1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/vnode.h> 35 #include <sys/ipc.h> 36 #include <sys/lock.h> 37 #include <sys/malloc.h> 38 #include <sys/mutex.h> 39 #include <sys/socket.h> 40 #include <sys/extattr.h> 41 #include <sys/fcntl.h> 42 #include <sys/user.h> 43 #include <sys/systm.h> 44 45 #include <bsm/audit.h> 46 #include <bsm/audit_internal.h> 47 #include <bsm/audit_record.h> 48 #include <bsm/audit_kevents.h> 49 50 #include <security/audit/audit.h> 51 #include <security/audit/audit_private.h> 52 53 #include <netinet/in_systm.h> 54 #include <netinet/in.h> 55 #include <netinet/ip.h> 56 57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59 static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62 /* 63 * Initialize the BSM auditing subsystem. 64 */ 65 void 66 kau_init(void) 67 { 68 69 au_evclassmap_init(); 70 } 71 72 /* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78 static struct au_record * 79 kau_open(void) 80 { 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90 } 91 92 /* 93 * Store the token with the record descriptor. 94 */ 95 static void 96 kau_write(struct au_record *rec, struct au_token *tok) 97 { 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103 } 104 105 /* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109 static void 110 kau_close(struct au_record *rec, struct timespec *ctime, short event) 111 { 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155 } 156 157 /* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161 void 162 kau_free(struct au_record *rec) 163 { 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177 } 178 179 /* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186 #define ATFD1_TOKENS(argnum) do { \ 187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 189 kau_write(rec, tok); \ 190 } \ 191 } while (0) 192 193 #define ATFD2_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define UPATH1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 202 tok = au_to_path(ar->ar_arg_upath1); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define UPATH2_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 209 tok = au_to_path(ar->ar_arg_upath2); \ 210 kau_write(rec, tok); \ 211 } \ 212 } while (0) 213 214 #define VNODE1_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 217 kau_write(rec, tok); \ 218 } \ 219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 220 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 221 kau_write(rec, tok); \ 222 } \ 223 } while (0) 224 225 #define UPATH1_VNODE1_TOKENS do { \ 226 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 227 UPATH1_TOKENS; \ 228 } \ 229 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 230 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 231 kau_write(rec, tok); \ 232 } \ 233 } while (0) 234 235 #define VNODE2_TOKENS do { \ 236 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 237 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 238 kau_write(rec, tok); \ 239 } \ 240 } while (0) 241 242 #define FD_VNODE1_TOKENS do { \ 243 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 244 if (ARG_IS_VALID(kar, ARG_FD)) { \ 245 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 246 kau_write(rec, tok); \ 247 } \ 248 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 249 kau_write(rec, tok); \ 250 } else { \ 251 if (ARG_IS_VALID(kar, ARG_FD)) { \ 252 tok = au_to_arg32(1, "non-file: fd", \ 253 ar->ar_arg_fd); \ 254 kau_write(rec, tok); \ 255 } \ 256 } \ 257 } while (0) 258 259 #define PROCESS_PID_TOKENS(argn) do { \ 260 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 261 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 262 tok = au_to_process32_ex(ar->ar_arg_auid, \ 263 ar->ar_arg_euid, ar->ar_arg_egid, \ 264 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 265 ar->ar_arg_pid, ar->ar_arg_asid, \ 266 &ar->ar_arg_termid_addr); \ 267 kau_write(rec, tok); \ 268 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 269 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 270 kau_write(rec, tok); \ 271 } \ 272 } while (0) 273 274 #define EXTATTR_TOKENS(namespace_argnum) do { \ 275 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 276 switch (ar->ar_arg_value) { \ 277 case EXTATTR_NAMESPACE_USER: \ 278 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 279 break; \ 280 case EXTATTR_NAMESPACE_SYSTEM: \ 281 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 282 break; \ 283 default: \ 284 tok = au_to_arg32((namespace_argnum), \ 285 "attrnamespace", ar->ar_arg_value); \ 286 break; \ 287 } \ 288 kau_write(rec, tok); \ 289 } \ 290 /* attrname is in the text field */ \ 291 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 292 tok = au_to_text(ar->ar_arg_text); \ 293 kau_write(rec, tok); \ 294 } \ 295 } while (0) 296 297 /* 298 * Not all pointer arguments to system calls are of interest, but in some 299 * cases they reflect delegation of rights, such as mmap(2) followed by 300 * minherit(2) before execve(2), so do the best we can. 301 */ 302 #define ADDR_TOKEN(argnum, argname) do { \ 303 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 304 if (sizeof(void *) == sizeof(uint32_t)) \ 305 tok = au_to_arg32((argnum), (argname), \ 306 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 