1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file contains the auditing system call code. 28 * 29 */ 30 31 32 #include <sys/param.h> 33 #include <sys/systm.h> 34 #include <sys/user.h> 35 #include <sys/vnode.h> 36 #include <sys/vfs.h> 37 #include <sys/session.h> /* for session structure (auditctl(2) */ 38 #include <sys/kmem.h> /* for KM_SLEEP */ 39 #include <sys/cred_impl.h> 40 #include <sys/types.h> 41 #include <sys/proc.h> 42 #include <sys/uio.h> 43 #include <sys/file.h> 44 #include <sys/stat.h> 45 #include <sys/pathname.h> 46 #include <sys/acct.h> 47 #include <sys/stropts.h> 48 #include <sys/exec.h> 49 #include <sys/thread.h> 50 #include <sys/cmn_err.h> 51 #include <sys/debug.h> 52 #include <sys/disp.h> 53 #include <sys/kobj.h> 54 #include <sys/sysmacros.h> 55 #include <sys/policy.h> 56 #include <sys/taskq.h> 57 #include <sys/zone.h> 58 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_record.h> 62 63 #define CLEAR_VAL -1 64 65 #define HEADER_SIZE64 1; 66 #define HEADER_SIZE32 0; 67 #define AU_MIN_FILE_SZ 0x80000 /* minumum audit file size */ 68 #define AUDIT_REC_SIZE 0x8000 /* maximum user audit record size */ 69 70 extern kmutex_t pidlock; 71 72 extern pri_t minclsyspri; /* priority for taskq */ 73 74 extern int audit_load; /* defined in audit_start.c */ 75 76 int au_auditstate = AUC_UNSET; /* global audit state */ 77 int audit_policy; /* global audit policies in force */ 78 static clock_t au_resid = 15; /* wait .15 sec before droping a rec */ 79 80 static int getauid(caddr_t); 81 static int setauid(caddr_t); 82 static int getaudit(caddr_t); 83 static int getaudit_addr(caddr_t, int); 84 static int setaudit(caddr_t); 85 static int setaudit_addr(caddr_t, int); 86 static int auditdoor(int); 87 static int auditctl(int, caddr_t, int); 88 static int audit_modsysent(char *, int, int (*)()); 89 static void au_output_thread(); 90 /* 91 * This is the loadable module wrapper. 92 */ 93 #include <sys/modctl.h> 94 #include "sys/syscall.h" 95 96 static struct sysent auditsysent = { 97 6, 98 0, 99 _auditsys 100 }; 101 102 /* 103 * Module linkage information for the kernel. 104 */ 105 extern struct mod_ops mod_syscallops; 106 107 static struct modlsys modlsys = { 108 &mod_syscallops, "C2 system call", &auditsysent 109 }; 110 111 static struct modlinkage modlinkage = { 112 MODREV_1, (void *)&modlsys, 0 113 }; 114 115 int 116 _init() 117 { 118 int retval; 119 120 if (audit_load == 0) 121 return (-1); 122 123 /* 124 * We are going to do an ugly thing here. 125 * Because auditsys is already defined as a regular 126 * syscall we have to change the definition for syscall 127 * auditsys. Basically or in the SE_LOADABLE flag for 128 * auditsys. We no have a static loadable syscall. Also 129 * create an rw_lock. 130 */ 131 132 if ((audit_modsysent("c2audit", SE_LOADABLE|SE_NOUNLOAD, 133 _auditsys)) == -1) 134 return (-1); 135 136 if ((retval = mod_install(&modlinkage)) != 0) 137 return (retval); 138 139 return (0); 140 } 141 142 int 143 _fini() 144 { 145 return (EBUSY); 146 } 147 148 int 149 _info(struct modinfo *modinfop) 150 { 151 return (mod_info(&modlinkage, modinfop)); 152 } 153 154 /* 155 * when auditing is updated to allow enable/disable without 156 * reboot (and when the audit stubs are removed) *most* of these 157 * calls should return an error when auditing is off -- some 158 * for local zones only. 159 */ 160 161 int 162 _auditsys(struct auditcalls *uap, rval_t *rvp) 163 { 164 int result = 0; 165 166 switch (uap->code) { 167 case BSM_GETAUID: 168 result = getauid((caddr_t)uap->a1); 169 break; 170 case BSM_SETAUID: 171 result = setauid((caddr_t)uap->a1); 172 break; 173 case