audit.c (159266) audit.c (159269)
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2006 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:

--- 13 unchanged lines hidden (view full) ---

22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2006 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:

--- 13 unchanged lines hidden (view full) ---

22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit.c 159266 2006-06-05 14:11:28Z rwatson $
30 * $FreeBSD: head/sys/security/audit/audit.c 159269 2006-06-05 14:48:17Z rwatson $
31 */
32
33#include <sys/param.h>
34#include <sys/condvar.h>
35#include <sys/conf.h>
36#include <sys/file.h>
37#include <sys/filedesc.h>
38#include <sys/fcntl.h>

--- 288 unchanged lines hidden (view full) ---

327}
328
329/*
330 * MPSAFE
331 */
332void
333audit_commit(struct kaudit_record *ar, int error, int retval)
334{
31 */
32
33#include <sys/param.h>
34#include <sys/condvar.h>
35#include <sys/conf.h>
36#include <sys/file.h>
37#include <sys/filedesc.h>
38#include <sys/fcntl.h>

--- 288 unchanged lines hidden (view full) ---

327}
328
329/*
330 * MPSAFE
331 */
332void
333audit_commit(struct kaudit_record *ar, int error, int retval)
334{
335 au_event_t event;
336 au_class_t class;
337 au_id_t auid;
335 int sorf;
336 struct au_mask *aumask;
337
338 if (ar == NULL)
339 return;
340
341 /*
342 * Decide whether to commit the audit record by checking the

--- 29 unchanged lines hidden (view full) ---

372 break;
373
374 case AUE_AUDITON:
375 /* Convert the auditon() command to an event */
376 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
377 break;
378 }
379
338 int sorf;
339 struct au_mask *aumask;
340
341 if (ar == NULL)
342 return;
343
344 /*
345 * Decide whether to commit the audit record by checking the

--- 29 unchanged lines hidden (view full) ---

375 break;
376
377 case AUE_AUDITON:
378 /* Convert the auditon() command to an event */
379 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
380 break;
381 }
382
380 if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
381 ar->k_ar_commit |= AR_COMMIT_KERNEL;
383 auid = ar->k_ar.ar_subj_auid;
384 event = ar->k_ar.ar_event;
385 class = au_event_class(event);
382
386
383 /*
384 * XXXRW: Why is this necessary? Should we ever accept a record that
385 * we're not willing to commit?
386 */
387 if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
387 ar->k_ar_commit |= AR_COMMIT_KERNEL;
388 if (au_preselect(event, class, aumask, sorf) != 0)
389 ar->k_ar_commit |= AR_PRESELECT_TRAIL;
390 if (audit_pipe_preselect(auid, event, class, sorf,
391 ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
392 ar->k_ar_commit |= AR_PRESELECT_PIPE;
393 if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) ==
394 0) {
388 mtx_lock(&audit_mtx);
389 audit_pre_q_len--;
390 mtx_unlock(&audit_mtx);
391 uma_zfree(audit_record_zone, ar);
392 return;
393 }
394
395 ar->k_ar.ar_errno = error;

--- 45 unchanged lines hidden (view full) ---

441 * audit_syscall_enter() is called on entry to each system call. It is
442 * responsible for deciding whether or not to audit the call (preselection),
443 * and if so, allocating a per-thread audit record. audit_new() will fill in
444 * basic thread/credential properties.
445 */
446void
447audit_syscall_enter(unsigned short code, struct thread *td)
448{
395 mtx_lock(&audit_mtx);
396 audit_pre_q_len--;
397 mtx_unlock(&audit_mtx);
398 uma_zfree(audit_record_zone, ar);
399 return;
400 }
401
402 ar->k_ar.ar_errno = error;

--- 45 unchanged lines hidden (view full) ---

448 * audit_syscall_enter() is called on entry to each system call. It is
449 * responsible for deciding whether or not to audit the call (preselection),
450 * and if so, allocating a per-thread audit record. audit_new() will fill in
451 * basic thread/credential properties.
452 */
453void
454audit_syscall_enter(unsigned short code, struct thread *td)
455{
449 int audit_event;
450 struct au_mask *aumask;
456 struct au_mask *aumask;
457 au_class_t class;
458 au_event_t event;
459 au_id_t auid;
451
452 KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
453
454 /*
455 * In FreeBSD, each ABI has its own system call table, and hence
456 * mapping of system call codes to audit events. Convert the code to
457 * an audit event identifier using the process system call table
458 * reference. In Darwin, there's only one, so we use the global
459 * symbol for the system call table.
460 *
461 * XXXAUDIT: Should we audit that a bad system call was made, and if
462 * so, how?
463 */
464 if (code >= td->td_proc->p_sysent->sv_size)
465 return;
466
460
461 KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
462
463 /*
464 * In FreeBSD, each ABI has its own system call table, and hence
465 * mapping of system call codes to audit events. Convert the code to
466 * an audit event identifier using the process system call table
467 * reference. In Darwin, there's only one, so we use the global
468 * symbol for the system call table.
469 *
470 * XXXAUDIT: Should we audit that a bad system call was made, and if
471 * so, how?
472 */
473 if (code >= td->td_proc->p_sysent->sv_size)
474 return;
475
467 audit_event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
468 if (audit_event == AUE_NULL)
476 event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
477 if (event == AUE_NULL)
469 return;
470
471 /*
472 * Check which audit mask to use; either the kernel non-attributable
473 * event mask or the process audit mask.
474 */
478 return;
479
480 /*
481 * Check which audit mask to use; either the kernel non-attributable
482 * event mask or the process audit mask.
483 */
475 if (td->td_proc->p_au->ai_auid == AU_DEFAUDITID)
484 auid = td->td_proc->p_au->ai_auid;
485 if (auid == AU_DEFAUDITID)
476 aumask = &audit_nae_mask;
477 else
478 aumask = &td->td_proc->p_au->ai_mask;
479
480 /*
481 * Allocate an audit record, if preselection allows it, and store
482 * in the thread for later use.
483 */
486 aumask = &audit_nae_mask;
487 else
488 aumask = &td->td_proc->p_au->ai_mask;
489
490 /*
491 * Allocate an audit record, if preselection allows it, and store
492 * in the thread for later use.
493 */
484 if (au_preselect(audit_event, aumask,
485 AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
494 class = au_event_class(event);
495 if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
486 /*
487 * If we're out of space and need to suspend unprivileged
488 * processes, do that here rather than trying to allocate
489 * another audit record.
490 *
491 * XXXRW: We might wish to be able to continue here in the
492 * future, if the system recovers. That should be possible
493 * by means of checking the condition in a loop around
494 * cv_wait(). It might be desirable to reevaluate whether an
495 * audit record is still required for this event by
496 * re-calling au_preselect().
497 */
498 if (audit_in_failure && suser(td) != 0) {
499 cv_wait(&audit_fail_cv, &audit_mtx);
500 panic("audit_failing_stop: thread continued");
501 }
496 /*
497 * If we're out of space and need to suspend unprivileged
498 * processes, do that here rather than trying to allocate
499 * another audit record.
500 *
501 * XXXRW: We might wish to be able to continue here in the
502 * future, if the system recovers. That should be possible
503 * by means of checking the condition in a loop around
504 * cv_wait(). It might be desirable to reevaluate whether an
505 * audit record is still required for this event by
506 * re-calling au_preselect().
507 */
508 if (audit_in_failure && suser(td) != 0) {
509 cv_wait(&audit_fail_cv, &audit_mtx);
510 panic("audit_failing_stop: thread continued");
511 }
502 td->td_ar = audit_new(audit_event, td);
503 } else
512 td->td_ar = audit_new(event, td);
513 } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
514 td->td_ar = audit_new(event, td);
515 else
504 td->td_ar = NULL;
505}
506
507/*
508 * audit_syscall_exit() is called from the return of every system call, or in
509 * the event of exit1(), during the execution of exit1(). It is responsible
510 * for committing the audit record, if any, along with return condition.
511 */

--- 127 unchanged lines hidden ---
516 td->td_ar = NULL;
517}
518
519/*
520 * audit_syscall_exit() is called from the return of every system call, or in
521 * the event of exit1(), during the execution of exit1(). It is responsible
522 * for committing the audit record, if any, along with return condition.
523 */

--- 127 unchanged lines hidden ---
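Review bot: The new drop test in audit_commit() (new lines 393-394) no longer consults AR_COMMIT_USER: a record is freed unless au_preselect() or audit_pipe_preselect() set AR_PRESELECT_TRAIL or AR_PRESELECT_PIPE, whereas the old test kept any record carrying AR_COMMIT_USER or AR_COMMIT_KERNEL. If records can reach this point already marked AR_COMMIT_USER (the old mask suggests so, but the code that sets it is outside the visible lines), they are now silently discarded whenever neither the kernel mask nor a pipe selects the event, which leaves a gap in the audit trail. Either keep the bit in the test, `if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) == 0) {`, and confirm the consumer routes such records, or add a comment stating that user-submitted records are deliberately subject to kernel preselection. Separately, `ar->k_ar_commit |= AR_COMMIT_KERNEL;` is now unconditional, so the flag no longer reflects a preselection result and deserves a one-line comment saying what it means after this change.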