The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/audit/audit.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1999-2005 Apple Inc.
    3  * Copyright (c) 2006-2007 Robert N. M. Watson
    4  * All rights reserved.
    5  *
    6  * Redistribution and use in source and binary forms, with or without
    7  * modification, are permitted provided that the following conditions
    8  * are met:
    9  * 1.  Redistributions of source code must retain the above copyright
   10  *     notice, this list of conditions and the following disclaimer.
   11  * 2.  Redistributions in binary form must reproduce the above copyright
   12  *     notice, this list of conditions and the following disclaimer in the
   13  *     documentation and/or other materials provided with the distribution.
   14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
   15  *     its contributors may be used to endorse or promote products derived
   16  *     from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
   19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   21  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
   22  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   26  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
   27  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   28  * POSSIBILITY OF SUCH DAMAGE.
   29  */
   30 
   31 #include <sys/cdefs.h>
   32 __FBSDID("$FreeBSD: releng/10.4/sys/security/audit/audit.c 253078 2013-07-09 09:03:01Z avg $");
   33 
   34 #include <sys/param.h>
   35 #include <sys/condvar.h>
   36 #include <sys/conf.h>
   37 #include <sys/file.h>
   38 #include <sys/filedesc.h>
   39 #include <sys/fcntl.h>
   40 #include <sys/ipc.h>
   41 #include <sys/jail.h>
   42 #include <sys/kernel.h>
   43 #include <sys/kthread.h>
   44 #include <sys/malloc.h>
   45 #include <sys/mount.h>
   46 #include <sys/namei.h>
   47 #include <sys/priv.h>
   48 #include <sys/proc.h>
   49 #include <sys/queue.h>
   50 #include <sys/socket.h>
   51 #include <sys/socketvar.h>
   52 #include <sys/protosw.h>
   53 #include <sys/domain.h>
   54 #include <sys/sysctl.h>
   55 #include <sys/sysproto.h>
   56 #include <sys/sysent.h>
   57 #include <sys/systm.h>
   58 #include <sys/ucred.h>
   59 #include <sys/uio.h>
   60 #include <sys/un.h>
   61 #include <sys/unistd.h>
   62 #include <sys/vnode.h>
   63 
   64 #include <bsm/audit.h>
   65 #include <bsm/audit_internal.h>
   66 #include <bsm/audit_kevents.h>
   67 
   68 #include <netinet/in.h>
   69 #include <netinet/in_pcb.h>
   70 
   71 #include <security/audit/audit.h>
   72 #include <security/audit/audit_private.h>
   73 
   74 #include <vm/uma.h>
   75 
   76 FEATURE(audit, "BSM audit support");
   77 
   78 static uma_zone_t       audit_record_zone;
   79 static MALLOC_DEFINE(M_AUDITCRED, "audit_cred", "Audit cred storage");
   80 MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
   81 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
   82 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
   83 MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
   84 
   85 static SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
   86     "TrustedBSD audit controls");
   87 
   88 /*
   89  * Audit control settings that are set/read by system calls and are hence
   90  * non-static.
   91  *
   92  * Define the audit control flags.
   93  */
   94 int                     audit_enabled;
   95 int                     audit_suspended;
   96 
   97 /*
   98  * Flags controlling behavior in low storage situations.  Should we panic if
   99  * a write fails?  Should we fail stop if we're out of disk space?
  100  */
  101 int                     audit_panic_on_write_fail;
  102 int                     audit_fail_stop;
  103 int                     audit_argv;
  104 int                     audit_arge;
  105 
  106 /*
  107  * Are we currently "failing stop" due to out of disk space?
  108  */
  109 int                     audit_in_failure;
  110 
  111 /*
  112  * Global audit statistics.
  113  */
  114 struct audit_fstat      audit_fstat;
  115 
  116 /*
  117  * Preselection mask for non-attributable events.
  118  */
  119 struct au_mask          audit_nae_mask;
  120 
  121 /*
  122  * Mutex to protect global variables shared between various threads and
  123  * processes.
