1 /* 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2009 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include <sys/param.h> 42 #include <sys/vnode.h> 43 #include <sys/ipc.h> 44 #include <sys/lock.h> 45 #include <sys/malloc.h> 46 #include <sys/mutex.h> 47 #include <sys/socket.h> 48 #include <sys/extattr.h> 49 #include <sys/fcntl.h> 50 #include <sys/user.h> 51 #include <sys/systm.h> 52 53 #include <bsm/audit.h> 54 #include <bsm/audit_internal.h> 55 #include <bsm/audit_record.h> 56 #include <bsm/audit_kevents.h> 57 58 #include <security/audit/audit.h> 59 #include <security/audit/audit_private.h> 60 61 #include <netinet/in_systm.h> 62 #include <netinet/in.h> 63 #include <netinet/ip.h> 64 65 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 66 67 static void audit_sys_auditon(struct audit_record *ar, 68 struct au_record *rec); 69 70 /* 71 * Initialize the BSM auditing subsystem. 72 */ 73 void 74 kau_init(void) 75 { 76 77 au_evclassmap_init(); 78 au_evnamemap_init(); 79 } 80 81 /* 82 * This call reserves memory for the audit record. Memory must be guaranteed 83 * before any auditable event can be generated. The au_record structure 84 * maintains a reference to the memory allocated above and also the list of 85 * tokens associated with this record. 86 */ 87 static struct au_record * 88 kau_open(void) 89 { 90 struct au_record *rec; 91 92 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 93 rec->data = NULL; 94 TAILQ_INIT(&rec->token_q); 95 rec->len = 0; 96 rec->used = 1; 97 98 return (rec); 99 } 100 101 /* 102 * Store the token with the record descriptor. 103 */ 104 static void 105 kau_write(struct au_record *rec, struct au_token *tok) 106 { 107 108 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 109 110 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 111 rec->len += tok->len; 112 } 113 114 /* 115 * Close out the audit record by adding the header token, identifying any 116 * missing tokens. Write out the tokens to the record memory. 117 */ 118 static void 119 kau_close(struct au_record *rec, struct timespec *ctime, short event) 120 { 121 u_char *dptr; 122 size_t tot_rec_size; 123 token_t *cur, *hdr, *trail; 124 struct timeval tm; 125 size_t hdrsize; 126 struct auditinfo_addr ak; 127 struct in6_addr *ap; 128 129 audit_get_kinfo(&ak); 130 hdrsize = 0; 131 switch (ak.ai_termid.at_type) { 132 case AU_IPv4: 133 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 134 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 135 break; 136 case AU_IPv6: 137 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 138 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 139 AUDIT_HEADER_EX_SIZE(&ak); 140 break; 141 default: 142 panic("kau_close: invalid address family"); 143 } 144 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 145 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 146 147 tm.tv_usec = ctime->tv_nsec / 1000; 148 tm.tv_sec = ctime->tv_sec; 149 if (hdrsize != AUDIT_HEADER_SIZE) 150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 151 else 152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 153 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 154 155 trail = au_to_trailer(tot_rec_size); 156 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 157 158 rec->len = tot_rec_size; 159 dptr = rec->data; 160 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 161 memcpy(dptr, cur->t_data, cur->len); 162 dptr += cur->len; 163 } 164 } 165 166 /* 167 * Free a BSM audit record by releasing all the tokens and clearing the audit 168 * record information. 169 */ 170 void 171 kau_free(struct au_record *rec) 172 { 173 struct au_token *tok; 174 175 /* Free the token list. */ 176 while ((tok = TAILQ_FIRST(&rec->token_q))) { 177 TAILQ_REMOVE(&rec->token_q, tok, tokens); 178 free(tok->t_data, M_AUDITBSM); 179 free(tok, M_AUDITBSM); 180 } 181 182 rec->used = 0; 183 rec->len = 0; 184 free(rec->data, M_AUDITBSM); 185 free(rec, M_AUDITBSM); 186 } 187 188 /* 189 * XXX: May want turn some (or all) of these macros into functions in order 190 * to reduce the generated code size. 191 * 192 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 193 * caller are OK with this. 194 */ 195 #define ATFD1_TOKENS(argnum) do { \ 196 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 197 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 198 kau_write(rec, tok); \ 199 } \ 200 } while (0) 201 202 #define ATFD2_TOKENS(argnum) do { \ 203 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 204 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 205 kau_write(rec, tok); \ 206 } \ 207 } while (0) 208 209 #define UPATH1_TOKENS do { \ 210 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 211 tok = au_to_path(ar->ar_arg_upath1); \ 212 kau_write(rec, tok); \ 213 } \ 214 } while (0) 215 216 #define UPATH2_TOKENS do { \ 217 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 218 tok = au_to_path(ar->ar_arg_upath2); \ 219 kau_write(rec, tok); \ 220 } \ 221 } while (0) 222 223 #define VNODE1_TOKENS do { \ 224 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 225 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 226 kau_write(rec, tok); \ 227 } \ 228 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 229 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 230 kau_write(rec, tok); \ 231 } \ 232 } while (0) 233 234 #define UPATH1_VNODE1_TOKENS do { \ 235 UPATH1_TOKENS; \ 236 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 237 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 238 kau_write(rec, tok); \ 239 } \ 240 } while (0) 241 242 #define VNODE2_TOKENS do { \ 243 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 244 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 245 kau_write(rec, tok); \ 246 } \ 247 } while (0) 248 249 #define FD_VNODE1_TOKENS do { \ 250 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 251 if (ARG_IS_VALID(kar, ARG_FD)) { \ 252 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 253 kau_write(rec, tok); \ 254 } \ 255 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 256 kau_write(rec, tok); \ 257 } else { \ 258 if (ARG_IS_VALID(kar, ARG_FD)) { \ 259 tok = au_to_arg32(1, "non-file: fd", \ 260 ar->ar_arg_fd); \ 261 kau_write(rec, tok); \ 262 } \ 263 } \ 264 } while (0) 265 266 #define PROCESS_PID_TOKENS(argn) do { \ 267 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 268 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 269 tok = au_to_process32_ex(ar->ar_arg_auid, \ 270 ar->ar_arg_euid, ar->ar_arg_egid, \ 271 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 272 ar->ar_arg_pid, ar->ar_arg_asid, \ 273 &ar->ar_arg_termid_addr); \ 274 kau_write(rec, tok); \ 275 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 276 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 277 kau_write(rec, tok); \ 278 } \ 279 } while (0) 280 281 #define EXTATTR_TOKENS(namespace_argnum) do { \ 282 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 283 switch (ar->ar_arg_value) { \ 284 case EXTATTR_NAMESPACE_USER: \ 285 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 286 break; \ 287 case EXTATTR_NAMESPACE_SYSTEM: \ 288 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 289 break; \ 290 default: \ 291 tok = au_to_arg32((namespace_argnum), \ 292 "attrnamespace", ar->ar_arg_value); \ 293 break; \ 294 } \ 295 kau_write(rec, tok); \ 296 } \ 297 /* attrname is in the text field */ \ 298 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 299 tok = au_to_text(ar->ar_arg_text); \ 300 kau_write(rec, tok); \ 301 } \ 302 } while (0) 303 304 /* 305 * Not all pointer arguments to system calls are of interest, but in some 306 * cases they reflect delegation of rights, such as mmap(2) followed by 307 * minherit(2) before execve(2), so do the best we can. 308 */ 309 #define ADDR_TOKEN(argnum, argname) do { \ 310 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 311 if (sizeof(void *) == sizeof(uint32_t)) \ 312 tok = au_to_arg32((argnum), (argname), \ 313 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 314 else \ 315 tok = au_to_arg64((argnum), (argname), \ 316 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 317 kau_write(rec, tok); \ 318 } \ 319 } while (0) 320 321 322 /* 323 * Implement auditing for the auditon() system call. The audit tokens that 324 * are generated depend on the command that was sent into the auditon() 325 * system call. 326 */ 327 static void 328 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 329 { 330 struct au_token *tok; 331 332 tok = au_to_arg32(3, "length", ar->ar_arg_len); 333 kau_write(rec, tok); 334 switch (ar->ar_arg_cmd) { 335 case A_OLDSETPOLICY: 336 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 337 tok = au_to_arg64(2, "policy", 338 ar->ar_arg_auditon.au_policy64); 339 kau_write(rec, tok); 340 break; 341 } 342 /* FALLTHROUGH */ 343 344 case A_SETPOLICY: 345 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 346 kau_write(rec, tok); 347 break; 348 349 case A_SETKMASK: 350 tok = au_to_arg32(2, "setkmask:as_success", 351 ar->ar_arg_auditon.au_mask.am_success); 352 kau_write(rec, tok); 353 tok = au_to_arg32(2, "setkmask:as_failure", 354 ar->ar_arg_auditon.au_mask.am_failure); 355 kau_write(rec, tok); 356 break; 357 358 case A_OLDSETQCTRL: 359 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 360 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 361 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_lowater", 364 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 365 kau_write(rec, tok); 366 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 367 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 368 kau_write(rec, tok); 369 tok = au_to_arg64(2, "setqctrl:aq_delay", 370 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 371 kau_write(rec, tok); 372 tok = au_to_arg64(2, "setqctrl:aq_minfree", 373 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 374 kau_write(rec, tok); 375 break; 376 } 377 /* FALLTHROUGH */ 378 379 case A_SETQCTRL: 380 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 381 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_lowater", 384 ar->ar_arg_auditon.au_qctrl.aq_lowater); 385 kau_write(rec, tok); 386 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 387 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 388 kau_write(rec, tok); 389 tok = au_to_arg32(2, "setqctrl:aq_delay", 390 ar->ar_arg_auditon.au_qctrl.aq_delay); 391 kau_write(rec, tok); 392 tok = au_to_arg32(2, "setqctrl:aq_minfree", 393 ar->ar_arg_auditon.au_qctrl.aq_minfree); 394 kau_write(rec, tok); 395 break; 396 397 case A_SETUMASK: 398 tok = au_to_arg32(2, "setumask:as_success", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 400 kau_write(rec, tok); 401 tok = au_to_arg32(2, "setumask:as_failure", 402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 403 kau_write(rec, tok); 404 break; 405 406 case A_SETSMASK: 407 tok = au_to_arg32(2, "setsmask:as_success", 408 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 409 kau_write(rec, tok); 410 tok = au_to_arg32(2, "setsmask:as_failure", 411 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 412 kau_write(rec, tok); 413 break; 414 415 case A_OLDSETCOND: 416 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 417 tok = au_to_arg64(2, "setcond", 418 ar->ar_arg_auditon.au_cond64); 419 kau_write(rec, tok); 420 break; 421 } 422 /* FALLTHROUGH */ 423 424 case A_SETCOND: 425 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 426 kau_write(rec, tok); 427 break; 428 429 case A_SETCLASS: 430 tok = au_to_arg32(2, "setclass:ec_event", 431 ar->ar_arg_auditon.au_evclass.ec_number); 432 kau_write(rec, tok); 433 tok = au_to_arg32(2, "setclass:ec_class", 434 ar->ar_arg_auditon.au_evclass.ec_class); 435 kau_write(rec, tok); 436 break; 437 438 case A_SETPMASK: 439 tok = au_to_arg32(2, "setpmask:as_success", 440 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 441 kau_write(rec, tok); 442 tok = au_to_arg32(2, "setpmask:as_failure", 443 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 444 kau_write(rec, tok); 445 break; 446 447 case A_SETFSIZE: 448 tok = au_to_arg32(2, "setfsize:filesize", 449 ar->ar_arg_auditon.au_fstat.af_filesz); 450 kau_write(rec, tok); 451 break; 452 453 default: 454 break; 455 } 456 } 457 458 /* 459 * Convert an internal kernel audit record to a BSM record and return a 460 * success/failure indicator. The BSM record is passed as an out parameter to 461 * this function. 