BSM_GETAUDIT: 174 result = getaudit((caddr_t)uap->a1); 175 break; 176 case BSM_GETAUDIT_ADDR: 177 178 result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2); 179 break; 180 case BSM_SETAUDIT: 181 result = setaudit((caddr_t)uap->a1); 182 break; 183 case BSM_SETAUDIT_ADDR: 184 result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2); 185 break; 186 case BSM_AUDIT: 187 result = audit((caddr_t)uap->a1, (int)uap->a2); 188 break; 189 case BSM_AUDITDOOR: 190 result = auditdoor((int)uap->a1); 191 break; 192 case BSM_AUDITON: 193 case BSM_AUDITCTL: 194 result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3); 195 break; 196 default: 197 result = EINVAL; 198 } 199 rvp->r_vals = result; 200 return (result); 201 } 202 203 /* 204 * Return the audit user ID for the current process. Currently only 205 * the privileged processes may see the audit id. That may change. 206 * If copyout is unsucessful return EFAULT. 207 */ 208 static int 209 getauid(caddr_t auid_p) 210 { 211 const auditinfo_addr_t *ainfo; 212 213 if (secpolicy_audit_getattr(CRED()) != 0) 214 return (EPERM); 215 216 ainfo = crgetauinfo(CRED()); 217 if (ainfo == NULL) 218 return (EINVAL); 219 220 if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t))) 221 return (EFAULT); 222 223 return (0); 224 } 225 226 /* 227 * Set the audit userid, for a process. This can only be changed by 228 * privileged processes. The audit userid is inherited across forks & execs. 229 * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT. 230 */ 231 static int 232 setauid(caddr_t auid_p) 233 { 234 proc_t *p; 235 au_id_t auid; 236 cred_t *newcred; 237 auditinfo_addr_t *auinfo; 238 239 if (secpolicy_audit_config(CRED()) != 0) 240 return (EPERM); 241 242 if (copyin(auid_p, &auid, sizeof (au_id_t))) { 243 return (EFAULT); 244 } 245 246 newcred = cralloc(); 247 if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) { 248 crfree(newcred); 249 return (EINVAL); 250 } 251 252 /* grab p_crlock and switch to new cred */ 253 p = curproc; 254 mutex_enter(&p->p_crlock); 255 crcopy_to(p->p_cred, newcred); 256 p->p_cred = newcred; 257 258 auinfo->ai_auid = auid; /* update the auid */ 259 260 /* unlock and broadcast the cred changes */ 261 mutex_exit(&p->p_crlock); 262 crset(p, newcred); 263 264 return (0); 265 } 266 267 /* 268 * Get the audit state information from the current process. 269 * Return EFAULT if copyout fails. 270 */ 271 static int 272 getaudit(caddr_t info_p) 273 { 274 STRUCT_DECL(auditinfo, info); 275 const auditinfo_addr_t *ainfo; 276 model_t model; 277 278 if (secpolicy_audit_getattr(CRED()) != 0) 279 return (EPERM); 280 281 model = get_udatamodel(); 282 STRUCT_INIT(info, model); 283 284 ainfo = crgetauinfo(CRED()); 285 if (ainfo == NULL) 286 return (EINVAL); 287 288 /* trying to read a process with an IPv6 address? */ 289 if (ainfo->ai_termid.at_type == AU_IPv6) 290 return (EOVERFLOW); 291 292 STRUCT_FSET(info, ai_auid, ainfo->ai_auid); 293 STRUCT_FSET(info, ai_mask, ainfo->ai_mask); 294 #ifdef _LP64 295 if (model == DATAMODEL_ILP32) { 296 dev32_t dev; 297 /* convert internal 64 bit form to 32 bit version */ 298 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 299 return (EOVERFLOW); 300 } 301 STRUCT_FSET(info, ai_termid.port, dev); 302 } else 303 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port); 304 #else 305 STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port); 306 #endif 307 STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]); 308 STRUCT_FSET(info, ai_asid, ainfo->ai_asid); 309 310 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 311 return (EFAULT); 312 313 return (0); 314 } 315 316 /* 317 * Get the audit state information from the current process. 