1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/vnode.h> 35 #include <sys/ipc.h> 36 #include <sys/lock.h> 37 #include <sys/malloc.h> 38 #include <sys/mutex.h> 39 #include <sys/socket.h> 40 #include <sys/extattr.h> 41 #include <sys/fcntl.h> 42 #include <sys/user.h> 43 #include <sys/systm.h> 44 45 #include <bsm/audit.h> 46 #include <bsm/audit_internal.h> 47 #include <bsm/audit_record.h> 48 #include <bsm/audit_kevents.h> 49 50 #include <security/audit/audit.h> 51 #include <security/audit/audit_private.h> 52 53 #include <netinet/in_systm.h> 54 #include <netinet/in.h> 55 #include <netinet/ip.h> 56 57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59 static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62 /* 63 * Initialize the BSM auditing subsystem. 64 */ 65 void 66 kau_init(void) 67 { 68 69 au_evclassmap_init(); 70 } 71 72 /* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78 static struct au_record * 79 kau_open(void) 80 { 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90 } 91 92 /* 93 * Store the token with the record descriptor. 94 */ 95 static void 96 kau_write(struct au_record *rec, struct au_token *tok) 97 { 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103 } 104 105 /* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109 static void 110 kau_close(struct au_record *rec, struct timespec *ctime, short event) 111 { 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155 } 156 157 /* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161 void 162 kau_free(struct au_record *rec) 163 { 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177 } 178 179 /* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186 #define UPATH1_TOKENS do { \ 187 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188 tok = au_to_path(ar->ar_arg_upath1); \ 189 kau_write(rec, tok); \ 190 } \ 191 } while (0) 192 193 #define UPATH2_TOKENS do { \ 194 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 195 tok = au_to_path(ar->ar_arg_upath2); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define VNODE1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 202 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define UPATH1_VNODE1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 209 UPATH1_TOKENS; \ 210 } \ 211 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 212 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 213 kau_write(rec, tok); \ 214 } \ 215 } while (0) 216 217 #define VNODE2_TOKENS do { \ 218 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 219 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 220 kau_write(rec, tok); \ 221 } \ 222 } while (0) 223 224 #define FD_VNODE1_TOKENS do { \ 225 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 226 if (ARG_IS_VALID(kar, ARG_FD)) { \ 227 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 228 kau_write(rec, tok); \ 229 } \ 230 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 231 kau_write(rec, tok); \ 232 } else { \ 233 if (ARG_IS_VALID(kar, ARG_FD)) { \ 234 tok = au_to_arg32(1, "non-file: fd", \ 235 ar->ar_arg_fd); \ 236 kau_write(rec, tok); \ 237 } \ 238 } \ 239 } while (0) 240 241 #define PROCESS_PID_TOKENS(argn) do { \ 242 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 243 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 244 tok = au_to_process32_ex(ar->ar_arg_auid, \ 245 ar->ar_arg_euid, ar->ar_arg_egid, \ 246 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 247 ar->ar_arg_pid, ar->ar_arg_asid, \ 248 &ar->ar_arg_termid_addr); \ 249 kau_write(rec, tok); \ 250 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 251 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 252 kau_write(rec, tok); \ 253 } \ 254 } while (0) 255 256 #define EXTATTR_TOKENS do { \ 257 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 258 switch (ar->ar_arg_value) { \ 259 case EXTATTR_NAMESPACE_USER: \ 260 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 261 break; \ 262 case EXTATTR_NAMESPACE_SYSTEM: \ 263 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 264 break; \ 265 default: \ 266 tok = au_to_arg32(3, "attrnamespace", \ 267 ar->ar_arg_value); \ 268 break; \ 269 } \ 270 kau_write(rec, tok); \ 271 } \ 272 /* attrname is in the text field */ \ 273 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 274 tok = au_to_text(ar->ar_arg_text); \ 275 kau_write(rec, tok); \ 276 } \ 277 } while (0) 278 279 /* 280 * Implement auditing for the auditon() system call. The audit tokens that 281 * are generated depend on the command that was sent into the auditon() 282 * system call. 283 */ 284 static void 285 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 286 { 287 struct au_token *tok; 288 289 switch (ar->ar_arg_cmd) { 