audit_arg.c revision 166845
151974Smsmith/* 265245Smsmith * Copyright (c) 1999-2005 Apple Computer, Inc. 365245Smsmith * All rights reserved. 4140687Sscottl * 551974Smsmith * Redistribution and use in source and binary forms, with or without 651974Smsmith * modification, are permitted provided that the following conditions 751974Smsmith * are met: 851974Smsmith * 1. Redistributions of source code must retain the above copyright 951974Smsmith * notice, this list of conditions and the following disclaimer. 1051974Smsmith * 2. Redistributions in binary form must reproduce the above copyright 1151974Smsmith * notice, this list of conditions and the following disclaimer in the 1251974Smsmith * documentation and/or other materials provided with the distribution. 1351974Smsmith * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 1451974Smsmith * its contributors may be used to endorse or promote products derived 1551974Smsmith * from this software without specific prior written permission. 1651974Smsmith * 1751974Smsmith * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 1851974Smsmith * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1951974Smsmith * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2051974Smsmith * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 2151974Smsmith * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2251974Smsmith * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2351974Smsmith * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2451974Smsmith * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 2551974Smsmith * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 2651974Smsmith * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27119418Sobrien * POSSIBILITY OF SUCH DAMAGE. 28139749Simp * 29106225Semoore * $FreeBSD: head/sys/security/audit/audit_arg.c 166845 2007-02-20 13:38:11Z rwatson $ 30140688Sscottl */ 31106225Semoore 32106225Semoore#include <sys/param.h> 33106225Semoore#include <sys/filedesc.h> 34106225Semoore#include <sys/ipc.h> 35106225Semoore#include <sys/mount.h> 36106225Semoore#include <sys/proc.h> 37106225Semoore#include <sys/socket.h> 38106225Semoore#include <sys/socketvar.h> 39106225Semoore#include <sys/protosw.h> 40106225Semoore#include <sys/domain.h> 41105419Semoore#include <sys/sbuf.h> 42106225Semoore#include <sys/systm.h> 43105419Semoore#include <sys/un.h> 44105419Semoore#include <sys/vnode.h> 45106225Semoore 46106225Semoore#include <netinet/in.h> 47106225Semoore#include <netinet/in_pcb.h> 48106225Semoore 49106225Semoore#include <security/audit/audit.h> 50106225Semoore#include <security/audit/audit_private.h> 51106225Semoore 52106225Semoore/* 53106225Semoore * Calls to manipulate elements of the audit record structure from system 54106225Semoore * call code. Macro wrappers will prevent this functions from being 55106225Semoore * entered if auditing is disabled, avoiding the function call cost. We 5651974Smsmith * check the thread audit record pointer anyway, as the audit condition 5751974Smsmith * could change, and pre-selection may not have allocated an audit 58119418Sobrien * record for this event. 59119418Sobrien * 60119418Sobrien * XXXAUDIT: Should we assert, in each case, that this field of the record 6151974Smsmith * hasn't already been filled in? 6265245Smsmith */ 6351974Smsmithvoid 6451974Smsmithaudit_arg_addr(void * addr) 6551974Smsmith{ 6651974Smsmith struct kaudit_record *ar; 6751974Smsmith 6851974Smsmith ar = currecord(); 69153409Sscottl if (ar == NULL) 70153409Sscottl return; 7151974Smsmith 72148850Sscottl ar->k_ar.ar_arg_addr = addr; 7351974Smsmith ARG_SET_VALID(ar, ARG_ADDR); 7451974Smsmith} 7565245Smsmith 7651974Smsmithvoid 7765245Smsmithaudit_arg_exit(int status, int retval) 