search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit 'b4bf0cf0458759c67920a031021a9d96cd683cfe'
[unleashed.git] / kernel / syscall / auditsys.c
blob7dfe70824cf4759c5cbd76cec4295ea45f7bf4f9
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/systm.h>
26 #include <sys/errno.h>
27 #include <sys/policy.h>
28
29 #include <c2/audit.h>
30 #include <c2/audit_kernel.h>
31 #include <c2/audit_record.h>
32
33 #define CLEAR_VAL -1
34
35 extern kmutex_t pidlock;
36
37 uint32_t audit_policy; /* global audit policies in force */
38
39
40 /*ARGSUSED1*/
41 int
42 auditsys(struct auditcalls *uap, rval_t *rvp)
43 {
44 int err;
45 int result = 0;
46
47 if (audit_active == C2AUDIT_DISABLED)
48 return (ENOTSUP);
49
50 switch (uap->code) {
51 case BSM_GETAUID:
52 result = getauid((caddr_t)uap->a1);
53 break;
54 case BSM_SETAUID:
55 result = setauid((caddr_t)uap->a1);
56 break;
57 case BSM_GETAUDIT:
58 result = getaudit((caddr_t)uap->a1);
59 break;
60 case BSM_GETAUDIT_ADDR:
61 result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
62 break;
63 case BSM_SETAUDIT:
64 result = setaudit((caddr_t)uap->a1);
65 break;
66 case BSM_SETAUDIT_ADDR:
67 result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
68 break;
69 case BSM_AUDITCTL:
70 result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
71 break;
72 case BSM_AUDIT:
73 if (audit_active == C2AUDIT_UNLOADED)
74 return (0);
75 result = audit((caddr_t)uap->a1, (int)uap->a2);
76 break;
77 case BSM_AUDITDOOR:
78 if (audit_active == C2AUDIT_LOADED) {
79 result = auditdoor((int)uap->a1);
80 break;
81 }
82 /* FALLTHROUGH */
83 default:
84 if (audit_active == C2AUDIT_LOADED) {
85 result = EINVAL;
86 break;
87 }
88 /* Return a different error when not privileged */
89 err = secpolicy_audit_config(CRED());
90 if (err == 0)
91 return (EINVAL);
92 else
93 return (err);
94 }
95 rvp->r_vals = result;
96 return (result);
97 }
98
99 /*
100 * Return the audit user ID for the current process. Currently only
101 * the privileged processes may see the audit id. That may change.
102 * If copyout is unsucessful return EFAULT.
103 */
104 int
105 getauid(caddr_t auid_p)
106 {
107 const auditinfo_addr_t *ainfo;
108
109 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
110 return (EPERM);
111
112 ainfo = crgetauinfo(CRED());
113 if (ainfo == NULL)
114 return (EINVAL);
115
116 if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t)))
117 return (EFAULT);
118
119 return (0);
120 }
121
122 /*
123 * Set the audit userid, for a process. This can only be changed by
124 * privileged processes. The audit userid is inherited across forks & execs.
125 * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
126 */
127 int
128 setauid(caddr_t auid_p)
129 {
130 proc_t *p;
131 au_id_t auid;
132 cred_t *newcred;
133 auditinfo_addr_t *auinfo;
134
135 if (secpolicy_audit_config(CRED()) != 0)
136 return (EPERM);
137
138 if (copyin(auid_p, &auid, sizeof (au_id_t))) {
139 return (EFAULT);
140 }
141
142 newcred = cralloc();
143 if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) {
144 crfree(newcred);
145 return (EINVAL);
146 }
147
148 /* grab p_crlock and switch to new cred */
149 p = curproc;
150 mutex_enter(&p->p_crlock);
151 crcopy_to(p->p_cred, newcred);
152 p->p_cred = newcred;
153
154 auinfo->ai_auid = auid; /* update the auid */
155
156 /* unlock and broadcast the cred changes */
157 mutex_exit(&p->p_crlock);
158 crset(p, newcred);
159
160 return (0);
161 }
162
163 /*
164 * Get the audit state information from the current process.
165 * Return EFAULT if copyout fails.
166 */
167 int
168 getaudit(caddr_t info_p)
169 {
170 STRUCT_DECL(auditinfo, info);
171 const auditinfo_addr_t *ainfo;
172 model_t model;
173
174 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
175 return (EPERM);
176
177 model = get_udatamodel();
178 STRUCT_INIT(info, model);
179
180 ainfo = crgetauinfo(CRED());
181 if (ainfo == NULL)
182 return (EINVAL);
183
184 /* trying to read a process with an IPv6 address? */
185 if (ainfo->ai_termid.at_type == AU_IPv6)
186 return (EOVERFLOW);
187
188 STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
189 STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
190 #ifdef _LP64
191 if (model == DATAMODEL_ILP32) {
192 dev32_t dev;
193 /* convert internal 64 bit form to 32 bit version */
194 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
195 return (EOVERFLOW);
196 }
197 STRUCT_FSET(info, ai_termid.port, dev);
198 } else
199 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
200 #else
201 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
202 #endif
203 STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]);
204 STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
205
206 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
207 return (EFAULT);
208
209 return (0);
210 }
211
212 /*
213 * Get the audit state information from the current process.
214 * Return EFAULT if copyout fails.
