1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit_bsm_klib.c 159143 2006-06-01 15:38:30Z csjp $
31 */
32
33#include <sys/param.h>
34#include <sys/fcntl.h>
35#include <sys/filedesc.h>
36#include <sys/libkern.h>
37#include <sys/malloc.h>
38#include <sys/mount.h>
39#include <sys/proc.h>
40#include <sys/sem.h>
41#include <sys/syscall.h>
42#include <sys/sysctl.h>
43#include <sys/sysent.h>
44#include <sys/vnode.h>
45
46#include <bsm/audit.h>
47#include <bsm/audit_kevents.h>
48#include <security/audit/audit.h>
49#include <security/audit/audit_private.h>
50
51/*
52 * Hash table functions for the audit event number to event class mask
53 * mapping.
54 */
55#define EVCLASSMAP_HASH_TABLE_SIZE 251
56struct evclass_elem {
57 au_event_t event;
58 au_class_t class;
59 LIST_ENTRY(evclass_elem) entry;
60};
61struct evclass_list {
62 LIST_HEAD(, evclass_elem) head;
63};
64
65static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
66static struct mtx evclass_mtx;
67static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
68
69/*
70 * Look up the class for an audit event in the class mapping table.
71 */
72au_class_t
73au_event_class(au_event_t event)
74{
75 struct evclass_list *evcl;
76 struct evclass_elem *evc;
77 au_class_t class;
78
79 mtx_lock(&evclass_mtx);
80 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
81 class = AU_NULL;
82 LIST_FOREACH(evc, &evcl->head, entry) {
83 if (evc->event == event) {
84 class = evc->class;
85 goto out;
86 }
87 }
88out:
89 mtx_unlock(&evclass_mtx);
90 return (class);
91}
92
93/*
94 * Insert a event to class mapping. If the event already exists in the
95 * mapping, then replace the mapping with the new one.
96 *
97 * XXX There is currently no constraints placed on the number of mappings.
98 * May want to either limit to a number, or in terms of memory usage.
99 */
100void
101au_evclassmap_insert(au_event_t event, au_class_t class)
102{
103 struct evclass_list *evcl;
104 struct evclass_elem *evc, *evc_new;
105
106 /*
107 * Pessimistically, always allocate storage before acquiring mutex.
108 * Free if there is already a mapping for this event.
109 */
110 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
111
112 mtx_lock(&evclass_mtx);
113 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
114 LIST_FOREACH(evc, &evcl->head, entry) {
115 if (evc->event == event) {
116 evc->class = class;
117 mtx_unlock(&evclass_mtx);
118 free(evc_new, M_AUDITEVCLASS);
119 return;
120 }
121 }
122 evc = evc_new;
123 evc->event = event;
124 evc->class = class;
125 LIST_INSERT_HEAD(&evcl->head, evc, entry);
126 mtx_unlock(&evclass_mtx);
127}
128
129void
130au_evclassmap_init(void)
131{
132 int i;
133
134 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
135 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
136 LIST_INIT(&evclass_hash[i].head);
137
138 /*
139 * Set up the initial event to class mapping for system calls.
140 *
141 * XXXRW: Really, this should walk all possible audit events, not all
142 * native ABI system calls, as there may be audit events reachable
143 * only through non-native system calls. It also seems a shame to
144 * frob the mutex this early.
145 */
146 for (i = 0; i < SYS_MAXSYSCALL; i++) {
147 if (sysent[i].sy_auevent != AUE_NULL)
148 au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL);
149 }
150}
151
152/*
153 * Check whether an event is aditable by comparing the mask of classes this
154 * event is part of against the given mask.
155 */
156int
157au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
158{
159 au_class_t effmask = 0;
160 au_class_t ae_class;
161
162 if (mask_p == NULL)
163 return (-1);
164
165 ae_class = au_event_class(event);
166
167 /*
168 * Perform the actual check of the masks against the event.
