audit.c revision 175763 
11590Srgrimes/*
21590Srgrimes * Copyright (c) 1999-2005 Apple Computer, Inc.
31590Srgrimes * Copyright (c) 2006-2007 Robert N. M. Watson
41590Srgrimes * All rights reserved.
51590Srgrimes *
61590Srgrimes * Redistribution and use in source and binary forms, with or without
71590Srgrimes * modification, are permitted provided that the following conditions
81590Srgrimes * are met:
91590Srgrimes * 1.  Redistributions of source code must retain the above copyright
101590Srgrimes *     notice, this list of conditions and the following disclaimer.
111590Srgrimes * 2.  Redistributions in binary form must reproduce the above copyright
121590Srgrimes *     notice, this list of conditions and the following disclaimer in the
131590Srgrimes *     documentation and/or other materials provided with the distribution.
141590Srgrimes * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
151590Srgrimes *     its contributors may be used to endorse or promote products derived
161590Srgrimes *     from this software without specific prior written permission.
171590Srgrimes *
181590Srgrimes * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
191590Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
201590Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
211590Srgrimes * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
221590Srgrimes * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
231590Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
241590Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
251590Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
261590Srgrimes * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
271590Srgrimes * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
281590Srgrimes * POSSIBILITY OF SUCH DAMAGE.
291590Srgrimes *
301590Srgrimes * $FreeBSD: head/sys/security/audit/audit.c 175763 2008-01-28 17:33:46Z csjp $
311590Srgrimes */
3260833Sjake
3360833Sjake#include <sys/param.h>
341590Srgrimes#include <sys/condvar.h>
351590Srgrimes#include <sys/conf.h>
361590Srgrimes#include <sys/file.h>
371590Srgrimes#include <sys/filedesc.h>
381590Srgrimes#include <sys/fcntl.h>
391590Srgrimes#include <sys/ipc.h>
401590Srgrimes#include <sys/kernel.h>
411590Srgrimes#include <sys/kthread.h>
421590Srgrimes#include <sys/malloc.h>
431590Srgrimes#include <sys/mount.h>
441590Srgrimes#include <sys/namei.h>
451590Srgrimes#include <sys/priv.h>
461590Srgrimes#include <sys/proc.h>
471590Srgrimes#include <sys/queue.h>
481590Srgrimes#include <sys/socket.h>
491590Srgrimes#include <sys/socketvar.h>
501590Srgrimes#include <sys/protosw.h>
5174588Sache#include <sys/domain.h>
5216438Sache#include <sys/sysctl.h>
531590Srgrimes#include <sys/sysproto.h>
541590Srgrimes#include <sys/sysent.h>
551590Srgrimes#include <sys/systm.h>
561590Srgrimes#include <sys/ucred.h>
571590Srgrimes#include <sys/uio.h>
581590Srgrimes#include <sys/un.h>
591590Srgrimes#include <sys/unistd.h>
601590Srgrimes#include <sys/vnode.h>
6111547Sdg
621590Srgrimes#include <bsm/audit.h>
631590Srgrimes#include <bsm/audit_internal.h>
641590Srgrimes#include <bsm/audit_kevents.h>
651590Srgrimes
661590Srgrimes#include <netinet/in.h>
671590Srgrimes#include <netinet/in_pcb.h>
681590Srgrimes
691590Srgrimes#include <security/audit/audit.h>
701590Srgrimes#include <security/audit/audit_private.h>
711590Srgrimes
721590Srgrimes#include <vm/uma.h>
731590Srgrimes
741590Srgrimesstatic uma_zone_t	audit_record_zone;
751590Srgrimesstatic MALLOC_DEFINE(M_AUDITCRED, "audit_cred", "Audit cred storage");
761590SrgrimesMALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
771590SrgrimesMALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
7860938SjakeMALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
7911547Sdg
8011547SdgSYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
8136062Sjb    "TrustedBSD audit controls");
821590Srgrimes
8360938Sjake/*
8411547Sdg * Audit control settings that are set/read by system calls and are hence
851590Srgrimes * non-static.
