audit_arg.c revision 195926
1233294Sstas/*- 2102644Snectar * Copyright (c) 1999-2005 Apple Inc. 357416Smarkm * All rights reserved. 4142403Snectar * 5233294Sstas * Redistribution and use in source and binary forms, with or without 6233294Sstas * modification, are permitted provided that the following conditions 757416Smarkm * are met: 857416Smarkm * 1. Redistributions of source code must retain the above copyright 957416Smarkm * notice, this list of conditions and the following disclaimer. 1057416Smarkm * 2. Redistributions in binary form must reproduce the above copyright 1157416Smarkm * notice, this list of conditions and the following disclaimer in the 1257416Smarkm * documentation and/or other materials provided with the distribution. 1357416Smarkm * 3. Neither the name of Apple Inc. ("Apple") nor the names of 1457416Smarkm * its contributors may be used to endorse or promote products derived 1557416Smarkm * from this software without specific prior written permission. 1690926Snectar * 1790926Snectar * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18233294Sstas * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1990926Snectar * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20233294Sstas * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 2190926Snectar * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22233294Sstas * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2357416Smarkm * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2457416Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25233294Sstas * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 2657416Smarkm * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27233294Sstas * POSSIBILITY OF SUCH DAMAGE. 28102644Snectar */ 29102644Snectar 30102644Snectar#include <sys/cdefs.h> 31127808Snectar__FBSDID("$FreeBSD: head/sys/security/audit/audit_arg.c 195926 2009-07-28 21:52:24Z rwatson $"); 3290926Snectar 33127808Snectar#include <sys/param.h> 3457416Smarkm#include <sys/filedesc.h> 3557416Smarkm#include <sys/ipc.h> 3657416Smarkm#include <sys/mount.h> 3757416Smarkm#include <sys/proc.h> 3857416Smarkm#include <sys/socket.h> 3957416Smarkm#include <sys/socketvar.h> 40178825Sdfr#include <sys/protosw.h> 4157416Smarkm#include <sys/domain.h> 42142403Snectar#include <sys/sbuf.h> 43142403Snectar#include <sys/systm.h> 44142403Snectar#include <sys/un.h> 45142403Snectar#include <sys/vnode.h> 46142403Snectar 47142403Snectar#include <netinet/in.h> 48233294Sstas#include <netinet/in_pcb.h> 49142403Snectar 50142403Snectar#include <security/audit/audit.h> 51142403Snectar#include <security/audit/audit_private.h> 52142403Snectar 53142403Snectar/* 54142403Snectar * Calls to manipulate elements of the audit record structure from system 55142403Snectar * call code. Macro wrappers will prevent this functions from being entered 56142403Snectar * if auditing is disabled, avoiding the function call cost. We check the 57142403Snectar * thread audit record pointer anyway, as the audit condition could change, 58142403Snectar * and pre-selection may not have allocated an audit record for this event. 59142403Snectar * 60142403Snectar * XXXAUDIT: Should we assert, in each case, that this field of the record 61142403Snectar * hasn't already been filled in? 62142403Snectar */ 63233294Sstasvoid 64142403Snectaraudit_arg_addr(void *addr) 65142403Snectar{ 66142403Snectar struct kaudit_record *ar; 67142403Snectar 68178825Sdfr ar = currecord(); 69142403Snectar if (ar == NULL) 70142403Snectar return; 71142403Snectar 72142403Snectar ar->k_ar.ar_arg_addr = addr; 73142403Snectar ARG_SET_VALID(ar, ARG_ADDR); 74142403Snectar} 75142403Snectar 76142403Snectarvoid 77233294Sstasaudit_arg_exit(int status, int retval) 78233294Sstas{ 79233294Sstas struct kaudit_record *ar; 80233294Sstas 81233294Sstas ar = currecord(); 82233294Sstas if (ar == NULL) 83178825Sdfr return; 84178825Sdfr 