Lines Matching defs:ar

69 static void	audit_sys_auditon(struct audit_record *ar,
195 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
200 if (ar->ar_vnode1_mac_labels != NULL && \
201 strlen(ar->ar_vnode1_mac_labels) != 0) { \
202 tok = au_to_text(ar->ar_vnode1_mac_labels); \
208 if (ar->ar_vnode2_mac_labels != NULL && \
209 strlen(ar->ar_vnode2_mac_labels) != 0) { \
210 tok = au_to_text(ar->ar_vnode2_mac_labels); \
220 tok = au_to_path(ar->ar_arg_upath1); \
227 tok = au_to_path(ar->ar_arg_upath2); \
234 tok = au_to_path(ar->ar_arg_kpath1); \
238 tok = au_to_attr32(&ar->ar_arg_vnode1); \
246 tok = au_to_path(ar->ar_arg_upath1); \
250 tok = au_to_path(ar->ar_arg_kpath1); \
254 tok = au_to_attr32(&ar->ar_arg_vnode1); \
262 tok = au_to_attr32(&ar->ar_arg_vnode2); \
271 tok = au_to_path(ar->ar_arg_kpath1); \
275 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
279 tok = au_to_attr32(&ar->ar_arg_vnode1); \
284 ar->ar_arg_fd); \
292 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
294 tok = au_to_process32_ex(ar->ar_arg_auid, \
295 ar->ar_arg_euid, ar->ar_arg_egid, \
296 ar->ar_arg_ruid, ar->ar_arg_rgid, \
297 ar->ar_arg_pid, ar->ar_arg_asid, \
298 &ar->ar_arg_termid_addr); \
301 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
308 switch (ar->ar_arg_value32) { \
317 ar->ar_arg_value32); \
324 tok = au_to_text(ar->ar_arg_text); \
332 tok = au_to_opaque(ar->ar_arg_opaque, \
333 ar->ar_arg_opq_size); \
337 tok = au_to_arg32(n+2, "mode", ar->ar_arg_mode);\
341 tok = au_to_arg32(n+1, "gid", ar->ar_arg_gid); \
345 tok = au_to_arg32(n, "uid", ar->ar_arg_uid); \
351 if (ar->ar_valid_arg & ARG_MAC_STRING) { \
352 tok = au_to_text(ar->ar_arg_mac_string); \
363 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
367 switch (ar->ar_arg_cmd) {
369 if (ar->ar_arg_len > sizeof(int)) {
370 tok = au_to_arg32(3, "length", ar->ar_arg_len);
373 ar->ar_arg_auditon.au_policy64);
379 tok = au_to_arg32(3, "length", ar->ar_arg_len);
381 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
386 tok = au_to_arg32(3, "length", ar->ar_arg_len);
389 ar->ar_arg_auditon.au_mask.am_success);
392 ar->ar_arg_auditon.au_mask.am_failure);
397 if (ar->ar_arg_len > sizeof(au_qctrl_t)) {
398 tok = au_to_arg32(3, "length", ar->ar_arg_len);
401 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
404 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
407 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
410 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
413 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
419 tok = au_to_arg32(3, "length", ar->ar_arg_len);
422 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
425 ar->ar_arg_auditon.au_qctrl.aq_lowater);
428 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
431 ar->ar_arg_auditon.au_qctrl.aq_delay);
434 ar->ar_arg_auditon.au_qctrl.aq_minfree);
439 tok = au_to_arg32(3, "length", ar->ar_arg_len);
442 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
445 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
450 tok = au_to_arg32(3, "length", ar->ar_arg_len);
453 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
456 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
461 if (ar->ar_arg_len > sizeof(int)) {
462 tok = au_to_arg32(3, "length", ar->ar_arg_len);
465 ar->ar_arg_auditon.au_cond64);
471 tok = au_to_arg32(3, "length", ar->ar_arg_len);
473 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
478 tok = au_to_arg32(3, "length", ar->ar_arg_len);
481 ar->ar_arg_auditon.au_evclass.ec_number);
484 ar->ar_arg_auditon.au_evclass.ec_class);
489 tok = au_to_arg32(3, "length", ar->ar_arg_len);
492 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
495 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
500 tok = au_to_arg32(3, "length", ar->ar_arg_len);
503 ar->ar_arg_auditon.au_fstat.af_filesz);
510 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
523 struct audit_record *ar = &kar->k_ar;
525 switch (ar->ar_arg_cmd) {
529 tok = au_to_arg32(3, "min fd", ar->ar_arg_value32);