318 * Return EFAULT if copyout fails. 319 */ 320 static int 321 getaudit_addr(caddr_t info_p, int len) 322 { 323 STRUCT_DECL(auditinfo_addr, info); 324 const auditinfo_addr_t *ainfo; 325 model_t model; 326 327 if (secpolicy_audit_getattr(CRED()) != 0) 328 return (EPERM); 329 330 model = get_udatamodel(); 331 STRUCT_INIT(info, model); 332 333 if (len < STRUCT_SIZE(info)) 334 return (EOVERFLOW); 335 336 ainfo = crgetauinfo(CRED()); 337 338 if (ainfo == NULL) 339 return (EINVAL); 340 341 STRUCT_FSET(info, ai_auid, ainfo->ai_auid); 342 STRUCT_FSET(info, ai_mask, ainfo->ai_mask); 343 #ifdef _LP64 344 if (model == DATAMODEL_ILP32) { 345 dev32_t dev; 346 /* convert internal 64 bit form to 32 bit version */ 347 if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) { 348 return (EOVERFLOW); 349 } 350 STRUCT_FSET(info, ai_termid.at_port, dev); 351 } else 352 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port); 353 #else 354 STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port); 355 #endif 356 STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type); 357 STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]); 358 STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]); 359 STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]); 360 STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]); 361 STRUCT_FSET(info, ai_asid, ainfo->ai_asid); 362 363 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 364 return (EFAULT); 365 366 return (0); 367 } 368 369 /* 370 * Set the audit state information for the current process. 371 * Return EFAULT if copyout fails. 372 */ 373 static int 374 setaudit(caddr_t info_p) 375 { 376 STRUCT_DECL(auditinfo, info); 377 proc_t *p; 378 cred_t *newcred; 379 model_t model; 380 auditinfo_addr_t *ainfo; 381 382 if (secpolicy_audit_config(CRED()) != 0) 383 return (EPERM); 384 385 model = get_udatamodel(); 386 STRUCT_INIT(info, model); 387 388 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info))) 389 return (EFAULT); 390 391 newcred = cralloc(); 392 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) { 393 crfree(newcred); 394 return (EINVAL); 395 } 396 397 /* grab p_crlock and switch to new cred */ 398 p = curproc; 399 mutex_enter(&p->p_crlock); 400 crcopy_to(p->p_cred, newcred); 401 p->p_cred = newcred; 402 403 /* Set audit mask, id, termid and session id as specified */ 404 ainfo->ai_auid = STRUCT_FGET(info, ai_auid); 405 #ifdef _LP64 406 /* only convert to 64 bit if coming from a 32 bit binary */ 407 if (model == DATAMODEL_ILP32) 408 ainfo->ai_termid.at_port = 409 DEVEXPL(STRUCT_FGET(info, ai_termid.port)); 410 else 411 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port); 412 #else 413 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port); 414 #endif 415 ainfo->ai_termid.at_type = AU_IPv4; 416 ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine); 417 ainfo->ai_asid = STRUCT_FGET(info, ai_asid); 418 ainfo->ai_mask = STRUCT_FGET(info, ai_mask); 419 420 /* unlock and broadcast the cred changes */ 421 mutex_exit(&p->p_crlock); 422 crset(p, newcred); 423 424 return (0); 425 } 426 427 /* 428 * Set the audit state information for the current process. 429 * Return EFAULT if copyin fails. 