85178825Sdfr ar->k_ar.ar_arg_exitstatus = status; 86178825Sdfr ar->k_ar.ar_arg_exitretval = retval; 87178825Sdfr ARG_SET_VALID(ar, ARG_EXIT); 88178825Sdfr} 89178825Sdfr 90233294Sstasvoid 91142403Snectaraudit_arg_len(int len) 92142403Snectar{ 93178825Sdfr struct kaudit_record *ar; 94142403Snectar 95142403Snectar ar = currecord(); 96233294Sstas if (ar == NULL) 97142403Snectar return; 98142403Snectar 99142403Snectar ar->k_ar.ar_arg_len = len; 100142403Snectar ARG_SET_VALID(ar, ARG_LEN); 101178825Sdfr} 102178825Sdfr 103178825Sdfrvoid 104178825Sdfraudit_arg_atfd1(int atfd) 105178825Sdfr{ 106178825Sdfr struct kaudit_record *ar; 107178825Sdfr 108233294Sstas ar = currecord(); 109233294Sstas if (ar == NULL) 110233294Sstas return; 111142403Snectar 112142403Snectar ar->k_ar.ar_arg_atfd1 = atfd; 113142403Snectar ARG_SET_VALID(ar, ARG_ATFD1); 114142403Snectar} 115233294Sstas 116233294Sstasvoid 117233294Sstasaudit_arg_atfd2(int atfd) 118233294Sstas{ 119233294Sstas struct kaudit_record *ar; 120233294Sstas 121233294Sstas ar = currecord(); 122233294Sstas if (ar == NULL) 123233294Sstas return; 124233294Sstas 125233294Sstas ar->k_ar.ar_arg_atfd2 = atfd; 126233294Sstas ARG_SET_VALID(ar, ARG_ATFD2); 127233294Sstas} 128233294Sstas 129233294Sstasvoid 130233294Sstasaudit_arg_fd(int fd) 131233294Sstas{ 132233294Sstas struct kaudit_record *ar; 133233294Sstas 134233294Sstas ar = currecord(); 135233294Sstas if (ar == NULL) 136233294Sstas return; 137233294Sstas 138233294Sstas ar->k_ar.ar_arg_fd = fd; 139233294Sstas ARG_SET_VALID(ar, ARG_FD); 140127808Snectar} 14157416Smarkm 14272445Sassarvoid 143127808Snectaraudit_arg_fflags(int fflags) 144233294Sstas{ 145233294Sstas struct kaudit_record *ar; 146127808Snectar 147127808Snectar ar = currecord(); 148127808Snectar if (ar == NULL) 14957416Smarkm return; 15057416Smarkm 151233294Sstas ar->k_ar.ar_arg_fflags = fflags; 152233294Sstas ARG_SET_VALID(ar, ARG_FFLAGS); 15357416Smarkm} 15457416Smarkm 15557416Smarkmvoid 156233294Sstasaudit_arg_gid(gid_t gid) 157127808Snectar{ 15890926Snectar struct kaudit_record *ar; 15972445Sassar 160127808Snectar ar = currecord(); 161127808Snectar if (ar == NULL) 162233294Sstas return; 16357416Smarkm 164127808Snectar ar->k_ar.ar_arg_gid = gid; 165233294Sstas ARG_SET_VALID(ar, ARG_GID); 16690926Snectar} 167178825Sdfr 168178825Sdfrvoid 16972445Sassaraudit_arg_uid(uid_t uid) 170233294Sstas{ 171233294Sstas struct kaudit_record *ar; 172233294Sstas 173127808Snectar ar = currecord(); 174127808Snectar if (ar == NULL) 175127808Snectar return; 176127808Snectar 177127808Snectar ar->k_ar.ar_arg_uid = uid; 178233294Sstas ARG_SET_VALID(ar, ARG_UID); 179178825Sdfr} 18057416Smarkm 18172445Sassarvoid 182178825Sdfraudit_arg_egid(gid_t egid) 183127808Snectar{ 184127808Snectar struct kaudit_record *ar; 185233294Sstas 186233294Sstas ar = currecord(); 187127808Snectar if (ar == NULL) 188127808Snectar return; 189233294Sstas 190178825Sdfr ar->k_ar.ar_arg_egid = egid; 191127808Snectar ARG_SET_VALID(ar, ARG_EGID); 192127808Snectar} 193127808Snectar 19490926Snectarvoid 195233294Sstasaudit_arg_euid(uid_t euid) 196127808Snectar{ 197178825Sdfr struct kaudit_record *ar; 19857416Smarkm 199102644Snectar ar = currecord(); 200102644Snectar if (ar == NULL) 201178825Sdfr return; 202127808Snectar 203127808Snectar ar->k_ar.ar_arg_euid = euid; 20457416Smarkm ARG_SET_VALID(ar, ARG_EUID); 20557416Smarkm} 20690926Snectar 207127808Snectarvoid 208127808Snectaraudit_arg_rgid(gid_t rgid) 209127808Snectar{ 210127808Snectar struct kaudit_record *ar; 211127808Snectar 21290926Snectar ar = currecord(); 21390926Snectar if (ar == NULL) 21490926Snectar return; 215127808Snectar 216127808Snectar ar->k_ar.ar_arg_rgid = rgid; 217127808Snectar ARG_SET_VALID(ar, ARG_RGID); 218127808Snectar} 219233294Sstas 220127808Snectarvoid 221127808Snectaraudit_arg_ruid(uid_t ruid) 222233294Sstas{ 223178825Sdfr struct kaudit_record *ar; 224127808Snectar 