537 ar->ar_arg_value32);
544 tok = au_to_arg32(3, "fd flags", ar->ar_arg_value32);
551 tok = au_to_arg32(3, "pid", ar->ar_arg_value32);
559 tok = au_to_arg64(3, "offset", ar->ar_arg_value64);
568 tok = au_to_text(ar->ar_arg_text);
577 tok = au_to_arg32(2, "cmd", au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
597 struct audit_record *ar;
604 ar = &kar->k_ar;
610 switch (ar->ar_subj_term_addr.at_type) {
612 tid.port = ar->ar_subj_term_addr.at_port;
613 tid.machine = ar->ar_subj_term_addr.at_addr[0];
614 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
615 ar->ar_subj_cred.cr_uid, /* eff uid */
616 ar->ar_subj_egid, /* eff group id */
617 ar->ar_subj_ruid, /* real uid */
618 ar->ar_subj_rgid, /* real group id */
619 ar->ar_subj_pid, /* process id */
620 ar->ar_subj_asid, /* session ID */
624 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
625 ar->ar_subj_cred.cr_uid,
626 ar->ar_subj_egid,
627 ar->ar_subj_ruid,
628 ar->ar_subj_rgid,
629 ar->ar_subj_pid,
630 ar->ar_subj_asid,
631 &ar->ar_subj_term_addr);
635 subj_tok = au_to_subject32(ar->ar_subj_auid,
636 ar->ar_subj_cred.cr_uid,
637 ar->ar_subj_egid,
638 ar->ar_subj_ruid,
639 ar->ar_subj_rgid,
640 ar->ar_subj_pid,
641 ar->ar_subj_asid,
651 switch(ar->ar_event) {
655 tok = au_to_arg32(2, "sd", ar->ar_arg_value32);
671 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
676 &ar->ar_arg_sockaddr);
681 &ar->ar_arg_sockaddr);
687 &ar->ar_arg_sockaddr);
696 au_domain_to_bsm(ar->ar_arg_sockinfo.sai_domain));
699 au_socket_type_to_bsm(ar->ar_arg_sockinfo.sai_type));
702 ar->ar_arg_sockinfo.sai_protocol);
710 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
726 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
737 ar->ar_arg_auid);
740 ar->ar_arg_termid.port);
743 ar->ar_arg_termid.machine);
746 ar->ar_arg_amask.am_success);
749 ar->ar_arg_amask.am_failure);
752 ar->ar_arg_asid);
763 ar->ar_arg_auid);
766 ar->ar_arg_amask.am_success);
769 ar->ar_arg_amask.am_failure);
772 ar->ar_arg_asid);
775 ar->ar_arg_termid_addr.at_type);
778 ar->ar_arg_termid_addr.at_port);
780 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
782 &ar->ar_arg_termid_addr.at_addr[0]);
783 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
785 &ar->ar_arg_termid_addr.at_addr[0]);
795 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
817 audit_sys_auditon(ar, rec);
826 tok = au_to_exit(ar->ar_arg_exitretval,
827 ar->ar_arg_exitstatus);
864 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
876 tok = au_to_opaque(ar->ar_arg_opaque,
877 ar->ar_arg_opq_size);
885 tok = au_to_data(AUP_DECIMAL, ar->ar_arg_data_type,
886 ar->ar_arg_data_count, ar->ar_arg_data);
920 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
929 ar->ar_arg_mode);
938 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
942 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
955 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
963 tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
971 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
978 tok = au_to_exec_args(ar->ar_arg_argv,
979 ar->ar_arg_argc);
983 tok = au_to_exec_env(ar->ar_arg_envv,
984 ar->ar_arg_envc);
998 ar->ar_arg_mode);
1005 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1007 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
1039 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1043 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1057 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1061 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1069 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1073 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1082 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1090 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1099 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1106 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1113 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1118 (u_int32_t)ar->ar_arg_value32);