430 */ 431 static int 432 setaudit_addr(caddr_t info_p, int len) 433 { 434 STRUCT_DECL(auditinfo_addr, info); 435 proc_t *p; 436 cred_t *newcred; 437 model_t model; 438 int i; 439 int type; 440 auditinfo_addr_t *ainfo; 441 442 if (secpolicy_audit_config(CRED()) != 0) 443 return (EPERM); 444 445 model = get_udatamodel(); 446 STRUCT_INIT(info, model); 447 448 if (len < STRUCT_SIZE(info)) 449 return (EOVERFLOW); 450 451 if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info))) 452 return (EFAULT); 453 454 type = STRUCT_FGET(info, ai_termid.at_type); 455 if ((type != AU_IPv4) && (type != AU_IPv6)) 456 return (EINVAL); 457 458 newcred = cralloc(); 459 if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) { 460 crfree(newcred); 461 return (EINVAL); 462 } 463 464 /* grab p_crlock and switch to new cred */ 465 p = curproc; 466 mutex_enter(&p->p_crlock); 467 crcopy_to(p->p_cred, newcred); 468 p->p_cred = newcred; 469 470 /* Set audit mask, id, termid and session id as specified */ 471 ainfo->ai_auid = STRUCT_FGET(info, ai_auid); 472 ainfo->ai_mask = STRUCT_FGET(info, ai_mask); 473 #ifdef _LP64 474 /* only convert to 64 bit if coming from a 32 bit binary */ 475 if (model == DATAMODEL_ILP32) 476 ainfo->ai_termid.at_port = 477 DEVEXPL(STRUCT_FGET(info, ai_termid.at_port)); 478 else 479 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port); 480 #else 481 ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port); 482 #endif 483 ainfo->ai_termid.at_type = type; 484 bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr)); 485 for (i = 0; i < (type/sizeof (int)); i++) 486 ainfo->ai_termid.at_addr[i] = 487 STRUCT_FGET(info, ai_termid.at_addr[i]); 488 489 if (ainfo->ai_termid.at_type == AU_IPv6 && 490 IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) { 491 ainfo->ai_termid.at_type = AU_IPv4; 492 ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3]; 493 ainfo->ai_termid.at_addr[1] = 0; 494 ainfo->ai_termid.at_addr[2] = 0; 495 ainfo->ai_termid.at_addr[3] = 0; 496 } 497 498 ainfo->ai_asid = STRUCT_FGET(info, ai_asid); 499 500 /* unlock and broadcast the cred changes */ 501 mutex_exit(&p->p_crlock); 502 crset(p, newcred); 503 504 return (0); 505 } 506 507 /* 508 * The audit system call. Trust what the user has sent down and save it 509 * away in the audit file. User passes a complete audit record and its 510 * length. We will fill in the time stamp, check the header and the length 511 * Put a trailer and a sequence token if policy requires. 512 * In the future length might become size_t instead of an int. 513 * 514 * The call is valid whether or not AUDIT_PERZONE is set (think of 515 * login to a zone). When the local audit state (auk_auditstate) is 516 * AUC_INIT_AUDIT, records are accepted even though auditd isn't 517 * running. 518 */ 519 int 520 audit(caddr_t record, int length) 521 { 522 char c; 523 int count, l; 524 token_t *m, *n, *s, *ad; 525 int hdrlen, delta; 526 adr_t hadr; 527 adr_t sadr; 528 int size; /* 0: 32 bit utility 1: 64 bit utility */ 529 int host_len; 530 size_t zlen; 531 au_kcontext_t *kctx = GET_KCTX_PZ; 532 533 /* if auditing not enabled, then don't generate an audit record */ 534 if (kctx->auk_auditstate != AUC_AUDITING && 535 kctx->auk_auditstate != AUC_INIT_AUDIT) 536 return (0); 537 538 /* Only privileged processes can audit */ 539 if (secpolicy_audit_modify(CRED()) != 0) 540 return (EPERM); 541 542 /* Max user record size is 32K */ 543 if (length > AUDIT_REC_SIZE) 544 return (E2BIG); 545 546 /* 547 * The specified length must be at least as big as the smallest 548 * possible header token. Later after beginning to scan the 549 * header we'll determine the true minimum length according to 550 * the header type and attributes. 