1 /*-
2 * Copyright (c) 1999-2005 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD: releng/7.3/sys/security/audit/audit_arg.c 188735 2009-02-17 21:59:54Z jhb $");
32
33 #include <sys/param.h>
34 #include <sys/filedesc.h>
35 #include <sys/ipc.h>
36 #include <sys/mount.h>
37 #include <sys/proc.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/protosw.h>
41 #include <sys/domain.h>
42 #include <sys/sbuf.h>
43 #include <sys/systm.h>
44 #include <sys/un.h>
45 #include <sys/vnode.h>
46
47 #include <netinet/in.h>
48 #include <netinet/in_pcb.h>
49
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52
53 /*
54 * Calls to manipulate elements of the audit record structure from system
55 * call code. Macro wrappers will prevent this functions from being entered
56 * if auditing is disabled, avoiding the function call cost. We check the
57 * thread audit record pointer anyway, as the audit condition could change,
58 * and pre-selection may not have allocated an audit record for this event.
59 *
60 * XXXAUDIT: Should we assert, in each case, that this field of the record
61 * hasn't already been filled in?
62 */
63 void
64 audit_arg_addr(void *addr)
65 {
66 struct kaudit_record *ar;
67
68 ar = currecord();
69 if (ar == NULL)
70 return;
71
72 ar->k_ar.ar_arg_addr = addr;
73 ARG_SET_VALID(ar, ARG_ADDR);
74 }
75
76 void
77 audit_arg_exit(int status, int retval)
78 {
79 struct kaudit_record *ar;
80
81 ar = currecord();
82 if (ar == NULL)
83 return;
84
85 ar->k_ar.ar_arg_exitstatus = status;
86 ar->k_ar.ar_arg_exitretval = retval;
87 ARG_SET_VALID(ar, ARG_EXIT);
88 }
89
90 void
91 audit_arg_len(int len)
92 {
93 struct kaudit_record *ar;
94
95 ar = currecord();
96 if (ar == NULL)
97 return;
98
99 ar->k_ar.ar_arg_len = len;
100 ARG_SET_VALID(ar, ARG_LEN);
101 }
102
103 void
104 audit_arg_fd(int fd)
105 {
106 struct kaudit_record *ar;
107
108 ar = currecord();
109 if (ar == NULL)
110 return;
111
112 ar->k_ar.ar_arg_fd = fd;
113 ARG_SET_VALID(ar, ARG_FD);
114 }
115
116 void
117 audit_arg_fflags(int fflags)
118 {
119 struct kaudit_record *ar;
120
121 ar = currecord();
122 if (ar == NULL)
123 return;
124
125 ar->k_ar.ar_arg_fflags = fflags;
126 ARG_SET_VALID(ar, ARG_FFLAGS);
127 }
128
129 void
130 audit_arg_gid(gid_t gid)
131 {
132 struct kaudit_record *ar;
133
134 ar = currecord();
135 if (ar == NULL)
136 return;
137
138 ar->k_ar.ar_arg_gid = gid;
139 ARG_SET_VALID(ar, ARG_GID);
140 }
141
142 void
143 audit_arg_uid(uid_t uid)
144 {
145 struct kaudit_record *ar;
146
147 ar = currecord();
148 if (ar == NULL)
149 return;
150
151 ar->k_ar.ar_arg_uid = uid;
152 ARG_SET_VALID(ar, ARG_UID);
153 }
154
155 void
156 audit_arg_egid(gid_t egid)
157 {
158 struct kaudit_record *ar;
159
160 ar = currecord();
161 if (ar == NULL)
162 return;
163
164 ar->k_ar.ar_arg_egid = egid;
165 ARG_SET_VALID(ar, ARG_EGID);
166 }
167
168 void
169 audit_arg_euid(uid_t euid)
170 {
171 struct kaudit_record *ar;
172
173 ar = currecord();
174 if (ar == NULL)
175 return;
176
177 ar->k_ar.ar_arg_euid = euid;
178 ARG_SET_VALID(ar, ARG_EUID);
179 }
180
181 void
182 audit_arg_rgid(gid_t rgid)
183 {
184 struct kaudit_record *ar;
185
186 ar = currecord();
187 if (ar == NULL)
188 return;
189
190 ar->k_ar.ar_arg_rgid = rgid;
191 ARG_SET_VALID(ar, ARG_RGID);
192 }
193
194 void
195 audit_arg_ruid(uid_t ruid)
196 {
197 struct kaudit_record *ar;
198
199 ar = currecord();
200 if (ar == NULL)
201 return;
202
203 ar->k_ar.ar_arg_ruid = ruid;
204 ARG_SET_VALID(ar, ARG_RUID);
205 }
206
207 void
208 audit_arg_sgid(gid_t sgid)
209 {
210 struct kaudit_record *ar;
211
212 ar = currecord();
213 if (ar == NULL)
214 return;
215
216 ar->k_ar.ar_arg_sgid = sgid;
217 ARG_SET_VALID(ar, ARG_SGID);
218 }
219
220 void
221 audit_arg_suid(uid_t suid)
222 {
223 struct kaudit_record *ar;
224
225 ar = currecord();
226 if (ar == NULL)
227 return;
228
229 ar->k_ar.ar_arg_suid = suid;
230 ARG_SET_VALID(ar, ARG_SUID);
231 }
232
233 void
234 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
235 {
236 u_int i;
237 struct kaudit_record *ar;
238
239 ar = currecord();
240 if (ar == NULL)
241 return;
242
243 for (i = 0; i < gidset_size; i++)