169 */
170 if (sorf & AU_PRS_SUCCESS)
171 effmask |= (mask_p->am_success & ae_class);
172
173 if (sorf & AU_PRS_FAILURE)
174 effmask |= (mask_p->am_failure & ae_class);
175
176 if (effmask)
177 return (1);
178 else
179 return (0);
180}
181
182/*
183 * Convert sysctl names and present arguments to events.
184 */
185au_event_t
186ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
187{
188
189 /* can't parse it - so return the worst case */
190 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
191 return (AUE_SYSCTL);
192
193 switch (name[0]) {
194 /* non-admin "lookups" treat them special */
195 case KERN_OSTYPE:
196 case KERN_OSRELEASE:
197 case KERN_OSREV:
198 case KERN_VERSION:
199 case KERN_ARGMAX:
200 case KERN_CLOCKRATE:
201 case KERN_BOOTTIME:
202 case KERN_POSIX1:
203 case KERN_NGROUPS:
204 case KERN_JOB_CONTROL:
205 case KERN_SAVED_IDS:
206 case KERN_OSRELDATE:
207 case KERN_DUMMY:
208 return (AUE_SYSCTL_NONADMIN);
209
210 /* only treat the changeable controls as admin */
211 case KERN_MAXVNODES:
212 case KERN_MAXPROC:
213 case KERN_MAXFILES:
214 case KERN_MAXPROCPERUID:
215 case KERN_MAXFILESPERPROC:
216 case KERN_HOSTID:
217 case KERN_SECURELVL:
218 case KERN_HOSTNAME:
219 case KERN_VNODE:
220 case KERN_PROC:
221 case KERN_FILE:
222 case KERN_PROF:
223 case KERN_NISDOMAINNAME:
224 case KERN_UPDATEINTERVAL:
225 case KERN_NTP_PLL:
226 case KERN_BOOTFILE:
227 case KERN_DUMPDEV:
228 case KERN_IPC:
229 case KERN_PS_STRINGS:
230 case KERN_USRSTACK:
231 case KERN_LOGSIGEXIT:
232 case KERN_IOV_MAX:
233 case KERN_MAXID:
234 return ((valid_arg & ARG_VALUE) ?
235 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
236
237 default:
238 return (AUE_SYSCTL);
239 }
240 /* NOTREACHED */
241}
242
243/*
244 * Convert an open flags specifier into a specific type of open event for
245 * auditing purposes.
246 */
247au_event_t
248flags_and_error_to_openevent(int oflags, int error)
249{
250 au_event_t aevent;
251
252 /*
253 * Need to check only those flags we care about.
254 */
255 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
256
257 /*
258 * These checks determine what flags are on with the condition that
259 * ONLY that combination is on, and no other flags are on.
260 */
261 switch (oflags) {
262 case O_RDONLY:
263 aevent = AUE_OPEN_R;
264 break;
265
266 case (O_RDONLY | O_CREAT):
267 aevent = AUE_OPEN_RC;
268 break;
269
270 case (O_RDONLY | O_CREAT | O_TRUNC):
271 aevent = AUE_OPEN_RTC;
272 break;
273
274 case (O_RDONLY | O_TRUNC):
275 aevent = AUE_OPEN_RT;
276 break;
277
278 case O_RDWR:
279 aevent = AUE_OPEN_RW;
280 break;
281
282 case (O_RDWR | O_CREAT):
283 aevent = AUE_OPEN_RWC;
284 break;
285
286 case (O_RDWR | O_CREAT | O_TRUNC):
287 aevent = AUE_OPEN_RWTC;
288 break;
289
290 case (O_RDWR | O_TRUNC):
291 aevent = AUE_OPEN_RWT;
292 break;
293
294 case O_WRONLY:
295 aevent = AUE_OPEN_W;
296 break;
297
298 case (O_WRONLY | O_CREAT):
299 aevent = AUE_OPEN_WC;
300 break;
301
302 case (O_WRONLY | O_CREAT | O_TRUNC):
303 aevent = AUE_OPEN_WTC;
304 break;
305
306 case (O_WRONLY | O_TRUNC):
307 aevent = AUE_OPEN_WT;
308 break;
309
310 default:
311 aevent = AUE_OPEN;
312 break;
313 }
314
315#if 0
316 /*
317 * Convert chatty errors to better matching events.
