1 /* 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1999-2009 Apple Inc. 5 * Copyright (c) 2016-2017 Robert N. M. Watson 6 * All rights reserved. 7 * 8 * Portions of this software were developed by BAE Systems, the University of 9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 11 * Computing (TC) research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 22 * its contributors may be used to endorse or promote products derived 23 * from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/param.h> 39 #include <sys/vnode.h> 40 #include <sys/ipc.h> 41 #include <sys/lock.h> 42 #include <sys/malloc.h> 43 #include <sys/mutex.h> 44 #include <sys/socket.h> 45 #include <sys/extattr.h> 46 #include <sys/fcntl.h> 47 #include <sys/user.h> 48 #include <sys/systm.h> 49 50 #include <bsm/audit.h> 51 #include <bsm/audit_internal.h> 52 #include <bsm/audit_record.h> 53 #include <bsm/audit_kevents.h> 54 55 #include <security/audit/audit.h> 56 #include <security/audit/audit_private.h> 57 58 #include <netinet/in_systm.h> 59 #include <netinet/in.h> 60 #include <netinet/ip.h> 61 62 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 63 64 static void audit_sys_auditon(struct audit_record *ar, 65 struct au_record *rec); 66 67 /* 68 * Initialize the BSM auditing subsystem. 69 */ 70 void 71 kau_init(void) 72 { 73 74 au_evclassmap_init(); 75 au_evnamemap_init(); 76 } 77 78 /* 79 * This call reserves memory for the audit record. Memory must be guaranteed 80 * before any auditable event can be generated. The au_record structure 81 * maintains a reference to the memory allocated above and also the list of 82 * tokens associated with this record. 83 */ 84 static struct au_record * 85 kau_open(void) 86 { 87 struct au_record *rec; 88 89 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 90 rec->data = NULL; 91 TAILQ_INIT(&rec->token_q); 92 rec->len = 0; 93 rec->used = 1; 94 95 return (rec); 96 } 97 98 /* 99 * Store the token with the record descriptor. 100 */ 101 static void 102 kau_write(struct au_record *rec, struct au_token *tok) 103 { 104 105 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 106 107 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 108 rec->len += tok->len; 109 } 110 111 /* 112 * Close out the audit record by adding the header token, identifying any 113 * missing tokens. Write out the tokens to the record memory. 114 */ 115 static void 116 kau_close(struct au_record *rec, struct timespec *ctime, short event) 117 { 118 u_char *dptr; 119 size_t tot_rec_size; 120 token_t *cur, *hdr, *trail; 121 struct timeval tm; 122 size_t hdrsize; 123 struct auditinfo_addr ak; 124 struct in6_addr *ap; 125 126 audit_get_kinfo(&ak); 127 hdrsize = 0; 128 switch (ak.ai_termid.at_type) { 129 case AU_IPv4: 130 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 131 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 132 break; 133 case AU_IPv6: 134 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 135 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 136 AUDIT_HEADER_EX_SIZE(&ak); 137 break; 138 default: 139 panic("kau_close: invalid address family"); 140 } 141 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 142 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 143 144 tm.tv_usec = ctime->tv_nsec / 1000; 145 tm.tv_sec = ctime->tv_sec; 146 if (hdrsize != AUDIT_HEADER_SIZE) 147 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 148 else 149 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 150 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 151 152 trail = au_to_trailer(tot_rec_size); 153 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 154 155 rec->len = tot_rec_size; 156 dptr = rec->data; 157 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 158 memcpy(dptr, cur->t_data, cur->len); 159 dptr += cur->len; 160 } 161 } 162 163 /* 164 * Free a BSM audit record by releasing all the tokens and clearing the audit 165 * record information. 166 */ 167 void 168 kau_free(struct au_record *rec) 169 { 170 struct au_token *tok; 171 172 /* Free the token list. */ 173 while ((tok = TAILQ_FIRST(&rec->token_q))) { 174 TAILQ_REMOVE(&rec->token_q, tok, tokens); 175 free(tok->t_data, M_AUDITBSM); 176 free(tok, M_AUDITBSM); 177 } 178 179 rec->used = 0; 180 rec->len = 0; 181 free(rec->data, M_AUDITBSM); 182 free(rec, M_AUDITBSM); 183 } 184 185 /* 186 * XXX: May want turn some (or all) of these macros into functions in order 187 * to reduce the generated code size. 188 * 189 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 190 * caller are OK with this. 191 */ 192 #define ATFD1_TOKENS(argnum) do { \ 193 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 194 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 195 kau_write(rec, tok); \ 196 } \ 197 } while (0) 198 199 #define ATFD2_TOKENS(argnum) do { \ 200 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 201 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 202 kau_write(rec, tok); \ 203 } \ 204 } while (0) 205 206 #define UPATH1_TOKENS do { \ 207 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 208 tok = au_to_path(ar->ar_arg_upath1); \ 209 kau_write(rec, tok); \ 210 } \ 211 } while (0) 212 213 #define UPATH2_TOKENS do { \ 214 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 215 tok = au_to_path(ar->ar_arg_upath2); \ 216 kau_write(rec, tok); \ 217 } \ 218 } while (0) 219 220 #define VNODE1_TOKENS do { \ 221 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 222 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 223 kau_write(rec, tok); \ 224 } \ 225 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 226 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 227 kau_write(rec, tok); \ 228 } \ 229 } while (0) 230 231 #define UPATH1_VNODE1_TOKENS do { \ 232 UPATH1_TOKENS; \ 233 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 234 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 235 kau_write(rec, tok); \ 236 } \ 237 } while (0) 238 239 #define VNODE2_TOKENS do { \ 240 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 241 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 242 kau_write(rec, tok); \ 243 } \ 244 } while (0) 245 246 #define FD_VNODE1_TOKENS do { \ 247 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 248 if (ARG_IS_VALID(kar, ARG_FD)) { \ 249 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 