4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
27 * This file contains the audit hook support code for auditing.
30 #include <sys/types.h>
32 #include <sys/vnode.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h> /* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h> /* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h> /* needs to be included before user.h */
52 #include <c2/audit_kernel.h> /* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h> /* for model_t */
60 #include <sys/disp.h> /* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
67 static void add_return_token(caddr_t
*, unsigned int scid
, int err
, int rval
);
69 static void audit_pathbuild(struct pathname
*pnp
);
73 * ROUTINE: AUDIT_SAVEPATH
77 * NOTE: We have reached the end of a path in fs/lookup.c.
78 * We get two pieces of information here:
79 * the vnode of the last component (vp) and
80 * the status of the last access (flag).
88 struct pathname
*pnp
, /* pathname to lookup */
89 struct vnode
*vp
, /* vnode of the last component */
90 struct vnode
*pvp
, /* vnode of the last parent component */
91 int flag
, /* status of the last access */
92 cred_t
*cr
) /* cred of requestor */
95 t_audit_data_t
*tad
; /* current thread */
96 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
101 * Noise elimination in audit trails - this event will be discarded if:
102 * - the public policy is not active AND
103 * - the system call is a public operation AND
104 * - the file was not found: VFS lookup failed with ENOENT error AND
105 * - the missing file would have been located in the public directory
106 * owned by root if it had existed
108 if (tad
->tad_flag
!= 0 && flag
== ENOENT
&& pvp
!= NULL
&&
109 (tad
->tad_ctrl
& TAD_PUBLIC_EV
) &&
110 !(kctx
->auk_policy
& AUDIT_PUBLIC
)) {
113 attr
.va_mask
= AT_ALL
;
114 if (VOP_GETATTR(pvp
, &attr
, 0, CRED(), NULL
) == 0) {
115 if (object_is_public(&attr
)) {
116 tad
->tad_ctrl
|= TAD_NOAUDIT
;
122 * this event being audited or do we need path information
123 * later? This might be for a chdir/chroot or open (add path
124 * to file pointer. If the path has already been found for an
125 * open/creat then we don't need to process the path.
127 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 * chroot, chdir, open, creat system call processing. It determines
129 * if audit_savepath() will discard the path or we need it later.
130 * TAD_PATHFND means path already included in this audit record. It
131 * is used in cases where multiple path lookups are done per
132 * system call. The policy flag, AUDIT_PATH, controls if multiple
134 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 * exit processing to inhibit any paths that may be added due to
138 if ((tad
->tad_flag
== 0 && !(tad
->tad_ctrl
& TAD_SAVPATH
)) ||
139 ((tad
->tad_ctrl
& TAD_PATHFND
) &&
140 !(kctx
->auk_policy
& AUDIT_PATH
)) ||
141 (tad
->tad_ctrl
& TAD_NOPATH
)) {
145 tad
->tad_ctrl
|= TAD_NOPATH
; /* prevent possible reentry */
147 audit_pathbuild(pnp
);
150 * are we auditing only if error, or if it is not open or create
151 * otherwise audit_setf will do it
156 (tad
->tad_scid
== SYS_open
||
157 tad
->tad_scid
== SYS_open64
||
158 tad
->tad_scid
== SYS_openat
||
159 tad
->tad_scid
== SYS_openat64
)) {
160 tad
->tad_ctrl
|= TAD_TRUE_CREATE
;
163 /* add token to audit record for this name */
164 au_uwrite(au_to_path(tad
->tad_aupath
));
166 /* add the attributes of the object */
169 * only capture attributes when there is no error
170 * lookup will not return the vnode of the failing
173 * if there was a lookup error, then don't add
174 * attribute. if lookup in vn_create(),
175 * then don't add attribute,
176 * it will be added at end of vn_create().
178 if (!flag
&& !(tad
->tad_ctrl
& TAD_NOATTRB
))
179 audit_attributes(vp
);
183 /* free up space if we're not going to save path (open, creat) */
184 if ((tad
->tad_ctrl
& TAD_SAVPATH
) == 0) {
185 if (tad
->tad_aupath
!= NULL
) {
186 au_pathrele(tad
->tad_aupath
);
187 tad
->tad_aupath
= NULL
;
190 if (tad
->tad_ctrl
& TAD_MLD
)
191 tad
->tad_ctrl
|= TAD_PATHFND
;
193 tad
->tad_ctrl
&= ~TAD_NOPATH
; /* restore */
198 audit_pathbuild(struct pathname
*pnp
)
200 char *pp
; /* pointer to path */
201 int len
; /* length of incoming segment */
202 int newsect
; /* path requires a new section */
203 struct audit_path
*pfxapp
; /* prefix for path */
204 struct audit_path
*newapp
; /* new audit_path */
205 t_audit_data_t
*tad
; /* current thread */
206 p_audit_data_t
*pad
; /* current process */
213 len
= (pnp
->pn_path
- pnp
->pn_buf
) + 1; /* +1 for terminator */
216 /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 mutex_enter(&pad
->pad_lock
);
218 if (tad
->tad_aupath
!= NULL
) {
219 pfxapp
= tad
->tad_aupath
;
220 } else if ((tad
->tad_ctrl
& TAD_ATCALL
) && pnp
->pn_buf
[0] != '/') {
221 ASSERT(tad
->tad_atpath
!= NULL
);
222 pfxapp
= tad
->tad_atpath
;
223 } else if (tad
->tad_ctrl
& TAD_ABSPATH
) {
224 pfxapp
= pad
->pad_root
;
226 pfxapp
= pad
->pad_cwd
;
229 mutex_exit(&pad
->pad_lock
);
231 /* get an expanded buffer to hold the anchored path */
232 newsect
= tad
->tad_ctrl
& TAD_ATTPATH
;
233 newapp
= au_pathdup(pfxapp
, newsect
, len
);
236 pp
= newapp
->audp_sect
[newapp
->audp_cnt
] - len
;
238 /* overlay previous NUL terminator */
242 /* now add string of processed path */
243 bcopy(pnp
->pn_buf
, pp
, len
);
246 /* perform path simplification as necessary */
247 audit_fixpath(newapp
, len
);
250 au_pathrele(tad
->tad_aupath
);
251 tad
->tad_aupath
= newapp
;
253 /* for case where multiple lookups in one syscall (rename) */
254 tad
->tad_ctrl
&= ~(TAD_ABSPATH
| TAD_ATTPATH
);
259 * ROUTINE: AUDIT_ANCHORPATH
263 * anchor path at "/". We have seen a symbolic link or entering for the
264 * first time we will throw away any saved path if path is anchored.
266 * flag = 0, path is relative.
267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
269 * If the (new) path is absolute, then we have to throw away whatever we have
270 * already accumulated since it is being superseded by new path which is
271 * anchored at the root.
272 * Note that if the path is relative, this function does nothing
278 audit_anchorpath(struct pathname
*pnp
, int flag
)
280 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
286 * this event being audited or do we need path information
287 * later? This might be for a chdir/chroot or open (add path
288 * to file pointer. If the path has already been found for an
289 * open/creat then we don't need to process the path.
291 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 * chroot, chdir, open, creat system call processing. It determines
293 * if audit_savepath() will discard the path or we need it later.
