1 /* 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2009 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/cdefs.h> 39 #include <sys/param.h> 40 #include <sys/vnode.h> 41 #include <sys/ipc.h> 42 #include <sys/lock.h> 43 #include <sys/malloc.h> 44 #include <sys/mutex.h> 45 #include <sys/socket.h> 46 #include <sys/extattr.h> 47 #include <sys/fcntl.h> 48 #include <sys/user.h> 49 #include <sys/systm.h> 50 51 #include <bsm/audit.h> 52 #include <bsm/audit_internal.h> 53 #include <bsm/audit_record.h> 54 #include <bsm/audit_kevents.h> 55 56 #include <security/audit/audit.h> 57 #include <security/audit/audit_private.h> 58 59 #include <netinet/in_systm.h> 60 #include <netinet/in.h> 61 #include <netinet/ip.h> 62 63 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 64 65 static void audit_sys_auditon(struct audit_record *ar, 66 struct au_record *rec); 67 68 /* 69 * Initialize the BSM auditing subsystem. 70 */ 71 void 72 kau_init(void) 73 { 74 75 au_evclassmap_init(); 76 au_evnamemap_init(); 77 } 78 79 /* 80 * This call reserves memory for the audit record. Memory must be guaranteed 81 * before any auditable event can be generated. The au_record structure 82 * maintains a reference to the memory allocated above and also the list of 83 * tokens associated with this record. 84 */ 85 static struct au_record * 86 kau_open(void) 87 { 88 struct au_record *rec; 89 90 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 91 rec->data = NULL; 92 TAILQ_INIT(&rec->token_q); 93 rec->len = 0; 94 rec->used = 1; 95 96 return (rec); 97 } 98 99 /* 100 * Store the token with the record descriptor. 101 */ 102 static void 103 kau_write(struct au_record *rec, struct au_token *tok) 104 { 105 106 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 107 108 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 109 rec->len += tok->len; 110 } 111 112 /* 113 * Close out the audit record by adding the header token, identifying any 114 * missing tokens. Write out the tokens to the record memory. 115 */ 116 static void 117 kau_close(struct au_record *rec, struct timespec *ctime, short event) 118 { 119 u_char *dptr; 120 size_t tot_rec_size; 121 token_t *cur, *hdr, *trail; 122 struct timeval tm; 123 size_t hdrsize; 124 struct auditinfo_addr ak; 125 struct in6_addr *ap; 126 127 audit_get_kinfo(&ak); 128 hdrsize = 0; 129 switch (ak.ai_termid.at_type) { 130 case AU_IPv4: 131 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 132 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 133 break; 134 case AU_IPv6: 135 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 136 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 137 AUDIT_HEADER_EX_SIZE(&ak); 138 break; 139 default: 140 panic("kau_close: invalid address family"); 141 } 142 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 143 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 144 145 tm.tv_usec = ctime->tv_nsec / 1000; 146 tm.tv_sec = ctime->tv_sec; 147 if (hdrsize != AUDIT_HEADER_SIZE) 148 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 149 else 150 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 151 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 152 153 trail = au_to_trailer(tot_rec_size); 154 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 155 156 rec->len = tot_rec_size; 157 dptr = rec->data; 158 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 159 memcpy(dptr, cur->t_data, cur->len); 160 dptr += cur->len; 161 } 162 } 163 164 /* 165 * Free a BSM audit record by releasing all the tokens and clearing the audit 166 * record information. 167 */ 168 void 169 kau_free(struct au_record *rec) 170 { 171 struct au_token *tok; 172 173 /* Free the token list. */ 174 while ((tok = TAILQ_FIRST(&rec->token_q))) { 175 TAILQ_REMOVE(&rec->token_q, tok, tokens); 176 free(tok->t_data, M_AUDITBSM); 177 free(tok, M_AUDITBSM); 178 } 179 180 rec->used = 0; 181 rec->len = 0; 182 free(rec->data, M_AUDITBSM); 183 free(rec, M_AUDITBSM); 184 } 185 186 /* 187 * XXX: May want turn some (or all) of these macros into functions in order 188 * to reduce the generated code size. 189 * 190 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 191 * caller are OK with this. 192 */ 193 #define ATFD1_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 195 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define ATFD2_TOKENS(argnum) do { \ 201 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 202 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define UPATH1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 209 tok = au_to_path(ar->ar_arg_upath1); \ 210 kau_write(rec, tok); \ 211 } \ 212 } while (0) 213 214 #define UPATH2_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 216 tok = au_to_path(ar->ar_arg_upath2); \ 217 kau_write(rec, tok); \ 218 } \ 219 } while (0) 220 221 #define VNODE1_TOKENS do { \ 222 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 223 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 224 kau_write(rec, tok); \ 225 } \ 226 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 227 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 228 kau_write(rec, tok); \ 229 } \ 230 } while (0) 231 232 #define UPATH1_VNODE1_TOKENS do { \ 233 UPATH1_TOKENS; \ 234 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 235 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 236 kau_write(rec, tok); \ 237 } \ 238 } while (0) 239 240 #define VNODE2_TOKENS do { \ 241 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 242 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 243 kau_write(rec, tok); \ 244 } \ 245 } while (0) 246 247 #define FD_VNODE1_TOKENS do { \ 248 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 249 if (ARG_IS_VALID(kar, ARG_FD)) { \ 250 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 251 kau_write(rec, tok); \ 252 } \ 253 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 254 kau_write(rec, tok); \ 255 } else { \ 256 if (ARG_IS_VALID(kar, ARG_FD)) { \ 257 tok = au_to_arg32(1, "non-file: fd", \ 258 ar->ar_arg_fd); \ 259 kau_write(rec, tok); \ 260 } \ 261 } \ 262 } while (0) 263 264 #define PROCESS_PID_TOKENS(argn) do { \ 265 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 266 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 