1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
| 1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
|
30 */
31
32#include <sys/param.h>
33#include <sys/filedesc.h>
34#include <sys/ipc.h>
35#include <sys/mount.h>
36#include <sys/proc.h>
37#include <sys/socket.h>
38#include <sys/socketvar.h>
39#include <sys/protosw.h>
40#include <sys/domain.h>
41#include <sys/sbuf.h>
42#include <sys/systm.h>
43#include <sys/un.h>
44#include <sys/vnode.h>
45
46#include <netinet/in.h>
47#include <netinet/in_pcb.h>
48
49#include <security/audit/audit.h>
50#include <security/audit/audit_private.h>
51
52/*
53 * Calls to manipulate elements of the audit record structure from system
54 * call code. Macro wrappers will prevent this functions from being
55 * entered if auditing is disabled, avoiding the function call cost. We
56 * check the thread audit record pointer anyway, as the audit condition
57 * could change, and pre-selection may not have allocated an audit
58 * record for this event.
59 *
60 * XXXAUDIT: Should we assert, in each case, that this field of the record
61 * hasn't already been filled in?
62 */
63void
64audit_arg_addr(void * addr)
65{
66 struct kaudit_record *ar;
67
68 ar = currecord();
69 if (ar == NULL)
70 return;
71
72 ar->k_ar.ar_arg_addr = addr;
73 ARG_SET_VALID(ar, ARG_ADDR);
74}
75
76void
77audit_arg_exit(int status, int retval)
78{
79 struct kaudit_record *ar;
80
81 ar = currecord();
82 if (ar == NULL)
83 return;
84
85 ar->k_ar.ar_arg_exitstatus = status;
86 ar->k_ar.ar_arg_exitretval = retval;
87 ARG_SET_VALID(ar, ARG_EXIT);
88}
89
90void
91audit_arg_len(int len)
92{
93 struct kaudit_record *ar;
94
95 ar = currecord();
96 if (ar == NULL)
97 return;
98
99 ar->k_ar.ar_arg_len = len;
100 ARG_SET_VALID(ar, ARG_LEN);
101}
102
103void
104audit_arg_fd(int fd)
105{
106 struct kaudit_record *ar;
107
108 ar = currecord();
109 if (ar == NULL)
110 return;
111
112 ar->k_ar.ar_arg_fd = fd;
113 ARG_SET_VALID(ar, ARG_FD);
114}
115
116void
117audit_arg_fflags(int fflags)
118{
119 struct kaudit_record *ar;
120
121 ar = currecord();
122 if (ar == NULL)
123 return;
124
125 ar->k_ar.ar_arg_fflags = fflags;
126 ARG_SET_VALID(ar, ARG_FFLAGS);
127}
128
129void
130audit_arg_gid(gid_t gid)
131{
132 struct kaudit_record *ar;
133
134 ar = currecord();
135 if (ar == NULL)
136 return;
137
138 ar->k_ar.ar_arg_gid = gid;
139 ARG_SET_VALID(ar, ARG_GID);
140}
141
142void
143audit_arg_uid(uid_t uid)
144{
145 struct kaudit_record *ar;
146
147 ar = currecord();
148 if (ar == NULL)
149 return;
150
151 ar->k_ar.ar_arg_uid = uid;
152 ARG_SET_VALID(ar, ARG_UID);
153}
154
155void
156audit_arg_egid(gid_t egid)
157{
158 struct kaudit_record *ar;
159
160 ar = currecord();
161 if (ar == NULL)
162 return;
163
164 ar->k_ar.ar_arg_egid = egid;
165 ARG_SET_VALID(ar, ARG_EGID);
166}
167
168void
169audit_arg_euid(uid_t euid)
170{
171 struct kaudit_record *ar;
172
173 ar = currecord();
174 if (ar == NULL)
175 return;
176
177 ar->k_ar.ar_arg_euid = euid;
178 ARG_SET_VALID(ar, ARG_EUID);
179}
180
181void
182audit_arg_rgid(gid_t rgid)
183{
184 struct kaudit_record *ar;
185
186 ar = currecord();
187 if (ar == NULL)
188 return;
189
190 ar->k_ar.ar_arg_rgid = rgid;
191 ARG_SET_VALID(ar, ARG_RGID);
192}
193
194void
195audit_arg_ruid(uid_t ruid)
196{
197 struct kaudit_record *ar;
198
199 ar = currecord();
200 if (ar == NULL)
201 return;
202
203 ar->k_ar.ar_arg_ruid = ruid;
204 ARG_SET_VALID(ar, ARG_RUID);
205}
206
207void
208audit_arg_sgid(gid_t sgid)
209{
210 struct kaudit_record *ar;
211
212 ar = currecord();
213 if (ar == NULL)
214 return;
215
216 ar->k_ar.ar_arg_sgid = sgid;
217 ARG_SET_VALID(ar, ARG_SGID);
218}
219
220void
221audit_arg_suid(uid_t suid)
222{
223 struct kaudit_record *ar;
224
225 ar = currecord();
226 if (ar == NULL)
227 return;
228
229 ar->k_ar.ar_arg_suid = suid;
230 ARG_SET_VALID(ar, ARG_SUID);
231}
232
233void
234audit_arg_groupset(gid_t *gidset, u_int gidset_size)
235{
236 int i;
237 struct kaudit_record *ar;
238
239 ar = currecord();
240 if (ar == NULL)
241 return;
242
243 for (i = 0; i < gidset_size; i++)
244 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
245 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
246 ARG_SET_VALID(ar, ARG_GROUPSET);
247}
248
249void
250audit_arg_login(char *login)
251{
252 struct kaudit_record *ar;
253
254 ar = currecord();
255 if (ar == NULL)