551 */ 552 #define AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \ 553 sizeof (char) + sizeof (short) + sizeof (short) + \ 554 (sizeof (int32_t) * 2)) 555 556 if (length < AU_MIN_HEADER_LEN) 557 return (EINVAL); 558 559 /* Read in user's audit record */ 560 count = length; 561 m = n = s = ad = NULL; 562 while (count) { 563 m = au_getclr(); 564 if (!s) 565 s = n = m; 566 else { 567 n->next_buf = m; 568 n = m; 569 } 570 l = MIN(count, AU_BUFSIZE); 571 if (copyin(record, memtod(m, caddr_t), (size_t)l)) { 572 /* copyin failed release au_membuf */ 573 au_free_rec(s); 574 return (EFAULT); 575 } 576 record += l; 577 count -= l; 578 m->len = (uchar_t)l; 579 } 580 581 /* Now attach the entire thing to ad */ 582 au_write((caddr_t *)&(ad), s); 583 584 /* validate header token type. trust everything following it */ 585 adr_start(&hadr, memtod(s, char *)); 586 (void) adr_getchar(&hadr, &c); 587 switch (c) { 588 case AUT_HEADER32: 589 /* size vers+event_ID+event_modifier fields */ 590 delta = 1 + 2 + 2; 591 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2); 592 size = HEADER_SIZE32; 593 break; 594 595 #ifdef _LP64 596 case AUT_HEADER64: 597 /* size vers+event_ID+event_modifier fields */ 598 delta = 1 + 2 + 2; 599 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2); 600 size = HEADER_SIZE64; 601 break; 602 #endif 603 604 case AUT_HEADER32_EX: 605 /* 606 * Skip over the length/version/type/mod fields and 607 * grab the host address type (length), then rewind. 608 * This is safe per the previous minimum length check. 609 */ 610 hadr.adr_now += 9; 611 (void) adr_getint32(&hadr, &host_len); 612 hadr.adr_now -= 9 + sizeof (int32_t); 613 614 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */ 615 delta = 1 + 2 + 2 + 4 + host_len; 616 hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2); 617 size = HEADER_SIZE32; 618 break; 619 620 #ifdef _LP64 621 case AUT_HEADER64_EX: 622 /* 623 * Skip over the length/version/type/mod fields and grab 624 * the host address type (length), then rewind. 625 * This is safe per the previous minimum length check. 626 */ 627 hadr.adr_now += 9; 628 (void) adr_getint32(&hadr, &host_len); 629 hadr.adr_now -= 9 + sizeof (int32_t); 630 631 /* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */ 632 delta = 1 + 2 + 2 + 4 + host_len; 633 hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2); 634 size = HEADER_SIZE64; 635 break; 636 #endif 637 638 default: 639 /* Header is wrong, reject message */ 640 au_free_rec(s); 641 return (EINVAL); 642 } 643 644 if (length < hdrlen) { 645 au_free_rec(s); 646 return (0); 647 } 648 649 /* advance over header token length field */ 650 hadr.adr_now += 4; 651 652 /* validate version */ 653 (void) adr_getchar(&hadr, &c); 654 if (c != TOKEN_VERSION) { 655 /* version is wrong, reject message */ 656 au_free_rec(s); 657 return (EINVAL); 658 } 659 660 /* backup to header length field (including version field) */ 661 hadr.adr_now -= 5; 662 663 /* 664 * add on the zonename token if policy AUDIT_ZONENAME is set 665 */ 666 if (kctx->auk_policy & AUDIT_ZONENAME) { 667 zlen = au_zonename_length(NULL); 668 if (zlen > 0) { 669 length += zlen; 670 m = au_to_zonename(zlen, NULL); 671 (void) au_append_rec(ad, m, AU_PACK); 672 } 673 } 674 /* Add an (optional) sequence token. NULL offset if none */ 675 if (kctx->auk_policy & AUDIT_SEQ) { 676 /* get the sequnce token */ 677 m = au_to_seq(); 678 679 /* sequence token 5 bytes long */ 680 length += 5; 681 682 /* link to audit record (i.e. don't pack the data) */ 683 (void) au_append_rec(ad, m, AU_LINK); 684 685 /* advance to count field of token */ 686 adr_start(&sadr, memtod(m, char *)); 687 sadr.adr_now += 1; 688 } else 689 sadr.adr_now = (char *)NULL; 690 691 /* add the (optional) trailer token */ 692 if (kctx->auk_policy & AUDIT_TRAIL) { 693 /* trailer token is 7 bytes long */ 694 length += 7; 695 696 /* append to audit record */ 697 (void) au_append_rec(ad, au_to_trailer(length), AU_PACK); 