294 * TAD_PATHFND means path already included in this audit record. It
295 * is used in cases where multiple path lookups are done per
296 * system call. The policy flag, AUDIT_PATH, controls if multiple
298 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 * exit processing to inhibit any paths that may be added due to
302 if ((tad
->tad_flag
== 0 && !(tad
->tad_ctrl
& TAD_SAVPATH
)) ||
303 ((tad
->tad_ctrl
& TAD_PATHFND
) &&
304 !(kctx
->auk_policy
& AUDIT_PATH
)) ||
305 (tad
->tad_ctrl
& TAD_NOPATH
)) {
310 tad
->tad_ctrl
|= TAD_ABSPATH
;
311 if (tad
->tad_aupath
!= NULL
) {
312 au_pathrele(tad
->tad_aupath
);
313 tad
->tad_aupath
= NULL
;
320 * symbolic link. Save previous components.
322 * the path seen so far looks like this
324 * +-----------------------+----------------+
325 * | path processed so far | remaining path |
326 * +-----------------------+----------------+
327 * \-----------------------/
328 * save this string if
329 * symbolic link relative
330 * (but don't include symlink component)
337 * ROUTINE: AUDIT_SYMLINK
345 audit_symlink(struct pathname
*pnp
, struct pathname
*sympath
)
347 char *sp
; /* saved initial pp */
348 char *cp
; /* start of symlink path */
349 uint_t len_path
; /* processed path before symlink */
351 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
356 * this event being audited or do we need path information
357 * later? This might be for a chdir/chroot or open (add path
358 * to file pointer. If the path has already been found for an
359 * open/creat then we don't need to process the path.
361 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 * chroot, chdir, open, creat system call processing. It determines
363 * if audit_savepath() will discard the path or we need it later.
364 * TAD_PATHFND means path already included in this audit record. It
365 * is used in cases where multiple path lookups are done per
366 * system call. The policy flag, AUDIT_PATH, controls if multiple
368 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 * exit processing to inhibit any paths that may be added due to
372 if ((tad
->tad_flag
== 0 &&
373 !(tad
->tad_ctrl
& TAD_SAVPATH
)) ||
374 ((tad
->tad_ctrl
& TAD_PATHFND
) &&
375 !(kctx
->auk_policy
& AUDIT_PATH
)) ||
376 (tad
->tad_ctrl
& TAD_NOPATH
)) {
381 * if symbolic link is anchored at / then do nothing.
382 * When we cycle back to begin: in lookuppn() we will
383 * call audit_anchorpath() with a flag indicating if the
384 * path is anchored at / or is relative. We will release
385 * any saved path at that point.
387 * Note In the event that an error occurs in pn_combine then
388 * we want to remain pointing at the component that caused the
389 * path to overflow the pnp structure.
391 if (sympath
->pn_buf
[0] == '/')
394 /* backup over last component */
395 sp
= cp
= pnp
->pn_path
;
396 while (*--cp
!= '/' && cp
> pnp
->pn_buf
)
399 len_path
= cp
- pnp
->pn_buf
;
401 /* is there anything to save? */
403 pnp
->pn_path
= pnp
->pn_buf
;
404 audit_pathbuild(pnp
);
410 * object_is_public : determine whether events for the object (corresponding to
411 * the specified file/directory attr) should be audited or
414 * returns: 1 - if audit policy and object attributes indicate that
415 * file/directory is effectively public. read events for
416 * the file should not be audited.
419 * The required attributes to be considered a public object are:
420 * - owned by root, AND
421 * - world-readable (permissions for other include read), AND
422 * - NOT world-writeable (permissions for other don't
424 * (mode doesn't need to be checked for symlinks)
427 object_is_public(struct vattr
*attr
)
429 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
431 if (!(kctx
->auk_policy
& AUDIT_PUBLIC
) && (attr
->va_uid
== 0) &&
432 ((attr
->va_type
== VLNK
) ||
433 ((attr
->va_mode
& (VREAD
>>6)) != 0) &&
434 ((attr
->va_mode
& (VWRITE
>>6)) == 0))) {
442 * ROUTINE: AUDIT_ATTRIBUTES
443 * PURPOSE: Audit the attributes so we can tell why the error occurred
444 * CALLBY: AUDIT_SAVEPATH
445 * AUDIT_VNCREATE_FINISH
446 * AUS_FCHOWN...audit_event.c...audit_path.c
452 audit_attributes(struct vnode
*vp
)
455 struct t_audit_data
*tad
;
460 attr
.va_mask
= AT_ALL
;
461 if (VOP_GETATTR(vp
, &attr
, 0, CRED(), NULL
) != 0)
464 if (object_is_public(&attr
) &&
465 (tad
->tad_ctrl
& TAD_PUBLIC_EV
)) {
467 * This is a public object and a "public" event
468 * (i.e., read only) -- either by definition
469 * (e.g., stat, access...) or by virtue of write access
470 * not being requested (e.g. mmap).
471 * Flag it in the tad to prevent this audit at the end.
473 tad
->tad_ctrl
|= TAD_NOAUDIT
;
475 au_uwrite(au_to_attr(&attr
));
476 audit_sec_attributes(&(u_ad
), vp
);
483 * ROUTINE: AUDIT_EXIT
488 * QUESTION: why cmw code as offset by 2 but not here
492 audit_exit(int code
, int what
)
494 struct t_audit_data
*tad
;
498 * tad_scid will be set by audit_start even if we are not auditing
501 if (tad
->tad_scid
== SYS_exit
) {
503 * if we are auditing the exit system call, then complete
504 * audit record generation (no return from system call).
506 if (tad
->tad_flag
&& tad
->tad_event
== AUE_EXIT
)
507 audit_finish(0, SYS_exit
, 0, 0);
512 * Anyone auditing the system call that was aborted?
515 au_uwrite(au_to_text("event aborted"));
516 audit_finish(0, tad
->tad_scid
, 0, 0);
520 * Generate an audit record for process exit if preselected.