250 kau_write(rec, tok); \ 251 } \ 252 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 253 kau_write(rec, tok); \ 254 } else { \ 255 if (ARG_IS_VALID(kar, ARG_FD)) { \ 256 tok = au_to_arg32(1, "non-file: fd", \ 257 ar->ar_arg_fd); \ 258 kau_write(rec, tok); \ 259 } \ 260 } \ 261 } while (0) 262 263 #define PROCESS_PID_TOKENS(argn) do { \ 264 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 265 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 266 tok = au_to_process32_ex(ar->ar_arg_auid, \ 267 ar->ar_arg_euid, ar->ar_arg_egid, \ 268 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 269 ar->ar_arg_pid, ar->ar_arg_asid, \ 270 &ar->ar_arg_termid_addr); \ 271 kau_write(rec, tok); \ 272 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 273 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 274 kau_write(rec, tok); \ 275 } \ 276 } while (0) 277 278 #define EXTATTR_TOKENS(namespace_argnum) do { \ 279 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 280 switch (ar->ar_arg_value) { \ 281 case EXTATTR_NAMESPACE_USER: \ 282 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 283 break; \ 284 case EXTATTR_NAMESPACE_SYSTEM: \ 285 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 286 break; \ 287 default: \ 288 tok = au_to_arg32((namespace_argnum), \ 289 "attrnamespace", ar->ar_arg_value); \ 290 break; \ 291 } \ 292 kau_write(rec, tok); \ 293 } \ 294 /* attrname is in the text field */ \ 295 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 296 tok = au_to_text(ar->ar_arg_text); \ 297 kau_write(rec, tok); \ 298 } \ 299 } while (0) 300 301 /* 302 * Not all pointer arguments to system calls are of interest, but in some 303 * cases they reflect delegation of rights, such as mmap(2) followed by 304 * minherit(2) before execve(2), so do the best we can. 305 */ 306 #define ADDR_TOKEN(argnum, argname) do { \ 307 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 308 if (sizeof(void *) == sizeof(uint32_t)) \ 309 tok = au_to_arg32((argnum), (argname), \ 310 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 311 else \ 312 tok = au_to_arg64((argnum), (argname), \ 313 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 314 kau_write(rec, tok); \ 315 } \ 316 } while (0) 317 318 /* 319 * Implement auditing for the auditon() system call. The audit tokens that 320 * are generated depend on the command that was sent into the auditon() 321 * system call. 322 */ 323 static void 324 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 325 { 326 struct au_token *tok; 327 328 tok = au_to_arg32(3, "length", ar->ar_arg_len); 329 kau_write(rec, tok); 330 switch (ar->ar_arg_cmd) { 331 case A_OLDSETPOLICY: 332 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 333 tok = au_to_arg64(2, "policy", 334 ar->ar_arg_auditon.au_policy64); 335 kau_write(rec, tok); 336 break; 337 } 338 /* FALLTHROUGH */ 339 340 case A_SETPOLICY: 341 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 342 kau_write(rec, tok); 343 break; 344 345 case A_SETKMASK: 346 tok = au_to_arg32(2, "setkmask:as_success", 347 ar->ar_arg_auditon.au_mask.am_success); 348 kau_write(rec, tok); 349 tok = au_to_arg32(2, "setkmask:as_failure", 350 ar->ar_arg_auditon.au_mask.am_failure); 351 kau_write(rec, tok); 352 break; 353 354 case A_OLDSETQCTRL: 355 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 356 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 357 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 358 kau_write(rec, tok); 359 tok = au_to_arg64(2, "setqctrl:aq_lowater", 360 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 361 kau_write(rec, tok); 362 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 363 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 364 kau_write(rec, tok); 365 tok = au_to_arg64(2, "setqctrl:aq_delay", 366 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 367 kau_write(rec, tok); 368 tok = au_to_arg64(2, "setqctrl:aq_minfree", 369 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 370 kau_write(rec, tok); 371 break; 372 } 373 /* FALLTHROUGH */ 374 375 case A_SETQCTRL: 376 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 377 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 378 kau_write(rec, tok); 379 tok = au_to_arg32(2, "setqctrl:aq_lowater", 380 ar->ar_arg_auditon.au_qctrl.aq_lowater); 381 kau_write(rec, tok); 382 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 383 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 384 kau_write(rec, tok); 385 tok = au_to_arg32(2, "setqctrl:aq_delay", 386 ar->ar_arg_auditon.au_qctrl.aq_delay); 387 kau_write(rec, tok); 388 tok = au_to_arg32(2, "setqctrl:aq_minfree", 389 ar->ar_arg_auditon.au_qctrl.aq_minfree); 390 kau_write(rec, tok); 391 break; 392 393 case A_SETUMASK: 394 tok = au_to_arg32(2, "setumask:as_success", 395 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 396 kau_write(rec, tok); 397 tok = au_to_arg32(2, "setumask:as_failure", 398 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 399 kau_write(rec, tok); 400 break; 401 402 case A_SETSMASK: 403 tok = au_to_arg32(2, "setsmask:as_success", 404 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 405 kau_write(rec, tok); 406 tok = au_to_arg32(2, "setsmask:as_failure", 407 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 408 kau_write(rec, tok); 409 break; 410 411 case A_OLDSETCOND: 412 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 413 tok = au_to_arg64(2, "setcond", 414 ar->ar_arg_auditon.au_cond64); 415 kau_write(rec, tok); 416 break; 417 } 418 /* FALLTHROUGH */ 419 420 case A_SETCOND: 421 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 422 kau_write(rec, tok); 423 break; 424 425 case A_SETCLASS: 426 tok = au_to_arg32(2, "setclass:ec_event", 427 ar->ar_arg_auditon.au_evclass.ec_number); 428 kau_write(rec, tok); 429 tok = au_to_arg32(2, "setclass:ec_class", 430 ar->ar_arg_auditon.au_evclass.ec_class); 431 kau_write(rec, tok); 432 break; 433 434 case A_SETPMASK: 435 tok = au_to_arg32(2, "setpmask:as_success", 436 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 437 kau_write(rec, tok); 438 tok = au_to_arg32(2, "setpmask:as_failure", 439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 440 kau_write(rec, tok); 441 break; 442 443 case A_SETFSIZE: 444 tok = au_to_arg32(2, "setfsize:filesize", 445 ar->ar_arg_auditon.au_fstat.af_filesz); 446 kau_write(rec, tok); 447 break; 448 449 default: 450 break; 451 } 452 } 453 454 /* 455 * Convert an internal kernel audit record to a BSM record and return a 456 * success/failure indicator. The BSM record is passed as an out parameter to 457 * this function. 