225127808Snectar ar = currecord(); 226127808Snectar if (ar == NULL) 227127808Snectar return; 228127808Snectar 229127808Snectar ar->k_ar.ar_arg_ruid = ruid; 230127808Snectar ARG_SET_VALID(ar, ARG_RUID); 231127808Snectar} 232178825Sdfr 233178825Sdfrvoid 234178825Sdfraudit_arg_sgid(gid_t sgid) 235178825Sdfr{ 236127808Snectar struct kaudit_record *ar; 237127808Snectar 23857416Smarkm ar = currecord(); 239127808Snectar if (ar == NULL) 240233294Sstas return; 241233294Sstas 242127808Snectar ar->k_ar.ar_arg_sgid = sgid; 243127808Snectar ARG_SET_VALID(ar, ARG_SGID); 244127808Snectar} 245127808Snectar 246127808Snectarvoid 24757416Smarkmaudit_arg_suid(uid_t suid) 248127808Snectar{ 249127808Snectar struct kaudit_record *ar; 250178825Sdfr 251127808Snectar ar = currecord(); 252127808Snectar if (ar == NULL) 25357416Smarkm return; 25457416Smarkm 255127808Snectar ar->k_ar.ar_arg_suid = suid; 256127808Snectar ARG_SET_VALID(ar, ARG_SUID); 257233294Sstas} 258127808Snectar 259127808Snectarvoid 260233294Sstasaudit_arg_groupset(gid_t *gidset, u_int gidset_size) 26157416Smarkm{ 26257416Smarkm u_int i; 263120945Snectar struct kaudit_record *ar; 264127808Snectar 265233294Sstas KASSERT(gidset_size <= NGROUPS, 266178825Sdfr ("audit_arg_groupset: gidset_size > NGROUPS")); 267233294Sstas 268233294Sstas ar = currecord(); 269233294Sstas if (ar == NULL) 27057416Smarkm return; 271233294Sstas 272127808Snectar if (ar->k_ar.ar_arg_groups.gidset == NULL) 273233294Sstas ar->k_ar.ar_arg_groups.gidset = malloc( 274233294Sstas sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK); 27557416Smarkm 276127808Snectar for (i = 0; i < gidset_size; i++) 277127808Snectar ar->k_ar.ar_arg_groups.gidset[i] = gidset[i]; 278127808Snectar ar->k_ar.ar_arg_groups.gidset_size = gidset_size; 279127808Snectar ARG_SET_VALID(ar, ARG_GROUPSET); 280233294Sstas} 281127808Snectar 282127808Snectarvoid 283233294Sstasaudit_arg_login(char *login) 284233294Sstas{ 285233294Sstas struct kaudit_record *ar; 286233294Sstas 28757416Smarkm ar = currecord(); 288233294Sstas if (ar == NULL) 289127808Snectar return; 290127808Snectar 291233294Sstas strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME); 292233294Sstas ARG_SET_VALID(ar, ARG_LOGIN); 293102644Snectar} 29457416Smarkm 295178825Sdfrvoid 29657416Smarkmaudit_arg_ctlname(int *name, int namelen) 29757416Smarkm{ 29857416Smarkm struct kaudit_record *ar; 299178825Sdfr 30090926Snectar ar = currecord(); 30190926Snectar if (ar == NULL) 30290926Snectar return; 30390926Snectar 30457416Smarkm bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int)); 305178825Sdfr ar->k_ar.ar_arg_len = namelen; 306178825Sdfr ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN); 307178825Sdfr} 308178825Sdfr 309178825Sdfrvoid 310233294Sstasaudit_arg_mask(int mask) 311127808Snectar{ 312233294Sstas struct kaudit_record *ar; 313233294Sstas 314127808Snectar ar = currecord(); 315233294Sstas if (ar == NULL) 316178825Sdfr return; 317178825Sdfr 318127808Snectar ar->k_ar.ar_arg_mask = mask; 319127808Snectar ARG_SET_VALID(ar, ARG_MASK); 320127808Snectar} 321127808Snectar 322127808Snectarvoid 323127808Snectaraudit_arg_mode(mode_t mode) 324178825Sdfr{ 325127808Snectar struct kaudit_record *ar; 326178825Sdfr 327178825Sdfr ar = currecord(); 328102644Snectar if (ar == NULL) 329102644Snectar return; 330102644Snectar 331178825Sdfr ar->k_ar.ar_arg_mode = mode; 332127808Snectar ARG_SET_VALID(ar, ARG_MODE); 333127808Snectar} 334127808Snectar 335127808Snectarvoid 336127808Snectaraudit_arg_dev(int dev) 337127808Snectar{ 338178825Sdfr struct kaudit_record *ar; 339127808Snectar 340127808Snectar ar = currecord(); 34172445Sassar if (ar == NULL) 342127808Snectar return; 343127808Snectar 344178825Sdfr ar->k_ar.ar_arg_dev = dev; 345127808Snectar ARG_SET_VALID(ar, ARG_DEV); 346127808Snectar} 347142403Snectar 348127808Snectarvoid 349178825Sdfraudit_arg_value(long value) 350127808Snectar{ 