1 /*
2 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25 #include <sys/param.h>
26 #include <sys/fcntl.h>
27 #include <sys/kernel.h>
28 #include <sys/lock.h>
29 #include <sys/namei.h>
30 #include <sys/proc.h>
31 #include <sys/queue.h>
32 #include <sys/systm.h>
33 #include <sys/time.h>
34 #include <sys/ucred.h>
35 #include <sys/uio.h>
36 #include <sys/unistd.h>
37 #include <sys/vnode.h>
38 #include <sys/audit.h>
39 #include <sys/kern_audit.h>
40 #include <sys/user.h>
41 #include <sys/bsm_kevents.h>
42 #include <sys/bsm_klib.h>
43 #include <sys/syscall.h>
44 #include <sys/malloc.h>
45 #include <sys/un.h>
46
47 #include <kern/lock.h>
48 #include <kern/wait_queue.h>
49
50 #ifdef AUDIT
51
52 /*
53 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of
54 * gratuitously noisy printf's to the console. Due to the
55 * volume, it should be left off unless you want your system
56 * to churn a lot whenever the audit record flow gets high.
57 */
58 /* #define AUDIT_EXCESSIVELY_VERBOSE */
59 #ifdef AUDIT_EXCESSIVELY_VERBOSE
60 #define AUDIT_PRINTF(x) printf x
61 #else
62 #define AUDIT_PRINTF(X)
63 #endif
64
65 #if DIAGNOSTIC
66 #if defined(assert)
67 #undef assert()
68 #endif
69 #define assert(cond) \
70 ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond)))
71 #else
72 #include <kern/assert.h>
73 #endif /* DIAGNOSTIC */
74
75 /*
76 * Define the audit control flags.
77 */
78 int audit_enabled;
79 int audit_suspended;
80
81 /*
82 * Mutex to protect global variables shared between various threads and
83 * processes.
84 */
85 static mutex_t *audit_mtx;
86
87 /*
88 * Queue of audit records ready for delivery to disk. We insert new
89 * records at the tail, and remove records from the head.
90 */
91 static TAILQ_HEAD(, kaudit_record) audit_q;
92
93 /*
94 * Condition variable to signal to the worker that it has work to do:
95 * either new records are in the queue, or a log replacement is taking
96 * place.
97 */
98 static wait_queue_t audit_wait_queue;
99
100 /*
101 * When an audit log is rotated, the actual rotation must be performed
102 * by the audit worker thread, as it may have outstanding writes on the
103 * current audit log. audit_replacement_vp holds the vnode replacing
104 * the current vnode. We can't let more than one replacement occur
105 * at a time, so if more than one thread requests a replacement, only
106 * one can have the replacement "in progress" at any given moment. If
107 * a thread tries to replace the audit vnode and discovers a replacement
108 * is already in progress (i.e., audit_replacement_flag != 0), then it
109 * will sleep on audit_replacement_cv waiting its turn to perform a
110 * replacement. When a replacement is completed, this cv is signalled
111 * by the worker thread so a waiting thread can start another replacement.
112 * We also store a credential to perform audit log write operations with.
113 */
114 static wait_queue_t audit_replacement_wait_queue;
115
116 static int audit_replacement_flag;
117 static struct vnode *audit_replacement_vp;
118 static struct ucred *audit_replacement_cred;
119
120 /*
121 * Flags to use on audit files when opening and closing.
122 */
123 const static int audit_open_flags = FWRITE | O_APPEND;
124 const static int audit_close_flags = FWRITE | O_APPEND;
125
126 /*
127 * XXX: Couldn't find the include file for this, so copied kern_exec.c's
128 * behavior.
129 */
130 extern task_t kernel_task;
131
132 static void
133 audit_free(struct kaudit_record *ar)
134 {
135 if (ar->k_ar.ar_arg_upath1 != NULL) {
136 kmem_free(kernel_map, ar->k_ar.ar_arg_upath1, MAXPATHLEN);
137 }
138 if (ar->k_ar.ar_arg_upath2 != NULL) {
139 kmem_free(kernel_map, ar->k_ar.ar_arg_upath2, MAXPATHLEN);
140 }
141 if (ar->k_ar.ar_arg_kpath1 != NULL) {
142 kmem_free(kernel_map, ar->k_ar.ar_arg_kpath1, MAXPATHLEN);
143 }
144 if (ar->k_ar.ar_arg_kpath2 != NULL) {
145 kmem_free(kernel_map, ar->k_ar.ar_arg_kpath2, MAXPATHLEN);
146 }
147 if (ar->k_ar.ar_arg_text != NULL) {
148 kmem_free(kernel_map, ar->k_ar.ar_arg_text, MAXPATHLEN);
149 }
150 if (ar->k_udata != NULL) {
151 kmem_free(kernel_map, ar->k_udata, ar->k_ulen);
152 }
153 kmem_free(kernel_map, ar, sizeof(*ar));
154 }
155
156 static int
157 audit_write(struct vnode *vp, struct kaudit_record *ar, struct ucred *cred,
158 struct proc *p)
159 {
160 int ret;
161 struct au_record *bsm;
162
163 /*
164 * If there is a user audit record attached to the kernel record,
165 * then write the user record.
166 */
167 /* XXX Need to decide a few things here: IF the user audit
168 * record is written, but the write of the kernel record fails,
169 * what to do? Should the kernel record come before or after the
170 * user record? For now, we write the user record first, and
171 * we ignore errors.
172 */
173 if (ar->k_udata != NULL) {
174 vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
175 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p);
176 }
177
178 /*
179 * Convert the internal kernel record to BSM format and write it
180 * out if everything's OK.
181 */
182 ret = kaudit_to_bsm(ar, &bsm);
183 if (ret == BSM_NOAUDIT)
184 return (0);
185
186 if (ret == BSM_FAILURE) {
187 AUDIT_PRINTF(("BSM conversion failure\n"));
188 return (-1);
189 }
190
191 /* XXX This function can be called with the kernel funnel held,
192 * which is not optimal. We should break the write functionality
193 * away from the BSM record generation and have the BSM generation
194 * done before this function is called. This function will then
195 * take the BSM record as a parameter.