215 */
216 int
217 getaudit_addr(caddr_t info_p, int len)
218 {
219 STRUCT_DECL(auditinfo_addr, info);
220 const auditinfo_addr_t *ainfo;
221 model_t model;
222
223 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
224 return (EPERM);
225
226 model = get_udatamodel();
227 STRUCT_INIT(info, model);
228
229 if (len < STRUCT_SIZE(info))
230 return (EOVERFLOW);
231
232 ainfo = crgetauinfo(CRED());
233
234 if (ainfo == NULL)
235 return (EINVAL);
236
237 STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
238 STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
239 #ifdef _LP64
240 if (model == DATAMODEL_ILP32) {
241 dev32_t dev;
242 /* convert internal 64 bit form to 32 bit version */
243 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
244 return (EOVERFLOW);
245 }
246 STRUCT_FSET(info, ai_termid.at_port, dev);
247 } else
248 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
249 #else
250 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
251 #endif
252 STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type);
253 STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
254 STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
255 STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
256 STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
257 STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
258
259 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
260 return (EFAULT);
261
262 return (0);
263 }
264
265 /*
266 * Set the audit state information for the current process.
267 * Return EFAULT if copyout fails.
268 */
269 int
270 setaudit(caddr_t info_p)
271 {
272 STRUCT_DECL(auditinfo, info);
273 proc_t *p;
274 cred_t *newcred;
275 model_t model;
276 auditinfo_addr_t *ainfo;
277
278 if (secpolicy_audit_config(CRED()) != 0)
279 return (EPERM);
280
281 model = get_udatamodel();
282 STRUCT_INIT(info, model);
283
284 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
285 return (EFAULT);
286
287 newcred = cralloc();
288 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
289 crfree(newcred);
290 return (EINVAL);
291 }
292
293 /* grab p_crlock and switch to new cred */
294 p = curproc;
295 mutex_enter(&p->p_crlock);
296 crcopy_to(p->p_cred, newcred);
297 p->p_cred = newcred;
298
299 /* Set audit mask, id, termid and session id as specified */
300 ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
301 #ifdef _LP64
302 /* only convert to 64 bit if coming from a 32 bit binary */
303 if (model == DATAMODEL_ILP32)
304 ainfo->ai_termid.at_port =
305 DEVEXPL(STRUCT_FGET(info, ai_termid.port));
306 else
307 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
308 #else
309 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
310 #endif
311 ainfo->ai_termid.at_type = AU_IPv4;
312 ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine);
313 ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
314 ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
315
316 /* unlock and broadcast the cred changes */
317 mutex_exit(&p->p_crlock);
318 crset(p, newcred);
319
320 return (0);
321 }
322
323 /*
324 * Set the audit state information for the current process.
325 * Return EFAULT if copyin fails.
326 */
327 int
328 setaudit_addr(caddr_t info_p, int len)
329 {
330 STRUCT_DECL(auditinfo_addr, info);
331 proc_t *p;
332 cred_t *newcred;
333 model_t model;
334 int i;
335 int type;
336 auditinfo_addr_t *ainfo;
337
338 if (secpolicy_audit_config(CRED()) != 0)
339 return (EPERM);
340
341 model = get_udatamodel();
342 STRUCT_INIT(info, model);
343
344 if (len < STRUCT_SIZE(info))
345 return (EOVERFLOW);
346
347 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
348 return (EFAULT);
349
350 type = STRUCT_FGET(info, ai_termid.at_type);
351 if ((type != AU_IPv4) && (type != AU_IPv6))
352 return (EINVAL);
353
354 newcred = cralloc();
355 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
356 crfree(newcred);
357 return (EINVAL);
358 }
359
360 /* grab p_crlock and switch to new cred */
361 p = curproc;
362 mutex_enter(&p->p_crlock);
363 crcopy_to(p->p_cred, newcred);
364 p->p_cred = newcred;
365
366 /* Set audit mask, id, termid and session id as specified */
367 ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
368 ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
369 #ifdef _LP64
370 /* only convert to 64 bit if coming from a 32 bit binary */
371 if (model == DATAMODEL_ILP32)
372 ainfo->ai_termid.at_port =
373 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
374 else
375 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
376 #else
377 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
378 #endif
379 ainfo->ai_termid.at_type = type;
380 bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr));
381 for (i = 0; i < (type/sizeof (int)); i++)
382 ainfo->ai_termid.at_addr[i] =
383 STRUCT_FGET(info, ai_termid.at_addr[i]);
384
385 if (ainfo->ai_termid.at_type == AU_IPv6 &&
386 IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) {
387 ainfo->ai_termid.at_type = AU_IPv4;
388 ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3];
389 ainfo->ai_termid.at_addr[1] = 0;
390 ainfo->ai_termid.at_addr[2] = 0;
391 ainfo->ai_termid.at_addr[3] = 0;
392 }
393
394 ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
395
396 /* unlock and broadcast the cred changes */
397 mutex_exit(&p->p_crlock);
398 crset(p, newcred);
399
400 return (0);
401 }
402
403 /*
404 * Get the global policy flag
405 */
406 static int
407 getpolicy(caddr_t data)
408 {
409 uint32_t policy;
410 au_kcontext_t *kctx = GET_KCTX_PZ;
411
412 policy = audit_policy | kctx->auk_policy;
413
414 if (copyout(&policy, data, sizeof (policy)))
415 return (EFAULT);
416 return (0);
417 }
418
419 /*
420 * Set the global and local policy flags
421 *
422 * The global flags only make sense from the global zone;
423 * the local flags depend on the AUDIT_PERZONE policy:
424 * if the perzone policy is set, then policy is set separately
425 * per zone, else held only in the global zone.
426 *
427 * The initial value of a local zone's policy flag is determined
428 * by the value of the global zone's flags at the time the
429 * local zone is created.
430 *
431 * While auditconfig(8) allows setting and unsetting policies one bit
432 * at a time, the mask passed in from auditconfig() is created by a
433 * syscall to getpolicy and then modified based on the auditconfig()
434 * cmd line, so the input policy value is used to replace the existing
435 * policy.
