audit_bsm.c revision 170196
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: head/sys/security/audit/audit_bsm.c 170196 2007-06-01 21:58:59Z rwatson $ 30 */ 31 32#include <sys/param.h> 33#include <sys/vnode.h> 34#include <sys/ipc.h> 35#include <sys/lock.h> 36#include <sys/malloc.h> 37#include <sys/mutex.h> 38#include <sys/socket.h> 39#include <sys/extattr.h> 40#include <sys/fcntl.h> 41#include <sys/user.h> 42#include <sys/systm.h> 43 44#include <bsm/audit.h> 45#include <bsm/audit_internal.h> 46#include <bsm/audit_record.h> 47#include <bsm/audit_kevents.h> 48 49#include <security/audit/audit.h> 50#include <security/audit/audit_private.h> 51 52#include <netinet/in_systm.h> 53#include <netinet/in.h> 54#include <netinet/ip.h> 55 56MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57 58/* 59 * Forward declares. 60 */ 61static void audit_sys_auditon(struct audit_record *ar, 62 struct au_record *rec); 63 64/* 65 * Initialize the BSM auditing subsystem. 66 */ 67void 68kau_init(void) 69{ 70 71 printf("BSM auditing present\n"); 72 au_evclassmap_init(); 73} 74 75/* 76 * This call reserves memory for the audit record. Memory must be guaranteed 77 * before any auditable event can be generated. The au_record structure 78 * maintains a reference to the memory allocated above and also the list of 79 * tokens associated with this record 80 */ 81static struct au_record * 82kau_open(void) 83{ 84 struct au_record *rec; 85 86 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 87 rec->data = NULL; 88 TAILQ_INIT(&rec->token_q); 89 rec->len = 0; 90 rec->used = 1; 91 92 return (rec); 93} 94 95/* 96 * Store the token with the record descriptor. 97 */ 98static void 99kau_write(struct au_record *rec, struct au_token *tok) 100{ 101 102 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 103 104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 105 rec->len += tok->len; 106} 107 108/* 109 * Close out the audit record by adding the header token, identifying any 110 * missing tokens. Write out the tokens to the record memory. 111 */ 112static void 113kau_close(struct au_record *rec, struct timespec *ctime, short event) 114{ 115 u_char *dptr; 116 size_t tot_rec_size; 117 token_t *cur, *hdr, *trail; 118 struct timeval tm; 119 120 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 121 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 122 123 tm.tv_usec = ctime->tv_nsec / 1000; 124 tm.tv_sec = ctime->tv_sec; 125 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 127 128 trail = au_to_trailer(tot_rec_size); 129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 130 131 rec->len = tot_rec_size; 132 dptr = rec->data; 133 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 134 memcpy(dptr, cur->t_data, cur->len); 135 dptr += cur->len; 136 } 137} 138 139/* 140 * Free a BSM audit record by releasing all the tokens and clearing the audit 141 * record information. 142 */ 143void 144kau_free(struct au_record *rec) 145{ 146 struct au_token *tok; 147 148 /* Free the token list. */ 149 while ((tok = TAILQ_FIRST(&rec->token_q))) { 150 TAILQ_REMOVE(&rec->token_q, tok, tokens); 151 free(tok->t_data, M_AUDITBSM); 152 free(tok, M_AUDITBSM); 153 } 154 155 rec->used = 0; 156 rec->len = 0; 157 free(rec->data, M_AUDITBSM); 158 free(rec, M_AUDITBSM); 159} 160 161/* 162 * XXX: May want turn some (or all) of these macros into functions in order 163 * to reduce the generated code sized. 164 * 165 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 166 * caller are OK with this. 167 */ 168#define UPATH1_TOKENS do { \ 169 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 170 tok = au_to_path(ar->ar_arg_upath1); \ 171 kau_write(rec, tok); \ 172 } \ 173} while (0) 174 175#define UPATH2_TOKENS do { \ 176 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 177 tok = au_to_path(ar->ar_arg_upath2); \ 178 kau_write(rec, tok); \ 179 } \ 180} while (0) 181 182#define VNODE1_TOKENS do { \ 183 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 184 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 185 kau_write(rec, tok); \ 186 } \ 187} while (0) 188 189#define UPATH1_VNODE1_TOKENS do { \ 190 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 191 UPATH1_TOKENS; \ 192 } \ 193 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 194 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 195 kau_write(rec, tok); \ 196 } \ 197} while (0) 198 199#define VNODE2_TOKENS do { \ 200 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 201 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 202 kau_write(rec, tok); \ 203 } \ 204} while (0) 205 206#define FD_VNODE1_TOKENS do { \ 207 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 208 if (ARG_IS_VALID(kar, ARG_FD)) { \ 209 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 210 kau_write(rec, tok); \ 211 } \ 212 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 213 kau_write(rec, tok); \ 214 } else { \ 215 if (ARG_IS_VALID(kar, ARG_FD)) { \ 216 tok = au_to_arg32(1, "non-file: fd", \ 217 ar->ar_arg_fd); \ 218 kau_write(rec, tok); \ 219 } \ 220 } \ 221} while (0) 222 223#define PROCESS_PID_TOKENS(argn) do { \ 224 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 225 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 226 tok = au_to_process(ar->ar_arg_auid, \ 227 ar->ar_arg_euid, ar->ar_arg_egid, \ 228 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 229 ar->ar_arg_pid, ar->ar_arg_asid, \ 230 &ar->ar_arg_termid); \ 231 kau_write(rec, tok); \ 232 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 233 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 234 kau_write(rec, tok); \ 235 } \ 236} while (0) \ 237 238#define EXTATTR_TOKENS do { \ 239 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 240 switch (ar->ar_arg_value) { \ 241 case EXTATTR_NAMESPACE_USER: \ 242 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 243 break; \ 244 case EXTATTR_NAMESPACE_SYSTEM: \ 245 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 246 break; \ 247 default: \ 248 tok = au_to_arg32(3, "attrnamespace", \ 249 ar->ar_arg_value); \ 250 break; \ 251 } \ 252 kau_write(rec, tok); \ 253 } \ 254 /* attrname is in the text field */ \ 255 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 256 tok = au_to_text(ar->ar_arg_text); \ 257 kau_write(rec, tok); \ 258 } \ 259} while (0) 260 261/* 262 * Implement auditing for the auditon() system call. The audit tokens that 263 * are generated depend on the command that was sent into the auditon() 264 * system call. 265 */ 266static void 267audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 268{ 269 struct au_token *tok; 270 271 switch (ar->ar_arg_cmd) { 272 case A_SETPOLICY: 273 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 274 tok = au_to_arg64(1, "policy", 275 ar->ar_arg_auditon.au_flags); 276 else 277 tok = au_to_arg32(1, "policy", 278 ar->ar_arg_auditon.au_flags); 279 kau_write(rec, tok); 280 break; 281 282 case A_SETKMASK: 283 tok = au_to_arg32(2, "setkmask:as_success", 284 ar->ar_arg_auditon.au_mask.am_success); 285 kau_write(rec, tok); 286 tok = au_to_arg32(2, "setkmask:as_failure", 287 ar->ar_arg_auditon.au_mask.am_failure); 288 kau_write(rec, tok); 289 break; 290 291 case A_SETQCTRL: 292 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 293 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 294 kau_write(rec, tok); 295 tok = au_to_arg32(3, "setqctrl:aq_lowater", 296 ar->ar_arg_auditon.au_qctrl.aq_lowater); 297 kau_write(rec, tok); 298 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 299 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 300 kau_write(rec, tok); 301 tok = au_to_arg32(3, "setqctrl:aq_delay", 302 ar->ar_arg_auditon.au_qctrl.aq_delay); 303 kau_write(rec, tok); 304 tok = au_to_arg32(3, "setqctrl:aq_minfree", 305 ar->ar_arg_auditon.au_qctrl.aq_minfree); 306 kau_write(rec, tok); 307 break; 308 309 case A_SETUMASK: 310 tok = au_to_arg32(3, "setumask:as_success", 311 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 312 kau_write(rec, tok); 313 tok = au_to_arg32(3, "setumask:as_failure", 314 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 315 kau_write(rec, tok); 316 break; 317 318 case A_SETSMASK: 319 tok = au_to_arg32(3, "setsmask:as_success", 320 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 321 kau_write(rec, tok); 322 tok = au_to_arg32(3, "setsmask:as_failure", 323 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 324 kau_write(rec, tok); 325 break; 326 327 case A_SETCOND: 328 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 329 tok = au_to_arg64(3, "setcond", 330 ar->ar_arg_auditon.au_cond); 331 else 332 tok = au_to_arg32(3, "setcond", 333 ar->ar_arg_auditon.au_cond); 334 kau_write(rec, tok); 335 break; 336 337 case A_SETCLASS: 338 tok = au_to_arg32(2, "setclass:ec_event", 339 ar->ar_arg_auditon.au_evclass.ec_number); 340 kau_write(rec, tok); 341 tok = au_to_arg32(3, "setclass:ec_class", 342 ar->ar_arg_auditon.au_evclass.ec_class); 343 kau_write(rec, tok); 344 break; 345 346 case A_SETPMASK: 347 tok = au_to_arg32(2, "setpmask:as_success", 348 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 349 kau_write(rec, tok); 350 tok = au_to_arg32(2, "setpmask:as_failure", 351 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 352 kau_write(rec, tok); 353 break; 354 355 case A_SETFSIZE: 356 tok = au_to_arg32(2, "setfsize:filesize", 357 ar->ar_arg_auditon.au_fstat.af_filesz); 358 kau_write(rec, tok); 359 break; 360 361 default: 362 break; 363 } 364} 365 366/* 367 * Convert an internal kernel audit record to a BSM record and return a 368 * success/failure indicator. The BSM record is passed as an out parameter to 369 * this function. 370 * 371 * Return conditions: 372 * BSM_SUCCESS: The BSM record is valid 373 * BSM_FAILURE: Failure; the BSM record is NULL. 374 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 375 */ 376int 377kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 378{ 379 struct au_token *tok, *subj_tok; 380 struct au_record *rec; 381 au_tid_t tid; 382 struct audit_record *ar; 383 int ctr; 384 385 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 386 387 *pau = NULL; 388 ar = &kar->k_ar; 389 rec = kau_open(); 390 391 /* Create the subject token */ 392 switch (ar->ar_subj_term_addr.at_type) { 393 case AU_IPv4: 394 tid.port = ar->ar_subj_term_addr.at_port; 395 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 396 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 397 ar->ar_subj_cred.cr_uid, /* eff uid */ 398 ar->ar_subj_egid, /* eff group id */ 399 ar->ar_subj_ruid, /* real uid */ 400 ar->ar_subj_rgid, /* real group id */ 401 ar->ar_subj_pid, /* process id */ 402 ar->ar_subj_asid, /* session ID */ 403 &tid); 404 break; 405 case AU_IPv6: 406 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 407 ar->ar_subj_cred.cr_uid, 408 ar->ar_subj_egid, 409 ar->ar_subj_ruid, 410 ar->ar_subj_rgid, 411 ar->ar_subj_pid, 412 ar->ar_subj_asid, 413 &ar->ar_subj_term_addr); 414 break; 415 default: 416 bzero(&tid, sizeof(tid)); 417 subj_tok = au_to_subject32(ar->ar_subj_auid, 418 ar->ar_subj_cred.cr_uid, 419 ar->ar_subj_egid, 420 ar->ar_subj_ruid, 421 ar->ar_subj_rgid, 422 ar->ar_subj_pid, 423 ar->ar_subj_asid, 424 &tid); 425 } 426 427 /* 428 * The logic inside each case fills in the tokens required for the 429 * event, except for the header, trailer, and return tokens. The 430 * header and trailer tokens are added by the kau_close() function. 431 * The return token is added outside of the switch statement. 432 */ 433 switch(ar->ar_event) { 434 case AUE_ACCEPT: 435 case AUE_BIND: 436 case AUE_CONNECT: 437 case AUE_RECV: 438 case AUE_RECVFROM: 439 case AUE_RECVMSG: 440 case AUE_SEND: 441 case AUE_SENDFILE: 442 case AUE_SENDMSG: 443 case AUE_SENDTO: 444 /* 445 * Socket-related events. 446 */ 447 if (ARG_IS_VALID(kar, ARG_FD)) { 448 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 449 kau_write(rec, tok); 450 } 451 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 452 tok = au_to_sock_inet((struct sockaddr_in *) 453 &ar->ar_arg_sockaddr); 454 kau_write(rec, tok); 455 } 456 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 457 tok = au_to_sock_unix((struct sockaddr_un *) 458 &ar->ar_arg_sockaddr); 459 kau_write(rec, tok); 460 UPATH1_TOKENS; 461 } 462 /* XXX Need to handle ARG_SADDRINET6 */ 463 break; 464 465 case AUE_SOCKET: 466 case AUE_SOCKETPAIR: 467 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 468 tok = au_to_arg32(1,"domain", 469 ar->ar_arg_sockinfo.so_domain); 470 kau_write(rec, tok); 471 tok = au_to_arg32(2,"type", 472 ar->ar_arg_sockinfo.so_type); 473 kau_write(rec, tok); 474 tok = au_to_arg32(3,"protocol", 475 ar->ar_arg_sockinfo.so_protocol); 476 kau_write(rec, tok); 477 } 478 break; 479 480 case AUE_SETSOCKOPT: 481 case AUE_SHUTDOWN: 482 if (ARG_IS_VALID(kar, ARG_FD)) { 483 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 484 kau_write(rec, tok); 485 } 486 break; 487 488 case AUE_ACCT: 489 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 490 UPATH1_VNODE1_TOKENS; 491 } else { 492 tok = au_to_arg32(1, "accounting off", 0); 493 kau_write(rec, tok); 494 } 495 break; 496 497 case AUE_SETAUID: 498 if (ARG_IS_VALID(kar, ARG_AUID)) { 499 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 500 kau_write(rec, tok); 501 } 502 break; 503 504 case AUE_SETAUDIT: 505 if (ARG_IS_VALID(kar, ARG_AUID)) { 506 tok = au_to_arg32(1, "setaudit:auid", 507 ar->ar_arg_auid); 508 kau_write(rec, tok); 509 tok = au_to_arg32(1, "setaudit:port", 510 ar->ar_arg_termid.port); 511 kau_write(rec, tok); 512 tok = au_to_arg32(1, "setaudit:machine", 513 ar->ar_arg_termid.machine); 514 kau_write(rec, tok); 515 tok = au_to_arg32(1, "setaudit:as_success", 516 ar->ar_arg_amask.am_success); 517 kau_write(rec, tok); 518 tok = au_to_arg32(1, "setaudit:as_failure", 519 ar->ar_arg_amask.am_failure); 520 kau_write(rec, tok); 521 tok = au_to_arg32(1, "setaudit:asid", 522 ar->ar_arg_asid); 523 kau_write(rec, tok); 524 } 525 break; 526 527 case AUE_SETAUDIT_ADDR: 528 break; /* XXX need to add arguments */ 529 530 case AUE_AUDITON: 531 /* 532 * For AUDITON commands without own event, audit the cmd. 533 */ 534 if (ARG_IS_VALID(kar, ARG_CMD)) { 535 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 536 kau_write(rec, tok); 537 } 538 /* fall thru */ 539 540 case AUE_AUDITON_GETCAR: 541 case AUE_AUDITON_GETCLASS: 542 case AUE_AUDITON_GETCOND: 543 case AUE_AUDITON_GETCWD: 544 case AUE_AUDITON_GETKMASK: 545 case AUE_AUDITON_GETSTAT: 546 case AUE_AUDITON_GPOLICY: 547 case AUE_AUDITON_GQCTRL: 548 case AUE_AUDITON_SETCLASS: 549 case AUE_AUDITON_SETCOND: 550 case AUE_AUDITON_SETKMASK: 551 case AUE_AUDITON_SETSMASK: 552 case AUE_AUDITON_SETSTAT: 553 case AUE_AUDITON_SETUMASK: 554 case AUE_AUDITON_SPOLICY: 555 case AUE_AUDITON_SQCTRL: 556 if (ARG_IS_VALID(kar, ARG_AUDITON)) 557 audit_sys_auditon(ar, rec); 558 break; 559 560 case AUE_AUDITCTL: 561 UPATH1_VNODE1_TOKENS; 562 break; 563 564 case AUE_EXIT: 565 if (ARG_IS_VALID(kar, ARG_EXIT)) { 566 tok = au_to_exit(ar->ar_arg_exitretval, 567 ar->ar_arg_exitstatus); 568 kau_write(rec, tok); 569 } 570 break; 571 572 case AUE_ADJTIME: 573 case AUE_CLOCK_SETTIME: 574 case AUE_AUDIT: 575 case AUE_DUP2: 576 case AUE_GETAUDIT: 577 case AUE_GETAUDIT_ADDR: 578 case AUE_GETAUID: 579 case AUE_GETCWD: 580 case AUE_GETFSSTAT: 581 case AUE_GETRESUID: 582 case AUE_GETRESGID: 583 case AUE_KQUEUE: 584 case AUE_LSEEK: 585 case AUE_MODLOAD: 586 case AUE_MODUNLOAD: 587 case AUE_MSGSYS: 588 case AUE_NFS_SVC: 589 case AUE_NTP_ADJTIME: 590 case AUE_PIPE: 591 case AUE_PROFILE: 592 case AUE_RTPRIO: 593 case AUE_SEMSYS: 594 case AUE_SHMSYS: 595 case AUE_SETPGRP: 596 case AUE_SETRLIMIT: 597 case AUE_SETSID: 598 case AUE_SETTIMEOFDAY: 599 case AUE_SYSARCH: 600 601 /* 602 * Header, subject, and return tokens added at end. 603 */ 604 break; 605 606 case AUE_MKFIFO: 607 if (ARG_IS_VALID(kar, ARG_MODE)) { 608 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 609 kau_write(rec, tok); 610 } 611 /* fall through */ 612 case AUE_ACCESS: 613 case AUE_CHDIR: 614 case AUE_CHROOT: 615 case AUE_EACCESS: 616 case AUE_GETATTRLIST: 617 case AUE_JAIL: 618 case AUE_LUTIMES: 619 case AUE_NFS_GETFH: 620 case AUE_LSTAT: 621 case AUE_PATHCONF: 622 case AUE_READLINK: 623 case AUE_REVOKE: 624 case AUE_RMDIR: 625 case AUE_SEARCHFS: 626 case AUE_SETATTRLIST: 627 case AUE_STAT: 628 case AUE_STATFS: 629 case AUE_SWAPON: 630 case AUE_SWAPOFF: 631 case AUE_TRUNCATE: 632 case AUE_UNDELETE: 633 case AUE_UNLINK: 634 case AUE_UTIMES: 635 UPATH1_VNODE1_TOKENS; 636 break; 637 638 case AUE_FHSTATFS: 639 case AUE_FHOPEN: 640 case AUE_FHSTAT: 641 /* XXXRW: Need to audit vnode argument. */ 642 break; 643 644 case AUE_CHFLAGS: 645 case AUE_LCHFLAGS: 646 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 647 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 648 kau_write(rec, tok); 649 } 650 UPATH1_VNODE1_TOKENS; 651 break; 652 653 case AUE_CHMOD: 654 case AUE_LCHMOD: 655 if (ARG_IS_VALID(kar, ARG_MODE)) { 656 tok = au_to_arg32(2, "new file mode", 657 ar->ar_arg_mode); 658 kau_write(rec, tok); 659 } 660 UPATH1_VNODE1_TOKENS; 661 break; 662 663 case AUE_CHOWN: 664 case AUE_LCHOWN: 665 if (ARG_IS_VALID(kar, ARG_UID)) { 666 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 667 kau_write(rec, tok); 668 } 669 if (ARG_IS_VALID(kar, ARG_GID)) { 670 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 671 kau_write(rec, tok); 672 } 673 UPATH1_VNODE1_TOKENS; 674 break; 675 676 case AUE_EXCHANGEDATA: 677 UPATH1_VNODE1_TOKENS; 678 UPATH2_TOKENS; 679 break; 680 681 case AUE_CLOSE: 682 if (ARG_IS_VALID(kar, ARG_FD)) { 683 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 684 kau_write(rec, tok); 685 } 686 UPATH1_VNODE1_TOKENS; 687 break; 688 689 case AUE_EXTATTRCTL: 690 UPATH1_VNODE1_TOKENS; 691 if (ARG_IS_VALID(kar, ARG_CMD)) { 692 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 693 kau_write(rec, tok); 694 } 695 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 696 UPATH2_TOKENS; 697 VNODE2_TOKENS; 698 EXTATTR_TOKENS; 699 break; 700 701 case AUE_EXTATTR_GET_FILE: 702 case AUE_EXTATTR_SET_FILE: 703 case AUE_EXTATTR_LIST_FILE: 704 case AUE_EXTATTR_DELETE_FILE: 705 case AUE_EXTATTR_GET_LINK: 706 case AUE_EXTATTR_SET_LINK: 707 case AUE_EXTATTR_LIST_LINK: 708 case AUE_EXTATTR_DELETE_LINK: 709 UPATH1_VNODE1_TOKENS; 710 EXTATTR_TOKENS; 711 break; 712 713 case AUE_EXTATTR_GET_FD: 714 case AUE_EXTATTR_SET_FD: 715 case AUE_EXTATTR_LIST_FD: 716 case AUE_EXTATTR_DELETE_FD: 717 if (ARG_IS_VALID(kar, ARG_FD)) { 718 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 719 kau_write(rec, tok); 720 } 721 EXTATTR_TOKENS; 722 break; 723 724 case AUE_EXECVE: 725 if (ARG_IS_VALID(kar, ARG_ARGV)) { 726 tok = au_to_exec_args(ar->ar_arg_argv, 727 ar->ar_arg_argc); 728 kau_write(rec, tok); 729 } 730 if (ARG_IS_VALID(kar, ARG_ENVV)) { 731 tok = au_to_exec_env(ar->ar_arg_envv, 732 ar->ar_arg_envc); 733 kau_write(rec, tok); 734 } 735 UPATH1_VNODE1_TOKENS; 736 break; 737 738 case AUE_FCHMOD: 739 if (ARG_IS_VALID(kar, ARG_MODE)) { 740 tok = au_to_arg32(2, "new file mode", 741 ar->ar_arg_mode); 742 kau_write(rec, tok); 743 } 744 FD_VNODE1_TOKENS; 745 break; 746 747 /* 748 * XXXRW: Some of these need to handle non-vnode cases as well. 749 */ 750 case AUE_FCHDIR: 751 case AUE_FPATHCONF: 752 case AUE_FSTAT: 753 case AUE_FSTATFS: 754 case AUE_FSYNC: 755 case AUE_FTRUNCATE: 756 case AUE_FUTIMES: 757 case AUE_GETDIRENTRIES: 758 case AUE_GETDIRENTRIESATTR: 759 case AUE_POLL: 760 case AUE_READ: 761 case AUE_READV: 762 case AUE_WRITE: 763 case AUE_WRITEV: 764 FD_VNODE1_TOKENS; 765 break; 766 767 case AUE_FCHOWN: 768 if (ARG_IS_VALID(kar, ARG_UID)) { 769 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 770 kau_write(rec, tok); 771 } 772 if (ARG_IS_VALID(kar, ARG_GID)) { 773 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 774 kau_write(rec, tok); 775 } 776 FD_VNODE1_TOKENS; 777 break; 778 779 case AUE_FCNTL: 780 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 781 ar->ar_arg_cmd == F_SETLKW) { 782 if (ARG_IS_VALID(kar, ARG_CMD)) { 783 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 784 kau_write(rec, tok); 785 } 786 FD_VNODE1_TOKENS; 787 } 788 break; 789 790 case AUE_FCHFLAGS: 791 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 792 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 793 kau_write(rec, tok); 794 } 795 FD_VNODE1_TOKENS; 796 break; 797 798 case AUE_FLOCK: 799 if (ARG_IS_VALID(kar, ARG_CMD)) { 800 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 801 kau_write(rec, tok); 802 } 803 FD_VNODE1_TOKENS; 804 break; 805 806 case AUE_RFORK: 807 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 808 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 809 kau_write(rec, tok); 810 } 811 /* fall through */ 812 case AUE_FORK: 813 case AUE_VFORK: 814 if (ARG_IS_VALID(kar, ARG_PID)) { 815 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 816 kau_write(rec, tok); 817 } 818 break; 819 820 case AUE_IOCTL: 821 if (ARG_IS_VALID(kar, ARG_CMD)) { 822 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 823 kau_write(rec, tok); 824 } 825 if (ARG_IS_VALID(kar, ARG_ADDR)) { 826 tok = au_to_arg32(1, "arg", 827 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 828 kau_write(rec, tok); 829 } 830 if (ARG_IS_VALID(kar, ARG_VNODE1)) 831 FD_VNODE1_TOKENS; 832 else { 833 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 834 tok = kau_to_socket(&ar->ar_arg_sockinfo); 835 kau_write(rec, tok); 836 } else { 837 if (ARG_IS_VALID(kar, ARG_FD)) { 838 tok = au_to_arg32(1, "fd", 839 ar->ar_arg_fd); 840 kau_write(rec, tok); 841 } 842 } 843 } 844 break; 845 846 case AUE_KILL: 847 case AUE_KILLPG: 848 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 849 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 850 kau_write(rec, tok); 851 } 852 PROCESS_PID_TOKENS(1); 853 break; 854 855 case AUE_KTRACE: 856 if (ARG_IS_VALID(kar, ARG_CMD)) { 857 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 858 kau_write(rec, tok); 859 } 860 if (ARG_IS_VALID(kar, ARG_VALUE)) { 861 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 862 kau_write(rec, tok); 863 } 864 PROCESS_PID_TOKENS(4); 865 UPATH1_VNODE1_TOKENS; 866 break; 867 868 case AUE_LINK: 869 case AUE_RENAME: 870 UPATH1_VNODE1_TOKENS; 871 UPATH2_TOKENS; 872 break; 873 874 case AUE_LOADSHFILE: 875 if (ARG_IS_VALID(kar, ARG_ADDR)) { 876 tok = au_to_arg32(4, "base addr", 877 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 878 kau_write(rec, tok); 879 } 880 UPATH1_VNODE1_TOKENS; 881 break; 882 883 case AUE_MKDIR: 884 if (ARG_IS_VALID(kar, ARG_MODE)) { 885 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 886 kau_write(rec, tok); 887 } 888 UPATH1_VNODE1_TOKENS; 889 break; 890 891 case AUE_MKNOD: 892 if (ARG_IS_VALID(kar, ARG_MODE)) { 893 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 894 kau_write(rec, tok); 895 } 896 if (ARG_IS_VALID(kar, ARG_DEV)) { 897 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 898 kau_write(rec, tok); 899 } 900 UPATH1_VNODE1_TOKENS; 901 break; 902 903 case AUE_MMAP: 904 case AUE_MUNMAP: 905 case AUE_MPROTECT: 906 case AUE_MLOCK: 907 case AUE_MUNLOCK: 908 case AUE_MINHERIT: 909 if (ARG_IS_VALID(kar, ARG_ADDR)) { 910 tok = au_to_arg32(1, "addr", 911 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 912 kau_write(rec, tok); 913 } 914 if (ARG_IS_VALID(kar, ARG_LEN)) { 915 tok = au_to_arg32(2, "len", ar->ar_arg_len); 916 kau_write(rec, tok); 917 } 918 if (ar->ar_event == AUE_MMAP) 919 FD_VNODE1_TOKENS; 920 if (ar->ar_event == AUE_MPROTECT) { 921 if (ARG_IS_VALID(kar, ARG_VALUE)) { 922 tok = au_to_arg32(3, "protection", 923 ar->ar_arg_value); 924 kau_write(rec, tok); 925 } 926 } 927 if (ar->ar_event == AUE_MINHERIT) { 928 if (ARG_IS_VALID(kar, ARG_VALUE)) { 929 tok = au_to_arg32(3, "inherit", 930 ar->ar_arg_value); 931 kau_write(rec, tok); 932 } 933 } 934 break; 935 936 case AUE_MOUNT: 937 case AUE_NMOUNT: 938 /* XXX Need to handle NFS mounts */ 939 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 940 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 941 kau_write(rec, tok); 942 } 943 if (ARG_IS_VALID(kar, ARG_TEXT)) { 944 tok = au_to_text(ar->ar_arg_text); 945 kau_write(rec, tok); 946 } 947 /* fall through */ 948 949 case AUE_UMOUNT: 950 UPATH1_VNODE1_TOKENS; 951 break; 952 953 case AUE_MSGCTL: 954 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 955 /* Fall through */ 956 957 case AUE_MSGRCV: 958 case AUE_MSGSND: 959 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 960 kau_write(rec, tok); 961 if (ar->ar_errno != EINVAL) { 962 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 963 kau_write(rec, tok); 964 } 965 break; 966 967 case AUE_MSGGET: 968 if (ar->ar_errno == 0) { 969 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 970 tok = au_to_ipc(AT_IPC_MSG, 971 ar->ar_arg_svipc_id); 972 kau_write(rec, tok); 973 } 974 } 975 break; 976 977 case AUE_RESETSHFILE: 978 if (ARG_IS_VALID(kar, ARG_ADDR)) { 979 tok = au_to_arg32(1, "base addr", 980 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 981 kau_write(rec, tok); 982 } 983 break; 984 985 case AUE_OPEN_RC: 986 case AUE_OPEN_RTC: 987 case AUE_OPEN_RWC: 988 case AUE_OPEN_RWTC: 989 case AUE_OPEN_WC: 990 case AUE_OPEN_WTC: 991 case AUE_CREAT: 992 if (ARG_IS_VALID(kar, ARG_MODE)) { 993 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 994 kau_write(rec, tok); 995 } 996 /* fall through */ 997 998 case AUE_OPEN_R: 999 case AUE_OPEN_RT: 1000 case AUE_OPEN_RW: 1001 case AUE_OPEN_RWT: 1002 case AUE_OPEN_W: 1003 case AUE_OPEN_WT: 1004 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1005 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1006 kau_write(rec, tok); 1007 } 1008 UPATH1_VNODE1_TOKENS; 1009 break; 1010 1011 case AUE_PTRACE: 1012 if (ARG_IS_VALID(kar, ARG_CMD)) { 1013 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1014 kau_write(rec, tok); 1015 } 1016 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1017 tok = au_to_arg32(3, "addr", 1018 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1019 kau_write(rec, tok); 1020 } 1021 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1022 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1023 kau_write(rec, tok); 1024 } 1025 PROCESS_PID_TOKENS(2); 1026 break; 1027 1028 case AUE_QUOTACTL: 1029 if (ARG_IS_VALID(kar, ARG_CMD)) { 1030 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1031 kau_write(rec, tok); 1032 } 1033 if (ARG_IS_VALID(kar, ARG_UID)) { 1034 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1035 kau_write(rec, tok); 1036 } 1037 UPATH1_VNODE1_TOKENS; 1038 break; 1039 1040 case AUE_REBOOT: 1041 if (ARG_IS_VALID(kar, ARG_CMD)) { 1042 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1043 kau_write(rec, tok); 1044 } 1045 break; 1046 1047 case AUE_SEMCTL: 1048 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 1049 /* Fall through */ 1050 1051 case AUE_SEMOP: 1052 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1053 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1054 kau_write(rec, tok); 1055 if (ar->ar_errno != EINVAL) { 1056 tok = au_to_ipc(AT_IPC_SEM, 1057 ar->ar_arg_svipc_id); 1058 kau_write(rec, tok); 1059 } 1060 } 1061 break; 1062 1063 case AUE_SEMGET: 1064 if (ar->ar_errno == 0) { 1065 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1066 tok = au_to_ipc(AT_IPC_SEM, 1067 ar->ar_arg_svipc_id); 1068 kau_write(rec, tok); 1069 } 1070 } 1071 break; 1072 1073 case AUE_SETEGID: 1074 if (ARG_IS_VALID(kar, ARG_EGID)) { 1075 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1076 kau_write(rec, tok); 1077 } 1078 break; 1079 1080 case AUE_SETEUID: 1081 if (ARG_IS_VALID(kar, ARG_EUID)) { 1082 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1083 kau_write(rec, tok); 1084 } 1085 break; 1086 1087 case AUE_SETREGID: 1088 if (ARG_IS_VALID(kar, ARG_RGID)) { 1089 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1090 kau_write(rec, tok); 1091 } 1092 if (ARG_IS_VALID(kar, ARG_EGID)) { 1093 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1094 kau_write(rec, tok); 1095 } 1096 break; 1097 1098 case AUE_SETREUID: 1099 if (ARG_IS_VALID(kar, ARG_RUID)) { 1100 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1101 kau_write(rec, tok); 1102 } 1103 if (ARG_IS_VALID(kar, ARG_EUID)) { 1104 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1105 kau_write(rec, tok); 1106 } 1107 break; 1108 1109 case AUE_SETRESGID: 1110 if (ARG_IS_VALID(kar, ARG_RGID)) { 1111 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1112 kau_write(rec, tok); 1113 } 1114 if (ARG_IS_VALID(kar, ARG_EGID)) { 1115 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1116 kau_write(rec, tok); 1117 } 1118 if (ARG_IS_VALID(kar, ARG_SGID)) { 1119 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1120 kau_write(rec, tok); 1121 } 1122 break; 1123 1124 case AUE_SETRESUID: 1125 if (ARG_IS_VALID(kar, ARG_RUID)) { 1126 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1127 kau_write(rec, tok); 1128 } 1129 if (ARG_IS_VALID(kar, ARG_EUID)) { 1130 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1131 kau_write(rec, tok); 1132 } 1133 if (ARG_IS_VALID(kar, ARG_SUID)) { 1134 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1135 kau_write(rec, tok); 1136 } 1137 break; 1138 1139 case AUE_SETGID: 1140 if (ARG_IS_VALID(kar, ARG_GID)) { 1141 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1142 kau_write(rec, tok); 1143 } 1144 break; 1145 1146 case AUE_SETUID: 1147 if (ARG_IS_VALID(kar, ARG_UID)) { 1148 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1149 kau_write(rec, tok); 1150 } 1151 break; 1152 1153 case AUE_SETGROUPS: 1154 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1155 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1156 { 1157 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1158 kau_write(rec, tok); 1159 } 1160 } 1161 break; 1162 1163 case AUE_SETLOGIN: 1164 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1165 tok = au_to_text(ar->ar_arg_text); 1166 kau_write(rec, tok); 1167 } 1168 break; 1169 1170 case AUE_SETPRIORITY: 1171 if (ARG_IS_VALID(kar, ARG_CMD)) { 1172 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1173 kau_write(rec, tok); 1174 } 1175 if (ARG_IS_VALID(kar, ARG_UID)) { 1176 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1177 kau_write(rec, tok); 1178 } 1179 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1180 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1181 kau_write(rec, tok); 1182 } 1183 break; 1184 1185 case AUE_SETPRIVEXEC: 1186 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1187 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1188 kau_write(rec, tok); 1189 } 1190 break; 1191 1192 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1193 case AUE_SHMAT: 1194 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1195 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1196 kau_write(rec, tok); 1197 /* XXXAUDIT: Does having the ipc token make sense? */ 1198 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1199 kau_write(rec, tok); 1200 } 1201 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1202 tok = au_to_arg32(2, "shmaddr", 1203 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1204 kau_write(rec, tok); 1205 } 1206 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1207 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1208 kau_write(rec, tok); 1209 } 1210 break; 1211 1212 case AUE_SHMCTL: 1213 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1214 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1215 kau_write(rec, tok); 1216 /* XXXAUDIT: Does having the ipc token make sense? */ 1217 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1218 kau_write(rec, tok); 1219 } 1220 switch (ar->ar_arg_svipc_cmd) { 1221 case IPC_STAT: 1222 ar->ar_event = AUE_SHMCTL_STAT; 1223 break; 1224 case IPC_RMID: 1225 ar->ar_event = AUE_SHMCTL_RMID; 1226 break; 1227 case IPC_SET: 1228 ar->ar_event = AUE_SHMCTL_SET; 1229 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1230 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1231 kau_write(rec, tok); 1232 } 1233 break; 1234 default: 1235 break; /* We will audit a bad command */ 1236 } 1237 break; 1238 1239 case AUE_SHMDT: 1240 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1241 tok = au_to_arg32(1, "shmaddr", 1242 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1243 kau_write(rec, tok); 1244 } 1245 break; 1246 1247 case AUE_SHMGET: 1248 /* This is unusual; the return value is in an argument token */ 1249 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1250 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1251 kau_write(rec, tok); 1252 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1253 kau_write(rec, tok); 1254 } 1255 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1256 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1257 kau_write(rec, tok); 1258 } 1259 break; 1260 1261 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1262 * and AUE_SEMUNLINK are Posix IPC */ 1263 case AUE_SHMOPEN: 1264 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1265 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1266 kau_write(rec, tok); 1267 } 1268 if (ARG_IS_VALID(kar, ARG_MODE)) { 1269 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1270 kau_write(rec, tok); 1271 } 1272 case AUE_SHMUNLINK: 1273 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1274 tok = au_to_text(ar->ar_arg_text); 1275 kau_write(rec, tok); 1276 } 1277 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1278 /* Create an ipc_perm token */ 1279 struct ipc_perm perm; 1280 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1281 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1282 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1283 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1284 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1285 perm.seq = 0; 1286 perm.key = 0; 1287 tok = au_to_ipc_perm(&perm); 1288 kau_write(rec, tok); 1289 } 1290 break; 1291 1292 case AUE_SEMOPEN: 1293 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1294 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1295 kau_write(rec, tok); 1296 } 1297 if (ARG_IS_VALID(kar, ARG_MODE)) { 1298 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1299 kau_write(rec, tok); 1300 } 1301 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1302 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1303 kau_write(rec, tok); 1304 } 1305 /* fall through */ 1306 1307 case AUE_SEMUNLINK: 1308 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1309 tok = au_to_text(ar->ar_arg_text); 1310 kau_write(rec, tok); 1311 } 1312 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1313 /* Create an ipc_perm token */ 1314 struct ipc_perm perm; 1315 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1316 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1317 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1318 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1319 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1320 perm.seq = 0; 1321 perm.key = 0; 1322 tok = au_to_ipc_perm(&perm); 1323 kau_write(rec, tok); 1324 } 1325 break; 1326 1327 case AUE_SEMCLOSE: 1328 if (ARG_IS_VALID(kar, ARG_FD)) { 1329 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1330 kau_write(rec, tok); 1331 } 1332 break; 1333 1334 case AUE_SYMLINK: 1335 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1336 tok = au_to_text(ar->ar_arg_text); 1337 kau_write(rec, tok); 1338 } 1339 UPATH1_VNODE1_TOKENS; 1340 break; 1341 1342 case AUE_SYSCTL: 1343 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1344 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1345 tok = au_to_arg32(1, "name", 1346 ar->ar_arg_ctlname[ctr]); 1347 kau_write(rec, tok); 1348 } 1349 } 1350 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1351 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1352 kau_write(rec, tok); 1353 } 1354 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1355 tok = au_to_text(ar->ar_arg_text); 1356 kau_write(rec, tok); 1357 } 1358 break; 1359 1360 case AUE_UMASK: 1361 if (ARG_IS_VALID(kar, ARG_MASK)) { 1362 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1363 kau_write(rec, tok); 1364 } 1365 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1366 kau_write(rec, tok); 1367 break; 1368 1369 case AUE_WAIT4: 1370 if (ARG_IS_VALID(kar, ARG_PID)) { 1371 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1372 kau_write(rec, tok); 1373 } 1374 break; 1375 1376 case AUE_NULL: 1377 default: 1378 printf("BSM conversion requested for unknown event %d\n", 1379 ar->ar_event); 1380 /* Write the subject token so it is properly freed here. */ 1381 kau_write(rec, subj_tok); 1382 kau_free(rec); 1383 return (BSM_NOAUDIT); 1384 } 1385 1386 kau_write(rec, subj_tok); 1387 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1388 kau_write(rec, tok); /* Every record gets a return token */ 1389 1390 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1391 1392 *pau = rec; 1393 return (BSM_SUCCESS); 1394} 1395 1396/* 1397 * Verify that a record is a valid BSM record. This verification is simple 1398 * now, but may be expanded on sometime in the future. Return 1 if the 1399 * record is good, 0 otherwise. 1400 */ 1401int 1402bsm_rec_verify(void *rec) 1403{ 1404 char c = *(char *)rec; 1405 1406 /* 1407 * Check the token ID of the first token; it has to be a header 1408 * token. 1409 * 1410 * XXXAUDIT There needs to be a token structure to map a token. 1411 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1412 */ 1413 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1414 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1415 return (0); 1416 return (1); 1417} 1418