196 */
197 ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
198 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, p));
199
200 kau_free(bsm);
201
202 return (ret);
203 }
204
205 static void
206 audit_worker()
207 {
208 int do_replacement_signal, error, release_funnel;
209 TAILQ_HEAD(, kaudit_record) ar_worklist;
210 struct kaudit_record *ar, *ar_start, *ar_stop;
211 struct vnode *audit_vp, *old_vp;
212 struct ucred *audit_cred, *old_cred;
213 struct proc *audit_p;
214
215 AUDIT_PRINTF(("audit_worker starting\n"));
216
217 TAILQ_INIT(&ar_worklist);
218 audit_cred = NULL;
219 audit_p = current_proc();
220 audit_vp = NULL;
221
222 /*
223 * XXX: Presumably we can assume Mach threads are started without
224 * holding the BSD kernel funnel?
225 */
226 thread_funnel_set(kernel_flock, FALSE);
227
228 mutex_lock(audit_mtx);
229 while (1) {
230 /*
231 * First priority: replace the audit log target if requested.
232 * As we actually close the vnode in the worker thread, we
233 * need to grab the funnel, which means releasing audit_mtx.
234 * In case another replacement was scheduled while the mutex
235 * we released, we loop.
236 *
237 * XXX It could well be we should drain existing records
238 * first to ensure that the timestamps and ordering
239 * are right.
240 */
241 do_replacement_signal = 0;
242 while (audit_replacement_flag != 0) {
243 old_cred = audit_cred;
244 old_vp = audit_vp;
245 audit_cred = audit_replacement_cred;
246 audit_vp = audit_replacement_vp;
247 audit_replacement_cred = NULL;
248 audit_replacement_vp = NULL;
249 audit_replacement_flag = 0;
250
251 audit_enabled = (audit_vp != NULL);
252
253 if (old_vp != NULL || audit_vp != NULL) {
254 mutex_unlock(audit_mtx);
255 thread_funnel_set(kernel_flock, TRUE);
256 release_funnel = 1;
257 } else
258 release_funnel = 0;
259 /*
260 * XXX: What to do about write failures here?
261 */
262 if (old_vp != NULL) {
263 AUDIT_PRINTF(("Closing old audit file\n"));
264 vn_close(old_vp, audit_close_flags, old_cred,
265 audit_p);
266 crfree(old_cred);
267 old_cred = NULL;
268 old_vp = NULL;
269 AUDIT_PRINTF(("Audit file closed\n"));
270 }
271 if (audit_vp != NULL) {
272 AUDIT_PRINTF(("Opening new audit file\n"));
273 }
274 if (release_funnel) {
275 thread_funnel_set(kernel_flock, FALSE);
276 mutex_lock(audit_mtx);
277 }
278 do_replacement_signal = 1;
279 }
280 /*
281 * Signal that replacement have occurred to wake up and
282 * start any other replacements started in parallel. We can
283 * continue about our business in the mean time. We
284 * broadcast so that both new replacements can be inserted,
285 * but also so that the source(s) of replacement can return
286 * successfully.
287 */
288 if (do_replacement_signal)
289 wait_queue_wakeup_all(audit_replacement_wait_queue,
290 0, THREAD_AWAKENED);
291
292 /*
293 * Next, check to see if we have any records to drain into
294 * the vnode. If not, go back to waiting for an event.
295 */
296 if (TAILQ_EMPTY(&audit_q)) {
297 int ret;
298
299 AUDIT_PRINTF(("audit_worker waiting\n"));
300 ret = wait_queue_assert_wait(audit_wait_queue, 0,
301 THREAD_UNINT);
302 mutex_unlock(audit_mtx);
303
304 assert(ret == THREAD_WAITING);
305 ret = thread_block(THREAD_CONTINUE_NULL);
306 assert(ret == THREAD_AWAKENED);
307 AUDIT_PRINTF(("audit_worker woken up\n"));
308 AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n",
309 audit_replacement_vp, audit_replacement_flag));
310
311 mutex_lock(audit_mtx);
312 continue;
313 }
314
315 /*
316 * If we have records, but there's no active vnode to
317 * write to, drain the record queue. Generally, we
318 * prevent the unnecessary allocation of records
319 * elsewhere, but we need to allow for races between
320 * conditional allocation and queueing. Go back to
321 * waiting when we're done.
322 *
323 * XXX: We go out of our way to avoid calling audit_free()
324 * with the audit_mtx held, to avoid a lock order reversal
325 * as free() may grab the funnel. This will be fixed at
326 * some point.
327 */
328 if (audit_vp == NULL) {
329 while ((ar = TAILQ_FIRST(&audit_q))) {
330 TAILQ_REMOVE(&audit_q, ar, k_q);
331 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
332 }
333 mutex_unlock(audit_mtx);
334 while ((ar = TAILQ_FIRST(&ar_worklist))) {
335 TAILQ_REMOVE(&ar_worklist, ar, k_q);
336 audit_free(ar);
337 }
338 mutex_lock(audit_mtx);
339 continue;
340 }
341
342 /*
343 * We have both records to write, and an active vnode
344 * to write to. Dequeue a record, and start the write.
345 * Eventually, it might make sense to dequeue several
346 * records and perform our own clustering, if the lower
347 * layers aren't doing it automatically enough.
348 *
349 * XXX: We go out of our way to avoid calling audit_free()
350 * with the audit_mtx held, to avoid a lock order reversal
351 * as free() may grab the funnel. This will be fixed at
352 * some point.
353 */
354 while ((ar = TAILQ_FIRST(&audit_q))) {
355 TAILQ_REMOVE(&audit_q, ar, k_q);
356 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
357 }
358 mutex_unlock(audit_mtx);
359 release_funnel = 0;
360 while ((ar = TAILQ_FIRST(&ar_worklist))) {
361 TAILQ_REMOVE(&ar_worklist, ar, k_q);
362 if (audit_vp != NULL) {
363 /*
364 * XXX: What should happen if there's a write
365 * error here?