436 */
437 static int
438 setpolicy(caddr_t data)
439 {
440 uint32_t policy;
441 au_kcontext_t *kctx;
442
443 if (copyin(data, &policy, sizeof (policy)))
444 return (EFAULT);
445
446 kctx = GET_KCTX_NGZ;
447
448 if (INGLOBALZONE(curproc)) {
449 if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL))
450 return (EINVAL);
451
452 audit_policy = policy & AUDIT_GLOBAL;
453 } else {
454 if (!(audit_policy & AUDIT_PERZONE))
455 return (EINVAL);
456
457 if (policy & ~AUDIT_LOCAL) /* global bits are a no-no */
458 return (EINVAL);
459 }
460 kctx->auk_policy = policy & AUDIT_LOCAL;
461
462 /*
463 * auk_current_vp is NULL before auditd starts (or during early
464 * auditd starup) or if auditd is halted; in either case,
465 * notification of a policy change is not needed, since auditd
466 * reads policy as it comes up. The error return from au_doormsg()
467 * is ignored to avoid a race condition -- for example if auditd
468 * segv's, the audit state may be "auditing" but the door may
469 * be closed. Returning an error if the door is open makes it
470 * impossible for Greenline to restart auditd.
471 */
472 if (kctx->auk_current_vp != NULL)
473 (void) au_doormsg(kctx, AU_DBUF_POLICY, &policy);
474
475 /*
476 * Wake up anyone who might have blocked on full audit
477 * partitions. audit daemons need to set AUDIT_FULL when no
478 * space so we can tell if we should start dropping records.
479 */
480 mutex_enter(&(kctx->auk_queue.lock));
481
482 if ((policy & (AUDIT_CNT | AUDIT_SCNT) &&
483 (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater)))
484 cv_broadcast(&(kctx->auk_queue.write_cv));
485
486 mutex_exit(&(kctx->auk_queue.lock));
487
488 return (0);
489 }
490
491 static int
492 getamask(caddr_t data)
493 {
494 au_kcontext_t *kctx;
495
496 kctx = GET_KCTX_PZ;
497
498 if (copyout(&kctx->auk_info.ai_amask, data, sizeof (au_mask_t)))
499 return (EFAULT);
500
501 return (0);
502 }
503
504 static int
505 setamask(caddr_t data)
506 {
507 au_mask_t mask;
508 au_kcontext_t *kctx;
509
510 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
511 return (EINVAL);
512
513 kctx = GET_KCTX_NGZ;
514
515 if (copyin(data, &mask, sizeof (au_mask_t)))
516 return (EFAULT);
517
518 kctx->auk_info.ai_amask = mask;
519 return (0);
520 }
521
522 static int
523 getkmask(caddr_t data)
524 {
525 au_kcontext_t *kctx;
526
527 kctx = GET_KCTX_PZ;
528
529 if (copyout(&kctx->auk_info.ai_namask, data, sizeof (au_mask_t)))
530 return (EFAULT);
531 return (0);
532 }
533
534 static int
535 setkmask(caddr_t data)
536 {
537 au_mask_t mask;
538 au_kcontext_t *kctx;
539
540 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
541 return (EINVAL);
542
543 kctx = GET_KCTX_NGZ;
544
545 if (copyin(data, &mask, sizeof (au_mask_t)))
546 return (EFAULT);
547
548 kctx->auk_info.ai_namask = mask;
549 return (0);
550 }
551
552 static int
553 getkaudit(caddr_t info_p, int len)
554 {
555 STRUCT_DECL(auditinfo_addr, info);
556 model_t model;
557 au_kcontext_t *kctx = GET_KCTX_PZ;
558
559 model = get_udatamodel();
560 STRUCT_INIT(info, model);
561
562 if (len < STRUCT_SIZE(info))
563 return (EOVERFLOW);
564
565 STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid);
566 STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_namask);
567 #ifdef _LP64
568 if (model == DATAMODEL_ILP32) {
569 dev32_t dev;
570 /* convert internal 64 bit form to 32 bit version */
571 if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) {
572 return (EOVERFLOW);
573 }
574 STRUCT_FSET(info, ai_termid.at_port, dev);
575 } else {
576 STRUCT_FSET(info, ai_termid.at_port,
577 kctx->auk_info.ai_termid.at_port);
578 }
579 #else
580 STRUCT_FSET(info, ai_termid.at_port,
581 kctx->auk_info.ai_termid.at_port);
582 #endif
583 STRUCT_FSET(info, ai_termid.at_type,
584 kctx->auk_info.ai_termid.at_type);
585 STRUCT_FSET(info, ai_termid.at_addr[0],
586 kctx->auk_info.ai_termid.at_addr[0]);
587 STRUCT_FSET(info, ai_termid.at_addr[1],
588 kctx->auk_info.ai_termid.at_addr[1]);
589 STRUCT_FSET(info, ai_termid.at_addr[2],
590 kctx->auk_info.ai_termid.at_addr[2]);
591 STRUCT_FSET(info, ai_termid.at_addr[3],
592 kctx->auk_info.ai_termid.at_addr[3]);
593 STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid);
594
595 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
596 return (EFAULT);
597
598 return (0);
599 }
600
601 /*
602 * the host address for AUDIT_PERZONE == 0 is that of the global
603 * zone and for local zones it is of the current zone.