861590Srgrimes *
871590Srgrimes * Define the audit control flags.
881590Srgrimes */
8936434Sdannyint			audit_enabled;
9036434Sdannyint			audit_suspended;
9174588Sache
921590Srgrimes/*
931590Srgrimes * Flags controlling behavior in low storage situations.  Should we panic if
941590Srgrimes * a write fails?  Should we fail stop if we're out of disk space?
951590Srgrimes */
961590Srgrimesint			audit_panic_on_write_fail;
9711547Sdgint			audit_fail_stop;
981590Srgrimesint			audit_argv;
991590Srgrimesint			audit_arge;
10036434Sdanny
10136434Sdanny/*
10236434Sdanny * Are we currently "failing stop" due to out of disk space?
10336434Sdanny */
10436434Sdannyint			audit_in_failure;
10536434Sdanny
10636434Sdanny/*
10736434Sdanny * Global audit statistics.
1081590Srgrimes */
1091590Srgrimesstruct audit_fstat	audit_fstat;
1101590Srgrimes
1111590Srgrimes/*
1121590Srgrimes * Preselection mask for non-attributable events.
1131590Srgrimes */
1141590Srgrimesstruct au_mask		audit_nae_mask;
1151590Srgrimes
11616438Sache/*
11774588Sache * Mutex to protect global variables shared between various threads and
11816438Sache * processes.
1191590Srgrimes */
12036434Sdannystruct mtx		audit_mtx;
1211590Srgrimes
1221590Srgrimes/*
1231590Srgrimes * Queue of audit records ready for delivery to disk.  We insert new records
1241590Srgrimes * at the tail, and remove records from the head.  Also, a count of the
1251590Srgrimes * number of records used for checking queue depth.  In addition, a counter
1261590Srgrimes * of records that we have allocated but are not yet in the queue, which is
1271590Srgrimes * needed to estimate the total size of the combined set of records
1281590Srgrimes * outstanding in the system.
1291590Srgrimes */
1301590Srgrimesstruct kaudit_queue	audit_q;
1311590Srgrimesint			audit_q_len;
1321590Srgrimesint			audit_pre_q_len;
1331590Srgrimes
1341590Srgrimes/*
1351590Srgrimes * Audit queue control settings (minimum free, low/high water marks, etc.)
1361590Srgrimes */
1371590Srgrimesstruct au_qctrl		audit_qctrl;
1381590Srgrimes
1391590Srgrimes/*
1401590Srgrimes * Condition variable to signal to the worker that it has work to do: either
1411590Srgrimes * new records are in the queue, or a log replacement is taking place.
1421590Srgrimes */
1431590Srgrimesstruct cv		audit_worker_cv;
1441590Srgrimes
14536434Sdanny/*
14636434Sdanny * Condition variable to flag when crossing the low watermark, meaning that
14736434Sdanny * threads blocked due to hitting the high watermark can wake up and continue
1481590Srgrimes * to commit records.
1491590Srgrimes */
1501590Srgrimesstruct cv		audit_watermark_cv;
15136434Sdanny
15236434Sdanny/*
15336434Sdanny * Condition variable for  auditing threads wait on when in fail-stop mode.
1541590Srgrimes * Threads wait on this CV forever (and ever), never seeing the light of day
1551590Srgrimes * again.
15636434Sdanny */
1571590Srgrimesstatic struct cv	audit_fail_cv;
1581590Srgrimes
15936434Sdanny/*
16036434Sdanny * Construct an audit record for the passed thread.