307 else \ 308 tok = au_to_arg64((argnum), (argname), \ 309 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 310 kau_write(rec, tok); \ 311 } \ 312 } while (0) 313 314 315 /* 316 * Implement auditing for the auditon() system call. The audit tokens that 317 * are generated depend on the command that was sent into the auditon() 318 * system call. 319 */ 320 static void 321 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 322 { 323 struct au_token *tok; 324 325 tok = au_to_arg32(3, "length", ar->ar_arg_len); 326 kau_write(rec, tok); 327 switch (ar->ar_arg_cmd) { 328 case A_OLDSETPOLICY: 329 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 330 tok = au_to_arg64(2, "policy", 331 ar->ar_arg_auditon.au_policy64); 332 kau_write(rec, tok); 333 break; 334 } 335 /* FALLTHROUGH */ 336 337 case A_SETPOLICY: 338 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 339 kau_write(rec, tok); 340 break; 341 342 case A_SETKMASK: 343 tok = au_to_arg32(2, "setkmask:as_success", 344 ar->ar_arg_auditon.au_mask.am_success); 345 kau_write(rec, tok); 346 tok = au_to_arg32(2, "setkmask:as_failure", 347 ar->ar_arg_auditon.au_mask.am_failure); 348 kau_write(rec, tok); 349 break; 350 351 case A_OLDSETQCTRL: 352 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 353 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 354 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 355 kau_write(rec, tok); 356 tok = au_to_arg64(2, "setqctrl:aq_lowater", 357 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 358 kau_write(rec, tok); 359 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 360 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 361 kau_write(rec, tok); 362 tok = au_to_arg64(2, "setqctrl:aq_delay", 363 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 364 kau_write(rec, tok); 365 tok = au_to_arg64(2, "setqctrl:aq_minfree", 366 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 367 kau_write(rec, tok); 368 break; 369 } 370 /* FALLTHROUGH */ 371 372 case A_SETQCTRL: 373 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 374 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 375 kau_write(rec, tok); 376 tok = au_to_arg32(2, "setqctrl:aq_lowater", 377 ar->ar_arg_auditon.au_qctrl.aq_lowater); 378 kau_write(rec, tok); 379 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 380 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 381 kau_write(rec, tok); 382 tok = au_to_arg32(2, "setqctrl:aq_delay", 383 ar->ar_arg_auditon.au_qctrl.aq_delay); 384 kau_write(rec, tok); 385 tok = au_to_arg32(2, "setqctrl:aq_minfree", 386 ar->ar_arg_auditon.au_qctrl.aq_minfree); 387 kau_write(rec, tok); 388 break; 389 390 case A_SETUMASK: 391 tok = au_to_arg32(2, "setumask:as_success", 392 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 393 kau_write(rec, tok); 394 tok = au_to_arg32(2, "setumask:as_failure", 395 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 396 kau_write(rec, tok); 397 break; 398 399 case A_SETSMASK: 400 tok = au_to_arg32(2, "setsmask:as_success", 401 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 402 kau_write(rec, tok); 403 tok = au_to_arg32(2, "setsmask:as_failure", 404 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 405 kau_write(rec, tok); 406 break; 407 408 case A_OLDSETCOND: 409 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 410 tok = au_to_arg64(2, "setcond", 411 ar->ar_arg_auditon.au_cond64); 412 kau_write(rec, tok); 413 break; 414 } 415 /* FALLTHROUGH */ 416 417 case A_SETCOND: 418 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 419 kau_write(rec, tok); 420 break; 421 422 case A_SETCLASS: 423 kau_write(rec, tok); 424 tok = au_to_arg32(2, "setclass:ec_event", 425 ar->ar_arg_auditon.au_evclass.ec_number); 426 kau_write(rec, tok); 427 tok = au_to_arg32(2, "setclass:ec_class", 428 ar->ar_arg_auditon.au_evclass.ec_class); 429 kau_write(rec, tok); 430 break; 431 432 case A_SETPMASK: 433 tok = au_to_arg32(2, "setpmask:as_success", 434 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 435 kau_write(rec, tok); 436 tok = au_to_arg32(2, "setpmask:as_failure", 437 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 438 kau_write(rec, tok); 439 break; 440 441 case A_SETFSIZE: 442 tok = au_to_arg32(2, "setfsize:filesize", 443 ar->ar_arg_auditon.au_fstat.af_filesz); 444 kau_write(rec, tok); 445 break; 446 447 default: 448 break; 449 } 450 } 451 452 /* 453 * Convert an internal kernel audit record to a BSM record and return a 454 * success/failure indicator. The BSM record is passed as an out parameter to 455 * this function. 456 * 457 * Return conditions: 458 * BSM_SUCCESS: The BSM record is valid 459 * BSM_FAILURE: Failure; the BSM record is NULL. 460 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 461 */ 462 int 463 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 464 { 465 struct au_token *tok, *subj_tok; 466 struct au_record *rec; 467 au_tid_t tid; 468 struct audit_record *ar; 469 int ctr; 470 471 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 472 473 *pau = NULL; 474 ar = &kar->k_ar; 475 rec = kau_open(); 476 477 /* 478 * Create the subject token. 