462 * 463 * Return conditions: 464 * BSM_SUCCESS: The BSM record is valid 465 * BSM_FAILURE: Failure; the BSM record is NULL. 466 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 467 */ 468 int 469 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 470 { 471 struct au_token *tok, *subj_tok, *jail_tok; 472 struct au_record *rec; 473 au_tid_t tid; 474 struct audit_record *ar; 475 int ctr; 476 477 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 478 479 *pau = NULL; 480 ar = &kar->k_ar; 481 rec = kau_open(); 482 483 /* 484 * Create the subject token. If this credential was jailed be sure to 485 * generate a zonename token. 486 */ 487 if (ar->ar_jailname[0] != '\0') 488 jail_tok = au_to_zonename(ar->ar_jailname); 489 else 490 jail_tok = NULL; 491 switch (ar->ar_subj_term_addr.at_type) { 492 case AU_IPv4: 493 tid.port = ar->ar_subj_term_addr.at_port; 494 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 495 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 496 ar->ar_subj_cred.cr_uid, /* eff uid */ 497 ar->ar_subj_egid, /* eff group id */ 498 ar->ar_subj_ruid, /* real uid */ 499 ar->ar_subj_rgid, /* real group id */ 500 ar->ar_subj_pid, /* process id */ 501 ar->ar_subj_asid, /* session ID */ 502 &tid); 503 break; 504 case AU_IPv6: 505 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 506 ar->ar_subj_cred.cr_uid, 507 ar->ar_subj_egid, 508 ar->ar_subj_ruid, 509 ar->ar_subj_rgid, 510 ar->ar_subj_pid, 511 ar->ar_subj_asid, 512 &ar->ar_subj_term_addr); 513 break; 514 default: 515 bzero(&tid, sizeof(tid)); 516 subj_tok = au_to_subject32(ar->ar_subj_auid, 517 ar->ar_subj_cred.cr_uid, 518 ar->ar_subj_egid, 519 ar->ar_subj_ruid, 520 ar->ar_subj_rgid, 521 ar->ar_subj_pid, 522 ar->ar_subj_asid, 523 &tid); 524 } 525 526 /* 527 * The logic inside each case fills in the tokens required for the 528 * event, except for the header, trailer, and return tokens. The 529 * header and trailer tokens are added by the kau_close() function. 530 * The return token is added outside of the switch statement. 531 */ 532 switch(ar->ar_event) { 533 case AUE_ACCEPT: 534 if (ARG_IS_VALID(kar, ARG_FD)) { 535 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 536 kau_write(rec, tok); 537 } 538 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 539 tok = au_to_sock_inet((struct sockaddr_in *) 540 &ar->ar_arg_sockaddr); 541 kau_write(rec, tok); 542 } 543 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 544 tok = au_to_sock_unix((struct sockaddr_un *) 545 &ar->ar_arg_sockaddr); 546 kau_write(rec, tok); 547 UPATH1_TOKENS; 548 } 549 break; 550 551 case AUE_BIND: 552 case AUE_LISTEN: 553 case AUE_CONNECT: 554 case AUE_RECV: 555 case AUE_RECVFROM: 556 case AUE_RECVMSG: 557 case AUE_SEND: 558 case AUE_SENDMSG: 559 case AUE_SENDTO: 560 /* 561 * Socket-related events. 562 */ 563 if (ARG_IS_VALID(kar, ARG_FD)) { 564 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 565 kau_write(rec, tok); 566 } 567 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 568 tok = au_to_sock_inet((struct sockaddr_in *) 569 &ar->ar_arg_sockaddr); 570 kau_write(rec, tok); 571 } 572 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 573 tok = au_to_sock_unix((struct sockaddr_un *) 574 &ar->ar_arg_sockaddr); 575 kau_write(rec, tok); 576 UPATH1_TOKENS; 577 } 578 /* XXX Need to handle ARG_SADDRINET6 */ 579 break; 580 581 case AUE_BINDAT: 582 case AUE_CONNECTAT: 583 ATFD1_TOKENS(1); 584 if (ARG_IS_VALID(kar, ARG_FD)) { 585 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 586 kau_write(rec, tok); 587 } 588 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 589 tok = au_to_sock_unix((struct sockaddr_un *) 590 &ar->ar_arg_sockaddr); 591 kau_write(rec, tok); 592 UPATH1_TOKENS; 593 } 594 break; 595 596 case AUE_SENDFILE: 597 FD_VNODE1_TOKENS; 598 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 599 tok = au_to_sock_inet((struct sockaddr_in *) 600 &ar->ar_arg_sockaddr); 601 kau_write(rec, tok); 602 } 603 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 604 tok = au_to_sock_unix((struct sockaddr_un *) 605 &ar->ar_arg_sockaddr); 606 kau_write(rec, tok); 607 UPATH1_TOKENS; 608 } 609 /* XXX Need to handle ARG_SADDRINET6 */ 610 break; 611 612 case AUE_SOCKET: 613 case AUE_SOCKETPAIR: 614 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 615 tok = au_to_arg32(1, "domain", 616 ar->ar_arg_sockinfo.so_domain); 617 kau_write(rec, tok); 618 tok = au_to_arg32(2, "type", 619 ar->ar_arg_sockinfo.so_type); 620 kau_write(rec, tok); 621 tok = au_to_arg32(3, "protocol", 622 ar->ar_arg_sockinfo.so_protocol); 623 kau_write(rec, tok); 624 } 625 break; 626 627 case AUE_SETSOCKOPT: 628 case AUE_SHUTDOWN: 629 if (ARG_IS_VALID(kar, ARG_FD)) { 630 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 631 kau_write(rec, tok); 632 } 633 break; 634 635 case AUE_ACCT: 636 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 637 UPATH1_VNODE1_TOKENS; 638 } else { 639 tok = au_to_arg32(1, "accounting off", 0); 640 kau_write(rec, tok); 641 } 642 break; 643 644 case AUE_SETAUID: 645 if (ARG_IS_VALID(kar, ARG_AUID)) { 646 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 647 kau_write(rec, tok); 648 } 649 break; 650 651 case AUE_SETAUDIT: 652 if (ARG_IS_VALID(kar, ARG_AUID) && 653 ARG_IS_VALID(kar, ARG_ASID) && 654 ARG_IS_VALID(kar, ARG_AMASK) && 655 ARG_IS_VALID(kar, ARG_TERMID)) { 656 tok = au_to_arg32(1, "setaudit:auid", 657 ar->ar_arg_auid); 658 kau_write(rec, tok); 659 tok = au_to_arg32(1, "setaudit:port", 660 ar->ar_arg_termid.port); 661 kau_write(rec, tok); 662 tok = au_to_arg32(1, "setaudit:machine", 663 ar->ar_arg_termid.machine); 664 kau_write(rec, tok); 665 tok = au_to_arg32(1, "setaudit:as_success", 666 ar->ar_arg_amask.am_success); 667 kau_write(rec, tok); 668 tok = au_to_arg32(1, "setaudit:as_failure", 669 ar->ar_arg_amask.am_failure); 670 kau_write(rec, tok); 671 tok = au_to_arg32(1, "setaudit:asid", 672 ar->ar_arg_asid); 673 kau_write(rec, tok); 674 } 675 break; 676 677 case AUE_SETAUDIT_ADDR: 678 if (ARG_IS_VALID(kar, ARG_AUID) && 679 ARG_IS_VALID(kar, ARG_ASID) && 680 ARG_IS_VALID(kar, ARG_AMASK) && 