290 case A_SETPOLICY: 291 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 292 tok = au_to_arg64(1, "policy", 293 ar->ar_arg_auditon.au_flags); 294 else 295 tok = au_to_arg32(1, "policy", 296 ar->ar_arg_auditon.au_flags); 297 kau_write(rec, tok); 298 break; 299 300 case A_SETKMASK: 301 tok = au_to_arg32(2, "setkmask:as_success", 302 ar->ar_arg_auditon.au_mask.am_success); 303 kau_write(rec, tok); 304 tok = au_to_arg32(2, "setkmask:as_failure", 305 ar->ar_arg_auditon.au_mask.am_failure); 306 kau_write(rec, tok); 307 break; 308 309 case A_SETQCTRL: 310 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 311 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 312 kau_write(rec, tok); 313 tok = au_to_arg32(3, "setqctrl:aq_lowater", 314 ar->ar_arg_auditon.au_qctrl.aq_lowater); 315 kau_write(rec, tok); 316 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 317 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 318 kau_write(rec, tok); 319 tok = au_to_arg32(3, "setqctrl:aq_delay", 320 ar->ar_arg_auditon.au_qctrl.aq_delay); 321 kau_write(rec, tok); 322 tok = au_to_arg32(3, "setqctrl:aq_minfree", 323 ar->ar_arg_auditon.au_qctrl.aq_minfree); 324 kau_write(rec, tok); 325 break; 326 327 case A_SETUMASK: 328 tok = au_to_arg32(3, "setumask:as_success", 329 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 330 kau_write(rec, tok); 331 tok = au_to_arg32(3, "setumask:as_failure", 332 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 333 kau_write(rec, tok); 334 break; 335 336 case A_SETSMASK: 337 tok = au_to_arg32(3, "setsmask:as_success", 338 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 339 kau_write(rec, tok); 340 tok = au_to_arg32(3, "setsmask:as_failure", 341 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 342 kau_write(rec, tok); 343 break; 344 345 case A_SETCOND: 346 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 347 tok = au_to_arg64(3, "setcond", 348 ar->ar_arg_auditon.au_cond); 349 else 350 tok = au_to_arg32(3, "setcond", 351 ar->ar_arg_auditon.au_cond); 352 kau_write(rec, tok); 353 break; 354 355 case A_SETCLASS: 356 tok = au_to_arg32(2, "setclass:ec_event", 357 ar->ar_arg_auditon.au_evclass.ec_number); 358 kau_write(rec, tok); 359 tok = au_to_arg32(3, "setclass:ec_class", 360 ar->ar_arg_auditon.au_evclass.ec_class); 361 kau_write(rec, tok); 362 break; 363 364 case A_SETPMASK: 365 tok = au_to_arg32(2, "setpmask:as_success", 366 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 367 kau_write(rec, tok); 368 tok = au_to_arg32(2, "setpmask:as_failure", 369 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 370 kau_write(rec, tok); 371 break; 372 373 case A_SETFSIZE: 374 tok = au_to_arg32(2, "setfsize:filesize", 375 ar->ar_arg_auditon.au_fstat.af_filesz); 376 kau_write(rec, tok); 377 break; 378 379 default: 380 break; 381 } 382 } 383 384 /* 385 * Convert an internal kernel audit record to a BSM record and return a 386 * success/failure indicator. The BSM record is passed as an out parameter to 387 * this function. 388 * 389 * Return conditions: 390 * BSM_SUCCESS: The BSM record is valid 391 * BSM_FAILURE: Failure; the BSM record is NULL. 392 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 393 */ 394 int 395 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 396 { 397 struct au_token *tok, *subj_tok; 398 struct au_record *rec; 399 au_tid_t tid; 400 struct audit_record *ar; 401 int ctr; 402 403 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 404 405 *pau = NULL; 406 ar = &kar->k_ar; 407 rec = kau_open(); 408 409 /* 410 * Create the subject token. 411 */ 412 switch (ar->ar_subj_term_addr.at_type) { 413 case AU_IPv4: 414 tid.port = ar->ar_subj_term_addr.at_port; 415 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 416 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 417 ar->ar_subj_cred.cr_uid, /* eff uid */ 418 ar->ar_subj_egid, /* eff group id */ 419 ar->ar_subj_ruid, /* real uid */ 420 ar->ar_subj_rgid, /* real group id */ 421 ar->ar_subj_pid, /* process id */ 422 ar->ar_subj_asid, /* session ID */ 423 &tid); 424 break; 425 case AU_IPv6: 426 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 427 ar->ar_subj_cred.cr_uid, 428 ar->ar_subj_egid, 429 ar->ar_subj_ruid, 430 ar->ar_subj_rgid, 431 ar->ar_subj_pid, 432 ar->ar_subj_asid, 433 &ar->ar_subj_term_addr); 434 break; 435 default: 436 bzero(&tid, sizeof(tid)); 437 subj_tok = au_to_subject32(ar->ar_subj_auid, 438 ar->ar_subj_cred.cr_uid, 439 ar->ar_subj_egid, 440 ar->ar_subj_ruid, 441 ar->ar_subj_rgid, 442 ar->ar_subj_pid, 443 ar->ar_subj_asid, 444 &tid); 445 } 446 447 /* 448 * The logic inside each case fills in the tokens required for the 449 * event, except for the header, trailer, and return tokens. The 450 * header and trailer tokens are added by the kau_close() function. 