audit_core.c revision 005d3feb53a9a10272d4a24b03991575d6a9bcb3
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <sys/pathname.h>
#include <sys/cred_impl.h>
#include <c2/audit_kernel.h>
#include <c2/audit_kevents.h>
#include <c2/audit_record.h>
struct p_audit_data *pad0;
struct t_audit_data *tad0;
void
{
struct audit_path apempty;
/*
* it cannot be loaded later (e.g. using modload). Make a notice
* that the module won't be present and do nothing.
*/
return;
}
/* c2audit module can be loaded anytime */
/* initialize the process audit data (pad) memory allocator */
au_pad_init();
/* initialize the zone audit context */
/* inital thread structure */
/* initial process structure */
/*
* The kernel allocates a bunch of threads make sure they have
* a valid tad
*/
do {
}
/*
* Initialize audit context in our cred (kcred).
* No copy-on-write needed here because it's so early in init.
*/
/* fabricate an empty audit_path to extend */
}
/*
* Check for any pending changes to the audit context for the given proc.
* p_crlock and pad_lock for the process are acquired here. Caller is
* responsible for assuring the process doesn't go away. If context is
* updated, the specified cralloc'ed cred will be used, otherwise it's freed.
* If no cred is given, it will be cralloc'ed here and caller assures that
* it is safe to allocate memory.
*/
void
{
struct p_audit_data *pad;
return;
}
/* If a mask update is pending, take care of it. */
/* the condition may have been handled by the time we lock */
return;
}
mutex_enter(&p->p_crlock);
/* Unlock and cleanup. */
mutex_exit(&p->p_crlock);
/*
* For curproc, assure that our thread points to right
* cred, so CRED() will be correct. Otherwise, no need
* to broadcast changes (via set_proc_pre_sys), since
* t_pre_sys is ALWAYS on when audit is enabled... due
* to syscall auditing.
*/
if (p == curproc)
else
} else {
}
} else {
}
}
/*
* ROUTINE: AUDIT_NEWPROC
* PURPOSE: initialize the child p_audit_data structure
* CALLBY: GETPROC
* NOTE: All threads for the parent process are locked at this point.
* We are essentially running singled threaded for this reason.
* GETPROC is called when system creates a new process.
* By the time AUDIT_NEWPROC is called, the child proc
* structure has already been initialized. What we need
* to do is to allocate the child p_audit_data and
* initialize it with the content of current parent process.
*/
void
{
/*
* copy the audit data. Note that all threads of current
* process have been "held". Thus there is no race condition
* here with mutiple threads trying to alter the cwrd
* structure (such as releasing it).
*
* The audit context in the cred is "duplicated" for the new
* proc by elsewhere crhold'ing the parent's cred which it shares.
*
* We still want to hold things since auditon() [A_SETUMASK,
* A_SETSMASK] could be walking through the processes to
* update things.
*/
/*
* If we are in the limited mode, there is nothing to audit and
* there could not have been anything to audit, since it is not
* possible to switch from the full mode into the limited mode
* once the full mode is set.
*/
if (audit_active != C2AUDIT_LOADED)
return;
/*
* finish auditing of parent here so that it will be done
* before child has a chance to run. We include the child
* pid since the return value in the return token is a dummy
* one and contains no useful information (it is included to
* make the audit record structure consistant).
*
* tad_flag is set if auditing is on
*/
/*
* finish up audit record generation here because child process
* is set to run before parent process. We distinguish here
* between FORK, FORK1, or VFORK by the saved system call ID.
*/
}
/*
* ROUTINE: AUDIT_PFREE
* PURPOSE: deallocate the per-process udit data structure
* CALLBY: EXIT
* FORK_FAIL
* NOTE: all lwp except current one have stopped in SEXITLWPS
* why we are single threaded?
* . all lwp except current one have stopped in SEXITLWPS.
*/
void
{ /* AUDIT_PFREE */
/* better be a per process audit data structure */
return;
}
/* deallocate all auditing resources for this process */
/*
* Since the pad structure is completely overwritten after alloc,
* we don't bother to clear it.
*/
}
/*
* ROUTINE: AUDIT_THREAD_CREATE
* PURPOSE: allocate per-process thread audit data structure
* CALLBY: THREAD_CREATE
* NOTE: This is called just after *t was bzero'd.
* We are single threaded in this routine.
* TODO:
* QUESTION:
*/
void
{
}
/*
* ROUTINE: AUDIT_THREAD_FREE
* PURPOSE: free the per-thread audit data structure
* CALLBY: THREAD_FREE
* NOTE: most thread data is clear after return
*/
void
{
/* thread audit data must still be set */
return;
}
return;
}
t->t_audit_data = 0;
/* must not have any audit record residual */
/* saved path must be empty */
if (tad->tad_atpath)
if (audit_active == C2AUDIT_LOADED) {
}
}
}
/*
* ROUTINE: AUDIT_FALLOC
* PURPOSE: allocating a new file structure
* CALLBY: FALLOC
* NOTE: file structure already initialized
* TODO:
* QUESTION:
*/
void
{ /* AUDIT_FALLOC */
/* allocate per file audit structure if there a'int any */
}
/*
* ROUTINE: AUDIT_UNFALLOC
* PURPOSE: deallocate file audit data structure
* CALLBY: CLOSEF
* UNFALLOC
* NOTE:
* TODO:
* QUESTION:
*/
void
{
if (!fad) {
return;
}
}
fp->f_audit_data = 0;
}
{
return (audit_active == C2AUDIT_LOADED &&
}