1 /* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 #include <sys/param.h> 33 #include <sys/vnode.h> 34 #include <sys/ipc.h> 35 #include <sys/lock.h> 36 #include <sys/malloc.h> 37 #include <sys/mutex.h> 38 #include <sys/socket.h> 39 #include <sys/fcntl.h> 40 #include <sys/user.h> 41 #include <sys/systm.h> 42 43 #include <bsm/audit.h> 44 #include <bsm/audit_internal.h> 45 #include <bsm/audit_record.h> 46 #include <bsm/audit_kevents.h> 47 48 #include <security/audit/audit.h> 49 #include <security/audit/audit_private.h> 50 51 #include <netinet/in_systm.h> 52 #include <netinet/in.h> 53 #include <netinet/ip.h> 54 55 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 57 /* 58 * Forward declares. 59 */ 60 static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63 /* 64 * Initialize the BSM auditing subsystem. 65 */ 66 void 67 kau_init(void) 68 { 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72 } 73 74 /* 75 * This call reserves memory for the audit record. 76 * Memory must be guaranteed before any auditable event can be 77 * generated. 78 * The au_record structure maintains a reference to the 79 * memory allocated above and also the list of tokens associated 80 * with this record 81 */ 82 static struct au_record * 83 kau_open(void) 84 { 85 struct au_record *rec; 86 87 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 88 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 89 M_AUDITBSM, M_WAITOK | M_ZERO); 90 TAILQ_INIT(&rec->token_q); 91 rec->len = 0; 92 rec->used = 1; 93 94 return (rec); 95 } 96 97 /* 98 * Store the token with the record descriptor. 99 */ 100 static void 101 kau_write(struct au_record *rec, struct au_token *tok) 102 { 103 104 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 105 106 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 107 rec->len += tok->len; 108 } 109 110 /* 111 * Close out the audit record by adding the header token, identifying any 112 * missing tokens. Write out the tokens to the record memory. 113 */ 114 static void 115 kau_close(struct au_record *rec, struct timespec *ctime, short event) 116 { 117 u_char *dptr; 118 size_t tot_rec_size; 119 token_t *cur, *hdr, *trail; 120 struct timeval tm; 121 122 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 123 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 124 /* Create the header token */ 125 tm.tv_usec = ctime->tv_nsec / 1000; 126 tm.tv_sec = ctime->tv_sec; 127 hdr = au_to_header32(tot_rec_size, event, 0, tm); 128 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 129 130 trail = au_to_trailer(tot_rec_size); 131 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 132 133 /* Serialize token data to the record. */ 134 135 rec->len = tot_rec_size; 136 dptr = rec->data; 137 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 138 memcpy(dptr, cur->t_data, cur->len); 139 dptr += cur->len; 140 } 141 } 142 } 143 144 /* 145 * Free a BSM audit record by releasing all the tokens and clearing the 146 * audit record information. 147 */ 148 void 149 kau_free(struct au_record *rec) 150 { 151 struct au_token *tok; 152 153 /* Free the token list */ 154 while ((tok = TAILQ_FIRST(&rec->token_q))) { 155 TAILQ_REMOVE(&rec->token_q, tok, tokens); 156 free(tok->t_data, M_AUDITBSM); 157 free(tok, M_AUDITBSM); 158 } 159 160 rec->used = 0; 161 rec->len = 0; 162 free(rec->data, M_AUDITBSM); 163 free(rec, M_AUDITBSM); 164 } 165 166 /* 167 * XXX May want turn some (or all) of these macros into functions in order 168 * to reduce the generated code sized. 169 * 170 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 171 * caller are OK with this. 172 */ 173 #define UPATH1_TOKENS do { \ 174 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 175 tok = au_to_path(ar->ar_arg_upath1); \ 176 kau_write(rec, tok); \ 177 } \ 178 } while (0) 179 180 #define UPATH2_TOKENS do { \ 181 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 182 tok = au_to_path(ar->ar_arg_upath2); \ 183 kau_write(rec, tok); \ 184 } \ 185 } while (0) 186 187 #define VNODE1_TOKENS do { \ 188 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 189 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 190 kau_write(rec, tok); \ 191 } \ 192 } while (0) 193 194 #define UPATH1_VNODE1_TOKENS do { \ 195 