1 /*
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2016-2017 Robert N. M. Watson
6 * All rights reserved.
7 *
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
22 * its contributors may be used to endorse or promote products derived
23 * from this software without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 #include <sys/param.h>
39 #include <sys/vnode.h>
40 #include <sys/ipc.h>
41 #include <sys/lock.h>
42 #include <sys/malloc.h>
43 #include <sys/mutex.h>
44 #include <sys/socket.h>
45 #include <sys/extattr.h>
46 #include <sys/fcntl.h>
47 #include <sys/user.h>
48 #include <sys/systm.h>
49
50 #include <bsm/audit.h>
51 #include <bsm/audit_internal.h>
52 #include <bsm/audit_record.h>
53 #include <bsm/audit_kevents.h>
54
55 #include <security/audit/audit.h>
56 #include <security/audit/audit_private.h>
57
58 #include <netinet/in_systm.h>
59 #include <netinet/in.h>
60 #include <netinet/ip.h>
61
62 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
63
64 static void audit_sys_auditon(struct audit_record *ar,
65 struct au_record *rec);
66
67 /*
68 * Initialize the BSM auditing subsystem.
69 */
70 void
kau_init(void)71 kau_init(void)
72 {
73
74 au_evclassmap_init();
75 au_evnamemap_init();
76 }
77
78 /*
79 * This call reserves memory for the audit record. Memory must be guaranteed
80 * before any auditable event can be generated. The au_record structure
81 * maintains a reference to the memory allocated above and also the list of
82 * tokens associated with this record.
83 */
84 static struct au_record *
kau_open(void)85 kau_open(void)
86 {
87 struct au_record *rec;
88
89 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
90 rec->data = NULL;
91 TAILQ_INIT(&rec->token_q);
92 rec->len = 0;
93 rec->used = 1;
94
95 return (rec);
96 }
97
98 /*
99 * Store the token with the record descriptor.
100 */
101 static void
kau_write(struct au_record * rec,struct au_token * tok)102 kau_write(struct au_record *rec, struct au_token *tok)
103 {
104
105 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
106
107 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
108 rec->len += tok->len;
109 }
110
111 /*
112 * Close out the audit record by adding the header token, identifying any
113 * missing tokens. Write out the tokens to the record memory.
114 */
115 static void
kau_close(struct au_record * rec,struct timespec * ctime,short event)116 kau_close(struct au_record *rec, struct timespec *ctime, short event)
117 {
118 u_char *dptr;
119 size_t tot_rec_size;
120 token_t *cur, *hdr, *trail;
121 struct timeval tm;
122 size_t hdrsize;
123 struct auditinfo_addr ak;
124 struct in6_addr *ap;
125
126 audit_get_kinfo(&ak);
127 hdrsize = 0;
128 switch (ak.ai_termid.at_type) {
129 case AU_IPv4:
130 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
131 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
132 break;
133 case AU_IPv6:
134 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
135 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
136 AUDIT_HEADER_EX_SIZE(&ak);
137 break;
138 default:
139 panic("kau_close: invalid address family");
140 }
141 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
142 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
143
144 tm.tv_usec = ctime->tv_nsec / 1000;
145 tm.tv_sec = ctime->tv_sec;
146 if (hdrsize != AUDIT_HEADER_SIZE)
147 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
148 else
149 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
150 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
151
152 trail = au_to_trailer(tot_rec_size);
153 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
154
155 rec->len = tot_rec_size;
156 dptr = rec->data;
157 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
158 memcpy(dptr, cur->t_data, cur->len);
159 dptr += cur->len;
160 }
161 }
162
163 /*
164 * Free a BSM audit record by releasing all the tokens and clearing the audit
165 * record information.
166 */
167 void
kau_free(struct au_record * rec)168 kau_free(struct au_record *rec)
169 {
170 struct au_token *tok;
171
172 /* Free the token list. */
173 while ((tok = TAILQ_FIRST(&rec->token_q))) {
174 TAILQ_REMOVE(&rec->token_q, tok, tokens);
175 free(tok->t_data, M_AUDITBSM);
176 free(tok, M_AUDITBSM);
177 }
178
179 rec->used = 0;
180 rec->len = 0;
181 free(rec->data, M_AUDITBSM);
182 free(rec, M_AUDITBSM);
183 }
184
185 /*
186 * XXX: May want turn some (or all) of these macros into functions in order
187 * to reduce the generated code size.
188 *
189 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
190 * caller are OK with this.
191 */
192 #define ATFD1_TOKENS(argnum) do { \
193 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
194 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
195 kau_write(rec, tok); \
196 } \
197 } while (0)
198
199 #define ATFD2_TOKENS(argnum) do { \
200 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
201 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
202 kau_write(rec, tok); \
203 } \
204 } while (0)
205
206 #define UPATH1_TOKENS do { \
207 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
208 tok = au_to_path(ar->ar_arg_upath1); \
209 kau_write(rec, tok); \
210 } \
211 } while (0)
212
213 #define UPATH2_TOKENS do { \
214 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
215 tok = au_to_path(ar->ar_arg_upath2); \
216 kau_write(rec, tok); \
217 } \
218 } while (0)
219
220 #define VNODE1_TOKENS do { \
221 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
222 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
223 kau_write(rec, tok); \
224 } \
225 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
226 tok = au_to_attr32(&ar->ar_arg_vnode1); \
227 kau_write(rec, tok); \
228 } \
229 } while (0)
230
231 #define UPATH1_VNODE1_TOKENS do { \
232 UPATH1_TOKENS; \
233 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
234 tok = au_to_attr32(&ar->ar_arg_vnode1); \
235 kau_write(rec, tok); \
236 } \
237 } while (0)
238
239 #define VNODE2_TOKENS do { \
240 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
241 tok = au_to_attr32(&ar->ar_arg_vnode2); \
242 kau_write(rec, tok); \
243 } \
244 } while (0)
245
246 #define FD_VNODE1_TOKENS do { \
247 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
248 if (ARG_IS_VALID(kar, ARG_FD)) { \
249 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
250 kau_write(rec, tok); \
251 } \
252 tok = au_to_attr32(&ar->ar_arg_vnode1); \
253 kau_write(rec, tok); \
254 } else { \
255 if (ARG_IS_VALID(kar, ARG_FD)) { \
256 tok = au_to_arg32(1, "non-file: fd", \
257 ar->ar_arg_fd); \
258 kau_write(rec, tok); \
259 } \
260 } \
261 } while (0)
262
263 #define PROCESS_PID_TOKENS(argn) do { \
264 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
265 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
266 tok = au_to_process32_ex(ar->ar_arg_auid, \
267 ar->ar_arg_euid, ar->ar_arg_egid, \
268 ar->ar_arg_ruid, ar->ar_arg_rgid, \
269 ar->ar_arg_pid, ar->ar_arg_asid, \
270 &ar->ar_arg_termid_addr); \
271 kau_write(rec, tok); \
272 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
273 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
274 kau_write(rec, tok); \
275 } \
276 } while (0)
277
278 #define EXTATTR_TOKENS(namespace_argnum) do { \
279 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
280 switch (ar->ar_arg_value) { \
281 case EXTATTR_NAMESPACE_USER: \
282 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
283 break; \
284 case EXTATTR_NAMESPACE_SYSTEM: \
285 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
286 break; \
287 default: \
288 tok = au_to_arg32((namespace_argnum), \
289 "attrnamespace", ar->ar_arg_value); \
290 break; \
291 } \
292 kau_write(rec, tok); \
293 } \
294 /* attrname is in the text field */ \
295 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
296 tok = au_to_text(ar->ar_arg_text); \
297 kau_write(rec, tok); \
298 } \
299 } while (0)
300
301 /*
302 * Not all pointer arguments to system calls are of interest, but in some
303 * cases they reflect delegation of rights, such as mmap(2) followed by
304 * minherit(2) before execve(2), so do the best we can.