1611590Srgrimes */
1621590Srgrimesstatic int
1631590Srgrimesaudit_record_ctor(void *mem, int size, void *arg, int flags)
1641590Srgrimes{
1651590Srgrimes	struct kaudit_record *ar;
1661590Srgrimes	struct thread *td;
1671590Srgrimes
1681590Srgrimes	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
1691590Srgrimes
1701590Srgrimes	td = arg;
1711590Srgrimes	ar = mem;
1721590Srgrimes	bzero(ar, sizeof(*ar));
1731590Srgrimes	ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC;
1741590Srgrimes	nanotime(&ar->k_ar.ar_starttime);
1751590Srgrimes
1761590Srgrimes	/*
1771590Srgrimes	 * Export the subject credential.
1781590Srgrimes	 */
1791590Srgrimes	cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred);
1801590Srgrimes	ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid;
1811590Srgrimes	ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid;
1821590Srgrimes	ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0];
1831590Srgrimes	ar->k_ar.ar_subj_auid = td->td_ucred->cr_audit.ai_auid;
18419223Sjoerg	ar->k_ar.ar_subj_asid = td->td_ucred->cr_audit.ai_asid;
1851590Srgrimes	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
18636062Sjb	ar->k_ar.ar_subj_amask = td->td_ucred->cr_audit.ai_mask;
18736062Sjb	ar->k_ar.ar_subj_term_addr = td->td_ucred->cr_audit.ai_termid;
1881590Srgrimes	return (0);
18916438Sache}
19016438Sache
19116438Sachestatic void
1921590Srgrimesaudit_record_dtor(void *mem, int size, void *arg)
19311547Sdg{
19411547Sdg	struct kaudit_record *ar;
1951590Srgrimes
1961590Srgrimes	KASSERT(sizeof(*ar) == size, ("audit_record_dtor: wrong size"));
1971590Srgrimes
1981590Srgrimes	ar = mem;
1991590Srgrimes	if (ar->k_ar.ar_arg_upath1 != NULL)
2001590Srgrimes		free(ar->k_ar.ar_arg_upath1, M_AUDITPATH);
2011590Srgrimes	if (ar->k_ar.ar_arg_upath2 != NULL)
2021590Srgrimes		free(ar->k_ar.ar_arg_upath2, M_AUDITPATH);
2031590Srgrimes	if (ar->k_ar.ar_arg_text != NULL)
2041590Srgrimes		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
2051590Srgrimes	if (ar->k_udata != NULL)
2061590Srgrimes		free(ar->k_udata, M_AUDITDATA);
2071590Srgrimes	if (ar->k_ar.ar_arg_argv != NULL)
2081590Srgrimes		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
2091590Srgrimes	if (ar->k_ar.ar_arg_envv != NULL)
2101590Srgrimes		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
2111590Srgrimes}
2121590Srgrimes
2131590Srgrimes/*
21470467Sphk * Initialize the Audit subsystem: configuration state, work queue,
21511547Sdg * synchronization primitives, worker thread, and trigger device node.  Also
21619223Sjoerg * call into the BSM assembly code to initialize it.
21770467Sphk */
21819223Sjoergstatic void
21911547Sdgaudit_init(void)
2201590Srgrimes{
2211590Srgrimes
2221590Srgrimes	audit_enabled = 0;
22311547Sdg	audit_suspended = 0;
22416438Sache	audit_panic_on_write_fail = 0;
22574588Sache	audit_fail_stop = 0;
22674588Sache	audit_in_failure = 0;
22774588Sache	audit_argv = 0;
22874588Sache	audit_arge = 0;
22974588Sache
2301590Srgrimes	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded. */
2311590Srgrimes	audit_fstat.af_currsz = 0;
2321590Srgrimes	audit_nae_mask.am_success = 0;