681 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 682 tok = au_to_arg32(1, "setaudit_addr:auid", 683 ar->ar_arg_auid); 684 kau_write(rec, tok); 685 tok = au_to_arg32(1, "setaudit_addr:as_success", 686 ar->ar_arg_amask.am_success); 687 kau_write(rec, tok); 688 tok = au_to_arg32(1, "setaudit_addr:as_failure", 689 ar->ar_arg_amask.am_failure); 690 kau_write(rec, tok); 691 tok = au_to_arg32(1, "setaudit_addr:asid", 692 ar->ar_arg_asid); 693 kau_write(rec, tok); 694 tok = au_to_arg32(1, "setaudit_addr:type", 695 ar->ar_arg_termid_addr.at_type); 696 kau_write(rec, tok); 697 tok = au_to_arg32(1, "setaudit_addr:port", 698 ar->ar_arg_termid_addr.at_port); 699 kau_write(rec, tok); 700 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 701 tok = au_to_in_addr_ex((struct in6_addr *) 702 &ar->ar_arg_termid_addr.at_addr[0]); 703 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 704 tok = au_to_in_addr((struct in_addr *) 705 &ar->ar_arg_termid_addr.at_addr[0]); 706 kau_write(rec, tok); 707 } 708 break; 709 710 case AUE_AUDITON: 711 /* 712 * For AUDITON commands without own event, audit the cmd. 713 */ 714 if (ARG_IS_VALID(kar, ARG_CMD)) { 715 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 716 kau_write(rec, tok); 717 } 718 /* FALLTHROUGH */ 719 720 case AUE_AUDITON_GETCAR: 721 case AUE_AUDITON_GETCLASS: 722 case AUE_AUDITON_GETCOND: 723 case AUE_AUDITON_GETCWD: 724 case AUE_AUDITON_GETKMASK: 725 case AUE_AUDITON_GETSTAT: 726 case AUE_AUDITON_GPOLICY: 727 case AUE_AUDITON_GQCTRL: 728 case AUE_AUDITON_SETCLASS: 729 case AUE_AUDITON_SETCOND: 730 case AUE_AUDITON_SETKMASK: 731 case AUE_AUDITON_SETSMASK: 732 case AUE_AUDITON_SETSTAT: 733 case AUE_AUDITON_SETUMASK: 734 case AUE_AUDITON_SPOLICY: 735 case AUE_AUDITON_SQCTRL: 736 if (ARG_IS_VALID(kar, ARG_AUDITON)) 737 audit_sys_auditon(ar, rec); 738 break; 739 740 case AUE_AUDITCTL: 741 UPATH1_VNODE1_TOKENS; 742 break; 743 744 case AUE_EXIT: 745 if (ARG_IS_VALID(kar, ARG_EXIT)) { 746 tok = au_to_exit(ar->ar_arg_exitretval, 747 ar->ar_arg_exitstatus); 748 kau_write(rec, tok); 749 } 750 break; 751 752 case AUE_ADJTIME: 753 case AUE_CLOCK_SETTIME: 754 case AUE_AUDIT: 755 case AUE_DUP2: 756 case AUE_GETAUDIT: 757 case AUE_GETAUDIT_ADDR: 758 case AUE_GETAUID: 759 case AUE_GETCWD: 760 case AUE_GETFSSTAT: 761 case AUE_GETRESUID: 762 case AUE_GETRESGID: 763 case AUE_KQUEUE: 764 case AUE_MODLOAD: 765 case AUE_MODUNLOAD: 766 case AUE_MSGSYS: 767 case AUE_NTP_ADJTIME: 768 case AUE_PIPE: 769 case AUE_POSIX_OPENPT: 770 case AUE_PROFILE: 771 case AUE_RTPRIO: 772 case AUE_SEMSYS: 773 case AUE_SETFIB: 774 case AUE_SHMSYS: 775 case AUE_SETPGRP: 776 case AUE_SETRLIMIT: 777 case AUE_SETSID: 778 case AUE_SETTIMEOFDAY: 779 case AUE_SYSARCH: 780 781 /* 782 * Header, subject, and return tokens added at end. 783 */ 784 break; 785 786 case AUE_ACL_DELETE_FD: 787 case AUE_ACL_DELETE_FILE: 788 case AUE_ACL_CHECK_FD: 789 case AUE_ACL_CHECK_FILE: 790 case AUE_ACL_CHECK_LINK: 791 case AUE_ACL_DELETE_LINK: 792 case AUE_ACL_GET_FD: 793 case AUE_ACL_GET_FILE: 794 case AUE_ACL_GET_LINK: 795 case AUE_ACL_SET_FD: 796 case AUE_ACL_SET_FILE: 797 case AUE_ACL_SET_LINK: 798 if (ARG_IS_VALID(kar, ARG_VALUE)) { 799 tok = au_to_arg32(1, "type", ar->ar_arg_value); 800 kau_write(rec, tok); 801 } 802 ATFD1_TOKENS(1); 803 UPATH1_VNODE1_TOKENS; 804 break; 805 806 /* 807 * NB: We may want to verify that the appropriate 808 * audit args are being processed here, but I think 809 * a bit analysis is required. 810 * 811 * Process AUE_JAIL_SET in the next block so we can pickup any path 812 * related tokens that might exist. 813 */ 814 case AUE_JAIL_GET: 815 case AUE_JAIL_ATTACH: 816 case AUE_JAIL_REMOVE: 817 break; 818 819 case AUE_JAIL_SET: 820 case AUE_CHDIR: 821 case AUE_CHROOT: 822 case AUE_FSTATAT: 823 case AUE_FUTIMESAT: 824 case AUE_GETATTRLIST: 825 case AUE_JAIL: 826 case AUE_LUTIMES: 827 case AUE_NFS_GETFH: 828 case AUE_LGETFH: 829 case AUE_LSTAT: 830 case AUE_LPATHCONF: 831 case AUE_PATHCONF: 832 case AUE_READLINK: 833 case AUE_READLINKAT: 834 case AUE_REVOKE: 835 case AUE_RMDIR: 836 case AUE_SEARCHFS: 837 case AUE_SETATTRLIST: 838 case AUE_STAT: 839 case AUE_STATFS: 840 case AUE_SWAPON: 841 case AUE_SWAPOFF: 842 case AUE_TRUNCATE: 843 case AUE_UNDELETE: 844 case AUE_UNLINK: 845 case AUE_UNLINKAT: 846 case AUE_UTIMES: 847 case AUE_REALPATHAT: 848 ATFD1_TOKENS(1); 849 UPATH1_VNODE1_TOKENS; 850 break; 851 852 case AUE_ACCESS: 853 case AUE_EACCESS: 854 case AUE_FACCESSAT: 855 ATFD1_TOKENS(1); 856 UPATH1_VNODE1_TOKENS; 857 if (ARG_IS_VALID(kar, ARG_VALUE)) { 858 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 859 kau_write(rec, tok); 860 } 861 break; 862 863 case AUE_FHSTATFS: 864 case AUE_FHOPEN: 865 case AUE_FHSTAT: 866 /* XXXRW: Need to audit vnode argument. */ 867 break; 868 869 case AUE_CHFLAGS: 870 case AUE_LCHFLAGS: 871 case AUE_CHFLAGSAT: 872 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 873 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 874 kau_write(rec, tok); 875 } 876 UPATH1_VNODE1_TOKENS; 877 break; 878 879 case AUE_CHMOD: 880 case AUE_LCHMOD: 881 if (ARG_IS_VALID(kar, ARG_MODE)) { 882 tok = au_to_arg32(2, "new file mode", 883 ar->ar_arg_mode); 884 kau_write(rec, tok); 885 } 886 UPATH1_VNODE1_TOKENS; 887 break; 888 889 case AUE_FCHMODAT: 890 ATFD1_TOKENS(1); 891 if (ARG_IS_VALID(kar, ARG_MODE)) { 892 tok = au_to_arg32(3, "new file mode", 893 ar->ar_arg_mode); 894 kau_write(rec, tok); 895 } 896 UPATH1_VNODE1_TOKENS; 897 break; 898 899 case AUE_CHOWN: 900 case AUE_LCHOWN: 901 if (ARG_IS_VALID(kar, ARG_UID)) { 902 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 903 kau_write(rec, tok); 904 } 905 if (ARG_IS_VALID(kar, ARG_GID)) { 906 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 907 kau_write(rec, tok); 908 } 909 UPATH1_VNODE1_TOKENS; 910 break; 911 912 case AUE_FCHOWNAT: 913 ATFD1_TOKENS(1); 914 if (ARG_IS_VALID(kar, ARG_UID)) { 915 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 916 kau_write(rec, tok); 917 } 918 if (ARG_IS_VALID(kar, ARG_GID)) { 919 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 920 kau_write(rec, tok); 921 } 922 UPATH1_VNODE1_TOKENS; 923 break; 924 925 case