mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-12 09:58:36 +00:00
Code Issues Releases Activity

Merge Perforce change 93581 from TrustedBSD audit3 branch:

Browse Source 
Mega-style patch.

Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2006-03-19 17:34:00 +00:00
parent 08e57af45b
commit 871499fef5
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=156889
9 changed files with 542 additions and 527 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
sys/security/audit/audit.c
View File

@ -76,43 +76,43 @@ MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
/*
* Audit control settings that are set/read by system calls and are
* Audit control settings that are set/read by system calls and are
* hence non-static.
*/
/*
/*
* Define the audit control flags.
*/
int audit_enabled;
int audit_suspended;
int audit_enabled;
int audit_suspended;
/*
* Flags controlling behavior in low storage situations.
* Should we panic if a write fails? Should we fail stop
* if we're out of disk space?
*/
int audit_panic_on_write_fail;
int audit_fail_stop;
int audit_panic_on_write_fail;
int audit_fail_stop;
/*
* Are we currently "failing stop" due to out of disk space?
*/
int audit_in_failure;
int audit_in_failure;
/*
* Global audit statistiscs.
* Global audit statistiscs.
*/
struct audit_fstat audit_fstat;
struct audit_fstat audit_fstat;
/*
* Preselection mask for non-attributable events.
*/
struct au_mask audit_nae_mask;
struct au_mask audit_nae_mask;
/*
* Mutex to protect global variables shared between various threads and
* processes.
*/
struct mtx audit_mtx;
struct mtx audit_mtx;
/*
* Queue of audit records ready for delivery to disk. We insert new
@ -122,21 +122,21 @@ struct mtx audit_mtx;
* not yet in the queue, which is needed to estimate the total
* size of the combined set of records outstanding in the system.
*/
struct kaudit_queue audit_q;
int audit_q_len;
int audit_pre_q_len;
struct kaudit_queue audit_q;
int audit_q_len;
int audit_pre_q_len;
/*
* Audit queue control settings (minimum free, low/high water marks, etc.)
*/
struct au_qctrl audit_qctrl;
struct au_qctrl audit_qctrl;
/*
* Condition variable to signal to the worker that it has work to do:
* either new records are in the queue, or a log replacement is taking
* place.
*/
struct cv audit_cv;
struct cv audit_cv;
/*
* Condition variable to signal to the worker that it has work to do:
@ -145,14 +145,14 @@ struct cv audit_cv;
*
* XXXRW: This description is incorrect.
*/
struct cv audit_commit_cv;
struct cv audit_commit_cv;
/*
* Condition variable for auditing threads wait on when in fail-stop mode.
* Threads wait on this CV forever (and ever), never seeing the light of
/*
* Condition variable for auditing threads wait on when in fail-stop mode.
* Threads wait on this CV forever (and ever), never seeing the light of
* day again.
*/
static struct cv audit_fail_cv;
static struct cv audit_fail_cv;
/*
* Construct an audit record for the passed thread.
@ -226,7 +226,7 @@ audit_init(void)
audit_in_failure = 0;
audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
audit_fstat.af_currsz = 0;
audit_fstat.af_currsz = 0;
audit_nae_mask.am_success = AU_NULL;
audit_nae_mask.am_failure = AU_NULL;
@ -351,7 +351,7 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
aumask = &audit_nae_mask;
else
aumask = &ar->k_ar.ar_subj_amask;
if (error)
sorf = AU_PRS_FAILURE;
else
@ -361,7 +361,7 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
case AUE_OPEN_RWTC:
/* The open syscall always writes a AUE_OPEN_RWTC event; change
* it to the proper type of event based on the flags and the
* it to the proper type of event based on the flags and the
* error value.
*/
ar->k_ar.ar_event = flags_and_error_to_openevent(
@ -419,7 +419,7 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
uma_zfree(audit_record_zone, ar);
return;
}
/*
* Constrain the number of committed audit records based on
* the configurable parameter.
@ -478,9 +478,9 @@ audit_syscall_enter(unsigned short code, struct thread *td)
aumask = &audit_nae_mask;
else
aumask = &td->td_proc->p_au->ai_mask;
/*
* Allocate an audit record, if preselection allows it, and store
* Allocate an audit record, if preselection allows it, and store
* in the thread for later use.
*/
if (au_preselect(audit_event, aumask,
@ -531,7 +531,7 @@ audit_syscall_exit(int error, struct thread *td)
audit_commit(td->td_ar, error, retval);
if (td->td_ar != NULL)
AUDIT_PRINTF(("audit record committed by pid %d\n",
AUDIT_PRINTF(("audit record committed by pid %d\n",
td->td_proc->p_pid));
td->td_ar = NULL;
@ -571,11 +571,11 @@ audit_thread_free(struct thread *td)
KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
}
/*
* Initialize the audit information for the a process, presumably the first
/*
* Initialize the audit information for the a process, presumably the first
* process in the system.
* XXX It is not clear what the initial values should be for audit ID,
* session ID, etc.
* XXX It is not clear what the initial values should be for audit ID,
* session ID, etc.
*/
void
audit_proc_kproc0(struct proc *p)
@ -598,7 +598,7 @@ audit_proc_init(struct proc *p)
p->p_au->ai_auid = AU_DEFAUDITID;
}
/*
/*
* Copy the audit info from the parent process to the child process when
* a fork takes place.
*/
@ -624,7 +624,7 @@ audit_proc_fork(struct proc *parent, struct proc *child)
}
/*
* Free the auditing structure for the process.
* Free the auditing structure for the process.
*/
void
audit_proc_free(struct proc *p)