256 return;
257
258 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
259 ARG_SET_VALID(ar, ARG_LOGIN);
260}
261
262void
263audit_arg_ctlname(int *name, int namelen)
264{
265 struct kaudit_record *ar;
266
267 ar = currecord();
268 if (ar == NULL)
269 return;
270
271 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
272 ar->k_ar.ar_arg_len = namelen;
273 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
274}
275
276void
277audit_arg_mask(int mask)
278{
279 struct kaudit_record *ar;
280
281 ar = currecord();
282 if (ar == NULL)
283 return;
284
285 ar->k_ar.ar_arg_mask = mask;
286 ARG_SET_VALID(ar, ARG_MASK);
287}
288
289void
290audit_arg_mode(mode_t mode)
291{
292 struct kaudit_record *ar;
293
294 ar = currecord();
295 if (ar == NULL)
296 return;
297
298 ar->k_ar.ar_arg_mode = mode;
299 ARG_SET_VALID(ar, ARG_MODE);
300}
301
302void
303audit_arg_dev(int dev)
304{
305 struct kaudit_record *ar;
306
307 ar = currecord();
308 if (ar == NULL)
309 return;
310
311 ar->k_ar.ar_arg_dev = dev;
312 ARG_SET_VALID(ar, ARG_DEV);
313}
314
315void
316audit_arg_value(long value)
317{
318 struct kaudit_record *ar;
319
320 ar = currecord();
321 if (ar == NULL)
322 return;
323
324 ar->k_ar.ar_arg_value = value;
325 ARG_SET_VALID(ar, ARG_VALUE);
326}
327
328void
329audit_arg_owner(uid_t uid, gid_t gid)
330{
331 struct kaudit_record *ar;
332
333 ar = currecord();
334 if (ar == NULL)
335 return;
336
337 ar->k_ar.ar_arg_uid = uid;
338 ar->k_ar.ar_arg_gid = gid;
339 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
340}
341
342void
343audit_arg_pid(pid_t pid)
344{
345 struct kaudit_record *ar;
346
347 ar = currecord();
348 if (ar == NULL)
349 return;
350
351 ar->k_ar.ar_arg_pid = pid;
352 ARG_SET_VALID(ar, ARG_PID);
353}
354
355void
356audit_arg_process(struct proc *p)
357{
358 struct kaudit_record *ar;
359
360 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
361
362 PROC_LOCK_ASSERT(p, MA_OWNED);
363
364 ar = currecord();
365 if (ar == NULL)
366 return;
367
368 ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
369 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
370 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
371 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
372 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
373 ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
374 ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
375 ar->k_ar.ar_arg_pid = p->p_pid;
376 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
377 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PID | ARG_PROCESS);
378}
379
380void
381audit_arg_signum(u_int signum)
382{
383 struct kaudit_record *ar;
384
385 ar = currecord();
386 if (ar == NULL)
387 return;
388
389 ar->k_ar.ar_arg_signum = signum;
390 ARG_SET_VALID(ar, ARG_SIGNUM);
391}
392
393void
394audit_arg_socket(int sodomain, int sotype, int soprotocol)
395{
396 struct kaudit_record *ar;
397
398 ar = currecord();
399 if (ar == NULL)
400 return;
401
402 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
403 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
404 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
405 ARG_SET_VALID(ar, ARG_SOCKINFO);
406}
407
408void
409audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
410{
411 struct kaudit_record *ar;
412
413 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
414 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
415
416 ar = currecord();
417 if (ar == NULL)
418 return;
419
| 30 */
31
32#include <sys/param.h>
33#include <sys/filedesc.h>
34#include <sys/ipc.h>
35#include <sys/mount.h>
36#include <sys/proc.h>
37#include <sys/socket.h>
38#include <sys/socketvar.h>
39#include <sys/protosw.h>
40#include <sys/domain.h>
41#include <sys/sbuf.h>
42#include <sys/systm.h>
43#include <sys/un.h>
44#include <sys/vnode.h>
45
46#include <netinet/in.h>
47#include <netinet/in_pcb.h>
48
49#include <security/audit/audit.h>
50#include <security/audit/audit_private.h>
51
52/*
53 * Calls to manipulate elements of the audit record structure from system
54 * call code. Macro wrappers will prevent this functions from being
55 * entered if auditing is disabled, avoiding the function call cost. We
56 * check the thread audit record pointer anyway, as the audit condition
57 * could change, and pre-selection may not have allocated an audit
58 * record for this event.
