1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/vnode.h> 35 #include <sys/ipc.h> 36 #include <sys/lock.h> 37 #include <sys/malloc.h> 38 #include <sys/mutex.h> 39 #include <sys/socket.h> 40 #include <sys/extattr.h> 41 #include <sys/fcntl.h> 42 #include <sys/user.h> 43 #include <sys/systm.h> 44 45 #include <bsm/audit.h> 46 #include <bsm/audit_internal.h> 47 #include <bsm/audit_record.h> 48 #include <bsm/audit_kevents.h> 49 50 #include <security/audit/audit.h> 51 #include <security/audit/audit_private.h> 52 53 #include <netinet/in_systm.h> 54 #include <netinet/in.h> 55 #include <netinet/ip.h> 56 57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59 static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62 /* 63 * Initialize the BSM auditing subsystem. 64 */ 65 void 66 kau_init(void) 67 { 68 69 au_evclassmap_init(); 70 } 71 72 /* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78 static struct au_record * 79 kau_open(void) 80 { 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90 } 91 92 /* 93 * Store the token with the record descriptor. 94 */ 95 static void 96 kau_write(struct au_record *rec, struct au_token *tok) 97 { 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103 } 104 105 /* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109 static void 110 kau_close(struct au_record *rec, struct timespec *ctime, short event) 111 { 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155 } 156 157 /* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161 void 162 kau_free(struct au_record *rec) 163 { 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177 } 178 179 /* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186 #define ATFD1_TOKENS(argnum) do { \ 187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 189 kau_write(rec, tok); \ 190 } \ 191 } while (0) 192 193 #define ATFD2_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define UPATH1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 202 tok = au_to_path(ar->ar_arg_upath1); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define UPATH2_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 209 tok = au_to_path(ar->ar_arg_upath2); \ 210 kau_write(rec, tok); \ 211 } \ 212 } while (0) 213 214 #define VNODE1_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 217 kau_write(rec, tok); \ 218 } \ 219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 220 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 221 kau_write(rec, tok); \ 222 } \ 223 } while (0) 224 225 #define UPATH1_VNODE1_TOKENS do { \ 226 UPATH1_TOKENS; \ 227 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 228 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 229 kau_write(rec, tok); \ 230 } \ 231 } while (0) 232 233 #define VNODE2_TOKENS do { \ 234 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 235 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 236 kau_write(rec, tok); \ 237 } \ 238 } while (0) 239 240 #define FD_VNODE1_TOKENS do { \ 241 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 242 if (ARG_IS_VALID(kar, ARG_FD)) { \ 243 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 244 kau_write(rec, tok); \ 245 } \ 246 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 247 kau_write(rec, tok); \ 248 } else { \ 249 if (ARG_IS_VALID(kar, ARG_FD)) { \ 250 tok = au_to_arg32(1, "non-file: fd", \ 251 ar->ar_arg_fd); \ 252 kau_write(rec, tok); \ 253 } \ 254 } \ 255 } while (0) 256 257 #define PROCESS_PID_TOKENS(argn) do { \ 258 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 259 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 260 tok = au_to_process32_ex(ar->ar_arg_auid, \ 261 ar->ar_arg_euid, ar->ar_arg_egid, \ 262 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 263 ar->ar_arg_pid, ar->ar_arg_asid, \ 264 &ar->ar_arg_termid_addr); \ 265 kau_write(rec, tok); \ 266 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 267 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 268 kau_write(rec, tok); \ 269 } \ 270 } while (0) 271 272 #define EXTATTR_TOKENS(namespace_argnum) do { \ 273 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 274 switch (ar->ar_arg_value) { \ 275 case EXTATTR_NAMESPACE_USER: \ 276 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 277 break; \ 278 case EXTATTR_NAMESPACE_SYSTEM: \ 279 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 280 break; \ 281 default: \ 282 tok = au_to_arg32((namespace_argnum), \ 283 "attrnamespace", ar->ar_arg_value); \ 284 break; \ 285 } \ 286 kau_write(rec, tok); \ 287 } \ 288 /* attrname is in the text field */ \ 289 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 290 tok = au_to_text(ar->ar_arg_text); \ 291 kau_write(rec, tok); \ 292 } \ 293 } while (0) 294 295 /* 296 * Not all pointer arguments to system calls are of interest, but in some 297 * cases they reflect delegation of rights, such as mmap(2) followed by 298 * minherit(2) before execve(2), so do the best we can. 299 */ 300 #define ADDR_TOKEN(argnum, argname) do { \ 301 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 302 if (sizeof(void *) == sizeof(uint32_t)) \ 303 tok = au_to_arg32((argnum), (argname), \ 304 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 305 else \ 306 tok = au_to_arg64((argnum), (argname), \ 307 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 308 kau_write(rec, tok); \ 309 } \ 310 } while (0) 311 312 313 /* 314 * Implement auditing for the auditon() system call. The audit tokens that 315 * are generated depend on the command that was sent into the auditon() 316 * system call. 317 */ 318 static void 319 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 320 { 321 struct au_token *tok; 322 323 tok = au_to_arg32(3, "length", ar->ar_arg_len); 324 kau_write(rec, tok); 325 switch (ar->ar_arg_cmd) { 326 case A_OLDSETPOLICY: 327 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 328 tok = au_to_arg64(2, "policy", 329 ar->ar_arg_auditon.au_policy64); 330 kau_write(rec, tok); 331 break; 332 } 333 /* FALLTHROUGH */ 334 335 case A_SETPOLICY: 336 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 337 kau_write(rec, tok); 338 break; 339 340 case A_SETKMASK: 341 tok = au_to_arg32(2, "setkmask:as_success", 342 ar->ar_arg_auditon.au_mask.am_success); 343 kau_write(rec, tok); 344 tok = au_to_arg32(2, "setkmask:as_failure", 345 ar->ar_arg_auditon.au_mask.am_failure); 346 kau_write(rec, tok); 347 break; 348 349 case A_OLDSETQCTRL: 350 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 351 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 352 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 353 kau_write(rec, tok); 354 tok = au_to_arg64(2, "setqctrl:aq_lowater", 355 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 356 kau_write(rec, tok); 357 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 358 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 359 kau_write(rec, tok); 360 tok = au_to_arg64(2, "setqctrl:aq_delay", 361 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_minfree", 364 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 365 kau_write(rec, tok); 366 break; 367 } 368 /* FALLTHROUGH */ 369 370 case A_SETQCTRL: 371 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 372 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 373 kau_write(rec, tok); 374 tok = au_to_arg32(2, "setqctrl:aq_lowater", 375 ar->ar_arg_auditon.au_qctrl.aq_lowater); 376 kau_write(rec, tok); 377 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 378 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 379 kau_write(rec, tok); 380 tok = au_to_arg32(2, "setqctrl:aq_delay", 381 ar->ar_arg_auditon.au_qctrl.aq_delay); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_minfree", 384 ar->ar_arg_auditon.au_qctrl.aq_minfree); 385 kau_write(rec, tok); 386 break; 387 388 case A_SETUMASK: 389 tok = au_to_arg32(2, "setumask:as_success", 390 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 391 kau_write(rec, tok); 392 tok = au_to_arg32(2, "setumask:as_failure", 393 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 394 kau_write(rec, tok); 395 break; 396 397 case A_SETSMASK: 398 tok = au_to_arg32(2, "setsmask:as_success", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 400 kau_write(rec, tok); 401 tok = au_to_arg32(2, "setsmask:as_failure", 402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 403 kau_write(rec, tok); 404 break; 405 406 case A_OLDSETCOND: 407 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 408 tok = au_to_arg64(2, "setcond", 409 ar->ar_arg_auditon.au_cond64); 410 kau_write(rec, tok); 411 break; 412 } 413 /* FALLTHROUGH */ 414 415 case A_SETCOND: 416 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 417 kau_write(rec, tok); 418 break; 419 420 case A_SETCLASS: 421 kau_write(rec, tok); 422 tok = au_to_arg32(2, "setclass:ec_event", 423 ar->ar_arg_auditon.au_evclass.ec_number); 424 kau_write(rec, tok); 425 tok = au_to_arg32(2, "setclass:ec_class", 426 ar->ar_arg_auditon.au_evclass.ec_class); 427 kau_write(rec, tok); 428 break; 429 430 case A_SETPMASK: 431 tok = au_to_arg32(2, "setpmask:as_success", 432 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 433 kau_write(rec, tok); 434 tok = au_to_arg32(2, "setpmask:as_failure", 435 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 436 kau_write(rec, tok); 437 break; 438 439 case A_SETFSIZE: 440 tok = au_to_arg32(2, "setfsize:filesize", 441 ar->ar_arg_auditon.au_fstat.af_filesz); 442 kau_write(rec, tok); 443 break; 444 445 default: 446 break; 447 } 448 } 449 450 /* 451 * Convert an internal kernel audit record to a BSM record and return a 452 * success/failure indicator. The BSM record is passed as an out parameter to 453 * this function. 454 * 455 * Return conditions: 456 * BSM_SUCCESS: The BSM record is valid 457 * BSM_FAILURE: Failure; the BSM record is NULL. 458 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 459 */ 460 int 461 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 462 { 463 struct au_token *tok, *subj_tok, *jail_tok; 464 struct au_record *rec; 465 au_tid_t tid; 466 struct audit_record *ar; 467 int ctr; 468 469 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 470 471 *pau = NULL; 472 ar = &kar->k_ar; 473 rec = kau_open(); 474 475 /* 476 * Create the subject token. If this credential was jailed be sure to 477 * generate a zonename token. 