changeset 12617:d82a7bcb6fed
6625545 auditd Generates Plethora Events due to Missing System Files (AUE_OPEN_R, AUE_OPENAT_R, AUE_EXECVE)
6631622 The tad_ctrl (PAD_) stuff is a mess
author | Marek Pospisil <Marek.Pospisil@Sun.COM> |
---|---|
date | Mon, 14 Jun 2010 02:08:23 -0700 |
parents | 17a31b0faaa4 |
children | 0e5eaf4bf546 |
files | usr/src/uts/common/c2/audit.c usr/src/uts/common/c2/audit.h usr/src/uts/common/c2/audit_event.c usr/src/uts/common/c2/audit_io.c usr/src/uts/common/c2/audit_kernel.h usr/src/uts/common/c2/audit_mem.c usr/src/uts/common/c2/audit_start.c usr/src/uts/common/fs/lookup.c usr/src/uts/common/os/fio.c usr/src/uts/common/os/streamio.c usr/src/uts/common/sys/sad.h usr/src/uts/common/syscall/open.c usr/src/uts/intel/ia32/ml/modstubs.s usr/src/uts/sparc/ml/modstubs.s |
diffstat | 14 files changed, 126 insertions(+), 335 deletions(-) [+] |
--- a/usr/src/uts/common/c2/audit.c Sat Jun 12 23:20:18 2010 -0700 +++ b/usr/src/uts/common/c2/audit.c Mon Jun 14 02:08:23 2010 -0700 @@ -86,6 +86,7 @@ audit_savepath( struct pathname *pnp, /* pathname to lookup */ struct vnode *vp, /* vnode of the last component */ + struct vnode *pvp, /* vnode of the last parent component */ int flag, /* status of the last access */ cred_t *cr) /* cred of requestor */ { 
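Review bot: The new `pvp` parameter's contract is not stated in the signature comment, and it matters: the ENOENT block added later in this function only dereferences it when `flag == ENOENT` and explicitly tolerates NULL, while the lookup.c success-path caller in this same changeset hands it a vnode it has already VN_RELE'd. The comment should say that the pointer is read only on ENOENT and must still be held by the caller in that case, e.g. `struct vnode *pvp, /* parent of last component; may be NULL, read only when flag == ENOENT */`. The body of audit_savepath() continues beyond this hunk.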
@@ -96,33 +97,53 @@ tad = U2A(u); /* + * Noise elimination in audit trails - this event will be discarded if: + * - the public policy is not active AND + * - the system call is a public operation AND + * - the file was not found: VFS lookup failed with ENOENT error AND + * - the missing file would have been located in the public directory + * owned by root if it had existed + */ + if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL && + (tad->tad_ctrl & TAD_PUBLIC_EV) && + !(kctx->auk_policy & AUDIT_PUBLIC)) { + struct vattr attr; + + attr.va_mask = AT_ALL; + if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) { + if (object_is_public(&attr)) { + tad->tad_ctrl |= TAD_NOAUDIT; + } + } + } + + /* * this event being audited or do we need path information * later? This might be for a chdir/chroot or open (add path * to file pointer. If the path has already been found for an * open/creat then we don't need to process the path. * - * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with * chroot, chdir, open, creat system call processing. It determines * if audit_savepath() will discard the path or we need it later. - * PAD_PATHFND means path already included in this audit record. It + * TAD_PATHFND means path already included in this audit record. It * is used in cases where multiple path lookups are done per * system call. The policy flag, AUDIT_PATH, controls if multiple * paths are allowed. - * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with * exit processing to inhibit any paths that may be added due to * closes. 
*/ - if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || - ((tad->tad_ctrl & PAD_PATHFND) && + if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || + ((tad->tad_ctrl & TAD_PATHFND) && !(kctx->auk_policy & AUDIT_PATH)) || - (tad->tad_ctrl & PAD_NOPATH)) { + (tad->tad_ctrl & TAD_NOPATH)) { return (0); } - tad->tad_ctrl |= PAD_NOPATH; /* prevent possible reentry */ + tad->tad_ctrl |= TAD_NOPATH; /* prevent possible reentry */ audit_pathbuild(pnp); - tad->tad_vn = vp; /* * are we auditing only if error, or if it is not open or create @@ -135,7 +156,7 @@ tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_openat || tad->tad_scid == SYS_openat64)) { - tad->tad_ctrl |= PAD_TRUE_CREATE; + tad->tad_ctrl |= TAD_TRUE_CREATE; } /* add token to audit record for this name */ @@ -153,23 +174,22 @@ * then don't add attribute, * it will be added at end of vn_create(). */ - if (!flag && !(tad->tad_ctrl & PAD_NOATTRB)) + if (!flag && !(tad->tad_ctrl & TAD_NOATTRB)) audit_attributes(vp); } } /* free up space if we're not going to save path (open, creat) */ - if ((tad->tad_ctrl & PAD_SAVPATH) == 0) { + if ((tad->tad_ctrl & TAD_SAVPATH) == 0) { if (tad->tad_aupath != NULL) { au_pathrele(tad->tad_aupath); tad->tad_aupath = NULL; - tad->tad_vn = NULL; } } - if (tad->tad_ctrl & PAD_MLD) - tad->tad_ctrl |= PAD_PATHFND; + if (tad->tad_ctrl & TAD_MLD) + tad->tad_ctrl |= TAD_PATHFND; - tad->tad_ctrl &= ~PAD_NOPATH; /* restore */ + tad->tad_ctrl &= ~TAD_NOPATH; /* restore */ return (0); } @@ -196,10 +216,10 @@ mutex_enter(&pad->pad_lock); if (tad->tad_aupath != NULL) { pfxapp = tad->tad_aupath; - } else if ((tad->tad_ctrl & PAD_ATCALL) && pnp->pn_buf[0] != '/') { + } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') { ASSERT(tad->tad_atpath != NULL); pfxapp = tad->tad_atpath; - } else if (tad->tad_ctrl & PAD_ABSPATH) { + } else if (tad->tad_ctrl & TAD_ABSPATH) { pfxapp = pad->pad_root; } else { pfxapp = pad->pad_cwd; 
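Review bot: The noise filter sets TAD_NOAUDIT whenever the parent directory satisfies object_is_public(), even when the event class was explicitly preselected (`tad_flag != 0`), so a sweep of failed read-only opens against root-owned public directories leaves no audit trace unless the AUDIT_PUBLIC policy is enabled; that visibility trade-off should be stated rather than implied by "noise elimination". `attr.va_mask = AT_ALL` also fetches every attribute on each such ENOENT; if object_is_public() inspects only type, uid and mode (its body is outside this diff) a narrower mask would be cheaper on this hot failure path. The attribute fetch uses `CRED()` although the function was handed `cr`, which matches audit_attributes() below but is worth a word. Suggested comment: ` * NOTE: with AUDIT_PUBLIC off this also drops failed read-only opens in root-owned public dirs for preselected classes.` The rest of audit_savepath() lies outside this hunk.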
@@ -208,7 +228,7 @@ mutex_exit(&pad->pad_lock); /* get an expanded buffer to hold the anchored path */ - newsect = tad->tad_ctrl & PAD_ATTPATH; + newsect = tad->tad_ctrl & TAD_ATTPATH; newapp = au_pathdup(pfxapp, newsect, len); au_pathrele(pfxapp); @@ -230,54 +250,10 @@ tad->tad_aupath = newapp; /* for case where multiple lookups in one syscall (rename) */ - tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATTPATH); + tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH); } - -/*ARGSUSED*/ - -/* - * ROUTINE: AUDIT_ADDCOMPONENT - * PURPOSE: extend the path by the component accepted - * CALLBY: LOOKUPPN - * NOTE: This function is called only when there is an error in - * parsing a path component - * TODO: Add the error component to audit record - * QUESTION: what is this for - */ - -void -audit_addcomponent(struct pathname *pnp) -{ - au_kcontext_t *kctx = GET_KCTX_PZ; - t_audit_data_t *tad; - - tad = U2A(u); - /* - * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with - * chroot, chdir, open, creat system call processing. It determines - * if audit_savepath() will discard the path or we need it later. - * PAD_PATHFND means path already included in this audit record. It - * is used in cases where multiple path lookups are done per - * system call. The policy flag, AUDIT_PATH, controls if multiple - * paths are allowed. - * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with - * exit processing to inhibit any paths that may be added due to - * closes. - */ - if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || - ((tad->tad_ctrl & PAD_PATHFND) && - !(kctx->auk_policy & AUDIT_PATH)) || - (tad->tad_ctrl & PAD_NOPATH)) { - return; - } - - return; - -} /* AUDIT_ADDCOMPONENT */ - - /* * ROUTINE: AUDIT_ANCHORPATH * PURPOSE: 
@@ -287,7 +263,7 @@ * first time we will throw away any saved path if path is anchored. * * flag = 0, path is relative. - * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH. + * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH. * * If the (new) path is absolute, then we have to throw away whatever we have * already accumulated since it is being superseded by new path which is @@ -311,30 +287,29 @@ * to file pointer. If the path has already been found for an * open/creat then we don't need to process the path. * - * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with * chroot, chdir, open, creat system call processing. It determines * if audit_savepath() will discard the path or we need it later. - * PAD_PATHFND means path already included in this audit record. It + * TAD_PATHFND means path already included in this audit record. It * is used in cases where multiple path lookups are done per * system call. The policy flag, AUDIT_PATH, controls if multiple * paths are allowed. - * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with * exit processing to inhibit any paths that may be added due to * closes. */ - if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) || - ((tad->tad_ctrl & PAD_PATHFND) && + if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) || + ((tad->tad_ctrl & TAD_PATHFND) && !(kctx->auk_policy & AUDIT_PATH)) || - (tad->tad_ctrl & PAD_NOPATH)) { + (tad->tad_ctrl & TAD_NOPATH)) { return; } if (flag) { - tad->tad_ctrl |= PAD_ABSPATH; + tad->tad_ctrl |= TAD_ABSPATH; if (tad->tad_aupath != NULL) { au_pathrele(tad->tad_aupath); tad->tad_aupath = NULL; - tad->tad_vn = NULL; } } } 
@@ -382,22 +357,22 @@ * to file pointer. If the path has already been found for an * open/creat then we don't need to process the path. * - * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with * chroot, chdir, open, creat system call processing. It determines * if audit_savepath() will discard the path or we need it later. - * PAD_PATHFND means path already included in this audit record. It + * TAD_PATHFND means path already included in this audit record. It * is used in cases where multiple path lookups are done per * system call. The policy flag, AUDIT_PATH, controls if multiple * paths are allowed. - * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with + * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with * exit processing to inhibit any paths that may be added due to * closes. */ if ((tad->tad_flag == 0 && - !(tad->tad_ctrl & PAD_SAVPATH)) || - ((tad->tad_ctrl & PAD_PATHFND) && + !(tad->tad_ctrl & TAD_SAVPATH)) || + ((tad->tad_ctrl & TAD_PATHFND) && !(kctx->auk_policy & AUDIT_PATH)) || - (tad->tad_ctrl & PAD_NOPATH)) { + (tad->tad_ctrl & TAD_NOPATH)) { return; } @@ -431,11 +406,12 @@ } /* - * file_is_public : determine whether events for the file (corresponding to - * the specified file attr) should be audited or ignored. + * object_is_public : determine whether events for the object (corresponding to + * the specified file/directory attr) should be audited or + * ignored. * - * returns: 1 - if audit policy and file attributes indicate that - * file is effectively public. read events for + * returns: 1 - if audit policy and object attributes indicate that + * file/directory is effectively public. read events for * the file should not be audited. * 0 - otherwise * 
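Review bot: The rewritten header comment still describes object_is_public() purely in terms of reading the object itself, but audit_savepath() in this changeset now also passes it the attributes of the parent directory of a name whose lookup failed with ENOENT, so "read events for the file should not be audited" no longer covers everything a return of 1 suppresses. Suggest adding ` * Also applied by audit_savepath() to the parent directory of a missing object, in which case the failed lookup record itself is discarded.` The function body is outside this hunk.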
@@ -447,7 +423,7 @@ * (mode doesn't need to be checked for symlinks) */ int -file_is_public(struct vattr *attr) +object_is_public(struct vattr *attr) { au_kcontext_t *kctx = GET_KCTX_PZ; @@ -484,7 +460,8 @@ if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0) return; - if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) { + if (object_is_public(&attr) && + (tad->tad_ctrl & TAD_PUBLIC_EV)) { /* * This is a public object and a "public" event * (i.e., read only) -- either by definition @@ -492,7 +469,7 @@ * not being requested (e.g. mmap). * Flag it in the tad to prevent this audit at the end. */ - tad->tad_ctrl |= PAD_NOAUDIT; + tad->tad_ctrl |= TAD_NOAUDIT; } else { au_uwrite(au_to_attr(&attr)); audit_sec_attributes(&(u_ad), vp); @@ -581,7 +558,7 @@ return; /* reset the flags for non-user attributable events */ - tad->tad_ctrl = PAD_CORE; + tad->tad_ctrl = TAD_CORE; tad->tad_scid = 0; /* if auditing not enabled, then don't generate an audit record */ @@ -661,32 +638,12 @@ if (tad->tad_aupath != NULL) { au_pathrele(tad->tad_aupath); tad->tad_aupath = NULL; - tad->tad_vn = NULL; } tad->tad_event = 0; tad->tad_evmod = 0; tad->tad_ctrl = 0; } -/*ARGSUSED*/ -void -audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp) -{ -} - -/*ARGSUSED*/ -void -audit_strclose(struct vnode *vp, int flag, cred_t *crp) -{ -} - -/*ARGSUSED*/ -void -audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag, - int copyflag, cred_t *crp, int *rvalp) -{ -} - /*ARGSUSED*/ void @@ -826,7 +783,7 @@ * then skip the audit. */ if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) { - if (file_is_public(&attr)) { + if (object_is_public(&attr)) { return; } } 
@@ -909,14 +866,13 @@ */ fad->fad_aupath = tad->tad_aupath; tad->tad_aupath = NULL; - tad->tad_vn = NULL; - if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) { + if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) { /* adjust event type by dropping the 'creat' part */ switch (tad->tad_event) { case AUE_OPEN_RC: tad->tad_event = AUE_OPEN_R; - tad->tad_ctrl |= PAD_PUBLIC_EV; + tad->tad_ctrl |= TAD_PUBLIC_EV; break; case AUE_OPEN_RTC: tad->tad_event = AUE_OPEN_RT; @@ -940,20 +896,6 @@ } -/* - * ROUTINE: AUDIT_COPEN - * PURPOSE: - * CALLBY: COPEN - * NOTE: - * TODO: - * QUESTION: - */ -/*ARGSUSED*/ -void -audit_copen(int fd, file_t *fp, vnode_t *vp) -{ -} - void audit_ipc(int type, int id, void *vp) { @@ -1110,13 +1052,13 @@ } if (fd != AT_FDCWD) { if ((fp = getf(fd)) == NULL) { - tad->tad_ctrl |= PAD_NOPATH; + tad->tad_ctrl |= TAD_NOPATH; return; } fad = F2A(fp); ASSERT(fad); if (fad->fad_aupath == NULL) { - tad->tad_ctrl |= PAD_NOPATH; + tad->tad_ctrl |= TAD_NOPATH; releasef(fd); return; } @@ -1172,7 +1114,7 @@ t_audit_data_t *tad; tad = U2A(u); - tad->tad_ctrl |= PAD_NOATTRB; + tad->tad_ctrl |= TAD_NOATTRB; } /* @@ -1197,13 +1139,13 @@ if (tad->tad_flag == 0) return; - if (tad->tad_ctrl & PAD_TRUE_CREATE) { + if (tad->tad_ctrl & TAD_TRUE_CREATE) { audit_attributes(vp); } - if (tad->tad_ctrl & PAD_CORE) { + if (tad->tad_ctrl & TAD_CORE) { audit_attributes(vp); - tad->tad_ctrl &= ~PAD_CORE; + tad->tad_ctrl &= ~TAD_CORE; } if (!error && ((tad->tad_event == AUE_MKNOD) || @@ -1212,7 +1154,7 @@ } /* for case where multiple lookups in one syscall (rename) */ - tad->tad_ctrl &= ~PAD_NOATTRB; + tad->tad_ctrl &= ~TAD_NOATTRB; } @@ -1367,22 +1309,6 @@ intptr_t arg; }; -/* - * ROUTINE: AUDIT_C2_REVOKE - * PURPOSE: - * CALLBY: FCNTL - * NOTE: - * TODO: - * QUESTION: are we keeping this func - */ - -/*ARGSUSED*/ -int -audit_c2_revoke(struct fcntla *uap, rval_t *rvp) -{ - return (0); -} - /* * ROUTINE: AUDIT_CHDIREC 
@@ -1448,38 +1374,6 @@ } } -/* - * ROUTINE: AUDIT_GETF - * PURPOSE: - * CALLBY: GETF_INTERNAL - * NOTE: The main function of GETF_INTERNAL is to associate a given - * file descriptor with a file structure and increment the - * file pointer reference count. - * TODO: remove pass in of fpp. - * increment a reference count so that even if a thread with same process delete - * the same object, it will not panic our system - * QUESTION: - * where to decrement the f_count????????????????? - * seems like I need to set a flag if f_count incremented through audit_getf - */ - -/*ARGSUSED*/ -int -audit_getf(int fd) -{ -#ifdef NOTYET - t_audit_data_t *tad; - - tad = T2A(curthread); - - if (!(tad->tad_scid == SYS_openat || - tad->tad_scid == SYS_openat64 || - tad->tad_scid == SYS_open || - tad->tad_scid == SYS_open64)) - return (0); -#endif - return (0); -} /* * Audit hook for stream based socket and tli request. @@ -1643,17 +1537,6 @@ } } -void -audit_lookupname() -{ -} - -/*ARGSUSED*/ -int -audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr) -{ - return (0); -} static void add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
--- a/usr/src/uts/common/c2/audit.h Sat Jun 12 23:20:18 2010 -0700 +++ b/usr/src/uts/common/c2/audit.h Mon Jun 14 02:08:23 2010 -0700 @@ -501,30 +501,24 @@ void audit_pfree(struct proc *); void audit_thread_create(kthread_id_t); void audit_thread_free(kthread_id_t); -int audit_savepath(struct pathname *, struct vnode *, int, cred_t *); -void audit_addcomponent(struct pathname *); +int audit_savepath(struct pathname *, struct vnode *, struct vnode *, + int, cred_t *); void audit_anchorpath(struct pathname *, int); void audit_symlink(struct pathname *, struct pathname *); void audit_symlink_create(struct vnode *, char *, char *, int); -int file_is_public(struct vattr *); +int object_is_public(struct vattr *); void audit_attributes(struct vnode *); void audit_falloc(struct file *); void audit_unfalloc(struct file *); void audit_exit(int, int); void audit_core_start(int); void audit_core_finish(int); -void audit_stropen(struct vnode *, dev_t *, int, struct cred *); -void audit_strclose(struct vnode *, int, struct cred *); -void audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *, - int *); void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *, unsigned char *, int *, int); void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *, unsigned char, int, int); void audit_closef(struct file *); -int audit_getf(int); void audit_setf(struct file *, int); -void audit_copen(int, struct file *, struct vnode *); void audit_reboot(void); void audit_vncreate_start(void); void audit_setfsat_path(int argnum); @@ -567,8 +561,8 @@ * Get the given zone audit status. zcontext != NULL serves * as a protection when c2audit module is not loaded. */ -#define AU_ZONE_AUDITING(zcontext) \ - (audit_active == C2AUDIT_LOADED && \ +#define AU_ZONE_AUDITING(zcontext) \ + (audit_active == C2AUDIT_LOADED && \ ((AU_AUDIT_MASK) & au_zone_getstate((zcontext)))) /* 
@@ -581,11 +575,8 @@
 void audit_fixpath(struct audit_path *, int);
 void audit_ipc(int, int, void *);
 void audit_ipcget(int, void *);
-void audit_lookupname();
-int audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
 void audit_fdsend(int, struct file *, int);
 void audit_fdrecv(int, struct file *);
-int audit_c2_revoke(struct fcntla *, rval_t *);
 void audit_priv(int, const struct priv_set *, int);
 void audit_setppriv(int, int, const struct priv_set *, const cred_t *);
 void audit_devpolicy(int, const struct devplcysys *);
--- a/usr/src/uts/common/c2/audit_event.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/c2/audit_event.c Mon Jun 14 02:08:23 2010 -0700
@@ -18,10 +18,8 @@
 *
 * CDDL HEADER END
 */
-
 /*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 /*
@@ -1024,7 +1022,7 @@
 /* convert to appropriate au_ctrl */
 if (fm & (FXATTR | FXATTRDIROPEN))
- tad->tad_ctrl |= PAD_ATTPATH;
+ tad->tad_ctrl |= TAD_ATTPATH;
 return (open_event(fm));
 }
@@ -1045,7 +1043,7 @@
 /* If no write, create, or trunc modes, mark as a public op */
 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
- tad->tad_ctrl |= PAD_PUBLIC_EV;
+ tad->tad_ctrl |= TAD_PUBLIC_EV;
 }
 /* ARGSUSED */
@@ -1067,7 +1065,7 @@
 /* convert to appropriate au_ctrl */
 if (fm & (FXATTR | FXATTRDIROPEN))
- tad->tad_ctrl |= PAD_ATTPATH;
+ tad->tad_ctrl |= TAD_ATTPATH;
 return (open_event(fm));
 }
@@ -1089,7 +1087,7 @@
 /* If no write, create, or trunc modes, mark as a public op */
 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
- tad->tad_ctrl |= PAD_PUBLIC_EV;
+ tad->tad_ctrl |= TAD_PUBLIC_EV;
 }
 static au_event_t
@@ -1552,7 +1550,7 @@
 /* do the lookup to force generation of path token */
 pnamep = (caddr_t)uap->pnamep;
- tad->tad_ctrl |= PAD_NOATTRB;
+ tad->tad_ctrl |= TAD_NOATTRB;
 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
 if (error == 0)
 VN_RELE(dvp);
@@ -1839,7 +1837,7 @@
 * considered public, skip the audit.
 */
 if (((fp->f_flag & FWRITE) == 0) &&
- file_is_public(&attr)) {
+ object_is_public(&attr)) {
 tad->tad_flag = 0;
 tad->tad_evmod = 0;
 /* free any residual audit data */
@@ -2318,7 +2316,7 @@
 * public object, the mmap event may be discarded.
 */
 if (((uap->prot) & PROT_WRITE) == 0) {
- tad->tad_ctrl |= PAD_PUBLIC_EV;
+ tad->tad_ctrl |= TAD_PUBLIC_EV;
 }
 fad = F2A(fp);
--- a/usr/src/uts/common/c2/audit_io.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/c2/audit_io.c Mon Jun 14 02:08:23 2010 -0700
@@ -19,12 +19,12 @@
 * CDDL HEADER END
 */
 /*
- * Routines for writing audit records.
- *
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */
+/*
+ * Routines for writing audit records.
+ */
 #include <sys/door.h>
 #include <sys/param.h>
@@ -736,9 +736,9 @@
 /* clean up the tad unless called from softcall backend */
 if (!(flags & AU_BACKEND)) {
 ASSERT(tad != NULL);
- ASSERT(tad->tad_ctrl & PAD_ERRJMP);
+ ASSERT(tad->tad_ctrl & TAD_ERRJMP);
- tad->tad_ctrl &= ~PAD_ERRJMP;
+ tad->tad_ctrl &= ~TAD_ERRJMP;
 tad->tad_errjmp = NULL;
 }
@@ -817,7 +817,7 @@
 ASSERT(tad->tad_errjmp == NULL);
 tad->tad_errjmp = (void *)jb;
- tad->tad_ctrl |= PAD_ERRJMP;
+ tad->tad_ctrl |= TAD_ERRJMP;
 return (0);
 }
--- a/usr/src/uts/common/c2/audit_kernel.h Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/c2/audit_kernel.h Mon Jun 14 02:08:23 2010 -0700
@@ -79,11 +79,11 @@
 /*
 * Defines for au_ctrl
 */
-#define S2E_SP PAD_SAVPATH /* save path for later use */
-#define S2E_MLD PAD_MLD /* only one lookup per system call */
-#define S2E_NPT PAD_NOPATH /* force no path in audit record */
-#define S2E_PUB PAD_PUBLIC_EV /* syscall is defined as a public op */
-#define S2E_ATC PAD_ATCALL /* syscall is one of the *at() family */
+#define S2E_SP TAD_SAVPATH /* save path for later use */
+#define S2E_MLD TAD_MLD /* only one lookup per system call */
+#define S2E_NPT TAD_NOPATH /* force no path in audit record */
+#define S2E_PUB TAD_PUBLIC_EV /* syscall is defined as a public op */
+#define S2E_ATC TAD_ATCALL /* syscall is one of the *at() family */
 /*
 * At present, we are using the audit classes imbedded with in the kernel. Each
@@ -162,35 +162,28 @@
 #define pad_flags pad_data.pad_flags
 /*
- * Defines for pad_flags
+ * Defines for process audit flags (pad_flags)
 */
 #define PAD_SETMASK 0x00000001 /* need to complete pending setmask */
 extern kmem_cache_t *au_pad_cache;
 /*
- * Defines for tad_ctrl
+ * Defines for thread audit control/status flags (tad_ctrl)
 */
-#define PAD_SAVPATH 0x00000001 /* save path for further processing */
-#define PAD_MLD 0x00000002 /* system call involves MLD */
-#define PAD_NOPATH 0x00000004 /* force no paths in audit record */
-#define PAD_ABSPATH 0x00000008 /* path from lookup is absolute */
-#define PAD_NOATTRB 0x00000010 /* do not automatically add attribute */
- /* 0x20 unused */
-#define PAD_ATCALL 0x00000040 /* *at() syscall, like openat() */
-#define PAD_LFLOAT 0x00000080 /* Label float */
-#define PAD_NOAUDIT 0x00000100 /* discard audit record */
-#define PAD_PATHFND 0x00000200 /* found path, don't retry lookup */
-#define PAD_SPRIV 0x00000400 /* succ priv use. extra audit_finish */
-#define PAD_FPRIV 0x00000800 /* fail priv use. extra audit_finish */
-#define PAD_SMAC 0x00001000 /* succ mac use. extra audit_finish */
-#define PAD_FMAC 0x00002000 /* fail mac use. extra audit_finish */
-#define PAD_AUDITME 0x00004000 /* audit me because of NFS operation */
-#define PAD_ATTPATH 0x00008000 /* attribute file lookup */
-#define PAD_TRUE_CREATE 0x00010000 /* true create, file not found */
-#define PAD_CORE 0x00020000 /* save attribute during core dump */
-#define PAD_ERRJMP 0x00040000 /* abort record generation on error */
-#define PAD_PUBLIC_EV 0x00080000 /* syscall is defined as a public op */
+#define TAD_ABSPATH 0x00000001 /* path from lookup is absolute */
+#define TAD_ATCALL 0x00000002 /* *at() syscall, like openat() */
+#define TAD_ATTPATH 0x00000004 /* attribute file lookup */
+#define TAD_CORE 0x00000008 /* save attribute during core dump */
+#define TAD_ERRJMP 0x00000010 /* abort record generation on error */
+#define TAD_MLD 0x00000020 /* system call involves MLD */
+#define TAD_NOATTRB 0x00000040 /* do not automatically add attribute */
+#define TAD_NOAUDIT 0x00000080 /* discard audit record */
+#define TAD_NOPATH 0x00000100 /* force no paths in audit record */
+#define TAD_PATHFND 0x00000200 /* found path, don't retry lookup */
+#define TAD_PUBLIC_EV 0x00000400 /* syscall is defined as a public op */
+#define TAD_SAVPATH 0x00000800 /* save path for further processing */
+#define TAD_TRUE_CREATE 0x00001000 /* true create, file not found */
 /*
 * The structure t_audit_data hangs off of the thread structure. It contains
@@ -210,7 +203,6 @@
 uint32_t tad_audit; /* auditing enabled/disabled */
 struct audit_path *tad_aupath; /* captured at vfs_lookup */
 struct audit_path *tad_atpath; /* openat prefix, path of fd */
- struct vnode *tad_vn; /* saved inode from vfs_lookup */
 caddr_t tad_ad; /* base of accumulated audit data */
 au_defer_info_t *tad_defer_head; /* queue of records to defer */
 /* until syscall end: */
--- a/usr/src/uts/common/c2/audit_mem.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/c2/audit_mem.c Mon Jun 14 02:08:23 2010 -0700
@@ -19,8 +19,7 @@
 * CDDL HEADER END
 */
 /*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 #include <sys/param.h>
@@ -57,7 +56,7 @@
 * If asynchronous (interrupt) thread, then we can't sleep
 * (the tad ERRJMP flag is set at the start of async processing).
 */
- if (tad->tad_ctrl & PAD_ERRJMP) {
+ if (tad->tad_ctrl & TAD_ERRJMP) {
 buffer = kmem_cache_alloc(au_buf_cache, KM_NOSLEEP);
 if (buffer == NULL) {
 /* return to top of stack & report an error */
@@ -89,7 +88,7 @@
 * If asynchronous (interrupt) thread, schedule the release
 * (the tad ERRJMP flag is set at the start of async processing).
 */
- if (tad->tad_ctrl & PAD_ERRJMP) {
+ if (tad->tad_ctrl & TAD_ERRJMP) {
 /* Discard async events via softcall. */
 softcall(audit_async_discard_backend, buf);
 }
--- a/usr/src/uts/common/c2/audit_start.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/c2/audit_start.c Mon Jun 14 02:08:23 2010 -0700
@@ -102,7 +102,7 @@
 ASSERT(tad->tad_errjmp == NULL);
 tad->tad_errjmp = (void *)&jb;
- tad->tad_ctrl |= PAD_ERRJMP;
+ tad->tad_ctrl |= TAD_ERRJMP;
 /* generate a system-booted audit record */
 au_write((caddr_t *)&rp, au_to_text("booting kernel"));
@@ -265,7 +265,7 @@
 }
 tad->tad_defer_head = tad->tad_defer_tail = NULL;
- if (tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) {
+ if (tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) {
 /*
 * clear the ctrl flag so that we don't have spurious
 * collection of audit information.
@@ -375,7 +375,6 @@
 if (tad->tad_aupath != NULL) {
 au_pathrele(tad->tad_aupath);
 tad->tad_aupath = NULL;
- tad->tad_vn = NULL;
 }
 /* free up any space remaining with openat path's */
@@ -410,18 +409,10 @@
 tad->tad_evmod |= PAD_FAILURE;
 /* see if we really want to generate an audit record */
- if (tad->tad_ctrl & PAD_NOAUDIT)
+ if (tad->tad_ctrl & TAD_NOAUDIT)
 return (0);
 /*
- * nfs operation and we're auditing privilege or MAC. This
- * is so we have a client audit record to match a nfs server
- * audit record.
- */
- if (tad->tad_ctrl & PAD_AUDITME)
- return (AU_OK);
-
- /*
 * Used passed cred if available, otherwise use cred from kernel thread
 */
 if (cr == NULL)
--- a/usr/src/uts/common/fs/lookup.c Sat Jun 12 23:20:18 2010 -0700 +++ b/usr/src/uts/common/fs/lookup.c Mon Jun 14 02:08:23 2010 -0700 @@ -91,8 +91,6 @@ error = pn_get_buf(fnamep, seg, &lookpn, namebuf, sizeof (namebuf)); if (error == 0) { - if (AU_AUDITING()) - audit_lookupname(); error = lookuppnatcred(&lookpn, NULL, followlink, dirvpp, compvpp, startvp, cr); } @@ -276,8 +274,6 @@ * Process the next component of the pathname. */ if (error = pn_getcomponent(pnp, component)) { - if (auditing) - audit_addcomponent(pnp); goto bad; } @@ -409,9 +405,10 @@ if (pn_pathleft(pnp) || dirvpp == NULL || error != ENOENT) goto bad; if (auditing) { /* directory access */ - if (error = audit_savepath(pnp, vp, error, cr)) + if (error = audit_savepath(pnp, vp, vp, error, cr)) goto bad_noaudit; } + pn_setlast(pnp); /* * We inform the caller that the desired entry must be @@ -466,10 +463,6 @@ */ if (cvp->v_type == VLNK && ((flags & FOLLOW) || pn_pathleft(pnp))) { struct pathname linkpath; - if (auditing) { - if (error = audit_pathcomp(pnp, cvp, cr)) - goto bad; - } if (++nlink > MAXSYMLINKS) { error = ELOOP; @@ -579,7 +572,7 @@ */ if (vn_compare(vp, cvp)) { if (auditing) - (void) audit_savepath(pnp, cvp, + (void) audit_savepath(pnp, cvp, vp, EINVAL, cr); pn_setlast(pnp); VN_RELE(vp); @@ -590,15 +583,11 @@ pn_free(pp); return (EINVAL); } - if (auditing) { - if (error = audit_pathcomp(pnp, vp, cr)) - goto bad; - } *dirvpp = vp; } else VN_RELE(vp); if (auditing) - (void) audit_savepath(pnp, cvp, 0, cr); + (void) audit_savepath(pnp, cvp, vp, 0, cr); if (pnp->pn_path == pnp->pn_buf) (void) pn_set(pnp, "."); else @@ -621,11 +610,6 @@ return (0); } - if (auditing) { - if (error = audit_pathcomp(pnp, cvp, cr)) - goto bad; - } - /* * Skip over slashes from end of last component. */ @@ -646,7 +630,7 @@ bad: if (auditing) /* reached end of path */ - (void) audit_savepath(pnp, cvp, error, cr); + (void) audit_savepath(pnp, cvp, vp, error, cr); bad_noaudit: /* * Error. Release vnodes and return.
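Review bot: On the success path the new call `(void) audit_savepath(pnp, cvp, vp, 0, cr);` passes `vp` after the `else` branch has already executed `VN_RELE(vp)`, so when `dirvpp == NULL` the audit layer receives a vnode pointer this function no longer holds. It is harmless today only because audit_savepath() reads pvp solely under `flag == ENOENT` (as far as this diff shows), which is a fragile invariant to rely on across the genunix/c2audit boundary. A successful lookup never needs the parent for the ENOENT filter, so either pass `NULL` here, `(void) audit_savepath(pnp, cvp, NULL, 0, cr);`, or move the `VN_RELE(vp)` below the audit call. lookuppnvp() continues beyond this hunk.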
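Review bot: At `bad:` the `vp` now handed to audit_savepath() is the deepest directory the walk resolved, and the earlier hunk in this file sends a mid-path ENOENT (`pn_pathleft(pnp)` true) to this label, so for a missing intermediate directory the public-directory test in audit_savepath() is made against an ancestor rather than the nominal parent of the missing name. That may be the intended approximation, but it is not visible from the call and deserves a comment: `/* vp: deepest dir resolved; on a mid-path ENOENT this is an ancestor of the missing name */`. That vp is still held here is implied by the "Release vnodes" comment that follows, but the release code itself is outside this hunk.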
--- a/usr/src/uts/common/os/fio.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/os/fio.c Mon Jun 14 02:08:23 2010 -0700
@@ -606,12 +606,6 @@
 }
 ufp->uf_refcnt++;
- /*
- * archive per file audit data
- */
- if (AU_AUDITING())
- (void) audit_getf(fd);
 set_active_fd(fd); /* record the active file descriptor */
 UF_EXIT(ufp);
@@ -684,11 +678,6 @@
 }
 }
- /*
- * archive per file audit data
- */
- if (AU_AUDITING())
- (void) audit_getf(fd);
 ASSERT(ufp->uf_busy);
 ufp->uf_file = NULL;
 ufp->uf_flag = 0;
--- a/usr/src/uts/common/os/streamio.c Sat Jun 12 23:20:18 2010 -0700 +++ b/usr/src/uts/common/os/streamio.c Mon Jun 14 02:08:23 2010 -0700 @@ -250,9 +250,6 @@ zoneid_t zoneid; uint_t anchor; - if (AU_AUDITING()) - audit_stropen(vp, devp, flag, crp); - /* * If the stream already exists, wait for any open in progress * to complete, then call the open function of each module and @@ -619,9 +616,6 @@ int freestp = 1; queue_t *rmq; - if (AU_AUDITING()) - audit_strclose(vp, flag, crp); - TRACE_1(TR_FAC_STREAMS_FR, TR_STRCLOSE, "strclose:%p", vp); ASSERT(vp->v_stream); @@ -3222,9 +3216,6 @@ TRACE_3(TR_FAC_STREAMS_FR, TR_IOCTL_ENTER, "strioctl:stp %p cmd %X arg %lX", stp, cmd, arg); - if (auditing) - audit_strioctl(vp, cmd, arg, flag, copyflag, crp, rvalp); - /* * If the copy is kernel to kernel, make sure that the FNATIVE * flag is set. After this it would be a serious error to have
--- a/usr/src/uts/common/sys/sad.h Sat Jun 12 23:20:18 2010 -0700 +++ b/usr/src/uts/common/sys/sad.h Mon Jun 14 02:08:23 2010 -0700 @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. */ /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ @@ -30,8 +29,6 @@ #ifndef _SYS_SAD_H #define _SYS_SAD_H -#pragma ident "%Z%%M% %I% %E% SMI" /* SVr4.0 1.5 */ - #include <sys/types.h> #ifdef _KERNEL #include <sys/strsubr.h> @@ -208,9 +205,6 @@ /* * function prototypes */ -void audit_stropen(struct vnode *, dev_t *, int, cred_t *); -void audit_strclose(struct vnode *, int, cred_t *); -void audit_strioctl(struct vnode *, int, intptr_t, int, int, cred_t *, int *); struct strbuf; void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *, unsigned char, int, int);
--- a/usr/src/uts/common/syscall/open.c Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/common/syscall/open.c Mon Jun 14 02:08:23 2010 -0700
@@ -20,8 +20,7 @@
 */
 /*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
@@ -200,8 +199,6 @@
 if (startvp != NULL)
 VN_RELE(startvp);
 if (error == 0) {
- if (auditing)
- audit_copen(fd, fp, vp);
 if ((vp->v_flag & VDUP) == 0) {
 fp->f_vnode = vp;
 mutex_exit(&fp->f_tlock);
--- a/usr/src/uts/intel/ia32/ml/modstubs.s Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/intel/ia32/ml/modstubs.s Mon Jun 14 02:08:23 2010 -0700
@@ -958,17 +958,11 @@
 NO_UNLOAD_STUB(c2audit, audit, nomod_zero);
 NO_UNLOAD_STUB(c2audit, auditdoor, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_closef, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_copen, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_core_start, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_core_finish, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_stropen, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_strclose, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_strioctl, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_strputmsg, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_c2_revoke, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_savepath, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_anchorpath, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_addcomponent, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exit, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exec, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_symlink, nomod_zero);
@@ -978,14 +972,11 @@
 NO_UNLOAD_STUB(c2audit, audit_enterprom, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exitprom, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_chdirec, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_getf, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_setf, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_sock, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_strgetmsg, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_ipc, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_ipcget, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_lookupname, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_pathcomp, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_fdsend, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_fdrecv, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_priv, nomod_zero);
--- a/usr/src/uts/sparc/ml/modstubs.s Sat Jun 12 23:20:18 2010 -0700
+++ b/usr/src/uts/sparc/ml/modstubs.s Mon Jun 14 02:08:23 2010 -0700
@@ -878,17 +878,11 @@
 NO_UNLOAD_STUB(c2audit, audit, nomod_zero);
 NO_UNLOAD_STUB(c2audit, auditdoor, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_closef, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_copen, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_core_start, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_core_finish, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_stropen, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_strclose, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_strioctl, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_strputmsg, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_c2_revoke, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_savepath, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_anchorpath, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_addcomponent, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exit, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exec, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_symlink, nomod_zero);
@@ -898,14 +892,11 @@
 NO_UNLOAD_STUB(c2audit, audit_enterprom, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_exitprom, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_chdirec, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_getf, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_setf, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_sock, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_strgetmsg, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_ipc, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_ipcget, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_lookupname, nomod_zero);
- NO_UNLOAD_STUB(c2audit, audit_pathcomp, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_fdsend, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_fdrecv, nomod_zero);
 NO_UNLOAD_STUB(c2audit, audit_priv, nomod_zero);