audit_arg.c revision 165621 
1296341Sdelphij/*
296593Smarkm * Copyright (c) 1999-2005 Apple Computer, Inc.
396593Smarkm * All rights reserved.
4142429Snectar *
596593Smarkm * Redistribution and use in source and binary forms, with or without
696593Smarkm * modification, are permitted provided that the following conditions
796593Smarkm * are met:
896593Smarkm * 1.  Redistributions of source code must retain the above copyright
996593Smarkm *     notice, this list of conditions and the following disclaimer.
1096593Smarkm * 2.  Redistributions in binary form must reproduce the above copyright
1196593Smarkm *     notice, this list of conditions and the following disclaimer in the
1296593Smarkm *     documentation and/or other materials provided with the distribution.
1396593Smarkm * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
1496593Smarkm *     its contributors may be used to endorse or promote products derived
1596593Smarkm *     from this software without specific prior written permission.
1696593Smarkm *
1796593Smarkm * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
1896593Smarkm * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1996593Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20215698Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21215698Ssimon * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22215698Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23215698Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24215698Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2596593Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
2696593Smarkm * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
2796593Smarkm * POSSIBILITY OF SUCH DAMAGE.
2896593Smarkm *
2996593Smarkm * $FreeBSD: head/sys/security/audit/audit_arg.c 165621 2006-12-29 10:37:32Z rwatson $
3096593Smarkm */
3196593Smarkm
3296593Smarkm#include <sys/param.h>
3396593Smarkm#include <sys/filedesc.h>
3496593Smarkm#include <sys/ipc.h>
3596593Smarkm#include <sys/mount.h>
3696593Smarkm#include <sys/proc.h>
3796593Smarkm#include <sys/socket.h>
3896593Smarkm#include <sys/socketvar.h>
3996593Smarkm#include <sys/protosw.h>
4096593Smarkm#include <sys/domain.h>
41279264Sdelphij#include <sys/sbuf.h>
42279264Sdelphij#include <sys/systm.h>
4396593Smarkm#include <sys/un.h>
4496593Smarkm#include <sys/vnode.h>
45215698Ssimon
46215698Ssimon#include <netinet/in.h>
47215698Ssimon#include <netinet/in_pcb.h>
48215698Ssimon
49142429Snectar#include <security/audit/audit.h>
50215698Ssimon#include <security/audit/audit_private.h>
51142429Snectar
52142429Snectar/*
53279264Sdelphij * Calls to manipulate elements of the audit record structure from system
54279264Sdelphij * call code.  Macro wrappers will prevent this functions from being
55279264Sdelphij * entered if auditing is disabled, avoiding the function call cost.  We
5696593Smarkm * check the thread audit record pointer anyway, as the audit condition
57279264Sdelphij * could change, and pre-selection may not have allocated an audit
58279264Sdelphij * record for this event.
59279264Sdelphij *
60279264Sdelphij * XXXAUDIT: Should we assert, in each case, that this field of the record
61279264Sdelphij * hasn't already been filled in?