351127808Snectar struct kaudit_record *ar; 352178825Sdfr 353127808Snectar ar = currecord(); 354127808Snectar if (ar == NULL) 355178825Sdfr return; 356233294Sstas 357127808Snectar ar->k_ar.ar_arg_value = value; 358127808Snectar ARG_SET_VALID(ar, ARG_VALUE); 359233294Sstas} 360178825Sdfr 361178825Sdfrvoid 362233294Sstasaudit_arg_owner(uid_t uid, gid_t gid) 363233294Sstas{ 364233294Sstas struct kaudit_record *ar; 365102644Snectar 36690926Snectar ar = currecord(); 36772445Sassar if (ar == NULL) 36857416Smarkm return; 369233294Sstas 37057416Smarkm ar->k_ar.ar_arg_uid = uid; 37157416Smarkm ar->k_ar.ar_arg_gid = gid; 37257416Smarkm ARG_SET_VALID(ar, ARG_UID | ARG_GID); 37357416Smarkm} 37457416Smarkm 37557416Smarkmvoid 376233294Sstasaudit_arg_pid(pid_t pid) 37757416Smarkm{ 378120945Snectar struct kaudit_record *ar; 37990926Snectar 38072445Sassar ar = currecord(); 38157416Smarkm if (ar == NULL) 38290926Snectar return; 383233294Sstas 38490926Snectar ar->k_ar.ar_arg_pid = pid; 38557416Smarkm ARG_SET_VALID(ar, ARG_PID); 386233294Sstas} 38790926Snectar 38857416Smarkmvoid 38957416Smarkmaudit_arg_process(struct proc *p) 390233294Sstas{ 391142403Snectar struct kaudit_record *ar; 392142403Snectar struct ucred *cred; 393142403Snectar 394142403Snectar KASSERT(p != NULL, ("audit_arg_process: p == NULL")); 395233294Sstas 396233294Sstas PROC_LOCK_ASSERT(p, MA_OWNED); 397142403Snectar 398142403Snectar ar = currecord(); 399142403Snectar if (ar == NULL) 400233294Sstas return; 401233294Sstas 402233294Sstas cred = p->p_ucred; 403142403Snectar ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid; 404142403Snectar ar->k_ar.ar_arg_euid = cred->cr_uid; 405142403Snectar ar->k_ar.ar_arg_egid = cred->cr_groups[0]; 406142403Snectar ar->k_ar.ar_arg_ruid = cred->cr_ruid; 407142403Snectar ar->k_ar.ar_arg_rgid = cred->cr_rgid; 408142403Snectar ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid; 409142403Snectar ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid; 410142403Snectar ar->k_ar.ar_arg_pid = p->p_pid; 411142403Snectar ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID | 41257416Smarkm ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS); 413142403Snectar} 414142403Snectar 415142403Snectarvoid 416142403Snectaraudit_arg_signum(u_int signum) 417142403Snectar{ 418142403Snectar struct kaudit_record *ar; 419142403Snectar 420233294Sstas ar = currecord(); 421142403Snectar if (ar == NULL) 42290926Snectar return; 42390926Snectar 42457416Smarkm ar->k_ar.ar_arg_signum = signum; 42590926Snectar ARG_SET_VALID(ar, ARG_SIGNUM); 42690926Snectar} 42757416Smarkm 42857416Smarkmvoid 42957416Smarkmaudit_arg_socket(int sodomain, int sotype, int soprotocol) 43057416Smarkm{ 43157416Smarkm struct kaudit_record *ar; 43257416Smarkm 43357416Smarkm ar = currecord(); 43490926Snectar if (ar == NULL) 435233294Sstas return; 436178825Sdfr 437178825Sdfr ar->k_ar.ar_arg_sockinfo.so_domain = sodomain; 438178825Sdfr ar->k_ar.ar_arg_sockinfo.so_type = sotype; 439178825Sdfr ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol; 440178825Sdfr ARG_SET_VALID(ar, ARG_SOCKINFO); 441178825Sdfr} 44257416Smarkm 44357416Smarkmvoid 44457416Smarkmaudit_arg_sockaddr(struct thread *td, struct sockaddr *sa) 44557416Smarkm{ 44657416Smarkm struct kaudit_record *ar; 44757416Smarkm 44857416Smarkm KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL")); 44957416Smarkm KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL")); 45057416Smarkm 45157416Smarkm ar = currecord(); 452233294Sstas if (ar == NULL) 453178825Sdfr return; 45457416Smarkm 45557416Smarkm bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len); 45657416Smarkm switch (sa->sa_family) { 45757416Smarkm case AF_INET: 45857416Smarkm ARG_SET_VALID(ar, ARG_SADDRINET); 459178825Sdfr break; 460233294Sstas 461178825Sdfr case AF_INET6: 462178825Sdfr ARG_SET_VALID(ar, ARG_SADDRINET6); 463178825Sdfr break; 464178825Sdfr 