2 * Copyright (c) 1999-2005 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/param.h>
34 #include <sys/filedesc.h>
36 #include <sys/mount.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/protosw.h>
41 #include <sys/domain.h>
43 #include <sys/systm.h>
45 #include <sys/vnode.h>
47 #include <netinet/in.h>
48 #include <netinet/in_pcb.h>
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
54 * Calls to manipulate elements of the audit record structure from system
55 * call code. Macro wrappers will prevent this functions from being entered
56 * if auditing is disabled, avoiding the function call cost. We check the
57 * thread audit record pointer anyway, as the audit condition could change,
58 * and pre-selection may not have allocated an audit record for this event.
60 * XXXAUDIT: Should we assert, in each case, that this field of the record
61 * hasn't already been filled in?
64 audit_arg_addr(void *addr)
66 struct kaudit_record *ar;
72 ar->k_ar.ar_arg_addr = addr;
73 ARG_SET_VALID(ar, ARG_ADDR);
77 audit_arg_exit(int status, int retval)
79 struct kaudit_record *ar;
85 ar->k_ar.ar_arg_exitstatus = status;
86 ar->k_ar.ar_arg_exitretval = retval;
87 ARG_SET_VALID(ar, ARG_EXIT);
91 audit_arg_len(int len)
93 struct kaudit_record *ar;
99 ar->k_ar.ar_arg_len = len;
100 ARG_SET_VALID(ar, ARG_LEN);
104 audit_arg_atfd1(int atfd)
106 struct kaudit_record *ar;
112 ar->k_ar.ar_arg_atfd1 = atfd;
113 ARG_SET_VALID(ar, ARG_ATFD1);
117 audit_arg_atfd2(int atfd)
119 struct kaudit_record *ar;
125 ar->k_ar.ar_arg_atfd2 = atfd;
126 ARG_SET_VALID(ar, ARG_ATFD2);
132 struct kaudit_record *ar;
138 ar->k_ar.ar_arg_fd = fd;
139 ARG_SET_VALID(ar, ARG_FD);
143 audit_arg_fflags(int fflags)
145 struct kaudit_record *ar;
151 ar->k_ar.ar_arg_fflags = fflags;
152 ARG_SET_VALID(ar, ARG_FFLAGS);
156 audit_arg_gid(gid_t gid)
158 struct kaudit_record *ar;
164 ar->k_ar.ar_arg_gid = gid;
165 ARG_SET_VALID(ar, ARG_GID);
169 audit_arg_uid(uid_t uid)
171 struct kaudit_record *ar;
177 ar->k_ar.ar_arg_uid = uid;
178 ARG_SET_VALID(ar, ARG_UID);
182 audit_arg_egid(gid_t egid)
184 struct kaudit_record *ar;
190 ar->k_ar.ar_arg_egid = egid;
191 ARG_SET_VALID(ar, ARG_EGID);
195 audit_arg_euid(uid_t euid)
197 struct kaudit_record *ar;
203 ar->k_ar.ar_arg_euid = euid;
204 ARG_SET_VALID(ar, ARG_EUID);
208 audit_arg_rgid(gid_t rgid)
210 struct kaudit_record *ar;
216 ar->k_ar.ar_arg_rgid = rgid;
217 ARG_SET_VALID(ar, ARG_RGID);
221 audit_arg_ruid(uid_t ruid)
223 struct kaudit_record *ar;
229 ar->k_ar.ar_arg_ruid = ruid;
230 ARG_SET_VALID(ar, ARG_RUID);
234 audit_arg_sgid(gid_t sgid)
236 struct kaudit_record *ar;
242 ar->k_ar.ar_arg_sgid = sgid;
243 ARG_SET_VALID(ar, ARG_SGID);
247 audit_arg_suid(uid_t suid)
249 struct kaudit_record *ar;
255 ar->k_ar.ar_arg_suid = suid;
256 ARG_SET_VALID(ar, ARG_SUID);
260 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
263 struct kaudit_record *ar;
265 KASSERT(gidset_size <= NGROUPS,
266 ("audit_arg_groupset: gidset_size > NGROUPS"));
272 if (ar->k_ar.ar_arg_groups.gidset == NULL)
273 ar->k_ar.ar_arg_groups.gidset = malloc(
274 sizeof(gid_t) * gidset_size, M_AUDITGIDSET, M_WAITOK);
276 for (i = 0; i < gidset_size; i++)
277 ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
278 ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
279 ARG_SET_VALID(ar, ARG_GROUPSET);
283 audit_arg_login(char *login)
285 struct kaudit_record *ar;
291 strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