135
sys/security/audit/audit.h
View File

@ -75,7 +75,7 @@ extern int audit_suspended;
#define ARG_AUID 0x0000000000000100ULL
#define ARG_GID 0x0000000000000200ULL
#define ARG_FD 0x0000000000000400ULL
#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
#define ARG_FFLAGS 0x0000000000001000ULL
#define ARG_MODE 0x0000000000002000ULL
#define ARG_DEV 0x0000000000004000ULL
@ -114,73 +114,65 @@ extern int audit_suspended;
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
void audit_syscall_enter(unsigned short code,
struct thread *td);
void audit_syscall_exit(int error, struct thread *td);
void audit_syscall_enter(unsigned short code, struct thread *td);
void audit_syscall_exit(int error, struct thread *td);
/*
* The remaining kernel functions are conditionally compiled in as they
* are wrapped by a macro, and the macro should be the only place in
* are wrapped by a macro, and the macro should be the only place in
* the source tree where these functions are referenced.
*/
#ifdef AUDIT
struct ipc_perm;
struct sockaddr;
union auditon_udata;
void audit_arg_addr(void * addr);
void audit_arg_exit(int status, int retval);
void audit_arg_len(int len);
void audit_arg_fd(int fd);
void audit_arg_fflags(int fflags);
void audit_arg_gid(gid_t gid);
void audit_arg_uid(uid_t uid);
void audit_arg_egid(gid_t egid);
void audit_arg_euid(uid_t euid);
void audit_arg_rgid(gid_t rgid);
void audit_arg_ruid(uid_t ruid);
void audit_arg_sgid(gid_t sgid);
void audit_arg_suid(uid_t suid);
void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
void audit_arg_login(char *login);
void audit_arg_ctlname(int *name, int namelen);
void audit_arg_mask(int mask);
void audit_arg_mode(mode_t mode);
void audit_arg_dev(int dev);
void audit_arg_value(long value);
void audit_arg_owner(uid_t uid, gid_t gid);
void audit_arg_pid(pid_t pid);
void audit_arg_process(struct proc *p);
void audit_arg_signum(u_int signum);
void audit_arg_socket(int sodomain, int sotype,
int soprotocol);
void audit_arg_sockaddr(struct thread *td,
struct sockaddr *so);
void audit_arg_auid(uid_t auid);
void audit_arg_auditinfo(struct auditinfo *au_info);
void audit_arg_upath(struct thread *td, char *upath,
u_int64_t flags);
void audit_arg_vnode(struct vnode *vp, u_int64_t flags);
void audit_arg_text(char *text);
void audit_arg_cmd(int cmd);
void audit_arg_svipc_cmd(int cmd);
void audit_arg_svipc_perm(struct ipc_perm *perm);
void audit_arg_svipc_id(int id);
void audit_arg_svipc_addr(void *addr);
void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
mode_t mode);
void audit_arg_auditon(union auditon_udata *udata);
void audit_arg_file(struct proc *p, struct file *fp);
void audit_sysclose(struct thread *td, int fd);
void audit_proc_alloc(struct proc *p);
void audit_proc_kproc0(struct proc *p);
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent,
struct proc *child);
void audit_proc_free(struct proc *p);
void audit_thread_alloc(struct thread *td);
void audit_thread_free(struct thread *td);
void audit_arg_addr(void * addr);
void audit_arg_exit(int status, int retval);
void audit_arg_len(int len);
void audit_arg_fd(int fd);
void audit_arg_fflags(int fflags);
void audit_arg_gid(gid_t gid);
void audit_arg_uid(uid_t uid);
void audit_arg_egid(gid_t egid);
void audit_arg_euid(uid_t euid);
void audit_arg_rgid(gid_t rgid);
void audit_arg_ruid(uid_t ruid);
void audit_arg_sgid(gid_t sgid);
void audit_arg_suid(uid_t suid);
void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
void audit_arg_login(char *login);
void audit_arg_ctlname(int *name, int namelen);
void audit_arg_mask(int mask);
void audit_arg_mode(mode_t mode);
void audit_arg_dev(int dev);
void audit_arg_value(long value);
void audit_arg_owner(uid_t uid, gid_t gid);
void audit_arg_pid(pid_t pid);
void audit_arg_process(struct proc *p);
void audit_arg_signum(u_int signum);
void audit_arg_socket(int sodomain, int sotype, int soprotocol);
void audit_arg_sockaddr(struct thread *td, struct sockaddr *so);
void audit_arg_auid(uid_t auid);
void audit_arg_auditinfo(struct auditinfo *au_info);
void audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
void audit_arg_vnode(struct vnode *vp, u_int64_t flags);
void audit_arg_text(char *text);
void audit_arg_cmd(int cmd);
void audit_arg_svipc_cmd(int cmd);
void audit_arg_svipc_perm(struct ipc_perm *perm);
void audit_arg_svipc_id(int id);
void audit_arg_svipc_addr(void *addr);
void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
void audit_arg_auditon(union auditon_udata *udata);
void audit_arg_file(struct proc *p, struct file *fp);
void audit_sysclose(struct thread *td, int fd);
void audit_proc_alloc(struct proc *p);
void audit_proc_kproc0(struct proc *p);
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent, struct proc *child);
void audit_proc_free(struct proc *p);
void audit_thread_alloc(struct thread *td);
void audit_thread_free(struct thread *td);
/*
* Define a macro to wrap the audit_arg_* calls by checking the global
@ -189,23 +181,23 @@ void audit_thread_free(struct thread *td);
#define AUDIT_ARG(op, args...) do { \
if (audit_enabled) \
audit_arg_ ## op (args); \
} while (0)
} while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \
if (audit_enabled) { \
audit_syscall_enter(code, td); \
} \
} while (0)
} while (0)
/*
* Wrap the audit_syscall_exit() function so that it is called only when
* auditing is enabled, or we have a audit record on the thread. It is
* auditing is enabled, or we have a audit record on the thread. It is
* possible that an audit record was begun before auditing was turned off.
*/
#define AUDIT_SYSCALL_EXIT(error, td) do { \
if (audit_enabled | (td->td_ar != NULL)) \
audit_syscall_exit(error, td); \
} while (0)
} while (0)
/*
* A Macro to wrap the audit_sysclose() function.
@ -213,26 +205,25 @@ void audit_thread_free(struct thread *td);
#define AUDIT_SYSCLOSE(td, fd) do { \
if (audit_enabled) \
audit_sysclose(td, fd); \
} while (0)
} while (0)
#else /* !AUDIT */
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent,
struct proc *child);
void audit_proc_free(struct proc *p);
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent, struct proc *child);
void audit_proc_free(struct proc *p);
#define AUDIT_ARG(op, args...) do { \
} while (0)
} while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \
} while (0)
} while (0)
#define AUDIT_SYSCALL_EXIT(error, td) do { \
} while (0)
} while (0)
#define AUDIT_SYSCLOSE(p, fd) do { \
} while (0)
} while (0)
#endif /* AUDIT */

54
sys/security/audit/audit_arg.c
View File

@ -391,7 +391,7 @@ void
audit_arg_socket(int sodomain, int sotype, int soprotocol)
{
struct kaudit_record *ar;
ar = currecord();
if (ar == NULL)
return;
@ -426,7 +426,7 @@ audit_arg_sockaddr(struct thread *td, struct sockaddr *so)
break;
case AF_UNIX:
audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path,
audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path,
ARG_UPATH1);
ARG_SET_VALID(ar, ARG_SADDRUNIX);
break;
@ -480,7 +480,7 @@ audit_arg_text(char *text)
/* Invalidate the text string */
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
if (text == NULL)
return;
return;
if (ar->k_ar.ar_arg_text == NULL)
ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
@ -525,8 +525,8 @@ audit_arg_svipc_perm(struct ipc_perm *perm)
if (ar == NULL)
return;
bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
sizeof(ar->k_ar.ar_arg_svipc_perm));
bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
sizeof(ar->k_ar.ar_arg_svipc_perm));
ARG_SET_VALID(ar, ARG_SVIPC_PERM);
}
@ -580,8 +580,8 @@ audit_arg_auditon(union auditon_udata *udata)
if (ar == NULL)
return;
bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
sizeof(ar->k_ar.ar_arg_auditon));
bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
sizeof(ar->k_ar.ar_arg_auditon));
ARG_SET_VALID(ar, ARG_AUDITON);
}
@ -628,20 +628,20 @@ audit_arg_file(struct proc *p, struct file *fp)
if (so->so_pcb == NULL)
return;
ar->k_ar.ar_arg_sockinfo.so_type =
so->so_type;
so->so_type;
ar->k_ar.ar_arg_sockinfo.so_domain =
INP_SOCKAF(so);
INP_SOCKAF(so);
ar->k_ar.ar_arg_sockinfo.so_protocol =
so->so_proto->pr_protocol;
so->so_proto->pr_protocol;
pcb = (struct inpcb *)so->so_pcb;
ar->k_ar.ar_arg_sockinfo.so_raddr =
pcb->inp_faddr.s_addr;
pcb->inp_faddr.s_addr;
ar->k_ar.ar_arg_sockinfo.so_laddr =
pcb->inp_laddr.s_addr;
pcb->inp_laddr.s_addr;
ar->k_ar.ar_arg_sockinfo.so_rport =
pcb->inp_fport;
pcb->inp_fport;
ar->k_ar.ar_arg_sockinfo.so_lport =
pcb->inp_lport;
pcb->inp_lport;
ARG_SET_VALID(ar, ARG_SOCKINFO);
}
break;
@ -653,11 +653,11 @@ audit_arg_file(struct proc *p, struct file *fp)
}
/*
* Store a path as given by the user process for auditing into the audit
* record stored on the user thread. This function will allocate the memory to
* store the path info if not already available. This memory will be
* freed when the audit record is freed.
/*
* Store a path as given by the user process for auditing into the audit
* record stored on the user thread. This function will allocate the memory
* to store the path info if not already available. This memory will be freed
* when the audit record is freed.
*
* XXXAUDIT: Possibly assert that the memory isn't already allocated?
*/
@ -667,7 +667,7 @@ audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
struct kaudit_record *ar;
char **pathp;
if (td == NULL || upath == NULL)
if (td == NULL || upath == NULL)
return; /* nothing to do! */
/*
@ -696,8 +696,8 @@ audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
}
/*
* Function to save the path and vnode attr information into the audit
* record.
* Function to save the path and vnode attr information into the audit
* record.
*
* It is assumed that the caller will hold any vnode locks necessary to
* perform a VOP_GETATTR() on the passed vnode.
@ -734,7 +734,7 @@ audit_arg_vnode(struct vnode *vp, u_int64_t flags)
ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
ar = currecord();
if (ar == NULL) /* This will be the case for unaudited system calls */
if (ar == NULL)
return;
/*
@ -777,9 +777,9 @@ audit_arg_vnode(struct vnode *vp, u_int64_t flags)
}
/*
* The close() system call uses it's own audit call to capture the
* path/vnode information because those pieces are not easily obtained
* within the system call itself.
* The close() system call uses it's own audit call to capture the path/vnode
* information because those pieces are not easily obtained within the system
* call itself.
*/
void
audit_sysclose(struct thread *td, int fd)
@ -800,4 +800,4 @@ audit_sysclose(struct thread *td, int fd)
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
fdrop(fp, td);
}
}

