1 /*-
2 * Copyright (c) 1999-2005 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include <sys/param.h>
34 #include <sys/filedesc.h>
35 #include <sys/ipc.h>
36 #include <sys/mount.h>
37 #include <sys/proc.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/protosw.h>
41 #include <sys/domain.h>
42 #include <sys/sbuf.h>
43 #include <sys/systm.h>
44 #include <sys/un.h>
45 #include <sys/vnode.h>
46
47 #include <netinet/in.h>
48 #include <netinet/in_pcb.h>
49
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52
53 /*
54 * Calls to manipulate elements of the audit record structure from system
55 * call code. Macro wrappers will prevent this functions from being entered
56 * if auditing is disabled, avoiding the function call cost. We check the
57 * thread audit record pointer anyway, as the audit condition could change,
58 * and pre-selection may not have allocated an audit record for this event.
59 *
60 * XXXAUDIT: Should we assert, in each case, that this field of the record
61 * hasn't already been filled in?
62 */
63 void
64 audit_arg_addr(void *addr)
65 {
66 struct kaudit_record *ar;
67
68 ar = currecord();
69 if (ar == NULL)
70 return;
71
72 ar->k_ar.ar_arg_addr = addr;
73 ARG_SET_VALID(ar, ARG_ADDR);
74 }
75
76 void
77 audit_arg_exit(int status, int retval)
78 {
79 struct kaudit_record *ar;
80
81 ar = currecord();
82 if (ar == NULL)
83 return;
84
85 ar->k_ar.ar_arg_exitstatus = status;
86 ar->k_ar.ar_arg_exitretval = retval;
87 ARG_SET_VALID(ar, ARG_EXIT);
88 }
89
90 void
91 audit_arg_len(int len)
92 {
93 struct kaudit_record *ar;
94
95 ar = currecord();
96 if (ar == NULL)
97 return;
98
99 ar->k_ar.ar_arg_len = len;
100 ARG_SET_VALID(ar, ARG_LEN);
101 }
102
103 void
104 audit_arg_atfd1(int atfd)
105 {
106 struct kaudit_record *ar;
107
108 ar = currecord();
109 if (ar == NULL)
110 return;
111
112 ar->k_ar.ar_arg_atfd1 = atfd;
113 ARG_SET_VALID(ar, ARG_ATFD1);
114 }
115
116 void
117 audit_arg_atfd2(int atfd)
118 {
119 struct kaudit_record *ar;
120
121 ar = currecord();
122 if (ar == NULL)
123 return;
124
125 ar->k_ar.ar_arg_atfd2 = atfd;
126 ARG_SET_VALID(ar, ARG_ATFD2);
127 }
128
129 void
130 audit_arg_fd(int fd)
131 {
132 struct kaudit_record *ar;
133
134 ar = currecord();
135 if (ar == NULL)
136 return;
137
138 ar->k_ar.ar_arg_fd = fd;
139 ARG_SET_VALID(ar, ARG_FD);
140 }
141
142 void
143 audit_arg_fflags(int fflags)
144 {
145 struct kaudit_record *ar;
146
147 ar = currecord();
148 if (ar == NULL)
149 return;
150
151 ar->k_ar.ar_arg_fflags = fflags;
152 ARG_SET_VALID(ar, ARG_FFLAGS);
153 }
154
155 void
156 audit_arg_gid(gid_t gid)
157 {
158 struct kaudit_record *ar;
159
160 ar = currecord();
161 if (ar == NULL)
162 return;
163
164 ar->k_ar.ar_arg_gid = gid;
165 ARG_SET_VALID(ar, ARG_GID);
166 }
167
168 void
169 audit_arg_uid(uid_t uid)
170 {
171 struct kaudit_record *ar;
172
173 ar = currecord();
174 if (ar == NULL)
175 return;
176
177 ar->k_ar.ar_arg_uid = uid;
178 ARG_SET_VALID(ar, ARG_UID);
179 }
180
181 void
182 audit_arg_egid(gid_t egid)
183 {
184 struct kaudit_record *ar;
185
186 ar = currecord();
187 if (ar == NULL)
188 return;
189
190 ar->k_ar.ar_arg_egid = egid;
191 ARG_SET_VALID(ar, ARG_EGID);
192 }
193
194 void
195 audit_arg_euid(uid_t euid)
196 {
197 struct kaudit_record *ar;
198
199 ar = currecord();
200 if (ar == NULL)
201 return;
202
203 ar->k_ar.ar_arg_euid = euid;
204 ARG_SET_VALID(ar, ARG_EUID);
205 }
206
207 void
208 audit_arg_rgid(gid_t rgid)
209 {
210 struct kaudit_record *ar;
211
212 ar = currecord();
213 if (ar == NULL)
214 return;
215
216 ar->k_ar.ar_arg_rgid = rgid;
217 ARG_SET_VALID(ar, ARG_RGID);
218 }
219
220 void
221 audit_arg_ruid(uid_t ruid)
222 {
223 struct kaudit_record *ar;
224
225 ar = currecord();
226 if (ar == NULL)
227 return;
228
229 ar->k_ar.ar_arg_ruid = ruid;
230 ARG_SET_VALID(ar, ARG_RUID);
231 }
232
233 void
234 audit_arg_sgid(gid_t sgid)
235 {
236 struct kaudit_record *ar;
237
238 ar = currecord();
239 if (ar == NULL)
240 return;
241
242 ar->k_ar.ar_arg_sgid = sgid;
243 ARG_SET_VALID(ar, ARG_SGID);
244 }
245
246 void
247 audit_arg_suid(uid_t suid)
248 {
249 struct kaudit_record *ar;
250
251 ar = currecord();
252 if (ar == NULL)
253 return;
254
255 ar->k_ar.ar_arg_suid = suid;
256 ARG_SET_VALID(ar, ARG_SUID);
257 }
258
259 void
260 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
261 {
262 u_int i;