267 tok = au_to_process32_ex(ar->ar_arg_auid, \ 268 ar->ar_arg_euid, ar->ar_arg_egid, \ 269 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 270 ar->ar_arg_pid, ar->ar_arg_asid, \ 271 &ar->ar_arg_termid_addr); \ 272 kau_write(rec, tok); \ 273 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 274 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 275 kau_write(rec, tok); \ 276 } \ 277 } while (0) 278 279 #define EXTATTR_TOKENS(namespace_argnum) do { \ 280 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 281 switch (ar->ar_arg_value) { \ 282 case EXTATTR_NAMESPACE_USER: \ 283 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 284 break; \ 285 case EXTATTR_NAMESPACE_SYSTEM: \ 286 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 287 break; \ 288 default: \ 289 tok = au_to_arg32((namespace_argnum), \ 290 "attrnamespace", ar->ar_arg_value); \ 291 break; \ 292 } \ 293 kau_write(rec, tok); \ 294 } \ 295 /* attrname is in the text field */ \ 296 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 297 tok = au_to_text(ar->ar_arg_text); \ 298 kau_write(rec, tok); \ 299 } \ 300 } while (0) 301 302 /* 303 * Not all pointer arguments to system calls are of interest, but in some 304 * cases they reflect delegation of rights, such as mmap(2) followed by 305 * minherit(2) before execve(2), so do the best we can. 306 */ 307 #define ADDR_TOKEN(argnum, argname) do { \ 308 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 309 if (sizeof(void *) == sizeof(uint32_t)) \ 310 tok = au_to_arg32((argnum), (argname), \ 311 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 312 else \ 313 tok = au_to_arg64((argnum), (argname), \ 314 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 315 kau_write(rec, tok); \ 316 } \ 317 } while (0) 318 319 /* 320 * Implement auditing for the auditon() system call. The audit tokens that 321 * are generated depend on the command that was sent into the auditon() 322 * system call. 323 */ 324 static void 325 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 326 { 327 struct au_token *tok; 328 329 tok = au_to_arg32(3, "length", ar->ar_arg_len); 330 kau_write(rec, tok); 331 switch (ar->ar_arg_cmd) { 332 case A_OLDSETPOLICY: 333 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 334 tok = au_to_arg64(2, "policy", 335 ar->ar_arg_auditon.au_policy64); 336 kau_write(rec, tok); 337 break; 338 } 339 /* FALLTHROUGH */ 340 341 case A_SETPOLICY: 342 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 343 kau_write(rec, tok); 344 break; 345 346 case A_SETKMASK: 347 tok = au_to_arg32(2, "setkmask:as_success", 348 ar->ar_arg_auditon.au_mask.am_success); 349 kau_write(rec, tok); 350 tok = au_to_arg32(2, "setkmask:as_failure", 351 ar->ar_arg_auditon.au_mask.am_failure); 352 kau_write(rec, tok); 353 break; 354 355 case A_OLDSETQCTRL: 356 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 357 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 358 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 359 kau_write(rec, tok); 360 tok = au_to_arg64(2, "setqctrl:aq_lowater", 361 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 364 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 365 kau_write(rec, tok); 366 tok = au_to_arg64(2, "setqctrl:aq_delay", 367 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 368 kau_write(rec, tok); 369 tok = au_to_arg64(2, "setqctrl:aq_minfree", 370 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 371 kau_write(rec, tok); 372 break; 373 } 374 /* FALLTHROUGH */ 375 376 case A_SETQCTRL: 377 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 378 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 379 kau_write(rec, tok); 380 tok = au_to_arg32(2, "setqctrl:aq_lowater", 381 ar->ar_arg_auditon.au_qctrl.aq_lowater); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 384 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 385 kau_write(rec, tok); 386 tok = au_to_arg32(2, "setqctrl:aq_delay", 387 ar->ar_arg_auditon.au_qctrl.aq_delay); 388 kau_write(rec, tok); 389 tok = au_to_arg32(2, "setqctrl:aq_minfree", 390 ar->ar_arg_auditon.au_qctrl.aq_minfree); 391 kau_write(rec, tok); 392 break; 393 394 case A_SETUMASK: 395 tok = au_to_arg32(2, "setumask:as_success", 396 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 397 kau_write(rec, tok); 398 tok = au_to_arg32(2, "setumask:as_failure", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 400 kau_write(rec, tok); 401 break; 402 403 case A_SETSMASK: 404 tok = au_to_arg32(2, "setsmask:as_success", 405 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 406 kau_write(rec, tok); 407 tok = au_to_arg32(2, "setsmask:as_failure", 408 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 409 kau_write(rec, tok); 410 break; 411 412 case A_OLDSETCOND: 413 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 414 tok = au_to_arg64(2, "setcond", 415 ar->ar_arg_auditon.au_cond64); 416 kau_write(rec, tok); 417 break; 418 } 419 /* FALLTHROUGH */ 420 421 case A_SETCOND: 422 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 423 kau_write(rec, tok); 424 break; 425 426 case A_SETCLASS: 427 tok = au_to_arg32(2, "setclass:ec_event", 428 ar->ar_arg_auditon.au_evclass.ec_number); 429 kau_write(rec, tok); 430 tok = au_to_arg32(2, "setclass:ec_class", 431 ar->ar_arg_auditon.au_evclass.ec_class); 432 kau_write(rec, tok); 433 break; 434 435 case A_SETPMASK: 436 tok = au_to_arg32(2, "setpmask:as_success", 437 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 438 kau_write(rec, tok); 439 tok = au_to_arg32(2, "setpmask:as_failure", 440 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 441 kau_write(rec, tok); 442 break; 443 444 case A_SETFSIZE: 445 tok = au_to_arg32(2, "setfsize:filesize", 446 ar->ar_arg_auditon.au_fstat.af_filesz); 447 kau_write(rec, tok); 448 break; 449 450 default: 451 break; 452 } 453 } 454 455 /* 456 * Convert an internal kernel audit record to a BSM record and return a 457 * success/failure indicator. The BSM record is passed as an out parameter to 458 * this function. 