478 */ 479 if (ar->ar_jailname[0] != '\0') 480 jail_tok = au_to_zonename(ar->ar_jailname); 481 else 482 jail_tok = NULL; 483 switch (ar->ar_subj_term_addr.at_type) { 484 case AU_IPv4: 485 tid.port = ar->ar_subj_term_addr.at_port; 486 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 487 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 488 ar->ar_subj_cred.cr_uid, /* eff uid */ 489 ar->ar_subj_egid, /* eff group id */ 490 ar->ar_subj_ruid, /* real uid */ 491 ar->ar_subj_rgid, /* real group id */ 492 ar->ar_subj_pid, /* process id */ 493 ar->ar_subj_asid, /* session ID */ 494 &tid); 495 break; 496 case AU_IPv6: 497 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 498 ar->ar_subj_cred.cr_uid, 499 ar->ar_subj_egid, 500 ar->ar_subj_ruid, 501 ar->ar_subj_rgid, 502 ar->ar_subj_pid, 503 ar->ar_subj_asid, 504 &ar->ar_subj_term_addr); 505 break; 506 default: 507 bzero(&tid, sizeof(tid)); 508 subj_tok = au_to_subject32(ar->ar_subj_auid, 509 ar->ar_subj_cred.cr_uid, 510 ar->ar_subj_egid, 511 ar->ar_subj_ruid, 512 ar->ar_subj_rgid, 513 ar->ar_subj_pid, 514 ar->ar_subj_asid, 515 &tid); 516 } 517 518 /* 519 * The logic inside each case fills in the tokens required for the 520 * event, except for the header, trailer, and return tokens. The 521 * header and trailer tokens are added by the kau_close() function. 522 * The return token is added outside of the switch statement. 523 */ 524 switch(ar->ar_event) { 525 case AUE_ACCEPT: 526 case AUE_BIND: 527 case AUE_LISTEN: 528 case AUE_CONNECT: 529 case AUE_RECV: 530 case AUE_RECVFROM: 531 case AUE_RECVMSG: 532 case AUE_SEND: 533 case AUE_SENDFILE: 534 case AUE_SENDMSG: 535 case AUE_SENDTO: 536 /* 537 * Socket-related events. 538 */ 539 if (ARG_IS_VALID(kar, ARG_FD)) { 540 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 541 kau_write(rec, tok); 542 } 543 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 544 tok = au_to_sock_inet((struct sockaddr_in *) 545 &ar->ar_arg_sockaddr); 546 kau_write(rec, tok); 547 } 548 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 549 tok = au_to_sock_unix((struct sockaddr_un *) 550 &ar->ar_arg_sockaddr); 551 kau_write(rec, tok); 552 UPATH1_TOKENS; 553 } 554 /* XXX Need to handle ARG_SADDRINET6 */ 555 break; 556 557 case AUE_BINDAT: 558 case AUE_CONNECTAT: 559 ATFD1_TOKENS(1); 560 if (ARG_IS_VALID(kar, ARG_FD)) { 561 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 562 kau_write(rec, tok); 563 } 564 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 565 tok = au_to_sock_unix((struct sockaddr_un *) 566 &ar->ar_arg_sockaddr); 567 kau_write(rec, tok); 568 UPATH1_TOKENS; 569 } 570 break; 571 572 case AUE_SOCKET: 573 case AUE_SOCKETPAIR: 574 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 575 tok = au_to_arg32(1, "domain", 576 ar->ar_arg_sockinfo.so_domain); 577 kau_write(rec, tok); 578 tok = au_to_arg32(2, "type", 579 ar->ar_arg_sockinfo.so_type); 580 kau_write(rec, tok); 581 tok = au_to_arg32(3, "protocol", 582 ar->ar_arg_sockinfo.so_protocol); 583 kau_write(rec, tok); 584 } 585 break; 586 587 case AUE_SETSOCKOPT: 588 case AUE_SHUTDOWN: 589 if (ARG_IS_VALID(kar, ARG_FD)) { 590 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 591 kau_write(rec, tok); 592 } 593 break; 594 595 case AUE_ACCT: 596 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 597 UPATH1_VNODE1_TOKENS; 598 } else { 599 tok = au_to_arg32(1, "accounting off", 0); 600 kau_write(rec, tok); 601 } 602 break; 603 604 case AUE_SETAUID: 605 if (ARG_IS_VALID(kar, ARG_AUID)) { 606 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 607 kau_write(rec, tok); 608 } 609 break; 610 611 case AUE_SETAUDIT: 612 if (ARG_IS_VALID(kar, ARG_AUID) && 613 ARG_IS_VALID(kar, ARG_ASID) && 614 ARG_IS_VALID(kar, ARG_AMASK) && 615 ARG_IS_VALID(kar, ARG_TERMID)) { 616 tok = au_to_arg32(1, "setaudit:auid", 617 ar->ar_arg_auid); 618 kau_write(rec, tok); 619 tok = au_to_arg32(1, "setaudit:port", 620 ar->ar_arg_termid.port); 621 kau_write(rec, tok); 622 tok = au_to_arg32(1, "setaudit:machine", 623 ar->ar_arg_termid.machine); 624 kau_write(rec, tok); 625 tok = au_to_arg32(1, "setaudit:as_success", 626 ar->ar_arg_amask.am_success); 627 kau_write(rec, tok); 628 tok = au_to_arg32(1, "setaudit:as_failure", 629 ar->ar_arg_amask.am_failure); 630 kau_write(rec, tok); 631 tok = au_to_arg32(1, "setaudit:asid", 632 ar->ar_arg_asid); 633 kau_write(rec, tok); 634 } 635 break; 636 637 case AUE_SETAUDIT_ADDR: 638 if (ARG_IS_VALID(kar, ARG_AUID) && 639 ARG_IS_VALID(kar, ARG_ASID) && 640 ARG_IS_VALID(kar, ARG_AMASK) && 641 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 642 tok = au_to_arg32(1, "setaudit_addr:auid", 643 ar->ar_arg_auid); 644 kau_write(rec, tok); 645 tok = au_to_arg32(1, "setaudit_addr:as_success", 646 ar->ar_arg_amask.am_success); 647 kau_write(rec, tok); 648 tok = au_to_arg32(1, "setaudit_addr:as_failure", 649 ar->ar_arg_amask.am_failure); 650 kau_write(rec, tok); 651 tok = au_to_arg32(1, "setaudit_addr:asid", 652 ar->ar_arg_asid); 653 kau_write(rec, tok); 654 tok = au_to_arg32(1, "setaudit_addr:type", 655 ar->ar_arg_termid_addr.at_type); 656 kau_write(rec, tok); 657 tok = au_to_arg32(1, "setaudit_addr:port", 658 ar->ar_arg_termid_addr.at_port); 659 kau_write(rec, tok); 660 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 661 tok = au_to_in_addr_ex((struct in6_addr *) 662 &ar->ar_arg_termid_addr.at_addr[0]); 663 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 664 tok = au_to_in_addr((struct in_addr *) 665 &ar->ar_arg_termid_addr.at_addr[0]); 666 kau_write(rec, tok); 667 } 668 break; 669 670 case AUE_AUDITON: 671 /* 672 * For AUDITON commands without own event, audit the cmd. 673 */ 674 if (ARG_IS_VALID(kar, ARG_CMD)) { 675 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 676 kau_write(rec, tok); 677 } 678 /* FALLTHROUGH */ 679 680 case AUE_AUDITON_GETCAR: 681 