1 /* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 #include <sys/param.h> 33 #include <sys/vnode.h> 34 #include <sys/ipc.h> 35 #include <sys/lock.h> 36 #include <sys/malloc.h> 37 #include <sys/mutex.h> 38 #include <sys/socket.h> 39 #include <sys/extattr.h> 40 #include <sys/fcntl.h> 41 #include <sys/user.h> 42 #include <sys/systm.h> 43 44 #include <bsm/audit.h> 45 #include <bsm/audit_internal.h> 46 #include <bsm/audit_record.h> 47 #include <bsm/audit_kevents.h> 48 49 #include <security/audit/audit.h> 50 #include <security/audit/audit_private.h> 51 52 #include <netinet/in_systm.h> 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 56 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57 58 static void audit_sys_auditon(struct audit_record *ar, 59 struct au_record *rec); 60 61 /* 62 * Initialize the BSM auditing subsystem. 63 */ 64 void 65 kau_init(void) 66 { 67 68 au_evclassmap_init(); 69 } 70 71 /* 72 * This call reserves memory for the audit record. Memory must be guaranteed 73 * before any auditable event can be generated. The au_record structure 74 * maintains a reference to the memory allocated above and also the list of 75 * tokens associated with this record 76 */ 77 static struct au_record * 78 kau_open(void) 79 { 80 struct au_record *rec; 81 82 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 83 rec->data = NULL; 84 TAILQ_INIT(&rec->token_q); 85 rec->len = 0; 86 rec->used = 1; 87 88 return (rec); 89 } 90 91 /* 92 * Store the token with the record descriptor. 93 */ 94 static void 95 kau_write(struct au_record *rec, struct au_token *tok) 96 { 97 98 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 99 100 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 101 rec->len += tok->len; 102 } 103 104 /* 105 * Close out the audit record by adding the header token, identifying any 106 * missing tokens. Write out the tokens to the record memory. 107 */ 108 static void 109 kau_close(struct au_record *rec, struct timespec *ctime, short event) 110 { 111 u_char *dptr; 112 size_t tot_rec_size; 113 token_t *cur, *hdr, *trail; 114 struct timeval tm; 115 116 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 117 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 118 119 tm.tv_usec = ctime->tv_nsec / 1000; 120 tm.tv_sec = ctime->tv_sec; 121 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 122 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 123 124 trail = au_to_trailer(tot_rec_size); 125 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 126 127 rec->len = tot_rec_size; 128 dptr = rec->data; 129 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 130 memcpy(dptr, cur->t_data, cur->len); 131 dptr += cur->len; 132 } 133 } 134 135 /* 136 * Free a BSM audit record by releasing all the tokens and clearing the audit 137 * record information. 138 */ 139 void 140 kau_free(struct au_record *rec) 141 { 142 struct au_token *tok; 143 144 /* Free the token list. */ 145 while ((tok = TAILQ_FIRST(&rec->token_q))) { 146 TAILQ_REMOVE(&rec->token_q, tok, tokens); 147 free(tok->t_data, M_AUDITBSM); 148 free(tok, M_AUDITBSM); 149 } 150 151 rec->used = 0; 152 rec->len = 0; 153 free(rec->data, M_AUDITBSM); 154 free(rec, M_AUDITBSM); 155 } 156 157 /* 158 * XXX: May want turn some (or all) of these macros into functions in order 159 * to reduce the generated code sized. 160 * 161 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 162 * caller are OK with this. 163 */ 164 #define UPATH1_TOKENS do { \ 165 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 166 tok = au_to_path(ar->ar_arg_upath1); \ 167 kau_write(rec, tok); \ 168 } \ 169 } while (0) 170 171 #define UPATH2_TOKENS do { \ 172 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 173 tok = au_to_path(ar->ar_arg_upath2); \ 174 kau_write(rec, tok); \ 175 } \ 176 } while (0) 177 178 #define VNODE1_TOKENS do { \ 179 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 180 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 181 kau_write(rec, tok); \ 182 } \ 183 } while (0) 184 185 #define UPATH1_VNODE1_TOKENS do { \ 186 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 187 UPATH1_TOKENS; \ 188 } \ 189 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 190 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 191 kau_write(rec, tok); \ 192 } \ 193 } while (0) 194 195 #define VNODE2_TOKENS do { \ 196 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 197 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 198 kau_write(rec, tok); \ 199 } \ 200 } while (0) 201 202 #define FD_VNODE1_TOKENS do { \ 203 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 204 if (ARG_IS_VALID(kar, ARG_FD)) { \ 205 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 206 kau_write(rec, tok); \ 207 } \ 208 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 209 kau_write(rec, tok); \ 210 } else { \ 211 if (ARG_IS_VALID(kar, ARG_FD)) { \ 