audit_syscalls.c revision 67dbe2be0c0f1e2eb428b89088bb5667e8f0b9f6
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* This file contains the auditing system call code.
*
*/
#include <sys/pathname.h>
#include <sys/sysmacros.h>
#include <c2/audit_kernel.h>
#include <c2/audit_record.h>
#define CLEAR_VAL -1
#define HEADER_SIZE64 1;
#define HEADER_SIZE32 0;
extern int audit_load; /* defined in audit_start.c */
int audit_policy; /* global audit policies in force */
static int getaudit_addr(caddr_t, int);
static int setaudit_addr(caddr_t, int);
static int auditdoor(int);
static int audit_modsysent(char *, int, int (*)());
static void au_output_thread();
/*
* This is the loadable module wrapper.
*/
static struct sysent auditsysent = {
6,
0,
};
/*
* Module linkage information for the kernel.
*/
extern struct mod_ops mod_syscallops;
};
static struct modlinkage modlinkage = {
};
int
_init()
{
int retval;
if (audit_load == 0)
return (-1);
/*
* We are going to do an ugly thing here.
* Because auditsys is already defined as a regular
* syscall we have to change the definition for syscall
* auditsys. Basically or in the SE_LOADABLE flag for
* auditsys. We no have a static loadable syscall. Also
* create an rw_lock.
*/
_auditsys)) == -1)
return (-1);
return (retval);
return (0);
}
int
_fini()
{
return (EBUSY);
}
int
{
}
/*
* reboot (and when the audit stubs are removed) *most* of these
* calls should return an error when auditing is off -- some
* for local zones only.
*/
int
{
int result = 0;
case BSM_GETAUID:
break;
case BSM_SETAUID:
break;
case BSM_GETAUDIT:
break;
case BSM_GETAUDIT_ADDR:
break;
case BSM_SETAUDIT:
break;
case BSM_SETAUDIT_ADDR:
break;
case BSM_AUDIT:
break;
case BSM_AUDITDOOR:
break;
case BSM_AUDITON:
case BSM_AUDITCTL:
break;
default:
}
return (result);
}
/*
* Return the audit user ID for the current process. Currently only
* the privileged processes may see the audit id. That may change.
* If copyout is unsucessful return EFAULT.
*/
static int
{
const auditinfo_addr_t *ainfo;
if (secpolicy_audit_getattr(CRED()) != 0)
return (EPERM);
return (EINVAL);
return (EFAULT);
return (0);
}
/*
* Set the audit userid, for a process. This can only be changed by
* privileged processes. The audit userid is inherited across forks & execs.
* Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
*/
static int
{
proc_t *p;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
return (EFAULT);
}
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
return (0);
}
/*
* Get the audit state information from the current process.
* Return EFAULT if copyout fails.
*/
static int
{
const auditinfo_addr_t *ainfo;
if (secpolicy_audit_getattr(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
return (EINVAL);
/* trying to read a process with an IPv6 address? */
return (EOVERFLOW);
#ifdef _LP64
if (model == DATAMODEL_ILP32) {
/* convert internal 64 bit form to 32 bit version */
return (EOVERFLOW);
}
} else
#else
#endif
return (EFAULT);
return (0);
}
/*
* Get the audit state information from the current process.
* Return EFAULT if copyout fails.
*/
static int
{
const auditinfo_addr_t *ainfo;
if (secpolicy_audit_getattr(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
return (EOVERFLOW);
return (EINVAL);
#ifdef _LP64
if (model == DATAMODEL_ILP32) {
/* convert internal 64 bit form to 32 bit version */
return (EOVERFLOW);
}
} else
#else
#endif
return (EFAULT);
return (0);
}
/*
* Set the audit state information for the current process.
* Return EFAULT if copyout fails.