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 196 UPATH1_TOKENS; \ 197 } \ 198 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 199 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 200 kau_write(rec, tok); \ 201 } \ 202 } while (0) 203 204 #define VNODE2_TOKENS do { \ 205 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 206 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 207 kau_write(rec, tok); \ 208 } \ 209 } while (0) 210 211 #define FD_VNODE1_TOKENS do { \ 212 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 213 if (ARG_IS_VALID(kar, ARG_FD)) { \ 214 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 215 kau_write(rec, tok); \ 216 } \ 217 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 218 kau_write(rec, tok); \ 219 } else { \ 220 if (ARG_IS_VALID(kar, ARG_FD)) { \ 221 tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\ 222 kau_write(rec, tok); \ 223 } \ 224 } \ 225 } while (0) 226 227 #define PROCESS_PID_TOKENS(argn) do { \ 228 if (ARG_IS_VALID(kar, ARG_PID)) { \ 229 if ((ar->ar_arg_pid > 0) /* Kill a single process */ \ 230 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 231 tok = au_to_process(ar->ar_arg_auid, \ 232 ar->ar_arg_euid, ar->ar_arg_egid, \ 233 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 234 ar->ar_arg_pid, ar->ar_arg_asid, \ 235 &ar->ar_arg_termid); \ 236 kau_write(rec, tok); \ 237 } else { \ 238 tok = au_to_arg32(argn, "process", \ 239 ar->ar_arg_pid); \ 240 kau_write(rec, tok); \ 241 } \ 242 } \ 243 } while (0) \ 244 245 /* 246 * Implement auditing for the auditon() system call. The audit tokens that 247 * are generated depend on the command that was sent into the auditon() 248 * system call. 249 */ 250 static void 251 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 252 { 253 struct au_token *tok; 254 255 switch (ar->ar_arg_cmd) { 256 case A_SETPOLICY: 257 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 258 tok = au_to_arg64(1, "policy", 259 ar->ar_arg_auditon.au_flags); 260 else 261 tok = au_to_arg32(1, "policy", 262 ar->ar_arg_auditon.au_flags); 263 kau_write(rec, tok); 264 break; 265 266 case A_SETKMASK: 267 tok = au_to_arg32(2, "setkmask:as_success", 268 ar->ar_arg_auditon.au_mask.am_success); 269 kau_write(rec, tok); 270 tok = au_to_arg32(2, "setkmask:as_failure", 271 ar->ar_arg_auditon.au_mask.am_failure); 272 kau_write(rec, tok); 273 break; 274 275 case A_SETQCTRL: 276 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 277 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 278 kau_write(rec, tok); 279 tok = au_to_arg32(3, "setqctrl:aq_lowater", 280 ar->ar_arg_auditon.au_qctrl.aq_lowater); 281 kau_write(rec, tok); 282 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 283 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 284 kau_write(rec, tok); 285 tok = au_to_arg32(3, "setqctrl:aq_delay", 286 ar->ar_arg_auditon.au_qctrl.aq_delay); 287 kau_write(rec, tok); 288 tok = au_to_arg32(3, "setqctrl:aq_minfree", 289 ar->ar_arg_auditon.au_qctrl.aq_minfree); 290 kau_write(rec, tok); 291 break; 292 293 case A_SETUMASK: 294 tok = au_to_arg32(3, "setumask:as_success", 295 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 296 kau_write(rec, tok); 297 tok = au_to_arg32(3, "setumask:as_failure", 298 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 299 kau_write(rec, tok); 300 break; 301 302 case A_SETSMASK: 303 tok = au_to_arg32(3, "setsmask:as_success", 304 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 305 kau_write(rec, tok); 306 tok = au_to_arg32(3, "setsmask:as_failure", 307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 308 kau_write(rec, tok); 309 break; 310 311 case A_SETCOND: 312 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 313 tok = au_to_arg64(3, "setcond", 314 ar->ar_arg_auditon.au_cond); 315 else 316 tok = au_to_arg32(3, "setcond", 317 ar->ar_arg_auditon.au_cond); 318 kau_write(rec, tok); 319 break; 320 321 case A_SETCLASS: 322 tok = au_to_arg32(2, "setclass:ec_event", 323 ar->ar_arg_auditon.au_evclass.ec_number); 324 kau_write(rec, tok); 325 tok = au_to_arg32(3, "setclass:ec_class", 326 ar->ar_arg_auditon.au_evclass.ec_class); 327 kau_write(rec, tok); 328 break; 329 330 case A_SETPMASK: 331 tok = au_to_arg32(2, "setpmask:as_success", 332 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 333 kau_write(rec, tok); 334 tok = au_to_arg32(2, "setpmask:as_failure", 335 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 336 kau_write(rec, tok); 337 break; 338 339 case A_SETFSIZE: 340 tok = au_to_arg32(2, "setfsize:filesize", 341 ar->ar_arg_auditon.au_fstat.af_filesz); 342 kau_write(rec, tok); 343 break; 344 345 default: 346 break; 347 } 348 } 349 350 /* 351 * Convert an internal kernel audit record to a BSM record and return 352 * a success/failure indicator. The BSM record is passed as an out 353 * parameter to this function. 