522 (void) audit_start(0, SYS_exit
, AUC_UNSET
, 0, 0);
523 audit_finish(0, SYS_exit
, 0, 0);
527 * ROUTINE: AUDIT_CORE_START
534 audit_core_start(int sig
)
543 ASSERT(tad
!= (t_audit_data_t
*)0);
545 ASSERT(tad
->tad_scid
== 0);
546 ASSERT(tad
->tad_event
== 0);
547 ASSERT(tad
->tad_evmod
== 0);
548 ASSERT(tad
->tad_ctrl
== 0);
549 ASSERT(tad
->tad_flag
== 0);
550 ASSERT(tad
->tad_aupath
== NULL
);
554 /* get basic event for system call */
556 estate
= kctx
->auk_ets
[event
];
558 if ((tad
->tad_flag
= auditme(kctx
, tad
, estate
)) == 0)
561 /* reset the flags for non-user attributable events */
562 tad
->tad_ctrl
= TAD_CORE
;
565 /* if auditing not enabled, then don't generate an audit record */
567 if (!((kctx
->auk_auditstate
== AUC_AUDITING
||
568 kctx
->auk_auditstate
== AUC_INIT_AUDIT
) ||
569 kctx
->auk_auditstate
== AUC_NOSPACE
)) {
575 tad
->tad_event
= event
;
578 ASSERT(tad
->tad_ad
== NULL
);
580 au_write(&(u_ad
), au_to_arg32(1, "signal", (uint32_t)sig
));
584 * ROUTINE: AUDIT_CORE_FINISH
594 audit_core_finish(int code
)
602 ASSERT(tad
!= (t_audit_data_t
*)0);
604 if ((flag
= tad
->tad_flag
) == 0) {
608 ASSERT(tad
->tad_aupath
== NULL
);
615 /* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 if (flag
= audit_success(kctx
, tad
, 0, NULL
)) {
618 const auditinfo_addr_t
*ainfo
= crgetauinfo(cr
);
620 ASSERT(ainfo
!= NULL
);
623 * Add subject information (no locks since our private copy of
626 AUDIT_SETSUBJ(&(u_ad
), cr
, ainfo
, kctx
);
628 /* Add a return token (should use f argument) */
629 add_return_token((caddr_t
*)&(u_ad
), tad
->tad_scid
, 0, 0);
631 AS_INC(as_generated
, 1, kctx
);
632 AS_INC(as_kernel
, 1, kctx
);
635 /* Close up everything */
636 au_close(kctx
, &(u_ad
), flag
, tad
->tad_event
, tad
->tad_evmod
, NULL
);
638 /* free up any space remaining with the path's */
639 if (tad
->tad_aupath
!= NULL
) {
640 au_pathrele(tad
->tad_aupath
);
641 tad
->tad_aupath
= NULL
;
651 audit_strgetmsg(struct vnode
*vp
, struct strbuf
*mctl
, struct strbuf
*mdata
,
652 unsigned char *pri
, int *flag
, int fmode
)
655 t_audit_data_t
*tad
= U2A(u
);
657 ASSERT(tad
!= (t_audit_data_t
*)0);
661 /* lock stdata from audit_sock */
662 mutex_enter(&stp
->sd_lock
);
664 /* proceed ONLY if user is being audited */
665 if (!tad
->tad_flag
) {
667 * this is so we will not add audit data onto
668 * a thread that is not being audited.
670 stp
->sd_t_audit_data
= NULL
;
671 mutex_exit(&stp
->sd_lock
);
675 stp
->sd_t_audit_data
= (caddr_t
)curthread
;
676 mutex_exit(&stp
->sd_lock
);
681 audit_strputmsg(struct vnode
*vp
, struct strbuf
*mctl
, struct strbuf
*mdata
,
682 unsigned char pri
, int flag
, int fmode
)
685 t_audit_data_t
*tad
= U2A(u
);
687 ASSERT(tad
!= (t_audit_data_t
*)0);
691 /* lock stdata from audit_sock */
692 mutex_enter(&stp
->sd_lock
);
694 /* proceed ONLY if user is being audited */
695 if (!tad
->tad_flag
) {
697 * this is so we will not add audit data onto
698 * a thread that is not being audited.
700 stp
->sd_t_audit_data
= NULL
;
701 mutex_exit(&stp
->sd_lock
);
705 stp
->sd_t_audit_data
= (caddr_t
)curthread
;
706 mutex_exit(&stp
->sd_lock
);
710 * ROUTINE: AUDIT_CLOSEF
714 * release per file audit resources when file structure is being released.
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 * on the audit queue if it becomes full. This means
718 * audit_closef can not be called when f_count == 0. Since
719 * f_count == 0 indicates the file structure is free, another
720 * process could attempt to use the file while we were still
721 * asleep waiting on the audit queue. This would cause the
722 * per file audit data to be corrupted when we finally do
729 audit_closef(struct file
*fp
)
739 const auditinfo_addr_t
*ainfo
;
741 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
743 boolean_t audit_attr
= B_FALSE
;
746 estate
= kctx
->auk_ets
[AUE_CLOSE
];
750 /* audit record already generated by system call envelope */
751 if (tad
->tad_event
== AUE_CLOSE
) {
752 /* so close audit event will have bits set */
753 tad
->tad_evmod
|= (au_emod_t
)fad
->fad_flags
;
757 /* if auditing not enabled, then don't generate an audit record */
758 auditing
= (tad
->tad_audit
== AUC_UNSET
) ?
759 kctx
->auk_auditstate
: tad
->tad_audit
;
760 if (auditing
& ~(AUC_AUDITING
| AUC_INIT_AUDIT
| AUC_NOSPACE
))
763 ainfo
= crgetauinfo(cr
);
767 success
= ainfo
->ai_mask
.as_success
& estate
;
769 /* not selected for this event */
774 * can't use audit_attributes here since we use a private audit area
775 * to build the audit record instead of the one off the thread.
777 if ((vp
= fp
->f_vnode
) != NULL
) {
778 attr
.va_mask
= AT_ALL
;
779 if (VOP_GETATTR(vp
, &attr
, 0, CRED(), NULL
) == 0) {
780 if ((fp
->f_flag
& FWRITE
) == 0 &&
781 object_is_public(&attr
)) {
783 * When write was not used and the file can be
784 * considered public, then skip the audit.
792 evmod
= (au_emod_t
)fad
->fad_flags
;
793 if (fad
->fad_aupath
!= NULL
) {
794 au_write((caddr_t
*)&(ad
), au_to_path(fad
->fad_aupath
));
797 au_write((caddr_t
*)&(ad
), au_to_arg64(
798 1, "no path: fp", (uint64_t)fp
));
800 au_write((caddr_t
*)&(ad
), au_to_arg32(
801 1, "no path: fp", (uint32_t)fp
));
806 au_write((caddr_t
*)&(ad
), au_to_attr(&attr
));
807 audit_sec_attributes((caddr_t
*)&(ad
), vp
);
810 /* Add subject information */
811 AUDIT_SETSUBJ((caddr_t
*)&(ad
), cr
, ainfo
, kctx
);
813 /* add a return token */
814 add_return_token((caddr_t
*)&(ad
), tad
->tad_scid
, 0, 0);
816 AS_INC(as_generated
, 1, kctx
);
817 AS_INC(as_kernel
, 1, kctx
);
820 * Close up everything
821 * Note: path space recovery handled by normal system
822 * call envelope if not at last close.
823 * Note there is no failure at this point since
824 * this represents closes due to exit of process,
825 * thus we always indicate successful closes.
827 au_close(kctx
, (caddr_t
*)&(ad
), AU_OK
| AU_DEFER
,
828 AUE_CLOSE
, evmod
, NULL
);
833 * PURPOSE: Audit the file path and file attributes.
835 * NOTE: SETF associate a file pointer with user area's open files.
837 * call audit_finish directly ???
843 audit_setf(file_t
*fp
, int fd
)
851 tad
= T2A(curthread
);
854 if (!(tad
->tad_scid
== SYS_open
||
855 tad
->tad_scid
== SYS_open64
||
856 tad
->tad_scid
== SYS_openat
||
857 tad
->tad_scid
== SYS_openat64
))
861 if (tad
->tad_aupath
== 0)
865 * assign path information associated with file audit data
868 fad
->fad_aupath
= tad
->tad_aupath
;
869 tad
->tad_aupath
= NULL
;
871 if (!(tad
->tad_ctrl
& TAD_TRUE_CREATE
)) {
872 /* adjust event type by dropping the 'creat' part */
873 switch (tad
->tad_event
) {
875 tad
->tad_event
= AUE_OPEN_R
;
876 tad
->tad_ctrl
|= TAD_PUBLIC_EV
;
879 tad
->tad_event
= AUE_OPEN_RT
;
882 tad
->tad_event
= AUE_OPEN_W
;
885 tad
->tad_event
= AUE_OPEN_WT
;
888 tad
->tad_event
= AUE_OPEN_RW
;
891 tad
->tad_event
= AUE_OPEN_RWT
;
901 audit_ipc(int type
, int id
, void *vp
)
903 /* if not auditing this event, then do nothing */
909 au_uwrite(au_to_ipc(AT_IPC_MSG
, id
));
910 au_uwrite(au_to_ipc_perm(&(((kmsqid_t
*)vp
)->msg_perm
)));
913 au_uwrite(au_to_ipc(AT_IPC_SEM
, id
));
914 au_uwrite(au_to_ipc_perm(&(((ksemid_t
*)vp
)->sem_perm
)));
917 au_uwrite(au_to_ipc(AT_IPC_SHM
, id
));
918 au_uwrite(au_to_ipc_perm(&(((kshmid_t
*)vp
)->shm_perm
)));
924 audit_ipcget(int type
, void *vp
)
926 /* if not auditing this event, then do nothing */
932 au_uwrite(au_to_ipc_perm((struct kipc_perm
*)vp
));
935 au_uwrite(au_to_ipc_perm(&(((kmsqid_t
*)vp
)->msg_perm
)));
938 au_uwrite(au_to_ipc_perm(&(((ksemid_t
*)vp
)->sem_perm
)));
941 au_uwrite(au_to_ipc_perm(&(((kshmid_t
*)vp
)->shm_perm
)));
947 * ROUTINE: AUDIT_REBOOT
951 * At this point we know that the system call reboot will not return. We thus
952 * have to complete the audit record generation and put it onto the queue.
953 * This might be fairly useless if the auditing daemon is already dead....
955 * QUESTION: who calls audit_reboot
963 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
967 /* if not auditing this event, then do nothing */
968 if (tad
->tad_flag
== 0)
971 /* do preselection on success/failure */
972 if (flag
= audit_success(kctx
, tad
, 0, NULL
)) {
973 /* add a process token */
976 const auditinfo_addr_t
*ainfo
= crgetauinfo(cr
);
981 /* Add subject information */
982 AUDIT_SETSUBJ(&(u_ad
), cr
, ainfo
, kctx
);
984 /* add a return token */
985 add_return_token((caddr_t
*)&(u_ad
), tad
->tad_scid
, 0, 0);
987 AS_INC(as_generated
, 1, kctx
);
988 AS_INC(as_kernel
, 1, kctx
);
992 * Flow control useless here since we're going
993 * to drop everything in the queue anyway. Why
994 * block and wait. There aint anyone left alive to
995 * read the records remaining anyway.
998 /* Close up everything */
999 au_close(kctx
, &(u_ad
), flag
| AU_DONTBLOCK
,
1000 tad
->tad_event
, tad
->tad_evmod
, NULL
);
1004 audit_setfsat_path(int argnum
)
1006 klwp_id_t clwp
= ttolwp(curthread
);
1009 t_audit_data_t
*tad
;
1010 struct f_audit_data
*fad
;
1011 p_audit_data_t
*pad
; /* current process */
1023 uap
= (struct a
*)clwp
->lwp_ap
;
1026 ASSERT(tad
!= NULL
);
1028 switch (tad
->tad_scid
) {
1038 case SYS_readlinkat
:
1061 if (tad
->tad_atpath
!= NULL
) {
1062 au_pathrele(tad
->tad_atpath
);
1063 tad
->tad_atpath
= NULL
;
1066 if (fd
!= AT_FDCWD
) {
1067 tad
->tad_ctrl
|= TAD_ATCALL
;
1069 if (tad
->tad_scid
== SYS_openat
||
1070 tad
->tad_scid
== SYS_openat64
) {
1071 fm
= (uint_t
)uap
->arg3
;
1072 if (fm
& (FXATTR
| FXATTRDIROPEN
)) {
1073 tad
->tad_ctrl
|= TAD_ATTPATH
;
1077 if ((fp
= getf(fd
)) == NULL
) {
1078 tad
->tad_ctrl
|= TAD_NOPATH
;
1083 if (fad
->fad_aupath
== NULL
) {
1084 tad
->tad_ctrl
|= TAD_NOPATH
;
1088 au_pathhold(fad
->fad_aupath
);
1089 tad
->tad_atpath
= fad
->fad_aupath
;
1092 if (tad
->tad_scid
== SYS_open
||
1093 tad
->tad_scid
== SYS_open64
) {
1094 fm
= (uint_t
)uap
->arg2
;
1096 tad
->tad_ctrl
|= TAD_ATTPATH
;
1101 mutex_enter(&pad
->pad_lock
);
1102 au_pathhold(pad
->pad_cwd
);
1103 tad
->tad_atpath
= pad
->pad_cwd
;
1104 mutex_exit(&pad
->pad_lock
);
1109 audit_symlink_create(vnode_t
*dvp
, char *sname
, char *target
, int error
)
1111 t_audit_data_t
*tad
;
1116 /* if not auditing this event, then do nothing */
1117 if (tad
->tad_flag
== 0)
1120 au_uwrite(au_to_text(target
));
1125 error
= VOP_LOOKUP(dvp
, sname
, &vp
, NULL
, 0, NULL
, CRED(),
1128 audit_attributes(vp
);
1134 * ROUTINE: AUDIT_VNCREATE_START
1135 * PURPOSE: set flag so path name lookup in create will not add attribute
1143 audit_vncreate_start()
1145 t_audit_data_t
*tad
;
1148 tad
->tad_ctrl
|= TAD_NOATTRB
;
1152 * ROUTINE: AUDIT_VNCREATE_FINISH
1160 audit_vncreate_finish(struct vnode
*vp
, int error
)
1162 t_audit_data_t
*tad
;
1169 /* if not auditing this event, then do nothing */
1170 if (tad
->tad_flag
== 0)
1173 if (tad
->tad_ctrl
& TAD_TRUE_CREATE
) {
1174 audit_attributes(vp
);
1177 if (tad
->tad_ctrl
& TAD_CORE
) {
1178 audit_attributes(vp
);
1179 tad
->tad_ctrl
&= ~TAD_CORE
;
1182 if (!error
&& ((tad
->tad_event
== AUE_MKNOD
) ||
1183 (tad
->tad_event
== AUE_MKDIR
))) {
1184 audit_attributes(vp
);
1187 /* for case where multiple lookups in one syscall (rename) */
1188 tad
->tad_ctrl
&= ~TAD_NOATTRB
;
1199 * ROUTINE: AUDIT_EXEC
1200 * PURPOSE: Records the function arguments and environment variables
1209 const char *argstr
, /* argument strings */
1210 const char *envstr
, /* environment strings */
1211 ssize_t argc
, /* total # arguments */
1212 ssize_t envc
, /* total # environment variables */
1213 cred_t
*pfcred
) /* the additional privileges in a profile */
1215 t_audit_data_t
*tad
;
1216 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
1220 /* if not auditing this event, then do nothing */
1224 if (pfcred
!= NULL
) {
1225 p_audit_data_t
*pad
;
1226 cred_t
*cr
= CRED();
1227 priv_set_t pset
= CR_IPRIV(cr
);
1231 /* It's a different event. */
1232 tad
->tad_event
= AUE_PFEXEC
;
1234 /* Add the current working directory to the audit trail. */
1235 if (pad
->pad_cwd
!= NULL
)
1236 au_uwrite(au_to_path(pad
->pad_cwd
));
1239 * The new credential is not yet in place when audit_exec
1241 * Compute the additional bits available in the new credential
1242 * and the limit set.