*/
static int
{
proc_t *p;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
return (EFAULT);
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
/* Set audit mask, id, termid and session id as specified */
#ifdef _LP64
/* only convert to 64 bit if coming from a 32 bit binary */
if (model == DATAMODEL_ILP32)
else
#else
#endif
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
return (0);
}
/*
* Set the audit state information for the current process.
* Return EFAULT if copyin fails.
*/
static int
{
proc_t *p;
int i;
int type;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
return (EOVERFLOW);
return (EFAULT);
return (EINVAL);
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
/* Set audit mask, id, termid and session id as specified */
#ifdef _LP64
/* only convert to 64 bit if coming from a 32 bit binary */
if (model == DATAMODEL_ILP32)
else
#else
#endif
for (i = 0; i < (type/sizeof (int)); i++)
}
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
return (0);
}
/*
* The audit system call. Trust what the user has sent down and save it
* away in the audit file. User passes a complete audit record and its
* length. We will fill in the time stamp, check the header and the length
* Put a trailer and a sequence token if policy requires.
* In the future length might become size_t instead of an int.
*
* The call is valid whether or not AUDIT_PERZONE is set (think of
* login to a zone). When the local audit state (auk_auditstate) is
* AUC_INIT_AUDIT, records are accepted even though auditd isn't
* running.
*/
int
{
char c;
int count, l;
int size; /* 0: 32 bit utility 1: 64 bit utility */
int host_len;
/* if auditing not enabled, then don't generate an audit record */
return (0);
/* Only privileged processes can audit */
if (secpolicy_audit_modify(CRED()) != 0)
return (EPERM);
/* Max user record size is 32K */
if (length > AUDIT_REC_SIZE)
return (E2BIG);
/*
* The specified length must be at least as big as the smallest
* possible header token. Later after beginning to scan the
* header we'll determine the true minimum length according to
* the header type and attributes.
*/
#define AU_MIN_HEADER_LEN (sizeof (char) + sizeof (int32_t) + \
sizeof (char) + sizeof (short) + sizeof (short) + \
(sizeof (int32_t) * 2))
if (length < AU_MIN_HEADER_LEN)
return (EINVAL);
/* Read in user's audit record */
while (count) {
m = au_getclr();
if (!s)
s = n = m;
else {
n->next_buf = m;
n = m;
}
/* copyin failed release au_membuf */
au_free_rec(s);
return (EFAULT);
}
record += l;
count -= l;
}
/* Now attach the entire thing to ad */
/* validate header token type. trust everything following it */
(void) adr_getchar(&hadr, &c);
switch (c) {
case AUT_HEADER32:
/* size vers+event_ID+event_modifier fields */
break;
#ifdef _LP64
case AUT_HEADER64:
/* size vers+event_ID+event_modifier fields */
break;
#endif
case AUT_HEADER32_EX:
/*
* grab the host address type (length), then rewind.
* This is safe per the previous minimum length check.
*/
/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
break;
#ifdef _LP64
case AUT_HEADER64_EX:
/*
* the host address type (length), then rewind.
* This is safe per the previous minimum length check.
*/
/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
break;
#endif
default:
/* Header is wrong, reject message */
au_free_rec(s);
return (EINVAL);
}
au_free_rec(s);
return (0);
}
/* advance over header token length field */
/* validate version */
(void) adr_getchar(&hadr, &c);
if (c != TOKEN_VERSION) {
/* version is wrong, reject message */
au_free_rec(s);
return (EINVAL);
}
/* backup to header length field (including version field) */
/*
* add on the zonename token if policy AUDIT_ZONENAME is set
*/
if (zlen > 0) {
}
}
/* Add an (optional) sequence token. NULL offset if none */
/* get the sequnce token */
m = au_to_seq();
/* sequence token 5 bytes long */
length += 5;
/* link to audit record (i.e. don't pack the data) */
/* advance to count field of token */
} else
/* add the (optional) trailer token */
/* trailer token is 7 bytes long */
length += 7;
/* append to audit record */
}
/* audit record completely assembled. set the length */
/* We are done put it on the queue */
return (0);
}
static void
audit_dont_stop(void *kctx)
{
return;
}
/*
* auditdoor starts a kernel thread to generate output from the audit
* queue. The thread terminates when it detects auditing being turned
* off, such as when auditd exits with a SIGTERM. If a subsequent
* auditdoor arrives while the thread is running, the door descriptor
* of the last auditdoor in will be used for output. auditd is responsible
* for insuring that multiple copies are not running.
