audit_bsm.c revision 182158
1/* 2 * Copyright (c) 1999-2005 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 182158 2008-08-25 13:50:01Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 117 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 118 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 119 120 tm.tv_usec = ctime->tv_nsec / 1000; 121 tm.tv_sec = ctime->tv_sec; 122 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 123 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 124 125 trail = au_to_trailer(tot_rec_size); 126 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 127 128 rec->len = tot_rec_size; 129 dptr = rec->data; 130 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 131 memcpy(dptr, cur->t_data, cur->len); 132 dptr += cur->len; 133 } 134} 135 136/* 137 * Free a BSM audit record by releasing all the tokens and clearing the audit 138 * record information. 139 */ 140void 141kau_free(struct au_record *rec) 142{ 143 struct au_token *tok; 144 145 /* Free the token list. */ 146 while ((tok = TAILQ_FIRST(&rec->token_q))) { 147 TAILQ_REMOVE(&rec->token_q, tok, tokens); 148 free(tok->t_data, M_AUDITBSM); 149 free(tok, M_AUDITBSM); 150 } 151 152 rec->used = 0; 153 rec->len = 0; 154 free(rec->data, M_AUDITBSM); 155 free(rec, M_AUDITBSM); 156} 157 158/* 159 * XXX: May want turn some (or all) of these macros into functions in order 160 * to reduce the generated code size. 161 * 162 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 163 * caller are OK with this. 164 */ 165#define UPATH1_TOKENS do { \ 166 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 167 tok = au_to_path(ar->ar_arg_upath1); \ 168 kau_write(rec, tok); \ 169 } \ 170} while (0) 171 172#define UPATH2_TOKENS do { \ 173 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 174 tok = au_to_path(ar->ar_arg_upath2); \ 175 kau_write(rec, tok); \ 176 } \ 177} while (0) 178 179#define VNODE1_TOKENS do { \ 180 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 181 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 182 kau_write(rec, tok); \ 183 } \ 184} while (0) 185 186#define UPATH1_VNODE1_TOKENS do { \ 187 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188 UPATH1_TOKENS; \ 189 } \ 190 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 191 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 192 kau_write(rec, tok); \ 193 } \ 194} while (0) 195 196#define VNODE2_TOKENS do { \ 197 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 198 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 199 kau_write(rec, tok); \ 200 } \ 201} while (0) 202 203#define FD_VNODE1_TOKENS do { \ 204 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 205 if (ARG_IS_VALID(kar, ARG_FD)) { \ 206 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 207 kau_write(rec, tok); \ 208 } \ 209 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 210 kau_write(rec, tok); \ 211 } else { \ 212 if (ARG_IS_VALID(kar, ARG_FD)) { \ 213 tok = au_to_arg32(1, "non-file: fd", \ 214 ar->ar_arg_fd); \ 215 kau_write(rec, tok); \ 216 } \ 217 } \ 218} while (0) 219 220#define PROCESS_PID_TOKENS(argn) do { \ 221 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 222 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 223 tok = au_to_process32_ex(ar->ar_arg_auid, \ 224 ar->ar_arg_euid, ar->ar_arg_egid, \ 225 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 226 ar->ar_arg_pid, ar->ar_arg_asid, \ 227 &ar->ar_arg_termid_addr); \ 228 kau_write(rec, tok); \ 229 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 230 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 231 kau_write(rec, tok); \ 232 } \ 233} while (0) 234 235#define EXTATTR_TOKENS do { \ 236 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 237 switch (ar->ar_arg_value) { \ 238 case EXTATTR_NAMESPACE_USER: \ 239 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 