292 ARG_SET_VALID(ar, ARG_LOGIN);
296 audit_arg_ctlname(int *name, int namelen)
298 struct kaudit_record *ar;
304 bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
305 ar->k_ar.ar_arg_len = namelen;
306 ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
310 audit_arg_mask(int mask)
312 struct kaudit_record *ar;
318 ar->k_ar.ar_arg_mask = mask;
319 ARG_SET_VALID(ar, ARG_MASK);
323 audit_arg_mode(mode_t mode)
325 struct kaudit_record *ar;
331 ar->k_ar.ar_arg_mode = mode;
332 ARG_SET_VALID(ar, ARG_MODE);
336 audit_arg_dev(int dev)
338 struct kaudit_record *ar;
344 ar->k_ar.ar_arg_dev = dev;
345 ARG_SET_VALID(ar, ARG_DEV);
349 audit_arg_value(long value)
351 struct kaudit_record *ar;
357 ar->k_ar.ar_arg_value = value;
358 ARG_SET_VALID(ar, ARG_VALUE);
362 audit_arg_owner(uid_t uid, gid_t gid)
364 struct kaudit_record *ar;
370 ar->k_ar.ar_arg_uid = uid;
371 ar->k_ar.ar_arg_gid = gid;
372 ARG_SET_VALID(ar, ARG_UID | ARG_GID);
376 audit_arg_pid(pid_t pid)
378 struct kaudit_record *ar;
384 ar->k_ar.ar_arg_pid = pid;
385 ARG_SET_VALID(ar, ARG_PID);
389 audit_arg_process(struct proc *p)
391 struct kaudit_record *ar;
394 KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
396 PROC_LOCK_ASSERT(p, MA_OWNED);
403 ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
404 ar->k_ar.ar_arg_euid = cred->cr_uid;
405 ar->k_ar.ar_arg_egid = cred->cr_groups[0];
406 ar->k_ar.ar_arg_ruid = cred->cr_ruid;
407 ar->k_ar.ar_arg_rgid = cred->cr_rgid;
408 ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
409 ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
410 ar->k_ar.ar_arg_pid = p->p_pid;
411 ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
412 ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
416 audit_arg_signum(u_int signum)
418 struct kaudit_record *ar;
424 ar->k_ar.ar_arg_signum = signum;
425 ARG_SET_VALID(ar, ARG_SIGNUM);
429 audit_arg_socket(int sodomain, int sotype, int soprotocol)
431 struct kaudit_record *ar;
437 ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
438 ar->k_ar.ar_arg_sockinfo.so_type = sotype;
439 ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
440 ARG_SET_VALID(ar, ARG_SOCKINFO);
444 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
446 struct kaudit_record *ar;
448 KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
449 KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
455 bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
456 switch (sa->sa_family) {
458 ARG_SET_VALID(ar, ARG_SADDRINET);
462 ARG_SET_VALID(ar, ARG_SADDRINET6);
466 audit_arg_upath1(td, ((struct sockaddr_un *)sa)->sun_path);
467 ARG_SET_VALID(ar, ARG_SADDRUNIX);
469 /* XXXAUDIT: default:? */
474 audit_arg_auid(uid_t auid)
476 struct kaudit_record *ar;
482 ar->k_ar.ar_arg_auid = auid;
483 ARG_SET_VALID(ar, ARG_AUID);
487 audit_arg_auditinfo(struct auditinfo *au_info)
489 struct kaudit_record *ar;
495 ar->k_ar.ar_arg_auid = au_info->ai_auid;
496 ar->k_ar.ar_arg_asid = au_info->ai_asid;
497 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
498 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
499 ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
500 ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
501 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
505 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
507 struct kaudit_record *ar;
513 ar->k_ar.ar_arg_auid = au_info->ai_auid;
514 ar->k_ar.ar_arg_asid = au_info->ai_asid;