451 * The return token is added outside of the switch statement. 452 */ 453 switch(ar->ar_event) { 454 case AUE_ACCEPT: 455 case AUE_BIND: 456 case AUE_LISTEN: 457 case AUE_CONNECT: 458 case AUE_RECV: 459 case AUE_RECVFROM: 460 case AUE_RECVMSG: 461 case AUE_SEND: 462 case AUE_SENDFILE: 463 case AUE_SENDMSG: 464 case AUE_SENDTO: 465 /* 466 * Socket-related events. 467 */ 468 if (ARG_IS_VALID(kar, ARG_FD)) { 469 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 470 kau_write(rec, tok); 471 } 472 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 473 tok = au_to_sock_inet((struct sockaddr_in *) 474 &ar->ar_arg_sockaddr); 475 kau_write(rec, tok); 476 } 477 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 478 tok = au_to_sock_unix((struct sockaddr_un *) 479 &ar->ar_arg_sockaddr); 480 kau_write(rec, tok); 481 UPATH1_TOKENS; 482 } 483 /* XXX Need to handle ARG_SADDRINET6 */ 484 break; 485 486 case AUE_SOCKET: 487 case AUE_SOCKETPAIR: 488 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 489 tok = au_to_arg32(1,"domain", 490 ar->ar_arg_sockinfo.so_domain); 491 kau_write(rec, tok); 492 tok = au_to_arg32(2,"type", 493 ar->ar_arg_sockinfo.so_type); 494 kau_write(rec, tok); 495 tok = au_to_arg32(3,"protocol", 496 ar->ar_arg_sockinfo.so_protocol); 497 kau_write(rec, tok); 498 } 499 break; 500 501 case AUE_SETSOCKOPT: 502 case AUE_SHUTDOWN: 503 if (ARG_IS_VALID(kar, ARG_FD)) { 504 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 505 kau_write(rec, tok); 506 } 507 break; 508 509 case AUE_ACCT: 510 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 511 UPATH1_VNODE1_TOKENS; 512 } else { 513 tok = au_to_arg32(1, "accounting off", 0); 514 kau_write(rec, tok); 515 } 516 break; 517 518 case AUE_SETAUID: 519 if (ARG_IS_VALID(kar, ARG_AUID)) { 520 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 521 kau_write(rec, tok); 522 } 523 break; 524 525 case AUE_SETAUDIT: 526 if (ARG_IS_VALID(kar, ARG_AUID) && 527 ARG_IS_VALID(kar, ARG_ASID) && 528 ARG_IS_VALID(kar, ARG_AMASK) && 529 ARG_IS_VALID(kar, ARG_TERMID)) { 530 tok = au_to_arg32(1, "setaudit:auid", 531 ar->ar_arg_auid); 532 kau_write(rec, tok); 533 tok = au_to_arg32(1, "setaudit:port", 534 ar->ar_arg_termid.port); 535 kau_write(rec, tok); 536 tok = au_to_arg32(1, "setaudit:machine", 537 ar->ar_arg_termid.machine); 538 kau_write(rec, tok); 539 tok = au_to_arg32(1, "setaudit:as_success", 540 ar->ar_arg_amask.am_success); 541 kau_write(rec, tok); 542 tok = au_to_arg32(1, "setaudit:as_failure", 543 ar->ar_arg_amask.am_failure); 544 kau_write(rec, tok); 545 tok = au_to_arg32(1, "setaudit:asid", 546 ar->ar_arg_asid); 547 kau_write(rec, tok); 548 } 549 break; 550 551 case AUE_SETAUDIT_ADDR: 552 if (ARG_IS_VALID(kar, ARG_AUID) && 553 ARG_IS_VALID(kar, ARG_ASID) && 554 ARG_IS_VALID(kar, ARG_AMASK) && 555 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 556 tok = au_to_arg32(1, "setaudit_addr:auid", 557 ar->ar_arg_auid); 558 kau_write(rec, tok); 559 tok = au_to_arg32(1, "setaudit_addr:as_success", 560 ar->ar_arg_amask.am_success); 561 kau_write(rec, tok); 562 tok = au_to_arg32(1, "setaudit_addr:as_failure", 563 ar->ar_arg_amask.am_failure); 564 kau_write(rec, tok); 565 tok = au_to_arg32(1, "setaudit_addr:asid", 566 ar->ar_arg_asid); 567 kau_write(rec, tok); 568 tok = au_to_arg32(1, "setaudit_addr:type", 569 ar->ar_arg_termid_addr.at_type); 570 kau_write(rec, tok); 571 tok = au_to_arg32(1, "setaudit_addr:port", 572 ar->ar_arg_termid_addr.at_port); 573 kau_write(rec, tok); 574 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 575 tok = au_to_in_addr_ex((struct in6_addr *) 576 &ar->ar_arg_termid_addr.at_addr[0]); 577 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 578 tok = au_to_in_addr((struct in_addr *) 579 &ar->ar_arg_termid_addr.at_addr[0]); 580 kau_write(rec, tok); 581 } 582 break; 583 584 case AUE_AUDITON: 585 /* 586 * For AUDITON commands without own event, audit the cmd. 587 */ 588 if (ARG_IS_VALID(kar, ARG_CMD)) { 589 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 590 kau_write(rec, tok); 591 } 592 /* FALLTHROUGH */ 593 594 case AUE_AUDITON_GETCAR: 595 case AUE_AUDITON_GETCLASS: 596 case AUE_AUDITON_GETCOND: 597 case AUE_AUDITON_GETCWD: 598 case AUE_AUDITON_GETKMASK: 599 case AUE_AUDITON_GETSTAT: 600 case AUE_AUDITON_GPOLICY: 601 case AUE_AUDITON_GQCTRL: 602 case AUE_AUDITON_SETCLASS: 603 case AUE_AUDITON_SETCOND: 604 case AUE_AUDITON_SETKMASK: 605 case AUE_AUDITON_SETSMASK: 606 case AUE_AUDITON_SETSTAT: 607 case AUE_AUDITON_SETUMASK: 608 case AUE_AUDITON_SPOLICY: 609 case AUE_AUDITON_SQCTRL: 610 if (ARG_IS_VALID(kar, ARG_AUDITON)) 611 audit_sys_auditon(ar, rec); 