Print this page
7127 remove -Wno-missing-braces from Makefile.uts
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/c2/audit_syscalls.c
+++ new/usr/src/uts/common/c2/audit_syscalls.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * This file contains the auditing system call code.
28 28 *
29 29 */
30 30
31 31 #include <sys/param.h>
32 32 #include <sys/systm.h>
33 33 #include <sys/user.h>
34 34 #include <sys/vnode.h>
35 35 #include <sys/vfs.h>
36 36 #include <sys/session.h> /* for session structure (auditctl(2) */
37 37 #include <sys/kmem.h> /* for KM_SLEEP */
38 38 #include <sys/cred.h>
39 39 #include <sys/types.h>
40 40 #include <sys/proc.h>
41 41 #include <sys/uio.h>
42 42 #include <sys/file.h>
43 43 #include <sys/stat.h>
44 44 #include <sys/pathname.h>
45 45 #include <sys/acct.h>
46 46 #include <sys/stropts.h>
47 47 #include <sys/exec.h>
48 48 #include <sys/thread.h>
49 49 #include <sys/cmn_err.h>
50 50 #include <sys/debug.h>
51 51 #include <sys/disp.h>
52 52 #include <sys/kobj.h>
53 53 #include <sys/sysmacros.h>
54 54 #include <sys/policy.h>
55 55 #include <sys/taskq.h>
56 56 #include <sys/zone.h>
57 57
58 58 #include <c2/audit.h>
59 59 #include <c2/audit_kernel.h>
60 60 #include <c2/audit_record.h>
61 61
62 62 #define HEADER_SIZE64 1;
63 63 #define HEADER_SIZE32 0;
64 64 #define AU_MIN_FILE_SZ 0x80000 /* minumum audit file size */
65 65 #define AUDIT_REC_SIZE 0x8000 /* maximum user audit record size */
66 66
67 67 extern pri_t minclsyspri; /* priority for taskq */
68 68
69 69 static clock_t au_resid = 15; /* wait .15 sec before droping a rec */
70 70
71 71 static void au_output_thread();
72 72
73 73 /*
74 74 * This is the loadable module wrapper.
75 75 */
|
↓ open down ↓ |
75 lines elided |
↑ open up ↑ |
76 76 #include <sys/modctl.h>
77 77
78 78 /*
79 79 * Module linkage information for the kernel.
80 80 */
81 81 static struct modlmisc modlmisc = {
82 82 &mod_miscops, "Solaris Auditing (C2)"
83 83 };
84 84
85 85 static struct modlinkage modlinkage = {
86 - MODREV_1, (void *)&modlmisc, 0
86 + MODREV_1, { (void *)&modlmisc, NULL }
87 87 };
88 88
89 89 int
90 90 _init()
91 91 {
92 92 return (mod_install(&modlinkage));
93 93 }
94 94
95 95 int
96 96 _fini()
97 97 {
98 98 return (EBUSY);
99 99 }
100 100
101 101 int
102 102 _info(struct modinfo *modinfop)
103 103 {
104 104 return (mod_info(&modlinkage, modinfop));
105 105 }
106 106
107 107 /*
108 108 * The audit system call. Trust what the user has sent down and save it
109 109 * away in the audit file. User passes a complete audit record and its
110 110 * length. We will fill in the time stamp, check the header and the length
111 111 * Put a trailer and a sequence token if policy requires.
112 112 * In the future length might become size_t instead of an int.
113 113 *
114 114 * The call is valid whether or not AUDIT_PERZONE is set (think of
115 115 * login to a zone). When the local audit state (auk_auditstate) is
116 116 * AUC_INIT_AUDIT, records are accepted even though auditd isn't
117 117 * running.
118 118 */
119 119 int
120 120 audit(caddr_t record, int length)
121 121 {
122 122 char c;
123 123 int count, l;
124 124 token_t *m, *n, *s, *ad;
125 125 int hdrlen, delta;
126 126 adr_t hadr;
127 127 adr_t sadr;
128 128 int size; /* 0: 32 bit utility 1: 64 bit utility */
129 129 int host_len;
130 130 size_t zlen;
131 131 au_kcontext_t *kctx = GET_KCTX_PZ;
132 132 uint32_t auditing;
133 133
134 134 /* if auditing not enabled, then don't generate an audit record */
135 135 auditing = (U2A(u)->tad_audit != AUC_UNSET) ?