59 *
60 * XXXAUDIT: Should we assert, in each case, that this field of the record
61 * hasn't already been filled in?
62 */
63void
64audit_arg_addr(void * addr)
65{
66 struct kaudit_record *ar;
67
68 ar = currecord();
69 if (ar == NULL)
70 return;
71
72 ar->k_ar.ar_arg_addr = addr;
73 ARG_SET_VALID(ar, ARG_ADDR);
74}
75
76void
77audit_arg_exit(int status, int retval)
78{
79 struct kaudit_record *ar;
80
81 ar = currecord();
82 if (ar == NULL)
83 return;
84
85 ar->k_ar.ar_arg_exitstatus = status;
86 ar->k_ar.ar_arg_exitretval = retval;
87 ARG_SET_VALID(ar, ARG_EXIT);
88}
89
90void
91audit_arg_len(int len)
92{
93 struct kaudit_record *ar;
94
95 ar = currecord();
96 if (ar == NULL)
97 return;
98
99 ar->k_ar.ar_arg_len = len;
100 ARG_SET_VALID(ar, ARG_LEN);
101}
102
103void
104audit_arg_fd(int fd)
105{
106 struct kaudit_record *ar;
107
108 ar = currecord();
109 if (ar == NULL)
110 return;
111
112 ar->k_ar.ar_arg_fd = fd;
113 ARG_SET_VALID(ar, ARG_FD);
114}
115
116void
117audit_arg_fflags(int fflags)
118{
119 struct kaudit_record *ar;
120
121 ar = currecord();
122 if (ar == NULL)
123 return;
124
125 ar->k_ar.ar_arg_fflags = fflags;
126 ARG_SET_VALID(ar, ARG_FFLAGS);
127}
128
129void
130audit_arg_gid(gid_t gid)
131{
132 struct kaudit_record *ar;
133
134 ar = currecord();
135 if (ar == NULL)
136 return;
137
138 ar->k_ar.ar_arg_gid = gid;
139 ARG_SET_VALID(ar, ARG_GID);
140}
141
142void
143audit_arg_uid(uid_t uid)
144{
145 struct kaudit_record *ar;
146
147 ar = currecord();
148 if (ar == NULL)
149 return;
150
151 ar->k_ar.ar_arg_uid = uid;
152 ARG_SET_VALID(ar, ARG_UID);
153}
154
155void
156audit_arg_egid(gid_t egid)
157{
158 struct kaudit_record *ar;
159
160 ar = currecord();
161 if (ar == NULL)
162 return;
163
164 ar->k_ar.ar_arg_egid = egid;
165 ARG_SET_VALID(ar, ARG_EGID);
166}
167
168void
169audit_arg_euid(uid_t euid)
170{
171 struct kaudit_record *ar;
172
173 ar = currecord();
174 if (ar == NULL)
175 return;
176
177 ar->k_ar.ar_arg_euid = euid;
178 ARG_SET_VALID(ar, ARG_EUID);
179}
180
181void
182audit_arg_rgid(gid_t rgid)
183{
184 struct kaudit_record *ar;
185
186 ar = currecord();
187 if (ar == NULL)
188 return;
189
190 ar->k_ar.ar_arg_rgid = rgid;
191 ARG_SET_VALID(ar, ARG_RGID);
192}
193
194void
195audit_arg_ruid(uid_t ruid)
196{
197 struct kaudit_record *ar;
198
199 ar = currecord();
200 if (ar == NULL)
201 return;
202
203 ar->k_ar.ar_arg_ruid = ruid;
204 ARG_SET_VALID(ar, ARG_RUID);
205}
206
207void
208audit_arg_sgid(gid_t sgid)
209{
210 struct kaudit_record *ar;
211
212 ar = currecord();
213 if (ar == NULL)
214 return;
215
216 ar->k_ar.ar_arg_sgid = sgid;
217 ARG_SET_VALID(ar, ARG_SGID);
218}
219
220void
221audit_arg_suid(uid_t suid)
222{
223 struct kaudit_record *ar;
224
225 ar = currecord();
226 if (ar == NULL)
227 return;
228
229 ar->k_ar.ar_arg_suid = suid;
230 ARG_SET_VALID(ar, ARG_SUID);
231}
232
233void
234audit_arg_groupset(gid_t *gidset, u_int gidset_size)
235{
236 int i;
237 struct kaudit_record *ar;
238
239 ar = currecord();
240 if (ar == NULL)
241 return;
242
243 for (i = 0; i < gidset_size; i++)
244 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
245 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
246 ARG_SET_VALID(ar, ARG_GROUPSET);
247}
248
249void
250audit_arg_login(char *login)
251{
252 struct kaudit_record *ar;
253
254 ar = currecord();
255 if (ar == NULL)
256 return;
257
258 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
259 ARG_SET_VALID(ar, ARG_LOGIN);
260}
261
262void
263audit_arg_ctlname(int *name, int namelen)
264{
265 struct kaudit_record *ar;
266
267 ar = currecord();
268 if (ar == NULL)
269 return;
270
271 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
272 ar->k_ar.ar_arg_len = namelen;
273 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
274}
275
276void
277audit_arg_mask(int mask)
278{
279 struct kaudit_record *ar;
280
281 ar = currecord();
282 if (ar == NULL)
283 return;
284
285 ar->k_ar.ar_arg_mask = mask;
286 ARG_SET_VALID(ar, ARG_MASK);
287}
288
289void
290audit_arg_mode(mode_t mode)
291{
292 struct kaudit_record *ar;
293
294 ar = currecord();
295 if (ar == NULL)
296 return;
297
298 ar->k_ar.ar_arg_mode = mode;
299 ARG_SET_VALID(ar, ARG_MODE);
300}
301
302void
303audit_arg_dev(int dev)
304{
305 struct kaudit_record *ar;
306
307 ar = currecord();
308 if (ar == NULL)
309 return;
310
311 ar->k_ar.ar_arg_dev = dev;
312 ARG_SET_VALID(ar, ARG_DEV);
313}
314
315void
316audit_arg_value(long value)