459 * 460 * Return conditions: 461 * BSM_SUCCESS: The BSM record is valid 462 * BSM_FAILURE: Failure; the BSM record is NULL. 463 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 464 */ 465 int 466 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 467 { 468 struct au_token *tok, *subj_tok, *jail_tok; 469 struct au_record *rec; 470 au_tid_t tid; 471 struct audit_record *ar; 472 int ctr; 473 474 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 475 476 *pau = NULL; 477 ar = &kar->k_ar; 478 rec = kau_open(); 479 480 /* 481 * Create the subject token. If this credential was jailed be sure to 482 * generate a zonename token. 483 */ 484 if (ar->ar_jailname[0] != '\0') 485 jail_tok = au_to_zonename(ar->ar_jailname); 486 else 487 jail_tok = NULL; 488 switch (ar->ar_subj_term_addr.at_type) { 489 case AU_IPv4: 490 tid.port = ar->ar_subj_term_addr.at_port; 491 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 492 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 493 ar->ar_subj_cred.cr_uid, /* eff uid */ 494 ar->ar_subj_egid, /* eff group id */ 495 ar->ar_subj_ruid, /* real uid */ 496 ar->ar_subj_rgid, /* real group id */ 497 ar->ar_subj_pid, /* process id */ 498 ar->ar_subj_asid, /* session ID */ 499 &tid); 500 break; 501 case AU_IPv6: 502 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 503 ar->ar_subj_cred.cr_uid, 504 ar->ar_subj_egid, 505 ar->ar_subj_ruid, 506 ar->ar_subj_rgid, 507 ar->ar_subj_pid, 508 ar->ar_subj_asid, 509 &ar->ar_subj_term_addr); 510 break; 511 default: 512 bzero(&tid, sizeof(tid)); 513 subj_tok = au_to_subject32(ar->ar_subj_auid, 514 ar->ar_subj_cred.cr_uid, 515 ar->ar_subj_egid, 516 ar->ar_subj_ruid, 517 ar->ar_subj_rgid, 518 ar->ar_subj_pid, 519 ar->ar_subj_asid, 520 &tid); 521 } 522 523 /* 524 * The logic inside each case fills in the tokens required for the 525 * event, except for the header, trailer, and return tokens. The 526 * header and trailer tokens are added by the kau_close() function. 527 * The return token is added outside of the switch statement. 528 */ 529 switch(ar->ar_event) { 530 case AUE_ACCEPT: 531 if (ARG_IS_VALID(kar, ARG_FD)) { 532 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 533 kau_write(rec, tok); 534 } 535 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 536 tok = au_to_sock_inet((struct sockaddr_in *) 537 &ar->ar_arg_sockaddr); 538 kau_write(rec, tok); 539 } 540 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 541 tok = au_to_sock_unix((struct sockaddr_un *) 542 &ar->ar_arg_sockaddr); 543 kau_write(rec, tok); 544 UPATH1_TOKENS; 545 } 546 break; 547 548 case AUE_BIND: 549 case AUE_LISTEN: 550 case AUE_CONNECT: 551 case AUE_RECV: 552 case AUE_RECVFROM: 553 case AUE_RECVMSG: 554 case AUE_SEND: 555 case AUE_SENDMSG: 556 case AUE_SENDTO: 557 /* 558 * Socket-related events. 559 */ 560 if (ARG_IS_VALID(kar, ARG_FD)) { 561 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 562 kau_write(rec, tok); 563 } 564 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 565 tok = au_to_sock_inet((struct sockaddr_in *) 566 &ar->ar_arg_sockaddr); 567 kau_write(rec, tok); 568 } 569 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 570 tok = au_to_sock_unix((struct sockaddr_un *) 571 &ar->ar_arg_sockaddr); 572 kau_write(rec, tok); 573 UPATH1_TOKENS; 574 } 575 /* XXX Need to handle ARG_SADDRINET6 */ 576 break; 577 578 case AUE_BINDAT: 579 case AUE_CONNECTAT: 580 ATFD1_TOKENS(1); 581 if (ARG_IS_VALID(kar, ARG_FD)) { 582 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 583 kau_write(rec, tok); 584 } 585 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 586 tok = au_to_sock_unix((struct sockaddr_un *) 587 &ar->ar_arg_sockaddr); 588 kau_write(rec, tok); 589 UPATH1_TOKENS; 590 } 591 break; 592 593 case AUE_SENDFILE: 594 FD_VNODE1_TOKENS; 595 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 596 tok = au_to_sock_inet((struct sockaddr_in *) 597 &ar->ar_arg_sockaddr); 598 kau_write(rec, tok); 599 } 600 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 601 tok = au_to_sock_unix((struct sockaddr_un *) 602 &ar->ar_arg_sockaddr); 603 kau_write(rec, tok); 604 UPATH1_TOKENS; 605 } 606 /* XXX Need to handle ARG_SADDRINET6 */ 607 break; 608 609 case AUE_SOCKET: 610 case AUE_SOCKETPAIR: 611 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 612 tok = au_to_arg32(1, "domain", 613 ar->ar_arg_sockinfo.so_domain); 614 kau_write(rec, tok); 615 tok = au_to_arg32(2, "type", 616 ar->ar_arg_sockinfo.so_type); 617 kau_write(rec, tok); 618 tok = au_to_arg32(3, "protocol", 619 ar->ar_arg_sockinfo.so_protocol); 620 kau_write(rec, tok); 621 } 622 break; 623 624 case AUE_SETSOCKOPT: 625 case AUE_SHUTDOWN: 626 if (ARG_IS_VALID(kar, ARG_FD)) { 627 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 628 kau_write(rec, tok); 629 } 630 break; 631 632 case AUE_ACCT: 633 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 634 UPATH1_VNODE1_TOKENS; 635 } else { 636 tok = au_to_arg32(1, "accounting off", 0); 637 kau_write(rec, tok); 638 } 639 break; 640 641 case AUE_SETAUID: 642 if (ARG_IS_VALID(kar, ARG_AUID)) { 643 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 644 kau_write(rec, tok); 645 } 646 break; 647 648 case AUE_SETAUDIT: 649 if (ARG_IS_VALID(kar, ARG_AUID) && 650 ARG_IS_VALID(kar, ARG_ASID) && 651 ARG_IS_VALID(kar, ARG_AMASK) && 652 ARG_IS_VALID(kar, ARG_TERMID)) { 653 tok = au_to_arg32(1, "setaudit:auid", 654 ar->ar_arg_auid); 655 kau_write(rec, tok); 656 tok = au_to_arg32(1, "setaudit:port", 657 ar->ar_arg_termid.port); 658 kau_write(rec, tok); 659 tok = au_to_arg32(1, "setaudit:machine", 660 ar->ar_arg_termid.machine); 661 kau_write(rec, tok); 662 tok = au_to_arg32(1, "setaudit:as_success", 663 ar->ar_arg_amask.am_success); 664 kau_write(rec, tok); 665 tok = au_to_arg32(1, "setaudit:as_failure", 666 ar->ar_arg_amask.am_failure); 667 kau_write(rec, tok); 668 tok = au_to_arg32(1, "setaudit:asid", 669 ar->ar_arg_asid); 670 kau_write(rec, tok); 671 } 672 break; 673 674 case AUE_SETAUDIT_ADDR: 675 if (ARG_IS_VALID(kar, ARG_AUID) && 676 ARG_IS_VALID(kar, ARG_ASID) && 677 ARG_IS_VALID(kar, ARG_AMASK) && 678 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 679 tok = au_to_arg32(1, "setaudit_addr:auid", 680 ar->ar_arg_auid); 681 kau_write(rec, tok); 682 tok = au_to_arg32(1, "setaudit_addr:as_success", 683 ar->ar_arg_amask.am_success); 684 kau_write(rec, tok); 685 tok = au_to_arg32(1, "setaudit_addr:as_failure", 686 ar->ar_arg_amask.am_failure); 687 kau_write(rec, tok); 688 tok = au_to_arg32(1, "setaudit_addr:asid", 689 ar->ar_arg_asid); 690 kau_write(rec, tok); 691 tok = au_to_arg32(1, "setaudit_addr:type", 692 ar->ar_arg_termid_addr.at_type); 693 kau_write(rec, tok); 694 tok = au_to_arg32(1, "setaudit_addr:port", 695 ar->ar_arg_termid_addr.at_port); 696 kau_write(rec, tok); 697 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 698 tok = au_to_in_addr_ex((struct in6_addr *) 699 &ar->ar_arg_termid_addr.at_addr[0]); 700 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 701 tok = au_to_in_addr((struct in_addr *) 702 &ar->ar_arg_termid_addr.at_addr[0]); 703 kau_write(rec, tok); 704 } 705 break; 706 707 case AUE_AUDITON: 708 /* 709 * For AUDITON commands without own event, audit the cmd. 710 */ 711 if (ARG_IS_VALID(kar, ARG_CMD)) { 712 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 713 kau_write(rec, tok); 714 } 715 /* FALLTHROUGH */ 716 717 case AUE_AUDITON_GETCAR: 718 case AUE_AUDITON_GETCLASS: 719 case AUE_AUDITON_GETCOND: 720 case AUE_AUDITON_GETCWD: 721 case AUE_AUDITON_GETKMASK: 722 case AUE_AUDITON_GETSTAT: 723 case AUE_AUDITON_GPOLICY: 724 case AUE_AUDITON_GQCTRL: 725 case AUE_AUDITON_SETCLASS: 726 case AUE_AUDITON_SETCOND: 727 case AUE_AUDITON_SETKMASK: 728 case AUE_AUDITON_SETSMASK: 729 case AUE_AUDITON_SETSTAT: 730 case AUE_AUDITON_SETUMASK: 731 case AUE_AUDITON_SPOLICY: 732 case AUE_AUDITON_SQCTRL: 733 if (ARG_IS_VALID(kar, ARG_AUDITON)) 734 audit_sys_auditon(ar, rec); 735 break; 736 737 case AUE_AUDITCTL: 738 UPATH1_VNODE1_TOKENS; 739 break; 740 741 case AUE_EXIT: 742 if (ARG_IS_VALID(kar, ARG_EXIT)) { 743 tok = au_to_exit(ar->ar_arg_exitretval, 744 ar->ar_arg_exitstatus); 745 kau_write(rec, tok); 746 } 747 break; 748 749 case AUE_ADJTIME: 750 case AUE_CLOCK_SETTIME: 751 case AUE_AUDIT: 752 case AUE_DUP2: 753 case AUE_GETAUDIT: 754 case AUE_GETAUDIT_ADDR: 755 case AUE_GETAUID: 756 case AUE_GETCWD: 757 case AUE_GETFSSTAT: 758 case AUE_GETRESUID: 759 case AUE_GETRESGID: 760 case AUE_KQUEUE: 761 case AUE_MODLOAD: 762 case AUE_MODUNLOAD: 763 case AUE_MSGSYS: 764 case AUE_NTP_ADJTIME: 765 case AUE_PIPE: 766 case AUE_POSIX_OPENPT: 767 case AUE_PROFILE: 768 case AUE_RTPRIO: 769 case AUE_SEMSYS: 770 case AUE_SETFIB: 771 case AUE_SHMSYS: 772 case AUE_SETPGRP: 773 case AUE_SETRLIMIT: 774 case AUE_SETSID: 775 case AUE_SETTIMEOFDAY: 776 case AUE_SYSARCH: 777 778 /* 779 * Header, subject, and return tokens added at end. 780 */ 781 break; 782 783 case AUE_ACL_DELETE_FD: 784 case AUE_ACL_DELETE_FILE: 785 case AUE_ACL_CHECK_FD: 786 case AUE_ACL_CHECK_FILE: 787 case AUE_ACL_CHECK_LINK: 788 case AUE_ACL_DELETE_LINK: 789 case AUE_ACL_GET_FD: 790 case AUE_ACL_GET_FILE: 791 case AUE_ACL_GET_LINK: 792 case AUE_ACL_SET_FD: 793 case AUE_ACL_SET_FILE: 794 case AUE_ACL_SET_LINK: 795 if (ARG_IS_VALID(kar, ARG_VALUE)) { 796 tok = au_to_arg32(1, "type", ar->ar_arg_value); 797 kau_write(rec, tok); 798 } 799 ATFD1_TOKENS(1); 800 UPATH1_VNODE1_TOKENS; 801 break; 802 803 /* 804 * NB: We may want to verify that the appropriate 805 * audit args are being processed here, but I think 806 * a bit analysis is required. 807 * 808 * Process AUE_JAIL_SET in the next block so we can pickup any path 809 * related tokens that might exist. 810 */ 811 case AUE_JAIL_GET: 812 case AUE_JAIL_ATTACH: 813 case AUE_JAIL_REMOVE: 814 break; 815 816 case AUE_JAIL_SET: 817 case AUE_CHDIR: 818 case AUE_CHROOT: 819 case AUE_FSTATAT: 820 case AUE_FUTIMESAT: 821 case AUE_GETATTRLIST: 822 case AUE_JAIL: 823 case AUE_LUTIMES: 824 case AUE_NFS_GETFH: 825 case AUE_LGETFH: 826 case AUE_LSTAT: 827 case AUE_LPATHCONF: 828 case AUE_PATHCONF: 829 case AUE_READLINK: 830 case AUE_READLINKAT: 831 case AUE_REVOKE: 832 case AUE_RMDIR: 833 case AUE_SEARCHFS: 834 case AUE_SETATTRLIST: 835 case AUE_STAT: 836 case AUE_STATFS: 837 case AUE_SWAPON: 838 case AUE_SWAPOFF: 839 case AUE_TRUNCATE: 840 case AUE_UNDELETE: 841 case AUE_UNLINK: 842 case AUE_UNLINKAT: 843 case AUE_UTIMES: 844 case AUE_REALPATHAT: 845 ATFD1_TOKENS(1); 846 UPATH1_VNODE1_TOKENS; 847 break; 848 849 case AUE_ACCESS: 850 case AUE_EACCESS: 851 case AUE_FACCESSAT: 852 ATFD1_TOKENS(1); 853 UPATH1_VNODE1_TOKENS; 854 if (ARG_IS_VALID(kar, ARG_VALUE)) { 855 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 856 kau_write(rec, tok); 857 } 858 break; 859 860 case AUE_FHSTATFS: 861 case AUE_FHOPEN: 862 case AUE_FHSTAT: 863 /* XXXRW: Need to audit vnode argument. */ 864 break; 865 866 case AUE_CHFLAGS: 867 case AUE_LCHFLAGS: 868 case AUE_CHFLAGSAT: 869 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 870 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 871 kau_write(rec, tok); 872 } 873 UPATH1_VNODE1_TOKENS; 874 break; 875 876 case AUE_CHMOD: 877 case AUE_LCHMOD: 878 if (ARG_IS_VALID(kar, ARG_MODE)) { 879 tok = au_to_arg32(2, "new file mode", 880 ar->ar_arg_mode); 881 kau_write(rec, tok); 882 } 883 UPATH1_VNODE1_TOKENS; 884 break; 885 886 case AUE_FCHMODAT: 887 ATFD1_TOKENS(1); 888 if (ARG_IS_VALID(kar, ARG_MODE)) { 889 tok = au_to_arg32(3, "new file mode", 890 ar->ar_arg_mode); 891 kau_write(rec, tok); 892 } 893 UPATH1_VNODE1_TOKENS; 894 break; 895 896 case AUE_CHOWN: 897 case AUE_LCHOWN: 898 if (ARG_IS_VALID(kar, ARG_UID)) { 899 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 900 kau_write(rec, tok); 901 } 902 if (ARG_IS_VALID(kar, ARG_GID)) { 903 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 904 kau_write(rec, tok); 905 } 906 UPATH1_VNODE1_TOKENS; 907 break; 908 909 case AUE_FCHOWNAT: 910 ATFD1_TOKENS(1); 911 if (ARG_IS_VALID(kar, ARG_UID)) { 912 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 913 kau_write(rec, tok); 914 } 915 if (ARG_IS_VALID(kar, ARG_GID)) { 916 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 917 kau_write(rec, tok); 918 } 919 UPATH1_VNODE1_TOKENS; 920 break; 921 922 case AUE_EXCHANGEDATA: 923 UPATH1_VNODE1_TOKENS; 924 UPATH2_TOKENS; 925 break; 926 927 case AUE_CLOSE: 928 if (ARG_IS_VALID(kar, ARG_FD)) { 929 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 930 kau_write(rec, tok); 931 } 932 UPATH1_VNODE1_TOKENS; 933 break; 934 935 case AUE_CLOSEFROM: 936 if (ARG_IS_VALID(kar, ARG_FD)) { 937 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 938 kau_write(rec, tok); 939 } 940 break; 941 942 case AUE_CLOSERANGE: 943 if (ARG_IS_VALID(kar, ARG_FD)) { 