212 tok = au_to_arg32(1, "non-file: fd", \ 213 ar->ar_arg_fd); \ 214 kau_write(rec, tok); \ 215 } \ 216 } \ 217 } while (0) 218 219 #define PROCESS_PID_TOKENS(argn) do { \ 220 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 221 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 222 tok = au_to_process32_ex(ar->ar_arg_auid, \ 223 ar->ar_arg_euid, ar->ar_arg_egid, \ 224 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 225 ar->ar_arg_pid, ar->ar_arg_asid, \ 226 &ar->ar_arg_termid_addr); \ 227 kau_write(rec, tok); \ 228 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 229 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 230 kau_write(rec, tok); \ 231 } \ 232 } while (0) \ 233 234 #define EXTATTR_TOKENS do { \ 235 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 236 switch (ar->ar_arg_value) { \ 237 case EXTATTR_NAMESPACE_USER: \ 238 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 239 break; \ 240 case EXTATTR_NAMESPACE_SYSTEM: \ 241 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 242 break; \ 243 default: \ 244 tok = au_to_arg32(3, "attrnamespace", \ 245 ar->ar_arg_value); \ 246 break; \ 247 } \ 248 kau_write(rec, tok); \ 249 } \ 250 /* attrname is in the text field */ \ 251 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 252 tok = au_to_text(ar->ar_arg_text); \ 253 kau_write(rec, tok); \ 254 } \ 255 } while (0) 256 257 /* 258 * Implement auditing for the auditon() system call. The audit tokens that 259 * are generated depend on the command that was sent into the auditon() 260 * system call. 261 */ 262 static void 263 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 264 { 265 struct au_token *tok; 266 267 switch (ar->ar_arg_cmd) { 268 case A_SETPOLICY: 269 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 270 tok = au_to_arg64(1, "policy", 271 ar->ar_arg_auditon.au_flags); 272 else 273 tok = au_to_arg32(1, "policy", 274 ar->ar_arg_auditon.au_flags); 275 kau_write(rec, tok); 276 break; 277 278 case A_SETKMASK: 279 tok = au_to_arg32(2, "setkmask:as_success", 280 ar->ar_arg_auditon.au_mask.am_success); 281 kau_write(rec, tok); 282 tok = au_to_arg32(2, "setkmask:as_failure", 283 ar->ar_arg_auditon.au_mask.am_failure); 284 kau_write(rec, tok); 285 break; 286 287 case A_SETQCTRL: 288 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 289 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 290 kau_write(rec, tok); 291 tok = au_to_arg32(3, "setqctrl:aq_lowater", 292 ar->ar_arg_auditon.au_qctrl.aq_lowater); 293 kau_write(rec, tok); 294 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 295 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 296 kau_write(rec, tok); 297 tok = au_to_arg32(3, "setqctrl:aq_delay", 298 ar->ar_arg_auditon.au_qctrl.aq_delay); 299 kau_write(rec, tok); 300 tok = au_to_arg32(3, "setqctrl:aq_minfree", 301 ar->ar_arg_auditon.au_qctrl.aq_minfree); 302 kau_write(rec, tok); 303 break; 304 305 case A_SETUMASK: 306 tok = au_to_arg32(3, "setumask:as_success", 307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 308 kau_write(rec, tok); 309 tok = au_to_arg32(3, "setumask:as_failure", 310 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 311 kau_write(rec, tok); 312 break; 313 314 case A_SETSMASK: 315 tok = au_to_arg32(3, "setsmask:as_success", 316 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 317 kau_write(rec, tok); 318 tok = au_to_arg32(3, "setsmask:as_failure", 319 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 320 kau_write(rec, tok); 321 break; 322 323 case A_SETCOND: 324 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 325 tok = au_to_arg64(3, "setcond", 326 ar->ar_arg_auditon.au_cond); 327 else 328 tok = au_to_arg32(3, "setcond", 329 ar->ar_arg_auditon.au_cond); 330 kau_write(rec, tok); 331 break; 332 333 case A_SETCLASS: 334 tok = au_to_arg32(2, "setclass:ec_event", 335 ar->ar_arg_auditon.au_evclass.ec_number); 336 kau_write(rec, tok); 337 tok = au_to_arg32(3, "setclass:ec_class", 338 ar->ar_arg_auditon.au_evclass.ec_class); 339 kau_write(rec, tok); 340 break; 341 342 case A_SETPMASK: 343 tok = au_to_arg32(2, "setpmask:as_success", 344 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 345 kau_write(rec, tok); 346 tok = au_to_arg32(2, "setpmask:as_failure", 347 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 348 kau_write(rec, tok); 349 break; 350 351 case A_SETFSIZE: 352 tok = au_to_arg32(2, "setfsize:filesize", 353 ar->ar_arg_auditon.au_fstat.af_filesz); 354 kau_write(rec, tok); 355 break; 356 357 default: 358 break; 359 } 360 } 361 362 /* 363 * Convert an internal kernel audit record to a BSM record and return a 364 * success/failure indicator. The BSM record is passed as an out parameter to 365 * this function. 