612 break; 613 614 case AUE_AUDITCTL: 615 UPATH1_VNODE1_TOKENS; 616 break; 617 618 case AUE_EXIT: 619 if (ARG_IS_VALID(kar, ARG_EXIT)) { 620 tok = au_to_exit(ar->ar_arg_exitretval, 621 ar->ar_arg_exitstatus); 622 kau_write(rec, tok); 623 } 624 break; 625 626 case AUE_ADJTIME: 627 case AUE_CLOCK_SETTIME: 628 case AUE_AUDIT: 629 case AUE_DUP2: 630 case AUE_GETAUDIT: 631 case AUE_GETAUDIT_ADDR: 632 case AUE_GETAUID: 633 case AUE_GETCWD: 634 case AUE_GETFSSTAT: 635 case AUE_GETRESUID: 636 case AUE_GETRESGID: 637 case AUE_KQUEUE: 638 case AUE_LSEEK: 639 case AUE_MODLOAD: 640 case AUE_MODUNLOAD: 641 case AUE_MSGSYS: 642 case AUE_NTP_ADJTIME: 643 case AUE_PIPE: 644 case AUE_PROFILE: 645 case AUE_RTPRIO: 646 case AUE_SEMSYS: 647 case AUE_SHMSYS: 648 case AUE_SETPGRP: 649 case AUE_SETRLIMIT: 650 case AUE_SETSID: 651 case AUE_SETTIMEOFDAY: 652 case AUE_SYSARCH: 653 654 /* 655 * Header, subject, and return tokens added at end. 656 */ 657 break; 658 659 case AUE_MKFIFO: 660 if (ARG_IS_VALID(kar, ARG_MODE)) { 661 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 662 kau_write(rec, tok); 663 } 664 /* FALLTHROUGH */ 665 666 case AUE_ACCESS: 667 case AUE_CHDIR: 668 case AUE_CHROOT: 669 case AUE_EACCESS: 670 case AUE_GETATTRLIST: 671 case AUE_JAIL: 672 case AUE_LUTIMES: 673 case AUE_NFS_GETFH: 674 case AUE_LSTAT: 675 case AUE_PATHCONF: 676 case AUE_READLINK: 677 case AUE_REVOKE: 678 case AUE_RMDIR: 679 case AUE_SEARCHFS: 680 case AUE_SETATTRLIST: 681 case AUE_STAT: 682 case AUE_STATFS: 683 case AUE_SWAPON: 684 case AUE_SWAPOFF: 685 case AUE_TRUNCATE: 686 case AUE_UNDELETE: 687 case AUE_UNLINK: 688 case AUE_UTIMES: 689 UPATH1_VNODE1_TOKENS; 690 break; 691 692 case AUE_FHSTATFS: 693 case AUE_FHOPEN: 694 case AUE_FHSTAT: 695 /* XXXRW: Need to audit vnode argument. */ 696 break; 697 698 case AUE_CHFLAGS: 699 case AUE_LCHFLAGS: 700 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 701 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 702 kau_write(rec, tok); 703 } 704 UPATH1_VNODE1_TOKENS; 705 break; 706 707 case AUE_CHMOD: 708 case AUE_LCHMOD: 709 if (ARG_IS_VALID(kar, ARG_MODE)) { 710 tok = au_to_arg32(2, "new file mode", 711 ar->ar_arg_mode); 712 kau_write(rec, tok); 713 } 714 UPATH1_VNODE1_TOKENS; 715 break; 716 717 case AUE_CHOWN: 718 case AUE_LCHOWN: 719 if (ARG_IS_VALID(kar, ARG_UID)) { 720 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 721 kau_write(rec, tok); 722 } 723 if (ARG_IS_VALID(kar, ARG_GID)) { 724 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 725 kau_write(rec, tok); 726 } 727 UPATH1_VNODE1_TOKENS; 728 break; 729 730 case AUE_EXCHANGEDATA: 731 UPATH1_VNODE1_TOKENS; 732 UPATH2_TOKENS; 733 break; 734 735 case AUE_CLOSE: 736 if (ARG_IS_VALID(kar, ARG_FD)) { 737 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 738 kau_write(rec, tok); 739 } 740 UPATH1_VNODE1_TOKENS; 741 break; 742 743 case AUE_CORE: 744 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 745 tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 746 kau_write(rec, tok); 747 } 748 UPATH1_VNODE1_TOKENS; 749 break; 750 751 case AUE_EXTATTRCTL: 752 UPATH1_VNODE1_TOKENS; 753 if (ARG_IS_VALID(kar, ARG_CMD)) { 754 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 755 kau_write(rec, tok); 756 } 757 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 758 UPATH2_TOKENS; 759 VNODE2_TOKENS; 760 EXTATTR_TOKENS; 761 break; 762 763 case AUE_EXTATTR_GET_FILE: 764 case AUE_EXTATTR_SET_FILE: 765 case AUE_EXTATTR_LIST_FILE: 766 case AUE_EXTATTR_DELETE_FILE: 767 case AUE_EXTATTR_GET_LINK: 768 case AUE_EXTATTR_SET_LINK: 769 case AUE_EXTATTR_LIST_LINK: 770 case AUE_EXTATTR_DELETE_LINK: 771 UPATH1_VNODE1_TOKENS; 772 EXTATTR_TOKENS; 773 break; 774 775 case AUE_EXTATTR_GET_FD: 776 case AUE_EXTATTR_SET_FD: 777 case AUE_EXTATTR_LIST_FD: 778 case AUE_EXTATTR_DELETE_FD: 779 if (ARG_IS_VALID(kar, ARG_FD)) { 780 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 781 kau_write(rec, tok); 782 } 783 EXTATTR_TOKENS; 784 break; 785 786 case AUE_FEXECVE: 787 if (ARG_IS_VALID(kar, ARG_FD)) { 788 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 789 kau_write(rec, tok); 790 } 791 /* FALLTHROUGH */ 792 793 case AUE_EXECVE: 794 case AUE_MAC_EXECVE: 795 if (ARG_IS_VALID(kar, ARG_ARGV)) { 796 tok = au_to_exec_args(ar->ar_arg_argv, 797 ar->ar_arg_argc); 798 kau_write(rec, tok); 799 } 800 if (ARG_IS_VALID(kar, ARG_ENVV)) { 801 tok = au_to_exec_env(ar->ar_arg_envv, 802 ar->ar_arg_envc); 803 kau_write(rec, tok); 804 } 805 UPATH1_VNODE1_TOKENS; 806 break; 807 808 case AUE_FCHMOD: 809 if (ARG_IS_VALID(kar, ARG_MODE)) { 810 tok = au_to_arg32(2, "new file mode", 811 ar->ar_arg_mode); 812 kau_write(rec, tok); 813 } 814 FD_VNODE1_TOKENS; 815 break; 816 817 /* 818 * XXXRW: Some of these need to handle non-vnode cases as well. 819 */ 820 case AUE_FCHDIR: 821 case AUE_FPATHCONF: 822 case AUE_FSTAT: 823 case AUE_FSTATFS: 824 case AUE_FSYNC: 825 case AUE_FTRUNCATE: 826 case AUE_FUTIMES: 827 case AUE_GETDIRENTRIES: 828 case AUE_GETDIRENTRIESATTR: 829 case AUE_POLL: 830 case AUE_READ: 831 case AUE_READV: 832 case AUE_WRITE: 833 case AUE_WRITEV: 834 FD_VNODE1_TOKENS; 835 break; 836 837 case AUE_FCHOWN: 838 if (ARG_IS_VALID(kar, ARG_UID)) { 839 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 840 kau_write(rec, tok); 841 } 842 if (ARG_IS_VALID(kar, ARG_GID)) { 843 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 844 kau_write(rec, tok); 845 } 846 FD_VNODE1_TOKENS; 847 break; 848 849 case AUE_FCNTL: 850 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 851 ar->ar_arg_cmd == F_SETLKW) { 852 if (ARG_IS_VALID(kar, ARG_CMD)) { 853 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 854 kau_write(rec, tok); 855 } 856 FD_VNODE1_TOKENS; 857 } 858 break; 859 860 case AUE_FCHFLAGS: 861 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 862 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 863 kau_write(rec, tok); 864 } 865 FD_VNODE1_TOKENS; 866 break; 867 868 case AUE_FLOCK: 869 if (ARG_IS_VALID(kar, ARG_CMD)) { 870 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 871 kau_write(rec, tok); 872 } 873 FD_VNODE1_TOKENS; 874 break; 875 876 case AUE_RFORK: 877 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 878 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 879 kau_write(rec, tok); 880 } 881 /* FALLTHROUGH */ 882 883 case AUE_FORK: 884 case AUE_VFORK: 885 if (ARG_IS_VALID(kar, ARG_PID)) { 886 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 887 kau_write(rec, tok); 888 } 889 break; 890 891 case AUE_IOCTL: 892 if (ARG_IS_VALID(kar, ARG_CMD)) { 893 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 894 kau_write(rec, tok); 895 } 896 if (ARG_IS_VALID(kar, ARG_ADDR)) { 897 tok = au_to_arg32(1, "arg", 898 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 899 kau_write(rec, tok); 900 } 901 if (ARG_IS_VALID(kar, ARG_VNODE1)) 902 FD_VNODE1_TOKENS; 903 else { 904 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 905 tok = kau_to_socket(&ar->ar_arg_sockinfo); 906 kau_write(rec, tok); 907 } else { 908 if (ARG_IS_VALID(kar, ARG_FD)) { 909 tok = au_to_arg32(1, "fd", 910 ar->ar_arg_fd); 911 kau_write(rec, tok); 912 } 913 } 914 } 915 break; 916 917 case AUE_KILL: 918 case AUE_KILLPG: 919 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 920 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 921 kau_write(rec, tok); 922 } 923 PROCESS_PID_TOKENS(1); 924 break; 925 926 case AUE_KTRACE: 927 if (ARG_IS_VALID(kar, ARG_CMD)) { 928 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 929 kau_write(rec, tok); 930 } 931 if (ARG_IS_VALID(kar, ARG_VALUE)) { 932 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 933 kau_write(rec, tok); 934 } 935 PROCESS_PID_TOKENS(4); 936 UPATH1_VNODE1_TOKENS; 937 break; 938 939 case AUE_LINK: 940 case AUE_RENAME: 941 UPATH1_VNODE1_TOKENS; 942 UPATH2_TOKENS; 943 break; 944 945 case AUE_LOADSHFILE: 946 if (ARG_IS_VALID(kar, ARG_ADDR)) { 947 tok = au_to_arg32(4, "base addr", 948 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 949 kau_write(rec, tok); 950 } 951 UPATH1_VNODE1_TOKENS; 952 break; 953 954 case AUE_MKDIR: 955 if (ARG_IS_VALID(kar, ARG_MODE)) { 956 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 957 kau_write(rec, tok); 958 } 959 UPATH1_VNODE1_TOKENS; 960 break; 961 962 case AUE_MKNOD: 963 if (ARG_IS_VALID(kar, ARG_MODE)) { 964 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 965 kau_write(rec, tok); 966 } 967 if (ARG_IS_VALID(kar, ARG_DEV)) { 968 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 969 kau_write(rec, tok); 970 } 971 UPATH1_VNODE1_TOKENS; 972 break; 973 974 case AUE_MMAP: 975 case AUE_MUNMAP: 976 case AUE_MPROTECT: 977 case AUE_MLOCK: 978 case AUE_MUNLOCK: 979 case AUE_MINHERIT: 980 if (ARG_IS_VALID(kar, ARG_ADDR)) { 981 tok = au_to_arg32(1, "addr", 982 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 983 kau_write(rec, tok); 984 } 985 if (ARG_IS_VALID(kar, ARG_LEN)) { 986 tok = au_to_arg32(2, "len", ar->ar_arg_len); 987 kau_write(rec, tok); 988 } 989 if (ar->ar_event == AUE_MMAP) 990 FD_VNODE1_TOKENS; 991 if (ar->ar_event == AUE_MPROTECT) { 992 if (ARG_IS_VALID(kar, ARG_VALUE)) { 993 tok = au_to_arg32(3, "protection", 994 ar->ar_arg_value); 995 kau_write(rec, tok); 996 } 997 } 998 if (ar->ar_event == AUE_MINHERIT) { 999 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1000 tok = au_to_arg32(3, "inherit", 1001 ar->ar_arg_value); 1002 kau_write(rec, tok); 1003 } 1004 } 1005 break; 