305 */
306 #define ADDR_TOKEN(argnum, argname) do { \
307 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
308 if (sizeof(void *) == sizeof(uint32_t)) \
309 tok = au_to_arg32((argnum), (argname), \
310 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
311 else \
312 tok = au_to_arg64((argnum), (argname), \
313 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
314 kau_write(rec, tok); \
315 } \
316 } while (0)
317
318 /*
319 * Implement auditing for the auditon() system call. The audit tokens that
320 * are generated depend on the command that was sent into the auditon()
321 * system call.
322 */
323 static void
audit_sys_auditon(struct audit_record * ar,struct au_record * rec)324 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
325 {
326 struct au_token *tok;
327
328 tok = au_to_arg32(3, "length", ar->ar_arg_len);
329 kau_write(rec, tok);
330 switch (ar->ar_arg_cmd) {
331 case A_OLDSETPOLICY:
332 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
333 tok = au_to_arg64(2, "policy",
334 ar->ar_arg_auditon.au_policy64);
335 kau_write(rec, tok);
336 break;
337 }
338 /* FALLTHROUGH */
339
340 case A_SETPOLICY:
341 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
342 kau_write(rec, tok);
343 break;
344
345 case A_SETKMASK:
346 tok = au_to_arg32(2, "setkmask:as_success",
347 ar->ar_arg_auditon.au_mask.am_success);
348 kau_write(rec, tok);
349 tok = au_to_arg32(2, "setkmask:as_failure",
350 ar->ar_arg_auditon.au_mask.am_failure);
351 kau_write(rec, tok);
352 break;
353
354 case A_OLDSETQCTRL:
355 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
356 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
357 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
358 kau_write(rec, tok);
359 tok = au_to_arg64(2, "setqctrl:aq_lowater",
360 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
361 kau_write(rec, tok);
362 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
363 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
364 kau_write(rec, tok);
365 tok = au_to_arg64(2, "setqctrl:aq_delay",
366 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
367 kau_write(rec, tok);
368 tok = au_to_arg64(2, "setqctrl:aq_minfree",
369 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
370 kau_write(rec, tok);
371 break;
372 }
373 /* FALLTHROUGH */
374
375 case A_SETQCTRL:
376 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
377 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
378 kau_write(rec, tok);
379 tok = au_to_arg32(2, "setqctrl:aq_lowater",
380 ar->ar_arg_auditon.au_qctrl.aq_lowater);
381 kau_write(rec, tok);
382 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
383 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
384 kau_write(rec, tok);
385 tok = au_to_arg32(2, "setqctrl:aq_delay",
386 ar->ar_arg_auditon.au_qctrl.aq_delay);
387 kau_write(rec, tok);
388 tok = au_to_arg32(2, "setqctrl:aq_minfree",
389 ar->ar_arg_auditon.au_qctrl.aq_minfree);
390 kau_write(rec, tok);
391 break;
392
393 case A_SETUMASK:
394 tok = au_to_arg32(2, "setumask:as_success",
395 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
396 kau_write(rec, tok);
397 tok = au_to_arg32(2, "setumask:as_failure",
398 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
399 kau_write(rec, tok);
400 break;
401
402 case A_SETSMASK:
403 tok = au_to_arg32(2, "setsmask:as_success",
404 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
405 kau_write(rec, tok);
406 tok = au_to_arg32(2, "setsmask:as_failure",
407 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
408 kau_write(rec, tok);
409 break;
410
411 case A_OLDSETCOND:
412 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
413 tok = au_to_arg64(2, "setcond",
414 ar->ar_arg_auditon.au_cond64);
415 kau_write(rec, tok);
416 break;
417 }
418 /* FALLTHROUGH */
419
420 case A_SETCOND:
421 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
422 kau_write(rec, tok);
423 break;
424
425 case A_SETCLASS:
426 tok = au_to_arg32(2, "setclass:ec_event",
427 ar->ar_arg_auditon.au_evclass.ec_number);
428 kau_write(rec, tok);
429 tok = au_to_arg32(2, "setclass:ec_class",
430 ar->ar_arg_auditon.au_evclass.ec_class);
431 kau_write(rec, tok);
432 break;
433
434 case A_SETPMASK:
435 tok = au_to_arg32(2, "setpmask:as_success",
436 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
437 kau_write(rec, tok);
438 tok = au_to_arg32(2, "setpmask:as_failure",
439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
440 kau_write(rec, tok);
441 break;
442
443 case A_SETFSIZE:
444 tok = au_to_arg32(2, "setfsize:filesize",
445 ar->ar_arg_auditon.au_fstat.af_filesz);
446 kau_write(rec, tok);
447 break;
448
449 default:
450 break;
451 }
452 }
453
454 /*
455 * Convert an internal kernel audit record to a BSM record and return a
456 * success/failure indicator. The BSM record is passed as an out parameter to
457 * this function.
458 *
459 * Return conditions:
460 * BSM_SUCCESS: The BSM record is valid
461 * BSM_FAILURE: Failure; the BSM record is NULL.
462 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
463 */
464 int
kaudit_to_bsm(struct kaudit_record * kar,struct au_record ** pau)465 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
466 {
467 struct au_token *tok, *subj_tok, *jail_tok;
468 struct au_record *rec;
469 au_tid_t tid;
470 struct audit_record *ar;
471 int ctr;
472
473 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
474
475 *pau = NULL;
476 ar = &kar->k_ar;
477 rec = kau_open();
478
479 /*
480 * Create the subject token. If this credential was jailed be sure to
481 * generate a zonename token.
482 */
483 if (ar->ar_jailname[0] != '\0')
484 jail_tok = au_to_zonename(ar->ar_jailname);
485 else
486 jail_tok = NULL;
487 switch (ar->ar_subj_term_addr.at_type) {
488 case AU_IPv4:
489 tid.port = ar->ar_subj_term_addr.at_port;
490 tid.machine = ar->ar_subj_term_addr.at_addr[0];
491 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
492 ar->ar_subj_cred.cr_uid, /* eff uid */
493 ar->ar_subj_egid, /* eff group id */
494 ar->ar_subj_ruid, /* real uid */
495 ar->ar_subj_rgid, /* real group id */
496 ar->ar_subj_pid, /* process id */
497 ar->ar_subj_asid, /* session ID */
498 &tid);
499 break;
500 case AU_IPv6:
501 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
502 ar->ar_subj_cred.cr_uid,
503 ar->ar_subj_egid,
504 ar->ar_subj_ruid,
505 ar->ar_subj_rgid,
506 ar->ar_subj_pid,
507 ar->ar_subj_asid,
508 &ar->ar_subj_term_addr);
509 break;
510 default:
511 bzero(&tid, sizeof(tid));
512 subj_tok = au_to_subject32(ar->ar_subj_auid,
513 ar->ar_subj_cred.cr_uid,
514 ar->ar_subj_egid,
515 ar->ar_subj_ruid,
516 ar->ar_subj_rgid,
517 ar->ar_subj_pid,
518 ar->ar_subj_asid,
519 &tid);
520 }
521
522 /*
523 * The logic inside each case fills in the tokens required for the
524 * event, except for the header, trailer, and return tokens. The
525 * header and trailer tokens are added by the kau_close() function.