*/
static int
{
int do_create = 0;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
return (EINVAL);
kctx = GET_KCTX_NGZ;
/*
* convert file pointer to file descriptor
* Note: fd ref count incremented here.
*/
return (EBADF);
}
"auditdoor() did not get the expected door descriptor\n");
return (EINVAL);
}
/*
* If the output thread is already running, then replace the
* door descriptor with the new one and continue; otherwise
* create the thread too. Since au_output_thread makes a call
* to au_doorio() which also does
* done after the unlock...
*/
if (!kctx->auk_output_active) {
do_create = 1;
}
if (do_create) {
}
return (0);
}
/*
* au_queue_kick -- wake up the output queue after delay ticks
*/
static void
au_queue_kick(void *kctx)
{
/*
* wakeup reader if its not running and there is something
* to do. It also helps that kctx still be valid...
*/
return;
/* fire off timeout event to kick audit queue awake */
}
/*
* output thread
*
* this runs "forever" where "forever" means until either auk_auditstate
* changes from AUC_AUDITING or if the door descriptor becomes invalid.
*
* there is one thread per active zone if AUC_PERZONE is set. Since
* there is the possibility that a zone may go down without auditd
* terminating properly, a zone shutdown kills its au_output_thread()
* via taskq_destroy().
*/
static void
{
int error = 0;
/*
* Wait for work, until a signal arrives,
* or until auditing is disabled.
*/
while (!error) {
/* safety check. kick writer awake */
cv_broadcast(&(kctx->
}
au_resid);
goto output_exit;
}
}
/*
* au_doorio() calls au_door_upcall which holds
* auk_svc_lock; au_doorio empties the queue before
* returning.
*/
} else {
/* auditing turned off while we slept */
break;
}
}
kctx->auk_output_active = 0;
}
/*
* Get the global policy flag
*/
static int
{
int policy;
return (EFAULT);
return (0);
}
/*
* Set the global and local policy flags
*
* The global flags only make sense from the global zone;
* the local flags depend on the AUDIT_PERZONE policy:
* if the perzone policy is set, then policy is set separately
* per zone, else held only in the global zone.
*
* The initial value of a local zone's policy flag is determined
* by the value of the global zone's flags at the time the
* local zone is created.
*
* While auditconfig(1M) allows setting and unsetting policies one bit
* at a time, the mask passed in from auditconfig() is created by a
* syscall to getpolicy and then modified based on the auditconfig()
* cmd line, so the input policy value is used to replace the existing
* policy.
*/
static int
{
int policy;
return (EFAULT);
kctx = GET_KCTX_NGZ;
if (INGLOBALZONE(curproc)) {
return (EINVAL);
} else {
if (!(audit_policy & AUDIT_PERZONE))
return (EINVAL);
return (EINVAL);
}
/*
* auk_current_vp is NULL before auditd starts (or during early
* auditd starup) or if auditd is halted; in either case,
* notification of a policy change is not needed, since auditd
* reads policy as it comes up. The error return from au_doormsg()
* is ignored to avoid a race condition -- for example if auditd
* segv's, the audit state may be "auditing" but the door may
* be closed. Returning an error if the door is open makes it
* impossible for Greenline to restart auditd.
*/
/*
* Wake up anyone who might have blocked on full audit
* partitions. audit daemons need to set AUDIT_FULL when no
* space so we can tell if we should start dropping records.