354 * Return conditions: 355 * BSM_SUCCESS: The BSM record is valid 356 * BSM_FAILURE: Failure; the BSM record is NULL. 357 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 358 */ 359 int 360 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 361 { 362 struct au_token *tok, *subj_tok; 363 struct au_record *rec; 364 au_tid_t tid; 365 struct audit_record *ar; 366 int ctr; 367 368 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 369 370 *pau = NULL; 371 ar = &kar->k_ar; 372 rec = kau_open(); 373 374 /* Create the subject token */ 375 tid.port = ar->ar_subj_term.port; 376 tid.machine = ar->ar_subj_term.machine; 377 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 378 ar->ar_subj_cred.cr_uid, /* eff uid */ 379 ar->ar_subj_egid, /* eff group id */ 380 ar->ar_subj_ruid, /* real uid */ 381 ar->ar_subj_rgid, /* real group id */ 382 ar->ar_subj_pid, /* process id */ 383 ar->ar_subj_asid, /* session ID */ 384 &tid); 385 386 /* The logic inside each case fills in the tokens required for the 387 * event, except for the header, trailer, and return tokens. The 388 * header and trailer tokens are added by the kau_close() function. 389 * The return token is added outside of the switch statement. 390 */ 391 switch(ar->ar_event) { 392 393 /* 394 * Socket-related events. 395 */ 396 case AUE_ACCEPT: 397 case AUE_BIND: 398 case AUE_CONNECT: 399 case AUE_RECVFROM: 400 case AUE_RECVMSG: 401 case AUE_SENDMSG: 402 case AUE_SENDTO: 403 if (ARG_IS_VALID(kar, ARG_FD)) { 404 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 405 kau_write(rec, tok); 406 } 407 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 408 tok = au_to_sock_inet( 409 (struct sockaddr_in *)&ar->ar_arg_sockaddr); 410 kau_write(rec, tok); 411 } 412 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 413 tok = au_to_sock_unix( 414 (struct sockaddr_un *)&ar->ar_arg_sockaddr); 415 kau_write(rec, tok); 416 UPATH1_TOKENS; 417 } 418 /* XXX Need to handle ARG_SADDRINET6 */ 419 break; 420 421 case AUE_SOCKET: 422 case AUE_SOCKETPAIR: 423 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 424 tok = au_to_arg32(1,"domain", 425 ar->ar_arg_sockinfo.so_domain); 426 kau_write(rec, tok); 427 tok = au_to_arg32(2,"type", 428 ar->ar_arg_sockinfo.so_type); 429 kau_write(rec, tok); 430 tok = au_to_arg32(3,"protocol", 431 ar->ar_arg_sockinfo.so_protocol); 432 kau_write(rec, tok); 433 } 434 break; 435 436 case AUE_SETSOCKOPT: 437 case AUE_SHUTDOWN: 438 if (ARG_IS_VALID(kar, ARG_FD)) { 439 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 440 kau_write(rec, tok); 441 } 442 break; 443 444 case AUE_ACCT: 445 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 446 UPATH1_VNODE1_TOKENS; 447 } else { 448 tok = au_to_arg32(1, "accounting off", 0); 449 kau_write(rec, tok); 450 } 451 break; 452 453 case AUE_SETAUID: 454 if (ARG_IS_VALID(kar, ARG_AUID)) { 455 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 456 kau_write(rec, tok); 457 } 458 break; 459 460 case AUE_SETAUDIT: 461 if (ARG_IS_VALID(kar, ARG_AUID)) { 462 tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid); 463 kau_write(rec, tok); 464 tok = au_to_arg32(1, "setaudit:port", 465 ar->ar_arg_termid.port); 466 kau_write(rec, tok); 467 tok = au_to_arg32(1, "setaudit:machine", 468 ar->ar_arg_termid.machine); 469 kau_write(rec, tok); 470 tok = au_to_arg32(1, "setaudit:as_success", 471 ar->ar_arg_amask.am_success); 472 kau_write(rec, tok); 473 tok = au_to_arg32(1, "setaudit:as_failure", 474 ar->ar_arg_amask.am_failure); 475 kau_write(rec, tok); 476 tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid); 477 kau_write(rec, tok); 478 } 479 break; 480 481 case AUE_SETAUDIT_ADDR: 482 break; /* XXX need to add arguments */ 483 484 