case AUE_AUDITON_GETCLASS: 682 case AUE_AUDITON_GETCOND: 683 case AUE_AUDITON_GETCWD: 684 case AUE_AUDITON_GETKMASK: 685 case AUE_AUDITON_GETSTAT: 686 case AUE_AUDITON_GPOLICY: 687 case AUE_AUDITON_GQCTRL: 688 case AUE_AUDITON_SETCLASS: 689 case AUE_AUDITON_SETCOND: 690 case AUE_AUDITON_SETKMASK: 691 case AUE_AUDITON_SETSMASK: 692 case AUE_AUDITON_SETSTAT: 693 case AUE_AUDITON_SETUMASK: 694 case AUE_AUDITON_SPOLICY: 695 case AUE_AUDITON_SQCTRL: 696 if (ARG_IS_VALID(kar, ARG_AUDITON)) 697 audit_sys_auditon(ar, rec); 698 break; 699 700 case AUE_AUDITCTL: 701 UPATH1_VNODE1_TOKENS; 702 break; 703 704 case AUE_EXIT: 705 if (ARG_IS_VALID(kar, ARG_EXIT)) { 706 tok = au_to_exit(ar->ar_arg_exitretval, 707 ar->ar_arg_exitstatus); 708 kau_write(rec, tok); 709 } 710 break; 711 712 case AUE_ADJTIME: 713 case AUE_CLOCK_SETTIME: 714 case AUE_AUDIT: 715 case AUE_DUP2: 716 case AUE_GETAUDIT: 717 case AUE_GETAUDIT_ADDR: 718 case AUE_GETAUID: 719 case AUE_GETCWD: 720 case AUE_GETFSSTAT: 721 case AUE_GETRESUID: 722 case AUE_GETRESGID: 723 case AUE_KQUEUE: 724 case AUE_MODLOAD: 725 case AUE_MODUNLOAD: 726 case AUE_MSGSYS: 727 case AUE_NTP_ADJTIME: 728 case AUE_PIPE: 729 case AUE_POSIX_OPENPT: 730 case AUE_PROFILE: 731 case AUE_RTPRIO: 732 case AUE_SEMSYS: 733 case AUE_SHMSYS: 734 case AUE_SETPGRP: 735 case AUE_SETRLIMIT: 736 case AUE_SETSID: 737 case AUE_SETTIMEOFDAY: 738 case AUE_SYSARCH: 739 740 /* 741 * Header, subject, and return tokens added at end. 742 */ 743 break; 744 745 case AUE_CHDIR: 746 case AUE_CHROOT: 747 case AUE_FSTATAT: 748 case AUE_FUTIMESAT: 749 case AUE_GETATTRLIST: 750 case AUE_JAIL: 751 case AUE_LUTIMES: 752 case AUE_NFS_GETFH: 753 case AUE_LSTAT: 754 case AUE_LPATHCONF: 755 case AUE_PATHCONF: 756 case AUE_READLINK: 757 case AUE_READLINKAT: 758 case AUE_REVOKE: 759 case AUE_RMDIR: 760 case AUE_SEARCHFS: 761 case AUE_SETATTRLIST: 762 case AUE_STAT: 763 case AUE_STATFS: 764 case AUE_SWAPON: 765 case AUE_SWAPOFF: 766 case AUE_TRUNCATE: 767 case AUE_UNDELETE: 768 case AUE_UNLINK: 769 case AUE_UNLINKAT: 770 case AUE_UTIMES: 771 ATFD1_TOKENS(1); 772 UPATH1_VNODE1_TOKENS; 773 break; 774 775 case AUE_ACCESS: 776 case AUE_EACCESS: 777 case AUE_FACCESSAT: 778 ATFD1_TOKENS(1); 779 UPATH1_VNODE1_TOKENS; 780 if (ARG_IS_VALID(kar, ARG_VALUE)) { 781 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 782 kau_write(rec, tok); 783 } 784 break; 785 786 case AUE_FHSTATFS: 787 case AUE_FHOPEN: 788 case AUE_FHSTAT: 789 /* XXXRW: Need to audit vnode argument. */ 790 break; 791 792 case AUE_CHFLAGS: 793 case AUE_LCHFLAGS: 794 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 795 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 796 kau_write(rec, tok); 797 } 798 UPATH1_VNODE1_TOKENS; 799 break; 800 801 case AUE_CHMOD: 802 case AUE_LCHMOD: 803 if (ARG_IS_VALID(kar, ARG_MODE)) { 804 tok = au_to_arg32(2, "new file mode", 805 ar->ar_arg_mode); 806 kau_write(rec, tok); 807 } 808 UPATH1_VNODE1_TOKENS; 809 break; 810 811 case AUE_FCHMODAT: 812 ATFD1_TOKENS(1); 813 if (ARG_IS_VALID(kar, ARG_MODE)) { 814 tok = au_to_arg32(3, "new file mode", 815 ar->ar_arg_mode); 816 kau_write(rec, tok); 817 } 818 UPATH1_VNODE1_TOKENS; 819 break; 820 821 case AUE_CHOWN: 822 case AUE_LCHOWN: 823 if (ARG_IS_VALID(kar, ARG_UID)) { 824 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 825 kau_write(rec, tok); 826 } 827 if (ARG_IS_VALID(kar, ARG_GID)) { 828 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 829 kau_write(rec, tok); 830 } 831 UPATH1_VNODE1_TOKENS; 832 break; 833 834 case AUE_FCHOWNAT: 835 ATFD1_TOKENS(1); 836 if (ARG_IS_VALID(kar, ARG_UID)) { 837 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 838 kau_write(rec, tok); 839 } 840 if (ARG_IS_VALID(kar, ARG_GID)) { 841 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 842 kau_write(rec, tok); 843 } 844 UPATH1_VNODE1_TOKENS; 845 break; 846 847 case AUE_EXCHANGEDATA: 848 UPATH1_VNODE1_TOKENS; 849 UPATH2_TOKENS; 850 break; 851 852 case AUE_CLOSE: 853 if (ARG_IS_VALID(kar, ARG_FD)) { 854 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 855 kau_write(rec, tok); 856 } 857 UPATH1_VNODE1_TOKENS; 858 break; 859 860 case AUE_CLOSEFROM: 861 if (ARG_IS_VALID(kar, ARG_FD)) { 862 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 863 kau_write(rec, tok); 864 } 865 break; 866 867 case AUE_CORE: 868 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 869 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 870 kau_write(rec, tok); 871 } 872 UPATH1_VNODE1_TOKENS; 873 break; 874 875 case AUE_EXTATTRCTL: 876 UPATH1_VNODE1_TOKENS; 877 if (ARG_IS_VALID(kar, ARG_CMD)) { 878 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 879 kau_write(rec, tok); 880 } 881 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 882 UPATH2_TOKENS; 883 VNODE2_TOKENS; 884 EXTATTR_TOKENS(4); 885 break; 886 887 case AUE_EXTATTR_GET_FILE: 888 case AUE_EXTATTR_SET_FILE: 889 case AUE_EXTATTR_LIST_FILE: 890 case AUE_EXTATTR_DELETE_FILE: 891 case AUE_EXTATTR_GET_LINK: 892 case AUE_EXTATTR_SET_LINK: 893 case AUE_EXTATTR_LIST_LINK: 894 case AUE_EXTATTR_DELETE_LINK: 895 UPATH1_VNODE1_TOKENS; 896 EXTATTR_TOKENS(2); 897 break; 898 899 case AUE_EXTATTR_GET_FD: 900 case AUE_EXTATTR_SET_FD: 901 case AUE_EXTATTR_LIST_FD: 902 case AUE_EXTATTR_DELETE_FD: 903 if (ARG_IS_VALID(kar, ARG_FD)) { 904 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 905 kau_write(rec, tok); 906 } 907 