78153409Sscottl{ 7951974Smsmith struct kaudit_record *ar; 8051974Smsmith 8151974Smsmith ar = currecord(); 82119277Simp if (ar == NULL) 83119277Simp return; 8465245Smsmith 8551974Smsmith ar->k_ar.ar_arg_exitstatus = status; 8651974Smsmith ar->k_ar.ar_arg_exitretval = retval; 8751974Smsmith ARG_SET_VALID(ar, ARG_EXIT); 8865245Smsmith} 8965245Smsmith 9051974Smsmithvoid 91153409Sscottlaudit_arg_len(int len) 92153409Sscottl{ 9365245Smsmith struct kaudit_record *ar; 9465245Smsmith 9565245Smsmith ar = currecord(); 9665245Smsmith if (ar == NULL) 9751974Smsmith return; 98126080Sphk 99126080Sphk ar->k_ar.ar_arg_len = len; 100111815Sphk ARG_SET_VALID(ar, ARG_LEN); 101111815Sphk} 102111815Sphk 103111815Sphkvoid 10451974Smsmithaudit_arg_fd(int fd) 10551974Smsmith{ 106158267Sambrisko struct kaudit_record *ar; 10765245Smsmith 10865245Smsmith ar = currecord(); 10965245Smsmith if (ar == NULL) 11065245Smsmith return; 11151974Smsmith 11251974Smsmith ar->k_ar.ar_arg_fd = fd; 11351974Smsmith ARG_SET_VALID(ar, ARG_FD); 11451974Smsmith} 11565245Smsmith 11665245Smsmithvoid 117153409Sscottlaudit_arg_fflags(int fflags) 11865245Smsmith{ 119106225Semoore struct kaudit_record *ar; 12051974Smsmith 12151974Smsmith ar = currecord(); 12265245Smsmith if (ar == NULL) 12351974Smsmith return; 12465245Smsmith 12565245Smsmith ar->k_ar.ar_arg_fflags = fflags; 12651974Smsmith ARG_SET_VALID(ar, ARG_FFLAGS); 12751974Smsmith} 12865245Smsmith 12951974Smsmithvoid 13065245Smsmithaudit_arg_gid(gid_t gid) 131138422Sscottl{ 132138422Sscottl struct kaudit_record *ar; 13365245Smsmith 13465245Smsmith ar = currecord(); 135175622Sscottl if (ar == NULL) 136174544Sscottl return; 137174544Sscottl 138174544Sscottl ar->k_ar.ar_arg_gid = gid; 139175622Sscottl ARG_SET_VALID(ar, ARG_GID); 14051974Smsmith} 14151974Smsmith 14251974Smsmithvoid 14351974Smsmithaudit_arg_uid(uid_t uid) 144155222Sps{ 14565245Smsmith struct kaudit_record *ar; 146107756Semoore 147138422Sscottl ar = currecord(); 14851974Smsmith if (ar == NULL) 149155222Sps return; 15065245Smsmith 151107756Semoore ar->k_ar.ar_arg_uid = uid; 15265245Smsmith ARG_SET_VALID(ar, ARG_UID); 15351974Smsmith} 15465245Smsmith 15565245Smsmithvoid 15665245Smsmithaudit_arg_egid(gid_t egid) 15765245Smsmith{ 15865245Smsmith struct kaudit_record *ar; 15951974Smsmith 16051974Smsmith ar = currecord(); 16151974Smsmith if (ar == NULL) 16265245Smsmith return; 16365245Smsmith 164107756Semoore ar->k_ar.ar_arg_egid = egid; 16565245Smsmith ARG_SET_VALID(ar, ARG_EGID); 16665245Smsmith} 167107756Semoore 16851974Smsmithvoid 169153409Sscottlaudit_arg_euid(uid_t euid) 170158267Sambrisko{ 171192450Simp struct kaudit_record *ar; 172153409Sscottl 173227293Sed ar = currecord(); 174174194Sscottl if (ar == NULL) 17551974Smsmith return; 17651974Smsmith 17765245Smsmith ar->k_ar.ar_arg_euid = euid; 17851974Smsmith ARG_SET_VALID(ar, ARG_EUID); 17951974Smsmith} 18051974Smsmith 18151974Smsmithvoid 18265245Smsmithaudit_arg_rgid(gid_t rgid) 18365245Smsmith{ 18465245Smsmith struct kaudit_record *ar; 18565245Smsmith 18651974Smsmith ar = currecord(); 18751974Smsmith if (ar == NULL) 18851974Smsmith return; 18951974Smsmith 19051974Smsmith ar->k_ar.ar_arg_rgid = rgid; 19151974Smsmith ARG_SET_VALID(ar, ARG_RGID); 19251974Smsmith} 193184573Sscottl 19451974Smsmithvoid 19565245Smsmithaudit_arg_ruid(uid_t ruid) 19665245Smsmith{ 19751974Smsmith struct kaudit_record *ar; 19851974Smsmith 19951974Smsmith ar = currecord(); 200175622Sscottl if (ar == NULL) 201175622Sscottl return; 20265245Smsmith 20359249Sphk ar->k_ar.ar_arg_ruid = ruid; 20451974Smsmith ARG_SET_VALID(ar, ARG_RUID); 20565245Smsmith} 20665245Smsmith 20765245Smsmithvoid 20851974Smsmithaudit_arg_sgid(gid_t sgid) 20951974Smsmith{ 21065245Smsmith struct kaudit_record *ar; 