case AUE_AUDITON: 485 /* For AUDITON commands without own event, audit the cmd */ 486 if (ARG_IS_VALID(kar, ARG_CMD)) { 487 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 488 kau_write(rec, tok); 489 } 490 /* fall thru */ 491 492 case AUE_AUDITON_GETCAR: 493 case AUE_AUDITON_GETCLASS: 494 case AUE_AUDITON_GETCOND: 495 case AUE_AUDITON_GETCWD: 496 case AUE_AUDITON_GETKMASK: 497 case AUE_AUDITON_GETSTAT: 498 case AUE_AUDITON_GPOLICY: 499 case AUE_AUDITON_GQCTRL: 500 case AUE_AUDITON_SETCLASS: 501 case AUE_AUDITON_SETCOND: 502 case AUE_AUDITON_SETKMASK: 503 case AUE_AUDITON_SETSMASK: 504 case AUE_AUDITON_SETSTAT: 505 case AUE_AUDITON_SETUMASK: 506 case AUE_AUDITON_SPOLICY: 507 case AUE_AUDITON_SQCTRL: 508 if (ARG_IS_VALID(kar, ARG_AUDITON)) { 509 audit_sys_auditon(ar, rec); 510 } 511 break; 512 513 case AUE_AUDITCTL: 514 UPATH1_VNODE1_TOKENS; 515 break; 516 517 case AUE_EXIT: 518 if (ARG_IS_VALID(kar, ARG_EXIT)) { 519 tok = au_to_exit(ar->ar_arg_exitretval, 520 ar->ar_arg_exitstatus); 521 kau_write(rec, tok); 522 } 523 break; 524 525 case AUE_ADJTIME: 526 case AUE_AUDIT: 527 case AUE_GETAUDIT: 528 case AUE_GETAUDIT_ADDR: 529 case AUE_GETAUID: 530 case AUE_GETFSSTAT: 531 case AUE_PIPE: 532 case AUE_SETPGRP: 533 case AUE_SETRLIMIT: 534 case AUE_SETSID: 535 case AUE_SETTIMEOFDAY: 536 case AUE_NEWSYSTEMSHREG: 537 /* Header, subject, and return tokens added at end */ 538 break; 539 540 case AUE_ACCESS: 541 case AUE_CHDIR: 542 case AUE_CHROOT: 543 case AUE_EACCESS: 544 case AUE_EXECVE: 545 case AUE_GETATTRLIST: 546 case AUE_NFS_GETFH: 547 case AUE_LSTAT: 548 case AUE_MKFIFO: 549 case AUE_PATHCONF: 550 case AUE_READLINK: 551 case AUE_REVOKE: 552 case AUE_RMDIR: 553 case AUE_SEARCHFS: 554 case AUE_SETATTRLIST: 555 case AUE_STAT: 556 case AUE_STATFS: 557 case AUE_TRUNCATE: 558 case AUE_UNDELETE: 559 case AUE_UNLINK: 560 case AUE_UTIMES: 561 UPATH1_VNODE1_TOKENS; 562 break; 563 564 case AUE_CHFLAGS: 565 case AUE_LCHFLAGS: 566 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 567 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 568 kau_write(rec, tok); 569 } 570 UPATH1_VNODE1_TOKENS; 571 break; 572 573 case AUE_CHMOD: 574 case AUE_LCHMOD: 575 if (ARG_IS_VALID(kar, ARG_MODE)) { 576 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); 577 kau_write(rec, tok); 578 } 579 UPATH1_VNODE1_TOKENS; 580 break; 581 582 case AUE_CHOWN: 583 case AUE_LCHOWN: 584 if (ARG_IS_VALID(kar, ARG_UID)) { 585 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 586 kau_write(rec, tok); 587 } 588 if (ARG_IS_VALID(kar, ARG_GID)) { 589 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 590 kau_write(rec, tok); 591 } 592 UPATH1_VNODE1_TOKENS; 593 break; 594 595 case AUE_EXCHANGEDATA: 596 UPATH1_VNODE1_TOKENS; 597 UPATH2_TOKENS; 598 break; 599 600 case AUE_CLOSE: 601 if (ARG_IS_VALID(kar, ARG_FD)) { 602 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 603 kau_write(rec, tok); 604 } 605 UPATH1_VNODE1_TOKENS; 606 break; 607 608 case AUE_FCHMOD: 609 if (ARG_IS_VALID(kar, ARG_MODE)) { 610 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); 611 kau_write(rec, tok); 612 } 613 FD_VNODE1_TOKENS; 614 break; 615 616 case AUE_FCHDIR: 617 case AUE_FPATHCONF: 618 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 619 case AUE_FSTATFS: 620 case AUE_FSYNC: 621 case AUE_FTRUNCATE: 622 case AUE_FUTIMES: 623 case AUE_GETDIRENTRIES: 624 case AUE_GETDIRENTRIESATTR: 625 FD_VNODE1_TOKENS; 626 break; 627 628 case AUE_FCHOWN: 629 if (ARG_IS_VALID(kar, ARG_UID)) { 630 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 631 kau_write(rec, tok); 632 } 633 if (ARG_IS_VALID(kar, ARG_GID)) { 634 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 635 kau_write(rec, tok); 636 } 637 FD_VNODE1_TOKENS; 638 break; 639 640 case AUE_FCNTL: 641 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 642 ar->ar_arg_cmd == F_SETLKW) { 643 if (ARG_IS_VALID(kar, ARG_CMD)) { 644 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 645 kau_write(rec, tok); 646 } 647 FD_VNODE1_TOKENS; 648 } 649 break; 650 651 case AUE_FCHFLAGS: 652 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 653 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 654 kau_write(rec, tok); 655 } 656 FD_VNODE1_TOKENS; 657 break; 658 659 case AUE_FLOCK: 660 if (ARG_IS_VALID(kar, ARG_CMD)) { 661 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 662 kau_write(rec, tok); 663 } 664 FD_VNODE1_TOKENS; 665 break; 666 667 case AUE_RFORK: 668 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 669 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 670 kau_write(rec, tok); 671 } 672 /* fall through */ 673 case AUE_FORK: 674 case AUE_VFORK: 675 if (ARG_IS_VALID(kar, ARG_PID)) { 676 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 677 kau_write(rec, tok); 678 } 679 break; 680 681 case AUE_IOCTL: 682 if (ARG_IS_VALID(kar, ARG_CMD)) { 683 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 684 kau_write(rec, tok); 685 } 686 if (ARG_IS_VALID(kar, ARG_ADDR)) { 687 tok = au_to_arg32(1, "arg", 688 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 689 kau_write(rec, tok); 690 } 691 if (ARG_IS_VALID(kar, ARG_VNODE1)) { 692 FD_VNODE1_TOKENS; 693 } else { 694 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 695 tok = kau_to_socket(&ar->ar_arg_sockinfo); 696 kau_write(rec, tok); 697 } else { 698 if (ARG_IS_VALID(kar, ARG_FD)) { 699 tok = au_to_arg32(1, "fd", 700 ar->ar_arg_fd); 701 kau_write(rec, tok); 702 } 703 } 704 } 705 break; 706 707 case AUE_KILL: 708 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 709 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 710 kau_write(rec, tok); 711 } 712 PROCESS_PID_TOKENS(1); 713 break; 714 715 case AUE_KTRACE: 716 if (ARG_IS_VALID(kar, ARG_CMD)) { 717 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 718 kau_write(rec, tok); 719 } 720 if (ARG_IS_VALID(kar, ARG_VALUE)) { 721 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 722 kau_write(rec, tok); 723 } 724 PROCESS_PID_TOKENS(4); 725 UPATH1_VNODE1_TOKENS; 726 break; 727 728 case AUE_LINK: 729 case AUE_RENAME: 730 UPATH1_VNODE1_TOKENS; 731 UPATH2_TOKENS; 732 break; 733 734 case AUE_LOADSHFILE: 735 if (ARG_IS_VALID(kar, ARG_ADDR)) { 736 tok = au_to_arg32(4, "base addr", 737 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 738 kau_write(rec, tok); 739 } 740 UPATH1_VNODE1_TOKENS; 741 break; 742 743 case AUE_MKDIR: 744 if (ARG_IS_VALID(kar, ARG_MODE)) { 745 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 746 kau_write(rec, tok); 747 } 748 UPATH1_VNODE1_TOKENS; 749 break; 750 751 case AUE_MKNOD: 752 if (ARG_IS_VALID(kar, ARG_MODE)) { 753 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 754 kau_write(rec, tok); 755 } 756 if (ARG_IS_VALID(kar, ARG_DEV)) { 757 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 758 kau_write(rec, tok); 759 } 760 UPATH1_VNODE1_TOKENS; 761 break; 762 763 case AUE_MMAP: 764 case AUE_MUNMAP: 765 case AUE_MPROTECT: 766 case AUE_MLOCK: 767 case AUE_MUNLOCK: 768 case AUE_MINHERIT: 769 if (ARG_IS_VALID(kar, ARG_ADDR)) { 770 tok = au_to_arg32(1, "addr", 771 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 772 kau_write(rec, tok); 773 } 774 if (ARG_IS_VALID(kar, ARG_LEN)) { 775 tok = au_to_arg32(2, "len", ar->ar_arg_len); 776 kau_write(rec, tok); 777 } 778 if (ar->ar_event == AUE_MMAP) 779 FD_VNODE1_TOKENS; 780 if (ar->ar_event == AUE_MPROTECT) { 781 if (ARG_IS_VALID(kar, ARG_VALUE)) { 782 tok = au_to_arg32(3, "protection", 783 ar->ar_arg_value); 784 kau_write(rec, tok); 785 } 786 } 787 if (ar->ar_event == AUE_MINHERIT) { 788 if (ARG_IS_VALID(kar, ARG_VALUE)) { 789 tok = au_to_arg32(3, "inherit", 790 ar->ar_arg_value); 791 kau_write(rec, tok); 792 } 793 } 794 break; 795 796 case AUE_MOUNT: 797 /* XXX Need to handle NFS mounts */ 798 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 799 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 800 kau_write(rec, tok); 801 } 802 if (ARG_IS_VALID(kar, ARG_TEXT)) { 803 tok = au_to_text(ar->ar_arg_text); 804 kau_write(rec, tok); 805 } 806 /* fall through */ 807 case AUE_UMOUNT: 808 UPATH1_VNODE1_TOKENS; 809 break; 810 811 case AUE_MSGCTL: 812 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 813 /* Fall through */ 814 case AUE_MSGRCV: 815 case AUE_MSGSND: 816 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 817 kau_write(rec, tok); 818 if (ar->ar_errno != EINVAL) { 819 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 820 kau_write(rec, tok); 821 } 822 break; 823 824 case AUE_MSGGET: 825 if (ar->ar_errno == 0) { 826 