604 */
605 static int
606 setkaudit(caddr_t info_p, int len)
607 {
608 STRUCT_DECL(auditinfo_addr, info);
609 model_t model;
610 au_kcontext_t *kctx;
611
612 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
613 return (EINVAL);
614
615 kctx = GET_KCTX_NGZ;
616
617 model = get_udatamodel();
618 STRUCT_INIT(info, model);
619
620 if (len < STRUCT_SIZE(info))
621 return (EOVERFLOW);
622
623 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
624 return (EFAULT);
625
626 if ((STRUCT_FGET(info, ai_termid.at_type) != AU_IPv4) &&
627 (STRUCT_FGET(info, ai_termid.at_type) != AU_IPv6))
628 return (EINVAL);
629
630 /* Set audit mask, termid and session id as specified */
631 kctx->auk_info.ai_auid = STRUCT_FGET(info, ai_auid);
632 kctx->auk_info.ai_namask = STRUCT_FGET(info, ai_mask);
633 #ifdef _LP64
634 /* only convert to 64 bit if coming from a 32 bit binary */
635 if (model == DATAMODEL_ILP32)
636 kctx->auk_info.ai_termid.at_port =
637 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
638 else
639 kctx->auk_info.ai_termid.at_port =
640 STRUCT_FGET(info, ai_termid.at_port);
641 #else
642 kctx->auk_info.ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
643 #endif
644 kctx->auk_info.ai_termid.at_type = STRUCT_FGET(info, ai_termid.at_type);
645 bzero(&kctx->auk_info.ai_termid.at_addr[0],
646 sizeof (kctx->auk_info.ai_termid.at_addr));
647 kctx->auk_info.ai_termid.at_addr[0] =
648 STRUCT_FGET(info, ai_termid.at_addr[0]);
649 kctx->auk_info.ai_termid.at_addr[1] =
650 STRUCT_FGET(info, ai_termid.at_addr[1]);
651 kctx->auk_info.ai_termid.at_addr[2] =
652 STRUCT_FGET(info, ai_termid.at_addr[2]);
653 kctx->auk_info.ai_termid.at_addr[3] =
654 STRUCT_FGET(info, ai_termid.at_addr[3]);
655 kctx->auk_info.ai_asid = STRUCT_FGET(info, ai_asid);
656
657 if (kctx->auk_info.ai_termid.at_type == AU_IPv6 &&
658 IN6_IS_ADDR_V4MAPPED(
659 ((in6_addr_t *)kctx->auk_info.ai_termid.at_addr))) {
660 kctx->auk_info.ai_termid.at_type = AU_IPv4;
661 kctx->auk_info.ai_termid.at_addr[0] =
662 kctx->auk_info.ai_termid.at_addr[3];
663 kctx->auk_info.ai_termid.at_addr[1] = 0;
664 kctx->auk_info.ai_termid.at_addr[2] = 0;
665 kctx->auk_info.ai_termid.at_addr[3] = 0;
666 }
667 if (kctx->auk_info.ai_termid.at_type == AU_IPv6)
668 kctx->auk_hostaddr_valid = IN6_IS_ADDR_UNSPECIFIED(
669 (in6_addr_t *)kctx->auk_info.ai_termid.at_addr) ? 0 : 1;
670 else
671 kctx->auk_hostaddr_valid =
672 (kctx->auk_info.ai_termid.at_addr[0] ==
673 htonl(INADDR_ANY)) ? 0 : 1;
674
675 return (0);
676 }
677
678 static int
679 getqctrl(caddr_t data)
680 {
681 au_kcontext_t *kctx = GET_KCTX_PZ;
682 STRUCT_DECL(au_qctrl, qctrl);
683 STRUCT_INIT(qctrl, get_udatamodel());
684
685 mutex_enter(&(kctx->auk_queue.lock));
686 STRUCT_FSET(qctrl, aq_hiwater, kctx->auk_queue.hiwater);
687 STRUCT_FSET(qctrl, aq_lowater, kctx->auk_queue.lowater);
688 STRUCT_FSET(qctrl, aq_bufsz, kctx->auk_queue.bufsz);
689 STRUCT_FSET(qctrl, aq_delay, kctx->auk_queue.delay);
690 mutex_exit(&(kctx->auk_queue.lock));
691
692 if (copyout(STRUCT_BUF(qctrl), data, STRUCT_SIZE(qctrl)))
693 return (EFAULT);
694
695 return (0);
696 }
697
698 static int
699 setqctrl(caddr_t data)
700 {
701 au_kcontext_t *kctx;
702 struct au_qctrl qctrl_tmp;
703 STRUCT_DECL(au_qctrl, qctrl);
704 STRUCT_INIT(qctrl, get_udatamodel());
705
706 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
707 return (EINVAL);
708 kctx = GET_KCTX_NGZ;
709
710 if (copyin(data, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
711 return (EFAULT);
712
713 qctrl_tmp.aq_hiwater = (size_t)STRUCT_FGET(qctrl, aq_hiwater);
714 qctrl_tmp.aq_lowater = (size_t)STRUCT_FGET(qctrl, aq_lowater);
715 qctrl_tmp.aq_bufsz = (size_t)STRUCT_FGET(qctrl, aq_bufsz);
716 qctrl_tmp.aq_delay = (clock_t)STRUCT_FGET(qctrl, aq_delay);
717
718 /* enforce sane values */
719
720 if (qctrl_tmp.aq_hiwater <= qctrl_tmp.aq_lowater)
721 return (EINVAL);
722
723 if (qctrl_tmp.aq_hiwater < AQ_LOWATER)
724 return (EINVAL);
725
726 if (qctrl_tmp.aq_hiwater > AQ_MAXHIGH)
727 return (EINVAL);
728
729 if (qctrl_tmp.aq_bufsz < AQ_BUFSZ)
730 return (EINVAL);
731
732 if (qctrl_tmp.aq_bufsz > AQ_MAXBUFSZ)
733 return (EINVAL);
734
735 if (qctrl_tmp.aq_delay == 0)
736 return (EINVAL);
737
738 if (qctrl_tmp.aq_delay > AQ_MAXDELAY)
739 return (EINVAL);
740
741 /* update everything at once so things are consistant */
742 mutex_enter(&(kctx->auk_queue.lock));
743 kctx->auk_queue.hiwater = qctrl_tmp.aq_hiwater;
744 kctx->auk_queue.lowater = qctrl_tmp.aq_lowater;
745 kctx->auk_queue.bufsz = qctrl_tmp.aq_bufsz;