21151974Smsmith 21251974Smsmith ar = currecord(); 213107756Semoore if (ar == NULL) 214138422Sscottl return; 21551974Smsmith 21651974Smsmith ar->k_ar.ar_arg_sgid = sgid; 21751974Smsmith ARG_SET_VALID(ar, ARG_SGID); 218107756Semoore} 219201758Smbr 22051974Smsmithvoid 22151974Smsmithaudit_arg_suid(uid_t suid) 22265245Smsmith{ 223198546Sbrueffer struct kaudit_record *ar; 22465245Smsmith 22565245Smsmith ar = currecord(); 22651974Smsmith if (ar == NULL) 22751974Smsmith return; 228175622Sscottl 229175622Sscottl ar->k_ar.ar_arg_suid = suid; 230175622Sscottl ARG_SET_VALID(ar, ARG_SUID); 231175622Sscottl} 232175622Sscottl 23365245Smsmithvoid 23451974Smsmithaudit_arg_groupset(gid_t *gidset, u_int gidset_size) 23565245Smsmith{ 23665245Smsmith int i; 23751974Smsmith struct kaudit_record *ar; 23865245Smsmith 23951974Smsmith ar = currecord(); 240153409Sscottl if (ar == NULL) 241175622Sscottl return; 242175622Sscottl 243175622Sscottl for (i = 0; i < gidset_size; i++) 244175622Sscottl ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 245175622Sscottl ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 246175622Sscottl ARG_SET_VALID(ar, ARG_GROUPSET); 247153409Sscottl} 248153409Sscottl 249153409Sscottlvoid 250153409Sscottlaudit_arg_login(char *login) 25151974Smsmith{ 25265245Smsmith struct kaudit_record *ar; 25351974Smsmith 254184573Sscottl ar = currecord(); 255184573Sscottl if (ar == NULL) 256184573Sscottl return; 257184573Sscottl 258184573Sscottl strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 259184573Sscottl ARG_SET_VALID(ar, ARG_LOGIN); 260184573Sscottl} 26151974Smsmith 26251974Smsmithvoid 26365245Smsmithaudit_arg_ctlname(int *name, int namelen) 26451974Smsmith{ 26565245Smsmith struct kaudit_record *ar; 26665245Smsmith 26765245Smsmith ar = currecord(); 268158267Sambrisko if (ar == NULL) 269158267Sambrisko return; 270158267Sambrisko 27151974Smsmith bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 27251974Smsmith ar->k_ar.ar_arg_len = namelen; 27365245Smsmith ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 27465245Smsmith} 27551974Smsmith 27665245Smsmithvoid 27765245Smsmithaudit_arg_mask(int mask) 27865245Smsmith{ 27965245Smsmith struct kaudit_record *ar; 28065245Smsmith 28165245Smsmith ar = currecord(); 28265245Smsmith if (ar == NULL) 28351974Smsmith return; 28458883Smsmith 28565245Smsmith ar->k_ar.ar_arg_mask = mask; 28658883Smsmith ARG_SET_VALID(ar, ARG_MASK); 28765245Smsmith} 28858883Smsmith 28965245Smsmithvoid 29051974Smsmithaudit_arg_mode(mode_t mode) 29151974Smsmith{ 29251974Smsmith struct kaudit_record *ar; 29351974Smsmith 29451974Smsmith ar = currecord(); 29551974Smsmith if (ar == NULL) 29665245Smsmith return; 29765245Smsmith 29851974Smsmith ar->k_ar.ar_arg_mode = mode; 29965245Smsmith ARG_SET_VALID(ar, ARG_MODE); 30051974Smsmith} 30151974Smsmith 30251974Smsmithvoid 30365245Smsmithaudit_arg_dev(int dev) 30451974Smsmith{ 30565245Smsmith struct kaudit_record *ar; 306153409Sscottl 307153409Sscottl ar = currecord(); 308153409Sscottl if (ar == NULL) 30965245Smsmith return; 31051974Smsmith 31151974Smsmith ar->k_ar.ar_arg_dev = dev; 31265245Smsmith ARG_SET_VALID(ar, ARG_DEV); 31351974Smsmith} 31451974Smsmith 31551974Smsmithvoid 31651974Smsmithaudit_arg_value(long value) 31751974Smsmith{ 31851974Smsmith struct kaudit_record *ar; 31951974Smsmith 32051974Smsmith ar = currecord(); 32151974Smsmith if (ar == NULL) 32251974Smsmith return; 32351974Smsmith 32451974Smsmith ar->k_ar.ar_arg_value = value; 32551974Smsmith ARG_SET_VALID(ar, ARG_VALUE); 32651974Smsmith} 32751974Smsmith 32851974Smsmithvoid 32951974Smsmithaudit_arg_owner(uid_t uid, gid_t gid) 33054073Smdodd{ 33151974Smsmith struct kaudit_record *ar; 33251974Smsmith 33354073Smdodd ar = currecord(); 33451974Smsmith