526 * The return token is added outside of the switch statement.
527 */
528 switch(ar->ar_event) {
529 case AUE_ACCEPT:
530 if (ARG_IS_VALID(kar, ARG_FD)) {
531 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
532 kau_write(rec, tok);
533 }
534 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
535 tok = au_to_sock_inet((struct sockaddr_in *)
536 &ar->ar_arg_sockaddr);
537 kau_write(rec, tok);
538 }
539 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
540 tok = au_to_sock_unix((struct sockaddr_un *)
541 &ar->ar_arg_sockaddr);
542 kau_write(rec, tok);
543 UPATH1_TOKENS;
544 }
545 break;
546
547 case AUE_BIND:
548 case AUE_LISTEN:
549 case AUE_CONNECT:
550 case AUE_RECV:
551 case AUE_RECVFROM:
552 case AUE_RECVMSG:
553 case AUE_SEND:
554 case AUE_SENDMSG:
555 case AUE_SENDTO:
556 /*
557 * Socket-related events.
558 */
559 if (ARG_IS_VALID(kar, ARG_FD)) {
560 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
561 kau_write(rec, tok);
562 }
563 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
564 tok = au_to_sock_inet((struct sockaddr_in *)
565 &ar->ar_arg_sockaddr);
566 kau_write(rec, tok);
567 }
568 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
569 tok = au_to_sock_unix((struct sockaddr_un *)
570 &ar->ar_arg_sockaddr);
571 kau_write(rec, tok);
572 UPATH1_TOKENS;
573 }
574 /* XXX Need to handle ARG_SADDRINET6 */
575 break;
576
577 case AUE_BINDAT:
578 case AUE_CONNECTAT:
579 ATFD1_TOKENS(1);
580 if (ARG_IS_VALID(kar, ARG_FD)) {
581 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
582 kau_write(rec, tok);
583 }
584 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
585 tok = au_to_sock_unix((struct sockaddr_un *)
586 &ar->ar_arg_sockaddr);
587 kau_write(rec, tok);
588 UPATH1_TOKENS;
589 }
590 break;
591
592 case AUE_SENDFILE:
593 FD_VNODE1_TOKENS;
594 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
595 tok = au_to_sock_inet((struct sockaddr_in *)
596 &ar->ar_arg_sockaddr);
597 kau_write(rec, tok);
598 }
599 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
600 tok = au_to_sock_unix((struct sockaddr_un *)
601 &ar->ar_arg_sockaddr);
602 kau_write(rec, tok);
603 UPATH1_TOKENS;
604 }
605 /* XXX Need to handle ARG_SADDRINET6 */
606 break;
607
608 case AUE_SOCKET:
609 case AUE_SOCKETPAIR:
610 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
611 tok = au_to_arg32(1, "domain",
612 ar->ar_arg_sockinfo.so_domain);
613 kau_write(rec, tok);
614 tok = au_to_arg32(2, "type",
615 ar->ar_arg_sockinfo.so_type);
616 kau_write(rec, tok);
617 tok = au_to_arg32(3, "protocol",
618 ar->ar_arg_sockinfo.so_protocol);
619 kau_write(rec, tok);
620 }
621 break;
622
623 case AUE_SETSOCKOPT:
624 case AUE_SHUTDOWN:
625 if (ARG_IS_VALID(kar, ARG_FD)) {
626 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
627 kau_write(rec, tok);
628 }
629 break;
630
631 case AUE_ACCT:
632 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
633 UPATH1_VNODE1_TOKENS;
634 } else {
635 tok = au_to_arg32(1, "accounting off", 0);
636 kau_write(rec, tok);
637 }
638 break;
639
640 case AUE_SETAUID:
641 if (ARG_IS_VALID(kar, ARG_AUID)) {
642 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
643 kau_write(rec, tok);
644 }
645 break;
646
647 case AUE_SETAUDIT:
648 if (ARG_IS_VALID(kar, ARG_AUID) &&
649 ARG_IS_VALID(kar, ARG_ASID) &&
650 ARG_IS_VALID(kar, ARG_AMASK) &&
651 ARG_IS_VALID(kar, ARG_TERMID)) {
652 tok = au_to_arg32(1, "setaudit:auid",
653 ar->ar_arg_auid);
654 kau_write(rec, tok);
655 tok = au_to_arg32(1, "setaudit:port",
656 ar->ar_arg_termid.port);
657 kau_write(rec, tok);
658 tok = au_to_arg32(1, "setaudit:machine",
659 ar->ar_arg_termid.machine);
660 kau_write(rec, tok);
661 tok = au_to_arg32(1, "setaudit:as_success",
662 ar->ar_arg_amask.am_success);
663 kau_write(rec, tok);
664 tok = au_to_arg32(1, "setaudit:as_failure",
665 ar->ar_arg_amask.am_failure);
666 kau_write(rec, tok);
667 tok = au_to_arg32(1, "setaudit:asid",
668 ar->ar_arg_asid);
669 kau_write(rec, tok);
670 }
671 break;
672
673 case AUE_SETAUDIT_ADDR:
674 if (ARG_IS_VALID(kar, ARG_AUID) &&
675 ARG_IS_VALID(kar, ARG_ASID) &&
676 ARG_IS_VALID(kar, ARG_AMASK) &&
677 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
678 tok = au_to_arg32(1, "setaudit_addr:auid",
679 ar->ar_arg_auid);
680 kau_write(rec, tok);
681 tok = au_to_arg32(1, "setaudit_addr:as_success",
682 ar->ar_arg_amask.am_success);
683 kau_write(rec, tok);
684 tok = au_to_arg32(1, "setaudit_addr:as_failure",
685 ar->ar_arg_amask.am_failure);
686 kau_write(rec, tok);
687 tok = au_to_arg32(1, "setaudit_addr:asid",
688 ar->ar_arg_asid);
689 kau_write(rec, tok);
690 tok = au_to_arg32(1, "setaudit_addr:type",
691 ar->ar_arg_termid_addr.at_type);
692 kau_write(rec, tok);
693 tok = au_to_arg32(1, "setaudit_addr:port",
694 ar->ar_arg_termid_addr.at_port);
695 kau_write(rec, tok);
696 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
697 tok = au_to_in_addr_ex((struct in6_addr *)
698 &ar->ar_arg_termid_addr.at_addr[0]);
699 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
700 tok = au_to_in_addr((struct in_addr *)
701 &ar->ar_arg_termid_addr.at_addr[0]);
702 kau_write(rec, tok);
703 }
704 break;
705
706 case AUE_AUDITON:
707 /*
708 * For AUDITON commands without own event, audit the cmd.
