1 /* 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2009 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include <sys/param.h> 42 #include <sys/vnode.h> 43 #include <sys/ipc.h> 44 #include <sys/lock.h> 45 #include <sys/malloc.h> 46 #include <sys/mutex.h> 47 #include <sys/socket.h> 48 #include <sys/extattr.h> 49 #include <sys/fcntl.h> 50 #include <sys/user.h> 51 #include <sys/systm.h> 52 53 #include <bsm/audit.h> 54 #include <bsm/audit_internal.h> 55 #include <bsm/audit_record.h> 56 #include <bsm/audit_kevents.h> 57 58 #include <security/audit/audit.h> 59 #include <security/audit/audit_private.h> 60 61 #include <netinet/in_systm.h> 62 #include <netinet/in.h> 63 #include <netinet/ip.h> 64 65 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 66 67 static void audit_sys_auditon(struct audit_record *ar, 68 struct au_record *rec); 69 70 /* 71 * Initialize the BSM auditing subsystem. 72 */ 73 void 74 kau_init(void) 75 { 76 77 au_evclassmap_init(); 78 au_evnamemap_init(); 79 } 80 81 /* 82 * This call reserves memory for the audit record. Memory must be guaranteed 83 * before any auditable event can be generated. The au_record structure 84 * maintains a reference to the memory allocated above and also the list of 85 * tokens associated with this record. 86 */ 87 static struct au_record * 88 kau_open(void) 89 { 90 struct au_record *rec; 91 92 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 93 rec->data = NULL; 94 TAILQ_INIT(&rec->token_q); 95 rec->len = 0; 96 rec->used = 1; 97 98 return (rec); 99 } 100 101 /* 102 * Store the token with the record descriptor. 103 */ 104 static void 105 kau_write(struct au_record *rec, struct au_token *tok) 106 { 107 108 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 109 110 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 111 rec->len += tok->len; 112 } 113 114 /* 115 * Close out the audit record by adding the header token, identifying any 116 * missing tokens. Write out the tokens to the record memory. 117 */ 118 static void 119 kau_close(struct au_record *rec, struct timespec *ctime, short event) 120 { 121 u_char *dptr; 122 size_t tot_rec_size; 123 token_t *cur, *hdr, *trail; 124 struct timeval tm; 125 size_t hdrsize; 126 struct auditinfo_addr ak; 127 struct in6_addr *ap; 128 129 audit_get_kinfo(&ak); 130 hdrsize = 0; 131 switch (ak.ai_termid.at_type) { 132 case AU_IPv4: 133 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 134 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 135 break; 136 case AU_IPv6: 137 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 138 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 139 AUDIT_HEADER_EX_SIZE(&ak); 140 break; 141 default: 142 panic("kau_close: invalid address family"); 143 } 144 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 145 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 146 147 tm.tv_usec = ctime->tv_nsec / 1000; 148 tm.tv_sec = ctime->tv_sec; 149 if (hdrsize != AUDIT_HEADER_SIZE) 150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 151 else 152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 153 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 154 155 trail = au_to_trailer(tot_rec_size); 156 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 157 158 rec->len = tot_rec_size; 159 dptr = rec->data; 160 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 161 memcpy(dptr, cur->t_data, cur->len); 162 dptr += cur->len; 163 } 164 } 165 166 /* 167 * Free a BSM audit record by releasing all the tokens and clearing the audit 168 * record information. 169 */ 170 void 171 kau_free(struct au_record *rec) 172 { 173 struct au_token *tok; 174 175 /* Free the token list. */ 176 while ((tok = TAILQ_FIRST(&rec->token_q))) { 177 TAILQ_REMOVE(&rec->token_q, tok, tokens); 178 free(tok->t_data, M_AUDITBSM); 179 free(tok, M_AUDITBSM); 180 } 181 182 rec->used = 0; 183 rec->len = 0; 184 free(rec->data, M_AUDITBSM); 185 free(rec, M_AUDITBSM); 186 } 187 188 /* 189 * XXX: May want turn some (or all) of these macros into functions in order 190 * to reduce the generated code size. 191 * 192 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 193 * caller are OK with this. 194 */ 195 #define ATFD1_TOKENS(argnum) do { \ 196 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 197 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 198 kau_write(rec, tok); \ 199 } \ 200 } while (0) 201 202 #define ATFD2_TOKENS(argnum) do { \ 203 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 204 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 205 kau_write(rec, tok); \ 206 } \ 207 } while (0) 208 209 #define UPATH1_TOKENS do { \ 210 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 211 tok = au_to_path(ar->ar_arg_upath1); \ 212 kau_write(rec, tok); \ 213 } \ 214 } while (0) 215 216 #define UPATH2_TOKENS do { \ 217 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 218 tok = au_to_path(ar->ar_arg_upath2); \ 219 kau_write(rec, tok); \ 220 } \ 221 } while (0) 222 223 #define VNODE1_TOKENS do { \ 224 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 225 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 226 kau_write(rec, tok); \ 227 } \ 228 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 229 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 230 kau_write(rec, tok); \ 231 } \ 232 } while (0) 233 234 #define UPATH1_VNODE1_TOKENS do { \ 235 UPATH1_TOKENS; \ 236 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 237 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 238 kau_write(rec, tok); \ 239 } \ 240 } while (0) 241 242 #define VNODE2_TOKENS do { \ 243 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 244 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 245 kau_write(rec, tok); \ 246 } \ 247 } while (0) 248 249 #define FD_VNODE1_TOKENS do { \ 250 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 251 if (ARG_IS_VALID(kar, ARG_FD)) { \ 252 