515 ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
516 ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
517 ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
518 ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
519 ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
520 ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
521 ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
522 ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
523 ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
527 audit_arg_text(char *text)
529 struct kaudit_record *ar;
531 KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
537 /* Invalidate the text string */
538 ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
540 if (ar->k_ar.ar_arg_text == NULL)
541 ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
544 strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
545 ARG_SET_VALID(ar, ARG_TEXT);
549 audit_arg_cmd(int cmd)
551 struct kaudit_record *ar;
557 ar->k_ar.ar_arg_cmd = cmd;
558 ARG_SET_VALID(ar, ARG_CMD);
562 audit_arg_svipc_cmd(int cmd)
564 struct kaudit_record *ar;
570 ar->k_ar.ar_arg_svipc_cmd = cmd;
571 ARG_SET_VALID(ar, ARG_SVIPC_CMD);
575 audit_arg_svipc_perm(struct ipc_perm *perm)
577 struct kaudit_record *ar;
583 bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
584 sizeof(ar->k_ar.ar_arg_svipc_perm));
585 ARG_SET_VALID(ar, ARG_SVIPC_PERM);
589 audit_arg_svipc_id(int id)
591 struct kaudit_record *ar;
597 ar->k_ar.ar_arg_svipc_id = id;
598 ARG_SET_VALID(ar, ARG_SVIPC_ID);
602 audit_arg_svipc_addr(void * addr)
604 struct kaudit_record *ar;
610 ar->k_ar.ar_arg_svipc_addr = addr;
611 ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
615 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
617 struct kaudit_record *ar;
623 ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
624 ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
625 ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
626 ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
630 audit_arg_auditon(union auditon_udata *udata)
632 struct kaudit_record *ar;
638 bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
639 sizeof(ar->k_ar.ar_arg_auditon));
640 ARG_SET_VALID(ar, ARG_AUDITON);
644 * Audit information about a file, either the file's vnode info, or its
645 * socket address info.
648 audit_arg_file(struct proc *p, struct file *fp)
650 struct kaudit_record *ar;
660 switch (fp->f_type) {
664 * XXXAUDIT: Only possibly to record as first vnode?
667 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
668 vn_lock(vp, LK_SHARED | LK_RETRY);
669 audit_arg_vnode1(vp);
671 VFS_UNLOCK_GIANT(vfslocked);
675 so = (struct socket *)fp->f_data;
676 if (INP_CHECK_SOCKAF(so, PF_INET)) {
678 ar->k_ar.ar_arg_sockinfo.so_type =
680 ar->k_ar.ar_arg_sockinfo.so_domain =
682 ar->k_ar.ar_arg_sockinfo.so_protocol =
683 so->so_proto->pr_protocol;
685 pcb = (struct inpcb *)so->so_pcb;
687 ar->k_ar.ar_arg_sockinfo.so_raddr =
688 pcb->inp_faddr.s_addr;
689 ar->k_ar.ar_arg_sockinfo.so_laddr =
690 pcb->inp_laddr.s_addr;
691 ar->k_ar.ar_arg_sockinfo.so_rport =
693 ar->k_ar.ar_arg_sockinfo.so_lport =
696 ARG_SET_VALID(ar, ARG_SOCKINFO);
701 /* XXXAUDIT: else? */
707 * Store a path as given by the user process for auditing into the audit
708 * record stored on the user thread. This function will allocate the memory
709 * to store the path info if not already available. This memory will be
710 * freed when the audit record is freed.