317{
318 struct kaudit_record *ar;
319
320 ar = currecord();
321 if (ar == NULL)
322 return;
323
324 ar->k_ar.ar_arg_value = value;
325 ARG_SET_VALID(ar, ARG_VALUE);
326}
327
328void
329audit_arg_owner(uid_t uid, gid_t gid)
330{
331 struct kaudit_record *ar;
332
333 ar = currecord();
334 if (ar == NULL)
335 return;
336
337 ar->k_ar.ar_arg_uid = uid;
338 ar->k_ar.ar_arg_gid = gid;
339 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
340}
341
342void
343audit_arg_pid(pid_t pid)
344{
345 struct kaudit_record *ar;
346
347 ar = currecord();
348 if (ar == NULL)
349 return;
350
351 ar->k_ar.ar_arg_pid = pid;
352 ARG_SET_VALID(ar, ARG_PID);
353}
354
355void
356audit_arg_process(struct proc *p)
357{
358 struct kaudit_record *ar;
359
360 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
361
362 PROC_LOCK_ASSERT(p, MA_OWNED);
363
364 ar = currecord();
365 if (ar == NULL)
366 return;
367
368 ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
369 ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
370 ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
371 ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
372 ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
373 ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
374 ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
375 ar->k_ar.ar_arg_pid = p->p_pid;
376 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
377 ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PID | ARG_PROCESS);
378}
379
380void
381audit_arg_signum(u_int signum)
382{
383 struct kaudit_record *ar;
384
385 ar = currecord();
386 if (ar == NULL)
387 return;
388
389 ar->k_ar.ar_arg_signum = signum;
390 ARG_SET_VALID(ar, ARG_SIGNUM);
391}
392
393void
394audit_arg_socket(int sodomain, int sotype, int soprotocol)
395{
396 struct kaudit_record *ar;
397
398 ar = currecord();
399 if (ar == NULL)
400 return;
401
402 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
403 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
404 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
405 ARG_SET_VALID(ar, ARG_SOCKINFO);
406}
407
408void
409audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
410{
411 struct kaudit_record *ar;
412
413 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
414 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
415
416 ar = currecord();
417 if (ar == NULL)
418 return;
419
|
422 switch (sa->sa_family) {
423 case AF_INET:
424 ARG_SET_VALID(ar, ARG_SADDRINET);
425 break;
426
427 case AF_INET6:
428 ARG_SET_VALID(ar, ARG_SADDRINET6);
429 break;
430
431 case AF_UNIX:
432 audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
433 ARG_UPATH1);
434 ARG_SET_VALID(ar, ARG_SADDRUNIX);
435 break;
436 /* XXXAUDIT: default:? */
437 }
438}
439
440void
441audit_arg_auid(uid_t auid)
442{
443 struct kaudit_record *ar;
444
445 ar = currecord();
446 if (ar == NULL)
447 return;
448
449 ar->k_ar.ar_arg_auid = auid;
450 ARG_SET_VALID(ar, ARG_AUID);
451}
452
453void
454audit_arg_auditinfo(struct auditinfo *au_info)
455{
456 struct kaudit_record *ar;
457
458 ar = currecord();
459 if (ar == NULL)
460 return;
461
462 ar->k_ar.ar_arg_auid = au_info->ai_auid;
463 ar->k_ar.ar_arg_asid = au_info->ai_asid;
464 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
465 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
466 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
467 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
468 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
469}
470
471void
472audit_arg_text(char *text)
473{
474 struct kaudit_record *ar;
475
476 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
477
478 ar = currecord();
479 if (ar == NULL)
480 return;
481
482 /* Invalidate the text string */
483 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
484
485 if (ar->k_ar.ar_arg_text == NULL)
486 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
487 M_WAITOK);
488
489 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
490 ARG_SET_VALID(ar, ARG_TEXT);
491}
492
493void
494audit_arg_cmd(int cmd)
495{
496 struct kaudit_record *ar;
497
498 ar = currecord();
499 if (ar == NULL)
500 return;
501
502 ar->k_ar.ar_arg_cmd = cmd;
503 ARG_SET_VALID(ar, ARG_CMD);
504}
505
506void
507audit_arg_svipc_cmd(int cmd)
508{
509 struct kaudit_record *ar;
510
511 ar = currecord();
512 if (ar == NULL)
513 return;
514
515 ar->k_ar.ar_arg_svipc_cmd = cmd;
