audit_start.c revision d3e710c89b603b989e3d64ee2352d71c2d97d967
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* This file contains the envelope code for system call auditing.
*/
#include <sys/pathname.h>
#include <sys/cred_impl.h>
#include <c2/audit_kernel.h>
#include <c2/audit_kevents.h>
#include <c2/audit_record.h>
#include "audit_door_infc.h"
/*
 * Audit enable switch. It defaults to 0, so auditing stays off unless
 * /etc/system sets it. The boot-time init routine in this file reads it:
 * 0 clears audit_active and returns before any setup; on DEBUG kernels 2
 * also calls debug_enter(); any other value reaches audit_active = 1.
 */
int audit_load = 0; /* set from /etc/system */
/*
 * NOTE(review): presumably the audit data of the initial process (pad0) and
 * initial thread (tad0); the statements that assign them are not visible in
 * this listing -- confirm against the full source.
 */
struct p_audit_data *pad0;
struct t_audit_data *tad0;
/*
* Das Boot. Initialize first process. Also generate an audit record indicating
* that the system has been booted.
*/
void
{
/*
 * NOTE(review): the name/parameter line of this routine and several of its
 * statements are missing from this listing; a comment below with no code
 * under it describes a step whose code is not shown.
 */
struct audit_path apempty;
/*
 * audit_load == 0: auditing was not requested, so mark it inactive and
 * return before any of the setup below runs. No boot record is generated
 * on this path.
 */
if (audit_load == 0) {
audit_active = 0;
return;
#ifdef DEBUG
/* DEBUG kernels only: audit_load == 2 enters the debugger, then init goes on. */
} else if (audit_load == 2) {
debug_enter((char *)NULL);
#endif
}
/* From here on auditing is considered active. */
audit_active = 1;
set_all_proc_sys(); /* set pre- and post-syscall flags */
/* initialize memory allocators */
au_mem_init();
/* initial thread structure */
/* initial process structure */
/*
 * The kernel allocates a bunch of threads; make sure they have
 * a valid tad.
 */
do {
}
/*
 * Initialize audit context in our cred (kcred).
 * No copy-on-write needed here because it's so early in init.
 */
/* fabricate an empty audit_path to extend */
/*
 * Set up the environment for asynchronous auditing. We can't use
 * audit_async_start() here since it assumes the audit system
 * has been started via auditd(1m). auditd sets the variable,
 * auk_auditstate, to indicate audit record generation should
 * commence. Here we want to always generate an audit record.
 */
/* process audit policy (AUDIT_AHLT) for asynchronous events */
/*
 * NOTE(review): the early return below presumably belongs to the
 * AUDIT_AHLT handling, whose condition is not shown; on that path the
 * boot record further down would not be generated -- confirm.
 */
return;
}
/* generate a system-booted audit record */
}
/*
 * NOTE(review): empty body as shown; the name/parameter line of this
 * routine is missing from this listing.
 */
void
{
}
/*
* Check for any pending changes to the audit context for the given proc.
* p_crlock and pad_lock for the process are acquired here. Caller is
* responsible for assuring the process doesn't go away. If context is
* updated, the specified cralloc'ed cred will be used, otherwise it's freed.
* If no cred is given, it will be cralloc'ed here and caller assures that
* it is safe to allocate memory.
*/
void
{
/*
 * NOTE(review): the name/parameter line and most statements of this
 * routine are missing from this listing. Only the p_crlock enter/exit pair
 * and the curproc test survive, so the notes below are limited to those.
 */
struct p_audit_data *pad;
return;
}
/* If a mask update is pending, take care of it. */
/*
 * The condition may have been handled by the time we lock, so it has to be
 * looked at again once the lock is held. NOTE(review): that re-check is not
 * visible here.
 */
return;
}
/*
 * p->p_crlock is taken here and released below. NOTE(review): the
 * statements that ran between the two calls are not shown.
 */
mutex_enter(&p->p_crlock);
/* Unlock and cleanup. */
mutex_exit(&p->p_crlock);
/*
 * For curproc, assure that our thread points to right
 * cred, so CRED() will be correct. Otherwise, no need
 * to broadcast changes (via set_proc_pre_sys), since
 * t_pre_sys is ALWAYS on when audit is enabled... due
 * to syscall auditing.
 */
/* NOTE(review): the bodies of both branches are missing from this listing. */
if (p == curproc)
else
} else {
}
} else {
}
}
/*
* Enter system call. Do any necessary setup here: allocate resources, etc.
*/
/*ARGSUSED*/
int
unsigned type,
unsigned scid,
int error,
{
/*
 * NOTE(review): the line carrying the function name (presumably
 * audit_start, going by the file name and the comment about indir()
 * below), the last parameter and many statements are missing from this
 * listing. Every return that is visible returns 0.
 */
struct t_audit_data *tad;
/* A non-zero error on entry: return 0 without any of the setup below. */
if (error) {
return (0);
}
/*
 * if this is an indirect system call then don't do anything.
