1 /* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * Copyright (c) 2016-2017 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Portions of this software were developed by BAE Systems, the University of 7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 9 * Computing (TC) research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/vnode.h> 41 #include <sys/ipc.h> 42 #include <sys/lock.h> 43 #include <sys/malloc.h> 44 #include <sys/mutex.h> 45 #include <sys/socket.h> 46 #include <sys/extattr.h> 47 #include <sys/fcntl.h> 48 #include <sys/user.h> 49 #include <sys/systm.h> 50 51 #include <bsm/audit.h> 52 #include <bsm/audit_internal.h> 53 #include <bsm/audit_record.h> 54 #include <bsm/audit_kevents.h> 55 56 #include <security/audit/audit.h> 57 #include <security/audit/audit_private.h> 58 59 #include <netinet/in_systm.h> 60 #include <netinet/in.h> 61 #include <netinet/ip.h> 62 63 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 64 65 static void audit_sys_auditon(struct audit_record *ar, 66 struct au_record *rec); 67 68 /* 69 * Initialize the BSM auditing subsystem. 70 */ 71 void 72 kau_init(void) 73 { 74 75 au_evclassmap_init(); 76 au_evnamemap_init(); 77 } 78 79 /* 80 * This call reserves memory for the audit record. Memory must be guaranteed 81 * before any auditable event can be generated. The au_record structure 82 * maintains a reference to the memory allocated above and also the list of 83 * tokens associated with this record. 84 */ 85 static struct au_record * 86 kau_open(void) 87 { 88 struct au_record *rec; 89 90 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 91 rec->data = NULL; 92 TAILQ_INIT(&rec->token_q); 93 rec->len = 0; 94 rec->used = 1; 95 96 return (rec); 97 } 98 99 /* 100 * Store the token with the record descriptor. 101 */ 102 static void 103 kau_write(struct au_record *rec, struct au_token *tok) 104 { 105 106 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 107 108 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 109 rec->len += tok->len; 110 } 111 112 /* 113 * Close out the audit record by adding the header token, identifying any 114 * missing tokens. Write out the tokens to the record memory. 115 */ 116 static void 117 kau_close(struct au_record *rec, struct timespec *ctime, short event) 118 { 119 u_char *dptr; 120 size_t tot_rec_size; 121 token_t *cur, *hdr, *trail; 122 struct timeval tm; 123 size_t hdrsize; 124 struct auditinfo_addr ak; 125 struct in6_addr *ap; 126 127 audit_get_kinfo(&ak); 128 hdrsize = 0; 129 switch (ak.ai_termid.at_type) { 130 case AU_IPv4: 131 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 132 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 133 break; 134 case AU_IPv6: 135 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 136 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 137 AUDIT_HEADER_EX_SIZE(&ak); 138 break; 139 default: 140 panic("kau_close: invalid address family"); 141 } 142 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 143 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 144 145 tm.tv_usec = ctime->tv_nsec / 1000; 146 tm.tv_sec = ctime->tv_sec; 147 if (hdrsize != AUDIT_HEADER_SIZE) 148 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 149 else 150 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 151 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 152 153 trail = au_to_trailer(tot_rec_size); 154 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 155 156 rec->len = tot_rec_size; 157 dptr = rec->data; 158 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 159 memcpy(dptr, cur->t_data, cur->len); 160 dptr += cur->len; 161 } 162 } 163 164 /* 165 * Free a BSM audit record by releasing all the tokens and clearing the audit 166 * record information. 167 */ 168 void 169 kau_free(struct au_record *rec) 170 { 171 struct au_token *tok; 172 173 /* Free the token list. */ 174 while ((tok = TAILQ_FIRST(&rec->token_q))) { 175 TAILQ_REMOVE(&rec->token_q, tok, tokens); 176 free(tok->t_data, M_AUDITBSM); 177 free(tok, M_AUDITBSM); 178 } 179 180 rec->used = 0; 181 rec->len = 0; 182 free(rec->data, M_AUDITBSM); 183 free(rec, M_AUDITBSM); 184 } 185 186 /* 187 * XXX: May want turn some (or all) of these macros into functions in order 188 * to reduce the generated code size. 189 * 190 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 191 * caller are OK with this. 192 */ 193 #define ATFD1_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 195 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define ATFD2_TOKENS(argnum) do { \ 201 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 202 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define UPATH1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 209 tok = au_to_path(ar->ar_arg_upath1); \ 210 kau_write(rec, tok); \ 211 } \ 212 } while (0) 213 214 #define UPATH2_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 216 tok = au_to_path(ar->ar_arg_upath2); \ 217 kau_write(rec, tok); \ 218 } \ 219 } while (0) 220 221 #define VNODE1_TOKENS do { \ 222 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 223 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 224 kau_write(rec, tok); \ 225 } \ 226 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 227 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 228 kau_write(rec, tok); \ 229 } \ 230 } while (0) 231 232 #define UPATH1_VNODE1_TOKENS do { \ 233 UPATH1_TOKENS; \ 234 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 235 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 236 kau_write(rec, tok); \ 237 } \ 238 } while (0) 239 240 #define VNODE2_TOKENS do { \ 241 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 242 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 243 kau_write(rec, tok); \ 244 } \ 245 } while (0) 246 247 #define FD_VNODE1_TOKENS do { \ 248 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 249 if (ARG_IS_VALID(kar, ARG_FD)) { \ 250 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 