516 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
517}
518
519void
520audit_arg_svipc_perm(struct ipc_perm *perm)
521{
522 struct kaudit_record *ar;
523
524 ar = currecord();
525 if (ar == NULL)
526 return;
527
528 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
529 sizeof(ar->k_ar.ar_arg_svipc_perm));
530 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
531}
532
533void
534audit_arg_svipc_id(int id)
535{
536 struct kaudit_record *ar;
537
538 ar = currecord();
539 if (ar == NULL)
540 return;
541
542 ar->k_ar.ar_arg_svipc_id = id;
543 ARG_SET_VALID(ar, ARG_SVIPC_ID);
544}
545
546void
547audit_arg_svipc_addr(void * addr)
548{
549 struct kaudit_record *ar;
550
551 ar = currecord();
552 if (ar == NULL)
553 return;
554
555 ar->k_ar.ar_arg_svipc_addr = addr;
556 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
557}
558
559void
560audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
561{
562 struct kaudit_record *ar;
563
564 ar = currecord();
565 if (ar == NULL)
566 return;
567
568 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
569 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
570 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
571 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
572}
573
574void
575audit_arg_auditon(union auditon_udata *udata)
576{
577 struct kaudit_record *ar;
578
579 ar = currecord();
580 if (ar == NULL)
581 return;
582
583 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
584 sizeof(ar->k_ar.ar_arg_auditon));
585 ARG_SET_VALID(ar, ARG_AUDITON);
586}
587
588/*
589 * Audit information about a file, either the file's vnode info, or its
590 * socket address info.
591 */
592void
593audit_arg_file(struct proc *p, struct file *fp)
594{
595 struct kaudit_record *ar;
596 struct socket *so;
597 struct inpcb *pcb;
598 struct vnode *vp;
599 int vfslocked;
600
601 ar = currecord();
602 if (ar == NULL)
603 return;
604
605 switch (fp->f_type) {
606 case DTYPE_VNODE:
607 case DTYPE_FIFO:
608 /*
609 * XXXAUDIT: Only possibly to record as first vnode?
610 */
611 vp = fp->f_vnode;
612 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
613 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread);
614 audit_arg_vnode(vp, ARG_VNODE1);
615 VOP_UNLOCK(vp, 0, curthread);
616 VFS_UNLOCK_GIANT(vfslocked);
617 break;
618
619 case DTYPE_SOCKET:
620 so = (struct socket *)fp->f_data;
621 SOCK_LOCK(so);
622 if (INP_CHECK_SOCKAF(so, PF_INET)) {
623 if (so->so_pcb == NULL)
624 return;
625 ar->k_ar.ar_arg_sockinfo.so_type =
626 so->so_type;
627 ar->k_ar.ar_arg_sockinfo.so_domain =
628 INP_SOCKAF(so);
629 ar->k_ar.ar_arg_sockinfo.so_protocol =
630 so->so_proto->pr_protocol;
631 pcb = (struct inpcb *)so->so_pcb;
632 ar->k_ar.ar_arg_sockinfo.so_raddr =
633 pcb->inp_faddr.s_addr;
634 ar->k_ar.ar_arg_sockinfo.so_laddr =
635 pcb->inp_laddr.s_addr;
636 ar->k_ar.ar_arg_sockinfo.so_rport =
637 pcb->inp_fport;
638 ar->k_ar.ar_arg_sockinfo.so_lport =
639 pcb->inp_lport;
640 ARG_SET_VALID(ar, ARG_SOCKINFO);
641 }
642 SOCK_UNLOCK(so);
643 break;
644
645 default:
646 /* XXXAUDIT: else? */
647 break;
648 }
649
650}
651
652/*
653 * Store a path as given by the user process for auditing into the audit
654 * record stored on the user thread. This function will allocate the memory
655 * to store the path info if not already available. This memory will be freed
656 * when the audit record is freed.
657 *
658 * XXXAUDIT: Possibly assert that the memory isn't already allocated?
659 */
660void
661audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
662{
663 struct kaudit_record *ar;
664 char **pathp;
665
666 KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
667 KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
668
669 ar = currecord();
670 if (ar == NULL)
671 return;
672
673 /*
674 * XXXAUDIT: Witness warning for possible sleep here?
675 */
676 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
677 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
678 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
679 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
680
681 if (flag == ARG_UPATH1)
682 pathp = &ar->k_ar.ar_arg_upath1;
683 else
684 pathp = &ar->k_ar.ar_arg_upath2;
685
686 if (*pathp == NULL)
687 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
688
689 canon_path(td, upath, *pathp);
690
691 ARG_SET_VALID(ar, flag);
692}
693
694/*
695 * Function to save the path and vnode attr information into the audit
696 * record.