263 struct kaudit_record *ar;
264
265 KASSERT(gidset_size <= ngroups_max + 1,
266 ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));
267
268 ar = currecord();
269 if (ar == NULL)
270 return;
271
272 if (ar->k_ar.ar_arg_groups.gidset == NULL)
273 ar->k_ar.ar_arg_groups.gidset = malloc(
274 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK);
275
276 for (i = 0; i < gidset_size; i++)
277 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
278 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
279 ARG_SET_VALID(ar, ARG_GROUPSET);
280 }
281
282 void
283 audit_arg_login(char *login)
284 {
285 struct kaudit_record *ar;
286
287 ar = currecord();
288 if (ar == NULL)
289 return;
290
291 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
292 ARG_SET_VALID(ar, ARG_LOGIN);
293 }
294
295 void
296 audit_arg_ctlname(int *name, int namelen)
297 {
298 struct kaudit_record *ar;
299
300 ar = currecord();
301 if (ar == NULL)
302 return;
303
304 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
305 ar->k_ar.ar_arg_len = namelen;
306 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
307 }
308
309 void
310 audit_arg_mask(int mask)
311 {
312 struct kaudit_record *ar;
313
314 ar = currecord();
315 if (ar == NULL)
316 return;
317
318 ar->k_ar.ar_arg_mask = mask;
319 ARG_SET_VALID(ar, ARG_MASK);
320 }
321
322 void
323 audit_arg_mode(mode_t mode)
324 {
325 struct kaudit_record *ar;
326
327 ar = currecord();
328 if (ar == NULL)
329 return;
330
331 ar->k_ar.ar_arg_mode = mode;
332 ARG_SET_VALID(ar, ARG_MODE);
333 }
334
335 void
336 audit_arg_dev(int dev)
337 {
338 struct kaudit_record *ar;
339
340 ar = currecord();
341 if (ar == NULL)
342 return;
343
344 ar->k_ar.ar_arg_dev = dev;
345 ARG_SET_VALID(ar, ARG_DEV);
346 }
347
348 void
349 audit_arg_value(long value)
350 {
351 struct kaudit_record *ar;
352
353 ar = currecord();
354 if (ar == NULL)
355 return;
356
357 ar->k_ar.ar_arg_value = value;
358 ARG_SET_VALID(ar, ARG_VALUE);
359 }
360
361 void
362 audit_arg_owner(uid_t uid, gid_t gid)
363 {
364 struct kaudit_record *ar;
365
366 ar = currecord();
367 if (ar == NULL)
368 return;
369
370 ar->k_ar.ar_arg_uid = uid;
371 ar->k_ar.ar_arg_gid = gid;
372 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
373 }
374
375 void
376 audit_arg_pid(pid_t pid)
377 {
378 struct kaudit_record *ar;
379
380 ar = currecord();
381 if (ar == NULL)
382 return;
383
384 ar->k_ar.ar_arg_pid = pid;
385 ARG_SET_VALID(ar, ARG_PID);
386 }
387
388 void
389 audit_arg_process(struct proc *p)
390 {
391 struct kaudit_record *ar;
392 struct ucred *cred;
393
394 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
395
396 PROC_LOCK_ASSERT(p, MA_OWNED);
397
398 ar = currecord();
399 if (ar == NULL)
400 return;
401
402 cred = p->p_ucred;
403 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
404 ar->k_ar.ar_arg_euid = cred->cr_uid;
405 ar->k_ar.ar_arg_egid = cred->cr_groups[0];
406 ar->k_ar.ar_arg_ruid = cred->cr_ruid;
407 ar->k_ar.ar_arg_rgid = cred->cr_rgid;
408 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
409 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
410 ar->k_ar.ar_arg_pid = p->p_pid;
411 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
412 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
413 }
414
415 void
416 audit_arg_signum(u_int signum)
417 {
418 struct kaudit_record *ar;
419
420 ar = currecord();
421 if (ar == NULL)
422 return;
423
424 ar->k_ar.ar_arg_signum = signum;
425 ARG_SET_VALID(ar, ARG_SIGNUM);
426 }
427
428 void
429 audit_arg_socket(int sodomain, int sotype, int soprotocol)
430 {
431 struct kaudit_record *ar;
432
433 ar = currecord();
434 if (ar == NULL)
435 return;
436
437 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
438 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
439 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
440 ARG_SET_VALID(ar, ARG_SOCKINFO);
441 }
442
443 void
444 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
445 {
446 struct kaudit_record *ar;
447
448 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
449 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
450
451 ar = currecord();
452 if (ar == NULL)
453 return;
454
455 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
456 switch (sa->sa_family) {
457 case AF_INET:
458 ARG_SET_VALID(ar, ARG_SADDRINET);
459 break;
460
461 case AF_INET6:
462 ARG_SET_VALID(ar, ARG_SADDRINET6);