1244 priv_inverse(&pset
);
1245 priv_intersect(&CR_IPRIV(pfcred
), &pset
);
1246 if (!priv_isemptyset(&pset
) ||
1247 !priv_isequalset(&CR_LPRIV(pfcred
), &CR_LPRIV(cr
))) {
1248 au_uwrite(au_to_privset(
1249 priv_getsetbynum(PRIV_INHERITABLE
), &pset
, AUT_PRIV
,
1251 au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT
),
1252 &CR_LPRIV(pfcred
), AUT_PRIV
, 0));
1255 * Compare the uids & gids: create a process token if changed.
1257 if (crgetuid(cr
) != crgetuid(pfcred
) ||
1258 crgetruid(cr
) != crgetruid(pfcred
) ||
1259 crgetgid(cr
) != crgetgid(pfcred
) ||
1260 crgetrgid(cr
) != crgetrgid(pfcred
)) {
1261 AUDIT_SETPROC(&(u_ad
), cr
, crgetauinfo(cr
));
1265 if (pfcred
!= NULL
|| (kctx
->auk_policy
& AUDIT_ARGV
) != 0)
1266 au_uwrite(au_to_exec_args(argstr
, argc
));
1268 if (kctx
->auk_policy
& AUDIT_ARGE
)
1269 au_uwrite(au_to_exec_env(envstr
, envc
));
1273 * ROUTINE: AUDIT_ENTERPROM
1282 audit_enterprom(int flg
)
1292 AUDIT_ASYNC_START(rp
, AUE_ENTERPROM
, sorf
);
1294 au_write((caddr_t
*)&(rp
), au_to_text("kmdb"));
1297 au_write((caddr_t
*)&(rp
), au_to_return32(0, 0));
1299 au_write((caddr_t
*)&(rp
), au_to_return32(ECANCELED
, 0));
1301 AUDIT_ASYNC_FINISH(rp
, AUE_ENTERPROM
, NULL
, NULL
);
1306 * ROUTINE: AUDIT_EXITPROM
1315 audit_exitprom(int flg
)
1325 AUDIT_ASYNC_START(rp
, AUE_EXITPROM
, sorf
);
1327 au_write((caddr_t
*)&(rp
), au_to_text("kmdb"));
1330 au_write((caddr_t
*)&(rp
), au_to_return32(0, 0));
1332 au_write((caddr_t
*)&(rp
), au_to_return32(ECANCELED
, 0));
1334 AUDIT_ASYNC_FINISH(rp
, AUE_EXITPROM
, NULL
, NULL
);
1345 * ROUTINE: AUDIT_CHDIREC
1348 * NOTE: The main function of CHDIREC
1349 * TODO: Move the audit_chdirec hook above the VN_RELE in vncalls.c
1355 audit_chdirec(vnode_t
*vp
, vnode_t
**vpp
)
1359 struct audit_path
**appp
;
1361 f_audit_data_t
*fad
;
1362 p_audit_data_t
*pad
= P2A(curproc
);
1363 t_audit_data_t
*tad
= T2A(curthread
);
1367 } *uap
= (struct a
*)ttolwp(curthread
)->lwp_ap
;
1369 if ((tad
->tad_scid
== SYS_chdir
) || (tad
->tad_scid
== SYS_chroot
)) {
1370 chdir
= tad
->tad_scid
== SYS_chdir
;
1371 if (tad
->tad_aupath
) {
1372 mutex_enter(&pad
->pad_lock
);
1374 appp
= &(pad
->pad_cwd
);
1376 appp
= &(pad
->pad_root
);
1379 *appp
= tad
->tad_aupath
;
1380 tad
->tad_aupath
= NULL
;
1381 mutex_exit(&pad
->pad_lock
);
1383 } else if ((tad
->tad_scid
== SYS_fchdir
) ||
1384 (tad
->tad_scid
== SYS_fchroot
)) {
1385 fchdir
= tad
->tad_scid
== SYS_fchdir
;
1386 if ((fp
= getf(uap
->fd
)) == NULL
)
1389 if (fad
->fad_aupath
) {
1390 au_pathhold(fad
->fad_aupath
);
1391 mutex_enter(&pad
->pad_lock
);
1393 appp
= &(pad
->pad_cwd
);
1395 appp
= &(pad
->pad_root
);
1397 *appp
= fad
->fad_aupath
;
1398 mutex_exit(&pad
->pad_lock
);
1399 if (tad
->tad_flag
) {
1400 au_uwrite(au_to_path(fad
->fad_aupath
));
1401 audit_attributes(fp
->f_vnode
);
1410 * Audit hook for stream based socket and tli request.
1411 * Note that we do not have user context while executing
1412 * this code so we had to record them earlier during the
1413 * putmsg/getmsg to figure out which user we are dealing with.
1419 int type
, /* type of tihdr.h header requests */
1420 queue_t
*q
, /* contains the process and thread audit data */
1421 mblk_t
*mp
, /* contains the tihdr.h header structures */
1422 int from
) /* timod or sockmod request */
1426 struct sockaddr_in
*sock_data
;
1427 struct T_conn_req
*conn_req
;
1428 struct T_conn_ind
*conn_ind
;
1429 struct T_unitdata_req
*unitdata_req
;
1430 struct T_unitdata_ind
*unitdata_ind
;
1432 t_audit_data_t
*tad
;
1433 caddr_t saved_thread_ptr
;
1435 const auditinfo_addr_t
*ainfo
;
1436 au_kcontext_t
*kctx
;
1438 if (q
->q_stream
== NULL
)
1440 mutex_enter(&q
->q_stream
->sd_lock
);
1441 /* are we being audited */
1442 saved_thread_ptr
= q
->q_stream
->sd_t_audit_data
;
1443 /* no pointer to thread, nothing to do */
1444 if (saved_thread_ptr
== NULL
) {
1445 mutex_exit(&q
->q_stream
->sd_lock
);
1448 /* only allow one addition of a record token */
1449 q
->q_stream
->sd_t_audit_data
= NULL
;
1451 * thread is not the one being audited, then nothing to do
1452 * This could be the stream thread handling the module
1453 * service routine. In this case, the context for the audit
1454 * record can no longer be assumed. Simplest to just drop
1457 if (curthread
!= (kthread_id_t
)saved_thread_ptr
) {
1458 mutex_exit(&q
->q_stream
->sd_lock
);
1461 if (curthread
->t_sysnum
>= SYS_so_socket
&&
1462 curthread
->t_sysnum
<= SYS_sockconfig
) {
1463 mutex_exit(&q
->q_stream
->sd_lock
);
1466 mutex_exit(&q
->q_stream
->sd_lock
);
1468 * we know that the thread that did the put/getmsg is the
1469 * one running. Now we can get the TAD and see if we should
1470 * add an audit token.