62279264Sdelphij */
63215698Ssimonvoid
64279264Sdelphijaudit_arg_addr(void * addr)
65279264Sdelphij{
66279264Sdelphij	struct kaudit_record *ar;
67279264Sdelphij
68279264Sdelphij	ar = currecord();
69215698Ssimon	if (ar == NULL)
70279264Sdelphij		return;
7196593Smarkm
7296593Smarkm	ar->k_ar.ar_arg_addr = addr;
7396593Smarkm	ARG_SET_VALID(ar, ARG_ADDR);
7496593Smarkm}
7596593Smarkm
7696593Smarkmvoid
7796593Smarkmaudit_arg_exit(int status, int retval)
7896593Smarkm{
7996593Smarkm	struct kaudit_record *ar;
8096593Smarkm
8196593Smarkm	ar = currecord();
8296593Smarkm	if (ar == NULL)
8396593Smarkm		return;
8496593Smarkm
8596593Smarkm	ar->k_ar.ar_arg_exitstatus = status;
8696593Smarkm	ar->k_ar.ar_arg_exitretval = retval;
8796593Smarkm	ARG_SET_VALID(ar, ARG_EXIT);
8896593Smarkm}
8996593Smarkm
9096593Smarkmvoid
9196593Smarkmaudit_arg_len(int len)
9296593Smarkm{
9396593Smarkm	struct kaudit_record *ar;
9496593Smarkm
9596593Smarkm	ar = currecord();
9696593Smarkm	if (ar == NULL)
9796593Smarkm		return;
9896593Smarkm
9996593Smarkm	ar->k_ar.ar_arg_len = len;
10096593Smarkm	ARG_SET_VALID(ar, ARG_LEN);
10196593Smarkm}
10296593Smarkm
10396593Smarkmvoid
10496593Smarkmaudit_arg_fd(int fd)
10596593Smarkm{
10696593Smarkm	struct kaudit_record *ar;
10796593Smarkm
10896593Smarkm	ar = currecord();
10996593Smarkm	if (ar == NULL)
11096593Smarkm		return;
11196593Smarkm
11296593Smarkm	ar->k_ar.ar_arg_fd = fd;
11396593Smarkm	ARG_SET_VALID(ar, ARG_FD);
11496593Smarkm}
11596593Smarkm
11696593Smarkmvoid
11796593Smarkmaudit_arg_fflags(int fflags)
11896593Smarkm{
11996593Smarkm	struct kaudit_record *ar;
12096593Smarkm
12196593Smarkm	ar = currecord();
12296593Smarkm	if (ar == NULL)
12396593Smarkm		return;
12496593Smarkm
12596593Smarkm	ar->k_ar.ar_arg_fflags = fflags;
12696593Smarkm	ARG_SET_VALID(ar, ARG_FFLAGS);
12796593Smarkm}
12896593Smarkm
12996593Smarkmvoid
13096593Smarkmaudit_arg_gid(gid_t gid)
13196593Smarkm{
13296593Smarkm	struct kaudit_record *ar;
133142429Snectar
13496593Smarkm	ar = currecord();
135100946Snectar	if (ar == NULL)
136296341Sdelphij		return;
137215698Ssimon
138215698Ssimon	ar->k_ar.ar_arg_gid = gid;
139215698Ssimon	ARG_SET_VALID(ar, ARG_GID);
140215698Ssimon}
14196593Smarkm
142142429Snectarvoid
14396593Smarkmaudit_arg_uid(uid_t uid)
14496593Smarkm{
14596593Smarkm	struct kaudit_record *ar;
14696593Smarkm
147215698Ssimon	ar = currecord();
14896593Smarkm	if (ar == NULL)
14996593Smarkm		return;
15096593Smarkm
15196593Smarkm	ar->k_ar.ar_arg_uid = uid;
152279264Sdelphij	ARG_SET_VALID(ar, ARG_UID);
15396593Smarkm}
15496593Smarkm
15596593Smarkmvoid
15696593Smarkmaudit_arg_egid(gid_t egid)
15796593Smarkm{
158142429Snectar	struct kaudit_record *ar;
15996593Smarkm
16096593Smarkm	ar = currecord();
16196593Smarkm	if (ar == NULL)
162		return;
163
164	ar->k_ar.ar_arg_egid = egid;
165	ARG_SET_VALID(ar, ARG_EGID);
166}
167
168void
169audit_arg_euid(uid_t euid)
170{
171	struct kaudit_record *ar;
172
173	ar = currecord();
174	if (ar == NULL)
175		return;
176
177	ar->k_ar.ar_arg_euid = euid;
178	ARG_SET_VALID(ar, ARG_EUID);
179}
180
181void
182audit_arg_rgid(gid_t rgid)
183{
184	struct kaudit_record *ar;
185
186	ar = currecord();
187	if (ar == NULL)
188		return;
189
190	ar->k_ar.ar_arg_rgid = rgid;
191	ARG_SET_VALID(ar, ARG_RGID);
192}
193
194void
195audit_arg_ruid(uid_t ruid)
196{
197	struct kaudit_record *ar;
198
199	ar = currecord();
200	if (ar == NULL)
201		return;
202
203	ar->k_ar.ar_arg_ruid = ruid;
204	ARG_SET_VALID(ar, ARG_RUID);
205}
206
207void
208audit_arg_sgid(gid_t sgid)
209{
210	struct kaudit_record *ar;
211
212	ar = currecord();
213	if (ar == NULL)
214		return;
215
216	ar->k_ar.ar_arg_sgid = sgid;
217	ARG_SET_VALID(ar, ARG_SGID);
218}
219
220void
221audit_arg_suid(uid_t suid)
222{
223	struct kaudit_record *ar;
224
225	ar = currecord();
226	if (ar == NULL)
227		return;
228
229	ar->k_ar.ar_arg_suid = suid;