*/
return (0);
}
static int
{
kctx = GET_KCTX_PZ;
return (EFAULT);
return (0);
}
static int
{
return (EINVAL);
kctx = GET_KCTX_NGZ;
return (EFAULT);
return (0);
}
static int
{
model = get_udatamodel();
return (EOVERFLOW);
#ifdef _LP64
if (model == DATAMODEL_ILP32) {
/* convert internal 64 bit form to 32 bit version */
return (EOVERFLOW);
}
} else {
}
#else
#endif
return (EFAULT);
return (0);
}
/*
* the host address for AUDIT_PERZONE == 0 is that of the global
* zone and for local zones it is of the current zone.
*/
static int
{
return (EINVAL);
kctx = GET_KCTX_NGZ;
model = get_udatamodel();
return (EOVERFLOW);
return (EFAULT);
return (EINVAL);
/* Set audit mask, termid and session id as specified */
#ifdef _LP64
/* only convert to 64 bit if coming from a 32 bit binary */
if (model == DATAMODEL_ILP32)
else
#else
#endif
}
else
return (0);
}
static int
{
return (EFAULT);
return (0);
}
static int
{
return (EINVAL);
kctx = GET_KCTX_NGZ;
return (EFAULT);
/* enforce sane values */
return (EINVAL);
return (EINVAL);
return (EINVAL);
return (EINVAL);
return (EINVAL);
return (EINVAL);
return (EINVAL);
/* update everything at once so things are consistant */
return (0);
}
static int
{
struct p_audit_data *pad;
struct audit_path *app;
int pathlen;
return (E2BIG);
}
return (EFAULT);
}
return (0);
}
static int
{
struct p_audit_data *pad;
struct audit_path *app;
int pathlen;
return (E2BIG);
}
return (EFAULT);
}
return (0);
}
static int
{
return (EFAULT);
return (0);
}
static int
{
return (EINVAL);
return (EFAULT);
return (0);
}
static int
{
struct proc *p;
const auditinfo_addr_t *ainfo;
/* setumask not applicable in non-global zones without perzone policy */
return (EINVAL);
model = get_udatamodel();
return (EFAULT);
/* if in non-global zone only modify processes in same zone */
continue;
/* skip system processes and ones being created or going away */
mutex_exit(&p->p_lock);
continue;
}
mutex_enter(&p->p_crlock);
mutex_exit(&p->p_crlock);
mutex_exit(&p->p_lock);
continue;
}
int err;
/*
* Here's a process which matches the specified auid.
* If its mask doesn't already match the new mask,
* save the new mask in the pad, to be picked up
* next syscall.
*/
if (err != 0) {
/*
* No need to call set_proc_pre_sys(), since
* t_pre_sys is ALWAYS on when audit is
* enabled...due to syscall auditing.
*/
}
} else {
}
mutex_exit(&p->p_lock);
}
return (0);
}
static int
{
struct proc *p;
const auditinfo_addr_t *ainfo;
/* setsmask not applicable in non-global zones without perzone policy */
return (EINVAL);
model = get_udatamodel();
return (EFAULT);
/* if in non-global zone only modify processes in same zone */
continue;
/* skip system processes and ones being created or going away */
mutex_exit(&p->p_lock);
continue;
}
mutex_enter(&p->p_crlock);
mutex_exit(&p->p_crlock);
mutex_exit(&p->p_lock);
continue;
}
int err;
/*
* Here's a process which matches the specified asid.
* If its mask doesn't already match the new mask,
* save the new mask in the pad, to be picked up
* next syscall.
*/
if (err != 0) {
/*
* No need to call set_proc_pre_sys(), since
* t_pre_sys is ALWAYS on when audit is
* enabled...due to syscall auditing.
