audit_bsm.c revision 162419
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: head/sys/security/audit/audit_bsm.c 162419 2006-09-18 17:55:32Z csjp $ 30 */ 31 32#include <sys/param.h> 33#include <sys/vnode.h> 34#include <sys/ipc.h> 35#include <sys/lock.h> 36#include <sys/malloc.h> 37#include <sys/mutex.h> 38#include <sys/socket.h> 39#include <sys/extattr.h> 40#include <sys/fcntl.h> 41#include <sys/user.h> 42#include <sys/systm.h> 43 44#include <bsm/audit.h> 45#include <bsm/audit_internal.h> 46#include <bsm/audit_record.h> 47#include <bsm/audit_kevents.h> 48 49#include <security/audit/audit.h> 50#include <security/audit/audit_private.h> 51 52#include <netinet/in_systm.h> 53#include <netinet/in.h> 54#include <netinet/ip.h> 55 56MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57 58/* 59 * Forward declares. 60 */ 61static void audit_sys_auditon(struct audit_record *ar, 62 struct au_record *rec); 63 64/* 65 * Initialize the BSM auditing subsystem. 66 */ 67void 68kau_init(void) 69{ 70 71 printf("BSM auditing present\n"); 72 au_evclassmap_init(); 73} 74 75/* 76 * This call reserves memory for the audit record. Memory must be guaranteed 77 * before any auditable event can be generated. The au_record structure 78 * maintains a reference to the memory allocated above and also the list of 79 * tokens associated with this record 80 */ 81static struct au_record * 82kau_open(void) 83{ 84 struct au_record *rec; 85 86 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 87 rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), 88 M_AUDITBSM, M_WAITOK | M_ZERO); 89 TAILQ_INIT(&rec->token_q); 90 rec->len = 0; 91 rec->used = 1; 92 93 return (rec); 94} 95 96/* 97 * Store the token with the record descriptor. 98 */ 99static void 100kau_write(struct au_record *rec, struct au_token *tok) 101{ 102 103 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 104 105 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 106 rec->len += tok->len; 107} 108 109/* 110 * Close out the audit record by adding the header token, identifying any 111 * missing tokens. Write out the tokens to the record memory. 112 */ 113static void 114kau_close(struct au_record *rec, struct timespec *ctime, short event) 115{ 116 u_char *dptr; 117 size_t tot_rec_size; 118 token_t *cur, *hdr, *trail; 119 struct timeval tm; 120 121 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 122 if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { 123 /* Create the header token */ 124 tm.tv_usec = ctime->tv_nsec / 1000; 125 tm.tv_sec = ctime->tv_sec; 126 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 127 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 128 129 trail = au_to_trailer(tot_rec_size); 130 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 131 132 /* Serialize token data to the record. */ 133 rec->len = tot_rec_size; 134 dptr = rec->data; 135 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 136 memcpy(dptr, cur->t_data, cur->len); 137 dptr += cur->len; 138 } 139 } 140} 141 142/* 143 * Free a BSM audit record by releasing all the tokens and clearing the audit 144 * record information. 145 */ 146void 147kau_free(struct au_record *rec) 148{ 149 struct au_token *tok; 150 151 /* Free the token list. */ 152 while ((tok = TAILQ_FIRST(&rec->token_q))) { 153 TAILQ_REMOVE(&rec->token_q, tok, tokens); 154 free(tok->t_data, M_AUDITBSM); 155 free(tok, M_AUDITBSM); 156 } 157 158 rec->used = 0; 159 rec->len = 0; 160 free(rec->data, M_AUDITBSM); 161 free(rec, M_AUDITBSM); 162} 163 164/* 165 * XXX May want turn some (or all) of these macros into functions in order 166 * to reduce the generated code sized. 167 * 168 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 169 * caller are OK with this. 170 */ 171#define UPATH1_TOKENS do { \ 172 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 173 tok = au_to_path(ar->ar_arg_upath1); \ 174 kau_write(rec, tok); \ 175 } \ 176} while (0) 177 178#define UPATH2_TOKENS do { \ 179 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 180 tok = au_to_path(ar->ar_arg_upath2); \ 181 kau_write(rec, tok); \ 182 } \ 183} while (0) 184 185#define VNODE1_TOKENS do { \ 186 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 187 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 188 kau_write(rec, tok); \ 189 } \ 190} while (0) 191 192#define UPATH1_VNODE1_TOKENS do { \ 193 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 194 UPATH1_TOKENS; \ 195 } \ 196 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 197 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 198 kau_write(rec, tok); \ 199 } \ 200} while (0) 201 202#define VNODE2_TOKENS do { \ 203 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 204 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 205 kau_write(rec, tok); \ 206 } \ 207} while (0) 208 209#define FD_VNODE1_TOKENS do { \ 210 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 211 if (ARG_IS_VALID(kar, ARG_FD)) { \ 212 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 213 kau_write(rec, tok); \ 214 } \ 215 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 216 kau_write(rec, tok); \ 217 } else { \ 218 if (ARG_IS_VALID(kar, ARG_FD)) { \ 219 tok = au_to_arg32(1, "non-file: fd", \ 220 ar->ar_arg_fd); \ 221 kau_write(rec, tok); \ 222 } \ 223 } \ 224} while (0) 225 226#define PROCESS_PID_TOKENS(argn) do { \ 227 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 228 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 229 tok = au_to_process(ar->ar_arg_auid, \ 230 ar->ar_arg_euid, ar->ar_arg_egid, \ 231 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 232 ar->ar_arg_pid, ar->ar_arg_asid, \ 233 &ar->ar_arg_termid); \ 234 kau_write(rec, tok); \ 235 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 236 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 237 kau_write(rec, tok); \ 238 } \ 239} while (0) \ 240 241#define EXTATTR_TOKENS do { \ 242 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 243 switch (ar->ar_arg_value) { \ 244 case EXTATTR_NAMESPACE_USER: \ 245 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 246 break; \ 247 case EXTATTR_NAMESPACE_SYSTEM: \ 248 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 249 break; \ 250 default: \ 251 tok = au_to_arg32(3, "attrnamespace", \ 252 ar->ar_arg_value); \ 253 break; \ 254 } \ 255 kau_write(rec, tok); \ 256 } \ 257 /* attrname is in the text field */ \ 258 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 259 tok = au_to_text(ar->ar_arg_text); \ 260 kau_write(rec, tok); \ 261 } \ 262} while (0) 263 264/* 265 * Implement auditing for the auditon() system call. The audit tokens that 266 * are generated depend on the command that was sent into the auditon() 267 * system call. 268 */ 269static void 270audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 271{ 272 struct au_token *tok; 273 274 switch (ar->ar_arg_cmd) { 275 case A_SETPOLICY: 276 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 277 tok = au_to_arg64(1, "policy", 278 ar->ar_arg_auditon.au_flags); 279 else 280 tok = au_to_arg32(1, "policy", 281 ar->ar_arg_auditon.au_flags); 282 kau_write(rec, tok); 283 break; 284 285 case A_SETKMASK: 286 tok = au_to_arg32(2, "setkmask:as_success", 287 ar->ar_arg_auditon.au_mask.am_success); 288 kau_write(rec, tok); 289 tok = au_to_arg32(2, "setkmask:as_failure", 290 ar->ar_arg_auditon.au_mask.am_failure); 291 kau_write(rec, tok); 292 break; 293 294 case A_SETQCTRL: 295 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 296 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 297 kau_write(rec, tok); 298 tok = au_to_arg32(3, "setqctrl:aq_lowater", 299 ar->ar_arg_auditon.au_qctrl.aq_lowater); 300 kau_write(rec, tok); 301 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 302 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 303 kau_write(rec, tok); 304 tok = au_to_arg32(3, "setqctrl:aq_delay", 305 ar->ar_arg_auditon.au_qctrl.aq_delay); 306 kau_write(rec, tok); 307 tok = au_to_arg32(3, "setqctrl:aq_minfree", 308 ar->ar_arg_auditon.au_qctrl.aq_minfree); 309 kau_write(rec, tok); 310 break; 311 312 case A_SETUMASK: 313 tok = au_to_arg32(3, "setumask:as_success", 314 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 315 kau_write(rec, tok); 316 tok = au_to_arg32(3, "setumask:as_failure", 317 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 318 kau_write(rec, tok); 319 break; 320 321 case A_SETSMASK: 322 tok = au_to_arg32(3, "setsmask:as_success", 323 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 324 kau_write(rec, tok); 325 tok = au_to_arg32(3, "setsmask:as_failure", 326 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 327 kau_write(rec, tok); 328 break; 329 330 case A_SETCOND: 331 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 332 tok = au_to_arg64(3, "setcond", 333 ar->ar_arg_auditon.au_cond); 334 else 335 tok = au_to_arg32(3, "setcond", 336 ar->ar_arg_auditon.au_cond); 337 kau_write(rec, tok); 338 break; 339 340 case A_SETCLASS: 341 tok = au_to_arg32(2, "setclass:ec_event", 342 ar->ar_arg_auditon.au_evclass.ec_number); 343 kau_write(rec, tok); 344 tok = au_to_arg32(3, "setclass:ec_class", 345 ar->ar_arg_auditon.au_evclass.ec_class); 346 kau_write(rec, tok); 347 break; 348 349 case A_SETPMASK: 350 tok = au_to_arg32(2, "setpmask:as_success", 351 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 352 kau_write(rec, tok); 353 tok = au_to_arg32(2, "setpmask:as_failure", 354 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 355 kau_write(rec, tok); 356 break; 357 358 case A_SETFSIZE: 359 tok = au_to_arg32(2, "setfsize:filesize", 360 ar->ar_arg_auditon.au_fstat.af_filesz); 361 kau_write(rec, tok); 362 break; 363 364 default: 365 break; 366 } 367} 368 369/* 370 * Convert an internal kernel audit record to a BSM record and return a 371 * success/failure indicator. The BSM record is passed as an out parameter to 372 * this function. 373 * 374 * Return conditions: 375 * BSM_SUCCESS: The BSM record is valid 376 * BSM_FAILURE: Failure; the BSM record is NULL. 377 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 378 */ 379int 380kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 381{ 382 struct au_token *tok, *subj_tok; 383 struct au_record *rec; 384 au_tid_t tid; 385 struct audit_record *ar; 386 int ctr; 387 388 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 389 390 *pau = NULL; 391 ar = &kar->k_ar; 392 rec = kau_open(); 393 394 /* Create the subject token */ 395 tid.port = ar->ar_subj_term.port; 396 tid.machine = ar->ar_subj_term.machine; 397 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 398 ar->ar_subj_cred.cr_uid, /* eff uid */ 399 ar->ar_subj_egid, /* eff group id */ 400 ar->ar_subj_ruid, /* real uid */ 401 ar->ar_subj_rgid, /* real group id */ 402 ar->ar_subj_pid, /* process id */ 403 ar->ar_subj_asid, /* session ID */ 404 &tid); 405 406 /* 407 * The logic inside each case fills in the tokens required for the 408 * event, except for the header, trailer, and return tokens. The 409 * header and trailer tokens are added by the kau_close() function. 410 * The return token is added outside of the switch statement. 411 */ 412 switch(ar->ar_event) { 413 case AUE_ACCEPT: 414 case AUE_BIND: 415 case AUE_CONNECT: 416 case AUE_RECVFROM: 417 case AUE_RECVMSG: 418 case AUE_SENDMSG: 419 case AUE_SENDTO: 420 /* 421 * Socket-related events. 422 */ 423 if (ARG_IS_VALID(kar, ARG_FD)) { 424 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 425 kau_write(rec, tok); 426 } 427 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 428 tok = au_to_sock_inet((struct sockaddr_in *) 429 &ar->ar_arg_sockaddr); 430 kau_write(rec, tok); 431 } 432 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 433 tok = au_to_sock_unix((struct sockaddr_un *) 434 &ar->ar_arg_sockaddr); 435 kau_write(rec, tok); 436 UPATH1_TOKENS; 437 } 438 /* XXX Need to handle ARG_SADDRINET6 */ 439 break; 440 441 case AUE_SOCKET: 442 case AUE_SOCKETPAIR: 443 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 444 tok = au_to_arg32(1,"domain", 445 ar->ar_arg_sockinfo.so_domain); 446 kau_write(rec, tok); 447 tok = au_to_arg32(2,"type", 448 ar->ar_arg_sockinfo.so_type); 449 kau_write(rec, tok); 450 tok = au_to_arg32(3,"protocol", 451 ar->ar_arg_sockinfo.so_protocol); 452 kau_write(rec, tok); 453 } 454 break; 455 456 case AUE_SETSOCKOPT: 457 case AUE_SHUTDOWN: 458 if (ARG_IS_VALID(kar, ARG_FD)) { 459 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 460 kau_write(rec, tok); 461 } 462 break; 463 464 case AUE_ACCT: 465 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 466 UPATH1_VNODE1_TOKENS; 467 } else { 468 tok = au_to_arg32(1, "accounting off", 0); 469 kau_write(rec, tok); 470 } 471 break; 472 473 case AUE_SETAUID: 474 if (ARG_IS_VALID(kar, ARG_AUID)) { 475 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 476 kau_write(rec, tok); 477 } 478 break; 479 480 case AUE_SETAUDIT: 481 if (ARG_IS_VALID(kar, ARG_AUID)) { 482 tok = au_to_arg32(1, "setaudit:auid", 483 ar->ar_arg_auid); 484 kau_write(rec, tok); 485 tok = au_to_arg32(1, "setaudit:port", 486 ar->ar_arg_termid.port); 487 kau_write(rec, tok); 488 tok = au_to_arg32(1, "setaudit:machine", 489 ar->ar_arg_termid.machine); 490 kau_write(rec, tok); 491 tok = au_to_arg32(1, "setaudit:as_success", 492 ar->ar_arg_amask.am_success); 493 kau_write(rec, tok); 494 tok = au_to_arg32(1, "setaudit:as_failure", 495 ar->ar_arg_amask.am_failure); 496 kau_write(rec, tok); 497 tok = au_to_arg32(1, "setaudit:asid", 498 ar->ar_arg_asid); 499 kau_write(rec, tok); 500 } 501 break; 502 503 case AUE_SETAUDIT_ADDR: 504 break; /* XXX need to add arguments */ 505 506 case AUE_AUDITON: 507 /* 508 * For AUDITON commands without own event, audit the cmd. 509 */ 510 if (ARG_IS_VALID(kar, ARG_CMD)) { 511 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 512 kau_write(rec, tok); 513 } 514 /* fall thru */ 515 516 case AUE_AUDITON_GETCAR: 517 case AUE_AUDITON_GETCLASS: 518 case AUE_AUDITON_GETCOND: 519 case AUE_AUDITON_GETCWD: 520 case AUE_AUDITON_GETKMASK: 521 case AUE_AUDITON_GETSTAT: 522 case AUE_AUDITON_GPOLICY: 523 case AUE_AUDITON_GQCTRL: 524 case AUE_AUDITON_SETCLASS: 525 case AUE_AUDITON_SETCOND: 526 case AUE_AUDITON_SETKMASK: 527 case AUE_AUDITON_SETSMASK: 528 case AUE_AUDITON_SETSTAT: 529 case AUE_AUDITON_SETUMASK: 530 case AUE_AUDITON_SPOLICY: 531 case AUE_AUDITON_SQCTRL: 532 if (ARG_IS_VALID(kar, ARG_AUDITON)) 533 audit_sys_auditon(ar, rec); 534 break; 535 536 case AUE_AUDITCTL: 537 UPATH1_VNODE1_TOKENS; 538 break; 539 540 case AUE_EXIT: 541 if (ARG_IS_VALID(kar, ARG_EXIT)) { 542 tok = au_to_exit(ar->ar_arg_exitretval, 543 ar->ar_arg_exitstatus); 544 kau_write(rec, tok); 545 } 546 break; 547 548 case AUE_ADJTIME: 549 case AUE_AUDIT: 550 case AUE_GETAUDIT: 551 case AUE_GETAUDIT_ADDR: 552 case AUE_GETAUID: 553 case AUE_GETFSSTAT: 554 case AUE_PIPE: 555 case AUE_SETPGRP: 556 case AUE_SETRLIMIT: 557 case AUE_SETSID: 558 case AUE_SETTIMEOFDAY: 559 case AUE_NEWSYSTEMSHREG: 560 /* 561 * Header, subject, and return tokens added at end. 562 */ 563 break; 564 565 case AUE_MKFIFO: 566 if (ARG_IS_VALID(kar, ARG_MODE)) { 567 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 568 kau_write(rec, tok); 569 } 570 /* fall through */ 571 case AUE_ACCESS: 572 case AUE_CHDIR: 573 case AUE_CHROOT: 574 case AUE_EACCESS: 575 case AUE_GETATTRLIST: 576 case AUE_LUTIMES: 577 case AUE_NFS_GETFH: 578 case AUE_LSTAT: 579 case AUE_PATHCONF: 580 case AUE_READLINK: 581 case AUE_REVOKE: 582 case AUE_RMDIR: 583 case AUE_SEARCHFS: 584 case AUE_SETATTRLIST: 585 case AUE_STAT: 586 case AUE_STATFS: 587 case AUE_TRUNCATE: 588 case AUE_UNDELETE: 589 case AUE_UNLINK: 590 case AUE_UTIMES: 591 UPATH1_VNODE1_TOKENS; 592 break; 593 594 case AUE_CHFLAGS: 595 case AUE_LCHFLAGS: 596 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 597 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 598 kau_write(rec, tok); 599 } 600 UPATH1_VNODE1_TOKENS; 601 break; 602 603 case AUE_CHMOD: 604 case AUE_LCHMOD: 605 if (ARG_IS_VALID(kar, ARG_MODE)) { 606 tok = au_to_arg32(2, "new file mode", 607 ar->ar_arg_mode); 608 kau_write(rec, tok); 609 } 610 UPATH1_VNODE1_TOKENS; 611 break; 612 613 case AUE_CHOWN: 614 case AUE_LCHOWN: 615 if (ARG_IS_VALID(kar, ARG_UID)) { 616 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 617 kau_write(rec, tok); 618 } 619 if (ARG_IS_VALID(kar, ARG_GID)) { 620 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 621 kau_write(rec, tok); 622 } 623 UPATH1_VNODE1_TOKENS; 624 break; 625 626 case AUE_EXCHANGEDATA: 627 UPATH1_VNODE1_TOKENS; 628 UPATH2_TOKENS; 629 break; 630 631 case AUE_CLOSE: 632 if (ARG_IS_VALID(kar, ARG_FD)) { 633 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 634 kau_write(rec, tok); 635 } 636 UPATH1_VNODE1_TOKENS; 637 break; 638 639 case AUE_EXTATTRCTL: 640 UPATH1_VNODE1_TOKENS; 641 if (ARG_IS_VALID(kar, ARG_CMD)) { 642 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 643 kau_write(rec, tok); 644 } 645 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 646 UPATH2_TOKENS; 647 VNODE2_TOKENS; 648 EXTATTR_TOKENS; 649 break; 650 651 case AUE_EXTATTR_GET_FILE: 652 case AUE_EXTATTR_SET_FILE: 653 case AUE_EXTATTR_LIST_FILE: 654 case AUE_EXTATTR_DELETE_FILE: 655 case AUE_EXTATTR_GET_LINK: 656 case AUE_EXTATTR_SET_LINK: 657 case AUE_EXTATTR_LIST_LINK: 658 case AUE_EXTATTR_DELETE_LINK: 659 UPATH1_VNODE1_TOKENS; 660 EXTATTR_TOKENS; 661 break; 662 663 case AUE_EXTATTR_GET_FD: 664 case AUE_EXTATTR_SET_FD: 665 case AUE_EXTATTR_LIST_FD: 666 case AUE_EXTATTR_DELETE_FD: 667 if (ARG_IS_VALID(kar, ARG_FD)) { 668 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 669 kau_write(rec, tok); 670 } 671 EXTATTR_TOKENS; 672 break; 673 674 case AUE_EXECVE: 675 if (ARG_IS_VALID(kar, ARG_ARGV)) { 676 tok = au_to_exec_args(ar->ar_arg_argv, 677 ar->ar_arg_argc); 678 kau_write(rec, tok); 679 } 680 if (ARG_IS_VALID(kar, ARG_ENVV)) { 681 tok = au_to_exec_env(ar->ar_arg_envv, 682 ar->ar_arg_envc); 683 kau_write(rec, tok); 684 } 685 UPATH1_VNODE1_TOKENS; 686 break; 687 688 case AUE_FCHMOD: 689 if (ARG_IS_VALID(kar, ARG_MODE)) { 690 tok = au_to_arg32(2, "new file mode", 691 ar->ar_arg_mode); 692 kau_write(rec, tok); 693 } 694 FD_VNODE1_TOKENS; 695 break; 696 697 case AUE_FCHDIR: 698 case AUE_FPATHCONF: 699 case AUE_FSTAT: /* XXX Need to handle sockets and shm */ 700 case AUE_FSTATFS: 701 case AUE_FSYNC: 702 case AUE_FTRUNCATE: 703 case AUE_FUTIMES: 704 case AUE_GETDIRENTRIES: 705 case AUE_GETDIRENTRIESATTR: 706 FD_VNODE1_TOKENS; 707 break; 708 709 case AUE_FCHOWN: 710 if (ARG_IS_VALID(kar, ARG_UID)) { 711 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 712 kau_write(rec, tok); 713 } 714 if (ARG_IS_VALID(kar, ARG_GID)) { 715 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 716 kau_write(rec, tok); 717 } 718 FD_VNODE1_TOKENS; 719 break; 720 721 case AUE_FCNTL: 722 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 723 ar->ar_arg_cmd == F_SETLKW) { 724 if (ARG_IS_VALID(kar, ARG_CMD)) { 725 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 726 kau_write(rec, tok); 727 } 728 FD_VNODE1_TOKENS; 729 } 730 break; 731 732 case AUE_FCHFLAGS: 733 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 734 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 735 kau_write(rec, tok); 736 } 737 FD_VNODE1_TOKENS; 738 break; 739 740 case AUE_FLOCK: 741 if (ARG_IS_VALID(kar, ARG_CMD)) { 742 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 743 kau_write(rec, tok); 744 } 745 FD_VNODE1_TOKENS; 746 break; 747 748 case AUE_RFORK: 749 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 750 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 751 kau_write(rec, tok); 752 } 753 /* fall through */ 754 case AUE_FORK: 755 case AUE_VFORK: 756 if (ARG_IS_VALID(kar, ARG_PID)) { 757 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 758 kau_write(rec, tok); 759 } 760 break; 761 762 case AUE_IOCTL: 763 if (ARG_IS_VALID(kar, ARG_CMD)) { 764 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 765 kau_write(rec, tok); 766 } 767 if (ARG_IS_VALID(kar, ARG_ADDR)) { 768 tok = au_to_arg32(1, "arg", 769 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 770 kau_write(rec, tok); 771 } 772 if (ARG_IS_VALID(kar, ARG_VNODE1)) 773 FD_VNODE1_TOKENS; 774 else { 775 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 776 tok = kau_to_socket(&ar->ar_arg_sockinfo); 777 kau_write(rec, tok); 778 } else { 779 if (ARG_IS_VALID(kar, ARG_FD)) { 780 tok = au_to_arg32(1, "fd", 781 ar->ar_arg_fd); 782 kau_write(rec, tok); 783 } 784 } 785 } 786 break; 787 788 case AUE_KILL: 789 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 790 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 791 kau_write(rec, tok); 792 } 793 PROCESS_PID_TOKENS(1); 794 break; 795 796 case AUE_KTRACE: 797 if (ARG_IS_VALID(kar, ARG_CMD)) { 798 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 799 kau_write(rec, tok); 800 } 801 if (ARG_IS_VALID(kar, ARG_VALUE)) { 802 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 803 kau_write(rec, tok); 804 } 805 PROCESS_PID_TOKENS(4); 806 UPATH1_VNODE1_TOKENS; 807 break; 808 809 case AUE_LINK: 810 case AUE_RENAME: 811 UPATH1_VNODE1_TOKENS; 812 UPATH2_TOKENS; 813 break; 814 815 case AUE_LOADSHFILE: 816 if (ARG_IS_VALID(kar, ARG_ADDR)) { 817 tok = au_to_arg32(4, "base addr", 818 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 819 kau_write(rec, tok); 820 } 821 UPATH1_VNODE1_TOKENS; 822 break; 823 824 case AUE_MKDIR: 825 if (ARG_IS_VALID(kar, ARG_MODE)) { 826 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 827 kau_write(rec, tok); 828 } 829 UPATH1_VNODE1_TOKENS; 830 break; 831 832 case AUE_MKNOD: 833 if (ARG_IS_VALID(kar, ARG_MODE)) { 834 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 835 kau_write(rec, tok); 836 } 837 if (ARG_IS_VALID(kar, ARG_DEV)) { 838 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 839 kau_write(rec, tok); 840 } 841 UPATH1_VNODE1_TOKENS; 842 break; 843 844 case AUE_MMAP: 845 case AUE_MUNMAP: 846 case AUE_MPROTECT: 847 case AUE_MLOCK: 848 case AUE_MUNLOCK: 849 case AUE_MINHERIT: 850 if (ARG_IS_VALID(kar, ARG_ADDR)) { 851 tok = au_to_arg32(1, "addr", 852 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 853 kau_write(rec, tok); 854 } 855 if (ARG_IS_VALID(kar, ARG_LEN)) { 856 tok = au_to_arg32(2, "len", ar->ar_arg_len); 857 kau_write(rec, tok); 858 } 859 if (ar->ar_event == AUE_MMAP) 860 FD_VNODE1_TOKENS; 861 if (ar->ar_event == AUE_MPROTECT) { 862 if (ARG_IS_VALID(kar, ARG_VALUE)) { 863 tok = au_to_arg32(3, "protection", 864 ar->ar_arg_value); 865 kau_write(rec, tok); 866 } 867 } 868 if (ar->ar_event == AUE_MINHERIT) { 869 if (ARG_IS_VALID(kar, ARG_VALUE)) { 870 tok = au_to_arg32(3, "inherit", 871 ar->ar_arg_value); 872 kau_write(rec, tok); 873 } 874 } 875 break; 876 877 case AUE_MOUNT: 878 /* XXX Need to handle NFS mounts */ 879 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 880 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 881 kau_write(rec, tok); 882 } 883 if (ARG_IS_VALID(kar, ARG_TEXT)) { 884 tok = au_to_text(ar->ar_arg_text); 885 kau_write(rec, tok); 886 } 887 /* fall through */ 888 889 case AUE_UMOUNT: 890 UPATH1_VNODE1_TOKENS; 891 break; 892 893 case AUE_MSGCTL: 894 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 895 /* Fall through */ 896 897 case AUE_MSGRCV: 898 case AUE_MSGSND: 899 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 900 kau_write(rec, tok); 901 if (ar->ar_errno != EINVAL) { 902 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 903 kau_write(rec, tok); 904 } 905 break; 906 907 case AUE_MSGGET: 908 if (ar->ar_errno == 0) { 909 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 910 tok = au_to_ipc(AT_IPC_MSG, 911 ar->ar_arg_svipc_id); 912 kau_write(rec, tok); 913 } 914 } 915 break; 916 917 case AUE_RESETSHFILE: 918 if (ARG_IS_VALID(kar, ARG_ADDR)) { 919 tok = au_to_arg32(1, "base addr", 920 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 921 kau_write(rec, tok); 922 } 923 break; 924 925 case AUE_OPEN_RC: 926 case AUE_OPEN_RTC: 927 case AUE_OPEN_RWC: 928 case AUE_OPEN_RWTC: 929 case AUE_OPEN_WC: 930 case AUE_OPEN_WTC: 931 /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ 932 if (ARG_IS_VALID(kar, ARG_MODE)) { 933 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 934 kau_write(rec, tok); 935 } 936 /* fall through */ 937 938 case AUE_OPEN_R: 939 case AUE_OPEN_RT: 940 case AUE_OPEN_RW: 941 case AUE_OPEN_RWT: 942 case AUE_OPEN_W: 943 case AUE_OPEN_WT: 944 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 945 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 946 kau_write(rec, tok); 947 } 948 UPATH1_VNODE1_TOKENS; 949 break; 950 951 case AUE_PTRACE: 952 if (ARG_IS_VALID(kar, ARG_CMD)) { 953 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 954 kau_write(rec, tok); 955 } 956 if (ARG_IS_VALID(kar, ARG_ADDR)) { 957 tok = au_to_arg32(3, "addr", 958 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 959 kau_write(rec, tok); 960 } 961 if (ARG_IS_VALID(kar, ARG_VALUE)) { 962 tok = au_to_arg32(4, "data", ar->ar_arg_value); 963 kau_write(rec, tok); 964 } 965 PROCESS_PID_TOKENS(2); 966 break; 967 968 case AUE_QUOTACTL: 969 if (ARG_IS_VALID(kar, ARG_CMD)) { 970 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 971 kau_write(rec, tok); 972 } 973 if (ARG_IS_VALID(kar, ARG_UID)) { 974 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 975 kau_write(rec, tok); 976 } 977 UPATH1_VNODE1_TOKENS; 978 break; 979 980 case AUE_REBOOT: 981 if (ARG_IS_VALID(kar, ARG_CMD)) { 982 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 983 kau_write(rec, tok); 984 } 985 break; 986 987 case AUE_SEMCTL: 988 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 989 /* Fall through */ 990 991 case AUE_SEMOP: 992 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 993 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 994 kau_write(rec, tok); 995 if (ar->ar_errno != EINVAL) { 996 tok = au_to_ipc(AT_IPC_SEM, 997 ar->ar_arg_svipc_id); 998 kau_write(rec, tok); 999 } 1000 } 1001 break; 1002 1003 case AUE_SEMGET: 1004 if (ar->ar_errno == 0) { 1005 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1006 tok = au_to_ipc(AT_IPC_SEM, 1007 ar->ar_arg_svipc_id); 1008 kau_write(rec, tok); 1009 } 1010 } 1011 break; 1012 1013 case AUE_SETEGID: 1014 if (ARG_IS_VALID(kar, ARG_EGID)) { 1015 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1016 kau_write(rec, tok); 1017 } 1018 break; 1019 1020 case AUE_SETEUID: 1021 if (ARG_IS_VALID(kar, ARG_EUID)) { 1022 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1023 kau_write(rec, tok); 1024 } 1025 break; 1026 1027 case AUE_SETREGID: 1028 if (ARG_IS_VALID(kar, ARG_RGID)) { 1029 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1030 kau_write(rec, tok); 1031 } 1032 if (ARG_IS_VALID(kar, ARG_EGID)) { 1033 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1034 kau_write(rec, tok); 1035 } 1036 break; 1037 1038 case AUE_SETREUID: 1039 if (ARG_IS_VALID(kar, ARG_RUID)) { 1040 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1041 kau_write(rec, tok); 1042 } 1043 if (ARG_IS_VALID(kar, ARG_EUID)) { 1044 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1045 kau_write(rec, tok); 1046 } 1047 break; 1048 1049 case AUE_SETRESGID: 1050 if (ARG_IS_VALID(kar, ARG_RGID)) { 1051 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1052 kau_write(rec, tok); 1053 } 1054 if (ARG_IS_VALID(kar, ARG_EGID)) { 1055 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1056 kau_write(rec, tok); 1057 } 1058 if (ARG_IS_VALID(kar, ARG_SGID)) { 1059 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1060 kau_write(rec, tok); 1061 } 1062 break; 1063 1064 case AUE_SETRESUID: 1065 if (ARG_IS_VALID(kar, ARG_RUID)) { 1066 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1067 kau_write(rec, tok); 1068 } 1069 if (ARG_IS_VALID(kar, ARG_EUID)) { 1070 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1071 kau_write(rec, tok); 1072 } 1073 if (ARG_IS_VALID(kar, ARG_SUID)) { 1074 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1075 kau_write(rec, tok); 1076 } 1077 break; 1078 1079 case AUE_SETGID: 1080 if (ARG_IS_VALID(kar, ARG_GID)) { 1081 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1082 kau_write(rec, tok); 1083 } 1084 break; 1085 1086 case AUE_SETUID: 1087 if (ARG_IS_VALID(kar, ARG_UID)) { 1088 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1089 kau_write(rec, tok); 1090 } 1091 break; 1092 1093 case AUE_SETGROUPS: 1094 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1095 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1096 { 1097 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1098 kau_write(rec, tok); 1099 } 1100 } 1101 break; 1102 1103 case AUE_SETLOGIN: 1104 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1105 tok = au_to_text(ar->ar_arg_text); 1106 kau_write(rec, tok); 1107 } 1108 break; 1109 1110 case AUE_SETPRIORITY: 1111 if (ARG_IS_VALID(kar, ARG_CMD)) { 1112 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1113 kau_write(rec, tok); 1114 } 1115 if (ARG_IS_VALID(kar, ARG_UID)) { 1116 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1117 kau_write(rec, tok); 1118 } 1119 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1120 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1121 kau_write(rec, tok); 1122 } 1123 break; 1124 1125 case AUE_SETPRIVEXEC: 1126 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1127 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1128 kau_write(rec, tok); 1129 } 1130 break; 1131 1132 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1133 case AUE_SHMAT: 1134 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1135 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1136 kau_write(rec, tok); 1137 /* XXXAUDIT: Does having the ipc token make sense? */ 1138 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1139 kau_write(rec, tok); 1140 } 1141 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1142 tok = au_to_arg32(2, "shmaddr", 1143 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1144 kau_write(rec, tok); 1145 } 1146 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1147 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1148 kau_write(rec, tok); 1149 } 1150 break; 1151 1152 case AUE_SHMCTL: 1153 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1154 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1155 kau_write(rec, tok); 1156 /* XXXAUDIT: Does having the ipc token make sense? */ 1157 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1158 kau_write(rec, tok); 1159 } 1160 switch (ar->ar_arg_svipc_cmd) { 1161 case IPC_STAT: 1162 ar->ar_event = AUE_SHMCTL_STAT; 1163 break; 1164 case IPC_RMID: 1165 ar->ar_event = AUE_SHMCTL_RMID; 1166 break; 1167 case IPC_SET: 1168 ar->ar_event = AUE_SHMCTL_SET; 1169 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1170 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1171 kau_write(rec, tok); 1172 } 1173 break; 1174 default: 1175 break; /* We will audit a bad command */ 1176 } 1177 break; 1178 1179 case AUE_SHMDT: 1180 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1181 tok = au_to_arg32(1, "shmaddr", 1182 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1183 kau_write(rec, tok); 1184 } 1185 break; 1186 1187 case AUE_SHMGET: 1188 /* This is unusual; the return value is in an argument token */ 1189 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1190 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1191 kau_write(rec, tok); 1192 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1193 kau_write(rec, tok); 1194 } 1195 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1196 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1197 kau_write(rec, tok); 1198 } 1199 break; 1200 1201 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1202 * and AUE_SEMUNLINK are Posix IPC */ 1203 case AUE_SHMOPEN: 1204 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1205 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1206 kau_write(rec, tok); 1207 } 1208 if (ARG_IS_VALID(kar, ARG_MODE)) { 1209 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1210 kau_write(rec, tok); 1211 } 1212 case AUE_SHMUNLINK: 1213 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1214 tok = au_to_text(ar->ar_arg_text); 1215 kau_write(rec, tok); 1216 } 1217 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1218 /* Create an ipc_perm token */ 1219 struct ipc_perm perm; 1220 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1221 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1222 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1223 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1224 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1225 perm.seq = 0; 1226 perm.key = 0; 1227 tok = au_to_ipc_perm(&perm); 1228 kau_write(rec, tok); 1229 } 1230 break; 1231 1232 case AUE_SEMOPEN: 1233 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1234 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1235 kau_write(rec, tok); 1236 } 1237 if (ARG_IS_VALID(kar, ARG_MODE)) { 1238 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1239 kau_write(rec, tok); 1240 } 1241 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1242 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1243 kau_write(rec, tok); 1244 } 1245 /* fall through */ 1246 1247 case AUE_SEMUNLINK: 1248 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1249 tok = au_to_text(ar->ar_arg_text); 1250 kau_write(rec, tok); 1251 } 1252 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1253 /* Create an ipc_perm token */ 1254 struct ipc_perm perm; 1255 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1256 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1257 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1258 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1259 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1260 perm.seq = 0; 1261 perm.key = 0; 1262 tok = au_to_ipc_perm(&perm); 1263 kau_write(rec, tok); 1264 } 1265 break; 1266 1267 case AUE_SEMCLOSE: 1268 if (ARG_IS_VALID(kar, ARG_FD)) { 1269 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1270 kau_write(rec, tok); 1271 } 1272 break; 1273 1274 case AUE_SYMLINK: 1275 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1276 tok = au_to_text(ar->ar_arg_text); 1277 kau_write(rec, tok); 1278 } 1279 UPATH1_VNODE1_TOKENS; 1280 break; 1281 1282 case AUE_SYSCTL: 1283 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1284 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1285 tok = au_to_arg32(1, "name", 1286 ar->ar_arg_ctlname[ctr]); 1287 kau_write(rec, tok); 1288 } 1289 } 1290 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1291 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1292 kau_write(rec, tok); 1293 } 1294 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1295 tok = au_to_text(ar->ar_arg_text); 1296 kau_write(rec, tok); 1297 } 1298 break; 1299 1300 case AUE_UMASK: 1301 if (ARG_IS_VALID(kar, ARG_MASK)) { 1302 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1303 kau_write(rec, tok); 1304 } 1305 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1306 kau_write(rec, tok); 1307 break; 1308 1309 case AUE_WAIT4: 1310 if (ARG_IS_VALID(kar, ARG_PID)) { 1311 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1312 kau_write(rec, tok); 1313 } 1314 break; 1315 1316 case AUE_GETCWD: 1317 case AUE_SYSARCH: 1318 break; 1319 1320 default: 1321 printf("BSM conversion requested for unknown event %d\n", 1322 ar->ar_event); 1323 /* Write the subject token so it is properly freed here. */ 1324 kau_write(rec, subj_tok); 1325 kau_free(rec); 1326 return (BSM_NOAUDIT); 1327 } 1328 1329 kau_write(rec, subj_tok); 1330 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1331 kau_write(rec, tok); /* Every record gets a return token */ 1332 1333 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1334 1335 *pau = rec; 1336 return (BSM_SUCCESS); 1337} 1338 1339/* 1340 * Verify that a record is a valid BSM record. This verification is simple 1341 * now, but may be expanded on sometime in the future. Return 1 if the 1342 * record is good, 0 otherwise. 1343 */ 1344int 1345bsm_rec_verify(void *rec) 1346{ 1347 char c = *(char *)rec; 1348 1349 /* 1350 * Check the token ID of the first token; it has to be a header 1351 * token. 1352 * 1353 * XXXAUDIT There needs to be a token structure to map a token. 1354 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1355 */ 1356 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1357 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1358 return (0); 1359 return (1); 1360} 1361