458 * 459 * Return conditions: 460 * BSM_SUCCESS: The BSM record is valid 461 * BSM_FAILURE: Failure; the BSM record is NULL. 462 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 463 */ 464 int 465 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 466 { 467 struct au_token *tok, *subj_tok, *jail_tok; 468 struct au_record *rec; 469 au_tid_t tid; 470 struct audit_record *ar; 471 int ctr; 472 473 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 474 475 *pau = NULL; 476 ar = &kar->k_ar; 477 rec = kau_open(); 478 479 /* 480 * Create the subject token. If this credential was jailed be sure to 481 * generate a zonename token. 482 */ 483 if (ar->ar_jailname[0] != '\0') 484 jail_tok = au_to_zonename(ar->ar_jailname); 485 else 486 jail_tok = NULL; 487 switch (ar->ar_subj_term_addr.at_type) { 488 case AU_IPv4: 489 tid.port = ar->ar_subj_term_addr.at_port; 490 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 491 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 492 ar->ar_subj_cred.cr_uid, /* eff uid */ 493 ar->ar_subj_egid, /* eff group id */ 494 ar->ar_subj_ruid, /* real uid */ 495 ar->ar_subj_rgid, /* real group id */ 496 ar->ar_subj_pid, /* process id */ 497 ar->ar_subj_asid, /* session ID */ 498 &tid); 499 break; 500 case AU_IPv6: 501 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 502 ar->ar_subj_cred.cr_uid, 503 ar->ar_subj_egid, 504 ar->ar_subj_ruid, 505 ar->ar_subj_rgid, 506 ar->ar_subj_pid, 507 ar->ar_subj_asid, 508 &ar->ar_subj_term_addr); 509 break; 510 default: 511 bzero(&tid, sizeof(tid)); 512 subj_tok = au_to_subject32(ar->ar_subj_auid, 513 ar->ar_subj_cred.cr_uid, 514 ar->ar_subj_egid, 515 ar->ar_subj_ruid, 516 ar->ar_subj_rgid, 517 ar->ar_subj_pid, 518 ar->ar_subj_asid, 519 &tid); 520 } 521 522 /* 523 * The logic inside each case fills in the tokens required for the 524 * event, except for the header, trailer, and return tokens. The 525 * header and trailer tokens are added by the kau_close() function. 526 * The return token is added outside of the switch statement. 527 */ 528 switch(ar->ar_event) { 529 case AUE_ACCEPT: 530 if (ARG_IS_VALID(kar, ARG_FD)) { 531 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 532 kau_write(rec, tok); 533 } 534 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 535 tok = au_to_sock_inet((struct sockaddr_in *) 536 &ar->ar_arg_sockaddr); 537 kau_write(rec, tok); 538 } 539 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 540 tok = au_to_sock_unix((struct sockaddr_un *) 541 &ar->ar_arg_sockaddr); 542 kau_write(rec, tok); 543 UPATH1_TOKENS; 544 } 545 break; 546 547 case AUE_BIND: 548 case AUE_LISTEN: 549 case AUE_CONNECT: 550 case AUE_RECV: 551 case AUE_RECVFROM: 552 case AUE_RECVMSG: 553 case AUE_SEND: 554 case AUE_SENDMSG: 555 case AUE_SENDTO: 556 /* 557 * Socket-related events. 558 */ 559 if (ARG_IS_VALID(kar, ARG_FD)) { 560 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 561 kau_write(rec, tok); 562 } 563 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 564 tok = au_to_sock_inet((struct sockaddr_in *) 565 &ar->ar_arg_sockaddr); 566 kau_write(rec, tok); 567 } 568 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 569 tok = au_to_sock_unix((struct sockaddr_un *) 570 &ar->ar_arg_sockaddr); 571 kau_write(rec, tok); 572 UPATH1_TOKENS; 573 } 574 /* XXX Need to handle ARG_SADDRINET6 */ 575 break; 576 577 case AUE_BINDAT: 578 case AUE_CONNECTAT: 579 ATFD1_TOKENS(1); 580 if (ARG_IS_VALID(kar, ARG_FD)) { 581 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 582 kau_write(rec, tok); 583 } 584 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 585 tok = au_to_sock_unix((struct sockaddr_un *) 586 &ar->ar_arg_sockaddr); 587 kau_write(rec, tok); 588 UPATH1_TOKENS; 589 } 590 break; 591 592 case AUE_SENDFILE: 593 FD_VNODE1_TOKENS; 594 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 595 tok = au_to_sock_inet((struct sockaddr_in *) 596 &ar->ar_arg_sockaddr); 597 kau_write(rec, tok); 598 } 599 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 600 tok = au_to_sock_unix((struct sockaddr_un *) 601 &ar->ar_arg_sockaddr); 602 kau_write(rec, tok); 603 UPATH1_TOKENS; 604 } 605 /* XXX Need to handle ARG_SADDRINET6 */ 606 break; 607 608 case AUE_SOCKET: 609 case AUE_SOCKETPAIR: 610 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 611 tok = au_to_arg32(1, "domain", 612 ar->ar_arg_sockinfo.so_domain); 613 kau_write(rec, tok); 614 tok = au_to_arg32(2, "type", 615 ar->ar_arg_sockinfo.so_type); 616 kau_write(rec, tok); 617 tok = au_to_arg32(3, "protocol", 618 ar->ar_arg_sockinfo.so_protocol); 619 kau_write(rec, tok); 620 } 621 break; 622 623 case AUE_SETSOCKOPT: 624 case AUE_SHUTDOWN: 625 if (ARG_IS_VALID(kar, ARG_FD)) { 626 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 627 kau_write(rec, tok); 628 } 629 break; 630 631 case AUE_ACCT: 632 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 633 UPATH1_VNODE1_TOKENS; 634 } else { 635 tok = au_to_arg32(1, "accounting off", 0); 636 kau_write(rec, tok); 637 } 638 break; 639 640 case AUE_SETAUID: 641 if (ARG_IS_VALID(kar, ARG_AUID)) { 642 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 643 kau_write(rec, tok); 644 } 645 break; 646 647 case AUE_SETAUDIT: 648 if (ARG_IS_VALID(kar, ARG_AUID) && 649 ARG_IS_VALID(kar, ARG_ASID) && 650 ARG_IS_VALID(kar, ARG_AMASK) && 651 ARG_IS_VALID(kar, ARG_TERMID)) { 652 tok = au_to_arg32(1, "setaudit:auid", 653 ar->ar_arg_auid); 654 kau_write(rec, tok); 655 tok = au_to_arg32(1, "setaudit:port", 656 ar->ar_arg_termid.port); 657 kau_write(rec, tok); 658 tok = au_to_arg32(1, "setaudit:machine", 659 ar->ar_arg_termid.machine); 660 kau_write(rec, tok); 661 tok = au_to_arg32(1, "setaudit:as_success", 662 ar->ar_arg_amask.am_success); 663 kau_write(rec, tok); 664 tok = au_to_arg32(1, "setaudit:as_failure", 665 ar->ar_arg_amask.am_failure); 666 kau_write(rec, tok); 667 tok = au_to_arg32(1, "setaudit:asid", 668 ar->ar_arg_asid); 669 kau_write(rec, tok); 670 } 671 break; 672 673 case AUE_SETAUDIT_ADDR: 674 if (ARG_IS_VALID(kar, ARG_AUID) && 675 ARG_IS_VALID(kar, ARG_ASID) && 