Changeset View
Changeset View
Standalone View
Standalone View
sys/security/audit/audit_syscalls.c
Show First 20 Lines • Show All 159 Lines • ▼ Show 20 Lines | |||||
/* | /* | ||||
* System call to manipulate auditing. | * System call to manipulate auditing. | ||||
*/ | */ | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
sys_auditon(struct thread *td, struct auditon_args *uap) | sys_auditon(struct thread *td, struct auditon_args *uap) | ||||
{ | { | ||||
struct ucred *cred, *newcred, *oldcred; | struct ucred *cred, *newcred, *oldcred; | ||||
struct credwrap *newcredwrap, *oldcredwrap; | |||||
int error; | int error; | ||||
union auditon_udata udata; | union auditon_udata udata; | ||||
struct proc *tp; | struct proc *tp; | ||||
if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
return (ENOSYS); | return (ENOSYS); | ||||
AUDIT_ARG_CMD(uap->cmd); | AUDIT_ARG_CMD(uap->cmd); | ||||
▲ Show 20 Lines • Show All 297 Lines • ▼ Show 20 Lines | case A_GETPINFO: | ||||
break; | break; | ||||
case A_SETPMASK: | case A_SETPMASK: | ||||
if (uap->length != sizeof(udata.au_aupinfo)) | if (uap->length != sizeof(udata.au_aupinfo)) | ||||
return (EINVAL); | return (EINVAL); | ||||
if (udata.au_aupinfo.ap_pid < 1) | if (udata.au_aupinfo.ap_pid < 1) | ||||
return (ESRCH); | return (ESRCH); | ||||
newcred = crget(); | newcred = crget(); | ||||
newcredwrap = crwget(newcred); | |||||
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) { | if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) { | ||||
crfree(newcred); | crfree(newcred); | ||||
crwfree(newcredwrap); | |||||
return (ESRCH); | return (ESRCH); | ||||
} | } | ||||
if ((error = p_cansee(td, tp)) != 0) { | if ((error = p_cansee(td, tp)) != 0) { | ||||
PROC_UNLOCK(tp); | PROC_UNLOCK(tp); | ||||
crfree(newcred); | crfree(newcred); | ||||
crwfree(newcredwrap); | |||||
return (error); | return (error); | ||||
} | } | ||||
oldcred = tp->p_ucred; | oldcred = tp->p_ucred; | ||||
oldcredwrap = tp->p_credwrap; | |||||
crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
newcred->cr_audit.ai_mask.am_success = | newcred->cr_audit.ai_mask.am_success = | ||||
udata.au_aupinfo.ap_mask.am_success; | udata.au_aupinfo.ap_mask.am_success; | ||||
newcred->cr_audit.ai_mask.am_failure = | newcred->cr_audit.ai_mask.am_failure = | ||||
udata.au_aupinfo.ap_mask.am_failure; | udata.au_aupinfo.ap_mask.am_failure; | ||||
proc_set_cred(tp, newcred); | proc_set_cred(tp, newcred, newcredwrap); | ||||
PROC_UNLOCK(tp); | PROC_UNLOCK(tp); | ||||
crfree(oldcred); | crfree(oldcred); | ||||
crwfree(oldcredwrap); | |||||
break; | break; | ||||
case A_SETFSIZE: | case A_SETFSIZE: | ||||
if (uap->length != sizeof(udata.au_fstat)) | if (uap->length != sizeof(udata.au_fstat)) | ||||
return (EINVAL); | return (EINVAL); | ||||
if ((udata.au_fstat.af_filesz != 0) && | if ((udata.au_fstat.af_filesz != 0) && | ||||
(udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE)) | (udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE)) | ||||
return (EINVAL); | return (EINVAL); | ||||
▲ Show 20 Lines • Show All 98 Lines • ▼ Show 20 Lines | return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid, | ||||
sizeof(td->td_ucred->cr_audit.ai_auid))); | sizeof(td->td_ucred->cr_audit.ai_auid))); | ||||
} | } | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
sys_setauid(struct thread *td, struct setauid_args *uap) | sys_setauid(struct thread *td, struct setauid_args *uap) | ||||
{ | { | ||||
struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
struct credwrap *newcredwrap, *oldcredwrap; | |||||
au_id_t id; | au_id_t id; | ||||
int error; | int error; | ||||
if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
return (ENOSYS); | return (ENOSYS); | ||||
error = copyin(uap->auid, &id, sizeof(id)); | error = copyin(uap->auid, &id, sizeof(id)); | ||||
if (error) | if (error) | ||||
return (error); | return (error); | ||||
audit_arg_auid(id); | audit_arg_auid(id); | ||||
newcred = crget(); | newcred = crget(); | ||||
newcredwrap = crwget(newcred); | |||||
PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
oldcredwrap = td->td_proc->p_credwrap; | |||||
crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
#ifdef MAC | #ifdef MAC | ||||
error = mac_cred_check_setauid(oldcred, id); | error = mac_cred_check_setauid(oldcred, id); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
#endif | #endif | ||||
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
newcred->cr_audit.ai_auid = id; | newcred->cr_audit.ai_auid = id; | ||||
proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(oldcred); | crfree(oldcred); | ||||
crwfree(oldcredwrap); | |||||
return (0); | return (0); | ||||
fail: | fail: | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(newcred); | crfree(newcred); | ||||
crwfree(newcredwrap); | |||||
return (error); | return (error); | ||||
} | } | ||||
/* | /* | ||||
* System calls to get and set process audit information. | * System calls to get and set process audit information. | ||||
*/ | */ | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
Show All 20 Lines | sys_getaudit(struct thread *td, struct getaudit_args *uap) | ||||
