715 1777 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1716 1778 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1717 1779 break;
1718 1780 }
1719 1781 }
1720 1782
1721 1783 /*
1722 1784 * Dump the full device policy setting in the audit trail.
1723 1785 */
1724 1786 void
1725 1787 audit_devpolicy(int nitems, const devplcysys_t *items)
1726 1788 {
1727 1789 t_audit_data_t *tad;
1728 1790 int i;
1729 1791
1730 1792 tad = U2A(u);
1731 1793
1732 1794 if (tad->tad_flag == 0)
1733 1795 return;
1734 1796
1735 1797 for (i = 0; i < nitems; i++) {
1736 1798 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1737 1799 if (items[i].dps_minornm[0] == '\0') {
1738 1800 au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1739 1801 au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1740 1802 } else
1741 1803 au_uwrite(au_to_text(items[i].dps_minornm));
|
↓ open down ↓ |
56 lines elided |
↑ open up ↑ |
1742 1804
1743 1805 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1744 1806 AUT_PRIV, 0));
1745 1807 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1746 1808 AUT_PRIV, 0));
1747 1809 }
1748 1810 }
1749 1811
1750 1812 /*ARGSUSED*/
1751 1813 void
1752 -audit_fdrecv(fd, fp)
1753 - int fd;
1754 - struct file *fp;
1814 +audit_fdrecv(int fd, struct file *fp)
1755 1815 {
1756 1816 t_audit_data_t *tad; /* current thread */
1757 1817 f_audit_data_t *fad; /* per file audit structure */
1758 1818 struct vnode *vp; /* for file attributes */
1759 1819
1760 1820 /* is this system call being audited */
1761 1821 tad = U2A(u);
1762 1822 ASSERT(tad != (t_audit_data_t *)0);
1763 1823 if (!tad->tad_flag)
1764 1824 return;
1765 1825
1766 1826 fad = F2A(fp);
1767 1827
1768 1828 /* add path and file attributes */
1769 1829 if (fad != NULL && fad->fad_aupath != NULL) {
1770 1830 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1771 1831 au_uwrite(au_to_path(fad->fad_aupath));
1772 1832 } else {
1773 1833 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1774 1834 #ifdef _LP64
1775 1835 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1776 1836 #else
1777 1837 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1778 1838 #endif
1779 1839 }
1780 1840 vp = fp->f_vnode; /* include vnode attributes */
1781 1841 audit_attributes(vp);
1782 1842 }
1783 1843
1784 1844 /*
1785 1845 * ROUTINE: AUDIT_CRYPTOADM
1786 1846 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1787 1847 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1788 1848 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1789 1849 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1790 1850 * CRYPTO_LOAD_DOOR
1791 1851 * NOTE:
1792 1852 * TODO:
1793 1853 * QUESTION:
1794 1854 */
1795 1855
1796 1856 void
1797 1857 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1798 1858 uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1799 1859 {
1800 1860 boolean_t mech_list_required = B_FALSE;
1801 1861 cred_t *cr = CRED();
1802 1862 t_audit_data_t *tad;
1803 1863 token_t *ad = NULL;
1804 1864 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1805 1865 char buffer[MAXNAMELEN * 2];
1806 1866 au_kcontext_t *kctx = GET_KCTX_PZ;
1807 1867
1808 1868 tad = U2A(u);
1809 1869 if (tad == NULL)
1810 1870 return;
1811 1871
1812 1872 if (ainfo == NULL)
1813 1873 return;
1814 1874
1815 1875 tad->tad_event = AUE_CRYPTOADM;
1816 1876
1817 1877 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1818 1878 return;
1819 1879
1820 1880 /* Add subject information */
1821 1881 AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1822 1882
1823 1883 switch (cmd) {
1824 1884 case CRYPTO_LOAD_DEV_DISABLED:
1825 1885 if (error == 0 && rv == CRYPTO_SUCCESS) {
1826 1886 (void) snprintf(buffer, sizeof (buffer),
1827 1887 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1828 1888 " dev_instance=%d",
1829 1889 module_name, device_instance);