230	ARG_SET_VALID(ar, ARG_SUID);
231}
232
233void
234audit_arg_groupset(gid_t *gidset, u_int gidset_size)
235{
236	int i;
237	struct kaudit_record *ar;
238
239	ar = currecord();
240	if (ar == NULL)
241		return;
242
243	for (i = 0; i < gidset_size; i++)
244		ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
245	ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
246	ARG_SET_VALID(ar, ARG_GROUPSET);
247}
248
249void
250audit_arg_login(char *login)
251{
252	struct kaudit_record *ar;
253
254	ar = currecord();
255	if (ar == NULL)
256		return;
257
258	strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
259	ARG_SET_VALID(ar, ARG_LOGIN);
260}
261
262void
263audit_arg_ctlname(int *name, int namelen)
264{
265	struct kaudit_record *ar;
266
267	ar = currecord();
268	if (ar == NULL)
269		return;
270
271	bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
272	ar->k_ar.ar_arg_len = namelen;
273	ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
274}
275
276void
277audit_arg_mask(int mask)
278{
279	struct kaudit_record *ar;
280
281	ar = currecord();
282	if (ar == NULL)
283		return;
284
285	ar->k_ar.ar_arg_mask = mask;
286	ARG_SET_VALID(ar, ARG_MASK);
287}
288
289void
290audit_arg_mode(mode_t mode)
291{
292	struct kaudit_record *ar;
293
294	ar = currecord();
295	if (ar == NULL)
296		return;
297
298	ar->k_ar.ar_arg_mode = mode;
299	ARG_SET_VALID(ar, ARG_MODE);
300}
301
302void
303audit_arg_dev(int dev)
304{
305	struct kaudit_record *ar;
306
307	ar = currecord();
308	if (ar == NULL)
309		return;
310
311	ar->k_ar.ar_arg_dev = dev;
312	ARG_SET_VALID(ar, ARG_DEV);
313}
314
315void
316audit_arg_value(long value)
317{
318	struct kaudit_record *ar;
319
320	ar = currecord();
321	if (ar == NULL)
322		return;
323
324	ar->k_ar.ar_arg_value = value;
325	ARG_SET_VALID(ar, ARG_VALUE);
326}
327
328void
329audit_arg_owner(uid_t uid, gid_t gid)
330{
331	struct kaudit_record *ar;
332
333	ar = currecord();
334	if (ar == NULL)
335		return;
336
337	ar->k_ar.ar_arg_uid = uid;
338	ar->k_ar.ar_arg_gid = gid;
339	ARG_SET_VALID(ar, ARG_UID | ARG_GID);
340}
341
342void
343audit_arg_pid(pid_t pid)
344{
345	struct kaudit_record *ar;
346
347	ar = currecord();
348	if (ar == NULL)
349		return;
350
351	ar->k_ar.ar_arg_pid = pid;
352	ARG_SET_VALID(ar, ARG_PID);
353}
354
355void
356audit_arg_process(struct proc *p)
357{
358	struct kaudit_record *ar;
359
360	KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
361
362	PROC_LOCK_ASSERT(p, MA_OWNED);
363
364	ar = currecord();
365	if (ar == NULL)
366		return;
367
368	ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
369	ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
370	ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
371	ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
372	ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
373	ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
374	ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
375	ar->k_ar.ar_arg_pid = p->p_pid;
376	ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
377	    ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PID | ARG_PROCESS);
378}
379
380void
381audit_arg_signum(u_int signum)
382{
383	struct kaudit_record *ar;
384
385	ar = currecord();
386	if (ar == NULL)
387		return;
388
389	ar->k_ar.ar_arg_signum = signum;
390	ARG_SET_VALID(ar, ARG_SIGNUM);
391}
392
393void
394audit_arg_socket(int sodomain, int sotype, int soprotocol)
395{
396	struct kaudit_record *ar;
397
398	ar = currecord();
399	if (ar == NULL)
400		return;
401
402	ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
403	ar->k_ar.ar_arg_sockinfo.so_type = sotype;
404	ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
405	ARG_SET_VALID(ar, ARG_SOCKINFO);
406}
407
408void
409audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
410{
411	struct kaudit_record *ar;
412
413	KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