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 253 kau_write(rec, tok); \ 254 } \ 255 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 256 kau_write(rec, tok); \ 257 } else { \ 258 if (ARG_IS_VALID(kar, ARG_FD)) { \ 259 tok = au_to_arg32(1, "non-file: fd", \ 260 ar->ar_arg_fd); \ 261 kau_write(rec, tok); \ 262 } \ 263 } \ 264 } while (0) 265 266 #define PROCESS_PID_TOKENS(argn) do { \ 267 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 268 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 269 tok = au_to_process32_ex(ar->ar_arg_auid, \ 270 ar->ar_arg_euid, ar->ar_arg_egid, \ 271 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 272 ar->ar_arg_pid, ar->ar_arg_asid, \ 273 &ar->ar_arg_termid_addr); \ 274 kau_write(rec, tok); \ 275 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 276 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 277 kau_write(rec, tok); \ 278 } \ 279 } while (0) 280 281 #define EXTATTR_TOKENS(namespace_argnum) do { \ 282 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 283 switch (ar->ar_arg_value) { \ 284 case EXTATTR_NAMESPACE_USER: \ 285 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 286 break; \ 287 case EXTATTR_NAMESPACE_SYSTEM: \ 288 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 289 break; \ 290 default: \ 291 tok = au_to_arg32((namespace_argnum), \ 292 "attrnamespace", ar->ar_arg_value); \ 293 break; \ 294 } \ 295 kau_write(rec, tok); \ 296 } \ 297 /* attrname is in the text field */ \ 298 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 299 tok = au_to_text(ar->ar_arg_text); \ 300 kau_write(rec, tok); \ 301 } \ 302 } while (0) 303 304 /* 305 * Not all pointer arguments to system calls are of interest, but in some 306 * cases they reflect delegation of rights, such as mmap(2) followed by 307 * minherit(2) before execve(2), so do the best we can. 308 */ 309 #define ADDR_TOKEN(argnum, argname) do { \ 310 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 311 if (sizeof(void *) == sizeof(uint32_t)) \ 312 tok = au_to_arg32((argnum), (argname), \ 313 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 314 else \ 315 tok = au_to_arg64((argnum), (argname), \ 316 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 317 kau_write(rec, tok); \ 318 } \ 319 } while (0) 320 321 322 /* 323 * Implement auditing for the auditon() system call. The audit tokens that 324 * are generated depend on the command that was sent into the auditon() 325 * system call. 326 */ 327 static void 328 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 329 { 330 struct au_token *tok; 331 332 tok = au_to_arg32(3, "length", ar->ar_arg_len); 333 kau_write(rec, tok); 334 switch (ar->ar_arg_cmd) { 335 case A_OLDSETPOLICY: 336 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 337 tok = au_to_arg64(2, "policy", 338 ar->ar_arg_auditon.au_policy64); 339 kau_write(rec, tok); 340 break; 341 } 342 /* FALLTHROUGH */ 343 344 case A_SETPOLICY: 345 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 346 kau_write(rec, tok); 347 break; 348 349 case A_SETKMASK: 350 tok = au_to_arg32(2, "setkmask:as_success", 351 ar->ar_arg_auditon.au_mask.am_success); 352 kau_write(rec, tok); 353 tok = au_to_arg32(2, "setkmask:as_failure", 354 ar->ar_arg_auditon.au_mask.am_failure); 355 kau_write(rec, tok); 356 break; 357 358 case A_OLDSETQCTRL: 359 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 360 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 361 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_lowater", 364 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 365 kau_write(rec, tok); 366 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 367 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 368 kau_write(rec, tok); 369 tok = au_to_arg64(2, "setqctrl:aq_delay", 370 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 371 kau_write(rec, tok); 372 tok = au_to_arg64(2, "setqctrl:aq_minfree", 373 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 374 kau_write(rec, tok); 375 break; 376 } 377 /* FALLTHROUGH */ 378 379 case A_SETQCTRL: 380 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 381 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_lowater", 384 ar->ar_arg_auditon.au_qctrl.aq_lowater); 385 kau_write(rec, tok); 386 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 387 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 388 kau_write(rec, tok); 389 tok = au_to_arg32(2, "setqctrl:aq_delay", 390 ar->ar_arg_auditon.au_qctrl.aq_delay); 391 kau_write(rec, tok); 392 tok = au_to_arg32(2, "setqctrl:aq_minfree", 393 ar->ar_arg_auditon.au_qctrl.aq_minfree); 394 kau_write(rec, tok); 395 break; 396 397 case A_SETUMASK: 398 tok = au_to_arg32(2, "setumask:as_success", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 400 kau_write(rec, tok); 401 tok = au_to_arg32(2, "setumask:as_failure", 402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 403 kau_write(rec, tok); 404 break; 405 406 case A_SETSMASK: 407 tok = au_to_arg32(2, "setsmask:as_success", 408 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 409 kau_write(rec, tok); 410 tok = au_to_arg32(2, "setsmask:as_failure", 411 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 412 kau_write(rec, tok); 413 break; 414 415 case A_OLDSETCOND: 416 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 417 tok = au_to_arg64(2, "setcond", 418 ar->ar_arg_auditon.au_cond64); 419 kau_write(rec, tok); 420 break; 421 } 422 /* FALLTHROUGH */ 423 424 case A_SETCOND: 425 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 426 kau_write(rec, tok); 427 break; 428 429 case A_SETCLASS: 430 kau_write(rec, tok); 431 tok = au_to_arg32(2, "setclass:ec_event", 432 ar->ar_arg_auditon.au_evclass.ec_number); 433 kau_write(rec, tok); 434 tok = au_to_arg32(2, "setclass:ec_class", 435 ar->ar_arg_auditon.au_evclass.ec_class); 436 kau_write(rec, tok); 437 break; 438 439 case A_SETPMASK: 440 tok = au_to_arg32(2, "setpmask:as_success", 441 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 442 kau_write(rec, tok); 443 tok = au_to_arg32(2, "setpmask:as_failure", 444 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 445 kau_write(rec, tok); 446 break; 447 448 case A_SETFSIZE: 449 tok = au_to_arg32(2, "setfsize:filesize", 450 ar->ar_arg_auditon.au_fstat.af_filesz); 451 kau_write(rec, tok); 452 break; 453 454 default: 455 break; 456 } 457 } 458 459 /* 460 * Convert an internal kernel audit record to a BSM record and return a 461 * success/failure indicator. The BSM record is passed as an out parameter to 462 * this function. 