746 kctx->auk_queue.delay = qctrl_tmp.aq_delay;
747
748 if (kctx->auk_queue.rd_block &&
749 kctx->auk_queue.cnt > kctx->auk_queue.lowater)
750 cv_broadcast(&(kctx->auk_queue.read_cv));
751
752 if (kctx->auk_queue.wt_block &&
753 kctx->auk_queue.cnt < kctx->auk_queue.hiwater)
754 cv_broadcast(&(kctx->auk_queue.write_cv));
755
756 mutex_exit(&(kctx->auk_queue.lock));
757
758 return (0);
759 }
760
761 static int
762 getcwd(caddr_t data, int length)
763 {
764 struct p_audit_data *pad;
765 struct audit_path *app;
766 int pathlen;
767
768 pad = P2A(curproc);
769 ASSERT(pad != NULL);
770
771 mutex_enter(&(pad->pad_lock));
772 app = pad->pad_cwd;
773 au_pathhold(app);
774 mutex_exit(&(pad->pad_lock));
775
776 pathlen = app->audp_sect[1] - app->audp_sect[0];
777 if (pathlen > length) {
778 au_pathrele(app);
779 return (E2BIG);
780 }
781
782 if (copyout(app->audp_sect[0], data, pathlen)) {
783 au_pathrele(app);
784 return (EFAULT);
785 }
786
787 au_pathrele(app);
788 return (0);
789 }
790
791 static int
792 getcar(caddr_t data, int length)
793 {
794 struct p_audit_data *pad;
795 struct audit_path *app;
796 int pathlen;
797
798 pad = P2A(curproc);
799 ASSERT(pad != NULL);
800
801 mutex_enter(&(pad->pad_lock));
802 app = pad->pad_root;
803 au_pathhold(app);
804 mutex_exit(&(pad->pad_lock));
805
806 pathlen = app->audp_sect[1] - app->audp_sect[0];
807 if (pathlen > length) {
808 au_pathrele(app);
809 return (E2BIG);
810 }
811
812 if (copyout(app->audp_sect[0], data, pathlen)) {
813 au_pathrele(app);
814 return (EFAULT);
815 }
816
817 au_pathrele(app);
818 return (0);
819 }
820
821 static int
822 getstat(caddr_t data)
823 {
824 au_kcontext_t *kctx = GET_KCTX_PZ;
825
826 membar_consumer();
827
828 if (copyout((caddr_t)&(kctx->auk_statistics), data, sizeof (au_stat_t)))
829 return (EFAULT);
830 return (0);
831 }
832
833 static int
834 setstat(caddr_t data)
835 {
836 au_kcontext_t *kctx = GET_KCTX_PZ;
837 au_stat_t au_stat;
838
839 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
840 return (EINVAL);
841
842 if (copyin(data, &au_stat, sizeof (au_stat_t)))
843 return (EFAULT);
844
845 if (au_stat.as_generated == CLEAR_VAL)
846 kctx->auk_statistics.as_generated = 0;
847 if (au_stat.as_nonattrib == CLEAR_VAL)
848 kctx->auk_statistics.as_nonattrib = 0;
849 if (au_stat.as_kernel == CLEAR_VAL)
850 kctx->auk_statistics.as_kernel = 0;
851 if (au_stat.as_audit == CLEAR_VAL)
852 kctx->auk_statistics.as_audit = 0;
853 if (au_stat.as_auditctl == CLEAR_VAL)
854 kctx->auk_statistics.as_auditctl = 0;
855 if (au_stat.as_enqueue == CLEAR_VAL)
856 kctx->auk_statistics.as_enqueue = 0;
857 if (au_stat.as_written == CLEAR_VAL)
858 kctx->auk_statistics.as_written = 0;
859 if (au_stat.as_wblocked == CLEAR_VAL)
860 kctx->auk_statistics.as_wblocked = 0;
861 if (au_stat.as_rblocked == CLEAR_VAL)
862 kctx->auk_statistics.as_rblocked = 0;
863 if (au_stat.as_dropped == CLEAR_VAL)
864 kctx->auk_statistics.as_dropped = 0;
865 if (au_stat.as_totalsize == CLEAR_VAL)
866 kctx->auk_statistics.as_totalsize = 0;
867
868 membar_producer();
869
870 return (0);
871
872 }
873
874 static int
875 setumask(caddr_t data)
876 {
877 STRUCT_DECL(auditinfo, user_info);
878 struct proc *p;
879 const auditinfo_addr_t *ainfo;
880 model_t model;
881
882 /* setumask not applicable in non-global zones without perzone policy */
883 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
884 return (EINVAL);
885
886 model = get_udatamodel();
887 STRUCT_INIT(user_info, model);
888
889 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
890 return (EFAULT);
891
892 mutex_enter(&pidlock); /* lock the process queue against updates */
893 for (p = practive; p != NULL; p = p->p_next) {
894 cred_t *cr;
895
896 /* if in non-global zone only modify processes in same zone */
897 if (!HASZONEACCESS(curproc, p->p_zone->zone_id))
898 continue;
899
900 mutex_enter(&p->p_lock); /* so process doesn't go away */
901
902 /* skip system processes and ones being created or going away */
903 if (p->p_stat == SIDL || p->p_stat == SZOMB ||
904 (p->p_flag & (SSYS | SEXITING | SEXITLWPS))) {
905 mutex_exit(&p->p_lock);
906 continue;
907 }
908
909 mutex_enter(&p->p_crlock);
910 crhold(cr = p->p_cred);
911 mutex_exit(&p->p_crlock);
912 ainfo = crgetauinfo(cr);
913 if (ainfo == NULL) {
914 mutex_exit(&p->p_lock);
915 crfree(cr);
916 continue;
917 }
918
919 if (ainfo->ai_auid == STRUCT_FGET(user_info, ai_auid)) {
920 au_mask_t mask;
921 int err;
922
923 /*
924 * Here's a process which matches the specified auid.