709 */
710 if (ARG_IS_VALID(kar, ARG_CMD)) {
711 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
712 kau_write(rec, tok);
713 }
714 /* FALLTHROUGH */
715
716 case AUE_AUDITON_GETCAR:
717 case AUE_AUDITON_GETCLASS:
718 case AUE_AUDITON_GETCOND:
719 case AUE_AUDITON_GETCWD:
720 case AUE_AUDITON_GETKMASK:
721 case AUE_AUDITON_GETSTAT:
722 case AUE_AUDITON_GPOLICY:
723 case AUE_AUDITON_GQCTRL:
724 case AUE_AUDITON_SETCLASS:
725 case AUE_AUDITON_SETCOND:
726 case AUE_AUDITON_SETKMASK:
727 case AUE_AUDITON_SETSMASK:
728 case AUE_AUDITON_SETSTAT:
729 case AUE_AUDITON_SETUMASK:
730 case AUE_AUDITON_SPOLICY:
731 case AUE_AUDITON_SQCTRL:
732 if (ARG_IS_VALID(kar, ARG_AUDITON))
733 audit_sys_auditon(ar, rec);
734 break;
735
736 case AUE_AUDITCTL:
737 UPATH1_VNODE1_TOKENS;
738 break;
739
740 case AUE_EXIT:
741 if (ARG_IS_VALID(kar, ARG_EXIT)) {
742 tok = au_to_exit(ar->ar_arg_exitretval,
743 ar->ar_arg_exitstatus);
744 kau_write(rec, tok);
745 }
746 break;
747
748 case AUE_ADJTIME:
749 case AUE_CLOCK_SETTIME:
750 case AUE_AUDIT:
751 case AUE_DUP2:
752 case AUE_GETAUDIT:
753 case AUE_GETAUDIT_ADDR:
754 case AUE_GETAUID:
755 case AUE_GETCWD:
756 case AUE_GETFSSTAT:
757 case AUE_GETRESUID:
758 case AUE_GETRESGID:
759 case AUE_KQUEUE:
760 case AUE_MODLOAD:
761 case AUE_MODUNLOAD:
762 case AUE_MSGSYS:
763 case AUE_NTP_ADJTIME:
764 case AUE_PIPE:
765 case AUE_POSIX_OPENPT:
766 case AUE_PROFILE:
767 case AUE_RTPRIO:
768 case AUE_SEMSYS:
769 case AUE_SETFIB:
770 case AUE_SHMSYS:
771 case AUE_SETPGRP:
772 case AUE_SETRLIMIT:
773 case AUE_SETSID:
774 case AUE_SETTIMEOFDAY:
775 case AUE_SYSARCH:
776
777 /*
778 * Header, subject, and return tokens added at end.
779 */
780 break;
781
782 case AUE_ACL_DELETE_FD:
783 case AUE_ACL_DELETE_FILE:
784 case AUE_ACL_CHECK_FD:
785 case AUE_ACL_CHECK_FILE:
786 case AUE_ACL_CHECK_LINK:
787 case AUE_ACL_DELETE_LINK:
788 case AUE_ACL_GET_FD:
789 case AUE_ACL_GET_FILE:
790 case AUE_ACL_GET_LINK:
791 case AUE_ACL_SET_FD:
792 case AUE_ACL_SET_FILE:
793 case AUE_ACL_SET_LINK:
794 if (ARG_IS_VALID(kar, ARG_VALUE)) {
795 tok = au_to_arg32(1, "type", ar->ar_arg_value);
796 kau_write(rec, tok);
797 }
798 ATFD1_TOKENS(1);
799 UPATH1_VNODE1_TOKENS;
800 break;
801
802 /*
803 * NB: We may want to verify that the appropriate
804 * audit args are being processed here, but I think
805 * a bit analysis is required.
806 *
807 * Process AUE_JAIL_SET in the next block so we can pickup any path
808 * related tokens that might exist.
809 */
810 case AUE_JAIL_GET:
811 case AUE_JAIL_ATTACH:
812 case AUE_JAIL_REMOVE:
813 break;
814
815 case AUE_JAIL_SET:
816 case AUE_CHDIR:
817 case AUE_CHROOT:
818 case AUE_FSTATAT:
819 case AUE_FUTIMESAT:
820 case AUE_GETATTRLIST:
821 case AUE_JAIL:
822 case AUE_LUTIMES:
823 case AUE_NFS_GETFH:
824 case AUE_LGETFH:
825 case AUE_LSTAT:
826 case AUE_LPATHCONF:
827 case AUE_PATHCONF:
828 case AUE_READLINK:
829 case AUE_READLINKAT:
830 case AUE_REVOKE:
831 case AUE_RMDIR:
832 case AUE_SEARCHFS:
833 case AUE_SETATTRLIST:
834 case AUE_STAT:
835 case AUE_STATFS:
836 case AUE_SWAPON:
837 case AUE_SWAPOFF:
838 case AUE_TRUNCATE:
839 case AUE_UNDELETE:
840 case AUE_UNLINK:
841 case AUE_UNLINKAT:
842 case AUE_UTIMES:
843 case AUE_REALPATHAT:
844 ATFD1_TOKENS(1);
845 UPATH1_VNODE1_TOKENS;
846 break;
847
848 case AUE_ACCESS:
849 case AUE_EACCESS:
850 case AUE_FACCESSAT:
851 ATFD1_TOKENS(1);
852 UPATH1_VNODE1_TOKENS;
853 if (ARG_IS_VALID(kar, ARG_VALUE)) {
854 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
855 kau_write(rec, tok);
856 }
857 break;
858
859 case AUE_FHSTATFS:
860 case AUE_FHOPEN:
861 case AUE_FHSTAT:
862 /* XXXRW: Need to audit vnode argument. */
863 break;
864
865 case AUE_CHFLAGS:
866 case AUE_LCHFLAGS:
867 case AUE_CHFLAGSAT:
868 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
869 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
870 kau_write(rec, tok);
871 }
872 UPATH1_VNODE1_TOKENS;
873 break;
874
875 case AUE_CHMOD:
876 case AUE_LCHMOD:
877 if (ARG_IS_VALID(kar, ARG_MODE)) {
878 tok = au_to_arg32(2, "new file mode",
879 ar->ar_arg_mode);
880 kau_write(rec, tok);
881 }
882 UPATH1_VNODE1_TOKENS;
883 break;
884
885 case AUE_FCHMODAT:
886 ATFD1_TOKENS(1);
887 if (ARG_IS_VALID(kar, ARG_MODE)) {
888 tok = au_to_arg32(3, "new file mode",
889 ar->ar_arg_mode);
890 kau_write(rec, tok);
891 }
892 UPATH1_VNODE1_TOKENS;
893 break;
894
895 case AUE_CHOWN:
896 case AUE_LCHOWN:
897 if (ARG_IS_VALID(kar, ARG_UID)) {
898 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
899 kau_write(rec, tok);
900 }
901 if (ARG_IS_VALID(kar, ARG_GID)) {
902 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
903 kau_write(rec, tok);
904 }
905 UPATH1_VNODE1_TOKENS;
906 break;
907
908 case AUE_FCHOWNAT:
909 ATFD1_TOKENS(1);
910 if (ARG_IS_VALID(kar, ARG_UID)) {
911 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
912 kau_write(rec, tok);
913 }
914 if (ARG_IS_VALID(kar, ARG_GID)) {
915 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
916 kau_write(rec, tok);
917 }
918 UPATH1_VNODE1_TOKENS;
919 break;
920
921 case AUE_EXCHANGEDATA:
922 UPATH1_VNODE1_TOKENS;
923 UPATH2_TOKENS;
924 break;
925
926 case AUE_CLOSE:
927 if (ARG_IS_VALID(kar, ARG_FD)) {
928 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
929 kau_write(rec, tok);
930 }
931 UPATH1_VNODE1_TOKENS;
932 break;
933
934 case AUE_CLOSEFROM:
935 if (ARG_IS_VALID(kar, ARG_FD)) {
936 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
937 kau_write(rec, tok);
938 }
939 break;
940
941 case AUE_CLOSERANGE:
942 if (ARG_IS_VALID(kar, ARG_FD)) {
943 tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd);
944 kau_write(rec, tok);
945 }
946 if (ARG_IS_VALID(kar, ARG_CMD)) {
947 tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd);
948 kau_write(rec, tok);
949 }
950 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
951 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
952 kau_write(rec, tok);
953 }
954 break;
955
956 case AUE_CORE:
957 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
958 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
959 kau_write(rec, tok);
960 }
961 UPATH1_VNODE1_TOKENS;