251 kau_write(rec, tok); \ 252 } \ 253 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 254 kau_write(rec, tok); \ 255 } else { \ 256 if (ARG_IS_VALID(kar, ARG_FD)) { \ 257 tok = au_to_arg32(1, "non-file: fd", \ 258 ar->ar_arg_fd); \ 259 kau_write(rec, tok); \ 260 } \ 261 } \ 262 } while (0) 263 264 #define PROCESS_PID_TOKENS(argn) do { \ 265 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 266 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 267 tok = au_to_process32_ex(ar->ar_arg_auid, \ 268 ar->ar_arg_euid, ar->ar_arg_egid, \ 269 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 270 ar->ar_arg_pid, ar->ar_arg_asid, \ 271 &ar->ar_arg_termid_addr); \ 272 kau_write(rec, tok); \ 273 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 274 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 275 kau_write(rec, tok); \ 276 } \ 277 } while (0) 278 279 #define EXTATTR_TOKENS(namespace_argnum) do { \ 280 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 281 switch (ar->ar_arg_value) { \ 282 case EXTATTR_NAMESPACE_USER: \ 283 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 284 break; \ 285 case EXTATTR_NAMESPACE_SYSTEM: \ 286 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 287 break; \ 288 default: \ 289 tok = au_to_arg32((namespace_argnum), \ 290 "attrnamespace", ar->ar_arg_value); \ 291 break; \ 292 } \ 293 kau_write(rec, tok); \ 294 } \ 295 /* attrname is in the text field */ \ 296 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 297 tok = au_to_text(ar->ar_arg_text); \ 298 kau_write(rec, tok); \ 299 } \ 300 } while (0) 301 302 /* 303 * Not all pointer arguments to system calls are of interest, but in some 304 * cases they reflect delegation of rights, such as mmap(2) followed by 305 * minherit(2) before execve(2), so do the best we can. 306 */ 307 #define ADDR_TOKEN(argnum, argname) do { \ 308 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 309 if (sizeof(void *) == sizeof(uint32_t)) \ 310 tok = au_to_arg32((argnum), (argname), \ 311 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 312 else \ 313 tok = au_to_arg64((argnum), (argname), \ 314 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 315 kau_write(rec, tok); \ 316 } \ 317 } while (0) 318 319 320 /* 321 * Implement auditing for the auditon() system call. The audit tokens that 322 * are generated depend on the command that was sent into the auditon() 323 * system call. 324 */ 325 static void 326 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 327 { 328 struct au_token *tok; 329 330 tok = au_to_arg32(3, "length", ar->ar_arg_len); 331 kau_write(rec, tok); 332 switch (ar->ar_arg_cmd) { 333 case A_OLDSETPOLICY: 334 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 335 tok = au_to_arg64(2, "policy", 336 ar->ar_arg_auditon.au_policy64); 337 kau_write(rec, tok); 338 break; 339 } 340 /* FALLTHROUGH */ 341 342 case A_SETPOLICY: 343 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 344 kau_write(rec, tok); 345 break; 346 347 case A_SETKMASK: 348 tok = au_to_arg32(2, "setkmask:as_success", 349 ar->ar_arg_auditon.au_mask.am_success); 350 kau_write(rec, tok); 351 tok = au_to_arg32(2, "setkmask:as_failure", 352 ar->ar_arg_auditon.au_mask.am_failure); 353 kau_write(rec, tok); 354 break; 355 356 case A_OLDSETQCTRL: 357 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 358 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 359 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 360 kau_write(rec, tok); 361 tok = au_to_arg64(2, "setqctrl:aq_lowater", 362 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 363 kau_write(rec, tok); 364 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 365 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 366 kau_write(rec, tok); 367 tok = au_to_arg64(2, "setqctrl:aq_delay", 368 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 369 kau_write(rec, tok); 370 tok = au_to_arg64(2, "setqctrl:aq_minfree", 371 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 372 kau_write(rec, tok); 373 break; 374 } 375 /* FALLTHROUGH */ 376 377 case A_SETQCTRL: 378 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 379 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 380 kau_write(rec, tok); 381 tok = au_to_arg32(2, "setqctrl:aq_lowater", 382 ar->ar_arg_auditon.au_qctrl.aq_lowater); 383 kau_write(rec, tok); 384 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 385 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 386 kau_write(rec, tok); 387 tok = au_to_arg32(2, "setqctrl:aq_delay", 388 ar->ar_arg_auditon.au_qctrl.aq_delay); 389 kau_write(rec, tok); 390 tok = au_to_arg32(2, "setqctrl:aq_minfree", 391 ar->ar_arg_auditon.au_qctrl.aq_minfree); 392 kau_write(rec, tok); 393 break; 394 395 case A_SETUMASK: 396 tok = au_to_arg32(2, "setumask:as_success", 397 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 398 kau_write(rec, tok); 399 tok = au_to_arg32(2, "setumask:as_failure", 400 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 401 kau_write(rec, tok); 402 break; 403 404 case A_SETSMASK: 405 tok = au_to_arg32(2, "setsmask:as_success", 406 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 407 kau_write(rec, tok); 408 tok = au_to_arg32(2, "setsmask:as_failure", 409 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 410 kau_write(rec, tok); 411 break; 412 413 case A_OLDSETCOND: 414 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 415 tok = au_to_arg64(2, "setcond", 416 ar->ar_arg_auditon.au_cond64); 417 kau_write(rec, tok); 418 break; 419 } 420 /* FALLTHROUGH */ 421 422 case A_SETCOND: 423 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 424 kau_write(rec, tok); 425 break; 426 427 case A_SETCLASS: 428 kau_write(rec, tok); 429 tok = au_to_arg32(2, "setclass:ec_event", 430 ar->ar_arg_auditon.au_evclass.ec_number); 431 kau_write(rec, tok); 432 tok = au_to_arg32(2, "setclass:ec_class", 433 ar->ar_arg_auditon.au_evclass.ec_class); 434 kau_write(rec, tok); 435 break; 436 437 case A_SETPMASK: 438 tok = au_to_arg32(2, "setpmask:as_success", 439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 440 kau_write(rec, tok); 441 tok = au_to_arg32(2, "setpmask:as_failure", 442 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 443 kau_write(rec, tok); 444 break; 445 446 case A_SETFSIZE: 447 tok = au_to_arg32(2, "setfsize:filesize", 448 ar->ar_arg_auditon.au_fstat.af_filesz); 449 kau_write(rec, tok); 450 break; 451 452 default: 453 break; 454 } 455 } 456 457 /* 458 * Convert an internal kernel audit record to a BSM record and return a 459 * success/failure indicator. The BSM record is passed as an out parameter to 460 * this function. 461 * 462 * Return conditions: 463 * BSM_SUCCESS: The BSM record is valid 464 * BSM_FAILURE: Failure; the BSM record is NULL. 465 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 466 */ 467 int 468 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 469 { 470 struct au_token *tok, *subj_tok, *jail_tok; 471 struct au_record *rec; 472 au_tid_t tid; 473 struct audit_record *ar; 474 int ctr; 475 476 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 477 478 *pau = NULL; 479 ar = &kar->k_ar; 480 rec = kau_open(); 481 482 /* 483 * Create the subject token. If this credential was jailed be sure to 484 * generate a zonename token. 485 */ 486 if (ar->ar_jailname[0] != '\0') 487 jail_tok = au_to_zonename(ar->ar_jailname); 488 else 489 jail_tok = NULL; 490 switch (ar->ar_subj_term_addr.at_type) { 491 case AU_IPv4: 492 tid.port = ar->ar_subj_term_addr.at_port; 493 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 494 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 495 ar->ar_subj_cred.cr_uid, /* eff uid */ 496 ar->ar_subj_egid, /* eff group id */ 497 ar->ar_subj_ruid, /* real uid */ 498 ar->ar_subj_rgid, /* real group id */ 499 ar->ar_subj_pid, /* process id */ 500 ar->ar_subj_asid, /* session ID */ 501 &tid); 502 break; 503 case AU_IPv6: 504 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 505 ar->ar_subj_cred.cr_uid, 506 ar->ar_subj_egid, 507 ar->ar_subj_ruid, 508 ar->ar_subj_rgid, 509 ar->ar_subj_pid, 510 ar->ar_subj_asid, 511 &ar->ar_subj_term_addr); 512 break; 513 default: 514 bzero(&tid, sizeof(tid)); 515 subj_tok = au_to_subject32(ar->ar_subj_auid, 516 ar->ar_subj_cred.cr_uid, 517 ar->ar_subj_egid, 518 ar->ar_subj_ruid, 519 ar->ar_subj_rgid, 520 ar->ar_subj_pid, 521 ar->ar_subj_asid, 522 &tid); 523 } 524 525 /* 526 * The logic inside each case fills in the tokens required for the 527 * event, except for the header, trailer, and return tokens. The 528 * header and trailer tokens are added by the kau_close() function. 529 * The return token is added outside of the switch statement. 530 */ 531 switch(ar->ar_event) { 532 case AUE_ACCEPT: 533 if (ARG_IS_VALID(kar, ARG_FD)) { 534 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 535 kau_write(rec, tok); 536 } 537 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 538 tok = au_to_sock_inet((struct sockaddr_in *) 539 &ar->ar_arg_sockaddr); 540 kau_write(rec, tok); 541 } 542 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 543 tok = au_to_sock_unix((struct sockaddr_un *) 544 &ar->ar_arg_sockaddr); 545 kau_write(rec, tok); 546 UPATH1_TOKENS; 547 } 548 break; 549 550 case AUE_BIND: 551 case AUE_LISTEN: 552 case AUE_CONNECT: 553 case AUE_RECV: 554 case AUE_RECVFROM: 555 case AUE_RECVMSG: 556 case AUE_SEND: 557 case AUE_SENDMSG: 558 case AUE_SENDTO: 559 /* 560 * Socket-related events. 561 */ 562 if (ARG_IS_VALID(kar, ARG_FD)) { 563 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 564 kau_write(rec, tok); 565 } 566 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 567 tok = au_to_sock_inet((struct sockaddr_in *) 568 &ar->ar_arg_sockaddr); 569 kau_write(rec, tok); 570 } 571 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 572 tok = au_to_sock_unix((struct sockaddr_un *) 573 &ar->ar_arg_sockaddr); 574 kau_write(rec, tok); 575 UPATH1_TOKENS; 576 } 577 /* XXX Need to handle ARG_SADDRINET6 */ 578 break; 579 580 case AUE_BINDAT: 581 case AUE_CONNECTAT: 582 ATFD1_TOKENS(1); 583 if (ARG_IS_VALID(kar, ARG_FD)) { 584 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 585 kau_write(rec, tok); 586 } 587 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 588 tok = au_to_sock_unix((struct sockaddr_un *) 589 &ar->ar_arg_sockaddr); 590 kau_write(rec, tok); 591 UPATH1_TOKENS; 592 } 593 break; 594 595 case AUE_SENDFILE: 596 FD_VNODE1_TOKENS; 597 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 598 tok = au_to_sock_inet((struct sockaddr_in *) 599 &ar->ar_arg_sockaddr); 600 kau_write(rec, tok); 601 } 602 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 603 tok = au_to_sock_unix((struct sockaddr_un *) 604 &ar->ar_arg_sockaddr); 605 kau_write(rec, tok); 606 UPATH1_TOKENS; 607 } 608 /* XXX Need to handle ARG_SADDRINET6 */ 609 break; 610 611 case AUE_SOCKET: 612 case AUE_SOCKETPAIR: 613 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 614 tok = au_to_arg32(1, "domain", 615 ar->ar_arg_sockinfo.so_domain); 616 kau_write(rec, tok); 617 tok = au_to_arg32(2, "type", 618 ar->ar_arg_sockinfo.so_type); 619 kau_write(rec, tok); 620 tok = au_to_arg32(3, "protocol", 621 ar->ar_arg_sockinfo.so_protocol); 622 kau_write(rec, tok); 623 } 624 break; 625 626 case AUE_SETSOCKOPT: 627 case AUE_SHUTDOWN: 628 if (ARG_IS_VALID(kar, ARG_FD)) { 629 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 630 kau_write(rec, tok); 631 } 632 break; 633 634 case AUE_ACCT: 635 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 636 UPATH1_VNODE1_TOKENS; 637 } else { 638 tok = au_to_arg32(1, "accounting off", 0); 639 kau_write(rec, tok); 640 } 641 break; 642 643 case AUE_SETAUID: 644 if (ARG_IS_VALID(kar, ARG_AUID)) { 645 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 646 kau_write(rec, tok); 647 } 648 break; 649 650 case AUE_SETAUDIT: 651 if (ARG_IS_VALID(kar, ARG_AUID) && 652 ARG_IS_VALID(kar, ARG_ASID) && 