366 * 367 * Return conditions: 368 * BSM_SUCCESS: The BSM record is valid 369 * BSM_FAILURE: Failure; the BSM record is NULL. 370 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 371 */ 372 int 373 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 374 { 375 struct au_token *tok, *subj_tok; 376 struct au_record *rec; 377 au_tid_t tid; 378 struct audit_record *ar; 379 int ctr; 380 381 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 382 383 *pau = NULL; 384 ar = &kar->k_ar; 385 rec = kau_open(); 386 387 /* Create the subject token */ 388 switch (ar->ar_subj_term_addr.at_type) { 389 case AU_IPv4: 390 tid.port = ar->ar_subj_term_addr.at_port; 391 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 392 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 393 ar->ar_subj_cred.cr_uid, /* eff uid */ 394 ar->ar_subj_egid, /* eff group id */ 395 ar->ar_subj_ruid, /* real uid */ 396 ar->ar_subj_rgid, /* real group id */ 397 ar->ar_subj_pid, /* process id */ 398 ar->ar_subj_asid, /* session ID */ 399 &tid); 400 break; 401 case AU_IPv6: 402 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 403 ar->ar_subj_cred.cr_uid, 404 ar->ar_subj_egid, 405 ar->ar_subj_ruid, 406 ar->ar_subj_rgid, 407 ar->ar_subj_pid, 408 ar->ar_subj_asid, 409 &ar->ar_subj_term_addr); 410 break; 411 default: 412 bzero(&tid, sizeof(tid)); 413 subj_tok = au_to_subject32(ar->ar_subj_auid, 414 ar->ar_subj_cred.cr_uid, 415 ar->ar_subj_egid, 416 ar->ar_subj_ruid, 417 ar->ar_subj_rgid, 418 ar->ar_subj_pid, 419 ar->ar_subj_asid, 420 &tid); 421 } 422 423 /* 424 * The logic inside each case fills in the tokens required for the 425 * event, except for the header, trailer, and return tokens. The 426 * header and trailer tokens are added by the kau_close() function. 427 * The return token is added outside of the switch statement. 428 */ 429 switch(ar->ar_event) { 430 case AUE_ACCEPT: 431 case AUE_BIND: 432 case AUE_LISTEN: 433 case AUE_CONNECT: 434 case AUE_RECV: 435 case AUE_RECVFROM: 436 case AUE_RECVMSG: 437 case AUE_SEND: 438 case AUE_SENDFILE: 439 case AUE_SENDMSG: 440 case AUE_SENDTO: 441 /* 442 * Socket-related events. 443 */ 444 if (ARG_IS_VALID(kar, ARG_FD)) { 445 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 446 kau_write(rec, tok); 447 } 448 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 449 tok = au_to_sock_inet((struct sockaddr_in *) 450 &ar->ar_arg_sockaddr); 451 kau_write(rec, tok); 452 } 453 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 454 tok = au_to_sock_unix((struct sockaddr_un *) 455 &ar->ar_arg_sockaddr); 456 kau_write(rec, tok); 457 UPATH1_TOKENS; 458 } 459 /* XXX Need to handle ARG_SADDRINET6 */ 460 break; 461 462 case AUE_SOCKET: 463 case AUE_SOCKETPAIR: 464 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 465 tok = au_to_arg32(1,"domain", 466 ar->ar_arg_sockinfo.so_domain); 467 kau_write(rec, tok); 468 tok = au_to_arg32(2,"type", 469 ar->ar_arg_sockinfo.so_type); 470 kau_write(rec, tok); 471 tok = au_to_arg32(3,"protocol", 472 ar->ar_arg_sockinfo.so_protocol); 473 kau_write(rec, tok); 474 } 475 break; 476 477 case AUE_SETSOCKOPT: 478 case AUE_SHUTDOWN: 479 if (ARG_IS_VALID(kar, ARG_FD)) { 480 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 481 kau_write(rec, tok); 482 } 483 break; 484 485 case AUE_ACCT: 486 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 487 UPATH1_VNODE1_TOKENS; 488 } else { 489 tok = au_to_arg32(1, "accounting off", 0); 490 kau_write(rec, tok); 491 } 492 break; 493 494 case AUE_SETAUID: 495 if (ARG_IS_VALID(kar, ARG_AUID)) { 496 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 497 kau_write(rec, tok); 498 } 499 break; 500 501 case AUE_SETAUDIT: 502 if (ARG_IS_VALID(kar, ARG_AUID) && 503 ARG_IS_VALID(kar, ARG_ASID) && 504 ARG_IS_VALID(kar, ARG_AMASK) && 505 ARG_IS_VALID(kar, ARG_TERMID)) { 506 tok = au_to_arg32(1, "setaudit:auid", 507 ar->ar_arg_auid); 508 kau_write(rec, tok); 509 tok = au_to_arg32(1, "setaudit:port", 510 ar->ar_arg_termid.port); 511 kau_write(rec, tok); 512 tok = au_to_arg32(1, "setaudit:machine", 513 ar->ar_arg_termid.machine); 514 kau_write(rec, tok); 515 tok = au_to_arg32(1, "setaudit:as_success", 516 ar->ar_arg_amask.am_success); 517 kau_write(rec, tok); 518 tok = au_to_arg32(1, "setaudit:as_failure", 519 ar->ar_arg_amask.am_failure); 520 kau_write(rec, tok); 521 tok = au_to_arg32(1, "setaudit:asid", 522 ar->ar_arg_asid); 523 kau_write(rec, tok); 524 } 525 break; 526 527 case AUE_SETAUDIT_ADDR: 528 if (ARG_IS_VALID(kar, ARG_AUID) && 529 ARG_IS_VALID(kar, ARG_ASID) && 530 ARG_IS_VALID(kar, ARG_AMASK) && 531 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 532 tok = au_to_arg32(1, "setaudit_addr:auid", 533 ar->ar_arg_auid); 534 kau_write(rec, tok); 535 tok = au_to_arg32(1, "setaudit_addr:as_success", 536 ar->ar_arg_amask.am_success); 537 kau_write(rec, tok); 538 tok = au_to_arg32(1, "setaudit_addr:as_failure", 539 ar->ar_arg_amask.am_failure); 540 kau_write(rec, tok); 541 tok = au_to_arg32(1, "setaudit_addr:asid", 542 ar->ar_arg_asid); 543 kau_write(rec, tok); 544 tok = au_to_arg32(1, "setaudit_addr:type", 545 ar->ar_arg_termid_addr.at_type); 546 kau_write(rec, tok); 547 tok = au_to_arg32(1, "setaudit_addr:port", 548 ar->ar_arg_termid_addr.at_port); 549 kau_write(rec, tok); 550 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 551 tok = au_to_in_addr_ex((struct in6_addr *) 552 &ar->ar_arg_termid_addr.at_addr[0]); 553 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 554 tok = au_to_in_addr((struct in_addr *) 555 &ar->ar_arg_termid_addr.at_addr[0]); 556 kau_write(rec, tok); 557 } 558 break; 559 560 case AUE_AUDITON: 561 /* 562 * For AUDITON commands without own event, audit the cmd. 563 */ 564 if (ARG_IS_VALID(kar, ARG_CMD)) { 565 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 566 kau_write(rec, tok); 567 } 568 /* fall thru */ 569 570 case AUE_AUDITON_GETCAR: 571 case AUE_AUDITON_GETCLASS: 572 case AUE_AUDITON_GETCOND: 573 case AUE_AUDITON_GETCWD: 574 case AUE_AUDITON_GETKMASK: 575 case AUE_AUDITON_GETSTAT: 576 case AUE_AUDITON_GPOLICY: 577 case AUE_AUDITON_GQCTRL: 578 case AUE_AUDITON_SETCLASS: 579 case AUE_AUDITON_SETCOND: 580 case AUE_AUDITON_SETKMASK: 581 case AUE_AUDITON_SETSMASK: 582 case AUE_AUDITON_SETSTAT: 583 case AUE_AUDITON_SETUMASK: 584 case AUE_AUDITON_SPOLICY: 585 case AUE_AUDITON_SQCTRL: 586 if (ARG_IS_VALID(kar, ARG_AUDITON)) 587 audit_sys_auditon(ar, rec); 588 break; 589 590 case AUE_AUDITCTL: 591 UPATH1_VNODE1_TOKENS; 592 break; 593 594 case AUE_EXIT: 595 if (ARG_IS_VALID(kar, ARG_EXIT)) { 596 tok = au_to_exit(ar->ar_arg_exitretval, 597 ar->ar_arg_exitstatus); 598 kau_write(rec, tok); 599 } 600 break; 601 602 case AUE_ADJTIME: 603 case AUE_CLOCK_SETTIME: 604 case AUE_AUDIT: 605 case AUE_DUP2: 606 case AUE_GETAUDIT: 607 case AUE_GETAUDIT_ADDR: 608 case AUE_GETAUID: 609 case AUE_GETCWD: 610 case AUE_GETFSSTAT: 611 case AUE_GETRESUID: 612 case AUE_GETRESGID: 613 case AUE_KQUEUE: 614 case AUE_LSEEK: 615 case AUE_MODLOAD: 616 case AUE_MODUNLOAD: 617 case AUE_MSGSYS: 618 case AUE_NFS_SVC: 619 case AUE_NTP_ADJTIME: 620 case AUE_PIPE: 621 case AUE_PROFILE: 622 case AUE_RTPRIO: 623 case AUE_SEMSYS: 624 case AUE_SHMSYS: 625 case AUE_SETPGRP: 626 case AUE_SETRLIMIT: 627 case AUE_SETSID: 628 case AUE_SETTIMEOFDAY: 629 case AUE_SYSARCH: 630 631 /* 632 * Header, subject, and return tokens added at end. 633 */ 634 break; 635 636 case AUE_MKFIFO: 637 if (ARG_IS_VALID(kar, ARG_MODE)) { 638 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 639 kau_write(rec, tok); 640 } 641 /* fall through */ 642 case AUE_ACCESS: 643 case AUE_CHDIR: 644 case AUE_CHROOT: 645 case AUE_EACCESS: 646 case AUE_GETATTRLIST: 647 case AUE_JAIL: 648 case AUE_LUTIMES: 649 case AUE_NFS_GETFH: 650 case AUE_LSTAT: 651 case AUE_PATHCONF: 652 case AUE_READLINK: 653 case AUE_REVOKE: 654 case AUE_RMDIR: 655 case AUE_SEARCHFS: 656 case AUE_SETATTRLIST: 657 case AUE_STAT: 658 case AUE_STATFS: 659 case AUE_SWAPON: 660 case AUE_SWAPOFF: 661 case AUE_TRUNCATE: 662 case AUE_UNDELETE: 663 case AUE_UNLINK: 664 case AUE_UTIMES: 665 UPATH1_VNODE1_TOKENS; 666 break; 667 668 case AUE_FHSTATFS: 669 case AUE_FHOPEN: 670 case AUE_FHSTAT: 671 /* XXXRW: Need to audit vnode argument. */ 672 break; 673 674 case AUE_CHFLAGS: 675 case AUE_LCHFLAGS: 676 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 677 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 678 kau_write(rec, tok); 679 } 680 UPATH1_VNODE1_TOKENS; 681 break; 682 683 case AUE_CHMOD: 684 case AUE_LCHMOD: 685 if (ARG_IS_VALID(kar, ARG_MODE)) { 686 tok = au_to_arg32(2, "new file mode", 687 ar->ar_arg_mode); 688 kau_write(rec, tok); 689 } 690 UPATH1_VNODE1_TOKENS; 691 break; 692 693 case AUE_CHOWN: 694 case AUE_LCHOWN: 695 if (ARG_IS_VALID(kar, ARG_UID)) { 696 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 697 kau_write(rec, tok); 698 } 699 if (ARG_IS_VALID(kar, ARG_GID)) { 700 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 701 kau_write(rec, tok); 702 } 703 UPATH1_VNODE1_TOKENS; 704 break; 705 706 case AUE_EXCHANGEDATA: 707 UPATH1_VNODE1_TOKENS; 708 UPATH2_TOKENS; 709 break; 710 711 case AUE_CLOSE: 712 if (ARG_IS_VALID(kar, ARG_FD)) { 713 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 714 kau_write(rec, tok); 715 } 716 UPATH1_VNODE1_TOKENS; 717 break; 718 719 case AUE_CORE: 720 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 721 tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 722 kau_write(rec, tok); 723 } 724 UPATH1_VNODE1_TOKENS; 725 break; 726 727 case AUE_EXTATTRCTL: 728 UPATH1_VNODE1_TOKENS; 729 if (ARG_IS_VALID(kar, ARG_CMD)) { 730 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 731 kau_write(rec, tok); 732 } 733 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 734 UPATH2_TOKENS; 735 VNODE2_TOKENS; 736 EXTATTR_TOKENS; 737 break; 738 739 case AUE_EXTATTR_GET_FILE: 740 case AUE_EXTATTR_SET_FILE: 741 case AUE_EXTATTR_LIST_FILE: 742 case AUE_EXTATTR_DELETE_FILE: 743 case AUE_EXTATTR_GET_LINK: 744 