318 * Failures to find a file are really just attribute
319 * events - so recast them as such.
320 *
321 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
322 * is just a placeholder. However, in Darwin we return that in
323 * preference to other events. For now, comment this out as we don't
324 * have a BSM conversion routine for AUE_OPEN.
325 */
326 switch (aevent) {
327 case AUE_OPEN_R:
328 case AUE_OPEN_RT:
329 case AUE_OPEN_RW:
330 case AUE_OPEN_RWT:
331 case AUE_OPEN_W:
332 case AUE_OPEN_WT:
333 if (error == ENOENT)
334 aevent = AUE_OPEN;
335 }
336#endif
337 return (aevent);
338}
339
340/*
341 * Convert a MSGCTL command to a specific event.
342 */
343int
344msgctl_to_event(int cmd)
345{
346
347 switch (cmd) {
348 case IPC_RMID:
349 return (AUE_MSGCTL_RMID);
350
351 case IPC_SET:
352 return (AUE_MSGCTL_SET);
353
354 case IPC_STAT:
355 return (AUE_MSGCTL_STAT);
356
357 default:
358 /* We will audit a bad command */
359 return (AUE_MSGCTL);
360 }
361}
362
363/*
364 * Convert a SEMCTL command to a specific event.
365 */
366int
367semctl_to_event(int cmd)
368{
369
370 switch (cmd) {
371 case GETALL:
372 return (AUE_SEMCTL_GETALL);
373
374 case GETNCNT:
375 return (AUE_SEMCTL_GETNCNT);
376
377 case GETPID:
378 return (AUE_SEMCTL_GETPID);
379
380 case GETVAL:
381 return (AUE_SEMCTL_GETVAL);
382
383 case GETZCNT:
384 return (AUE_SEMCTL_GETZCNT);
385
386 case IPC_RMID:
387 return (AUE_SEMCTL_RMID);
388
389 case IPC_SET:
390 return (AUE_SEMCTL_SET);
391
392 case SETALL:
393 return (AUE_SEMCTL_SETALL);
394
395 case SETVAL:
396 return (AUE_SEMCTL_SETVAL);
397
398 case IPC_STAT:
399 return (AUE_SEMCTL_STAT);
400
401 default:
402 /* We will audit a bad command */
403 return (AUE_SEMCTL);
404 }
405}
406
407/*
408 * Convert a command for the auditon() system call to a audit event.
409 */
410int
411auditon_command_event(int cmd)
412{
413
414 switch(cmd) {
415 case A_GETPOLICY:
416 return (AUE_AUDITON_GPOLICY);
417
418 case A_SETPOLICY:
419 return (AUE_AUDITON_SPOLICY);
420
421 case A_GETKMASK:
422 return (AUE_AUDITON_GETKMASK);
423
424 case A_SETKMASK:
425 return (AUE_AUDITON_SETKMASK);
426
427 case A_GETQCTRL:
428 return (AUE_AUDITON_GQCTRL);
429
430 case A_SETQCTRL:
431 return (AUE_AUDITON_SQCTRL);
432
433 case A_GETCWD:
434 return (AUE_AUDITON_GETCWD);
435
436 case A_GETCAR:
437 return (AUE_AUDITON_GETCAR);
438
439 case A_GETSTAT:
440 return (AUE_AUDITON_GETSTAT);
441
442 case A_SETSTAT:
443 return (AUE_AUDITON_SETSTAT);
444
445 case A_SETUMASK:
446 return (AUE_AUDITON_SETUMASK);
447
448 case A_SETSMASK:
449 return (AUE_AUDITON_SETSMASK);
450
451 case A_GETCOND:
452 return (AUE_AUDITON_GETCOND);
453
454 case A_SETCOND:
455 return (AUE_AUDITON_SETCOND);
456
457 case A_GETCLASS:
458 return (AUE_AUDITON_GETCLASS);
459
460 case A_SETCLASS:
461 return (AUE_AUDITON_SETCLASS);
462
463 case A_GETPINFO:
464 case A_SETPMASK:
465 case A_SETFSIZE:
466 case A_GETFSIZE:
467 case A_GETPINFO_ADDR:
468 case A_GETKAUDIT:
469 case A_SETKAUDIT:
470 default:
471 return (AUE_AUDITON); /* No special record */
472 }
473}
474
475/*
476 * Create a canonical path from given path by prefixing either the root
477 * directory, or the current working directory. If the process working
478 * directory is NULL, we could use 'rootvnode' to obtain the root directoty,
479 * but this results in a volfs name written to the audit log. So we will
480 * leave the filename starting with '/' in the audit log in this case.