698 } 699 700 /* audit record completely assembled. set the length */ 701 adr_int32(&hadr, (int32_t *)&length, 1); 702 703 /* advance to date/time field of header */ 704 hadr.adr_now += delta; 705 706 /* We are done put it on the queue */ 707 AS_INC(as_generated, 1, kctx); 708 AS_INC(as_audit, 1, kctx); 709 710 au_enqueue(kctx, s, &hadr, &sadr, size, 0); 711 712 AS_INC(as_totalsize, length, kctx); 713 714 return (0); 715 } 716 717 static void 718 audit_dont_stop(void *kctx) 719 { 720 721 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) || 722 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT)) 723 return; 724 725 mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock)); 726 cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv)); 727 mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock)); 728 } 729 730 /* 731 * auditdoor starts a kernel thread to generate output from the audit 732 * queue. The thread terminates when it detects auditing being turned 733 * off, such as when auditd exits with a SIGTERM. If a subsequent 734 * auditdoor arrives while the thread is running, the door descriptor 735 * of the last auditdoor in will be used for output. auditd is responsible 736 * for insuring that multiple copies are not running. 737 */ 738 739 static int 740 auditdoor(int fd) 741 { 742 struct file *fp; 743 struct vnode *vp; 744 int do_create = 0; 745 au_kcontext_t *kctx; 746 747 if (secpolicy_audit_config(CRED()) != 0) 748 return (EPERM); 749 750 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 751 return (EINVAL); 752 753 kctx = GET_KCTX_NGZ; 754 755 /* 756 * convert file pointer to file descriptor 757 * Note: fd ref count incremented here. 758 */ 759 if ((fp = (struct file *)getf(fd)) == NULL) { 760 return (EBADF); 761 } 762 vp = fp->f_vnode; 763 if (vp->v_type != VDOOR) { 764 cmn_err(CE_WARN, 765 "auditdoor() did not get the expected door descriptor\n"); 766 releasef(fd); 767 return (EINVAL); 768 } 769 /* 770 * If the output thread is already running, then replace the 771 * door descriptor with the new one and continue; otherwise 772 * create the thread too. Since au_output_thread makes a call 773 * to au_doorio() which also does 774 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is 775 * done after the unlock... 776 */ 777 mutex_enter(&(kctx->auk_svc_lock)); 778 779 if (kctx->auk_current_vp != NULL) 780 VN_RELE(kctx->auk_current_vp); 781 782 kctx->auk_current_vp = vp; 783 VN_HOLD(kctx->auk_current_vp); 784 releasef(fd); 785 786 if (!kctx->auk_output_active) { 787 kctx->auk_output_active = 1; 788 do_create = 1; 789 } 790 mutex_exit(&(kctx->auk_svc_lock)); 791 if (do_create) { 792 kctx->auk_taskq = 793 taskq_create("output_master", 1, minclsyspri, 1, 1, 0); 794 (void) taskq_dispatch(kctx->auk_taskq, 795 (task_func_t *)au_output_thread, 796 kctx, TQ_SLEEP); 797 } 798 return (0); 799 } 800 801 /* 802 * au_queue_kick -- wake up the output queue after delay ticks 803 */ 804 static void 805 au_queue_kick(void *kctx) 806 { 807 /* 808 * wakeup reader if its not running and there is something 809 * to do. It also helps that kctx still be valid... 810 */ 811 812 if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) || 813 (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT)) 814 return; 815 816 if (((au_kcontext_t *)kctx)->auk_queue.cnt && 817 ((au_kcontext_t *)kctx)->auk_queue.rd_block) 818 cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv); 819 820 /* fire off timeout event to kick audit queue awake */ 821 (void) timeout(au_queue_kick, kctx, 822 ((au_kcontext_t *)kctx)->auk_queue.delay); 823 } 824 825 /* 826 * output thread 827 * 828 * this runs "forever" where "forever" means until either auk_auditstate 829 * changes from AUC_AUDITING or if the door descriptor becomes invalid. 