944 tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd); 945 kau_write(rec, tok); 946 } 947 if (ARG_IS_VALID(kar, ARG_CMD)) { 948 tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd); 949 kau_write(rec, tok); 950 } 951 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 952 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 953 kau_write(rec, tok); 954 } 955 break; 956 957 case AUE_CORE: 958 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 959 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 960 kau_write(rec, tok); 961 } 962 UPATH1_VNODE1_TOKENS; 963 break; 964 965 case AUE_EXTATTRCTL: 966 UPATH1_VNODE1_TOKENS; 967 if (ARG_IS_VALID(kar, ARG_CMD)) { 968 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 969 kau_write(rec, tok); 970 } 971 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 972 UPATH2_TOKENS; 973 VNODE2_TOKENS; 974 EXTATTR_TOKENS(4); 975 break; 976 977 case AUE_EXTATTR_GET_FILE: 978 case AUE_EXTATTR_SET_FILE: 979 case AUE_EXTATTR_LIST_FILE: 980 case AUE_EXTATTR_DELETE_FILE: 981 case AUE_EXTATTR_GET_LINK: 982 case AUE_EXTATTR_SET_LINK: 983 case AUE_EXTATTR_LIST_LINK: 984 case AUE_EXTATTR_DELETE_LINK: 985 UPATH1_VNODE1_TOKENS; 986 EXTATTR_TOKENS(2); 987 break; 988 989 case AUE_EXTATTR_GET_FD: 990 case AUE_EXTATTR_SET_FD: 991 case AUE_EXTATTR_LIST_FD: 992 case AUE_EXTATTR_DELETE_FD: 993 if (ARG_IS_VALID(kar, ARG_FD)) { 994 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 995 kau_write(rec, tok); 996 } 997 EXTATTR_TOKENS(2); 998 break; 999 1000 case AUE_FEXECVE: 1001 if (ARG_IS_VALID(kar, ARG_FD)) { 1002 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1003 kau_write(rec, tok); 1004 } 1005 /* FALLTHROUGH */ 1006 1007 case AUE_EXECVE: 1008 case AUE_MAC_EXECVE: 1009 if (ARG_IS_VALID(kar, ARG_ARGV)) { 1010 tok = au_to_exec_args(ar->ar_arg_argv, 1011 ar->ar_arg_argc); 1012 kau_write(rec, tok); 1013 } 1014 if (ARG_IS_VALID(kar, ARG_ENVV)) { 1015 tok = au_to_exec_env(ar->ar_arg_envv, 1016 ar->ar_arg_envc); 1017 kau_write(rec, tok); 1018 } 1019 UPATH1_VNODE1_TOKENS; 1020 break; 1021 1022 case AUE_FCHMOD: 1023 if (ARG_IS_VALID(kar, ARG_MODE)) { 1024 tok = au_to_arg32(2, "new file mode", 1025 ar->ar_arg_mode); 1026 kau_write(rec, tok); 1027 } 1028 FD_VNODE1_TOKENS; 1029 break; 1030 1031 /* 1032 * XXXRW: Some of these need to handle non-vnode cases as well. 1033 */ 1034 case AUE_FCHDIR: 1035 case AUE_FPATHCONF: 1036 case AUE_FSTAT: 1037 case AUE_FSTATFS: 1038 case AUE_FSYNC: 1039 case AUE_FTRUNCATE: 1040 case AUE_FUTIMES: 1041 case AUE_GETDIRENTRIES: 1042 case AUE_GETDIRENTRIESATTR: 1043 case AUE_LSEEK: 1044 case AUE_POLL: 1045 case AUE_POSIX_FALLOCATE: 1046 case AUE_PREAD: 1047 case AUE_PWRITE: 1048 case AUE_READ: 1049 case AUE_READV: 1050 case AUE_WRITE: 1051 case AUE_WRITEV: 1052 FD_VNODE1_TOKENS; 1053 break; 1054 1055 case AUE_FCHOWN: 1056 if (ARG_IS_VALID(kar, ARG_UID)) { 1057 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1058 kau_write(rec, tok); 1059 } 1060 if (ARG_IS_VALID(kar, ARG_GID)) { 1061 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1062 kau_write(rec, tok); 1063 } 1064 FD_VNODE1_TOKENS; 1065 break; 1066 1067 case AUE_FCNTL: 1068 if (ARG_IS_VALID(kar, ARG_CMD)) { 1069 tok = au_to_arg32(2, "cmd", 1070 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1071 kau_write(rec, tok); 1072 } 1073 FD_VNODE1_TOKENS; 1074 break; 1075 1076 case AUE_FCHFLAGS: 1077 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1078 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1079 kau_write(rec, tok); 1080 } 1081 FD_VNODE1_TOKENS; 1082 break; 1083 1084 case AUE_FLOCK: 1085 if (ARG_IS_VALID(kar, ARG_CMD)) { 1086 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1087 kau_write(rec, tok); 1088 } 1089 FD_VNODE1_TOKENS; 1090 break; 1091 1092 case AUE_FSPACECTL: 1093 if (ARG_IS_VALID(kar, ARG_CMD)) { 1094 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1095 kau_write(rec, tok); 1096 } 1097 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1098 tok = au_to_arg32(4, "flags", ar->ar_arg_fflags); 1099 kau_write(rec, tok); 1100 } 1101 FD_VNODE1_TOKENS; 1102 break; 1103 1104 case AUE_RFORK: 1105 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1106 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1107 kau_write(rec, tok); 1108 } 1109 /* FALLTHROUGH */ 1110 1111 case AUE_FORK: 1112 case AUE_VFORK: 1113 if (ARG_IS_VALID(kar, ARG_PID)) { 1114 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1115 kau_write(rec, tok); 1116 } 1117 break; 1118 1119 case AUE_IOCTL: 1120 if (ARG_IS_VALID(kar, ARG_CMD)) { 1121 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1122 kau_write(rec, tok); 1123 } 1124 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1125 FD_VNODE1_TOKENS; 1126 else { 1127 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1128 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1129 kau_write(rec, tok); 1130 } else { 1131 if (ARG_IS_VALID(kar, ARG_FD)) { 1132 tok = au_to_arg32(1, "fd", 1133 ar->ar_arg_fd); 1134 kau_write(rec, tok); 1135 } 1136 } 1137 } 1138 break; 1139 1140 case AUE_KILL: 1141 case AUE_KILLPG: 1142 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1143 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1144 kau_write(rec, tok); 1145 } 1146 PROCESS_PID_TOKENS(1); 1147 break; 1148 1149 case AUE_KTRACE: 1150 if (ARG_IS_VALID(kar, ARG_CMD)) { 1151 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1152 kau_write(rec, tok); 1153 } 1154 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1155 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1156 kau_write(rec, tok); 1157 } 1158 PROCESS_PID_TOKENS(4); 1159 UPATH1_VNODE1_TOKENS; 1160 break; 1161 1162 case AUE_LINK: 1163 case AUE_LINKAT: 1164 case AUE_RENAME: 1165 case AUE_RENAMEAT: 1166 ATFD1_TOKENS(1); 1167 UPATH1_VNODE1_TOKENS; 1168 ATFD2_TOKENS(3); 1169 UPATH2_TOKENS; 1170 break; 1171 1172 case AUE_LOADSHFILE: 1173 ADDR_TOKEN(4, "base addr"); 1174 UPATH1_VNODE1_TOKENS; 1175 break; 1176 1177 case AUE_MKDIR: 1178 case AUE_MKDIRAT: 1179 case AUE_MKFIFO: 1180 case AUE_MKFIFOAT: 1181 ATFD1_TOKENS(1); 1182 if (ARG_IS_VALID(kar, ARG_MODE)) { 1183 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1184 kau_write(rec, tok); 1185 } 1186 UPATH1_VNODE1_TOKENS; 1187 break; 1188 1189 