1 /* 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2009 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include <sys/param.h> 42 #include <sys/vnode.h> 43 #include <sys/ipc.h> 44 #include <sys/lock.h> 45 #include <sys/malloc.h> 46 #include <sys/mutex.h> 47 #include <sys/socket.h> 48 #include <sys/extattr.h> 49 #include <sys/fcntl.h> 50 #include <sys/user.h> 51 #include <sys/systm.h> 52 53 #include <bsm/audit.h> 54 #include <bsm/audit_internal.h> 55 #include <bsm/audit_record.h> 56 #include <bsm/audit_kevents.h> 57 58 #include <security/audit/audit.h> 59 #include <security/audit/audit_private.h> 60 61 #include <netinet/in_systm.h> 62 #include <netinet/in.h> 63 #include <netinet/ip.h> 64 65 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 66 67 static void audit_sys_auditon(struct audit_record *ar, 68 struct au_record *rec); 69 70 /* 71 * Initialize the BSM auditing subsystem. 72 */ 73 void 74 kau_init(void) 75 { 76 77 au_evclassmap_init(); 78 au_evnamemap_init(); 79 } 80 81 /* 82 * This call reserves memory for the audit record. Memory must be guaranteed 83 * before any auditable event can be generated. The au_record structure 84 * maintains a reference to the memory allocated above and also the list of 85 * tokens associated with this record. 86 */ 87 static struct au_record * 88 kau_open(void) 89 { 90 struct au_record *rec; 91 92 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 93 rec->data = NULL; 94 TAILQ_INIT(&rec->token_q); 95 rec->len = 0; 96 rec->used = 1; 97 98 return (rec); 99 } 100 101 /* 102 * Store the token with the record descriptor. 103 */ 104 static void 105 kau_write(struct au_record *rec, struct au_token *tok) 106 { 107 108 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 109 110 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 111 rec->len += tok->len; 112 } 113 114 /* 115 * Close out the audit record by adding the header token, identifying any 116 * missing tokens. Write out the tokens to the record memory. 117 */ 118 static void 119 kau_close(struct au_record *rec, struct timespec *ctime, short event) 120 { 121 u_char *dptr; 122 size_t tot_rec_size; 123 token_t *cur, *hdr, *trail; 124 struct timeval tm; 125 size_t hdrsize; 126 struct auditinfo_addr ak; 127 struct in6_addr *ap; 128 129 audit_get_kinfo(&ak); 130 hdrsize = 0; 131 switch (ak.ai_termid.at_type) { 132 case AU_IPv4: 133 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 134 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 135 break; 136 case AU_IPv6: 137 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 138 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 139 AUDIT_HEADER_EX_SIZE(&ak); 140 break; 141 default: 142 panic("kau_close: invalid address family"); 143 } 144 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 145 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 146 147 tm.tv_usec = ctime->tv_nsec / 1000; 148 tm.tv_sec = ctime->tv_sec; 149 if (hdrsize != AUDIT_HEADER_SIZE) 150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 151 else 152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 153 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 154 155 trail = au_to_trailer(tot_rec_size); 156 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 157 158 rec->len = tot_rec_size; 159 dptr = rec->data; 160 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 161 memcpy(dptr, cur->t_data, cur->len); 162 dptr += cur->len; 163 } 164 } 165 166 /* 167 * Free a BSM audit record by releasing all the tokens and clearing the audit 168 * record information. 169 */ 170 void 171 kau_free(struct au_record *rec) 172 { 173 struct au_token *tok; 174 175 /* Free the token list. */ 176 while ((tok = TAILQ_FIRST(&rec->token_q))) { 177 TAILQ_REMOVE(&rec->token_q, tok, tokens); 178 free(tok->t_data, M_AUDITBSM); 179 free(tok, M_AUDITBSM); 180 } 181 182 rec->used = 0; 183 rec->len = 0; 184 free(rec->data, M_AUDITBSM); 185 free(rec, M_AUDITBSM); 186 } 187 188 /* 189 * XXX: May want turn some (or all) of these macros into functions in order 190 * to reduce the generated code size. 191 * 192 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 193 * caller are OK with this. 194 */ 195 #define ATFD1_TOKENS(argnum) do { \ 196 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 197 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 198 kau_write(rec, tok); \ 199 } \ 200 } while (0) 201 202 #define ATFD2_TOKENS(argnum) do { \ 203 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 204 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 205 kau_write(rec, tok); \ 206 } \ 207 } while (0) 208 209 #define UPATH1_TOKENS do { \ 210 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 211 tok = au_to_path(ar->ar_arg_upath1); \ 212 kau_write(rec, tok); \ 213 } \ 214 } while (0) 215 216 #define UPATH2_TOKENS do { \ 217 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 218 tok = au_to_path(ar->ar_arg_upath2); \ 219 kau_write(rec, tok); \ 220 } \ 221 } while (0) 222 223 #define VNODE1_TOKENS do { \ 224 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 225 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 226 kau_write(rec, tok); \ 227 } \ 228 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 229 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 230 kau_write(rec, tok); \ 231 } \ 232 } while (0) 233 234 #define UPATH1_VNODE1_TOKENS do { \ 235 UPATH1_TOKENS; \ 236 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 237 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 238 kau_write(rec, tok); \ 239 } \ 240 } while (0) 241 242 #define VNODE2_TOKENS do { \ 243 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 244 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 245 kau_write(rec, tok); \ 246 } \ 247 } while (0) 248 249 #define FD_VNODE1_TOKENS do { \ 250 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 251 if (ARG_IS_VALID(kar, ARG_FD)) { \ 252 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 253 kau_write(rec, tok); \ 254 } \ 255 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 256 kau_write(rec, tok); \ 257 } else { \ 258 if (ARG_IS_VALID(kar, ARG_FD)) { \ 259 tok = au_to_arg32(1, "non-file: fd", \ 260 ar->ar_arg_fd); \ 261 kau_write(rec, tok); \ 262 } \ 263 } \ 264 } while (0) 265 266 #define