481 *
482 * XXXRW: Since we combine two paths here, ideally a buffer of size
483 * MAXPATHLEN * 2 would be passed in.
484 */
485void
486canon_path(struct thread *td, char *path, char *cpath)
487{
488 char *bufp;
489 char *retbuf, *freebuf;
490 struct vnode *vnp;
491 struct filedesc *fdp;
492 int cisr, error, vfslocked;
493
494 fdp = td->td_proc->p_fd;
495 bufp = path;
496 cisr = 0;
497 FILEDESC_LOCK(fdp);
498 if (*(path) == '/') {
499 while (*(bufp) == '/')
500 bufp++; /* Skip leading '/'s. */
501 /*
502 * If no process root, or it is the same as the system root,
503 * audit the path as passed in with a single '/'.
504 */
505 if ((fdp->fd_rdir == NULL) ||
506 (fdp->fd_rdir == rootvnode)) {
507 vnp = NULL;
508 bufp--; /* Restore one '/'. */
509 } else {
510 vnp = fdp->fd_rdir; /* Use process root. */
511 vref(vnp);
512 }
513 } else {
514 vnp = fdp->fd_cdir; /* Prepend the current dir. */
515 cisr = (fdp->fd_rdir == fdp->fd_cdir);
516 vref(vnp);
517 bufp = path;
518 }
519 FILEDESC_UNLOCK(fdp);
520 if (vnp != NULL) {
521 /*
522 * XXX: vn_fullpath() on FreeBSD is "less reliable" than
523 * vn_getpath() on Darwin, so this will need more attention
524 * in the future. Also, the question and string bounding
525 * here seems a bit questionable and will also require
526 * attention.
527 */
528 vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
529 vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
530 error = vn_fullpath(td, vnp, &retbuf, &freebuf);
531 if (error == 0) {
532 /* Copy and free buffer allocated by vn_fullpath().
533 * If the current working directory was the same as
534 * the root directory, and the path was a relative
535 * pathname, do not separate the two components with
536 * the '/' character.
537 */
538 snprintf(cpath, MAXPATHLEN, "%s%s%s", retbuf,
539 cisr ? "" : "/", bufp);
540 free(freebuf, M_TEMP);
541 } else
542 cpath[0] = '\0';
543 vput(vnp);
544 VFS_UNLOCK_GIANT(vfslocked);
545 } else {
546 strlcpy(cpath, bufp, MAXPATHLEN);
547 }
548}
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2005 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit_bsm_klib.c 159143 2006-06-01 15:38:30Z csjp $
31 */
32
33#include <sys/param.h>
34#include <sys/fcntl.h>
35#include <sys/filedesc.h>
36#include <sys/libkern.h>
37#include <sys/malloc.h>
38#include <sys/mount.h>
39#include <sys/proc.h>
40#include <sys/sem.h>
41#include <sys/syscall.h>
42#include <sys/sysctl.h>
43#include <sys/sysent.h>
44#include <sys/vnode.h>
45
46#include <bsm/audit.h>
47#include <bsm/audit_kevents.h>
48#include <security/audit/audit.h>
49#include <security/audit/audit_private.h>
50
51/*
52 * Hash table functions for the audit event number to event class mask
53 * mapping.