244 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
245 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
246 ARG_SET_VALID(ar, ARG_GROUPSET);
247 }
248
249 void
250 audit_arg_login(char *login)
251 {
252 struct kaudit_record *ar;
253
254 ar = currecord();
255 if (ar == NULL)
256 return;
257
258 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
259 ARG_SET_VALID(ar, ARG_LOGIN);
260 }
261
262 void
263 audit_arg_ctlname(int *name, int namelen)
264 {
265 struct kaudit_record *ar;
266
267 ar = currecord();
268 if (ar == NULL)
269 return;
270
271 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
272 ar->k_ar.ar_arg_len = namelen;
273 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
274 }
275
276 void
277 audit_arg_mask(int mask)
278 {
279 struct kaudit_record *ar;
280
281 ar = currecord();
282 if (ar == NULL)
283 return;
284
285 ar->k_ar.ar_arg_mask = mask;
286 ARG_SET_VALID(ar, ARG_MASK);
287 }
288
289 void
290 audit_arg_mode(mode_t mode)
291 {
292 struct kaudit_record *ar;
293
294 ar = currecord();
295 if (ar == NULL)
296 return;
297
298 ar->k_ar.ar_arg_mode = mode;
299 ARG_SET_VALID(ar, ARG_MODE);
300 }
301
302 void
303 audit_arg_dev(int dev)
304 {
305 struct kaudit_record *ar;
306
307 ar = currecord();
308 if (ar == NULL)
309 return;
310
311 ar->k_ar.ar_arg_dev = dev;
312 ARG_SET_VALID(ar, ARG_DEV);
313 }
314
315 void
316 audit_arg_value(long value)
317 {
318 struct kaudit_record *ar;
319
320 ar = currecord();
321 if (ar == NULL)
322 return;
323
324 ar->k_ar.ar_arg_value = value;
325 ARG_SET_VALID(ar, ARG_VALUE);
326 }
327
328 void
329 audit_arg_owner(uid_t uid, gid_t gid)
330 {
331 struct kaudit_record *ar;
332
333 ar = currecord();
334 if (ar == NULL)
335 return;
336
337 ar->k_ar.ar_arg_uid = uid;
338 ar->k_ar.ar_arg_gid = gid;
339 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
340 }
341
342 void
343 audit_arg_pid(pid_t pid)
344 {
345 struct kaudit_record *ar;
346
347 ar = currecord();
348 if (ar == NULL)
349 return;
350
351 ar->k_ar.ar_arg_pid = pid;
352 ARG_SET_VALID(ar, ARG_PID);
353 }
354
355 void
356 audit_arg_process(struct proc *p)
357 {
358 struct kaudit_record *ar;
359 struct ucred *cred;
360
361 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
362
363 PROC_LOCK_ASSERT(p, MA_OWNED);
364
365 ar = currecord();
366 if (ar == NULL)
367 return;
368
369 cred = p->p_ucred;
370 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
371 ar->k_ar.ar_arg_euid = cred->cr_uid;
372 ar->k_ar.ar_arg_egid = cred->cr_groups[0];
373 ar->k_ar.ar_arg_ruid = cred->cr_ruid;
374 ar->k_ar.ar_arg_rgid = cred->cr_rgid;
375 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
376 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
377 ar->k_ar.ar_arg_pid = p->p_pid;
378 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
379 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
380 }
381
382 void
383 audit_arg_signum(u_int signum)
384 {
385 struct kaudit_record *ar;
386
387 ar = currecord();
388 if (ar == NULL)
389 return;
390
391 ar->k_ar.ar_arg_signum = signum;
392 ARG_SET_VALID(ar, ARG_SIGNUM);
393 }
394
395 void
396 audit_arg_socket(int sodomain, int sotype, int soprotocol)
397 {
398 struct kaudit_record *ar;
399
400 ar = currecord();
401 if (ar == NULL)
402 return;
403
404 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
405 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
406 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
407 ARG_SET_VALID(ar, ARG_SOCKINFO);
408 }
409
410 void
411 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
412 {
413 struct kaudit_record *ar;
414
415 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
416 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
417
418 ar = currecord();
419 if (ar == NULL)
420 return;
421
422 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
423 switch (sa->sa_family) {
424 case AF_INET:
425 ARG_SET_VALID(ar, ARG_SADDRINET);
426 break;
427
428 case AF_INET6:
429 ARG_SET_VALID(ar, ARG_SADDRINET6);
430 break;
431
432 case AF_UNIX:
433 audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
434 ARG_UPATH1);
435 ARG_SET_VALID(ar, ARG_SADDRUNIX);
436 break;
437 /* XXXAUDIT: default:? */