653 ARG_IS_VALID(kar, ARG_AMASK) && 654 ARG_IS_VALID(kar, ARG_TERMID)) { 655 tok = au_to_arg32(1, "setaudit:auid", 656 ar->ar_arg_auid); 657 kau_write(rec, tok); 658 tok = au_to_arg32(1, "setaudit:port", 659 ar->ar_arg_termid.port); 660 kau_write(rec, tok); 661 tok = au_to_arg32(1, "setaudit:machine", 662 ar->ar_arg_termid.machine); 663 kau_write(rec, tok); 664 tok = au_to_arg32(1, "setaudit:as_success", 665 ar->ar_arg_amask.am_success); 666 kau_write(rec, tok); 667 tok = au_to_arg32(1, "setaudit:as_failure", 668 ar->ar_arg_amask.am_failure); 669 kau_write(rec, tok); 670 tok = au_to_arg32(1, "setaudit:asid", 671 ar->ar_arg_asid); 672 kau_write(rec, tok); 673 } 674 break; 675 676 case AUE_SETAUDIT_ADDR: 677 if (ARG_IS_VALID(kar, ARG_AUID) && 678 ARG_IS_VALID(kar, ARG_ASID) && 679 ARG_IS_VALID(kar, ARG_AMASK) && 680 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 681 tok = au_to_arg32(1, "setaudit_addr:auid", 682 ar->ar_arg_auid); 683 kau_write(rec, tok); 684 tok = au_to_arg32(1, "setaudit_addr:as_success", 685 ar->ar_arg_amask.am_success); 686 kau_write(rec, tok); 687 tok = au_to_arg32(1, "setaudit_addr:as_failure", 688 ar->ar_arg_amask.am_failure); 689 kau_write(rec, tok); 690 tok = au_to_arg32(1, "setaudit_addr:asid", 691 ar->ar_arg_asid); 692 kau_write(rec, tok); 693 tok = au_to_arg32(1, "setaudit_addr:type", 694 ar->ar_arg_termid_addr.at_type); 695 kau_write(rec, tok); 696 tok = au_to_arg32(1, "setaudit_addr:port", 697 ar->ar_arg_termid_addr.at_port); 698 kau_write(rec, tok); 699 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 700 tok = au_to_in_addr_ex((struct in6_addr *) 701 &ar->ar_arg_termid_addr.at_addr[0]); 702 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 703 tok = au_to_in_addr((struct in_addr *) 704 &ar->ar_arg_termid_addr.at_addr[0]); 705 kau_write(rec, tok); 706 } 707 break; 708 709 case AUE_AUDITON: 710 /* 711 * For AUDITON commands without own event, audit the cmd. 712 */ 713 if (ARG_IS_VALID(kar, ARG_CMD)) { 714 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 715 kau_write(rec, tok); 716 } 717 /* FALLTHROUGH */ 718 719 case AUE_AUDITON_GETCAR: 720 case AUE_AUDITON_GETCLASS: 721 case AUE_AUDITON_GETCOND: 722 case AUE_AUDITON_GETCWD: 723 case AUE_AUDITON_GETKMASK: 724 case AUE_AUDITON_GETSTAT: 725 case AUE_AUDITON_GPOLICY: 726 case AUE_AUDITON_GQCTRL: 727 case AUE_AUDITON_SETCLASS: 728 case AUE_AUDITON_SETCOND: 729 case AUE_AUDITON_SETKMASK: 730 case AUE_AUDITON_SETSMASK: 731 case AUE_AUDITON_SETSTAT: 732 case AUE_AUDITON_SETUMASK: 733 case AUE_AUDITON_SPOLICY: 734 case AUE_AUDITON_SQCTRL: 735 if (ARG_IS_VALID(kar, ARG_AUDITON)) 736 audit_sys_auditon(ar, rec); 737 break; 738 739 case AUE_AUDITCTL: 740 UPATH1_VNODE1_TOKENS; 741 break; 742 743 case AUE_EXIT: 744 if (ARG_IS_VALID(kar, ARG_EXIT)) { 745 tok = au_to_exit(ar->ar_arg_exitretval, 746 ar->ar_arg_exitstatus); 747 kau_write(rec, tok); 748 } 749 break; 750 751 case AUE_ADJTIME: 752 case AUE_CLOCK_SETTIME: 753 case AUE_AUDIT: 754 case AUE_DUP2: 755 case AUE_GETAUDIT: 756 case AUE_GETAUDIT_ADDR: 757 case AUE_GETAUID: 758 case AUE_GETCWD: 759 case AUE_GETFSSTAT: 760 case AUE_GETRESUID: 761 case AUE_GETRESGID: 762 case AUE_KQUEUE: 763 case AUE_MODLOAD: 764 case AUE_MODUNLOAD: 765 case AUE_MSGSYS: 766 case AUE_NTP_ADJTIME: 767 case AUE_PIPE: 768 case AUE_POSIX_OPENPT: 769 case AUE_PROFILE: 770 case AUE_RTPRIO: 771 case AUE_SEMSYS: 772 case AUE_SHMSYS: 773 case AUE_SETPGRP: 774 case AUE_SETRLIMIT: 775 case AUE_SETSID: 776 case AUE_SETTIMEOFDAY: 777 case AUE_SYSARCH: 778 779 /* 780 * Header, subject, and return tokens added at end. 781 */ 782 break; 783 784 case AUE_ACL_DELETE_FD: 785 case AUE_ACL_DELETE_FILE: 786 case AUE_ACL_CHECK_FD: 787 case AUE_ACL_CHECK_FILE: 788 case AUE_ACL_CHECK_LINK: 789 case AUE_ACL_DELETE_LINK: 790 case AUE_ACL_GET_FD: 791 case AUE_ACL_GET_FILE: 792 case AUE_ACL_GET_LINK: 793 case AUE_ACL_SET_FD: 794 case AUE_ACL_SET_FILE: 795 case AUE_ACL_SET_LINK: 796 if (ARG_IS_VALID(kar, ARG_VALUE)) { 797 tok = au_to_arg32(1, "type", ar->ar_arg_value); 798 kau_write(rec, tok); 799 } 800 ATFD1_TOKENS(1); 801 UPATH1_VNODE1_TOKENS; 802 break; 803 804 case AUE_CHDIR: 805 case AUE_CHROOT: 806 case AUE_FSTATAT: 807 case AUE_FUTIMESAT: 808 case AUE_GETATTRLIST: 809 case AUE_JAIL: 810 case AUE_LUTIMES: 811 case AUE_NFS_GETFH: 812 case AUE_LSTAT: 813 case AUE_LPATHCONF: 814 case AUE_PATHCONF: 815 case AUE_READLINK: 816 case AUE_READLINKAT: 817 case AUE_REVOKE: 818 case AUE_RMDIR: 819 case AUE_SEARCHFS: 820 case AUE_SETATTRLIST: 821 case AUE_STAT: 822 case AUE_STATFS: 823 case AUE_SWAPON: 824 case AUE_SWAPOFF: 825 case AUE_TRUNCATE: 826 case AUE_UNDELETE: 827 case AUE_UNLINK: 828 case AUE_UNLINKAT: 829 case AUE_UTIMES: 830 ATFD1_TOKENS(1); 831 UPATH1_VNODE1_TOKENS; 832 break; 833 834 case AUE_ACCESS: 835 case AUE_EACCESS: 836 case AUE_FACCESSAT: 837 ATFD1_TOKENS(1); 838 UPATH1_VNODE1_TOKENS; 839 if (ARG_IS_VALID(kar, ARG_VALUE)) { 840 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 841 kau_write(rec, tok); 842 } 843 break; 844 845 case AUE_FHSTATFS: 846 case AUE_FHOPEN: 847 case AUE_FHSTAT: 848 /* XXXRW: Need to audit vnode argument. */ 849 break; 850 851 case AUE_CHFLAGS: 852 case AUE_LCHFLAGS: 853 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 854 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 855 kau_write(rec, tok); 856 } 857 UPATH1_VNODE1_TOKENS; 858 break; 859 860 case AUE_CHMOD: 861 case AUE_LCHMOD: 862 if (ARG_IS_VALID(kar, ARG_MODE)) { 863 tok = au_to_arg32(2, "new file mode", 864 ar->ar_arg_mode); 865 kau_write(rec, tok); 866 } 867 UPATH1_VNODE1_TOKENS; 868 break; 869 870 case AUE_FCHMODAT: 871 ATFD1_TOKENS(1); 872 if (ARG_IS_VALID(kar, ARG_MODE)) { 873 tok = au_to_arg32(3, "new file mode", 874 ar->ar_arg_mode); 875 kau_write(rec, tok); 876 } 877 UPATH1_VNODE1_TOKENS; 878 break; 879 880 case AUE_CHOWN: 881 case AUE_LCHOWN: 882 if (ARG_IS_VALID(kar, ARG_UID)) { 883 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 