54 */
55#define EVCLASSMAP_HASH_TABLE_SIZE 251
56struct evclass_elem {
57 au_event_t event;
58 au_class_t class;
59 LIST_ENTRY(evclass_elem) entry;
60};
61struct evclass_list {
62 LIST_HEAD(, evclass_elem) head;
63};
64
65static MALLOC_DEFINE(M_AUDITEVCLASS, "audit_evclass", "Audit event class");
66static struct mtx evclass_mtx;
67static struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
68
69/*
70 * Look up the class for an audit event in the class mapping table.
71 */
72au_class_t
73au_event_class(au_event_t event)
74{
75 struct evclass_list *evcl;
76 struct evclass_elem *evc;
77 au_class_t class;
78
79 mtx_lock(&evclass_mtx);
80 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
81 class = AU_NULL;
82 LIST_FOREACH(evc, &evcl->head, entry) {
83 if (evc->event == event) {
84 class = evc->class;
85 goto out;
86 }
87 }
88out:
89 mtx_unlock(&evclass_mtx);
90 return (class);
91}
92
93/*
94 * Insert a event to class mapping. If the event already exists in the
95 * mapping, then replace the mapping with the new one.
96 *
97 * XXX There is currently no constraints placed on the number of mappings.
98 * May want to either limit to a number, or in terms of memory usage.
99 */
100void
101au_evclassmap_insert(au_event_t event, au_class_t class)
102{
103 struct evclass_list *evcl;
104 struct evclass_elem *evc, *evc_new;
105
106 /*
107 * Pessimistically, always allocate storage before acquiring mutex.
108 * Free if there is already a mapping for this event.
109 */
110 evc_new = malloc(sizeof(*evc), M_AUDITEVCLASS, M_WAITOK);
111
112 mtx_lock(&evclass_mtx);
113 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
114 LIST_FOREACH(evc, &evcl->head, entry) {
115 if (evc->event == event) {
116 evc->class = class;
117 mtx_unlock(&evclass_mtx);
118 free(evc_new, M_AUDITEVCLASS);
119 return;
120 }
121 }
122 evc = evc_new;
123 evc->event = event;
124 evc->class = class;
125 LIST_INSERT_HEAD(&evcl->head, evc, entry);
126 mtx_unlock(&evclass_mtx);
127}
128
129void
130au_evclassmap_init(void)
131{
132 int i;
133
134 mtx_init(&evclass_mtx, "evclass_mtx", NULL, MTX_DEF);
135 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++)
136 LIST_INIT(&evclass_hash[i].head);
137
138 /*
139 * Set up the initial event to class mapping for system calls.
140 *
141 * XXXRW: Really, this should walk all possible audit events, not all
142 * native ABI system calls, as there may be audit events reachable
143 * only through non-native system calls. It also seems a shame to
144 * frob the mutex this early.
145 */
146 for (i = 0; i < SYS_MAXSYSCALL; i++) {
147 if (sysent[i].sy_auevent != AUE_NULL)
148 au_evclassmap_insert(sysent[i].sy_auevent, AU_NULL);
149 }
150}
151
152/*
153 * Check whether an event is aditable by comparing the mask of classes this
154 * event is part of against the given mask.
155 */
156int
157au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
158{
159 au_class_t effmask = 0;
160 au_class_t ae_class;
161
162 if (mask_p == NULL)
163 return (-1);
164
165 ae_class = au_event_class(event);
166
167 /*
168 * Perform the actual check of the masks against the event.
