| audit_bsm.c (bad70a881b0ee0301dbf60227b6c2c30dddbaf9f) | audit_bsm.c (871499fef514fd9934f9a8a07194e8ef86c07bd5) |
|---|---|
| 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 40 unchanged lines hidden (view full) --- 49#include <security/audit/audit_private.h> 50 51#include <netinet/in_systm.h> 52#include <netinet/in.h> 53#include <netinet/ip.h> 54 55MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 | 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 40 unchanged lines hidden (view full) --- 49#include <security/audit/audit_private.h> 50 51#include <netinet/in_systm.h> 52#include <netinet/in.h> 53#include <netinet/ip.h> 54 55MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 |
| 57/* | 57/* |
| 58 * Forward declares. 59 */ 60static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63/* 64 * Initialize the BSM auditing subsystem. 65 */ 66void 67kau_init(void) 68{ 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72} 73 74/* | 58 * Forward declares. 59 */ 60static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63/* 64 * Initialize the BSM auditing subsystem. 65 */ 66void 67kau_init(void) 68{ 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72} 73 74/* |
| 75 * This call reserves memory for the audit record. 76 * Memory must be guaranteed before any auditable event can be 77 * generated. 78 * The au_record structure maintains a reference to the 79 * memory allocated above and also the list of tokens associated 80 * with this record 81 */ 82static struct au_record * | 75 * This call reserves memory for the audit record. Memory must be guaranteed 76 * before any auditable event can be generated. The au_record structure 77 * maintains a reference to the memory allocated above and also the list of 78 * tokens associated with this record 79 */ 80static struct au_record * |
| 83kau_open(void) | 81kau_open(void) |
| 84{ | 82{ |
| 85 struct au_record *rec; | 83 struct au_record *rec; |
| 86 | 84 |
| 87 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 88 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 89 M_AUDITBSM, M_WAITOK | M_ZERO); 90 TAILQ_INIT(&rec->token_q); 91 rec->len = 0; 92 rec->used = 1; 93 94 return (rec); 95} 96 97/* 98 * Store the token with the record descriptor. | 85 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 86 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 87 M_AUDITBSM, M_WAITOK | M_ZERO); 88 TAILQ_INIT(&rec->token_q); 89 rec->len = 0; 90 rec->used = 1; 91 92 return (rec); 93} 94 95/* 96 * Store the token with the record descriptor. |
| 99 */ | 97 */ |
| 100static void 101kau_write(struct au_record *rec, struct au_token *tok) 102{ 103 104 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 105 106 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 107 rec->len += tok->len; --- 5 unchanged lines hidden (view full) --- 113 */ 114static void 115kau_close(struct au_record *rec, struct timespec *ctime, short event) 116{ 117 u_char *dptr; 118 size_t tot_rec_size; 119 token_t *cur, *hdr, *trail; 120 struct timeval tm; | 98static void 99kau_write(struct au_record *rec, struct au_token *tok) 100{ 101 102 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 103 104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 105 rec->len += tok->len; --- 5 unchanged lines hidden (view full) --- 111 */ 112static void 113kau_close(struct au_record *rec, struct timespec *ctime, short event) 114{ 115 u_char *dptr; 116 size_t tot_rec_size; 117 token_t *cur, *hdr, *trail; 118 struct timeval tm; |
| 121 | 119 |
| 122 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 123 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 124 /* Create the header token */ 125 tm.tv_usec = ctime->tv_nsec / 1000; 126 tm.tv_sec = ctime->tv_sec; 127 hdr = au_to_header32(tot_rec_size, event, 0, tm); 128 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 129 130 trail = au_to_trailer(tot_rec_size); 131 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 132 133 /* Serialize token data to the record. */ | 120 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 121 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 122 /* Create the header token */ 123 tm.tv_usec = ctime->tv_nsec / 1000; 124 tm.tv_sec = ctime->tv_sec; 125 hdr = au_to_header32(tot_rec_size, event, 0, tm); 126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 127 128 trail = au_to_trailer(tot_rec_size); 129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 130 131 /* Serialize token data to the record. */ |
| 134 | |
| 135 rec->len = tot_rec_size; 136 dptr = rec->data; 137 TAILQ_FOREACH(cur, &rec->token_q, tokens) { | 132 rec->len = tot_rec_size; 133 dptr = rec->data; 134 TAILQ_FOREACH(cur, &rec->token_q, tokens) { |
| 138 memcpy(dptr, cur->t_data, cur->len); | 135 memcpy(dptr, cur->t_data, cur->len); |
| 139 dptr += cur->len; 140 } 141 } 142} 143 144/* | 136 dptr += cur->len; 137 } 138 } 139} 140 141/* |
| 145 * Free a BSM audit record by releasing all the tokens and clearing the 146 * audit record information. | 142 * Free a BSM audit record by releasing all the tokens and clearing the audit 143 * record information. |
| 147 */ 148void 149kau_free(struct au_record *rec) 150{ 151 struct au_token *tok; 152 | 144 */ 145void 146kau_free(struct au_record *rec) 147{ 148 struct au_token *tok; 149 |
| 153 /* Free the token list */ | 150 /* Free the token list. */ |
| 154 while ((tok = TAILQ_FIRST(&rec->token_q))) { 155 TAILQ_REMOVE(&rec->token_q, tok, tokens); 156 free(tok->t_data, M_AUDITBSM); 157 free(tok, M_AUDITBSM); | 151 while ((tok = TAILQ_FIRST(&rec->token_q))) { 152 TAILQ_REMOVE(&rec->token_q, tok, tokens); 153 free(tok->t_data, M_AUDITBSM); 154 free(tok, M_AUDITBSM); |
| 158 } | 155 } |
| 159 160 rec->used = 0; | 156 157 rec->used = 0; |