case AUE_MKNOD: 1190 case AUE_MKNODAT: 1191 ATFD1_TOKENS(1); 1192 if (ARG_IS_VALID(kar, ARG_MODE)) { 1193 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1194 kau_write(rec, tok); 1195 } 1196 if (ARG_IS_VALID(kar, ARG_DEV)) { 1197 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1198 kau_write(rec, tok); 1199 } 1200 UPATH1_VNODE1_TOKENS; 1201 break; 1202 1203 case AUE_MMAP: 1204 case AUE_MUNMAP: 1205 case AUE_MPROTECT: 1206 case AUE_MLOCK: 1207 case AUE_MUNLOCK: 1208 case AUE_MINHERIT: 1209 ADDR_TOKEN(1, "addr"); 1210 if (ARG_IS_VALID(kar, ARG_LEN)) { 1211 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1212 kau_write(rec, tok); 1213 } 1214 if (ar->ar_event == AUE_MMAP) 1215 FD_VNODE1_TOKENS; 1216 if (ar->ar_event == AUE_MPROTECT) { 1217 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1218 tok = au_to_arg32(3, "protection", 1219 ar->ar_arg_value); 1220 kau_write(rec, tok); 1221 } 1222 } 1223 if (ar->ar_event == AUE_MINHERIT) { 1224 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1225 tok = au_to_arg32(3, "inherit", 1226 ar->ar_arg_value); 1227 kau_write(rec, tok); 1228 } 1229 } 1230 break; 1231 1232 case AUE_MOUNT: 1233 case AUE_NMOUNT: 1234 /* XXX Need to handle NFS mounts */ 1235 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1236 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1237 kau_write(rec, tok); 1238 } 1239 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1240 tok = au_to_text(ar->ar_arg_text); 1241 kau_write(rec, tok); 1242 } 1243 /* FALLTHROUGH */ 1244 1245 case AUE_NFS_SVC: 1246 if (ARG_IS_VALID(kar, ARG_CMD)) { 1247 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1248 kau_write(rec, tok); 1249 } 1250 break; 1251 1252 case AUE_UMOUNT: 1253 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1254 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1255 kau_write(rec, tok); 1256 } 1257 UPATH1_VNODE1_TOKENS; 1258 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1259 tok = au_to_text(ar->ar_arg_text); 1260 kau_write(rec, tok); 1261 } 1262 break; 1263 1264 case AUE_MSGCTL: 1265 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1266 /* Fall through */ 1267 1268 case AUE_MSGRCV: 1269 case AUE_MSGSND: 1270 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1271 kau_write(rec, tok); 1272 if (ar->ar_errno != EINVAL) { 1273 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1274 kau_write(rec, tok); 1275 } 1276 break; 1277 1278 case AUE_MSGGET: 1279 if (ar->ar_errno == 0) { 1280 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1281 tok = au_to_ipc(AT_IPC_MSG, 1282 ar->ar_arg_svipc_id); 1283 kau_write(rec, tok); 1284 } 1285 } 1286 break; 1287 1288 case AUE_RESETSHFILE: 1289 ADDR_TOKEN(1, "base addr"); 1290 break; 1291 1292 case AUE_OPEN_RC: 1293 case AUE_OPEN_RTC: 1294 case AUE_OPEN_RWC: 1295 case AUE_OPEN_RWTC: 1296 case AUE_OPEN_WC: 1297 case AUE_OPEN_WTC: 1298 case AUE_CREAT: 1299 if (ARG_IS_VALID(kar, ARG_MODE)) { 1300 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1301 kau_write(rec, tok); 1302 } 1303 /* FALLTHROUGH */ 1304 1305 case AUE_OPEN_R: 1306 case AUE_OPEN_RT: 1307 case AUE_OPEN_RW: 1308 case AUE_OPEN_RWT: 1309 case AUE_OPEN_W: 1310 case AUE_OPEN_WT: 1311 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1312 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1313 kau_write(rec, tok); 1314 } 1315 UPATH1_VNODE1_TOKENS; 1316 break; 1317 1318 case AUE_OPENAT_RC: 1319 case AUE_OPENAT_RTC: 1320 case AUE_OPENAT_RWC: 1321 case AUE_OPENAT_RWTC: 1322 case AUE_OPENAT_WC: 1323 case AUE_OPENAT_WTC: 1324 if (ARG_IS_VALID(kar, ARG_MODE)) { 1325 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1326 kau_write(rec, tok); 1327 } 1328 /* FALLTHROUGH */ 1329 1330 case AUE_OPENAT_R: 1331 case AUE_OPENAT_RT: 1332 case AUE_OPENAT_RW: 1333 case AUE_OPENAT_RWT: 1334 case AUE_OPENAT_W: 1335 case AUE_OPENAT_WT: 1336 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1337 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1338 kau_write(rec, tok); 1339 } 1340 ATFD1_TOKENS(1); 1341 UPATH1_VNODE1_TOKENS; 1342 break; 1343 1344 case AUE_PDKILL: 1345 if (ARG_IS_VALID(kar, ARG_FD)) { 1346 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1347 kau_write(rec, tok); 1348 } 1349 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1350 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1351 kau_write(rec, tok); 1352 } 1353 PROCESS_PID_TOKENS(1); 1354 break; 1355 case AUE_PDFORK: 1356 if (ARG_IS_VALID(kar, ARG_PID)) { 1357 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1358 kau_write(rec, tok); 1359 } 1360 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1361 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1362 kau_write(rec, tok); 1363 } 1364 if (ARG_IS_VALID(kar, ARG_FD)) { 1365 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1366 kau_write(rec, tok); 1367 } 1368 break; 1369 case AUE_PDGETPID: 1370 if (ARG_IS_VALID(kar, ARG_FD)) { 1371 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1372 kau_write(rec, tok); 1373 } 1374 break; 1375 1376 case AUE_PROCCTL: 1377 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1378 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1379 kau_write(rec, tok); 1380 } 1381 if (ARG_IS_VALID(kar, ARG_CMD)) { 1382 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1383 kau_write(rec, tok); 1384 } 1385 PROCESS_PID_TOKENS(3); 1386 break; 1387 1388 case AUE_PTRACE: 1389 if (ARG_IS_VALID(kar, ARG_CMD)) { 1390 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1391 kau_write(rec, tok); 1392 } 1393 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1394 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1395 kau_write(rec, tok); 1396 } 1397 PROCESS_PID_TOKENS(2); 1398 break; 1399 1400 case AUE_QUOTACTL: 1401 if (ARG_IS_VALID(kar, ARG_CMD)) { 1402 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1403 kau_write(rec, tok); 1404 } 1405 if (ARG_IS_VALID(kar, ARG_UID)) { 1406 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1407 kau_write(rec, tok); 1408 } 1409 if (ARG_IS_VALID(kar, ARG_GID)) { 1410 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1411 kau_write(rec, tok); 1412 } 1413 UPATH1_VNODE1_TOKENS; 1414 break; 1415 1416 case AUE_REBOOT: 1417 if (ARG_IS_VALID(kar, ARG_CMD)) { 1418 