169 */
170 if (sorf & AU_PRS_SUCCESS)
171 effmask |= (mask_p->am_success & ae_class);
172
173 if (sorf & AU_PRS_FAILURE)
174 effmask |= (mask_p->am_failure & ae_class);
175
176 if (effmask)
177 return (1);
178 else
179 return (0);
180}
181
182/*
183 * Convert sysctl names and present arguments to events.
184 */
185au_event_t
186ctlname_to_sysctlevent(int name[], uint64_t valid_arg)
187{
188
189 /* can't parse it - so return the worst case */
190 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != (ARG_CTLNAME | ARG_LEN))
191 return (AUE_SYSCTL);
192
193 switch (name[0]) {
194 /* non-admin "lookups" treat them special */
195 case KERN_OSTYPE:
196 case KERN_OSRELEASE:
197 case KERN_OSREV:
198 case KERN_VERSION:
199 case KERN_ARGMAX:
200 case KERN_CLOCKRATE:
201 case KERN_BOOTTIME:
202 case KERN_POSIX1:
203 case KERN_NGROUPS:
204 case KERN_JOB_CONTROL:
205 case KERN_SAVED_IDS:
206 case KERN_OSRELDATE:
207 case KERN_DUMMY:
208 return (AUE_SYSCTL_NONADMIN);
209
210 /* only treat the changeable controls as admin */
211 case KERN_MAXVNODES:
212 case KERN_MAXPROC:
213 case KERN_MAXFILES:
214 case KERN_MAXPROCPERUID:
215 case KERN_MAXFILESPERPROC:
216 case KERN_HOSTID:
217 case KERN_SECURELVL:
218 case KERN_HOSTNAME:
219 case KERN_VNODE:
220 case KERN_PROC:
221 case KERN_FILE:
222 case KERN_PROF:
223 case KERN_NISDOMAINNAME:
224 case KERN_UPDATEINTERVAL:
225 case KERN_NTP_PLL:
226 case KERN_BOOTFILE:
227 case KERN_DUMPDEV:
228 case KERN_IPC:
229 case KERN_PS_STRINGS:
230 case KERN_USRSTACK:
231 case KERN_LOGSIGEXIT:
232 case KERN_IOV_MAX:
233 case KERN_MAXID:
234 return ((valid_arg & ARG_VALUE) ?
235 AUE_SYSCTL : AUE_SYSCTL_NONADMIN);
236
237 default:
238 return (AUE_SYSCTL);
239 }
240 /* NOTREACHED */
241}
242
243/*
244 * Convert an open flags specifier into a specific type of open event for
245 * auditing purposes.
246 */
247au_event_t
248flags_and_error_to_openevent(int oflags, int error)
249{
250 au_event_t aevent;
251
252 /*
253 * Need to check only those flags we care about.
254 */
255 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
256
257 /*
258 * These checks determine what flags are on with the condition that
259 * ONLY that combination is on, and no other flags are on.
260 */
261 switch (oflags) {
262 case O_RDONLY:
263 aevent = AUE_OPEN_R;
264 break;
265
266 case (O_RDONLY | O_CREAT):
267 aevent = AUE_OPEN_RC;
268 break;
269
270 case (O_RDONLY | O_CREAT | O_TRUNC):
271 aevent = AUE_OPEN_RTC;
272 break;
273
274 case (O_RDONLY | O_TRUNC):
275 aevent = AUE_OPEN_RT;
276 break;
277
278 case O_RDWR:
279 aevent = AUE_OPEN_RW;
280 break;
281
282 case (O_RDWR | O_CREAT):
283 aevent = AUE_OPEN_RWC;
284 break;
285
286 case (O_RDWR | O_CREAT | O_TRUNC):
287 aevent = AUE_OPEN_RWTC;
288 break;
289
290 case (O_RDWR | O_TRUNC):
291 aevent = AUE_OPEN_RWT;
292 break;
293
294 case O_WRONLY:
295 aevent = AUE_OPEN_W;
296 break;
297
298 case (O_WRONLY | O_CREAT):
299 aevent = AUE_OPEN_WC;
300 break;
301
302 case (O_WRONLY | O_CREAT | O_TRUNC):
303 aevent = AUE_OPEN_WTC;
304 break;
305
306 case (O_WRONLY | O_TRUNC):
307 aevent = AUE_OPEN_WT;
308 break;
309
310 default:
311 aevent = AUE_OPEN;
312 break;
313 }
314
315#if 0
316 /*
317 * Convert chatty errors to better matching events.