438 }
439 }
440
441 void
442 audit_arg_auid(uid_t auid)
443 {
444 struct kaudit_record *ar;
445
446 ar = currecord();
447 if (ar == NULL)
448 return;
449
450 ar->k_ar.ar_arg_auid = auid;
451 ARG_SET_VALID(ar, ARG_AUID);
452 }
453
454 void
455 audit_arg_auditinfo(struct auditinfo *au_info)
456 {
457 struct kaudit_record *ar;
458
459 ar = currecord();
460 if (ar == NULL)
461 return;
462
463 ar->k_ar.ar_arg_auid = au_info->ai_auid;
464 ar->k_ar.ar_arg_asid = au_info->ai_asid;
465 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
466 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
467 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
468 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
469 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
470 }
471
472 void
473 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
474 {
475 struct kaudit_record *ar;
476
477 ar = currecord();
478 if (ar == NULL)
479 return;
480
481 ar->k_ar.ar_arg_auid = au_info->ai_auid;
482 ar->k_ar.ar_arg_asid = au_info->ai_asid;
483 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
484 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
485 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
486 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
487 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
488 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
489 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
490 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
491 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
492 }
493
494 void
495 audit_arg_text(char *text)
496 {
497 struct kaudit_record *ar;
498
499 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
500
501 ar = currecord();
502 if (ar == NULL)
503 return;
504
505 /* Invalidate the text string */
506 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
507
508 if (ar->k_ar.ar_arg_text == NULL)
509 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
510 M_WAITOK);
511
512 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
513 ARG_SET_VALID(ar, ARG_TEXT);
514 }
515
516 void
517 audit_arg_cmd(int cmd)
518 {
519 struct kaudit_record *ar;
520
521 ar = currecord();
522 if (ar == NULL)
523 return;
524
525 ar->k_ar.ar_arg_cmd = cmd;
526 ARG_SET_VALID(ar, ARG_CMD);
527 }
528
529 void
530 audit_arg_svipc_cmd(int cmd)
531 {
532 struct kaudit_record *ar;
533
534 ar = currecord();
535 if (ar == NULL)
536 return;
537
538 ar->k_ar.ar_arg_svipc_cmd = cmd;
539 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
540 }
541
542 void
543 audit_arg_svipc_perm(struct ipc_perm *perm)
544 {
545 struct kaudit_record *ar;
546
547 ar = currecord();
548 if (ar == NULL)
549 return;
550
551 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
552 sizeof(ar->k_ar.ar_arg_svipc_perm));
553 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
554 }
555
556 void
557 audit_arg_svipc_id(int id)
558 {
559 struct kaudit_record *ar;
560
561 ar = currecord();
562 if (ar == NULL)
563 return;
564
565 ar->k_ar.ar_arg_svipc_id = id;
566 ARG_SET_VALID(ar, ARG_SVIPC_ID);
567 }
568
569 void
570 audit_arg_svipc_addr(void * addr)
571 {
572 struct kaudit_record *ar;
573
574 ar = currecord();
575 if (ar == NULL)
576 return;
577
578 ar->k_ar.ar_arg_svipc_addr = addr;
579 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
580 }
581
582 void
583 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
584 {
585 struct kaudit_record *ar;
586
587 ar = currecord();
588 if (ar == NULL)
589 return;
590
591 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
592 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
593 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
594 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
595 }
596
597 void
598 audit_arg_auditon(union auditon_udata *udata)
599 {
600 struct kaudit_record *ar;
601
602 ar = currecord();
603 if (ar == NULL)
604 return;
605
606 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
607 sizeof(ar->k_ar.ar_arg_auditon));
608 ARG_SET_VALID(ar, ARG_AUDITON);
609 }
610
611 /*
612 * Audit information about a file, either the file's vnode info, or its
613 * socket address info.