414	KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
415
416	ar = currecord();
417	if (ar == NULL)
418		return;
419
420	bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
421	switch (sa->sa_family) {
422	case AF_INET:
423		ARG_SET_VALID(ar, ARG_SADDRINET);
424		break;
425
426	case AF_INET6:
427		ARG_SET_VALID(ar, ARG_SADDRINET6);
428		break;
429
430	case AF_UNIX:
431		audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
432				ARG_UPATH1);
433		ARG_SET_VALID(ar, ARG_SADDRUNIX);
434		break;
435	/* XXXAUDIT: default:? */
436	}
437}
438
439void
440audit_arg_auid(uid_t auid)
441{
442	struct kaudit_record *ar;
443
444	ar = currecord();
445	if (ar == NULL)
446		return;
447
448	ar->k_ar.ar_arg_auid = auid;
449	ARG_SET_VALID(ar, ARG_AUID);
450}
451
452void
453audit_arg_auditinfo(struct auditinfo *au_info)
454{
455	struct kaudit_record *ar;
456
457	ar = currecord();
458	if (ar == NULL)
459		return;
460
461	ar->k_ar.ar_arg_auid = au_info->ai_auid;
462	ar->k_ar.ar_arg_asid = au_info->ai_asid;
463	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
464	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
465	ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
466	ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
467	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
468}
469
470void
471audit_arg_text(char *text)
472{
473	struct kaudit_record *ar;
474
475	KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
476
477	ar = currecord();
478	if (ar == NULL)
479		return;
480
481	/* Invalidate the text string */
482	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
483
484	if (ar->k_ar.ar_arg_text == NULL)
485		ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
486		    M_WAITOK);
487
488	strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
489	ARG_SET_VALID(ar, ARG_TEXT);
490}
491
492void
493audit_arg_cmd(int cmd)
494{
495	struct kaudit_record *ar;
496
497	ar = currecord();
498	if (ar == NULL)
499		return;
500
501	ar->k_ar.ar_arg_cmd = cmd;
502	ARG_SET_VALID(ar, ARG_CMD);
503}
504
505void
506audit_arg_svipc_cmd(int cmd)
507{
508	struct kaudit_record *ar;
509
510	ar = currecord();
511	if (ar == NULL)
512		return;
513
514	ar->k_ar.ar_arg_svipc_cmd = cmd;
515	ARG_SET_VALID(ar, ARG_SVIPC_CMD);
516}
517
518void
519audit_arg_svipc_perm(struct ipc_perm *perm)
520{
521	struct kaudit_record *ar;
522
523	ar = currecord();
524	if (ar == NULL)
525		return;
526
527	bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
528	    sizeof(ar->k_ar.ar_arg_svipc_perm));
529	ARG_SET_VALID(ar, ARG_SVIPC_PERM);
530}
531
532void
533audit_arg_svipc_id(int id)
534{
535	struct kaudit_record *ar;
536
537	ar = currecord();
538	if (ar == NULL)
539		return;
540
541	ar->k_ar.ar_arg_svipc_id = id;
542	ARG_SET_VALID(ar, ARG_SVIPC_ID);
543}
544
545void
546audit_arg_svipc_addr(void * addr)
547{
548	struct kaudit_record *ar;
549
550	ar = currecord();
551	if (ar == NULL)
552		return;
553
554	ar->k_ar.ar_arg_svipc_addr = addr;
555	ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
556}
557
558void
559audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
560{
561	struct kaudit_record *ar;
562
563	ar = currecord();
564	if (ar == NULL)
565		return;
566
567	ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
568	ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
569	ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
570	ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
571}
572
573void
574audit_arg_auditon(union auditon_udata *udata)
575{
576	struct kaudit_record *ar;
577
578	ar = currecord();
579	if (ar == NULL)
580		return;
581
582	bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
583	    sizeof(ar->k_ar.ar_arg_auditon));
584	ARG_SET_VALID(ar, ARG_AUDITON);
585}
586
587/*
588 * Audit information about a file, either the file's vnode info, or its
589 * socket address info.