479 */ 480 switch (ar->ar_subj_term_addr.at_type) { 481 case AU_IPv4: 482 tid.port = ar->ar_subj_term_addr.at_port; 483 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 484 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 485 ar->ar_subj_cred.cr_uid, /* eff uid */ 486 ar->ar_subj_egid, /* eff group id */ 487 ar->ar_subj_ruid, /* real uid */ 488 ar->ar_subj_rgid, /* real group id */ 489 ar->ar_subj_pid, /* process id */ 490 ar->ar_subj_asid, /* session ID */ 491 &tid); 492 break; 493 case AU_IPv6: 494 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 495 ar->ar_subj_cred.cr_uid, 496 ar->ar_subj_egid, 497 ar->ar_subj_ruid, 498 ar->ar_subj_rgid, 499 ar->ar_subj_pid, 500 ar->ar_subj_asid, 501 &ar->ar_subj_term_addr); 502 break; 503 default: 504 bzero(&tid, sizeof(tid)); 505 subj_tok = au_to_subject32(ar->ar_subj_auid, 506 ar->ar_subj_cred.cr_uid, 507 ar->ar_subj_egid, 508 ar->ar_subj_ruid, 509 ar->ar_subj_rgid, 510 ar->ar_subj_pid, 511 ar->ar_subj_asid, 512 &tid); 513 } 514 515 /* 516 * The logic inside each case fills in the tokens required for the 517 * event, except for the header, trailer, and return tokens. The 518 * header and trailer tokens are added by the kau_close() function. 519 * The return token is added outside of the switch statement. 520 */ 521 switch(ar->ar_event) { 522 case AUE_ACCEPT: 523 case AUE_BIND: 524 case AUE_LISTEN: 525 case AUE_CONNECT: 526 case AUE_RECV: 527 case AUE_RECVFROM: 528 case AUE_RECVMSG: 529 case AUE_SEND: 530 case AUE_SENDFILE: 531 case AUE_SENDMSG: 532 case AUE_SENDTO: 533 /* 534 * Socket-related events. 535 */ 536 if (ARG_IS_VALID(kar, ARG_FD)) { 537 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 538 kau_write(rec, tok); 539 } 540 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 541 tok = au_to_sock_inet((struct sockaddr_in *) 542 &ar->ar_arg_sockaddr); 543 kau_write(rec, tok); 544 } 545 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 546 tok = au_to_sock_unix((struct sockaddr_un *) 547 &ar->ar_arg_sockaddr); 548 kau_write(rec, tok); 549 UPATH1_TOKENS; 550 } 551 /* XXX Need to handle ARG_SADDRINET6 */ 552 break; 553 554 case AUE_SOCKET: 555 case AUE_SOCKETPAIR: 556 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 557 tok = au_to_arg32(1, "domain", 558 ar->ar_arg_sockinfo.so_domain); 559 kau_write(rec, tok); 560 tok = au_to_arg32(2, "type", 561 ar->ar_arg_sockinfo.so_type); 562 kau_write(rec, tok); 563 tok = au_to_arg32(3, "protocol", 564 ar->ar_arg_sockinfo.so_protocol); 565 kau_write(rec, tok); 566 } 567 break; 568 569 case AUE_SETSOCKOPT: 570 case AUE_SHUTDOWN: 571 if (ARG_IS_VALID(kar, ARG_FD)) { 572 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 573 kau_write(rec, tok); 574 } 575 break; 576 577 case AUE_ACCT: 578 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 579 UPATH1_VNODE1_TOKENS; 580 } else { 581 tok = au_to_arg32(1, "accounting off", 0); 582 kau_write(rec, tok); 583 } 584 break; 585 586 case AUE_SETAUID: 587 if (ARG_IS_VALID(kar, ARG_AUID)) { 588 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 589 kau_write(rec, tok); 590 } 591 break; 592 593 case AUE_SETAUDIT: 594 if (ARG_IS_VALID(kar, ARG_AUID) && 595 ARG_IS_VALID(kar, ARG_ASID) && 596 ARG_IS_VALID(kar, ARG_AMASK) && 597 ARG_IS_VALID(kar, ARG_TERMID)) { 598 tok = au_to_arg32(1, "setaudit:auid", 599 ar->ar_arg_auid); 600 kau_write(rec, tok); 601 tok = au_to_arg32(1, "setaudit:port", 602 ar->ar_arg_termid.port); 603 kau_write(rec, tok); 604 tok = au_to_arg32(1, "setaudit:machine", 605 ar->ar_arg_termid.machine); 606 kau_write(rec, tok); 607 tok = au_to_arg32(1, "setaudit:as_success", 608 ar->ar_arg_amask.am_success); 609 kau_write(rec, tok); 610 tok = au_to_arg32(1, "setaudit:as_failure", 611 ar->ar_arg_amask.am_failure); 612 kau_write(rec, tok); 613 tok = au_to_arg32(1, "setaudit:asid", 614 ar->ar_arg_asid); 615 kau_write(rec, tok); 616 } 617 break; 618 619 case AUE_SETAUDIT_ADDR: 620 if (ARG_IS_VALID(kar, ARG_AUID) && 621 ARG_IS_VALID(kar, ARG_ASID) && 622 ARG_IS_VALID(kar, ARG_AMASK) && 623 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 624 tok = au_to_arg32(1, "setaudit_addr:auid", 625 ar->ar_arg_auid); 626 kau_write(rec, tok); 627 tok = au_to_arg32(1, "setaudit_addr:as_success", 628 ar->ar_arg_amask.am_success); 629 kau_write(rec, tok); 630 tok = au_to_arg32(1, "setaudit_addr:as_failure", 631 ar->ar_arg_amask.am_failure); 632 kau_write(rec, tok); 633 tok = au_to_arg32(1, "setaudit_addr:asid", 634 ar->ar_arg_asid); 635 kau_write(rec, tok); 636 tok = au_to_arg32(1, "setaudit_addr:type", 637 ar->ar_arg_termid_addr.at_type); 638 kau_write(rec, tok); 639 tok = au_to_arg32(1, "setaudit_addr:port", 640 ar->ar_arg_termid_addr.at_port); 641 kau_write(rec, tok); 642 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 643 tok = au_to_in_addr_ex((struct in6_addr *) 644 &ar->ar_arg_termid_addr.at_addr[0]); 645 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 646 tok = au_to_in_addr((struct in_addr *) 647 &ar->ar_arg_termid_addr.at_addr[0]); 648 kau_write(rec, tok); 649 } 650 break; 651 652 case AUE_AUDITON: 653 /* 654 * For AUDITON commands without own event, audit the cmd. 655 */ 656 if (ARG_IS_VALID(kar, ARG_CMD)) { 657 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 658 kau_write(rec, tok); 659 } 660 /* FALLTHROUGH */ 661 662 case AUE_AUDITON_GETCAR: 663 case AUE_AUDITON_GETCLASS: 664 case AUE_AUDITON_GETCOND: 665 case AUE_AUDITON_GETCWD: 