465178825Sdfr case AF_UNIX: 466178825Sdfr audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path, 46757416Smarkm ARG_UPATH1); 46878527Sassar ARG_SET_VALID(ar, ARG_SADDRUNIX); 46978527Sassar break; 47078527Sassar /* XXXAUDIT: default:? */ 47178527Sassar } 47278527Sassar} 47378527Sassar 47478527Sassarvoid 47578527Sassaraudit_arg_auid(uid_t auid) 47657416Smarkm{ 47778527Sassar struct kaudit_record *ar; 47857416Smarkm 47957416Smarkm ar = currecord(); 48057416Smarkm if (ar == NULL) 48157416Smarkm return; 48257416Smarkm 48357416Smarkm ar->k_ar.ar_arg_auid = auid; 48457416Smarkm ARG_SET_VALID(ar, ARG_AUID); 48557416Smarkm} 486233294Sstas 487178825Sdfrvoid 48857416Smarkmaudit_arg_auditinfo(struct auditinfo *au_info) 48957416Smarkm{ 49057416Smarkm struct kaudit_record *ar; 491233294Sstas 49257416Smarkm ar = currecord(); 493127808Snectar if (ar == NULL) 494127808Snectar return; 495233294Sstas 496127808Snectar ar->k_ar.ar_arg_auid = au_info->ai_auid; 49757416Smarkm ar->k_ar.ar_arg_asid = au_info->ai_asid; 49872445Sassar ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 499102644Snectar ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 50072445Sassar ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port; 50172445Sassar ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine; 50272445Sassar ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID); 503233294Sstas} 504233294Sstas 505102644Snectarvoid 506142403Snectaraudit_arg_auditinfo_addr(struct auditinfo_addr *au_info) 50757416Smarkm{ 50872445Sassar struct kaudit_record *ar; 50972445Sassar 510233294Sstas ar = currecord(); 51157416Smarkm if (ar == NULL) 512178825Sdfr return; 513127808Snectar 514178825Sdfr ar->k_ar.ar_arg_auid = au_info->ai_auid; 515127808Snectar ar->k_ar.ar_arg_asid = au_info->ai_asid; 516127808Snectar ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success; 517178825Sdfr ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure; 518127808Snectar ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type; 51957416Smarkm ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port; 52090926Snectar ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0]; 521178825Sdfr ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1]; 522233294Sstas ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2]; 52390926Snectar ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3]; 52457416Smarkm ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR); 525102644Snectar} 52672445Sassar 52772445Sassarvoid 52872445Sassaraudit_arg_text(char *text) 529233294Sstas{ 530233294Sstas struct kaudit_record *ar; 531233294Sstas 532233294Sstas KASSERT(text != NULL, ("audit_arg_text: text == NULL")); 533178825Sdfr 534233294Sstas ar = currecord(); 535233294Sstas if (ar == NULL) 536233294Sstas return; 537233294Sstas 538233294Sstas /* Invalidate the text string */ 539233294Sstas ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); 540233294Sstas 541178825Sdfr if (ar->k_ar.ar_arg_text == NULL) 542127808Snectar ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, 543127808Snectar M_WAITOK); 544127808Snectar 545127808Snectar strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN); 546127808Snectar ARG_SET_VALID(ar, ARG_TEXT); 547127808Snectar} 548127808Snectar 549233294Sstasvoid 550233294Sstasaudit_arg_cmd(int cmd) 551233294Sstas{ 552127808Snectar struct kaudit_record *ar; 553233294Sstas 554127808Snectar ar = currecord(); 55578527Sassar if (ar == NULL) 556102644Snectar return; 557233294Sstas 558233294Sstas ar->k_ar.ar_arg_cmd = cmd; 55978527Sassar ARG_SET_VALID(ar, ARG_CMD); 56057416Smarkm} 561127808Snectar 56257416Smarkmvoid 56357416Smarkmaudit_arg_svipc_cmd(int cmd) 564178825Sdfr{ 565178825Sdfr struct kaudit_record *ar; 566178825Sdfr 567178825Sdfr ar = currecord(); 568178825Sdfr if (ar == NULL) 569178825Sdfr return; 570178825Sdfr 571178825Sdfr ar->k_ar.ar_arg_svipc_cmd = cmd; 572178825Sdfr ARG_SET_VALID(ar, ARG_SVIPC_CMD); 573178825Sdfr} 574178825Sdfr 575178825Sdfrvoid 576102644Snectaraudit_arg_svipc_perm(struct ipc_perm *perm) 57757416Smarkm{ 578178825Sdfr struct kaudit_record *ar; 579233294Sstas 580233294Sstas ar = currecord(); 581233294Sstas if (ar == NULL) 582102644Snectar return; 583233294Sstas 584233294Sstas bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, 585102644Snectar sizeof(ar->k_ar.ar_arg_svipc_perm)); 586233294Sstas ARG_SET_VALID(ar, ARG_SVIPC_PERM); 58757416Smarkm} 588233294Sstas 589233294Sstasvoid 59072445Sassaraudit_arg_svipc_id(int id) 59157416Smarkm{ 59257416Smarkm struct kaudit_record *ar; 593233294Sstas 59457416Smarkm ar = currecord(); 595142403Snectar if (ar == NULL) 596178825Sdfr return; 59757416Smarkm 598233294Sstas ar->k_ar.ar_arg_svipc_id = id; 599233294Sstas ARG_SET_VALID(ar, ARG_SVIPC_ID); 600233294Sstas} 601233294Sstas 602233294Sstasvoid 603233294Sstasaudit_arg_svipc_addr(void * addr) 604233294Sstas{ 605233294Sstas struct kaudit_record *ar; 606233294Sstas 607233294Sstas ar = currecord(); 608233294Sstas if (ar == NULL) 609233294Sstas return; 610233294Sstas 61190926Snectar ar->k_ar.ar_arg_svipc_addr = addr; 612233294Sstas ARG_SET_VALID(ar, ARG_SVIPC_ADDR); 613233294Sstas} 614178825Sdfr 615178825Sdfrvoid 616233294Sstasaudit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode) 61790926Snectar{ 61857416Smarkm struct kaudit_record *ar; 61957416Smarkm 62057416Smarkm ar = currecord(); 62190926Snectar if (ar == NULL) 622127808Snectar return; 62390926Snectar 62457416Smarkm ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid; 62557416Smarkm ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid; 62657416Smarkm ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode; 62790926Snectar ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM); 62890926Snectar} 62990926Snectar 63090926Snectarvoid 63157416Smarkmaudit_arg_auditon(union auditon_udata *udata) 63257416Smarkm{ 63390926Snectar struct kaudit_record *ar; 63457416Smarkm 63557416Smarkm ar = currecord(); 63657416Smarkm if (ar == NULL) 63790926Snectar return; 63890926Snectar 63957416Smarkm bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, 64090926Snectar sizeof(ar->k_ar.ar_arg_auditon)); 641127808Snectar ARG_SET_VALID(ar, ARG_AUDITON); 64290926Snectar} 64390926Snectar 64457416Smarkm/* 64557416Smarkm * Audit information about a file, either the file's vnode info, or its 64657416Smarkm * socket address info. 64757416Smarkm */ 64857416Smarkmvoid 649178825Sdfraudit_arg_file(struct proc *p, struct file *fp) 650233294Sstas{ 65157416Smarkm struct kaudit_record *ar; 65257416Smarkm struct socket *so; 65390926Snectar struct inpcb *pcb; 65490926Snectar struct vnode *vp; 65590926Snectar int vfslocked; 65657416Smarkm 65790926Snectar ar = currecord(); 65857416Smarkm if (ar == NULL) 65990926Snectar return; 660127808Snectar 661178825Sdfr switch (fp->f_type) { 66257416Smarkm case DTYPE_VNODE: 66390926Snectar case DTYPE_FIFO: 66457416Smarkm /* 66590926Snectar * XXXAUDIT: Only possibly to record as first vnode? 66657416Smarkm */ 667142403Snectar vp = fp->f_vnode; 668142403Snectar vfslocked = VFS_LOCK_GIANT(vp->v_mount); 669233294Sstas vn_lock(vp, LK_SHARED | LK_RETRY); 670233294Sstas audit_arg_vnode1(vp); 67190926Snectar VOP_UNLOCK(vp, 0); 67257416Smarkm VFS_UNLOCK_GIANT(vfslocked); 67390926Snectar break; 67490926Snectar 675120945Snectar case DTYPE_SOCKET: 676120945Snectar so = (struct socket *)fp->f_data; 677120945Snectar if (INP_CHECK_SOCKAF(so, PF_INET)) { 678178825Sdfr SOCK_LOCK(so); 679178825Sdfr ar->k_ar.ar_arg_sockinfo.so_type = 680233294Sstas so->so_type; 681233294Sstas ar->k_ar.ar_arg_sockinfo.so_domain = 68290926Snectar INP_SOCKAF(so); 68390926Snectar ar->k_ar.ar_arg_sockinfo.so_protocol = 68490926Snectar so->so_proto->pr_protocol; 685178825Sdfr SOCK_UNLOCK(so); 686178825Sdfr pcb = (struct inpcb *)so->so_pcb; 687233294Sstas INP_RLOCK(pcb); 688233294Sstas ar->k_ar.ar_arg_sockinfo.so_raddr = 68990926Snectar pcb->inp_faddr.s_addr; 69090926Snectar ar->k_ar.ar_arg_sockinfo.so_laddr = 691233294Sstas pcb->inp_laddr.s_addr; 692233294Sstas ar->k_ar.ar_arg_sockinfo.so_rport = 69390926Snectar pcb->inp_fport; 69490926Snectar ar->k_ar.ar_arg_sockinfo.so_lport = 695178825Sdfr pcb->inp_lport; 696178825Sdfr INP_RUNLOCK(pcb); 697233294Sstas ARG_SET_VALID(ar, ARG_SOCKINFO); 698233294Sstas } 699178825Sdfr break; 700178825Sdfr 701233294Sstas default: 702233294Sstas /* XXXAUDIT: else? */ 70390926Snectar break; 70490926Snectar } 70557416Smarkm} 706127808Snectar 70790926Snectar/* 70857416Smarkm * Store a path as given by the user process for auditing into the audit 70990926Snectar * record stored on the user thread. This function will allocate the memory 71057416Smarkm * to store the path info if not already available. This memory will be 71190926Snectar * freed when the audit record is freed. 71290926Snectar * 713127808Snectar * XXXAUDIT: Possibly assert that the memory isn't already allocated? 714127808Snectar */ 715127808Snectarvoid 716127808Snectaraudit_arg_upath(struct thread *td, char *upath, u_int64_t flag) 717127808Snectar{ 718127808Snectar struct kaudit_record *ar; 719127808Snectar char **pathp; 720127808Snectar 721178825Sdfr KASSERT(td != NULL, ("audit_arg_upath: td == NULL")); 722178825Sdfr KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL")); 723178825Sdfr 724233294Sstas ar = currecord(); 725233294Sstas if (ar == NULL) 726233294Sstas return; 72790926Snectar 728178825Sdfr KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2), 729178825Sdfr ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 730178825Sdfr KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2), 731178825Sdfr ("audit_arg_upath: flag %llu", (unsigned long long)flag)); 732178825Sdfr 733178825Sdfr if (flag == ARG_UPATH1) 734178825Sdfr pathp = &ar->k_ar.ar_arg_upath1; 735178825Sdfr else 736178825Sdfr pathp = &ar->k_ar.ar_arg_upath2; 737178825Sdfr 738178825Sdfr if (*pathp == NULL) 739178825Sdfr *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); 740178825Sdfr 741178825Sdfr audit_canon_path(td, upath, *pathp); 74290926Snectar 74390926Snectar ARG_SET_VALID(ar, flag); 74457416Smarkm} 74557416Smarkm 74657416Smarkm/* 74757416Smarkm * Function to save the path and vnode attr information into the audit 74857416Smarkm * record. 74972445Sassar * 75072445Sassar * It is assumed that the caller will hold any vnode locks necessary to 75172445Sassar * perform a VOP_GETATTR() on the passed vnode. 75272445Sassar * 75357416Smarkm * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always 75457416Smarkm * provides access to the generation number as we need that to construct the 75557416Smarkm * BSM file ID. 756178825Sdfr * 757178825Sdfr * XXX: We should accept the process argument from the caller, since it's 75857416Smarkm * very likely they already have a reference. 75957416Smarkm * 76057416Smarkm * XXX: Error handling in this function is poor. 76157416Smarkm * 76257416Smarkm * XXXAUDIT: Possibly KASSERT the path pointer is NULL? 76357416Smarkm */ 76472445Sassarstatic int 76572445Sassaraudit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp) 76657416Smarkm{ 767178825Sdfr struct vattr vattr; 768178825Sdfr int error; 769178825Sdfr 770178825Sdfr /* 771178825Sdfr * Assume that if the caller is calling audit_arg_vnode() on a 772178825Sdfr * non-MPSAFE vnode, then it will have acquired Giant. 