  124  */
  125 struct mtx              audit_mtx;
  126 
  127 /*
  128  * Queue of audit records ready for delivery to disk.  We insert new records
  129  * at the tail, and remove records from the head.  Also, a count of the
  130  * number of records used for checking queue depth.  In addition, a counter
  131  * of records that we have allocated but are not yet in the queue, which is
  132  * needed to estimate the total size of the combined set of records
  133  * outstanding in the system.
  134  */
  135 struct kaudit_queue     audit_q;
  136 int                     audit_q_len;
  137 int                     audit_pre_q_len;
  138 
  139 /*
  140  * Audit queue control settings (minimum free, low/high water marks, etc.)
  141  */
  142 struct au_qctrl         audit_qctrl;
  143 
  144 /*
  145  * Condition variable to signal to the worker that it has work to do: either
  146  * new records are in the queue, or a log replacement is taking place.
  147  */
  148 struct cv               audit_worker_cv;
  149 
  150 /*
  151  * Condition variable to flag when crossing the low watermark, meaning that
  152  * threads blocked due to hitting the high watermark can wake up and continue
  153  * to commit records.
  154  */
  155 struct cv               audit_watermark_cv;
  156 
  157 /*
  158  * Condition variable for  auditing threads wait on when in fail-stop mode.
  159  * Threads wait on this CV forever (and ever), never seeing the light of day
  160  * again.
  161  */
  162 static struct cv        audit_fail_cv;
  163 
  164 /*
  165  * Kernel audit information.  This will store the current audit address
  166  * or host information that the kernel will use when it's generating
  167  * audit records.  This data is modified by the A_GET{SET}KAUDIT auditon(2)
  168  * command.
  169  */
  170 static struct auditinfo_addr    audit_kinfo;
  171 static struct rwlock            audit_kinfo_lock;
  172 
  173 #define KINFO_LOCK_INIT()       rw_init(&audit_kinfo_lock, \
  174                                     "audit_kinfo_lock")
  175 #define KINFO_RLOCK()           rw_rlock(&audit_kinfo_lock)
  176 #define KINFO_WLOCK()           rw_wlock(&audit_kinfo_lock)
  177 #define KINFO_RUNLOCK()         rw_runlock(&audit_kinfo_lock)
  178 #define KINFO_WUNLOCK()         rw_wunlock(&audit_kinfo_lock)
  179 
  180 void
  181 audit_set_kinfo(struct auditinfo_addr *ak)
  182 {
  183 
  184         KASSERT(ak->ai_termid.at_type == AU_IPv4 ||
  185             ak->ai_termid.at_type == AU_IPv6,
  186             ("audit_set_kinfo: invalid address type"));
  187 
  188         KINFO_WLOCK();
  189         audit_kinfo = *ak;
  190         KINFO_WUNLOCK();
  191 }
  192 
  193 void
  194 audit_get_kinfo(struct auditinfo_addr *ak)
  195 {
  196 
  197         KASSERT(audit_kinfo.ai_termid.at_type == AU_IPv4 ||
  198             audit_kinfo.ai_termid.at_type == AU_IPv6,
  199             ("audit_set_kinfo: invalid address type"));
  200 
  201         KINFO_RLOCK();
  202         *ak = audit_kinfo;
  203         KINFO_RUNLOCK();
  204 }
  205 
  206 /*
  207  * Construct an audit record for the passed thread.
  208  */
  209 static int
  210 audit_record_ctor(void *mem, int size, void *arg, int flags)
  211 {
  212         struct kaudit_record *ar;
  213         struct thread *td;
  214         struct ucred *cred;
  215         struct prison *pr;
  216 
  217         KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
  218 
  219         td = arg;
  220         ar = mem;
  221         bzero(ar, sizeof(*ar));
  222         ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
  223         nanotime(&ar->k_ar.ar_starttime);
  224 
  225         /*
  226          * Export the subject credential.