1125 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1129 tok = au_to_arg64(2, "cmd", ar->ar_arg_value64);
1133 tok = au_to_arg64(3, "arg", ar->ar_arg_addr);
1137 (u_int32_t)ar->ar_arg_addr);
1145 ar->ar_arg_sockinfo.sai_domain,
1146 ar->ar_arg_sockinfo.sai_type,
1148 &ar->ar_arg_sockinfo.sai_laddr,
1150 &ar->ar_arg_sockinfo.sai_faddr);
1155 ar->ar_arg_fd);
1164 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1185 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1193 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1197 tok = au_to_arg32(3, "dev", ar->ar_arg_value32);
1210 tok = au_to_arg64(1, "addr", ar->ar_arg_addr);
1214 (u_int32_t)ar->ar_arg_addr);
1218 tok = au_to_arg64(2, "len", ar->ar_arg_len);
1221 if (ar->ar_event == AUE_MMAP)
1223 if (ar->ar_event == AUE_MPROTECT) {
1226 ar->ar_arg_value32);
1230 if (ar->ar_event == AUE_MINHERIT) {
1233 ar->ar_arg_value32);
1247 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1251 tok = au_to_text(ar->ar_arg_text);
/*
 * The record's event number is overwritten here with whatever
 * audit_msgctl_to_event() returns for the captured SysV IPC command, so
 * every later use of ar->ar_event in this function sees the remapped value.
 * NOTE(review): confirm the mapping has a defined result for every command
 * value that can reach this point - the helper is not visible here.
 */
1262 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1267 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1269 if (ar->ar_errno != EINVAL) {
1270 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1276 if (ar->ar_errno == 0) {
1279 ar->ar_arg_svipc_id);
1292 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1296 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1300 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1314 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1327 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1331 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1345 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1349 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1364 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1378 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1386 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1394 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1398 tok = au_to_arg64(3, "addr", ar->ar_arg_addr);
1402 (u_int32_t)ar->ar_arg_addr);
1406 tok = au_to_arg32(4, "data", ar->ar_arg_value32);
1414 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1418 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1426 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
/*
 * The record's event number is overwritten here with whatever
 * audit_semctl_to_event() returns for the captured SysV IPC command, so
 * every later use of ar->ar_event in this function sees the remapped value.
 * NOTE(review): confirm the mapping has a defined result for every command
 * value that can reach this point - the helper is not visible here.
 */
1432 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1437 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1439 if (ar->ar_errno != EINVAL) {
1441 ar->ar_arg_svipc_id);
1448 if (ar->ar_errno == 0) {
1451 ar->ar_arg_svipc_id);
1459 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1466 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1473 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1477 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1484 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1488 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1495 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1502 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
/*
 * Walks the captured group list: the loop bound is the recorded
 * gidset_size and each iteration reads gidset[uctr].
 * NOTE(review): neither the declared size of gidset[] nor the check that
 * gidset_size fits it is visible in this listing - confirm it is enforced
 * where the argument is captured, since this loop trusts the stored count.