366 */
367 if (!release_funnel) {
368 thread_funnel_set(kernel_flock, TRUE);
369 release_funnel = 1;
370 }
371 VOP_LEASE(audit_vp, audit_p, audit_cred,
372 LEASE_WRITE);
373 error = audit_write(audit_vp, ar, audit_cred,
374 audit_p);
375 if (error)
376 printf("audit_worker: write error %d\n",
377 error);
378 }
379 audit_free(ar);
380 }
381 if (release_funnel)
382 thread_funnel_set(kernel_flock, FALSE);
383 mutex_lock(audit_mtx);
384 }
385 }
386
387 void
388 audit_init(void)
389 {
390
391 /* Verify that the syscall to audit event table is the same
392 * size as the system call table.
393 */
394 if (nsys_au_event != nsysent) {
395 printf("Security auditing service initialization failed, ");
396 printf("audit event table doesn't match syscall table.\n");
397 return;
398 }
399
400 printf("Security auditing service present\n");
401 TAILQ_INIT(&audit_q);
402 audit_enabled = 0;
403 audit_suspended = 0;
404 audit_replacement_cred = NULL;
405 audit_replacement_flag = 0;
406 audit_replacement_vp = NULL;
407 audit_mtx = mutex_alloc(ETAP_NO_TRACE);
408 audit_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
409 audit_replacement_wait_queue = wait_queue_alloc(SYNC_POLICY_FIFO);
410
411 /* Initialize the BSM audit subsystem. */
412 kau_init();
413
414 kernel_thread(kernel_task, audit_worker);
415 }
416
417 static void
418 audit_rotate_vnode(struct ucred *cred, struct vnode *vp)
419 {
420 int ret;
421
422 /*
423 * If other parallel log replacements have been requested, we wait
424 * until they've finished before continuing.
425 */
426 mutex_lock(audit_mtx);
427 while (audit_replacement_flag != 0) {
428
429 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
430 "flag\n"));
431 ret = wait_queue_assert_wait(audit_replacement_wait_queue, 0,
432 THREAD_UNINT);
433 mutex_unlock(audit_mtx);
434
435 assert(ret == THREAD_WAITING);
436 ret = thread_block(THREAD_CONTINUE_NULL);
437 assert(ret == THREAD_AWAKENED);
438 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
439 audit_replacement_flag));
440
441 mutex_lock(audit_mtx);
442 }
443 audit_replacement_cred = cred;
444 audit_replacement_flag = 1;
445 audit_replacement_vp = vp;
446
447 /*
448 * Wake up the audit worker to perform the exchange once we
449 * release the mutex.
450 */
451 wait_queue_wakeup_one(audit_wait_queue, 0, THREAD_AWAKENED);
452
453 /*
454 * Wait for the audit_worker to broadcast that a replacement has
455 * taken place; we know that once this has happened, our vnode
456 * has been replaced in, so we can return successfully.
457 */
458 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
459 "replacement\n"));
460 ret = wait_queue_assert_wait(audit_replacement_wait_queue, 0,
461 THREAD_UNINT);
462 mutex_unlock(audit_mtx);
463
464 assert(ret == THREAD_WAITING);
465 ret = thread_block(THREAD_CONTINUE_NULL);
466 assert(ret == THREAD_AWAKENED);
467 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
468 "audit_worker (flag " "now %d)\n", audit_replacement_flag));
469 }
470
471 /*
472 * Drain the audit queue and close the log at shutdown.
473 */
474 void
475 audit_shutdown(void)
476 {
477
478 audit_rotate_vnode(NULL, NULL);
479 }
480
481 static __inline__ struct uthread *
482 curuthread(void)
483 {
484
485 return (get_bsdthread_info(current_act()));
486 }
487
488 static __inline__ struct kaudit_record *
489 currecord(void)
490 {
491
492 return (curuthread()->uu_ar);
493 }
494
495 /**********************************
496 * Begin system calls. *
497 **********************************/
498 /*
499 * System call to allow a user space application to submit a BSM audit
500 * record to the kernel for inclusion in the audit log. This function
501 * does little verification on the audit record that is submitted.
502 *
503 * XXXAUDIT: Audit preselection for user records does not currently
504 * work, since we pre-select only based on the AUE_audit event type,
505 * not the event type submitted as part of the user audit data.
506 */
507 struct audit_args {
508 void * record;
509 int length;
510 };
511 /* ARGSUSED */
512 int
513 audit(struct proc *p, struct audit_args *uap, register_t *retval)
514 {
515 register struct pcred *pc = p->p_cred;
516 int error;
517 void * rec;
518 struct kaudit_record *ar;
519
520 ar = currecord();
521
522 /* XXX: What's the proper error code if a user audit record can't
523 * be written due to auditing off, or otherwise unavailable?
524 */
525 if (ar == NULL)
526 return (ENOTSUP);
527
528 error = suser(pc->pc_ucred, &p->p_acflag);
529 if (error)
530 return (error);
531
532 if (uap->length > MAX_AUDIT_RECORD_SIZE)
533 return (EINVAL);
534
535 error = kmem_alloc(kernel_map, (vm_offset_t *)&rec, uap->length);
536 if (error != KERN_SUCCESS)
537 return(ENOMEM);
538
539 error = copyin(uap->record, rec, uap->length);
540 if (error)
541 goto free_out;
542
543 /* Verify the record */
544 if (bsm_rec_verify(rec) == 0) {
545 error = EINVAL;
546 goto free_out;
547 }
548
549 /* Attach the user audit record to the kernel audit record. Because
550 * this system call is an auditable event, we will write the user
551 * record along with the record for this audit event.
552 */
553 ar->k_udata = rec;
554 ar->k_ulen = uap->length;
555 return (0);
556
557 free_out:
558 kmem_free(kernel_map, (vm_offset_t)rec, uap->length);
559 return (error);
560 }
561
562 /*
563 * System call to manipulate auditing.