PROCESS_PID_TOKENS(argn) do { \ 267 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 268 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 269 tok = au_to_process32_ex(ar->ar_arg_auid, \ 270 ar->ar_arg_euid, ar->ar_arg_egid, \ 271 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 272 ar->ar_arg_pid, ar->ar_arg_asid, \ 273 &ar->ar_arg_termid_addr); \ 274 kau_write(rec, tok); \ 275 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 276 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 277 kau_write(rec, tok); \ 278 } \ 279 } while (0) 280 281 #define EXTATTR_TOKENS(namespace_argnum) do { \ 282 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 283 switch (ar->ar_arg_value) { \ 284 case EXTATTR_NAMESPACE_USER: \ 285 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 286 break; \ 287 case EXTATTR_NAMESPACE_SYSTEM: \ 288 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 289 break; \ 290 default: \ 291 tok = au_to_arg32((namespace_argnum), \ 292 "attrnamespace", ar->ar_arg_value); \ 293 break; \ 294 } \ 295 kau_write(rec, tok); \ 296 } \ 297 /* attrname is in the text field */ \ 298 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 299 tok = au_to_text(ar->ar_arg_text); \ 300 kau_write(rec, tok); \ 301 } \ 302 } while (0) 303 304 /* 305 * Not all pointer arguments to system calls are of interest, but in some 306 * cases they reflect delegation of rights, such as mmap(2) followed by 307 * minherit(2) before execve(2), so do the best we can. 308 */ 309 #define ADDR_TOKEN(argnum, argname) do { \ 310 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 311 if (sizeof(void *) == sizeof(uint32_t)) \ 312 tok = au_to_arg32((argnum), (argname), \ 313 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 314 else \ 315 tok = au_to_arg64((argnum), (argname), \ 316 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 317 kau_write(rec, tok); \ 318 } \ 319 } while (0) 320 321 /* 322 * Implement auditing for the auditon() system call. The audit tokens that 323 * are generated depend on the command that was sent into the auditon() 324 * system call. 325 */ 326 static void 327 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 328 { 329 struct au_token *tok; 330 331 tok = au_to_arg32(3, "length", ar->ar_arg_len); 332 kau_write(rec, tok); 333 switch (ar->ar_arg_cmd) { 334 case A_OLDSETPOLICY: 335 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 336 tok = au_to_arg64(2, "policy", 337 ar->ar_arg_auditon.au_policy64); 338 kau_write(rec, tok); 339 break; 340 } 341 /* FALLTHROUGH */ 342 343 case A_SETPOLICY: 344 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 345 kau_write(rec, tok); 346 break; 347 348 case A_SETKMASK: 349 tok = au_to_arg32(2, "setkmask:as_success", 350 ar->ar_arg_auditon.au_mask.am_success); 351 kau_write(rec, tok); 352 tok = au_to_arg32(2, "setkmask:as_failure", 353 ar->ar_arg_auditon.au_mask.am_failure); 354 kau_write(rec, tok); 355 break; 356 357 case A_OLDSETQCTRL: 358 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 359 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 360 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 361 kau_write(rec, tok); 362 tok = au_to_arg64(2, "setqctrl:aq_lowater", 363 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 364 kau_write(rec, tok); 365 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 366 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 367 kau_write(rec, tok); 368 tok = au_to_arg64(2, "setqctrl:aq_delay", 369 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 370 kau_write(rec, tok); 371 tok = au_to_arg64(2, "setqctrl:aq_minfree", 372 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 373 kau_write(rec, tok); 374 break; 375 } 376 /* FALLTHROUGH */ 377 378 case A_SETQCTRL: 379 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 380 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 381 kau_write(rec, tok); 382 tok = au_to_arg32(2, "setqctrl:aq_lowater", 383 ar->ar_arg_auditon.au_qctrl.aq_lowater); 384 kau_write(rec, tok); 385 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 386 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 387 kau_write(rec, tok); 388 tok = au_to_arg32(2, "setqctrl:aq_delay", 389 ar->ar_arg_auditon.au_qctrl.aq_delay); 390 kau_write(rec, tok); 391 tok = au_to_arg32(2, "setqctrl:aq_minfree", 392 ar->ar_arg_auditon.au_qctrl.aq_minfree); 393 kau_write(rec, tok); 394 break; 395 396 case A_SETUMASK: 397 tok = au_to_arg32(2, "setumask:as_success", 398 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 399 kau_write(rec, tok); 400 tok = au_to_arg32(2, "setumask:as_failure", 401 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 402 kau_write(rec, tok); 403 break; 404 405 case A_SETSMASK: 406 tok = au_to_arg32(2, "setsmask:as_success", 407 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 408 kau_write(rec, tok); 409 tok = au_to_arg32(2, "setsmask:as_failure", 410 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 411 kau_write(rec, tok); 412 break; 413 414 case A_OLDSETCOND: 415 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 416 tok = au_to_arg64(2, "setcond", 417 ar->ar_arg_auditon.au_cond64); 418 kau_write(rec, tok); 419 break; 420 } 421 /* FALLTHROUGH */ 422 423 case A_SETCOND: 424 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 425 kau_write(rec, tok); 426 break; 427 428 case A_SETCLASS: 429 tok = au_to_arg32(2, "setclass:ec_event", 430 ar->ar_arg_auditon.au_evclass.ec_number); 431 kau_write(rec, tok); 432 tok = au_to_arg32(2, "setclass:ec_class", 433 ar->ar_arg_auditon.au_evclass.ec_class); 434 kau_write(rec, tok); 435 break; 436 437 case A_SETPMASK: 438 tok = au_to_arg32(2, "setpmask:as_success", 439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 440 kau_write(rec, tok); 441 tok = au_to_arg32(2, "setpmask:as_failure", 442 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 443 kau_write(rec, tok); 444 break; 445 446 case A_SETFSIZE: 447 tok = au_to_arg32(2, "setfsize:filesize", 448 ar->ar_arg_auditon.au_fstat.af_filesz); 449 kau_write(rec, tok); 450 break; 451 452 default: 453 break; 454 } 455 } 456 457 /* 458 * Convert an internal kernel audit record to a BSM record and return a 459 * success/failure indicator. The BSM record is passed as an out parameter to 460 * this function. 