666 case AUE_AUDITON_GETKMASK: 667 case AUE_AUDITON_GETSTAT: 668 case AUE_AUDITON_GPOLICY: 669 case AUE_AUDITON_GQCTRL: 670 case AUE_AUDITON_SETCLASS: 671 case AUE_AUDITON_SETCOND: 672 case AUE_AUDITON_SETKMASK: 673 case AUE_AUDITON_SETSMASK: 674 case AUE_AUDITON_SETSTAT: 675 case AUE_AUDITON_SETUMASK: 676 case AUE_AUDITON_SPOLICY: 677 case AUE_AUDITON_SQCTRL: 678 if (ARG_IS_VALID(kar, ARG_AUDITON)) 679 audit_sys_auditon(ar, rec); 680 break; 681 682 case AUE_AUDITCTL: 683 UPATH1_VNODE1_TOKENS; 684 break; 685 686 case AUE_EXIT: 687 if (ARG_IS_VALID(kar, ARG_EXIT)) { 688 tok = au_to_exit(ar->ar_arg_exitretval, 689 ar->ar_arg_exitstatus); 690 kau_write(rec, tok); 691 } 692 break; 693 694 case AUE_ADJTIME: 695 case AUE_CLOCK_SETTIME: 696 case AUE_AUDIT: 697 case AUE_DUP2: 698 case AUE_GETAUDIT: 699 case AUE_GETAUDIT_ADDR: 700 case AUE_GETAUID: 701 case AUE_GETCWD: 702 case AUE_GETFSSTAT: 703 case AUE_GETRESUID: 704 case AUE_GETRESGID: 705 case AUE_KQUEUE: 706 case AUE_MODLOAD: 707 case AUE_MODUNLOAD: 708 case AUE_MSGSYS: 709 case AUE_NTP_ADJTIME: 710 case AUE_PIPE: 711 case AUE_POSIX_OPENPT: 712 case AUE_PROFILE: 713 case AUE_RTPRIO: 714 case AUE_SEMSYS: 715 case AUE_SHMSYS: 716 case AUE_SETPGRP: 717 case AUE_SETRLIMIT: 718 case AUE_SETSID: 719 case AUE_SETTIMEOFDAY: 720 case AUE_SYSARCH: 721 722 /* 723 * Header, subject, and return tokens added at end. 724 */ 725 break; 726 727 case AUE_CHDIR: 728 case AUE_CHROOT: 729 case AUE_FSTATAT: 730 case AUE_FUTIMESAT: 731 case AUE_GETATTRLIST: 732 case AUE_JAIL: 733 case AUE_LUTIMES: 734 case AUE_NFS_GETFH: 735 case AUE_LSTAT: 736 case AUE_LPATHCONF: 737 case AUE_PATHCONF: 738 case AUE_READLINK: 739 case AUE_READLINKAT: 740 case AUE_REVOKE: 741 case AUE_RMDIR: 742 case AUE_SEARCHFS: 743 case AUE_SETATTRLIST: 744 case AUE_STAT: 745 case AUE_STATFS: 746 case AUE_SWAPON: 747 case AUE_SWAPOFF: 748 case AUE_TRUNCATE: 749 case AUE_UNDELETE: 750 case AUE_UNLINK: 751 case AUE_UNLINKAT: 752 case AUE_UTIMES: 753 ATFD1_TOKENS(1); 754 UPATH1_VNODE1_TOKENS; 755 break; 756 757 case AUE_ACCESS: 758 case AUE_EACCESS: 759 case AUE_FACCESSAT: 760 ATFD1_TOKENS(1); 761 UPATH1_VNODE1_TOKENS; 762 if (ARG_IS_VALID(kar, ARG_VALUE)) { 763 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 764 kau_write(rec, tok); 765 } 766 break; 767 768 case AUE_FHSTATFS: 769 case AUE_FHOPEN: 770 case AUE_FHSTAT: 771 /* XXXRW: Need to audit vnode argument. */ 772 break; 773 774 case AUE_CHFLAGS: 775 case AUE_LCHFLAGS: 776 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 777 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 778 kau_write(rec, tok); 779 } 780 UPATH1_VNODE1_TOKENS; 781 break; 782 783 case AUE_CHMOD: 784 case AUE_LCHMOD: 785 if (ARG_IS_VALID(kar, ARG_MODE)) { 786 tok = au_to_arg32(2, "new file mode", 787 ar->ar_arg_mode); 788 kau_write(rec, tok); 789 } 790 UPATH1_VNODE1_TOKENS; 791 break; 792 793 case AUE_FCHMODAT: 794 ATFD1_TOKENS(1); 795 if (ARG_IS_VALID(kar, ARG_MODE)) { 796 tok = au_to_arg32(3, "new file mode", 797 ar->ar_arg_mode); 798 kau_write(rec, tok); 799 } 800 UPATH1_VNODE1_TOKENS; 801 break; 802 803 case AUE_CHOWN: 804 case AUE_LCHOWN: 805 if (ARG_IS_VALID(kar, ARG_UID)) { 806 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 807 kau_write(rec, tok); 808 } 809 if (ARG_IS_VALID(kar, ARG_GID)) { 810 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 811 kau_write(rec, tok); 812 } 813 UPATH1_VNODE1_TOKENS; 814 break; 815 816 case AUE_FCHOWNAT: 817 ATFD1_TOKENS(1); 818 if (ARG_IS_VALID(kar, ARG_UID)) { 819 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 820 kau_write(rec, tok); 821 } 822 if (ARG_IS_VALID(kar, ARG_GID)) { 823 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 824 kau_write(rec, tok); 825 } 826 UPATH1_VNODE1_TOKENS; 827 break; 828 829 case AUE_EXCHANGEDATA: 830 UPATH1_VNODE1_TOKENS; 831 UPATH2_TOKENS; 832 break; 833 834 case AUE_CLOSE: 835 if (ARG_IS_VALID(kar, ARG_FD)) { 836 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 837 kau_write(rec, tok); 838 } 839 UPATH1_VNODE1_TOKENS; 840 break; 841 842 case AUE_CLOSEFROM: 843 if (ARG_IS_VALID(kar, ARG_FD)) { 844 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 845 kau_write(rec, tok); 846 } 847 break; 848 849 case AUE_CORE: 850 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 851 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 852 kau_write(rec, tok); 853 } 854 UPATH1_VNODE1_TOKENS; 855 break; 856 857 case AUE_EXTATTRCTL: 858 UPATH1_VNODE1_TOKENS; 859 if (ARG_IS_VALID(kar, ARG_CMD)) { 860 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 861 kau_write(rec, tok); 862 } 863 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 864 UPATH2_TOKENS; 865 VNODE2_TOKENS; 866 EXTATTR_TOKENS(4); 867 break; 868 869 case AUE_EXTATTR_GET_FILE: 870 case AUE_EXTATTR_SET_FILE: 871 case AUE_EXTATTR_LIST_FILE: 872 case AUE_EXTATTR_DELETE_FILE: 873 case AUE_EXTATTR_GET_LINK: 874 case AUE_EXTATTR_SET_LINK: 875 case AUE_EXTATTR_LIST_LINK: 876 case AUE_EXTATTR_DELETE_LINK: 877 UPATH1_VNODE1_TOKENS; 878 EXTATTR_TOKENS(2); 879 break; 880 881 case AUE_EXTATTR_GET_FD: 882 case AUE_EXTATTR_SET_FD: 883 case AUE_EXTATTR_LIST_FD: 884 case AUE_EXTATTR_DELETE_FD: 885 if (ARG_IS_VALID(kar, ARG_FD)) { 886 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 