884 kau_write(rec, tok); 885 } 886 if (ARG_IS_VALID(kar, ARG_GID)) { 887 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 888 kau_write(rec, tok); 889 } 890 UPATH1_VNODE1_TOKENS; 891 break; 892 893 case AUE_FCHOWNAT: 894 ATFD1_TOKENS(1); 895 if (ARG_IS_VALID(kar, ARG_UID)) { 896 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 897 kau_write(rec, tok); 898 } 899 if (ARG_IS_VALID(kar, ARG_GID)) { 900 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 901 kau_write(rec, tok); 902 } 903 UPATH1_VNODE1_TOKENS; 904 break; 905 906 case AUE_EXCHANGEDATA: 907 UPATH1_VNODE1_TOKENS; 908 UPATH2_TOKENS; 909 break; 910 911 case AUE_CLOSE: 912 if (ARG_IS_VALID(kar, ARG_FD)) { 913 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 914 kau_write(rec, tok); 915 } 916 UPATH1_VNODE1_TOKENS; 917 break; 918 919 case AUE_CLOSEFROM: 920 if (ARG_IS_VALID(kar, ARG_FD)) { 921 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 922 kau_write(rec, tok); 923 } 924 break; 925 926 case AUE_CORE: 927 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 928 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 929 kau_write(rec, tok); 930 } 931 UPATH1_VNODE1_TOKENS; 932 break; 933 934 case AUE_EXTATTRCTL: 935 UPATH1_VNODE1_TOKENS; 936 if (ARG_IS_VALID(kar, ARG_CMD)) { 937 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 938 kau_write(rec, tok); 939 } 940 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 941 UPATH2_TOKENS; 942 VNODE2_TOKENS; 943 EXTATTR_TOKENS(4); 944 break; 945 946 case AUE_EXTATTR_GET_FILE: 947 case AUE_EXTATTR_SET_FILE: 948 case AUE_EXTATTR_LIST_FILE: 949 case AUE_EXTATTR_DELETE_FILE: 950 case AUE_EXTATTR_GET_LINK: 951 case AUE_EXTATTR_SET_LINK: 952 case AUE_EXTATTR_LIST_LINK: 953 case AUE_EXTATTR_DELETE_LINK: 954 UPATH1_VNODE1_TOKENS; 955 EXTATTR_TOKENS(2); 956 break; 957 958 case AUE_EXTATTR_GET_FD: 959 case AUE_EXTATTR_SET_FD: 960 case AUE_EXTATTR_LIST_FD: 961 case AUE_EXTATTR_DELETE_FD: 962 if (ARG_IS_VALID(kar, ARG_FD)) { 963 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 964 kau_write(rec, tok); 965 } 966 EXTATTR_TOKENS(2); 967 break; 968 969 case AUE_FEXECVE: 970 if (ARG_IS_VALID(kar, ARG_FD)) { 971 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 972 kau_write(rec, tok); 973 } 974 /* FALLTHROUGH */ 975 976 case AUE_EXECVE: 977 case AUE_MAC_EXECVE: 978 if (ARG_IS_VALID(kar, ARG_ARGV)) { 979 tok = au_to_exec_args(ar->ar_arg_argv, 980 ar->ar_arg_argc); 981 kau_write(rec, tok); 982 } 983 if (ARG_IS_VALID(kar, ARG_ENVV)) { 984 tok = au_to_exec_env(ar->ar_arg_envv, 985 ar->ar_arg_envc); 986 kau_write(rec, tok); 987 } 988 UPATH1_VNODE1_TOKENS; 989 break; 990 991 case AUE_FCHMOD: 992 if (ARG_IS_VALID(kar, ARG_MODE)) { 993 tok = au_to_arg32(2, "new file mode", 994 ar->ar_arg_mode); 995 kau_write(rec, tok); 996 } 997 FD_VNODE1_TOKENS; 998 break; 999 1000 /* 1001 * XXXRW: Some of these need to handle non-vnode cases as well. 1002 */ 1003 case AUE_FCHDIR: 1004 case AUE_FPATHCONF: 1005 case AUE_FSTAT: 1006 case AUE_FSTATFS: 1007 case AUE_FSYNC: 1008 case AUE_FTRUNCATE: 1009 case AUE_FUTIMES: 1010 case AUE_GETDIRENTRIES: 1011 case AUE_GETDIRENTRIESATTR: 1012 case AUE_LSEEK: 1013 case AUE_POLL: 1014 case AUE_POSIX_FALLOCATE: 1015 case AUE_PREAD: 1016 case AUE_PWRITE: 1017 case AUE_READ: 1018 case AUE_READV: 1019 case AUE_WRITE: 1020 case AUE_WRITEV: 1021 FD_VNODE1_TOKENS; 1022 break; 1023 1024 case AUE_FCHOWN: 1025 if (ARG_IS_VALID(kar, ARG_UID)) { 1026 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1027 kau_write(rec, tok); 1028 } 1029 if (ARG_IS_VALID(kar, ARG_GID)) { 1030 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1031 kau_write(rec, tok); 1032 } 1033 FD_VNODE1_TOKENS; 1034 break; 1035 1036 case AUE_FCNTL: 1037 if (ARG_IS_VALID(kar, ARG_CMD)) { 1038 tok = au_to_arg32(2, "cmd", 1039 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1040 kau_write(rec, tok); 1041 } 1042 FD_VNODE1_TOKENS; 1043 break; 1044 1045 case AUE_FCHFLAGS: 1046 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1047 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1048 kau_write(rec, tok); 1049 } 1050 FD_VNODE1_TOKENS; 1051 break; 1052 1053 case AUE_FLOCK: 1054 if (ARG_IS_VALID(kar, ARG_CMD)) { 1055 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1056 kau_write(rec, tok); 1057 } 1058 FD_VNODE1_TOKENS; 1059 break; 1060 1061 case AUE_RFORK: 1062 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1063 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1064 kau_write(rec, tok); 1065 } 1066 /* FALLTHROUGH */ 1067 1068 case AUE_FORK: 1069 case AUE_VFORK: 1070 if (ARG_IS_VALID(kar, ARG_PID)) { 1071 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1072 kau_write(rec, tok); 1073 } 1074 break; 1075 1076 case AUE_IOCTL: 1077 if (ARG_IS_VALID(kar, ARG_CMD)) { 1078 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1079 kau_write(rec, tok); 1080 } 1081 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1082 FD_VNODE1_TOKENS; 1083 else { 1084 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1085 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1086 kau_write(rec, tok); 1087 } else { 1088 if (ARG_IS_VALID(kar, ARG_FD)) { 1089 tok = au_to_arg32(1, "fd", 1090 ar->ar_arg_fd); 1091 kau_write(rec, tok); 1092 } 1093 } 1094 } 1095 break; 1096 1097 case AUE_KILL: 1098 case AUE_KILLPG: 1099 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1100 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1101 kau_write(rec, tok); 1102 } 1103 PROCESS_PID_TOKENS(1); 1104 break; 1105 1106 case AUE_KTRACE: 1107 if (ARG_IS_VALID(kar, ARG_CMD)) { 1108 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1109 kau_write(rec, tok); 1110 } 1111 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1112 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1113 kau_write(rec, tok); 1114 } 1115 PROCESS_PID_TOKENS(4); 1116 UPATH1_VNODE1_TOKENS; 1117 break; 1118 1119 case AUE_LINK: 1120 case AUE_LINKAT: 1121 case AUE_RENAME: 1122 case AUE_RENAMEAT: 