136 136 U2A(u)->tad_audit : kctx->auk_auditstate;
137 137 if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT))
138 138 return (0);
139 139
140 140 /* Only privileged processes can audit */
141 141 if (secpolicy_audit_modify(CRED()) != 0)
142 142 return (EPERM);
143 143
144 144 /* Max user record size is 32K */
145 145 if (length > AUDIT_REC_SIZE)
146 146 return (E2BIG);
147 147
148 148 /*
149 149 * The specified length must be at least as big as the smallest
150 150 * possible header token. Later after beginning to scan the
151 151 * header we'll determine the true minimum length according to
152 152 * the header type and attributes.
153 153 */
154 154 #define AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \
155 155 sizeof (char) + sizeof (short) + sizeof (short) + \
156 156 (sizeof (int32_t) * 2))
157 157
158 158 if (length < AU_MIN_HEADER_LEN)
159 159 return (EINVAL);
160 160
161 161 /* Read in user's audit record */
162 162 count = length;
163 163 m = n = s = ad = NULL;
164 164 while (count) {
165 165 m = au_getclr();
166 166 if (!s)
167 167 s = n = m;
168 168 else {
169 169 n->next_buf = m;
170 170 n = m;
171 171 }
172 172 l = MIN(count, AU_BUFSIZE);
173 173 if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
174 174 /* copyin failed release au_membuf */
175 175 au_free_rec(s);
176 176 return (EFAULT);
177 177 }
178 178 record += l;
179 179 count -= l;
180 180 m->len = (uchar_t)l;
181 181 }
182 182
183 183 /* Now attach the entire thing to ad */
184 184 au_write((caddr_t *)&(ad), s);
185 185
186 186 /* validate header token type. trust everything following it */
187 187 adr_start(&hadr, memtod(s, char *));
188 188 (void) adr_getchar(&hadr, &c);
189 189 switch (c) {
190 190 case AUT_HEADER32:
191 191 /* size vers+event_ID+event_modifier fields */
192 192 delta = 1 + 2 + 2;
193 193 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
194 194 size = HEADER_SIZE32;
195 195 break;
196 196
197 197 #ifdef _LP64
198 198 case AUT_HEADER64:
199 199 /* size vers+event_ID+event_modifier fields */
200 200 delta = 1 + 2 + 2;
201 201 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
202 202 size = HEADER_SIZE64;
203 203 break;
204 204 #endif
205 205
206 206 case AUT_HEADER32_EX:
207 207 /*
208 208 * Skip over the length/version/type/mod fields and
209 209 * grab the host address type (length), then rewind.
210 210 * This is safe per the previous minimum length check.
211 211 */
212 212 hadr.adr_now += 9;
213 213 (void) adr_getint32(&hadr, &host_len);
214 214 hadr.adr_now -= 9 + sizeof (int32_t);
215 215
216 216 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
217 217 delta = 1 + 2 + 2 + 4 + host_len;
218 218 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
219 219 size = HEADER_SIZE32;
220 220 break;
221 221
222 222 #ifdef _LP64
223 223 case AUT_HEADER64_EX:
224 224 /*
225 225 * Skip over the length/version/type/mod fields and grab
226 226 * the host address type (length), then rewind.
227 227 * This is safe per the previous minimum length check.
