audit_bsm.c revision 159277
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: head/sys/security/audit/audit_bsm.c 159277 2006-06-05 16:12:00Z rwatson $ 30 */ 31 32#include <sys/param.h> 33#include <sys/vnode.h> 34#include <sys/ipc.h> 35#include <sys/lock.h> 36#include <sys/malloc.h> 37#include <sys/mutex.h> 38#include <sys/socket.h> 39#include <sys/fcntl.h> 40#include <sys/user.h> 41#include <sys/systm.h> 42 43#include <bsm/audit.h> 44#include <bsm/audit_internal.h> 45#include <bsm/audit_record.h> 46#include <bsm/audit_kevents.h> 47 48#include <security/audit/audit.h> 49#include <security/audit/audit_private.h> 50 51#include <netinet/in_systm.h> 52#include <netinet/in.h> 53#include <netinet/ip.h> 54 55MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 57/* 58 * Forward declares. 59 */ 60static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63/* 64 * Initialize the BSM auditing subsystem. 65 */ 66void 67kau_init(void) 68{ 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72} 73 74/* 75 * This call reserves memory for the audit record. Memory must be guaranteed 76 * before any auditable event can be generated. The au_record structure 77 * maintains a reference to the memory allocated above and also the list of 78 * tokens associated with this record 79 */ 80static struct au_record * 81kau_open(void) 82{ 83 struct au_record *rec; 84 85 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 86 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 87 M_AUDITBSM, M_WAITOK | M_ZERO); 88 TAILQ_INIT(&rec->token_q); 89 rec->len = 0; 90 rec->used = 1; 91 92 return (rec); 93} 94 95/* 96 * Store the token with the record descriptor. 97 */ 98static void 99kau_write(struct au_record *rec, struct au_token *tok) 100{ 101 102 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 103 104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 105 rec->len += tok->len; 106} 107 108/* 109 * Close out the audit record by adding the header token, identifying any 110 * missing tokens. Write out the tokens to the record memory. 111 */ 112static void 113kau_close(struct au_record *rec, struct timespec *ctime, short event) 114{ 115 u_char *dptr; 116 size_t tot_rec_size; 117 token_t *cur, *hdr, *trail; 118 struct timeval tm; 119 120 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 121 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 122 /* Create the header token */ 123 tm.tv_usec = ctime->tv_nsec / 1000; 124 tm.tv_sec = ctime->tv_sec; 125 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 127 128 trail = au_to_trailer(tot_rec_size); 129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 130 131 /* Serialize token data to the record. */ 132 rec->len = tot_rec_size; 133 dptr = rec->data; 134 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 135 memcpy(dptr, cur->t_data, cur->len); 136 dptr += cur->len; 137 } 138 } 139} 140 141/* 142 * Free a BSM audit record by releasing all the tokens and clearing the audit 143 * record information. 144 */ 145void 146kau_free(struct au_record *rec) 147{ 148 struct au_token *tok; 149 150 /* Free the token list. */ 151 while ((tok = TAILQ_FIRST(&rec->token_q))) { 152 TAILQ_REMOVE(&rec->token_q, tok, tokens); 153 free(tok->t_data, M_AUDITBSM); 154 free(tok, M_AUDITBSM); 155 } 156 157 rec->used = 0; 158 rec->len = 0; 159 free(rec->data, M_AUDITBSM); 160 free(rec, M_AUDITBSM); 161} 162 163/* 164 * XXX May want turn some (or all) of these macros into functions in order 165 * to reduce the generated code sized. 166 * 167 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 168 * caller are OK with this. 169 */ 170#define UPATH1_TOKENS do { \ 171 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 172 tok = au_to_path(ar->ar_arg_upath1); \ 173 kau_write(rec, tok); \ 174 } \ 175} while (0) 176 177#define UPATH2_TOKENS do { \ 178 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 179 tok = au_to_path(ar->ar_arg_upath2); \ 180 kau_write(rec, tok); \ 181 } \ 182} while (0) 183 184#define VNODE1_TOKENS do { \ 185 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 186 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 187 kau_write(rec, tok); \ 188 } \ 189} while (0) 190 191#define UPATH1_VNODE1_TOKENS do { \ 192 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 193 UPATH1_TOKENS; \ 194 } \ 195 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 196 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 197 kau_write(rec, tok); \ 198 } \ 199} while (0) 200 201#define VNODE2_TOKENS do { \ 202 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 203 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 204 kau_write(rec, tok); \ 205 } \ 206} while (0) 207 208#define FD_VNODE1_TOKENS do { \ 209 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 210 if (ARG_IS_VALID(kar, ARG_FD)) { \ 211 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 212 kau_write(rec, tok); \ 213 } \ 214 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 215 kau_write(rec, tok); \ 216 } else { \ 217 if (ARG_IS_VALID(kar, ARG_FD)) { \ 218 tok = au_to_arg32(1, "non-file: fd", \ 219 ar->ar_arg_fd); \ 220 kau_write(rec, tok); \ 221 } \ 222 } \ 223} while (0) 224 225#define PROCESS_PID_TOKENS(argn) do { \ 226 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 227 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 228 tok = au_to_process(ar->ar_arg_auid, \ 229 ar->ar_arg_euid, ar->ar_arg_egid, \ 230 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 231 ar->ar_arg_pid, ar->ar_arg_asid, \ 232 &ar->ar_arg_termid); \ 233 kau_write(rec, tok); \ 234 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 235 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 236 kau_write(rec, tok); \ 237 } \ 238} while (0) \ 239 240/* 241 * Implement auditing for the auditon() system call. The audit tokens that 242 * are generated depend on the command that was sent into the auditon() 243 * system call. 244 */ 245static void 246audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 247{ 248 struct au_token *tok; 249 250 switch (ar->ar_arg_cmd) { 251 case A_SETPOLICY: 252 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 253 tok = au_to_arg64(1, "policy", 254 ar->ar_arg_auditon.au_flags); 255 else 256 tok = au_to_arg32(1, "policy", 257 ar->ar_arg_auditon.au_flags); 258 kau_write(rec, tok); 259 break; 260 261 case A_SETKMASK: 262 tok = au_to_arg32(2, "setkmask:as_success", 263 ar->ar_arg_auditon.au_mask.am_success); 264 kau_write(rec, tok); 265 tok = au_to_arg32(2, "setkmask:as_failure", 266 ar->ar_arg_auditon.au_mask.am_failure); 267 kau_write(rec, tok); 268 break; 269 270 case A_SETQCTRL: 271 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 272 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 273 kau_write(rec, tok); 274 tok = au_to_arg32(3, "setqctrl:aq_lowater", 275 ar->ar_arg_auditon.au_qctrl.aq_lowater); 276 kau_write(rec, tok); 277 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 278 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 279 kau_write(rec, tok); 280 tok = au_to_arg32(3, "setqctrl:aq_delay", 281 ar->ar_arg_auditon.au_qctrl.aq_delay); 282 kau_write(rec, tok); 283 tok = au_to_arg32(3, "setqctrl:aq_minfree", 284 ar->ar_arg_auditon.au_qctrl.aq_minfree); 285 kau_write(rec, tok); 286 break; 287 288 case A_SETUMASK: 289 tok = au_to_arg32(3, "setumask:as_success", 290 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 291 kau_write(rec, tok); 292 tok = au_to_arg32(3, "setumask:as_failure", 293 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 294 kau_write(rec, tok); 295 break; 296 297 case A_SETSMASK: 298 tok = au_to_arg32(3, "setsmask:as_success", 299 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 300 kau_write(rec, tok); 301 tok = au_to_arg32(3, "setsmask:as_failure", 302 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 303 kau_write(rec, tok); 304 break; 305 306 case A_SETCOND: 307 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 308 tok = au_to_arg64(3, "setcond", 309 ar->ar_arg_auditon.au_cond); 310 else 311 tok = au_to_arg32(3, "setcond", 312 ar->ar_arg_auditon.au_cond); 313 kau_write(rec, tok); 314 break; 315 316 case A_SETCLASS: 317 tok = au_to_arg32(2, "setclass:ec_event", 318 ar->ar_arg_auditon.au_evclass.ec_number); 319 kau_write(rec, tok); 320 tok = au_to_arg32(3, "setclass:ec_class", 321 ar->ar_arg_auditon.au_evclass.ec_class); 322 kau_write(rec, tok); 323 break; 324 325 case A_SETPMASK: 326 tok = au_to_arg32(2, "setpmask:as_success", 327 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 328 kau_write(rec, tok); 329 tok = au_to_arg32(2, "setpmask:as_failure", 330 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 331 kau_write(rec, tok); 332 break; 333 334 case A_SETFSIZE: 335 tok = au_to_arg32(2, "setfsize:filesize", 336 ar->ar_arg_auditon.au_fstat.af_filesz); 337 kau_write(rec, tok); 338 break; 339 340 default: 341 break; 342 } 343} 344 345/* 346 * Convert an internal kernel audit record to a BSM record and return a 347 * success/failure indicator. The BSM record is passed as an out parameter to 348 * this function. 349 * 350 * Return conditions: 351 * BSM_SUCCESS: The BSM record is valid 352 * BSM_FAILURE: Failure; the BSM record is NULL. 353 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 354 */ 355int 356kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 357{ 358 struct au_token *tok, *subj_tok; 359 struct au_record *rec; 360 au_tid_t tid; 361 struct audit_record *ar; 362 int ctr; 363 364 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 365 366 *pau = NULL; 367 ar = &kar->k_ar; 368 rec = kau_open(); 369 370 /* Create the subject token */ 371 tid.port = ar->ar_subj_term.port; 372 tid.machine = ar->ar_subj_term.machine; 373 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 374 ar->ar_subj_cred.cr_uid, /* eff uid */ 375 ar->ar_subj_egid, /* eff group id */ 376 ar->ar_subj_ruid, /* real uid */ 377 ar->ar_subj_rgid, /* real group id */ 378 ar->ar_subj_pid, /* process id */ 379 ar->ar_subj_asid, /* session ID */ 380 &tid); 381 382 /* 383 * The logic inside each case fills in the tokens required for the 384 * event, except for the header, trailer, and return tokens. The 385 * header and trailer tokens are added by the kau_close() function. 386 * The return token is added outside of the switch statement. 387 */ 388 switch(ar->ar_event) { 389 case AUE_ACCEPT: 390 case AUE_BIND: 391 case AUE_CONNECT: 392 case AUE_RECVFROM: 393 case AUE_RECVMSG: 394 case AUE_SENDMSG: 395 case AUE_SENDTO: 396 /* 397 * Socket-related events. 398 */ 399 if (ARG_IS_VALID(kar, ARG_FD)) { 400 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 401 kau_write(rec, tok); 402 } 403 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 404 tok = au_to_sock_inet((struct sockaddr_in *) 405 &ar->ar_arg_sockaddr); 406 kau_write(rec, tok); 407 } 408 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 409 tok = au_to_sock_unix((struct sockaddr_un *) 410 &ar->ar_arg_sockaddr); 411 kau_write(rec, tok); 412 UPATH1_TOKENS; 413 } 414 /* XXX Need to handle ARG_SADDRINET6 */ 415 break; 416 417 case AUE_SOCKET: 418 case AUE_SOCKETPAIR: 419 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 420 tok = au_to_arg32(1,"domain", 421 ar->ar_arg_sockinfo.so_domain); 422 kau_write(rec, tok); 423 tok = au_to_arg32(2,"type", 424 ar->ar_arg_sockinfo.so_type); 425 kau_write(rec, tok); 426 tok = au_to_arg32(3,"protocol", 427 ar->ar_arg_sockinfo.so_protocol); 428 kau_write(rec, tok); 429 } 430 break; 431 432 case AUE_SETSOCKOPT: 433 case AUE_SHUTDOWN: 434 if (ARG_IS_VALID(kar, ARG_FD)) { 435 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 436 kau_write(rec, tok); 437 } 438 break; 439 440 case AUE_ACCT: 441 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 442 UPATH1_VNODE1_TOKENS; 443 } else { 444 tok = au_to_arg32(1, "accounting off", 0); 445 kau_write(rec, tok); 446 } 447 break; 448 449 case AUE_SETAUID: 450 if (ARG_IS_VALID(kar, ARG_AUID)) { 451 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 452 kau_write(rec, tok); 453 } 454 break; 455 456 case AUE_SETAUDIT: 457 if (ARG_IS_VALID(kar, ARG_AUID)) { 458 tok = au_to_arg32(1, "setaudit:auid", 459 ar->ar_arg_auid); 460 kau_write(rec, tok); 461 tok = au_to_arg32(1, "setaudit:port", 462 ar->ar_arg_termid.port); 463 kau_write(rec, tok); 464 tok = au_to_arg32(1, "setaudit:machine", 465 ar->ar_arg_termid.machine); 466 kau_write(rec, tok); 467 tok = au_to_arg32(1, "setaudit:as_success", 468 ar->ar_arg_amask.am_success); 469 kau_write(rec, tok); 470 tok = au_to_arg32(1, "setaudit:as_failure", 471 ar->ar_arg_amask.am_failure); 472 kau_write(rec, tok); 473 tok = au_to_arg32(1, "setaudit:asid", 474 ar->ar_arg_asid); 475 kau_write(rec, tok); 476 } 477 break; 478 479 case AUE_SETAUDIT_ADDR: 480 break; /* XXX need to add arguments */ 481 482 case AUE_AUDITON: 483 /* 484 * For AUDITON commands without own event, audit the cmd. 485 */ 486 if (ARG_IS_VALID(kar, ARG_CMD)) { 487 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 488 kau_write(rec, tok); 489 } 490 /* fall thru */ 491 492 case AUE_AUDITON_GETCAR: 493 case AUE_AUDITON_GETCLASS: 494 case AUE_AUDITON_GETCOND: 495 case AUE_AUDITON_GETCWD: 496 case AUE_AUDITON_GETKMASK: 497 case AUE_AUDITON_GETSTAT: 498 case AUE_AUDITON_GPOLICY: 499 case AUE_AUDITON_GQCTRL: 500 case AUE_AUDITON_SETCLASS: 501 case AUE_AUDITON_SETCOND: 502 case AUE_AUDITON_SETKMASK: 503 case AUE_AUDITON_SETSMASK: 504 case AUE_AUDITON_SETSTAT: 505 case AUE_AUDITON_SETUMASK: 506 case AUE_AUDITON_SPOLICY: 507 case AUE_AUDITON_SQCTRL: 508 if (ARG_IS_VALID(kar, ARG_AUDITON)) 509 audit_sys_auditon(ar, rec); 510 break; 511 512 case AUE_AUDITCTL: 513 UPATH1_VNODE1_TOKENS; 514 break; 515 516 case AUE_EXIT: 517 if (ARG_IS_VALID(kar, ARG_EXIT)) { 518 tok = au_to_exit(ar->ar_arg_exitretval, 519 ar->ar_arg_exitstatus); 520 kau_write(rec, tok); 521 } 522 break; 523 524 case AUE_ADJTIME: 525 case AUE_AUDIT: 526 case AUE_GETAUDIT: 527 case AUE_GETAUDIT_ADDR: 528 case AUE_GETAUID: 529 case AUE_GETFSSTAT: 530 case AUE_PIPE: 531 case AUE_SETPGRP: 532 case AUE_SETRLIMIT: 533 case AUE_SETSID: 534 case AUE_SETTIMEOFDAY: 535 case AUE_NEWSYSTEMSHREG: 536 /* 537 * Header, subject, and return tokens added at end. 538 */ 539 break; 540 541 case AUE_ACCESS: 542 case AUE_CHDIR: 543 case AUE_CHROOT: 544 case AUE_EACCESS: 545 case AUE_EXECVE: 546 case AUE_GETATTRLIST: 547 case AUE_NFS_GETFH: 548 case AUE_LSTAT: 549 case AUE_MKFIFO: 550 case AUE_PATHCONF: 551 case AUE_READLINK: 552 case AUE_REVOKE: 553 case AUE_RMDIR: 554 case AUE_SEARCHFS: 555 case AUE_SETATTRLIST: 556 case AUE_STAT: 557 case AUE_STATFS: 558 case AUE_TRUNCATE: 559 case AUE_UNDELETE: 560 case AUE_UNLINK: 561 case AUE_UTIMES: 562 UPATH1_VNODE1_TOKENS; 563 break; 564 565 case AUE_CHFLAGS: 566 case AUE_LCHFLAGS: 567 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 568 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 569 kau_write(rec, tok); 570 } 571 UPATH1_VNODE1_TOKENS; 572 break; 573 574 case AUE_CHMOD: 575 case AUE_LCHMOD: 576 if (ARG_IS_VALID(kar, ARG_MODE)) { 577 tok = au_to_arg32(2, "new file mode", 578 ar->ar_arg_mode); 579 kau_write(rec, tok); 580 } 581 UPATH1_VNODE1_TOKENS; 582 break; 583 584 case AUE_CHOWN: 585 case AUE_LCHOWN: 586 if (ARG_IS_VALID(kar, ARG_UID)) { 587 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 588 kau_write(rec, tok); 589 } 590 if (ARG_IS_VALID(kar, ARG_GID)) { 591 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 592 kau_write(rec, tok); 593 } 594 UPATH1_VNODE1_TOKENS; 595 break; 596 597 case AUE_EXCHANGEDATA: 598 UPATH1_VNODE1_TOKENS; 599 UPATH2_TOKENS; 600 break; 601 602 case AUE_CLOSE: 603 if (ARG_IS_VALID(kar, ARG_FD)) { 604 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 605 kau_write(rec, tok); 606 } 607 UPATH1_VNODE1_TOKENS; 608 break; 609 610 case AUE_FCHMOD: 611 if (ARG_IS_VALID(kar, ARG_MODE)) { 612 tok = au_to_arg32(2, "new file mode", 613 ar->ar_arg_mode); 614 kau_write(rec, tok); 615 } 616 FD_VNODE1_TOKENS; 617 break; 618 619 case AUE_FCHDIR: 620 case AUE_FPATHCONF: 621 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 622 case AUE_FSTATFS: 623 case AUE_FSYNC: 624 case AUE_FTRUNCATE: 625 case AUE_FUTIMES: 626 case AUE_GETDIRENTRIES: 627 case AUE_GETDIRENTRIESATTR: 628 FD_VNODE1_TOKENS; 629 break; 630 631 case AUE_FCHOWN: 632 if (ARG_IS_VALID(kar, ARG_UID)) { 633 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 634 kau_write(rec, tok); 635 } 636 if (ARG_IS_VALID(kar, ARG_GID)) { 637 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 638 kau_write(rec, tok); 639 } 640 FD_VNODE1_TOKENS; 641 break; 642 643 case AUE_FCNTL: 644 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 645 ar->ar_arg_cmd == F_SETLKW) { 646 if (ARG_IS_VALID(kar, ARG_CMD)) { 647 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 648 kau_write(rec, tok); 649 } 650 FD_VNODE1_TOKENS; 651 } 652 break; 653 654 case AUE_FCHFLAGS: 655 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 656 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 657 kau_write(rec, tok); 658 } 659 FD_VNODE1_TOKENS; 660 break; 661 662 case AUE_FLOCK: 663 if (ARG_IS_VALID(kar, ARG_CMD)) { 664 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 665 kau_write(rec, tok); 666 } 667 FD_VNODE1_TOKENS; 668 break; 669 670 case AUE_RFORK: 671 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 672 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 673 kau_write(rec, tok); 674 } 675 /* fall through */ 676 case AUE_FORK: 677 case AUE_VFORK: 678 if (ARG_IS_VALID(kar, ARG_PID)) { 679 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 680 kau_write(rec, tok); 681 } 682 break; 683 684 case AUE_IOCTL: 685 if (ARG_IS_VALID(kar, ARG_CMD)) { 686 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 687 kau_write(rec, tok); 688 } 689 if (ARG_IS_VALID(kar, ARG_ADDR)) { 690 tok = au_to_arg32(1, "arg", 691 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 692 kau_write(rec, tok); 693 } 694 if (ARG_IS_VALID(kar, ARG_VNODE1)) 695 FD_VNODE1_TOKENS; 696 else { 697 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 698 tok = kau_to_socket(&ar->ar_arg_sockinfo); 699 kau_write(rec, tok); 700 } else { 701 if (ARG_IS_VALID(kar, ARG_FD)) { 702 tok = au_to_arg32(1, "fd", 703 ar->ar_arg_fd); 704 kau_write(rec, tok); 705 } 706 } 707 } 708 break; 709 710 case AUE_KILL: 711 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 712 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 713 kau_write(rec, tok); 714 } 715 PROCESS_PID_TOKENS(1); 716 break; 717 718 case AUE_KTRACE: 719 if (ARG_IS_VALID(kar, ARG_CMD)) { 720 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 721 kau_write(rec, tok); 722 } 723 if (ARG_IS_VALID(kar, ARG_VALUE)) { 724 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 725 kau_write(rec, tok); 726 } 727 PROCESS_PID_TOKENS(4); 728 UPATH1_VNODE1_TOKENS; 729 break; 730 731 case AUE_LINK: 732 case AUE_RENAME: 733 UPATH1_VNODE1_TOKENS; 734 UPATH2_TOKENS; 735 break; 736 737 case AUE_LOADSHFILE: 738 if (ARG_IS_VALID(kar, ARG_ADDR)) { 739 tok = au_to_arg32(4, "base addr", 740 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 741 kau_write(rec, tok); 742 } 743 UPATH1_VNODE1_TOKENS; 744 break; 745 746 case AUE_MKDIR: 747 if (ARG_IS_VALID(kar, ARG_MODE)) { 748 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 749 kau_write(rec, tok); 750 } 751 UPATH1_VNODE1_TOKENS; 752 break; 753 754 case AUE_MKNOD: 755 if (ARG_IS_VALID(kar, ARG_MODE)) { 756 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 757 kau_write(rec, tok); 758 } 759 if (ARG_IS_VALID(kar, ARG_DEV)) { 760 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 761 kau_write(rec, tok); 762 } 763 UPATH1_VNODE1_TOKENS; 764 break; 765 766 case AUE_MMAP: 767 case AUE_MUNMAP: 768 case AUE_MPROTECT: 769 case AUE_MLOCK: 770 case AUE_MUNLOCK: 771 case AUE_MINHERIT: 772 if (ARG_IS_VALID(kar, ARG_ADDR)) { 773 tok = au_to_arg32(1, "addr", 774 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 775 kau_write(rec, tok); 776 } 777 if (ARG_IS_VALID(kar, ARG_LEN)) { 778 tok = au_to_arg32(2, "len", ar->ar_arg_len); 779 kau_write(rec, tok); 780 } 781 if (ar->ar_event == AUE_MMAP) 782 FD_VNODE1_TOKENS; 783 if (ar->ar_event == AUE_MPROTECT) { 784 if (ARG_IS_VALID(kar, ARG_VALUE)) { 785 tok = au_to_arg32(3, "protection", 786 ar->ar_arg_value); 787 kau_write(rec, tok); 788 } 789 } 790 if (ar->ar_event == AUE_MINHERIT) { 791 if (ARG_IS_VALID(kar, ARG_VALUE)) { 792 tok = au_to_arg32(3, "inherit", 793 ar->ar_arg_value); 794 kau_write(rec, tok); 795 } 796 } 797 break; 798 799 case AUE_MOUNT: 800 /* XXX Need to handle NFS mounts */ 801 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 802 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 803 kau_write(rec, tok); 804 } 805 if (ARG_IS_VALID(kar, ARG_TEXT)) { 806 tok = au_to_text(ar->ar_arg_text); 807 kau_write(rec, tok); 808 } 809 /* fall through */ 810 811 case AUE_UMOUNT: 812 UPATH1_VNODE1_TOKENS; 813 break; 814 815 case AUE_MSGCTL: 816 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 817 /* Fall through */ 818 819 case AUE_MSGRCV: 820 case AUE_MSGSND: 821 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 822 kau_write(rec, tok); 823 if (ar->ar_errno != EINVAL) { 824 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 825 kau_write(rec, tok); 826 } 827 break; 828 829 case AUE_MSGGET: 830 if (ar->ar_errno == 0) { 831 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 832 tok = au_to_ipc(AT_IPC_MSG, 833 ar->ar_arg_svipc_id); 834 kau_write(rec, tok); 835 } 836 } 837 break; 838 839 case AUE_RESETSHFILE: 840 if (ARG_IS_VALID(kar, ARG_ADDR)) { 841 tok = au_to_arg32(1, "base addr", 842 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 843 kau_write(rec, tok); 844 } 845 break; 846 847 case AUE_OPEN_RC: 848 case AUE_OPEN_RTC: 849 case AUE_OPEN_RWC: 850 case AUE_OPEN_RWTC: 851 case AUE_OPEN_WC: 852 case AUE_OPEN_WTC: 853 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 854 if (ARG_IS_VALID(kar, ARG_MODE)) { 855 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 856 kau_write(rec, tok); 857 } 858 /* fall through */ 859 860 case AUE_OPEN_R: 861 case AUE_OPEN_RT: 862 case AUE_OPEN_RW: 863 case AUE_OPEN_RWT: 864 case AUE_OPEN_W: 865 case AUE_OPEN_WT: 866 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 867 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 868 kau_write(rec, tok); 869 } 870 UPATH1_VNODE1_TOKENS; 871 break; 872 873 case AUE_PTRACE: 874 if (ARG_IS_VALID(kar, ARG_CMD)) { 875 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 876 kau_write(rec, tok); 877 } 878 if (ARG_IS_VALID(kar, ARG_ADDR)) { 879 tok = au_to_arg32(3, "addr", 880 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 881 kau_write(rec, tok); 882 } 883 if (ARG_IS_VALID(kar, ARG_VALUE)) { 884 tok = au_to_arg32(4, "data", ar->ar_arg_value); 885 kau_write(rec, tok); 886 } 887 PROCESS_PID_TOKENS(2); 888 break; 889 890 case AUE_QUOTACTL: 891 if (ARG_IS_VALID(kar, ARG_CMD)) { 892 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 893 kau_write(rec, tok); 894 } 895 if (ARG_IS_VALID(kar, ARG_UID)) { 896 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 897 kau_write(rec, tok); 898 } 899 UPATH1_VNODE1_TOKENS; 900 break; 901 902 case AUE_REBOOT: 903 if (ARG_IS_VALID(kar, ARG_CMD)) { 904 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 905 kau_write(rec, tok); 906 } 907 break; 908 909 case AUE_SEMCTL: 910 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 911 /* Fall through */ 912 913 case AUE_SEMOP: 914 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 915 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 916 kau_write(rec, tok); 917 if (ar->ar_errno != EINVAL) { 918 tok = au_to_ipc(AT_IPC_SEM, 919 ar->ar_arg_svipc_id); 920 kau_write(rec, tok); 921 } 922 } 923 break; 924 925 case AUE_SEMGET: 926 if (ar->ar_errno == 0) { 927 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 928 tok = au_to_ipc(AT_IPC_SEM, 929 ar->ar_arg_svipc_id); 930 kau_write(rec, tok); 931 } 932 } 933 break; 934 935 case AUE_SETEGID: 936 if (ARG_IS_VALID(kar, ARG_EGID)) { 937 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 938 kau_write(rec, tok); 939 } 940 break; 941 942 case AUE_SETEUID: 943 if (ARG_IS_VALID(kar, ARG_EUID)) { 944 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 945 kau_write(rec, tok); 946 } 947 break; 948 949 case AUE_SETREGID: 950 if (ARG_IS_VALID(kar, ARG_RGID)) { 951 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 952 kau_write(rec, tok); 953 } 954 if (ARG_IS_VALID(kar, ARG_EGID)) { 955 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 956 kau_write(rec, tok); 957 } 958 break; 959 960 case AUE_SETREUID: 961 if (ARG_IS_VALID(kar, ARG_RUID)) { 962 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 963 kau_write(rec, tok); 964 } 965 if (ARG_IS_VALID(kar, ARG_EUID)) { 966 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 967 kau_write(rec, tok); 968 } 969 break; 970 971 case AUE_SETRESGID: 972 if (ARG_IS_VALID(kar, ARG_RGID)) { 973 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 974 kau_write(rec, tok); 975 } 976 if (ARG_IS_VALID(kar, ARG_EGID)) { 977 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 978 kau_write(rec, tok); 979 } 980 if (ARG_IS_VALID(kar, ARG_SGID)) { 981 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 982 kau_write(rec, tok); 983 } 984 break; 985 986 case AUE_SETRESUID: 987 if (ARG_IS_VALID(kar, ARG_RUID)) { 988 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 989 kau_write(rec, tok); 990 } 991 if (ARG_IS_VALID(kar, ARG_EUID)) { 992 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 993 kau_write(rec, tok); 994 } 995 if (ARG_IS_VALID(kar, ARG_SUID)) { 996 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 997 kau_write(rec, tok); 998 } 999 break; 1000 1001 case AUE_SETGID: 1002 if (ARG_IS_VALID(kar, ARG_GID)) { 1003 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1004 kau_write(rec, tok); 1005 } 1006 break; 1007 1008 case AUE_SETUID: 1009 if (ARG_IS_VALID(kar, ARG_UID)) { 1010 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1011 kau_write(rec, tok); 1012 } 1013 break; 1014 1015 case AUE_SETGROUPS: 1016 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1017 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1018 { 1019 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1020 kau_write(rec, tok); 1021 } 1022 } 1023 break; 1024 1025 case AUE_SETLOGIN: 1026 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1027 tok = au_to_text(ar->ar_arg_text); 1028 kau_write(rec, tok); 1029 } 1030 break; 1031 1032 case AUE_SETPRIORITY: 1033 if (ARG_IS_VALID(kar, ARG_CMD)) { 1034 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1035 kau_write(rec, tok); 1036 } 1037 if (ARG_IS_VALID(kar, ARG_UID)) { 1038 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1039 kau_write(rec, tok); 1040 } 1041 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1042 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1043 kau_write(rec, tok); 1044 } 1045 break; 1046 1047 case AUE_SETPRIVEXEC: 1048 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1049 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1050 kau_write(rec, tok); 1051 } 1052 break; 1053 1054 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1055 case AUE_SHMAT: 1056 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1057 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1058 kau_write(rec, tok); 1059 /* XXXAUDIT: Does having the ipc token make sense? */ 1060 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1061 kau_write(rec, tok); 1062 } 1063 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1064 tok = au_to_arg32(2, "shmaddr", 1065 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1066 kau_write(rec, tok); 1067 } 1068 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1069 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1070 kau_write(rec, tok); 1071 } 1072 break; 1073 1074 case AUE_SHMCTL: 1075 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1076 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1077 kau_write(rec, tok); 1078 /* XXXAUDIT: Does having the ipc token make sense? */ 1079 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1080 kau_write(rec, tok); 1081 } 1082 switch (ar->ar_arg_svipc_cmd) { 1083 case IPC_STAT: 1084 ar->ar_event = AUE_SHMCTL_STAT; 1085 break; 1086 case IPC_RMID: 1087 ar->ar_event = AUE_SHMCTL_RMID; 1088 break; 1089 case IPC_SET: 1090 ar->ar_event = AUE_SHMCTL_SET; 1091 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1092 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1093 kau_write(rec, tok); 1094 } 1095 break; 1096 default: 1097 break; /* We will audit a bad command */ 1098 } 1099 break; 1100 1101 case AUE_SHMDT: 1102 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1103 tok = au_to_arg32(1, "shmaddr", 1104 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1105 kau_write(rec, tok); 1106 } 1107 break; 1108 1109 case AUE_SHMGET: 1110 /* This is unusual; the return value is in an argument token */ 1111 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1112 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1113 kau_write(rec, tok); 1114 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1115 kau_write(rec, tok); 1116 } 1117 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1118 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1119 kau_write(rec, tok); 1120 } 1121 break; 1122 1123 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1124 * and AUE_SEMUNLINK are Posix IPC */ 1125 case AUE_SHMOPEN: 1126 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1127 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1128 kau_write(rec, tok); 1129 } 1130 if (ARG_IS_VALID(kar, ARG_MODE)) { 1131 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1132 kau_write(rec, tok); 1133 } 1134 case AUE_SHMUNLINK: 1135 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1136 tok = au_to_text(ar->ar_arg_text); 1137 kau_write(rec, tok); 1138 } 1139 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1140 /* Create an ipc_perm token */ 1141 struct ipc_perm perm; 1142 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1143 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1144 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1145 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1146 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1147 perm.seq = 0; 1148 perm.key = 0; 1149 tok = au_to_ipc_perm(&perm); 1150 kau_write(rec, tok); 1151 } 1152 break; 1153 1154 case AUE_SEMOPEN: 1155 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1156 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1157 kau_write(rec, tok); 1158 } 1159 if (ARG_IS_VALID(kar, ARG_MODE)) { 1160 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1161 kau_write(rec, tok); 1162 } 1163 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1164 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1165 kau_write(rec, tok); 1166 } 1167 /* fall through */ 1168 1169 case AUE_SEMUNLINK: 1170 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1171 tok = au_to_text(ar->ar_arg_text); 1172 kau_write(rec, tok); 1173 } 1174 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1175 /* Create an ipc_perm token */ 1176 struct ipc_perm perm; 1177 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1178 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1179 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1180 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1181 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1182 perm.seq = 0; 1183 perm.key = 0; 1184 tok = au_to_ipc_perm(&perm); 1185 kau_write(rec, tok); 1186 } 1187 break; 1188 1189 case AUE_SEMCLOSE: 1190 if (ARG_IS_VALID(kar, ARG_FD)) { 1191 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1192 kau_write(rec, tok); 1193 } 1194 break; 1195 1196 case AUE_SYMLINK: 1197 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1198 tok = au_to_text(ar->ar_arg_text); 1199 kau_write(rec, tok); 1200 } 1201 UPATH1_VNODE1_TOKENS; 1202 break; 1203 1204 case AUE_SYSCTL: 1205 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1206 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1207 tok = au_to_arg32(1, "name", 1208 ar->ar_arg_ctlname[ctr]); 1209 kau_write(rec, tok); 1210 } 1211 } 1212 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1213 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1214 kau_write(rec, tok); 1215 } 1216 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1217 tok = au_to_text(ar->ar_arg_text); 1218 kau_write(rec, tok); 1219 } 1220 break; 1221 1222 case AUE_UMASK: 1223 if (ARG_IS_VALID(kar, ARG_MASK)) { 1224 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1225 kau_write(rec, tok); 1226 } 1227 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1228 kau_write(rec, tok); 1229 break; 1230 1231 case AUE_WAIT4: 1232 if (ARG_IS_VALID(kar, ARG_PID)) { 1233 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1234 kau_write(rec, tok); 1235 } 1236 break; 1237 1238 default: 1239 printf("BSM conversion requested for unknown event %d\n", 1240 ar->ar_event); 1241 /* Write the subject token so it is properly freed here. */ 1242 kau_write(rec, subj_tok); 1243 kau_free(rec); 1244 return (BSM_NOAUDIT); 1245 } 1246 1247 kau_write(rec, subj_tok); 1248 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1249 kau_write(rec, tok); /* Every record gets a return token */ 1250 1251 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1252 1253 *pau = rec; 1254 return (BSM_SUCCESS); 1255} 1256 1257/* 1258 * Verify that a record is a valid BSM record. This verification is simple 1259 * now, but may be expanded on sometime in the future. Return 1 if the 1260 * record is good, 0 otherwise. 1261 */ 1262int 1263bsm_rec_verify(void *rec) 1264{ 1265 char c = *(char *)rec; 1266 1267 /* 1268 * Check the token ID of the first token; it has to be a header 1269 * token. 1270 * 1271 * XXXAUDIT There needs to be a token structure to map a token. 1272 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1273 */ 1274 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1275 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1276 return (0); 1277 return (1); 1278} 1279