1006 1007 case AUE_MOUNT: 1008 case AUE_NMOUNT: 1009 /* XXX Need to handle NFS mounts */ 1010 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1011 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1012 kau_write(rec, tok); 1013 } 1014 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1015 tok = au_to_text(ar->ar_arg_text); 1016 kau_write(rec, tok); 1017 } 1018 /* FALLTHROUGH */ 1019 1020 case AUE_NFS_SVC: 1021 if (ARG_IS_VALID(kar, ARG_CMD)) { 1022 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1023 kau_write(rec, tok); 1024 } 1025 break; 1026 1027 case AUE_UMOUNT: 1028 UPATH1_VNODE1_TOKENS; 1029 break; 1030 1031 case AUE_MSGCTL: 1032 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1033 /* Fall through */ 1034 1035 case AUE_MSGRCV: 1036 case AUE_MSGSND: 1037 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1038 kau_write(rec, tok); 1039 if (ar->ar_errno != EINVAL) { 1040 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1041 kau_write(rec, tok); 1042 } 1043 break; 1044 1045 case AUE_MSGGET: 1046 if (ar->ar_errno == 0) { 1047 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1048 tok = au_to_ipc(AT_IPC_MSG, 1049 ar->ar_arg_svipc_id); 1050 kau_write(rec, tok); 1051 } 1052 } 1053 break; 1054 1055 case AUE_RESETSHFILE: 1056 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1057 tok = au_to_arg32(1, "base addr", 1058 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1059 kau_write(rec, tok); 1060 } 1061 break; 1062 1063 case AUE_OPEN_RC: 1064 case AUE_OPEN_RTC: 1065 case AUE_OPEN_RWC: 1066 case AUE_OPEN_RWTC: 1067 case AUE_OPEN_WC: 1068 case AUE_OPEN_WTC: 1069 case AUE_CREAT: 1070 if (ARG_IS_VALID(kar, ARG_MODE)) { 1071 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1072 kau_write(rec, tok); 1073 } 1074 /* FALLTHROUGH */ 1075 1076 case AUE_OPEN_R: 1077 case AUE_OPEN_RT: 1078 case AUE_OPEN_RW: 1079 case AUE_OPEN_RWT: 1080 case AUE_OPEN_W: 1081 case AUE_OPEN_WT: 1082 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1083 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1084 kau_write(rec, tok); 1085 } 1086 UPATH1_VNODE1_TOKENS; 1087 break; 1088 1089 case AUE_PTRACE: 1090 if (ARG_IS_VALID(kar, ARG_CMD)) { 1091 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1092 kau_write(rec, tok); 1093 } 1094 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1095 tok = au_to_arg32(3, "addr", 1096 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1097 kau_write(rec, tok); 1098 } 1099 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1100 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1101 kau_write(rec, tok); 1102 } 1103 PROCESS_PID_TOKENS(2); 1104 break; 1105 1106 case AUE_QUOTACTL: 1107 if (ARG_IS_VALID(kar, ARG_CMD)) { 1108 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1109 kau_write(rec, tok); 1110 } 1111 if (ARG_IS_VALID(kar, ARG_UID)) { 1112 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1113 kau_write(rec, tok); 1114 } 1115 UPATH1_VNODE1_TOKENS; 1116 break; 1117 1118 case AUE_REBOOT: 1119 if (ARG_IS_VALID(kar, ARG_CMD)) { 1120 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1121 kau_write(rec, tok); 1122 } 1123 break; 1124 1125 case AUE_SEMCTL: 1126 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1127 /* Fall through */ 1128 1129 case AUE_SEMOP: 1130 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1131 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1132 kau_write(rec, tok); 1133 if (ar->ar_errno != EINVAL) { 1134 tok = au_to_ipc(AT_IPC_SEM, 1135 ar->ar_arg_svipc_id); 1136 kau_write(rec, tok); 1137 } 1138 } 1139 break; 1140 1141 case AUE_SEMGET: 1142 if (ar->ar_errno == 0) { 1143 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1144 tok = au_to_ipc(AT_IPC_SEM, 1145 ar->ar_arg_svipc_id); 1146 kau_write(rec, tok); 1147 } 1148 } 1149 break; 1150 1151 case AUE_SETEGID: 1152 if (ARG_IS_VALID(kar, ARG_EGID)) { 1153 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1154 kau_write(rec, tok); 1155 } 1156 break; 1157 1158 case AUE_SETEUID: 1159 if (ARG_IS_VALID(kar, ARG_EUID)) { 1160 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1161 kau_write(rec, tok); 1162 } 1163 break; 1164 1165 case AUE_SETREGID: 1166 if (ARG_IS_VALID(kar, ARG_RGID)) { 1167 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1168 kau_write(rec, tok); 1169 } 1170 if (ARG_IS_VALID(kar, ARG_EGID)) { 1171 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1172 kau_write(rec, tok); 1173 } 1174 break; 1175 1176 case AUE_SETREUID: 1177 if (ARG_IS_VALID(kar, ARG_RUID)) { 1178 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1179 kau_write(rec, tok); 1180 } 1181 if (ARG_IS_VALID(kar, ARG_EUID)) { 1182 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1183 