925 * If its mask doesn't already match the new mask,
926 * save the new mask in the pad, to be picked up
927 * next syscall.
928 */
929 mask = STRUCT_FGET(user_info, ai_mask);
930 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
931 crfree(cr);
932 if (err != 0) {
933 struct p_audit_data *pad = P2A(p);
934 ASSERT(pad != NULL);
935
936 mutex_enter(&(pad->pad_lock));
937 pad->pad_flags |= PAD_SETMASK;
938 pad->pad_newmask = mask;
939 mutex_exit(&(pad->pad_lock));
940
941 /*
942 * No need to call set_proc_pre_sys(), since
943 * t_pre_sys is ALWAYS on when audit is
944 * enabled...due to syscall auditing.
945 */
946 }
947 } else {
948 crfree(cr);
949 }
950 mutex_exit(&p->p_lock);
951 }
952 mutex_exit(&pidlock);
953
954 return (0);
955 }
956
957 static int
958 setsmask(caddr_t data)
959 {
960 STRUCT_DECL(auditinfo, user_info);
961 struct proc *p;
962 const auditinfo_addr_t *ainfo;
963 model_t model;
964
965 /* setsmask not applicable in non-global zones without perzone policy */
966 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
967 return (EINVAL);
968
969 model = get_udatamodel();
970 STRUCT_INIT(user_info, model);
971
972 if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
973 return (EFAULT);
974
975 mutex_enter(&pidlock); /* lock the process queue against updates */
976 for (p = practive; p != NULL; p = p->p_next) {
977 cred_t *cr;
978
979 /* if in non-global zone only modify processes in same zone */
980 if (!HASZONEACCESS(curproc, p->p_zone->zone_id))
981 continue;
982
983 mutex_enter(&p->p_lock); /* so process doesn't go away */
984
985 /* skip system processes and ones being created or going away */
986 if (p->p_stat == SIDL || p->p_stat == SZOMB ||
987 (p->p_flag & (SSYS | SEXITING | SEXITLWPS))) {
988 mutex_exit(&p->p_lock);
989 continue;
990 }
991
992 mutex_enter(&p->p_crlock);
993 crhold(cr = p->p_cred);
994 mutex_exit(&p->p_crlock);
995 ainfo = crgetauinfo(cr);
996 if (ainfo == NULL) {
997 mutex_exit(&p->p_lock);
998 crfree(cr);
999 continue;
1000 }
1001
1002 if (ainfo->ai_asid == STRUCT_FGET(user_info, ai_asid)) {
1003 au_mask_t mask;
1004 int err;
1005
1006 /*
1007 * Here's a process which matches the specified asid.
1008 * If its mask doesn't already match the new mask,
1009 * save the new mask in the pad, to be picked up
1010 * next syscall.
1011 */
1012 mask = STRUCT_FGET(user_info, ai_mask);
1013 err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1014 crfree(cr);
1015 if (err != 0) {
1016 struct p_audit_data *pad = P2A(p);
1017 ASSERT(pad != NULL);
1018
1019 mutex_enter(&(pad->pad_lock));
1020 pad->pad_flags |= PAD_SETMASK;
1021 pad->pad_newmask = mask;
1022 mutex_exit(&(pad->pad_lock));
1023
1024 /*
1025 * No need to call set_proc_pre_sys(), since
1026 * t_pre_sys is ALWAYS on when audit is
1027 * enabled...due to syscall auditing.
1028 */
1029 }
1030 } else {
1031 crfree(cr);
1032 }
1033 mutex_exit(&p->p_lock);
1034 }
1035 mutex_exit(&pidlock);
1036
1037 return (0);
1038 }
1039
1040 /*
1041 * Get the current audit state of the system
1042 */
1043 static int
1044 getcond(caddr_t data)
1045 {
1046 au_kcontext_t *kctx = GET_KCTX_PZ;
1047
1048 if (copyout(&(kctx->auk_auditstate), data, sizeof (int)))
1049 return (EFAULT);
1050
1051 return (0);
1052 }
1053
1054 /*
1055 * Set the current audit state of the system to on (AUC_AUDITING) or
1056 * off (AUC_NOAUDIT).