1476 /* proceed ONLY if user is being audited */
1480 ainfo
= crgetauinfo(CRED());
1483 amask
= ainfo
->ai_mask
;
1486 * Figure out the type of stream networking request here.
1487 * Note that getmsg and putmsg are always preselected
1488 * because during the beginning of the system call we have
1489 * not yet figure out which of the socket or tli request
1490 * we are looking at until we are here. So we need to check
1491 * against that specific request and reset the type of event.
1494 case T_CONN_REQ
: /* connection request */
1495 conn_req
= (struct T_conn_req
*)mp
->b_rptr
;
1496 if (conn_req
->DEST_offset
< sizeof (struct T_conn_req
))
1498 offset
= conn_req
->DEST_offset
;
1499 len
= conn_req
->DEST_length
;
1500 estate
= kctx
->auk_ets
[AUE_SOCKCONNECT
];
1501 if (amask
.as_success
& estate
|| amask
.as_failure
& estate
) {
1502 tad
->tad_event
= AUE_SOCKCONNECT
;
1507 case T_CONN_IND
: /* connectionless receive request */
1508 conn_ind
= (struct T_conn_ind
*)mp
->b_rptr
;
1509 if (conn_ind
->SRC_offset
< sizeof (struct T_conn_ind
))
1511 offset
= conn_ind
->SRC_offset
;
1512 len
= conn_ind
->SRC_length
;
1513 estate
= kctx
->auk_ets
[AUE_SOCKACCEPT
];
1514 if (amask
.as_success
& estate
|| amask
.as_failure
& estate
) {
1515 tad
->tad_event
= AUE_SOCKACCEPT
;
1520 case T_UNITDATA_REQ
: /* connectionless send request */
1521 unitdata_req
= (struct T_unitdata_req
*)mp
->b_rptr
;
1522 if (unitdata_req
->DEST_offset
< sizeof (struct T_unitdata_req
))
1524 offset
= unitdata_req
->DEST_offset
;
1525 len
= unitdata_req
->DEST_length
;
1526 estate
= kctx
->auk_ets
[AUE_SOCKSEND
];
1527 if (amask
.as_success
& estate
|| amask
.as_failure
& estate
) {
1528 tad
->tad_event
= AUE_SOCKSEND
;
1533 case T_UNITDATA_IND
: /* connectionless receive request */
1534 unitdata_ind
= (struct T_unitdata_ind
*)mp
->b_rptr
;
1535 if (unitdata_ind
->SRC_offset
< sizeof (struct T_unitdata_ind
))
1537 offset
= unitdata_ind
->SRC_offset
;
1538 len
= unitdata_ind
->SRC_length
;
1539 estate
= kctx
->auk_ets
[AUE_SOCKRECEIVE
];
1540 if (amask
.as_success
& estate
|| amask
.as_failure
& estate
) {
1541 tad
->tad_event
= AUE_SOCKRECEIVE
;
1551 * we are only interested in tcp stream connections,
1552 * not unix domain stuff
1554 if ((len
< 0) || (len
> sizeof (struct sockaddr_in
))) {
1555 tad
->tad_event
= AUE_GETMSG
;
1558 /* skip over TPI header and point to the ip address */
1559 sock_data
= (struct sockaddr_in
*)((char *)mp
->b_rptr
+ offset
);
1561 switch (sock_data
->sin_family
) {
1563 au_write(&(tad
->tad_ad
), au_to_sock_inet(sock_data
));
1565 default: /* reset to AUE_PUTMSG if not a inet request */
1566 tad
->tad_event
= AUE_GETMSG
;
1573 add_return_token(caddr_t
*ad
, unsigned int scid
, int err
, int rval
)
1575 unsigned int sy_flags
;
1577 #ifdef _SYSCALL32_IMPL
1579 * Guard against t_lwp being NULL when this function is called
1580 * from a kernel queue instead of from a direct system call.
1581 * In that case, assume the running kernel data model.
1583 if ((curthread
->t_lwp
== NULL
) || (lwp_getdatamodel(
1584 ttolwp(curthread
)) == DATAMODEL_NATIVE
))
1585 sy_flags
= sysent
[scid
].sy_flags
& SE_RVAL_MASK
;
1587 sy_flags
= sysent32
[scid
].sy_flags
& SE_RVAL_MASK
;
1589 sy_flags
= sysent
[scid
].sy_flags
& SE_RVAL_MASK
;
1592 if (sy_flags
== SE_64RVAL
)
1593 au_write(ad
, au_to_return64(err
, rval
));
1595 au_write(ad
, au_to_return32(err
, rval
));
1601 audit_fdsend(fd
, fp
, error
)
1604 int error
; /* ignore for now */
1606 t_audit_data_t
*tad
; /* current thread */
1607 f_audit_data_t
*fad
; /* per file audit structure */
1608 struct vnode
*vp
; /* for file attributes */
1610 /* is this system call being audited */
1612 ASSERT(tad
!= (t_audit_data_t
*)0);
1618 /* add path and file attributes */
1619 if (fad
!= NULL
&& fad
->fad_aupath
!= NULL
) {
1620 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd
));
1621 au_uwrite(au_to_path(fad
->fad_aupath
));
1623 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd
));
1625 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp
));
1627 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp
));
1630 vp
= fp
->f_vnode
; /* include vnode attributes */
1631 audit_attributes(vp
);
1635 * Record privileges successfully used and we attempted to use but
1639 audit_priv(int priv
, const priv_set_t
*set
, int flag
)
1641 t_audit_data_t
*tad
;
1645 /* Make sure this isn't being called in an interrupt context */
1646 ASSERT(servicing_interrupt() == 0);
1650 if (tad
->tad_flag
== 0)
1653 target
= flag
? &tad
->tad_sprivs
: &tad
->tad_fprivs
;
1654 sbit
= flag
? PAD_SPRIVUSE
: PAD_FPRIVUSE
;
1656 /* Tell audit_success() and audit_finish() that we saw this case */
1657 if (!(tad
->tad_evmod
& sbit
)) {
1658 /* Clear set first time around */
1659 priv_emptyset(target
);
1660 tad
->tad_evmod
|= sbit
;
1663 /* Save the privileges in the tad */
1664 if (priv
== PRIV_ALL
) {
1665 priv_fillset(target
);
1667 ASSERT(set
!= NULL
|| priv
!= PRIV_NONE
);
1669 priv_union(set
, target
);
1670 if (priv
!= PRIV_NONE
)
1671 priv_addset(target
, priv
);
1676 * Audit the setpriv() system call; the operation, the set name and
1677 * the current value as well as the set argument are put in the
1681 audit_setppriv(int op
, int set
, const priv_set_t
*newpriv
, const cred_t
*ocr
)
1683 t_audit_data_t
*tad
;
1684 const priv_set_t
*oldpriv
;
1686 const char *setname
;
1690 if (tad
->tad_flag
== 0)
1693 oldpriv
= priv_getset(ocr
, set
);
1695 /* Generate the actual record, include the before and after */
1696 au_uwrite(au_to_arg32(2, "op", op
));
1697 setname
= priv_getsetbynum(set
);
1701 /* Report privileges actually switched off */
1703 priv_intersect(newpriv
, &report
);
1704 au_uwrite(au_to_privset(setname
, &report
, AUT_PRIV
, 0));
1707 /* Report privileges actually switched on */
1709 priv_inverse(&report
);
1710 priv_intersect(newpriv
, &report
);
1711 au_uwrite(au_to_privset(setname
, &report
, AUT_PRIV
, 0));
1714 /* Report before and after */
1715 au_uwrite(au_to_privset(setname
, oldpriv
, AUT_PRIV
, 0));
1716 au_uwrite(au_to_privset(setname
, newpriv
, AUT_PRIV
, 0));
1722 * Dump the full device policy setting in the audit trail.