AUE_EXCHANGEDATA: 926 UPATH1_VNODE1_TOKENS; 927 UPATH2_TOKENS; 928 break; 929 930 case AUE_CLOSE: 931 if (ARG_IS_VALID(kar, ARG_FD)) { 932 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 933 kau_write(rec, tok); 934 } 935 UPATH1_VNODE1_TOKENS; 936 break; 937 938 case AUE_CLOSEFROM: 939 if (ARG_IS_VALID(kar, ARG_FD)) { 940 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 941 kau_write(rec, tok); 942 } 943 break; 944 945 case AUE_CORE: 946 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 947 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 948 kau_write(rec, tok); 949 } 950 UPATH1_VNODE1_TOKENS; 951 break; 952 953 case AUE_EXTATTRCTL: 954 UPATH1_VNODE1_TOKENS; 955 if (ARG_IS_VALID(kar, ARG_CMD)) { 956 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 957 kau_write(rec, tok); 958 } 959 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 960 UPATH2_TOKENS; 961 VNODE2_TOKENS; 962 EXTATTR_TOKENS(4); 963 break; 964 965 case AUE_EXTATTR_GET_FILE: 966 case AUE_EXTATTR_SET_FILE: 967 case AUE_EXTATTR_LIST_FILE: 968 case AUE_EXTATTR_DELETE_FILE: 969 case AUE_EXTATTR_GET_LINK: 970 case AUE_EXTATTR_SET_LINK: 971 case AUE_EXTATTR_LIST_LINK: 972 case AUE_EXTATTR_DELETE_LINK: 973 UPATH1_VNODE1_TOKENS; 974 EXTATTR_TOKENS(2); 975 break; 976 977 case AUE_EXTATTR_GET_FD: 978 case AUE_EXTATTR_SET_FD: 979 case AUE_EXTATTR_LIST_FD: 980 case AUE_EXTATTR_DELETE_FD: 981 if (ARG_IS_VALID(kar, ARG_FD)) { 982 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 983 kau_write(rec, tok); 984 } 985 EXTATTR_TOKENS(2); 986 break; 987 988 case AUE_FEXECVE: 989 if (ARG_IS_VALID(kar, ARG_FD)) { 990 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 991 kau_write(rec, tok); 992 } 993 /* FALLTHROUGH */ 994 995 case AUE_EXECVE: 996 case AUE_MAC_EXECVE: 997 if (ARG_IS_VALID(kar, ARG_ARGV)) { 998 tok = au_to_exec_args(ar->ar_arg_argv, 999 ar->ar_arg_argc); 1000 kau_write(rec, tok); 1001 } 1002 if (ARG_IS_VALID(kar, ARG_ENVV)) { 1003 tok = au_to_exec_env(ar->ar_arg_envv, 1004 ar->ar_arg_envc); 1005 kau_write(rec, tok); 1006 } 1007 UPATH1_VNODE1_TOKENS; 1008 break; 1009 1010 case AUE_FCHMOD: 1011 if (ARG_IS_VALID(kar, ARG_MODE)) { 1012 tok = au_to_arg32(2, "new file mode", 1013 ar->ar_arg_mode); 1014 kau_write(rec, tok); 1015 } 1016 FD_VNODE1_TOKENS; 1017 break; 1018 1019 /* 1020 * XXXRW: Some of these need to handle non-vnode cases as well. 1021 */ 1022 case AUE_FCHDIR: 1023 case AUE_FPATHCONF: 1024 case AUE_FSTAT: 1025 case AUE_FSTATFS: 1026 case AUE_FSYNC: 1027 case AUE_FTRUNCATE: 1028 case AUE_FUTIMES: 1029 case AUE_GETDIRENTRIES: 1030 case AUE_GETDIRENTRIESATTR: 1031 case AUE_LSEEK: 1032 case AUE_POLL: 1033 case AUE_POSIX_FALLOCATE: 1034 case AUE_PREAD: 1035 case AUE_PWRITE: 1036 case AUE_READ: 1037 case AUE_READV: 1038 case AUE_WRITE: 1039 case AUE_WRITEV: 1040 FD_VNODE1_TOKENS; 1041 break; 1042 1043 case AUE_FCHOWN: 1044 if (ARG_IS_VALID(kar, ARG_UID)) { 1045 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1046 kau_write(rec, tok); 1047 } 1048 if (ARG_IS_VALID(kar, ARG_GID)) { 1049 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1050 kau_write(rec, tok); 1051 } 1052 FD_VNODE1_TOKENS; 1053 break; 1054 1055 case AUE_FCNTL: 1056 if (ARG_IS_VALID(kar, ARG_CMD)) { 1057 tok = au_to_arg32(2, "cmd", 1058 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1059 kau_write(rec, tok); 1060 } 1061 FD_VNODE1_TOKENS; 1062 break; 1063 1064 case AUE_FCHFLAGS: 1065 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1066 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1067 kau_write(rec, tok); 1068 } 1069 FD_VNODE1_TOKENS; 1070 break; 1071 1072 case AUE_FLOCK: 1073 if (ARG_IS_VALID(kar, ARG_CMD)) { 1074 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1075 kau_write(rec, tok); 1076 } 1077 FD_VNODE1_TOKENS; 1078 break; 1079 1080 case AUE_RFORK: 1081 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1082 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1083 kau_write(rec, tok); 1084 } 1085 /* FALLTHROUGH */ 1086 1087 case AUE_FORK: 1088 case AUE_VFORK: 1089 if (ARG_IS_VALID(kar, ARG_PID)) { 1090 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1091 kau_write(rec, tok); 1092 } 1093 break; 1094 1095 case AUE_IOCTL: 1096 if (ARG_IS_VALID(kar, ARG_CMD)) { 1097 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1098 kau_write(rec, tok); 1099 } 1100 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1101 FD_VNODE1_TOKENS; 1102 else { 1103 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1104 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1105 kau_write(rec, tok); 1106 } else { 1107 if (ARG_IS_VALID(kar, ARG_FD)) { 1108 tok = au_to_arg32(1, "fd", 1109 ar->ar_arg_fd); 1110 kau_write(rec, tok); 1111 } 1112 } 1113 } 1114 break; 1115 1116 case AUE_KILL: 1117 case AUE_KILLPG: 1118 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1119 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1120 kau_write(rec, tok); 1121 } 1122 PROCESS_PID_TOKENS(1); 1123 break; 1124 1125 case AUE_KTRACE: 1126 if (ARG_IS_VALID(kar, ARG_CMD)) { 1127 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1128 kau_write(rec, tok); 1129 } 1130 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1131 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1132 kau_write(rec, tok); 1133 } 1134 PROCESS_PID_TOKENS(4); 1135 UPATH1_VNODE1_TOKENS; 1136 break; 1137 1138 case AUE_LINK: 1139 case AUE_LINKAT: 1140 case AUE_RENAME: 1141 case AUE_RENAMEAT: 1142 ATFD1_TOKENS(1); 1143 UPATH1_VNODE1_TOKENS; 1144 ATFD2_TOKENS(3); 1145 UPATH2_TOKENS; 1146 break; 1147 1148 case AUE_LOADSHFILE: 1149 ADDR_TOKEN(4, "base addr"); 1150 UPATH1_VNODE1_TOKENS; 1151 break; 1152 1153 case AUE_MKDIR: 1154 case AUE_MKDIRAT: 1155 case AUE_MKFIFO: 1156 case AUE_MKFIFOAT: 1157 ATFD1_TOKENS(1); 1158 if (ARG_IS_VALID(kar, ARG_MODE)) { 1159 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1160 kau_write(rec, tok); 1161 } 1162 UPATH1_VNODE1_TOKENS; 1163 break; 1164 1165 case AUE_MKNOD: 1166 case AUE_MKNODAT: 1167 ATFD1_TOKENS(1); 1168 if (ARG_IS_VALID(kar, ARG_MODE)) { 1169 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1170 kau_write(rec, tok); 1171 } 1172 if (ARG_IS_VALID(kar, ARG_DEV)) { 1173 