463 break;
464
465 case AF_UNIX:
466 audit_arg_upath1(td, AT_FDCWD,
467 ((struct sockaddr_un *)sa)->sun_path);
468 ARG_SET_VALID(ar, ARG_SADDRUNIX);
469 break;
470 /* XXXAUDIT: default:? */
471 }
472 }
473
474 void
475 audit_arg_auid(uid_t auid)
476 {
477 struct kaudit_record *ar;
478
479 ar = currecord();
480 if (ar == NULL)
481 return;
482
483 ar->k_ar.ar_arg_auid = auid;
484 ARG_SET_VALID(ar, ARG_AUID);
485 }
486
487 void
488 audit_arg_auditinfo(struct auditinfo *au_info)
489 {
490 struct kaudit_record *ar;
491
492 ar = currecord();
493 if (ar == NULL)
494 return;
495
496 ar->k_ar.ar_arg_auid = au_info->ai_auid;
497 ar->k_ar.ar_arg_asid = au_info->ai_asid;
498 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
499 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
500 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
501 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
502 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
503 }
504
505 void
506 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
507 {
508 struct kaudit_record *ar;
509
510 ar = currecord();
511 if (ar == NULL)
512 return;
513
514 ar->k_ar.ar_arg_auid = au_info->ai_auid;
515 ar->k_ar.ar_arg_asid = au_info->ai_asid;
516 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
517 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
518 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
519 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
520 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
521 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
522 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
523 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
524 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
525 }
526
527 void
528 audit_arg_text(char *text)
529 {
530 struct kaudit_record *ar;
531
532 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
533
534 ar = currecord();
535 if (ar == NULL)
536 return;
537
538 /* Invalidate the text string */
539 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
540
541 if (ar->k_ar.ar_arg_text == NULL)
542 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
543 M_WAITOK);
544
545 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
546 ARG_SET_VALID(ar, ARG_TEXT);
547 }
548
549 void
550 audit_arg_cmd(int cmd)
551 {
552 struct kaudit_record *ar;
553
554 ar = currecord();
555 if (ar == NULL)
556 return;
557
558 ar->k_ar.ar_arg_cmd = cmd;
559 ARG_SET_VALID(ar, ARG_CMD);
560 }
561
562 void
563 audit_arg_svipc_cmd(int cmd)
564 {
565 struct kaudit_record *ar;
566
567 ar = currecord();
568 if (ar == NULL)
569 return;
570
571 ar->k_ar.ar_arg_svipc_cmd = cmd;
572 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
573 }
574
575 void
576 audit_arg_svipc_perm(struct ipc_perm *perm)
577 {
578 struct kaudit_record *ar;
579
580 ar = currecord();
581 if (ar == NULL)
582 return;
583
584 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
585 sizeof(ar->k_ar.ar_arg_svipc_perm));
586 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
587 }
588
589 void
590 audit_arg_svipc_id(int id)
591 {
592 struct kaudit_record *ar;
593
594 ar = currecord();
595 if (ar == NULL)
596 return;
597
598 ar->k_ar.ar_arg_svipc_id = id;
599 ARG_SET_VALID(ar, ARG_SVIPC_ID);
600 }
601
602 void
603 audit_arg_svipc_addr(void * addr)
604 {
605 struct kaudit_record *ar;
606
607 ar = currecord();
608 if (ar == NULL)
609 return;
610
611 ar->k_ar.ar_arg_svipc_addr = addr;
612 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
613 }
614
615 void
616 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
617 {
618 struct kaudit_record *ar;
619
620 ar = currecord();
621 if (ar == NULL)
622 return;
623
624 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
625 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
626 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
627 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
628 }
629
630 void
631 audit_arg_auditon(union auditon_udata *udata)
632 {
633 struct kaudit_record *ar;
634
635 ar = currecord();
636 if (ar == NULL)
637 return;
638
639 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
640 sizeof(ar->k_ar.ar_arg_auditon));
641 ARG_SET_VALID(ar, ARG_AUDITON);
642 }
643
644 /*
645 * Audit information about a file, either the file's vnode info, or its
646 * socket address info.