  227          */
  228         cred = td->td_ucred;
  229         cru2x(cred, &ar->k_ar.ar_subj_cred);
  230         ar->k_ar.ar_subj_ruid = cred->cr_ruid;
  231         ar->k_ar.ar_subj_rgid = cred->cr_rgid;
  232         ar->k_ar.ar_subj_egid = cred->cr_groups[0];
  233         ar->k_ar.ar_subj_auid = cred->cr_audit.ai_auid;
  234         ar->k_ar.ar_subj_asid = cred->cr_audit.ai_asid;
  235         ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
  236         ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
  237         ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
  238         /*
  239          * If this process is jailed, make sure we capture the name of the
  240          * jail so we can use it to generate a zonename token when we covert
  241          * this record to BSM.
  242          */
  243         if (jailed(cred)) {
  244                 pr = cred->cr_prison;
  245                 (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
  246                     sizeof(ar->k_ar.ar_jailname));
  247         } else
  248                 ar->k_ar.ar_jailname[0] = '\0';
  249         return (0);
  250 }
  251 
  252 static void
  253 audit_record_dtor(void *mem, int size, void *arg)
  254 {
  255         struct kaudit_record *ar;
  256 
  257         KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
  258 
  259         ar = mem;
  260         if (ar->k_ar.ar_arg_upath1 != NULL)
  261                 free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
  262         if (ar->k_ar.ar_arg_upath2 != NULL)
  263                 free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
  264         if (ar->k_ar.ar_arg_text != NULL)
  265                 free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
  266         if (ar->k_udata != NULL)
  267                 free(ar->k_udata, M_AUDITDATA);
  268         if (ar->k_ar.ar_arg_argv != NULL)
  269                 free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
  270         if (ar->k_ar.ar_arg_envv != NULL)
  271                 free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
  272         if (ar->k_ar.ar_arg_groups.gidset != NULL)
  273                 free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
  274 }
  275 
  276 /*
  277  * Initialize the Audit subsystem: configuration state, work queue,
  278  * synchronization primitives, worker thread, and trigger device node.  Also
  279  * call into the BSM assembly code to initialize it.
  280  */
  281 static void
  282 audit_init(void)
  283 {
  284 
  285         audit_enabled = 0;
  286         audit_suspended = 0;
  287         audit_panic_on_write_fail = 0;
  288         audit_fail_stop = 0;
  289         audit_in_failure = 0;
  290         audit_argv = 0;
  291         audit_arge = 0;
  292 
  293         audit_fstat.af_filesz = 0;      /* '' means unset, unbounded. */
  294         audit_fstat.af_currsz = 0;
  295         audit_nae_mask.am_success = 0;
  296         audit_nae_mask.am_failure = 0;
  297 
  298         TAILQ_INIT(&audit_q);
  299         audit_q_len = 0;
  300         audit_pre_q_len = 0;
  301         audit_qctrl.aq_hiwater = AQ_HIWATER;
  302         audit_qctrl.aq_lowater = AQ_LOWATER;
  303         audit_qctrl.aq_bufsz = AQ_BUFSZ;
  304         audit_qctrl.aq_minfree = AU_FS_MINFREE;
  305 
  306         audit_kinfo.ai_termid.at_type = AU_IPv4;
  307         audit_kinfo.ai_termid.at_addr[0] = INADDR_ANY;
  308 
  309         mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
  310         KINFO_LOCK_INIT();
  311         cv_init(&audit_worker_cv, "audit_worker_cv");
  312         cv_init(&audit_watermark_cv, "audit_watermark_cv");
  313         cv_init(&audit_fail_cv, "audit_fail_cv");
  314 
  315         audit_record_zone = uma_zcreate("audit_record",
  316             sizeof(struct kaudit_record), audit_record_ctor,
  317             audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
  318 
  319         /* Initialize the BSM audit subsystem. */
  320         kau_init();
  321 
  322         audit_trigger_init();
  323 
  324         /* Register shutdown handler. */
  325         EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
  326             SHUTDOWN_PRI_FIRST);
  327 
  328         /* Start audit worker thread. */
  329         audit_worker_init();
  330 }
  331 
  332 SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL);
  333 
  334 /*
  335  * Drain the audit queue and close the log at shutdown.  Note that this can
  336  * be called both from the system shutdown path and also from audit
  337  * configuration syscalls, so 'arg' and 'howto' are ignored.
  338  *
  339  * XXXRW: In FreeBSD 7.x and 8.x, this fails to wait for the record queue to
  340  * drain before returning, which could lead to lost records on shutdown.