 */
1509 for (uctr = 0; uctr < ar->ar_arg_groups.gidset_size;
1512 ar->ar_arg_groups.gidset[uctr]);
1520 tok = au_to_text(ar->ar_arg_text);
1527 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1531 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1535 tok = au_to_arg32(2, "priority", ar->ar_arg_value32);
1542 tok = au_to_arg32(1, "flag", ar->ar_arg_value32);
1550 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1553 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1557 tok = au_to_arg64(2, "shmaddr", ar->ar_arg_svipc_addr);
1561 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1568 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1571 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1574 switch (ar->ar_arg_svipc_cmd) {
1576 ar->ar_event = AUE_SHMCTL_STAT;
1579 ar->ar_event = AUE_SHMCTL_RMID;
1582 ar->ar_event = AUE_SHMCTL_SET;
1584 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1596 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1604 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1606 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1610 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1619 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1623 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1630 tok = au_to_text(ar->ar_arg_text);
/*
 * Build the permission structure from the captured POSIX IPC values.
 * The creator fields (cuid/cgid) are filled from the same pipc_uid/pipc_gid
 * as the owner fields (uid/gid), so the structure built here carries no
 * separate creator identity; only uid, gid and mode are independent values.
 */
1636 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1637 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1638 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1639 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1640 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1650 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1654 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1658 tok = au_to_arg32(4, "value", ar->ar_arg_value32);
1665 tok = au_to_text(ar->ar_arg_text);
/*
 * Build the permission structure from the captured POSIX IPC values.
 * The creator fields (cuid/cgid) are filled from the same pipc_uid/pipc_gid
 * as the owner fields (uid/gid), so the structure built here carries no
 * separate creator identity; only uid, gid and mode are independent values.
 */
1671 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1672 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1673 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1674 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1675 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1685 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1692 tok = au_to_text(ar->ar_arg_text);
/*
 * Iterates over the captured control-name array, reading
 * ar_arg_ctlname[ctr] for each index below ar_arg_len.
 * NOTE(review): ar_arg_len is narrowed to int for the comparison, while the
 * same field is passed to au_to_arg64() as "len" elsewhere in this listing,
 * so it may be wider than int - TODO confirm. The size of ar_arg_ctlname
 * and the check that ar_arg_len stays within it are not visible here;
 * verify the bound is applied where the argument is recorded.
 */
1701 for (ctr = 0; ctr < (int)ar->ar_arg_len; ctr++) {
1703 ar->ar_arg_ctlname[ctr]);
1708 tok = au_to_arg32(5, "newval", ar->ar_arg_value32);
1712 tok = au_to_text(ar->ar_arg_text);
1720 tok = au_to_opaque(ar->ar_arg_opaque,
1721 ar->ar_arg_opq_size);
1728 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1731 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1740 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1747 tok = au_to_arg32(3, "volfsid", ar->ar_arg_value32);
1751 tok = au_to_arg64(4, "objid", ar->ar_arg_value64);
1755 tok = au_to_text(ar->ar_arg_text);
1765 tok = au_to_arg64(1, "sflags", ar->ar_arg_value64);
1770 ar->ar_arg_amask.am_success);
1773 ar->ar_arg_amask.am_failure);
1787 (u_int32_t)ar->ar_arg_mach_port1);
1791 tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
1800 (u_int32_t)ar->ar_arg_mach_port1);
1805 (u_int32_t)ar->ar_arg_mach_port2);
1814 (u_int32_t)ar->ar_arg_value32);
1826 tok = au_to_arg64(3, "va", ar->ar_arg_addr);
1830 (u_int32_t)ar->ar_arg_addr);
1855 tok = au_to_arg32(3, "call", ar->ar_arg_value32);
1867 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1876 (u_int32_t)ar->ar_arg_value32);
1893 ar->ar_event);
1905 if (NULL != ar->ar_mac_records) {
1909 LIST_FOREACH(mar, ar->ar_mac_records, records) {
1940 if (ar->ar_cred_mac_labels != NULL &&
1941 strlen(ar->ar_cred_mac_labels) != 0) {
1942 tok = au_to_text(ar->ar_cred_mac_labels);
1947 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1950 kau_close(rec, &ar->ar_endtime, ar->ar_event);