564 */
565 struct auditon_args {
566 int cmd;
567 void * data;
568 int length;
569 };
570 /* ARGSUSED */
571 int
572 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
573 {
574 register struct pcred *pc = p->p_cred;
575 int error;
576
577 error = suser(pc->pc_ucred, &p->p_acflag);
578 if (error)
579 return (error);
580 return (ENOSYS);
581 }
582
583 /*
584 * System call to pass in file descriptor for audit log.
585 */
586 struct auditsvc_args {
587 int fd;
588 int limit;
589 };
590 /* ARGSUSED */
591 int
592 auditsvc(struct proc *p, struct auditsvc_args *uap, register_t *retval)
593 {
594 register struct pcred *pc = p->p_cred;
595 int error;
596
597 error = suser(pc->pc_ucred, &p->p_acflag);
598 if (error)
599 return (error);
600 return (ENOSYS);
601 }
602
603 /*
604 * System calls to manage the user audit information.
605 * XXXAUDIT May need to lock the proc structure.
606 */
607 struct getauid_args {
608 au_id_t *auid;
609 };
610 /* ARGSUSED */
611 int
612 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
613 {
614 register struct pcred *pc = p->p_cred;
615 int error;
616
617 error = suser(pc->pc_ucred, &p->p_acflag);
618 if (error)
619 return (error);
620
621 error = copyout((void *)&p->p_au->ai_auid, (void *)uap->auid,
622 sizeof(*uap->auid));
623 if (error)
624 return (error);
625
626 return (0);
627 }
628
629 struct setauid_args {
630 au_id_t *auid;
631 };
632 /* ARGSUSED */
633 int
634 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
635 {
636 register struct pcred *pc = p->p_cred;
637 int error;
638
639 error = suser(pc->pc_ucred, &p->p_acflag);
640 if (error)
641 return (error);
642
643 error = copyin((void *)uap->auid, (void *)&p->p_au->ai_auid,
644 sizeof(p->p_au->ai_auid));
645 if (error)
646 return (error);
647
648 audit_arg_auid(p->p_au->ai_auid);
649 return (0);
650 }
651
652 /*
653 * System calls to get and set process audit information.
654 */
655 struct getaudit_args {
656 struct auditinfo *auditinfo;
657 };
658 /* ARGSUSED */
659 int
660 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
661 {
662 register struct pcred *pc = p->p_cred;
663 int error;
664
665 error = suser(pc->pc_ucred, &p->p_acflag);
666 if (error)
667 return (error);
668 error = copyout((void *)p->p_au, (void *)uap->auditinfo,
669 sizeof(*uap->auditinfo));
670 if (error)
671 return (error);
672
673 return (0);
674 }
675
676 struct setaudit_args {
677 struct auditinfo *auditinfo;
678 };
679 /* ARGSUSED */
680 int
681 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
682 {
683 register struct pcred *pc = p->p_cred;
684 int error;
685
686 error = suser(pc->pc_ucred, &p->p_acflag);
687 if (error)
688 return (error);
689 error = copyin((void *)uap->auditinfo, (void *)p->p_au,
690 sizeof(*p->p_au));
691 if (error)
692 return (error);
693
694 return (0);
695 }
696
697 struct getaudit_addr_args {
698 struct auditinfo_addr *auditinfo_addr;
699 int length;
700 };
701 /* ARGSUSED */
702 int
703 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
704 {
705 register struct pcred *pc = p->p_cred;
706 int error;
707
708 error = suser(pc->pc_ucred, &p->p_acflag);
709 if (error)
710 return (error);
711 return (ENOSYS);
712 }
713
714 struct setaudit_addr_args {
715 struct auditinfo_addr *auditinfo_addr;
716 int length;
717 };
718 /* ARGSUSED */
719 int
720 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
721 {
722 register struct pcred *pc = p->p_cred;
723 int error;
724
725 error = suser(pc->pc_ucred, &p->p_acflag);
726 if (error)
727 return (error);
728 return (ENOSYS);
729 }
730
731 /*
732 * Syscall to manage audit files.
733 *
734 * XXX: Should generate an audit event.
735 */
736 struct auditctl_args {
737 char *path;
738 };
739 /* ARGSUSED */
740 int
741 auditctl(struct proc *p, struct auditctl_args *uap)
742 {
743 struct kaudit_record *ar;
744 struct nameidata nd;
745 struct ucred *cred;
746 struct vnode *vp;
747 int error, flags, ret;
748
749 error = suser(p->p_ucred, &p->p_acflag);
750 if (error)
751 return (error);
752
753 vp = NULL;
754 cred = NULL;
755
756 /*
757 * If a path is specified, open the replacement vnode, perform
758 * validity checks, and grab another reference to the current
759 * credential.
760 */
761 if (uap->path != NULL) {
762 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
763 uap->path, p);
764 flags = audit_open_flags;
765 error = vn_open(&nd, flags, 0);
766 if (error)
767 goto out;
768 VOP_UNLOCK(nd.ni_vp, 0, p);
769 vp = nd.ni_vp;
770 if (vp->v_type != VREG) {
771 vn_close(vp, audit_close_flags, p->p_ucred, p);
772 error = EINVAL;
773 goto out;
774 }
775 cred = p->p_ucred;
776 crhold(cred);
777 }
778
779 audit_rotate_vnode(cred, vp);
780 out:
781 return (error);
782 }
783
784 /**********************************
785 * End of system calls. *
786 **********************************/
787
788 /*
789 * MPSAFE
790 */
791 struct kaudit_record *
792 audit_new(int event, struct proc *p, struct uthread *uthread)
793 {
794 struct kaudit_record *ar;
795 int no_record;
796
797 /*
798 * Eventually, there may be certain classes of events that
799 * we will audit regardless of the audit state at the time
800 * the record is created. These events will generally
801 * correspond to changes in the audit state. The dummy
802 * code below is from our first prototype, but may also
803 * be used in the final version (with modified event numbers).