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1419 kau_write(rec, tok); 1420 } 1421 break; 1422 1423 case AUE_SEMCTL: 1424 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1425 /* Fall through */ 1426 1427 case AUE_SEMOP: 1428 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1429 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1430 kau_write(rec, tok); 1431 if (ar->ar_errno != EINVAL) { 1432 tok = au_to_ipc(AT_IPC_SEM, 1433 ar->ar_arg_svipc_id); 1434 kau_write(rec, tok); 1435 } 1436 } 1437 break; 1438 1439 case AUE_SEMGET: 1440 if (ar->ar_errno == 0) { 1441 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1442 tok = au_to_ipc(AT_IPC_SEM, 1443 ar->ar_arg_svipc_id); 1444 kau_write(rec, tok); 1445 } 1446 } 1447 break; 1448 1449 case AUE_SETEGID: 1450 if (ARG_IS_VALID(kar, ARG_EGID)) { 1451 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1452 kau_write(rec, tok); 1453 } 1454 break; 1455 1456 case AUE_SETEUID: 1457 if (ARG_IS_VALID(kar, ARG_EUID)) { 1458 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1459 kau_write(rec, tok); 1460 } 1461 break; 1462 1463 case AUE_SETREGID: 1464 if (ARG_IS_VALID(kar, ARG_RGID)) { 1465 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1466 kau_write(rec, tok); 1467 } 1468 if (ARG_IS_VALID(kar, ARG_EGID)) { 1469 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1470 kau_write(rec, tok); 1471 } 1472 break; 1473 1474 case AUE_SETREUID: 1475 if (ARG_IS_VALID(kar, ARG_RUID)) { 1476 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1477 kau_write(rec, tok); 1478 } 1479 if (ARG_IS_VALID(kar, ARG_EUID)) { 1480 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1481 kau_write(rec, tok); 1482 } 1483 break; 1484 1485 case AUE_SETRESGID: 1486 if (ARG_IS_VALID(kar, ARG_RGID)) { 1487 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1488 kau_write(rec, tok); 1489 } 1490 if (ARG_IS_VALID(kar, ARG_EGID)) { 1491 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1492 kau_write(rec, tok); 1493 } 1494 if (ARG_IS_VALID(kar, ARG_SGID)) { 1495 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1496 kau_write(rec, tok); 1497 } 1498 break; 1499 1500 case AUE_SETRESUID: 1501 if (ARG_IS_VALID(kar, ARG_RUID)) { 1502 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1503 kau_write(rec, tok); 1504 } 1505 if (ARG_IS_VALID(kar, ARG_EUID)) { 1506 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1507 kau_write(rec, tok); 1508 } 1509 if (ARG_IS_VALID(kar, ARG_SUID)) { 1510 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1511 kau_write(rec, tok); 1512 } 1513 break; 1514 1515 case AUE_SETGID: 1516 if (ARG_IS_VALID(kar, ARG_GID)) { 1517 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1518 kau_write(rec, tok); 1519 } 1520 break; 1521 1522 case AUE_SETUID: 1523 if (ARG_IS_VALID(kar, ARG_UID)) { 1524 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1525 kau_write(rec, tok); 1526 } 1527 break; 1528 1529 case AUE_SETGROUPS: 1530 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1531 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1532 { 1533 tok = au_to_arg32(1, "setgroups", 1534 ar->ar_arg_groups.gidset[ctr]); 1535 kau_write(rec, tok); 1536 } 1537 } 1538 break; 1539 1540 case AUE_SETLOGIN: 1541 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1542 tok = au_to_text(ar->ar_arg_login); 1543 kau_write(rec, tok); 1544 } 1545 break; 1546 1547 case AUE_SETLOGINCLASS: 1548 break; 1549 1550 case AUE_SETPRIORITY: 1551 if (ARG_IS_VALID(kar, ARG_CMD)) { 1552 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1553 kau_write(rec, tok); 1554 } 1555 if (ARG_IS_VALID(kar, ARG_UID)) { 1556 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1557 kau_write(rec, tok); 1558 } 1559 PROCESS_PID_TOKENS(2); 1560 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1561 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1562 kau_write(rec, tok); 1563 } 1564 break; 1565 1566 case AUE_SETPRIVEXEC: 1567 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1568 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1569 kau_write(rec, tok); 1570 } 1571 break; 1572 1573 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1574 case AUE_SHMAT: 1575 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1576 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1577 kau_write(rec, tok); 1578 /* XXXAUDIT: Does having the ipc token make sense? */ 1579 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1580 kau_write(rec, tok); 1581 } 1582 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1583 tok = au_to_arg32(2, "shmaddr", 1584 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1585 kau_write(rec, tok); 1586 } 1587 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1588 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1589 kau_write(rec, tok); 1590 } 1591 break; 1592 1593 case AUE_SHMCTL: 1594 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1595 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1596 kau_write(rec, tok); 1597 /* XXXAUDIT: Does having the ipc token make sense? */ 1598 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1599 kau_write(rec, tok); 1600 } 1601 switch (ar->ar_arg_svipc_cmd) { 1602 case IPC_STAT: 1603 ar->ar_event = AUE_SHMCTL_STAT; 1604 break; 1605 case IPC_RMID: 1606 ar->ar_event = AUE_SHMCTL_RMID; 1607 break; 1608 case IPC_SET: 1609 ar->ar_event = AUE_SHMCTL_SET; 1610 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1611 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1612 kau_write(rec, tok); 1613 } 1614 break; 1615 default: 1616 break; /* We will audit a bad command */ 1617 } 1618 break; 1619 1620 case AUE_SHMDT: 1621 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1622 tok = au_to_arg32(1, "shmaddr", 1623 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1624 kau_write(rec, tok); 1625 } 1626 break; 1627 1628 case AUE_SHMGET: 1629 /* This is unusual; the return value is in an argument token */ 1630 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1631 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1632 kau_write(rec, tok); 1633 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1634 kau_write(rec, tok); 1635 } 1636 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1637 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1638 