| 161 rec->len = 0; | 158 rec->len = 0; |
| 162 free(rec->data, M_AUDITBSM); 163 free(rec, M_AUDITBSM); 164} 165 166/* 167 * XXX May want turn some (or all) of these macros into functions in order 168 * to reduce the generated code sized. 169 * --- 43 unchanged lines hidden (view full) --- 213 if (ARG_IS_VALID(kar, ARG_FD)) { \ 214 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 215 kau_write(rec, tok); \ 216 } \ 217 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 218 kau_write(rec, tok); \ 219 } else { \ 220 if (ARG_IS_VALID(kar, ARG_FD)) { \ | 159 free(rec->data, M_AUDITBSM); 160 free(rec, M_AUDITBSM); 161} 162 163/* 164 * XXX May want turn some (or all) of these macros into functions in order 165 * to reduce the generated code sized. 166 * --- 43 unchanged lines hidden (view full) --- 210 if (ARG_IS_VALID(kar, ARG_FD)) { \ 211 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 212 kau_write(rec, tok); \ 213 } \ 214 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 215 kau_write(rec, tok); \ 216 } else { \ 217 if (ARG_IS_VALID(kar, ARG_FD)) { \ |
| 221 tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\ | 218 tok = au_to_arg32(1, "non-file: fd", \ 219 ar->ar_arg_fd); \ |
| 222 kau_write(rec, tok); \ 223 } \ 224 } \ 225} while (0) 226 227#define PROCESS_PID_TOKENS(argn) do { \ 228 if (ARG_IS_VALID(kar, ARG_PID)) { \ 229 if ((ar->ar_arg_pid > 0) /* Kill a single process */ \ --- 18 unchanged lines hidden (view full) --- 248 * system call. 249 */ 250static void 251audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 252{ 253 struct au_token *tok; 254 255 switch (ar->ar_arg_cmd) { | 220 kau_write(rec, tok); \ 221 } \ 222 } \ 223} while (0) 224 225#define PROCESS_PID_TOKENS(argn) do { \ 226 if (ARG_IS_VALID(kar, ARG_PID)) { \ 227 if ((ar->ar_arg_pid > 0) /* Kill a single process */ \ --- 18 unchanged lines hidden (view full) --- 246 * system call. 247 */ 248static void 249audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 250{ 251 struct au_token *tok; 252 253 switch (ar->ar_arg_cmd) { |
| 256 case A_SETPOLICY: | 254 case A_SETPOLICY: |
| 257 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) | 255 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) |
| 258 tok = au_to_arg64(1, "policy", 259 ar->ar_arg_auditon.au_flags); | 256 tok = au_to_arg64(1, "policy", 257 ar->ar_arg_auditon.au_flags); |
| 260 else | 258 else |
| 261 tok = au_to_arg32(1, "policy", 262 ar->ar_arg_auditon.au_flags); | 259 tok = au_to_arg32(1, "policy", 260 ar->ar_arg_auditon.au_flags); |
| 263 kau_write(rec, tok); 264 break; 265 | 261 kau_write(rec, tok); 262 break; 263 |
| 266 case A_SETKMASK: 267 tok = au_to_arg32(2, "setkmask:as_success", 268 ar->ar_arg_auditon.au_mask.am_success); | 264 case A_SETKMASK: 265 tok = au_to_arg32(2, "setkmask:as_success", 266 ar->ar_arg_auditon.au_mask.am_success); |
| 269 kau_write(rec, tok); | 267 kau_write(rec, tok); |
| 270 tok = au_to_arg32(2, "setkmask:as_failure", 271 ar->ar_arg_auditon.au_mask.am_failure); | 268 tok = au_to_arg32(2, "setkmask:as_failure", 269 ar->ar_arg_auditon.au_mask.am_failure); |
| 272 kau_write(rec, tok); 273 break; 274 | 270 kau_write(rec, tok); 271 break; 272 |
| 275 case A_SETQCTRL: 276 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 277 ar->ar_arg_auditon.au_qctrl.aq_hiwater); | 273 case A_SETQCTRL: 274 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 275 ar->ar_arg_auditon.au_qctrl.aq_hiwater); |
| 278 kau_write(rec, tok); | 276 kau_write(rec, tok); |
| 279 tok = au_to_arg32(3, "setqctrl:aq_lowater", 280 ar->ar_arg_auditon.au_qctrl.aq_lowater); | 277 tok = au_to_arg32(3, "setqctrl:aq_lowater", 278 ar->ar_arg_auditon.au_qctrl.aq_lowater); |
| 281 kau_write(rec, tok); | 279 kau_write(rec, tok); |
| 282 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 283 ar->ar_arg_auditon.au_qctrl.aq_bufsz); | 280 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 281 ar->ar_arg_auditon.au_qctrl.aq_bufsz); |
| 284 kau_write(rec, tok); | 282 kau_write(rec, tok); |
| 285 tok = au_to_arg32(3, "setqctrl:aq_delay", 286 ar->ar_arg_auditon.au_qctrl.aq_delay); | 283 tok = au_to_arg32(3, "setqctrl:aq_delay", 284 ar->ar_arg_auditon.au_qctrl.aq_delay); |
| 287 kau_write(rec, tok); | 285 kau_write(rec, tok); |
| 288 tok = au_to_arg32(3, "setqctrl:aq_minfree", 289 ar->ar_arg_auditon.au_qctrl.aq_minfree); | 286 tok = au_to_arg32(3, "setqctrl:aq_minfree", 287 ar->ar_arg_auditon.au_qctrl.aq_minfree); |
| 290 kau_write(rec, tok); 291 break; 292 | 288 kau_write(rec, tok); 289 break; 290 |
| 293 case A_SETUMASK: 294 tok = au_to_arg32(3, "setumask:as_success", 295 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); | 291 case A_SETUMASK: 292 tok = au_to_arg32(3, "setumask:as_success", 293 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); |
| 296 kau_write(rec, tok); | 294 kau_write(rec, tok); |
| 297 tok = au_to_arg32(3, "setumask:as_failure", 298 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); | 295 tok = au_to_arg32(3, "setumask:as_failure", 296 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); |
| 299 kau_write(rec, tok); 300 break; 301 | 297 kau_write(rec, tok); 298 break; 299 |
| 302 case A_SETSMASK: 303 tok = au_to_arg32(3, "setsmask:as_success", 304 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); | 300 case A_SETSMASK: 301 tok = au_to_arg32(3, "setsmask:as_success", 302 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); |
| 305 kau_write(rec, tok); | 303 kau_write(rec, tok); |
| 306 tok = au_to_arg32(3, "setsmask:as_failure", 307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); | 304 tok = au_to_arg32(3, "setsmask:as_failure", 305 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); |
| 308 kau_write(rec, tok); 309 break; 310 | 306 kau_write(rec, tok); 307 break; 308 |