2331590Srgrimes	audit_nae_mask.am_failure = 0;
23474588Sache
2351590Srgrimes	TAILQ_INIT(&audit_q);
2361590Srgrimes	audit_q_len = 0;
2371590Srgrimes	audit_pre_q_len = 0;
2381590Srgrimes	audit_qctrl.aq_hiwater = AQ_HIWATER;
2391590Srgrimes	audit_qctrl.aq_lowater = AQ_LOWATER;
2401590Srgrimes	audit_qctrl.aq_bufsz = AQ_BUFSZ;
2411590Srgrimes	audit_qctrl.aq_minfree = AU_FS_MINFREE;
2421590Srgrimes
2431590Srgrimes	mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF);
2441590Srgrimes	cv_init(&audit_worker_cv, "audit_worker_cv");
2451590Srgrimes	cv_init(&audit_watermark_cv, "audit_watermark_cv");
24611547Sdg	cv_init(&audit_fail_cv, "audit_fail_cv");
24716438Sache
24874588Sache	audit_record_zone = uma_zcreate("audit_record",
24974588Sache	    sizeof(struct kaudit_record), audit_record_ctor,
25074588Sache	    audit_record_dtor, NULL, NULL, UMA_ALIGN_PTR, 0);
25174588Sache
25274588Sache	/* Initialize the BSM audit subsystem. */
25311547Sdg	kau_init();
25411547Sdg
25511547Sdg	audit_trigger_init();
25674588Sache
2571590Srgrimes	/* Register shutdown handler. */
2581590Srgrimes	EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL,
2591590Srgrimes	    SHUTDOWN_PRI_FIRST);
2601590Srgrimes
2611590Srgrimes	/* Start audit worker thread. */
26211547Sdg	audit_worker_init();
26311547Sdg}
26470467Sphk
26511547SdgSYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL)
26611547Sdg
26770467Sphk/*
26870467Sphk * Drain the audit queue and close the log at shutdown.  Note that this can
26970467Sphk * be called both from the system shutdown path and also from audit
27070467Sphk * configuration syscalls, so 'arg' and 'howto' are ignored.
27170467Sphk */
27270467Sphkvoid
27370467Sphkaudit_shutdown(void *arg, int howto)
27470467Sphk{
27570467Sphk
2761590Srgrimes	audit_rotate_vnode(NULL, NULL);
27770467Sphk}
27811547Sdg
27911547Sdg/*
28011547Sdg * Return the current thread's audit record, if any.
28111547Sdg */
28211547Sdgstruct kaudit_record *
28311547Sdgcurrecord(void)
28411547Sdg{
28511547Sdg
28611547Sdg	return (curthread->td_ar);
28711547Sdg}
28816438Sache
28974588Sache/*
29074588Sache * XXXAUDIT: There are a number of races present in the code below due to
29174588Sache * release and re-grab of the mutex.  The code should be revised to become
29274588Sache * slightly less racy.
29374588Sache *
29411547Sdg * XXXAUDIT: Shouldn't there be logic here to sleep waiting on available
29511547Sdg * pre_q space, suspending the system call until there is room?
29611547Sdg */
29774588Sachestruct kaudit_record *
29811547Sdgaudit_new(int event, struct thread *td)
29911547Sdg{
30011547Sdg	struct kaudit_record *ar;
30111547Sdg	int no_record;
30211547Sdg
30311547Sdg	mtx_lock(&audit_mtx);
30411547Sdg	no_record = (audit_suspended || !audit_enabled);
30516438Sache	mtx_unlock(&audit_mtx);
30616438Sache	if (no_record)
30774588Sache		return (NULL);
30874588Sache
30916438Sache	/*
31011547Sdg	 * Note: the number of outstanding uncommitted audit records is
31136434Sdanny	 * limited to the number of concurrent threads servicing system calls
31236434Sdanny	 * in the kernel.