case AUE_EXTATTR_SET_LINK: 745 case AUE_EXTATTR_LIST_LINK: 746 case AUE_EXTATTR_DELETE_LINK: 747 UPATH1_VNODE1_TOKENS; 748 EXTATTR_TOKENS; 749 break; 750 751 case AUE_EXTATTR_GET_FD: 752 case AUE_EXTATTR_SET_FD: 753 case AUE_EXTATTR_LIST_FD: 754 case AUE_EXTATTR_DELETE_FD: 755 if (ARG_IS_VALID(kar, ARG_FD)) { 756 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 757 kau_write(rec, tok); 758 } 759 EXTATTR_TOKENS; 760 break; 761 762 case AUE_EXECVE: 763 if (ARG_IS_VALID(kar, ARG_ARGV)) { 764 tok = au_to_exec_args(ar->ar_arg_argv, 765 ar->ar_arg_argc); 766 kau_write(rec, tok); 767 } 768 if (ARG_IS_VALID(kar, ARG_ENVV)) { 769 tok = au_to_exec_env(ar->ar_arg_envv, 770 ar->ar_arg_envc); 771 kau_write(rec, tok); 772 } 773 UPATH1_VNODE1_TOKENS; 774 break; 775 776 case AUE_FCHMOD: 777 if (ARG_IS_VALID(kar, ARG_MODE)) { 778 tok = au_to_arg32(2, "new file mode", 779 ar->ar_arg_mode); 780 kau_write(rec, tok); 781 } 782 FD_VNODE1_TOKENS; 783 break; 784 785 /* 786 * XXXRW: Some of these need to handle non-vnode cases as well. 787 */ 788 case AUE_FCHDIR: 789 case AUE_FPATHCONF: 790 case AUE_FSTAT: 791 case AUE_FSTATFS: 792 case AUE_FSYNC: 793 case AUE_FTRUNCATE: 794 case AUE_FUTIMES: 795 case AUE_GETDIRENTRIES: 796 case AUE_GETDIRENTRIESATTR: 797 case AUE_POLL: 798 case AUE_READ: 799 case AUE_READV: 800 case AUE_WRITE: 801 case AUE_WRITEV: 802 FD_VNODE1_TOKENS; 803 break; 804 805 case AUE_FCHOWN: 806 if (ARG_IS_VALID(kar, ARG_UID)) { 807 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 808 kau_write(rec, tok); 809 } 810 if (ARG_IS_VALID(kar, ARG_GID)) { 811 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 812 kau_write(rec, tok); 813 } 814 FD_VNODE1_TOKENS; 815 break; 816 817 case AUE_FCNTL: 818 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 819 ar->ar_arg_cmd == F_SETLKW) { 820 if (ARG_IS_VALID(kar, ARG_CMD)) { 821 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 822 kau_write(rec, tok); 823 } 824 FD_VNODE1_TOKENS; 825 } 826 break; 827 828 case AUE_FCHFLAGS: 829 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 830 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 831 kau_write(rec, tok); 832 } 833 FD_VNODE1_TOKENS; 834 break; 835 836 case AUE_FLOCK: 837 if (ARG_IS_VALID(kar, ARG_CMD)) { 838 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 839 kau_write(rec, tok); 840 } 841 FD_VNODE1_TOKENS; 842 break; 843 844 case AUE_RFORK: 845 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 846 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 847 kau_write(rec, tok); 848 } 849 /* fall through */ 850 case AUE_FORK: 851 case AUE_VFORK: 852 if (ARG_IS_VALID(kar, ARG_PID)) { 853 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 854 kau_write(rec, tok); 855 } 856 break; 857 858 case AUE_IOCTL: 859 if (ARG_IS_VALID(kar, ARG_CMD)) { 860 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 861 kau_write(rec, tok); 862 } 863 if (ARG_IS_VALID(kar, ARG_ADDR)) { 864 tok = au_to_arg32(1, "arg", 865 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 866 kau_write(rec, tok); 867 } 868 if (ARG_IS_VALID(kar, ARG_VNODE1)) 869 FD_VNODE1_TOKENS; 870 else { 871 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 872 tok = kau_to_socket(&ar->ar_arg_sockinfo); 873 kau_write(rec, tok); 874 } else { 875 if (ARG_IS_VALID(kar, ARG_FD)) { 876 tok = au_to_arg32(1, "fd", 877 ar->ar_arg_fd); 878 kau_write(rec, tok); 879 } 880 } 881 } 882 break; 883 884 case AUE_KILL: 885 case AUE_KILLPG: 886 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 887 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 888 kau_write(rec, tok); 889 } 890 PROCESS_PID_TOKENS(1); 891 break; 892 893 case AUE_KTRACE: 894 if (ARG_IS_VALID(kar, ARG_CMD)) { 895 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 896 kau_write(rec, tok); 897 } 898 if (ARG_IS_VALID(kar, ARG_VALUE)) { 899 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 900 kau_write(rec, tok); 901 } 902 PROCESS_PID_TOKENS(4); 903 UPATH1_VNODE1_TOKENS; 904 break; 905 906 case AUE_LINK: 907 case AUE_RENAME: 908 UPATH1_VNODE1_TOKENS; 909 UPATH2_TOKENS; 910 break; 911 912 case AUE_LOADSHFILE: 913 if (ARG_IS_VALID(kar, ARG_ADDR)) { 914 tok = au_to_arg32(4, "base addr", 915 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 916 kau_write(rec, tok); 917 } 918 UPATH1_VNODE1_TOKENS; 919 break; 920 921 case AUE_MKDIR: 922 if (ARG_IS_VALID(kar, ARG_MODE)) { 923 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 924 kau_write(rec, tok); 925 } 926 UPATH1_VNODE1_TOKENS; 927 break; 928 929 case AUE_MKNOD: 930 if (ARG_IS_VALID(kar, ARG_MODE)) { 931 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 932 kau_write(rec, tok); 933 } 934 if (ARG_IS_VALID(kar, ARG_DEV)) { 935 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 936 kau_write(rec, tok); 937 } 938 UPATH1_VNODE1_TOKENS; 939 break; 940 941 case AUE_MMAP: 942 case AUE_MUNMAP: 943 case AUE_MPROTECT: 