1830 1890 mech_list_required = B_TRUE;
1831 1891 } else {
1832 1892 (void) snprintf(buffer, sizeof (buffer),
1833 1893 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1834 1894 }
1835 1895 break;
1836 1896
1837 1897 case CRYPTO_LOAD_SOFT_DISABLED:
1838 1898 if (error == 0 && rv == CRYPTO_SUCCESS) {
1839 1899 (void) snprintf(buffer, sizeof (buffer),
1840 1900 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1841 1901 module_name);
1842 1902 mech_list_required = B_TRUE;
1843 1903 } else {
1844 1904 (void) snprintf(buffer, sizeof (buffer),
1845 1905 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1846 1906 }
1847 1907 break;
1848 1908
1849 1909 case CRYPTO_UNLOAD_SOFT_MODULE:
1850 1910 if (error == 0 && rv == CRYPTO_SUCCESS) {
1851 1911 (void) snprintf(buffer, sizeof (buffer),
1852 1912 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1853 1913 module_name);
1854 1914 } else {
1855 1915 (void) snprintf(buffer, sizeof (buffer),
1856 1916 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1857 1917 }
1858 1918 break;
1859 1919
1860 1920 case CRYPTO_LOAD_SOFT_CONFIG:
1861 1921 if (error == 0 && rv == CRYPTO_SUCCESS) {
1862 1922 (void) snprintf(buffer, sizeof (buffer),
1863 1923 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1864 1924 module_name);
1865 1925 mech_list_required = B_TRUE;
1866 1926 } else {
1867 1927 (void) snprintf(buffer, sizeof (buffer),
1868 1928 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1869 1929 }
1870 1930 break;
1871 1931
1872 1932 case CRYPTO_POOL_CREATE:
1873 1933 (void) snprintf(buffer, sizeof (buffer),
1874 1934 "op=CRYPTO_POOL_CREATE");
1875 1935 break;
1876 1936
1877 1937 case CRYPTO_POOL_WAIT:
1878 1938 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1879 1939 break;
1880 1940
1881 1941 case CRYPTO_POOL_RUN:
1882 1942 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1883 1943 break;
1884 1944
1885 1945 case CRYPTO_LOAD_DOOR:
1886 1946 if (error == 0 && rv == CRYPTO_SUCCESS)
1887 1947 (void) snprintf(buffer, sizeof (buffer),
1888 1948 "op=CRYPTO_LOAD_DOOR");
1889 1949 else
1890 1950 (void) snprintf(buffer, sizeof (buffer),
1891 1951 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1892 1952 break;
1893 1953
1894 1954 case CRYPTO_FIPS140_SET:
1895 1955 (void) snprintf(buffer, sizeof (buffer),
1896 1956 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1897 1957 break;
1898 1958
1899 1959 default:
1900 1960 return;
1901 1961 }
1902 1962
1903 1963 au_write((caddr_t *)&ad, au_to_text(buffer));
1904 1964
1905 1965 if (mech_list_required) {
1906 1966 int i;
1907 1967
1908 1968 if (mech_count == 0) {
1909 1969 au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1910 1970 } else {
1911 1971 char *pb = buffer;
1912 1972 size_t l = sizeof (buffer);
1913 1973 size_t n;
1914 1974 char space[2] = ":";
1915 1975
1916 1976 n = snprintf(pb, l, "mech=");
1917 1977
1918 1978 for (i = 0; i < mech_count; i++) {
1919 1979 pb += n;
1920 1980 l = (n >= l) ? 0 : l - n;
1921 1981
1922 1982 if (i == mech_count - 1)
1923 1983 (void) strcpy(space, "");
1924 1984
1925 1985 n = snprintf(pb, l, "%s%s", mech_names[i],
1926 1986 space);
1927 1987 }
1928 1988 au_write((caddr_t *)&ad, au_to_text(buffer));
1929 1989 }
1930 1990 }
1931 1991
1932 1992 /* add a return token */
1933 1993 if (error || (rv != CRYPTO_SUCCESS))
1934 1994 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1935 1995 else
1936 1996 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1937 1997
1938 1998 AS_INC(as_generated, 1, kctx);
1939 1999 AS_INC(as_kernel, 1, kctx);
1940 2000
1941 2001 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
1942 2002 NULL);
1943 2003 }
1944 2004
1945 2005 /*
1946 2006 * Audit the kernel SSL administration command. The address and the
1947 2007 * port number for the SSL instance, and the proxy port are put in the
1948 2008 * audit trail.