1057 */
1058 /* ARGSUSED */
1059 static int
1060 setcond(caddr_t data)
1061 {
1062 int auditstate;
1063 au_kcontext_t *kctx;
1064
1065 if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
1066 return (EINVAL);
1067
1068 kctx = GET_KCTX_NGZ;
1069
1070 if (copyin(data, &auditstate, sizeof (int)))
1071 return (EFAULT);
1072
1073 switch (auditstate) {
1074 case AUC_AUDITING: /* Turn auditing on */
1075 if (audit_active == C2AUDIT_UNLOADED)
1076 audit_init_module();
1077 kctx->auk_auditstate = AUC_AUDITING;
1078 if (!(audit_policy & AUDIT_PERZONE) && INGLOBALZONE(curproc))
1079 set_all_zone_usr_proc_sys(ALL_ZONES);
1080 else
1081 set_all_zone_usr_proc_sys(curproc->p_zone->zone_id);
1082 break;
1083
1084 case AUC_NOAUDIT: /* Turn auditing off */
1085 if (kctx->auk_auditstate == AUC_NOAUDIT)
1086 break;
1087 kctx->auk_auditstate = AUC_NOAUDIT;
1088
1089 /* clear out the audit queue */
1090
1091 mutex_enter(&(kctx->auk_queue.lock));
1092 if (kctx->auk_queue.wt_block)
1093 cv_broadcast(&(kctx->auk_queue.write_cv));
1094
1095 /* unblock au_output_thread */
1096 cv_broadcast(&(kctx->auk_queue.read_cv));
1097
1098 mutex_exit(&(kctx->auk_queue.lock));
1099 break;
1100
1101 default:
1102 return (EINVAL);
1103 }
1104
1105 return (0);
1106 }
1107
1108 static int
1109 getclass(caddr_t data)
1110 {
1111 au_evclass_map_t event;
1112 au_kcontext_t *kctx = GET_KCTX_PZ;
1113
1114 if (copyin(data, &event, sizeof (au_evclass_map_t)))
1115 return (EFAULT);
1116
1117 if (event.ec_number > MAX_KEVENTS)
1118 return (EINVAL);
1119
1120 event.ec_class = kctx->auk_ets[event.ec_number];
1121
1122 if (copyout(&event, data, sizeof (au_evclass_map_t)))
1123 return (EFAULT);
1124
1125 return (0);
1126 }
1127
1128 static int
1129 setclass(caddr_t data)
1130 {
1131 au_evclass_map_t event;
1132 au_kcontext_t *kctx;
1133
1134 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1135 return (EINVAL);
1136
1137 kctx = GET_KCTX_NGZ;
1138
1139 if (copyin(data, &event, sizeof (au_evclass_map_t)))
1140 return (EFAULT);
1141
1142 if (event.ec_number > MAX_KEVENTS)
1143 return (EINVAL);
1144
1145 kctx->auk_ets[event.ec_number] = event.ec_class;
1146
1147 return (0);
1148 }
1149
1150 static int
1151 getpinfo(caddr_t data)
1152 {
1153 STRUCT_DECL(auditpinfo, apinfo);
1154 proc_t *proc;
1155 const auditinfo_addr_t *ainfo;
1156 model_t model;
1157 cred_t *cr, *newcred;
1158
1159 model = get_udatamodel();
1160 STRUCT_INIT(apinfo, model);
1161
1162 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1163 return (EFAULT);
1164
1165 newcred = cralloc();
1166
1167 mutex_enter(&pidlock);
1168 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1169 mutex_exit(&pidlock);
1170 crfree(newcred);
1171 return (ESRCH); /* no such process */
1172 }
1173 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1174 mutex_exit(&pidlock);
1175
1176 audit_update_context(proc, newcred); /* make sure it's up-to-date */
1177
1178 mutex_enter(&proc->p_crlock);
1179 crhold(cr = proc->p_cred);
1180 mutex_exit(&proc->p_crlock);
1181 mutex_exit(&proc->p_lock);
1182
1183 ainfo = crgetauinfo(cr);
1184 if (ainfo == NULL) {
1185 crfree(cr);
1186 return (EINVAL);
1187 }
1188
1189 /* designated process has an ipv6 address? */
1190 if (ainfo->ai_termid.at_type == AU_IPv6) {
1191 crfree(cr);
1192 return (EOVERFLOW);
1193 }
1194
1195 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1196 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1197 #ifdef _LP64
1198 if (model == DATAMODEL_ILP32) {
1199 dev32_t dev;
1200 /* convert internal 64 bit form to 32 bit version */
1201 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1202 crfree(cr);
1203 return (EOVERFLOW);
1204 }
1205 STRUCT_FSET(apinfo, ap_termid.port, dev);
1206 } else
1207 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1208 #else
1209 STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1210 #endif
1211 STRUCT_FSET(apinfo, ap_termid.machine, ainfo->ai_termid.at_addr[0]);
1212 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1213
1214 crfree(cr);
1215
1216 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1217 return (EFAULT);
1218
1219 return (0);
1220 }
1221
1222 static int
1223 getpinfo_addr(caddr_t data, int len)
1224 {
1225 STRUCT_DECL(auditpinfo_addr, apinfo);
1226 proc_t *proc;
1227 const auditinfo_addr_t *ainfo;
1228 model_t model;
1229 cred_t *cr, *newcred;
1230
1231 model = get_udatamodel();
1232 STRUCT_INIT(apinfo, model);
1233
1234 if (len < STRUCT_SIZE(apinfo))
1235 return (EOVERFLOW);
1236
1237 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1238 return (EFAULT);
1239
1240 newcred = cralloc();
1241
1242 mutex_enter(&pidlock);
1243 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1244 mutex_exit(&pidlock);
1245 crfree(newcred);
1246 return (ESRCH);
1247 }
1248 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1249 mutex_exit(&pidlock);
1250
1251 audit_update_context(proc, newcred); /* make sure it's up-to-date */
1252
1253 mutex_enter(&proc->p_crlock);
1254 crhold(cr = proc->p_cred);
1255 mutex_exit(&proc->p_crlock);
1256 mutex_exit(&proc->p_lock);
1257
1258 ainfo = crgetauinfo(cr);