463 * 464 * Return conditions: 465 * BSM_SUCCESS: The BSM record is valid 466 * BSM_FAILURE: Failure; the BSM record is NULL. 467 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 468 */ 469 int 470 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 471 { 472 struct au_token *tok, *subj_tok, *jail_tok; 473 struct au_record *rec; 474 au_tid_t tid; 475 struct audit_record *ar; 476 int ctr; 477 478 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 479 480 *pau = NULL; 481 ar = &kar->k_ar; 482 rec = kau_open(); 483 484 /* 485 * Create the subject token. If this credential was jailed be sure to 486 * generate a zonename token. 487 */ 488 if (ar->ar_jailname[0] != '\0') 489 jail_tok = au_to_zonename(ar->ar_jailname); 490 else 491 jail_tok = NULL; 492 switch (ar->ar_subj_term_addr.at_type) { 493 case AU_IPv4: 494 tid.port = ar->ar_subj_term_addr.at_port; 495 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 496 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 497 ar->ar_subj_cred.cr_uid, /* eff uid */ 498 ar->ar_subj_egid, /* eff group id */ 499 ar->ar_subj_ruid, /* real uid */ 500 ar->ar_subj_rgid, /* real group id */ 501 ar->ar_subj_pid, /* process id */ 502 ar->ar_subj_asid, /* session ID */ 503 &tid); 504 break; 505 case AU_IPv6: 506 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 507 ar->ar_subj_cred.cr_uid, 508 ar->ar_subj_egid, 509 ar->ar_subj_ruid, 510 ar->ar_subj_rgid, 511 ar->ar_subj_pid, 512 ar->ar_subj_asid, 513 &ar->ar_subj_term_addr); 514 break; 515 default: 516 bzero(&tid, sizeof(tid)); 517 subj_tok = au_to_subject32(ar->ar_subj_auid, 518 ar->ar_subj_cred.cr_uid, 519 ar->ar_subj_egid, 520 ar->ar_subj_ruid, 521 ar->ar_subj_rgid, 522 ar->ar_subj_pid, 523 ar->ar_subj_asid, 524 &tid); 525 } 526 527 /* 528 * The logic inside each case fills in the tokens required for the 529 * event, except for the header, trailer, and return tokens. The 530 * header and trailer tokens are added by the kau_close() function. 531 * The return token is added outside of the switch statement. 532 */ 533 switch(ar->ar_event) { 534 case AUE_ACCEPT: 535 if (ARG_IS_VALID(kar, ARG_FD)) { 536 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 537 kau_write(rec, tok); 538 } 539 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 540 tok = au_to_sock_inet((struct sockaddr_in *) 541 &ar->ar_arg_sockaddr); 542 kau_write(rec, tok); 543 } 544 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 545 tok = au_to_sock_unix((struct sockaddr_un *) 546 &ar->ar_arg_sockaddr); 547 kau_write(rec, tok); 548 UPATH1_TOKENS; 549 } 550 break; 551 552 case AUE_BIND: 553 case AUE_LISTEN: 554 case AUE_CONNECT: 555 case AUE_RECV: 556 case AUE_RECVFROM: 557 case AUE_RECVMSG: 558 case AUE_SEND: 559 case AUE_SENDMSG: 560 case AUE_SENDTO: 561 /* 562 * Socket-related events. 563 */ 564 if (ARG_IS_VALID(kar, ARG_FD)) { 565 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 566 kau_write(rec, tok); 567 } 568 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 569 tok = au_to_sock_inet((struct sockaddr_in *) 570 &ar->ar_arg_sockaddr); 571 kau_write(rec, tok); 572 } 573 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 574 tok = au_to_sock_unix((struct sockaddr_un *) 575 &ar->ar_arg_sockaddr); 576 kau_write(rec, tok); 577 UPATH1_TOKENS; 578 } 579 /* XXX Need to handle ARG_SADDRINET6 */ 580 break; 581 582 case AUE_BINDAT: 583 case AUE_CONNECTAT: 584 ATFD1_TOKENS(1); 585 if (ARG_IS_VALID(kar, ARG_FD)) { 586 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 587 kau_write(rec, tok); 588 } 589 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 590 tok = au_to_sock_unix((struct sockaddr_un *) 591 &ar->ar_arg_sockaddr); 592 kau_write(rec, tok); 593 UPATH1_TOKENS; 594 } 595 break; 596 597 case AUE_SENDFILE: 598 FD_VNODE1_TOKENS; 599 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 600 tok = au_to_sock_inet((struct sockaddr_in *) 601 &ar->ar_arg_sockaddr); 602 kau_write(rec, tok); 603 } 604 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 605 tok = au_to_sock_unix((struct sockaddr_un *) 606 &ar->ar_arg_sockaddr); 607 kau_write(rec, tok); 608 UPATH1_TOKENS; 609 } 610 /* XXX Need to handle ARG_SADDRINET6 */ 611 break; 612 613 case AUE_SOCKET: 614 case AUE_SOCKETPAIR: 615 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 616 tok = au_to_arg32(1, "domain", 617 ar->ar_arg_sockinfo.so_domain); 618 kau_write(rec, tok); 619 tok = au_to_arg32(2, "type", 620 ar->ar_arg_sockinfo.so_type); 621 kau_write(rec, tok); 622 tok = au_to_arg32(3, "protocol", 623 ar->ar_arg_sockinfo.so_protocol); 624 kau_write(rec, tok); 625 } 626 break; 627 628 case AUE_SETSOCKOPT: 629 case AUE_SHUTDOWN: 630 if (ARG_IS_VALID(kar, ARG_FD)) { 631 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 632 kau_write(rec, tok); 633 } 634 break; 635 636 case AUE_ACCT: 637 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 638 UPATH1_VNODE1_TOKENS; 639 } else { 640 tok = au_to_arg32(1, "accounting off", 0); 641 kau_write(rec, tok); 642 } 643 break; 644 645 case AUE_SETAUID: 646 if (ARG_IS_VALID(kar, ARG_AUID)) { 647 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 648 kau_write(rec, tok); 649 } 650 break; 651 652 case AUE_SETAUDIT: 653 if (ARG_IS_VALID(kar, ARG_AUID) && 654 ARG_IS_VALID(kar, ARG_ASID) && 655 ARG_IS_VALID(kar, ARG_AMASK) && 656 ARG_IS_VALID(kar, ARG_TERMID)) { 657 tok = au_to_arg32(1, "setaudit:auid", 658 ar->ar_arg_auid); 659 kau_write(rec, tok); 660 tok = au_to_arg32(1, "setaudit:port", 661 ar->ar_arg_termid.port); 662 kau_write(rec, tok); 663 tok = au_to_arg32(1, "setaudit:machine", 664 ar->ar_arg_termid.machine); 665 kau_write(rec, tok); 666 tok = au_to_arg32(1, "setaudit:as_success", 667 ar->ar_arg_amask.am_success); 668 kau_write(rec, tok); 669 tok = au_to_arg32(1, "setaudit:as_failure", 670 ar->ar_arg_amask.am_failure); 671 kau_write(rec, tok); 672 tok = au_to_arg32(1, "setaudit:asid", 673 ar->ar_arg_asid); 674 kau_write(rec, tok); 675 } 676 break; 677 678 case AUE_SETAUDIT_ADDR: 679 if (ARG_IS_VALID(kar, ARG_AUID) && 680 ARG_IS_VALID(kar, ARG_ASID) && 681 ARG_IS_VALID(kar, ARG_AMASK) && 682 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 683 tok = au_to_arg32(1, "setaudit_addr:auid", 684 ar->ar_arg_auid); 685 kau_write(rec, tok); 686 tok = au_to_arg32(1, "setaudit_addr:as_success", 687 ar->ar_arg_amask.am_success); 688 kau_write(rec, tok); 689 tok = au_to_arg32(1, "setaudit_addr:as_failure", 690 ar->ar_arg_amask.am_failure); 691 kau_write(rec, tok); 692 tok = au_to_arg32(1, "setaudit_addr:asid", 693 ar->ar_arg_asid); 694 kau_write(rec, tok); 695 tok = au_to_arg32(1, "setaudit_addr:type", 696 ar->ar_arg_termid_addr.at_type); 697 kau_write(rec, tok); 698 tok = au_to_arg32(1, "setaudit_addr:port", 699 ar->ar_arg_termid_addr.at_port); 700 kau_write(rec, tok); 701 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 702 tok = au_to_in_addr_ex((struct in6_addr *) 703 &ar->ar_arg_termid_addr.at_addr[0]); 704 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 705 tok = au_to_in_addr((struct in_addr *) 706 &ar->ar_arg_termid_addr.at_addr[0]); 707 kau_write(rec, tok); 708 } 709 break; 710 711 case AUE_AUDITON: 712 /* 713 * For AUDITON commands without own event, audit the cmd. 714 */ 715 if (ARG_IS_VALID(kar, ARG_CMD)) { 716 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 717 kau_write(rec, tok); 718 } 719 /* FALLTHROUGH */ 720 721 case AUE_AUDITON_GETCAR: 722 case AUE_AUDITON_GETCLASS: 723 case AUE_AUDITON_GETCOND: 724 case AUE_AUDITON_GETCWD: 725 case AUE_AUDITON_GETKMASK: 726 case AUE_AUDITON_GETSTAT: 727 case AUE_AUDITON_GPOLICY: 728 case AUE_AUDITON_GQCTRL: 729 case AUE_AUDITON_SETCLASS: 730 case AUE_AUDITON_SETCOND: 731 case AUE_AUDITON_SETKMASK: 732 case AUE_AUDITON_SETSMASK: 733 case AUE_AUDITON_SETSTAT: 734 case AUE_AUDITON_SETUMASK: 735 case AUE_AUDITON_SPOLICY: 736 case AUE_AUDITON_SQCTRL: 737 if (ARG_IS_VALID(kar, ARG_AUDITON)) 738 audit_sys_auditon(ar, rec); 739 break; 740 741 case AUE_AUDITCTL: 742 UPATH1_VNODE1_TOKENS; 743 break; 744 745 case AUE_EXIT: 746 if (ARG_IS_VALID(kar, ARG_EXIT)) { 747 tok = au_to_exit(ar->ar_arg_exitretval, 748 ar->ar_arg_exitstatus); 749 kau_write(rec, tok); 750 } 751 break; 752 753 case AUE_ADJTIME: 754 case AUE_CLOCK_SETTIME: 755 case AUE_AUDIT: 756 case AUE_DUP2: 757 case AUE_GETAUDIT: 758 case AUE_GETAUDIT_ADDR: 759 case AUE_GETAUID: 760 case AUE_GETCWD: 761 case AUE_GETFSSTAT: 762 case AUE_GETRESUID: 763 case AUE_GETRESGID: 764 case AUE_KQUEUE: 765 case AUE_MODLOAD: 766 case AUE_MODUNLOAD: 767 case AUE_MSGSYS: 768 case AUE_NTP_ADJTIME: 769 case AUE_PIPE: 770 case AUE_POSIX_OPENPT: 771 case AUE_PROFILE: 772 case AUE_RTPRIO: 773 case AUE_SEMSYS: 774 case AUE_SHMSYS: 775 case AUE_SETPGRP: 776 case AUE_SETRLIMIT: 777 case AUE_SETSID: 778 case AUE_SETTIMEOFDAY: 779 case AUE_SYSARCH: 780 781 /* 782 * Header, subject, and return tokens added at end. 783 */ 784 break; 785 786 case AUE_ACL_DELETE_FD: 787 case AUE_ACL_DELETE_FILE: 788 case AUE_ACL_CHECK_FD: 789 case AUE_ACL_CHECK_FILE: 790 case AUE_ACL_CHECK_LINK: 791 case AUE_ACL_DELETE_LINK: 792 case AUE_ACL_GET_FD: 793 case AUE_ACL_GET_FILE: 794 case AUE_ACL_GET_LINK: 795 case AUE_ACL_SET_FD: 796 case AUE_ACL_SET_FILE: 797 case AUE_ACL_SET_LINK: 798 if (ARG_IS_VALID(kar, ARG_VALUE)) { 799 tok = au_to_arg32(1, "type", ar->ar_arg_value); 800 kau_write(rec, tok); 801 } 802 ATFD1_TOKENS(1); 803 UPATH1_VNODE1_TOKENS; 804 break; 805 806 case AUE_CHDIR: 807 case AUE_CHROOT: 808 case AUE_FSTATAT: 809 case AUE_FUTIMESAT: 810 case AUE_GETATTRLIST: 811 case AUE_JAIL: 812 case AUE_LUTIMES: 813 case AUE_NFS_GETFH: 814 case AUE_LSTAT: 815 case AUE_LPATHCONF: 816 case AUE_PATHCONF: 817 case AUE_READLINK: 818 case AUE_READLINKAT: 819 case AUE_REVOKE: 820 case AUE_RMDIR: 821 case AUE_SEARCHFS: 822 case AUE_SETATTRLIST: 823 case AUE_STAT: 824 case AUE_STATFS: 825 case AUE_SWAPON: 826 case AUE_SWAPOFF: 827 case AUE_TRUNCATE: 828 case AUE_UNDELETE: 829 case AUE_UNLINK: 830 case AUE_UNLINKAT: 831 case AUE_UTIMES: 832 ATFD1_TOKENS(1); 833 UPATH1_VNODE1_TOKENS; 834 break; 835 836 case AUE_ACCESS: 837 case AUE_EACCESS: 838 case AUE_FACCESSAT: 839 ATFD1_TOKENS(1); 840 UPATH1_VNODE1_TOKENS; 841 if (ARG_IS_VALID(kar, ARG_VALUE)) { 842 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 843 kau_write(rec, tok); 844 } 845 break; 846 847 case AUE_FHSTATFS: 848 case AUE_FHOPEN: 849 case AUE_FHSTAT: 850 /* XXXRW: Need to audit vnode argument. */ 851 break; 852 853 case AUE_CHFLAGS: 854 case AUE_LCHFLAGS: 855 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 856 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 857 kau_write(rec, tok); 858 } 859 UPATH1_VNODE1_TOKENS; 860 break; 861 862 case AUE_CHMOD: 863 case AUE_LCHMOD: 864 if (ARG_IS_VALID(kar, ARG_MODE)) { 865 tok = au_to_arg32(2, "new file mode", 866 ar->ar_arg_mode); 867 kau_write(rec, tok); 868 } 869 UPATH1_VNODE1_TOKENS; 870 break; 871 872 case AUE_FCHMODAT: 873 ATFD1_TOKENS(1); 874 if (ARG_IS_VALID(kar, ARG_MODE)) { 875 tok = au_to_arg32(3, "new file mode", 876 ar->ar_arg_mode); 877 kau_write(rec, tok); 878 } 879 UPATH1_VNODE1_TOKENS; 880 break; 881 882 case AUE_CHOWN: 883 case AUE_LCHOWN: 884 if (ARG_IS_VALID(kar, ARG_UID)) { 885 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 886 kau_write(rec, tok); 887 } 888 if (ARG_IS_VALID(kar, ARG_GID)) { 