773178825Sdfr */ 774178825Sdfr VFS_ASSERT_GIANT(vp->v_mount); 775178825Sdfr ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); 776178825Sdfr 777178825Sdfr error = VOP_GETATTR(vp, &vattr, curthread->td_ucred); 77857416Smarkm if (error) { 77957416Smarkm /* XXX: How to handle this case? */ 78057416Smarkm return (error); 781102644Snectar } 782102644Snectar 783178825Sdfr vnp->vn_mode = vattr.va_mode; 784178825Sdfr vnp->vn_uid = vattr.va_uid; 785102644Snectar vnp->vn_gid = vattr.va_gid; 786102644Snectar vnp->vn_dev = vattr.va_rdev; 787102644Snectar vnp->vn_fsid = vattr.va_fsid; 788102644Snectar vnp->vn_fileid = vattr.va_fileid; 789102644Snectar vnp->vn_gen = vattr.va_gen; 790102644Snectar return (0); 791178825Sdfr} 792102644Snectar 793102644Snectarvoid 794102644Snectaraudit_arg_vnode1(struct vnode *vp) 795102644Snectar{ 796102644Snectar struct kaudit_record *ar; 797102644Snectar int error; 798102644Snectar 799102644Snectar ar = currecord(); 800102644Snectar if (ar == NULL) 801102644Snectar return; 802102644Snectar 803102644Snectar ARG_CLEAR_VALID(ar, ARG_VNODE1); 804102644Snectar error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1); 805102644Snectar if (error == 0) 806102644Snectar ARG_SET_VALID(ar, ARG_VNODE1); 807178825Sdfr} 808102644Snectar 809102644Snectarvoid 810102644Snectaraudit_arg_vnode2(struct vnode *vp) 811102644Snectar{ 812233294Sstas struct kaudit_record *ar; 813233294Sstas int error; 814233294Sstas 81557416Smarkm ar = currecord(); 81657416Smarkm if (ar == NULL) 81757416Smarkm return; 81857416Smarkm 81957416Smarkm ARG_CLEAR_VALID(ar, ARG_VNODE2); 82057416Smarkm error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2); 82157416Smarkm if (error == 0) 82257416Smarkm ARG_SET_VALID(ar, ARG_VNODE2); 82357416Smarkm} 82457416Smarkm 82557416Smarkm/* 82657416Smarkm * Audit the argument strings passed to exec. 82757416Smarkm */ 82857416Smarkmvoid 82957416Smarkmaudit_arg_argv(char *argv, int argc, int length) 83057416Smarkm{ 83157416Smarkm struct kaudit_record *ar; 83257416Smarkm 83357416Smarkm if (audit_argv == 0) 83457416Smarkm return; 83557416Smarkm 83657416Smarkm ar = currecord(); 83757416Smarkm if (ar == NULL) 83857416Smarkm return; 83957416Smarkm 84057416Smarkm ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK); 84157416Smarkm bcopy(argv, ar->k_ar.ar_arg_argv, length); 84257416Smarkm ar->k_ar.ar_arg_argc = argc; 84357416Smarkm ARG_SET_VALID(ar, ARG_ARGV); 84457416Smarkm} 84557416Smarkm 84657416Smarkm/* 84757416Smarkm * Audit the environment strings passed to exec. 84857416Smarkm */ 84957416Smarkmvoid 85057416Smarkmaudit_arg_envv(char *envv, int envc, int length) 85157416Smarkm{ 85257416Smarkm struct kaudit_record *ar; 85357416Smarkm 85457416Smarkm if (audit_arge == 0) 85557416Smarkm return; 85657416Smarkm 85757416Smarkm ar = currecord(); 85857416Smarkm if (ar == NULL) 85957416Smarkm return; 86057416Smarkm 86157416Smarkm ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK); 86257416Smarkm bcopy(envv, ar->k_ar.ar_arg_envv, length); 86357416Smarkm ar->k_ar.ar_arg_envc = envc; 86457416Smarkm ARG_SET_VALID(ar, ARG_ENVV); 86557416Smarkm} 86657416Smarkm 86757416Smarkm/* 86857416Smarkm * The close() system call uses it's own audit call to capture the path/vnode 86957416Smarkm * information because those pieces are not easily obtained within the system 87057416Smarkm * call itself. 87157416Smarkm */ 87257416Smarkmvoid 87357416Smarkmaudit_sysclose(struct thread *td, int fd) 87457416Smarkm{ 87557416Smarkm struct kaudit_record *ar; 87657416Smarkm struct vnode *vp; 87757416Smarkm struct file *fp; 87857416Smarkm int vfslocked; 87972445Sassar 880178825Sdfr KASSERT(td != NULL, ("audit_sysclose: td == NULL")); 88157416Smarkm 882178825Sdfr ar = currecord(); 883178825Sdfr if (ar == NULL) 884178825Sdfr return; 885120945Snectar 886178825Sdfr audit_arg_fd(fd); 88757416Smarkm 88857416Smarkm if (getvnode(td->td_proc->p_fd, fd, &fp) != 0) 88957416Smarkm return; 89057416Smarkm 89157416Smarkm vp = fp->f_vnode; 89257416Smarkm vfslocked = VFS_LOCK_GIANT(vp->v_mount); 893178825Sdfr vn_lock(vp, LK_SHARED | LK_RETRY); 894178825Sdfr audit_arg_vnode1(vp); 895178825Sdfr VOP_UNLOCK(vp, 0); 896178825Sdfr VFS_UNLOCK_GIANT(vfslocked); 897178825Sdfr fdrop(fp, td); 898178825Sdfr} 899178825Sdfr