887 kau_write(rec, tok); 888 } 889 EXTATTR_TOKENS(2); 890 break; 891 892 case AUE_FEXECVE: 893 if (ARG_IS_VALID(kar, ARG_FD)) { 894 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 895 kau_write(rec, tok); 896 } 897 /* FALLTHROUGH */ 898 899 case AUE_EXECVE: 900 case AUE_MAC_EXECVE: 901 if (ARG_IS_VALID(kar, ARG_ARGV)) { 902 tok = au_to_exec_args(ar->ar_arg_argv, 903 ar->ar_arg_argc); 904 kau_write(rec, tok); 905 } 906 if (ARG_IS_VALID(kar, ARG_ENVV)) { 907 tok = au_to_exec_env(ar->ar_arg_envv, 908 ar->ar_arg_envc); 909 kau_write(rec, tok); 910 } 911 UPATH1_VNODE1_TOKENS; 912 break; 913 914 case AUE_FCHMOD: 915 if (ARG_IS_VALID(kar, ARG_MODE)) { 916 tok = au_to_arg32(2, "new file mode", 917 ar->ar_arg_mode); 918 kau_write(rec, tok); 919 } 920 FD_VNODE1_TOKENS; 921 break; 922 923 /* 924 * XXXRW: Some of these need to handle non-vnode cases as well. 925 */ 926 case AUE_FCHDIR: 927 case AUE_FPATHCONF: 928 case AUE_FSTAT: 929 case AUE_FSTATFS: 930 case AUE_FSYNC: 931 case AUE_FTRUNCATE: 932 case AUE_FUTIMES: 933 case AUE_GETDIRENTRIES: 934 case AUE_GETDIRENTRIESATTR: 935 case AUE_LSEEK: 936 case AUE_POLL: 937 case AUE_READ: 938 case AUE_READV: 939 case AUE_WRITE: 940 case AUE_WRITEV: 941 FD_VNODE1_TOKENS; 942 break; 943 944 case AUE_FCHOWN: 945 if (ARG_IS_VALID(kar, ARG_UID)) { 946 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 947 kau_write(rec, tok); 948 } 949 if (ARG_IS_VALID(kar, ARG_GID)) { 950 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 951 kau_write(rec, tok); 952 } 953 FD_VNODE1_TOKENS; 954 break; 955 956 case AUE_FCNTL: 957 if (ARG_IS_VALID(kar, ARG_CMD)) { 958 tok = au_to_arg32(2, "cmd", 959 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 960 kau_write(rec, tok); 961 } 962 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 963 ar->ar_arg_cmd == F_SETLKW) { 964 FD_VNODE1_TOKENS; 965 } 966 break; 967 968 case AUE_FCHFLAGS: 969 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 970 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 971 kau_write(rec, tok); 972 } 973 FD_VNODE1_TOKENS; 974 break; 975 976 case AUE_FLOCK: 977 if (ARG_IS_VALID(kar, ARG_CMD)) { 978 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 979 kau_write(rec, tok); 980 } 981 FD_VNODE1_TOKENS; 982 break; 983 984 case AUE_RFORK: 985 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 986 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 987 kau_write(rec, tok); 988 } 989 /* FALLTHROUGH */ 990 991 case AUE_FORK: 992 case AUE_VFORK: 993 if (ARG_IS_VALID(kar, ARG_PID)) { 994 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 995 kau_write(rec, tok); 996 } 997 break; 998 999 case AUE_IOCTL: 1000 if (ARG_IS_VALID(kar, ARG_CMD)) { 1001 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1002 kau_write(rec, tok); 1003 } 1004 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1005 FD_VNODE1_TOKENS; 1006 else { 1007 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1008 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1009 kau_write(rec, tok); 1010 } else { 1011 if (ARG_IS_VALID(kar, ARG_FD)) { 1012 tok = au_to_arg32(1, "fd", 1013 ar->ar_arg_fd); 1014 kau_write(rec, tok); 1015 } 1016 } 1017 } 1018 break; 1019 1020 case AUE_KILL: 1021 case AUE_KILLPG: 1022 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1023 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1024 kau_write(rec, tok); 1025 } 1026 PROCESS_PID_TOKENS(1); 1027 break; 1028 1029 case AUE_KTRACE: 1030 if (ARG_IS_VALID(kar, ARG_CMD)) { 1031 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1032 kau_write(rec, tok); 1033 } 1034 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1035 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1036 kau_write(rec, tok); 1037 } 1038 PROCESS_PID_TOKENS(4); 1039 UPATH1_VNODE1_TOKENS; 1040 break; 1041 1042 case AUE_LINK: 1043 case AUE_LINKAT: 1044 case AUE_RENAME: 1045 case AUE_RENAMEAT: 1046 ATFD1_TOKENS(1); 1047 UPATH1_VNODE1_TOKENS; 1048 ATFD2_TOKENS(3); 1049 UPATH2_TOKENS; 1050 break; 1051 1052 case AUE_LOADSHFILE: 1053 ADDR_TOKEN(4, "base addr"); 1054 UPATH1_VNODE1_TOKENS; 1055 break; 1056 1057 case AUE_MKDIR: 1058 case AUE_MKDIRAT: 1059 case AUE_MKFIFO: 1060 case AUE_MKFIFOAT: 1061 ATFD1_TOKENS(1); 1062 if (ARG_IS_VALID(kar, ARG_MODE)) { 1063 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1064 kau_write(rec, tok); 1065 } 1066 UPATH1_VNODE1_TOKENS; 1067 break; 1068 1069 case AUE_MKNOD: 1070 case AUE_MKNODAT: 1071 ATFD1_TOKENS(1); 1072 if (ARG_IS_VALID(kar, ARG_MODE)) { 1073 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1074 kau_write(rec, tok); 1075 } 1076 if (ARG_IS_VALID(kar, ARG_DEV)) { 1077 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1078 kau_write(rec, tok); 1079 } 1080 UPATH1_VNODE1_TOKENS; 1081 break; 1082 1083 case AUE_MMAP: 1084 case AUE_MUNMAP: 1085 case AUE_MPROTECT: 1086 case AUE_MLOCK: 1087 case AUE_MUNLOCK: 1088 case AUE_MINHERIT: 1089 ADDR_TOKEN(1, "addr"); 1090 if (ARG_IS_VALID(kar, ARG_LEN)) { 1091 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1092 kau_write(rec, tok); 1093 } 1094 if (ar->ar_event == AUE_MMAP) 1095 FD_VNODE1_TOKENS; 1096 if (ar->ar_event == AUE_MPROTECT) { 1097 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1098 tok = au_to_arg32(3, "protection", 1099 ar->ar_arg_value); 