1949 2009 */
1950 2010 void
1951 2011 audit_kssl(int cmd, void *params, int error)
1952 2012 {
1953 2013 cred_t *cr = CRED();
1954 2014 t_audit_data_t *tad;
1955 2015 token_t *ad = NULL;
1956 2016 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1957 2017 au_kcontext_t *kctx = GET_KCTX_PZ;
1958 2018
1959 2019 tad = U2A(u);
1960 2020
1961 2021 if (ainfo == NULL)
1962 2022 return;
1963 2023
1964 2024 tad->tad_event = AUE_CONFIGKSSL;
1965 2025
1966 2026 if (audit_success(kctx, tad, error, NULL) != AU_OK)
1967 2027 return;
1968 2028
1969 2029 /* Add subject information */
1970 2030 AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
1971 2031
1972 2032 switch (cmd) {
1973 2033 case KSSL_ADD_ENTRY: {
1974 2034 char buf[32];
1975 2035 kssl_params_t *kp = (kssl_params_t *)params;
1976 2036 struct sockaddr_in6 *saddr = &kp->kssl_addr;
1977 2037
1978 2038 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
1979 2039 au_write((caddr_t *)&ad,
1980 2040 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1981 2041 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
1982 2042 saddr->sin6_port);
1983 2043 au_write((caddr_t *)&ad, au_to_text(buf));
1984 2044
1985 2045 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
1986 2046 kp->kssl_proxy_port);
1987 2047 au_write((caddr_t *)&ad, au_to_text(buf));
1988 2048 break;
1989 2049 }
1990 2050
1991 2051 case KSSL_DELETE_ENTRY: {
1992 2052 char buf[32];
1993 2053 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
1994 2054
1995 2055 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
1996 2056 au_write((caddr_t *)&ad,
1997 2057 au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1998 2058 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
1999 2059 saddr->sin6_port);
2000 2060 au_write((caddr_t *)&ad, au_to_text(buf));
2001 2061 break;
2002 2062 }
2003 2063
2004 2064 default:
2005 2065 return;
2006 2066 }
2007 2067
2008 2068 /* add a return token */
2009 2069 add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2010 2070
2011 2071 AS_INC(as_generated, 1, kctx);
2012 2072 AS_INC(as_kernel, 1, kctx);
2013 2073
2014 2074 au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2015 2075 NULL);
2016 2076 }
2017 2077
2018 2078 /*
2019 2079 * Audit the kernel PF_POLICY administration commands. Record command,
2020 2080 * zone, policy type (global or tunnel, active or inactive)
2021 2081 */
2022 2082 /*
2023 2083 * ROUTINE: AUDIT_PF_POLICY
2024 2084 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2025 2085 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2026 2086 * SPD_CLONE, SPD_FLIP
2027 2087 * NOTE:
2028 2088 * TODO:
2029 2089 * QUESTION:
2030 2090 */
2031 2091
2032 2092 void
2033 2093 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2034 2094 boolean_t active, int error, pid_t pid)
2035 2095 {
2036 2096 const auditinfo_addr_t *ainfo;
2037 2097 t_audit_data_t *tad;
2038 2098 token_t *ad = NULL;
2039 2099 au_kcontext_t *kctx = GET_KCTX_PZ;
2040 2100 char buf[80];
2041 2101 int flag;
2042 2102
2043 2103 tad = U2A(u);
2044 2104 if (tad == NULL)
2045 2105 return;
2046 2106
2047 2107 ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2048 2108 if (ainfo == NULL)
2049 2109 return;
2050 2110
2051 2111 /*
2052 2112 * Initialize some variables since these are only set
2053 2113 * with system calls.
2054 2114 */
2055 2115
2056 2116 switch (cmd) {
2057 2117 case SPD_ADDRULE: {
2058 2118 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2059 2119 break;
2060 2120 }
2061 2121
2062 2122 case SPD_DELETERULE: {
2063 2123 tad->tad_event = AUE_PF_POLICY_DELRULE;
2064 2124 break;
2065 2125 }
2066 2126
2067 2127 case SPD_FLUSH: {
2068 2128 tad->tad_event = AUE_PF_POLICY_FLUSH;
2069 2129 break;
2070 2130 }
2071 2131
2072 2132 case SPD_UPDATEALGS: {
2073 2133 tad->tad_event = AUE_PF_POLICY_ALGS;
2074 2134 break;
2075 2135 }
2076 2136
2077 2137 case SPD_CLONE: {
2078 2138 tad->tad_event = AUE_PF_POLICY_CLONE;
2079 2139 break;
2080 2140 }
2081 2141
2082 2142 case SPD_FLIP: {
2083 2143 tad->tad_event = AUE_PF_POLICY_FLIP;
2084 2144 break;
2085 2145 }
2086 2146
2087 2147 default:
2088 2148 tad->tad_event = AUE_NULL;
2089 2149 }
2090 2150
2091 2151 tad->tad_evmod = 0;
2092 2152
2093 2153 if (flag = audit_success(kctx, tad, error, cred)) {
2094 2154 zone_t *nszone;
2095 2155
2096 2156 /*
2097 2157 * For now, just audit that an event happened,
2098 2158 * along with the error code.