| 311 case A_SETCOND: | 309 case A_SETCOND: |
| 312 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) | 310 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) |
| 313 tok = au_to_arg64(3, "setcond", 314 ar->ar_arg_auditon.au_cond); | 311 tok = au_to_arg64(3, "setcond", 312 ar->ar_arg_auditon.au_cond); |
| 315 else | 313 else |
| 316 tok = au_to_arg32(3, "setcond", 317 ar->ar_arg_auditon.au_cond); | 314 tok = au_to_arg32(3, "setcond", 315 ar->ar_arg_auditon.au_cond); |
| 318 kau_write(rec, tok); 319 break; 320 | 316 kau_write(rec, tok); 317 break; 318 |
| 321 case A_SETCLASS: | 319 case A_SETCLASS: |
| 322 tok = au_to_arg32(2, "setclass:ec_event", | 320 tok = au_to_arg32(2, "setclass:ec_event", |
| 323 ar->ar_arg_auditon.au_evclass.ec_number); | 321 ar->ar_arg_auditon.au_evclass.ec_number); |
| 324 kau_write(rec, tok); 325 tok = au_to_arg32(3, "setclass:ec_class", | 322 kau_write(rec, tok); 323 tok = au_to_arg32(3, "setclass:ec_class", |
| 326 ar->ar_arg_auditon.au_evclass.ec_class); | 324 ar->ar_arg_auditon.au_evclass.ec_class); |
| 327 kau_write(rec, tok); 328 break; 329 | 325 kau_write(rec, tok); 326 break; 327 |
| 330 case A_SETPMASK: 331 tok = au_to_arg32(2, "setpmask:as_success", 332 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); | 328 case A_SETPMASK: 329 tok = au_to_arg32(2, "setpmask:as_success", 330 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); |
| 333 kau_write(rec, tok); | 331 kau_write(rec, tok); |
| 334 tok = au_to_arg32(2, "setpmask:as_failure", 335 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); | 332 tok = au_to_arg32(2, "setpmask:as_failure", 333 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); |
| 336 kau_write(rec, tok); 337 break; 338 | 334 kau_write(rec, tok); 335 break; 336 |
| 339 case A_SETFSIZE: 340 tok = au_to_arg32(2, "setfsize:filesize", 341 ar->ar_arg_auditon.au_fstat.af_filesz); | 337 case A_SETFSIZE: 338 tok = au_to_arg32(2, "setfsize:filesize", 339 ar->ar_arg_auditon.au_fstat.af_filesz); |
| 342 kau_write(rec, tok); 343 break; 344 345 default: 346 break; 347 } 348} 349 350/* | 340 kau_write(rec, tok); 341 break; 342 343 default: 344 break; 345 } 346} 347 348/* |
| 351 * Convert an internal kernel audit record to a BSM record and return 352 * a success/failure indicator. The BSM record is passed as an out 353 * parameter to this function. | 349 * Convert an internal kernel audit record to a BSM record and return a 350 * success/failure indicator. The BSM record is passed as an out parameter to 351 * this function. 352 * |
| 354 * Return conditions: 355 * BSM_SUCCESS: The BSM record is valid 356 * BSM_FAILURE: Failure; the BSM record is NULL. | 353 * Return conditions: 354 * BSM_SUCCESS: The BSM record is valid 355 * BSM_FAILURE: Failure; the BSM record is NULL. |
| 357 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. | 356 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. |
| 358 */ 359int 360kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 361{ 362 struct au_token *tok, *subj_tok; 363 struct au_record *rec; 364 au_tid_t tid; 365 struct audit_record *ar; --- 12 unchanged lines hidden (view full) --- 378 ar->ar_subj_cred.cr_uid, /* eff uid */ 379 ar->ar_subj_egid, /* eff group id */ 380 ar->ar_subj_ruid, /* real uid */ 381 ar->ar_subj_rgid, /* real group id */ 382 ar->ar_subj_pid, /* process id */ 383 ar->ar_subj_asid, /* session ID */ 384 &tid); 385 | 357 */ 358int 359kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 360{ 361 struct au_token *tok, *subj_tok; 362 struct au_record *rec; 363 au_tid_t tid; 364 struct audit_record *ar; --- 12 unchanged lines hidden (view full) --- 377 ar->ar_subj_cred.cr_uid, /* eff uid */ 378 ar->ar_subj_egid, /* eff group id */ 379 ar->ar_subj_ruid, /* real uid */ 380 ar->ar_subj_rgid, /* real group id */ 381 ar->ar_subj_pid, /* process id */ 382 ar->ar_subj_asid, /* session ID */ 383 &tid); 384 |
| 386 /* The logic inside each case fills in the tokens required for the 387 * event, except for the header, trailer, and return tokens. The | 385 /* 386 * The logic inside each case fills in the tokens required for the 387 * event, except for the header, trailer, and return tokens. The |
| 388 * header and trailer tokens are added by the kau_close() function. 389 * The return token is added outside of the switch statement. | 388 * header and trailer tokens are added by the kau_close() function. 389 * The return token is added outside of the switch statement. |
| 390 */ 391 switch(ar->ar_event) { 392 393 /* 394 * Socket-related events. | |
| 395 */ | 390 */ |
| 391 switch(ar->ar_event) { |
|
| 396 case AUE_ACCEPT: 397 case AUE_BIND: 398 case AUE_CONNECT: 399 case AUE_RECVFROM: | 392 case AUE_ACCEPT: 393 case AUE_BIND: 394 case AUE_CONNECT: 395 case AUE_RECVFROM: |
| 400 case AUE_RECVMSG: | 396 case AUE_RECVMSG: |
| 401 case AUE_SENDMSG: 402 case AUE_SENDTO: | 397 case AUE_SENDMSG: 398 case AUE_SENDTO: |
| 399 /* 400 * Socket-related events. 401 */ |
|
| 403 if (ARG_IS_VALID(kar, ARG_FD)) { 404 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 405 kau_write(rec, tok); 406 } 407 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { | 402 if (ARG_IS_VALID(kar, ARG_FD)) { 403 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 404 kau_write(rec, tok); 405 } 406 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { |
| 408 tok = au_to_sock_inet( 409 (struct sockaddr_in *)&ar->ar_arg_sockaddr); | 407 tok = au_to_sock_inet((struct sockaddr_in *) 408 &ar->ar_arg_sockaddr); |
| 410 kau_write(rec, tok); 411 } 412 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { | 409 kau_write(rec, tok); 410 } 411 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { |
| 413 tok = au_to_sock_unix( 414 (struct sockaddr_un *)&ar->ar_arg_sockaddr); | 412 tok = au_to_sock_unix((struct sockaddr_un *) 413 &ar->ar_arg_sockaddr); |
| 415 kau_write(rec, tok); 416 UPATH1_TOKENS; 417 } 418 /* XXX Need to handle ARG_SADDRINET6 */ 419 break; 420 421 case AUE_SOCKET: 422 case AUE_SOCKETPAIR: --- 31 unchanged lines hidden (view full) --- 454 if (ARG_IS_VALID(kar, ARG_AUID)) { 455 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 456 kau_write(rec, tok); 457 } 458 break; 459 460 case AUE_SETAUDIT: 461 if (ARG_IS_VALID(kar, ARG_AUID)) { | 414 kau_write(rec, tok); 415 UPATH1_TOKENS; 416 } 417 /* XXX Need to handle ARG_SADDRINET6 */ 418 break; 419 420 case AUE_SOCKET: 421 case AUE_SOCKETPAIR: --- 31 unchanged lines hidden (view full) --- 453 if (ARG_IS_VALID(kar, ARG_AUID)) { 454 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 455 kau_write(rec, tok); 456 } 457 break; 458 459 case AUE_SETAUDIT: 460 if (ARG_IS_VALID(kar, ARG_AUID)) { |
| 462 tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid); | 461 tok = au_to_arg32(1, "setaudit:auid", 462 ar->ar_arg_auid); |
| 463 kau_write(rec, tok); | 463 kau_write(rec, tok); |
| 464 tok = au_to_arg32(1, "setaudit:port", 465 ar->ar_arg_termid.port); | 464 tok = au_to_arg32(1, "setaudit:port", 465 ar->ar_arg_termid.port); |
| 466 kau_write(rec, tok); | 466 kau_write(rec, tok); |
| 467 tok = au_to_arg32(1, "setaudit:machine", 468 ar->ar_arg_termid.machine); | 467 tok = au_to_arg32(1, "setaudit:machine", 468 ar->ar_arg_termid.machine); |
| 469 kau_write(rec, tok); | 469 kau_write(rec, tok); |
| 470 tok = au_to_arg32(1, "setaudit:as_success", 471 ar->ar_arg_amask.am_success); | 470 tok = au_to_arg32(1, "setaudit:as_success", 471 ar->ar_arg_amask.am_success); |
| 472 kau_write(rec, tok); | 472 kau_write(rec, tok); |
| 473 tok = au_to_arg32(1, "setaudit:as_failure", 474 ar->ar_arg_amask.am_failure); | 473 tok = au_to_arg32(1, "setaudit:as_failure", 474 ar->ar_arg_amask.am_failure); |
| 475 kau_write(rec, tok); | 475 kau_write(rec, tok); |
| 476 tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid); | 476 tok = au_to_arg32(1, "setaudit:asid", 477 ar->ar_arg_asid); |
| 477 kau_write(rec, tok); 478 } 479 break; 480 481 case AUE_SETAUDIT_ADDR: 482 break; /* XXX need to add arguments */ 483 484 case AUE_AUDITON: | 478 kau_write(rec, tok); 479 } 480 break; 481 482 case AUE_SETAUDIT_ADDR: 483 break; /* XXX need to add arguments */ 484 485 case AUE_AUDITON: |
| 485 /* For AUDITON commands without own event, audit the cmd */ | 486 /* 487 * For AUDITON commands without own event, audit the cmd. 488 */ |
| 486 if (ARG_IS_VALID(kar, ARG_CMD)) { 487 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 488 kau_write(rec, tok); 489 } 490 /* fall thru */ 491 492 case AUE_AUDITON_GETCAR: 493 case AUE_AUDITON_GETCLASS: --- 6 unchanged lines hidden (view full) --- 500 case AUE_AUDITON_SETCLASS: 501 case AUE_AUDITON_SETCOND: 502 case AUE_AUDITON_SETKMASK: 503 case AUE_AUDITON_SETSMASK: 504 case AUE_AUDITON_SETSTAT: 505 case AUE_AUDITON_SETUMASK: 506 case AUE_AUDITON_SPOLICY: 507 case AUE_AUDITON_SQCTRL: | 489 if (ARG_IS_VALID(kar, ARG_CMD)) { 490 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 491 kau_write(rec, tok); 492 } 493 /* fall thru */ 494 495 case AUE_AUDITON_GETCAR: 496 case AUE_AUDITON_GETCLASS: --- 6 unchanged lines hidden (view full) --- 503 case AUE_AUDITON_SETCLASS: 504 case AUE_AUDITON_SETCOND: 505 case AUE_AUDITON_SETKMASK: 506 case AUE_AUDITON_SETSMASK: 507 case AUE_AUDITON_SETSTAT: 508 case AUE_AUDITON_SETUMASK: 509 case AUE_AUDITON_SPOLICY: 510 case AUE_AUDITON_SQCTRL: |
| 508 if (ARG_IS_VALID(kar, ARG_AUDITON)) { | 511 if (ARG_IS_VALID(kar, ARG_AUDITON)) |
| 509 audit_sys_auditon(ar, rec); | 512 audit_sys_auditon(ar, rec); |
| 510 } | |
| 511 break; | 513 break; |
| 512 | 514 |
| 513 case AUE_AUDITCTL: 514 UPATH1_VNODE1_TOKENS; 515 break; 516 517 case AUE_EXIT: 518 if (ARG_IS_VALID(kar, ARG_EXIT)) { 519 tok = au_to_exit(ar->ar_arg_exitretval, 520 ar->ar_arg_exitstatus); --- 8 unchanged lines hidden (view full) --- 529 case AUE_GETAUID: 530 case AUE_GETFSSTAT: 531 case AUE_PIPE: 532 case AUE_SETPGRP: 533 case AUE_SETRLIMIT: 534 case AUE_SETSID: 535 case AUE_SETTIMEOFDAY: 536 case AUE_NEWSYSTEMSHREG: | 515 case AUE_AUDITCTL: 516 UPATH1_VNODE1_TOKENS; 517 break; 518 519 case AUE_EXIT: 520 if (ARG_IS_VALID(kar, ARG_EXIT)) { 521 tok = au_to_exit(ar->ar_arg_exitretval, 522 ar->ar_arg_exitstatus); --- 8 unchanged lines hidden (view full) --- 531 case AUE_GETAUID: 532 case AUE_GETFSSTAT: 533 case AUE_PIPE: 534 case AUE_SETPGRP: 535 case AUE_SETRLIMIT: 536 case AUE_SETSID: 537 case AUE_SETTIMEOFDAY: 538 case AUE_NEWSYSTEMSHREG: |
| 537 /* Header, subject, and return tokens added at end */ | 539 /* 540 * Header, subject, and return tokens added at end. 541 */ |
| 538 break; 539 540 case AUE_ACCESS: 541 case AUE_CHDIR: 542 case AUE_CHROOT: 543 case AUE_EACCESS: 544 case AUE_EXECVE: 545 case AUE_GETATTRLIST: --- 18 unchanged lines hidden (view full) --- 564 case AUE_CHFLAGS: 565 case AUE_LCHFLAGS: 566 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 567 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 568 kau_write(rec, tok); 569 } 570 UPATH1_VNODE1_TOKENS; 571 break; | 542 break; 543 544 case AUE_ACCESS: 545 case AUE_CHDIR: 546 case AUE_CHROOT: 547 case AUE_EACCESS: 548 case AUE_EXECVE: 549 case AUE_GETATTRLIST: --- 18 unchanged lines hidden (view full) --- 568 case AUE_CHFLAGS: 569 case AUE_LCHFLAGS: 570 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 571 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 572 kau_write(rec, tok); 573 } 574 UPATH1_VNODE1_TOKENS; 575 break; |
| 572 | 576 |
| 573 case AUE_CHMOD: 574 case AUE_LCHMOD: 575 if (ARG_IS_VALID(kar, ARG_MODE)) { | 577 case AUE_CHMOD: 578 case AUE_LCHMOD: 579 if (ARG_IS_VALID(kar, ARG_MODE)) { |