kau_write(rec, tok); 1639 } 1640 break; 1641 1642 /* shm_rename is a non-Posix extension to the Posix shm implementation */ 1643 case AUE_SHMRENAME: 1644 UPATH1_TOKENS; 1645 UPATH2_TOKENS; 1646 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1647 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1648 kau_write(rec, tok); 1649 } 1650 break; 1651 1652 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1653 * and AUE_SEMUNLINK are Posix IPC */ 1654 case AUE_SHMOPEN: 1655 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1656 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1657 kau_write(rec, tok); 1658 } 1659 if (ARG_IS_VALID(kar, ARG_MODE)) { 1660 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1661 kau_write(rec, tok); 1662 } 1663 /* FALLTHROUGH */ 1664 1665 case AUE_SHMUNLINK: 1666 UPATH1_TOKENS; 1667 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1668 struct ipc_perm perm; 1669 1670 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1671 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1672 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1673 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1674 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1675 perm.seq = 0; 1676 perm.key = 0; 1677 tok = au_to_ipc_perm(&perm); 1678 kau_write(rec, tok); 1679 } 1680 break; 1681 1682 case AUE_SEMOPEN: 1683 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1684 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1685 kau_write(rec, tok); 1686 } 1687 if (ARG_IS_VALID(kar, ARG_MODE)) { 1688 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1689 kau_write(rec, tok); 1690 } 1691 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1692 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1693 kau_write(rec, tok); 1694 } 1695 /* FALLTHROUGH */ 1696 1697 case AUE_SEMUNLINK: 1698 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1699 tok = au_to_text(ar->ar_arg_text); 1700 kau_write(rec, tok); 1701 } 1702 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1703 struct ipc_perm perm; 1704 1705 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1706 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1707 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1708 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1709 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1710 perm.seq = 0; 1711 perm.key = 0; 1712 tok = au_to_ipc_perm(&perm); 1713 kau_write(rec, tok); 1714 } 1715 break; 1716 1717 case AUE_SEMCLOSE: 1718 if (ARG_IS_VALID(kar, ARG_FD)) { 1719 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1720 kau_write(rec, tok); 1721 } 1722 break; 1723 1724 case AUE_SYMLINK: 1725 case AUE_SYMLINKAT: 1726 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1727 tok = au_to_text(ar->ar_arg_text); 1728 kau_write(rec, tok); 1729 } 1730 ATFD1_TOKENS(1); 1731 UPATH1_VNODE1_TOKENS; 1732 break; 1733 1734 case AUE_SYSCTL: 1735 case AUE_SYSCTL_NONADMIN: 1736 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1737 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1738 tok = au_to_arg32(1, "name", 1739 ar->ar_arg_ctlname[ctr]); 1740 kau_write(rec, tok); 1741 } 1742 } 1743 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1744 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1745 kau_write(rec, tok); 1746 } 1747 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1748 tok = au_to_text(ar->ar_arg_text); 1749 kau_write(rec, tok); 1750 } 1751 break; 1752 1753 case AUE_UMASK: 1754 if (ARG_IS_VALID(kar, ARG_MASK)) { 1755 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1756 kau_write(rec, tok); 1757 } 1758 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1759 kau_write(rec, tok); 1760 break; 1761 1762 case AUE_WAIT4: 1763 case AUE_WAIT6: 1764 PROCESS_PID_TOKENS(1); 1765 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1766 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1767 kau_write(rec, tok); 1768 } 1769 break; 1770 1771 case AUE_CAP_RIGHTS_LIMIT: 1772 /* 1773 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1774 */ 1775 FD_VNODE1_TOKENS; 1776 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1777 tok = au_to_rights(&ar->ar_arg_rights); 1778 kau_write(rec, tok); 1779 } 1780 break; 1781 1782 case AUE_CAP_FCNTLS_GET: 1783 case AUE_CAP_IOCTLS_GET: 1784 case AUE_CAP_IOCTLS_LIMIT: 1785 case AUE_CAP_RIGHTS_GET: 1786 if (ARG_IS_VALID(kar, ARG_FD)) { 1787 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1788 kau_write(rec, tok); 1789 } 1790 break; 1791 1792 case AUE_CAP_FCNTLS_LIMIT: 1793 FD_VNODE1_TOKENS; 1794 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1795 tok = au_to_arg32(2, "fcntlrights", 1796 ar->ar_arg_fcntl_rights); 1797 kau_write(rec, tok); 1798 } 1799 break; 1800 1801 case AUE_CAP_ENTER: 1802 case AUE_CAP_GETMODE: 1803 break; 1804 1805 case AUE_THR_NEW: 1806 case AUE_THR_KILL: 1807 case AUE_THR_EXIT: 1808 break; 1809 1810 case AUE_NULL: 1811 default: 1812 printf("BSM conversion requested for unknown event %d\n", 1813 ar->ar_event); 1814 1815 /* 1816 * Write the subject token so it is properly freed here. 1817 */ 1818 if (jail_tok != NULL) 1819 kau_write(rec, jail_tok); 1820 kau_write(rec, subj_tok); 1821 kau_free(rec); 1822 return (BSM_NOAUDIT); 1823 } 1824 1825 if (jail_tok != NULL) 1826 kau_write(rec, jail_tok); 1827 kau_write(rec, subj_tok); 1828 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1829 kau_write(rec, tok); /* Every record gets a return token */ 1830 1831 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1832 1833 *pau = rec; 1834 return (BSM_SUCCESS); 1835 } 1836 1837 /* 1838 * Verify that a record is a valid BSM record. This verification is simple 1839 * now, but may be expanded on sometime in the future. Return 1 if the 1840 * record is good, 0 otherwise. 1841 */ 1842 int 1843 bsm_rec_verify(void *rec) 1844 { 1845 char c = *(char *)rec; 1846 1847 /* 1848 * Check the token ID of the first token; it has to be a header 1849 * token. 1850 * 1851 * XXXAUDIT There needs to be a token structure to map a token. 1852 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1853 */ 1854 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1855 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1856 return (0); 1857 return (1); 1858 } 1859