962 break;
963
964 case AUE_EXTATTRCTL:
965 UPATH1_VNODE1_TOKENS;
966 if (ARG_IS_VALID(kar, ARG_CMD)) {
967 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
968 kau_write(rec, tok);
969 }
970 /* extattrctl(2) filename parameter is in upath2/vnode2 */
971 UPATH2_TOKENS;
972 VNODE2_TOKENS;
973 EXTATTR_TOKENS(4);
974 break;
975
976 case AUE_EXTATTR_GET_FILE:
977 case AUE_EXTATTR_SET_FILE:
978 case AUE_EXTATTR_LIST_FILE:
979 case AUE_EXTATTR_DELETE_FILE:
980 case AUE_EXTATTR_GET_LINK:
981 case AUE_EXTATTR_SET_LINK:
982 case AUE_EXTATTR_LIST_LINK:
983 case AUE_EXTATTR_DELETE_LINK:
984 UPATH1_VNODE1_TOKENS;
985 EXTATTR_TOKENS(2);
986 break;
987
988 case AUE_EXTATTR_GET_FD:
989 case AUE_EXTATTR_SET_FD:
990 case AUE_EXTATTR_LIST_FD:
991 case AUE_EXTATTR_DELETE_FD:
992 if (ARG_IS_VALID(kar, ARG_FD)) {
993 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
994 kau_write(rec, tok);
995 }
996 EXTATTR_TOKENS(2);
997 break;
998
999 case AUE_FEXECVE:
1000 if (ARG_IS_VALID(kar, ARG_FD)) {
1001 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1002 kau_write(rec, tok);
1003 }
1004 /* FALLTHROUGH */
1005
1006 case AUE_EXECVE:
1007 case AUE_MAC_EXECVE:
1008 if (ARG_IS_VALID(kar, ARG_ARGV)) {
1009 tok = au_to_exec_args(ar->ar_arg_argv,
1010 ar->ar_arg_argc);
1011 kau_write(rec, tok);
1012 }
1013 if (ARG_IS_VALID(kar, ARG_ENVV)) {
1014 tok = au_to_exec_env(ar->ar_arg_envv,
1015 ar->ar_arg_envc);
1016 kau_write(rec, tok);
1017 }
1018 UPATH1_VNODE1_TOKENS;
1019 break;
1020
1021 case AUE_FCHMOD:
1022 if (ARG_IS_VALID(kar, ARG_MODE)) {
1023 tok = au_to_arg32(2, "new file mode",
1024 ar->ar_arg_mode);
1025 kau_write(rec, tok);
1026 }
1027 FD_VNODE1_TOKENS;
1028 break;
1029
1030 /*
1031 * XXXRW: Some of these need to handle non-vnode cases as well.
1032 */
1033 case AUE_FCHDIR:
1034 case AUE_FPATHCONF:
1035 case AUE_FSTAT:
1036 case AUE_FSTATFS:
1037 case AUE_FSYNC:
1038 case AUE_FTRUNCATE:
1039 case AUE_FUTIMES:
1040 case AUE_GETDIRENTRIES:
1041 case AUE_GETDIRENTRIESATTR:
1042 case AUE_LSEEK:
1043 case AUE_POLL:
1044 case AUE_POSIX_FALLOCATE:
1045 case AUE_PREAD:
1046 case AUE_PWRITE:
1047 case AUE_READ:
1048 case AUE_READV:
1049 case AUE_WRITE:
1050 case AUE_WRITEV:
1051 FD_VNODE1_TOKENS;
1052 break;
1053
1054 case AUE_FCHOWN:
1055 if (ARG_IS_VALID(kar, ARG_UID)) {
1056 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1057 kau_write(rec, tok);
1058 }
1059 if (ARG_IS_VALID(kar, ARG_GID)) {
1060 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1061 kau_write(rec, tok);
1062 }
1063 FD_VNODE1_TOKENS;
1064 break;
1065
1066 case AUE_FCNTL:
1067 if (ARG_IS_VALID(kar, ARG_CMD)) {
1068 tok = au_to_arg32(2, "cmd",
1069 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
1070 kau_write(rec, tok);
1071 }
1072 FD_VNODE1_TOKENS;
1073 break;
1074
1075 case AUE_FCHFLAGS:
1076 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1077 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1078 kau_write(rec, tok);
1079 }
1080 FD_VNODE1_TOKENS;
1081 break;
1082
1083 case AUE_FLOCK:
1084 if (ARG_IS_VALID(kar, ARG_CMD)) {
1085 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1086 kau_write(rec, tok);
1087 }
1088 FD_VNODE1_TOKENS;
1089 break;
1090
1091 case AUE_FSPACECTL:
1092 if (ARG_IS_VALID(kar, ARG_CMD)) {
1093 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1094 kau_write(rec, tok);
1095 }
1096 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1097 tok = au_to_arg32(4, "flags", ar->ar_arg_fflags);
1098 kau_write(rec, tok);
1099 }
1100 FD_VNODE1_TOKENS;
1101 break;
1102
1103 case AUE_RFORK:
1104 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1105 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1106 kau_write(rec, tok);
1107 }
1108 /* FALLTHROUGH */
1109
1110 case AUE_FORK:
1111 case AUE_VFORK:
1112 if (ARG_IS_VALID(kar, ARG_PID)) {
1113 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1114 kau_write(rec, tok);
1115 }
1116 break;
1117
1118 case AUE_IOCTL:
1119 if (ARG_IS_VALID(kar, ARG_CMD)) {
1120 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1121 kau_write(rec, tok);
1122 }
1123 if (ARG_IS_VALID(kar, ARG_VNODE1))
1124 FD_VNODE1_TOKENS;
1125 else {
1126 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1127 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1128 kau_write(rec, tok);
1129 } else {
1130 if (ARG_IS_VALID(kar, ARG_FD)) {
1131 tok = au_to_arg32(1, "fd",
1132 ar->ar_arg_fd);
1133 kau_write(rec, tok);
1134 }
1135 }
1136 }
1137 break;
1138
1139 case AUE_KILL:
1140 case AUE_KILLPG:
1141 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1142 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1143 kau_write(rec, tok);
1144 }
1145 PROCESS_PID_TOKENS(1);
1146 break;
1147
1148 case AUE_KTRACE:
1149 if (ARG_IS_VALID(kar, ARG_CMD)) {
1150 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1151 kau_write(rec, tok);
1152 }
1153 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1154 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1155 kau_write(rec, tok);
1156 }
1157 PROCESS_PID_TOKENS(4);
1158 UPATH1_VNODE1_TOKENS;
1159 break;
1160
1161 case AUE_LINK:
1162 case AUE_LINKAT:
1163 case AUE_RENAME:
1164 case AUE_RENAMEAT:
1165 ATFD1_TOKENS(1);
1166 UPATH1_VNODE1_TOKENS;
1167 ATFD2_TOKENS(3);
1168 UPATH2_TOKENS;
1169 break;
1170
1171 case AUE_LOADSHFILE:
1172 ADDR_TOKEN(4, "base addr");
1173 UPATH1_VNODE1_TOKENS;
1174 break;
1175
1176 case AUE_MKDIR:
1177 case AUE_MKDIRAT:
1178 case AUE_MKFIFO:
1179 case AUE_MKFIFOAT:
1180 ATFD1_TOKENS(1);
1181 if (ARG_IS_VALID(kar, ARG_MODE)) {
1182 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1183 kau_write(rec, tok);
1184 }
1185 UPATH1_VNODE1_TOKENS;
1186 break;
1187
1188 case AUE_MKNOD:
1189 case AUE_MKNODAT:
1190 ATFD1_TOKENS(1);
1191 if (ARG_IS_VALID(kar, ARG_MODE)) {
1192 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1193 kau_write(rec, tok);
1194 }
1195 if (ARG_IS_VALID(kar, ARG_DEV)) {
1196 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1197 kau_write(rec, tok);
1198 }
1199 UPATH1_VNODE1_TOKENS;
1200 break;
1201
1202 case AUE_MMAP:
1203 case AUE_MUNMAP:
1204 case AUE_MPROTECT:
1205 case AUE_MLOCK:
1206 case AUE_MUNLOCK:
1207 case AUE_MINHERIT:
1208 ADDR_TOKEN(1, "addr");
1209 if (ARG_IS_VALID(kar, ARG_LEN)) {
1210 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1211 kau_write(rec, tok);
1212 }
1213 if (ar->ar_event == AUE_MMAP)
1214 FD_VNODE1_TOKENS;
1215 if (ar->ar_event == AUE_MPROTECT) {
1216 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1217 tok = au_to_arg32(3, "protection",
1218 ar->ar_arg_value);
1219 kau_write(rec, tok);
1220 }
1221 }
1222 if (ar->ar_event == AUE_MINHERIT) {
1223 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1224 tok = au_to_arg32(3, "inherit",
1225 ar->ar_arg_value);
1226 kau_write(rec, tok);
1227 }
1228 }
1229 break;
1230
1231 case AUE_MOUNT:
1232 case AUE_NMOUNT:
1233 /* XXX Need to handle NFS mounts */
1234 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1235 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1236 kau_write(rec, tok);
1237 }
1238 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1239 tok = au_to_text(ar->ar_arg_text);
1240 kau_write(rec, tok);
1241 }
1242 /* FALLTHROUGH */
1243
1244 case AUE_NFS_SVC:
1245 if (ARG_IS_VALID(kar, ARG_CMD)) {
1246 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1247 kau_write(rec, tok);
1248 }
1249 break;
1250
1251 case AUE_UMOUNT:
1252 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1253 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1254 kau_write(rec, tok);
1255 }
1256 UPATH1_VNODE1_TOKENS;
1257 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1258 tok = au_to_text(ar->ar_arg_text);
1259 kau_write(rec, tok);
1260 }
1261 break;
1262
1263 case AUE_MSGCTL:
1264 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1265 /* Fall through */
1266
1267 case AUE_MSGRCV:
1268 case AUE_MSGSND:
1269 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1270 kau_write(rec, tok);
1271 if (ar->ar_errno != EINVAL) {
1272 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1273 kau_write(rec, tok);
1274 }
1275 break;
1276
1277 case AUE_MSGGET:
1278 if (ar->ar_errno == 0) {
1279 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1280 tok = au_to_ipc(AT_IPC_MSG,
1281 ar->ar_arg_svipc_id);
1282 kau_write(rec, tok);
1283 }
1284 }
1285 break;
1286
1287 case AUE_RESETSHFILE:
1288 ADDR_TOKEN(1, "base addr");
1289 break;
1290
1291 case AUE_OPEN_RC:
1292 case AUE_OPEN_RTC:
1293 case AUE_OPEN_RWC:
1294 case AUE_OPEN_RWTC:
1295 case AUE_OPEN_WC:
1296 case AUE_OPEN_WTC:
1297 case AUE_CREAT:
1298 if (ARG_IS_VALID(kar, ARG_MODE)) {
1299 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1300 kau_write(rec, tok);
1301 }
1302 /* FALLTHROUGH */
1303
1304 case AUE_OPEN_R:
1305 case AUE_OPEN_RT:
1306 case AUE_OPEN_RW:
1307 case AUE_OPEN_RWT:
1308 case AUE_OPEN_W:
1309 case AUE_OPEN_WT:
1310 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1311 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1312 kau_write(rec, tok);
1313 }
1314 UPATH1_VNODE1_TOKENS;
1315 break;
1316
1317 case AUE_OPENAT_RC:
1318 case AUE_OPENAT_RTC:
1319 case AUE_OPENAT_RWC:
1320 case AUE_OPENAT_RWTC:
1321 case AUE_OPENAT_WC:
1322 case AUE_OPENAT_WTC:
1323 if (ARG_IS_VALID(kar, ARG_MODE)) {
1324 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1325 kau_write(rec, tok);
1326 }
1327 /* FALLTHROUGH */
1328
1329 case AUE_OPENAT_R:
1330 case AUE_OPENAT_RT:
1331 case AUE_OPENAT_RW:
1332 case AUE_OPENAT_RWT:
1333 case AUE_OPENAT_W:
1334 case AUE_OPENAT_WT:
1335 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1336 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1337 kau_write(rec, tok);
1338 }
1339 ATFD1_TOKENS(1);
1340 UPATH1_VNODE1_TOKENS;
1341 break;
1342
1343 case AUE_PDKILL:
1344 if (ARG_IS_VALID(kar, ARG_FD)) {
1345 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1346 kau_write(rec, tok);
1347 }
1348 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1349 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1350 kau_write(rec, tok);
1351 }
1352 PROCESS_PID_TOKENS(1);
1353 break;
1354 case AUE_PDFORK:
1355 if (ARG_IS_VALID(kar, ARG_PID)) {
1356 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1357 kau_write(rec, tok);
1358 }
1359 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1360 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1361 kau_write(rec, tok);
1362 }
1363 if (ARG_IS_VALID(kar, ARG_FD)) {
1364 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1365 kau_write(rec, tok);
1366 }
1367 break;
1368 case AUE_PDGETPID:
1369 if (ARG_IS_VALID(kar, ARG_FD)) {
1370 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1371 kau_write(rec, tok);
1372 }
1373 break;
1374
1375 case AUE_PROCCTL:
1376 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1377 tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
1378 kau_write(rec, tok);
1379 }
1380 if (ARG_IS_VALID(kar, ARG_CMD)) {
1381 tok = au_to_arg32(2, "com", ar->ar_arg_cmd);
1382 kau_write(rec, tok);
1383 }
1384 PROCESS_PID_TOKENS(3);
1385 break;
1386
1387 case AUE_PTRACE:
1388 if (ARG_IS_VALID(kar, ARG_CMD)) {
1389 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1390 kau_write(rec, tok);
1391 }
1392 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1393 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1394 kau_write(rec, tok);
1395 }
1396 PROCESS_PID_TOKENS(2);
1397 break;
1398
1399 case AUE_QUOTACTL:
1400 if (ARG_IS_VALID(kar, ARG_CMD)) {
1401 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1402 kau_write(rec, tok);
1403 }
1404 if (ARG_IS_VALID(kar, ARG_UID)) {
1405 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1406 kau_write(rec, tok);
1407 }
1408 if (ARG_IS_VALID(kar, ARG_GID)) {
1409 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1410 kau_write(rec, tok);
1411 }
1412 UPATH1_VNODE1_TOKENS;
1413 break;
1414
1415 case AUE_REBOOT:
1416 if (ARG_IS_VALID(kar, ARG_CMD)) {
1417 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1418 kau_write(rec, tok);
1419 }
1420 break;
1421
1422 case AUE_SEMCTL:
1423 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1424 /* Fall through */
1425
1426 case AUE_SEMOP:
1427 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1428 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1429 kau_write(rec, tok);