804 */
805 #if 0
806 if (event != AUDIT_EVENT_FILESTOP && event != AUDIT_EVENT_FILESTART) {
807 #endif
808 mutex_lock(audit_mtx);
809 no_record = (audit_suspended || !audit_enabled);
810 mutex_unlock(audit_mtx);
811 if (no_record)
812 return (NULL);
813 #if 0
814 }
815 #endif
816
817 /*
818 * Eventually, we might want to have global event filtering
819 * by event type here.
820 */
821
822 /*
823 * XXX: Process-based event preselection should occur here.
824 * Currently, we only post-select.
825 */
826
827 /*
828 * Initialize the audit record header.
829 * XXX: Should probably use a zone; whatever we use must be
830 * safe to call from the non-BSD side of the house.
831 * XXX: We may want to fail-stop if allocation fails.
832 */
833 (void)kmem_alloc(kernel_map, &ar, sizeof(*ar));
834 if (ar == NULL)
835 return NULL;
836
837 bzero(ar, sizeof(*ar));
838 ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
839 ar->k_ar.ar_event = event;
840 nanotime(&ar->k_ar.ar_starttime);
841
842 /* Export the subject credential. */
843 cru2x(p->p_ucred, &ar->k_ar.ar_subj_cred);
844 ar->k_ar.ar_subj_ruid = p->p_cred->p_ruid;
845 ar->k_ar.ar_subj_rgid = p->p_cred->p_rgid;
846 ar->k_ar.ar_subj_egid = p->p_ucred->cr_groups[0];
847 ar->k_ar.ar_subj_auid = p->p_au->ai_auid;
848 ar->k_ar.ar_subj_pid = p->p_pid;
849 bcopy(p->p_comm, ar->k_ar.ar_subj_comm, MAXCOMLEN);
850 bcopy(&p->p_au->ai_mask, &ar->k_ar.ar_subj_amask,
851 sizeof(p->p_au->ai_mask));
852
853 return (ar);
854 }
855
856 /*
857 * MPSAFE
858 * XXXAUDIT: So far, this is unused, and should probably be GC'd.
859 */
860 void
861 audit_abort(struct kaudit_record *ar)
862 {
863
864 audit_free(ar);
865 }
866
867 /*
868 * MPSAFE
869 */
870 void
871 audit_commit(struct kaudit_record *ar, int error, int retval)
872 {
873
874 if (ar == NULL)
875 return;
876
877 ar->k_ar.ar_errno = error;
878 ar->k_ar.ar_retval = retval;
879
880 /*
881 * We might want to do some system-wide post-filtering
882 * here at some point.
883 */
884
885 /*
886 * Timestamp system call end.
887 */
888 nanotime(&ar->k_ar.ar_endtime);
889
890 /*
891 * XXXAUDIT: The number of outstanding uncommitted audit records is
892 * limited by the number of concurrent threads servicing system
893 * calls in the kernel. However, there is currently no bound on
894 * the size of the committed records in the audit event queue
895 * before they are sent to disk. Probably, there should be a fixed
896 * size bound (perhaps configurable), and if that bound is reached,
897 * threads should sleep in audit_commit() until there's room.
898 */
899 mutex_lock(audit_mtx);
900 /*
901 * Note: it could be that some records initiated while audit was
902 * enabled should still be committed?
903 */
904 if (audit_suspended || !audit_enabled) {
905 mutex_unlock(audit_mtx);
906 audit_free(ar);
907 return;
908 }
909 TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
910 wait_queue_wakeup_one(audit_wait_queue, 0, THREAD_AWAKENED);
911 mutex_unlock(audit_mtx);
912 }
913
914 /*
915 * Calls to set up and tear down audit structures associated with
916 * each system call.
917 */
918 void
919 audit_syscall_enter(unsigned short code, struct proc *proc,
920 struct uthread *uthread)
921 {
922 int audit_event;
923
924 assert(uthread->uu_ar == NULL);
925
926 audit_event = sys_au_event[code];
927
928 /*
929 * Allocate an audit record, if desired, and store in the BSD
930 * thread for later use.
931 */
932 if (audit_event != AUE_NULL) {
933 #if 0
934 AUDIT_PRINTF(("Allocated record type %d for syscall %d\n",
935 audit_event, code));
936 #endif
937 if (au_preselect(audit_event, &proc->p_au->ai_mask,
938 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
939 uthread->uu_ar = audit_new(audit_event, proc, uthread);
940 } else {
941 uthread->uu_ar = NULL;
942 }
943 }
944 }
945
946 void
947 audit_syscall_exit(int error, struct proc *proc, struct uthread *uthread)
948 {
949 int retval;
950
951 /*
952 * Commit the audit record as desired; once we pass the record
953 * into audit_commit(), the memory is owned by the audit
954 * subsystem.
955 * The return value from the system call is stored on the user
956 * thread. If there was an error, the return value is set to -1,
957 * imitating the behavior of the cerror routine.
958 */
959 if (error)
960 retval = -1;
961 else
962 retval = uthread->uu_rval[0];
963
964 audit_commit(uthread->uu_ar, error, retval);
965 if (uthread->uu_ar != NULL)
966 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
967 uthread->uu_ar = NULL;
968
969 }
970
971 /*
972 * Calls to manipulate elements of the audit record structure from system
973 * call code. Macro wrappers will prevent this functions from being
974 * entered if auditing is disabled, avoiding the function call cost. We
975 * check the thread audit record pointer anyway, as the audit condition
976 * could change, and pre-selection may not have allocated an audit
977 * record for this event.