1123 ATFD1_TOKENS(1); 1124 UPATH1_VNODE1_TOKENS; 1125 ATFD2_TOKENS(3); 1126 UPATH2_TOKENS; 1127 break; 1128 1129 case AUE_LOADSHFILE: 1130 ADDR_TOKEN(4, "base addr"); 1131 UPATH1_VNODE1_TOKENS; 1132 break; 1133 1134 case AUE_MKDIR: 1135 case AUE_MKDIRAT: 1136 case AUE_MKFIFO: 1137 case AUE_MKFIFOAT: 1138 ATFD1_TOKENS(1); 1139 if (ARG_IS_VALID(kar, ARG_MODE)) { 1140 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1141 kau_write(rec, tok); 1142 } 1143 UPATH1_VNODE1_TOKENS; 1144 break; 1145 1146 case AUE_MKNOD: 1147 case AUE_MKNODAT: 1148 ATFD1_TOKENS(1); 1149 if (ARG_IS_VALID(kar, ARG_MODE)) { 1150 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1151 kau_write(rec, tok); 1152 } 1153 if (ARG_IS_VALID(kar, ARG_DEV)) { 1154 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1155 kau_write(rec, tok); 1156 } 1157 UPATH1_VNODE1_TOKENS; 1158 break; 1159 1160 case AUE_MMAP: 1161 case AUE_MUNMAP: 1162 case AUE_MPROTECT: 1163 case AUE_MLOCK: 1164 case AUE_MUNLOCK: 1165 case AUE_MINHERIT: 1166 ADDR_TOKEN(1, "addr"); 1167 if (ARG_IS_VALID(kar, ARG_LEN)) { 1168 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1169 kau_write(rec, tok); 1170 } 1171 if (ar->ar_event == AUE_MMAP) 1172 FD_VNODE1_TOKENS; 1173 if (ar->ar_event == AUE_MPROTECT) { 1174 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1175 tok = au_to_arg32(3, "protection", 1176 ar->ar_arg_value); 1177 kau_write(rec, tok); 1178 } 1179 } 1180 if (ar->ar_event == AUE_MINHERIT) { 1181 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1182 tok = au_to_arg32(3, "inherit", 1183 ar->ar_arg_value); 1184 kau_write(rec, tok); 1185 } 1186 } 1187 break; 1188 1189 case AUE_MOUNT: 1190 case AUE_NMOUNT: 1191 /* XXX Need to handle NFS mounts */ 1192 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1193 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1194 kau_write(rec, tok); 1195 } 1196 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1197 tok = au_to_text(ar->ar_arg_text); 1198 kau_write(rec, tok); 1199 } 1200 /* FALLTHROUGH */ 1201 1202 case AUE_NFS_SVC: 1203 if (ARG_IS_VALID(kar, ARG_CMD)) { 1204 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1205 kau_write(rec, tok); 1206 } 1207 break; 1208 1209 case AUE_UMOUNT: 1210 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1211 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1212 kau_write(rec, tok); 1213 } 1214 UPATH1_VNODE1_TOKENS; 1215 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1216 tok = au_to_text(ar->ar_arg_text); 1217 kau_write(rec, tok); 1218 } 1219 break; 1220 1221 case AUE_MSGCTL: 1222 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1223 /* Fall through */ 1224 1225 case AUE_MSGRCV: 1226 case AUE_MSGSND: 1227 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1228 kau_write(rec, tok); 1229 if (ar->ar_errno != EINVAL) { 1230 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1231 kau_write(rec, tok); 1232 } 1233 break; 1234 1235 case AUE_MSGGET: 1236 if (ar->ar_errno == 0) { 1237 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1238 tok = au_to_ipc(AT_IPC_MSG, 1239 ar->ar_arg_svipc_id); 1240 kau_write(rec, tok); 1241 } 1242 } 1243 break; 1244 1245 case AUE_RESETSHFILE: 1246 ADDR_TOKEN(1, "base addr"); 1247 break; 1248 1249 case AUE_OPEN_RC: 1250 case AUE_OPEN_RTC: 1251 case AUE_OPEN_RWC: 1252 case AUE_OPEN_RWTC: 1253 case AUE_OPEN_WC: 1254 case AUE_OPEN_WTC: 1255 case AUE_CREAT: 1256 if (ARG_IS_VALID(kar, ARG_MODE)) { 1257 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1258 kau_write(rec, tok); 1259 } 1260 /* FALLTHROUGH */ 1261 1262 case AUE_OPEN_R: 1263 case AUE_OPEN_RT: 1264 case AUE_OPEN_RW: 1265 case AUE_OPEN_RWT: 1266 case AUE_OPEN_W: 1267 case AUE_OPEN_WT: 1268 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1269 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1270 kau_write(rec, tok); 1271 } 1272 UPATH1_VNODE1_TOKENS; 1273 break; 1274 1275 case AUE_OPENAT_RC: 1276 case AUE_OPENAT_RTC: 1277 case AUE_OPENAT_RWC: 1278 case AUE_OPENAT_RWTC: 1279 case AUE_OPENAT_WC: 1280 case AUE_OPENAT_WTC: 1281 if (ARG_IS_VALID(kar, ARG_MODE)) { 1282 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1283 kau_write(rec, tok); 1284 } 1285 /* FALLTHROUGH */ 1286 1287 case AUE_OPENAT_R: 1288 case AUE_OPENAT_RT: 1289 case AUE_OPENAT_RW: 1290 case AUE_OPENAT_RWT: 1291 case AUE_OPENAT_W: 1292 case AUE_OPENAT_WT: 1293 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1294 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1295 kau_write(rec, tok); 1296 } 1297 ATFD1_TOKENS(1); 1298 UPATH1_VNODE1_TOKENS; 1299 break; 1300 1301 case AUE_PROCCTL: 1302 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1303 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1304 kau_write(rec, tok); 1305 } 1306 if (ARG_IS_VALID(kar, ARG_CMD)) { 1307 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1308 kau_write(rec, tok); 1309 } 1310 PROCESS_PID_TOKENS(3); 1311 break; 1312 1313 case AUE_PTRACE: 1314 if (ARG_IS_VALID(kar, ARG_CMD)) { 1315 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1316 kau_write(rec, tok); 1317 } 1318 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1319 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1320 kau_write(rec, tok); 1321 } 1322 PROCESS_PID_TOKENS(2); 1323 break; 1324 1325 case AUE_QUOTACTL: 1326 if (ARG_IS_VALID(kar, ARG_CMD)) { 1327 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1328 kau_write(rec, tok); 1329 } 1330 if (ARG_IS_VALID(kar, ARG_UID)) { 1331 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1332 kau_write(rec, tok); 1333 } 1334 if (ARG_IS_VALID(kar, ARG_GID)) { 1335 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1336 kau_write(rec, tok); 1337 } 1338 UPATH1_VNODE1_TOKENS; 1339 break; 1340 1341 case AUE_REBOOT: 1342 if (ARG_IS_VALID(kar, ARG_CMD)) { 1343 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1344 kau_write(rec, tok); 1345 } 1346 break; 1347 1348 case AUE_SEMCTL: 1349 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1350 /* Fall through */ 1351 1352 case AUE_SEMOP: 1353 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1354 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1355 kau_write(rec, tok); 1356 if (ar->ar_errno != EINVAL) { 1357 tok = au_to_ipc(AT_IPC_SEM, 1358 ar->ar_arg_svipc_id); 1359 kau_write(rec, tok); 1360 } 1361 } 1362 break; 1363 1364 case AUE_SEMGET: 1365 if (ar->ar_errno == 0) { 1366 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1367 tok = au_to_ipc(AT_IPC_SEM, 1368 ar->ar_arg_svipc_id); 1369 kau_write(rec, tok); 1370 } 1371 } 1372 break; 1373 1374 case AUE_SETEGID: 1375 if (ARG_IS_VALID(kar, ARG_EGID)) { 1376 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1377 kau_write(rec, tok); 1378 } 1379 break; 1380 1381 case AUE_SETEUID: 1382 if (ARG_IS_VALID(kar, ARG_EUID)) { 1383 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1384 kau_write(rec, tok); 1385 } 1386 break; 1387 1388 case AUE_SETREGID: 1389 if (ARG_IS_VALID(kar, ARG_RGID)) { 1390 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1391 kau_write(rec, tok); 1392 } 1393 if (ARG_IS_VALID(kar, ARG_EGID)) { 1394 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1395 kau_write(rec, tok); 1396 } 1397 break; 1398 1399 case AUE_SETREUID: 1400 if (ARG_IS_VALID(kar, ARG_RUID)) { 1401 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1402 kau_write(rec, tok); 1403 } 1404 if (ARG_IS_VALID(kar, ARG_EUID)) { 1405 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1406 kau_write(rec, tok); 1407 } 1408 break; 1409 1410 case AUE_SETRESGID: 1411 if (ARG_IS_VALID(kar, ARG_RGID)) { 1412 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1413 kau_write(rec, tok); 1414 } 1415 if (ARG_IS_VALID(kar, ARG_EGID)) { 1416 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1417 kau_write(rec, tok); 1418 } 1419 if (ARG_IS_VALID(kar, ARG_SGID)) { 1420 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1421 kau_write(rec, tok); 1422 } 1423 break; 1424 1425 case AUE_SETRESUID: 1426 if (ARG_IS_VALID(kar, ARG_RUID)) { 1427 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1428 kau_write(rec, tok); 1429 } 1430 if (ARG_IS_VALID(kar, ARG_EUID)) { 1431 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1432 kau_write(rec, tok); 1433 } 1434 if (ARG_IS_VALID(kar, ARG_SUID)) { 1435 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1436 kau_write(rec, tok); 1437 } 1438 break; 1439 1440 case AUE_SETGID: 1441 if (ARG_IS_VALID(kar, ARG_GID)) { 1442 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1443 kau_write(rec, tok); 1444 } 1445 break; 1446 1447 case AUE_SETUID: 1448 if (ARG_IS_VALID(kar, ARG_UID)) { 1449 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1450 kau_write(rec, tok); 1451 } 1452 break; 1453 1454 case AUE_SETGROUPS: 1455 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1456 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1457 { 1458 tok = au_to_arg32(1, "setgroups", 1459 ar->ar_arg_groups.gidset[ctr]); 1460 kau_write(rec, tok); 1461 } 1462 } 1463 break; 1464 1465 case AUE_SETLOGIN: 1466 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1467 tok = au_to_text(ar->ar_arg_login); 1468 kau_write(rec, tok); 1469 } 1470 break; 1471 1472 case AUE_SETPRIORITY: 1473 if (ARG_IS_VALID(kar, ARG_CMD)) { 1474 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1475 kau_write(rec, tok); 1476 } 1477 if (ARG_IS_VALID(kar, ARG_UID)) { 1478 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1479 kau_write(rec, tok); 1480 } 1481 PROCESS_PID_TOKENS(2); 1482 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1483 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1484 kau_write(rec, tok); 1485 } 1486 break; 1487 1488 case AUE_SETPRIVEXEC: 1489 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1490 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1491 kau_write(rec, tok); 1492 } 1493 break; 1494 1495 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1496 case AUE_SHMAT: 1497 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1498 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1499 kau_write(rec, tok); 1500 /* XXXAUDIT: Does having the ipc token make sense? */ 1501 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1502 kau_write(rec, tok); 1503 } 1504 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1505 tok = au_to_arg32(2, "shmaddr", 1506 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1507 kau_write(rec, tok); 1508 } 1509 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1510 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1511 kau_write(rec, tok); 1512 } 1513 break; 1514 1515 case AUE_SHMCTL: 1516 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1517 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1518 kau_write(rec, tok); 1519 /* XXXAUDIT: Does having the ipc token make sense? */ 1520 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1521 kau_write(rec, tok); 1522 } 1523 switch (ar->ar_arg_svipc_cmd) { 1524 case IPC_STAT: 1525 ar->ar_event = AUE_SHMCTL_STAT; 1526 break; 1527 case IPC_RMID: 1528 ar->ar_event = AUE_SHMCTL_RMID; 1529 break; 1530 case IPC_SET: 1531 ar->ar_event = AUE_SHMCTL_SET; 1532 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1533 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1534 kau_write(rec, tok); 1535 } 1536 break; 1537 default: 1538 break; /* We will audit a bad command */ 1539 } 1540 break; 1541 1542 case AUE_SHMDT: 1543 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1544 tok = au_to_arg32(1, "shmaddr", 1545 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1546 kau_write(rec, tok); 1547 } 1548 break; 1549 1550 case AUE_SHMGET: 1551 /* This is unusual; the return value is in an argument token */ 1552 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1553 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1554 kau_write(rec, tok); 1555 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1556 kau_write(rec, tok); 1557 } 1558 