614 */
615 void
616 audit_arg_file(struct proc *p, struct file *fp)
617 {
618 struct kaudit_record *ar;
619 struct socket *so;
620 struct inpcb *pcb;
621 struct vnode *vp;
622 int vfslocked;
623
624 ar = currecord();
625 if (ar == NULL)
626 return;
627
628 switch (fp->f_type) {
629 case DTYPE_VNODE:
630 case DTYPE_FIFO:
631 /*
632 * XXXAUDIT: Only possibly to record as first vnode?
633 */
634 vp = fp->f_vnode;
635 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
636 vn_lock(vp, LK_SHARED | LK_RETRY, curthread);
637 audit_arg_vnode(vp, ARG_VNODE1);
638 VOP_UNLOCK(vp, 0, curthread);
639 VFS_UNLOCK_GIANT(vfslocked);
640 break;
641
642 case DTYPE_SOCKET:
643 so = (struct socket *)fp->f_data;
644 if (INP_CHECK_SOCKAF(so, PF_INET)) {
645 SOCK_LOCK(so);
646 ar->k_ar.ar_arg_sockinfo.so_type =
647 so->so_type;
648 ar->k_ar.ar_arg_sockinfo.so_domain =
649 INP_SOCKAF(so);
650 ar->k_ar.ar_arg_sockinfo.so_protocol =
651 so->so_proto->pr_protocol;
652 SOCK_UNLOCK(so);
653 pcb = (struct inpcb *)so->so_pcb;
654 INP_RLOCK(pcb);
655 ar->k_ar.ar_arg_sockinfo.so_raddr =
656 pcb->inp_faddr.s_addr;
657 ar->k_ar.ar_arg_sockinfo.so_laddr =
658 pcb->inp_laddr.s_addr;
659 ar->k_ar.ar_arg_sockinfo.so_rport =
660 pcb->inp_fport;
661 ar->k_ar.ar_arg_sockinfo.so_lport =
662 pcb->inp_lport;
663 INP_RUNLOCK(pcb);
664 ARG_SET_VALID(ar, ARG_SOCKINFO);
665 }
666 break;
667
668 default:
669 /* XXXAUDIT: else? */
670 break;
671 }
672 }
673
674 /*
675 * Store a path as given by the user process for auditing into the audit
676 * record stored on the user thread. This function will allocate the memory
677 * to store the path info if not already available. This memory will be
678 * freed when the audit record is freed.
679 *
680 * XXXAUDIT: Possibly assert that the memory isn't already allocated?
681 */
682 void
683 audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
684 {
685 struct kaudit_record *ar;
686 char **pathp;
687
688 KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
689 KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
690
691 ar = currecord();
692 if (ar == NULL)
693 return;
694
695 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
696 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
697 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
698 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
699
700 if (flag == ARG_UPATH1)
701 pathp = &ar->k_ar.ar_arg_upath1;
702 else
703 pathp = &ar->k_ar.ar_arg_upath2;
704
705 if (*pathp == NULL)
706 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
707
708 audit_canon_path(td, upath, *pathp);
709
710 ARG_SET_VALID(ar, flag);
711 }
712
713 /*
714 * Function to save the path and vnode attr information into the audit
715 * record.