978 */
979 void
980 audit_arg_accmode(int accmode)
981 {
982 struct kaudit_record *ar;
983
984 ar = currecord();
985 if (ar == NULL)
986 return;
987
988 ar->k_ar.ar_arg_accmode = accmode;
989 ar->k_ar.ar_valid_arg |= ARG_ACCMODE;
990 }
991
992 void
993 audit_arg_cmode(int cmode)
994 {
995 struct kaudit_record *ar;
996
997 ar = currecord();
998 if (ar == NULL)
999 return;
1000
1001 ar->k_ar.ar_arg_cmode = cmode;
1002 ar->k_ar.ar_valid_arg |= ARG_CMODE;
1003 }
1004
1005 void
1006 audit_arg_fd(int fd)
1007 {
1008 struct kaudit_record *ar;
1009
1010 ar = currecord();
1011 if (ar == NULL)
1012 return;
1013
1014 ar->k_ar.ar_arg_fd = fd;
1015 ar->k_ar.ar_valid_arg |= ARG_FD;
1016 }
1017
1018 void
1019 audit_arg_fflags(int fflags)
1020 {
1021 struct kaudit_record *ar;
1022
1023 ar = currecord();
1024 if (ar == NULL)
1025 return;
1026
1027 ar->k_ar.ar_arg_fflags = fflags;
1028 ar->k_ar.ar_valid_arg |= ARG_FFLAGS;
1029 }
1030
1031 void
1032 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, gid_t sgid)
1033 {
1034 struct kaudit_record *ar;
1035
1036 ar = currecord();
1037 if (ar == NULL)
1038 return;
1039
1040 ar->k_ar.ar_arg_gid = gid;
1041 ar->k_ar.ar_arg_egid = egid;
1042 ar->k_ar.ar_arg_rgid = rgid;
1043 ar->k_ar.ar_arg_sgid = sgid;
1044 ar->k_ar.ar_valid_arg |= (ARG_GID | ARG_EGID | ARG_RGID | ARG_SGID);
1045 }
1046
1047 void
1048 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, uid_t suid)
1049 {
1050 struct kaudit_record *ar;
1051
1052 ar = currecord();
1053 if (ar == NULL)
1054 return;
1055
1056 ar->k_ar.ar_arg_uid = uid;
1057 ar->k_ar.ar_arg_euid = euid;
1058 ar->k_ar.ar_arg_ruid = ruid;
1059 ar->k_ar.ar_arg_suid = suid;
1060 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_EUID | ARG_RUID | ARG_SUID);
1061 }
1062
1063 void
1064 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
1065 {
1066 int i;
1067 struct kaudit_record *ar;
1068
1069 ar = currecord();
1070 if (ar == NULL)
1071 return;
1072
1073 for (i = 0; i < gidset_size; i++)
1074 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
1075 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
1076 ar->k_ar.ar_valid_arg |= ARG_GROUPSET;
1077 }
1078
1079 void
1080 audit_arg_login(char *login)
1081 {
1082 struct kaudit_record *ar;
1083
1084 ar = currecord();
1085 if (ar == NULL)
1086 return;
1087
1088 #if 0
1089 /*
1090 * XXX: Add strlcpy() to Darwin for improved safety.
1091 */
1092 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
1093 #else
1094 strcpy(ar->k_ar.ar_arg_login, login);
1095 #endif
1096
1097 ar->k_ar.ar_valid_arg |= ARG_LOGIN;
1098 }
1099
1100 void
1101 audit_arg_mask(int mask)
1102 {
1103 struct kaudit_record *ar;
1104
1105 ar = currecord();
1106 if (ar == NULL)
1107 return;
1108
1109 ar->k_ar.ar_arg_mask = mask;
1110 ar->k_ar.ar_valid_arg |= ARG_MASK;
1111 }
1112
1113 void
1114 audit_arg_mode(mode_t mode)
1115 {
1116 struct kaudit_record *ar;
1117
1118 ar = currecord();
1119 if (ar == NULL)
1120 return;
1121
1122 ar->k_ar.ar_arg_mode = mode;
1123 ar->k_ar.ar_valid_arg |= ARG_MODE;
1124 }
1125
1126 void
1127 audit_arg_dev(int dev)
1128 {
1129 struct kaudit_record *ar;
1130
1131 ar = currecord();
1132 if (ar == NULL)
1133 return;
1134
1135 ar->k_ar.ar_arg_dev = dev;
1136 ar->k_ar.ar_valid_arg |= ARG_DEV;
1137 }
1138
1139 void
1140 audit_arg_owner(uid_t uid, gid_t gid)
1141 {
1142 struct kaudit_record *ar;
1143
1144 ar = currecord();
1145 if (ar == NULL)
1146 return;
1147
1148 ar->k_ar.ar_arg_uid = uid;
1149 ar->k_ar.ar_arg_gid = gid;
1150 ar->k_ar.ar_valid_arg |= (ARG_UID | ARG_GID);
1151 }
1152
1153 void
1154 audit_arg_pid(pid_t pid)
1155 {
1156 struct kaudit_record *ar;
1157
1158 ar = currecord();
1159 if (ar == NULL)
1160 return;
1161
1162 ar->k_ar.ar_arg_pid = pid;
1163 ar->k_ar.ar_valid_arg |= ARG_PID;
1164 }
1165
1166 void
1167 audit_arg_signum(u_int signum)
1168 {
1169 struct kaudit_record *ar;
1170
1171 ar = currecord();
1172 if (ar == NULL)
1173 return;
1174
1175 ar->k_ar.ar_arg_signum = signum;
1176 ar->k_ar.ar_valid_arg |= ARG_SIGNUM;
1177 }
1178
1179 void
1180 audit_arg_socket(int sodomain, int sotype, int soprotocol)
1181 {
1182
1183 struct kaudit_record *ar;
1184
1185 ar = currecord();
1186 if (ar == NULL)
1187 return;
1188
1189 ar->k_ar.ar_arg_sockinfo.sodomain = sodomain;
1190 ar->k_ar.ar_arg_sockinfo.sotype = sotype;
1191 ar->k_ar.ar_arg_sockinfo.soprotocol = soprotocol;
1192 ar->k_ar.ar_valid_arg |= ARG_SOCKINFO;
1193 }