if (ar == NULL) 33551974Smsmith return; 33651974Smsmith 33751974Smsmith ar->k_ar.ar_arg_uid = uid; 33851974Smsmith ar->k_ar.ar_arg_gid = gid; 33951974Smsmith ARG_SET_VALID(ar, ARG_UID | ARG_GID); 34051974Smsmith} 34151974Smsmith 34251974Smsmithvoid 34351974Smsmithaudit_arg_pid(pid_t pid) 34451974Smsmith{ 34551974Smsmith struct kaudit_record *ar; 34665245Smsmith 34751974Smsmith ar = currecord(); 34851974Smsmith if (ar == NULL) 349153409Sscottl return; 350153409Sscottl 351153409Sscottl ar->k_ar.ar_arg_pid = pid; 352153409Sscottl ARG_SET_VALID(ar, ARG_PID); 353153409Sscottl} 354153409Sscottl 355153409Sscottlvoid 356153409Sscottlaudit_arg_process(struct proc *p) 357175622Sscottl{ 358175622Sscottl struct kaudit_record *ar; 359175622Sscottl 360175622Sscottl KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 361175622Sscottl 362175622Sscottl PROC_LOCK_ASSERT(p, MA_OWNED); 363175622Sscottl 364175622Sscottl ar = currecord(); 365175622Sscottl if (ar == NULL) 366175622Sscottl return; 367175622Sscottl 368175622Sscottl ar->k_ar.ar_arg_auid = p->p_au->ai_auid; 369153409Sscottl ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid; 370153409Sscottl ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0]; 371153409Sscottl ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid; 37265245Smsmith ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid; 37365245Smsmith ar->k_ar.ar_arg_asid = p->p_au->ai_asid; 37451974Smsmith ar->k_ar.ar_arg_termid = p->p_au->ai_termid; 37565245Smsmith ar->k_ar.ar_arg_pid = p->p_pid; 37665245Smsmith ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 37751974Smsmith ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PID | ARG_PROCESS); 37865245Smsmith} 37951974Smsmith 38065245Smsmithvoid 381184573Sscottlaudit_arg_signum(u_int signum) 382184573Sscottl{ 38351974Smsmith struct kaudit_record *ar; 38465245Smsmith 38565245Smsmith ar = currecord(); 38665245Smsmith if (ar == NULL) 38765245Smsmith return; 38851974Smsmith 389107756Semoore ar->k_ar.ar_arg_signum = signum; 390107756Semoore ARG_SET_VALID(ar, ARG_SIGNUM); 391130585Sphk} 392107756Semoore 393140340Sscottlvoid 394153409Sscottlaudit_arg_socket(int sodomain, int sotype, int soprotocol) 395153409Sscottl{ 396153409Sscottl struct kaudit_record *ar; 397153409Sscottl 398153409Sscottl ar = currecord(); 39951974Smsmith if (ar == NULL) 40051974Smsmith return; 40151974Smsmith 40265245Smsmith ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 40351974Smsmith ar->k_ar.ar_arg_sockinfo.so_type = sotype; 40451974Smsmith ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 40551974Smsmith ARG_SET_VALID(ar, ARG_SOCKINFO); 40665245Smsmith} 40751974Smsmith 40865245Smsmithvoid 40952543Smsmithaudit_arg_sockaddr(struct thread *td, struct sockaddr *sa) 410153409Sscottl{ 41165245Smsmith struct kaudit_record *ar; 41251974Smsmith 413153409Sscottl KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 41451974Smsmith KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 41551974Smsmith 41651974Smsmith ar = currecord(); 41751974Smsmith if (ar == NULL) 41851974Smsmith return; 41951974Smsmith 420104094Sphk bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 421192450Simp switch (sa->sa_family) { 42251974Smsmith case AF_INET: 423183397Sed ARG_SET_VALID(ar, ARG_SADDRINET); 424196403Sjhb break; 42551974Smsmith 42665245Smsmith case AF_INET6: 42765245Smsmith ARG_SET_VALID(ar, ARG_SADDRINET6); 42851974Smsmith break; 42951974Smsmith 43051974Smsmith case AF_UNIX: 43151974Smsmith audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path, 432153409Sscottl ARG_UPATH1); 433153409Sscottl ARG_SET_VALID(ar, ARG_SADDRUNIX); 434153409Sscottl break; 435153409Sscottl /* XXXAUDIT: default:? */ 436153409Sscottl } 437153409Sscottl} 