830 * 831 * there is one thread per active zone if AUC_PERZONE is set. Since 832 * there is the possibility that a zone may go down without auditd 833 * terminating properly, a zone shutdown kills its au_output_thread() 834 * via taskq_destroy(). 835 */ 836 837 static void 838 au_output_thread(au_kcontext_t *kctx) 839 { 840 int error = 0; 841 842 (void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay); 843 844 /* 845 * Wait for work, until a signal arrives, 846 * or until auditing is disabled. 847 */ 848 849 while (!error) { 850 if (kctx->auk_auditstate == AUC_AUDITING) { 851 mutex_enter(&(kctx->auk_queue.lock)); 852 while (kctx->auk_queue.head == NULL) { 853 /* safety check. kick writer awake */ 854 if (kctx->auk_queue.wt_block) { 855 cv_broadcast(&(kctx-> 856 auk_queue.write_cv)); 857 } 858 859 kctx->auk_queue.rd_block = 1; 860 AS_INC(as_rblocked, 1, kctx); 861 862 cv_wait(&(kctx->auk_queue.read_cv), 863 &(kctx->auk_queue.lock)); 864 kctx->auk_queue.rd_block = 0; 865 866 if (kctx->auk_auditstate != AUC_AUDITING) { 867 mutex_exit(&(kctx->auk_queue.lock)); 868 (void) timeout(audit_dont_stop, kctx, 869 au_resid); 870 goto output_exit; 871 } 872 kctx->auk_queue.rd_block = 0; 873 } 874 mutex_exit(&(kctx->auk_queue.lock)); 875 /* 876 * au_doorio() calls au_door_upcall which holds 877 * auk_svc_lock; au_doorio empties the queue before 878 * returning. 879 */ 880 881 error = au_doorio(kctx); 882 } else { 883 /* auditing turned off while we slept */ 884 break; 885 } 886 } 887 output_exit: 888 mutex_enter(&(kctx->auk_svc_lock)); 889 890 VN_RELE(kctx->auk_current_vp); 891 kctx->auk_current_vp = NULL; 892 893 kctx->auk_output_active = 0; 894 895 mutex_exit(&(kctx->auk_svc_lock)); 896 } 897 898 899 /* 900 * Get the global policy flag 901 */ 902 903 static int 904 getpolicy(caddr_t data) 905 { 906 int policy; 907 au_kcontext_t *kctx = GET_KCTX_PZ; 908 909 policy = audit_policy | kctx->auk_policy; 910 911 if (copyout(&policy, data, sizeof (int))) 912 return (EFAULT); 913 return (0); 914 } 915 916 /* 917 * Set the global and local policy flags 918 * 919 * The global flags only make sense from the global zone; 920 * the local flags depend on the AUDIT_PERZONE policy: 921 * if the perzone policy is set, then policy is set separately 922 * per zone, else held only in the global zone. 923 * 924 * The initial value of a local zone's policy flag is determined 925 * by the value of the global zone's flags at the time the 926 * local zone is created. 927 * 928 * While auditconfig(1M) allows setting and unsetting policies one bit 929 * at a time, the mask passed in from auditconfig() is created by a 930 * syscall to getpolicy and then modified based on the auditconfig() 931 * cmd line, so the input policy value is used to replace the existing 932 * policy. 933 */ 934 935 936 static int 937 setpolicy(caddr_t data) 938 { 939 int policy; 940 au_kcontext_t *kctx; 941 942 if (copyin(data, &policy, sizeof (int))) 943 return (EFAULT); 944 945 kctx = GET_KCTX_NGZ; 946 947 if (INGLOBALZONE(curproc)) { 948 if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL)) 949 return (EINVAL); 950 951 audit_policy = policy & AUDIT_GLOBAL; 952 } else { 953 if (!