1100 kau_write(rec, tok); 1101 } 1102 } 1103 if (ar->ar_event == AUE_MINHERIT) { 1104 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1105 tok = au_to_arg32(3, "inherit", 1106 ar->ar_arg_value); 1107 kau_write(rec, tok); 1108 } 1109 } 1110 break; 1111 1112 case AUE_MOUNT: 1113 case AUE_NMOUNT: 1114 /* XXX Need to handle NFS mounts */ 1115 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1116 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1117 kau_write(rec, tok); 1118 } 1119 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1120 tok = au_to_text(ar->ar_arg_text); 1121 kau_write(rec, tok); 1122 } 1123 /* FALLTHROUGH */ 1124 1125 case AUE_NFS_SVC: 1126 if (ARG_IS_VALID(kar, ARG_CMD)) { 1127 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1128 kau_write(rec, tok); 1129 } 1130 break; 1131 1132 case AUE_UMOUNT: 1133 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1134 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1135 kau_write(rec, tok); 1136 } 1137 UPATH1_VNODE1_TOKENS; 1138 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1139 tok = au_to_text(ar->ar_arg_text); 1140 kau_write(rec, tok); 1141 } 1142 break; 1143 1144 case AUE_MSGCTL: 1145 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1146 /* Fall through */ 1147 1148 case AUE_MSGRCV: 1149 case AUE_MSGSND: 1150 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1151 kau_write(rec, tok); 1152 if (ar->ar_errno != EINVAL) { 1153 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1154 kau_write(rec, tok); 1155 } 1156 break; 1157 1158 case AUE_MSGGET: 1159 if (ar->ar_errno == 0) { 1160 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1161 tok = au_to_ipc(AT_IPC_MSG, 1162 ar->ar_arg_svipc_id); 1163 kau_write(rec, tok); 1164 } 1165 } 1166 break; 1167 1168 case AUE_RESETSHFILE: 1169 ADDR_TOKEN(1, "base addr"); 1170 break; 1171 1172 case AUE_OPEN_RC: 1173 case AUE_OPEN_RTC: 1174 case AUE_OPEN_RWC: 1175 case AUE_OPEN_RWTC: 1176 case AUE_OPEN_WC: 1177 case AUE_OPEN_WTC: 1178 case AUE_CREAT: 1179 if (ARG_IS_VALID(kar, ARG_MODE)) { 1180 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1181 kau_write(rec, tok); 1182 } 1183 /* FALLTHROUGH */ 1184 1185 case AUE_OPEN_R: 1186 case AUE_OPEN_RT: 1187 case AUE_OPEN_RW: 1188 case AUE_OPEN_RWT: 1189 case AUE_OPEN_W: 1190 case AUE_OPEN_WT: 1191 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1192 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1193 kau_write(rec, tok); 1194 } 1195 UPATH1_VNODE1_TOKENS; 1196 break; 1197 1198 case AUE_OPENAT_RC: 1199 case AUE_OPENAT_RTC: 1200 case AUE_OPENAT_RWC: 1201 case AUE_OPENAT_RWTC: 1202 case AUE_OPENAT_WC: 1203 case AUE_OPENAT_WTC: 1204 if (ARG_IS_VALID(kar, ARG_MODE)) { 1205 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1206 kau_write(rec, tok); 1207 } 1208 /* FALLTHROUGH */ 1209 1210 case AUE_OPENAT_R: 1211 case AUE_OPENAT_RT: 1212 case AUE_OPENAT_RW: 1213 case AUE_OPENAT_RWT: 1214 case AUE_OPENAT_W: 1215 case AUE_OPENAT_WT: 1216 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1217 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1218 kau_write(rec, tok); 1219 } 1220 ATFD1_TOKENS(1); 1221 UPATH1_VNODE1_TOKENS; 1222 break; 1223 1224 case AUE_PTRACE: 1225 if (ARG_IS_VALID(kar, ARG_CMD)) { 1226 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1227 kau_write(rec, tok); 1228 } 1229 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1230 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1231 kau_write(rec, tok); 1232 } 1233 PROCESS_PID_TOKENS(2); 1234 break; 1235 1236 case AUE_QUOTACTL: 1237 if (ARG_IS_VALID(kar, ARG_CMD)) { 1238 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1239 kau_write(rec, tok); 1240 } 1241 if (ARG_IS_VALID(kar, ARG_UID)) { 1242 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1243 kau_write(rec, tok); 1244 } 1245 if (ARG_IS_VALID(kar, ARG_GID)) { 1246 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1247 kau_write(rec, tok); 1248 } 1249 UPATH1_VNODE1_TOKENS; 1250 break; 1251 1252 case AUE_REBOOT: 1253 if (ARG_IS_VALID(kar, ARG_CMD)) { 1254 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1255 kau_write(rec, tok); 1256 } 1257 break; 1258 1259 case AUE_SEMCTL: 1260 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1261 /* Fall through */ 1262 1263 case AUE_SEMOP: 1264 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1265 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1266 kau_write(rec, tok); 1267 if (ar->ar_errno != EINVAL) { 1268 tok = au_to_ipc(AT_IPC_SEM, 1269 ar->ar_arg_svipc_id); 1270 kau_write(rec, tok); 1271 } 1272 } 1273 break; 1274 1275 case AUE_SEMGET: 1276 if (ar->ar_errno == 0) { 1277 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1278 tok = au_to_ipc(AT_IPC_SEM, 1279 ar->ar_arg_svipc_id); 1280 kau_write(rec, tok); 1281 } 1282 } 1283 break; 1284 1285 case AUE_SETEGID: 1286 if (ARG_IS_VALID(kar, ARG_EGID)) { 1287 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1288 kau_write(rec, tok); 1289 } 1290 break; 1291 1292 case AUE_SETEUID: 1293 if (ARG_IS_VALID(kar, ARG_EUID)) { 1294 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1295 kau_write(rec, tok); 1296 } 1297 break; 1298 1299 case AUE_SETREGID: 1300 if (ARG_IS_VALID(kar, ARG_RGID)) { 1301 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1302 