1194
1195 void
1196 audit_arg_sockaddr(struct proc *p, struct sockaddr *so)
1197 {
1198 struct kaudit_record *ar;
1199
1200 ar = currecord();
1201 if (ar == NULL || p == NULL || so == NULL)
1202 return;
1203
1204 bcopy(so, &ar->k_ar.ar_arg_sockaddr, sizeof(ar->k_ar.ar_arg_sockaddr));
1205 switch (so->sa_family) {
1206 case AF_INET:
1207 ar->k_ar.ar_valid_arg |= ARG_SADDRINET;
1208 break;
1209 case AF_INET6:
1210 ar->k_ar.ar_valid_arg |= ARG_SADDRINET6;
1211 break;
1212 case AF_UNIX:
1213 audit_arg_upath(p, ((struct sockaddr_un *)so)->sun_path,
1214 ARG_UPATH1);
1215 ar->k_ar.ar_valid_arg |= ARG_SADDRUNIX;
1216 break;
1217 }
1218 }
1219
1220 void
1221 audit_arg_auid(uid_t auid)
1222 {
1223 struct kaudit_record *ar;
1224
1225 ar = currecord();
1226 if (ar == NULL)
1227 return;
1228
1229 ar->k_ar.ar_arg_auid = auid;
1230 ar->k_ar.ar_valid_arg |= ARG_AUID;
1231 }
1232
1233 void
1234 audit_arg_text(char *text)
1235 {
1236 struct kaudit_record *ar;
1237
1238 ar = currecord();
1239 if (ar == NULL)
1240 return;
1241
1242 /* Invalidate the text string */
1243 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
1244 if (text == NULL)
1245 return;
1246
1247 if (ar->k_ar.ar_arg_text == NULL) {
1248 kmem_alloc(kernel_map, &ar->k_ar.ar_arg_text, MAXPATHLEN);
1249 if (ar->k_ar.ar_arg_text == NULL)
1250 return;
1251 }
1252
1253 strcpy(ar->k_ar.ar_arg_text, text);
1254 ar->k_ar.ar_valid_arg |= ARG_TEXT;
1255 }
1256
1257 void
1258 audit_arg_cmd(int cmd)
1259 {
1260 struct kaudit_record *ar;
1261
1262 ar = currecord();
1263 if (ar == NULL)
1264 return;
1265
1266 ar->k_ar.ar_arg_cmd = cmd;
1267 ar->k_ar.ar_valid_arg |= ARG_CMD;
1268 }
1269
1270 void
1271 audit_arg_svipc_cmd(int cmd)
1272 {
1273 struct kaudit_record *ar;
1274
1275 ar = currecord();
1276 if (ar == NULL)
1277 return;
1278
1279 ar->k_ar.ar_arg_svipc_cmd = cmd;
1280 ar->k_ar.ar_valid_arg |= ARG_SVIPC_CMD;
1281 }
1282
1283 void
1284 audit_arg_svipc_perm(struct ipc_perm *perm)
1285 {
1286 struct kaudit_record *ar;
1287
1288 ar = currecord();
1289 if (ar == NULL)
1290 return;
1291
1292 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
1293 sizeof(ar->k_ar.ar_arg_svipc_perm));
1294 ar->k_ar.ar_valid_arg |= ARG_SVIPC_PERM;
1295 }
1296
1297 void
1298 audit_arg_svipc_id(int id)
1299 {
1300 struct kaudit_record *ar;
1301
1302 ar = currecord();
1303 if (ar == NULL)
1304 return;
1305
1306 ar->k_ar.ar_arg_svipc_id = id;
1307 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ID;
1308 }
1309
1310 void
1311 audit_arg_svipc_addr(void * addr)
1312 {
1313 struct kaudit_record *ar;
1314
1315 ar = currecord();
1316 if (ar == NULL)
1317 return;
1318
1319 ar->k_ar.ar_arg_svipc_addr = addr;
1320 ar->k_ar.ar_valid_arg |= ARG_SVIPC_ADDR;
1321 }
1322
1323 /*
1324 * Initialize the audit information for the a process, presumably the first
1325 * process in the system.
1326 * XXX It is not clear what the initial values should be for audit ID,
1327 * session ID, etc.
1328 */
1329 void
1330 audit_proc_init(struct proc *p)
1331 {
1332 MALLOC_ZONE(p->p_au, struct auditinfo *, sizeof(*p->p_au),
1333 M_SUBPROC, M_WAITOK);
1334
1335 bzero((void *)p->p_au, sizeof(*p->p_au));
1336 }
1337
1338 /*
1339 * Copy the audit info from the parent process to the child process when
1340 * a fork takes place.
1341 * XXX Need to check for failure from the memory allocation, in here
1342 * as well as in any functions that use the process auditing info.
1343 */
1344 void
1345 audit_proc_fork(struct proc *parent, struct proc *child)
1346 {
1347 /* Always set up the audit information pointer as this function
1348 * should only be called when the proc is new. If proc structures
1349 * are ever cached and reused, then this behavior will leak memory.
1350 */
1351 MALLOC_ZONE(child->p_au, struct auditinfo *, sizeof(*child->p_au),
1352 M_SUBPROC, M_WAITOK);
1353
1354 bcopy(parent->p_au, child->p_au, sizeof(*child->p_au));
1355 }
1356
1357 /*
1358 * Free the auditing structure for the process.
1359 */
1360 void
1361 audit_proc_free(struct proc *p)
1362 {
1363 FREE_ZONE((void *)p->p_au, sizeof(*p->p_au), M_SUBPROC);
1364 p->p_au = NULL;
1365 }
1366
1367 /*
1368 * Store a path as given by the user process for auditing into the audit
1369 * record stored on the user thread. This function will allocate the memory to
1370 * store the path info if not already available. This memory will be
1371 * freed when the audit record is freed.