  341  */
  342 void
  343 audit_shutdown(void *arg, int howto)
  344 {
  345 
  346         audit_rotate_vnode(NULL, NULL);
  347 }
  348 
  349 /*
  350  * Return the current thread's audit record, if any.
  351  */
  352 struct kaudit_record *
  353 currecord(void)
  354 {
  355 
  356         return (curthread->td_ar);
  357 }
  358 
  359 /*
  360  * XXXAUDIT: There are a number of races present in the code below due to
  361  * release and re-grab of the mutex.  The code should be revised to become
  362  * slightly less racy.
  363  *
  364  * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
  365  * pre_q space, suspending the system call until there is room?
  366  */
  367 struct kaudit_record *
  368 audit_new(int event, struct thread *td)
  369 {
  370         struct kaudit_record *ar;
  371         int no_record;
  372 
  373         mtx_lock(&audit_mtx);
  374         no_record = (audit_suspended || !audit_enabled);
  375         mtx_unlock(&audit_mtx);
  376         if (no_record)
  377                 return (NULL);
  378 
  379         /*
  380          * Note: the number of outstanding uncommitted audit records is
  381          * limited to the number of concurrent threads servicing system calls
  382          * in the kernel.
  383          */
  384         ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
  385         ar->k_ar.ar_event = event;
  386 
  387         mtx_lock(&audit_mtx);
  388         audit_pre_q_len++;
  389         mtx_unlock(&audit_mtx);
  390 
  391         return (ar);
  392 }
  393 
  394 void
  395 audit_free(struct kaudit_record *ar)
  396 {
  397 
  398         uma_zfree(audit_record_zone, ar);
  399 }
  400 
  401 void
  402 audit_commit(struct kaudit_record *ar, int error, int retval)
  403 {
  404         au_event_t event;
  405         au_class_t class;
  406         au_id_t auid;
  407         int sorf;
  408         struct au_mask *aumask;
  409 
  410         if (ar == NULL)
  411                 return;
  412 
  413         /*
  414          * Decide whether to commit the audit record by checking the error
  415          * value from the system call and using the appropriate audit mask.
  416          */
  417         if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
  418                 aumask = &audit_nae_mask;
  419         else
  420                 aumask = &ar->k_ar.ar_subj_amask;
  421 
  422         if (error)
  423                 sorf = AU_PRS_FAILURE;
  424         else
  425                 sorf = AU_PRS_SUCCESS;
  426 
  427         /*
  428          * syscalls.master sometimes contains a prototype event number, which
  429          * we will transform into a more specific event number now that we
  430          * have more complete information gathered during the system call.
  431          */
  432         switch(ar->k_ar.ar_event) {
  433         case AUE_OPEN_RWTC:
  434                 ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
  435                     ar->k_ar.ar_arg_fflags, error);
  436                 break;
  437 
  438         case AUE_OPENAT_RWTC:
  439                 ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
  440                     ar->k_ar.ar_arg_fflags, error);
  441                 break;
  442 
  443         case AUE_SYSCTL:
  444                 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
  445                     ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
  446                 break;
  447 
  448         case AUE_AUDITON:
  449                 /* Convert the auditon() command to an event. */
  450                 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
  451                 break;
  452         }
  453 
  454         auid = ar->k_ar.ar_subj_auid;
  455         event = ar->k_ar.ar_event;
  456         class = au_event_class(event);
  457 
  458         ar->k_ar_commit |= AR_COMMIT_KERNEL;
  459         if (au_preselect(event, class, aumask, sorf) != 0)
  460                 ar->k_ar_commit |= AR_PRESELECT_TRAIL;
  461         if (audit_pipe_preselect(auid, event, class, sorf,
  462             ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
  463                 ar->k_ar_commit |= AR_PRESELECT_PIPE;
  464         if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
  465             AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE)) == 0) {
  466                 mtx_lock(&audit_mtx);
  467                 audit_pre_q_len--;
  468                 mtx_unlock(&audit_mtx);
  469                 audit_free(ar);
  470                 return;
  471         }
  472 
  473         ar->k_ar.ar_errno = error;
  474         ar->k_ar.ar_retval = retval;
  475         nanotime(&ar->k_ar.ar_endtime);
  476 
  477         /*
  478          * Note: it could be that some records initiated while audit was
  479          * enabled should still be committed?