697 *
698 * It is assumed that the caller will hold any vnode locks necessary to
699 * perform a VOP_GETATTR() on the passed vnode.
700 *
701 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
702 * always provides access to the generation number as we need that
703 * to construct the BSM file ID.
704 * XXX: We should accept the process argument from the caller, since
705 * it's very likely they already have a reference.
706 * XXX: Error handling in this function is poor.
707 *
708 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
709 */
710void
711audit_arg_vnode(struct vnode *vp, u_int64_t flags)
712{
713 struct kaudit_record *ar;
714 struct vattr vattr;
715 int error;
716 struct vnode_au_info *vnp;
717
718 KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
719 KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
720 ("audit_arg_vnode: flags %jd", (intmax_t)flags));
721
722 /*
723 * Assume that if the caller is calling audit_arg_vnode() on a
724 * non-MPSAFE vnode, then it will have acquired Giant.
725 */
726 VFS_ASSERT_GIANT(vp->v_mount);
727 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
728
729 ar = currecord();
730 if (ar == NULL)
731 return;
732
733 /*
734 * XXXAUDIT: The below clears, and then resets the flags for valid
735 * arguments. Ideally, either the new vnode is used, or the old one
736 * would be.
737 */
738 if (flags & ARG_VNODE1) {
739 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
740 vnp = &ar->k_ar.ar_arg_vnode1;
741 } else {
742 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
743 vnp = &ar->k_ar.ar_arg_vnode2;
744 }
745
746 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
747 if (error) {
748 /* XXX: How to handle this case? */
749 return;
750 }
751
752 vnp->vn_mode = vattr.va_mode;
753 vnp->vn_uid = vattr.va_uid;
754 vnp->vn_gid = vattr.va_gid;
755 vnp->vn_dev = vattr.va_rdev;
756 vnp->vn_fsid = vattr.va_fsid;
757 vnp->vn_fileid = vattr.va_fileid;
758 vnp->vn_gen = vattr.va_gen;
759 if (flags & ARG_VNODE1)
760 ARG_SET_VALID(ar, ARG_VNODE1);
761 else
762 ARG_SET_VALID(ar, ARG_VNODE2);
763}
764
765/*
766 * Audit the argument strings passed to exec.
767 */
768void
769audit_arg_argv(char *argv, int argc, int length)
770{
771 struct kaudit_record *ar;
772
773 if (audit_argv == 0)
774 return;
775
776 ar = currecord();
777 if (ar == NULL)
778 return;
779
780 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
781 bcopy(argv, ar->k_ar.ar_arg_argv, length);
782 ar->k_ar.ar_arg_argc = argc;
783 ARG_SET_VALID(ar, ARG_ARGV);
784}
785
786/*
787 * Audit the environment strings passed to exec.
788 */
789void
790audit_arg_envv(char *envv, int envc, int length)
791{
792 struct kaudit_record *ar;
793
794 if (audit_arge == 0)
795 return;
796
797 ar = currecord();
798 if (ar == NULL)
799 return;
800
801 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
802 bcopy(envv, ar->k_ar.ar_arg_envv, length);
803 ar->k_ar.ar_arg_envc = envc;
804 ARG_SET_VALID(ar, ARG_ENVV);
805}
806
807/*
808 * The close() system call uses it's own audit call to capture the path/vnode
809 * information because those pieces are not easily obtained within the system
810 * call itself.
811 */
812void
813audit_sysclose(struct thread *td, int fd)
814{
815 struct kaudit_record *ar;
816 struct vnode *vp;
817 struct file *fp;
818 int vfslocked;
819
820 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
821
822 ar = currecord();
823 if (ar == NULL)
824 return;
825
826 audit_arg_fd(fd);
827
828 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
829 return;
830
831 vp = fp->f_vnode;
832 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
833 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
834 audit_arg_vnode(vp, ARG_VNODE1);
835 VOP_UNLOCK(vp, 0, td);
836 VFS_UNLOCK_GIANT(vfslocked);
837 fdrop(fp, td);
838}
| 421 switch (sa->sa_family) {
422 case AF_INET:
423 ARG_SET_VALID(ar, ARG_SADDRINET);
424 break;
425
426 case AF_INET6:
427 ARG_SET_VALID(ar, ARG_SADDRINET6);
428 break;
429
430 case AF_UNIX:
431 audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
432 ARG_UPATH1);
433 ARG_SET_VALID(ar, ARG_SADDRUNIX);
434 break;
435 /* XXXAUDIT: default:? */
436 }
437}
438
439void
440audit_arg_auid(uid_t auid)
441{
442 struct kaudit_record *ar;
443
444 ar = currecord();
445 if (ar == NULL)
446 return;
447
448 ar->k_ar.ar_arg_auid = auid;
449 ARG_SET_VALID(ar, ARG_AUID);
450}
451
452void
453audit_arg_auditinfo(struct auditinfo *au_info)
454{
455 struct kaudit_record *ar;
456
457 ar = currecord();
458 if (ar == NULL)
459 return;
460
461 ar->k_ar.ar_arg_auid = au_info->ai_auid;
