Changeset View
Changeset View
Standalone View
Standalone View
sys/security/audit/audit_syscalls.c
| Show First 20 Lines • Show All 159 Lines • ▼ Show 20 Lines | |||||
| /* | /* | ||||
| * System call to manipulate auditing. | * System call to manipulate auditing. | ||||
| */ | */ | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| sys_auditon(struct thread *td, struct auditon_args *uap) | sys_auditon(struct thread *td, struct auditon_args *uap) | ||||
| { | { | ||||
| struct ucred *cred, *newcred, *oldcred; | struct ucred *cred, *newcred, *oldcred; | ||||
| struct credwrap *newcredwrap, *oldcredwrap; | |||||
| int error; | int error; | ||||
| union auditon_udata udata; | union auditon_udata udata; | ||||
| struct proc *tp; | struct proc *tp; | ||||
| if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
| return (ENOSYS); | return (ENOSYS); | ||||
| AUDIT_ARG_CMD(uap->cmd); | AUDIT_ARG_CMD(uap->cmd); | ||||
| ▲ Show 20 Lines • Show All 297 Lines • ▼ Show 20 Lines | case A_GETPINFO: | ||||
| break; | break; | ||||
| case A_SETPMASK: | case A_SETPMASK: | ||||
| if (uap->length != sizeof(udata.au_aupinfo)) | if (uap->length != sizeof(udata.au_aupinfo)) | ||||
| return (EINVAL); | return (EINVAL); | ||||
| if (udata.au_aupinfo.ap_pid < 1) | if (udata.au_aupinfo.ap_pid < 1) | ||||
| return (ESRCH); | return (ESRCH); | ||||
| newcred = crget(); | newcred = crget(); | ||||
| newcredwrap = crwget(newcred); | |||||
| if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) { | if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) { | ||||
| crfree(newcred); | crfree(newcred); | ||||
| crwfree(newcredwrap); | |||||
| return (ESRCH); | return (ESRCH); | ||||
| } | } | ||||
| if ((error = p_cansee(td, tp)) != 0) { | if ((error = p_cansee(td, tp)) != 0) { | ||||
| PROC_UNLOCK(tp); | PROC_UNLOCK(tp); | ||||
| crfree(newcred); | crfree(newcred); | ||||
| crwfree(newcredwrap); | |||||
| return (error); | return (error); | ||||
| } | } | ||||
| oldcred = tp->p_ucred; | oldcred = tp->p_ucred; | ||||
| oldcredwrap = tp->p_credwrap; | |||||
| crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
| newcred->cr_audit.ai_mask.am_success = | newcred->cr_audit.ai_mask.am_success = | ||||
| udata.au_aupinfo.ap_mask.am_success; | udata.au_aupinfo.ap_mask.am_success; | ||||
| newcred->cr_audit.ai_mask.am_failure = | newcred->cr_audit.ai_mask.am_failure = | ||||
| udata.au_aupinfo.ap_mask.am_failure; | udata.au_aupinfo.ap_mask.am_failure; | ||||
| proc_set_cred(tp, newcred); | proc_set_cred(tp, newcred, newcredwrap); | ||||
| PROC_UNLOCK(tp); | PROC_UNLOCK(tp); | ||||
| crfree(oldcred); | crfree(oldcred); | ||||
| crwfree(oldcredwrap); | |||||
| break; | break; | ||||
| case A_SETFSIZE: | case A_SETFSIZE: | ||||
| if (uap->length != sizeof(udata.au_fstat)) | if (uap->length != sizeof(udata.au_fstat)) | ||||
| return (EINVAL); | return (EINVAL); | ||||
| if ((udata.au_fstat.af_filesz != 0) && | if ((udata.au_fstat.af_filesz != 0) && | ||||
| (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE)) | (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE)) | ||||
| return (EINVAL); | return (EINVAL); | ||||
| ▲ Show 20 Lines • Show All 98 Lines • ▼ Show 20 Lines | return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid, | ||||
| sizeof(td->td_ucred->cr_audit.ai_auid))); | sizeof(td->td_ucred->cr_audit.ai_auid))); | ||||
| } | } | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| sys_setauid(struct thread *td, struct setauid_args *uap) | sys_setauid(struct thread *td, struct setauid_args *uap) | ||||
| { | { | ||||
| struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
| struct credwrap *newcredwrap, *oldcredwrap; | |||||
| au_id_t id; | au_id_t id; | ||||
| int error; | int error; | ||||
| if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
| return (ENOSYS); | return (ENOSYS); | ||||
| error = copyin(uap->auid, &id, sizeof(id)); | error = copyin(uap->auid, &id, sizeof(id)); | ||||
| if (error) | if (error) | ||||
| return (error); | return (error); | ||||
| audit_arg_auid(id); | audit_arg_auid(id); | ||||
| newcred = crget(); | newcred = crget(); | ||||
| newcredwrap = crwget(newcred); | |||||
| PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
| oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
| oldcredwrap = td->td_proc->p_credwrap; | |||||
| crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
| #ifdef MAC | #ifdef MAC | ||||
| error = mac_cred_check_setauid(oldcred, id); | error = mac_cred_check_setauid(oldcred, id); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| #endif | #endif | ||||
| error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| newcred->cr_audit.ai_auid = id; | newcred->cr_audit.ai_auid = id; | ||||
| proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(oldcred); | crfree(oldcred); | ||||
| crwfree(oldcredwrap); | |||||
| return (0); | return (0); | ||||
| fail: | fail: | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(newcred); | crfree(newcred); | ||||
| crwfree(newcredwrap); | |||||
| return (error); | return (error); | ||||
| } | } | ||||
| /* | /* | ||||
| * System calls to get and set process audit information. | * System calls to get and set process audit information. | ||||
| */ | */ | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| Show All 20 Lines | sys_getaudit(struct thread *td, struct getaudit_args *uap) | ||||
| return (copyout(&ai, uap->auditinfo, sizeof(ai))); | return (copyout(&ai, uap->auditinfo, sizeof(ai))); | ||||
| } | } | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| sys_setaudit(struct thread *td, struct setaudit_args *uap) | sys_setaudit(struct thread *td, struct setaudit_args *uap) | ||||
| { | { | ||||
| struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
| struct credwrap *newcredwrap, *oldcredwrap; | |||||
| struct auditinfo ai; | struct auditinfo ai; | ||||
| int error; | int error; | ||||
| if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
| return (ENOSYS); | return (ENOSYS); | ||||
| error = copyin(uap->auditinfo, &ai, sizeof(ai)); | error = copyin(uap->auditinfo, &ai, sizeof(ai)); | ||||
| if (error) | if (error) | ||||
| return (error); | return (error); | ||||
| audit_arg_auditinfo(&ai); | audit_arg_auditinfo(&ai); | ||||
| newcred = crget(); | newcred = crget(); | ||||
| newcredwrap = crwget(newcred); | |||||
| PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
| oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
| oldcredwrap = td->td_proc->p_credwrap; | |||||
| crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
| #ifdef MAC | #ifdef MAC | ||||
| error = mac_cred_check_setaudit(oldcred, &ai); | error = mac_cred_check_setaudit(oldcred, &ai); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| #endif | #endif | ||||
| error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| bzero(&newcred->cr_audit, sizeof(newcred->cr_audit)); | bzero(&newcred->cr_audit, sizeof(newcred->cr_audit)); | ||||
| newcred->cr_audit.ai_auid = ai.ai_auid; | newcred->cr_audit.ai_auid = ai.ai_auid; | ||||
| newcred->cr_audit.ai_mask = ai.ai_mask; | newcred->cr_audit.ai_mask = ai.ai_mask; | ||||
| newcred->cr_audit.ai_asid = ai.ai_asid; | newcred->cr_audit.ai_asid = ai.ai_asid; | ||||
| newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine; | newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine; | ||||
| newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port; | newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port; | ||||
| newcred->cr_audit.ai_termid.at_type = AU_IPv4; | newcred->cr_audit.ai_termid.at_type = AU_IPv4; | ||||
| proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(oldcred); | crfree(oldcred); | ||||
| crwfree(oldcredwrap); | |||||
| return (0); | return (0); | ||||
| fail: | fail: | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(newcred); | crfree(newcred); | ||||
| crwfree(newcredwrap); | |||||
| return (error); | return (error); | ||||
| } | } | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap) | sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap) | ||||
| { | { | ||||
| int error; | int error; | ||||
| Show All 9 Lines | return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr, | ||||
| sizeof(*uap->auditinfo_addr))); | sizeof(*uap->auditinfo_addr))); | ||||
| } | } | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) | sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) | ||||
| { | { | ||||
| struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
| struct credwrap *newcredwrap, *oldcredwrap; | |||||
| struct auditinfo_addr aia; | struct auditinfo_addr aia; | ||||
| int error; | int error; | ||||
| if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
| return (ENOSYS); | return (ENOSYS); | ||||
| error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); | error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); | ||||
| if (error) | if (error) | ||||
| return (error); | return (error); | ||||
| audit_arg_auditinfo_addr(&aia); | audit_arg_auditinfo_addr(&aia); | ||||
| if (aia.ai_termid.at_type != AU_IPv6 && | if (aia.ai_termid.at_type != AU_IPv6 && | ||||
| aia.ai_termid.at_type != AU_IPv4) | aia.ai_termid.at_type != AU_IPv4) | ||||
| return (EINVAL); | return (EINVAL); | ||||
| newcred = crget(); | newcred = crget(); | ||||
| newcredwrap = crwget(newcred); | |||||
| PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
| oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
| oldcredwrap = td->td_proc->p_credwrap; | |||||
| crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
| #ifdef MAC | #ifdef MAC | ||||
| error = mac_cred_check_setaudit_addr(oldcred, &aia); | error = mac_cred_check_setaudit_addr(oldcred, &aia); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| #endif | #endif | ||||
| error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
| if (error) | if (error) | ||||
| goto fail; | goto fail; | ||||
| newcred->cr_audit = aia; | newcred->cr_audit = aia; | ||||
| proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(oldcred); | crfree(oldcred); | ||||
| crwfree(oldcredwrap); | |||||
| return (0); | return (0); | ||||
| fail: | fail: | ||||
| PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
| crfree(newcred); | crfree(newcred); | ||||
| crwfree(newcredwrap); | |||||
| return (error); | return (error); | ||||
| } | } | ||||
| /* | /* | ||||
| * Syscall to manage audit files. | * Syscall to manage audit files. | ||||
| */ | */ | ||||
| /* ARGSUSED */ | /* ARGSUSED */ | ||||
| int | int | ||||
| ▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines | |||||