286
sys/security/audit/audit_bsm.c
View File

@ -54,7 +54,7 @@
MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
/*
/*
* Forward declares.
*/
static void audit_sys_auditon(struct audit_record *ar,
@ -72,18 +72,16 @@ kau_init(void)
}
/*
* This call reserves memory for the audit record.
* Memory must be guaranteed before any auditable event can be
* generated.
* The au_record structure maintains a reference to the
* memory allocated above and also the list of tokens associated
* with this record
*/
static struct au_record *
* This call reserves memory for the audit record. Memory must be guaranteed
* before any auditable event can be generated. The au_record structure
* maintains a reference to the memory allocated above and also the list of
* tokens associated with this record
*/
static struct au_record *
kau_open(void)
{
{
struct au_record *rec;
rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char),
M_AUDITBSM, M_WAITOK | M_ZERO);
@ -96,7 +94,7 @@ kau_open(void)
/*
* Store the token with the record descriptor.
*/
*/
static void
kau_write(struct au_record *rec, struct au_token *tok)
{
@ -118,7 +116,7 @@ kau_close(struct au_record *rec, struct timespec *ctime, short event)
size_t tot_rec_size;
token_t *cur, *hdr, *trail;
struct timeval tm;
tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) {
/* Create the header token */
@ -131,34 +129,33 @@ kau_close(struct au_record *rec, struct timespec *ctime, short event)
TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
/* Serialize token data to the record. */
rec->len = tot_rec_size;
dptr = rec->data;
TAILQ_FOREACH(cur, &rec->token_q, tokens) {
memcpy(dptr, cur->t_data, cur->len);
memcpy(dptr, cur->t_data, cur->len);
dptr += cur->len;
}
}
}
/*
* Free a BSM audit record by releasing all the tokens and clearing the
* audit record information.
* Free a BSM audit record by releasing all the tokens and clearing the audit
* record information.
*/
void
kau_free(struct au_record *rec)
{
struct au_token *tok;
/* Free the token list */
/* Free the token list. */
while ((tok = TAILQ_FIRST(&rec->token_q))) {
TAILQ_REMOVE(&rec->token_q, tok, tokens);
free(tok->t_data, M_AUDITBSM);
free(tok, M_AUDITBSM);
}
}
rec->used = 0;
rec->len = 0;
rec->len = 0;
free(rec->data, M_AUDITBSM);
free(rec, M_AUDITBSM);
}
@ -218,7 +215,8 @@ kau_free(struct au_record *rec)
kau_write(rec, tok); \
} else { \
if (ARG_IS_VALID(kar, ARG_FD)) { \
tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\
tok = au_to_arg32(1, "non-file: fd", \
ar->ar_arg_fd); \
kau_write(rec, tok); \
} \
} \
@ -253,92 +251,92 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
struct au_token *tok;
switch (ar->ar_arg_cmd) {
case A_SETPOLICY:
case A_SETPOLICY:
if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
tok = au_to_arg64(1, "policy",
ar->ar_arg_auditon.au_flags);
tok = au_to_arg64(1, "policy",
ar->ar_arg_auditon.au_flags);
else
tok = au_to_arg32(1, "policy",
ar->ar_arg_auditon.au_flags);
tok = au_to_arg32(1, "policy",
ar->ar_arg_auditon.au_flags);
kau_write(rec, tok);
break;
case A_SETKMASK:
tok = au_to_arg32(2, "setkmask:as_success",
ar->ar_arg_auditon.au_mask.am_success);
case A_SETKMASK:
tok = au_to_arg32(2, "setkmask:as_success",
ar->ar_arg_auditon.au_mask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(2, "setkmask:as_failure",
ar->ar_arg_auditon.au_mask.am_failure);
tok = au_to_arg32(2, "setkmask:as_failure",
ar->ar_arg_auditon.au_mask.am_failure);
kau_write(rec, tok);
break;
case A_SETQCTRL:
tok = au_to_arg32(3, "setqctrl:aq_hiwater",
ar->ar_arg_auditon.au_qctrl.aq_hiwater);
case A_SETQCTRL:
tok = au_to_arg32(3, "setqctrl:aq_hiwater",
ar->ar_arg_auditon.au_qctrl.aq_hiwater);
kau_write(rec, tok);
tok = au_to_arg32(3, "setqctrl:aq_lowater",
ar->ar_arg_auditon.au_qctrl.aq_lowater);
tok = au_to_arg32(3, "setqctrl:aq_lowater",
ar->ar_arg_auditon.au_qctrl.aq_lowater);
kau_write(rec, tok);
tok = au_to_arg32(3, "setqctrl:aq_bufsz",
ar->ar_arg_auditon.au_qctrl.aq_bufsz);
tok = au_to_arg32(3, "setqctrl:aq_bufsz",
ar->ar_arg_auditon.au_qctrl.aq_bufsz);
kau_write(rec, tok);
tok = au_to_arg32(3, "setqctrl:aq_delay",
ar->ar_arg_auditon.au_qctrl.aq_delay);
tok = au_to_arg32(3, "setqctrl:aq_delay",
ar->ar_arg_auditon.au_qctrl.aq_delay);
kau_write(rec, tok);
tok = au_to_arg32(3, "setqctrl:aq_minfree",
ar->ar_arg_auditon.au_qctrl.aq_minfree);
tok = au_to_arg32(3, "setqctrl:aq_minfree",
ar->ar_arg_auditon.au_qctrl.aq_minfree);
kau_write(rec, tok);
break;
case A_SETUMASK:
tok = au_to_arg32(3, "setumask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
case A_SETUMASK:
tok = au_to_arg32(3, "setumask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(3, "setumask:as_failure",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
tok = au_to_arg32(3, "setumask:as_failure",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
kau_write(rec, tok);
break;
case A_SETSMASK:
tok = au_to_arg32(3, "setsmask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
case A_SETSMASK:
tok = au_to_arg32(3, "setsmask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(3, "setsmask:as_failure",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
tok = au_to_arg32(3, "setsmask:as_failure",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
kau_write(rec, tok);
break;
case A_SETCOND:
case A_SETCOND:
if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
tok = au_to_arg64(3, "setcond",
ar->ar_arg_auditon.au_cond);
tok = au_to_arg64(3, "setcond",
ar->ar_arg_auditon.au_cond);
else
tok = au_to_arg32(3, "setcond",
ar->ar_arg_auditon.au_cond);
tok = au_to_arg32(3, "setcond",
ar->ar_arg_auditon.au_cond);
kau_write(rec, tok);
break;
case A_SETCLASS:
case A_SETCLASS:
tok = au_to_arg32(2, "setclass:ec_event",
ar->ar_arg_auditon.au_evclass.ec_number);
ar->ar_arg_auditon.au_evclass.ec_number);
kau_write(rec, tok);
tok = au_to_arg32(3, "setclass:ec_class",
ar->ar_arg_auditon.au_evclass.ec_class);
ar->ar_arg_auditon.au_evclass.ec_class);
kau_write(rec, tok);
break;
case A_SETPMASK:
tok = au_to_arg32(2, "setpmask:as_success",
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
case A_SETPMASK:
tok = au_to_arg32(2, "setpmask:as_success",
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(2, "setpmask:as_failure",
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
tok = au_to_arg32(2, "setpmask:as_failure",
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
kau_write(rec, tok);
break;
case A_SETFSIZE:
tok = au_to_arg32(2, "setfsize:filesize",
ar->ar_arg_auditon.au_fstat.af_filesz);
case A_SETFSIZE:
tok = au_to_arg32(2, "setfsize:filesize",
ar->ar_arg_auditon.au_fstat.af_filesz);
kau_write(rec, tok);
break;
@ -348,13 +346,14 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
}
/*
* Convert an internal kernel audit record to a BSM record and return
* a success/failure indicator. The BSM record is passed as an out
* parameter to this function.
* Convert an internal kernel audit record to a BSM record and return a
* success/failure indicator. The BSM record is passed as an out parameter to
* this function.
*
* Return conditions:
* BSM_SUCCESS: The BSM record is valid
* BSM_FAILURE: Failure; the BSM record is NULL.
* BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
* BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
*/
int
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
@ -383,35 +382,35 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
ar->ar_subj_asid, /* session ID */
&tid);
/* The logic inside each case fills in the tokens required for the
* event, except for the header, trailer, and return tokens. The
/*
* The logic inside each case fills in the tokens required for the
* event, except for the header, trailer, and return tokens. The
* header and trailer tokens are added by the kau_close() function.
* The return token is added outside of the switch statement.
*/
switch(ar->ar_event) {
/*
* Socket-related events.
*/
switch(ar->ar_event) {
case AUE_ACCEPT:
case AUE_BIND:
case AUE_CONNECT:
case AUE_RECVFROM:
case AUE_RECVMSG:
case AUE_RECVMSG:
case AUE_SENDMSG:
case AUE_SENDTO:
/*
* Socket-related events.
*/
if (ARG_IS_VALID(kar, ARG_FD)) {
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
tok = au_to_sock_inet(
(struct sockaddr_in *)&ar->ar_arg_sockaddr);
tok = au_to_sock_inet((struct sockaddr_in *)
&ar->ar_arg_sockaddr);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
tok = au_to_sock_unix(
(struct sockaddr_un *)&ar->ar_arg_sockaddr);
tok = au_to_sock_unix((struct sockaddr_un *)
&ar->ar_arg_sockaddr);
kau_write(rec, tok);
UPATH1_TOKENS;
}
@ -459,21 +458,23 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SETAUDIT:
if (ARG_IS_VALID(kar, ARG_AUID)) {
tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid);
tok = au_to_arg32(1, "setaudit:auid",
ar->ar_arg_auid);
kau_write(rec, tok);