1430 if (ar->ar_errno != EINVAL) {
1431 tok = au_to_ipc(AT_IPC_SEM,
1432 ar->ar_arg_svipc_id);
1433 kau_write(rec, tok);
1434 }
1435 }
1436 break;
1437
1438 case AUE_SEMGET:
1439 if (ar->ar_errno == 0) {
1440 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1441 tok = au_to_ipc(AT_IPC_SEM,
1442 ar->ar_arg_svipc_id);
1443 kau_write(rec, tok);
1444 }
1445 }
1446 break;
1447
1448 case AUE_SETEGID:
1449 if (ARG_IS_VALID(kar, ARG_EGID)) {
1450 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1451 kau_write(rec, tok);
1452 }
1453 break;
1454
1455 case AUE_SETEUID:
1456 if (ARG_IS_VALID(kar, ARG_EUID)) {
1457 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1458 kau_write(rec, tok);
1459 }
1460 break;
1461
1462 case AUE_SETREGID:
1463 if (ARG_IS_VALID(kar, ARG_RGID)) {
1464 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1465 kau_write(rec, tok);
1466 }
1467 if (ARG_IS_VALID(kar, ARG_EGID)) {
1468 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1469 kau_write(rec, tok);
1470 }
1471 break;
1472
1473 case AUE_SETREUID:
1474 if (ARG_IS_VALID(kar, ARG_RUID)) {
1475 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1476 kau_write(rec, tok);
1477 }
1478 if (ARG_IS_VALID(kar, ARG_EUID)) {
1479 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1480 kau_write(rec, tok);
1481 }
1482 break;
1483
1484 case AUE_SETRESGID:
1485 if (ARG_IS_VALID(kar, ARG_RGID)) {
1486 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1487 kau_write(rec, tok);
1488 }
1489 if (ARG_IS_VALID(kar, ARG_EGID)) {
1490 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1491 kau_write(rec, tok);
1492 }
1493 if (ARG_IS_VALID(kar, ARG_SGID)) {
1494 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1495 kau_write(rec, tok);
1496 }
1497 break;
1498
1499 case AUE_SETRESUID:
1500 if (ARG_IS_VALID(kar, ARG_RUID)) {
1501 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1502 kau_write(rec, tok);
1503 }
1504 if (ARG_IS_VALID(kar, ARG_EUID)) {
1505 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1506 kau_write(rec, tok);
1507 }
1508 if (ARG_IS_VALID(kar, ARG_SUID)) {
1509 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1510 kau_write(rec, tok);
1511 }
1512 break;
1513
1514 case AUE_SETGID:
1515 if (ARG_IS_VALID(kar, ARG_GID)) {
1516 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1517 kau_write(rec, tok);
1518 }
1519 break;
1520
1521 case AUE_SETUID:
1522 if (ARG_IS_VALID(kar, ARG_UID)) {
1523 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1524 kau_write(rec, tok);
1525 }
1526 break;
1527
1528 case AUE_SETGROUPS:
1529 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1530 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1531 {
1532 tok = au_to_arg32(1, "setgroups",
1533 ar->ar_arg_groups.gidset[ctr]);
1534 kau_write(rec, tok);
1535 }
1536 }
1537 break;
1538
1539 case AUE_SETLOGIN:
1540 if (ARG_IS_VALID(kar, ARG_LOGIN)) {
1541 tok = au_to_text(ar->ar_arg_login);
1542 kau_write(rec, tok);
1543 }
1544 break;
1545
1546 case AUE_SETLOGINCLASS:
1547 break;
1548
1549 case AUE_SETPRIORITY:
1550 if (ARG_IS_VALID(kar, ARG_CMD)) {
1551 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1552 kau_write(rec, tok);
1553 }
1554 if (ARG_IS_VALID(kar, ARG_UID)) {
1555 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1556 kau_write(rec, tok);
1557 }
1558 PROCESS_PID_TOKENS(2);
1559 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1560 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1561 kau_write(rec, tok);
1562 }
1563 break;
1564
1565 case AUE_SETPRIVEXEC:
1566 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1567 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1568 kau_write(rec, tok);
1569 }
1570 break;
1571
1572 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1573 case AUE_SHMAT:
1574 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1575 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1576 kau_write(rec, tok);
1577 /* XXXAUDIT: Does having the ipc token make sense? */
1578 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1579 kau_write(rec, tok);
1580 }
1581 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1582 tok = au_to_arg32(2, "shmaddr",
1583 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1584 kau_write(rec, tok);
1585 }
1586 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1587 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1588 kau_write(rec, tok);
1589 }
1590 break;
1591
1592 case AUE_SHMCTL:
1593 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1594 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1595 kau_write(rec, tok);
1596 /* XXXAUDIT: Does having the ipc token make sense? */
1597 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1598 kau_write(rec, tok);
1599 }
1600 switch (ar->ar_arg_svipc_cmd) {
1601 case IPC_STAT:
1602 ar->ar_event = AUE_SHMCTL_STAT;
1603 break;
1604 case IPC_RMID:
1605 ar->ar_event = AUE_SHMCTL_RMID;
1606 break;
1607 case IPC_SET:
1608 ar->ar_event = AUE_SHMCTL_SET;
1609 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1610 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1611 kau_write(rec, tok);
1612 }
1613 break;
1614 default:
1615 break; /* We will audit a bad command */
1616 }
1617 break;
1618
1619 case AUE_SHMDT:
1620 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1621 tok = au_to_arg32(1, "shmaddr",
1622 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1623 kau_write(rec, tok);
1624 }
1625 break;
1626
1627 case AUE_SHMGET:
1628 /* This is unusual; the return value is in an argument token */
1629 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1630 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1631 kau_write(rec, tok);
1632 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1633 kau_write(rec, tok);
1634 }
1635 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1636 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1637 kau_write(rec, tok);
1638 }
1639 break;
1640
1641 /* shm_rename is a non-Posix extension to the Posix shm implementation */
1642 case AUE_SHMRENAME:
1643 UPATH1_TOKENS;