| 576 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); | 580 tok = au_to_arg32(2, "new file mode", 581 ar->ar_arg_mode); |
| 577 kau_write(rec, tok); 578 } 579 UPATH1_VNODE1_TOKENS; 580 break; | 582 kau_write(rec, tok); 583 } 584 UPATH1_VNODE1_TOKENS; 585 break; |
| 581 | 586 |
| 582 case AUE_CHOWN: 583 case AUE_LCHOWN: 584 if (ARG_IS_VALID(kar, ARG_UID)) { 585 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 586 kau_write(rec, tok); 587 } 588 if (ARG_IS_VALID(kar, ARG_GID)) { 589 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 590 kau_write(rec, tok); 591 } 592 UPATH1_VNODE1_TOKENS; 593 break; | 587 case AUE_CHOWN: 588 case AUE_LCHOWN: 589 if (ARG_IS_VALID(kar, ARG_UID)) { 590 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 591 kau_write(rec, tok); 592 } 593 if (ARG_IS_VALID(kar, ARG_GID)) { 594 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 595 kau_write(rec, tok); 596 } 597 UPATH1_VNODE1_TOKENS; 598 break; |
| 594 | 599 |
| 595 case AUE_EXCHANGEDATA: 596 UPATH1_VNODE1_TOKENS; 597 UPATH2_TOKENS; 598 break; 599 600 case AUE_CLOSE: 601 if (ARG_IS_VALID(kar, ARG_FD)) { 602 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 603 kau_write(rec, tok); 604 } 605 UPATH1_VNODE1_TOKENS; 606 break; 607 608 case AUE_FCHMOD: 609 if (ARG_IS_VALID(kar, ARG_MODE)) { | 600 case AUE_EXCHANGEDATA: 601 UPATH1_VNODE1_TOKENS; 602 UPATH2_TOKENS; 603 break; 604 605 case AUE_CLOSE: 606 if (ARG_IS_VALID(kar, ARG_FD)) { 607 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 608 kau_write(rec, tok); 609 } 610 UPATH1_VNODE1_TOKENS; 611 break; 612 613 case AUE_FCHMOD: 614 if (ARG_IS_VALID(kar, ARG_MODE)) { |
| 610 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); | 615 tok = au_to_arg32(2, "new file mode", 616 ar->ar_arg_mode); |
| 611 kau_write(rec, tok); 612 } 613 FD_VNODE1_TOKENS; 614 break; | 617 kau_write(rec, tok); 618 } 619 FD_VNODE1_TOKENS; 620 break; |
| 615 | 621 |
| 616 case AUE_FCHDIR: 617 case AUE_FPATHCONF: 618 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 619 case AUE_FSTATFS: 620 case AUE_FSYNC: 621 case AUE_FTRUNCATE: 622 case AUE_FUTIMES: 623 case AUE_GETDIRENTRIES: 624 case AUE_GETDIRENTRIESATTR: 625 FD_VNODE1_TOKENS; 626 break; | 622 case AUE_FCHDIR: 623 case AUE_FPATHCONF: 624 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 625 case AUE_FSTATFS: 626 case AUE_FSYNC: 627 case AUE_FTRUNCATE: 628 case AUE_FUTIMES: 629 case AUE_GETDIRENTRIES: 630 case AUE_GETDIRENTRIESATTR: 631 FD_VNODE1_TOKENS; 632 break; |
| 627 | 633 |
| 628 case AUE_FCHOWN: 629 if (ARG_IS_VALID(kar, ARG_UID)) { 630 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 631 kau_write(rec, tok); 632 } 633 if (ARG_IS_VALID(kar, ARG_GID)) { 634 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 635 kau_write(rec, tok); 636 } 637 FD_VNODE1_TOKENS; 638 break; | 634 case AUE_FCHOWN: 635 if (ARG_IS_VALID(kar, ARG_UID)) { 636 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 637 kau_write(rec, tok); 638 } 639 if (ARG_IS_VALID(kar, ARG_GID)) { 640 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 641 kau_write(rec, tok); 642 } 643 FD_VNODE1_TOKENS; 644 break; |
| 639 | 645 |
| 640 case AUE_FCNTL: 641 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 642 ar->ar_arg_cmd == F_SETLKW) { 643 if (ARG_IS_VALID(kar, ARG_CMD)) { 644 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 645 kau_write(rec, tok); 646 } 647 FD_VNODE1_TOKENS; 648 } 649 break; | 646 case AUE_FCNTL: 647 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 648 ar->ar_arg_cmd == F_SETLKW) { 649 if (ARG_IS_VALID(kar, ARG_CMD)) { 650 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 651 kau_write(rec, tok); 652 } 653 FD_VNODE1_TOKENS; 654 } 655 break; |
| 650 | 656 |
| 651 case AUE_FCHFLAGS: 652 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 653 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 654 kau_write(rec, tok); 655 } 656 FD_VNODE1_TOKENS; 657 break; | 657 case AUE_FCHFLAGS: 658 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 659 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 660 kau_write(rec, tok); 661 } 662 FD_VNODE1_TOKENS; 663 break; |
| 658 | 664 |
| 659 case AUE_FLOCK: 660 if (ARG_IS_VALID(kar, ARG_CMD)) { 661 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 662 kau_write(rec, tok); 663 } 664 FD_VNODE1_TOKENS; 665 break; | 665 case AUE_FLOCK: 666 if (ARG_IS_VALID(kar, ARG_CMD)) { 667 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 668 kau_write(rec, tok); 669 } 670 FD_VNODE1_TOKENS; 671 break; |
| 666 | 672 |
| 667 case AUE_RFORK: 668 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 669 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 670 kau_write(rec, tok); 671 } 672 /* fall through */ 673 case AUE_FORK: 674 case AUE_VFORK: 675 if (ARG_IS_VALID(kar, ARG_PID)) { 676 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 677 kau_write(rec, tok); 678 } 679 break; | 673 case AUE_RFORK: 674 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 675 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 676 kau_write(rec, tok); 677 } 678 /* fall through */ 679 case AUE_FORK: 680 case AUE_VFORK: 681 if (ARG_IS_VALID(kar, ARG_PID)) { 682 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 683 kau_write(rec, tok); 684 } 685 break; |
| 680 | 686 |
| 681 case AUE_IOCTL: 682 if (ARG_IS_VALID(kar, ARG_CMD)) { 683 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 684 kau_write(rec, tok); 685 } 686 if (ARG_IS_VALID(kar, ARG_ADDR)) { 687 tok = au_to_arg32(1, "arg", 688 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 689 kau_write(rec, tok); 690 } | 687 case AUE_IOCTL: 688 if (ARG_IS_VALID(kar, ARG_CMD)) { 689 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 690 kau_write(rec, tok); 691 } 692 if (ARG_IS_VALID(kar, ARG_ADDR)) { 693 tok = au_to_arg32(1, "arg", 694 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 695 kau_write(rec, tok); 696 } |