31336434Sdanny	 */
31436434Sdanny	ar = uma_zalloc_arg(audit_record_zone, td, M_WAITOK);
31536434Sdanny	ar->k_ar.ar_event = event;
31674588Sache
31774588Sache	mtx_lock(&audit_mtx);
31874588Sache	audit_pre_q_len++;
31936434Sdanny	mtx_unlock(&audit_mtx);
32074588Sache
32136434Sdanny	return (ar);
32274588Sache}
32374588Sache
32436434Sdannyvoid
3251590Srgrimesaudit_free(struct kaudit_record *ar)
32611547Sdg{
32711547Sdg
32811547Sdg	uma_zfree(audit_record_zone, ar);
32911547Sdg}
33011547Sdg
33111547Sdgvoid
3321590Srgrimesaudit_commit(struct kaudit_record *ar, int error, int retval)
3331590Srgrimes{
3341590Srgrimes	au_event_t event;
3351590Srgrimes	au_class_t class;
33616438Sache	au_id_t auid;
33735658Ssteve	int sorf;
33862871Skris	struct au_mask *aumask;
3391590Srgrimes
3401590Srgrimes	if (ar == NULL)
3411590Srgrimes		return;
3421590Srgrimes
3431590Srgrimes	/*
3441590Srgrimes	 * Decide whether to commit the audit record by checking the error
3451590Srgrimes	 * value from the system call and using the appropriate audit mask.
34611547Sdg	 */
3471590Srgrimes	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
3481590Srgrimes		aumask = &audit_nae_mask;
3491590Srgrimes	else
3501590Srgrimes		aumask = &ar->k_ar.ar_subj_amask;
3511590Srgrimes
3521590Srgrimes	if (error)
3531590Srgrimes		sorf = AU_PRS_FAILURE;
3541590Srgrimes	else
3551590Srgrimes		sorf = AU_PRS_SUCCESS;
3561590Srgrimes
3571590Srgrimes	switch(ar->k_ar.ar_event) {
3581590Srgrimes	case AUE_OPEN_RWTC:
3591590Srgrimes		/*
3601590Srgrimes		 * The open syscall always writes a AUE_OPEN_RWTC event;
3611590Srgrimes		 * change it to the proper type of event based on the flags
3621590Srgrimes		 * and the error value.
3631590Srgrimes		 */
3641590Srgrimes		ar->k_ar.ar_event = flags_and_error_to_openevent(
3651590Srgrimes		    ar->k_ar.ar_arg_fflags, error);
3661590Srgrimes		break;
3671590Srgrimes
3681590Srgrimes	case AUE_SYSCTL:
3691590Srgrimes		ar->k_ar.ar_event = ctlname_to_sysctlevent(
3701590Srgrimes		    ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
3711590Srgrimes		break;
3721590Srgrimes
3731590Srgrimes	case AUE_AUDITON:
3741590Srgrimes		/* Convert the auditon() command to an event. */
3751590Srgrimes		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
3761590Srgrimes		break;
3771590Srgrimes	}
3781590Srgrimes
3791590Srgrimes	auid = ar->k_ar.ar_subj_auid;
3801590Srgrimes	event = ar->k_ar.ar_event;
3811590Srgrimes	class = au_event_class(event);
3821590Srgrimes
3831590Srgrimes	ar->k_ar_commit |= AR_COMMIT_KERNEL;
3841590Srgrimes	if (au_preselect(event, class, aumask, sorf) != 0)
3851590Srgrimes		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
3861590Srgrimes	if (audit_pipe_preselect(auid, event, class, sorf,
3871590Srgrimes	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
3881590Srgrimes		ar->k_ar_commit |= AR_PRESELECT_PIPE;
3891590Srgrimes	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
3901590Srgrimes	    AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE)) == 0) {
3911590Srgrimes		mtx_lock(&audit_mtx);
3921590Srgrimes		audit_pre_q_len--;
3931590Srgrimes		mtx_unlock(&audit_mtx);
3941590Srgrimes		audit_free(ar);
3951590Srgrimes		return;
3961590Srgrimes	}
3971590Srgrimes
3981590Srgrimes	ar->k_ar.ar_errno = error;
3991590Srgrimes	ar->k_ar.ar_retval = retval;
4001590Srgrimes	nanotime(&ar->k_ar.ar_endtime);
4011590Srgrimes
4021590Srgrimes	/*
4031590Srgrimes	 * Note: it could be that some records initiated while audit was
4041590Srgrimes	 * enabled should still be committed?