1644 UPATH2_TOKENS;
1645 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1646 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1647 kau_write(rec, tok);
1648 }
1649 break;
1650
1651 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1652 * and AUE_SEMUNLINK are Posix IPC */
1653 case AUE_SHMOPEN:
1654 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1655 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1656 kau_write(rec, tok);
1657 }
1658 if (ARG_IS_VALID(kar, ARG_MODE)) {
1659 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1660 kau_write(rec, tok);
1661 }
1662 /* FALLTHROUGH */
1663
1664 case AUE_SHMUNLINK:
1665 UPATH1_TOKENS;
1666 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1667 struct ipc_perm perm;
1668
1669 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1670 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1671 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1672 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1673 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1674 perm.seq = 0;
1675 perm.key = 0;
1676 tok = au_to_ipc_perm(&perm);
1677 kau_write(rec, tok);
1678 }
1679 break;
1680
1681 case AUE_SEMOPEN:
1682 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1683 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1684 kau_write(rec, tok);
1685 }
1686 if (ARG_IS_VALID(kar, ARG_MODE)) {
1687 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1688 kau_write(rec, tok);
1689 }
1690 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1691 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1692 kau_write(rec, tok);
1693 }
1694 /* FALLTHROUGH */
1695
1696 case AUE_SEMUNLINK:
1697 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1698 tok = au_to_text(ar->ar_arg_text);
1699 kau_write(rec, tok);
1700 }
1701 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1702 struct ipc_perm perm;
1703
1704 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1705 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1706 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1707 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1708 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1709 perm.seq = 0;
1710 perm.key = 0;
1711 tok = au_to_ipc_perm(&perm);
1712 kau_write(rec, tok);
1713 }
1714 break;
1715
1716 case AUE_SEMCLOSE:
1717 if (ARG_IS_VALID(kar, ARG_FD)) {
1718 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1719 kau_write(rec, tok);
1720 }
1721 break;
1722
1723 case AUE_SYMLINK:
1724 case AUE_SYMLINKAT:
1725 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1726 tok = au_to_text(ar->ar_arg_text);
1727 kau_write(rec, tok);
1728 }
1729 ATFD1_TOKENS(1);
1730 UPATH1_VNODE1_TOKENS;
1731 break;
1732
1733 case AUE_SYSCTL:
1734 case AUE_SYSCTL_NONADMIN:
1735 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1736 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1737 tok = au_to_arg32(1, "name",
1738 ar->ar_arg_ctlname[ctr]);
1739 kau_write(rec, tok);
1740 }
1741 }
1742 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1743 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1744 kau_write(rec, tok);
1745 }
1746 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1747 tok = au_to_text(ar->ar_arg_text);
1748 kau_write(rec, tok);
1749 }
1750 break;
1751
1752 case AUE_UMASK:
1753 if (ARG_IS_VALID(kar, ARG_MASK)) {
1754 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1755 kau_write(rec, tok);
1756 }
1757 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1758 kau_write(rec, tok);
1759 break;
1760
1761 case AUE_WAIT4:
1762 case AUE_WAIT6:
1763 PROCESS_PID_TOKENS(1);
1764 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1765 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1766 kau_write(rec, tok);
1767 }
1768 break;
1769
1770 case AUE_CAP_RIGHTS_LIMIT:
1771 /*
1772 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1773 */
1774 FD_VNODE1_TOKENS;
1775 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1776 tok = au_to_rights(&ar->ar_arg_rights);
1777 kau_write(rec, tok);
1778 }
1779 break;
1780
1781 case AUE_CAP_FCNTLS_GET:
1782 case AUE_CAP_IOCTLS_GET:
1783 case AUE_CAP_IOCTLS_LIMIT:
1784 case AUE_CAP_RIGHTS_GET:
1785 if (ARG_IS_VALID(kar, ARG_FD)) {
1786 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1787 kau_write(rec, tok);
1788 }
1789 break;
1790
1791 case AUE_CAP_FCNTLS_LIMIT:
1792 FD_VNODE1_TOKENS;
1793 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1794 tok = au_to_arg32(2, "fcntlrights",
1795 ar->ar_arg_fcntl_rights);
1796 kau_write(rec, tok);
1797 }
1798 break;
1799
1800 case AUE_CAP_ENTER:
1801 case AUE_CAP_GETMODE:
1802 break;
1803
1804 case AUE_THR_NEW:
1805 case AUE_THR_KILL:
1806 case AUE_THR_EXIT:
1807 break;
1808
1809 case AUE_NULL:
1810 default:
1811 printf("BSM conversion requested for unknown event %d\n",
1812 ar->ar_event);
1813
1814 /*
1815 * Write the subject token so it is properly freed here.
1816 */
1817 if (jail_tok != NULL)
1818 kau_write(rec, jail_tok);
1819 kau_write(rec, subj_tok);
1820 kau_free(rec);
1821 return (BSM_NOAUDIT);
1822 }
1823
1824 if (jail_tok != NULL)
1825 kau_write(rec, jail_tok);
1826 kau_write(rec, subj_tok);
1827 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1828 kau_write(rec, tok); /* Every record gets a return token */
1829
1830 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1831
1832 *pau = rec;
1833 return (BSM_SUCCESS);
1834 }
1835
1836 /*
1837 * Verify that a record is a valid BSM record. This verification is simple
1838 * now, but may be expanded on sometime in the future. Return 1 if the
1839 * record is good, 0 otherwise.
1840 */
1841 int
bsm_rec_verify(void * rec)1842 bsm_rec_verify(void *rec)
1843 {
1844 char c = *(char *)rec;
1845
1846 /*
1847 * Check the token ID of the first token; it has to be a header
1848 * token.
1849 *
1850 * XXXAUDIT There needs to be a token structure to map a token.
1851 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1852 */
1853 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1854 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1855 return (0);
1856 return (1);
1857 }
1858