590 */
591void
592audit_arg_file(struct proc *p, struct file *fp)
593{
594	struct kaudit_record *ar;
595	struct socket *so;
596	struct inpcb *pcb;
597	struct vnode *vp;
598	int vfslocked;
599
600	ar = currecord();
601	if (ar == NULL)
602		return;
603
604	switch (fp->f_type) {
605	case DTYPE_VNODE:
606	case DTYPE_FIFO:
607		/*
608		 * XXXAUDIT: Only possibly to record as first vnode?
609		 */
610		vp = fp->f_vnode;
611		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
612		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread);
613		audit_arg_vnode(vp, ARG_VNODE1);
614		VOP_UNLOCK(vp, 0, curthread);
615		VFS_UNLOCK_GIANT(vfslocked);
616		break;
617
618	case DTYPE_SOCKET:
619		so = (struct socket *)fp->f_data;
620		SOCK_LOCK(so);
621		if (INP_CHECK_SOCKAF(so, PF_INET)) {
622			if (so->so_pcb == NULL)
623				return;
624			ar->k_ar.ar_arg_sockinfo.so_type =
625			    so->so_type;
626			ar->k_ar.ar_arg_sockinfo.so_domain =
627			    INP_SOCKAF(so);
628			ar->k_ar.ar_arg_sockinfo.so_protocol =
629			    so->so_proto->pr_protocol;
630			pcb = (struct inpcb *)so->so_pcb;
631			ar->k_ar.ar_arg_sockinfo.so_raddr =
632			    pcb->inp_faddr.s_addr;
633			ar->k_ar.ar_arg_sockinfo.so_laddr =
634			    pcb->inp_laddr.s_addr;
635			ar->k_ar.ar_arg_sockinfo.so_rport =
636			    pcb->inp_fport;
637			ar->k_ar.ar_arg_sockinfo.so_lport =
638			    pcb->inp_lport;
639			ARG_SET_VALID(ar, ARG_SOCKINFO);
640		}
641		SOCK_UNLOCK(so);
642		break;
643
644	default:
645		/* XXXAUDIT: else? */
646		break;
647	}
648
649}
650
651/*
652 * Store a path as given by the user process for auditing into the audit
653 * record stored on the user thread. This function will allocate the memory
654 * to store the path info if not already available. This memory will be freed
655 * when the audit record is freed.
656 *
657 * XXXAUDIT: Possibly assert that the memory isn't already allocated?
658 */
659void
660audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
661{
662	struct kaudit_record *ar;
663	char **pathp;
664
665	KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
666	KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
667
668	ar = currecord();
669	if (ar == NULL)
670		return;
671
672	KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
673	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
674	KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
675	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
676
677	if (flag == ARG_UPATH1)
678		pathp = &ar->k_ar.ar_arg_upath1;
679	else
680		pathp = &ar->k_ar.ar_arg_upath2;
681
682	if (*pathp == NULL)
683		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
684
685	canon_path(td, upath, *pathp);
686
687	ARG_SET_VALID(ar, flag);
688}
689
690/*
691 * Function to save the path and vnode attr information into the audit
692 * record.