1725 audit_devpolicy(int nitems
, const devplcysys_t
*items
)
1727 t_audit_data_t
*tad
;
1732 if (tad
->tad_flag
== 0)
1735 for (i
= 0; i
< nitems
; i
++) {
1736 au_uwrite(au_to_arg32(2, "major", items
[i
].dps_maj
));
1737 if (items
[i
].dps_minornm
[0] == '\0') {
1738 au_uwrite(au_to_arg32(2, "lomin", items
[i
].dps_lomin
));
1739 au_uwrite(au_to_arg32(2, "himin", items
[i
].dps_himin
));
1741 au_uwrite(au_to_text(items
[i
].dps_minornm
));
1743 au_uwrite(au_to_privset("read", &items
[i
].dps_rdp
,
1745 au_uwrite(au_to_privset("write", &items
[i
].dps_wrp
,
1752 audit_fdrecv(fd
, fp
)
1756 t_audit_data_t
*tad
; /* current thread */
1757 f_audit_data_t
*fad
; /* per file audit structure */
1758 struct vnode
*vp
; /* for file attributes */
1760 /* is this system call being audited */
1762 ASSERT(tad
!= (t_audit_data_t
*)0);
1768 /* add path and file attributes */
1769 if (fad
!= NULL
&& fad
->fad_aupath
!= NULL
) {
1770 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd
));
1771 au_uwrite(au_to_path(fad
->fad_aupath
));
1773 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd
));
1775 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp
));
1777 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp
));
1780 vp
= fp
->f_vnode
; /* include vnode attributes */
1781 audit_attributes(vp
);
1785 * ROUTINE: AUDIT_CRYPTOADM
1786 * PURPOSE: Records arguments to administrative ioctls on /dev/cryptoadm
1787 * CALLBY: CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1788 * CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1789 * CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1797 audit_cryptoadm(int cmd
, char *module_name
, crypto_mech_name_t
*mech_names
,
1798 uint_t mech_count
, uint_t device_instance
, uint32_t rv
, int error
)
1800 boolean_t mech_list_required
= B_FALSE
;
1801 cred_t
*cr
= CRED();
1802 t_audit_data_t
*tad
;
1804 const auditinfo_addr_t
*ainfo
= crgetauinfo(cr
);
1805 char buffer
[MAXNAMELEN
* 2];
1806 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
1815 tad
->tad_event
= AUE_CRYPTOADM
;
1817 if (audit_success(kctx
, tad
, error
, NULL
) != AU_OK
)
1820 /* Add subject information */
1821 AUDIT_SETSUBJ((caddr_t
*)&(ad
), cr
, ainfo
, kctx
);
1824 case CRYPTO_LOAD_DEV_DISABLED
:
1825 if (error
== 0 && rv
== CRYPTO_SUCCESS
) {
1826 (void) snprintf(buffer
, sizeof (buffer
),
1827 "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1829 module_name
, device_instance
);
1830 mech_list_required
= B_TRUE
;
1832 (void) snprintf(buffer
, sizeof (buffer
),
1833 "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv
);
1837 case CRYPTO_LOAD_SOFT_DISABLED
:
1838 if (error
== 0 && rv
== CRYPTO_SUCCESS
) {
1839 (void) snprintf(buffer
, sizeof (buffer
),
1840 "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1842 mech_list_required
= B_TRUE
;
1844 (void) snprintf(buffer
, sizeof (buffer
),
1845 "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv
);
1849 case CRYPTO_UNLOAD_SOFT_MODULE
:
1850 if (error
== 0 && rv
== CRYPTO_SUCCESS
) {
1851 (void) snprintf(buffer
, sizeof (buffer
),
1852 "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1855 (void) snprintf(buffer
, sizeof (buffer
),
1856 "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv
);
1860 case CRYPTO_LOAD_SOFT_CONFIG
:
1861 if (error
== 0 && rv
== CRYPTO_SUCCESS
) {
1862 (void) snprintf(buffer
, sizeof (buffer
),
1863 "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1865 mech_list_required
= B_TRUE
;
1867 (void) snprintf(buffer
, sizeof (buffer
),
1868 "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv
);
1872 case CRYPTO_POOL_CREATE
:
1873 (void) snprintf(buffer
, sizeof (buffer
),
1874 "op=CRYPTO_POOL_CREATE");
1877 case CRYPTO_POOL_WAIT
:
1878 (void) snprintf(buffer
, sizeof (buffer
), "op=CRYPTO_POOL_WAIT");
1881 case CRYPTO_POOL_RUN
:
1882 (void) snprintf(buffer
, sizeof (buffer
), "op=CRYPTO_POOL_RUN");
1885 case CRYPTO_LOAD_DOOR
:
1886 if (error
== 0 && rv
== CRYPTO_SUCCESS
)
1887 (void) snprintf(buffer
, sizeof (buffer
),
1888 "op=CRYPTO_LOAD_DOOR");
1890 (void) snprintf(buffer
, sizeof (buffer
),
1891 "op=CRYPTO_LOAD_DOOR, return_val=%d", rv
);
1894 case CRYPTO_FIPS140_SET
:
1895 (void) snprintf(buffer
, sizeof (buffer
),
1896 "op=CRYPTO_FIPS140_SET, fips_state=%d", rv
);
1903 au_write((caddr_t
*)&ad
, au_to_text(buffer
));
1905 if (mech_list_required
) {
1908 if (mech_count
== 0) {
1909 au_write((caddr_t
*)&ad
, au_to_text("mech=list empty"));
1912 size_t l
= sizeof (buffer
);
1914 char space
[2] = ":";
1916 n
= snprintf(pb
, l
, "mech=");
1918 for (i
= 0; i
< mech_count
; i
++) {
1920 l
= (n
>= l
) ? 0 : l
- n
;
1922 if (i
== mech_count
- 1)
1923 (void) strcpy(space
, "");
1925 n
= snprintf(pb
, l
, "%s%s", mech_names
[i
],
1928 au_write((caddr_t
*)&ad
, au_to_text(buffer
));
1932 /* add a return token */
1933 if (error
|| (rv
!= CRYPTO_SUCCESS
))
1934 add_return_token((caddr_t
*)&ad
, tad
->tad_scid
, -1, error
);
1936 add_return_token((caddr_t
*)&ad
, tad
->tad_scid
, 0, rv