462 ar->k_ar.ar_arg_asid = au_info->ai_asid;
463 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
464 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
465 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
466 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
467 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
468}
469
470void
471audit_arg_text(char *text)
472{
473 struct kaudit_record *ar;
474
475 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
476
477 ar = currecord();
478 if (ar == NULL)
479 return;
480
481 /* Invalidate the text string */
482 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
483
484 if (ar->k_ar.ar_arg_text == NULL)
485 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
486 M_WAITOK);
487
488 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
489 ARG_SET_VALID(ar, ARG_TEXT);
490}
491
492void
493audit_arg_cmd(int cmd)
494{
495 struct kaudit_record *ar;
496
497 ar = currecord();
498 if (ar == NULL)
499 return;
500
501 ar->k_ar.ar_arg_cmd = cmd;
502 ARG_SET_VALID(ar, ARG_CMD);
503}
504
505void
506audit_arg_svipc_cmd(int cmd)
507{
508 struct kaudit_record *ar;
509
510 ar = currecord();
511 if (ar == NULL)
512 return;
513
514 ar->k_ar.ar_arg_svipc_cmd = cmd;
515 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
516}
517
518void
519audit_arg_svipc_perm(struct ipc_perm *perm)
520{
521 struct kaudit_record *ar;
522
523 ar = currecord();
524 if (ar == NULL)
525 return;
526
527 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
528 sizeof(ar->k_ar.ar_arg_svipc_perm));
529 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
530}
531
532void
533audit_arg_svipc_id(int id)
534{
535 struct kaudit_record *ar;
536
537 ar = currecord();
538 if (ar == NULL)
539 return;
540
541 ar->k_ar.ar_arg_svipc_id = id;
542 ARG_SET_VALID(ar, ARG_SVIPC_ID);
543}
544
545void
546audit_arg_svipc_addr(void * addr)
547{
548 struct kaudit_record *ar;
549
550 ar = currecord();
551 if (ar == NULL)
552 return;
553
554 ar->k_ar.ar_arg_svipc_addr = addr;
555 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
556}
557
558void
559audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
560{
561 struct kaudit_record *ar;
562
563 ar = currecord();
564 if (ar == NULL)
565 return;
566
567 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
568 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
569 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
570 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
571}
572
573void
574audit_arg_auditon(union auditon_udata *udata)
575{
576 struct kaudit_record *ar;
577
578 ar = currecord();
579 if (ar == NULL)
580 return;
581
582 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
583 sizeof(ar->k_ar.ar_arg_auditon));
584 ARG_SET_VALID(ar, ARG_AUDITON);
585}
586
587/*
588 * Audit information about a file, either the file's vnode info, or its
589 * socket address info.
590 */
591void
592audit_arg_file(struct proc *p, struct file *fp)
593{
594 struct kaudit_record *ar;
595 struct socket *so;
596 struct inpcb *pcb;
597 struct vnode *vp;
598 int vfslocked;
599
600 ar = currecord();
601 if (ar == NULL)
602 return;
603
604 switch (fp->f_type) {
605 case DTYPE_VNODE:
606 case DTYPE_FIFO:
607 /*
608 * XXXAUDIT: Only possibly to record as first vnode?
609 */
610 vp = fp->f_vnode;
611 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
612 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread);
613 audit_arg_vnode(vp, ARG_VNODE1);
614 VOP_UNLOCK(vp, 0, curthread);
615 VFS_UNLOCK_GIANT(vfslocked);
616 break;
617
618 case DTYPE_SOCKET:
619 so = (struct socket *)fp->f_data;
620 SOCK_LOCK(so);
621 if (INP_CHECK_SOCKAF(so, PF_INET)) {
622 if (so->so_pcb == NULL)
623 return;
624 ar->k_ar.ar_arg_sockinfo.so_type =
625 so->so_type;
626 ar->k_ar.ar_arg_sockinfo.so_domain =
627 INP_SOCKAF(so);
628 ar->k_ar.ar_arg_sockinfo.so_protocol =
629 so->so_proto->pr_protocol;
630 pcb = (struct inpcb *)so->so_pcb;
631 ar->k_ar.ar_arg_sockinfo.so_raddr =
632 pcb->inp_faddr.s_addr;
633 ar->k_ar.ar_arg_sockinfo.so_laddr =
634 pcb->inp_laddr.s_addr;
635 ar->k_ar.ar_arg_sockinfo.so_rport =
636 pcb->inp_fport;
637 ar->k_ar.ar_arg_sockinfo.so_lport =
638 pcb->inp_lport;
639 ARG_SET_VALID(ar, ARG_SOCKINFO);
640 }
641 SOCK_UNLOCK(so);
642 break;
643
644 default:
645 /* XXXAUDIT: else? */
646 break;
647 }
648
649}
650
651/*
652 * Store a path as given by the user process for auditing into the audit
653 * record stored on the user thread. This function will allocate the memory
654 * to store the path info if not already available. This memory will be freed
655 * when the audit record is freed.