716 *
717 * It is assumed that the caller will hold any vnode locks necessary to
718 * perform a VOP_GETATTR() on the passed vnode.
719 *
720 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
721 * provides access to the generation number as we need that to construct the
722 * BSM file ID.
723 *
724 * XXX: We should accept the process argument from the caller, since it's
725 * very likely they already have a reference.
726 *
727 * XXX: Error handling in this function is poor.
728 *
729 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
730 */
731 void
732 audit_arg_vnode(struct vnode *vp, u_int64_t flags)
733 {
734 struct kaudit_record *ar;
735 struct vattr vattr;
736 int error;
737 struct vnode_au_info *vnp;
738
739 KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
740 KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
741 ("audit_arg_vnode: flags %jd", (intmax_t)flags));
742
743 /*
744 * Assume that if the caller is calling audit_arg_vnode() on a
745 * non-MPSAFE vnode, then it will have acquired Giant.
746 */
747 VFS_ASSERT_GIANT(vp->v_mount);
748 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
749
750 ar = currecord();
751 if (ar == NULL)
752 return;
753
754 /*
755 * XXXAUDIT: The below clears, and then resets the flags for valid
756 * arguments. Ideally, either the new vnode is used, or the old one
757 * would be.
758 */
759 if (flags & ARG_VNODE1) {
760 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
761 vnp = &ar->k_ar.ar_arg_vnode1;
762 } else {
763 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
764 vnp = &ar->k_ar.ar_arg_vnode2;
765 }
766
767 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
768 if (error) {
769 /* XXX: How to handle this case? */
770 return;
771 }
772
773 vnp->vn_mode = vattr.va_mode;
774 vnp->vn_uid = vattr.va_uid;
775 vnp->vn_gid = vattr.va_gid;
776 vnp->vn_dev = vattr.va_rdev;
777 vnp->vn_fsid = vattr.va_fsid;
778 vnp->vn_fileid = vattr.va_fileid;
779 vnp->vn_gen = vattr.va_gen;
780 if (flags & ARG_VNODE1)
781 ARG_SET_VALID(ar, ARG_VNODE1);
782 else
783 ARG_SET_VALID(ar, ARG_VNODE2);
784 }
785
786 /*
787 * Audit the argument strings passed to exec.
788 */
789 void
790 audit_arg_argv(char *argv, int argc, int length)
791 {
792 struct kaudit_record *ar;
793
794 if (audit_argv == 0)
795 return;
796
797 ar = currecord();
798 if (ar == NULL)
799 return;
800
801 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
802 bcopy(argv, ar->k_ar.ar_arg_argv, length);
803 ar->k_ar.ar_arg_argc = argc;
804 ARG_SET_VALID(ar, ARG_ARGV);
805 }
806
807 /*
808 * Audit the environment strings passed to exec.
809 */
810 void
811 audit_arg_envv(char *envv, int envc, int length)
812 {
813 struct kaudit_record *ar;
814
815 if (audit_arge == 0)
816 return;
817
818 ar = currecord();
819 if (ar == NULL)
820 return;
821
822 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
823 bcopy(envv, ar->k_ar.ar_arg_envv, length);
824 ar->k_ar.ar_arg_envc = envc;
825 ARG_SET_VALID(ar, ARG_ENVV);
826 }
827
828 /*
829 * The close() system call uses it's own audit call to capture the path/vnode
830 * information because those pieces are not easily obtained within the system
831 * call itself.
832 */
833 void
834 audit_sysclose(struct thread *td, int fd)
835 {
836 struct kaudit_record *ar;
837 struct vnode *vp;
838 struct file *fp;
839 int vfslocked;
840
841 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
842
843 ar = currecord();
844 if (ar == NULL)
845 return;
846
847 audit_arg_fd(fd);
848
849 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
850 return;
851
852 vp = fp->f_vnode;
853 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
854 vn_lock(vp, LK_SHARED | LK_RETRY, td);
855 audit_arg_vnode(vp, ARG_VNODE1);
856 VOP_UNLOCK(vp, 0, td);
857 VFS_UNLOCK_GIANT(vfslocked);
858 fdrop(fp, td);
859 }
Cache object: ce0f021b550264a8d216a0a94c6ba2a4
|