59 static void	audit_sys_auditon(struct audit_record *ar,
183  * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
188 		tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1);	\
195 		tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2);	\
202 		tok = au_to_path(ar->ar_arg_upath1);			\
209 		tok = au_to_path(ar->ar_arg_upath2);			\
216 		tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd);		\
220 		tok = au_to_attr32(&ar->ar_arg_vnode1);			\
230 		tok = au_to_attr32(&ar->ar_arg_vnode1);			\
237 		tok = au_to_attr32(&ar->ar_arg_vnode2);			\
245 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);	\
248 		tok = au_to_attr32(&ar->ar_arg_vnode1);			\
253 			    ar->ar_arg_fd);				\
260 	if ((ar->ar_arg_pid > 0) /* Reference a single process */	\
262 		tok = au_to_process32_ex(ar->ar_arg_auid,		\
263 		    ar->ar_arg_euid, ar->ar_arg_egid,			\
264 		    ar->ar_arg_ruid, ar->ar_arg_rgid,			\
265 		    ar->ar_arg_pid, ar->ar_arg_asid,			\
266 		    &ar->ar_arg_termid_addr);				\
269 		tok = au_to_arg32(argn, "process", ar->ar_arg_pid);	\
276 		switch (ar->ar_arg_value) {				\
285 			    "attrnamespace", ar->ar_arg_value);		\
292 		tok = au_to_text(ar->ar_arg_text);			\
306 			    (uint32_t)(uintptr_t)ar->ar_arg_addr);	\
309 			    (uint64_t)(uintptr_t)ar->ar_arg_addr);	\
321 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
325 	tok = au_to_arg32(3, "length", ar->ar_arg_len);
327 	switch (ar->ar_arg_cmd) {
329 		if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
331 			    ar->ar_arg_auditon.au_policy64);
338 		tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
344 		    ar->ar_arg_auditon.au_mask.am_success);
347 		    ar->ar_arg_auditon.au_mask.am_failure);
352 		if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
354 			    ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
357 			    ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
360 			    ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
363 			    ar->ar_arg_auditon.au_qctrl64.aq64_delay);
366 			    ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
374 		    ar->ar_arg_auditon.au_qctrl.aq_hiwater);
377 		    ar->ar_arg_auditon.au_qctrl.aq_lowater);
380 		    ar->ar_arg_auditon.au_qctrl.aq_bufsz);
383 		    ar->ar_arg_auditon.au_qctrl.aq_delay);
386 		    ar->ar_arg_auditon.au_qctrl.aq_minfree);
392 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
395 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
401 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
404 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
409 		if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
411 			    ar->ar_arg_auditon.au_cond64);
418 		tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
425 		    ar->ar_arg_auditon.au_evclass.ec_number);
428 		    ar->ar_arg_auditon.au_evclass.ec_class);
434 		    ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
437 		    ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
443 		    ar->ar_arg_auditon.au_fstat.af_filesz);
468 	struct audit_record *ar;
474 	ar = &kar->k_ar;
480 	switch (ar->ar_subj_term_addr.at_type) {
482 		tid.port = ar->ar_subj_term_addr.at_port;
483 		tid.machine = ar->ar_subj_term_addr.at_addr[0];
484 		subj_tok = au_to_subject32(ar->ar_subj_auid,  /* audit ID */
485 		    ar->ar_subj_cred.cr_uid, /* eff uid */
486 		    ar->ar_subj_egid,	/* eff group id */
487 		    ar->ar_subj_ruid,	/* real uid */
488 		    ar->ar_subj_rgid,	/* real group id */
489 		    ar->ar_subj_pid,	/* process id */
490 		    ar->ar_subj_asid,	/* session ID */
494 		subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
495 		    ar->ar_subj_cred.cr_uid,
496 		    ar->ar_subj_egid,
497 		    ar->ar_subj_ruid,
498 		    ar->ar_subj_rgid,
499 		    ar->ar_subj_pid,
500 		    ar->ar_subj_asid,
501 		    &ar->ar_subj_term_addr);
505 		subj_tok = au_to_subject32(ar->ar_subj_auid,
506 		    ar->ar_subj_cred.cr_uid,
507 		    ar->ar_subj_egid,
508 		    ar->ar_subj_ruid,
509 		    ar->ar_subj_rgid,
510 		    ar->ar_subj_pid,
511 		    ar->ar_subj_asid,
521 	switch(ar->ar_event) {
537 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
542 			    &ar->ar_arg_sockaddr);
547 			    &ar->ar_arg_sockaddr);
558 			    ar->ar_arg_sockinfo.so_domain);
561 			    ar->ar_arg_sockinfo.so_type);
564 			    ar->ar_arg_sockinfo.so_protocol);
572 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
588 			tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
599 			    ar->ar_arg_auid);
602 			    ar->ar_arg_termid.port);
605 			    ar->ar_arg_termid.machine);
608 			    ar->ar_arg_amask.am_success);
611 			    ar->ar_arg_amask.am_failure);
614 			    ar->ar_arg_asid);
625 			    ar->ar_arg_auid);
628 			    ar->ar_arg_amask.am_success);
631 			    ar->ar_arg_amask.am_failure);
634 			    ar->ar_arg_asid);
637 			    ar->ar_arg_termid_addr.at_type);
640 			    ar->ar_arg_termid_addr.at_port);
642 			if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
644 				    &ar->ar_arg_termid_addr.at_addr[0]);
645 			if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
647 				    &ar->ar_arg_termid_addr.at_addr[0]);
657 			tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
679 			audit_sys_auditon(ar, rec);
688 			tok = au_to_exit(ar->ar_arg_exitretval,
689 			    ar->ar_arg_exitstatus);
763 			tok = au_to_arg32(2, "mode", ar->ar_arg_value);
777 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
787 			    ar->ar_arg_mode);
797 			    ar->ar_arg_mode);
806 			tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
810 			tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
819 			tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
823 			tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
836 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
844 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
851 			tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
860 			tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
886 			tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
894 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
902 			tok = au_to_exec_args(ar->ar_arg_argv,
903 			    ar->ar_arg_argc);
907 			tok = au_to_exec_env(ar->ar_arg_envv,
908 			    ar->ar_arg_envc);
917 			    ar->ar_arg_mode);
946 			tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
950 			tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
959 			    au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