 * audit_start will be called again from indir() in trap.c
 */
if (scid == 0) {
return (0);
}
/*
 * Clamp an out-of-range system call number to 0 so that scid is below
 * num_syscall from here on. NOTE(review): scid presumably indexes a
 * per-system-call table in lines not shown here -- confirm, and keep this
 * check ahead of any such use.
 */
if (scid >= num_syscall)
scid = 0;
/*
 * we can no longer depend on a valid lwp_ap, so we need to
 * copy the syscall args as future audit stuff may need them.
 */
/* The return value is deliberately discarded. */
(void) save_syscall_args();
/*
 * We need to gather paths for certain system calls even if they are
 * not audited so that we can audit the various f* calls and be
 * sure to have a CWD and CAR. We thus set tad_ctrl over the
 * system call regardless of whether the call is audited or not.
 * We allow the event specific initial processing routines (au_init)
 * to adjust the tad_ctrl as necessary.
 */
/* get basic event for system call */
/* get specific event */
}
kctx = GET_KCTX_PZ;
/* now do preselection. Audit or not to Audit, that is the question */
/*
 * we assume that audit_finish will always be called.
 */
return (0);
}
/*
 * if auditing not enabled, then don't generate an audit record
 * and don't count it.
 */
/*
 * we assume that audit_finish will always be called.
 */
return (0);
}
/*
 * audit daemon has informed us that there is no longer any
 * space left to hold audit records. We decide here if records
 * should be dropped (but counted).
 */
/*
 * Per the comment above, an event dropped on this path leaves no record;
 * only the drop counter reflects it. NOTE(review): the condition and the
 * counter update are not visible in this listing.
 */
/* assume that audit_finish will always be called. */
/* just count # of dropped audit records */
return (0);
}
}
/* do start of system call processing */
}
return (0);
}
/*
* system call has completed. Now determine if we generate an audit record
* or not.
*/
/*ARGSUSED*/
void
unsigned type,
unsigned scid,
int error,
{
/*
 * NOTE(review): the line carrying the function name (presumably
 * audit_finish, which the entry routine's comments refer to), the last
 * parameter and many statements are missing from this listing. The notes
 * below cover only what is still visible.
 */
struct t_audit_data *tad;
int flag;
/*
 * Process all deferred events first.
 */
}
/*
 * clear the ctrl flag so that we don't have spurious
 * collection of audit information.
 */
return;
}
/*
 * Perform any extra processing and determine if we are
 * really going to generate any audit record.
 */
/* do any post system call processing */
}
unsigned int sy_flags;
/* Add subject information */
/*
 * NOTE(review): the two AUT_UPRIV fragments below differ only in their
 * last argument (1 vs 0); the calls and the condition that selects
 * between them are not shown.
 */
AUT_UPRIV, 1));
}
AUT_UPRIV, 0));
}
/* Add a return token */
/*
 * sy_flags selects the form of the return token: the branches below use
 * au_to_return32() or au_to_return64(), and when type == 0 the visible
 * call passes (error, 0). NOTE(review): how sy_flags is computed and what
 * the other branches pass is missing from this listing.
 */
#ifdef _SYSCALL32_IMPL
} else {
sy_flags =
}
#else /* _SYSCALL64_IMPL */
#endif /* _SYSCALL32_IMPL */
if (sy_flags == SE_32RVAL1) {
if (type == 0) {
au_to_return32(error, 0));
} else {
}
}
if (type == 0) {
au_to_return32(error, 0));
} else {
#ifdef NOTYET /* for possible future support */
#endif
}
}
if (type == 0) {
au_to_return64(error, 0));
} else {
}
}
}
/* Close up everything */
}
/* free up any space remaining with the paths */
}
/* free up any space remaining with openat paths */
if (tad->tad_atpath) {
}
/*
 * clear the ctrl flag so that we don't have spurious collection of
 * audit information.
 */
}
int
{
/*
 * NOTE(review): the name/parameter line and several statements of this
 * routine are missing from this listing. In particular the statements
 * controlled by the if/else lines below are not shown, so the control
 * flow cannot be read off this text. The visible returns are 0 and AU_OK.
 */
const auditinfo_addr_t *ainfo;
if (error)
/* see if we really want to generate an audit record */
return (0);
/*
 * nfs operation and we're auditing privilege or MAC. This
 * is so we have a client audit record to match a nfs server
 * audit record.
 */
return (AU_OK);
/*
 * Use passed cred if available, otherwise use cred from kernel thread
 */
return (0);
/* NOTE(review): both branch bodies are missing from this listing. */
if (error == 0)
else
}
/*
* determine if we've preselected this event (system call).
*/
int
{
/*
 * NOTE(review): the name/parameter line and the conditions of this
 * routine are missing from this listing. What remains shows the result
 * starting at 0, being set to 1 in two places, and being returned.
 */
int flag = 0;
const auditinfo_addr_t *ainfo;
/* Early exit with 0; the condition guarding it is not shown. */
return (0);
/* preselected system call */
flag = 1;
flag = 1;
}
return (flag);
}