tok = au_to_arg32(1, "setaudit:port",
ar->ar_arg_termid.port);
tok = au_to_arg32(1, "setaudit:port",
ar->ar_arg_termid.port);
kau_write(rec, tok);
tok = au_to_arg32(1, "setaudit:machine",
ar->ar_arg_termid.machine);
tok = au_to_arg32(1, "setaudit:machine",
ar->ar_arg_termid.machine);
kau_write(rec, tok);
tok = au_to_arg32(1, "setaudit:as_success",
ar->ar_arg_amask.am_success);
tok = au_to_arg32(1, "setaudit:as_success",
ar->ar_arg_amask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(1, "setaudit:as_failure",
ar->ar_arg_amask.am_failure);
tok = au_to_arg32(1, "setaudit:as_failure",
ar->ar_arg_amask.am_failure);
kau_write(rec, tok);
tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid);
tok = au_to_arg32(1, "setaudit:asid",
ar->ar_arg_asid);
kau_write(rec, tok);
}
break;
@ -482,7 +483,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
break; /* XXX need to add arguments */
case AUE_AUDITON:
/* For AUDITON commands without own event, audit the cmd */
/*
* For AUDITON commands without own event, audit the cmd.
*/
if (ARG_IS_VALID(kar, ARG_CMD)) {
tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
kau_write(rec, tok);
@ -505,11 +508,10 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_AUDITON_SETUMASK:
case AUE_AUDITON_SPOLICY:
case AUE_AUDITON_SQCTRL:
if (ARG_IS_VALID(kar, ARG_AUDITON)) {
if (ARG_IS_VALID(kar, ARG_AUDITON))
audit_sys_auditon(ar, rec);
}
break;
case AUE_AUDITCTL:
UPATH1_VNODE1_TOKENS;
break;
@ -534,7 +536,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SETSID:
case AUE_SETTIMEOFDAY:
case AUE_NEWSYSTEMSHREG:
/* Header, subject, and return tokens added at end */
/*
* Header, subject, and return tokens added at end.
*/
break;
case AUE_ACCESS:
@ -569,16 +573,17 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
UPATH1_VNODE1_TOKENS;
break;
case AUE_CHMOD:
case AUE_LCHMOD:
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
tok = au_to_arg32(2, "new file mode",
ar->ar_arg_mode);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
break;
case AUE_CHOWN:
case AUE_LCHOWN:
if (ARG_IS_VALID(kar, ARG_UID)) {
@ -591,7 +596,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
UPATH1_VNODE1_TOKENS;
break;
case AUE_EXCHANGEDATA:
UPATH1_VNODE1_TOKENS;
UPATH2_TOKENS;
@ -607,12 +612,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_FCHMOD:
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
tok = au_to_arg32(2, "new file mode",
ar->ar_arg_mode);
kau_write(rec, tok);
}
FD_VNODE1_TOKENS;
break;
case AUE_FCHDIR:
case AUE_FPATHCONF:
case AUE_FSTAT: /* XXX Need to handle sockets and shm */
@ -624,7 +630,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_GETDIRENTRIESATTR:
FD_VNODE1_TOKENS;
break;
case AUE_FCHOWN:
if (ARG_IS_VALID(kar, ARG_UID)) {
tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
@ -636,7 +642,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
FD_VNODE1_TOKENS;
break;
case AUE_FCNTL:
if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
ar->ar_arg_cmd == F_SETLKW) {
@ -647,7 +653,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
FD_VNODE1_TOKENS;
}
break;
case AUE_FCHFLAGS:
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
@ -655,7 +661,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
FD_VNODE1_TOKENS;
break;
case AUE_FLOCK:
if (ARG_IS_VALID(kar, ARG_CMD)) {
tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
@ -663,7 +669,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
FD_VNODE1_TOKENS;
break;
case AUE_RFORK:
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
@ -677,7 +683,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_IOCTL:
if (ARG_IS_VALID(kar, ARG_CMD)) {
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
@ -688,11 +694,11 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_VNODE1)) {
if (ARG_IS_VALID(kar, ARG_VNODE1))
FD_VNODE1_TOKENS;
} else {
else {
if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
tok = kau_to_socket(&ar->ar_arg_sockinfo);
tok = kau_to_socket(&ar->ar_arg_sockinfo);
kau_write(rec, tok);
} else {
if (ARG_IS_VALID(kar, ARG_FD)) {
@ -739,7 +745,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
UPATH1_VNODE1_TOKENS;
break;
case AUE_MKDIR:
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
@ -804,6 +810,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
/* fall through */
case AUE_UMOUNT:
UPATH1_VNODE1_TOKENS;
break;
@ -811,6 +818,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_MSGCTL:
ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd);
/* Fall through */
case AUE_MSGRCV:
case AUE_MSGSND:
tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
@ -838,7 +846,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_OPEN_RC:
case AUE_OPEN_RTC:
case AUE_OPEN_RWC:
@ -904,6 +912,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SEMCTL:
ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd);
/* Fall through */
case AUE_SEMOP:
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
@ -915,6 +924,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
}
break;
case AUE_SEMGET:
if (ar->ar_errno == 0) {
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
@ -924,18 +934,21 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
}
break;
case AUE_SETEGID:
if (ARG_IS_VALID(kar, ARG_EGID)) {
tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
kau_write(rec, tok);
}
break;
case AUE_SETEUID:
if (ARG_IS_VALID(kar, ARG_EUID)) {
tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
kau_write(rec, tok);
}
break;
case AUE_SETREGID:
if (ARG_IS_VALID(kar, ARG_RGID)) {
tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
@ -946,6 +959,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_SETREUID:
if (ARG_IS_VALID(kar, ARG_RUID)) {
tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
@ -956,6 +970,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_SETRESGID:
if (ARG_IS_VALID(kar, ARG_RGID)) {
tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
@ -970,6 +985,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_SETRESUID:
if (ARG_IS_VALID(kar, ARG_RUID)) {
tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
@ -984,18 +1000,21 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
break;
case AUE_SETGID:
if (ARG_IS_VALID(kar, ARG_GID)) {
tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
kau_write(rec, tok);
}
break;
case AUE_SETUID:
if (ARG_IS_VALID(kar, ARG_UID)) {
tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
kau_write(rec, tok);
}
break;
case AUE_SETGROUPS:
if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
@ -1104,7 +1123,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
break;
/* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
/* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
* and AUE_SEMUNLINK are Posix IPC */
case AUE_SHMOPEN:
if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
@ -1149,6 +1168,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
kau_write(rec, tok);
}
/* fall through */
case AUE_SEMUNLINK:
if (ARG_IS_VALID(kar, ARG_TEXT)) {
tok = au_to_text(ar->ar_arg_text);
@ -1187,8 +1207,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SYSCTL:
if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]);
kau_write(rec, tok);
tok = au_to_arg32(1, "name",
ar->ar_arg_ctlname[ctr]);
kau_write(rec, tok);
}
}
if (ARG_IS_VALID(kar, ARG_VALUE)) {
@ -1217,16 +1238,16 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
break;
default: /* We shouldn't fall through to here. */
default:
printf("BSM conversion requested for unknown event %d\n",
ar->ar_event);
ar->ar_event);
/* Write the subject token so it is properly freed here. */
kau_write(rec, subj_tok);
kau_free(rec);
return (BSM_NOAUDIT);
}
kau_write(rec, subj_tok);
kau_write(rec, subj_tok);
tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
kau_write(rec, tok); /* Every record gets a return token */
@ -1237,27 +1258,24 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
/*
* Verify that a record is a valid BSM record. This verification is
* simple now, but may be expanded on sometime in the future.
* Return 1 if the record is good, 0 otherwise.
*
* Verify that a record is a valid BSM record. This verification is simple
* now, but may be expanded on sometime in the future. Return 1 if the
* record is good, 0 otherwise.
*/
int
bsm_rec_verify(void *rec)
{
char c = *(char *)rec;
/*
/*
* Check the token ID of the first token; it has to be a header
* token.
*/
/* XXXAUDIT There needs to be a token structure to map a token.
*
* XXXAUDIT There needs to be a token structure to map a token.
* XXXAUDIT 'Shouldn't be simply looking at the first char.
*/
if ( (c != AUT_HEADER32) &&
(c != AUT_HEADER32_EX) &&
(c != AUT_HEADER64) &&
(c != AUT_HEADER64_EX) ) {
if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
(c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
return (0);
}
return (1);
}