647 */
648 void
649 audit_arg_file(struct proc *p, struct file *fp)
650 {
651 struct kaudit_record *ar;
652 struct socket *so;
653 struct inpcb *pcb;
654 struct vnode *vp;
655 int vfslocked;
656
657 ar = currecord();
658 if (ar == NULL)
659 return;
660
661 switch (fp->f_type) {
662 case DTYPE_VNODE:
663 case DTYPE_FIFO:
664 /*
665 * XXXAUDIT: Only possibly to record as first vnode?
666 */
667 vp = fp->f_vnode;
668 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
669 vn_lock(vp, LK_SHARED | LK_RETRY);
670 audit_arg_vnode1(vp);
671 VOP_UNLOCK(vp, 0);
672 VFS_UNLOCK_GIANT(vfslocked);
673 break;
674
675 case DTYPE_SOCKET:
676 so = (struct socket *)fp->f_data;
677 if (INP_CHECK_SOCKAF(so, PF_INET)) {
678 SOCK_LOCK(so);
679 ar->k_ar.ar_arg_sockinfo.so_type =
680 so->so_type;
681 ar->k_ar.ar_arg_sockinfo.so_domain =
682 INP_SOCKAF(so);
683 ar->k_ar.ar_arg_sockinfo.so_protocol =
684 so->so_proto->pr_protocol;
685 SOCK_UNLOCK(so);
686 pcb = (struct inpcb *)so->so_pcb;
687 INP_RLOCK(pcb);
688 ar->k_ar.ar_arg_sockinfo.so_raddr =
689 pcb->inp_faddr.s_addr;
690 ar->k_ar.ar_arg_sockinfo.so_laddr =
691 pcb->inp_laddr.s_addr;
692 ar->k_ar.ar_arg_sockinfo.so_rport =
693 pcb->inp_fport;
694 ar->k_ar.ar_arg_sockinfo.so_lport =
695 pcb->inp_lport;
696 INP_RUNLOCK(pcb);
697 ARG_SET_VALID(ar, ARG_SOCKINFO);
698 }
699 break;
700
701 default:
702 /* XXXAUDIT: else? */
703 break;
704 }
705 }
706
707 /*
708 * Store a path as given by the user process for auditing into the audit
709 * record stored on the user thread. This function will allocate the memory
710 * to store the path info if not already available. This memory will be
711 * freed when the audit record is freed.
712 */
713 static void
714 audit_arg_upath(struct thread *td, int dirfd, char *upath, char **pathp)
715 {
716
717 if (*pathp == NULL)
718 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
719 audit_canon_path(td, dirfd, upath, *pathp);
720 }
721
722 void
723 audit_arg_upath1(struct thread *td, int dirfd, char *upath)
724 {
725 struct kaudit_record *ar;
726
727 ar = currecord();
728 if (ar == NULL)
729 return;
730
731 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath1);
732 ARG_SET_VALID(ar, ARG_UPATH1);
733 }
734
735 void
736 audit_arg_upath2(struct thread *td, int dirfd, char *upath)
737 {
738 struct kaudit_record *ar;
739
740 ar = currecord();
741 if (ar == NULL)
742 return;
743
744 audit_arg_upath(td, dirfd, upath, &ar->k_ar.ar_arg_upath2);
745 ARG_SET_VALID(ar, ARG_UPATH2);
746 }
747
748 /*
749 * Function to save the path and vnode attr information into the audit
750 * record.