| 691 if (ARG_IS_VALID(kar, ARG_VNODE1)) { | 697 if (ARG_IS_VALID(kar, ARG_VNODE1)) |
| 692 FD_VNODE1_TOKENS; | 698 FD_VNODE1_TOKENS; |
| 693 } else { | 699 else { |
| 694 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { | 700 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { |
| 695 tok = kau_to_socket(&ar->ar_arg_sockinfo); | 701 tok = kau_to_socket(&ar->ar_arg_sockinfo); |
| 696 kau_write(rec, tok); 697 } else { 698 if (ARG_IS_VALID(kar, ARG_FD)) { 699 tok = au_to_arg32(1, "fd", 700 ar->ar_arg_fd); 701 kau_write(rec, tok); 702 } 703 } --- 30 unchanged lines hidden (view full) --- 734 case AUE_LOADSHFILE: 735 if (ARG_IS_VALID(kar, ARG_ADDR)) { 736 tok = au_to_arg32(4, "base addr", 737 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 738 kau_write(rec, tok); 739 } 740 UPATH1_VNODE1_TOKENS; 741 break; | 702 kau_write(rec, tok); 703 } else { 704 if (ARG_IS_VALID(kar, ARG_FD)) { 705 tok = au_to_arg32(1, "fd", 706 ar->ar_arg_fd); 707 kau_write(rec, tok); 708 } 709 } --- 30 unchanged lines hidden (view full) --- 740 case AUE_LOADSHFILE: 741 if (ARG_IS_VALID(kar, ARG_ADDR)) { 742 tok = au_to_arg32(4, "base addr", 743 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 744 kau_write(rec, tok); 745 } 746 UPATH1_VNODE1_TOKENS; 747 break; |
| 742 | 748 |
| 743 case AUE_MKDIR: 744 if (ARG_IS_VALID(kar, ARG_MODE)) { 745 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 746 kau_write(rec, tok); 747 } 748 UPATH1_VNODE1_TOKENS; 749 break; 750 --- 48 unchanged lines hidden (view full) --- 799 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 800 kau_write(rec, tok); 801 } 802 if (ARG_IS_VALID(kar, ARG_TEXT)) { 803 tok = au_to_text(ar->ar_arg_text); 804 kau_write(rec, tok); 805 } 806 /* fall through */ | 749 case AUE_MKDIR: 750 if (ARG_IS_VALID(kar, ARG_MODE)) { 751 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 752 kau_write(rec, tok); 753 } 754 UPATH1_VNODE1_TOKENS; 755 break; 756 --- 48 unchanged lines hidden (view full) --- 805 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 806 kau_write(rec, tok); 807 } 808 if (ARG_IS_VALID(kar, ARG_TEXT)) { 809 tok = au_to_text(ar->ar_arg_text); 810 kau_write(rec, tok); 811 } 812 /* fall through */ |
| 813 |
|
| 807 case AUE_UMOUNT: 808 UPATH1_VNODE1_TOKENS; 809 break; 810 811 case AUE_MSGCTL: 812 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 813 /* Fall through */ | 814 case AUE_UMOUNT: 815 UPATH1_VNODE1_TOKENS; 816 break; 817 818 case AUE_MSGCTL: 819 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 820 /* Fall through */ |
| 821 |
|
| 814 case AUE_MSGRCV: 815 case AUE_MSGSND: 816 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 817 kau_write(rec, tok); 818 if (ar->ar_errno != EINVAL) { 819 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 820 kau_write(rec, tok); 821 } --- 11 unchanged lines hidden (view full) --- 833 834 case AUE_RESETSHFILE: 835 if (ARG_IS_VALID(kar, ARG_ADDR)) { 836 tok = au_to_arg32(1, "base addr", 837 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 838 kau_write(rec, tok); 839 } 840 break; | 822 case AUE_MSGRCV: 823 case AUE_MSGSND: 824 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 825 kau_write(rec, tok); 826 if (ar->ar_errno != EINVAL) { 827 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 828 kau_write(rec, tok); 829 } --- 11 unchanged lines hidden (view full) --- 841 842 case AUE_RESETSHFILE: 843 if (ARG_IS_VALID(kar, ARG_ADDR)) { 844 tok = au_to_arg32(1, "base addr", 845 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 846 kau_write(rec, tok); 847 } 848 break; |
| 841 | 849 |
| 842 case AUE_OPEN_RC: 843 case AUE_OPEN_RTC: 844 case AUE_OPEN_RWC: 845 case AUE_OPEN_RWTC: 846 case AUE_OPEN_WC: 847 case AUE_OPEN_WTC: 848 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 849 if (ARG_IS_VALID(kar, ARG_MODE)) { --- 49 unchanged lines hidden (view full) --- 899 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 900 kau_write(rec, tok); 901 } 902 break; 903 904 case AUE_SEMCTL: 905 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 906 /* Fall through */ | 850 case AUE_OPEN_RC: 851 case AUE_OPEN_RTC: 852 case AUE_OPEN_RWC: 853 case AUE_OPEN_RWTC: 854 case AUE_OPEN_WC: 855 case AUE_OPEN_WTC: 856 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 857 if (ARG_IS_VALID(kar, ARG_MODE)) { --- 49 unchanged lines hidden (view full) --- 907 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 908 kau_write(rec, tok); 909 } 910 break; 911 912 case AUE_SEMCTL: 913 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 914 /* Fall through */ |
| 915 |
|
| 907 case AUE_SEMOP: 908 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 909 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 910 kau_write(rec, tok); 911 if (ar->ar_errno != EINVAL) { 912 tok = au_to_ipc(AT_IPC_SEM, 913 ar->ar_arg_svipc_id); 914 kau_write(rec, tok); 915 } 916 } 917 break; | 916 case AUE_SEMOP: 917 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 918 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 919 kau_write(rec, tok); 920 if (ar->ar_errno != EINVAL) { 921 tok = au_to_ipc(AT_IPC_SEM, 922 ar->ar_arg_svipc_id); 923 kau_write(rec, tok); 924 } 925 } 926 break; |
| 927 |
|
| 918 case AUE_SEMGET: 919 if (ar->ar_errno == 0) { 920 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 921 tok = au_to_ipc(AT_IPC_SEM, 922 ar->ar_arg_svipc_id); 923 kau_write(rec, tok); 924 } 925 } 926 break; | 928 case AUE_SEMGET: 929 if (ar->ar_errno == 0) { 930 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 931 tok = au_to_ipc(AT_IPC_SEM, 932 ar->ar_arg_svipc_id); 933 kau_write(rec, tok); 934 } 935 } 936 break; |