84
sys/security/audit/audit_bsm_klib.c
View File

@ -63,8 +63,8 @@ struct evclass_list {
};
static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
static struct mtx evclass_mtx;
static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
static struct mtx evclass_mtx;
static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
/*
* Look up the class for an audit event in the class mapping table.
@ -90,14 +90,15 @@ au_event_class(au_event_t event)
return (class);
}
/*
/*
* Insert a event to class mapping. If the event already exists in the
* mapping, then replace the mapping with the new one.
*
* XXX There is currently no constraints placed on the number of mappings.
* May want to either limit to a number, or in terms of memory usage.
* May want to either limit to a number, or in terms of memory usage.
*/
void
au_evclassmap_insert(au_event_t event, au_class_t class)
au_evclassmap_insert(au_event_t event, au_class_t class)
{
struct evclass_list *evcl;
struct evclass_elem *evc, *evc_new;
@ -126,7 +127,7 @@ au_evclassmap_insert(au_event_t event, au_class_t class)
}
void
au_evclassmap_init(void)
au_evclassmap_init(void)
{
int i;
@ -141,7 +142,7 @@ au_evclassmap_init(void)
* native ABI system calls, as there may be audit events reachable
* only through non-native system calls. It also seems a shame to
* frob the mutex this early.
*/
*/
for (i = 0; i < SYS_MAXSYSCALL; i++) {
if (sysent[i].sy_auevent != AUE_NULL)
au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL);
@ -163,31 +164,30 @@ au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
ae_class = au_event_class(event);
/*
/*
* Perform the actual check of the masks against the event.
*/
if (sorf & AU_PRS_SUCCESS)
effmask |= (mask_p->am_success & ae_class);
if (sorf & AU_PRS_FAILURE)
effmask |= (mask_p->am_failure & ae_class);
if (effmask)
return (1);
else
else
return (0);
}
/*
* Convert sysctl names and present arguments to events
* Convert sysctl names and present arguments to events.
*/
au_event_t
ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
{
/* can't parse it - so return the worst case */
if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) !=
(ARG_CTLNAME | ARG_LEN))
if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
return (AUE_SYSCTL);
switch (name[0]) {
@ -241,14 +241,17 @@ ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
}
/*
* Convert an open flags specifier into a specific type of open event for
* Convert an open flags specifier into a specific type of open event for
* auditing purposes.
*/
au_event_t
flags_and_error_to_openevent(int oflags, int error) {
flags_and_error_to_openevent(int oflags, int error)
{
au_event_t aevent;
/* Need to check only those flags we care about. */
/*
* Need to check only those flags we care about.
*/
oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
/*
@ -310,7 +313,7 @@ flags_and_error_to_openevent(int oflags, int error) {
}
#if 0
/*
/*
* Convert chatty errors to better matching events.
* Failures to find a file are really just attribute
* events - so recast them as such.
@ -469,13 +472,12 @@ auditon_command_event(int cmd)
}
}
/*
* Create a canonical path from given path by prefixing either the
* root directory, or the current working directory.
* If the process working directory is NULL, we could use 'rootvnode'
* to obtain the root directoty, but this results in a volfs name
* written to the audit log. So we will leave the filename starting
* with '/' in the audit log in this case.
/*
* Create a canonical path from given path by prefixing either the root
* directory, or the current working directory. If the process working
* directory is NULL, we could use 'rootvnode' to obtain the root directoty,
* but this results in a volfs name written to the audit log. So we will
* leave the filename starting with '/' in the audit log in this case.
*
* XXXRW: Since we combine two paths here, ideally a buffer of size
* MAXPATHLEN * 2 would be passed in.
@ -493,43 +495,43 @@ canon_path(struct thread *td, char *path, char *cpath)
bufp = path;
FILEDESC_LOCK(fdp);
if (*(path) == '/') {
while (*(bufp) == '/')
bufp++; /* skip leading '/'s */
/* If no process root, or it is the same as the system root,
while (*(bufp) == '/')
bufp++; /* Skip leading '/'s. */
/*
* If no process root, or it is the same as the system root,
* audit the path as passed in with a single '/'.
*/
if ((fdp->fd_rdir == NULL) ||
(fdp->fd_rdir == rootvnode)) {
(fdp->fd_rdir == rootvnode)) {
vnp = NULL;
bufp--; /* restore one '/' */
bufp--; /* Restore one '/'. */
} else {
vnp = fdp->fd_rdir; /* use process root */
vnp = fdp->fd_rdir; /* Use process root. */
vref(vnp);
}
} else {
vnp = fdp->fd_cdir; /* prepend the current dir */
vnp = fdp->fd_cdir; /* Prepend the current dir. */
vref(vnp);
bufp = path;
}
FILEDESC_UNLOCK(fdp);
if (vnp != NULL) {
/*
* XXX: vn_fullpath() on FreeBSD is "less reliable"
* than vn_getpath() on Darwin, so this will need more
* attention in the future. Also, the question and
* string bounding here seems a bit questionable and
* will also require attention.
* XXX: vn_fullpath() on FreeBSD is "less reliable" than
* vn_getpath() on Darwin, so this will need more attention
* in the future. Also, the question and string bounding
* here seems a bit questionable and will also require
* attention.
*/
vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
error = vn_fullpath(td, vnp, &retbuf, &freebuf);
if (error == 0) {
/* Copy and free buffer allocated by vn_fullpath() */
/* Copy and free buffer allocated by vn_fullpath(). */
snprintf(cpath, MAXPATHLEN, "%s/%s", retbuf, bufp);
free(freebuf, M_TEMP);
} else {
free(freebuf, M_TEMP);
} else
cpath[0] = '\0';
}
vput(vnp);
VFS_UNLOCK_GIANT(vfslocked);
} else {

2
sys/security/audit/audit_ioctl.h
View File

@ -28,7 +28,7 @@
* $FreeBSD$
*/
#ifndef _SECURITY_AUDIT_AUDIT_IOCTL_H_
#ifndef _SECURITY_AUDIT_AUDIT_IOCTL_H_
#define _SECURITY_AUDIT_AUDIT_IOCTL_H_
#define AUDITPIPE_IOBASE 'A'