kau_write(rec, tok); 1184 } 1185 break; 1186 1187 case AUE_SETRESGID: 1188 if (ARG_IS_VALID(kar, ARG_RGID)) { 1189 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1190 kau_write(rec, tok); 1191 } 1192 if (ARG_IS_VALID(kar, ARG_EGID)) { 1193 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1194 kau_write(rec, tok); 1195 } 1196 if (ARG_IS_VALID(kar, ARG_SGID)) { 1197 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1198 kau_write(rec, tok); 1199 } 1200 break; 1201 1202 case AUE_SETRESUID: 1203 if (ARG_IS_VALID(kar, ARG_RUID)) { 1204 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1205 kau_write(rec, tok); 1206 } 1207 if (ARG_IS_VALID(kar, ARG_EUID)) { 1208 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1209 kau_write(rec, tok); 1210 } 1211 if (ARG_IS_VALID(kar, ARG_SUID)) { 1212 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1213 kau_write(rec, tok); 1214 } 1215 break; 1216 1217 case AUE_SETGID: 1218 if (ARG_IS_VALID(kar, ARG_GID)) { 1219 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1220 kau_write(rec, tok); 1221 } 1222 break; 1223 1224 case AUE_SETUID: 1225 if (ARG_IS_VALID(kar, ARG_UID)) { 1226 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1227 kau_write(rec, tok); 1228 } 1229 break; 1230 1231 case AUE_SETGROUPS: 1232 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1233 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1234 { 1235 tok = au_to_arg32(1, "setgroups", 1236 ar->ar_arg_groups.gidset[ctr]); 1237 kau_write(rec, tok); 1238 } 1239 } 1240 break; 1241 1242 case AUE_SETLOGIN: 1243 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1244 tok = au_to_text(ar->ar_arg_text); 1245 kau_write(rec, tok); 1246 } 1247 break; 1248 1249 case AUE_SETPRIORITY: 1250 if (ARG_IS_VALID(kar, ARG_CMD)) { 1251 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1252 kau_write(rec, tok); 1253 } 1254 if (ARG_IS_VALID(kar, ARG_UID)) { 1255 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1256 kau_write(rec, tok); 1257 } 1258 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1259 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1260 kau_write(rec, tok); 1261 } 1262 break; 1263 1264 case AUE_SETPRIVEXEC: 1265 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1266 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1267 kau_write(rec, tok); 1268 } 1269 break; 1270 1271 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1272 case AUE_SHMAT: 1273 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1274 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1275 kau_write(rec, tok); 1276 /* XXXAUDIT: Does having the ipc token make sense? */ 1277 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1278 kau_write(rec, tok); 1279 } 1280 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1281 tok = au_to_arg32(2, "shmaddr", 1282 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1283 kau_write(rec, tok); 1284 } 1285 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1286 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1287 kau_write(rec, tok); 1288 } 1289 break; 1290 1291 case AUE_SHMCTL: 1292 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1293 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1294 kau_write(rec, tok); 1295 /* XXXAUDIT: Does having the ipc token make sense? */ 1296 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1297 kau_write(rec, tok); 1298 } 1299 switch (ar->ar_arg_svipc_cmd) { 1300 case IPC_STAT: 1301 ar->ar_event = AUE_SHMCTL_STAT; 1302 break; 1303 case IPC_RMID: 1304 ar->ar_event = AUE_SHMCTL_RMID; 1305 break; 1306 case IPC_SET: 1307 ar->ar_event = AUE_SHMCTL_SET; 1308 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1309 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1310 kau_write(rec, tok); 1311 } 1312 break; 1313 default: 1314 break; /* We will audit a bad command */ 1315 } 1316 break; 1317 1318 case AUE_SHMDT: 1319 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1320 tok = au_to_arg32(1, "shmaddr", 1321 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1322 kau_write(rec, tok); 1323 } 1324 break; 1325 1326 case AUE_SHMGET: 1327 /* This is unusual; the return value is in an argument token */ 1328 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1329 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1330 kau_write(rec, tok); 1331 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1332 kau_write(rec, tok); 1333 } 1334 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1335 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1336 kau_write(rec, tok); 1337 } 1338 break; 1339 1340 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1341 * and AUE_SEMUNLINK are Posix IPC */ 1342 case AUE_SHMOPEN: 1343 