438153409Sscottl 439153409Sscottlvoid 440153409Sscottlaudit_arg_auid(uid_t auid) 441153409Sscottl{ 442153409Sscottl struct kaudit_record *ar; 443153409Sscottl 444153409Sscottl ar = currecord(); 445153409Sscottl if (ar == NULL) 446153409Sscottl return; 447153409Sscottl 448153409Sscottl ar->k_ar.ar_arg_auid = auid; 449153409Sscottl ARG_SET_VALID(ar, ARG_AUID); 450153409Sscottl} 451153409Sscottl 452153409Sscottlvoid 453153409Sscottlaudit_arg_auditinfo(struct auditinfo *au_info) 454153409Sscottl{ 455153409Sscottl struct kaudit_record *ar; 456153409Sscottl 457153409Sscottl ar = currecord(); 458153409Sscottl if (ar == NULL) 459153409Sscottl return; 460153409Sscottl 461153409Sscottl ar->k_ar.ar_arg_auid = au_info->ai_auid; 462153409Sscottl ar->k_ar.ar_arg_asid = au_info->ai_asid; 463153409Sscottl ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 464153409Sscottl ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 465153409Sscottl ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 466153409Sscottl ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 467153409Sscottl ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 468153409Sscottl} 469153409Sscottl 470153409Sscottlvoid 471153409Sscottlaudit_arg_text(char *text) 472153409Sscottl{ 47351974Smsmith struct kaudit_record *ar; 47451974Smsmith 47551974Smsmith KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 476104094Sphk 477192450Simp ar = currecord(); 47851974Smsmith if (ar == NULL) 479183397Sed return; 480196403Sjhb 48151974Smsmith /* Invalidate the text string */ 48265245Smsmith ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 48365245Smsmith 48451974Smsmith if (ar->k_ar.ar_arg_text == NULL) 48551974Smsmith ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 48651974Smsmith M_WAITOK); 48751974Smsmith 48851974Smsmith strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 48951974Smsmith ARG_SET_VALID(ar, ARG_TEXT); 49051974Smsmith} 491153409Sscottl 492153409Sscottlvoid 493153409Sscottlaudit_arg_cmd(int cmd) 494153409Sscottl{ 495153409Sscottl struct kaudit_record *ar; 496153409Sscottl 497153409Sscottl ar = currecord(); 498153409Sscottl if (ar == NULL) 499153409Sscottl return; 500153409Sscottl 501153409Sscottl ar->k_ar.ar_arg_cmd = cmd; 502153409Sscottl ARG_SET_VALID(ar, ARG_CMD); 503153409Sscottl} 504153409Sscottl 505153409Sscottlvoid 506153409Sscottlaudit_arg_svipc_cmd(int cmd) 507153409Sscottl{ 508153409Sscottl struct kaudit_record *ar; 509153409Sscottl 510153409Sscottl ar = currecord(); 511153409Sscottl if (ar == NULL) 512153409Sscottl return; 513153409Sscottl 514153409Sscottl ar->k_ar.ar_arg_svipc_cmd = cmd; 515153409Sscottl ARG_SET_VALID(ar, ARG_SVIPC_CMD); 516153409Sscottl} 517196970Sphk 518153409Sscottlvoid 519153409Sscottlaudit_arg_svipc_perm(struct ipc_perm *perm) 520153409Sscottl{ 521153409Sscottl struct kaudit_record *ar; 522153409Sscottl 523153409Sscottl ar = currecord(); 524153409Sscottl if (ar == NULL) 525234501Sjhb return; 526234501Sjhb 527234501Sjhb bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 528234501Sjhb sizeof(ar->k_ar.ar_arg_svipc_perm)); 529234501Sjhb ARG_SET_VALID(ar, ARG_SVIPC_PERM); 530234501Sjhb} 531234501Sjhb 532234501Sjhbvoid 533234501Sjhbaudit_arg_svipc_id(int id) 534234501Sjhb{ 535234501Sjhb struct kaudit_record *ar; 536241228Sjhb 537241228Sjhb ar = currecord(); 538241228Sjhb if (ar == NULL) 539241228Sjhb return; 540234501Sjhb 541234501Sjhb ar->k_ar.ar_arg_svipc_id = id; 542234501Sjhb ARG_SET_VALID(ar, ARG_SVIPC_ID); 543234501Sjhb} 544234501Sjhb 545241228Sjhbvoid 546241228Sjhbaudit_arg_svipc_addr(void * addr) 547241228Sjhb{ 548241228Sjhb struct kaudit_record *ar; 549234501Sjhb 550234501Sjhb ar = currecord(); 551234501Sjhb if (ar == NULL) 552234501Sjhb return; 