191
sys/security/audit/audit_private.h
View File

@ -66,8 +66,8 @@ MALLOC_DECLARE(M_AUDITTEXT);
#endif
/*
* Audit control variables that are usually set/read via system calls
* and used to control various aspects of auditing.
* Audit control variables that are usually set/read via system calls and
* used to control various aspects of auditing.
*/
extern struct au_qctrl audit_qctrl;
extern struct audit_fstat audit_fstat;
@ -79,9 +79,9 @@ extern int audit_fail_stop;
* Success/failure conditions for the conversion of a kernel audit record to
* BSM format.
*/
#define BSM_SUCCESS 0
#define BSM_FAILURE 1
#define BSM_NOAUDIT 2
#define BSM_SUCCESS 0
#define BSM_FAILURE 1
#define BSM_NOAUDIT 2
/*
* Defines for the kernel audit record k_ar_commit field.
@ -97,13 +97,13 @@ extern int audit_fail_stop;
* This structure is converted to BSM format before being written to disk.
*/
struct vnode_au_info {
mode_t vn_mode;
uid_t vn_uid;
gid_t vn_gid;
dev_t vn_dev;
long vn_fsid;
long vn_fileid;
long vn_gen;
mode_t vn_mode;
uid_t vn_uid;
gid_t vn_gid;
dev_t vn_dev;
long vn_fsid;
long vn_fileid;
long vn_gen;
};
struct groupset {
@ -115,10 +115,10 @@ struct socket_au_info {
int so_domain;
int so_type;
int so_protocol;
in_addr_t so_raddr; /* remote address if INET socket */
in_addr_t so_laddr; /* local address if INET socket */
u_short so_rport; /* remote port */
u_short so_lport; /* local port */
in_addr_t so_raddr; /* Remote address if INET socket. */
in_addr_t so_laddr; /* Local address if INET socket. */
u_short so_rport; /* Remote port. */
u_short so_lport; /* Local port. */
};
union auditon_udata {
@ -138,9 +138,9 @@ union auditon_udata {
};
struct posix_ipc_perm {
uid_t pipc_uid;
gid_t pipc_gid;
mode_t pipc_mode;
uid_t pipc_uid;
gid_t pipc_gid;
mode_t pipc_mode;
};
struct audit_record {
@ -154,59 +154,59 @@ struct audit_record {
u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
/* Audit subject information. */
struct xucred ar_subj_cred;
uid_t ar_subj_ruid;
gid_t ar_subj_rgid;
gid_t ar_subj_egid;
uid_t ar_subj_auid; /* Audit user ID */
pid_t ar_subj_asid; /* Audit session ID */
pid_t ar_subj_pid;
struct au_tid ar_subj_term;
char ar_subj_comm[MAXCOMLEN + 1];
struct au_mask ar_subj_amask;
struct xucred ar_subj_cred;
uid_t ar_subj_ruid;
gid_t ar_subj_rgid;
gid_t ar_subj_egid;
uid_t ar_subj_auid; /* Audit user ID */
pid_t ar_subj_asid; /* Audit session ID */
pid_t ar_subj_pid;
struct au_tid ar_subj_term;
char ar_subj_comm[MAXCOMLEN + 1];
struct au_mask ar_subj_amask;
/* Operation arguments. */
uid_t ar_arg_euid;
uid_t ar_arg_ruid;
uid_t ar_arg_suid;
gid_t ar_arg_egid;
gid_t ar_arg_rgid;
gid_t ar_arg_sgid;
pid_t ar_arg_pid;
pid_t ar_arg_asid;
struct au_tid ar_arg_termid;
uid_t ar_arg_uid;
uid_t ar_arg_auid;
gid_t ar_arg_gid;
struct groupset ar_arg_groups;
int ar_arg_fd;
int ar_arg_fflags;
mode_t ar_arg_mode;
int ar_arg_dev;
long ar_arg_value;
void * ar_arg_addr;
int ar_arg_len;
int ar_arg_mask;
u_int ar_arg_signum;
char ar_arg_login[MAXLOGNAME];
int ar_arg_ctlname[CTL_MAXNAME];
struct sockaddr ar_arg_sockaddr;
struct socket_au_info ar_arg_sockinfo;
char *ar_arg_upath1;
char *ar_arg_upath2;
char *ar_arg_text;
struct au_mask ar_arg_amask;
struct vnode_au_info ar_arg_vnode1;
struct vnode_au_info ar_arg_vnode2;
int ar_arg_cmd;
int ar_arg_svipc_cmd;
struct ipc_perm ar_arg_svipc_perm;
int ar_arg_svipc_id;
void * ar_arg_svipc_addr;
struct posix_ipc_perm ar_arg_pipc_perm;
union auditon_udata ar_arg_auditon;
int ar_arg_exitstatus;
int ar_arg_exitretval;
uid_t ar_arg_euid;
uid_t ar_arg_ruid;
uid_t ar_arg_suid;
gid_t ar_arg_egid;
gid_t ar_arg_rgid;
gid_t ar_arg_sgid;
pid_t ar_arg_pid;
pid_t ar_arg_asid;
struct au_tid ar_arg_termid;
uid_t ar_arg_uid;
uid_t ar_arg_auid;
gid_t ar_arg_gid;
struct groupset ar_arg_groups;
int ar_arg_fd;
int ar_arg_fflags;
mode_t ar_arg_mode;
int ar_arg_dev;
long ar_arg_value;
void * ar_arg_addr;
int ar_arg_len;
int ar_arg_mask;
u_int ar_arg_signum;
char ar_arg_login[MAXLOGNAME];
int ar_arg_ctlname[CTL_MAXNAME];
struct sockaddr ar_arg_sockaddr;
struct socket_au_info ar_arg_sockinfo;
char *ar_arg_upath1;
char *ar_arg_upath2;
char *ar_arg_text;
struct au_mask ar_arg_amask;
struct vnode_au_info ar_arg_vnode1;
struct vnode_au_info ar_arg_vnode2;
int ar_arg_cmd;
int ar_arg_svipc_cmd;
struct ipc_perm ar_arg_svipc_perm;
int ar_arg_svipc_id;
void * ar_arg_svipc_addr;
struct posix_ipc_perm ar_arg_pipc_perm;
union auditon_udata ar_arg_auditon;
int ar_arg_exitstatus;
int ar_arg_exitretval;
};
/*
@ -221,16 +221,16 @@ struct audit_record {
/*
* In-kernel version of audit record; the basic record plus queue meta-data.
* This record can also have a pointer set to some opaque data that will
* be passed through to the audit writing mechanism.
* This record can also have a pointer set to some opaque data that will be
* passed through to the audit writing mechanism.
*/
struct kaudit_record {
struct audit_record k_ar;
u_int32_t k_ar_commit;
void *k_udata; /* user data */
u_int k_ulen; /* user data length */
struct uthread *k_uthread; /* thread we are auditing */
TAILQ_ENTRY(kaudit_record) k_q;
struct audit_record k_ar;
u_int32_t k_ar_commit;
void *k_udata; /* User data. */
u_int k_ulen; /* User data length. */
struct uthread *k_uthread; /* Audited thread. */
TAILQ_ENTRY(kaudit_record) k_q;
};
TAILQ_HEAD(kaudit_queue, kaudit_record);
@ -248,34 +248,33 @@ struct kaudit_record *audit_new(int event, struct thread *td);
* the BSM file format.
*/
struct au_record;
int kaudit_to_bsm(struct kaudit_record *kar,
struct au_record **pau);
int bsm_rec_verify(void *rec);
int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
int bsm_rec_verify(void *rec);
/*
* Kernel versions of the libbsm audit record functions.
*/
void kau_free(struct au_record *rec);
void kau_init(void);
void kau_free(struct au_record *rec);
void kau_init(void);
/*
* Return values for pre-selection and post-selection decisions.
*/
#define AU_PRS_SUCCESS 1
#define AU_PRS_FAILURE 2
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
#define AU_PRS_SUCCESS 1
#define AU_PRS_FAILURE 2
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
/*
* Data structures relating to the kernel audit queue. Ideally, these might
* be abstracted so that only accessor methods are exposed.
*/
extern struct mtx audit_mtx;
extern struct cv audit_commit_cv;
extern struct cv audit_cv;
extern struct kaudit_queue audit_q;
extern int audit_q_len;
extern int audit_pre_q_len;
extern int audit_in_failure;
extern struct mtx audit_mtx;
extern struct cv audit_commit_cv;
extern struct cv audit_cv;
extern struct kaudit_queue audit_q;
extern int audit_q_len;
extern int audit_pre_q_len;
extern int audit_in_failure;
/*
* Flags to use on audit files when opening and closing.
@ -289,8 +288,8 @@ extern int audit_in_failure;
/*
* Some of the BSM tokenizer functions take different parameters in the
* kernel implementations in order to save the copying of large kernel
* data structures. The prototypes of these functions are declared here.
* kernel implementations in order to save the copying of large kernel data
* structures. The prototypes of these functions are declared here.
*/
token_t *kau_to_socket(struct socket_au_info *soi);
@ -328,6 +327,6 @@ void audit_worker_init(void);
/*
* Audit pipe functions.
*/
void audit_pipe_submit(void *record, u_int record_len);
void audit_pipe_submit(void *record, u_int record_len);
#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */

98
sys/security/audit/audit_syscalls.c
View File

@ -46,13 +46,13 @@
/*
* MPSAFE
*
* System call to allow a user space application to submit a BSM audit
* record to the kernel for inclusion in the audit log. This function
* does little verification on the audit record that is submitted.
* System call to allow a user space application to submit a BSM audit record
* to the kernel for inclusion in the audit log. This function does little
* verification on the audit record that is submitted.
*
* XXXAUDIT: Audit preselection for user records does not currently
* work, since we pre-select only based on the AUE_audit event type,
* not the event type submitted as part of the user audit data.
* XXXAUDIT: Audit preselection for user records does not currently work,
* since we pre-select only based on the AUE_audit event type, not the event
* type submitted as part of the user audit data.
*/
/* ARGSUSED */
int
@ -71,14 +71,16 @@ audit(struct thread *td, struct audit_args *uap)
ar = currecord();
/* If there's no current audit record (audit() itself not audited)
/*
* If there's no current audit record (audit() itself not audited)
* commit the user audit record.
*/
if (ar == NULL) {
/* This is not very efficient; we're required to allocate
* a complete kernel audit record just so the user record
* can tag along.
/*
* This is not very efficient; we're required to allocate a
* complete kernel audit record just so the user record can
* tag along.
*
* XXXAUDIT: Maybe AUE_AUDIT in the system call context and
* special pre-select handling?
@ -89,7 +91,7 @@ audit(struct thread *td, struct audit_args *uap)
ar = td->td_ar;
}
if (uap->length > MAX_AUDIT_RECORD_SIZE)
if (uap->length > MAX_AUDIT_RECORD_SIZE)
return (EINVAL);
rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
@ -98,13 +100,14 @@ audit(struct thread *td, struct audit_args *uap)
if (error)
goto free_out;
/* Verify the record */
/* Verify the record. */
if (bsm_rec_verify(rec) == 0) {
error = EINVAL;
goto free_out;
}
/* Attach the user audit record to the kernel audit record. Because
/*
* Attach the user audit record to the kernel audit record. Because
* this system call is an auditable event, we will write the user
* record along with the record for this audit event.
*
@ -117,8 +120,9 @@ audit(struct thread *td, struct audit_args *uap)
return (0);
free_out:
/* audit_syscall_exit() will free the audit record on the thread
* even if we allocated it above.
/*
* audit_syscall_exit() will free the audit record on the thread even
* if we allocated it above.
*/
free(rec, M_AUDITDATA);
return (error);
@ -147,8 +151,10 @@ auditon(struct thread *td, struct auditon_args *uap)
memset((void *)&udata, 0, sizeof(udata));
/*
* Some of the GET commands use the arguments too.
*/
switch (uap->cmd) {
/* Some of the GET commands use the arguments too */
case A_SETPOLICY:
case A_SETKMASK:
case A_SETQCTRL:
@ -171,7 +177,8 @@ auditon(struct thread *td, struct auditon_args *uap)
break;
}
/* XXX Need to implement these commands by accessing the global
/*
* XXX Need to implement these commands by accessing the global
* values associated with the commands.
*
* XXXAUDIT: Locking?
@ -251,9 +258,9 @@ auditon(struct thread *td, struct auditon_args *uap)
break;
case A_SETCOND:
if (udata.au_cond == AUC_NOAUDIT)
if (udata.au_cond == AUC_NOAUDIT)
audit_suspended = 1;
if (udata.au_cond == AUC_AUDITING)
if (udata.au_cond == AUC_AUDITING)
audit_suspended = 0;
if (udata.au_cond == AUC_DISABLED) {
audit_suspended = 1;
@ -262,17 +269,17 @@ auditon(struct thread *td, struct auditon_args *uap)
break;
case A_GETCLASS:
udata.au_evclass.ec_class =
au_event_class(udata.au_evclass.ec_number);
udata.au_evclass.ec_class = au_event_class(
udata.au_evclass.ec_number);
break;
case A_SETCLASS:
au_evclassmap_insert(udata.au_evclass.ec_number,
udata.au_evclass.ec_class);
udata.au_evclass.ec_class);
break;
case A_GETPINFO:
if (udata.au_aupinfo.ap_pid < 1)
if (udata.au_aupinfo.ap_pid < 1)
return (EINVAL);
/* XXXAUDIT: p_cansee()? */
@ -280,30 +287,29 @@ auditon(struct thread *td, struct auditon_args *uap)
return (EINVAL);
udata.au_aupinfo.ap_auid = tp->p_au->ai_auid;
udata.au_aupinfo.ap_mask.am_success =
tp->p_au->ai_mask.am_success;
udata.au_aupinfo.ap_mask.am_failure =
tp->p_au->ai_mask.am_failure;
udata.au_aupinfo.ap_termid.machine =
tp->p_au->ai_termid.machine;
udata.au_aupinfo.ap_termid.port =
tp->p_au->ai_termid.port;
udata.au_aupinfo.ap_mask.am_success =
tp->p_au->ai_mask.am_success;
udata.au_aupinfo.ap_mask.am_failure =
tp->p_au->ai_mask.am_failure;
udata.au_aupinfo.ap_termid.machine =
tp->p_au->ai_termid.machine;
udata.au_aupinfo.ap_termid.port = tp->p_au->ai_termid.port;
udata.au_aupinfo.ap_asid = tp->p_au->ai_asid;
PROC_UNLOCK(tp);
break;
case A_SETPMASK:
if (udata.au_aupinfo.ap_pid < 1)
if (udata.au_aupinfo.ap_pid < 1)
return (EINVAL);
/* XXXAUDIT: p_cansee()? */
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
return (EINVAL);
tp->p_au->ai_mask.am_success =
udata.au_aupinfo.ap_mask.am_success;
tp->p_au->ai_mask.am_failure =
udata.au_aupinfo.ap_mask.am_failure;
tp->p_au->ai_mask.am_success =
udata.au_aupinfo.ap_mask.am_success;
tp->p_au->ai_mask.am_failure =
udata.au_aupinfo.ap_mask.am_failure;
PROC_UNLOCK(tp);
break;
@ -336,9 +342,11 @@ auditon(struct thread *td, struct auditon_args *uap)
(udata.au_trigger > AUDIT_TRIGGER_MAX))
return (EINVAL);
return (send_trigger(udata.au_trigger));
break;
}
/* Copy data back to userspace for the GET comands */
/*
* Copy data back to userspace for the GET comands.
*/
switch (uap->cmd) {
case A_GETPOLICY:
case A_GETKMASK:
@ -361,7 +369,7 @@ auditon(struct thread *td, struct auditon_args *uap)
return (0);
}
/*
/*
* MPSAFE
*
* System calls to manage the user audit information.
@ -378,8 +386,8 @@ getauid(struct thread *td, struct getauid_args *uap)
return (error);
/*
* XXX:
* Integer read on static pointer dereference: doesn't need locking?
* XXX: Integer read on static pointer dereference: doesn't need
* locking?
*/
PROC_LOCK(td->td_proc);
id = td->td_proc->p_au->ai_auid;
@ -406,15 +414,15 @@ setauid(struct thread *td, struct setauid_args *uap)
audit_arg_auid(id);
/*
* XXX:
* Integer write on static pointer dereference: doesn't need locking?
* XXX: Integer write on static pointer dereference: doesn't need
* locking?
*
* XXXAUDIT: Might need locking to serialize audit events in the same
* order as change events? Or maybe that's an under-solveable
* problem.
*
* XXXRW: Test privilege while holding the proc lock?
*/
*/
PROC_LOCK(td->td_proc);
td->td_proc->p_au->ai_auid = id;
PROC_UNLOCK(td->td_proc);
@ -424,7 +432,7 @@ setauid(struct thread *td, struct setauid_args *uap)
/*
* MPSAFE
* System calls to get and set process audit information.
* System calls to get and set process audit information.
*/
/* ARGSUSED */
int