713 audit_arg_upath(struct thread *td, char *upath, char **pathp)
717 *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
718 audit_canon_path(td, upath, *pathp);
722 audit_arg_upath1(struct thread *td, char *upath)
724 struct kaudit_record *ar;
730 audit_arg_upath(td, upath, &ar->k_ar.ar_arg_upath1);
731 ARG_SET_VALID(ar, ARG_UPATH1);
735 audit_arg_upath2(struct thread *td, char *upath)
737 struct kaudit_record *ar;
743 audit_arg_upath(td, upath, &ar->k_ar.ar_arg_upath2);
744 ARG_SET_VALID(ar, ARG_UPATH2);
748 * Function to save the path and vnode attr information into the audit
751 * It is assumed that the caller will hold any vnode locks necessary to
752 * perform a VOP_GETATTR() on the passed vnode.
754 * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but always
755 * provides access to the generation number as we need that to construct the
758 * XXX: We should accept the process argument from the caller, since it's
759 * very likely they already have a reference.
761 * XXX: Error handling in this function is poor.
763 * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
766 audit_arg_vnode(struct vnode *vp, struct vnode_au_info *vnp)
772 * Assume that if the caller is calling audit_arg_vnode() on a
773 * non-MPSAFE vnode, then it will have acquired Giant.
775 VFS_ASSERT_GIANT(vp->v_mount);
776 ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
778 error = VOP_GETATTR(vp, &vattr, curthread->td_ucred);
780 /* XXX: How to handle this case? */
784 vnp->vn_mode = vattr.va_mode;
785 vnp->vn_uid = vattr.va_uid;
786 vnp->vn_gid = vattr.va_gid;
787 vnp->vn_dev = vattr.va_rdev;
788 vnp->vn_fsid = vattr.va_fsid;
789 vnp->vn_fileid = vattr.va_fileid;
790 vnp->vn_gen = vattr.va_gen;
795 audit_arg_vnode1(struct vnode *vp)
797 struct kaudit_record *ar;
804 ARG_CLEAR_VALID(ar, ARG_VNODE1);
805 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode1);
807 ARG_SET_VALID(ar, ARG_VNODE1);
811 audit_arg_vnode2(struct vnode *vp)
813 struct kaudit_record *ar;
820 ARG_CLEAR_VALID(ar, ARG_VNODE2);
821 error = audit_arg_vnode(vp, &ar->k_ar.ar_arg_vnode2);
823 ARG_SET_VALID(ar, ARG_VNODE2);
827 * Audit the argument strings passed to exec.
830 audit_arg_argv(char *argv, int argc, int length)
832 struct kaudit_record *ar;
841 ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
842 bcopy(argv, ar->k_ar.ar_arg_argv, length);
843 ar->k_ar.ar_arg_argc = argc;
844 ARG_SET_VALID(ar, ARG_ARGV);
848 * Audit the environment strings passed to exec.
851 audit_arg_envv(char *envv, int envc, int length)
853 struct kaudit_record *ar;
862 ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
863 bcopy(envv, ar->k_ar.ar_arg_envv, length);
864 ar->k_ar.ar_arg_envc = envc;
865 ARG_SET_VALID(ar, ARG_ENVV);
869 * The close() system call uses it's own audit call to capture the path/vnode
870 * information because those pieces are not easily obtained within the system
874 audit_sysclose(struct thread *td, int fd)
876 struct kaudit_record *ar;
881 KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
889 if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
893 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
894 vn_lock(vp, LK_SHARED | LK_RETRY);
895 audit_arg_vnode1(vp);
897 VFS_UNLOCK_GIANT(vfslocked);