676 ARG_IS_VALID(kar, ARG_AMASK) && 677 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 678 tok = au_to_arg32(1, "setaudit_addr:auid", 679 ar->ar_arg_auid); 680 kau_write(rec, tok); 681 tok = au_to_arg32(1, "setaudit_addr:as_success", 682 ar->ar_arg_amask.am_success); 683 kau_write(rec, tok); 684 tok = au_to_arg32(1, "setaudit_addr:as_failure", 685 ar->ar_arg_amask.am_failure); 686 kau_write(rec, tok); 687 tok = au_to_arg32(1, "setaudit_addr:asid", 688 ar->ar_arg_asid); 689 kau_write(rec, tok); 690 tok = au_to_arg32(1, "setaudit_addr:type", 691 ar->ar_arg_termid_addr.at_type); 692 kau_write(rec, tok); 693 tok = au_to_arg32(1, "setaudit_addr:port", 694 ar->ar_arg_termid_addr.at_port); 695 kau_write(rec, tok); 696 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 697 tok = au_to_in_addr_ex((struct in6_addr *) 698 &ar->ar_arg_termid_addr.at_addr[0]); 699 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 700 tok = au_to_in_addr((struct in_addr *) 701 &ar->ar_arg_termid_addr.at_addr[0]); 702 kau_write(rec, tok); 703 } 704 break; 705 706 case AUE_AUDITON: 707 /* 708 * For AUDITON commands without own event, audit the cmd. 709 */ 710 if (ARG_IS_VALID(kar, ARG_CMD)) { 711 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 712 kau_write(rec, tok); 713 } 714 /* FALLTHROUGH */ 715 716 case AUE_AUDITON_GETCAR: 717 case AUE_AUDITON_GETCLASS: 718 case AUE_AUDITON_GETCOND: 719 case AUE_AUDITON_GETCWD: 720 case AUE_AUDITON_GETKMASK: 721 case AUE_AUDITON_GETSTAT: 722 case AUE_AUDITON_GPOLICY: 723 case AUE_AUDITON_GQCTRL: 724 case AUE_AUDITON_SETCLASS: 725 case AUE_AUDITON_SETCOND: 726 case AUE_AUDITON_SETKMASK: 727 case AUE_AUDITON_SETSMASK: 728 case AUE_AUDITON_SETSTAT: 729 case AUE_AUDITON_SETUMASK: 730 case AUE_AUDITON_SPOLICY: 731 case AUE_AUDITON_SQCTRL: 732 if (ARG_IS_VALID(kar, ARG_AUDITON)) 733 audit_sys_auditon(ar, rec); 734 break; 735 736 case AUE_AUDITCTL: 737 UPATH1_VNODE1_TOKENS; 738 break; 739 740 case AUE_EXIT: 741 if (ARG_IS_VALID(kar, ARG_EXIT)) { 742 tok = au_to_exit(ar->ar_arg_exitretval, 743 ar->ar_arg_exitstatus); 744 kau_write(rec, tok); 745 } 746 break; 747 748 case AUE_ADJTIME: 749 case AUE_CLOCK_SETTIME: 750 case AUE_AUDIT: 751 case AUE_DUP2: 752 case AUE_GETAUDIT: 753 case AUE_GETAUDIT_ADDR: 754 case AUE_GETAUID: 755 case AUE_GETCWD: 756 case AUE_GETFSSTAT: 757 case AUE_GETRESUID: 758 case AUE_GETRESGID: 759 case AUE_KQUEUE: 760 case AUE_MODLOAD: 761 case AUE_MODUNLOAD: 762 case AUE_MSGSYS: 763 case AUE_NTP_ADJTIME: 764 case AUE_PIPE: 765 case AUE_POSIX_OPENPT: 766 case AUE_PROFILE: 767 case AUE_RTPRIO: 768 case AUE_SEMSYS: 769 case AUE_SETFIB: 770 case AUE_SHMSYS: 771 case AUE_SETPGRP: 772 case AUE_SETRLIMIT: 773 case AUE_SETSID: 774 case AUE_SETTIMEOFDAY: 775 case AUE_SYSARCH: 776 777 /* 778 * Header, subject, and return tokens added at end. 779 */ 780 break; 781 782 case AUE_ACL_DELETE_FD: 783 case AUE_ACL_DELETE_FILE: 784 case AUE_ACL_CHECK_FD: 785 case AUE_ACL_CHECK_FILE: 786 case AUE_ACL_CHECK_LINK: 787 case AUE_ACL_DELETE_LINK: 788 case AUE_ACL_GET_FD: 789 case AUE_ACL_GET_FILE: 790 case AUE_ACL_GET_LINK: 791 case AUE_ACL_SET_FD: 792 case AUE_ACL_SET_FILE: 793 case AUE_ACL_SET_LINK: 794 if (ARG_IS_VALID(kar, ARG_VALUE)) { 795 tok = au_to_arg32(1, "type", ar->ar_arg_value); 796 kau_write(rec, tok); 797 } 798 ATFD1_TOKENS(1); 799 UPATH1_VNODE1_TOKENS; 800 break; 801 802 /* 803 * NB: We may want to verify that the appropriate 804 * audit args are being processed here, but I think 805 * a bit analysis is required. 806 * 807 * Process AUE_JAIL_SET in the next block so we can pickup any path 808 * related tokens that might exist. 809 */ 810 case AUE_JAIL_GET: 811 case AUE_JAIL_ATTACH: 812 case AUE_JAIL_REMOVE: 813 break; 814 815 case AUE_JAIL_SET: 816 case AUE_CHDIR: 817 case AUE_CHROOT: 818 case AUE_FSTATAT: 819 case AUE_FUTIMESAT: 820 case AUE_GETATTRLIST: 821 case AUE_JAIL: 822 case AUE_LUTIMES: 823 case AUE_NFS_GETFH: 824 case AUE_LGETFH: 825 case AUE_LSTAT: 826 case AUE_LPATHCONF: 827 case AUE_PATHCONF: 828 case AUE_READLINK: 829 case AUE_READLINKAT: 830 case AUE_REVOKE: 831 case AUE_RMDIR: 832 case AUE_SEARCHFS: 833 case AUE_SETATTRLIST: 834 case AUE_STAT: 835 case AUE_STATFS: 836 case AUE_SWAPON: 837 case AUE_SWAPOFF: 838 case AUE_TRUNCATE: 839 case AUE_UNDELETE: 840 case AUE_UNLINK: 841 case AUE_UNLINKAT: 842 case AUE_UTIMES: 843 case AUE_REALPATHAT: 844 ATFD1_TOKENS(1); 845 UPATH1_VNODE1_TOKENS; 846 break; 847 848 case AUE_ACCESS: 849 case AUE_EACCESS: 850 case AUE_FACCESSAT: 851 ATFD1_TOKENS(1); 852 UPATH1_VNODE1_TOKENS; 853 if (ARG_IS_VALID(kar, ARG_VALUE)) { 854 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 855 kau_write(rec, tok); 856 } 857 break; 858 859 case AUE_FHSTATFS: 860 case AUE_FHOPEN: 861 case AUE_FHSTAT: 862 /* XXXRW: Need to audit vnode argument. */ 863 break; 864 865 case AUE_CHFLAGS: 866 case AUE_LCHFLAGS: 867 case AUE_CHFLAGSAT: 868 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 869 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 870 kau_write(rec, tok); 871 } 872 UPATH1_VNODE1_TOKENS; 873 break; 874 875 case AUE_CHMOD: 876 case AUE_LCHMOD: 877 if (ARG_IS_VALID(kar, ARG_MODE)) { 878 tok = au_to_arg32(2, "new file mode", 879 ar->ar_arg_mode); 880 kau_write(rec, tok); 881 } 882 UPATH1_VNODE1_TOKENS; 883 break; 884 885 case AUE_FCHMODAT: 886 ATFD1_TOKENS(1); 887 if (ARG_IS_VALID(kar, ARG_MODE)) { 888 tok = au_to_arg32(3, "new file mode", 889 ar->ar_arg_mode); 890 kau_write(rec, tok); 891 } 892 UPATH1_VNODE1_TOKENS; 893 break; 894 895 case AUE_CHOWN: 896 case AUE_LCHOWN: 897 if (ARG_IS_VALID(kar, ARG_UID)) { 898 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 899 kau_write(rec, tok); 900 } 901 if (ARG_IS_VALID(kar, ARG_GID)) { 902 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 903 kau_write(rec, tok); 904 } 905 UPATH1_VNODE1_TOKENS; 906 break; 907 908 case AUE_FCHOWNAT: 909 ATFD1_TOKENS(1); 910 if (ARG_IS_VALID(kar, ARG_UID)) { 911 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 912 kau_write(rec, tok); 913 } 914 if (ARG_IS_VALID(kar, ARG_GID)) { 915 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 916 kau_write(rec, tok); 917 } 918 UPATH1_VNODE1_TOKENS; 919 break; 920 921 case AUE_EXCHANGEDATA: 922 UPATH1_VNODE1_TOKENS; 923 UPATH2_TOKENS; 924 break; 925 926 case AUE_CLOSE: 927 if (ARG_IS_VALID(kar, ARG_FD)) { 928 