553234501Sjhb 554234501Sjhb ar->k_ar.ar_arg_svipc_addr = addr; 555234501Sjhb ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 556153409Sscottl} 557153409Sscottl 558192450Simpvoid 559153409Sscottlaudit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 560153409Sscottl{ 561153409Sscottl struct kaudit_record *ar; 562153409Sscottl 563153409Sscottl ar = currecord(); 564153409Sscottl if (ar == NULL) 565153409Sscottl return; 566153409Sscottl 567153409Sscottl ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 568153409Sscottl ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 569153409Sscottl ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 570153409Sscottl ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 571153409Sscottl} 572153409Sscottl 573153409Sscottlvoid 574153409Sscottlaudit_arg_auditon(union auditon_udata *udata) 575153409Sscottl{ 576153409Sscottl struct kaudit_record *ar; 577154370Sscottl 578154370Sscottl ar = currecord(); 579153409Sscottl if (ar == NULL) 580153409Sscottl return; 581153409Sscottl 582153409Sscottl bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 583153409Sscottl sizeof(ar->k_ar.ar_arg_auditon)); 584153409Sscottl ARG_SET_VALID(ar, ARG_AUDITON); 585153409Sscottl} 586153409Sscottl 587153409Sscottl/* 588153409Sscottl * Audit information about a file, either the file's vnode info, or its 589158267Sambrisko * socket address info. 590158267Sambrisko */ 591158267Sambriskovoid 592153409Sscottlaudit_arg_file(struct proc *p, struct file *fp) 593153409Sscottl{ 594153409Sscottl struct kaudit_record *ar; 595153409Sscottl struct socket *so; 596153409Sscottl struct inpcb *pcb; 597153409Sscottl struct vnode *vp; 598153409Sscottl int vfslocked; 599153409Sscottl 600153409Sscottl ar = currecord(); 601153409Sscottl if (ar == NULL) 602153409Sscottl return; 603153409Sscottl 604153409Sscottl switch (fp->f_type) { 605153409Sscottl case DTYPE_VNODE: 606153409Sscottl case DTYPE_FIFO: 607153409Sscottl /* 608153409Sscottl * XXXAUDIT: Only possibly to record as first vnode? 609153409Sscottl */ 610153409Sscottl vp = fp->f_vnode; 611153409Sscottl vfslocked = VFS_LOCK_GIANT(vp->v_mount); 612153409Sscottl vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread); 613153409Sscottl audit_arg_vnode(vp, ARG_VNODE1); 614153409Sscottl VOP_UNLOCK(vp, 0, curthread); 615153409Sscottl VFS_UNLOCK_GIANT(vfslocked); 616153409Sscottl break; 617153409Sscottl 618153409Sscottl case DTYPE_SOCKET: 619153409Sscottl so = (struct socket *)fp->f_data; 620153409Sscottl if (INP_CHECK_SOCKAF(so, PF_INET)) { 621153409Sscottl SOCK_LOCK(so); 622153409Sscottl ar->k_ar.ar_arg_sockinfo.so_type = 623174544Sscottl so->so_type; 624174544Sscottl ar->k_ar.ar_arg_sockinfo.so_domain = 625174544Sscottl INP_SOCKAF(so); 626174544Sscottl ar->k_ar.ar_arg_sockinfo.so_protocol = 627174544Sscottl so->so_proto->pr_protocol; 628174544Sscottl SOCK_UNLOCK(so); 629153409Sscottl pcb = (struct inpcb *)so->so_pcb; 630153409Sscottl INP_LOCK(pcb); 631153409Sscottl ar->k_ar.ar_arg_sockinfo.so_raddr = 632153409Sscottl pcb->inp_faddr.s_addr; 633153409Sscottl ar->k_ar.ar_arg_sockinfo.so_laddr = 634153409Sscottl pcb->inp_laddr.s_addr; 635174194Sscottl ar->k_ar.ar_arg_sockinfo.so_rport = 636153409Sscottl pcb->inp_fport; 637153409Sscottl ar->k_ar.ar_arg_sockinfo.so_lport = 638153409Sscottl pcb->inp_lport; 639153409Sscottl INP_UNLOCK(pcb); 640153409Sscottl ARG_SET_VALID(ar, ARG_SOCKINFO); 641153409Sscottl } 642153409Sscottl break; 643153409Sscottl 644153409Sscottl default: 645174544Sscottl /* XXXAUDIT: else? */ 646153409Sscottl break; 647153409Sscottl } 648153409Sscottl} 649153409Sscottl 650174544Sscottl/* 651174544Sscottl * Store a path as given by the user process for auditing into the audit 652153409Sscottl * record stored on the user thread. This function will allocate the memory 653153409Sscottl * to store the path info if not already available. This memory will be freed 654174544Sscottl * when the audit record is freed. 