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1344 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1345 kau_write(rec, tok); 1346 } 1347 if (ARG_IS_VALID(kar, ARG_MODE)) { 1348 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1349 kau_write(rec, tok); 1350 } 1351 /* FALLTHROUGH */ 1352 1353 case AUE_SHMUNLINK: 1354 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1355 tok = au_to_text(ar->ar_arg_text); 1356 kau_write(rec, tok); 1357 } 1358 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1359 struct ipc_perm perm; 1360 1361 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1362 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1363 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1364 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1365 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1366 perm.seq = 0; 1367 perm.key = 0; 1368 tok = au_to_ipc_perm(&perm); 1369 kau_write(rec, tok); 1370 } 1371 break; 1372 1373 case AUE_SEMOPEN: 1374 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1375 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1376 kau_write(rec, tok); 1377 } 1378 if (ARG_IS_VALID(kar, ARG_MODE)) { 1379 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1380 kau_write(rec, tok); 1381 } 1382 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1383 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1384 kau_write(rec, tok); 1385 } 1386 /* FALLTHROUGH */ 1387 1388 case AUE_SEMUNLINK: 1389 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1390 tok = au_to_text(ar->ar_arg_text); 1391 kau_write(rec, tok); 1392 } 1393 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1394 struct ipc_perm perm; 1395 1396 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1397 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1398 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1399 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1400 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1401 perm.seq = 0; 1402 perm.key = 0; 1403 tok = au_to_ipc_perm(&perm); 1404 kau_write(rec, tok); 1405 } 1406 break; 1407 1408 case AUE_SEMCLOSE: 1409 if (ARG_IS_VALID(kar, ARG_FD)) { 1410 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1411 kau_write(rec, tok); 1412 } 1413 break; 1414 1415 case AUE_SYMLINK: 1416 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1417 tok = au_to_text(ar->ar_arg_text); 1418 kau_write(rec, tok); 1419 } 1420 UPATH1_VNODE1_TOKENS; 1421 break; 1422 1423 case AUE_SYSCTL: 1424 case AUE_SYSCTL_NONADMIN: 1425 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1426 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1427 tok = au_to_arg32(1, "name", 1428 ar->ar_arg_ctlname[ctr]); 1429 kau_write(rec, tok); 1430 } 1431 } 1432 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1433 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1434 kau_write(rec, tok); 1435 } 1436 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1437 tok = au_to_text(ar->ar_arg_text); 1438 kau_write(rec, tok); 1439 } 1440 break; 1441 1442 case AUE_UMASK: 1443 if (ARG_IS_VALID(kar, ARG_MASK)) { 1444 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1445 kau_write(rec, tok); 1446 } 1447 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1448 kau_write(rec, tok); 1449 break; 1450 1451 case AUE_WAIT4: 1452 if (ARG_IS_VALID(kar, ARG_PID)) { 1453 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1454 kau_write(rec, tok); 1455 } 1456 break; 1457 1458 case AUE_NULL: 1459 default: 1460 printf("BSM conversion requested for unknown event %d\n", 1461 ar->ar_event); 1462 1463 /* 1464 * Write the subject token so it is properly freed here. 1465 */ 1466 kau_write(rec, subj_tok); 1467 kau_free(rec); 1468 return (BSM_NOAUDIT); 1469 } 1470 1471 kau_write(rec, subj_tok); 1472 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1473 kau_write(rec, tok); /* Every record gets a return token */ 1474 1475 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1476 1477 *pau = rec; 1478 return (BSM_SUCCESS); 1479 } 1480 1481 /* 1482 * Verify that a record is a valid BSM record. This verification is simple 1483 * now, but may be expanded on sometime in the future. Return 1 if the 1484 * record is good, 0 otherwise. 1485 */ 1486 int 1487 bsm_rec_verify(void *rec) 1488 { 1489 char c = *(char *)rec; 1490 1491 /* 1492 * Check the token ID of the first token; it has to be a header 1493 * token. 1494 * 1495 * XXXAUDIT There needs to be a token structure to map a token. 1496 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1497 */ 1498 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1499 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1500 return (0); 1501 return (1); 1502 } 1503