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 929 kau_write(rec, tok); 930 } 931 UPATH1_VNODE1_TOKENS; 932 break; 933 934 case AUE_CLOSEFROM: 935 if (ARG_IS_VALID(kar, ARG_FD)) { 936 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 937 kau_write(rec, tok); 938 } 939 break; 940 941 case AUE_CLOSERANGE: 942 if (ARG_IS_VALID(kar, ARG_FD)) { 943 tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd); 944 kau_write(rec, tok); 945 } 946 if (ARG_IS_VALID(kar, ARG_CMD)) { 947 tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd); 948 kau_write(rec, tok); 949 } 950 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 951 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 952 kau_write(rec, tok); 953 } 954 break; 955 956 case AUE_CORE: 957 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 958 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 959 kau_write(rec, tok); 960 } 961 UPATH1_VNODE1_TOKENS; 962 break; 963 964 case AUE_EXTATTRCTL: 965 UPATH1_VNODE1_TOKENS; 966 if (ARG_IS_VALID(kar, ARG_CMD)) { 967 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 968 kau_write(rec, tok); 969 } 970 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 971 UPATH2_TOKENS; 972 VNODE2_TOKENS; 973 EXTATTR_TOKENS(4); 974 break; 975 976 case AUE_EXTATTR_GET_FILE: 977 case AUE_EXTATTR_SET_FILE: 978 case AUE_EXTATTR_LIST_FILE: 979 case AUE_EXTATTR_DELETE_FILE: 980 case AUE_EXTATTR_GET_LINK: 981 case AUE_EXTATTR_SET_LINK: 982 case AUE_EXTATTR_LIST_LINK: 983 case AUE_EXTATTR_DELETE_LINK: 984 UPATH1_VNODE1_TOKENS; 985 EXTATTR_TOKENS(2); 986 break; 987 988 case AUE_EXTATTR_GET_FD: 989 case AUE_EXTATTR_SET_FD: 990 case AUE_EXTATTR_LIST_FD: 991 case AUE_EXTATTR_DELETE_FD: 992 if (ARG_IS_VALID(kar, ARG_FD)) { 993 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 994 kau_write(rec, tok); 995 } 996 EXTATTR_TOKENS(2); 997 break; 998 999 case AUE_FEXECVE: 1000 if (ARG_IS_VALID(kar, ARG_FD)) { 1001 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1002 kau_write(rec, tok); 1003 } 1004 /* FALLTHROUGH */ 1005 1006 case AUE_EXECVE: 1007 case AUE_MAC_EXECVE: 1008 if (ARG_IS_VALID(kar, ARG_ARGV)) { 1009 tok = au_to_exec_args(ar->ar_arg_argv, 1010 ar->ar_arg_argc); 1011 kau_write(rec, tok); 1012 } 1013 if (ARG_IS_VALID(kar, ARG_ENVV)) { 1014 tok = au_to_exec_env(ar->ar_arg_envv, 1015 ar->ar_arg_envc); 1016 kau_write(rec, tok); 1017 } 1018 UPATH1_VNODE1_TOKENS; 1019 break; 1020 1021 case AUE_FCHMOD: 1022 if (ARG_IS_VALID(kar, ARG_MODE)) { 1023 tok = au_to_arg32(2, "new file mode", 1024 ar->ar_arg_mode); 1025 kau_write(rec, tok); 1026 } 1027 FD_VNODE1_TOKENS; 1028 break; 1029 1030 /* 1031 * XXXRW: Some of these need to handle non-vnode cases as well. 1032 */ 1033 case AUE_FCHDIR: 1034 case AUE_FPATHCONF: 1035 case AUE_FSTAT: 1036 case AUE_FSTATFS: 1037 case AUE_FSYNC: 1038 case AUE_FTRUNCATE: 1039 case AUE_FUTIMES: 1040 case AUE_GETDIRENTRIES: 1041 case AUE_GETDIRENTRIESATTR: 1042 case AUE_LSEEK: 1043 case AUE_POLL: 1044 case AUE_POSIX_FALLOCATE: 1045 case AUE_PREAD: 1046 case AUE_PWRITE: 1047 case AUE_READ: 1048 case AUE_READV: 1049 case AUE_WRITE: 1050 case AUE_WRITEV: 1051 FD_VNODE1_TOKENS; 1052 break; 1053 1054 case AUE_FCHOWN: 1055 if (ARG_IS_VALID(kar, ARG_UID)) { 1056 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 1057 kau_write(rec, tok); 1058 } 1059 if (ARG_IS_VALID(kar, ARG_GID)) { 1060 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 1061 kau_write(rec, tok); 1062 } 1063 FD_VNODE1_TOKENS; 1064 break; 1065 1066 case AUE_FCNTL: 1067 if (ARG_IS_VALID(kar, ARG_CMD)) { 1068 tok = au_to_arg32(2, "cmd", 1069 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 1070 kau_write(rec, tok); 1071 } 1072 FD_VNODE1_TOKENS; 1073 break; 1074 1075 case AUE_FCHFLAGS: 1076 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1077 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1078 kau_write(rec, tok); 1079 } 1080 FD_VNODE1_TOKENS; 1081 break; 1082 1083 case AUE_FLOCK: 1084 if (ARG_IS_VALID(kar, ARG_CMD)) { 1085 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1086 kau_write(rec, tok); 1087 } 1088 FD_VNODE1_TOKENS; 1089 break; 1090 1091 case AUE_FSPACECTL: 1092 if (ARG_IS_VALID(kar, ARG_CMD)) { 1093 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 1094 kau_write(rec, tok); 1095 } 1096 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1097 tok = au_to_arg32(4, "flags", ar->ar_arg_fflags); 1098 kau_write(rec, tok); 1099 } 1100 FD_VNODE1_TOKENS; 1101 break; 1102 1103 case AUE_RFORK: 1104 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1105 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1106 kau_write(rec, tok); 1107 } 1108 /* FALLTHROUGH */ 1109 1110 case AUE_FORK: 1111 case AUE_VFORK: 1112 if (ARG_IS_VALID(kar, ARG_PID)) { 1113 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1114 kau_write(rec, tok); 1115 } 1116 break; 1117 1118 case AUE_IOCTL: 1119 if (ARG_IS_VALID(kar, ARG_CMD)) { 1120 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1121 kau_write(rec, tok); 1122 } 1123 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1124 FD_VNODE1_TOKENS; 1125 else { 1126 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1127 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1128 kau_write(rec, tok); 1129 } else { 1130 if (ARG_IS_VALID(kar, ARG_FD)) { 1131 tok = au_to_arg32(1, "fd", 1132 ar->ar_arg_fd); 1133 kau_write(rec, tok); 1134 } 1135 } 1136 } 1137 break; 1138 1139 case AUE_KILL: 1140 case AUE_KILLPG: 1141 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1142 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1143 kau_write(rec, tok); 1144 } 1145 PROCESS_PID_TOKENS(1); 1146 break; 1147 1148 case AUE_KTRACE: 1149 if (ARG_IS_VALID(kar, ARG_CMD)) { 1150 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1151 kau_write(rec, tok); 1152 } 1153 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1154 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1155 kau_write(rec, tok); 1156 } 1157 PROCESS_PID_TOKENS(4); 1158 UPATH1_VNODE1_TOKENS; 1159 break; 1160 1161 case AUE_LINK: 1162 case AUE_LINKAT: 1163 case AUE_RENAME: 1164 case AUE_RENAMEAT: 1165 ATFD1_TOKENS(1); 1166 UPATH1_VNODE1_TOKENS; 1167 ATFD2_TOKENS(3); 1168 UPATH2_TOKENS; 1169 break; 1170 1171 case AUE_LOADSHFILE: 1172 ADDR_TOKEN(4, "base addr"); 1173 UPATH1_VNODE1_TOKENS; 1174 break; 1175 1176 case AUE_MKDIR: 1177 