655153409Sscottl * 656157586Sscottl * XXXAUDIT: Possibly assert that the memory isn't already allocated? 657153409Sscottl */ 658153409Sscottlvoid 659153409Sscottlaudit_arg_upath(struct thread *td, char *upath, u_int64_t flag) 660153409Sscottl{ 661153409Sscottl struct kaudit_record *ar; 662153409Sscottl char **pathp; 663153409Sscottl 664153409Sscottl KASSERT(td != NULL, ("audit_arg_upath: td == NULL")); 665153409Sscottl KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL")); 666153409Sscottl 667153409Sscottl ar = currecord(); 668153409Sscottl if (ar == NULL) 669153409Sscottl return; 670153409Sscottl 671153409Sscottl KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2), 672153409Sscottl ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 673153409Sscottl KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2), 674153409Sscottl ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 675153409Sscottl 676153409Sscottl if (flag == ARG_UPATH1) 677153409Sscottl pathp = &ar->k_ar.ar_arg_upath1; 678153409Sscottl else 679153409Sscottl pathp = &ar->k_ar.ar_arg_upath2; 680153409Sscottl 681153409Sscottl if (*pathp == NULL) 682153409Sscottl *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 683153409Sscottl 684153409Sscottl canon_path(td, upath, *pathp); 685234501Sjhb 686153409Sscottl ARG_SET_VALID(ar, flag); 687175622Sscottl} 688175622Sscottl 689153409Sscottl/* 690153409Sscottl * Function to save the path and vnode attr information into the audit 691153409Sscottl * record. 692153409Sscottl * 693153409Sscottl * It is assumed that the caller will hold any vnode locks necessary to 694153409Sscottl * perform a VOP_GETATTR() on the passed vnode. 695153409Sscottl * 696153409Sscottl * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but 697153409Sscottl * always provides access to the generation number as we need that 698153409Sscottl * to construct the BSM file ID. 699153409Sscottl * XXX: We should accept the process argument from the caller, since 700153409Sscottl * it's very likely they already have a reference. 701153409Sscottl * XXX: Error handling in this function is poor. 702153409Sscottl * 703153409Sscottl * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 704153409Sscottl */ 705153409Sscottlvoid 706153409Sscottlaudit_arg_vnode(struct vnode *vp, u_int64_t flags) 707153409Sscottl{ 708157586Sscottl struct kaudit_record *ar; 709153409Sscottl struct vattr vattr; 710153409Sscottl int error; 711153409Sscottl struct vnode_au_info *vnp; 712153409Sscottl 713153409Sscottl KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL")); 714153409Sscottl KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2), 715234501Sjhb ("audit_arg_vnode: flags %jd", (intmax_t)flags)); 716153409Sscottl 717153409Sscottl /* 718153409Sscottl * Assume that if the caller is calling audit_arg_vnode() on a 719153409Sscottl * non-MPSAFE vnode, then it will have acquired Giant. 720153409Sscottl */ 721153409Sscottl VFS_ASSERT_GIANT(vp->v_mount); 722153409Sscottl ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 723153409Sscottl 724153409Sscottl ar = currecord(); 725153409Sscottl if (ar == NULL) 726153409Sscottl return; 727153409Sscottl 728153409Sscottl /* 729153409Sscottl * XXXAUDIT: The below clears, and then resets the flags for valid 730153409Sscottl * arguments. Ideally, either the new vnode is used, or the old one 731153409Sscottl * would be. 732153409Sscottl */ 733153409Sscottl if (flags & ARG_VNODE1) { 734153409Sscottl ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1); 