EXTATTR_TOKENS(2); 908 break; 909 910 case AUE_FEXECVE: 911 if (ARG_IS_VALID(kar, ARG_FD)) { 912 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 913 kau_write(rec, tok); 914 } 915 /* FALLTHROUGH */ 916 917 case AUE_EXECVE: 918 case AUE_MAC_EXECVE: 919 if (ARG_IS_VALID(kar, ARG_ARGV)) { 920 tok = au_to_exec_args(ar->ar_arg_argv, 921 ar->ar_arg_argc); 922 kau_write(rec, tok); 923 } 924 if (ARG_IS_VALID(kar, ARG_ENVV)) { 925 tok = au_to_exec_env(ar->ar_arg_envv, 926 ar->ar_arg_envc); 927 kau_write(rec, tok); 928 } 929 UPATH1_VNODE1_TOKENS; 930 break; 931 932 case AUE_FCHMOD: 933 if (ARG_IS_VALID(kar, ARG_MODE)) { 934 tok = au_to_arg32(2, "new file mode", 935 ar->ar_arg_mode); 936 kau_write(rec, tok); 937 } 938 FD_VNODE1_TOKENS; 939 break; 940 941 /* 942 * XXXRW: Some of these need to handle non-vnode cases as well. 943 */ 944 case AUE_FCHDIR: 945 case AUE_FPATHCONF: 946 case AUE_FSTAT: 947 case AUE_FSTATFS: 948 case AUE_FSYNC: 949 case AUE_FTRUNCATE: 950 case AUE_FUTIMES: 951 case AUE_GETDIRENTRIES: 952 case AUE_GETDIRENTRIESATTR: 953 case AUE_LSEEK: 954 case AUE_POLL: 955 case AUE_PREAD: 956 case AUE_PWRITE: 957 case AUE_READ: 958 case AUE_READV: 959 case AUE_WRITE: 960 case AUE_WRITEV: 961 FD_VNODE1_TOKENS; 962 break; 963 964 case AUE_FCHOWN: 965 if (ARG_IS_VALID(kar, ARG_UID)) { 966 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 967 kau_write(rec, tok); 968 } 969 if (ARG_IS_VALID(kar, ARG_GID)) { 970 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 971 kau_write(rec, tok); 972 } 973 FD_VNODE1_TOKENS; 974 break; 975 976 case AUE_FCNTL: 977 if (ARG_IS_VALID(kar, ARG_CMD)) { 978 tok = au_to_arg32(2, "cmd", 979 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 980 kau_write(rec, tok); 981 } 982 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 983 ar->ar_arg_cmd == F_SETLKW) { 984 FD_VNODE1_TOKENS; 985 } 986 break; 987 988 case AUE_FCHFLAGS: 989 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 990 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 991 kau_write(rec, tok); 992 } 993 FD_VNODE1_TOKENS; 994 break; 995 996 case AUE_FLOCK: 997 if (ARG_IS_VALID(kar, ARG_CMD)) { 998 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 999 kau_write(rec, tok); 1000 } 1001 FD_VNODE1_TOKENS; 1002 break; 1003 1004 case AUE_RFORK: 1005 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1006 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1007 kau_write(rec, tok); 1008 } 1009 /* FALLTHROUGH */ 1010 1011 case AUE_FORK: 1012 case AUE_VFORK: 1013 if (ARG_IS_VALID(kar, ARG_PID)) { 1014 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1015 kau_write(rec, tok); 1016 } 1017 break; 1018 1019 case AUE_IOCTL: 1020 if (ARG_IS_VALID(kar, ARG_CMD)) { 1021 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1022 kau_write(rec, tok); 1023 } 1024 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1025 FD_VNODE1_TOKENS; 1026 else { 1027 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1028 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1029 kau_write(rec, tok); 1030 } else { 1031 if (ARG_IS_VALID(kar, ARG_FD)) { 1032 tok = au_to_arg32(1, "fd", 1033 ar->ar_arg_fd); 1034 kau_write(rec, tok); 1035 } 1036 } 1037 } 1038 break; 1039 1040 case AUE_KILL: 1041 case AUE_KILLPG: 1042 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1043 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1044 kau_write(rec, tok); 1045 } 1046 PROCESS_PID_TOKENS(1); 1047 break; 1048 1049 case AUE_KTRACE: 1050 if (ARG_IS_VALID(kar, ARG_CMD)) { 1051 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1052 kau_write(rec, tok); 1053 } 1054 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1055 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1056 kau_write(rec, tok); 1057 } 1058 PROCESS_PID_TOKENS(4); 1059 UPATH1_VNODE1_TOKENS; 1060 break; 1061 1062 case AUE_LINK: 1063 case AUE_LINKAT: 1064 case AUE_RENAME: 1065 case AUE_RENAMEAT: 1066 ATFD1_TOKENS(1); 1067 UPATH1_VNODE1_TOKENS; 1068 ATFD2_TOKENS(3); 1069 UPATH2_TOKENS; 1070 break; 1071 1072 case AUE_LOADSHFILE: 1073 ADDR_TOKEN(4, "base addr"); 1074 UPATH1_VNODE1_TOKENS; 1075 break; 1076 1077 case AUE_MKDIR: 1078 case AUE_MKDIRAT: 1079 case AUE_MKFIFO: 1080 case AUE_MKFIFOAT: 1081 ATFD1_TOKENS(1); 1082 if (ARG_IS_VALID(kar, ARG_MODE)) { 1083 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1084 kau_write(rec, tok); 1085 } 1086 UPATH1_VNODE1_TOKENS; 1087 break; 1088 1089 case AUE_MKNOD: 1090 case AUE_MKNODAT: 1091 ATFD1_TOKENS(1); 1092 if (ARG_IS_VALID(kar, ARG_MODE)) { 1093 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1094 kau_write(rec, tok); 1095 } 1096 if (ARG_IS_VALID(kar, ARG_DEV)) { 1097 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1098 kau_write(rec, tok); 1099 } 1100 UPATH1_VNODE1_TOKENS; 1101 break; 1102 1103 case AUE_MMAP: 1104 case AUE_MUNMAP: 1105 case AUE_MPROTECT: 1106 case AUE_MLOCK: 1107 case AUE_MUNLOCK: 1108 case AUE_MINHERIT: 1109 ADDR_TOKEN(1, "addr"); 1110 if (ARG_IS_VALID(kar, ARG_LEN)) { 1111 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1112 kau_write(rec, tok); 1113 } 1114 if (ar->ar_event == AUE_MMAP) 1115 FD_VNODE1_TOKENS; 1116 if (ar->ar_event == AUE_MPROTECT) { 1117 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1118 tok = au_to_arg32(3, "protection", 1119 ar->ar_arg_value); 1120 kau_write(rec, tok); 1121 } 1122 } 1123 if (ar->ar_event == AUE_MINHERIT) { 1124 