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1559 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1560 kau_write(rec, tok); 1561 } 1562 break; 1563 1564 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1565 * and AUE_SEMUNLINK are Posix IPC */ 1566 case AUE_SHMOPEN: 1567 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1568 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1569 kau_write(rec, tok); 1570 } 1571 if (ARG_IS_VALID(kar, ARG_MODE)) { 1572 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1573 kau_write(rec, tok); 1574 } 1575 /* FALLTHROUGH */ 1576 1577 case AUE_SHMUNLINK: 1578 UPATH1_TOKENS; 1579 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1580 struct ipc_perm perm; 1581 1582 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1583 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1584 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1585 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1586 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1587 perm.seq = 0; 1588 perm.key = 0; 1589 tok = au_to_ipc_perm(&perm); 1590 kau_write(rec, tok); 1591 } 1592 break; 1593 1594 case AUE_SEMOPEN: 1595 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1596 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1597 kau_write(rec, tok); 1598 } 1599 if (ARG_IS_VALID(kar, ARG_MODE)) { 1600 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1601 kau_write(rec, tok); 1602 } 1603 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1604 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1605 kau_write(rec, tok); 1606 } 1607 /* FALLTHROUGH */ 1608 1609 case AUE_SEMUNLINK: 1610 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1611 tok = au_to_text(ar->ar_arg_text); 1612 kau_write(rec, tok); 1613 } 1614 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1615 struct ipc_perm perm; 1616 1617 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1618 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1619 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1620 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1621 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1622 perm.seq = 0; 1623 perm.key = 0; 1624 tok = au_to_ipc_perm(&perm); 1625 kau_write(rec, tok); 1626 } 1627 break; 1628 1629 case AUE_SEMCLOSE: 1630 if (ARG_IS_VALID(kar, ARG_FD)) { 1631 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1632 kau_write(rec, tok); 1633 } 1634 break; 1635 1636 case AUE_SYMLINK: 1637 case AUE_SYMLINKAT: 1638 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1639 tok = au_to_text(ar->ar_arg_text); 1640 kau_write(rec, tok); 1641 } 1642 ATFD1_TOKENS(1); 1643 UPATH1_VNODE1_TOKENS; 1644 break; 1645 1646 case AUE_SYSCTL: 1647 case AUE_SYSCTL_NONADMIN: 1648 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1649 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1650 tok = au_to_arg32(1, "name", 1651 ar->ar_arg_ctlname[ctr]); 1652 kau_write(rec, tok); 1653 } 1654 } 1655 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1656 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1657 kau_write(rec, tok); 1658 } 1659 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1660 tok = au_to_text(ar->ar_arg_text); 1661 kau_write(rec, tok); 1662 } 1663 break; 1664 1665 case AUE_UMASK: 1666 if (ARG_IS_VALID(kar, ARG_MASK)) { 1667 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1668 kau_write(rec, tok); 1669 } 1670 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1671 kau_write(rec, tok); 1672 break; 1673 1674 case AUE_WAIT4: 1675 case AUE_WAIT6: 1676 PROCESS_PID_TOKENS(1); 1677 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1678 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1679 kau_write(rec, tok); 1680 } 1681 break; 1682 1683 case AUE_CAP_RIGHTS_LIMIT: 1684 /* 1685 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1686 */ 1687 FD_VNODE1_TOKENS; 1688 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1689 tok = au_to_rights(&ar->ar_arg_rights); 1690 kau_write(rec, tok); 1691 } 1692 break; 1693 1694 case AUE_CAP_FCNTLS_GET: 1695 case AUE_CAP_IOCTLS_GET: 1696 case AUE_CAP_IOCTLS_LIMIT: 1697 case AUE_CAP_RIGHTS_GET: 1698 if (ARG_IS_VALID(kar, ARG_FD)) { 1699 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1700 kau_write(rec, tok); 1701 } 1702 break; 1703 1704 case AUE_CAP_FCNTLS_LIMIT: 1705 FD_VNODE1_TOKENS; 1706 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1707 tok = au_to_arg32(2, "fcntlrights", 1708 ar->ar_arg_fcntl_rights); 1709 kau_write(rec, tok); 1710 } 1711 break; 1712 1713 case AUE_CAP_ENTER: 1714 case AUE_CAP_GETMODE: 1715 break; 1716 1717 case AUE_NULL: 1718 default: 1719 printf("BSM conversion requested for unknown event %d\n", 1720 ar->ar_event); 1721 1722 /* 1723 * Write the subject token so it is properly freed here. 1724 */ 1725 if (jail_tok != NULL) 1726 kau_write(rec, jail_tok); 1727 kau_write(rec, subj_tok); 1728 kau_free(rec); 1729 return (BSM_NOAUDIT); 1730 } 1731 1732 if (jail_tok != NULL) 1733 kau_write(rec, jail_tok); 1734 kau_write(rec, subj_tok); 1735 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1736 kau_write(rec, tok); /* Every record gets a return token */ 1737 1738 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1739 1740 *pau = rec; 1741 return (BSM_SUCCESS); 1742 } 1743 1744 /* 1745 * Verify that a record is a valid BSM record. This verification is simple 1746 * now, but may be expanded on sometime in the future. Return 1 if the 1747 * record is good, 0 otherwise. 1748 */ 1749 int 1750 bsm_rec_verify(void *rec) 1751 { 1752 char c = *(char *)rec; 1753 1754 /* 1755 * Check the token ID of the first token; it has to be a header 1756 * token. 1757 * 1758 * XXXAUDIT There needs to be a token structure to map a token. 1759 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1760 */ 1761 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1762 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1763 return (0); 1764 return (1); 1765 } 1766