);
1938 AS_INC(as_generated
, 1, kctx
);
1939 AS_INC(as_kernel
, 1, kctx
);
1941 au_close(kctx
, (caddr_t
*)&ad
, AU_OK
, AUE_CRYPTOADM
, tad
->tad_evmod
,
1946 * Audit the kernel SSL administration command. The address and the
1947 * port number for the SSL instance, and the proxy port are put in the
1951 audit_kssl(int cmd
, void *params
, int error
)
1953 cred_t
*cr
= CRED();
1954 t_audit_data_t
*tad
;
1956 const auditinfo_addr_t
*ainfo
= crgetauinfo(cr
);
1957 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
1964 tad
->tad_event
= AUE_CONFIGKSSL
;
1966 if (audit_success(kctx
, tad
, error
, NULL
) != AU_OK
)
1969 /* Add subject information */
1970 AUDIT_SETSUBJ((caddr_t
*)&ad
, cr
, ainfo
, kctx
);
1973 case KSSL_ADD_ENTRY
: {
1975 kssl_params_t
*kp
= (kssl_params_t
*)params
;
1976 struct sockaddr_in6
*saddr
= &kp
->kssl_addr
;
1978 au_write((caddr_t
*)&ad
, au_to_text("op=KSSL_ADD_ENTRY"));
1979 au_write((caddr_t
*)&ad
,
1980 au_to_in_addr_ex((int32_t *)&saddr
->sin6_addr
));
1981 (void) snprintf(buf
, sizeof (buf
), "SSL port=%d",
1983 au_write((caddr_t
*)&ad
, au_to_text(buf
));
1985 (void) snprintf(buf
, sizeof (buf
), "proxy port=%d",
1986 kp
->kssl_proxy_port
);
1987 au_write((caddr_t
*)&ad
, au_to_text(buf
));
1991 case KSSL_DELETE_ENTRY
: {
1993 struct sockaddr_in6
*saddr
= (struct sockaddr_in6
*)params
;
1995 au_write((caddr_t
*)&ad
, au_to_text("op=KSSL_DELETE_ENTRY"));
1996 au_write((caddr_t
*)&ad
,
1997 au_to_in_addr_ex((int32_t *)&saddr
->sin6_addr
));
1998 (void) snprintf(buf
, sizeof (buf
), "SSL port=%d",
2000 au_write((caddr_t
*)&ad
, au_to_text(buf
));
2008 /* add a return token */
2009 add_return_token((caddr_t
*)&ad
, tad
->tad_scid
, error
, 0);
2011 AS_INC(as_generated
, 1, kctx
);
2012 AS_INC(as_kernel
, 1, kctx
);
2014 au_close(kctx
, (caddr_t
*)&ad
, AU_OK
, AUE_CONFIGKSSL
, tad
->tad_evmod
,
2019 * Audit the kernel PF_POLICY administration commands. Record command,
2020 * zone, policy type (global or tunnel, active or inactive)
2023 * ROUTINE: AUDIT_PF_POLICY
2024 * PURPOSE: Records arguments to administrative ioctls on PF_POLICY socket
2025 * CALLBY: SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2026 * SPD_CLONE, SPD_FLIP
2033 audit_pf_policy(int cmd
, cred_t
*cred
, netstack_t
*ns
, char *tun
,
2034 boolean_t active
, int error
, pid_t pid
)
2036 const auditinfo_addr_t
*ainfo
;
2037 t_audit_data_t
*tad
;
2039 au_kcontext_t
*kctx
= GET_KCTX_PZ
;
2047 ainfo
= crgetauinfo((cred
!= NULL
) ? cred
: CRED());
2052 * Initialize some variables since these are only set
2053 * with system calls.
2058 tad
->tad_event
= AUE_PF_POLICY_ADDRULE
;
2062 case SPD_DELETERULE
: {
2063 tad
->tad_event
= AUE_PF_POLICY_DELRULE
;
2068 tad
->tad_event
= AUE_PF_POLICY_FLUSH
;
2072 case SPD_UPDATEALGS
: {
2073 tad
->tad_event
= AUE_PF_POLICY_ALGS
;
2078 tad
->tad_event
= AUE_PF_POLICY_CLONE
;
2083 tad
->tad_event
= AUE_PF_POLICY_FLIP
;
2088 tad
->tad_event
= AUE_NULL
;
2093 if (flag
= audit_success(kctx
, tad
, error
, cred
)) {
2097 * For now, just audit that an event happened,
2098 * along with the error code.
2100 au_write((caddr_t
*)&ad
,
2101 au_to_arg32(1, "Policy Active?", (uint32_t)active
));
2102 au_write((caddr_t
*)&ad
,
2103 au_to_arg32(2, "Policy Global?", (uint32_t)(tun
== NULL
)));
2105 /* Supplemental data */
2108 * Generate this zone token if the target zone differs
2109 * from the administrative zone. If netstacks are expanded
2110 * to something other than a 1-1 relationship with zones,
2111 * the auditing framework should create a new token type
2112 * and audit it as a netstack instead.
2113 * Turn on general zone auditing to get the administrative zone.
2116 nszone
= zone_find_by_id(netstackid_to_zoneid(
2117 ns
->netstack_stackid
));
2118 if (nszone
!= NULL
) {
2119 if (strncmp(crgetzone(cred
)->zone_name
,
2120 nszone
->zone_name
, ZONENAME_MAX
) != 0) {
2123 ztoken
= au_to_zonename(0, nszone
);
2124 au_write((caddr_t
*)&ad
, ztoken
);
2130 /* write tunnel name - tun is bounded */
2131 (void) snprintf(buf
, sizeof (buf
), "tunnel_name:%s",
2133 au_write((caddr_t
*)&ad
, au_to_text(buf
));
2136 /* Add subject information */
2137 AUDIT_SETSUBJ_GENERIC((caddr_t
*)&ad
,
2138 ((cred
!= NULL
) ? cred
: CRED()), ainfo
, kctx
, pid
);
2140 /* add a return token */
2141 add_return_token((caddr_t
*)&ad
, 0, error
, 0);
2143 AS_INC(as_generated
, 1, kctx
);
2144 AS_INC(as_kernel
, 1, kctx
);
2147 au_close(kctx
, (caddr_t
*)&ad
, flag
, tad
->tad_event
, tad
->tad_evmod
,
2151 * clear the ctrl flag so that we don't have spurious collection of
2152 * audit information.
2161 * ROUTINE: AUDIT_SEC_ATTRIBUTES
2162 * PURPOSE: Add security attributes
2163 * CALLBY: AUDIT_ATTRIBUTES
2172 audit_sec_attributes(caddr_t
*ad
, struct vnode
*vp
)
2175 if (is_system_labeled()) {
2179 tsl
= getflabel(vp
);
2181 return; /* nothing else to do */
2183 bsl
= label2bslabel(tsl
);
2185 return; /* nothing else to do */
2186 au_write(ad
, au_to_label(bsl
));
2190 } /* AUDIT_SEC_ATTRIBUTES */