944 case AUE_MLOCK: 945 case AUE_MUNLOCK: 946 case AUE_MINHERIT: 947 if (ARG_IS_VALID(kar, ARG_ADDR)) { 948 tok = au_to_arg32(1, "addr", 949 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 950 kau_write(rec, tok); 951 } 952 if (ARG_IS_VALID(kar, ARG_LEN)) { 953 tok = au_to_arg32(2, "len", ar->ar_arg_len); 954 kau_write(rec, tok); 955 } 956 if (ar->ar_event == AUE_MMAP) 957 FD_VNODE1_TOKENS; 958 if (ar->ar_event == AUE_MPROTECT) { 959 if (ARG_IS_VALID(kar, ARG_VALUE)) { 960 tok = au_to_arg32(3, "protection", 961 ar->ar_arg_value); 962 kau_write(rec, tok); 963 } 964 } 965 if (ar->ar_event == AUE_MINHERIT) { 966 if (ARG_IS_VALID(kar, ARG_VALUE)) { 967 tok = au_to_arg32(3, "inherit", 968 ar->ar_arg_value); 969 kau_write(rec, tok); 970 } 971 } 972 break; 973 974 case AUE_MOUNT: 975 case AUE_NMOUNT: 976 /* XXX Need to handle NFS mounts */ 977 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 978 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 979 kau_write(rec, tok); 980 } 981 if (ARG_IS_VALID(kar, ARG_TEXT)) { 982 tok = au_to_text(ar->ar_arg_text); 983 kau_write(rec, tok); 984 } 985 /* fall through */ 986 987 case AUE_UMOUNT: 988 UPATH1_VNODE1_TOKENS; 989 break; 990 991 case AUE_MSGCTL: 992 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 993 /* Fall through */ 994 995 case AUE_MSGRCV: 996 case AUE_MSGSND: 997 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 998 kau_write(rec, tok); 999 if (ar->ar_errno != EINVAL) { 1000 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1001 kau_write(rec, tok); 1002 } 1003 break; 1004 1005 case AUE_MSGGET: 1006 if (ar->ar_errno == 0) { 1007 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1008 tok = au_to_ipc(AT_IPC_MSG, 1009 ar->ar_arg_svipc_id); 1010 kau_write(rec, tok); 1011 } 1012 } 1013 break; 1014 1015 case AUE_RESETSHFILE: 1016 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1017 tok = au_to_arg32(1, "base addr", 1018 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1019 kau_write(rec, tok); 1020 } 1021 break; 1022 1023 case AUE_OPEN_RC: 1024 case AUE_OPEN_RTC: 1025 case AUE_OPEN_RWC: 1026 case AUE_OPEN_RWTC: 1027 case AUE_OPEN_WC: 1028 case AUE_OPEN_WTC: 1029 case AUE_CREAT: 1030 if (ARG_IS_VALID(kar, ARG_MODE)) { 1031 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1032 kau_write(rec, tok); 1033 } 1034 /* fall through */ 1035 1036 case AUE_OPEN_R: 1037 case AUE_OPEN_RT: 1038 case AUE_OPEN_RW: 1039 case AUE_OPEN_RWT: 1040 case AUE_OPEN_W: 1041 case AUE_OPEN_WT: 1042 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1043 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1044 kau_write(rec, tok); 1045 } 1046 UPATH1_VNODE1_TOKENS; 1047 break; 1048 1049 case AUE_PTRACE: 1050 if (ARG_IS_VALID(kar, ARG_CMD)) { 1051 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1052 kau_write(rec, tok); 1053 } 1054 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1055 tok = au_to_arg32(3, "addr", 1056 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1057 kau_write(rec, tok); 1058 } 1059 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1060 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1061 kau_write(rec, tok); 1062 } 1063 PROCESS_PID_TOKENS(2); 1064 break; 1065 1066 case AUE_QUOTACTL: 1067 if (ARG_IS_VALID(kar, ARG_CMD)) { 1068 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1069 kau_write(rec, tok); 1070 } 1071 if (ARG_IS_VALID(kar, ARG_UID)) { 1072 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1073 kau_write(rec, tok); 1074 } 1075 UPATH1_VNODE1_TOKENS; 1076 break; 1077 1078 case AUE_REBOOT: 1079 if (ARG_IS_VALID(kar, ARG_CMD)) { 1080 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1081 kau_write(rec, tok); 1082 } 1083 break; 1084 1085 case AUE_SEMCTL: 1086 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1087 /* Fall through */ 1088 1089 case AUE_SEMOP: 1090 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1091 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1092 kau_write(rec, tok); 1093 if (ar->ar_errno != EINVAL) { 1094 tok = au_to_ipc(AT_IPC_SEM, 1095 ar->ar_arg_svipc_id); 1096 kau_write(rec, tok); 1097 } 1098 } 1099 break; 1100 1101 case AUE_SEMGET: 1102 if (ar->ar_errno == 0) { 1103 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1104 tok = au_to_ipc(AT_IPC_SEM, 1105 ar->ar_arg_svipc_id); 1106 kau_write(rec, tok); 1107 } 1108 } 1109 break; 1110 1111 case AUE_SETEGID: 1112 if (ARG_IS_VALID(kar, ARG_EGID)) { 1113 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1114 kau_write(rec, tok); 1115 } 1116 break; 1117 1118 case AUE_SETEUID: 1119 if (ARG_IS_VALID(kar, ARG_EUID)) { 1120 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1121 kau_write(rec, tok); 1122 } 1123 break; 1124 1125 case AUE_SETREGID: 1126 if (ARG_IS_VALID(kar, ARG_RGID)) { 1127 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1128 kau_write(rec, tok); 1129 } 1130 if (ARG_IS_VALID(kar, ARG_EGID)) { 