  480          */
  481         mtx_lock(&audit_mtx);
  482         if (audit_suspended || !audit_enabled) {
  483                 audit_pre_q_len--;
  484                 mtx_unlock(&audit_mtx);
  485                 audit_free(ar);
  486                 return;
  487         }
  488 
  489         /*
  490          * Constrain the number of committed audit records based on the
  491          * configurable parameter.
  492          */
  493         while (audit_q_len >= audit_qctrl.aq_hiwater)
  494                 cv_wait(&audit_watermark_cv, &audit_mtx);
  495 
  496         TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
  497         audit_q_len++;
  498         audit_pre_q_len--;
  499         cv_signal(&audit_worker_cv);
  500         mtx_unlock(&audit_mtx);
  501 }
  502 
  503 /*
  504  * audit_syscall_enter() is called on entry to each system call.  It is
  505  * responsible for deciding whether or not to audit the call (preselection),
  506  * and if so, allocating a per-thread audit record.  audit_new() will fill in
  507  * basic thread/credential properties.
  508  */
  509 void
  510 audit_syscall_enter(unsigned short code, struct thread *td)
  511 {
  512         struct au_mask *aumask;
  513         au_class_t class;
  514         au_event_t event;
  515         au_id_t auid;
  516 
  517         KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
  518         KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
  519             ("audit_syscall_enter: TDP_AUDITREC set"));
  520 
  521         /*
  522          * In FreeBSD, each ABI has its own system call table, and hence
  523          * mapping of system call codes to audit events.  Convert the code to
  524          * an audit event identifier using the process system call table
  525          * reference.  In Darwin, there's only one, so we use the global
  526          * symbol for the system call table.  No audit record is generated
  527          * for bad system calls, as no operation has been performed.
  528          */
  529         if (code >= td->td_proc->p_sysent->sv_size)
  530                 return;
  531 
  532         event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
  533         if (event == AUE_NULL)
  534                 return;
  535 
  536         /*
  537          * Check which audit mask to use; either the kernel non-attributable
  538          * event mask or the process audit mask.
  539          */
  540         auid = td->td_ucred->cr_audit.ai_auid;
  541         if (auid == AU_DEFAUDITID)
  542                 aumask = &audit_nae_mask;
  543         else
  544                 aumask = &td->td_ucred->cr_audit.ai_mask;
  545 
  546         /*
  547          * Allocate an audit record, if preselection allows it, and store in
  548          * the thread for later use.
  549          */
  550         class = au_event_class(event);
  551         if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
  552                 /*
  553                  * If we're out of space and need to suspend unprivileged
  554                  * processes, do that here rather than trying to allocate
  555                  * another audit record.
  556                  *
  557                  * Note: we might wish to be able to continue here in the
  558                  * future, if the system recovers.  That should be possible
  559                  * by means of checking the condition in a loop around
  560                  * cv_wait().  It might be desirable to reevaluate whether an
  561                  * audit record is still required for this event by
  562                  * re-calling au_preselect().
  563                  */
  564                 if (audit_in_failure &&
  565                     priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
  566                         cv_wait(&audit_fail_cv, &audit_mtx);
  567                         panic("audit_failing_stop: thread continued");
  568                 }
  569                 td->td_ar = audit_new(event, td);
  570                 if (td->td_ar != NULL)
  571                         td->td_pflags |= TDP_AUDITREC;
  572         } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
  573                 td->td_ar = audit_new(event, td);
  574                 if (td->td_ar != NULL)
  575                         td->td_pflags |= TDP_AUDITREC;
  576         } else
  577                 td->td_ar = NULL;
  578 }
  579 
  580 /*
  581  * audit_syscall_exit() is called from the return of every system call, or in
  582  * the event of exit1(), during the execution of exit1().  It is responsible
  583  * for committing the audit record, if any, along with return condition.