228 228 */
229 229 hadr.adr_now += 9;
230 230 (void) adr_getint32(&hadr, &host_len);
231 231 hadr.adr_now -= 9 + sizeof (int32_t);
232 232
233 233 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
234 234 delta = 1 + 2 + 2 + 4 + host_len;
235 235 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
236 236 size = HEADER_SIZE64;
237 237 break;
238 238 #endif
239 239
240 240 default:
241 241 /* Header is wrong, reject message */
242 242 au_free_rec(s);
243 243 return (EINVAL);
244 244 }
245 245
246 246 if (length < hdrlen) {
247 247 au_free_rec(s);
248 248 return (0);
249 249 }
250 250
251 251 /* advance over header token length field */
252 252 hadr.adr_now += 4;
253 253
254 254 /* validate version */
255 255 (void) adr_getchar(&hadr, &c);
256 256 if (c != TOKEN_VERSION) {
257 257 /* version is wrong, reject message */
258 258 au_free_rec(s);
259 259 return (EINVAL);
260 260 }
261 261
262 262 /* backup to header length field (including version field) */
263 263 hadr.adr_now -= 5;
264 264
265 265 /*
266 266 * add on the zonename token if policy AUDIT_ZONENAME is set
267 267 */
268 268 if (kctx->auk_policy & AUDIT_ZONENAME) {
269 269 zlen = au_zonename_length(NULL);
270 270 if (zlen > 0) {
271 271 length += zlen;
272 272 m = au_to_zonename(zlen, NULL);
273 273 (void) au_append_rec(ad, m, AU_PACK);
274 274 }
275 275 }
276 276 /* Add an (optional) sequence token. NULL offset if none */
277 277 if (kctx->auk_policy & AUDIT_SEQ) {
278 278 /* get the sequnce token */
279 279 m = au_to_seq();
280 280
281 281 /* sequence token 5 bytes long */
282 282 length += 5;
283 283
284 284 /* link to audit record (i.e. don't pack the data) */
285 285 (void) au_append_rec(ad, m, AU_LINK);
286 286
287 287 /* advance to count field of token */
288 288 adr_start(&sadr, memtod(m, char *));
289 289 sadr.adr_now += 1;
290 290 } else
291 291 sadr.adr_now = (char *)NULL;
292 292
293 293 /* add the (optional) trailer token */
294 294 if (kctx->auk_policy & AUDIT_TRAIL) {
295 295 /* trailer token is 7 bytes long */
296 296 length += 7;
297 297
298 298 /* append to audit record */
299 299 (void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
300 300 }
301 301
302 302 /* audit record completely assembled. set the length */
303 303 adr_int32(&hadr, (int32_t *)&length, 1);
304 304
305 305 /* advance to date/time field of header */
306 306 hadr.adr_now += delta;
307 307
308 308 /* We are done put it on the queue */
309 309 AS_INC(as_generated, 1, kctx);
310 310 AS_INC(as_audit, 1, kctx);
311 311
312 312 au_enqueue(kctx, s, &hadr, &sadr, size, 0);
313 313
314 314 AS_INC(as_totalsize, length, kctx);
315 315
316 316 return (0);
317 317 }
318 318
319 319 /*
320 320 * auditdoor starts a kernel thread to generate output from the audit
321 321 * queue. The thread terminates when it detects auditing being turned
322 322 * off, such as when auditd exits with a SIGTERM. If a subsequent
323 323 * auditdoor arrives while the thread is running, the door descriptor
324 324 * of the last auditdoor in will be used for output. auditd is responsible
325 325 * for insuring that multiple copies are not running.
326 326 */
327 327
328 328 int
329 329 auditdoor(int fd)
330 330 {
331 331 struct file *fp;
332 332 struct vnode *vp;
333 333 int do_create = 0;
334 334 au_kcontext_t *kctx;
335 335
336 336 if (secpolicy_audit_config(CRED()) != 0)
337 337 return (EPERM);
338 338
339 339 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
340 340 return (EINVAL);
341 341
342 342 kctx = GET_KCTX_NGZ;
343 343
344 344 /*
345 345 * convert file pointer to file descriptor
346 346 * Note: fd ref count incremented here.
347 347 */
348 348 if ((fp = (struct file *)getf(fd)) == NULL) {
349 349 return (EBADF);
350 350 }
351 351 vp = fp->f_vnode;
352 352 if (vp->v_type != VDOOR) {
353 353 cmn_err(CE_WARN,
354 354 "auditdoor() did not get the expected door descriptor\n");
355 355 releasef(fd);
356 356 return (EINVAL);
357 357 }
358 358 /*
359 359 * If the output thread is already running, then replace the
360 360 * door descriptor with the new one and continue; otherwise
361 361 * create the thread too. Since au_output_thread makes a call
362 362 * to au_doorio() which also does
363 363 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
364 364 * done after the unlock...