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 827 tok = au_to_ipc(AT_IPC_MSG, 828 ar->ar_arg_svipc_id); 829 kau_write(rec, tok); 830 } 831 } 832 break; 833 834 case AUE_RESETSHFILE: 835 if (ARG_IS_VALID(kar, ARG_ADDR)) { 836 tok = au_to_arg32(1, "base addr", 837 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 838 kau_write(rec, tok); 839 } 840 break; 841 842 case AUE_OPEN_RC: 843 case AUE_OPEN_RTC: 844 case AUE_OPEN_RWC: 845 case AUE_OPEN_RWTC: 846 case AUE_OPEN_WC: 847 case AUE_OPEN_WTC: 848 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 849 if (ARG_IS_VALID(kar, ARG_MODE)) { 850 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 851 kau_write(rec, tok); 852 } 853 /* fall through */ 854 855 case AUE_OPEN_R: 856 case AUE_OPEN_RT: 857 case AUE_OPEN_RW: 858 case AUE_OPEN_RWT: 859 case AUE_OPEN_W: 860 case AUE_OPEN_WT: 861 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 862 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 863 kau_write(rec, tok); 864 } 865 UPATH1_VNODE1_TOKENS; 866 break; 867 868 case AUE_PTRACE: 869 if (ARG_IS_VALID(kar, ARG_CMD)) { 870 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 871 kau_write(rec, tok); 872 } 873 if (ARG_IS_VALID(kar, ARG_ADDR)) { 874 tok = au_to_arg32(3, "addr", 875 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 876 kau_write(rec, tok); 877 } 878 if (ARG_IS_VALID(kar, ARG_VALUE)) { 879 tok = au_to_arg32(4, "data", ar->ar_arg_value); 880 kau_write(rec, tok); 881 } 882 PROCESS_PID_TOKENS(2); 883 break; 884 885 case AUE_QUOTACTL: 886 if (ARG_IS_VALID(kar, ARG_CMD)) { 887 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 888 kau_write(rec, tok); 889 } 890 if (ARG_IS_VALID(kar, ARG_UID)) { 891 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 892 kau_write(rec, tok); 893 } 894 UPATH1_VNODE1_TOKENS; 895 break; 896 897 case AUE_REBOOT: 898 if (ARG_IS_VALID(kar, ARG_CMD)) { 899 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 900 kau_write(rec, tok); 901 } 902 break; 903 904 case AUE_SEMCTL: 905 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 906 /* Fall through */ 907 case AUE_SEMOP: 908 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 909 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 910 kau_write(rec, tok); 911 if (ar->ar_errno != EINVAL) { 912 tok = au_to_ipc(AT_IPC_SEM, 913 ar->ar_arg_svipc_id); 914 kau_write(rec, tok); 915 } 916 } 917 break; 918 case AUE_SEMGET: 919 if (ar->ar_errno == 0) { 920 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 921 tok = au_to_ipc(AT_IPC_SEM, 922 ar->ar_arg_svipc_id); 923 kau_write(rec, tok); 924 } 925 } 926 break; 927 case AUE_SETEGID: 928 if (ARG_IS_VALID(kar, ARG_EGID)) { 929 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 930 kau_write(rec, tok); 931 } 932 break; 933 case AUE_SETEUID: 934 if (ARG_IS_VALID(kar, ARG_EUID)) { 935 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 936 kau_write(rec, tok); 937 } 938 break; 939 case AUE_SETREGID: 940 if (ARG_IS_VALID(kar, ARG_RGID)) { 941 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 942 kau_write(rec, tok); 943 } 944 if (ARG_IS_VALID(kar, ARG_EGID)) { 945 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 946 kau_write(rec, tok); 947 } 948 break; 949 case AUE_SETREUID: 950 if (ARG_IS_VALID(kar, ARG_RUID)) { 951 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 952 kau_write(rec, tok); 953 } 954 if (ARG_IS_VALID(kar, ARG_EUID)) { 955 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 956 kau_write(rec, tok); 957 } 958 break; 959 case AUE_SETRESGID: 960 if (ARG_IS_VALID(kar, ARG_RGID)) { 961 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 962 kau_write(rec, tok); 963 } 964 if (ARG_IS_VALID(kar, ARG_EGID)) { 965 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 966 kau_write(rec, tok); 967 } 968 if (ARG_IS_VALID(kar, ARG_SGID)) { 969 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 970 kau_write(rec, tok); 971 } 972 break; 973 case AUE_SETRESUID: 974 if (ARG_IS_VALID(kar, ARG_RUID)) { 975 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 976 kau_write(rec, tok); 977 } 978 if (ARG_IS_VALID(kar, ARG_EUID)) { 979 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 980 kau_write(rec, tok); 981 } 982 if (ARG_IS_VALID(kar, ARG_SUID)) { 983 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 