1131 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1132 kau_write(rec, tok); 1133 } 1134 break; 1135 1136 case AUE_SETREUID: 1137 if (ARG_IS_VALID(kar, ARG_RUID)) { 1138 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1139 kau_write(rec, tok); 1140 } 1141 if (ARG_IS_VALID(kar, ARG_EUID)) { 1142 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1143 kau_write(rec, tok); 1144 } 1145 break; 1146 1147 case AUE_SETRESGID: 1148 if (ARG_IS_VALID(kar, ARG_RGID)) { 1149 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1150 kau_write(rec, tok); 1151 } 1152 if (ARG_IS_VALID(kar, ARG_EGID)) { 1153 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1154 kau_write(rec, tok); 1155 } 1156 if (ARG_IS_VALID(kar, ARG_SGID)) { 1157 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1158 kau_write(rec, tok); 1159 } 1160 break; 1161 1162 case AUE_SETRESUID: 1163 if (ARG_IS_VALID(kar, ARG_RUID)) { 1164 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1165 kau_write(rec, tok); 1166 } 1167 if (ARG_IS_VALID(kar, ARG_EUID)) { 1168 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1169 kau_write(rec, tok); 1170 } 1171 if (ARG_IS_VALID(kar, ARG_SUID)) { 1172 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1173 kau_write(rec, tok); 1174 } 1175 break; 1176 1177 case AUE_SETGID: 1178 if (ARG_IS_VALID(kar, ARG_GID)) { 1179 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1180 kau_write(rec, tok); 1181 } 1182 break; 1183 1184 case AUE_SETUID: 1185 if (ARG_IS_VALID(kar, ARG_UID)) { 1186 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1187 kau_write(rec, tok); 1188 } 1189 break; 1190 1191 case AUE_SETGROUPS: 1192 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1193 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1194 { 1195 tok = au_to_arg32(1, "setgroups", 1196 ar->ar_arg_groups.gidset[ctr]); 1197 kau_write(rec, tok); 1198 } 1199 } 1200 break; 1201 1202 case AUE_SETLOGIN: 1203 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1204 tok = au_to_text(ar->ar_arg_text); 1205 kau_write(rec, tok); 1206 } 1207 break; 1208 1209 case AUE_SETPRIORITY: 1210 if (ARG_IS_VALID(kar, ARG_CMD)) { 1211 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1212 kau_write(rec, tok); 1213 } 1214 if (ARG_IS_VALID(kar, ARG_UID)) { 1215 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1216 kau_write(rec, tok); 1217 } 1218 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1219 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1220 kau_write(rec, tok); 1221 } 1222 break; 1223 1224 case AUE_SETPRIVEXEC: 1225 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1226 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1227 kau_write(rec, tok); 1228 } 1229 break; 1230 1231 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1232 case AUE_SHMAT: 1233 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1234 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1235 kau_write(rec, tok); 1236 /* XXXAUDIT: Does having the ipc token make sense? */ 1237 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1238 kau_write(rec, tok); 1239 } 1240 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1241 tok = au_to_arg32(2, "shmaddr", 1242 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1243 kau_write(rec, tok); 1244 } 1245 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1246 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1247 kau_write(rec, tok); 1248 } 1249 break; 1250 1251 case AUE_SHMCTL: 1252 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1253 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1254 kau_write(rec, tok); 1255 /* XXXAUDIT: Does having the ipc token make sense? */ 1256 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1257 kau_write(rec, tok); 1258 } 1259 switch (ar->ar_arg_svipc_cmd) { 1260 case IPC_STAT: 1261 ar->ar_event = AUE_SHMCTL_STAT; 1262 break; 1263 case IPC_RMID: 1264 ar->ar_event = AUE_SHMCTL_RMID; 1265 break; 1266 case IPC_SET: 1267 ar->ar_event = AUE_SHMCTL_SET; 1268 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1269 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1270 kau_write(rec, tok); 1271 } 1272 break; 1273 default: 1274 break; /* We will audit a bad command */ 1275 } 1276 break; 1277 1278 case AUE_SHMDT: 1279 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1280 tok = au_to_arg32(1, "shmaddr", 1281 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1282 kau_write(rec, tok); 1283 } 1284 break; 1285 1286 case AUE_SHMGET: 1287 /* This is unusual; the return value is in an argument token */ 1288 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1289 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1290 kau_write(rec, tok); 1291 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1292 kau_write(rec, tok); 1293 } 1294 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1295 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1296 