audit_bsm.c revision 159278
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: head/sys/security/audit/audit_bsm.c 159278 2006-06-05 16:14:49Z rwatson $ 30 */ 31 32#include <sys/param.h> 33#include <sys/vnode.h> 34#include <sys/ipc.h> 35#include <sys/lock.h> 36#include <sys/malloc.h> 37#include <sys/mutex.h> 38#include <sys/socket.h> 39#include <sys/fcntl.h> 40#include <sys/user.h> 41#include <sys/systm.h> 42 43#include <bsm/audit.h> 44#include <bsm/audit_internal.h> 45#include <bsm/audit_record.h> 46#include <bsm/audit_kevents.h> 47 48#include <security/audit/audit.h> 49#include <security/audit/audit_private.h> 50 51#include <netinet/in_systm.h> 52#include <netinet/in.h> 53#include <netinet/ip.h> 54 55MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 56 57/* 58 * Forward declares. 59 */ 60static void audit_sys_auditon(struct audit_record *ar, 61 struct au_record *rec); 62 63/* 64 * Initialize the BSM auditing subsystem. 65 */ 66void 67kau_init(void) 68{ 69 70 printf("BSM auditing present\n"); 71 au_evclassmap_init(); 72} 73 74/* 75 * This call reserves memory for the audit record. Memory must be guaranteed 76 * before any auditable event can be generated. The au_record structure 77 * maintains a reference to the memory allocated above and also the list of 78 * tokens associated with this record 79 */ 80static struct au_record * 81kau_open(void) 82{ 83 struct au_record *rec; 84 85 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 86 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 87 M_AUDITBSM, M_WAITOK | M_ZERO); 88 TAILQ_INIT(&rec->token_q); 89 rec->len = 0; 90 rec->used = 1; 91 92 return (rec); 93} 94 95/* 96 * Store the token with the record descriptor. 97 */ 98static void 99kau_write(struct au_record *rec, struct au_token *tok) 100{ 101 102 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 103 104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 105 rec->len += tok->len; 106} 107 108/* 109 * Close out the audit record by adding the header token, identifying any 110 * missing tokens. Write out the tokens to the record memory. 111 */ 112static void 113kau_close(struct au_record *rec, struct timespec *ctime, short event) 114{ 115 u_char *dptr; 116 size_t tot_rec_size; 117 token_t *cur, *hdr, *trail; 118 struct timeval tm; 119 120 tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; 121 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 122 /* Create the header token */ 123 tm.tv_usec = ctime->tv_nsec / 1000; 124 tm.tv_sec = ctime->tv_sec; 125 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 127 128 trail = au_to_trailer(tot_rec_size); 129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 130 131 /* Serialize token data to the record. */ 132 rec->len = tot_rec_size; 133 dptr = rec->data; 134 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 135 memcpy(dptr, cur->t_data, cur->len); 136 dptr += cur->len; 137 } 138 } 139} 140 141/* 142 * Free a BSM audit record by releasing all the tokens and clearing the audit 143 * record information. 144 */ 145void 146kau_free(struct au_record *rec) 147{ 148 struct au_token *tok; 149 150 /* Free the token list. */ 151 while ((tok = TAILQ_FIRST(&rec->token_q))) { 152 TAILQ_REMOVE(&rec->token_q, tok, tokens); 153 free(tok->t_data, M_AUDITBSM); 154 free(tok, M_AUDITBSM); 155 } 156 157 rec->used = 0; 158 rec->len = 0; 159 free(rec->data, M_AUDITBSM); 160 free(rec, M_AUDITBSM); 161} 162 163/* 164 * XXX May want turn some (or all) of these macros into functions in order 165 * to reduce the generated code sized. 166 * 167 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 168 * caller are OK with this. 169 */ 170#define UPATH1_TOKENS do { \ 171 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 172 tok = au_to_path(ar->ar_arg_upath1); \ 173 kau_write(rec, tok); \ 174 } \ 175} while (0) 176 177#define UPATH2_TOKENS do { \ 178 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 179 tok = au_to_path(ar->ar_arg_upath2); \ 180 kau_write(rec, tok); \ 181 } \ 182} while (0) 183 184#define VNODE1_TOKENS do { \ 185 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 186 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 187 kau_write(rec, tok); \ 188 } \ 189} while (0) 190 191#define UPATH1_VNODE1_TOKENS do { \ 192 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 193 UPATH1_TOKENS; \ 194 } \ 195 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 196 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 197 kau_write(rec, tok); \ 198 } \ 199} while (0) 200 201#define VNODE2_TOKENS do { \ 202 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 203 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 204 kau_write(rec, tok); \ 205 } \ 206} while (0) 207 208#define FD_VNODE1_TOKENS do { \ 209 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 210 if (ARG_IS_VALID(kar, ARG_FD)) { \ 211 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 212 kau_write(rec, tok); \ 213 } \ 214 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 215 kau_write(rec, tok); \ 216 } else { \ 217 if (ARG_IS_VALID(kar, ARG_FD)) { \ 218 tok = au_to_arg32(1, "non-file: fd", \ 219 ar->ar_arg_fd); \ 220 kau_write(rec, tok); \ 221 } \ 222 } \ 223} while (0) 224 225#define PROCESS_PID_TOKENS(argn) do { \ 226 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 227 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 228 tok = au_to_process(ar->ar_arg_auid, \ 229 ar->ar_arg_euid, ar->ar_arg_egid, \ 230 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 231 ar->ar_arg_pid, ar->ar_arg_asid, \ 232 &ar->ar_arg_termid); \ 233 kau_write(rec, tok); \ 234 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 235 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 236 kau_write(rec, tok); \ 237 } \ 238} while (0) \ 239 240/* 241 * Implement auditing for the auditon() system call. The audit tokens that 242 * are generated depend on the command that was sent into the auditon() 243 * system call. 244 */ 245static void 246audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 247{ 248 struct au_token *tok; 249 250 switch (ar->ar_arg_cmd) { 251 case A_SETPOLICY: 252 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 253 tok = au_to_arg64(1, "policy", 254 ar->ar_arg_auditon.au_flags); 255 else 256 tok = au_to_arg32(1, "policy", 257 ar->ar_arg_auditon.au_flags); 258 kau_write(rec, tok); 259 break; 260 261 case A_SETKMASK: 262 tok = au_to_arg32(2, "setkmask:as_success", 263 ar->ar_arg_auditon.au_mask.am_success); 264 kau_write(rec, tok); 265 tok = au_to_arg32(2, "setkmask:as_failure", 266 ar->ar_arg_auditon.au_mask.am_failure); 267 kau_write(rec, tok); 268 break; 269 270 case A_SETQCTRL: 271 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 272 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 273 kau_write(rec, tok); 274 tok = au_to_arg32(3, "setqctrl:aq_lowater", 275 ar->ar_arg_auditon.au_qctrl.aq_lowater); 276 kau_write(rec, tok); 277 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 278 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 279 kau_write(rec, tok); 280 tok = au_to_arg32(3, "setqctrl:aq_delay", 281 ar->ar_arg_auditon.au_qctrl.aq_delay); 282 kau_write(rec, tok); 283 tok = au_to_arg32(3, "setqctrl:aq_minfree", 284 ar->ar_arg_auditon.au_qctrl.aq_minfree); 285 kau_write(rec, tok); 286 break; 287 288 case A_SETUMASK: 289 tok = au_to_arg32(3, "setumask:as_success", 290 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 291 kau_write(rec, tok); 292 tok = au_to_arg32(3, "setumask:as_failure", 293 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 294 kau_write(rec, tok); 295 break; 296 297 case A_SETSMASK: 298 tok = au_to_arg32(3, "setsmask:as_success", 299 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 300 kau_write(rec, tok); 301 tok = au_to_arg32(3, "setsmask:as_failure", 302 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 303 kau_write(rec, tok); 304 break; 305 306 case A_SETCOND: 307 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 308 tok = au_to_arg64(3, "setcond", 309 ar->ar_arg_auditon.au_cond); 310 else 311 tok = au_to_arg32(3, "setcond", 312 ar->ar_arg_auditon.au_cond); 313 kau_write(rec, tok); 314 break; 315 316 case A_SETCLASS: 317 tok = au_to_arg32(2, "setclass:ec_event", 318 ar->ar_arg_auditon.au_evclass.ec_number); 319 kau_write(rec, tok); 320 tok = au_to_arg32(3, "setclass:ec_class", 321 ar->ar_arg_auditon.au_evclass.ec_class); 322 kau_write(rec, tok); 323 break; 324 325 case A_SETPMASK: 326 tok = au_to_arg32(2, "setpmask:as_success", 327 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 328 kau_write(rec, tok); 329 tok = au_to_arg32(2, "setpmask:as_failure", 330 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 331 kau_write(rec, tok); 332 break; 333 334 case A_SETFSIZE: 335 tok = au_to_arg32(2, "setfsize:filesize", 336 ar->ar_arg_auditon.au_fstat.af_filesz); 337 kau_write(rec, tok); 338 break; 339 340 default: 341 break; 342 } 343} 344 345/* 346 * Convert an internal kernel audit record to a BSM record and return a 347 * success/failure indicator. The BSM record is passed as an out parameter to 348 * this function. 349 * 350 * Return conditions: 351 * BSM_SUCCESS: The BSM record is valid 352 * BSM_FAILURE: Failure; the BSM record is NULL. 353 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 354 */ 355int 356kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 357{ 358 struct au_token *tok, *subj_tok; 359 struct au_record *rec; 360 au_tid_t tid; 361 struct audit_record *ar; 362 int ctr; 363 364 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 365 366 *pau = NULL; 367 ar = &kar->k_ar; 368 rec = kau_open(); 369 370 /* Create the subject token */ 371 tid.port = ar->ar_subj_term.port; 372 tid.machine = ar->ar_subj_term.machine; 373 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 374 ar->ar_subj_cred.cr_uid, /* eff uid */ 375 ar->ar_subj_egid, /* eff group id */ 376 ar->ar_subj_ruid, /* real uid */ 377 ar->ar_subj_rgid, /* real group id */ 378 ar->ar_subj_pid, /* process id */ 379 ar->ar_subj_asid, /* session ID */ 380 &tid); 381 382 /* 383 * The logic inside each case fills in the tokens required for the 384 * event, except for the header, trailer, and return tokens. The 385 * header and trailer tokens are added by the kau_close() function. 386 * The return token is added outside of the switch statement. 387 */ 388 switch(ar->ar_event) { 389 case AUE_ACCEPT: 390 case AUE_BIND: 391 case AUE_CONNECT: 392 case AUE_RECVFROM: 393 case AUE_RECVMSG: 394 case AUE_SENDMSG: 395 case AUE_SENDTO: 396 /* 397 * Socket-related events. 398 */ 399 if (ARG_IS_VALID(kar, ARG_FD)) { 400 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 401 kau_write(rec, tok); 402 } 403 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 404 tok = au_to_sock_inet((struct sockaddr_in *) 405 &ar->ar_arg_sockaddr); 406 kau_write(rec, tok); 407 } 408 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 409 tok = au_to_sock_unix((struct sockaddr_un *) 410 &ar->ar_arg_sockaddr); 411 kau_write(rec, tok); 412 UPATH1_TOKENS; 413 } 414 /* XXX Need to handle ARG_SADDRINET6 */ 415 break; 416 417 case AUE_SOCKET: 418 case AUE_SOCKETPAIR: 419 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 420 tok = au_to_arg32(1,"domain", 421 ar->ar_arg_sockinfo.so_domain); 422 kau_write(rec, tok); 423 tok = au_to_arg32(2,"type", 424 ar->ar_arg_sockinfo.so_type); 425 kau_write(rec, tok); 426 tok = au_to_arg32(3,"protocol", 427 ar->ar_arg_sockinfo.so_protocol); 428 kau_write(rec, tok); 429 } 430 break; 431 432 case AUE_SETSOCKOPT: 433 case AUE_SHUTDOWN: 434 if (ARG_IS_VALID(kar, ARG_FD)) { 435 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 436 kau_write(rec, tok); 437 } 438 break; 439 440 case AUE_ACCT: 441 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 442 UPATH1_VNODE1_TOKENS; 443 } else { 444 tok = au_to_arg32(1, "accounting off", 0); 445 kau_write(rec, tok); 446 } 447 break; 448 449 case AUE_SETAUID: 450 if (ARG_IS_VALID(kar, ARG_AUID)) { 451 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 452 kau_write(rec, tok); 453 } 454 break; 455 456 case AUE_SETAUDIT: 457 if (ARG_IS_VALID(kar, ARG_AUID)) { 458 tok = au_to_arg32(1, "setaudit:auid", 459 ar->ar_arg_auid); 460 kau_write(rec, tok); 461 tok = au_to_arg32(1, "setaudit:port", 462 ar->ar_arg_termid.port); 463 kau_write(rec, tok); 464 tok = au_to_arg32(1, "setaudit:machine", 465 ar->ar_arg_termid.machine); 466 kau_write(rec, tok); 467 tok = au_to_arg32(1, "setaudit:as_success", 468 ar->ar_arg_amask.am_success); 469 kau_write(rec, tok); 470 tok = au_to_arg32(1, "setaudit:as_failure", 471 ar->ar_arg_amask.am_failure); 472 kau_write(rec, tok); 473 tok = au_to_arg32(1, "setaudit:asid", 474 ar->ar_arg_asid); 475 kau_write(rec, tok); 476 } 477 break; 478 479 case AUE_SETAUDIT_ADDR: 480 break; /* XXX need to add arguments */ 481 482 case AUE_AUDITON: 483 /* 484 * For AUDITON commands without own event, audit the cmd. 485 */ 486 if (ARG_IS_VALID(kar, ARG_CMD)) { 487 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 488 kau_write(rec, tok); 489 } 490 /* fall thru */ 491 492 case AUE_AUDITON_GETCAR: 493 case AUE_AUDITON_GETCLASS: 494 case AUE_AUDITON_GETCOND: 495 case AUE_AUDITON_GETCWD: 496 case AUE_AUDITON_GETKMASK: 497 case AUE_AUDITON_GETSTAT: 498 case AUE_AUDITON_GPOLICY: 499 case AUE_AUDITON_GQCTRL: 500 case AUE_AUDITON_SETCLASS: 501 case AUE_AUDITON_SETCOND: 502 case AUE_AUDITON_SETKMASK: 503 case AUE_AUDITON_SETSMASK: 504 case AUE_AUDITON_SETSTAT: 505 case AUE_AUDITON_SETUMASK: 506 case AUE_AUDITON_SPOLICY: 507 case AUE_AUDITON_SQCTRL: 508 if (ARG_IS_VALID(kar, ARG_AUDITON)) 509 audit_sys_auditon(ar, rec); 510 break; 511 512 case AUE_AUDITCTL: 513 UPATH1_VNODE1_TOKENS; 514 break; 515 516 case AUE_EXIT: 517 if (ARG_IS_VALID(kar, ARG_EXIT)) { 518 tok = au_to_exit(ar->ar_arg_exitretval, 519 ar->ar_arg_exitstatus); 520 kau_write(rec, tok); 521 } 522 break; 523 524 case AUE_ADJTIME: 525 case AUE_AUDIT: 526 case AUE_GETAUDIT: 527 case AUE_GETAUDIT_ADDR: 528 case AUE_GETAUID: 529 case AUE_GETFSSTAT: 530 case AUE_PIPE: 531 case AUE_SETPGRP: 532 case AUE_SETRLIMIT: 533 case AUE_SETSID: 534 case AUE_SETTIMEOFDAY: 535 case AUE_NEWSYSTEMSHREG: 536 /* 537 * Header, subject, and return tokens added at end. 538 */ 539 break; 540 541 case AUE_MKFIFO: 542 if (ARG_IS_VALID(kar, ARG_MODE)) { 543 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 544 kau_write(rec, tok); 545 } 546 /* fall through */ 547 case AUE_ACCESS: 548 case AUE_CHDIR: 549 case AUE_CHROOT: 550 case AUE_EACCESS: 551 case AUE_EXECVE: 552 case AUE_GETATTRLIST: 553 case AUE_NFS_GETFH: 554 case AUE_LSTAT: 555 case AUE_PATHCONF: 556 case AUE_READLINK: 557 case AUE_REVOKE: 558 case AUE_RMDIR: 559 case AUE_SEARCHFS: 560 case AUE_SETATTRLIST: 561 case AUE_STAT: 562 case AUE_STATFS: 563 case AUE_TRUNCATE: 564 case AUE_UNDELETE: 565 case AUE_UNLINK: 566 case AUE_UTIMES: 567 UPATH1_VNODE1_TOKENS; 568 break; 569 570 case AUE_CHFLAGS: 571 case AUE_LCHFLAGS: 572 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 573 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 574 kau_write(rec, tok); 575 } 576 UPATH1_VNODE1_TOKENS; 577 break; 578 579 case AUE_CHMOD: 580 case AUE_LCHMOD: 581 if (ARG_IS_VALID(kar, ARG_MODE)) { 582 tok = au_to_arg32(2, "new file mode", 583 ar->ar_arg_mode); 584 kau_write(rec, tok); 585 } 586 UPATH1_VNODE1_TOKENS; 587 break; 588 589 case AUE_CHOWN: 590 case AUE_LCHOWN: 591 if (ARG_IS_VALID(kar, ARG_UID)) { 592 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 593 kau_write(rec, tok); 594 } 595 if (ARG_IS_VALID(kar, ARG_GID)) { 596 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 597 kau_write(rec, tok); 598 } 599 UPATH1_VNODE1_TOKENS; 600 break; 601 602 case AUE_EXCHANGEDATA: 603 UPATH1_VNODE1_TOKENS; 604 UPATH2_TOKENS; 605 break; 606 607 case AUE_CLOSE: 608 if (ARG_IS_VALID(kar, ARG_FD)) { 609 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 610 kau_write(rec, tok); 611 } 612 UPATH1_VNODE1_TOKENS; 613 break; 614 615 case AUE_FCHMOD: 616 if (ARG_IS_VALID(kar, ARG_MODE)) { 617 tok = au_to_arg32(2, "new file mode", 618 ar->ar_arg_mode); 619 kau_write(rec, tok); 620 } 621 FD_VNODE1_TOKENS; 622 break; 623 624 case AUE_FCHDIR: 625 case AUE_FPATHCONF: 626 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 627 case AUE_FSTATFS: 628 case AUE_FSYNC: 629 case AUE_FTRUNCATE: 630 case AUE_FUTIMES: 631 case AUE_GETDIRENTRIES: 632 case AUE_GETDIRENTRIESATTR: 633 FD_VNODE1_TOKENS; 634 break; 635 636 case AUE_FCHOWN: 637 if (ARG_IS_VALID(kar, ARG_UID)) { 638 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 639 kau_write(rec, tok); 640 } 641 if (ARG_IS_VALID(kar, ARG_GID)) { 642 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 643 kau_write(rec, tok); 644 } 645 FD_VNODE1_TOKENS; 646 break; 647 648 case AUE_FCNTL: 649 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 650 ar->ar_arg_cmd == F_SETLKW) { 651 if (ARG_IS_VALID(kar, ARG_CMD)) { 652 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 653 kau_write(rec, tok); 654 } 655 FD_VNODE1_TOKENS; 656 } 657 break; 658 659 case AUE_FCHFLAGS: 660 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 661 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 662 kau_write(rec, tok); 663 } 664 FD_VNODE1_TOKENS; 665 break; 666 667 case AUE_FLOCK: 668 if (ARG_IS_VALID(kar, ARG_CMD)) { 669 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 670 kau_write(rec, tok); 671 } 672 FD_VNODE1_TOKENS; 673 break; 674 675 case AUE_RFORK: 676 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 677 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 678 kau_write(rec, tok); 679 } 680 /* fall through */ 681 case AUE_FORK: 682 case AUE_VFORK: 683 if (ARG_IS_VALID(kar, ARG_PID)) { 684 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 685 kau_write(rec, tok); 686 } 687 break; 688 689 case AUE_IOCTL: 690 if (ARG_IS_VALID(kar, ARG_CMD)) { 691 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 692 kau_write(rec, tok); 693 } 694 if (ARG_IS_VALID(kar, ARG_ADDR)) { 695 tok = au_to_arg32(1, "arg", 696 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 697 kau_write(rec, tok); 698 } 699 if (ARG_IS_VALID(kar, ARG_VNODE1)) 700 FD_VNODE1_TOKENS; 701 else { 702 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 703 tok = kau_to_socket(&ar->ar_arg_sockinfo); 704 kau_write(rec, tok); 705 } else { 706 if (ARG_IS_VALID(kar, ARG_FD)) { 707 tok = au_to_arg32(1, "fd", 708 ar->ar_arg_fd); 709 kau_write(rec, tok); 710 } 711 } 712 } 713 break; 714 715 case AUE_KILL: 716 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 717 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 718 kau_write(rec, tok); 719 } 720 PROCESS_PID_TOKENS(1); 721 break; 722 723 case AUE_KTRACE: 724 if (ARG_IS_VALID(kar, ARG_CMD)) { 725 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 726 kau_write(rec, tok); 727 } 728 if (ARG_IS_VALID(kar, ARG_VALUE)) { 729 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 730 kau_write(rec, tok); 731 } 732 PROCESS_PID_TOKENS(4); 733 UPATH1_VNODE1_TOKENS; 734 break; 735 736 case AUE_LINK: 737 case AUE_RENAME: 738 UPATH1_VNODE1_TOKENS; 739 UPATH2_TOKENS; 740 break; 741 742 case AUE_LOADSHFILE: 743 if (ARG_IS_VALID(kar, ARG_ADDR)) { 744 tok = au_to_arg32(4, "base addr", 745 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 746 kau_write(rec, tok); 747 } 748 UPATH1_VNODE1_TOKENS; 749 break; 750 751 case AUE_MKDIR: 752 if (ARG_IS_VALID(kar, ARG_MODE)) { 753 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 754 kau_write(rec, tok); 755 } 756 UPATH1_VNODE1_TOKENS; 757 break; 758 759 case AUE_MKNOD: 760 if (ARG_IS_VALID(kar, ARG_MODE)) { 761 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 762 kau_write(rec, tok); 763 } 764 if (ARG_IS_VALID(kar, ARG_DEV)) { 765 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 766 kau_write(rec, tok); 767 } 768 UPATH1_VNODE1_TOKENS; 769 break; 770 771 case AUE_MMAP: 772 case AUE_MUNMAP: 773 case AUE_MPROTECT: 774 case AUE_MLOCK: 775 case AUE_MUNLOCK: 776 case AUE_MINHERIT: 777 if (ARG_IS_VALID(kar, ARG_ADDR)) { 778 tok = au_to_arg32(1, "addr", 779 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 780 kau_write(rec, tok); 781 } 782 if (ARG_IS_VALID(kar, ARG_LEN)) { 783 tok = au_to_arg32(2, "len", ar->ar_arg_len); 784 kau_write(rec, tok); 785 } 786 if (ar->ar_event == AUE_MMAP) 787 FD_VNODE1_TOKENS; 788 if (ar->ar_event == AUE_MPROTECT) { 789 if (ARG_IS_VALID(kar, ARG_VALUE)) { 790 tok = au_to_arg32(3, "protection", 791 ar->ar_arg_value); 792 kau_write(rec, tok); 793 } 794 } 795 if (ar->ar_event == AUE_MINHERIT) { 796 if (ARG_IS_VALID(kar, ARG_VALUE)) { 797 tok = au_to_arg32(3, "inherit", 798 ar->ar_arg_value); 799 kau_write(rec, tok); 800 } 801 } 802 break; 803 804 case AUE_MOUNT: 805 /* XXX Need to handle NFS mounts */ 806 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 807 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 808 kau_write(rec, tok); 809 } 810 if (ARG_IS_VALID(kar, ARG_TEXT)) { 811 tok = au_to_text(ar->ar_arg_text); 812 kau_write(rec, tok); 813 } 814 /* fall through */ 815 816 case AUE_UMOUNT: 817 UPATH1_VNODE1_TOKENS; 818 break; 819 820 case AUE_MSGCTL: 821 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 822 /* Fall through */ 823 824 case AUE_MSGRCV: 825 case AUE_MSGSND: 826 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 827 kau_write(rec, tok); 828 if (ar->ar_errno != EINVAL) { 829 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 830 kau_write(rec, tok); 831 } 832 break; 833 834 case AUE_MSGGET: 835 if (ar->ar_errno == 0) { 836 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 837 tok = au_to_ipc(AT_IPC_MSG, 838 ar->ar_arg_svipc_id); 839 kau_write(rec, tok); 840 } 841 } 842 break; 843 844 case AUE_RESETSHFILE: 845 if (ARG_IS_VALID(kar, ARG_ADDR)) { 846 tok = au_to_arg32(1, "base addr", 847 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 848 kau_write(rec, tok); 849 } 850 break; 851 852 case AUE_OPEN_RC: 853 case AUE_OPEN_RTC: 854 case AUE_OPEN_RWC: 855 case AUE_OPEN_RWTC: 856 case AUE_OPEN_WC: 857 case AUE_OPEN_WTC: 858 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 859 if (ARG_IS_VALID(kar, ARG_MODE)) { 860 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 861 kau_write(rec, tok); 862 } 863 /* fall through */ 864 865 case AUE_OPEN_R: 866 case AUE_OPEN_RT: 867 case AUE_OPEN_RW: 868 case AUE_OPEN_RWT: 869 case AUE_OPEN_W: 870 case AUE_OPEN_WT: 871 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 872 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 873 kau_write(rec, tok); 874 } 875 UPATH1_VNODE1_TOKENS; 876 break; 877 878 case AUE_PTRACE: 879 if (ARG_IS_VALID(kar, ARG_CMD)) { 880 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 881 kau_write(rec, tok); 882 } 883 if (ARG_IS_VALID(kar, ARG_ADDR)) { 884 tok = au_to_arg32(3, "addr", 885 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 886 kau_write(rec, tok); 887 } 888 if (ARG_IS_VALID(kar, ARG_VALUE)) { 889 tok = au_to_arg32(4, "data", ar->ar_arg_value); 890 kau_write(rec, tok); 891 } 892 PROCESS_PID_TOKENS(2); 893 break; 894 895 case AUE_QUOTACTL: 896 if (ARG_IS_VALID(kar, ARG_CMD)) { 897 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 898 kau_write(rec, tok); 899 } 900 if (ARG_IS_VALID(kar, ARG_UID)) { 901 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 902 kau_write(rec, tok); 903 } 904 UPATH1_VNODE1_TOKENS; 905 break; 906 907 case AUE_REBOOT: 908 if (ARG_IS_VALID(kar, ARG_CMD)) { 909 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 910 kau_write(rec, tok); 911 } 912 break; 913 914 case AUE_SEMCTL: 915 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 916 /* Fall through */ 917 918 case AUE_SEMOP: 919 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 920 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 921 kau_write(rec, tok); 922 if (ar->ar_errno != EINVAL) { 923 tok = au_to_ipc(AT_IPC_SEM, 924 ar->ar_arg_svipc_id); 925 kau_write(rec, tok); 926 } 927 } 928 break; 929 930 case AUE_SEMGET: 931 if (ar->ar_errno == 0) { 932 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 933 tok = au_to_ipc(AT_IPC_SEM, 934 ar->ar_arg_svipc_id); 935 kau_write(rec, tok); 936 } 937 } 938 break; 939 940 case AUE_SETEGID: 941 if (ARG_IS_VALID(kar, ARG_EGID)) { 942 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 943 kau_write(rec, tok); 944 } 945 break; 946 947 case AUE_SETEUID: 948 if (ARG_IS_VALID(kar, ARG_EUID)) { 949 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 950 kau_write(rec, tok); 951 } 952 break; 953 954 case AUE_SETREGID: 955 if (ARG_IS_VALID(kar, ARG_RGID)) { 956 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 957 kau_write(rec, tok); 958 } 959 if (ARG_IS_VALID(kar, ARG_EGID)) { 960 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 961 kau_write(rec, tok); 962 } 963 break; 964 965 case AUE_SETREUID: 966 if (ARG_IS_VALID(kar, ARG_RUID)) { 967 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 968 kau_write(rec, tok); 969 } 970 if (ARG_IS_VALID(kar, ARG_EUID)) { 971 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 972 kau_write(rec, tok); 973 } 974 break; 975 976 case AUE_SETRESGID: 977 if (ARG_IS_VALID(kar, ARG_RGID)) { 978 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 979 kau_write(rec, tok); 980 } 981 if (ARG_IS_VALID(kar, ARG_EGID)) { 982 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 983 kau_write(rec, tok); 984 } 985 if (ARG_IS_VALID(kar, ARG_SGID)) { 986 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 987 kau_write(rec, tok); 988 } 989 break; 990 991 case AUE_SETRESUID: 992 if (ARG_IS_VALID(kar, ARG_RUID)) { 993 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 994 kau_write(rec, tok); 995 } 996 if (ARG_IS_VALID(kar, ARG_EUID)) { 997 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 998 kau_write(rec, tok); 999 } 1000 if (ARG_IS_VALID(kar, ARG_SUID)) { 1001 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1002 kau_write(rec, tok); 1003 } 1004 break; 1005 1006 case AUE_SETGID: 1007 if (ARG_IS_VALID(kar, ARG_GID)) { 1008 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1009 kau_write(rec, tok); 1010 } 1011 break; 1012 1013 case AUE_SETUID: 1014 if (ARG_IS_VALID(kar, ARG_UID)) { 1015 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1016 kau_write(rec, tok); 1017 } 1018 break; 1019 1020 case AUE_SETGROUPS: 1021 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1022 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1023 { 1024 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1025 kau_write(rec, tok); 1026 } 1027 } 1028 break; 1029 1030 case AUE_SETLOGIN: 1031 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1032 tok = au_to_text(ar->ar_arg_text); 1033 kau_write(rec, tok); 1034 } 1035 break; 1036 1037 case AUE_SETPRIORITY: 1038 if (ARG_IS_VALID(kar, ARG_CMD)) { 1039 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1040 kau_write(rec, tok); 1041 } 1042 if (ARG_IS_VALID(kar, ARG_UID)) { 1043 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1044 kau_write(rec, tok); 1045 } 1046 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1047 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1048 kau_write(rec, tok); 1049 } 1050 break; 1051 1052 case AUE_SETPRIVEXEC: 1053 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1054 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1055 kau_write(rec, tok); 1056 } 1057 break; 1058 1059 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1060 case AUE_SHMAT: 1061 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1062 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1063 kau_write(rec, tok); 1064 /* XXXAUDIT: Does having the ipc token make sense? */ 1065 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1066 kau_write(rec, tok); 1067 } 1068 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1069 tok = au_to_arg32(2, "shmaddr", 1070 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1071 kau_write(rec, tok); 1072 } 1073 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1074 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1075 kau_write(rec, tok); 1076 } 1077 break; 1078 1079 case AUE_SHMCTL: 1080 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1081 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1082 kau_write(rec, tok); 1083 /* XXXAUDIT: Does having the ipc token make sense? */ 1084 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1085 kau_write(rec, tok); 1086 } 1087 switch (ar->ar_arg_svipc_cmd) { 1088 case IPC_STAT: 1089 ar->ar_event = AUE_SHMCTL_STAT; 1090 break; 1091 case IPC_RMID: 1092 ar->ar_event = AUE_SHMCTL_RMID; 1093 break; 1094 case IPC_SET: 1095 ar->ar_event = AUE_SHMCTL_SET; 1096 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1097 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1098 kau_write(rec, tok); 1099 } 1100 break; 1101 default: 1102 break; /* We will audit a bad command */ 1103 } 1104 break; 1105 1106 case AUE_SHMDT: 1107 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1108 tok = au_to_arg32(1, "shmaddr", 1109 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1110 kau_write(rec, tok); 1111 } 1112 break; 1113 1114 case AUE_SHMGET: 1115 /* This is unusual; the return value is in an argument token */ 1116 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1117 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1118 kau_write(rec, tok); 1119 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1120 kau_write(rec, tok); 1121 } 1122 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1123 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1124 kau_write(rec, tok); 1125 } 1126 break; 1127 1128 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1129 * and AUE_SEMUNLINK are Posix IPC */ 1130 case AUE_SHMOPEN: 1131 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1132 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1133 kau_write(rec, tok); 1134 } 1135 if (ARG_IS_VALID(kar, ARG_MODE)) { 1136 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1137 kau_write(rec, tok); 1138 } 1139 case AUE_SHMUNLINK: 1140 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1141 tok = au_to_text(ar->ar_arg_text); 1142 kau_write(rec, tok); 1143 } 1144 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1145 /* Create an ipc_perm token */ 1146 struct ipc_perm perm; 1147 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1148 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1149 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1150 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1151 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1152 perm.seq = 0; 1153 perm.key = 0; 1154 tok = au_to_ipc_perm(&perm); 1155 kau_write(rec, tok); 1156 } 1157 break; 1158 1159 case AUE_SEMOPEN: 1160 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1161 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1162 kau_write(rec, tok); 1163 } 1164 if (ARG_IS_VALID(kar, ARG_MODE)) { 1165 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1166 kau_write(rec, tok); 1167 } 1168 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1169 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1170 kau_write(rec, tok); 1171 } 1172 /* fall through */ 1173 1174 case AUE_SEMUNLINK: 1175 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1176 tok = au_to_text(ar->ar_arg_text); 1177 kau_write(rec, tok); 1178 } 1179 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1180 /* Create an ipc_perm token */ 1181 struct ipc_perm perm; 1182 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1183 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1184 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1185 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1186 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1187 perm.seq = 0; 1188 perm.key = 0; 1189 tok = au_to_ipc_perm(&perm); 1190 kau_write(rec, tok); 1191 } 1192 break; 1193 1194 case AUE_SEMCLOSE: 1195 if (ARG_IS_VALID(kar, ARG_FD)) { 1196 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1197 kau_write(rec, tok); 1198 } 1199 break; 1200 1201 case AUE_SYMLINK: 1202 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1203 tok = au_to_text(ar->ar_arg_text); 1204 kau_write(rec, tok); 1205 } 1206 UPATH1_VNODE1_TOKENS; 1207 break; 1208 1209 case AUE_SYSCTL: 1210 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1211 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1212 tok = au_to_arg32(1, "name", 1213 ar->ar_arg_ctlname[ctr]); 1214 kau_write(rec, tok); 1215 } 1216 } 1217 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1218 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1219 kau_write(rec, tok); 1220 } 1221 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1222 tok = au_to_text(ar->ar_arg_text); 1223 kau_write(rec, tok); 1224 } 1225 break; 1226 1227 case AUE_UMASK: 1228 if (ARG_IS_VALID(kar, ARG_MASK)) { 1229 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1230 kau_write(rec, tok); 1231 } 1232 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1233 kau_write(rec, tok); 1234 break; 1235 1236 case AUE_WAIT4: 1237 if (ARG_IS_VALID(kar, ARG_PID)) { 1238 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1239 kau_write(rec, tok); 1240 } 1241 break; 1242 1243 default: 1244 printf("BSM conversion requested for unknown event %d\n", 1245 ar->ar_event); 1246 /* Write the subject token so it is properly freed here. */ 1247 kau_write(rec, subj_tok); 1248 kau_free(rec); 1249 return (BSM_NOAUDIT); 1250 } 1251 1252 kau_write(rec, subj_tok); 1253 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1254 kau_write(rec, tok); /* Every record gets a return token */ 1255 1256 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1257 1258 *pau = rec; 1259 return (BSM_SUCCESS); 1260} 1261 1262/* 1263 * Verify that a record is a valid BSM record. This verification is simple 1264 * now, but may be expanded on sometime in the future. Return 1 if the 1265 * record is good, 0 otherwise. 1266 */ 1267int 1268bsm_rec_verify(void *rec) 1269{ 1270 char c = *(char *)rec; 1271 1272 /* 1273 * Check the token ID of the first token; it has to be a header 1274 * token. 1275 * 1276 * XXXAUDIT There needs to be a token structure to map a token. 1277 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1278 */ 1279 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1280 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1281 return (0); 1282 return (1); 1283} 1284