693 *
694 * It is assumed that the caller will hold any vnode locks necessary to
695 * perform a VOP_GETATTR() on the passed vnode.
696 *
697 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
698 * always provides access to the generation number as we need that
699 * to construct the BSM file ID.
700 * XXX: We should accept the process argument from the caller, since
701 * it's very likely they already have a reference.
702 * XXX: Error handling in this function is poor.
703 *
704 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
705 */
706void
707audit_arg_vnode(struct vnode *vp, u_int64_t flags)
708{
709	struct kaudit_record *ar;
710	struct vattr vattr;
711	int error;
712	struct vnode_au_info *vnp;
713
714	KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
715	KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
716	    ("audit_arg_vnode: flags %jd", (intmax_t)flags));
717
718	/*
719	 * Assume that if the caller is calling audit_arg_vnode() on a
720	 * non-MPSAFE vnode, then it will have acquired Giant.
721	 */
722	VFS_ASSERT_GIANT(vp->v_mount);
723	ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
724
725	ar = currecord();
726	if (ar == NULL)
727		return;
728
729	/*
730	 * XXXAUDIT: The below clears, and then resets the flags for valid
731	 * arguments.  Ideally, either the new vnode is used, or the old one
732	 * would be.
733	 */
734	if (flags & ARG_VNODE1) {
735		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
736		vnp = &ar->k_ar.ar_arg_vnode1;
737	} else {
738		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
739		vnp = &ar->k_ar.ar_arg_vnode2;
740	}
741
742	error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
743	if (error) {
744		/* XXX: How to handle this case? */
745		return;
746	}
747
748	vnp->vn_mode = vattr.va_mode;
749	vnp->vn_uid = vattr.va_uid;
750	vnp->vn_gid = vattr.va_gid;
751	vnp->vn_dev = vattr.va_rdev;
752	vnp->vn_fsid = vattr.va_fsid;
753	vnp->vn_fileid = vattr.va_fileid;
754	vnp->vn_gen = vattr.va_gen;
755	if (flags & ARG_VNODE1)
756		ARG_SET_VALID(ar, ARG_VNODE1);
757	else
758		ARG_SET_VALID(ar, ARG_VNODE2);
759}
760
761/*
762 * Audit the argument strings passed to exec.
763 */
764void
765audit_arg_argv(char *argv, int argc, int length)
766{
767	struct kaudit_record *ar;
768
769	if (audit_argv == 0)
770		return;
771
772	ar = currecord();
773	if (ar == NULL)
774		return;
775
776	ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
777	bcopy(argv, ar->k_ar.ar_arg_argv, length);
778	ar->k_ar.ar_arg_argc = argc;
779	ARG_SET_VALID(ar, ARG_ARGV);
780}
781
782/*
783 * Audit the environment strings passed to exec.
784 */
785void
786audit_arg_envv(char *envv, int envc, int length)
787{
788	struct kaudit_record *ar;
789
790	if (audit_arge == 0)
791		return;
792
793	ar = currecord();
794	if (ar == NULL)
795		return;
796
797	ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
798	bcopy(envv, ar->k_ar.ar_arg_envv, length);
799	ar->k_ar.ar_arg_envc = envc;
800	ARG_SET_VALID(ar, ARG_ENVV);
801}
802
803/*
804 * The close() system call uses it's own audit call to capture the path/vnode
805 * information because those pieces are not easily obtained within the system
806 * call itself.
807 */
808void
809audit_sysclose(struct thread *td, int fd)
810{
811	struct kaudit_record *ar;
812	struct vnode *vp;
813	struct file *fp;
814	int vfslocked;
815
816	KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
817
818	ar = currecord();
819	if (ar == NULL)
820		return;
821
822	audit_arg_fd(fd);
823
824	if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
825		return;
826
827	vp = fp->f_vnode;
828	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
829	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
830	audit_arg_vnode(vp, ARG_VNODE1);
831	VOP_UNLOCK(vp, 0, td);
832	VFS_UNLOCK_GIANT(vfslocked);
833	fdrop(fp, td);
834}
835