kau_write(rec, tok); 1303 } 1304 if (ARG_IS_VALID(kar, ARG_EGID)) { 1305 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1306 kau_write(rec, tok); 1307 } 1308 break; 1309 1310 case AUE_SETREUID: 1311 if (ARG_IS_VALID(kar, ARG_RUID)) { 1312 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1313 kau_write(rec, tok); 1314 } 1315 if (ARG_IS_VALID(kar, ARG_EUID)) { 1316 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1317 kau_write(rec, tok); 1318 } 1319 break; 1320 1321 case AUE_SETRESGID: 1322 if (ARG_IS_VALID(kar, ARG_RGID)) { 1323 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1324 kau_write(rec, tok); 1325 } 1326 if (ARG_IS_VALID(kar, ARG_EGID)) { 1327 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1328 kau_write(rec, tok); 1329 } 1330 if (ARG_IS_VALID(kar, ARG_SGID)) { 1331 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1332 kau_write(rec, tok); 1333 } 1334 break; 1335 1336 case AUE_SETRESUID: 1337 if (ARG_IS_VALID(kar, ARG_RUID)) { 1338 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1339 kau_write(rec, tok); 1340 } 1341 if (ARG_IS_VALID(kar, ARG_EUID)) { 1342 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1343 kau_write(rec, tok); 1344 } 1345 if (ARG_IS_VALID(kar, ARG_SUID)) { 1346 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1347 kau_write(rec, tok); 1348 } 1349 break; 1350 1351 case AUE_SETGID: 1352 if (ARG_IS_VALID(kar, ARG_GID)) { 1353 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1354 kau_write(rec, tok); 1355 } 1356 break; 1357 1358 case AUE_SETUID: 1359 if (ARG_IS_VALID(kar, ARG_UID)) { 1360 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1361 kau_write(rec, tok); 1362 } 1363 break; 1364 1365 case AUE_SETGROUPS: 1366 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1367 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1368 { 1369 tok = au_to_arg32(1, "setgroups", 1370 ar->ar_arg_groups.gidset[ctr]); 1371 kau_write(rec, tok); 1372 } 1373 } 1374 break; 1375 1376 case AUE_SETLOGIN: 1377 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1378 tok = au_to_text(ar->ar_arg_text); 1379 kau_write(rec, tok); 1380 } 1381 break; 1382 1383 case AUE_SETPRIORITY: 1384 if (ARG_IS_VALID(kar, ARG_CMD)) { 1385 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1386 kau_write(rec, tok); 1387 } 1388 if (ARG_IS_VALID(kar, ARG_UID)) { 1389 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1390 kau_write(rec, tok); 1391 } 1392 PROCESS_PID_TOKENS(2); 1393 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1394 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1395 kau_write(rec, tok); 1396 } 1397 break; 1398 1399 case AUE_SETPRIVEXEC: 1400 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1401 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1402 kau_write(rec, tok); 1403 } 1404 break; 1405 1406 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1407 case AUE_SHMAT: 1408 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1409 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1410 kau_write(rec, tok); 1411 /* XXXAUDIT: Does having the ipc token make sense? */ 1412 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1413 kau_write(rec, tok); 1414 } 1415 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1416 tok = au_to_arg32(2, "shmaddr", 1417 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1418 kau_write(rec, tok); 1419 } 1420 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1421 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1422 kau_write(rec, tok); 1423 } 1424 break; 1425 1426 case AUE_SHMCTL: 1427 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1428 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1429 kau_write(rec, tok); 1430 /* XXXAUDIT: Does having the ipc token make sense? */ 1431 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1432 kau_write(rec, tok); 1433 } 1434 switch (ar->ar_arg_svipc_cmd) { 1435 case IPC_STAT: 1436 ar->ar_event = AUE_SHMCTL_STAT; 1437 break; 1438 case IPC_RMID: 1439 ar->ar_event = AUE_SHMCTL_RMID; 1440 break; 1441 case IPC_SET: 1442 ar->ar_event = AUE_SHMCTL_SET; 1443 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1444 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1445 kau_write(rec, tok); 1446 } 1447 break; 1448 default: 1449 break; /* We will audit a bad command */ 1450 } 1451 break; 1452 1453 case AUE_SHMDT: 1454 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1455 tok = au_to_arg32(1, "shmaddr", 1456 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1457 kau_write(rec, tok); 1458 } 1459 break; 1460 1461 case AUE_SHMGET: 1462 /* This is unusual; the return value is in an argument token */ 1463 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1464 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1465 kau_write(rec, tok); 1466 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1467 kau_write(rec, tok); 1468 } 1469 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1470 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1471 kau_write(rec, tok); 1472 } 1473 break; 1474 1475 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1476 * and AUE_SEMUNLINK are Posix IPC */ 1477 case AUE_SHMOPEN: 1478 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1479 