889 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 890 kau_write(rec, tok); 891 } 892 UPATH1_VNODE1_TOKENS; 893 break; 894 895 case AUE_FCHOWNAT: 896 ATFD1_TOKENS(1); 897 if (ARG_IS_VALID(kar, ARG_UID)) { 898 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 899 kau_write(rec, tok); 900 } 901 if (ARG_IS_VALID(kar, ARG_GID)) { 902 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 903 kau_write(rec, tok); 904 } 905 UPATH1_VNODE1_TOKENS; 906 break; 907 908 case AUE_EXCHANGEDATA: 909 UPATH1_VNODE1_TOKENS; 910 UPATH2_TOKENS; 911 break; 912 913 case AUE_CLOSE: 914 if (ARG_IS_VALID(kar, ARG_FD)) { 915 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 916 kau_write(rec, tok); 917 } 918 UPATH1_VNODE1_TOKENS; 919 break; 920 921 case AUE_CLOSEFROM: 922 if (ARG_IS_VALID(kar, ARG_FD)) { 923 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 924 kau_write(rec, tok); 925 } 926 break; 927 928 case AUE_CORE: 929 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 930 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 931 kau_write(rec, tok); 932 } 933 UPATH1_VNODE1_TOKENS; 934 break; 935 936 case AUE_EXTATTRCTL: 937 UPATH1_VNODE1_TOKENS; 938 if (ARG_IS_VALID(kar, ARG_CMD)) { 939 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 940 kau_write(rec, tok); 941 } 942 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 943 UPATH2_TOKENS; 944 VNODE2_TOKENS; 945 EXTATTR_TOKENS(4); 946 break; 947 948 case AUE_EXTATTR_GET_FILE: 949 case AUE_EXTATTR_SET_FILE: 950 case AUE_EXTATTR_LIST_FILE: 951 case AUE_EXTATTR_DELETE_FILE: 952 case AUE_EXTATTR_GET_LINK: 953 case AUE_EXTATTR_SET_LINK: 954 case AUE_EXTATTR_LIST_LINK: 955 case AUE_EXTATTR_DELETE_LINK: 956 UPATH1_VNODE1_TOKENS; 957 EXTATTR_TOKENS(2); 958 break; 959 960 case AUE_EXTATTR_GET_FD: 961 case AUE_EXTATTR_SET_FD: 962 case AUE_EXTATTR_LIST_FD: 963 case AUE_EXTATTR_DELETE_FD: 964 if (ARG_IS_VALID(kar, ARG_FD)) { 965 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 966 kau_write(rec, tok); 967 } 968 EXTATTR_TOKENS(2); 969 break; 970 971 case AUE_FEXECVE: 972 if (ARG_IS_VALID(kar, ARG_FD)) { 973 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 974 kau_write(rec, tok); 975 } 976 /* FALLTHROUGH */ 977 978 case AUE_EXECVE: 979 case AUE_MAC_EXECVE: 980 if (ARG_IS_VALID(kar, ARG_ARGV)) { 981 tok = au_to_exec_args(ar->ar_arg_argv, 982 ar->ar_arg_argc); 983 kau_write(rec, tok); 984 } 985 if (ARG_IS_VALID(kar, ARG_ENVV)) { 986 tok = au_to_exec_env(ar->ar_arg_envv, 987 ar->ar_arg_envc); 988 kau_write(rec, tok); 989 } 990 UPATH1_VNODE1_TOKENS; 991 break; 992 993 case AUE_FCHMOD: 994 if (ARG_IS_VALID(kar, ARG_MODE)) { 995 tok = au_to_arg32(2, "new file mode", 996 ar->ar_arg_mode); 997 kau_write(rec, tok); 998 } 999 FD_VNODE1_TOKENS; 1000 break; 1001 1002 /* 1003 * XXXRW: Some of these need to handle non-vnode cases as well. 1004 */ 1005 case AUE_FCHDIR: 1006 case AUE_FPATHCONF: 1007 case AUE_FSTAT: 1008 case AUE_FSTATFS: 1009 case AUE_FSYNC: 1010 case AUE_FTRUNCATE: 1011 case AUE_FUTIMES: 1012 case AUE_GETDIRENTRIES: 1013 case AUE_GETDIRENTRIESATTR: 1014 case AUE_LSEEK: 1015 case AUE_POLL: 1016 case AUE_POSIX_FALLOCATE: 1017 case AUE_PREAD: 1018 case AUE_PWRITE: 1019 case AUE_READ: 1020 case AUE_READV: 1021 case AUE_WRITE: 1022 case AUE_WRITEV: 1023 FD_VNODE1_TOKENS; 1024 break; 1025 1026 case AUE_FCHOWN: 1027 if (ARG_IS_VALID(kar, ARG_UID)) { 1028 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1029 kau_write(rec, tok); 1030 } 1031 if (ARG_IS_VALID(kar, ARG_GID)) { 1032 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1033 kau_write(rec, tok); 1034 } 1035 FD_VNODE1_TOKENS; 1036 break; 1037 1038 case AUE_FCNTL: 1039 if (ARG_IS_VALID(kar, ARG_CMD)) { 1040 tok = au_to_arg32(2, "cmd", 1041 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1042 kau_write(rec, tok); 1043 } 1044 FD_VNODE1_TOKENS; 1045 break; 1046 1047 case AUE_FCHFLAGS: 1048 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1049 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1050 kau_write(rec, tok); 1051 } 1052 FD_VNODE1_TOKENS; 1053 break; 1054 1055 case AUE_FLOCK: 1056 if (ARG_IS_VALID(kar, ARG_CMD)) { 1057 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1058 kau_write(rec, tok); 1059 } 1060 FD_VNODE1_TOKENS; 1061 break; 1062 1063 case AUE_RFORK: 1064 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1065 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1066 kau_write(rec, tok); 1067 } 1068 /* FALLTHROUGH */ 1069 1070 case AUE_FORK: 1071 case AUE_VFORK: 1072 if (ARG_IS_VALID(kar, ARG_PID)) { 1073 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1074 kau_write(rec, tok); 1075 } 1076 break; 1077 1078 case AUE_IOCTL: 1079 if (ARG_IS_VALID(kar, ARG_CMD)) { 1080 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1081 kau_write(rec, tok); 1082 } 1083 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1084 FD_VNODE1_TOKENS; 1085 else { 1086 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1087 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1088 kau_write(rec, tok); 1089 } else { 1090 if (ARG_IS_VALID(kar, ARG_FD)) { 1091 tok = au_to_arg32(1, "fd", 1092 ar->ar_arg_fd); 1093 kau_write(rec, tok); 1094 } 1095 } 1096 } 1097 break; 1098 1099 case AUE_KILL: 1100 case AUE_KILLPG: 1101 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1102 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1103 kau_write(rec, tok); 1104 } 1105 PROCESS_PID_TOKENS(1); 1106 break; 1107 1108 case AUE_KTRACE: 1109 if (ARG_IS_VALID(kar, ARG_CMD)) { 1110 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1111 kau_write(rec, tok); 1112 } 1113 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1114 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1115 kau_write(rec, tok); 1116 } 1117 PROCESS_PID_TOKENS(4); 1118 UPATH1_VNODE1_TOKENS; 1119 break; 1120 1121 case AUE_LINK: 1122 case AUE_LINKAT: 1123 case AUE_RENAME: 1124 case AUE_RENAMEAT: 1125 ATFD1_TOKENS(1); 1126 UPATH1_VNODE1_TOKENS; 