| 937 |
|
| 927 case AUE_SETEGID: 928 if (ARG_IS_VALID(kar, ARG_EGID)) { 929 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 930 kau_write(rec, tok); 931 } 932 break; | 938 case AUE_SETEGID: 939 if (ARG_IS_VALID(kar, ARG_EGID)) { 940 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 941 kau_write(rec, tok); 942 } 943 break; |
| 944 |
|
| 933 case AUE_SETEUID: 934 if (ARG_IS_VALID(kar, ARG_EUID)) { 935 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 936 kau_write(rec, tok); 937 } 938 break; | 945 case AUE_SETEUID: 946 if (ARG_IS_VALID(kar, ARG_EUID)) { 947 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 948 kau_write(rec, tok); 949 } 950 break; |
| 951 |
|
| 939 case AUE_SETREGID: 940 if (ARG_IS_VALID(kar, ARG_RGID)) { 941 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 942 kau_write(rec, tok); 943 } 944 if (ARG_IS_VALID(kar, ARG_EGID)) { 945 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 946 kau_write(rec, tok); 947 } 948 break; | 952 case AUE_SETREGID: 953 if (ARG_IS_VALID(kar, ARG_RGID)) { 954 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 955 kau_write(rec, tok); 956 } 957 if (ARG_IS_VALID(kar, ARG_EGID)) { 958 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 959 kau_write(rec, tok); 960 } 961 break; |
| 962 |
|
| 949 case AUE_SETREUID: 950 if (ARG_IS_VALID(kar, ARG_RUID)) { 951 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 952 kau_write(rec, tok); 953 } 954 if (ARG_IS_VALID(kar, ARG_EUID)) { 955 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 956 kau_write(rec, tok); 957 } 958 break; | 963 case AUE_SETREUID: 964 if (ARG_IS_VALID(kar, ARG_RUID)) { 965 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 966 kau_write(rec, tok); 967 } 968 if (ARG_IS_VALID(kar, ARG_EUID)) { 969 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 970 kau_write(rec, tok); 971 } 972 break; |
| 973 |
|
| 959 case AUE_SETRESGID: 960 if (ARG_IS_VALID(kar, ARG_RGID)) { 961 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 962 kau_write(rec, tok); 963 } 964 if (ARG_IS_VALID(kar, ARG_EGID)) { 965 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 966 kau_write(rec, tok); 967 } 968 if (ARG_IS_VALID(kar, ARG_SGID)) { 969 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 970 kau_write(rec, tok); 971 } 972 break; | 974 case AUE_SETRESGID: 975 if (ARG_IS_VALID(kar, ARG_RGID)) { 976 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 977 kau_write(rec, tok); 978 } 979 if (ARG_IS_VALID(kar, ARG_EGID)) { 980 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 981 kau_write(rec, tok); 982 } 983 if (ARG_IS_VALID(kar, ARG_SGID)) { 984 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 985 kau_write(rec, tok); 986 } 987 break; |
| 988 |
|
| 973 case AUE_SETRESUID: 974 if (ARG_IS_VALID(kar, ARG_RUID)) { 975 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 976 kau_write(rec, tok); 977 } 978 if (ARG_IS_VALID(kar, ARG_EUID)) { 979 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 980 kau_write(rec, tok); 981 } 982 if (ARG_IS_VALID(kar, ARG_SUID)) { 983 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 984 kau_write(rec, tok); 985 } 986 break; | 989 case AUE_SETRESUID: 990 if (ARG_IS_VALID(kar, ARG_RUID)) { 991 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 992 kau_write(rec, tok); 993 } 994 if (ARG_IS_VALID(kar, ARG_EUID)) { 995 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 996 kau_write(rec, tok); 997 } 998 if (ARG_IS_VALID(kar, ARG_SUID)) { 999 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1000 kau_write(rec, tok); 1001 } 1002 break; |
| 1003 |
|
| 987 case AUE_SETGID: 988 if (ARG_IS_VALID(kar, ARG_GID)) { 989 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 990 kau_write(rec, tok); 991 } 992 break; | 1004 case AUE_SETGID: 1005 if (ARG_IS_VALID(kar, ARG_GID)) { 1006 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1007 kau_write(rec, tok); 1008 } 1009 break; |
| 1010 |
|
| 993 case AUE_SETUID: 994 if (ARG_IS_VALID(kar, ARG_UID)) { 995 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 996 kau_write(rec, tok); 997 } 998 break; | 1011 case AUE_SETUID: 1012 if (ARG_IS_VALID(kar, ARG_UID)) { 1013 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1014 kau_write(rec, tok); 1015 } 1016 break; |
| 1017 |
|
| 999 case AUE_SETGROUPS: 1000 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1001 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1002 { 1003 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1004 kau_write(rec, tok); 1005 } 1006 } --- 92 unchanged lines hidden (view full) --- 1099 kau_write(rec, tok); 1100 } 1101 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1102 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1103 kau_write(rec, tok); 1104 } 1105 break; 1106 | 1018 case AUE_SETGROUPS: 1019 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1020 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1021 { 1022 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1023 kau_write(rec, tok); 1024 } 1025 } --- 92 unchanged lines hidden (view full) --- 1118 kau_write(rec, tok); 1119 } 1120 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1121 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1122 kau_write(rec, tok); 1123 } 1124 break; 1125 |
| 1107 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE | 1126 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE |
| 1108 * and AUE_SEMUNLINK are Posix IPC */ 1109 case AUE_SHMOPEN: 1110 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1111 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1112 kau_write(rec, tok); 1113 } 1114 if (ARG_IS_VALID(kar, ARG_MODE)) { 1115 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); --- 28 unchanged lines hidden (view full) --- 1144 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1145 kau_write(rec, tok); 1146 } 1147 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1148 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1149 kau_write(rec, tok); 1150 } 1151 /* fall through */ | 1127 * and AUE_SEMUNLINK are Posix IPC */ 1128 case AUE_SHMOPEN: 1129 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1130 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1131 kau_write(rec, tok); 1132 } 1133 if (ARG_IS_VALID(kar, ARG_MODE)) { 1134 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); --- 28 unchanged lines hidden (view full) --- 1163 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1164 kau_write(rec, tok); 1165 } 1166 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1167 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1168 kau_write(rec, tok); 1169 } 1170 /* fall through */ |
| 1171 |
|
| 1152 case AUE_SEMUNLINK: 1153 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1154 tok = au_to_text(ar->ar_arg_text); 1155 kau_write(rec, tok); 1156 } 1157 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1158 /* Create an ipc_perm token */ 1159 struct ipc_perm perm; --- 22 unchanged lines hidden (view full) --- 1182 kau_write(rec, tok); 1183 } 1184 UPATH1_VNODE1_TOKENS; 1185 break; 1186 1187 case AUE_SYSCTL: 1188 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1189 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { | 1172 case AUE_SEMUNLINK: 1173 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1174 tok = au_to_text(ar->ar_arg_text); 1175 kau_write(rec, tok); 1176 } 1177 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1178 /* Create an ipc_perm token */ 1179 struct ipc_perm perm; --- 22 unchanged lines hidden (view full) --- 1202 kau_write(rec, tok); 1203 } 1204 UPATH1_VNODE1_TOKENS; 1205 break; 1206 1207 case AUE_SYSCTL: 1208 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1209 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { |
| 1190 tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]); 1191 kau_write(rec, tok); | 1210 tok = au_to_arg32(1, "name", 1211 ar->ar_arg_ctlname[ctr]); 1212 kau_write(rec, tok); |
| 1192 } 1193 } 1194 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1195 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1196 kau_write(rec, tok); 1197 } 1198 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1199 tok = au_to_text(ar->ar_arg_text); --- 12 unchanged lines hidden (view full) --- 1212 1213 case AUE_WAIT4: 1214 if (ARG_IS_VALID(kar, ARG_PID)) { 1215 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1216 kau_write(rec, tok); 1217 } 1218 break; 1219 | 1213 } 1214 } 1215 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1216 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1217 kau_write(rec, tok); 1218 } 1219 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1220 tok = au_to_text(ar->ar_arg_text); --- 12 unchanged lines hidden (view full) --- 1233 1234 case AUE_WAIT4: 1235 if (ARG_IS_VALID(kar, ARG_PID)) { 1236 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1237 kau_write(rec, tok); 1238 } 1239 break; 1240 |
| 1220 default: /* We shouldn't fall through to here. */ | 1241 default: |
| 1221 printf("BSM conversion requested for unknown event %d\n", | 1242 printf("BSM conversion requested for unknown event %d\n", |
| 1222 ar->ar_event); | 1243 ar->ar_event); |
| 1223 /* Write the subject token so it is properly freed here. */ 1224 kau_write(rec, subj_tok); 1225 kau_free(rec); 1226 return (BSM_NOAUDIT); 1227 } 1228 | 1244 /* Write the subject token so it is properly freed here. */ 1245 kau_write(rec, subj_tok); 1246 kau_free(rec); 1247 return (BSM_NOAUDIT); 1248 } 1249 |
| 1229 kau_write(rec, subj_tok); | 1250 kau_write(rec, subj_tok); |
| 1230 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1231 kau_write(rec, tok); /* Every record gets a return token */ 1232 1233 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1234 1235 *pau = rec; 1236 return (BSM_SUCCESS); 1237} 1238 1239/* | 1251 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1252 kau_write(rec, tok); /* Every record gets a return token */ 1253 1254 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1255 1256 *pau = rec; 1257 return (BSM_SUCCESS); 1258} 1259 1260/* |
| 1240 * Verify that a record is a valid BSM record. This verification is 1241 * simple now, but may be expanded on sometime in the future. 1242 * Return 1 if the record is good, 0 otherwise. 1243 * | 1261 * Verify that a record is a valid BSM record. This verification is simple 1262 * now, but may be expanded on sometime in the future. Return 1 if the 1263 * record is good, 0 otherwise. |
| 1244 */ 1245int 1246bsm_rec_verify(void *rec) 1247{ 1248 char c = *(char *)rec; | 1264 */ 1265int 1266bsm_rec_verify(void *rec) 1267{ 1268 char c = *(char *)rec; |
| 1249 /* | 1269 1270 /* |
| 1250 * Check the token ID of the first token; it has to be a header 1251 * token. | 1271 * Check the token ID of the first token; it has to be a header 1272 * token. |
| 1252 */ 1253 /* XXXAUDIT There needs to be a token structure to map a token. | 1273 * 1274 * XXXAUDIT There needs to be a token structure to map a token. |
| 1254 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1255 */ | 1275 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1276 */ |
| 1256 if ( (c != AUT_HEADER32) && 1257 (c != AUT_HEADER32_EX) && 1258 (c != AUT_HEADER64) && 1259 (c != AUT_HEADER64_EX) ) { | 1277 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1278 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) |
| 1260 return (0); | 1279 return (0); |
| 1261 } | |
| 1262 return (1); 1263} | 1280 return (1); 1281} |