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1480 kau_write(rec, tok); 1481 } 1482 if (ARG_IS_VALID(kar, ARG_MODE)) { 1483 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1484 kau_write(rec, tok); 1485 } 1486 /* FALLTHROUGH */ 1487 1488 case AUE_SHMUNLINK: 1489 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1490 tok = au_to_text(ar->ar_arg_text); 1491 kau_write(rec, tok); 1492 } 1493 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1494 struct ipc_perm perm; 1495 1496 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1497 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1498 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1499 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1500 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1501 perm.seq = 0; 1502 perm.key = 0; 1503 tok = au_to_ipc_perm(&perm); 1504 kau_write(rec, tok); 1505 } 1506 break; 1507 1508 case AUE_SEMOPEN: 1509 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1510 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1511 kau_write(rec, tok); 1512 } 1513 if (ARG_IS_VALID(kar, ARG_MODE)) { 1514 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1515 kau_write(rec, tok); 1516 } 1517 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1518 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1519 kau_write(rec, tok); 1520 } 1521 /* FALLTHROUGH */ 1522 1523 case AUE_SEMUNLINK: 1524 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1525 tok = au_to_text(ar->ar_arg_text); 1526 kau_write(rec, tok); 1527 } 1528 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1529 struct ipc_perm perm; 1530 1531 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1532 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1533 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1534 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1535 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1536 perm.seq = 0; 1537 perm.key = 0; 1538 tok = au_to_ipc_perm(&perm); 1539 kau_write(rec, tok); 1540 } 1541 break; 1542 1543 case AUE_SEMCLOSE: 1544 if (ARG_IS_VALID(kar, ARG_FD)) { 1545 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1546 kau_write(rec, tok); 1547 } 1548 break; 1549 1550 case AUE_SYMLINK: 1551 case AUE_SYMLINKAT: 1552 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1553 tok = au_to_text(ar->ar_arg_text); 1554 kau_write(rec, tok); 1555 } 1556 ATFD1_TOKENS(1); 1557 UPATH1_VNODE1_TOKENS; 1558 break; 1559 1560 case AUE_SYSCTL: 1561 case AUE_SYSCTL_NONADMIN: 1562 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1563 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1564 tok = au_to_arg32(1, "name", 1565 ar->ar_arg_ctlname[ctr]); 1566 kau_write(rec, tok); 1567 } 1568 } 1569 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1570 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1571 kau_write(rec, tok); 1572 } 1573 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1574 tok = au_to_text(ar->ar_arg_text); 1575 kau_write(rec, tok); 1576 } 1577 break; 1578 1579 case AUE_UMASK: 1580 if (ARG_IS_VALID(kar, ARG_MASK)) { 1581 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1582 kau_write(rec, tok); 1583 } 1584 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1585 kau_write(rec, tok); 1586 break; 1587 1588 case AUE_WAIT4: 1589 PROCESS_PID_TOKENS(1); 1590 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1591 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1592 kau_write(rec, tok); 1593 } 1594 break; 1595 1596 case AUE_CAP_NEW: 1597 /* 1598 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1599 */ 1600 FD_VNODE1_TOKENS; 1601 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1602 tok = au_to_arg64(2, "rights", ar->ar_arg_rights); 1603 kau_write(rec, tok); 1604 } 1605 break; 1606 1607 case AUE_CAP_GETRIGHTS: 1608 if (ARG_IS_VALID(kar, ARG_FD)) { 1609 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1610 kau_write(rec, tok); 1611 } 1612 break; 1613 1614 case AUE_CAP_ENTER: 1615 case AUE_CAP_GETMODE: 1616 break; 1617 1618 case AUE_NULL: 1619 default: 1620 printf("BSM conversion requested for unknown event %d\n", 1621 ar->ar_event); 1622 1623 /* 1624 * Write the subject token so it is properly freed here. 1625 */ 1626 kau_write(rec, subj_tok); 1627 kau_free(rec); 1628 return (BSM_NOAUDIT); 1629 } 1630 1631 kau_write(rec, subj_tok); 1632 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1633 kau_write(rec, tok); /* Every record gets a return token */ 1634 1635 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1636 1637 *pau = rec; 1638 return (BSM_SUCCESS); 1639 } 1640 1641 /* 1642 * Verify that a record is a valid BSM record. This verification is simple 1643 * now, but may be expanded on sometime in the future. Return 1 if the 1644 * record is good, 0 otherwise. 1645 */ 1646 int 1647 bsm_rec_verify(void *rec) 1648 { 1649 char c = *(char *)rec; 1650 1651 /* 1652 * Check the token ID of the first token; it has to be a header 1653 * token. 1654 * 1655 * XXXAUDIT There needs to be a token structure to map a token. 1656 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1657 */ 1658 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1659 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1660 return (0); 1661 return (1); 1662 } 1663