kau_write(rec, tok); 1297 } 1298 break; 1299 1300 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1301 * and AUE_SEMUNLINK are Posix IPC */ 1302 case AUE_SHMOPEN: 1303 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1304 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1305 kau_write(rec, tok); 1306 } 1307 if (ARG_IS_VALID(kar, ARG_MODE)) { 1308 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1309 kau_write(rec, tok); 1310 } 1311 case AUE_SHMUNLINK: 1312 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1313 tok = au_to_text(ar->ar_arg_text); 1314 kau_write(rec, tok); 1315 } 1316 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1317 /* Create an ipc_perm token */ 1318 struct ipc_perm perm; 1319 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1320 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1321 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1322 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1323 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1324 perm.seq = 0; 1325 perm.key = 0; 1326 tok = au_to_ipc_perm(&perm); 1327 kau_write(rec, tok); 1328 } 1329 break; 1330 1331 case AUE_SEMOPEN: 1332 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1333 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1334 kau_write(rec, tok); 1335 } 1336 if (ARG_IS_VALID(kar, ARG_MODE)) { 1337 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1338 kau_write(rec, tok); 1339 } 1340 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1341 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1342 kau_write(rec, tok); 1343 } 1344 /* fall through */ 1345 1346 case AUE_SEMUNLINK: 1347 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1348 tok = au_to_text(ar->ar_arg_text); 1349 kau_write(rec, tok); 1350 } 1351 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1352 /* Create an ipc_perm token */ 1353 struct ipc_perm perm; 1354 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1355 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1356 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1357 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1358 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1359 perm.seq = 0; 1360 perm.key = 0; 1361 tok = au_to_ipc_perm(&perm); 1362 kau_write(rec, tok); 1363 } 1364 break; 1365 1366 case AUE_SEMCLOSE: 1367 if (ARG_IS_VALID(kar, ARG_FD)) { 1368 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1369 kau_write(rec, tok); 1370 } 1371 break; 1372 1373 case AUE_SYMLINK: 1374 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1375 tok = au_to_text(ar->ar_arg_text); 1376 kau_write(rec, tok); 1377 } 1378 UPATH1_VNODE1_TOKENS; 1379 break; 1380 1381 case AUE_SYSCTL: 1382 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1383 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1384 tok = au_to_arg32(1, "name", 1385 ar->ar_arg_ctlname[ctr]); 1386 kau_write(rec, tok); 1387 } 1388 } 1389 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1390 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1391 kau_write(rec, tok); 1392 } 1393 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1394 tok = au_to_text(ar->ar_arg_text); 1395 kau_write(rec, tok); 1396 } 1397 break; 1398 1399 case AUE_UMASK: 1400 if (ARG_IS_VALID(kar, ARG_MASK)) { 1401 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1402 kau_write(rec, tok); 1403 } 1404 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1405 kau_write(rec, tok); 1406 break; 1407 1408 case AUE_WAIT4: 1409 if (ARG_IS_VALID(kar, ARG_PID)) { 1410 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1411 kau_write(rec, tok); 1412 } 1413 break; 1414 1415 case AUE_NULL: 1416 default: 1417 printf("BSM conversion requested for unknown event %d\n", 1418 ar->ar_event); 1419 /* Write the subject token so it is properly freed here. */ 1420 kau_write(rec, subj_tok); 1421 kau_free(rec); 1422 return (BSM_NOAUDIT); 1423 } 1424 1425 kau_write(rec, subj_tok); 1426 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1427 kau_write(rec, tok); /* Every record gets a return token */ 1428 1429 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1430 1431 *pau = rec; 1432 return (BSM_SUCCESS); 1433 } 1434 1435 /* 1436 * Verify that a record is a valid BSM record. This verification is simple 1437 * now, but may be expanded on sometime in the future. Return 1 if the 1438 * record is good, 0 otherwise. 1439 */ 1440 int 1441 bsm_rec_verify(void *rec) 1442 { 1443 char c = *(char *)rec; 1444 1445 /* 1446 * Check the token ID of the first token; it has to be a header 1447 * token. 1448 * 1449 * XXXAUDIT There needs to be a token structure to map a token. 1450 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1451 */ 1452 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1453 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1454 return (0); 1455 return (1); 1456 } 1457