return (copyout(&ai, uap->auditinfo, sizeof(ai))); | return (copyout(&ai, uap->auditinfo, sizeof(ai))); | ||||
} | } | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
sys_setaudit(struct thread *td, struct setaudit_args *uap) | sys_setaudit(struct thread *td, struct setaudit_args *uap) | ||||
{ | { | ||||
struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
struct credwrap *newcredwrap, *oldcredwrap; | |||||
struct auditinfo ai; | struct auditinfo ai; | ||||
int error; | int error; | ||||
if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
return (ENOSYS); | return (ENOSYS); | ||||
error = copyin(uap->auditinfo, &ai, sizeof(ai)); | error = copyin(uap->auditinfo, &ai, sizeof(ai)); | ||||
if (error) | if (error) | ||||
return (error); | return (error); | ||||
audit_arg_auditinfo(&ai); | audit_arg_auditinfo(&ai); | ||||
newcred = crget(); | newcred = crget(); | ||||
newcredwrap = crwget(newcred); | |||||
PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
oldcredwrap = td->td_proc->p_credwrap; | |||||
crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
#ifdef MAC | #ifdef MAC | ||||
error = mac_cred_check_setaudit(oldcred, &ai); | error = mac_cred_check_setaudit(oldcred, &ai); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
#endif | #endif | ||||
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
bzero(&newcred->cr_audit, sizeof(newcred->cr_audit)); | bzero(&newcred->cr_audit, sizeof(newcred->cr_audit)); | ||||
newcred->cr_audit.ai_auid = ai.ai_auid; | newcred->cr_audit.ai_auid = ai.ai_auid; | ||||
newcred->cr_audit.ai_mask = ai.ai_mask; | newcred->cr_audit.ai_mask = ai.ai_mask; | ||||
newcred->cr_audit.ai_asid = ai.ai_asid; | newcred->cr_audit.ai_asid = ai.ai_asid; | ||||
newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine; | newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine; | ||||
newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port; | newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port; | ||||
newcred->cr_audit.ai_termid.at_type = AU_IPv4; | newcred->cr_audit.ai_termid.at_type = AU_IPv4; | ||||
proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(oldcred); | crfree(oldcred); | ||||
crwfree(oldcredwrap); | |||||
return (0); | return (0); | ||||
fail: | fail: | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(newcred); | crfree(newcred); | ||||
crwfree(newcredwrap); | |||||
return (error); | return (error); | ||||
} | } | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap) | sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap) | ||||
{ | { | ||||
int error; | int error; | ||||
Show All 9 Lines | return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr, | ||||
sizeof(*uap->auditinfo_addr))); | sizeof(*uap->auditinfo_addr))); | ||||
} | } | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) | sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) | ||||
{ | { | ||||
struct ucred *newcred, *oldcred; | struct ucred *newcred, *oldcred; | ||||
struct credwrap *newcredwrap, *oldcredwrap; | |||||
struct auditinfo_addr aia; | struct auditinfo_addr aia; | ||||
int error; | int error; | ||||
if (jailed(td->td_ucred)) | if (jailed(td->td_ucred)) | ||||
return (ENOSYS); | return (ENOSYS); | ||||
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); | error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); | ||||
if (error) | if (error) | ||||
return (error); | return (error); | ||||
audit_arg_auditinfo_addr(&aia); | audit_arg_auditinfo_addr(&aia); | ||||
if (aia.ai_termid.at_type != AU_IPv6 && | if (aia.ai_termid.at_type != AU_IPv6 && | ||||
aia.ai_termid.at_type != AU_IPv4) | aia.ai_termid.at_type != AU_IPv4) | ||||
return (EINVAL); | return (EINVAL); | ||||
newcred = crget(); | newcred = crget(); | ||||
newcredwrap = crwget(newcred); | |||||
PROC_LOCK(td->td_proc); | PROC_LOCK(td->td_proc); | ||||
oldcred = td->td_proc->p_ucred; | oldcred = td->td_proc->p_ucred; | ||||
oldcredwrap = td->td_proc->p_credwrap; | |||||
crcopy(newcred, oldcred); | crcopy(newcred, oldcred); | ||||
#ifdef MAC | #ifdef MAC | ||||
error = mac_cred_check_setaudit_addr(oldcred, &aia); | error = mac_cred_check_setaudit_addr(oldcred, &aia); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
#endif | #endif | ||||
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT); | ||||
if (error) | if (error) | ||||
goto fail; | goto fail; | ||||
newcred->cr_audit = aia; | newcred->cr_audit = aia; | ||||
proc_set_cred(td->td_proc, newcred); | proc_set_cred(td->td_proc, newcred, newcredwrap); | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(oldcred); | crfree(oldcred); | ||||
crwfree(oldcredwrap); | |||||
return (0); | return (0); | ||||
fail: | fail: | ||||
PROC_UNLOCK(td->td_proc); | PROC_UNLOCK(td->td_proc); | ||||
crfree(newcred); | crfree(newcred); | ||||
crwfree(newcredwrap); | |||||
return (error); | return (error); | ||||
} | } | ||||
/* | /* | ||||
* Syscall to manage audit files. | * Syscall to manage audit files. | ||||
*/ | */ | ||||
/* ARGSUSED */ | /* ARGSUSED */ | ||||
int | int | ||||
▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines |