audit_bsm.c revision 155192
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: head/sys/security/audit/audit_bsm.c 155192 2006-02-01 20:01:18Z rwatson $ 30 */ 31 32#include <sys/param.h> 33#include <sys/vnode.h> 34#include <sys/ipc.h> 35#include <sys/lock.h> 36#include <sys/malloc.h> 37#include <sys/mutex.h> 38#include <sys/socket.h> 39#include <sys/fcntl.h> 40#include <sys/user.h> 41#include <sys/systm.h> 42 43#include <bsm/audit.h> 44#include <bsm/audit_internal.h> 45#include <bsm/audit_record.h> 46#include <bsm/audit_kevents.h> 47 48#include <security/audit/audit.h> 49#include <security/audit/audit_private.h> 50 51#include <netinet/in_systm.h> 52#include <netinet/in.h> 53#include <netinet/ip.h> 54 55MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 57/* 58 * Forward declares. 59 */ 60static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63/* 64 * Initialize the BSM auditing subsystem. 65 */ 66void 67kau_init(void) 68{ 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72} 73 74/* 75 * This call reserves memory for the audit record. 76 * Memory must be guaranteed before any auditable event can be 77 * generated. 78 * The au_record structure maintains a reference to the 79 * memory allocated above and also the list of tokens associated 80 * with this record 81 */ 82static struct au_record * 83kau_open(void) 84{ 85 struct au_record *rec; 86 87 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 88 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 89 M_AUDITBSM, M_WAITOK | M_ZERO); 90 TAILQ_INIT(&rec->token_q); 91 rec->len = 0; 92 rec->used = 1; 93 94 return (rec); 95} 96 97/* 98 * Store the token with the record descriptor. 99 */ 100static void 101kau_write(struct au_record *rec, struct au_token *tok) 102{ 103 104 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 105 106 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 107 rec->len += tok->len; 108} 109 110/* 111 * Close out the audit record by adding the header token, identifying any 112 * missing tokens. Write out the tokens to the record memory. 113 */ 114static void 115kau_close(struct au_record *rec, struct timespec *ctime, short event) 116{ 117 u_char *dptr; 118 size_t tot_rec_size; 119 token_t *cur, *hdr, *trail; 120 struct timeval tm; 121 122 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 123 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 124 /* Create the header token */ 125 tm.tv_usec = ctime->tv_nsec / 1000; 126 tm.tv_sec = ctime->tv_sec; 127 hdr = au_to_header32(tot_rec_size, event, 0, tm); 128 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 129 130 trail = au_to_trailer(tot_rec_size); 131 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 132 133 /* Serialize token data to the record. */ 134 135 rec->len = tot_rec_size; 136 dptr = rec->data; 137 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 138 memcpy(dptr, cur->t_data, cur->len); 139 dptr += cur->len; 140 } 141 } 142} 143 144/* 145 * Free a BSM audit record by releasing all the tokens and clearing the 146 * audit record information. 147 */ 148void 149kau_free(struct au_record *rec) 150{ 151 struct au_token *tok; 152 153 /* Free the token list */ 154 while ((tok = TAILQ_FIRST(&rec->token_q))) { 155 TAILQ_REMOVE(&rec->token_q, tok, tokens); 156 free(tok->t_data, M_AUDITBSM); 157 free(tok, M_AUDITBSM); 158 } 159 160 rec->used = 0; 161 rec->len = 0; 162 free(rec->data, M_AUDITBSM); 163 free(rec, M_AUDITBSM); 164} 165 166/* 167 * XXX May want turn some (or all) of these macros into functions in order 168 * to reduce the generated code sized. 169 * 170 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 171 * caller are OK with this. 172 */ 173#define UPATH1_TOKENS do { \ 174 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 175 tok = au_to_path(ar->ar_arg_upath1); \ 176 kau_write(rec, tok); \ 177 } \ 178} while (0) 179 180#define UPATH2_TOKENS do { \ 181 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 182 tok = au_to_path(ar->ar_arg_upath2); \ 183 kau_write(rec, tok); \ 184 } \ 185} while (0) 186 187#define VNODE1_TOKENS do { \ 188 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 189 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 190 kau_write(rec, tok); \ 191 } \ 192} while (0) 193 194#define UPATH1_VNODE1_TOKENS do { \ 195 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 196 UPATH1_TOKENS; \ 197 } \ 198 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 199 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 200 kau_write(rec, tok); \ 201 } \ 202} while (0) 203 204#define VNODE2_TOKENS do { \ 205 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 206 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 207 kau_write(rec, tok); \ 208 } \ 209} while (0) 210 211#define FD_VNODE1_TOKENS do { \ 212 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 213 if (ARG_IS_VALID(kar, ARG_FD)) { \ 214 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 215 kau_write(rec, tok); \ 216 } \ 217 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 218 kau_write(rec, tok); \ 219 } else { \ 220 if (ARG_IS_VALID(kar, ARG_FD)) { \ 221 tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\ 222 kau_write(rec, tok); \ 223 } \ 224 } \ 225} while (0) 226 227#define PROCESS_PID_TOKENS(argn) do { \ 228 if (ARG_IS_VALID(kar, ARG_PID)) { \ 229 if ((ar->ar_arg_pid > 0) /* Kill a single process */ \ 230 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 231 tok = au_to_process(ar->ar_arg_auid, \ 232 ar->ar_arg_euid, ar->ar_arg_egid, \ 233 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 234 ar->ar_arg_pid, ar->ar_arg_asid, \ 235 &ar->ar_arg_termid); \ 236 kau_write(rec, tok); \ 237 } else { \ 238 tok = au_to_arg32(argn, "process", \ 239 ar->ar_arg_pid); \ 240 kau_write(rec, tok); \ 241 } \ 242 } \ 243} while (0) \ 244 245/* 246 * Implement auditing for the auditon() system call. The audit tokens that 247 * are generated depend on the command that was sent into the auditon() 248 * system call. 249 */ 250static void 251audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 252{ 253 struct au_token *tok; 254 255 switch (ar->ar_arg_cmd) { 256 case A_SETPOLICY: 257 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 258 tok = au_to_arg64(1, "policy", 259 ar->ar_arg_auditon.au_flags); 260 else 261 tok = au_to_arg32(1, "policy", 262 ar->ar_arg_auditon.au_flags); 263 kau_write(rec, tok); 264 break; 265 266 case A_SETKMASK: 267 tok = au_to_arg32(2, "setkmask:as_success", 268 ar->ar_arg_auditon.au_mask.am_success); 269 kau_write(rec, tok); 270 tok = au_to_arg32(2, "setkmask:as_failure", 271 ar->ar_arg_auditon.au_mask.am_failure); 272 kau_write(rec, tok); 273 break; 274 275 case A_SETQCTRL: 276 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 277 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 278 kau_write(rec, tok); 279 tok = au_to_arg32(3, "setqctrl:aq_lowater", 280 ar->ar_arg_auditon.au_qctrl.aq_lowater); 281 kau_write(rec, tok); 282 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 283 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 284 kau_write(rec, tok); 285 tok = au_to_arg32(3, "setqctrl:aq_delay", 286 ar->ar_arg_auditon.au_qctrl.aq_delay); 287 kau_write(rec, tok); 288 tok = au_to_arg32(3, "setqctrl:aq_minfree", 289 ar->ar_arg_auditon.au_qctrl.aq_minfree); 290 kau_write(rec, tok); 291 break; 292 293 case A_SETUMASK: 294 tok = au_to_arg32(3, "setumask:as_success", 295 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 296 kau_write(rec, tok); 297 tok = au_to_arg32(3, "setumask:as_failure", 298 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 299 kau_write(rec, tok); 300 break; 301 302 case A_SETSMASK: 303 tok = au_to_arg32(3, "setsmask:as_success", 304 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 305 kau_write(rec, tok); 306 tok = au_to_arg32(3, "setsmask:as_failure", 307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 308 kau_write(rec, tok); 309 break; 310 311 case A_SETCOND: 312 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 313 tok = au_to_arg64(3, "setcond", 314 ar->ar_arg_auditon.au_cond); 315 else 316 tok = au_to_arg32(3, "setcond", 317 ar->ar_arg_auditon.au_cond); 318 kau_write(rec, tok); 319 break; 320 321 case A_SETCLASS: 322 tok = au_to_arg32(2, "setclass:ec_event", 323 ar->ar_arg_auditon.au_evclass.ec_number); 324 kau_write(rec, tok); 325 tok = au_to_arg32(3, "setclass:ec_class", 326 ar->ar_arg_auditon.au_evclass.ec_class); 327 kau_write(rec, tok); 328 break; 329 330 case A_SETPMASK: 331 tok = au_to_arg32(2, "setpmask:as_success", 332 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 333 kau_write(rec, tok); 334 tok = au_to_arg32(2, "setpmask:as_failure", 335 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 336 kau_write(rec, tok); 337 break; 338 339 case A_SETFSIZE: 340 tok = au_to_arg32(2, "setfsize:filesize", 341 ar->ar_arg_auditon.au_fstat.af_filesz); 342 kau_write(rec, tok); 343 break; 344 345 default: 346 break; 347 } 348} 349 350/* 351 * Convert an internal kernel audit record to a BSM record and return 352 * a success/failure indicator. The BSM record is passed as an out 353 * parameter to this function. 354 * Return conditions: 355 * BSM_SUCCESS: The BSM record is valid 356 * BSM_FAILURE: Failure; the BSM record is NULL. 357 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 358 */ 359int 360kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 361{ 362 struct au_token *tok, *subj_tok; 363 struct au_record *rec; 364 au_tid_t tid; 365 struct audit_record *ar; 366 int ctr; 367 368 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 369 370 *pau = NULL; 371 ar = &kar->k_ar; 372 rec = kau_open(); 373 374 /* Create the subject token */ 375 tid.port = ar->ar_subj_term.port; 376 tid.machine = ar->ar_subj_term.machine; 377 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 378 ar->ar_subj_cred.cr_uid, /* eff uid */ 379 ar->ar_subj_egid, /* eff group id */ 380 ar->ar_subj_ruid, /* real uid */ 381 ar->ar_subj_rgid, /* real group id */ 382 ar->ar_subj_pid, /* process id */ 383 ar->ar_subj_asid, /* session ID */ 384 &tid); 385 386 /* The logic inside each case fills in the tokens required for the 387 * event, except for the header, trailer, and return tokens. The 388 * header and trailer tokens are added by the kau_close() function. 389 * The return token is added outside of the switch statement. 390 */ 391 switch(ar->ar_event) { 392 393 /* 394 * Socket-related events. 395 */ 396 case AUE_ACCEPT: 397 case AUE_BIND: 398 case AUE_CONNECT: 399 case AUE_RECVFROM: 400 case AUE_RECVMSG: 401 case AUE_SENDMSG: 402 case AUE_SENDTO: 403 if (ARG_IS_VALID(kar, ARG_FD)) { 404 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 405 kau_write(rec, tok); 406 } 407 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 408 tok = au_to_sock_inet( 409 (struct sockaddr_in *)&ar->ar_arg_sockaddr); 410 kau_write(rec, tok); 411 } 412 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 413 tok = au_to_sock_unix( 414 (struct sockaddr_un *)&ar->ar_arg_sockaddr); 415 kau_write(rec, tok); 416 UPATH1_TOKENS; 417 } 418 /* XXX Need to handle ARG_SADDRINET6 */ 419 break; 420 421 case AUE_SOCKET: 422 case AUE_SOCKETPAIR: 423 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 424 tok = au_to_arg32(1,"domain", 425 ar->ar_arg_sockinfo.so_domain); 426 kau_write(rec, tok); 427 tok = au_to_arg32(2,"type", 428 ar->ar_arg_sockinfo.so_type); 429 kau_write(rec, tok); 430 tok = au_to_arg32(3,"protocol", 431 ar->ar_arg_sockinfo.so_protocol); 432 kau_write(rec, tok); 433 } 434 break; 435 436 case AUE_SETSOCKOPT: 437 case AUE_SHUTDOWN: 438 if (ARG_IS_VALID(kar, ARG_FD)) { 439 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 440 kau_write(rec, tok); 441 } 442 break; 443 444 case AUE_ACCT: 445 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 446 UPATH1_VNODE1_TOKENS; 447 } else { 448 tok = au_to_arg32(1, "accounting off", 0); 449 kau_write(rec, tok); 450 } 451 break; 452 453 case AUE_SETAUID: 454 if (ARG_IS_VALID(kar, ARG_AUID)) { 455 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 456 kau_write(rec, tok); 457 } 458 break; 459 460 case AUE_SETAUDIT: 461 if (ARG_IS_VALID(kar, ARG_AUID)) { 462 tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid); 463 kau_write(rec, tok); 464 tok = au_to_arg32(1, "setaudit:port", 465 ar->ar_arg_termid.port); 466 kau_write(rec, tok); 467 tok = au_to_arg32(1, "setaudit:machine", 468 ar->ar_arg_termid.machine); 469 kau_write(rec, tok); 470 tok = au_to_arg32(1, "setaudit:as_success", 471 ar->ar_arg_amask.am_success); 472 kau_write(rec, tok); 473 tok = au_to_arg32(1, "setaudit:as_failure", 474 ar->ar_arg_amask.am_failure); 475 kau_write(rec, tok); 476 tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid); 477 kau_write(rec, tok); 478 } 479 break; 480 481 case AUE_SETAUDIT_ADDR: 482 break; /* XXX need to add arguments */ 483 484 case AUE_AUDITON: 485 /* For AUDITON commands without own event, audit the cmd */ 486 if (ARG_IS_VALID(kar, ARG_CMD)) { 487 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 488 kau_write(rec, tok); 489 } 490 /* fall thru */ 491 492 case AUE_AUDITON_GETCAR: 493 case AUE_AUDITON_GETCLASS: 494 case AUE_AUDITON_GETCOND: 495 case AUE_AUDITON_GETCWD: 496 case AUE_AUDITON_GETKMASK: 497 case AUE_AUDITON_GETSTAT: 498 case AUE_AUDITON_GPOLICY: 499 case AUE_AUDITON_GQCTRL: 500 case AUE_AUDITON_SETCLASS: 501 case AUE_AUDITON_SETCOND: 502 case AUE_AUDITON_SETKMASK: 503 case AUE_AUDITON_SETSMASK: 504 case AUE_AUDITON_SETSTAT: 505 case AUE_AUDITON_SETUMASK: 506 case AUE_AUDITON_SPOLICY: 507 case AUE_AUDITON_SQCTRL: 508 if (ARG_IS_VALID(kar, ARG_AUDITON)) { 509 audit_sys_auditon(ar, rec); 510 } 511 break; 512 513 case AUE_AUDITCTL: 514 UPATH1_VNODE1_TOKENS; 515 break; 516 517 case AUE_EXIT: 518 if (ARG_IS_VALID(kar, ARG_EXIT)) { 519 tok = au_to_exit(ar->ar_arg_exitretval, 520 ar->ar_arg_exitstatus); 521 kau_write(rec, tok); 522 } 523 break; 524 525 case AUE_ADJTIME: 526 case AUE_AUDIT: 527 case AUE_GETAUDIT: 528 case AUE_GETAUDIT_ADDR: 529 case AUE_GETAUID: 530 case AUE_GETFSSTAT: 531 case AUE_PIPE: 532 case AUE_SETPGRP: 533 case AUE_SETRLIMIT: 534 case AUE_SETSID: 535 case AUE_SETTIMEOFDAY: 536 case AUE_NEWSYSTEMSHREG: 537 /* Header, subject, and return tokens added at end */ 538 break; 539 540 case AUE_ACCESS: 541 case AUE_CHDIR: 542 case AUE_CHROOT: 543 case AUE_EXECVE: 544 case AUE_GETATTRLIST: 545 case AUE_NFS_GETFH: 546 case AUE_LSTAT: 547 case AUE_MKFIFO: 548 case AUE_PATHCONF: 549 case AUE_READLINK: 550 case AUE_REVOKE: 551 case AUE_RMDIR: 552 case AUE_SEARCHFS: 553 case AUE_SETATTRLIST: 554 case AUE_STAT: 555 case AUE_STATFS: 556 case AUE_TRUNCATE: 557 case AUE_UNDELETE: 558 case AUE_UNLINK: 559 case AUE_UTIMES: 560 UPATH1_VNODE1_TOKENS; 561 break; 562 563 case AUE_CHFLAGS: 564 case AUE_LCHFLAGS: 565 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 566 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 567 kau_write(rec, tok); 568 } 569 UPATH1_VNODE1_TOKENS; 570 break; 571 572 case AUE_CHMOD: 573 case AUE_LCHMOD: 574 if (ARG_IS_VALID(kar, ARG_MODE)) { 575 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); 576 kau_write(rec, tok); 577 } 578 UPATH1_VNODE1_TOKENS; 579 break; 580 581 case AUE_CHOWN: 582 case AUE_LCHOWN: 583 if (ARG_IS_VALID(kar, ARG_UID)) { 584 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 585 kau_write(rec, tok); 586 } 587 if (ARG_IS_VALID(kar, ARG_GID)) { 588 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 589 kau_write(rec, tok); 590 } 591 UPATH1_VNODE1_TOKENS; 592 break; 593 594 case AUE_EXCHANGEDATA: 595 UPATH1_VNODE1_TOKENS; 596 UPATH2_TOKENS; 597 break; 598 599 case AUE_CLOSE: 600 if (ARG_IS_VALID(kar, ARG_FD)) { 601 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 602 kau_write(rec, tok); 603 } 604 UPATH1_VNODE1_TOKENS; 605 break; 606 607 case AUE_FCHMOD: 608 if (ARG_IS_VALID(kar, ARG_MODE)) { 609 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); 610 kau_write(rec, tok); 611 } 612 FD_VNODE1_TOKENS; 613 break; 614 615 case AUE_FCHDIR: 616 case AUE_FPATHCONF: 617 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 618 case AUE_FSTATFS: 619 case AUE_FSYNC: 620 case AUE_FTRUNCATE: 621 case AUE_FUTIMES: 622 case AUE_GETDIRENTRIES: 623 case AUE_GETDIRENTRIESATTR: 624 FD_VNODE1_TOKENS; 625 break; 626 627 case AUE_FCHOWN: 628 if (ARG_IS_VALID(kar, ARG_UID)) { 629 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 630 kau_write(rec, tok); 631 } 632 if (ARG_IS_VALID(kar, ARG_GID)) { 633 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 634 kau_write(rec, tok); 635 } 636 FD_VNODE1_TOKENS; 637 break; 638 639 case AUE_FCNTL: 640 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 641 ar->ar_arg_cmd == F_SETLKW) { 642 if (ARG_IS_VALID(kar, ARG_CMD)) { 643 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 644 kau_write(rec, tok); 645 } 646 FD_VNODE1_TOKENS; 647 } 648 break; 649 650 case AUE_FCHFLAGS: 651 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 652 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 653 kau_write(rec, tok); 654 } 655 FD_VNODE1_TOKENS; 656 break; 657 658 case AUE_FLOCK: 659 if (ARG_IS_VALID(kar, ARG_CMD)) { 660 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 661 kau_write(rec, tok); 662 } 663 FD_VNODE1_TOKENS; 664 break; 665 666 case AUE_RFORK: 667 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 668 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 669 kau_write(rec, tok); 670 } 671 /* fall through */ 672 case AUE_FORK: 673 case AUE_VFORK: 674 if (ARG_IS_VALID(kar, ARG_PID)) { 675 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 676 kau_write(rec, tok); 677 } 678 break; 679 680 case AUE_IOCTL: 681 if (ARG_IS_VALID(kar, ARG_CMD)) { 682 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 683 kau_write(rec, tok); 684 } 685 if (ARG_IS_VALID(kar, ARG_ADDR)) { 686 tok = au_to_arg32(1, "arg", (u_int32_t)ar->ar_arg_addr); 687 kau_write(rec, tok); 688 } 689 if (ARG_IS_VALID(kar, ARG_VNODE1)) { 690 FD_VNODE1_TOKENS; 691 } else { 692 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 693 tok = kau_to_socket(&ar->ar_arg_sockinfo); 694 kau_write(rec, tok); 695 } else { 696 if (ARG_IS_VALID(kar, ARG_FD)) { 697 tok = au_to_arg32(1, "fd", 698 ar->ar_arg_fd); 699 kau_write(rec, tok); 700 } 701 } 702 } 703 break; 704 705 case AUE_KILL: 706 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 707 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 708 kau_write(rec, tok); 709 } 710 PROCESS_PID_TOKENS(1); 711 break; 712 713 case AUE_KTRACE: 714 if (ARG_IS_VALID(kar, ARG_CMD)) { 715 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 716 kau_write(rec, tok); 717 } 718 if (ARG_IS_VALID(kar, ARG_VALUE)) { 719 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 720 kau_write(rec, tok); 721 } 722 PROCESS_PID_TOKENS(4); 723 UPATH1_VNODE1_TOKENS; 724 break; 725 726 case AUE_LINK: 727 case AUE_RENAME: 728 UPATH1_VNODE1_TOKENS; 729 UPATH2_TOKENS; 730 break; 731 732 case AUE_LOADSHFILE: 733 if (ARG_IS_VALID(kar, ARG_ADDR)) { 734 tok = au_to_arg32(4, "base addr", 735 (u_int32_t)ar->ar_arg_addr); 736 kau_write(rec, tok); 737 } 738 UPATH1_VNODE1_TOKENS; 739 break; 740 741 case AUE_MKDIR: 742 if (ARG_IS_VALID(kar, ARG_MODE)) { 743 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 744 kau_write(rec, tok); 745 } 746 UPATH1_VNODE1_TOKENS; 747 break; 748 749 case AUE_MKNOD: 750 if (ARG_IS_VALID(kar, ARG_MODE)) { 751 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 752 kau_write(rec, tok); 753 } 754 if (ARG_IS_VALID(kar, ARG_DEV)) { 755 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 756 kau_write(rec, tok); 757 } 758 UPATH1_VNODE1_TOKENS; 759 break; 760 761 case AUE_MMAP: 762 case AUE_MUNMAP: 763 case AUE_MPROTECT: 764 case AUE_MLOCK: 765 case AUE_MUNLOCK: 766 case AUE_MINHERIT: 767 if (ARG_IS_VALID(kar, ARG_ADDR)) { 768 tok = au_to_arg32(1, "addr", 769 (u_int32_t)ar->ar_arg_addr); 770 kau_write(rec, tok); 771 } 772 if (ARG_IS_VALID(kar, ARG_LEN)) { 773 tok = au_to_arg32(2, "len", ar->ar_arg_len); 774 kau_write(rec, tok); 775 } 776 if (ar->ar_event == AUE_MMAP) 777 FD_VNODE1_TOKENS; 778 if (ar->ar_event == AUE_MPROTECT) { 779 if (ARG_IS_VALID(kar, ARG_VALUE)) { 780 tok = au_to_arg32(3, "protection", 781 ar->ar_arg_value); 782 kau_write(rec, tok); 783 } 784 } 785 if (ar->ar_event == AUE_MINHERIT) { 786 if (ARG_IS_VALID(kar, ARG_VALUE)) { 787 tok = au_to_arg32(3, "inherit", 788 ar->ar_arg_value); 789 kau_write(rec, tok); 790 } 791 } 792 break; 793 794 case AUE_MOUNT: 795 /* XXX Need to handle NFS mounts */ 796 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 797 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 798 kau_write(rec, tok); 799 } 800 if (ARG_IS_VALID(kar, ARG_TEXT)) { 801 tok = au_to_text(ar->ar_arg_text); 802 kau_write(rec, tok); 803 } 804 /* fall through */ 805 case AUE_UMOUNT: 806 UPATH1_VNODE1_TOKENS; 807 break; 808 809 case AUE_MSGCTL: 810 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 811 /* Fall through */ 812 case AUE_MSGRCV: 813 case AUE_MSGSND: 814 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 815 kau_write(rec, tok); 816 if (ar->ar_errno != EINVAL) { 817 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 818 kau_write(rec, tok); 819 } 820 break; 821 822 case AUE_MSGGET: 823 if (ar->ar_errno == 0) { 824 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 825 tok = au_to_ipc(AT_IPC_MSG, 826 ar->ar_arg_svipc_id); 827 kau_write(rec, tok); 828 } 829 } 830 break; 831 832 case AUE_RESETSHFILE: 833 if (ARG_IS_VALID(kar, ARG_ADDR)) { 834 tok = au_to_arg32(1, "base addr", 835 (u_int32_t)ar->ar_arg_addr); 836 kau_write(rec, tok); 837 } 838 break; 839 840 case AUE_OPEN_RC: 841 case AUE_OPEN_RTC: 842 case AUE_OPEN_RWC: 843 case AUE_OPEN_RWTC: 844 case AUE_OPEN_WC: 845 case AUE_OPEN_WTC: 846 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 847 if (ARG_IS_VALID(kar, ARG_MODE)) { 848 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 849 kau_write(rec, tok); 850 } 851 /* fall through */ 852 853 case AUE_OPEN_R: 854 case AUE_OPEN_RT: 855 case AUE_OPEN_RW: 856 case AUE_OPEN_RWT: 857 case AUE_OPEN_W: 858 case AUE_OPEN_WT: 859 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 860 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 861 kau_write(rec, tok); 862 } 863 UPATH1_VNODE1_TOKENS; 864 break; 865 866 case AUE_PTRACE: 867 if (ARG_IS_VALID(kar, ARG_CMD)) { 868 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 869 kau_write(rec, tok); 870 } 871 if (ARG_IS_VALID(kar, ARG_ADDR)) { 872 tok = au_to_arg32(3, "addr", 873 (u_int32_t)ar->ar_arg_addr); 874 kau_write(rec, tok); 875 } 876 if (ARG_IS_VALID(kar, ARG_VALUE)) { 877 tok = au_to_arg32(4, "data", ar->ar_arg_value); 878 kau_write(rec, tok); 879 } 880 PROCESS_PID_TOKENS(2); 881 break; 882 883 case AUE_QUOTACTL: 884 if (ARG_IS_VALID(kar, ARG_CMD)) { 885 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 886 kau_write(rec, tok); 887 } 888 if (ARG_IS_VALID(kar, ARG_UID)) { 889 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 890 kau_write(rec, tok); 891 } 892 UPATH1_VNODE1_TOKENS; 893 break; 894 895 case AUE_REBOOT: 896 if (ARG_IS_VALID(kar, ARG_CMD)) { 897 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 898 kau_write(rec, tok); 899 } 900 break; 901 902 case AUE_SEMCTL: 903 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 904 /* Fall through */ 905 case AUE_SEMOP: 906 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 907 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 908 kau_write(rec, tok); 909 if (ar->ar_errno != EINVAL) { 910 tok = au_to_ipc(AT_IPC_SEM, 911 ar->ar_arg_svipc_id); 912 kau_write(rec, tok); 913 } 914 } 915 break; 916 case AUE_SEMGET: 917 if (ar->ar_errno == 0) { 918 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 919 tok = au_to_ipc(AT_IPC_SEM, 920 ar->ar_arg_svipc_id); 921 kau_write(rec, tok); 922 } 923 } 924 break; 925 case AUE_SETEGID: 926 if (ARG_IS_VALID(kar, ARG_EGID)) { 927 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 928 kau_write(rec, tok); 929 } 930 break; 931 case AUE_SETEUID: 932 if (ARG_IS_VALID(kar, ARG_EUID)) { 933 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 934 kau_write(rec, tok); 935 } 936 break; 937 case AUE_SETREGID: 938 if (ARG_IS_VALID(kar, ARG_RGID)) { 939 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 940 kau_write(rec, tok); 941 } 942 if (ARG_IS_VALID(kar, ARG_EGID)) { 943 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 944 kau_write(rec, tok); 945 } 946 break; 947 case AUE_SETREUID: 948 if (ARG_IS_VALID(kar, ARG_RUID)) { 949 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 950 kau_write(rec, tok); 951 } 952 if (ARG_IS_VALID(kar, ARG_EUID)) { 953 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 954 kau_write(rec, tok); 955 } 956 break; 957 case AUE_SETRESGID: 958 if (ARG_IS_VALID(kar, ARG_RGID)) { 959 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 960 kau_write(rec, tok); 961 } 962 if (ARG_IS_VALID(kar, ARG_EGID)) { 963 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 964 kau_write(rec, tok); 965 } 966 if (ARG_IS_VALID(kar, ARG_SGID)) { 967 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 968 kau_write(rec, tok); 969 } 970 break; 971 case AUE_SETRESUID: 972 if (ARG_IS_VALID(kar, ARG_RUID)) { 973 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 974 kau_write(rec, tok); 975 } 976 if (ARG_IS_VALID(kar, ARG_EUID)) { 977 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 978 kau_write(rec, tok); 979 } 980 if (ARG_IS_VALID(kar, ARG_SUID)) { 981 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 982 kau_write(rec, tok); 983 } 984 break; 985 case AUE_SETGID: 986 if (ARG_IS_VALID(kar, ARG_GID)) { 987 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 988 kau_write(rec, tok); 989 } 990 break; 991 case AUE_SETUID: 992 if (ARG_IS_VALID(kar, ARG_UID)) { 993 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 994 kau_write(rec, tok); 995 } 996 break; 997 case AUE_SETGROUPS: 998 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 999 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1000 { 1001 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1002 kau_write(rec, tok); 1003 } 1004 } 1005 break; 1006 1007 case AUE_SETLOGIN: 1008 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1009 tok = au_to_text(ar->ar_arg_text); 1010 kau_write(rec, tok); 1011 } 1012 break; 1013 1014 case AUE_SETPRIORITY: 1015 if (ARG_IS_VALID(kar, ARG_CMD)) { 1016 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1017 kau_write(rec, tok); 1018 } 1019 if (ARG_IS_VALID(kar, ARG_UID)) { 1020 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1021 kau_write(rec, tok); 1022 } 1023 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1024 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1025 kau_write(rec, tok); 1026 } 1027 break; 1028 1029 case AUE_SETPRIVEXEC: 1030 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1031 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1032 kau_write(rec, tok); 1033 } 1034 break; 1035 1036 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1037 case AUE_SHMAT: 1038 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1039 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1040 kau_write(rec, tok); 1041 /* XXXAUDIT: Does having the ipc token make sense? */ 1042 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1043 kau_write(rec, tok); 1044 } 1045 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1046 tok = au_to_arg32(2, "shmaddr", 1047 (int)ar->ar_arg_svipc_addr); 1048 kau_write(rec, tok); 1049 } 1050 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1051 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1052 kau_write(rec, tok); 1053 } 1054 break; 1055 1056 case AUE_SHMCTL: 1057 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1058 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1059 kau_write(rec, tok); 1060 /* XXXAUDIT: Does having the ipc token make sense? */ 1061 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1062 kau_write(rec, tok); 1063 } 1064 switch (ar->ar_arg_svipc_cmd) { 1065 case IPC_STAT: 1066 ar->ar_event = AUE_SHMCTL_STAT; 1067 break; 1068 case IPC_RMID: 1069 ar->ar_event = AUE_SHMCTL_RMID; 1070 break; 1071 case IPC_SET: 1072 ar->ar_event = AUE_SHMCTL_SET; 1073 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1074 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1075 kau_write(rec, tok); 1076 } 1077 break; 1078 default: 1079 break; /* We will audit a bad command */ 1080 } 1081 break; 1082 1083 case AUE_SHMDT: 1084 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1085 tok = au_to_arg32(1, "shmaddr", 1086 (int)ar->ar_arg_svipc_addr); 1087 kau_write(rec, tok); 1088 } 1089 break; 1090 1091 case AUE_SHMGET: 1092 /* This is unusual; the return value is in an argument token */ 1093 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1094 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1095 kau_write(rec, tok); 1096 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1097 kau_write(rec, tok); 1098 } 1099 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1100 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1101 kau_write(rec, tok); 1102 } 1103 break; 1104 1105 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1106 * and AUE_SEMUNLINK are Posix IPC */ 1107 case AUE_SHMOPEN: 1108 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1109 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1110 kau_write(rec, tok); 1111 } 1112 if (ARG_IS_VALID(kar, ARG_MODE)) { 1113 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1114 kau_write(rec, tok); 1115 } 1116 case AUE_SHMUNLINK: 1117 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1118 tok = au_to_text(ar->ar_arg_text); 1119 kau_write(rec, tok); 1120 } 1121 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1122 /* Create an ipc_perm token */ 1123 struct ipc_perm perm; 1124 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1125 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1126 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1127 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1128 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1129 perm.seq = 0; 1130 perm.key = 0; 1131 tok = au_to_ipc_perm(&perm); 1132 kau_write(rec, tok); 1133 } 1134 break; 1135 1136 case AUE_SEMOPEN: 1137 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1138 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1139 kau_write(rec, tok); 1140 } 1141 if (ARG_IS_VALID(kar, ARG_MODE)) { 1142 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1143 kau_write(rec, tok); 1144 } 1145 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1146 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1147 kau_write(rec, tok); 1148 } 1149 /* fall through */ 1150 case AUE_SEMUNLINK: 1151 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1152 tok = au_to_text(ar->ar_arg_text); 1153 kau_write(rec, tok); 1154 } 1155 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1156 /* Create an ipc_perm token */ 1157 struct ipc_perm perm; 1158 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1159 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1160 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1161 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1162 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1163 perm.seq = 0; 1164 perm.key = 0; 1165 tok = au_to_ipc_perm(&perm); 1166 kau_write(rec, tok); 1167 } 1168 break; 1169 1170 case AUE_SEMCLOSE: 1171 if (ARG_IS_VALID(kar, ARG_FD)) { 1172 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1173 kau_write(rec, tok); 1174 } 1175 break; 1176 1177 case AUE_SYMLINK: 1178 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1179 tok = au_to_text(ar->ar_arg_text); 1180 kau_write(rec, tok); 1181 } 1182 UPATH1_VNODE1_TOKENS; 1183 break; 1184 1185 case AUE_SYSCTL: 1186 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1187 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1188 tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]); 1189 kau_write(rec, tok); 1190 } 1191 } 1192 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1193 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1194 kau_write(rec, tok); 1195 } 1196 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1197 tok = au_to_text(ar->ar_arg_text); 1198 kau_write(rec, tok); 1199 } 1200 break; 1201 1202 case AUE_UMASK: 1203 if (ARG_IS_VALID(kar, ARG_MASK)) { 1204 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1205 kau_write(rec, tok); 1206 } 1207 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1208 kau_write(rec, tok); 1209 break; 1210 1211 case AUE_WAIT4: 1212 if (ARG_IS_VALID(kar, ARG_PID)) { 1213 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1214 kau_write(rec, tok); 1215 } 1216 break; 1217 1218 default: /* We shouldn't fall through to here. */ 1219 printf("BSM conversion requested for unknown event %d\n", 1220 ar->ar_event); 1221 /* Write the subject token so it is properly freed here. */ 1222 kau_write(rec, subj_tok); 1223 kau_free(rec); 1224 return (BSM_NOAUDIT); 1225 } 1226 1227 kau_write(rec, subj_tok); 1228 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1229 kau_write(rec, tok); /* Every record gets a return token */ 1230 1231 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1232 1233 *pau = rec; 1234 return (BSM_SUCCESS); 1235} 1236 1237/* 1238 * Verify that a record is a valid BSM record. This verification is 1239 * simple now, but may be expanded on sometime in the future. 1240 * Return 1 if the record is good, 0 otherwise. 1241 * 1242 */ 1243int 1244bsm_rec_verify(void *rec) 1245{ 1246 char c = *(char *)rec; 1247 /* 1248 * Check the token ID of the first token; it has to be a header 1249 * token. 1250 */ 1251 /* XXXAUDIT There needs to be a token structure to map a token. 1252 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1253 */ 1254 if ( (c != AUT_HEADER32) && 1255 (c != AUT_HEADER32_EX) && 1256 (c != AUT_HEADER64) && 1257 (c != AUT_HEADER64_EX) ) { 1258 return (0); 1259 } 1260 return (1); 1261} 1262