318 * Failures to find a file are really just attribute
319 * events - so recast them as such.
320 *
321 * XXXAUDIT: Solaris defines that AUE_OPEN will never be returned, it
322 * is just a placeholder. However, in Darwin we return that in
323 * preference to other events. For now, comment this out as we don't
324 * have a BSM conversion routine for AUE_OPEN.
325 */
326 switch (aevent) {
327 case AUE_OPEN_R:
328 case AUE_OPEN_RT:
329 case AUE_OPEN_RW:
330 case AUE_OPEN_RWT:
331 case AUE_OPEN_W:
332 case AUE_OPEN_WT:
333 if (error == ENOENT)
334 aevent = AUE_OPEN;
335 }
336#endif
337 return (aevent);
338}
339
340/*
341 * Convert a MSGCTL command to a specific event.
342 */
343int
344msgctl_to_event(int cmd)
345{
346
347 switch (cmd) {
348 case IPC_RMID:
349 return (AUE_MSGCTL_RMID);
350
351 case IPC_SET:
352 return (AUE_MSGCTL_SET);
353
354 case IPC_STAT:
355 return (AUE_MSGCTL_STAT);
356
357 default:
358 /* We will audit a bad command */
359 return (AUE_MSGCTL);
360 }
361}
362
363/*
364 * Convert a SEMCTL command to a specific event.
365 */
366int
367semctl_to_event(int cmd)
368{
369
370 switch (cmd) {
371 case GETALL:
372 return (AUE_SEMCTL_GETALL);
373
374 case GETNCNT:
375 return (AUE_SEMCTL_GETNCNT);
376
377 case GETPID:
378 return (AUE_SEMCTL_GETPID);
379
380 case GETVAL:
381 return (AUE_SEMCTL_GETVAL);
382
383 case GETZCNT:
384 return (AUE_SEMCTL_GETZCNT);
385
386 case IPC_RMID:
387 return (AUE_SEMCTL_RMID);
388
389 case IPC_SET:
390 return (AUE_SEMCTL_SET);
391
392 case SETALL:
393 return (AUE_SEMCTL_SETALL);
394
395 case SETVAL:
396 return (AUE_SEMCTL_SETVAL);
397
398 case IPC_STAT:
399 return (AUE_SEMCTL_STAT);
400
401 default:
402 /* We will audit a bad command */
403 return (AUE_SEMCTL);
404 }
405}
406
407/*
408 * Convert a command for the auditon() system call to a audit event.