984 kau_write(rec, tok); 985 } 986 break; 987 case AUE_SETGID: 988 if (ARG_IS_VALID(kar, ARG_GID)) { 989 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 990 kau_write(rec, tok); 991 } 992 break; 993 case AUE_SETUID: 994 if (ARG_IS_VALID(kar, ARG_UID)) { 995 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 996 kau_write(rec, tok); 997 } 998 break; 999 case AUE_SETGROUPS: 1000 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1001 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1002 { 1003 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1004 kau_write(rec, tok); 1005 } 1006 } 1007 break; 1008 1009 case AUE_SETLOGIN: 1010 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1011 tok = au_to_text(ar->ar_arg_text); 1012 kau_write(rec, tok); 1013 } 1014 break; 1015 1016 case AUE_SETPRIORITY: 1017 if (ARG_IS_VALID(kar, ARG_CMD)) { 1018 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1019 kau_write(rec, tok); 1020 } 1021 if (ARG_IS_VALID(kar, ARG_UID)) { 1022 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1023 kau_write(rec, tok); 1024 } 1025 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1026 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1027 kau_write(rec, tok); 1028 } 1029 break; 1030 1031 case AUE_SETPRIVEXEC: 1032 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1033 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1034 kau_write(rec, tok); 1035 } 1036 break; 1037 1038 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1039 case AUE_SHMAT: 1040 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1041 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1042 kau_write(rec, tok); 1043 /* XXXAUDIT: Does having the ipc token make sense? */ 1044 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1045 kau_write(rec, tok); 1046 } 1047 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1048 tok = au_to_arg32(2, "shmaddr", 1049 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1050 kau_write(rec, tok); 1051 } 1052 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1053 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1054 kau_write(rec, tok); 1055 } 1056 break; 1057 1058 case AUE_SHMCTL: 1059 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1060 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1061 kau_write(rec, tok); 1062 /* XXXAUDIT: Does having the ipc token make sense? */ 1063 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1064 kau_write(rec, tok); 1065 } 1066 switch (ar->ar_arg_svipc_cmd) { 1067 case IPC_STAT: 1068 ar->ar_event = AUE_SHMCTL_STAT; 1069 break; 1070 case IPC_RMID: 1071 ar->ar_event = AUE_SHMCTL_RMID; 1072 break; 1073 case IPC_SET: 1074 ar->ar_event = AUE_SHMCTL_SET; 1075 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1076 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1077 kau_write(rec, tok); 1078 } 1079 break; 1080 default: 1081 break; /* We will audit a bad command */ 1082 } 1083 break; 1084 1085 case AUE_SHMDT: 1086 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1087 tok = au_to_arg32(1, "shmaddr", 1088 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1089 kau_write(rec, tok); 1090 } 1091 break; 1092 1093 case AUE_SHMGET: 1094 /* This is unusual; the return value is in an argument token */ 1095 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1096 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1097 kau_write(rec, tok); 1098 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1099 kau_write(rec, tok); 1100 } 1101 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1102 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1103 kau_write(rec, tok); 1104 } 1105 break; 1106 1107 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1108 * and AUE_SEMUNLINK are Posix IPC */ 1109 case AUE_SHMOPEN: 1110 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1111 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1112 kau_write(rec, tok); 1113 } 1114 if (ARG_IS_VALID(kar, ARG_MODE)) { 1115 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1116 kau_write(rec, tok); 1117 } 1118 case AUE_SHMUNLINK: 1119 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1120 tok = au_to_text(ar->ar_arg_text); 1121 kau_write(rec, tok); 1122 } 1123 