(audit_policy & AUDIT_PERZONE)) 954 return (EINVAL); 955 956 if (policy & ~AUDIT_LOCAL) /* global bits are a no-no */ 957 return (EINVAL); 958 } 959 kctx->auk_policy = policy & AUDIT_LOCAL; 960 961 /* 962 * auk_current_vp is NULL before auditd starts (or during early 963 * auditd starup) or if auditd is halted; in either case, 964 * notification of a policy change is not needed, since auditd 965 * reads policy as it comes up. The error return from au_doormsg() 966 * is ignored to avoid a race condition -- for example if auditd 967 * segv's, the audit state may be "auditing" but the door may 968 * be closed. Returning an error if the door is open makes it 969 * impossible for Greenline to restart auditd. 970 */ 971 if (kctx->auk_current_vp != NULL) 972 (void) au_doormsg(kctx, AU_DBUF_POLICY, &policy); 973 974 /* 975 * Wake up anyone who might have blocked on full audit 976 * partitions. audit daemons need to set AUDIT_FULL when no 977 * space so we can tell if we should start dropping records. 978 */ 979 mutex_enter(&(kctx->auk_queue.lock)); 980 981 if ((policy & (AUDIT_CNT | AUDIT_SCNT) && 982 (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater))) 983 cv_broadcast(&(kctx->auk_queue.write_cv)); 984 985 mutex_exit(&(kctx->auk_queue.lock)); 986 987 return (0); 988 } 989 990 static int 991 getkmask(caddr_t data) 992 { 993 au_kcontext_t *kctx; 994 995 kctx = GET_KCTX_PZ; 996 997 if (copyout(&kctx->auk_info.ai_mask, data, sizeof (au_mask_t))) 998 return (EFAULT); 999 return (0); 1000 } 1001 1002 static int 1003 setkmask(caddr_t data) 1004 { 1005 au_mask_t mask; 1006 au_kcontext_t *kctx; 1007 1008 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1009 return (EINVAL); 1010 1011 kctx = GET_KCTX_NGZ; 1012 1013 if (copyin(data, &mask, sizeof (au_mask_t))) 1014 return (EFAULT); 1015 1016 kctx->auk_info.ai_mask = mask; 1017 return (0); 1018 } 1019 1020 static int 1021 getkaudit(caddr_t info_p, int len) 1022 { 1023 STRUCT_DECL(auditinfo_addr, info); 1024 model_t model; 1025 au_kcontext_t *kctx = GET_KCTX_PZ; 1026 1027 model = get_udatamodel(); 1028 STRUCT_INIT(info, model); 1029 1030 if (len < STRUCT_SIZE(info)) 1031 return (EOVERFLOW); 1032 1033 STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid); 1034 STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_mask); 1035 #ifdef _LP64 1036 if (model == DATAMODEL_ILP32) { 1037 dev32_t dev; 1038 /* convert internal 64 bit form to 32 bit version */ 1039 if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) { 1040 return (EOVERFLOW); 1041 } 1042 STRUCT_FSET(info, ai_termid.at_port, dev); 1043 } else { 1044 STRUCT_FSET(info, ai_termid.at_port, 1045 kctx->auk_info.ai_termid.at_port); 1046 } 1047 #else 1048 STRUCT_FSET(info, ai_termid.at_port, 1049 kctx->auk_info.ai_termid.at_port); 1050 #endif 1051 STRUCT_FSET(info, ai_termid.at_type, 1052 kctx->auk_info.ai_termid.at_type); 1053 STRUCT_FSET(info, ai_termid.at_addr[0], 1054 kctx->auk_info.ai_termid.at_addr[0]); 1055 STRUCT_FSET(info, ai_termid.at_addr[1], 1056 kctx->auk_info.ai_termid.at_addr[1]); 1057 STRUCT_FSET(info, ai_termid.at_addr[2], 1058 kctx->auk_info.ai_termid.at_addr[2]); 1059 STRUCT_FSET(info, ai_termid.at_addr[3], 1060 kctx->auk_info.ai_termid.at_addr[3]); 1061 STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid); 1062 1063 if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info))) 1064 return (EFAULT); 1065 1066 return (0); 1067 } 1068 1069 /* 1070 * the host address for AUDIT_PERZONE == 0 is that of the global 1071 * zone and for local zones it is of the current zone. 1072 */ 1073 1074 static int 1075 setkaudit(caddr_t info_p, int len) 1076 { 1077 STRUCT_DECL(auditinfo_addr, info); 1078 model_t model; 1079 au_kcontext_t *kctx; 1080 1081 if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc)) 1082 return (EINVAL); 1083 1084 kctx = GET_KCTX_NGZ; 1085 1086 model = get_udatamodel(); 1087 STRUCT_INIT(info, model); 1088 1089 if (len < STRUCT_SIZE(info)) 1090 return (EOVERFLOW);