735153409Sscottl vnp = &ar->k_ar.ar_arg_vnode1; 736153409Sscottl } else { 737153409Sscottl ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2); 738153409Sscottl vnp = &ar->k_ar.ar_arg_vnode2; 739153409Sscottl } 740153409Sscottl 741153409Sscottl error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread); 742153409Sscottl if (error) { 743174194Sscottl /* XXX: How to handle this case? */ 744153409Sscottl return; 745153409Sscottl } 746153409Sscottl 747104094Sphk vnp->vn_mode = vattr.va_mode; 748192450Simp vnp->vn_uid = vattr.va_uid; 74951974Smsmith vnp->vn_gid = vattr.va_gid; 75065245Smsmith vnp->vn_dev = vattr.va_rdev; 751133870Sambrisko vnp->vn_fsid = vattr.va_fsid; 752133870Sambrisko vnp->vn_fileid = vattr.va_fileid; 753133870Sambrisko vnp->vn_gen = vattr.va_gen; 754133870Sambrisko if (flags & ARG_VNODE1) 755133870Sambrisko ARG_SET_VALID(ar, ARG_VNODE1); 756133870Sambrisko else 757133870Sambrisko ARG_SET_VALID(ar, ARG_VNODE2); 758133870Sambrisko} 75965245Smsmith 76065245Smsmith/* 761133870Sambrisko * Audit the argument strings passed to exec. 762234501Sjhb */ 763133870Sambriskovoid 764133870Sambriskoaudit_arg_argv(char *argv, int argc, int length) 765174544Sscottl{ 766143121Sscottl struct kaudit_record *ar; 767153409Sscottl 76865245Smsmith if (audit_argv == 0) 76965245Smsmith return; 77065245Smsmith 771133870Sambrisko ar = currecord(); 772133870Sambrisko if (ar == NULL) 773153409Sscottl return; 774153409Sscottl 775153409Sscottl ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 776153409Sscottl bcopy(argv, ar->k_ar.ar_arg_argv, length); 777153409Sscottl ar->k_ar.ar_arg_argc = argc; 77851974Smsmith ARG_SET_VALID(ar, ARG_ARGV); 77965245Smsmith} 78065245Smsmith 78165245Smsmith/* 782133870Sambrisko * Audit the environment strings passed to exec. 783133870Sambrisko */ 784133870Sambriskovoid 785133870Sambriskoaudit_arg_envv(char *envv, int envc, int length) 786133870Sambrisko{ 787133870Sambrisko struct kaudit_record *ar; 788133870Sambrisko 789133870Sambrisko if (audit_arge == 0) 790133870Sambrisko return; 791133870Sambrisko 792133870Sambrisko ar = currecord(); 793133870Sambrisko if (ar == NULL) 794133870Sambrisko return; 795133870Sambrisko 796133870Sambrisko ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 797133870Sambrisko bcopy(envv, ar->k_ar.ar_arg_envv, length); 79865245Smsmith ar->k_ar.ar_arg_envc = envc; 799133870Sambrisko ARG_SET_VALID(ar, ARG_ENVV); 80065245Smsmith} 80165245Smsmith 802133870Sambrisko/* 803133870Sambrisko * The close() system call uses it's own audit call to capture the path/vnode 804133870Sambrisko * information because those pieces are not easily obtained within the system 805133870Sambrisko * call itself. 806133870Sambrisko */ 807133870Sambriskovoid 808133870Sambriskoaudit_sysclose(struct thread *td, int fd) 80965245Smsmith{ 810153409Sscottl struct kaudit_record *ar; 811153409Sscottl struct vnode *vp; 812158267Sambrisko struct file *fp; 813158267Sambrisko int vfslocked; 814158267Sambrisko 815158267Sambrisko KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 816153409Sscottl 817158267Sambrisko ar = currecord(); 818158267Sambrisko if (ar == NULL) 819158267Sambrisko return; 820158267Sambrisko 821158267Sambrisko audit_arg_fd(fd); 822158267Sambrisko 823158267Sambrisko if (getvnode(td->td_proc->p_fd, fd, &fp) != 0) 824158267Sambrisko return; 825158267Sambrisko 826158267Sambrisko vp = fp->f_vnode; 827158267Sambrisko vfslocked = VFS_LOCK_GIANT(vp->v_mount); 828158267Sambrisko vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 829158267Sambrisko audit_arg_vnode(vp, ARG_VNODE1); 830158267Sambrisko VOP_UNLOCK(vp, 0, td); 831158267Sambrisko VFS_UNLOCK_GIANT(vfslocked); 832158267Sambrisko fdrop(fp, td); 833175622Sscottl} 834158267Sambrisko