962 		if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
963 		    ar->ar_arg_cmd == F_SETLKW) {
970 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
978 			tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
986 			tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
994 			tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1001 			tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1008 				tok = kau_to_socket(&ar->ar_arg_sockinfo);
1013 					    ar->ar_arg_fd);
1023 			tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1031 			tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1035 			tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1063 			tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1073 			tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1077 			tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1091 			tok = au_to_arg32(2, "len", ar->ar_arg_len);
1094 		if (ar->ar_event == AUE_MMAP)
1096 		if (ar->ar_event == AUE_MPROTECT) {
1099 				    ar->ar_arg_value);
1103 		if (ar->ar_event == AUE_MINHERIT) {
1106 				    ar->ar_arg_value);
1116 			tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1120 			tok = au_to_text(ar->ar_arg_text);
1127 			tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1134 			tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1139 			tok = au_to_text(ar->ar_arg_text);
1145 		ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1150 		tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1152 		if (ar->ar_errno != EINVAL) {
1153 			tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1159 		if (ar->ar_errno == 0) {
1162 				    ar->ar_arg_svipc_id);
1180 			tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1192 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1205 			tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1217 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1226 			tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1230 			tok = au_to_arg32(4, "data", ar->ar_arg_value);
1238 			tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1242 			tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1246 			tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1254 			tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1260 		ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1265 			tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1267 			if (ar->ar_errno != EINVAL) {
1269 				    ar->ar_arg_svipc_id);
1276 		if (ar->ar_errno == 0) {
1279 				    ar->ar_arg_svipc_id);
1287 			tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1294 			tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1301 			tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1305 			tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1312 			tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1316 			tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1323 			tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1327 			tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1331 			tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1338 			tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1342 			tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1346 			tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1353 			tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1360 			tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1367 			for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1370 				    ar->ar_arg_groups.gidset[ctr]);
1378 			tok = au_to_text(ar->ar_arg_text);
1385 			tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1389 			tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1394 			tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1401 			tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1409 			tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1412 			tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1417 			    (int)(uintptr_t)ar->ar_arg_svipc_addr);
1421 			tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1428 			tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1431 			tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1434 		switch (ar->ar_arg_svipc_cmd) {
1436 			ar->ar_event = AUE_SHMCTL_STAT;
1439 			ar->ar_event = AUE_SHMCTL_RMID;
1442 			ar->ar_event = AUE_SHMCTL_SET;
1444 				tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1456 			    (int)(uintptr_t)ar->ar_arg_svipc_addr);
1464 			tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1466 			tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1470 			tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1479 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1483 			tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1490 			tok = au_to_text(ar->ar_arg_text);
1496 			perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1497 			perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1498 			perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1499 			perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1500 			perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1510 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1514 			tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1518 			tok = au_to_arg32(4, "value", ar->ar_arg_value);
1525 			tok = au_to_text(ar->ar_arg_text);
1531 			perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1532 			perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1533 			perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1534 			perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1535 			perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1545 			tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1553 			tok = au_to_text(ar->ar_arg_text);
1563 			for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1565 				    ar->ar_arg_ctlname[ctr]);
1570 			tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1574 			tok = au_to_text(ar->ar_arg_text);
1581 			tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1584 		tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1591 			tok = au_to_arg32(3, "options", ar->ar_arg_value);
1602 			tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
1609 			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1621 		    ar->ar_event);
1632 	tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1635 	kau_close(rec, &ar->ar_endtime, ar->ar_event);

Indexes created Sat May 25 20:21:57 MDT 2024