1127 ATFD2_TOKENS(3); 1128 UPATH2_TOKENS; 1129 break; 1130 1131 case AUE_LOADSHFILE: 1132 ADDR_TOKEN(4, "base addr"); 1133 UPATH1_VNODE1_TOKENS; 1134 break; 1135 1136 case AUE_MKDIR: 1137 case AUE_MKDIRAT: 1138 case AUE_MKFIFO: 1139 case AUE_MKFIFOAT: 1140 ATFD1_TOKENS(1); 1141 if (ARG_IS_VALID(kar, ARG_MODE)) { 1142 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1143 kau_write(rec, tok); 1144 } 1145 UPATH1_VNODE1_TOKENS; 1146 break; 1147 1148 case AUE_MKNOD: 1149 case AUE_MKNODAT: 1150 ATFD1_TOKENS(1); 1151 if (ARG_IS_VALID(kar, ARG_MODE)) { 1152 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1153 kau_write(rec, tok); 1154 } 1155 if (ARG_IS_VALID(kar, ARG_DEV)) { 1156 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1157 kau_write(rec, tok); 1158 } 1159 UPATH1_VNODE1_TOKENS; 1160 break; 1161 1162 case AUE_MMAP: 1163 case AUE_MUNMAP: 1164 case AUE_MPROTECT: 1165 case AUE_MLOCK: 1166 case AUE_MUNLOCK: 1167 case AUE_MINHERIT: 1168 ADDR_TOKEN(1, "addr"); 1169 if (ARG_IS_VALID(kar, ARG_LEN)) { 1170 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1171 kau_write(rec, tok); 1172 } 1173 if (ar->ar_event == AUE_MMAP) 1174 FD_VNODE1_TOKENS; 1175 if (ar->ar_event == AUE_MPROTECT) { 1176 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1177 tok = au_to_arg32(3, "protection", 1178 ar->ar_arg_value); 1179 kau_write(rec, tok); 1180 } 1181 } 1182 if (ar->ar_event == AUE_MINHERIT) { 1183 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1184 tok = au_to_arg32(3, "inherit", 1185 ar->ar_arg_value); 1186 kau_write(rec, tok); 1187 } 1188 } 1189 break; 1190 1191 case AUE_MOUNT: 1192 case AUE_NMOUNT: 1193 /* XXX Need to handle NFS mounts */ 1194 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1195 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1196 kau_write(rec, tok); 1197 } 1198 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1199 tok = au_to_text(ar->ar_arg_text); 1200 kau_write(rec, tok); 1201 } 1202 /* FALLTHROUGH */ 1203 1204 case AUE_NFS_SVC: 1205 if (ARG_IS_VALID(kar, ARG_CMD)) { 1206 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1207 kau_write(rec, tok); 1208 } 1209 break; 1210 1211 case AUE_UMOUNT: 1212 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1213 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1214 kau_write(rec, tok); 1215 } 1216 UPATH1_VNODE1_TOKENS; 1217 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1218 tok = au_to_text(ar->ar_arg_text); 1219 kau_write(rec, tok); 1220 } 1221 break; 1222 1223 case AUE_MSGCTL: 1224 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1225 /* Fall through */ 1226 1227 case AUE_MSGRCV: 1228 case AUE_MSGSND: 1229 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1230 kau_write(rec, tok); 1231 if (ar->ar_errno != EINVAL) { 1232 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1233 kau_write(rec, tok); 1234 } 1235 break; 1236 1237 case AUE_MSGGET: 1238 if (ar->ar_errno == 0) { 1239 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1240 tok = au_to_ipc(AT_IPC_MSG, 1241 ar->ar_arg_svipc_id); 1242 kau_write(rec, tok); 1243 } 1244 } 1245 break; 1246 1247 case AUE_RESETSHFILE: 1248 ADDR_TOKEN(1, "base addr"); 1249 break; 1250 1251 case AUE_OPEN_RC: 1252 case AUE_OPEN_RTC: 1253 case AUE_OPEN_RWC: 1254 case AUE_OPEN_RWTC: 1255 case AUE_OPEN_WC: 1256 case AUE_OPEN_WTC: 1257 case AUE_CREAT: 1258 if (ARG_IS_VALID(kar, ARG_MODE)) { 1259 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1260 kau_write(rec, tok); 1261 } 1262 /* FALLTHROUGH */ 1263 1264 case AUE_OPEN_R: 1265 case AUE_OPEN_RT: 1266 case AUE_OPEN_RW: 1267 case AUE_OPEN_RWT: 1268 case AUE_OPEN_W: 1269 case AUE_OPEN_WT: 1270 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1271 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1272 kau_write(rec, tok); 1273 } 1274 UPATH1_VNODE1_TOKENS; 1275 break; 1276 1277 case AUE_OPENAT_RC: 1278 case AUE_OPENAT_RTC: 1279 case AUE_OPENAT_RWC: 1280 case AUE_OPENAT_RWTC: 1281 case AUE_OPENAT_WC: 1282 case AUE_OPENAT_WTC: 1283 if (ARG_IS_VALID(kar, ARG_MODE)) { 1284 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1285 kau_write(rec, tok); 1286 } 1287 /* FALLTHROUGH */ 1288 1289 case AUE_OPENAT_R: 1290 case AUE_OPENAT_RT: 1291 case AUE_OPENAT_RW: 1292 case AUE_OPENAT_RWT: 1293 case AUE_OPENAT_W: 1294 case AUE_OPENAT_WT: 1295 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1296 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1297 kau_write(rec, tok); 1298 } 1299 ATFD1_TOKENS(1); 1300 UPATH1_VNODE1_TOKENS; 1301 break; 1302 1303 case AUE_PROCCTL: 1304 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1305 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1306 kau_write(rec, tok); 1307 } 1308 if (ARG_IS_VALID(kar, ARG_CMD)) { 1309 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1310 kau_write(rec, tok); 1311 } 1312 PROCESS_PID_TOKENS(3); 1313 break; 1314 1315 case AUE_PTRACE: 1316 if (ARG_IS_VALID(kar, ARG_CMD)) { 1317 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1318 kau_write(rec, tok); 1319 } 1320 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1321 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1322 kau_write(rec, tok); 1323 } 1324 PROCESS_PID_TOKENS(2); 1325 break; 1326 1327 case AUE_QUOTACTL: 1328 if (ARG_IS_VALID(kar, ARG_CMD)) { 1329 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1330 kau_write(rec, tok); 1331 } 1332 if (ARG_IS_VALID(kar, ARG_UID)) { 1333 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1334 kau_write(rec, tok); 1335 } 1336 if (ARG_IS_VALID(kar, ARG_GID)) { 1337 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1338 kau_write(rec, tok); 1339 } 1340 UPATH1_VNODE1_TOKENS; 1341 break; 1342 1343 case AUE_REBOOT: 1344 if (ARG_IS_VALID(kar, ARG_CMD)) { 1345 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1346 kau_write(rec, tok); 1347 } 1348 break; 1349 1350 case AUE_SEMCTL: 1351 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1352 /* Fall through */ 1353 1354 case AUE_SEMOP: 1355 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1356 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1357 kau_write(rec, tok); 1358 if (ar->ar_errno != EINVAL) { 1359 tok = au_to_ipc(AT_IPC_SEM, 1360 ar->ar_arg_svipc_id); 1361 kau_write(rec, tok); 1362 } 1363 } 1364 break; 1365 1366 case AUE_SEMGET: 1367 if (ar->ar_errno == 0) { 1368 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1369 tok = au_to_ipc(AT_IPC_SEM, 1370 ar->ar_arg_svipc_id); 1371 kau_write(rec, tok); 1372 } 1373 } 1374 break; 1375 1376 case AUE_SETEGID: 1377 if (ARG_IS_VALID(kar, ARG_EGID)) { 1378 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1379 kau_write(rec, tok); 1380 } 1381 break; 1382 1383 case AUE_SETEUID: 1384 if (ARG_IS_VALID(kar, ARG_EUID)) { 1385 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1386 kau_write(rec, tok); 1387 } 1388 break; 1389 1390 case AUE_SETREGID: 1391 if (ARG_IS_VALID(kar, ARG_RGID)) { 1392 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1393 kau_write(rec, tok); 1394 } 1395 if (ARG_IS_VALID(kar, ARG_EGID)) { 1396 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1397 kau_write(rec, tok); 1398 } 1399 break; 1400 1401 case AUE_SETREUID: 1402 if (ARG_IS_VALID(kar, ARG_RUID)) { 1403 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1404 kau_write(rec, tok); 1405 } 1406 if (ARG_IS_VALID(kar, ARG_EUID)) { 1407 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1408 kau_write(rec, tok); 1409 } 1410 break; 1411 1412 case AUE_SETRESGID: 1413 if (ARG_IS_VALID(kar, ARG_RGID)) { 1414 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1415 kau_write(rec, tok); 1416 } 1417 if (ARG_IS_VALID(kar, ARG_EGID)) { 1418 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1419 kau_write(rec, tok); 1420 } 1421 if (ARG_IS_VALID(kar, ARG_SGID)) { 1422 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1423 kau_write(rec, tok); 1424 } 1425 break; 1426 1427 case AUE_SETRESUID: 1428 if (ARG_IS_VALID(kar, ARG_RUID)) { 1429 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1430 kau_write(rec, tok); 1431 } 1432 if (ARG_IS_VALID(kar, ARG_EUID)) { 1433 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1434 kau_write(rec, tok); 1435 } 1436 if (ARG_IS_VALID(kar, ARG_SUID)) { 1437 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1438 kau_write(rec, tok); 1439 } 1440 break; 1441 1442 case AUE_SETGID: 1443 if (ARG_IS_VALID(kar, ARG_GID)) { 1444 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1445 kau_write(rec, tok); 1446 } 1447 break; 1448 1449 case AUE_SETUID: 1450 if (ARG_IS_VALID(kar, ARG_UID)) { 1451 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1452 kau_write(rec, tok); 1453 } 1454 break; 1455 1456 case AUE_SETGROUPS: 1457 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1458 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1459 { 1460 tok = au_to_arg32(1, "setgroups", 1461 ar->ar_arg_groups.gidset[ctr]); 1462 kau_write(rec, tok); 1463 } 1464 } 1465 break; 1466 1467 case AUE_SETLOGIN: 1468 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1469 tok = au_to_text(ar->ar_arg_login); 1470 kau_write(rec, tok); 1471 } 1472 break; 1473 1474 case AUE_SETPRIORITY: 1475 if (ARG_IS_VALID(kar, ARG_CMD)) { 1476 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1477 kau_write(rec, tok); 1478 } 1479 if (ARG_IS_VALID(kar, ARG_UID)) { 1480 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1481 kau_write(rec, tok); 1482 } 1483 PROCESS_PID_TOKENS(2); 1484 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1485 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1486 kau_write(rec, tok); 1487 } 1488 break; 1489 1490 case AUE_SETPRIVEXEC: 1491 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1492 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1493 kau_write(rec, tok); 1494 } 1495 break; 1496 1497 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1498 case AUE_SHMAT: 1499 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1500 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1501 kau_write(rec, tok); 1502 /* XXXAUDIT: Does having the ipc token make sense? */ 1503 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1504 kau_write(rec, tok); 1505 } 1506 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1507 tok = au_to_arg32(2, "shmaddr", 1508 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1509 kau_write(rec, tok); 1510 } 1511 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1512 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1513 kau_write(rec, tok); 1514 } 1515 break; 1516 1517 case AUE_SHMCTL: 1518 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1519 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1520 kau_write(rec, tok); 1521 /* XXXAUDIT: Does having the ipc token make sense? */ 1522 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1523 kau_write(rec, tok); 1524 } 1525 switch (ar->ar_arg_svipc_cmd) { 1526 case IPC_STAT: 1527 ar->ar_event = AUE_SHMCTL_STAT; 1528 break; 1529 case IPC_RMID: 1530 ar->ar_event = AUE_SHMCTL_RMID; 1531 break; 1532 case IPC_SET: 1533 ar->ar_event = AUE_SHMCTL_SET; 1534 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1535 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1536 kau_write(rec, tok); 1537 } 1538 break; 1539 default: 1540 break; /* We will audit a bad command */ 1541 } 1542 break; 1543 1544 case AUE_SHMDT: 1545 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1546 tok = au_to_arg32(1, "shmaddr", 1547 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1548 kau_write(rec, tok); 1549 } 1550 break; 1551 1552 case AUE_SHMGET: 1553 /* This is unusual; the return value is in an argument token */ 1554 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1555 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1556 kau_write(rec, tok); 1557 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1558 kau_write(rec, tok); 1559 } 1560 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1561 