461 * 462 * Return conditions: 463 * BSM_SUCCESS: The BSM record is valid 464 * BSM_FAILURE: Failure; the BSM record is NULL. 465 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 466 */ 467 int 468 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 469 { 470 struct au_token *tok, *subj_tok, *jail_tok; 471 struct au_record *rec; 472 au_tid_t tid; 473 struct audit_record *ar; 474 int ctr; 475 476 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 477 478 *pau = NULL; 479 ar = &kar->k_ar; 480 rec = kau_open(); 481 482 /* 483 * Create the subject token. If this credential was jailed be sure to 484 * generate a zonename token. 485 */ 486 if (ar->ar_jailname[0] != '\0') 487 jail_tok = au_to_zonename(ar->ar_jailname); 488 else 489 jail_tok = NULL; 490 switch (ar->ar_subj_term_addr.at_type) { 491 case AU_IPv4: 492 tid.port = ar->ar_subj_term_addr.at_port; 493 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 494 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 495 ar->ar_subj_cred.cr_uid, /* eff uid */ 496 ar->ar_subj_egid, /* eff group id */ 497 ar->ar_subj_ruid, /* real uid */ 498 ar->ar_subj_rgid, /* real group id */ 499 ar->ar_subj_pid, /* process id */ 500 ar->ar_subj_asid, /* session ID */ 501 &tid); 502 break; 503 case AU_IPv6: 504 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 505 ar->ar_subj_cred.cr_uid, 506 ar->ar_subj_egid, 507 ar->ar_subj_ruid, 508 ar->ar_subj_rgid, 509 ar->ar_subj_pid, 510 ar->ar_subj_asid, 511 &ar->ar_subj_term_addr); 512 break; 513 default: 514 bzero(&tid, sizeof(tid)); 515 subj_tok = au_to_subject32(ar->ar_subj_auid, 516 ar->ar_subj_cred.cr_uid, 517 ar->ar_subj_egid, 518 ar->ar_subj_ruid, 519 ar->ar_subj_rgid, 520 ar->ar_subj_pid, 521 ar->ar_subj_asid, 522 &tid); 523 } 524 525 /* 526 * The logic inside each case fills in the tokens required for the 527 * event, except for the header, trailer, and return tokens. The 528 * header and trailer tokens are added by the kau_close() function. 529 * The return token is added outside of the switch statement. 530 */ 531 switch(ar->ar_event) { 532 case AUE_ACCEPT: 533 if (ARG_IS_VALID(kar, ARG_FD)) { 534 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 535 kau_write(rec, tok); 536 } 537 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 538 tok = au_to_sock_inet((struct sockaddr_in *) 539 &ar->ar_arg_sockaddr); 540 kau_write(rec, tok); 541 } 542 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 543 tok = au_to_sock_unix((struct sockaddr_un *) 544 &ar->ar_arg_sockaddr); 545 kau_write(rec, tok); 546 UPATH1_TOKENS; 547 } 548 break; 549 550 case AUE_BIND: 551 case AUE_LISTEN: 552 case AUE_CONNECT: 553 case AUE_RECV: 554 case AUE_RECVFROM: 555 case AUE_RECVMSG: 556 case AUE_SEND: 557 case AUE_SENDMSG: 558 case AUE_SENDTO: 559 /* 560 * Socket-related events. 561 */ 562 if (ARG_IS_VALID(kar, ARG_FD)) { 563 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 564 kau_write(rec, tok); 565 } 566 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 567 tok = au_to_sock_inet((struct sockaddr_in *) 568 &ar->ar_arg_sockaddr); 569 kau_write(rec, tok); 570 } 571 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 572 tok = au_to_sock_unix((struct sockaddr_un *) 573 &ar->ar_arg_sockaddr); 574 kau_write(rec, tok); 575 UPATH1_TOKENS; 576 } 577 /* XXX Need to handle ARG_SADDRINET6 */ 578 break; 579 580 case AUE_BINDAT: 581 case AUE_CONNECTAT: 582 ATFD1_TOKENS(1); 583 if (ARG_IS_VALID(kar, ARG_FD)) { 584 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 585 kau_write(rec, tok); 586 } 587 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 588 tok = au_to_sock_unix((struct sockaddr_un *) 589 &ar->ar_arg_sockaddr); 590 kau_write(rec, tok); 591 UPATH1_TOKENS; 592 } 593 break; 594 595 case AUE_SENDFILE: 596 FD_VNODE1_TOKENS; 597 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 598 tok = au_to_sock_inet((struct sockaddr_in *) 599 &ar->ar_arg_sockaddr); 600 kau_write(rec, tok); 601 } 602 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 603 tok = au_to_sock_unix((struct sockaddr_un *) 604 &ar->ar_arg_sockaddr); 605 kau_write(rec, tok); 606 UPATH1_TOKENS; 607 } 608 /* XXX Need to handle ARG_SADDRINET6 */ 609 break; 610 611 case AUE_SOCKET: 612 case AUE_SOCKETPAIR: 613 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 614 tok = au_to_arg32(1, "domain", 615 ar->ar_arg_sockinfo.so_domain); 616 kau_write(rec, tok); 617 tok = au_to_arg32(2, "type", 618 ar->ar_arg_sockinfo.so_type); 619 kau_write(rec, tok); 620 tok = au_to_arg32(3, "protocol", 621 ar->ar_arg_sockinfo.so_protocol); 622 kau_write(rec, tok); 623 } 624 break; 625 626 case AUE_SETSOCKOPT: 627 case AUE_SHUTDOWN: 628 if (ARG_IS_VALID(kar, ARG_FD)) { 629 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 630 kau_write(rec, tok); 631 } 632 break; 633 634 case AUE_ACCT: 635 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 636 UPATH1_VNODE1_TOKENS; 637 } else { 638 tok = au_to_arg32(1, "accounting off", 0); 639 kau_write(rec, tok); 640 } 641 break; 642 643 case AUE_SETAUID: 644 if (ARG_IS_VALID(kar, ARG_AUID)) { 645 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 646 kau_write(rec, tok); 647 } 648 break; 649 650 case AUE_SETAUDIT: 651 if (ARG_IS_VALID(kar, ARG_AUID) && 652 ARG_IS_VALID(kar, ARG_ASID) && 653 ARG_IS_VALID(kar, ARG_AMASK) && 654 ARG_IS_VALID(kar, ARG_TERMID)) { 655 tok = au_to_arg32(1, "setaudit:auid", 656 ar->ar_arg_auid); 657 kau_write(rec, tok); 658 tok = au_to_arg32(1, "setaudit:port", 659 ar->ar_arg_termid.port); 660 kau_write(rec, tok); 661 tok = au_to_arg32(1, "setaudit:machine", 662 ar->ar_arg_termid.machine); 663 kau_write(rec, tok); 664 tok = au_to_arg32(1, "setaudit:as_success", 665 ar->ar_arg_amask.am_success); 666 kau_write(rec, tok); 667 tok = au_to_arg32(1, "setaudit:as_failure", 668 ar->ar_arg_amask.am_failure); 669 kau_write(rec, tok); 670 tok = au_to_arg32(1, "setaudit:asid", 671 ar->ar_arg_asid); 672 kau_write(rec, tok); 673 } 674 break; 675 676 case AUE_SETAUDIT_ADDR: 677 if (ARG_IS_VALID(kar, ARG_AUID) && 678 ARG_IS_VALID(kar, ARG_ASID) && 679 ARG_IS_VALID(kar, ARG_AMASK) && 680 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 681 tok = au_to_arg32(1, "setaudit_addr:auid", 682 ar->ar_arg_auid); 683 kau_write(rec, tok); 684 tok = au_to_arg32(1, "setaudit_addr:as_success", 685 ar->ar_arg_amask.am_success); 686 kau_write(rec, tok); 687 tok = au_to_arg32(1, "setaudit_addr:as_failure", 688 ar->ar_arg_amask.am_failure); 689 kau_write(rec, tok); 690 tok = au_to_arg32(1, "setaudit_addr:asid", 691 ar->ar_arg_asid); 692 kau_write(rec, tok); 693 tok = au_to_arg32(1, "setaudit_addr:type", 694 ar->ar_arg_termid_addr.at_type); 695 kau_write(rec, tok); 696 tok = au_to_arg32(1, "setaudit_addr:port", 697 ar->ar_arg_termid_addr.at_port); 698 kau_write(rec, tok); 699 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 700 tok = au_to_in_addr_ex((struct in6_addr *) 701 &ar->ar_arg_termid_addr.at_addr[0]); 702 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 703 tok = au_to_in_addr((struct in_addr *) 704 &ar->ar_arg_termid_addr.at_addr[0]); 705 kau_write(rec, tok); 706 } 707 break; 708 709 case AUE_AUDITON: 710 /* 711 * For AUDITON commands without own event, audit the cmd. 712 */ 713 if (ARG_IS_VALID(kar, ARG_CMD)) { 714 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 715 kau_write(rec, tok); 716 } 717 /* FALLTHROUGH */ 718 719 case AUE_AUDITON_GETCAR: 720 case AUE_AUDITON_GETCLASS: 721 case AUE_AUDITON_GETCOND: 722 case AUE_AUDITON_GETCWD: 723 case AUE_AUDITON_GETKMASK: 724 case AUE_AUDITON_GETSTAT: 725 case AUE_AUDITON_GPOLICY: 726 case AUE_AUDITON_GQCTRL: 727 case AUE_AUDITON_SETCLASS: 728 case AUE_AUDITON_SETCOND: 729 case AUE_AUDITON_SETKMASK: 730 case AUE_AUDITON_SETSMASK: 731 case AUE_AUDITON_SETSTAT: 732 case AUE_AUDITON_SETUMASK: 733 case AUE_AUDITON_SPOLICY: 734 case AUE_AUDITON_SQCTRL: 735 if (ARG_IS_VALID(kar, ARG_AUDITON)) 736 audit_sys_auditon(ar, rec); 737 break; 738 739 case AUE_AUDITCTL: 740 UPATH1_VNODE1_TOKENS; 741 break; 742 743 case AUE_EXIT: 744 if (ARG_IS_VALID(kar, ARG_EXIT)) { 745 tok = au_to_exit(ar->ar_arg_exitretval, 746 ar->ar_arg_exitstatus); 747 kau_write(rec, tok); 748 } 749 break; 750 751 case AUE_ADJTIME: 752 case AUE_CLOCK_SETTIME: 753 case AUE_AUDIT: 754 case AUE_DUP2: 755 case AUE_GETAUDIT: 756 case AUE_GETAUDIT_ADDR: 757 case AUE_GETAUID: 758 case AUE_GETCWD: 759 case AUE_GETFSSTAT: 760 case AUE_GETRESUID: 761 case AUE_GETRESGID: 762 case AUE_KQUEUE: 763 case AUE_MODLOAD: 764 case AUE_MODUNLOAD: 765 case AUE_MSGSYS: 766 case AUE_NTP_ADJTIME: 767 case AUE_PIPE: 768 case AUE_POSIX_OPENPT: 769 case AUE_PROFILE: 770 case AUE_RTPRIO: 771 case AUE_SEMSYS: 772 case AUE_SETFIB: 773 case AUE_SHMSYS: 774 case AUE_SETPGRP: 775 case AUE_SETRLIMIT: 776 case AUE_SETSID: 777 case AUE_SETTIMEOFDAY: 778 case AUE_SYSARCH: 779 780 /* 781 * Header, subject, and return tokens added at end. 782 */ 783 break; 784 785 case AUE_ACL_DELETE_FD: 786 case AUE_ACL_DELETE_FILE: 787 case AUE_ACL_CHECK_FD: 788 case AUE_ACL_CHECK_FILE: 789 case AUE_ACL_CHECK_LINK: 790 case AUE_ACL_DELETE_LINK: 791 case AUE_ACL_GET_FD: 792 case AUE_ACL_GET_FILE: 793 case AUE_ACL_GET_LINK: 794 case AUE_ACL_SET_FD: 795 case AUE_ACL_SET_FILE: 796 case AUE_ACL_SET_LINK: 797 if (ARG_IS_VALID(kar, ARG_VALUE)) { 798 tok = au_to_arg32(1, "type", ar->ar_arg_value); 799 kau_write(rec, tok); 800 } 801 ATFD1_TOKENS(1); 802 UPATH1_VNODE1_TOKENS; 803 break; 804 805 /* 806 * NB: We may want to verify that the appropriate 807 * audit args are being processed here, but I think 808 * a bit analysis is required. 809 * 810 * Process AUE_JAIL_SET in the next block so we can pickup any path 811 * related tokens that might exist. 812 */ 813 case AUE_JAIL_GET: 814 case AUE_JAIL_ATTACH: 815 case AUE_JAIL_REMOVE: 816 break; 817 818 case AUE_JAIL_SET: 819 case AUE_CHDIR: 820 case AUE_CHROOT: 821 case AUE_FSTATAT: 822 case AUE_FUTIMESAT: 823 case AUE_GETATTRLIST: 824 case AUE_JAIL: 825 case AUE_LUTIMES: 826 case AUE_NFS_GETFH: 827 case AUE_LGETFH: 828 case AUE_LSTAT: 829 case AUE_LPATHCONF: 830 case AUE_PATHCONF: 831 case AUE_READLINK: 832 case AUE_READLINKAT: 833 case AUE_REVOKE: 834 case AUE_RMDIR: 835 case AUE_SEARCHFS: 836 case AUE_SETATTRLIST: 837 case AUE_STAT: 838 case AUE_STATFS: 839 case AUE_SWAPON: 840 case AUE_SWAPOFF: 841 case AUE_TRUNCATE: 842 case AUE_UNDELETE: 843 case AUE_UNLINK: 844 case AUE_UNLINKAT: 845 case AUE_UTIMES: 846 case AUE_REALPATHAT: 847 ATFD1_TOKENS(1); 848 UPATH1_VNODE1_TOKENS; 849 break; 850 851 case AUE_ACCESS: 852 case AUE_EACCESS: 853 case AUE_FACCESSAT: 854 ATFD1_TOKENS(1); 855 UPATH1_VNODE1_TOKENS; 856 if (ARG_IS_VALID(kar, ARG_VALUE)) { 857 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 858 kau_write(rec, tok); 859 } 860 break; 861 862 case AUE_FHSTATFS: 863 case AUE_FHOPEN: 864 case AUE_FHSTAT: 865 /* XXXRW: Need to audit vnode argument. */ 866 break; 867 868 case AUE_CHFLAGS: 869 case AUE_LCHFLAGS: 870 case AUE_CHFLAGSAT: 871 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 872 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 873 kau_write(rec, tok); 874 } 875 UPATH1_VNODE1_TOKENS; 876 break; 877 878 case AUE_CHMOD: 879 case AUE_LCHMOD: 880 if (ARG_IS_VALID(kar, ARG_MODE)) { 881 tok = au_to_arg32(2, "new file mode", 882 ar->ar_arg_mode); 883 kau_write(rec, tok); 884 } 885 UPATH1_VNODE1_TOKENS; 886 break; 887 888 case AUE_FCHMODAT: 889 ATFD1_TOKENS(1); 890 if (ARG_IS_VALID(kar, ARG_MODE)) { 891 tok = au_to_arg32(3, "new file mode", 892 ar->ar_arg_mode); 893 kau_write(rec, tok); 894 } 895 UPATH1_VNODE1_TOKENS; 896 break; 897 898 case AUE_CHOWN: 899 case AUE_LCHOWN: 900 if (ARG_IS_VALID(kar, ARG_UID)) { 901 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 902 kau_write(rec, tok); 903 } 904 if (ARG_IS_VALID(kar, ARG_GID)) { 905 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 906 kau_write(rec, tok); 907 } 908 UPATH1_VNODE1_TOKENS; 909 break; 910 911 case AUE_FCHOWNAT: 912 ATFD1_TOKENS(1); 913 if (ARG_IS_VALID(kar, ARG_UID)) { 914 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 915 kau_write(rec, tok); 916 } 917 if (ARG_IS_VALID(kar, ARG_GID)) { 918 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 919 kau_write(rec, tok); 920 } 921 UPATH1_VNODE1_TOKENS; 922 break; 923 924 case AUE_EXCHANGEDATA: 925 UPATH1_VNODE1_TOKENS; 926 UPATH2_TOKENS; 927 break; 928 929 case AUE_CLOSE: 930 if (ARG_IS_VALID(kar, ARG_FD)) { 931 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 932 kau_write(rec, tok); 933 } 934 UPATH1_VNODE1_TOKENS; 935 break; 936 937 case AUE_CLOSEFROM: 938 if (ARG_IS_VALID(kar, ARG_FD)) { 939 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 940 kau_write(rec, tok); 941 } 942 break; 943 944 case AUE_CLOSERANGE: 945 if (ARG_IS_VALID(kar, ARG_FD)) { 946 tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd); 947 kau_write(rec, tok); 948 } 949 if (ARG_IS_VALID(kar, ARG_CMD)) { 950 tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd); 951 kau_write(rec, tok); 952 } 953 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 954 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 955 kau_write(rec, tok); 956 } 957 break; 958 959 case AUE_CORE: 960 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 961 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 962 kau_write(rec, tok); 963 } 964 UPATH1_VNODE1_TOKENS; 965 break; 966 967 case AUE_EXTATTRCTL: 968 UPATH1_VNODE1_TOKENS; 969 if (ARG_IS_VALID(kar, ARG_CMD)) { 970 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 971 kau_write(rec, tok); 972 } 973 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 974 UPATH2_TOKENS; 975 VNODE2_TOKENS; 976 EXTATTR_TOKENS(4); 977 break; 978 979 case AUE_EXTATTR_GET_FILE: 980 case AUE_EXTATTR_SET_FILE: 981 case AUE_EXTATTR_LIST_FILE: 982 case AUE_EXTATTR_DELETE_FILE: 983 case AUE_EXTATTR_GET_LINK: 984 case AUE_EXTATTR_SET_LINK: 985 case AUE_EXTATTR_LIST_LINK: 986 case AUE_EXTATTR_DELETE_LINK: 987 UPATH1_VNODE1_TOKENS; 988 EXTATTR_TOKENS(2); 989 break; 990 991 case AUE_EXTATTR_GET_FD: 992 case AUE_EXTATTR_SET_FD: 993 case AUE_EXTATTR_LIST_FD: 994 case AUE_EXTATTR_DELETE_FD: 995 if (ARG_IS_VALID(kar, ARG_FD)) { 996 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 997 kau_write(rec, tok); 998 } 999 EXTATTR_TOKENS(2); 1000 break; 1001 1002 case AUE_FEXECVE: 1003 if (ARG_IS_VALID(kar, ARG_FD)) { 1004 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1005 kau_write(rec, tok); 1006 } 1007 /* FALLTHROUGH */ 1008 1009 case AUE_EXECVE: 1010 case AUE_MAC_EXECVE: 1011 if (ARG_IS_VALID(kar, ARG_ARGV)) { 1012 tok = au_to_exec_args(ar->ar_arg_argv, 1013 ar->ar_arg_argc); 1014 kau_write(rec, tok); 1015 } 1016 if (ARG_IS_VALID(kar, ARG_ENVV)) { 1017 tok = au_to_exec_env(ar->ar_arg_envv, 1018 ar->ar_arg_envc); 1019 kau_write(rec, tok); 1020 } 1021 UPATH1_VNODE1_TOKENS; 1022 break; 1023 1024 case AUE_FCHMOD: 1025 if (ARG_IS_VALID(kar, ARG_MODE)) { 1026 tok = au_to_arg32(2, "new file mode", 1027 ar->ar_arg_mode); 1028 kau_write(rec, tok); 1029 } 1030 FD_VNODE1_TOKENS; 1031 break; 1032 1033 /* 1034 * XXXRW: Some of these need to handle non-vnode cases as well. 1035 */ 1036 case AUE_FCHDIR: 1037 case AUE_FPATHCONF: 1038 case AUE_FSTAT: 1039 case AUE_FSTATFS: 1040 case AUE_FSYNC: 1041 case AUE_FTRUNCATE: 1042 case AUE_FUTIMES: 1043 case AUE_GETDIRENTRIES: 1044 case AUE_GETDIRENTRIESATTR: 1045 case AUE_LSEEK: 1046 case AUE_POLL: 1047 case AUE_POSIX_FALLOCATE: 1048 case AUE_PREAD: 1049 case AUE_PWRITE: 1050 case AUE_READ: 1051 case AUE_READV: 1052 case AUE_WRITE: 1053 case AUE_WRITEV: 1054 FD_VNODE1_TOKENS; 1055 break; 1056 1057 case AUE_FCHOWN: 1058 if (ARG_IS_VALID(kar, ARG_UID)) { 1059 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1060 kau_write(rec, tok); 1061 } 1062 if (ARG_IS_VALID(kar, ARG_GID)) { 1063 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1064 kau_write(rec, tok); 1065 } 1066 FD_VNODE1_TOKENS; 1067 break; 1068 1069 case AUE_FCNTL: 1070 if (ARG_IS_VALID(kar, ARG_CMD)) { 1071 tok = au_to_arg32(2, "cmd", 1072 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1073 kau_write(rec, tok); 1074 } 1075 FD_VNODE1_TOKENS; 1076 break; 1077 1078 case AUE_FCHFLAGS: 1079 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1080 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1081 kau_write(rec, tok); 1082 } 1083 FD_VNODE1_TOKENS; 1084 break; 1085 1086 case AUE_FLOCK: 1087 if (ARG_IS_VALID(kar, ARG_CMD)) { 1088 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1089 kau_write(rec, tok); 1090 } 1091 FD_VNODE1_TOKENS; 1092 break; 1093 1094 case AUE_FSPACECTL: 1095 if (ARG_IS_VALID(kar, ARG_CMD)) { 1096 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1097 kau_write(rec, tok); 1098 } 1099 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1100 tok = au_to_arg32(4, "flags", ar->ar_arg_fflags); 1101 kau_write(rec, tok); 1102 } 1103 FD_VNODE1_TOKENS; 1104 break; 1105 1106 case AUE_RFORK: 1107 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1108 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1109 kau_write(rec, tok); 1110 } 1111 /* FALLTHROUGH */ 1112 1113 case AUE_FORK: 1114 case AUE_VFORK: 1115 if (ARG_IS_VALID(kar, ARG_PID)) { 1116 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1117 kau_write(rec, tok); 1118 } 1119 break; 1120 1121 case AUE_IOCTL: 1122 if (ARG_IS_VALID(kar, ARG_CMD)) { 1123 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1124 kau_write(rec, tok); 1125 } 1126 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1127 FD_VNODE1_TOKENS; 1128 else { 1129 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1130 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1131 kau_write(rec, tok); 1132 } else { 1133 if (ARG_IS_VALID(kar, ARG_FD)) { 1134 tok = au_to_arg32(1, "fd", 1135 ar->ar_arg_fd); 1136 kau_write(rec, tok); 1137 } 1138 } 1139 } 1140 break; 1141 1142 case AUE_KILL: 1143 case AUE_KILLPG: 1144 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1145 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1146 kau_write(rec, tok); 1147 } 1148 PROCESS_PID_TOKENS(1); 1149 break; 1150 1151 case AUE_KTRACE: 1152 if (ARG_IS_VALID(kar, ARG_CMD)) { 1153 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1154 kau_write(rec, tok); 1155 } 1156 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1157 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1158 kau_write(rec, tok); 1159 } 1160 PROCESS_PID_TOKENS(4); 1161 UPATH1_VNODE1_TOKENS; 1162 break; 1163 1164 case AUE_LINK: 1165 case AUE_LINKAT: 1166 case AUE_RENAME: 1167 case AUE_RENAMEAT: 1168 ATFD1_TOKENS(1); 1169 UPATH1_VNODE1_TOKENS; 1170 ATFD2_TOKENS(3); 1171 UPATH2_TOKENS; 1172 break; 1173 1174 case AUE_LOADSHFILE: 1175 ADDR_TOKEN(4, "base addr"); 1176 UPATH1_VNODE1_TOKENS; 1177 break; 1178 1179 case AUE_MKDIR: 1180 case AUE_MKDIRAT: 1181 case AUE_MKFIFO: 1182 case AUE_MKFIFOAT: 1183 ATFD1_TOKENS(1); 1184 if (ARG_IS_VALID(kar, ARG_MODE)) { 1185 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1186 kau_write(rec, tok); 1187 } 1188 UPATH1_VNODE1_TOKENS; 1189 break; 1190 1191 case AUE_MKNOD: 1192 case AUE_MKNODAT: 1193 ATFD1_TOKENS(1); 1194 if (ARG_IS_VALID(kar, ARG_MODE)) { 1195 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1196 kau_write(rec, tok); 1197 } 1198 if (ARG_IS_VALID(kar, ARG_DEV)) { 1199 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1200 kau_write(rec, tok); 1201 } 1202 UPATH1_VNODE1_TOKENS; 1203 break; 1204 1205 case AUE_MMAP: 1206 case AUE_MUNMAP: 1207 case AUE_MPROTECT: 1208 case AUE_MLOCK: 1209 case AUE_MUNLOCK: 1210 case AUE_MINHERIT: 1211 ADDR_TOKEN(1, "addr"); 1212 if (ARG_IS_VALID(kar, ARG_LEN)) { 1213 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1214 kau_write(rec, tok); 1215 } 1216 if (ar->ar_event == AUE_MMAP) 1217 FD_VNODE1_TOKENS; 1218 if (ar->ar_event == AUE_MPROTECT) { 1219 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1220 tok = au_to_arg32(3, "protection", 1221 ar->ar_arg_value); 1222 kau_write(rec, tok); 1223 } 1224 } 1225 if (ar->ar_event == AUE_MINHERIT) { 1226 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1227 tok = au_to_arg32(3, "inherit", 1228 ar->ar_arg_value); 1229 kau_write(rec, tok); 1230 } 1231 } 1232 break; 1233 1234 case AUE_MOUNT: 1235 case AUE_NMOUNT: 1236 /* XXX Need to handle NFS mounts */ 1237 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1238 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1239 kau_write(rec, tok); 1240 } 1241 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1242 tok = au_to_text(ar->ar_arg_text); 1243 kau_write(rec, tok); 1244 } 1245 /* FALLTHROUGH */ 1246 1247 case AUE_NFS_SVC: 1248 if (ARG_IS_VALID(kar, ARG_CMD)) { 1249 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1250 kau_write(rec, tok); 1251 } 1252 break; 1253 1254 case AUE_UMOUNT: 1255 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1256 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1257 kau_write(rec, tok); 1258 } 1259 UPATH1_VNODE1_TOKENS; 1260 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1261 tok = au_to_text(ar->ar_arg_text); 1262 kau_write(rec, tok); 1263 } 1264 break; 1265 1266 case AUE_MSGCTL: 1267 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1268 /* Fall through */ 1269 1270 case AUE_MSGRCV: 1271 case AUE_MSGSND: 1272 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1273 kau_write(rec, tok); 1274 if (ar->ar_errno != EINVAL) { 1275 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1276 kau_write(rec, tok); 1277 } 1278 break; 1279 1280 case AUE_MSGGET: 1281 if (ar->ar_errno == 0) { 1282 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1283 tok = au_to_ipc(AT_IPC_MSG, 1284 ar->ar_arg_svipc_id); 1285 kau_write(rec, tok); 1286 } 1287 } 1288 break; 1289 1290 case AUE_RESETSHFILE: 1291 ADDR_TOKEN(1, "base addr"); 1292 break; 1293 1294 case AUE_OPEN_RC: 1295 case AUE_OPEN_RTC: 1296 case AUE_OPEN_RWC: 1297 case AUE_OPEN_RWTC: 1298 case AUE_OPEN_WC: 1299 case AUE_OPEN_WTC: 1300 case AUE_CREAT: 1301 if (ARG_IS_VALID(kar, ARG_MODE)) { 1302 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1303 kau_write(rec, tok); 1304 } 1305 /* FALLTHROUGH */ 1306 1307 case AUE_OPEN_R: 1308 case AUE_OPEN_RT: 1309 case AUE_OPEN_RW: 1310 case AUE_OPEN_RWT: 1311 case AUE_OPEN_W: 1312 case AUE_OPEN_WT: 1313 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1314 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1315 kau_write(rec, tok); 1316 } 1317 UPATH1_VNODE1_TOKENS; 1318 break; 1319 1320 case AUE_OPENAT_RC: 1321 case AUE_OPENAT_RTC: 1322 case AUE_OPENAT_RWC: 1323 case AUE_OPENAT_RWTC: 1324 case AUE_OPENAT_WC: 1325 case AUE_OPENAT_WTC: 1326 if (ARG_IS_VALID(kar, ARG_MODE)) { 1327 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1328 kau_write(rec, tok); 1329 } 1330 /* FALLTHROUGH */ 1331 1332 case AUE_OPENAT_R: 1333 case AUE_OPENAT_RT: 1334 case AUE_OPENAT_RW: 1335 case AUE_OPENAT_RWT: 1336 case AUE_OPENAT_W: 1337 case AUE_OPENAT_WT: 1338 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1339 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1340 kau_write(rec, tok); 1341 } 1342 ATFD1_TOKENS(1); 1343 UPATH1_VNODE1_TOKENS; 1344 break; 1345 1346 case AUE_PDKILL: 1347 if (ARG_IS_VALID(kar, ARG_FD)) { 1348 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1349 kau_write(rec, tok); 1350 } 1351 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1352 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1353 kau_write(rec, tok); 1354 } 1355 PROCESS_PID_TOKENS(1); 1356 break; 1357 case AUE_PDFORK: 1358 if (ARG_IS_VALID(kar, ARG_PID)) { 1359 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1360 kau_write(rec, tok); 1361 } 1362 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1363 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1364 kau_write(rec, tok); 1365 } 1366 if (ARG_IS_VALID(kar, ARG_FD)) { 1367 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1368 kau_write(rec, tok); 1369 } 1370 break; 1371 case AUE_PDGETPID: 1372 if (ARG_IS_VALID(kar, ARG_FD)) { 1373 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1374 kau_write(rec, tok); 1375 } 1376 break; 1377 1378 case AUE_PROCCTL: 1379 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1380 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1381 kau_write(rec, tok); 1382 } 1383 if (ARG_IS_VALID(kar, ARG_CMD)) { 1384 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1385 kau_write(rec, tok); 1386 } 1387 PROCESS_PID_TOKENS(3); 1388 break; 1389 1390 case AUE_PTRACE: 1391 if (ARG_IS_VALID(kar, ARG_CMD)) { 1392 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1393 kau_write(rec, tok); 1394 } 1395 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1396 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1397 kau_write(rec, tok); 1398 } 1399 PROCESS_PID_TOKENS(2); 1400 break; 1401 1402 case AUE_QUOTACTL: 1403 if (ARG_IS_VALID(kar, ARG_CMD)) { 1404 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1405 kau_write(rec, tok); 1406 } 1407 if (ARG_IS_VALID(kar, ARG_UID)) { 1408 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1409 kau_write(rec, tok); 1410 } 1411 if (ARG_IS_VALID(kar, ARG_GID)) { 1412 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1413 kau_write(rec, tok); 1414 } 1415 UPATH1_VNODE1_TOKENS; 1416 break; 1417 1418 case AUE_REBOOT: 1419 if (ARG_IS_VALID(kar, ARG_CMD)) { 1420 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1421 kau_write(rec, tok); 1422 } 1423 break; 1424 1425 case AUE_SEMCTL: 1426 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1427 /* Fall through */ 1428 1429 case AUE_SEMOP: 1430 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1431 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1432 kau_write(rec, tok); 1433 if (ar->ar_errno != EINVAL) { 1434 tok = au_to_ipc(AT_IPC_SEM, 1435 ar->ar_arg_svipc_id); 1436 kau_write(rec, tok); 1437 } 1438 } 1439 break; 1440 1441 case AUE_SEMGET: 1442 if (ar->ar_errno == 0) { 1443 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1444 tok = au_to_ipc(AT_IPC_SEM, 1445 ar->ar_arg_svipc_id); 1446 kau_write(rec, tok); 1447 } 1448 } 1449 break; 1450 1451 case AUE_SETEGID: 1452 if (ARG_IS_VALID(kar, ARG_EGID)) { 1453 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1454 kau_write(rec, tok); 1455 } 1456 break; 1457 1458 case AUE_SETEUID: 1459 if (ARG_IS_VALID(kar, ARG_EUID)) { 1460 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1461 kau_write(rec, tok); 1462 } 1463 break; 1464 1465 case AUE_SETREGID: 1466 if (ARG_IS_VALID(kar, ARG_RGID)) { 1467 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1468 kau_write(rec, tok); 1469 } 1470 if (ARG_IS_VALID(kar, ARG_EGID)) { 1471 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1472 kau_write(rec, tok); 1473 } 1474 break; 1475 1476 case AUE_SETREUID: 1477 if (ARG_IS_VALID(kar, ARG_RUID)) { 1478 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1479 kau_write(rec, tok); 1480 } 1481 if (ARG_IS_VALID(kar, ARG_EUID)) { 1482 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1483 kau_write(rec, tok); 1484 } 1485 break; 1486 1487 case AUE_SETRESGID: 1488 if (ARG_IS_VALID(kar, ARG_RGID)) { 1489 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1490 kau_write(rec, tok); 1491 } 1492 if (ARG_IS_VALID(kar, ARG_EGID)) { 1493 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1494 kau_write(rec, tok); 1495 } 1496 if (ARG_IS_VALID(kar, ARG_SGID)) { 1497 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1498 kau_write(rec, tok); 1499 } 1500 break; 1501 1502 case AUE_SETRESUID: 1503 if (ARG_IS_VALID(kar, ARG_RUID)) { 1504 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1505 kau_write(rec, tok); 1506 } 1507 if (ARG_IS_VALID(kar, ARG_EUID)) { 1508 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1509 kau_write(rec, tok); 1510 } 1511 if (ARG_IS_VALID(kar, ARG_SUID)) { 1512 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1513 kau_write(rec, tok); 1514 } 1515 break; 1516 1517 case AUE_SETGID: 1518 if (ARG_IS_VALID(kar, ARG_GID)) { 1519 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1520 kau_write(rec, tok); 1521 } 1522 break; 1523 1524 case AUE_SETUID: 1525 if (ARG_IS_VALID(kar, ARG_UID)) { 1526 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1527 kau_write(rec, tok); 1528 } 1529 break; 1530 1531 case AUE_SETGROUPS: 1532 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1533 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1534 { 1535 tok = au_to_arg32(1, "setgroups", 1536 ar->ar_arg_groups.gidset[ctr]); 1537 kau_write(rec, tok); 1538 } 1539 } 1540 break; 1541 1542 case AUE_SETLOGIN: 1543 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1544 tok = au_to_text(ar->ar_arg_login); 1545 kau_write(rec, tok); 1546 } 1547 break; 1548 1549 case AUE_SETLOGINCLASS: 1550 break; 1551 1552 case AUE_SETPRIORITY: 1553 if (ARG_IS_VALID(kar, ARG_CMD)) { 1554 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1555 kau_write(rec, tok); 1556 } 1557 if (ARG_IS_VALID(kar, ARG_UID)) { 1558 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1559 kau_write(rec, tok); 1560 } 1561 PROCESS_PID_TOKENS(2); 1562 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1563 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1564 kau_write(rec, tok); 1565 } 1566 break; 1567 1568 case AUE_SETPRIVEXEC: 1569 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1570 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1571 kau_write(rec, tok); 1572 } 1573 break; 1574 1575 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1576 case AUE_SHMAT: 1577 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1578 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1579 kau_write(rec, tok); 1580 /* XXXAUDIT: Does having the ipc token make sense? */ 1581 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1582 kau_write(rec, tok); 1583 } 1584 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1585 tok = au_to_arg32(2, "shmaddr", 1586 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1587 kau_write(rec, tok); 1588 } 1589 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1590 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1591 kau_write(rec, tok); 1592 } 1593 break; 1594 1595 case AUE_SHMCTL: 1596 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1597 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1598 kau_write(rec, tok); 1599 /* XXXAUDIT: Does having the ipc token make sense? */ 1600 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1601 kau_write(rec, tok); 1602 } 1603 switch (ar->ar_arg_svipc_cmd) { 1604 case IPC_STAT: 1605 ar->ar_event = AUE_SHMCTL_STAT; 1606 break; 1607 case IPC_RMID: 1608 ar->ar_event = AUE_SHMCTL_RMID; 1609 break; 1610 case IPC_SET: 1611 ar->ar_event = AUE_SHMCTL_SET; 1612 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1613 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1614 kau_write(rec, tok); 1615 } 1616 break; 1617 default: 1618 break; /* We will audit a bad command */ 1619 } 1620 break; 1621 1622 case AUE_SHMDT: 1623 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1624 tok = au_to_arg32(1, "shmaddr", 1625 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1626 kau_write(rec, tok); 1627 } 1628 break; 1629 1630 case AUE_SHMGET: 1631 /* This is unusual; the return value is in an argument token */ 1632 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1633 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1634 kau_write(rec, tok); 1635 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1636 kau_write(rec, tok); 1637 } 1638 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1639 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1640 kau_write(rec, tok); 1641 } 1642 break; 1643 1644 /* shm_rename is a non-Posix extension to the Posix shm implementation */ 1645 case AUE_SHMRENAME: 1646 UPATH1_TOKENS; 1647 UPATH2_TOKENS; 1648 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1649 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1650 kau_write(rec, tok); 1651 } 1652 break; 1653 1654 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1655 * and AUE_SEMUNLINK are Posix IPC */ 1656 case AUE_SHMOPEN: 1657 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1658 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1659 kau_write(rec, tok); 1660 } 1661 if (ARG_IS_VALID(kar, ARG_MODE)) { 1662 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1663 kau_write(rec, tok); 1664 } 1665 /* FALLTHROUGH */ 1666 1667 case AUE_SHMUNLINK: 1668 UPATH1_TOKENS; 1669 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1670 struct ipc_perm perm; 1671 1672 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1673 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1674 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1675 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1676 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1677 perm.seq = 0; 1678 perm.key = 0; 1679 tok = au_to_ipc_perm(&perm); 1680 kau_write(rec, tok); 1681 } 1682 break; 1683 1684 case AUE_SEMOPEN: 1685 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1686 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1687 kau_write(rec, tok); 1688 } 1689 if (ARG_IS_VALID(kar, ARG_MODE)) { 1690 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1691 kau_write(rec, tok); 1692 } 1693 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1694 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1695 kau_write(rec, tok); 1696 } 1697 /* FALLTHROUGH */ 1698 1699 case AUE_SEMUNLINK: 1700 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1701 tok = au_to_text(ar->ar_arg_text); 1702 kau_write(rec, tok); 1703 } 1704 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1705 struct ipc_perm perm; 1706 1707 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1708 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1709 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1710 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1711 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1712 perm.seq = 0; 1713 perm.key = 0; 1714 tok = au_to_ipc_perm(&perm); 1715 kau_write(rec, tok); 1716 } 1717 break; 1718 1719 case AUE_SEMCLOSE: 1720 if (ARG_IS_VALID(kar, ARG_FD)) { 1721 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1722 kau_write(rec, tok); 1723 } 1724 break; 1725 1726 case AUE_SYMLINK: 1727 case AUE_SYMLINKAT: 1728 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1729 tok = au_to_text(ar->ar_arg_text); 1730 kau_write(rec, tok); 1731 } 1732 ATFD1_TOKENS(1); 1733 UPATH1_VNODE1_TOKENS; 1734 break; 1735 1736 case AUE_SYSCTL: 1737 case AUE_SYSCTL_NONADMIN: 1738 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1739 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1740 tok = au_to_arg32(1, "name", 1741 ar->ar_arg_ctlname[ctr]); 1742 kau_write(rec, tok); 1743 } 1744 } 1745 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1746 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1747 kau_write(rec, tok); 1748 } 1749 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1750 tok = au_to_text(ar->ar_arg_text); 1751 kau_write(rec, tok); 1752 } 1753 break; 1754 1755 case AUE_UMASK: 1756 if (ARG_IS_VALID(kar, ARG_MASK)) { 1757 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1758 kau_write(rec, tok); 1759 } 1760 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1761 kau_write(rec, tok); 1762 break; 1763 1764 case AUE_WAIT4: 1765 case AUE_WAIT6: 1766 PROCESS_PID_TOKENS(1); 1767 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1768 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1769 kau_write(rec, tok); 1770 } 1771 break; 1772 1773 case AUE_CAP_RIGHTS_LIMIT: 1774 /* 1775 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1776 */ 1777 FD_VNODE1_TOKENS; 1778 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1779 tok = au_to_rights(&ar->ar_arg_rights); 1780 kau_write(rec, tok); 1781 } 1782 break; 1783 1784 case AUE_CAP_FCNTLS_GET: 1785 case AUE_CAP_IOCTLS_GET: 1786 case AUE_CAP_IOCTLS_LIMIT: 1787 case AUE_CAP_RIGHTS_GET: 1788 if (ARG_IS_VALID(kar, ARG_FD)) { 1789 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1790 kau_write(rec, tok); 1791 } 1792 break; 1793 1794 case AUE_CAP_FCNTLS_LIMIT: 1795 FD_VNODE1_TOKENS; 1796 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1797 tok = au_to_arg32(2, "fcntlrights", 1798 ar->ar_arg_fcntl_rights); 1799 kau_write(rec, tok); 1800 } 1801 break; 1802 1803 case AUE_CAP_ENTER: 1804 case AUE_CAP_GETMODE: 1805 break; 1806 1807 case AUE_THR_NEW: 1808 case AUE_THR_KILL: 1809 case AUE_THR_EXIT: 1810 break; 1811 1812 case AUE_NULL: 1813 default: 1814 printf("BSM conversion requested for unknown event %d\n", 1815 ar->ar_event); 1816 1817 /* 1818 * Write the subject token so it is properly freed here. 1819 */ 1820 if (jail_tok != NULL) 1821 kau_write(rec, jail_tok); 1822 kau_write(rec, subj_tok); 1823 kau_free(rec); 1824 return (BSM_NOAUDIT); 1825 } 1826 1827 if (jail_tok != NULL) 1828 kau_write(rec, jail_tok); 1829 kau_write(rec, subj_tok); 1830 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1831 kau_write(rec, tok); /* Every record gets a return token */ 1832 1833 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1834 1835 *pau = rec; 1836 return (BSM_SUCCESS); 1837 } 1838 1839 /* 1840 * Verify that a record is a valid BSM record. This verification is simple 1841 * now, but may be expanded on sometime in the future. Return 1 if the 1842 * record is good, 0 otherwise. 1843 */ 1844 int 1845 bsm_rec_verify(void *rec) 1846 { 1847 char c = *(char *)rec; 1848 1849 /* 1850 * Check the token ID of the first token; it has to be a header 1851 * token. 1852 * 1853 * XXXAUDIT There needs to be a token structure to map a token. 1854 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1855 */ 1856 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1857 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1858 return (0); 1859 return (1); 1860 } 1861