case AUE_MKDIRAT: 1178 case AUE_MKFIFO: 1179 case AUE_MKFIFOAT: 1180 ATFD1_TOKENS(1); 1181 if (ARG_IS_VALID(kar, ARG_MODE)) { 1182 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1183 kau_write(rec, tok); 1184 } 1185 UPATH1_VNODE1_TOKENS; 1186 break; 1187 1188 case AUE_MKNOD: 1189 case AUE_MKNODAT: 1190 ATFD1_TOKENS(1); 1191 if (ARG_IS_VALID(kar, ARG_MODE)) { 1192 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1193 kau_write(rec, tok); 1194 } 1195 if (ARG_IS_VALID(kar, ARG_DEV)) { 1196 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1197 kau_write(rec, tok); 1198 } 1199 UPATH1_VNODE1_TOKENS; 1200 break; 1201 1202 case AUE_MMAP: 1203 case AUE_MUNMAP: 1204 case AUE_MPROTECT: 1205 case AUE_MLOCK: 1206 case AUE_MUNLOCK: 1207 case AUE_MINHERIT: 1208 ADDR_TOKEN(1, "addr"); 1209 if (ARG_IS_VALID(kar, ARG_LEN)) { 1210 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1211 kau_write(rec, tok); 1212 } 1213 if (ar->ar_event == AUE_MMAP) 1214 FD_VNODE1_TOKENS; 1215 if (ar->ar_event == AUE_MPROTECT) { 1216 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1217 tok = au_to_arg32(3, "protection", 1218 ar->ar_arg_value); 1219 kau_write(rec, tok); 1220 } 1221 } 1222 if (ar->ar_event == AUE_MINHERIT) { 1223 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1224 tok = au_to_arg32(3, "inherit", 1225 ar->ar_arg_value); 1226 kau_write(rec, tok); 1227 } 1228 } 1229 break; 1230 1231 case AUE_MOUNT: 1232 case AUE_NMOUNT: 1233 /* XXX Need to handle NFS mounts */ 1234 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1235 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1236 kau_write(rec, tok); 1237 } 1238 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1239 tok = au_to_text(ar->ar_arg_text); 1240 kau_write(rec, tok); 1241 } 1242 /* FALLTHROUGH */ 1243 1244 case AUE_NFS_SVC: 1245 if (ARG_IS_VALID(kar, ARG_CMD)) { 1246 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1247 kau_write(rec, tok); 1248 } 1249 break; 1250 1251 case AUE_UMOUNT: 1252 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1253 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1254 kau_write(rec, tok); 1255 } 1256 UPATH1_VNODE1_TOKENS; 1257 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1258 tok = au_to_text(ar->ar_arg_text); 1259 kau_write(rec, tok); 1260 } 1261 break; 1262 1263 case AUE_MSGCTL: 1264 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1265 /* Fall through */ 1266 1267 case AUE_MSGRCV: 1268 case AUE_MSGSND: 1269 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1270 kau_write(rec, tok); 1271 if (ar->ar_errno != EINVAL) { 1272 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1273 kau_write(rec, tok); 1274 } 1275 break; 1276 1277 case AUE_MSGGET: 1278 if (ar->ar_errno == 0) { 1279 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1280 tok = au_to_ipc(AT_IPC_MSG, 1281 ar->ar_arg_svipc_id); 1282 kau_write(rec, tok); 1283 } 1284 } 1285 break; 1286 1287 case AUE_RESETSHFILE: 1288 ADDR_TOKEN(1, "base addr"); 1289 break; 1290 1291 case AUE_OPEN_RC: 1292 case AUE_OPEN_RTC: 1293 case AUE_OPEN_RWC: 1294 case AUE_OPEN_RWTC: 1295 case AUE_OPEN_WC: 1296 case AUE_OPEN_WTC: 1297 case AUE_CREAT: 1298 if (ARG_IS_VALID(kar, ARG_MODE)) { 1299 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1300 kau_write(rec, tok); 1301 } 1302 /* FALLTHROUGH */ 1303 1304 case AUE_OPEN_R: 1305 case AUE_OPEN_RT: 1306 case AUE_OPEN_RW: 1307 case AUE_OPEN_RWT: 1308 case AUE_OPEN_W: 1309 case AUE_OPEN_WT: 1310 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1311 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1312 kau_write(rec, tok); 1313 } 1314 UPATH1_VNODE1_TOKENS; 1315 break; 1316 1317 case AUE_OPENAT_RC: 1318 case AUE_OPENAT_RTC: 1319 case AUE_OPENAT_RWC: 1320 case AUE_OPENAT_RWTC: 1321 case AUE_OPENAT_WC: 1322 case AUE_OPENAT_WTC: 1323 if (ARG_IS_VALID(kar, ARG_MODE)) { 1324 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1325 kau_write(rec, tok); 1326 } 1327 /* FALLTHROUGH */ 1328 1329 case AUE_OPENAT_R: 1330 case AUE_OPENAT_RT: 1331 case AUE_OPENAT_RW: 1332 case AUE_OPENAT_RWT: 1333 case AUE_OPENAT_W: 1334 case AUE_OPENAT_WT: 1335 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1336 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1337 kau_write(rec, tok); 1338 } 1339 ATFD1_TOKENS(1); 1340 UPATH1_VNODE1_TOKENS; 1341 break; 1342 1343 case AUE_PDKILL: 1344 if (ARG_IS_VALID(kar, ARG_FD)) { 1345 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1346 kau_write(rec, tok); 1347 } 1348 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1349 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1350 kau_write(rec, tok); 1351 } 1352 PROCESS_PID_TOKENS(1); 1353 break; 1354 case AUE_PDFORK: 1355 if (ARG_IS_VALID(kar, ARG_PID)) { 1356 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1357 kau_write(rec, tok); 1358 } 1359 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1360 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1361 kau_write(rec, tok); 1362 } 1363 if (ARG_IS_VALID(kar, ARG_FD)) { 1364 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1365 kau_write(rec, tok); 1366 } 1367 break; 1368 case AUE_PDGETPID: 1369 if (ARG_IS_VALID(kar, ARG_FD)) { 1370 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1371 kau_write(rec, tok); 1372 } 1373 break; 1374 1375 case AUE_PROCCTL: 1376 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1377 tok = au_to_arg32(1, "idtype", ar->ar_arg_value); 1378 kau_write(rec, tok); 1379 } 1380 if (ARG_IS_VALID(kar, ARG_CMD)) { 1381 tok = au_to_arg32(2, "com", ar->ar_arg_cmd); 1382 kau_write(rec, tok); 1383 } 1384 PROCESS_PID_TOKENS(3); 1385 break; 1386 1387 case AUE_PTRACE: 1388 if (ARG_IS_VALID(kar, ARG_CMD)) { 1389 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1390 kau_write(rec, tok); 1391 } 1392 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1393 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1394 kau_write(rec, tok); 1395 } 1396 PROCESS_PID_TOKENS(2); 1397 break; 1398 1399 case AUE_QUOTACTL: 1400 if (ARG_IS_VALID(kar, ARG_CMD)) { 1401 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1402 kau_write(rec, tok); 1403 } 1404 if (ARG_IS_VALID(kar, ARG_UID)) { 1405 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1406 kau_write(rec, tok); 1407 } 1408 if (ARG_IS_VALID(kar, ARG_GID)) { 1409 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1410 