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1125 tok = au_to_arg32(3, "inherit", 1126 ar->ar_arg_value); 1127 kau_write(rec, tok); 1128 } 1129 } 1130 break; 1131 1132 case AUE_MOUNT: 1133 case AUE_NMOUNT: 1134 /* XXX Need to handle NFS mounts */ 1135 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1136 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1137 kau_write(rec, tok); 1138 } 1139 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1140 tok = au_to_text(ar->ar_arg_text); 1141 kau_write(rec, tok); 1142 } 1143 /* FALLTHROUGH */ 1144 1145 case AUE_NFS_SVC: 1146 if (ARG_IS_VALID(kar, ARG_CMD)) { 1147 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1148 kau_write(rec, tok); 1149 } 1150 break; 1151 1152 case AUE_UMOUNT: 1153 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1154 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1155 kau_write(rec, tok); 1156 } 1157 UPATH1_VNODE1_TOKENS; 1158 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1159 tok = au_to_text(ar->ar_arg_text); 1160 kau_write(rec, tok); 1161 } 1162 break; 1163 1164 case AUE_MSGCTL: 1165 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1166 /* Fall through */ 1167 1168 case AUE_MSGRCV: 1169 case AUE_MSGSND: 1170 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1171 kau_write(rec, tok); 1172 if (ar->ar_errno != EINVAL) { 1173 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1174 kau_write(rec, tok); 1175 } 1176 break; 1177 1178 case AUE_MSGGET: 1179 if (ar->ar_errno == 0) { 1180 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1181 tok = au_to_ipc(AT_IPC_MSG, 1182 ar->ar_arg_svipc_id); 1183 kau_write(rec, tok); 1184 } 1185 } 1186 break; 1187 1188 case AUE_RESETSHFILE: 1189 ADDR_TOKEN(1, "base addr"); 1190 break; 1191 1192 case AUE_OPEN_RC: 1193 case AUE_OPEN_RTC: 1194 case AUE_OPEN_RWC: 1195 case AUE_OPEN_RWTC: 1196 case AUE_OPEN_WC: 1197 case AUE_OPEN_WTC: 1198 case AUE_CREAT: 1199 if (ARG_IS_VALID(kar, ARG_MODE)) { 1200 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1201 kau_write(rec, tok); 1202 } 1203 /* FALLTHROUGH */ 1204 1205 case AUE_OPEN_R: 1206 case AUE_OPEN_RT: 1207 case AUE_OPEN_RW: 1208 case AUE_OPEN_RWT: 1209 case AUE_OPEN_W: 1210 case AUE_OPEN_WT: 1211 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1212 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1213 kau_write(rec, tok); 1214 } 1215 UPATH1_VNODE1_TOKENS; 1216 break; 1217 1218 case AUE_OPENAT_RC: 1219 case AUE_OPENAT_RTC: 1220 case AUE_OPENAT_RWC: 1221 case AUE_OPENAT_RWTC: 1222 case AUE_OPENAT_WC: 1223 case AUE_OPENAT_WTC: 1224 if (ARG_IS_VALID(kar, ARG_MODE)) { 1225 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1226 kau_write(rec, tok); 1227 } 1228 /* FALLTHROUGH */ 1229 1230 case AUE_OPENAT_R: 1231 case AUE_OPENAT_RT: 1232 case AUE_OPENAT_RW: 1233 case AUE_OPENAT_RWT: 1234 case AUE_OPENAT_W: 1235 case AUE_OPENAT_WT: 1236 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1237 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1238 kau_write(rec, tok); 1239 } 1240 ATFD1_TOKENS(1); 1241 UPATH1_VNODE1_TOKENS; 1242 break; 1243 1244 case AUE_PTRACE: 1245 if (ARG_IS_VALID(kar, ARG_CMD)) { 1246 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1247 kau_write(rec, tok); 1248 } 1249 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1250 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1251 kau_write(rec, tok); 1252 } 1253 PROCESS_PID_TOKENS(2); 1254 break; 1255 1256 case AUE_QUOTACTL: 1257 if (ARG_IS_VALID(kar, ARG_CMD)) { 1258 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1259 kau_write(rec, tok); 1260 } 1261 if (ARG_IS_VALID(kar, ARG_UID)) { 1262 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1263 kau_write(rec, tok); 1264 } 1265 if (ARG_IS_VALID(kar, ARG_GID)) { 1266 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1267 kau_write(rec, tok); 1268 } 1269 UPATH1_VNODE1_TOKENS; 1270 break; 1271 1272 case AUE_REBOOT: 1273 if (ARG_IS_VALID(kar, ARG_CMD)) { 1274 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1275 kau_write(rec, tok); 1276 } 1277 break; 1278 1279 case AUE_SEMCTL: 1280 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1281 /* Fall through */ 1282 1283 case AUE_SEMOP: 1284 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1285 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1286 kau_write(rec, tok); 1287 if (ar->ar_errno != EINVAL) { 1288 tok = au_to_ipc(AT_IPC_SEM, 1289 ar->ar_arg_svipc_id); 1290 kau_write(rec, tok); 1291 } 1292 } 1293 break; 1294 1295 case AUE_SEMGET: 1296 if (ar->ar_errno == 0) { 1297 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1298 tok = au_to_ipc(AT_IPC_SEM, 1299 ar->ar_arg_svipc_id); 1300 kau_write(rec, tok); 1301 } 1302 } 1303 break; 1304 1305 case AUE_SETEGID: 1306 if (ARG_IS_VALID(kar, ARG_EGID)) { 1307 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1308 kau_write(rec, tok); 1309 } 1310 break; 1311 1312 case AUE_SETEUID: 1313 if (ARG_IS_VALID(kar, ARG_EUID)) { 1314 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1315 kau_write(rec, tok); 1316 } 1317 break; 1318 1319 case AUE_SETREGID: 1320 if (ARG_IS_VALID(kar, ARG_RGID)) { 1321 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1322 kau_write(rec, tok); 1323 } 1324 if (ARG_IS_VALID(kar, ARG_EGID)) { 1325 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1326 kau_write(rec, tok); 1327 } 1328 break; 1329 1330 case AUE_SETREUID: 