1259 if (ainfo == NULL) {
1260 crfree(cr);
1261 return (EINVAL);
1262 }
1263
1264 STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1265 STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1266 #ifdef _LP64
1267 if (model == DATAMODEL_ILP32) {
1268 dev32_t dev;
1269 /* convert internal 64 bit form to 32 bit version */
1270 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1271 crfree(cr);
1272 return (EOVERFLOW);
1273 }
1274 STRUCT_FSET(apinfo, ap_termid.at_port, dev);
1275 } else
1276 STRUCT_FSET(apinfo, ap_termid.at_port,
1277 ainfo->ai_termid.at_port);
1278 #else
1279 STRUCT_FSET(apinfo, ap_termid.at_port, ainfo->ai_termid.at_port);
1280 #endif
1281 STRUCT_FSET(apinfo, ap_termid.at_type, ainfo->ai_termid.at_type);
1282 STRUCT_FSET(apinfo, ap_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
1283 STRUCT_FSET(apinfo, ap_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
1284 STRUCT_FSET(apinfo, ap_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
1285 STRUCT_FSET(apinfo, ap_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
1286 STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1287
1288 crfree(cr);
1289
1290 if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1291 return (EFAULT);
1292
1293 return (0);
1294 }
1295
1296 static int
1297 setpmask(caddr_t data)
1298 {
1299 STRUCT_DECL(auditpinfo, apinfo);
1300 proc_t *proc;
1301 cred_t *newcred;
1302 auditinfo_addr_t *ainfo;
1303 struct p_audit_data *pad;
1304
1305 model_t model;
1306
1307 model = get_udatamodel();
1308 STRUCT_INIT(apinfo, model);
1309
1310 if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1311 return (EFAULT);
1312
1313 mutex_enter(&pidlock);
1314 if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1315 mutex_exit(&pidlock);
1316 return (ESRCH);
1317 }
1318 mutex_enter(&proc->p_lock); /* so process doesn't go away */
1319 mutex_exit(&pidlock);
1320
1321 newcred = cralloc();
1322 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
1323 mutex_exit(&proc->p_lock);
1324 crfree(newcred);
1325 return (EINVAL);
1326 }
1327
1328 mutex_enter(&proc->p_crlock);
1329 crcopy_to(proc->p_cred, newcred);
1330 proc->p_cred = newcred;
1331
1332 ainfo->ai_mask = STRUCT_FGET(apinfo, ap_mask);
1333
1334 /*
1335 * Unlock. No need to broadcast changes via set_proc_pre_sys(),
1336 * since t_pre_sys is ALWAYS on when audit is enabled... due to
1337 * syscall auditing.
1338 */
1339 crfree(newcred);
1340 mutex_exit(&proc->p_crlock);
1341
1342 /* Reset flag for any previous pending mask change; this supercedes */
1343 pad = P2A(proc);
1344 ASSERT(pad != NULL);
1345 mutex_enter(&(pad->pad_lock));
1346 pad->pad_flags &= ~PAD_SETMASK;
1347 mutex_exit(&(pad->pad_lock));
1348
1349 mutex_exit(&proc->p_lock);
1350
1351 return (0);
1352 }
1353
1354 /*
1355 * The out of control system call
1356 * This is audit kitchen sink aka auditadm, aka auditon
1357 */
1358 int
1359 auditctl(
1360 int cmd,
1361 caddr_t data,
1362 int length)
1363 {
1364 int result;
1365
1366 switch (cmd) {
1367 case A_GETAMASK:
1368 case A_GETCOND:
1369 case A_GETCAR:
1370 case A_GETCLASS:
1371 case A_GETCWD:
1372 case A_GETKAUDIT:
1373 case A_GETKMASK:
1374 case A_GETPINFO:
1375 case A_GETPINFO_ADDR:
1376 case A_GETPOLICY:
1377 case A_GETQCTRL:
1378 case A_GETSTAT:
1379 if (secpolicy_audit_getattr(CRED(), B_FALSE) != 0)
1380 return (EPERM);
1381 break;
1382 default:
1383 if (secpolicy_audit_config(CRED()) != 0)
1384 return (EPERM);
1385 break;
1386 }
1387
1388 switch (cmd) {
1389 case A_GETPOLICY:
1390 result = getpolicy(data);
1391 break;
1392 case A_SETPOLICY:
1393 result = setpolicy(data);
1394 break;
1395 case A_GETAMASK:
1396 result = getamask(data);
1397 break;
1398 case A_SETAMASK:
1399 result = setamask(data);
1400 break;
1401 case A_GETKMASK:
1402 result = getkmask(data);
1403 break;
1404 case A_SETKMASK:
1405 result = setkmask(data);
1406 break;
1407 case A_GETKAUDIT:
1408 result = getkaudit(data, length);
1409 break;
1410 case A_SETKAUDIT:
1411 result = setkaudit(data, length);
1412 break;
1413 case A_GETQCTRL:
1414 result = getqctrl(data);
1415 break;
1416 case A_SETQCTRL:
1417 result = setqctrl(data);
1418 break;
1419 case A_GETCWD:
1420 result = getcwd(data, length);
1421 break;
1422 case A_GETCAR:
1423 result = getcar(data, length);
1424 break;
1425 case A_GETSTAT:
1426 result = getstat(data);
1427 break;
1428 case A_SETSTAT:
1429 result = setstat(data);
1430 break;
1431 case A_SETUMASK:
1432 result = setumask(data);
1433 break;
1434 case A_SETSMASK:
1435 result = setsmask(data);
1436 break;
1437 case A_GETCOND:
1438 result = getcond(data);
1439 break;
1440 case A_SETCOND:
1441 result = setcond(data);
1442 break;
1443 case A_GETCLASS:
1444 result = getclass(data);
1445 break;
1446 case A_SETCLASS:
1447 result = setclass(data);
1448 break;
1449 case A_GETPINFO:
1450 result = getpinfo(data);
1451 break;
1452 case A_GETPINFO_ADDR:
1453 result = getpinfo_addr(data, length);
1454 break;
1455 case A_SETPMASK:
1456 result = setpmask(data);
1457 break;
1458 default:
1459 result = EINVAL;
1460 break;
1461 }
1462 return (result);
1463 }
Unleashed OS