2099 2159 */
2100 2160 au_write((caddr_t *)&ad,
2101 2161 au_to_arg32(1, "Policy Active?", (uint32_t)active));
2102 2162 au_write((caddr_t *)&ad,
2103 2163 au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2104 2164
2105 2165 /* Supplemental data */
2106 2166
2107 2167 /*
2108 2168 * Generate this zone token if the target zone differs
2109 2169 * from the administrative zone. If netstacks are expanded
2110 2170 * to something other than a 1-1 relationship with zones,
2111 2171 * the auditing framework should create a new token type
2112 2172 * and audit it as a netstack instead.
2113 2173 * Turn on general zone auditing to get the administrative zone.
2114 2174 */
2115 2175
2116 2176 nszone = zone_find_by_id(netstackid_to_zoneid(
2117 2177 ns->netstack_stackid));
2118 2178 if (nszone != NULL) {
2119 2179 if (strncmp(crgetzone(cred)->zone_name,
2120 2180 nszone->zone_name, ZONENAME_MAX) != 0) {
2121 2181 token_t *ztoken;
2122 2182
2123 2183 ztoken = au_to_zonename(0, nszone);
2124 2184 au_write((caddr_t *)&ad, ztoken);
2125 2185 }
2126 2186 zone_rele(nszone);
2127 2187 }
2128 2188
2129 2189 if (tun != NULL) {
2130 2190 /* write tunnel name - tun is bounded */
2131 2191 (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2132 2192 tun);
2133 2193 au_write((caddr_t *)&ad, au_to_text(buf));
2134 2194 }
2135 2195
2136 2196 /* Add subject information */
2137 2197 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2138 2198 ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2139 2199
2140 2200 /* add a return token */
2141 2201 add_return_token((caddr_t *)&ad, 0, error, 0);
2142 2202
2143 2203 AS_INC(as_generated, 1, kctx);
2144 2204 AS_INC(as_kernel, 1, kctx);
2145 2205
2146 2206 }
2147 2207 au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2148 2208 NULL);
2149 2209
2150 2210 /*
2151 2211 * clear the ctrl flag so that we don't have spurious collection of
2152 2212 * audit information.
2153 2213 */
2154 2214 tad->tad_scid = 0;
2155 2215 tad->tad_event = 0;
2156 2216 tad->tad_evmod = 0;
2157 2217 tad->tad_ctrl = 0;
2158 2218 }
2159 2219
2160 2220 /*
2161 2221 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2162 2222 * PURPOSE: Add security attributes
2163 2223 * CALLBY: AUDIT_ATTRIBUTES
2164 2224 * AUDIT_CLOSEF
2165 2225 * AUS_CLOSE
2166 2226 * NOTE:
2167 2227 * TODO:
2168 2228 * QUESTION:
2169 2229 */
2170 2230
2171 2231 void
2172 2232 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2173 2233 {
2174 2234 /* Dump the SL */
2175 2235 if (is_system_labeled()) {
2176 2236 ts_label_t *tsl;
2177 2237 bslabel_t *bsl;
2178 2238
2179 2239 tsl = getflabel(vp);
2180 2240 if (tsl == NULL)
2181 2241 return; /* nothing else to do */
2182 2242
2183 2243 bsl = label2bslabel(tsl);
2184 2244 if (bsl == NULL)
2185 2245 return; /* nothing else to do */
2186 2246 au_write(ad, au_to_label(bsl));
2187 2247 label_rele(tsl);
2188 2248 }
2189 2249
2190 2250 } /* AUDIT_SEC_ATTRIBUTES */
|
↓ open down ↓ |
426 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX