1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
|
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Routines for writing audit records.
*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <sys/door.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/statvfs.h> /* for statfs */
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/vfs.h>
#include <sys/user.h>
#include <sys/uio.h>
#include <sys/reboot.h>
#include <sys/kmem.h> /* for KM_SLEEP */
#include <sys/resource.h> /* for RLIM_INFINITY */
#include <sys/cmn_err.h> /* panic */
#include <sys/systm.h>
#include <sys/debug.h>
#include <sys/sysmacros.h>
#include <sys/syscall.h>
#include <sys/zone.h>
#include <c2/audit.h>
#include <c2/audit_kernel.h>
#include <c2/audit_record.h>
#include <c2/audit_kevents.h>
#include <c2/audit_door_infc.h>
static void au_dequeue(au_kcontext_t *, au_buff_t *);
static void audit_async_finish_backend(void *);
static int audit_sync_block(au_kcontext_t *);
/*
* each of these two tables are indexed by the values AU_DBUF_COMPLETE
* through AU_DBUF_LAST; the content is the next state value. The
* first table determines the next state for a buffer which is not the
* end of a record and the second table determines the state for a
* buffer which is the end of a record. The initial state is
* AU_DBUF_COMPLETE.
*/
static int state_if_part[] = {
AU_DBUF_FIRST, AU_DBUF_MIDDLE, AU_DBUF_MIDDLE, AU_DBUF_FIRST};
static int state_if_not_part[] = {
AU_DBUF_COMPLETE, AU_DBUF_LAST, AU_DBUF_LAST, AU_DBUF_COMPLETE};
/*
* Write to an audit descriptor.
* Add the au_membuf to the descriptor chain and free the chain passed in.
*/
void
au_uwrite(m)
token_t *m;
{
au_write(&(u_ad), m);
}
void
au_write(caddr_t *d, token_t *m)
{
if (d == NULL) {
au_toss_token(m);
return;
}
if (m == (token_t *)0) {
printf("au_write: null token\n");
return;
}
if (*d == NULL)
*d = (caddr_t)m;
else
(void) au_append_rec((au_buff_t *)*d, m, AU_PACK);
}
/*
* Close an audit descriptor.
* Use the second parameter to indicate if it should be written or not.
*/
void
au_close(au_kcontext_t *kctx, caddr_t *d, int flag, au_event_t e_type,
au_emod_t e_mod)
{
token_t *dchain; /* au_membuf chain which is the tokens */
t_audit_data_t *tad = U2A(u);
ASSERT(tad != NULL);
ASSERT(d != NULL);
ASSERT(kctx != NULL);
if ((dchain = (token_t *)*d) == (token_t *)NULL)
return;
*d = NULL;
/*
* If async then defer; or if requested, defer the closing/queueing to
* syscall end, unless no syscall is active or the syscall is _exit.
*/
if ((flag & AU_DONTBLOCK) || ((flag & AU_DEFER) &&
(tad->tad_scid != 0) && (tad->tad_scid != SYS_exit))) {
au_close_defer(dchain, flag, e_type, e_mod);
return;
}
au_close_time(kctx, dchain, flag, e_type, e_mod, NULL);
}
/*
* Defer closing/queueing of an audit descriptor. For async events, queue
* via softcall. Otherwise, defer by queueing the record onto the tad; at
* syscall end time it will be pulled off.
*/
void
au_close_defer(token_t *dchain, int flag, au_event_t e_type, au_emod_t e_mod)
{
au_defer_info_t *attr;
t_audit_data_t *tad = U2A(u);
ASSERT(tad != NULL);
/* If not to be written, toss the record. */
if ((flag & AU_OK) == 0) {
au_toss_token(dchain);
return;
}
attr = kmem_alloc(sizeof (au_defer_info_t), KM_NOSLEEP);
/* If no mem available, failing silently is the best recourse */
if (attr == NULL) {
au_toss_token(dchain);
return;
}
attr->audi_next = NULL;
attr->audi_ad = dchain;
attr->audi_e_type = e_type;
attr->audi_e_mod = e_mod;
attr->audi_flag = flag;
gethrestime(&attr->audi_atime);
/*
* All async events must be queued via softcall to avoid possible
* sleeping in high interrupt context. softcall will ensure it's
* done on a dedicated software-level interrupt thread.
*/
if (flag & AU_DONTBLOCK) {
softcall(audit_async_finish_backend, attr);
audit_async_done(NULL, 0);
return;
}
/*
* If not an async event, defer by queuing onto the tad until
* syscall end. No locking is needed because the tad is per-thread.
*/
if (tad->tad_defer_head)
tad->tad_defer_tail->audi_next = attr;
else
tad->tad_defer_head = attr;
tad->tad_defer_tail = attr;
}
/*
* Save the time in the event header. If time is not specified (i.e., pointer
* is NULL), use the current time. This code is fairly ugly since it needs
* to support both 32- and 64-bit environments and can be called indirectly
* from both au_close() (for kernel audit) and from audit() (userland audit).
*/
/*ARGSUSED*/
static void
au_save_time(adr_t *hadrp, timestruc_t *time, int size)
{
struct {
uint32_t sec;
uint32_t usec;
} tv;
timestruc_t now;
if (time == NULL) {
gethrestime(&now);
time = &now;
}
#ifdef _LP64
if (size)
adr_int64(hadrp, (int64_t *)time, 2);
else
#endif
{
tv.sec = (uint32_t)time->tv_sec;
tv.usec = (uint32_t)time->tv_nsec;
adr_int32(hadrp, (int32_t *)&tv, 2);
}
}
/*
* Close an audit descriptor.
* If time of event is specified, use it in the record, otherwise use the
* current time.
*/
void
au_close_time(au_kcontext_t *kctx, token_t *dchain, int flag, au_event_t e_type,
au_emod_t e_mod, timestruc_t *etime)
{
token_t *record; /* au_membuf chain == the record */
int byte_count;
token_t *m; /* for potential sequence token */
adr_t hadr; /* handle for header token */
adr_t sadr; /* handle for sequence token */
size_t zone_length; /* length of zonename token */
ASSERT(dchain != NULL);
/* If not to be written, toss the record */
if ((flag & AU_OK) == 0) {
au_toss_token(dchain);
return;
}
/* if auditing not enabled, then don't generate an audit record */
ASSERT(kctx != NULL);
if ((kctx->auk_auditstate != AUC_AUDITING) &&
(kctx->auk_auditstate != AUC_INIT_AUDIT)) {
/*
* at system boot, neither is set yet we want to generate
* an audit record.
*/
if (e_type != AUE_SYSTEMBOOT) {
au_toss_token(dchain);
return;
}
}
/* Count up the bytes used in the record. */
byte_count = au_token_size(dchain);
/*
* add in size of header token (always present).
*/
byte_count += sizeof (char) + sizeof (int32_t) +
sizeof (char) + 2 * sizeof (short) + sizeof (timestruc_t);
if (kctx->auk_hostaddr_valid)
byte_count += sizeof (int32_t) +
kctx->auk_info.ai_termid.at_type;
/*
* add in size of zonename token (zero if !AUDIT_ZONENAME)
*/
if (kctx->auk_policy & AUDIT_ZONENAME) {
zone_length = au_zonename_length(NULL);
byte_count += zone_length;
} else {
zone_length = 0;
}
/* add in size of (optional) trailer token */
if (kctx->auk_policy & AUDIT_TRAIL)
byte_count += 7;
/* add in size of (optional) sequence token */
if (kctx->auk_policy & AUDIT_SEQ)
byte_count += 5;
/* build the header */
if (kctx->auk_hostaddr_valid)
record = au_to_header_ex(byte_count, e_type, e_mod);
else
record = au_to_header(byte_count, e_type, e_mod);
/*
* If timestamp was specified, save it in header now. Otherwise,
* save reference to header so we can update time/data later
* and artificially adjust pointer to the time/date field of header.
*/
adr_start(&hadr, memtod(record, char *));
hadr.adr_now += sizeof (char) + sizeof (int32_t) +
sizeof (char) + 2 * sizeof (short);
if (kctx->auk_hostaddr_valid)
hadr.adr_now += sizeof (int32_t) +
kctx->auk_info.ai_termid.at_type;
if (etime != NULL) {
au_save_time(&hadr, etime, 1);
hadr.adr_now = (char *)NULL;
}
/* append body of audit record */
(void) au_append_rec(record, dchain, AU_PACK);
/* add (optional) zonename token */
if (zone_length > 0) {
m = au_to_zonename(zone_length, NULL);
(void) au_append_rec(record, m, AU_PACK);
}
/* Add an (optional) sequence token. NULL offset if none */
if (kctx->auk_policy & AUDIT_SEQ) {
/* get the sequence token */
m = au_to_seq();
/* link to audit record (i.e. don't pack the data) */
(void) au_append_rec(record, m, AU_LINK);
/*
* advance to count field of sequence token by skipping
* the token type byte.
*/
adr_start(&sadr, memtod(m, char *));
sadr.adr_now += 1;
} else {
sadr.adr_now = NULL;
}
/* add (optional) trailer token */
if (kctx->auk_policy & AUDIT_TRAIL) {
(void) au_append_rec(record, au_to_trailer(byte_count),
AU_PACK);
}
/*
* 1 - use 64 bit version of audit tokens for 64 bit kernels.
* 0 - use 32 bit version of audit tokens for 32 bit kernels.
*/
#ifdef _LP64
au_enqueue(kctx, record, &hadr, &sadr, 1, flag & AU_DONTBLOCK);
#else
au_enqueue(kctx, record, &hadr, &sadr, 0, flag & AU_DONTBLOCK);
#endif
AS_INC(as_totalsize, byte_count, kctx);
}
/*ARGSUSED*/
void
au_enqueue(au_kcontext_t *kctx, au_buff_t *m, adr_t *hadrp, adr_t *sadrp,
int size, int dontblock)
{
if (kctx == NULL)
return;
mutex_enter(&(kctx->auk_queue.lock));
if (!dontblock && (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) &&
audit_sync_block(kctx)) {
mutex_exit(&(kctx->auk_queue.lock));
au_free_rec(m);
return;
}
/* Fill in date and time if needed */
if (hadrp->adr_now) {
au_save_time(hadrp, NULL, size);
}
/* address will be non-zero only if AUDIT_SEQ set */
if (sadrp->adr_now) {
kctx->auk_sequence++;
adr_int32(sadrp, (int32_t *)&(kctx->auk_sequence), 1);
}
if (kctx->auk_queue.head)
kctx->auk_queue.tail->next_rec = m;
else
kctx->auk_queue.head = m;
kctx->auk_queue.tail = m;
if (++(kctx->auk_queue.cnt) >
kctx->auk_queue.lowater && kctx->auk_queue.rd_block)
cv_broadcast(&(kctx->auk_queue.read_cv));
mutex_exit(&(kctx->auk_queue.lock));
/* count # audit records put onto kernel audit queue */
AS_INC(as_enqueue, 1, kctx);
}
/*
* Dequeue and free buffers upto and including "freeto"
* Keeps the queue lock long but acquires it only once when doing
* bulk dequeueing.
*/
static void
au_dequeue(au_kcontext_t *kctx, au_buff_t *freeto)
{
au_buff_t *m, *l, *lastl;
int n = 0;
ASSERT(kctx != NULL);
mutex_enter(&(kctx->auk_queue.lock));
ASSERT(kctx->auk_queue.head != NULL);
ASSERT(freeto != NULL);
l = m = kctx->auk_queue.head;
do {
n++;
lastl = l;
l = l->next_rec;
} while (l != NULL && freeto != lastl);
kctx->auk_queue.cnt -= n;
lastl->next_rec = NULL;
kctx->auk_queue.head = l;
/* Freeto must exist in the list */
ASSERT(freeto == lastl);
if (kctx->auk_queue.cnt <= kctx->auk_queue.lowater &&
kctx->auk_queue.wt_block)
cv_broadcast(&(kctx->auk_queue.write_cv));
mutex_exit(&(kctx->auk_queue.lock));
while (m) {
l = m->next_rec;
au_free_rec(m);
m = l;
}
AS_INC(as_written, n, kctx);
}
/*
* audit_sync_block()
* If we've reached the high water mark, we look at the policy to see
* if we sleep or we should drop the audit record.
* This function is called with the auk_queue.lock held and the check
* performed one time already as an optimization. Caller should unlock.
* Returns 1 if the caller needs to free the record.
*/
static int
audit_sync_block(au_kcontext_t *kctx)
{
ASSERT(MUTEX_HELD(&(kctx->auk_queue.lock)));
/*
* Loop while we are at the high watermark.
*/
do {
if ((kctx->auk_auditstate != AUC_AUDITING) ||
(kctx->auk_policy & AUDIT_CNT)) {
/* just count # of dropped audit records */
AS_INC(as_dropped, 1, kctx);
return (1);
}
/* kick reader awake if its asleep */
if (kctx->auk_queue.rd_block &&
kctx->auk_queue.cnt > kctx->auk_queue.lowater)
cv_broadcast(&(kctx->auk_queue.read_cv));
/* keep count of # times blocked */
AS_INC(as_wblocked, 1, kctx);
/* sleep now, until woken by reader */
kctx->auk_queue.wt_block++;
cv_wait(&(kctx->auk_queue.write_cv), &(kctx->auk_queue.lock));
kctx->auk_queue.wt_block--;
} while (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater);
return (0);
}
/*
* audit_async_block()
* if we've reached the high water mark, we look at the ahlt policy to see
* if we reboot we should drop the audit record.
* Returns 1 if blocked.
*/
static int
audit_async_block(au_kcontext_t *kctx, caddr_t *rpp)
{
ASSERT(kctx != NULL);
mutex_enter(&(kctx->auk_queue.lock));
/* see if we've reached high water mark */
if (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater) {
mutex_exit(&(kctx->auk_queue.lock));
audit_async_drop(rpp, AU_BACKEND);
return (1);
}
mutex_exit(&(kctx->auk_queue.lock));
return (0);
}
/*
* au_door_upcall. auditdoor() may change vp without notice, so
* some locking seems in order.
*
*/
#define AGAIN_TICKS 10
static int
au_door_upcall(au_kcontext_t *kctx, au_dbuf_t *aubuf)
{
int rc;
door_arg_t darg;
int retry = 1;
int ticks_to_wait;
darg.data_ptr = (char *)aubuf;
darg.data_size = AU_DBUF_HEADER + aubuf->aub_size;
darg.desc_ptr = NULL;
darg.desc_num = 0;
while (retry == 1) {
/* non-zero means return results expected */
darg.rbuf = (char *)aubuf;
darg.rsize = darg.data_size;
retry = 0;
mutex_enter(&(kctx->auk_svc_lock));
rc = door_upcall(kctx->auk_current_vp, &darg, NULL,
SIZE_MAX, 0);
if (rc != 0) {
mutex_exit(&(kctx->auk_svc_lock));
if (rc == EAGAIN)
ticks_to_wait = AGAIN_TICKS;
else
return (rc);
mutex_enter(&(kctx->auk_eagain_mutex));
(void) cv_reltimedwait(&(kctx->auk_eagain_cv),
&(kctx->auk_eagain_mutex), ticks_to_wait,
TR_CLOCK_TICK);
mutex_exit(&(kctx->auk_eagain_mutex));
retry = 1;
} else
mutex_exit(&(kctx->auk_svc_lock)); /* no retry */
} /* end while (retry == 1) */
if (darg.rbuf == NULL)
return (-1);
/* return code from door server */
return (*(int *)darg.rbuf);
}
/*
* Write an audit control message to the door handle. The message
* structure depends on message_code and at present the only control
* message defined is for a policy change. These are infrequent,
* so no memory is held for control messages.
*/
int
au_doormsg(au_kcontext_t *kctx, uint32_t message_code, void *message)
{
int rc;
au_dbuf_t *buf;
size_t alloc_size;
switch (message_code) {
case AU_DBUF_POLICY:
alloc_size = AU_DBUF_HEADER + sizeof (uint32_t);
buf = kmem_alloc(alloc_size, KM_SLEEP);
buf->aub_size = sizeof (uint32_t);
*(uint32_t *)buf->aub_buf = *(uint32_t *)message;
break;
case AU_DBUF_SHUTDOWN:
alloc_size = AU_DBUF_HEADER;
buf = kmem_alloc(alloc_size, KM_SLEEP);
buf->aub_size = 0;
break;
default:
return (1);
}
buf->aub_type = AU_DBUF_NOTIFY | message_code;
rc = au_door_upcall(kctx, buf);
kmem_free(buf, alloc_size);
return (rc);
}
/*
* Write audit information to the door handle. au_doorio is called with
* one or more complete audit records on the queue and outputs those
* records in buffers of up to auk_queue.buflen in size.
*/
int
au_doorio(au_kcontext_t *kctx) {
off_t off; /* space used in buffer */
ssize_t used; /* space used in au_membuf */
token_t *cAR; /* current AR being processed */
token_t *cMB; /* current au_membuf being processed */
token_t *sp; /* last AR processed */
char *bp; /* start of free space in staging buffer */
unsigned char *cp; /* ptr to data to be moved */
int error; /* return from door upcall */
/*
* size (data left in au_membuf - space in buffer)
*/
ssize_t sz;
ssize_t len; /* len of data to move, size of AR */
ssize_t curr_sz = 0; /* amount of data written during now */
/*
* partial_state is AU_DBUF_COMPLETE...LAST; see audit_door_infc.h
*/
int part = 0; /* partial audit record written */
int partial_state = AU_DBUF_COMPLETE;
/*
* Has the write buffer changed length due to a auditctl(2)?
* Initial allocation is from audit_start.c/audit_init()
*/
if (kctx->auk_queue.bufsz != kctx->auk_queue.buflen) {
kmem_free(kctx->auk_dbuffer, AU_DBUF_HEADER +
kctx->auk_queue.buflen);
kctx->auk_dbuffer = kmem_alloc(AU_DBUF_HEADER +
kctx->auk_queue.bufsz, KM_SLEEP);
/* omit the 64 bit header */
kctx->auk_queue.buflen = kctx->auk_queue.bufsz;
}
if (!kctx->auk_queue.head)
goto nodata;
sp = NULL; /* no record copied */
off = 0; /* no space used in buffer */
used = 0; /* no data processed in au_membuf */
cAR = kctx->auk_queue.head; /* start at head of queue */
cMB = cAR; /* start with first au_membuf of record */
/* start at beginning of buffer */
bp = &(kctx->auk_dbuffer->aub_buf[0]);
while (cMB) {
part = 1; /* indicate audit record being processed */
cp = memtod(cMB, unsigned char *); /* buffer ptr */
sz = (ssize_t)cMB->len - used; /* data left in au_membuf */
/* len to move */
len = (ssize_t)MIN(sz, kctx->auk_queue.buflen - off);
/* move the data */
bcopy(cp + used, bp + off, len);
used += len; /* update used au_membuf */
off += len; /* update offset into buffer */
if (used >= (ssize_t)cMB->len) {
/* advance to next au_membuf */
used = 0;
cMB = cMB->next_buf;
}
if (cMB == NULL) {
/* advance to next audit record */
sp = cAR;
cAR = cAR->next_rec;
cMB = cAR;
part = 0; /* have a complete record */
}
error = 0;
if ((kctx->auk_queue.buflen == off) || (part == 0)) {
if (part)
partial_state = state_if_part[partial_state];
else
partial_state =
state_if_not_part[partial_state];
kctx->auk_dbuffer->aub_type = partial_state;
kctx->auk_dbuffer->aub_size = off;
error = au_door_upcall(kctx, kctx->auk_dbuffer);
if (error != 0)
goto nodata;
/*
* if we've successfully written an audit record,
* free records up to last full record copied
*/
if (sp)
au_dequeue(kctx, sp);
/* Update size */
curr_sz += off;
/* reset auk_dbuffer pointers */
sp = NULL;
off = 0;
}
} /* while(cMB) */
nodata:
return (error);
}
/*
* Clean up thread audit state to clear out asynchronous audit record
* generation error recovery processing. Note that this is done on a
* per-thread basis and thus does not need any locking.
*/
void
audit_async_done(caddr_t *rpp, int flags)
{
t_audit_data_t *tad = U2A(u);
/* clean up the tad unless called from softcall backend */
if (!(flags & AU_BACKEND)) {
ASSERT(tad != NULL);
ASSERT(tad->tad_ctrl & PAD_ERRJMP);
tad->tad_ctrl &= ~PAD_ERRJMP;
tad->tad_errjmp = NULL;
}
/* clean out partial audit record */
if ((rpp != NULL) && (*rpp != NULL)) {
au_toss_token((au_buff_t *)*rpp);
*rpp = NULL;
}
}
/*
* implement the audit policy for asynchronous events generated within
* the kernel.
* XXX might need locks around audit_policy check.
*/
void
audit_async_drop(caddr_t *rpp, int flags)
{
au_kcontext_t *kctx;
/* could not generate audit record, clean up */
audit_async_done((caddr_t *)rpp, flags);
kctx = GET_KCTX_GZ;
/* just drop the record and return */
if (((audit_policy & AUDIT_AHLT) == 0) ||
(kctx->auk_auditstate == AUC_INIT_AUDIT)) {
/* just count # of dropped audit records */
AS_INC(as_dropped, 1, kctx);
return;
}
/*
* There can be a lot of data in the audit queue. We
* will first sync the file systems then attempt to
* shutdown the kernel so that a memory dump is
* performed.
*/
sync();
sync();
/*
* now shut down. What a cruel world it has been
*/
panic("non-attributable halt. should dump core");
/* No return */
}
int
audit_async_start(label_t *jb, au_event_t event, int sorf)
{
t_audit_data_t *tad = U2A(u);
au_state_t estate;
int success = 0, failure = 0;
au_kcontext_t *kctx = GET_KCTX_GZ;
/* if audit state off, then no audit record generation */
if ((kctx->auk_auditstate != AUC_AUDITING) &&
(kctx->auk_auditstate != AUC_INIT_AUDIT))
return (1);
/*
* preselect asynchronous event
* XXX should we check for out-of-range???
*/
estate = kctx->auk_ets[event];
if (sorf & AUM_SUCC)
success = kctx->auk_info.ai_mask.as_success & estate;
if (sorf & AUM_FAIL)
failure = kctx->auk_info.ai_mask.as_failure & estate;
if ((success | failure) == NULL)
return (1);
ASSERT(tad->tad_errjmp == NULL);
tad->tad_errjmp = (void *)jb;
tad->tad_ctrl |= PAD_ERRJMP;
return (0);
}
/*
* Complete auditing of an async event. The AU_DONTBLOCK flag to au_close will
* result in the backend routine being invoked from softcall, so all the real
* work can be done in a safe context.
*/
void
audit_async_finish(caddr_t *ad, au_event_t aid, au_emod_t amod)
{
au_kcontext_t *kctx;
kctx = GET_KCTX_GZ;
au_close(kctx, ad, AU_DONTBLOCK | AU_OK, aid, PAD_NONATTR|amod);
}
/*
* Backend routine to complete an async audit. Invoked from softcall.
* (Note: the blocking and the queuing below both involve locking which can't
* be done safely in high interrupt context due to the chance of sleeping on
* the corresponding adaptive mutex. Hence the softcall.)
*/
static void
audit_async_finish_backend(void *addr)
{
au_kcontext_t *kctx;
au_defer_info_t *attr = (au_defer_info_t *)addr;
if (attr == NULL)
return; /* won't happen unless softcall is broken */
kctx = GET_KCTX_GZ;
if (audit_async_block(kctx, (caddr_t *)&attr->audi_ad)) {
kmem_free(attr, sizeof (au_defer_info_t));
return;
}
/*
* Call au_close_time to complete the audit with the saved values.
*
* For the exit-prom event, use the current time instead of the
* saved time as a better approximation. (Because the time saved via
* gethrestime during prom-exit handling would not yet be caught up
* after the system was idled in the debugger for a period of time.)
*/
if (attr->audi_e_type == AUE_EXITPROM) {
au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
attr->audi_e_type, attr->audi_e_mod, NULL);
} else {
au_close_time(kctx, (token_t *)attr->audi_ad, attr->audi_flag,
attr->audi_e_type, attr->audi_e_mod, &attr->audi_atime);
}
AS_INC(as_generated, 1, kctx);
AS_INC(as_nonattrib, 1, kctx);
kmem_free(attr, sizeof (au_defer_info_t));
}
|