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1562 kau_write(rec, tok); 1563 } 1564 break; 1565 1566 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1567 * and AUE_SEMUNLINK are Posix IPC */ 1568 case AUE_SHMOPEN: 1569 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1570 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1571 kau_write(rec, tok); 1572 } 1573 if (ARG_IS_VALID(kar, ARG_MODE)) { 1574 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1575 kau_write(rec, tok); 1576 } 1577 /* FALLTHROUGH */ 1578 1579 case AUE_SHMUNLINK: 1580 UPATH1_TOKENS; 1581 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1582 struct ipc_perm perm; 1583 1584 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1585 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1586 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1587 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1588 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1589 perm.seq = 0; 1590 perm.key = 0; 1591 tok = au_to_ipc_perm(&perm); 1592 kau_write(rec, tok); 1593 } 1594 break; 1595 1596 case AUE_SEMOPEN: 1597 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1598 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1599 kau_write(rec, tok); 1600 } 1601 if (ARG_IS_VALID(kar, ARG_MODE)) { 1602 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1603 kau_write(rec, tok); 1604 } 1605 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1606 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1607 kau_write(rec, tok); 1608 } 1609 /* FALLTHROUGH */ 1610 1611 case AUE_SEMUNLINK: 1612 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1613 tok = au_to_text(ar->ar_arg_text); 1614 kau_write(rec, tok); 1615 } 1616 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1617 struct ipc_perm perm; 1618 1619 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1620 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1621 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1622 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1623 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1624 perm.seq = 0; 1625 perm.key = 0; 1626 tok = au_to_ipc_perm(&perm); 1627 kau_write(rec, tok); 1628 } 1629 break; 1630 1631 case AUE_SEMCLOSE: 1632 if (ARG_IS_VALID(kar, ARG_FD)) { 1633 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1634 kau_write(rec, tok); 1635 } 1636 break; 1637 1638 case AUE_SYMLINK: 1639 case AUE_SYMLINKAT: 1640 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1641 tok = au_to_text(ar->ar_arg_text); 1642 kau_write(rec, tok); 1643 } 1644 ATFD1_TOKENS(1); 1645 UPATH1_VNODE1_TOKENS; 1646 break; 1647 1648 case AUE_SYSCTL: 1649 case AUE_SYSCTL_NONADMIN: 1650 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1651 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1652 tok = au_to_arg32(1, "name", 1653 ar->ar_arg_ctlname[ctr]); 1654 kau_write(rec, tok); 1655 } 1656 } 1657 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1658 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1659 kau_write(rec, tok); 1660 } 1661 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1662 tok = au_to_text(ar->ar_arg_text); 1663 kau_write(rec, tok); 1664 } 1665 break; 1666 1667 case AUE_UMASK: 1668 if (ARG_IS_VALID(kar, ARG_MASK)) { 1669 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1670 kau_write(rec, tok); 1671 } 1672 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1673 kau_write(rec, tok); 1674 break; 1675 1676 case AUE_WAIT4: 1677 case AUE_WAIT6: 1678 PROCESS_PID_TOKENS(1); 1679 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1680 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1681 kau_write(rec, tok); 1682 } 1683 break; 1684 1685 case AUE_CAP_RIGHTS_LIMIT: 1686 /* 1687 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1688 */ 1689 FD_VNODE1_TOKENS; 1690 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1691 tok = au_to_rights(&ar->ar_arg_rights); 1692 kau_write(rec, tok); 1693 } 1694 break; 1695 1696 case AUE_CAP_FCNTLS_GET: 1697 case AUE_CAP_IOCTLS_GET: 1698 case AUE_CAP_IOCTLS_LIMIT: 1699 case AUE_CAP_RIGHTS_GET: 1700 if (ARG_IS_VALID(kar, ARG_FD)) { 1701 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1702 kau_write(rec, tok); 1703 } 1704 break; 1705 1706 case AUE_CAP_FCNTLS_LIMIT: 1707 FD_VNODE1_TOKENS; 1708 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1709 tok = au_to_arg32(2, "fcntlrights", 1710 ar->ar_arg_fcntl_rights); 1711 kau_write(rec, tok); 1712 } 1713 break; 1714 1715 case AUE_CAP_ENTER: 1716 case AUE_CAP_GETMODE: 1717 break; 1718 1719 case AUE_NULL: 1720 default: 1721 printf("BSM conversion requested for unknown event %d\n", 1722 ar->ar_event); 1723 1724 /* 1725 * Write the subject token so it is properly freed here. 1726 */ 1727 if (jail_tok != NULL) 1728 kau_write(rec, jail_tok); 1729 kau_write(rec, subj_tok); 1730 kau_free(rec); 1731 return (BSM_NOAUDIT); 1732 } 1733 1734 if (jail_tok != NULL) 1735 kau_write(rec, jail_tok); 1736 kau_write(rec, subj_tok); 1737 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1738 kau_write(rec, tok); /* Every record gets a return token */ 1739 1740 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1741 1742 *pau = rec; 1743 return (BSM_SUCCESS); 1744 } 1745 1746 /* 1747 * Verify that a record is a valid BSM record. This verification is simple 1748 * now, but may be expanded on sometime in the future. Return 1 if the 1749 * record is good, 0 otherwise. 1750 */ 1751 int 1752 bsm_rec_verify(void *rec) 1753 { 1754 char c = *(char *)rec; 1755 1756 /* 1757 * Check the token ID of the first token; it has to be a header 1758 * token. 1759 * 1760 * XXXAUDIT There needs to be a token structure to map a token. 1761 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1762 */ 1763 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1764 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1765 return (0); 1766 return (1); 1767 } 1768