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1124 /* Create an ipc_perm token */ 1125 struct ipc_perm perm; 1126 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1127 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1128 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1129 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1130 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1131 perm.seq = 0; 1132 perm.key = 0; 1133 tok = au_to_ipc_perm(&perm); 1134 kau_write(rec, tok); 1135 } 1136 break; 1137 1138 case AUE_SEMOPEN: 1139 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1140 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1141 kau_write(rec, tok); 1142 } 1143 if (ARG_IS_VALID(kar, ARG_MODE)) { 1144 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1145 kau_write(rec, tok); 1146 } 1147 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1148 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1149 kau_write(rec, tok); 1150 } 1151 /* fall through */ 1152 case AUE_SEMUNLINK: 1153 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1154 tok = au_to_text(ar->ar_arg_text); 1155 kau_write(rec, tok); 1156 } 1157 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1158 /* Create an ipc_perm token */ 1159 struct ipc_perm perm; 1160 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1161 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1162 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1163 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1164 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1165 perm.seq = 0; 1166 perm.key = 0; 1167 tok = au_to_ipc_perm(&perm); 1168 kau_write(rec, tok); 1169 } 1170 break; 1171 1172 case AUE_SEMCLOSE: 1173 if (ARG_IS_VALID(kar, ARG_FD)) { 1174 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1175 kau_write(rec, tok); 1176 } 1177 break; 1178 1179 case AUE_SYMLINK: 1180 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1181 tok = au_to_text(ar->ar_arg_text); 1182 kau_write(rec, tok); 1183 } 1184 UPATH1_VNODE1_TOKENS; 1185 break; 1186 1187 case AUE_SYSCTL: 1188 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1189 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1190 tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]); 1191 kau_write(rec, tok); 1192 } 1193 } 1194 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1195 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1196 kau_write(rec, tok); 1197 } 1198 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1199 tok = au_to_text(ar->ar_arg_text); 1200 kau_write(rec, tok); 1201 } 1202 break; 1203 1204 case AUE_UMASK: 1205 if (ARG_IS_VALID(kar, ARG_MASK)) { 1206 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1207 kau_write(rec, tok); 1208 } 1209 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1210 kau_write(rec, tok); 1211 break; 1212 1213 case AUE_WAIT4: 1214 if (ARG_IS_VALID(kar, ARG_PID)) { 1215 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1216 kau_write(rec, tok); 1217 } 1218 break; 1219 1220 default: /* We shouldn't fall through to here. */ 1221 printf("BSM conversion requested for unknown event %d\n", 1222 ar->ar_event); 1223 /* Write the subject token so it is properly freed here. */ 1224 kau_write(rec, subj_tok); 1225 kau_free(rec); 1226 return (BSM_NOAUDIT); 1227 } 1228 1229 kau_write(rec, subj_tok); 1230 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1231 kau_write(rec, tok); /* Every record gets a return token */ 1232 1233 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1234 1235 *pau = rec; 1236 return (BSM_SUCCESS); 1237 } 1238 1239 /* 1240 * Verify that a record is a valid BSM record. This verification is 1241 * simple now, but may be expanded on sometime in the future. 1242 * Return 1 if the record is good, 0 otherwise. 1243 * 1244 */ 1245 int 1246 bsm_rec_verify(void *rec) 1247 { 1248 char c = *(char *)rec; 1249 /* 1250 * Check the token ID of the first token; it has to be a header 1251 * token. 1252 */ 1253 /* XXXAUDIT There needs to be a token structure to map a token. 1254 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1255 */ 1256 if ( (c != AUT_HEADER32) && 1257 (c != AUT_HEADER32_EX) && 1258 (c != AUT_HEADER64) && 1259 (c != AUT_HEADER64_EX) ) { 1260 return (0); 1261 } 1262 return (1); 1263 } 1264