1372 */
1373 void
1374 audit_arg_upath(struct proc *p, char *upath, u_int64_t flags)
1375 {
1376 struct kaudit_record *ar;
1377 char **pathp;
1378
1379 if (p == NULL || upath == NULL)
1380 return; /* nothing to do! */
1381
1382 if (flags & (ARG_UPATH1 | ARG_UPATH2) == 0)
1383 return;
1384
1385 ar = currecord();
1386 if (ar == NULL) /* This will be the case for unaudited system calls */
1387 return;
1388
1389 if (flags & ARG_UPATH1) {
1390 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH1);
1391 pathp = &ar->k_ar.ar_arg_upath1;
1392 }
1393 else {
1394 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_UPATH2);
1395 pathp = &ar->k_ar.ar_arg_upath2;
1396 }
1397
1398 if (*pathp == NULL) {
1399 kmem_alloc(kernel_map, pathp, MAXPATHLEN);
1400 if (*pathp == NULL)
1401 return;
1402 }
1403
1404 canon_path(p, upath, *pathp);
1405
1406 if (flags & ARG_UPATH1)
1407 ar->k_ar.ar_valid_arg |= ARG_UPATH1;
1408 else
1409 ar->k_ar.ar_valid_arg |= ARG_UPATH2;
1410 }
1411
1412 /*
1413 * Function to save the path and vnode attr information into the audit
1414 * record.
1415 *
1416 * It is assumed that the caller will hold any vnode locks necessary to
1417 * perform a VOP_GETATTR() on the passed vnode.
1418 *
1419 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
1420 * always provides access to the generation number as we need that
1421 * to construct the BSM file ID.
1422 * XXX: We should accept the process argument from the caller, since
1423 * it's very likely they already have a reference.
1424 * XXX: Error handling in this function is poor.
1425 */
1426 void
1427 audit_arg_vnpath(struct vnode *vp, u_int64_t flags)
1428 {
1429 struct kaudit_record *ar;
1430 struct vattr vattr;
1431 int error;
1432 int len;
1433 char **pathp;
1434 struct vnode_au_info *vnp;
1435 struct proc *p;
1436
1437 if (vp == NULL)
1438 return;
1439
1440 ar = currecord();
1441 if (ar == NULL) /* This will be the case for unaudited system calls */
1442 return;
1443
1444 if (flags & (ARG_VNODE1 | ARG_VNODE2) == 0)
1445 return;
1446
1447 p = current_proc();
1448
1449 if (flags & ARG_VNODE1) {
1450 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH1);
1451 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
1452 pathp = &ar->k_ar.ar_arg_kpath1;
1453 vnp = &ar->k_ar.ar_arg_vnode1;
1454 }
1455 else {
1456 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_KPATH2);
1457 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
1458 pathp = &ar->k_ar.ar_arg_kpath2;
1459 vnp = &ar->k_ar.ar_arg_vnode2;
1460 }
1461
1462 if (*pathp == NULL) {
1463 kmem_alloc(kernel_map, pathp, MAXPATHLEN);
1464 if (*pathp == NULL)
1465 return;
1466 }
1467
1468 /* Copy the path looked up by the vn_getpath() function */
1469 len = MAXPATHLEN;
1470 vn_getpath(vp, *pathp, &len);
1471 if (flags & ARG_VNODE1)
1472 ar->k_ar.ar_valid_arg |= ARG_KPATH1;
1473 else
1474 ar->k_ar.ar_valid_arg |= ARG_KPATH2;
1475
1476 /*
1477 * XXX: We'd assert the vnode lock here, only Darwin doesn't
1478 * appear to have vnode locking assertions.
1479 */
1480 error = VOP_GETATTR(vp, &vattr, p->p_ucred, p);
1481 if (error) {
1482 /* XXX: How to handle this case? */
1483 return;
1484 }
1485
1486 vnp->vn_mode = vattr.va_mode;
1487 vnp->vn_uid = vattr.va_uid;
1488 vnp->vn_gid = vattr.va_gid;
1489 vnp->vn_dev = vattr.va_rdev;
1490 vnp->vn_fsid = vattr.va_fsid;
1491 vnp->vn_fileid = vattr.va_fileid;
1492 vnp->vn_gen = vattr.va_gen;
1493 if (flags & ARG_VNODE1)
1494 ar->k_ar.ar_valid_arg |= ARG_VNODE1;
1495 else
1496 ar->k_ar.ar_valid_arg |= ARG_VNODE2;
1497
1498 }
1499
1500 #else /* !AUDIT */
1501
1502 void
1503 audit_init(void)
1504 {
1505
1506 }
1507
1508 void
1509 audit_shutdown(void)
1510 {
1511
1512 }
1513
1514 int
1515 audit(struct proc *p, struct audit_args *uap, register_t *retval)
1516 {
1517 return (ENOSYS);
1518 }
1519
1520 int
1521 auditon(struct proc *p, struct auditon_args *uap, register_t *retval)
1522 {
1523 return (ENOSYS);
1524 }
1525
1526 int
1527 auditsvc(struct proc *p, struct auditsvc_args *uap, register_t *retval)
1528 {
1529 return (ENOSYS);
1530 }
1531
1532 int
1533 getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
1534 {
1535 return (ENOSYS);
1536 }
1537
1538 int
1539 setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
1540 {
1541 return (ENOSYS);
1542 }
1543
1544 int
1545 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
1546 {
1547 return (ENOSYS);
1548 }
1549
1550 int
1551 setaudit(struct proc *p, struct setaudit_args *uap, register_t *retval)
1552 {
1553 return (ENOSYS);
1554 }
1555
1556 int
1557 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
1558 {
1559 return (ENOSYS);
1560 }
1561
1562 int
1563 setaudit_addr(struct proc *p, struct setaudit_addr_args *uap, register_t *retval)
1564 {
1565 return (ENOSYS);
1566 }
1567
1568 int
1569 auditctl(struct proc *p, struct auditctl_args *uap, register_t *retval)
1570 {
1571 return (ENOSYS);
1572 }
1573
1574 void
1575 audit_proc_init(struct proc *p)
1576 {
1577
1578 }
1579
1580 void
1581 audit_proc_fork(struct proc *parent, struct proc *child)
1582 {
1583
1584 }
1585
1586 void
1587 audit_proc_free(struct proc *p)
1588 {
1589
1590 }
1591
1592 #endif /* AUDIT */
Cache object: 9dbd80c88eb58e35872b94ad171fbab9
|