*/
}
} else {
}
mutex_exit(&p->p_lock);
}
return (0);
}
/*
* Get the current audit state of the system
*/
static int
{
if (au_auditstate == AUC_DISABLED)
return (EFAULT);
kctx = GET_KCTX_PZ;
return (EFAULT);
return (0);
}
/*
* Set the current audit state of the system to on (AUC_AUDITING) or
* off (AUC_NOAUDIT).
*/
/* ARGSUSED */
static int
{
int auditstate;
return (EINVAL);
kctx = GET_KCTX_NGZ;
return (EFAULT);
switch (auditstate) {
case AUC_AUDITING: /* Turn auditing on */
break;
case AUC_NOAUDIT: /* Turn auditing off */
break;
/* clear out the audit queue */
/* unblock au_output_thread */
break;
default:
return (EINVAL);
}
return (0);
}
static int
{
return (EFAULT);
return (EINVAL);
return (EFAULT);
return (0);
}
static int
{
return (EINVAL);
kctx = GET_KCTX_NGZ;
return (EFAULT);
return (EINVAL);
return (0);
}
static int
{
const auditinfo_addr_t *ainfo;
model = get_udatamodel();
return (EFAULT);
return (ESRCH); /* no such process */
}
return (EINVAL);
}
/* designated process has an ipv6 address? */
return (EOVERFLOW);
}
#ifdef _LP64
if (model == DATAMODEL_ILP32) {
/* convert internal 64 bit form to 32 bit version */
return (EOVERFLOW);
}
} else
#else
#endif
return (EFAULT);
return (0);
}
static int
{
const auditinfo_addr_t *ainfo;
model = get_udatamodel();
return (EOVERFLOW);
return (EFAULT);
return (ESRCH);
}
return (EINVAL);
}
#ifdef _LP64
if (model == DATAMODEL_ILP32) {
/* convert internal 64 bit form to 32 bit version */
return (EOVERFLOW);
}
} else
#else
#endif
return (EFAULT);
return (0);
}
static int
{
struct p_audit_data *pad;
model = get_udatamodel();
return (EFAULT);
return (ESRCH);
}
return (EINVAL);
}
/*
* Unlock. No need to broadcast changes via set_proc_pre_sys(),
* since t_pre_sys is ALWAYS on when audit is enabled... due to
* syscall auditing.
*/
/* Reset flag for any previous pending mask change; this supercedes */
return (0);
}
/*
* The out of control system call
* This is audit kitchen sink aka auditadm, aka auditon
*/
static int
int cmd,
int length)
{
int result;
if (!audit_active)
return (EINVAL);
switch (cmd) {
case A_GETCOND:
case A_GETCAR:
case A_GETCLASS:
case A_GETCWD:
case A_GETKAUDIT:
case A_GETKMASK:
case A_GETPINFO:
case A_GETPINFO_ADDR:
case A_GETPOLICY:
case A_GETQCTRL:
case A_GETSTAT:
if (secpolicy_audit_getattr(CRED()) != 0)
return (EPERM);
break;
default:
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
break;
}
switch (cmd) {
case A_GETPOLICY:
break;
case A_SETPOLICY:
break;
case A_GETKMASK:
break;
case A_SETKMASK:
break;
case A_GETKAUDIT:
break;
case A_SETKAUDIT:
break;
case A_GETQCTRL:
break;
case A_SETQCTRL:
break;
case A_GETCWD:
break;
case A_GETCAR:
break;
case A_GETSTAT:
break;
case A_SETSTAT:
break;
case A_SETUMASK:
break;
case A_SETSMASK:
break;
case A_GETCOND:
break;
case A_SETCOND:
break;
case A_GETCLASS:
break;
case A_SETCLASS:
break;
case A_GETPINFO:
break;
case A_GETPINFO_ADDR:
break;
case A_SETPMASK:
break;
default:
break;
}
return (result);
}
static int
{
int sysnum;
return (-1);
}
#ifdef _LP64
#else
#endif
#ifdef _SYSCALL32_IMPL
#endif
return (0);
}