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1174 kau_write(rec, tok); 1175 } 1176 UPATH1_VNODE1_TOKENS; 1177 break; 1178 1179 case AUE_MMAP: 1180 case AUE_MUNMAP: 1181 case AUE_MPROTECT: 1182 case AUE_MLOCK: 1183 case AUE_MUNLOCK: 1184 case AUE_MINHERIT: 1185 ADDR_TOKEN(1, "addr"); 1186 if (ARG_IS_VALID(kar, ARG_LEN)) { 1187 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1188 kau_write(rec, tok); 1189 } 1190 if (ar->ar_event == AUE_MMAP) 1191 FD_VNODE1_TOKENS; 1192 if (ar->ar_event == AUE_MPROTECT) { 1193 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1194 tok = au_to_arg32(3, "protection", 1195 ar->ar_arg_value); 1196 kau_write(rec, tok); 1197 } 1198 } 1199 if (ar->ar_event == AUE_MINHERIT) { 1200 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1201 tok = au_to_arg32(3, "inherit", 1202 ar->ar_arg_value); 1203 kau_write(rec, tok); 1204 } 1205 } 1206 break; 1207 1208 case AUE_MOUNT: 1209 case AUE_NMOUNT: 1210 /* XXX Need to handle NFS mounts */ 1211 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1212 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1213 kau_write(rec, tok); 1214 } 1215 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1216 tok = au_to_text(ar->ar_arg_text); 1217 kau_write(rec, tok); 1218 } 1219 /* FALLTHROUGH */ 1220 1221 case AUE_NFS_SVC: 1222 if (ARG_IS_VALID(kar, ARG_CMD)) { 1223 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1224 kau_write(rec, tok); 1225 } 1226 break; 1227 1228 case AUE_UMOUNT: 1229 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1230 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1231 kau_write(rec, tok); 1232 } 1233 UPATH1_VNODE1_TOKENS; 1234 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1235 tok = au_to_text(ar->ar_arg_text); 1236 kau_write(rec, tok); 1237 } 1238 break; 1239 1240 case AUE_MSGCTL: 1241 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1242 /* Fall through */ 1243 1244 case AUE_MSGRCV: 1245 case AUE_MSGSND: 1246 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1247 kau_write(rec, tok); 1248 if (ar->ar_errno != EINVAL) { 1249 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1250 kau_write(rec, tok); 1251 } 1252 break; 1253 1254 case AUE_MSGGET: 1255 if (ar->ar_errno == 0) { 1256 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1257 tok = au_to_ipc(AT_IPC_MSG, 1258 ar->ar_arg_svipc_id); 1259 kau_write(rec, tok); 1260 } 1261 } 1262 break; 1263 1264 case AUE_RESETSHFILE: 1265 ADDR_TOKEN(1, "base addr"); 1266 break; 1267 1268 case AUE_OPEN_RC: 1269 case AUE_OPEN_RTC: 1270 case AUE_OPEN_RWC: 1271 case AUE_OPEN_RWTC: 1272 case AUE_OPEN_WC: 1273 case AUE_OPEN_WTC: 1274 case AUE_CREAT: 1275 if (ARG_IS_VALID(kar, ARG_MODE)) { 1276 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1277 kau_write(rec, tok); 1278 } 1279 /* FALLTHROUGH */ 1280 1281 case AUE_OPEN_R: 1282 case AUE_OPEN_RT: 1283 case AUE_OPEN_RW: 1284 case AUE_OPEN_RWT: 1285 case AUE_OPEN_W: 1286 case AUE_OPEN_WT: 1287 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1288 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1289 kau_write(rec, tok); 1290 } 1291 UPATH1_VNODE1_TOKENS; 1292 break; 1293 1294 case AUE_OPENAT_RC: 1295 case AUE_OPENAT_RTC: 1296 case AUE_OPENAT_RWC: 1297 case AUE_OPENAT_RWTC: 1298 case AUE_OPENAT_WC: 1299 case AUE_OPENAT_WTC: 1300 if (ARG_IS_VALID(kar, ARG_MODE)) { 1301 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1302 kau_write(rec, tok); 1303 } 1304 /* FALLTHROUGH */ 1305 1306 case AUE_OPENAT_R: 1307 case AUE_OPENAT_RT: 1308 case AUE_OPENAT_RW: 1309 case AUE_OPENAT_RWT: 1310 case AUE_OPENAT_W: 1311 case AUE_OPENAT_WT: 1312 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1313 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1314 kau_write(rec, tok); 1315 } 1316 ATFD1_TOKENS(1); 1317 UPATH1_VNODE1_TOKENS; 1318 break; 1319 1320 case AUE_PDKILL: 1321 if (ARG_IS_VALID(kar, ARG_FD)) { 1322 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1323 kau_write(rec, tok); 1324 } 1325 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1326 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1327 kau_write(rec, tok); 1328 } 1329 PROCESS_PID_TOKENS(1); 1330 break; 1331 case AUE_PDFORK: 1332 if (ARG_IS_VALID(kar, ARG_PID)) { 1333 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1334 kau_write(rec, tok); 1335 } 1336 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1337 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1338 kau_write(rec, tok); 1339 } 1340 if (ARG_IS_VALID(kar, ARG_FD)) { 1341 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1342 kau_write(rec, tok); 1343 } 1344 break; 1345 case AUE_PDGETPID: 1346 if (ARG_IS_VALID(kar, ARG_FD)) { 1347 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1348 kau_write(rec, tok); 1349 } 1350 break; 1351 1352 case AUE_PROCCTL: 1353 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1354 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1355 kau_write(rec, tok); 1356 } 1357 if (ARG_IS_VALID(kar, ARG_CMD)) { 1358 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1359 kau_write(rec, tok); 1360 } 1361 PROCESS_PID_TOKENS(3); 1362 break; 1363 1364 case AUE_PTRACE: 1365 if (ARG_IS_VALID(kar, ARG_CMD)) { 1366 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1367 kau_write(rec, tok); 1368 } 1369 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1370 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1371 kau_write(rec, tok); 1372 } 1373 PROCESS_PID_TOKENS(2); 1374 break; 1375 1376 case AUE_QUOTACTL: 1377 if (ARG_IS_VALID(kar, ARG_CMD)) { 1378 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1379 kau_write(rec, tok); 1380 } 1381 if (ARG_IS_VALID(kar, ARG_UID)) { 1382 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1383 kau_write(rec, tok); 1384 } 1385 if (ARG_IS_VALID(kar, ARG_GID)) { 1386 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1387 kau_write(rec, tok); 1388 } 1389 UPATH1_VNODE1_TOKENS; 1390 break; 1391 1392 case AUE_REBOOT: 1393 if (ARG_IS_VALID(kar, ARG_CMD)) { 1394 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1395 kau_write(rec, tok); 1396 } 1397 break; 1398 1399 case AUE_SEMCTL: 1400 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1401 /* Fall through */ 1402 1403 case AUE_SEMOP: 1404 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1405 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1406 kau_write(rec, tok); 1407 if (ar->ar_errno != EINVAL) { 1408 tok = au_to_ipc(AT_IPC_SEM, 1409 ar->ar_arg_svipc_id); 1410 kau_write(rec, tok); 1411 } 1412 } 1413 break; 1414 1415 case AUE_SEMGET: 1416 if (ar->ar_errno == 0) { 1417 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1418 tok = au_to_ipc(AT_IPC_SEM, 1419 ar->ar_arg_svipc_id); 1420 kau_write(rec, tok); 1421 } 1422 } 1423 break; 1424 1425 case AUE_SETEGID: 1426 if (ARG_IS_VALID(kar, ARG_EGID)) { 1427 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1428 kau_write(rec, tok); 1429 } 1430 break; 1431 1432 case AUE_SETEUID: 1433 if (ARG_IS_VALID(kar, ARG_EUID)) { 1434 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1435 kau_write(rec, tok); 1436 } 1437 break; 1438 1439 case AUE_SETREGID: 1440 if (ARG_IS_VALID(kar, ARG_RGID)) { 1441 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1442 kau_write(rec, tok); 1443 } 1444 if (ARG_IS_VALID(kar, ARG_EGID)) { 1445 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1446 kau_write(rec, tok); 1447 } 1448 break; 1449 1450 case AUE_SETREUID: 1451 if (ARG_IS_VALID(kar, ARG_RUID)) { 1452 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1453 kau_write(rec, tok); 1454 } 1455 if (ARG_IS_VALID(kar, ARG_EUID)) { 1456 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1457 kau_write(rec, tok); 1458 } 1459 break; 1460 1461 case AUE_SETRESGID: 1462 if (ARG_IS_VALID(kar, ARG_RGID)) { 1463 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1464 kau_write(rec, tok); 1465 } 1466 if (ARG_IS_VALID(kar, ARG_EGID)) { 1467 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1468 kau_write(rec, tok); 1469 } 1470 if (ARG_IS_VALID(kar, ARG_SGID)) { 1471 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1472 kau_write(rec, tok); 1473 } 1474 break; 1475 1476 case AUE_SETRESUID: 1477 if (ARG_IS_VALID(kar, ARG_RUID)) { 1478 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1479 kau_write(rec, tok); 1480 } 1481 if (ARG_IS_VALID(kar, ARG_EUID)) { 1482 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1483 kau_write(rec, tok); 1484 } 1485 if (ARG_IS_VALID(kar, ARG_SUID)) { 1486 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1487 kau_write(rec, tok); 1488 } 1489 break; 1490 1491 case AUE_SETGID: 1492 if (ARG_IS_VALID(kar, ARG_GID)) { 1493 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1494 kau_write(rec, tok); 1495 } 1496 break; 1497 1498 case AUE_SETUID: 1499 if (ARG_IS_VALID(kar, ARG_UID)) { 1500 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1501 kau_write(rec, tok); 1502 } 1503 break; 1504 1505 case AUE_SETGROUPS: 1506 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1507 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1508 { 1509 tok = au_to_arg32(1, "setgroups", 1510 ar->ar_arg_groups.gidset[ctr]); 1511 kau_write(rec, tok); 1512 } 1513 } 1514 break; 1515 1516 case AUE_SETLOGIN: 1517 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1518 tok = au_to_text(ar->ar_arg_login); 1519 kau_write(rec, tok); 1520 } 1521 break; 1522 1523 case AUE_SETLOGINCLASS: 1524 break; 1525 1526 case AUE_SETPRIORITY: 1527 if (ARG_IS_VALID(kar, ARG_CMD)) { 1528 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1529 kau_write(rec, tok); 1530 } 1531 if (ARG_IS_VALID(kar, ARG_UID)) { 1532 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1533 kau_write(rec, tok); 1534 } 1535 PROCESS_PID_TOKENS(2); 1536 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1537 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1538 kau_write(rec, tok); 1539 } 1540 break; 1541 1542 case AUE_SETPRIVEXEC: 1543 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1544 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1545 kau_write(rec, tok); 1546 } 1547 break; 1548 1549 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1550 case AUE_SHMAT: 1551 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1552 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1553 kau_write(rec, tok); 1554 /* XXXAUDIT: Does having the ipc token make sense? */ 1555 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1556 kau_write(rec, tok); 1557 } 1558 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1559 tok = au_to_arg32(2, "shmaddr", 1560 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1561 kau_write(rec, tok); 1562 } 1563 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1564 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1565 kau_write(rec, tok); 1566 } 1567 break; 1568 1569 case AUE_SHMCTL: 1570 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1571 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1572 kau_write(rec, tok); 1573 /* XXXAUDIT: Does having the ipc token make sense? */ 1574 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1575 kau_write(rec, tok); 1576 } 1577 switch (ar->ar_arg_svipc_cmd) { 1578 case IPC_STAT: 1579 ar->ar_event = AUE_SHMCTL_STAT; 1580 break; 1581 case IPC_RMID: 1582 ar->ar_event = AUE_SHMCTL_RMID; 1583 break; 1584 case IPC_SET: 1585 ar->ar_event = AUE_SHMCTL_SET; 1586 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1587 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1588 kau_write(rec, tok); 1589 } 1590 break; 1591 default: 1592 break; /* We will audit a bad command */ 1593 } 1594 break; 1595 1596 case AUE_SHMDT: 1597 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1598 tok = au_to_arg32(1, "shmaddr", 1599 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1600 kau_write(rec, tok); 1601 } 1602 break; 1603 1604 case AUE_SHMGET: 1605 /* This is unusual; the return value is in an argument token */ 1606 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1607 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1608 kau_write(rec, tok); 1609 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1610 kau_write(rec, tok); 1611 } 1612 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1613 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1614 kau_write(rec, tok); 1615 } 1616 break; 1617 1618 /* shm_rename is a non-Posix