1331 if (ARG_IS_VALID(kar, ARG_RUID)) { 1332 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1333 kau_write(rec, tok); 1334 } 1335 if (ARG_IS_VALID(kar, ARG_EUID)) { 1336 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1337 kau_write(rec, tok); 1338 } 1339 break; 1340 1341 case AUE_SETRESGID: 1342 if (ARG_IS_VALID(kar, ARG_RGID)) { 1343 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1344 kau_write(rec, tok); 1345 } 1346 if (ARG_IS_VALID(kar, ARG_EGID)) { 1347 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1348 kau_write(rec, tok); 1349 } 1350 if (ARG_IS_VALID(kar, ARG_SGID)) { 1351 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1352 kau_write(rec, tok); 1353 } 1354 break; 1355 1356 case AUE_SETRESUID: 1357 if (ARG_IS_VALID(kar, ARG_RUID)) { 1358 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1359 kau_write(rec, tok); 1360 } 1361 if (ARG_IS_VALID(kar, ARG_EUID)) { 1362 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1363 kau_write(rec, tok); 1364 } 1365 if (ARG_IS_VALID(kar, ARG_SUID)) { 1366 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1367 kau_write(rec, tok); 1368 } 1369 break; 1370 1371 case AUE_SETGID: 1372 if (ARG_IS_VALID(kar, ARG_GID)) { 1373 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1374 kau_write(rec, tok); 1375 } 1376 break; 1377 1378 case AUE_SETUID: 1379 if (ARG_IS_VALID(kar, ARG_UID)) { 1380 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1381 kau_write(rec, tok); 1382 } 1383 break; 1384 1385 case AUE_SETGROUPS: 1386 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1387 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1388 { 1389 tok = au_to_arg32(1, "setgroups", 1390 ar->ar_arg_groups.gidset[ctr]); 1391 kau_write(rec, tok); 1392 } 1393 } 1394 break; 1395 1396 case AUE_SETLOGIN: 1397 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1398 tok = au_to_text(ar->ar_arg_login); 1399 kau_write(rec, tok); 1400 } 1401 break; 1402 1403 case AUE_SETPRIORITY: 1404 if (ARG_IS_VALID(kar, ARG_CMD)) { 1405 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1406 kau_write(rec, tok); 1407 } 1408 if (ARG_IS_VALID(kar, ARG_UID)) { 1409 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1410 kau_write(rec, tok); 1411 } 1412 PROCESS_PID_TOKENS(2); 1413 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1414 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1415 kau_write(rec, tok); 1416 } 1417 break; 1418 1419 case AUE_SETPRIVEXEC: 1420 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1421 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1422 kau_write(rec, tok); 1423 } 1424 break; 1425 1426 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1427 case AUE_SHMAT: 1428 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1429 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1430 kau_write(rec, tok); 1431 /* XXXAUDIT: Does having the ipc token make sense? */ 1432 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1433 kau_write(rec, tok); 1434 } 1435 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1436 tok = au_to_arg32(2, "shmaddr", 1437 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1438 kau_write(rec, tok); 1439 } 1440 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1441 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1442 kau_write(rec, tok); 1443 } 1444 break; 1445 1446 case AUE_SHMCTL: 1447 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1448 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1449 kau_write(rec, tok); 1450 /* XXXAUDIT: Does having the ipc token make sense? */ 1451 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1452 kau_write(rec, tok); 1453 } 1454 switch (ar->ar_arg_svipc_cmd) { 1455 case IPC_STAT: 1456 ar->ar_event = AUE_SHMCTL_STAT; 1457 break; 1458 case IPC_RMID: 1459 ar->ar_event = AUE_SHMCTL_RMID; 1460 break; 1461 case IPC_SET: 1462 ar->ar_event = AUE_SHMCTL_SET; 1463 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1464 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1465 kau_write(rec, tok); 1466 } 1467 break; 1468 default: 1469 break; /* We will audit a bad command */ 1470 } 1471 break; 1472 1473 case AUE_SHMDT: 1474 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1475 tok = au_to_arg32(1, "shmaddr", 1476 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1477 kau_write(rec, tok); 1478 } 1479 break; 1480 1481 case AUE_SHMGET: 1482 /* This is unusual; the return value is in an argument token */ 1483 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1484 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1485 kau_write(rec, tok); 1486 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1487 kau_write(rec, tok); 1488 } 1489 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1490 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1491 kau_write(rec, tok); 1492 } 1493 break; 1494 1495 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1496 * and AUE_SEMUNLINK are Posix IPC */ 1497 case AUE_SHMOPEN: 1498 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1499 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1500 kau_write(rec, tok); 1501 } 1502 if (ARG_IS_VALID(kar, ARG_MODE)) { 1503 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1504 kau_write(rec, tok); 1505 } 1506 /* FALLTHROUGH */ 1507 1508 case AUE_SHMUNLINK: 1509 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1510 tok = au_to_text(ar->ar_arg_text); 1511 kau_write(rec, tok); 1512 } 1513 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1514 struct ipc_perm perm; 1515 1516 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1517 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1518 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1519 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1520 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1521 perm.seq = 0; 1522 perm.key = 0; 1523 tok = au_to_ipc_perm(&perm); 1524 kau_write(rec, tok); 1525 } 1526 break; 1527 1528 case AUE_SEMOPEN: 1529 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1530 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1531 kau_write(rec, tok); 1532 } 1533 if (ARG_IS_VALID(kar, ARG_MODE)) { 1534 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1535 kau_write(rec, tok); 1536 } 1537 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1538 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1539 kau_write(rec, tok); 1540 } 1541 /* FALLTHROUGH */ 1542 1543 case AUE_SEMUNLINK: 1544 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1545 tok = au_to_text(ar->ar_arg_text); 1546 kau_write(rec, tok); 1547 } 1548 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1549 struct ipc_perm perm; 1550 1551 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1552 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1553 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1554 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1555 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1556 perm.seq = 0; 1557 perm.key = 0; 1558 tok = au_to_ipc_perm(&perm); 1559 kau_write(rec, tok); 1560 } 1561 break; 1562 1563 case AUE_SEMCLOSE: 1564 if (ARG_IS_VALID(kar, ARG_FD)) { 1565 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1566 kau_write(rec, tok); 1567 } 1568 break; 1569 1570 case AUE_SYMLINK: 1571 case AUE_SYMLINKAT: 1572 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1573 tok = au_to_text(ar->ar_arg_text); 1574 kau_write(rec, tok); 1575 } 1576 ATFD1_TOKENS(1); 1577 UPATH1_VNODE1_TOKENS; 1578 break; 1579 1580 case AUE_SYSCTL: 1581 case AUE_SYSCTL_NONADMIN: 1582 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1583 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1584 tok = au_to_arg32(1, "name", 1585 ar->ar_arg_ctlname[ctr]); 1586 kau_write(rec, tok); 1587 } 1588 } 1589 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1590 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1591 kau_write(rec, tok); 1592 } 1593 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1594 tok = au_to_text(ar->ar_arg_text); 1595 kau_write(rec, tok); 1596 } 1597 break; 1598 1599 case AUE_UMASK: 1600 if (ARG_IS_VALID(kar, ARG_MASK)) { 1601 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1602 kau_write(rec, tok); 1603 } 1604 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1605 kau_write(rec, tok); 1606 break; 1607 1608 case AUE_WAIT4: 1609 case AUE_WAIT6: 1610 PROCESS_PID_TOKENS(1); 1611 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1612 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1613 kau_write(rec, tok); 1614 } 1615 break; 1616 1617 case AUE_CAP_RIGHTS_LIMIT: 1618 /* 1619 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1620 */ 1621 FD_VNODE1_TOKENS; 1622 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1623 tok = au_to_rights(&ar->ar_arg_rights); 1624 kau_write(rec, tok); 1625 } 1626 break; 1627 1628 case AUE_CAP_FCNTLS_GET: 1629 case AUE_CAP_IOCTLS_GET: 1630 case AUE_CAP_IOCTLS_LIMIT: 1631 case AUE_CAP_RIGHTS_GET: 1632 if (ARG_IS_VALID(kar, ARG_FD)) { 1633 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1634 kau_write(rec, tok); 1635 } 1636 break; 1637 1638 case AUE_CAP_FCNTLS_LIMIT: 1639 FD_VNODE1_TOKENS; 1640 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1641 tok = au_to_arg32(2, "fcntlrights", 1642 ar->ar_arg_fcntl_rights); 1643 kau_write(rec, tok); 1644 } 1645 break; 1646 1647 case AUE_CAP_ENTER: 1648 case AUE_CAP_GETMODE: 1649 break; 1650 1651 case AUE_NULL: 1652 default: 1653 printf("BSM conversion requested for unknown event %d\n", 1654 ar->ar_event); 1655 1656 /* 1657 * Write the subject token so it is properly freed here. 1658 */ 1659 if (jail_tok != NULL) 1660 kau_write(rec, jail_tok); 1661 kau_write(rec, subj_tok); 1662 kau_free(rec); 1663 return (BSM_NOAUDIT); 1664 } 1665 1666 if (jail_tok != NULL) 1667 kau_write(rec, jail_tok); 1668 kau_write(rec, subj_tok); 1669 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1670 kau_write(rec, tok); /* Every record gets a return token */ 1671 1672 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1673 1674 *pau = rec; 1675 return (BSM_SUCCESS); 1676 } 1677 1678 /* 1679 * Verify that a record is a valid BSM record. This verification is simple 1680 * now, but may be expanded on sometime in the future. Return 1 if the 1681 * record is good, 0 otherwise. 1682 */ 1683 int 1684 bsm_rec_verify(void *rec) 1685 { 1686 char c = *(char *)rec; 1687 1688 /* 1689 * Check the token ID of the first token; it has to be a header 1690 * token. 1691 * 1692 * XXXAUDIT There needs to be a token structure to map a token. 1693 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1694 */ 1695 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1696 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1697 return (0); 1698 return (1); 1699 } 1700