656 *
657 * XXXAUDIT: Possibly assert that the memory isn't already allocated?
658 */
659void
660audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
661{
662 struct kaudit_record *ar;
663 char **pathp;
664
665 KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
666 KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
667
668 ar = currecord();
669 if (ar == NULL)
670 return;
671
672 /*
673 * XXXAUDIT: Witness warning for possible sleep here?
674 */
675 KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
676 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
677 KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
678 ("audit_arg_upath: flag %llu", (unsigned long long)flag));
679
680 if (flag == ARG_UPATH1)
681 pathp = &ar->k_ar.ar_arg_upath1;
682 else
683 pathp = &ar->k_ar.ar_arg_upath2;
684
685 if (*pathp == NULL)
686 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
687
688 canon_path(td, upath, *pathp);
689
690 ARG_SET_VALID(ar, flag);
691}
692
693/*
694 * Function to save the path and vnode attr information into the audit
695 * record.
696 *
697 * It is assumed that the caller will hold any vnode locks necessary to
698 * perform a VOP_GETATTR() on the passed vnode.
699 *
700 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
701 * always provides access to the generation number as we need that
702 * to construct the BSM file ID.
703 * XXX: We should accept the process argument from the caller, since
704 * it's very likely they already have a reference.
705 * XXX: Error handling in this function is poor.
706 *
707 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
708 */
709void
710audit_arg_vnode(struct vnode *vp, u_int64_t flags)
711{
712 struct kaudit_record *ar;
713 struct vattr vattr;
714 int error;
715 struct vnode_au_info *vnp;
716
717 KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
718 KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
719 ("audit_arg_vnode: flags %jd", (intmax_t)flags));
720
721 /*
722 * Assume that if the caller is calling audit_arg_vnode() on a
723 * non-MPSAFE vnode, then it will have acquired Giant.
724 */
725 VFS_ASSERT_GIANT(vp->v_mount);
726 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
727
728 ar = currecord();
729 if (ar == NULL)
730 return;
731
732 /*
733 * XXXAUDIT: The below clears, and then resets the flags for valid
734 * arguments. Ideally, either the new vnode is used, or the old one
735 * would be.
736 */
737 if (flags & ARG_VNODE1) {
738 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
739 vnp = &ar->k_ar.ar_arg_vnode1;
740 } else {
741 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
742 vnp = &ar->k_ar.ar_arg_vnode2;
743 }
744
745 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
746 if (error) {
747 /* XXX: How to handle this case? */
748 return;
749 }
750
751 vnp->vn_mode = vattr.va_mode;
752 vnp->vn_uid = vattr.va_uid;
753 vnp->vn_gid = vattr.va_gid;
754 vnp->vn_dev = vattr.va_rdev;
755 vnp->vn_fsid = vattr.va_fsid;
756 vnp->vn_fileid = vattr.va_fileid;
757 vnp->vn_gen = vattr.va_gen;
758 if (flags & ARG_VNODE1)
759 ARG_SET_VALID(ar, ARG_VNODE1);
760 else
761 ARG_SET_VALID(ar, ARG_VNODE2);
762}
763
764/*
765 * Audit the argument strings passed to exec.
766 */
767void
768audit_arg_argv(char *argv, int argc, int length)
769{
770 struct kaudit_record *ar;
771
772 if (audit_argv == 0)
773 return;
774
775 ar = currecord();
776 if (ar == NULL)
777 return;
778
779 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
780 bcopy(argv, ar->k_ar.ar_arg_argv, length);
781 ar->k_ar.ar_arg_argc = argc;
782 ARG_SET_VALID(ar, ARG_ARGV);
783}
784
785/*
786 * Audit the environment strings passed to exec.
787 */
788void
789audit_arg_envv(char *envv, int envc, int length)
790{
791 struct kaudit_record *ar;
792
793 if (audit_arge == 0)
794 return;
795
796 ar = currecord();
797 if (ar == NULL)
798 return;
799
800 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
801 bcopy(envv, ar->k_ar.ar_arg_envv, length);
802 ar->k_ar.ar_arg_envc = envc;
803 ARG_SET_VALID(ar, ARG_ENVV);
804}
805
806/*
807 * The close() system call uses it's own audit call to capture the path/vnode
808 * information because those pieces are not easily obtained within the system
809 * call itself.
810 */
811void
812audit_sysclose(struct thread *td, int fd)
813{
814 struct kaudit_record *ar;
815 struct vnode *vp;
816 struct file *fp;
817 int vfslocked;
818
819 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
820
821 ar = currecord();
822 if (ar == NULL)
823 return;
824
825 audit_arg_fd(fd);
826
827 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
828 return;
829
830 vp = fp->f_vnode;
831 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
832 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
833 audit_arg_vnode(vp, ARG_VNODE1);
834 VOP_UNLOCK(vp, 0, td);
835 VFS_UNLOCK_GIANT(vfslocked);
836 fdrop(fp, td);
837}
|