extension to the Posix shm implementation */ 1619 case AUE_SHMRENAME: 1620 UPATH1_TOKENS; 1621 UPATH2_TOKENS; 1622 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1623 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1624 kau_write(rec, tok); 1625 } 1626 break; 1627 1628 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1629 * and AUE_SEMUNLINK are Posix IPC */ 1630 case AUE_SHMOPEN: 1631 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1632 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1633 kau_write(rec, tok); 1634 } 1635 if (ARG_IS_VALID(kar, ARG_MODE)) { 1636 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1637 kau_write(rec, tok); 1638 } 1639 /* FALLTHROUGH */ 1640 1641 case AUE_SHMUNLINK: 1642 UPATH1_TOKENS; 1643 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1644 struct ipc_perm perm; 1645 1646 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1647 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1648 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1649 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1650 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1651 perm.seq = 0; 1652 perm.key = 0; 1653 tok = au_to_ipc_perm(&perm); 1654 kau_write(rec, tok); 1655 } 1656 break; 1657 1658 case AUE_SEMOPEN: 1659 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1660 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1661 kau_write(rec, tok); 1662 } 1663 if (ARG_IS_VALID(kar, ARG_MODE)) { 1664 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1665 kau_write(rec, tok); 1666 } 1667 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1668 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1669 kau_write(rec, tok); 1670 } 1671 /* FALLTHROUGH */ 1672 1673 case AUE_SEMUNLINK: 1674 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1675 tok = au_to_text(ar->ar_arg_text); 1676 kau_write(rec, tok); 1677 } 1678 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1679 struct ipc_perm perm; 1680 1681 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1682 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1683 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1684 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1685 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1686 perm.seq = 0; 1687 perm.key = 0; 1688 tok = au_to_ipc_perm(&perm); 1689 kau_write(rec, tok); 1690 } 1691 break; 1692 1693 case AUE_SEMCLOSE: 1694 if (ARG_IS_VALID(kar, ARG_FD)) { 1695 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1696 kau_write(rec, tok); 1697 } 1698 break; 1699 1700 case AUE_SYMLINK: 1701 case AUE_SYMLINKAT: 1702 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1703 tok = au_to_text(ar->ar_arg_text); 1704 kau_write(rec, tok); 1705 } 1706 ATFD1_TOKENS(1); 1707 UPATH1_VNODE1_TOKENS; 1708 break; 1709 1710 case AUE_SYSCTL: 1711 case AUE_SYSCTL_NONADMIN: 1712 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1713 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1714 tok = au_to_arg32(1, "name", 1715 ar->ar_arg_ctlname[ctr]); 1716 kau_write(rec, tok); 1717 } 1718 } 1719 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1720 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1721 kau_write(rec, tok); 1722 } 1723 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1724 tok = au_to_text(ar->ar_arg_text); 1725 kau_write(rec, tok); 1726 } 1727 break; 1728 1729 case AUE_UMASK: 1730 if (ARG_IS_VALID(kar, ARG_MASK)) { 1731 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1732 kau_write(rec, tok); 1733 } 1734 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1735 kau_write(rec, tok); 1736 break; 1737 1738 case AUE_WAIT4: 1739 case AUE_WAIT6: 1740 PROCESS_PID_TOKENS(1); 1741 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1742 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1743 kau_write(rec, tok); 1744 } 1745 break; 1746 1747 case AUE_CAP_RIGHTS_LIMIT: 1748 /* 1749 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1750 */ 1751 FD_VNODE1_TOKENS; 1752 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1753 tok = au_to_rights(&ar->ar_arg_rights); 1754 kau_write(rec, tok); 1755 } 1756 break; 1757 1758 case AUE_CAP_FCNTLS_GET: 1759 case AUE_CAP_IOCTLS_GET: 1760 case AUE_CAP_IOCTLS_LIMIT: 1761 case AUE_CAP_RIGHTS_GET: 1762 if (ARG_IS_VALID(kar, ARG_FD)) { 1763 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1764 kau_write(rec, tok); 1765 } 1766 break; 1767 1768 case AUE_CAP_FCNTLS_LIMIT: 1769 FD_VNODE1_TOKENS; 1770 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1771 tok = au_to_arg32(2, "fcntlrights", 1772 ar->ar_arg_fcntl_rights); 1773 kau_write(rec, tok); 1774 } 1775 break; 1776 1777 case AUE_CAP_ENTER: 1778 case AUE_CAP_GETMODE: 1779 break; 1780 1781 case AUE_THR_NEW: 1782 case AUE_THR_KILL: 1783 case AUE_THR_EXIT: 1784 break; 1785 1786 case AUE_NULL: 1787 default: 1788 printf("BSM conversion requested for unknown event %d\n", 1789 ar->ar_event); 1790 1791 /* 1792 * Write the subject token so it is properly freed here. 1793 */ 1794 if (jail_tok != NULL) 1795 kau_write(rec, jail_tok); 1796 kau_write(rec, subj_tok); 1797 kau_free(rec); 1798 return (BSM_NOAUDIT); 1799 } 1800 1801 if (jail_tok != NULL) 1802 kau_write(rec, jail_tok); 1803 kau_write(rec, subj_tok); 1804 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1805 kau_write(rec, tok); /* Every record gets a return token */ 1806 1807 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1808 1809 *pau = rec; 1810 return (BSM_SUCCESS); 1811 } 1812 1813 /* 1814 * Verify that a record is a valid BSM record. This verification is simple 1815 * now, but may be expanded on sometime in the future. Return 1 if the 1816 * record is good, 0 otherwise. 1817 */ 1818 int 1819 bsm_rec_verify(void *rec) 1820 { 1821 char c = *(char *)rec; 1822 1823 /* 1824 * Check the token ID of the first token; it has to be a header 1825 * token. 1826 * 1827 * XXXAUDIT There needs to be a token structure to map a token. 1828 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1829 */ 1830 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1831 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1832 return (0); 1833 return (1); 1834 } 1835