  584  */
  585 void
  586 audit_syscall_exit(int error, struct thread *td)
  587 {
  588         int retval;
  589 
  590         /*
  591          * Commit the audit record as desired; once we pass the record into
  592          * audit_commit(), the memory is owned by the audit subsystem.  The
  593          * return value from the system call is stored on the user thread.
  594          * If there was an error, the return value is set to -1, imitating
  595          * the behavior of the cerror routine.
  596          */
  597         if (error)
  598                 retval = -1;
  599         else
  600                 retval = td->td_retval[0];
  601 
  602         audit_commit(td->td_ar, error, retval);
  603         td->td_ar = NULL;
  604         td->td_pflags &= ~TDP_AUDITREC;
  605 }
  606 
  607 void
  608 audit_cred_copy(struct ucred *src, struct ucred *dest)
  609 {
  610 
  611         bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit));
  612 }
  613 
  614 void
  615 audit_cred_destroy(struct ucred *cred)
  616 {
  617 
  618 }
  619 
  620 void
  621 audit_cred_init(struct ucred *cred)
  622 {
  623 
  624         bzero(&cred->cr_audit, sizeof(cred->cr_audit));
  625 }
  626 
  627 /*
  628  * Initialize audit information for the first kernel process (proc 0) and for
  629  * the first user process (init).
  630  */
  631 void
  632 audit_cred_kproc0(struct ucred *cred)
  633 {
  634 
  635         cred->cr_audit.ai_auid = AU_DEFAUDITID;
  636         cred->cr_audit.ai_termid.at_type = AU_IPv4;
  637 }
  638 
  639 void
  640 audit_cred_proc1(struct ucred *cred)
  641 {
  642 
  643         cred->cr_audit.ai_auid = AU_DEFAUDITID;
  644         cred->cr_audit.ai_termid.at_type = AU_IPv4;
  645 }
  646 
  647 void
  648 audit_thread_alloc(struct thread *td)
  649 {
  650 
  651         td->td_ar = NULL;
  652 }
  653 
  654 void
  655 audit_thread_free(struct thread *td)
  656 {
  657 
  658         KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
  659         KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
  660             ("audit_thread_free: TDP_AUDITREC set"));
  661 }
  662 
  663 void
  664 audit_proc_coredump(struct thread *td, char *path, int errcode)
  665 {
  666         struct kaudit_record *ar;
  667         struct au_mask *aumask;
  668         struct ucred *cred;
  669         au_class_t class;
  670         int ret, sorf;
  671         char **pathp;
  672         au_id_t auid;
  673 
  674         ret = 0;
  675 
  676         /*
  677          * Make sure we are using the correct preselection mask.
  678          */
  679         cred = td->td_ucred;
  680         auid = cred->cr_audit.ai_auid;
  681         if (auid == AU_DEFAUDITID)
  682                 aumask = &audit_nae_mask;
  683         else
  684                 aumask = &cred->cr_audit.ai_mask;
  685         /*
  686          * It's possible for coredump(9) generation to fail.  Make sure that
  687          * we handle this case correctly for preselection.
  688          */
  689         if (errcode != 0)
  690                 sorf = AU_PRS_FAILURE;
  691         else
  692                 sorf = AU_PRS_SUCCESS;
  693         class = au_event_class(AUE_CORE);
  694         if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 &&
  695             audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0)
  696                 return;
  697 
  698         /*
  699          * If we are interested in seeing this audit record, allocate it.
  700          * Where possible coredump records should contain a pathname and arg32
  701          * (signal) tokens.
  702          */
  703         ar = audit_new(AUE_CORE, td);
  704         if (ar == NULL)
  705                 return;
  706         if (path != NULL) {
  707                 pathp = &ar->k_ar.ar_arg_upath1;
  708                 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
  709                 audit_canon_path(td, AT_FDCWD, path, *pathp);
  710                 ARG_SET_VALID(ar, ARG_UPATH1);
  711         }
  712         ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
  713         ARG_SET_VALID(ar, ARG_SIGNUM);
  714         if (errcode != 0)
  715                 ret = 1;
  716         audit_commit(ar, errcode, ret);
  717 }

Cache object: b5611e928118463731fb2bdca19bebcc


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.