4051590Srgrimes	 */
4061590Srgrimes	mtx_lock(&audit_mtx);
4071590Srgrimes	if (audit_suspended || !audit_enabled) {
4081590Srgrimes		audit_pre_q_len--;
4091590Srgrimes		mtx_unlock(&audit_mtx);
4101590Srgrimes		audit_free(ar);
4111590Srgrimes		return;
4121590Srgrimes	}
4131590Srgrimes
4141590Srgrimes	/*
4151590Srgrimes	 * Constrain the number of committed audit records based on the
4161590Srgrimes	 * configurable parameter.
4171590Srgrimes	 */
4181590Srgrimes	while (audit_q_len >= audit_qctrl.aq_hiwater)
4191590Srgrimes		cv_wait(&audit_watermark_cv, &audit_mtx);
4201590Srgrimes
4211590Srgrimes	TAILQ_INSERT_TAIL(&audit_q, ar, k_q);
4221590Srgrimes	audit_q_len++;
4231590Srgrimes	audit_pre_q_len--;
4241590Srgrimes	cv_signal(&audit_worker_cv);
4251590Srgrimes	mtx_unlock(&audit_mtx);
4261590Srgrimes}
4271590Srgrimes
4281590Srgrimes/*
4291590Srgrimes * audit_syscall_enter() is called on entry to each system call.  It is
4301590Srgrimes * responsible for deciding whether or not to audit the call (preselection),
4311590Srgrimes * and if so, allocating a per-thread audit record.  audit_new() will fill in
4321590Srgrimes * basic thread/credential properties.
4331590Srgrimes */
4341590Srgrimesvoid
4351590Srgrimesaudit_syscall_enter(unsigned short code, struct thread *td)
4361590Srgrimes{
4371590Srgrimes	struct au_mask *aumask;
4381590Srgrimes	au_class_t class;
4391590Srgrimes	au_event_t event;
4401590Srgrimes	au_id_t auid;
4411590Srgrimes
4421590Srgrimes	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
4431590Srgrimes
4441590Srgrimes	/*
4451590Srgrimes	 * In FreeBSD, each ABI has its own system call table, and hence
4461590Srgrimes	 * mapping of system call codes to audit events.  Convert the code to
4471590Srgrimes	 * an audit event identifier using the process system call table
4481590Srgrimes	 * reference.  In Darwin, there's only one, so we use the global
4491590Srgrimes	 * symbol for the system call table.  No audit record is generated
4501590Srgrimes	 * for bad system calls, as no operation has been performed.
4511590Srgrimes	 */
4521590Srgrimes	if (code >= td->td_proc->p_sysent->sv_size)
4531590Srgrimes		return;
4541590Srgrimes
4551590Srgrimes	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
45616438Sache	if (event == AUE_NULL)
45716438Sache		return;
4581590Srgrimes
45916438Sache	/*
46074588Sache	 * Check which audit mask to use; either the kernel non-attributable
46174588Sache	 * event mask or the process audit mask.
46274588Sache	 */
46374588Sache	auid = td->td_ucred->cr_audit.ai_auid;
4641590Srgrimes	if (auid == AU_DEFAUDITID)
4651590Srgrimes		aumask = &audit_nae_mask;
4661590Srgrimes	else
4671590Srgrimes		aumask = &td->td_ucred->cr_audit.ai_mask;
468
469	/*
470	 * Allocate an audit record, if preselection allows it, and store in
471	 * the thread for later use.
472	 */
473	class = au_event_class(event);
474	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
475		/*
476		 * If we're out of space and need to suspend unprivileged
477		 * processes, do that here rather than trying to allocate
478		 * another audit record.
479		 *
480		 * Note: we might wish to be able to continue here in the
481		 * future, if the system recovers.  That should be possible
482		 * by means of checking the condition in a loop around
483		 * cv_wait().  It might be desirable to reevaluate whether an
484		 * audit record is still required for this event by
485		 * re-calling au_preselect().
486		 */
487		if (audit_in_failure &&
488		    priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
489			cv_wait(&audit_fail_cv, &audit_mtx);
490			panic("audit_failing_stop: thread continued");
491		}
492		td->td_ar = audit_new(event, td);
493	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
494		td->td_ar = audit_new(event, td);
495	else
496		td->td_ar = NULL;
497}
498
499/*
500 * audit_syscall_exit() is called from the return of every system call, or in
501 * the event of exit1(), during the execution of exit1().  It is responsible
502 * for committing the audit record, if any, along with return condition.
503 */
504void
505audit_syscall_exit(int error, struct thread *td)
506{
507	int retval;
508
509	/*
510	 * Commit the audit record as desired; once we pass the record into
511	 * audit_commit(), the memory is owned by the audit subsystem.  The
512	 * return value from the system call is stored on the user thread.
513	 * If there was an error, the return value is set to -1, imitating
514	 * the behavior of the cerror routine.
515	 */
516	if (error)
517		retval = -1;
518	else
519		retval = td->td_retval[0];
520
521	audit_commit(td->td_ar, error, retval);
522	td->td_ar = NULL;
523}
524
525void
526audit_cred_copy(struct ucred *src, struct ucred *dest)
527{
528
529	bcopy(&src->cr_audit, &dest->cr_audit, sizeof(dest->cr_audit));
530}
531
532void
533audit_cred_destroy(struct ucred *cred)
534{
535
536}
537
538void
539audit_cred_init(struct ucred *cred)
540{
541
542	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
543}
544
545/*
546 * Initialize audit information for the first kernel process (proc 0) and for
547 * the first user process (init).
548 */
549void
550audit_cred_kproc0(struct ucred *cred)
551{
552
553	cred->cr_audit.ai_auid = AU_DEFAUDITID;
554	cred->cr_audit.ai_termid.at_type = AU_IPv4;
555}
556
557void
558audit_cred_proc1(struct ucred *cred)
559{
560
561	cred->cr_audit.ai_auid = AU_DEFAUDITID;
562	cred->cr_audit.ai_termid.at_type = AU_IPv4;
563}
564
565void
566audit_thread_alloc(struct thread *td)
567{
568
569	td->td_ar = NULL;
570}
571
572void
573audit_thread_free(struct thread *td)
574{
575
576	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
577}
578
579void
580audit_proc_coredump(struct thread *td, char *path, int errcode)
581{
582	struct kaudit_record *ar;
583	struct au_mask *aumask;
584	au_class_t class;
585	int ret, sorf;
586	char **pathp;
587	au_id_t auid;
588
589	ret = 0;
590
591	/*
592	 * Make sure we are using the correct preselection mask.
593	 */
594	auid = td->td_ucred->cr_audit.ai_auid;
595	if (auid == AU_DEFAUDITID)
596		aumask = &audit_nae_mask;
597	else
598		aumask = &td->td_ucred->cr_audit.ai_mask;
599	/*
600	 * It's possible for coredump(9) generation to fail.  Make sure that
601	 * we handle this case correctly for preselection.
602	 */
603	if (errcode != 0)
604		sorf = AU_PRS_FAILURE;
605	else
606		sorf = AU_PRS_SUCCESS;
607	class = au_event_class(AUE_CORE);
608	if (au_preselect(AUE_CORE, class, aumask, sorf) == 0)
609		return;
610	/*
611	 * If we are interested in seeing this audit record, allocate it.
612	 * Where possible coredump records should contain a pathname and arg32
613	 * (signal) tokens.
614	 */
615	ar = audit_new(AUE_CORE, td);
616	if (path != NULL) {
617		pathp = &ar->k_ar.ar_arg_upath1;
618		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
619		canon_path(td, path, *pathp);
620		ARG_SET_VALID(ar, ARG_UPATH1);
621	}
622	ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
623	ARG_SET_VALID(ar, ARG_SIGNUM);
624	if (errcode != 0)
625		ret = 1;
626	audit_commit(ar, errcode, ret);
627}
628