409 */
410int
411auditon_command_event(int cmd)
412{
413
414 switch(cmd) {
415 case A_GETPOLICY:
416 return (AUE_AUDITON_GPOLICY);
417
418 case A_SETPOLICY:
419 return (AUE_AUDITON_SPOLICY);
420
421 case A_GETKMASK:
422 return (AUE_AUDITON_GETKMASK);
423
424 case A_SETKMASK:
425 return (AUE_AUDITON_SETKMASK);
426
427 case A_GETQCTRL:
428 return (AUE_AUDITON_GQCTRL);
429
430 case A_SETQCTRL:
431 return (AUE_AUDITON_SQCTRL);
432
433 case A_GETCWD:
434 return (AUE_AUDITON_GETCWD);
435
436 case A_GETCAR:
437 return (AUE_AUDITON_GETCAR);
438
439 case A_GETSTAT:
440 return (AUE_AUDITON_GETSTAT);
441
442 case A_SETSTAT:
443 return (AUE_AUDITON_SETSTAT);
444
445 case A_SETUMASK:
446 return (AUE_AUDITON_SETUMASK);
447
448 case A_SETSMASK:
449 return (AUE_AUDITON_SETSMASK);
450
451 case A_GETCOND:
452 return (AUE_AUDITON_GETCOND);
453
454 case A_SETCOND:
455 return (AUE_AUDITON_SETCOND);
456
457 case A_GETCLASS:
458 return (AUE_AUDITON_GETCLASS);
459
460 case A_SETCLASS:
461 return (AUE_AUDITON_SETCLASS);
462
463 case A_GETPINFO:
464 case A_SETPMASK:
465 case A_SETFSIZE:
466 case A_GETFSIZE:
467 case A_GETPINFO_ADDR:
468 case A_GETKAUDIT:
469 case A_SETKAUDIT:
470 default:
471 return (AUE_AUDITON); /* No special record */
472 }
473}
474
475/*
476 * Create a canonical path from given path by prefixing either the root
477 * directory, or the current working directory. If the process working
478 * directory is NULL, we could use 'rootvnode' to obtain the root directoty,
479 * but this results in a volfs name written to the audit log. So we will
480 * leave the filename starting with '/' in the audit log in this case.
481 *
482 * XXXRW: Since we combine two paths here, ideally a buffer of size
483 * MAXPATHLEN * 2 would be passed in.
484 */
485void
486canon_path(struct thread *td, char *path, char *cpath)
487{
488 char *bufp;
489 char *retbuf, *freebuf;
490 struct vnode *vnp;
491 struct filedesc *fdp;
492 int cisr, error, vfslocked;
493
494 fdp = td->td_proc->p_fd;
495 bufp = path;
496 cisr = 0;
497 FILEDESC_LOCK(fdp);
498 if (*(path) == '/') {
499 while (*(bufp) == '/')
500 bufp++; /* Skip leading '/'s. */
501 /*
502 * If no process root, or it is the same as the system root,
503 * audit the path as passed in with a single '/'.
504 */
505 if ((fdp->fd_rdir == NULL) ||
506 (fdp->fd_rdir == rootvnode)) {
507 vnp = NULL;
508 bufp--; /* Restore one '/'. */
509 } else {
510 vnp = fdp->fd_rdir; /* Use process root. */
511 vref(vnp);
512 }
513 } else {
514 vnp = fdp->fd_cdir; /* Prepend the current dir. */
515 cisr = (fdp->fd_rdir == fdp->fd_cdir);
516 vref(vnp);
517 bufp = path;
518 }
519 FILEDESC_UNLOCK(fdp);
520 if (vnp != NULL) {
521 /*
522 * XXX: vn_fullpath() on FreeBSD is "less reliable" than
523 * vn_getpath() on Darwin, so this will need more attention
524 * in the future. Also, the question and string bounding
525 * here seems a bit questionable and will also require
526 * attention.
527 */
528 vfslocked = VFS_LOCK_GIANT(vnp->v_mount);
529 vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td);
530 error = vn_fullpath(td, vnp, &retbuf, &freebuf);
531 if (error == 0) {
532 /* Copy and free buffer allocated by vn_fullpath().
533 * If the current working directory was the same as
534 * the root directory, and the path was a relative
535 * pathname, do not separate the two components with
536 * the '/' character.
537 */
538 snprintf(cpath, MAXPATHLEN, "%s%s%s", retbuf,
539 cisr ? "" : "/", bufp);
540 free(freebuf, M_TEMP);
541 } else
542 cpath[0] = '\0';
543 vput(vnp);
544 VFS_UNLOCK_GIANT(vfslocked);
545 } else {
546 strlcpy(cpath, bufp, MAXPATHLEN);
547 }
548}