kau_write(rec, tok); 1411 } 1412 UPATH1_VNODE1_TOKENS; 1413 break; 1414 1415 case AUE_REBOOT: 1416 if (ARG_IS_VALID(kar, ARG_CMD)) { 1417 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1418 kau_write(rec, tok); 1419 } 1420 break; 1421 1422 case AUE_SEMCTL: 1423 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1424 /* Fall through */ 1425 1426 case AUE_SEMOP: 1427 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1428 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1429 kau_write(rec, tok); 1430 if (ar->ar_errno != EINVAL) { 1431 tok = au_to_ipc(AT_IPC_SEM, 1432 ar->ar_arg_svipc_id); 1433 kau_write(rec, tok); 1434 } 1435 } 1436 break; 1437 1438 case AUE_SEMGET: 1439 if (ar->ar_errno == 0) { 1440 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1441 tok = au_to_ipc(AT_IPC_SEM, 1442 ar->ar_arg_svipc_id); 1443 kau_write(rec, tok); 1444 } 1445 } 1446 break; 1447 1448 case AUE_SETEGID: 1449 if (ARG_IS_VALID(kar, ARG_EGID)) { 1450 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1451 kau_write(rec, tok); 1452 } 1453 break; 1454 1455 case AUE_SETEUID: 1456 if (ARG_IS_VALID(kar, ARG_EUID)) { 1457 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1458 kau_write(rec, tok); 1459 } 1460 break; 1461 1462 case AUE_SETREGID: 1463 if (ARG_IS_VALID(kar, ARG_RGID)) { 1464 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1465 kau_write(rec, tok); 1466 } 1467 if (ARG_IS_VALID(kar, ARG_EGID)) { 1468 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1469 kau_write(rec, tok); 1470 } 1471 break; 1472 1473 case AUE_SETREUID: 1474 if (ARG_IS_VALID(kar, ARG_RUID)) { 1475 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1476 kau_write(rec, tok); 1477 } 1478 if (ARG_IS_VALID(kar, ARG_EUID)) { 1479 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1480 kau_write(rec, tok); 1481 } 1482 break; 1483 1484 case AUE_SETRESGID: 1485 if (ARG_IS_VALID(kar, ARG_RGID)) { 1486 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1487 kau_write(rec, tok); 1488 } 1489 if (ARG_IS_VALID(kar, ARG_EGID)) { 1490 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1491 kau_write(rec, tok); 1492 } 1493 if (ARG_IS_VALID(kar, ARG_SGID)) { 1494 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1495 kau_write(rec, tok); 1496 } 1497 break; 1498 1499 case AUE_SETRESUID: 1500 if (ARG_IS_VALID(kar, ARG_RUID)) { 1501 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1502 kau_write(rec, tok); 1503 } 1504 if (ARG_IS_VALID(kar, ARG_EUID)) { 1505 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1506 kau_write(rec, tok); 1507 } 1508 if (ARG_IS_VALID(kar, ARG_SUID)) { 1509 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1510 kau_write(rec, tok); 1511 } 1512 break; 1513 1514 case AUE_SETGID: 1515 if (ARG_IS_VALID(kar, ARG_GID)) { 1516 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1517 kau_write(rec, tok); 1518 } 1519 break; 1520 1521 case AUE_SETUID: 1522 if (ARG_IS_VALID(kar, ARG_UID)) { 1523 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1524 kau_write(rec, tok); 1525 } 1526 break; 1527 1528 case AUE_SETGROUPS: 1529 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1530 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1531 { 1532 tok = au_to_arg32(1, "setgroups", 1533 ar->ar_arg_groups.gidset[ctr]); 1534 kau_write(rec, tok); 1535 } 1536 } 1537 break; 1538 1539 case AUE_SETLOGIN: 1540 if (ARG_IS_VALID(kar, ARG_LOGIN)) { 1541 tok = au_to_text(ar->ar_arg_login); 1542 kau_write(rec, tok); 1543 } 1544 break; 1545 1546 case AUE_SETLOGINCLASS: 1547 break; 1548 1549 case AUE_SETPRIORITY: 1550 if (ARG_IS_VALID(kar, ARG_CMD)) { 1551 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1552 kau_write(rec, tok); 1553 } 1554 if (ARG_IS_VALID(kar, ARG_UID)) { 1555 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1556 kau_write(rec, tok); 1557 } 1558 PROCESS_PID_TOKENS(2); 1559 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1560 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1561 kau_write(rec, tok); 1562 } 1563 break; 1564 1565 case AUE_SETPRIVEXEC: 1566 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1567 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1568 kau_write(rec, tok); 1569 } 1570 break; 1571 1572 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1573 case AUE_SHMAT: 1574 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1575 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1576 kau_write(rec, tok); 1577 /* XXXAUDIT: Does having the ipc token make sense? */ 1578 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1579 kau_write(rec, tok); 1580 } 1581 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1582 tok = au_to_arg32(2, "shmaddr", 1583 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1584 kau_write(rec, tok); 1585 } 1586 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1587 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1588 kau_write(rec, tok); 1589 } 1590 break; 1591 1592 case AUE_SHMCTL: 1593 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1594 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1595 kau_write(rec, tok); 1596 /* XXXAUDIT: Does having the ipc token make sense? */ 1597 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1598 kau_write(rec, tok); 1599 } 1600 switch (ar->ar_arg_svipc_cmd) { 1601 case IPC_STAT: 1602 ar->ar_event = AUE_SHMCTL_STAT; 1603 break; 1604 case IPC_RMID: 1605 ar->ar_event = AUE_SHMCTL_RMID; 1606 break; 1607 case IPC_SET: 1608 ar->ar_event = AUE_SHMCTL_SET; 1609 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1610 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1611 kau_write(rec, tok); 1612 } 1613 break; 1614 default: 1615 break; /* We will audit a bad command */ 1616 } 1617 break; 1618 1619 case AUE_SHMDT: 1620 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1621 tok = au_to_arg32(1, "shmaddr", 1622 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1623 kau_write(rec, tok); 1624 } 1625 break; 1626 1627 case AUE_SHMGET: 1628 /* This is unusual; the return value is in an argument token */ 1629 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1630 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1631 kau_write(rec, tok); 1632 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1633 kau_write(rec, tok); 1634 } 1635 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1636 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1637 kau_write(rec, tok); 1638 } 1639 break; 1640 1641 /* shm_rename is a non-Posix extension to the Posix shm implementation */ 1642 case AUE_SHMRENAME: 1643 UPATH1_TOKENS; 1644 UPATH2_TOKENS; 1645 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1646 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1647 kau_write(rec, tok); 1648 } 1649 break; 1650 1651 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1652 * and AUE_SEMUNLINK are Posix IPC */ 1653 case AUE_SHMOPEN: 1654 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1655 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1656 kau_write(rec, tok); 1657 } 1658 if (ARG_IS_VALID(kar, ARG_MODE)) { 1659 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1660 kau_write(rec, tok); 1661 } 1662 /* FALLTHROUGH */ 1663 1664 case AUE_SHMUNLINK: 1665 UPATH1_TOKENS; 1666 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1667 struct ipc_perm perm; 1668 1669 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1670 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1671 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1672 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1673 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1674 perm.seq = 0; 1675 perm.key = 0; 1676 tok = au_to_ipc_perm(&perm); 1677 kau_write(rec, tok); 1678 } 1679 break; 1680 1681 case AUE_SEMOPEN: 1682 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1683 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1684 kau_write(rec, tok); 1685 } 1686 if (ARG_IS_VALID(kar, ARG_MODE)) { 1687 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1688 kau_write(rec, tok); 1689 } 1690 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1691 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1692 kau_write(rec, tok); 1693 } 1694 /* FALLTHROUGH */ 1695 1696 case AUE_SEMUNLINK: 1697 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1698 tok = au_to_text(ar->ar_arg_text); 1699 kau_write(rec, tok); 1700 } 1701 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1702 struct ipc_perm perm; 1703 1704 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1705 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1706 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1707 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1708 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1709 perm.seq = 0; 1710 perm.key = 0; 1711 tok = au_to_ipc_perm(&perm); 1712 kau_write(rec, tok); 1713 } 1714 break; 1715 1716 case AUE_SEMCLOSE: 1717 if (ARG_IS_VALID(kar, ARG_FD)) { 1718 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1719 kau_write(rec, tok); 1720 } 1721 break; 1722 1723 case AUE_SYMLINK: 1724 case AUE_SYMLINKAT: 1725 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1726 tok = au_to_text(ar->ar_arg_text); 1727 kau_write(rec, tok); 1728 } 1729 ATFD1_TOKENS(1); 1730 UPATH1_VNODE1_TOKENS; 1731 break; 1732 1733 case AUE_SYSCTL: 1734 case AUE_SYSCTL_NONADMIN: 1735 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1736 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1737 tok = au_to_arg32(1, "name", 1738 ar->ar_arg_ctlname[ctr]); 1739 kau_write(rec, tok); 1740 } 1741 } 1742 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1743 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1744 kau_write(rec, tok); 1745 } 1746 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1747 tok = au_to_text(ar->ar_arg_text); 1748 kau_write(rec, tok); 1749 } 1750 break; 1751 1752 case AUE_UMASK: 1753 if (ARG_IS_VALID(kar, ARG_MASK)) { 1754 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1755 kau_write(rec, tok); 1756 } 1757 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1758 kau_write(rec, tok); 1759 break; 1760 1761 case AUE_WAIT4: 1762 case AUE_WAIT6: 1763 PROCESS_PID_TOKENS(1); 1764 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1765 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1766 kau_write(rec, tok); 1767 } 1768 break; 1769 1770 case AUE_CAP_RIGHTS_LIMIT: 1771 /* 1772 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1773 */ 1774 FD_VNODE1_TOKENS; 1775 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1776 tok = au_to_rights(&ar->ar_arg_rights); 1777 kau_write(rec, tok); 1778 } 1779 break; 1780 1781 case AUE_CAP_FCNTLS_GET: 1782 case AUE_CAP_IOCTLS_GET: 1783 case AUE_CAP_IOCTLS_LIMIT: 1784 case AUE_CAP_RIGHTS_GET: 1785 if (ARG_IS_VALID(kar, ARG_FD)) { 1786 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1787 kau_write(rec, tok); 1788 } 1789 break; 1790 1791 case AUE_CAP_FCNTLS_LIMIT: 1792 FD_VNODE1_TOKENS; 1793 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1794 tok = au_to_arg32(2, "fcntlrights", 1795 ar->ar_arg_fcntl_rights); 1796 kau_write(rec, tok); 1797 } 1798 break; 1799 1800 case AUE_CAP_ENTER: 1801 case AUE_CAP_GETMODE: 1802 break; 1803 1804 case AUE_THR_NEW: 1805 case AUE_THR_KILL: 1806 case AUE_THR_EXIT: 1807 break; 1808 1809 case AUE_NULL: 1810 default: 1811 printf("BSM conversion requested for unknown event %d\n", 1812 ar->ar_event); 1813 1814 /* 1815 * Write the subject token so it is properly freed here. 1816 */ 1817 if (jail_tok != NULL) 1818 kau_write(rec, jail_tok); 1819 kau_write(rec, subj_tok); 1820 kau_free(rec); 1821 return (BSM_NOAUDIT); 1822 } 1823 1824 if (jail_tok != NULL) 1825 kau_write(rec, jail_tok); 1826 kau_write(rec, subj_tok); 1827 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1828 kau_write(rec, tok); /* Every record gets a return token */ 1829 1830 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1831 1832 *pau = rec; 1833 return (BSM_SUCCESS); 1834 } 1835 1836 /* 1837 * Verify that a record is a valid BSM record. This verification is simple 1838 * now, but may be expanded on sometime in the future. Return 1 if the 1839 * record is good, 0 otherwise. 1840 */ 1841 int 1842 bsm_rec_verify(void *rec) 1843 { 1844 char c = *(char *)rec; 1845 1846 /* 1847 * Check the token ID of the first token; it has to be a header 1848 * token. 1849 * 1850 * XXXAUDIT There needs to be a token structure to map a token. 1851 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1852 */ 1853 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1854 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1855 return (0); 1856 return (1); 1857 } 1858