365 365 */
366 366 mutex_enter(&(kctx->auk_svc_lock));
367 367
368 368 if (kctx->auk_current_vp != NULL)
369 369 VN_RELE(kctx->auk_current_vp);
370 370
371 371 kctx->auk_current_vp = vp;
372 372 VN_HOLD(kctx->auk_current_vp);
373 373 releasef(fd);
374 374
375 375 if (!kctx->auk_output_active) {
376 376 kctx->auk_output_active = 1;
377 377 do_create = 1;
378 378 }
379 379 mutex_exit(&(kctx->auk_svc_lock));
380 380 if (do_create) {
381 381 kctx->auk_taskq =
382 382 taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
383 383 (void) taskq_dispatch(kctx->auk_taskq,
384 384 (task_func_t *)au_output_thread,
385 385 kctx, TQ_SLEEP);
386 386 }
387 387 return (0);
388 388 }
389 389
390 390 static void
391 391 audit_dont_stop(void *kctx)
392 392 {
393 393
394 394 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
395 395 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
396 396 return;
397 397
398 398 mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
399 399 cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
400 400 mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
401 401 }
402 402
403 403 /*
404 404 * au_queue_kick -- wake up the output queue after delay ticks
405 405 */
406 406 static void
407 407 au_queue_kick(void *kctx)
408 408 {
409 409 /*
410 410 * wakeup reader if its not running and there is something
411 411 * to do. It also helps that kctx still be valid...
412 412 */
413 413
414 414 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
415 415 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
416 416 return;
417 417
418 418 if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
419 419 ((au_kcontext_t *)kctx)->auk_queue.rd_block)
420 420 cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
421 421
422 422 /* fire off timeout event to kick audit queue awake */
423 423 (void) timeout(au_queue_kick, kctx,
424 424 ((au_kcontext_t *)kctx)->auk_queue.delay);
425 425 }
426 426
427 427 /*
428 428 * output thread
429 429 *
430 430 * this runs "forever" where "forever" means until either auk_auditstate
431 431 * changes from AUC_AUDITING or if the door descriptor becomes invalid.
432 432 *
433 433 * there is one thread per active zone if AUC_PERZONE is set. Since
434 434 * there is the possibility that a zone may go down without auditd
435 435 * terminating properly, a zone shutdown kills its au_output_thread()
436 436 * via taskq_destroy().
437 437 */
438 438
439 439 static void
440 440 au_output_thread(au_kcontext_t *kctx)
441 441 {
442 442 int error = 0;
443 443
444 444 (void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
445 445
446 446 /*
447 447 * Wait for work, until a signal arrives,
448 448 * or until auditing is disabled.
449 449 */
450 450
451 451 while (!error) {
452 452 if (kctx->auk_auditstate == AUC_AUDITING) {
453 453 mutex_enter(&(kctx->auk_queue.lock));
454 454 while (kctx->auk_queue.head == NULL) {
455 455 /* safety check. kick writer awake */
456 456 if (kctx->auk_queue.wt_block) {
457 457 cv_broadcast(&(kctx->
458 458 auk_queue.write_cv));
459 459 }
460 460
461 461 kctx->auk_queue.rd_block = 1;
462 462 AS_INC(as_rblocked, 1, kctx);
463 463
464 464 cv_wait(&(kctx->auk_queue.read_cv),
465 465 &(kctx->auk_queue.lock));
466 466 kctx->auk_queue.rd_block = 0;
467 467
468 468 if (kctx->auk_auditstate != AUC_AUDITING) {
469 469 mutex_exit(&(kctx->auk_queue.lock));
470 470 (void) timeout(audit_dont_stop, kctx,
471 471 au_resid);
472 472 goto output_exit;
473 473 }
474 474 kctx->auk_queue.rd_block = 0;
475 475 }
476 476 mutex_exit(&(kctx->auk_queue.lock));
477 477 /*
478 478 * au_doorio() calls au_door_upcall which holds
479 479 * auk_svc_lock; au_doorio empties the queue before
480 480 * returning.
481 481 */
482 482
483 483 error = au_doorio(kctx);
484 484 } else {
485 485 /* auditing turned off while we slept */
486 486 break;
487 487 }
488 488 }
489 489 output_exit:
490 490 mutex_enter(&(kctx->auk_svc_lock));
491 491
492 492 VN_RELE(kctx->auk_current_vp);
493 493 kctx->auk_current_vp = NULL;
494 494
495 495 kctx->auk_output_active = 0;
496 496
497 497 mutex_exit(&(kctx->auk_svc_lock));
498 498 }
|
↓ open down ↓ |
402 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX