audit_bsm.c revision 171066
1116742Ssam/* 2116904Ssam * Copyright (c) 1999-2005 Apple Computer, Inc. 3170360Ssam * All rights reserved. 4116742Ssam * 5116742Ssam * Redistribution and use in source and binary forms, with or without 6116742Ssam * modification, are permitted provided that the following conditions 7116742Ssam * are met: 8116742Ssam * 1. Redistributions of source code must retain the above copyright 9116742Ssam * notice, this list of conditions and the following disclaimer. 10116904Ssam * 2. Redistributions in binary form must reproduce the above copyright 11116904Ssam * notice, this list of conditions and the following disclaimer in the 12116904Ssam * documentation and/or other materials provided with the distribution. 13116904Ssam * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14116742Ssam * its contributors may be used to endorse or promote products derived 15116904Ssam * from this software without specific prior written permission. 16116904Ssam * 17116904Ssam * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18116904Ssam * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19116904Ssam * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20116904Ssam * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21116904Ssam * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22116904Ssam * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23116904Ssam * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24116904Ssam * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25116742Ssam * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26116742Ssam * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27116742Ssam * POSSIBILITY OF SUCH DAMAGE. 28116742Ssam * 29116742Ssam * $FreeBSD: head/sys/security/audit/audit_bsm.c 171066 2007-06-27 17:01:15Z csjp $ 30162659Sru */ 31162659Sru 32116742Ssam#include <sys/param.h> 33116742Ssam#include <sys/vnode.h> 34116742Ssam#include <sys/ipc.h> 35116742Ssam#include <sys/lock.h> 36127646Ssam#include <sys/malloc.h> 37127646Ssam#include <sys/mutex.h> 38127646Ssam#include <sys/socket.h> 39116742Ssam#include <sys/extattr.h> 40116742Ssam#include <sys/fcntl.h> 41116742Ssam#include <sys/user.h> 42164033Srwatson#include <sys/systm.h> 43116742Ssam 44116742Ssam#include <bsm/audit.h> 45116742Ssam#include <bsm/audit_internal.h> 46116742Ssam#include <bsm/audit_record.h> 47116742Ssam#include <bsm/audit_kevents.h> 48152315Sru 49116742Ssam#include <security/audit/audit.h> 50116742Ssam#include <security/audit/audit_private.h> 51116742Ssam 52127646Ssam#include <netinet/in_systm.h> 53127646Ssam#include <netinet/in.h> 54127646Ssam#include <netinet/ip.h> 55127646Ssam 56127646SsamMALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57127646Ssam 58127646Ssamstatic void audit_sys_auditon(struct audit_record *ar, 59127646Ssam struct au_record *rec); 60127646Ssam 61127646Ssam/* 62116742Ssam * Initialize the BSM auditing subsystem. 63116742Ssam */ 64116742Ssamvoid 65138568Ssamkau_init(void) 66148887Srwatson{ 67148887Srwatson 68138568Ssam printf("BSM auditing present\n"); 69138568Ssam au_evclassmap_init(); 70170530Ssam} 71138568Ssam 72170530Ssam/* 73170530Ssam * This call reserves memory for the audit record. Memory must be guaranteed 74116742Ssam * before any auditable event can be generated. The au_record structure 75116742Ssam * maintains a reference to the memory allocated above and also the list of 76138568Ssam * tokens associated with this record 77138568Ssam */ 78138568Ssamstatic struct au_record * 79138568Ssamkau_open(void) 80138568Ssam{ 81138568Ssam struct au_record *rec; 82138568Ssam 83138568Ssam rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84138568Ssam rec->data = NULL; 85138568Ssam TAILQ_INIT(&rec->token_q); 86138568Ssam rec->len = 0; 87138568Ssam rec->used = 1; 88138568Ssam 89138568Ssam return (rec); 90138568Ssam} 91138568Ssam 92138568Ssam/* 93138568Ssam * Store the token with the record descriptor. 94138568Ssam */ 95138568Ssamstatic void 96138568Ssamkau_write(struct au_record *rec, struct au_token *tok) 97138568Ssam{ 98138568Ssam 99138568Ssam KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100138568Ssam 101138568Ssam TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102138568Ssam rec->len += tok->len; 103138568Ssam} 104138568Ssam 105140753Ssam/* 106138568Ssam * Close out the audit record by adding the header token, identifying any 107138568Ssam * missing tokens. Write out the tokens to the record memory. 108138568Ssam */ 109138568Ssamstatic void 110138568Ssamkau_close(struct au_record *rec, struct timespec *ctime, short event) 111138568Ssam{ 112138568Ssam u_char *dptr; 113138568Ssam size_t tot_rec_size; 114138568Ssam token_t *cur, *hdr, *trail; 115138568Ssam struct timeval tm; 116138568Ssam 117138568Ssam tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 118138568Ssam rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 119138568Ssam 120138568Ssam tm.tv_usec = ctime->tv_nsec / 1000; 121138568Ssam tm.tv_sec = ctime->tv_sec; 122164033Srwatson hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 123138568Ssam TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 124138568Ssam 125138568Ssam trail = au_to_trailer(tot_rec_size); 126138568Ssam TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 127138568Ssam 128138568Ssam rec->len = tot_rec_size; 129138568Ssam dptr = rec->data; 130138568Ssam TAILQ_FOREACH(cur, &rec->token_q, tokens) { 131138568Ssam memcpy(dptr, cur->t_data, cur->len); 132138568Ssam dptr += cur->len; 133138568Ssam } 134138568Ssam} 135138568Ssam 136138568Ssam/* 137138568Ssam * Free a BSM audit record by releasing all the tokens and clearing the audit 138138568Ssam * record information. 139138568Ssam */ 140138568Ssamvoid 141138568Ssamkau_free(struct au_record *rec) 142138568Ssam{ 143138568Ssam struct au_token *tok; 144138568Ssam 145138568Ssam /* Free the token list. */ 146138568Ssam while ((tok = TAILQ_FIRST(&rec->token_q))) { 147153344Ssam TAILQ_REMOVE(&rec->token_q, tok, tokens); 148138568Ssam free(tok->t_data, M_AUDITBSM); 149138568Ssam free(tok, M_AUDITBSM); 150138568Ssam } 151138568Ssam 152138568Ssam rec->used = 0; 153138568Ssam rec->len = 0; 154138568Ssam free(rec->data, M_AUDITBSM); 155170530Ssam free(rec, M_AUDITBSM); 156138568Ssam} 157138568Ssam 158170530Ssam/* 159138568Ssam * XXX: May want turn some (or all) of these macros into functions in order 160138568Ssam * to reduce the generated code sized. 161170530Ssam * 162170530Ssam * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 163138568Ssam * caller are OK with this. 164138568Ssam */ 165138568Ssam#define UPATH1_TOKENS do { \ 166170530Ssam if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 167138568Ssam tok = au_to_path(ar->ar_arg_upath1); \ 168138568Ssam kau_write(rec, tok); \ 169170530Ssam } \ 170138568Ssam} while (0) 171138568Ssam 172138568Ssam#define UPATH2_TOKENS do { \ 173138568Ssam if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 174138568Ssam tok = au_to_path(ar->ar_arg_upath2); \ 175138568Ssam kau_write(rec, tok); \ 176138568Ssam } \ 177140753Ssam} while (0) 178138568Ssam 179170530Ssam#define VNODE1_TOKENS do { \ 180138568Ssam if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 181138568Ssam tok = au_to_attr32(&ar->ar_arg_vnode1); \ 182138568Ssam kau_write(rec, tok); \ 183138568Ssam } \ 184138568Ssam} while (0) 185138568Ssam 186138568Ssam#define UPATH1_VNODE1_TOKENS do { \ 187170530Ssam if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188170530Ssam UPATH1_TOKENS; \ 189170530Ssam } \ 190170530Ssam if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 191170530Ssam tok = au_to_attr32(&ar->ar_arg_vnode1); \ 192170530Ssam kau_write(rec, tok); \ 193170530Ssam } \ 194170530Ssam} while (0) 195170530Ssam 196170530Ssam#define VNODE2_TOKENS do { \ 197170530Ssam if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 198170530Ssam tok = au_to_attr32(&ar->ar_arg_vnode2); \ 199170530Ssam kau_write(rec, tok); \ 200170530Ssam } \ 201170530Ssam} while (0) 202170530Ssam 203170530Ssam#define FD_VNODE1_TOKENS do { \ 204170530Ssam if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 205170530Ssam if (ARG_IS_VALID(kar, ARG_FD)) { \ 206170530Ssam tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 207170530Ssam kau_write(rec, tok); \ 208170530Ssam } \ 209138568Ssam tok = au_to_attr32(&ar->ar_arg_vnode1); \ 210138568Ssam kau_write(rec, tok); \ 211138568Ssam } else { \ 212138568Ssam if (ARG_IS_VALID(kar, ARG_FD)) { \ 213138568Ssam tok = au_to_arg32(1, "non-file: fd", \ 214138568Ssam ar->ar_arg_fd); \ 215138568Ssam kau_write(rec, tok); \ 216138568Ssam } \ 217170530Ssam } \ 218138568Ssam} while (0) 219138568Ssam 220138568Ssam#define PROCESS_PID_TOKENS(argn) do { \ 221138568Ssam if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 222138568Ssam && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 223138568Ssam tok = au_to_process(ar->ar_arg_auid, \ 224138568Ssam ar->ar_arg_euid, ar->ar_arg_egid, \ 225138568Ssam ar->ar_arg_ruid, ar->ar_arg_rgid, \ 226140753Ssam ar->ar_arg_pid, ar->ar_arg_asid, \ 227170530Ssam &ar->ar_arg_termid); \ 228170530Ssam kau_write(rec, tok); \ 229138568Ssam } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 230138568Ssam tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 231138568Ssam kau_write(rec, tok); \ 232170530Ssam } \ 233138568Ssam} while (0) \ 234138568Ssam 235138568Ssam#define EXTATTR_TOKENS do { \ 236138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 237138568Ssam switch (ar->ar_arg_value) { \ 238170530Ssam case EXTATTR_NAMESPACE_USER: \ 239170530Ssam tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 240170530Ssam break; \ 241170530Ssam case EXTATTR_NAMESPACE_SYSTEM: \ 242170530Ssam tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 243170530Ssam break; \ 244170530Ssam default: \ 245170530Ssam tok = au_to_arg32(3, "attrnamespace", \ 246170530Ssam ar->ar_arg_value); \ 247170530Ssam break; \ 248154541Ssam } \ 249154541Ssam kau_write(rec, tok); \ 250154541Ssam } \ 251154541Ssam /* attrname is in the text field */ \ 252170530Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 253170530Ssam tok = au_to_text(ar->ar_arg_text); \ 254170530Ssam kau_write(rec, tok); \ 255170530Ssam } \ 256170530Ssam} while (0) 257170530Ssam 258170530Ssam/* 259170530Ssam * Implement auditing for the auditon() system call. The audit tokens that 260170530Ssam * are generated depend on the command that was sent into the auditon() 261170530Ssam * system call. 262170530Ssam */ 263170530Ssamstatic void 264170530Ssamaudit_sys_auditon(struct audit_record *ar, struct au_record *rec) 265170530Ssam{ 266154541Ssam struct au_token *tok; 267154541Ssam 268154541Ssam switch (ar->ar_arg_cmd) { 269170530Ssam case A_SETPOLICY: 270170530Ssam if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 271170530Ssam tok = au_to_arg64(1, "policy", 272170530Ssam ar->ar_arg_auditon.au_flags); 273170530Ssam else 274170530Ssam tok = au_to_arg32(1, "policy", 275170530Ssam ar->ar_arg_auditon.au_flags); 276170530Ssam kau_write(rec, tok); 277170530Ssam break; 278170530Ssam 279170530Ssam case A_SETKMASK: 280170530Ssam tok = au_to_arg32(2, "setkmask:as_success", 281170530Ssam ar->ar_arg_auditon.au_mask.am_success); 282170530Ssam kau_write(rec, tok); 283170530Ssam tok = au_to_arg32(2, "setkmask:as_failure", 284170530Ssam ar->ar_arg_auditon.au_mask.am_failure); 285170530Ssam kau_write(rec, tok); 286170530Ssam break; 287170530Ssam 288170530Ssam case A_SETQCTRL: 289170530Ssam tok = au_to_arg32(3, "setqctrl:aq_hiwater", 290170530Ssam ar->ar_arg_auditon.au_qctrl.aq_hiwater); 291170530Ssam kau_write(rec, tok); 292170530Ssam tok = au_to_arg32(3, "setqctrl:aq_lowater", 293138568Ssam ar->ar_arg_auditon.au_qctrl.aq_lowater); 294170530Ssam kau_write(rec, tok); 295138568Ssam tok = au_to_arg32(3, "setqctrl:aq_bufsz", 296170530Ssam ar->ar_arg_auditon.au_qctrl.aq_bufsz); 297170530Ssam kau_write(rec, tok); 298138568Ssam tok = au_to_arg32(3, "setqctrl:aq_delay", 299170530Ssam ar->ar_arg_auditon.au_qctrl.aq_delay); 300170530Ssam kau_write(rec, tok); 301170530Ssam tok = au_to_arg32(3, "setqctrl:aq_minfree", 302170530Ssam ar->ar_arg_auditon.au_qctrl.aq_minfree); 303170530Ssam kau_write(rec, tok); 304170530Ssam break; 305170530Ssam 306170530Ssam case A_SETUMASK: 307170530Ssam tok = au_to_arg32(3, "setumask:as_success", 308170530Ssam ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 309170530Ssam kau_write(rec, tok); 310170530Ssam tok = au_to_arg32(3, "setumask:as_failure", 311170530Ssam ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 312170530Ssam kau_write(rec, tok); 313170530Ssam break; 314170530Ssam 315138568Ssam case A_SETSMASK: 316170530Ssam tok = au_to_arg32(3, "setsmask:as_success", 317154541Ssam ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 318154541Ssam kau_write(rec, tok); 319170530Ssam tok = au_to_arg32(3, "setsmask:as_failure", 320170530Ssam ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 321170530Ssam kau_write(rec, tok); 322170530Ssam break; 323170530Ssam 324170530Ssam case A_SETCOND: 325170530Ssam if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 326170530Ssam tok = au_to_arg64(3, "setcond", 327170530Ssam ar->ar_arg_auditon.au_cond); 328170530Ssam else 329170530Ssam tok = au_to_arg32(3, "setcond", 330170530Ssam ar->ar_arg_auditon.au_cond); 331170530Ssam kau_write(rec, tok); 332170530Ssam break; 333170530Ssam 334170530Ssam case A_SETCLASS: 335170530Ssam tok = au_to_arg32(2, "setclass:ec_event", 336170530Ssam ar->ar_arg_auditon.au_evclass.ec_number); 337170530Ssam kau_write(rec, tok); 338170530Ssam tok = au_to_arg32(3, "setclass:ec_class", 339170530Ssam ar->ar_arg_auditon.au_evclass.ec_class); 340138568Ssam kau_write(rec, tok); 341170530Ssam break; 342170530Ssam 343170530Ssam case A_SETPMASK: 344138568Ssam tok = au_to_arg32(2, "setpmask:as_success", 345138568Ssam ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 346138568Ssam kau_write(rec, tok); 347154541Ssam tok = au_to_arg32(2, "setpmask:as_failure", 348138568Ssam ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 349170530Ssam kau_write(rec, tok); 350170530Ssam break; 351138568Ssam 352170530Ssam case A_SETFSIZE: 353170530Ssam tok = au_to_arg32(2, "setfsize:filesize", 354170530Ssam ar->ar_arg_auditon.au_fstat.af_filesz); 355138568Ssam kau_write(rec, tok); 356170530Ssam break; 357170530Ssam 358170530Ssam default: 359170530Ssam break; 360170530Ssam } 361170530Ssam} 362170530Ssam 363170530Ssam/* 364170530Ssam * Convert an internal kernel audit record to a BSM record and return a 365170530Ssam * success/failure indicator. The BSM record is passed as an out parameter to 366170530Ssam * this function. 367170530Ssam * 368170530Ssam * Return conditions: 369170530Ssam * BSM_SUCCESS: The BSM record is valid 370170530Ssam * BSM_FAILURE: Failure; the BSM record is NULL. 371170530Ssam * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 372170530Ssam */ 373170530Ssamint 374170530Ssamkaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 375170530Ssam{ 376170530Ssam struct au_token *tok, *subj_tok; 377138568Ssam struct au_record *rec; 378138568Ssam au_tid_t tid; 379154541Ssam struct audit_record *ar; 380138568Ssam int ctr; 381170530Ssam 382154541Ssam KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 383170530Ssam 384154541Ssam *pau = NULL; 385154541Ssam ar = &kar->k_ar; 386154541Ssam rec = kau_open(); 387170530Ssam 388154541Ssam /* Create the subject token */ 389154541Ssam switch (ar->ar_subj_term_addr.at_type) { 390154541Ssam case AU_IPv4: 391154541Ssam tid.port = ar->ar_subj_term_addr.at_port; 392170530Ssam tid.machine = ar->ar_subj_term_addr.at_addr[0]; 393170530Ssam subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 394170530Ssam ar->ar_subj_cred.cr_uid, /* eff uid */ 395170530Ssam ar->ar_subj_egid, /* eff group id */ 396170530Ssam ar->ar_subj_ruid, /* real uid */ 397170530Ssam ar->ar_subj_rgid, /* real group id */ 398170530Ssam ar->ar_subj_pid, /* process id */ 399170530Ssam ar->ar_subj_asid, /* session ID */ 400154541Ssam &tid); 401154541Ssam break; 402154541Ssam case AU_IPv6: 403154541Ssam subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 404154541Ssam ar->ar_subj_cred.cr_uid, 405170530Ssam ar->ar_subj_egid, 406170530Ssam ar->ar_subj_ruid, 407154541Ssam ar->ar_subj_rgid, 408154541Ssam ar->ar_subj_pid, 409154541Ssam ar->ar_subj_asid, 410170530Ssam &ar->ar_subj_term_addr); 411154541Ssam break; 412170530Ssam default: 413170530Ssam bzero(&tid, sizeof(tid)); 414154541Ssam subj_tok = au_to_subject32(ar->ar_subj_auid, 415170530Ssam ar->ar_subj_cred.cr_uid, 416154541Ssam ar->ar_subj_egid, 417154541Ssam ar->ar_subj_ruid, 418154541Ssam ar->ar_subj_rgid, 419170530Ssam ar->ar_subj_pid, 420154541Ssam ar->ar_subj_asid, 421170530Ssam &tid); 422154541Ssam } 423170530Ssam 424170530Ssam /* 425154541Ssam * The logic inside each case fills in the tokens required for the 426170530Ssam * event, except for the header, trailer, and return tokens. The 427154541Ssam * header and trailer tokens are added by the kau_close() function. 428154541Ssam * The return token is added outside of the switch statement. 429170530Ssam */ 430154541Ssam switch(ar->ar_event) { 431154541Ssam case AUE_ACCEPT: 432170530Ssam case AUE_BIND: 433170530Ssam case AUE_CONNECT: 434170530Ssam case AUE_RECV: 435154541Ssam case AUE_RECVFROM: 436170530Ssam case AUE_RECVMSG: 437170530Ssam case AUE_SEND: 438170530Ssam case AUE_SENDFILE: 439170530Ssam case AUE_SENDMSG: 440170530Ssam case AUE_SENDTO: 441170530Ssam /* 442170530Ssam * Socket-related events. 443170530Ssam */ 444170530Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 445170530Ssam tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 446170530Ssam kau_write(rec, tok); 447170530Ssam } 448170530Ssam if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 449170530Ssam tok = au_to_sock_inet((struct sockaddr_in *) 450170530Ssam &ar->ar_arg_sockaddr); 451170530Ssam kau_write(rec, tok); 452170530Ssam } 453170530Ssam if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 454170530Ssam tok = au_to_sock_unix((struct sockaddr_un *) 455170530Ssam &ar->ar_arg_sockaddr); 456170530Ssam kau_write(rec, tok); 457170530Ssam UPATH1_TOKENS; 458170530Ssam } 459170530Ssam /* XXX Need to handle ARG_SADDRINET6 */ 460170530Ssam break; 461154541Ssam 462154541Ssam case AUE_SOCKET: 463154541Ssam case AUE_SOCKETPAIR: 464170530Ssam if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 465154541Ssam tok = au_to_arg32(1,"domain", 466154541Ssam ar->ar_arg_sockinfo.so_domain); 467154541Ssam kau_write(rec, tok); 468154541Ssam tok = au_to_arg32(2,"type", 469154541Ssam ar->ar_arg_sockinfo.so_type); 470170530Ssam kau_write(rec, tok); 471154541Ssam tok = au_to_arg32(3,"protocol", 472154541Ssam ar->ar_arg_sockinfo.so_protocol); 473167245Ssam kau_write(rec, tok); 474154541Ssam } 475154541Ssam break; 476154541Ssam 477154541Ssam case AUE_SETSOCKOPT: 478170530Ssam case AUE_SHUTDOWN: 479154541Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 480154541Ssam tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 481154541Ssam kau_write(rec, tok); 482154541Ssam } 483154541Ssam break; 484154541Ssam 485154541Ssam case AUE_ACCT: 486154541Ssam if (ARG_IS_VALID(kar, ARG_UPATH1)) { 487154541Ssam UPATH1_VNODE1_TOKENS; 488154541Ssam } else { 489154541Ssam tok = au_to_arg32(1, "accounting off", 0); 490154541Ssam kau_write(rec, tok); 491170530Ssam } 492154541Ssam break; 493154541Ssam 494154541Ssam case AUE_SETAUID: 495154541Ssam if (ARG_IS_VALID(kar, ARG_AUID)) { 496154541Ssam tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 497154541Ssam kau_write(rec, tok); 498154541Ssam } 499154541Ssam break; 500154541Ssam 501148845Ssam case AUE_SETAUDIT: 502148845Ssam if (ARG_IS_VALID(kar, ARG_AUID) && 503148845Ssam ARG_IS_VALID(kar, ARG_ASID) && 504148845Ssam ARG_IS_VALID(kar, ARG_AMASK) && 505148845Ssam ARG_IS_VALID(kar, ARG_TERMID)) { 506148845Ssam tok = au_to_arg32(1, "setaudit:auid", 507148845Ssam ar->ar_arg_auid); 508148845Ssam kau_write(rec, tok); 509148845Ssam tok = au_to_arg32(1, "setaudit:port", 510148845Ssam ar->ar_arg_termid.port); 511148845Ssam kau_write(rec, tok); 512148845Ssam tok = au_to_arg32(1, "setaudit:machine", 513170530Ssam ar->ar_arg_termid.machine); 514170530Ssam kau_write(rec, tok); 515148845Ssam tok = au_to_arg32(1, "setaudit:as_success", 516148845Ssam ar->ar_arg_amask.am_success); 517170530Ssam kau_write(rec, tok); 518170530Ssam tok = au_to_arg32(1, "setaudit:as_failure", 519148845Ssam ar->ar_arg_amask.am_failure); 520170530Ssam kau_write(rec, tok); 521148845Ssam tok = au_to_arg32(1, "setaudit:asid", 522148845Ssam ar->ar_arg_asid); 523138568Ssam kau_write(rec, tok); 524148845Ssam } 525138568Ssam break; 526148845Ssam 527138568Ssam case AUE_SETAUDIT_ADDR: 528148845Ssam if (ARG_IS_VALID(kar, ARG_AUID) && 529138568Ssam ARG_IS_VALID(kar, ARG_ASID) && 530148845Ssam ARG_IS_VALID(kar, ARG_AMASK) && 531148845Ssam ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 532148845Ssam tok = au_to_arg32(1, "setaudit_addr:auid", 533148845Ssam ar->ar_arg_auid); 534148845Ssam kau_write(rec, tok); 535148845Ssam tok = au_to_arg32(1, "setaudit_addr:as_success", 536148845Ssam ar->ar_arg_amask.am_success); 537148845Ssam kau_write(rec, tok); 538148845Ssam tok = au_to_arg32(1, "setaudit_addr:as_failure", 539148845Ssam ar->ar_arg_amask.am_failure); 540148845Ssam kau_write(rec, tok); 541148845Ssam tok = au_to_arg32(1, "setaudit_addr:asid", 542148845Ssam ar->ar_arg_asid); 543170530Ssam kau_write(rec, tok); 544148845Ssam tok = au_to_arg32(1, "setaudit_addr:type", 545148845Ssam ar->ar_arg_termid_addr.at_type); 546148845Ssam kau_write(rec, tok); 547148845Ssam tok = au_to_arg32(1, "setaudit_addr:port", 548148845Ssam ar->ar_arg_termid_addr.at_port); 549148845Ssam kau_write(rec, tok); 550148845Ssam if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 551148845Ssam tok = au_to_in_addr_ex((struct in6_addr *) 552148845Ssam &ar->ar_arg_termid_addr.at_addr[0]); 553148845Ssam if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 554148845Ssam tok = au_to_in_addr((struct in_addr *) 555170530Ssam &ar->ar_arg_termid_addr.at_addr[0]); 556148845Ssam kau_write(rec, tok); 557138568Ssam } 558138568Ssam break; 559138568Ssam 560138568Ssam case AUE_AUDITON: 561170530Ssam /* 562161146Ssam * For AUDITON commands without own event, audit the cmd. 563138568Ssam */ 564138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 565138568Ssam tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 566138568Ssam kau_write(rec, tok); 567138568Ssam } 568138568Ssam /* fall thru */ 569138568Ssam 570138568Ssam case AUE_AUDITON_GETCAR: 571170530Ssam case AUE_AUDITON_GETCLASS: 572138568Ssam case AUE_AUDITON_GETCOND: 573138568Ssam case AUE_AUDITON_GETCWD: 574138568Ssam case AUE_AUDITON_GETKMASK: 575138568Ssam case AUE_AUDITON_GETSTAT: 576138568Ssam case AUE_AUDITON_GPOLICY: 577138568Ssam case AUE_AUDITON_GQCTRL: 578138568Ssam case AUE_AUDITON_SETCLASS: 579167439Ssam case AUE_AUDITON_SETCOND: 580167439Ssam case AUE_AUDITON_SETKMASK: 581138568Ssam case AUE_AUDITON_SETSMASK: 582148845Ssam case AUE_AUDITON_SETSTAT: 583148845Ssam case AUE_AUDITON_SETUMASK: 584138568Ssam case AUE_AUDITON_SPOLICY: 585148845Ssam case AUE_AUDITON_SQCTRL: 586138568Ssam if (ARG_IS_VALID(kar, ARG_AUDITON)) 587138568Ssam audit_sys_auditon(ar, rec); 588138568Ssam break; 589138568Ssam 590148845Ssam case AUE_AUDITCTL: 591170530Ssam UPATH1_VNODE1_TOKENS; 592170530Ssam break; 593170530Ssam 594170530Ssam case AUE_EXIT: 595170530Ssam if (ARG_IS_VALID(kar, ARG_EXIT)) { 596170530Ssam tok = au_to_exit(ar->ar_arg_exitretval, 597148845Ssam ar->ar_arg_exitstatus); 598148845Ssam kau_write(rec, tok); 599170530Ssam } 600148845Ssam break; 601138568Ssam 602138568Ssam case AUE_ADJTIME: 603138568Ssam case AUE_CLOCK_SETTIME: 604161146Ssam case AUE_AUDIT: 605161146Ssam case AUE_DUP2: 606138568Ssam case AUE_GETAUDIT: 607148845Ssam case AUE_GETAUDIT_ADDR: 608161146Ssam case AUE_GETAUID: 609161146Ssam case AUE_GETCWD: 610148845Ssam case AUE_GETFSSTAT: 611138568Ssam case AUE_GETRESUID: 612138568Ssam case AUE_GETRESGID: 613148845Ssam case AUE_KQUEUE: 614161146Ssam case AUE_LSEEK: 615161146Ssam case AUE_MODLOAD: 616161146Ssam case AUE_MODUNLOAD: 617161146Ssam case AUE_MSGSYS: 618148845Ssam case AUE_NFS_SVC: 619148845Ssam case AUE_NTP_ADJTIME: 620148845Ssam case AUE_PIPE: 621148845Ssam case AUE_PROFILE: 622148845Ssam case AUE_RTPRIO: 623148845Ssam case AUE_SEMSYS: 624161146Ssam case AUE_SHMSYS: 625161146Ssam case AUE_SETPGRP: 626161146Ssam case AUE_SETRLIMIT: 627161146Ssam case AUE_SETSID: 628148845Ssam case AUE_SETTIMEOFDAY: 629161146Ssam case AUE_SYSARCH: 630161146Ssam 631161146Ssam /* 632161146Ssam * Header, subject, and return tokens added at end. 633148845Ssam */ 634170530Ssam break; 635148845Ssam 636148845Ssam case AUE_MKFIFO: 637148845Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 638161146Ssam tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 639161146Ssam kau_write(rec, tok); 640161146Ssam } 641138568Ssam /* fall through */ 642138568Ssam case AUE_ACCESS: 643138568Ssam case AUE_CHDIR: 644138568Ssam case AUE_CHROOT: 645161146Ssam case AUE_EACCESS: 646161146Ssam case AUE_GETATTRLIST: 647170530Ssam case AUE_JAIL: 648161146Ssam case AUE_LUTIMES: 649161146Ssam case AUE_NFS_GETFH: 650161146Ssam case AUE_LSTAT: 651161146Ssam case AUE_PATHCONF: 652161146Ssam case AUE_READLINK: 653161146Ssam case AUE_REVOKE: 654161146Ssam case AUE_RMDIR: 655161146Ssam case AUE_SEARCHFS: 656161146Ssam case AUE_SETATTRLIST: 657161146Ssam case AUE_STAT: 658161146Ssam case AUE_STATFS: 659161146Ssam case AUE_SWAPON: 660161146Ssam case AUE_SWAPOFF: 661170530Ssam case AUE_TRUNCATE: 662170530Ssam case AUE_UNDELETE: 663161146Ssam case AUE_UNLINK: 664161146Ssam case AUE_UTIMES: 665161146Ssam UPATH1_VNODE1_TOKENS; 666161146Ssam break; 667161146Ssam 668161146Ssam case AUE_FHSTATFS: 669161146Ssam case AUE_FHOPEN: 670161146Ssam case AUE_FHSTAT: 671161146Ssam /* XXXRW: Need to audit vnode argument. */ 672161146Ssam break; 673161146Ssam 674161146Ssam case AUE_CHFLAGS: 675161146Ssam case AUE_LCHFLAGS: 676161146Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 677161146Ssam tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 678161146Ssam kau_write(rec, tok); 679161146Ssam } 680138568Ssam UPATH1_VNODE1_TOKENS; 681138568Ssam break; 682138568Ssam 683138568Ssam case AUE_CHMOD: 684138568Ssam case AUE_LCHMOD: 685138568Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 686138568Ssam tok = au_to_arg32(2, "new file mode", 687138568Ssam ar->ar_arg_mode); 688138568Ssam kau_write(rec, tok); 689138568Ssam } 690138568Ssam UPATH1_VNODE1_TOKENS; 691140753Ssam break; 692138568Ssam 693138568Ssam case AUE_CHOWN: 694138568Ssam case AUE_LCHOWN: 695138568Ssam if (ARG_IS_VALID(kar, ARG_UID)) { 696138568Ssam tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 697138568Ssam kau_write(rec, tok); 698138568Ssam } 699138568Ssam if (ARG_IS_VALID(kar, ARG_GID)) { 700138568Ssam tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 701138568Ssam kau_write(rec, tok); 702138568Ssam } 703138568Ssam UPATH1_VNODE1_TOKENS; 704138568Ssam break; 705138568Ssam 706138568Ssam case AUE_EXCHANGEDATA: 707138568Ssam UPATH1_VNODE1_TOKENS; 708138568Ssam UPATH2_TOKENS; 709138568Ssam break; 710138568Ssam 711138568Ssam case AUE_CLOSE: 712138568Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 713138568Ssam tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 714138568Ssam kau_write(rec, tok); 715138568Ssam } 716138568Ssam UPATH1_VNODE1_TOKENS; 717138568Ssam break; 718138568Ssam 719138568Ssam case AUE_EXTATTRCTL: 720138568Ssam UPATH1_VNODE1_TOKENS; 721138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 722138568Ssam tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 723138568Ssam kau_write(rec, tok); 724138568Ssam } 725138568Ssam /* extattrctl(2) filename parameter is in upath2/vnode2 */ 726138568Ssam UPATH2_TOKENS; 727138568Ssam VNODE2_TOKENS; 728138568Ssam EXTATTR_TOKENS; 729138568Ssam break; 730138568Ssam 731138568Ssam case AUE_EXTATTR_GET_FILE: 732138568Ssam case AUE_EXTATTR_SET_FILE: 733138568Ssam case AUE_EXTATTR_LIST_FILE: 734138568Ssam case AUE_EXTATTR_DELETE_FILE: 735138568Ssam case AUE_EXTATTR_GET_LINK: 736138568Ssam case AUE_EXTATTR_SET_LINK: 737138568Ssam case AUE_EXTATTR_LIST_LINK: 738138568Ssam case AUE_EXTATTR_DELETE_LINK: 739138568Ssam UPATH1_VNODE1_TOKENS; 740138568Ssam EXTATTR_TOKENS; 741138568Ssam break; 742149028Ssam 743149028Ssam case AUE_EXTATTR_GET_FD: 744149028Ssam case AUE_EXTATTR_SET_FD: 745149028Ssam case AUE_EXTATTR_LIST_FD: 746149028Ssam case AUE_EXTATTR_DELETE_FD: 747149028Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 748149028Ssam tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 749149028Ssam kau_write(rec, tok); 750143110Swpaul } 751170530Ssam EXTATTR_TOKENS; 752170530Ssam break; 753170530Ssam 754170530Ssam case AUE_EXECVE: 755170530Ssam if (ARG_IS_VALID(kar, ARG_ARGV)) { 756170530Ssam tok = au_to_exec_args(ar->ar_arg_argv, 757170530Ssam ar->ar_arg_argc); 758170530Ssam kau_write(rec, tok); 759170530Ssam } 760170530Ssam if (ARG_IS_VALID(kar, ARG_ENVV)) { 761170530Ssam tok = au_to_exec_env(ar->ar_arg_envv, 762170530Ssam ar->ar_arg_envc); 763170530Ssam kau_write(rec, tok); 764170530Ssam } 765170530Ssam UPATH1_VNODE1_TOKENS; 766170530Ssam break; 767170530Ssam 768170530Ssam case AUE_FCHMOD: 769170530Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 770170530Ssam tok = au_to_arg32(2, "new file mode", 771170530Ssam ar->ar_arg_mode); 772170530Ssam kau_write(rec, tok); 773143110Swpaul } 774143110Swpaul FD_VNODE1_TOKENS; 775143110Swpaul break; 776143110Swpaul 777143110Swpaul /* 778143110Swpaul * XXXRW: Some of these need to handle non-vnode cases as well. 779143110Swpaul */ 780143110Swpaul case AUE_FCHDIR: 781143110Swpaul case AUE_FPATHCONF: 782143110Swpaul case AUE_FSTAT: 783143110Swpaul case AUE_FSTATFS: 784143110Swpaul case AUE_FSYNC: 785143110Swpaul case AUE_FTRUNCATE: 786143110Swpaul case AUE_FUTIMES: 787143110Swpaul case AUE_GETDIRENTRIES: 788143110Swpaul case AUE_GETDIRENTRIESATTR: 789143110Swpaul case AUE_POLL: 790143110Swpaul case AUE_READ: 791138568Ssam case AUE_READV: 792138568Ssam case AUE_WRITE: 793138568Ssam case AUE_WRITEV: 794138568Ssam FD_VNODE1_TOKENS; 795116742Ssam break; 796138568Ssam 797170530Ssam case AUE_FCHOWN: 798116742Ssam if (ARG_IS_VALID(kar, ARG_UID)) { 799116742Ssam tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 800138568Ssam kau_write(rec, tok); 801138568Ssam } 802138568Ssam if (ARG_IS_VALID(kar, ARG_GID)) { 803138568Ssam tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 804138568Ssam kau_write(rec, tok); 805170530Ssam } 806170530Ssam FD_VNODE1_TOKENS; 807138568Ssam break; 808138568Ssam 809138568Ssam case AUE_FCNTL: 810138568Ssam if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 811138568Ssam ar->ar_arg_cmd == F_SETLKW) { 812138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 813138568Ssam tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 814138568Ssam kau_write(rec, tok); 815116742Ssam } 816138568Ssam FD_VNODE1_TOKENS; 817138568Ssam } 818138568Ssam break; 819138568Ssam 820138568Ssam case AUE_FCHFLAGS: 821138568Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 822138568Ssam tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 823138568Ssam kau_write(rec, tok); 824138568Ssam } 825138568Ssam FD_VNODE1_TOKENS; 826138568Ssam break; 827138568Ssam 828138568Ssam case AUE_FLOCK: 829138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 830138568Ssam tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 831138568Ssam kau_write(rec, tok); 832138568Ssam } 833164033Srwatson FD_VNODE1_TOKENS; 834138568Ssam break; 835138568Ssam 836138568Ssam case AUE_RFORK: 837138568Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 838138568Ssam tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 839138568Ssam kau_write(rec, tok); 840138568Ssam } 841138568Ssam /* fall through */ 842138568Ssam case AUE_FORK: 843138568Ssam case AUE_VFORK: 844138568Ssam if (ARG_IS_VALID(kar, ARG_PID)) { 845138568Ssam tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 846138568Ssam kau_write(rec, tok); 847138568Ssam } 848138568Ssam break; 849138568Ssam 850138568Ssam case AUE_IOCTL: 851138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 852138568Ssam tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 853138568Ssam kau_write(rec, tok); 854148936Ssam } 855138568Ssam if (ARG_IS_VALID(kar, ARG_ADDR)) { 856138568Ssam tok = au_to_arg32(1, "arg", 857138568Ssam (u_int32_t)(uintptr_t)ar->ar_arg_addr); 858138568Ssam kau_write(rec, tok); 859138568Ssam } 860138568Ssam if (ARG_IS_VALID(kar, ARG_VNODE1)) 861138568Ssam FD_VNODE1_TOKENS; 862138568Ssam else { 863138568Ssam if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 864138568Ssam tok = kau_to_socket(&ar->ar_arg_sockinfo); 865138568Ssam kau_write(rec, tok); 866138568Ssam } else { 867138568Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 868138568Ssam tok = au_to_arg32(1, "fd", 869138568Ssam ar->ar_arg_fd); 870138568Ssam kau_write(rec, tok); 871138568Ssam } 872138568Ssam } 873138568Ssam } 874138568Ssam break; 875138568Ssam 876138568Ssam case AUE_KILL: 877138568Ssam case AUE_KILLPG: 878138568Ssam if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 879138568Ssam tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 880138568Ssam kau_write(rec, tok); 881138568Ssam } 882138568Ssam PROCESS_PID_TOKENS(1); 883138568Ssam break; 884138568Ssam 885138568Ssam case AUE_KTRACE: 886138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 887138568Ssam tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 888138568Ssam kau_write(rec, tok); 889138568Ssam } 890138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 891138568Ssam tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 892138568Ssam kau_write(rec, tok); 893138568Ssam } 894138568Ssam PROCESS_PID_TOKENS(4); 895138568Ssam UPATH1_VNODE1_TOKENS; 896138568Ssam break; 897138568Ssam 898138568Ssam case AUE_LINK: 899138568Ssam case AUE_RENAME: 900138568Ssam UPATH1_VNODE1_TOKENS; 901138568Ssam UPATH2_TOKENS; 902138568Ssam break; 903116742Ssam 904116742Ssam case AUE_LOADSHFILE: 905138568Ssam if (ARG_IS_VALID(kar, ARG_ADDR)) { 906138568Ssam tok = au_to_arg32(4, "base addr", 907116742Ssam (u_int32_t)(uintptr_t)ar->ar_arg_addr); 908138568Ssam kau_write(rec, tok); 909138568Ssam } 910116742Ssam UPATH1_VNODE1_TOKENS; 911138568Ssam break; 912138568Ssam 913116742Ssam case AUE_MKDIR: 914138568Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 915138568Ssam tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 916138568Ssam kau_write(rec, tok); 917138568Ssam } 918138568Ssam UPATH1_VNODE1_TOKENS; 919138568Ssam break; 920138568Ssam 921138568Ssam case AUE_MKNOD: 922138568Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 923138568Ssam tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 924138568Ssam kau_write(rec, tok); 925138568Ssam } 926138568Ssam if (ARG_IS_VALID(kar, ARG_DEV)) { 927138568Ssam tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 928138568Ssam kau_write(rec, tok); 929138568Ssam } 930138568Ssam UPATH1_VNODE1_TOKENS; 931138568Ssam break; 932138568Ssam 933138568Ssam case AUE_MMAP: 934138568Ssam case AUE_MUNMAP: 935138568Ssam case AUE_MPROTECT: 936138568Ssam case AUE_MLOCK: 937138568Ssam case AUE_MUNLOCK: 938138568Ssam case AUE_MINHERIT: 939138568Ssam if (ARG_IS_VALID(kar, ARG_ADDR)) { 940138568Ssam tok = au_to_arg32(1, "addr", 941138568Ssam (u_int32_t)(uintptr_t)ar->ar_arg_addr); 942138568Ssam kau_write(rec, tok); 943138568Ssam } 944138568Ssam if (ARG_IS_VALID(kar, ARG_LEN)) { 945138568Ssam tok = au_to_arg32(2, "len", ar->ar_arg_len); 946138568Ssam kau_write(rec, tok); 947138568Ssam } 948138568Ssam if (ar->ar_event == AUE_MMAP) 949138568Ssam FD_VNODE1_TOKENS; 950138568Ssam if (ar->ar_event == AUE_MPROTECT) { 951138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 952138568Ssam tok = au_to_arg32(3, "protection", 953138568Ssam ar->ar_arg_value); 954138568Ssam kau_write(rec, tok); 955138568Ssam } 956138568Ssam } 957138568Ssam if (ar->ar_event == AUE_MINHERIT) { 958138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 959138568Ssam tok = au_to_arg32(3, "inherit", 960138568Ssam ar->ar_arg_value); 961138568Ssam kau_write(rec, tok); 962138568Ssam } 963138568Ssam } 964138568Ssam break; 965138568Ssam 966138568Ssam case AUE_MOUNT: 967170530Ssam case AUE_NMOUNT: 968138568Ssam /* XXX Need to handle NFS mounts */ 969170530Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 970170530Ssam tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 971170530Ssam kau_write(rec, tok); 972154541Ssam } 973154541Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 974154541Ssam tok = au_to_text(ar->ar_arg_text); 975154541Ssam kau_write(rec, tok); 976154541Ssam } 977138568Ssam /* fall through */ 978138568Ssam 979138568Ssam case AUE_UMOUNT: 980138568Ssam UPATH1_VNODE1_TOKENS; 981138568Ssam break; 982138568Ssam 983138568Ssam case AUE_MSGCTL: 984138568Ssam ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 985138568Ssam /* Fall through */ 986138568Ssam 987138568Ssam case AUE_MSGRCV: 988138568Ssam case AUE_MSGSND: 989161146Ssam tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 990161146Ssam kau_write(rec, tok); 991161146Ssam if (ar->ar_errno != EINVAL) { 992161146Ssam tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 993161146Ssam kau_write(rec, tok); 994138568Ssam } 995138568Ssam break; 996138568Ssam 997138568Ssam case AUE_MSGGET: 998138568Ssam if (ar->ar_errno == 0) { 999138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1000138568Ssam tok = au_to_ipc(AT_IPC_MSG, 1001138568Ssam ar->ar_arg_svipc_id); 1002138568Ssam kau_write(rec, tok); 1003138568Ssam } 1004138568Ssam } 1005138568Ssam break; 1006138568Ssam 1007138568Ssam case AUE_RESETSHFILE: 1008138568Ssam if (ARG_IS_VALID(kar, ARG_ADDR)) { 1009138568Ssam tok = au_to_arg32(1, "base addr", 1010138568Ssam (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1011138568Ssam kau_write(rec, tok); 1012147794Ssam } 1013147794Ssam break; 1014147794Ssam 1015170530Ssam case AUE_OPEN_RC: 1016170530Ssam case AUE_OPEN_RTC: 1017170530Ssam case AUE_OPEN_RWC: 1018170530Ssam case AUE_OPEN_RWTC: 1019170530Ssam case AUE_OPEN_WC: 1020170530Ssam case AUE_OPEN_WTC: 1021170530Ssam case AUE_CREAT: 1022170530Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 1023170530Ssam tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1024170530Ssam kau_write(rec, tok); 1025170530Ssam } 1026170530Ssam /* fall through */ 1027170530Ssam 1028170530Ssam case AUE_OPEN_R: 1029170530Ssam case AUE_OPEN_RT: 1030170530Ssam case AUE_OPEN_RW: 1031170530Ssam case AUE_OPEN_RWT: 1032170530Ssam case AUE_OPEN_W: 1033170530Ssam case AUE_OPEN_WT: 1034170530Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1035170530Ssam tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1036170530Ssam kau_write(rec, tok); 1037170530Ssam } 1038170530Ssam UPATH1_VNODE1_TOKENS; 1039170530Ssam break; 1040170530Ssam 1041170530Ssam case AUE_PTRACE: 1042170530Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 1043170530Ssam tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1044170530Ssam kau_write(rec, tok); 1045170530Ssam } 1046170530Ssam if (ARG_IS_VALID(kar, ARG_ADDR)) { 1047170530Ssam tok = au_to_arg32(3, "addr", 1048170530Ssam (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1049170530Ssam kau_write(rec, tok); 1050170530Ssam } 1051153346Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 1052153346Ssam tok = au_to_arg32(4, "data", ar->ar_arg_value); 1053153346Ssam kau_write(rec, tok); 1054148292Ssam } 1055148292Ssam PROCESS_PID_TOKENS(2); 1056148292Ssam break; 1057149028Ssam 1058149028Ssam case AUE_QUOTACTL: 1059149028Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 1060153421Ssam tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1061153421Ssam kau_write(rec, tok); 1062153421Ssam } 1063160686Ssam if (ARG_IS_VALID(kar, ARG_UID)) { 1064160686Ssam tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1065160686Ssam kau_write(rec, tok); 1066170530Ssam } 1067170530Ssam UPATH1_VNODE1_TOKENS; 1068170530Ssam break; 1069170530Ssam 1070170530Ssam case AUE_REBOOT: 1071170530Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 1072170530Ssam tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1073170530Ssam kau_write(rec, tok); 1074170530Ssam } 1075170530Ssam break; 1076170530Ssam 1077170530Ssam case AUE_SEMCTL: 1078170530Ssam ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 1079170530Ssam /* Fall through */ 1080170530Ssam 1081170530Ssam case AUE_SEMOP: 1082170530Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1083170530Ssam tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1084170530Ssam kau_write(rec, tok); 1085170530Ssam if (ar->ar_errno != EINVAL) { 1086170530Ssam tok = au_to_ipc(AT_IPC_SEM, 1087170530Ssam ar->ar_arg_svipc_id); 1088170530Ssam kau_write(rec, tok); 1089170530Ssam } 1090170530Ssam } 1091170530Ssam break; 1092170530Ssam 1093170530Ssam case AUE_SEMGET: 1094170530Ssam if (ar->ar_errno == 0) { 1095170530Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1096170530Ssam tok = au_to_ipc(AT_IPC_SEM, 1097170530Ssam ar->ar_arg_svipc_id); 1098170530Ssam kau_write(rec, tok); 1099170530Ssam } 1100170530Ssam } 1101170530Ssam break; 1102170530Ssam 1103170530Ssam case AUE_SETEGID: 1104170530Ssam if (ARG_IS_VALID(kar, ARG_EGID)) { 1105170530Ssam tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1106170530Ssam kau_write(rec, tok); 1107170530Ssam } 1108138568Ssam break; 1109138568Ssam 1110138568Ssam case AUE_SETEUID: 1111138568Ssam if (ARG_IS_VALID(kar, ARG_EUID)) { 1112138568Ssam tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1113138568Ssam kau_write(rec, tok); 1114138568Ssam } 1115138568Ssam break; 1116138568Ssam 1117138568Ssam case AUE_SETREGID: 1118138568Ssam if (ARG_IS_VALID(kar, ARG_RGID)) { 1119155862Ssam tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1120138568Ssam kau_write(rec, tok); 1121138568Ssam } 1122138568Ssam if (ARG_IS_VALID(kar, ARG_EGID)) { 1123138568Ssam tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1124138568Ssam kau_write(rec, tok); 1125138568Ssam } 1126138568Ssam break; 1127138568Ssam 1128138568Ssam case AUE_SETREUID: 1129138568Ssam if (ARG_IS_VALID(kar, ARG_RUID)) { 1130138568Ssam tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1131170530Ssam kau_write(rec, tok); 1132170530Ssam } 1133155862Ssam if (ARG_IS_VALID(kar, ARG_EUID)) { 1134155862Ssam tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1135155862Ssam kau_write(rec, tok); 1136155862Ssam } 1137155862Ssam break; 1138155862Ssam 1139155862Ssam case AUE_SETRESGID: 1140155862Ssam if (ARG_IS_VALID(kar, ARG_RGID)) { 1141155862Ssam tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1142155862Ssam kau_write(rec, tok); 1143155862Ssam } 1144155862Ssam if (ARG_IS_VALID(kar, ARG_EGID)) { 1145155862Ssam tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1146138568Ssam kau_write(rec, tok); 1147155862Ssam } 1148138568Ssam if (ARG_IS_VALID(kar, ARG_SGID)) { 1149138568Ssam tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1150155862Ssam kau_write(rec, tok); 1151155862Ssam } 1152138568Ssam break; 1153138568Ssam 1154138568Ssam case AUE_SETRESUID: 1155138568Ssam if (ARG_IS_VALID(kar, ARG_RUID)) { 1156138568Ssam tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1157138568Ssam kau_write(rec, tok); 1158138568Ssam } 1159138568Ssam if (ARG_IS_VALID(kar, ARG_EUID)) { 1160138568Ssam tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1161170530Ssam kau_write(rec, tok); 1162138568Ssam } 1163138568Ssam if (ARG_IS_VALID(kar, ARG_SUID)) { 1164138568Ssam tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1165138568Ssam kau_write(rec, tok); 1166138568Ssam } 1167138568Ssam break; 1168138568Ssam 1169138568Ssam case AUE_SETGID: 1170138568Ssam if (ARG_IS_VALID(kar, ARG_GID)) { 1171138568Ssam tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1172138568Ssam kau_write(rec, tok); 1173138568Ssam } 1174138568Ssam break; 1175138568Ssam 1176138568Ssam case AUE_SETUID: 1177138568Ssam if (ARG_IS_VALID(kar, ARG_UID)) { 1178138568Ssam tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1179147775Ssam kau_write(rec, tok); 1180147775Ssam } 1181147775Ssam break; 1182138568Ssam 1183147775Ssam case AUE_SETGROUPS: 1184138568Ssam if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1185140753Ssam for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1186138568Ssam { 1187138568Ssam tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1188138568Ssam kau_write(rec, tok); 1189138568Ssam } 1190138568Ssam } 1191138568Ssam break; 1192138568Ssam 1193138568Ssam case AUE_SETLOGIN: 1194155885Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 1195155885Ssam tok = au_to_text(ar->ar_arg_text); 1196155885Ssam kau_write(rec, tok); 1197155885Ssam } 1198155885Ssam break; 1199155885Ssam 1200138568Ssam case AUE_SETPRIORITY: 1201138568Ssam if (ARG_IS_VALID(kar, ARG_CMD)) { 1202138568Ssam tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1203138568Ssam kau_write(rec, tok); 1204144960Ssam } 1205138568Ssam if (ARG_IS_VALID(kar, ARG_UID)) { 1206138568Ssam tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1207138568Ssam kau_write(rec, tok); 1208138568Ssam } 1209138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 1210138568Ssam tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1211138568Ssam kau_write(rec, tok); 1212138568Ssam } 1213138568Ssam break; 1214138568Ssam 1215138568Ssam case AUE_SETPRIVEXEC: 1216138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 1217138568Ssam tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1218138568Ssam kau_write(rec, tok); 1219138568Ssam } 1220138568Ssam break; 1221138568Ssam 1222138568Ssam /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1223138568Ssam case AUE_SHMAT: 1224138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1225138568Ssam tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1226138568Ssam kau_write(rec, tok); 1227138568Ssam /* XXXAUDIT: Does having the ipc token make sense? */ 1228138568Ssam tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1229138568Ssam kau_write(rec, tok); 1230138568Ssam } 1231138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1232138568Ssam tok = au_to_arg32(2, "shmaddr", 1233138568Ssam (int)(uintptr_t)ar->ar_arg_svipc_addr); 1234138568Ssam kau_write(rec, tok); 1235138568Ssam } 1236138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1237138568Ssam tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1238170530Ssam kau_write(rec, tok); 1239170530Ssam } 1240138568Ssam break; 1241138568Ssam 1242147775Ssam case AUE_SHMCTL: 1243147775Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1244147775Ssam tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1245147775Ssam kau_write(rec, tok); 1246147775Ssam /* XXXAUDIT: Does having the ipc token make sense? */ 1247147775Ssam tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1248147775Ssam kau_write(rec, tok); 1249147775Ssam } 1250147775Ssam switch (ar->ar_arg_svipc_cmd) { 1251147775Ssam case IPC_STAT: 1252147775Ssam ar->ar_event = AUE_SHMCTL_STAT; 1253138568Ssam break; 1254148863Ssam case IPC_RMID: 1255138568Ssam ar->ar_event = AUE_SHMCTL_RMID; 1256138568Ssam break; 1257138568Ssam case IPC_SET: 1258138568Ssam ar->ar_event = AUE_SHMCTL_SET; 1259138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1260138568Ssam tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1261138568Ssam kau_write(rec, tok); 1262138568Ssam } 1263138568Ssam break; 1264138568Ssam default: 1265138568Ssam break; /* We will audit a bad command */ 1266138568Ssam } 1267138568Ssam break; 1268138568Ssam 1269138568Ssam case AUE_SHMDT: 1270138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1271138568Ssam tok = au_to_arg32(1, "shmaddr", 1272138568Ssam (int)(uintptr_t)ar->ar_arg_svipc_addr); 1273138568Ssam kau_write(rec, tok); 1274138568Ssam } 1275138568Ssam break; 1276138568Ssam 1277138568Ssam case AUE_SHMGET: 1278138568Ssam /* This is unusual; the return value is in an argument token */ 1279138568Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1280138568Ssam tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1281170530Ssam kau_write(rec, tok); 1282170530Ssam tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1283170530Ssam kau_write(rec, tok); 1284170530Ssam } 1285170530Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1286170530Ssam tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1287170530Ssam kau_write(rec, tok); 1288170530Ssam } 1289170530Ssam break; 1290170530Ssam 1291170530Ssam /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1292170530Ssam * and AUE_SEMUNLINK are Posix IPC */ 1293170530Ssam case AUE_SHMOPEN: 1294170530Ssam if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1295170530Ssam tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1296170530Ssam kau_write(rec, tok); 1297170530Ssam } 1298170530Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 1299170530Ssam tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1300170530Ssam kau_write(rec, tok); 1301170530Ssam } 1302170530Ssam case AUE_SHMUNLINK: 1303170530Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 1304170530Ssam tok = au_to_text(ar->ar_arg_text); 1305170530Ssam kau_write(rec, tok); 1306170530Ssam } 1307138568Ssam if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1308138568Ssam /* Create an ipc_perm token */ 1309138568Ssam struct ipc_perm perm; 1310138568Ssam perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1311138568Ssam perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1312138568Ssam perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1313138568Ssam perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1314138568Ssam perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1315138568Ssam perm.seq = 0; 1316138568Ssam perm.key = 0; 1317138568Ssam tok = au_to_ipc_perm(&perm); 1318138568Ssam kau_write(rec, tok); 1319138568Ssam } 1320138568Ssam break; 1321170530Ssam 1322170530Ssam case AUE_SEMOPEN: 1323170530Ssam if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1324138568Ssam tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1325170530Ssam kau_write(rec, tok); 1326170530Ssam } 1327170530Ssam if (ARG_IS_VALID(kar, ARG_MODE)) { 1328170530Ssam tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1329170530Ssam kau_write(rec, tok); 1330170530Ssam } 1331170530Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 1332170530Ssam tok = au_to_arg32(4, "value", ar->ar_arg_value); 1333170530Ssam kau_write(rec, tok); 1334138568Ssam } 1335170530Ssam /* fall through */ 1336138568Ssam 1337138568Ssam case AUE_SEMUNLINK: 1338138568Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 1339138568Ssam tok = au_to_text(ar->ar_arg_text); 1340138568Ssam kau_write(rec, tok); 1341138568Ssam } 1342138568Ssam if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1343116742Ssam /* Create an ipc_perm token */ 1344138568Ssam struct ipc_perm perm; 1345138568Ssam perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1346138568Ssam perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1347140753Ssam perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1348138568Ssam perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1349138568Ssam perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1350138568Ssam perm.seq = 0; 1351138568Ssam perm.key = 0; 1352138568Ssam tok = au_to_ipc_perm(&perm); 1353140753Ssam kau_write(rec, tok); 1354138568Ssam } 1355138568Ssam break; 1356116742Ssam 1357138568Ssam case AUE_SEMCLOSE: 1358138568Ssam if (ARG_IS_VALID(kar, ARG_FD)) { 1359138568Ssam tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1360138568Ssam kau_write(rec, tok); 1361138568Ssam } 1362138568Ssam break; 1363138568Ssam 1364138568Ssam case AUE_SYMLINK: 1365140753Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 1366138568Ssam tok = au_to_text(ar->ar_arg_text); 1367138568Ssam kau_write(rec, tok); 1368138568Ssam } 1369148302Ssam UPATH1_VNODE1_TOKENS; 1370138568Ssam break; 1371148302Ssam 1372138568Ssam case AUE_SYSCTL: 1373138568Ssam if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1374138568Ssam for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1375138568Ssam tok = au_to_arg32(1, "name", 1376138568Ssam ar->ar_arg_ctlname[ctr]); 1377138568Ssam kau_write(rec, tok); 1378138568Ssam } 1379138568Ssam } 1380138568Ssam if (ARG_IS_VALID(kar, ARG_VALUE)) { 1381138568Ssam tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1382138568Ssam kau_write(rec, tok); 1383170530Ssam } 1384138568Ssam if (ARG_IS_VALID(kar, ARG_TEXT)) { 1385138568Ssam tok = au_to_text(ar->ar_arg_text); 1386138568Ssam kau_write(rec, tok); 1387138568Ssam } 1388138568Ssam break; 1389138568Ssam 1390138568Ssam case AUE_UMASK: 1391138568Ssam if (ARG_IS_VALID(kar, ARG_MASK)) { 1392138568Ssam tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1393138568Ssam kau_write(rec, tok); 1394138568Ssam } 1395138568Ssam tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1396138568Ssam kau_write(rec, tok); 1397138568Ssam break; 1398138568Ssam 1399138568Ssam case AUE_WAIT4: 1400138568Ssam if (ARG_IS_VALID(kar, ARG_PID)) { 1401138568Ssam tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1402138568Ssam kau_write(rec, tok); 1403138568Ssam } 1404138568Ssam break; 1405138568Ssam 1406149028Ssam case AUE_NULL: 1407138568Ssam default: 1408138568Ssam printf("BSM conversion requested for unknown event %d\n", 1409138568Ssam ar->ar_event); 1410138568Ssam /* Write the subject token so it is properly freed here. */ 1411138568Ssam kau_write(rec, subj_tok); 1412138568Ssam kau_free(rec); 1413138568Ssam return (BSM_NOAUDIT); 1414138568Ssam } 1415138568Ssam 1416138568Ssam kau_write(rec, subj_tok); 1417138568Ssam tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1418138568Ssam kau_write(rec, tok); /* Every record gets a return token */ 1419138568Ssam 1420138568Ssam kau_close(rec, &ar->ar_endtime, ar->ar_event); 1421138568Ssam 1422138568Ssam *pau = rec; 1423138568Ssam return (BSM_SUCCESS); 1424138568Ssam} 1425138568Ssam 1426138568Ssam/* 1427138568Ssam * Verify that a record is a valid BSM record. This verification is simple 1428138568Ssam * now, but may be expanded on sometime in the future. Return 1 if the 1429138568Ssam * record is good, 0 otherwise. 1430138568Ssam */ 1431138568Ssamint 1432138568Ssambsm_rec_verify(void *rec) 1433138568Ssam{ 1434149028Ssam char c = *(char *)rec; 1435149028Ssam 1436149028Ssam /* 1437149028Ssam * Check the token ID of the first token; it has to be a header 1438138568Ssam * token. 1439138568Ssam * 1440138568Ssam * XXXAUDIT There needs to be a token structure to map a token. 1441138568Ssam * XXXAUDIT 'Shouldn't be simply looking at the first char. 1442138568Ssam */ 1443138568Ssam if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1444138568Ssam (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1445138568Ssam return (0); 1446138568Ssam return (1); 1447170530Ssam} 1448138568Ssam