751 *
752 * It is assumed that the caller will hold any vnode locks necessary to
753 * perform a VOP_GETATTR() on the passed vnode.
754 *
755 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
756 * provides access to the generation number as we need that to construct the
757 * BSM file ID.
758 *
759 * XXX: We should accept the process argument from the caller, since it's
760 * very likely they already have a reference.
761 *
762 * XXX: Error handling in this function is poor.
763 *
764 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
765 */
766 static int
767 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp)
768 {
769 struct vattr vattr;
770 int error;
771
772 /*
773 * Assume that if the caller is calling audit_arg_vnode() on a
774 * non-MPSAFE vnode, then it will have acquired Giant.
775 */
776 VFS_ASSERT_GIANT(vp->v_mount);
777 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
778
779 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred);
780 if (error) {
781 /* XXX: How to handle this case? */
782 return (error);
783 }
784
785 vnp->vn_mode = vattr.va_mode;
786 vnp->vn_uid = vattr.va_uid;
787 vnp->vn_gid = vattr.va_gid;
788 vnp->vn_dev = vattr.va_rdev;
789 vnp->vn_fsid = vattr.va_fsid;
790 vnp->vn_fileid = vattr.va_fileid;
791 vnp->vn_gen = vattr.va_gen;
792 return (0);
793 }
794
795 void
796 audit_arg_vnode1(struct vnode *vp)
797 {
798 struct kaudit_record *ar;
799 int error;
800
801 ar = currecord();
802 if (ar == NULL)
803 return;
804
805 ARG_CLEAR_VALID(ar, ARG_VNODE1);
806 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1);
807 if (error == 0)
808 ARG_SET_VALID(ar, ARG_VNODE1);
809 }
810
811 void
812 audit_arg_vnode2(struct vnode *vp)
813 {
814 struct kaudit_record *ar;
815 int error;
816
817 ar = currecord();
818 if (ar == NULL)
819 return;
820
821 ARG_CLEAR_VALID(ar, ARG_VNODE2);
822 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2);
823 if (error == 0)
824 ARG_SET_VALID(ar, ARG_VNODE2);
825 }
826
827 /*
828 * Audit the argument strings passed to exec.
829 */
830 void
831 audit_arg_argv(char *argv, int argc, int length)
832 {
833 struct kaudit_record *ar;
834
835 if (audit_argv == 0)
836 return;
837
838 ar = currecord();
839 if (ar == NULL)
840 return;
841
842 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
843 bcopy(argv, ar->k_ar.ar_arg_argv, length);
844 ar->k_ar.ar_arg_argc = argc;
845 ARG_SET_VALID(ar, ARG_ARGV);
846 }
847
848 /*
849 * Audit the environment strings passed to exec.
850 */
851 void
852 audit_arg_envv(char *envv, int envc, int length)
853 {
854 struct kaudit_record *ar;
855
856 if (audit_arge == 0)
857 return;
858
859 ar = currecord();
860 if (ar == NULL)
861 return;
862
863 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
864 bcopy(envv, ar->k_ar.ar_arg_envv, length);
865 ar->k_ar.ar_arg_envc = envc;
866 ARG_SET_VALID(ar, ARG_ENVV);
867 }
868
869 void
870 audit_arg_rights(cap_rights_t rights)
871 {
872 struct kaudit_record *ar;
873
874 ar = currecord();
875 if (ar == NULL)
876 return;
877
878 ar->k_ar.ar_arg_rights = rights;
879 ARG_SET_VALID(ar, ARG_RIGHTS);
880 }
881
882 /*
883 * The close() system call uses it's own audit call to capture the path/vnode
884 * information because those pieces are not easily obtained within the system
885 * call itself.
886 */
887 void
888 audit_sysclose(struct thread *td, int fd)
889 {
890 struct kaudit_record *ar;
891 struct vnode *vp;
892 struct file *fp;
893 int vfslocked;
894
895 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
896
897 ar = currecord();
898 if (ar == NULL)
899 return;
900
901 audit_arg_fd(fd);
902
903 if (getvnode(td->td_proc->p_fd, fd, 0, &fp) != 0)
904 return;
905
906 vp = fp->f_vnode;
907 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
908 vn_lock(vp, LK_SHARED | LK_RETRY);
909 audit_arg_vnode1(vp);
910 VOP_UNLOCK(vp, 0);
911 VFS_UNLOCK_GIANT(vfslocked);
912 fdrop(fp, td);
913 }
Cache object: 514b54248b4f01c4cd68666245079326
|