151
sys/security/audit/audit_worker.c
View File

@ -71,22 +71,22 @@
/*
* Worker thread that will schedule disk I/O, etc.
*/
*/
static struct proc *audit_thread;
/*
* When an audit log is rotated, the actual rotation must be performed
* by the audit worker thread, as it may have outstanding writes on the
* current audit log. audit_replacement_vp holds the vnode replacing
* the current vnode. We can't let more than one replacement occur
* at a time, so if more than one thread requests a replacement, only
* one can have the replacement "in progress" at any given moment. If
* a thread tries to replace the audit vnode and discovers a replacement
* is already in progress (i.e., audit_replacement_flag != 0), then it
* will sleep on audit_replacement_cv waiting its turn to perform a
* replacement. When a replacement is completed, this cv is signalled
* by the worker thread so a waiting thread can start another replacement.
* We also store a credential to perform audit log write operations with.
* When an audit log is rotated, the actual rotation must be performed by the
* audit worker thread, as it may have outstanding writes on the current
* audit log. audit_replacement_vp holds the vnode replacing the current
* vnode. We can't let more than one replacement occur at a time, so if more
* than one thread requests a replacement, only one can have the replacement
* "in progress" at any given moment. If a thread tries to replace the audit
* vnode and discovers a replacement is already in progress (i.e.,
* audit_replacement_flag != 0), then it will sleep on audit_replacement_cv
* waiting its turn to perform a replacement. When a replacement is
* completed, this cv is signalled by the worker thread so a waiting thread
* can start another replacement. We also store a credential to perform
* audit log write operations with.
*
* The current credential and vnode are thread-local to audit_worker.
*/
@ -103,13 +103,13 @@ static int audit_file_rotate_wait;
/*
* XXXAUDIT: Should adjust comments below to make it clear that we get to
* this point only if we believe we have storage, so not having space here
* is a violation of invariants derived from administrative procedures.
* I.e., someone else has written to the audit partition, leaving less space
* than we accounted for.
* this point only if we believe we have storage, so not having space here is
* a violation of invariants derived from administrative procedures. I.e.,
* someone else has written to the audit partition, leaving less space than
* we accounted for.
*/
static int
audit_record_write(struct vnode *vp, struct kaudit_record *ar,
audit_record_write(struct vnode *vp, struct kaudit_record *ar,
struct ucred *cred, struct thread *td)
{
int ret;
@ -122,10 +122,10 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
/*
* First, gather statistics on the audit log file and file system
* so that we know how we're doing on space. In both cases,
* if we're unable to perform the operation, we drop the record
* and return. However, this is arguably an assertion failure.
* First, gather statistics on the audit log file and file system so
* that we know how we're doing on space. In both cases, if we're
* unable to perform the operation, we drop the record and return.
* However, this is arguably an assertion failure.
* XXX Need a FreeBSD equivalent.
*/
ret = VFS_STATFS(vp->v_mount, mnt_stat, td);
@ -139,23 +139,24 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
goto out;
/* update the global stats struct */
audit_fstat.af_currsz = vattr.va_size;
audit_fstat.af_currsz = vattr.va_size;
/*
* XXX Need to decide what to do if the trigger to the audit daemon
* fails.
*/
/*
/*
* If we fall below minimum free blocks (hard limit), tell the audit
* daemon to force a rotation off of the file system. We also stop
* writing, which means this audit record is probably lost.
* If we fall below the minimum percent free blocks (soft limit),
* then kindly suggest to the audit daemon to do something.
* writing, which means this audit record is probably lost. If we
* fall below the minimum percent free blocks (soft limit), then
* kindly suggest to the audit daemon to do something.
*/
if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) {
(void)send_trigger(AUDIT_TRIGGER_NO_SPACE);
/* Hopefully userspace did something about all the previous
/*
* Hopefully userspace did something about all the previous
* triggers that were sent prior to this critical condition.
* If fail-stop is set, then we're done; goodnight Gracie.
*/
@ -167,26 +168,27 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
goto out;
}
} else
/*
* Send a message to the audit daemon that disk space
* is getting low.
/*
* Send a message to the audit daemon that disk space is
* getting low.
*
* XXXAUDIT: Check math and block size calculation here.
*/
if (audit_qctrl.aq_minfree != 0) {
temp = mnt_stat->f_blocks / (100 /
temp = mnt_stat->f_blocks / (100 /
audit_qctrl.aq_minfree);
if (mnt_stat->f_bfree < temp)
(void)send_trigger(AUDIT_TRIGGER_LOW_SPACE);
}
/* Check if the current log file is full; if so, call for
* a log rotate. This is not an exact comparison; we may
* write some records over the limit. If that's not
* acceptable, then add a fudge factor here.
/*
* Check if the current log file is full; if so, call for a log
* rotate. This is not an exact comparison; we may write some records
* over the limit. If that's not acceptable, then add a fudge factor
* here.
*/
if ((audit_fstat.af_filesz != 0) &&
(audit_file_rotate_wait == 0) &&
(audit_file_rotate_wait == 0) &&
(vattr.va_size >= audit_fstat.af_filesz)) {
audit_file_rotate_wait = 1;
(void)send_trigger(AUDIT_TRIGGER_OPEN_NEW);
@ -194,15 +196,14 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
/*
* If the estimated amount of audit data in the audit event queue
* (plus records allocated but not yet queued) has reached the
* amount of free space on the disk, then we need to go into an
* audit fail stop state, in which we do not permit the
* allocation/committing of any new audit records. We continue to
* process packets but don't allow any activities that might
* generate new records. In the future, we might want to detect
* when space is available again and allow operation to continue,
* but this behavior is sufficient to meet fail stop requirements
* in CAPP.
* (plus records allocated but not yet queued) has reached the amount
* of free space on the disk, then we need to go into an audit fail
* stop state, in which we do not permit the allocation/committing of
* any new audit records. We continue to process packets but don't
* allow any activities that might generate new records. In the
* future, we might want to detect when space is available again and
* allow operation to continue, but this behavior is sufficient to
* meet fail stop requirements in CAPP.
*/
if (audit_fail_stop &&
(unsigned long)
@ -213,15 +214,14 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
audit_in_failure = 1;
}
/*
/*
* If there is a user audit record attached to the kernel record,
* then write the user record.
*/
/* XXX Need to decide a few things here: IF the user audit
* record is written, but the write of the kernel record fails,
* what to do? Should the kernel record come before or after the
* user record? For now, we write the user record first, and
* we ignore errors.
*
* XXX Need to decide a few things here: IF the user audit record is
* written, but the write of the kernel record fails, what to do?
* Should the kernel record come before or after the user record?
* For now, we write the user record first, and we ignore errors.
*/
if (ar->k_ar_commit & AR_COMMIT_USER) {
/*
@ -233,15 +233,15 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
* And to disk.
*/
ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
(off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL,
NULL, td);
(off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL,
NULL, td);
if (ret)
goto out;
}
/*
* Convert the internal kernel record to BSM format and write it
* out if everything's OK.
/*
* Convert the internal kernel record to BSM format and write it out
* if everything's OK.
*/
if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
ret = 0;
@ -259,8 +259,8 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
}
/*
* XXX: We drop the record on BSM conversion failure, but really
* this is an assertion failure.
* XXX: We drop the record on BSM conversion failure, but really this
* is an assertion failure.
*/
if (ret == BSM_FAILURE) {
AUDIT_PRINTF(("BSM conversion failure\n"));
@ -272,28 +272,25 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
* Try submitting the record to any active audit pipes.
*/
audit_pipe_submit((void *)bsm->data, bsm->len);
/*
* XXX
* We should break the write functionality away from the BSM record
* generation and have the BSM generation done before this function
* is called. This function will then take the BSM record as a
* parameter.
*/
ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len,
(off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, td));
/*
* XXX We should break the write functionality away from the BSM
* record generation and have the BSM generation done before this
* function is called. This function will then take the BSM record as
* a parameter.
*/
ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len, (off_t)0,
UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, td));
kau_free(bsm);
out:
/*
* When we're done processing the current record, we have to
* check to see if we're in a failure mode, and if so, whether
* this was the last record left to be drained. If we're done
* draining, then we fsync the vnode and panic.
* When we're done processing the current record, we have to check to
* see if we're in a failure mode, and if so, whether this was the
* last record left to be drained. If we're done draining, then we
* fsync the vnode and panic.
*/
if (audit_in_failure &&
audit_q_len == 0 && audit_pre_q_len == 0) {
if (audit_in_failure && audit_q_len == 0 && audit_pre_q_len == 0) {
VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td);
(void)VOP_FSYNC(vp, MNT_WAIT, td);
VOP_UNLOCK(vp, 0, td);
@ -469,7 +466,7 @@ audit_worker(void *arg)
while ((ar = TAILQ_FIRST(&ar_worklist))) {
TAILQ_REMOVE(&ar_worklist, ar, k_q);
if (audit_vp != NULL) {
error = audit_record_write(audit_vp, ar,
error = audit_record_write(audit_vp, ar,
audit_cred, audit_td);
if (error && audit_panic_on_write_fail)
panic("audit_worker: write error %d\n",