240 break; \ 241 case EXTATTR_NAMESPACE_SYSTEM: \ 242 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 243 break; \ 244 default: \ 245 tok = au_to_arg32(3, "attrnamespace", \ 246 ar->ar_arg_value); \ 247 break; \ 248 } \ 249 kau_write(rec, tok); \ 250 } \ 251 /* attrname is in the text field */ \ 252 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 253 tok = au_to_text(ar->ar_arg_text); \ 254 kau_write(rec, tok); \ 255 } \ 256} while (0) 257 258/* 259 * Implement auditing for the auditon() system call. The audit tokens that 260 * are generated depend on the command that was sent into the auditon() 261 * system call. 262 */ 263static void 264audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 265{ 266 struct au_token *tok; 267 268 switch (ar->ar_arg_cmd) { 269 case A_SETPOLICY: 270 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 271 tok = au_to_arg64(1, "policy", 272 ar->ar_arg_auditon.au_flags); 273 else 274 tok = au_to_arg32(1, "policy", 275 ar->ar_arg_auditon.au_flags); 276 kau_write(rec, tok); 277 break; 278 279 case A_SETKMASK: 280 tok = au_to_arg32(2, "setkmask:as_success", 281 ar->ar_arg_auditon.au_mask.am_success); 282 kau_write(rec, tok); 283 tok = au_to_arg32(2, "setkmask:as_failure", 284 ar->ar_arg_auditon.au_mask.am_failure); 285 kau_write(rec, tok); 286 break; 287 288 case A_SETQCTRL: 289 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 290 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 291 kau_write(rec, tok); 292 tok = au_to_arg32(3, "setqctrl:aq_lowater", 293 ar->ar_arg_auditon.au_qctrl.aq_lowater); 294 kau_write(rec, tok); 295 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 296 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 297 kau_write(rec, tok); 298 tok = au_to_arg32(3, "setqctrl:aq_delay", 299 ar->ar_arg_auditon.au_qctrl.aq_delay); 300 kau_write(rec, tok); 301 tok = au_to_arg32(3, "setqctrl:aq_minfree", 302 ar->ar_arg_auditon.au_qctrl.aq_minfree); 303 kau_write(rec, tok); 304 break; 305 306 case A_SETUMASK: 307 tok = au_to_arg32(3, "setumask:as_success", 308 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 309 kau_write(rec, tok); 310 tok = au_to_arg32(3, "setumask:as_failure", 311 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 312 kau_write(rec, tok); 313 break; 314 315 case A_SETSMASK: 316 tok = au_to_arg32(3, "setsmask:as_success", 317 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 318 kau_write(rec, tok); 319 tok = au_to_arg32(3, "setsmask:as_failure", 320 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 321 kau_write(rec, tok); 322 break; 323 324 case A_SETCOND: 325 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 326 tok = au_to_arg64(3, "setcond", 327 ar->ar_arg_auditon.au_cond); 328 else 329 tok = au_to_arg32(3, "setcond", 330 ar->ar_arg_auditon.au_cond); 331 kau_write(rec, tok); 332 break; 333 334 case A_SETCLASS: 335 tok = au_to_arg32(2, "setclass:ec_event", 336 ar->ar_arg_auditon.au_evclass.ec_number); 337 kau_write(rec, tok); 338 tok = au_to_arg32(3, "setclass:ec_class", 339 ar->ar_arg_auditon.au_evclass.ec_class); 340 kau_write(rec, tok); 341 break; 342 343 case A_SETPMASK: 344 tok = au_to_arg32(2, "setpmask:as_success", 345 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 346 kau_write(rec, tok); 347 tok = au_to_arg32(2, "setpmask:as_failure", 348 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 349 kau_write(rec, tok); 350 break; 351 352 case A_SETFSIZE: 353 tok = au_to_arg32(2, "setfsize:filesize", 354 ar->ar_arg_auditon.au_fstat.af_filesz); 355 kau_write(rec, tok); 356 break; 357 358 default: 359 break; 360 } 361} 362 363/* 364 * Convert an internal kernel audit record to a BSM record and return a 365 * success/failure indicator. The BSM record is passed as an out parameter to 366 * this function. 367 * 368 * Return conditions: 369 * BSM_SUCCESS: The BSM record is valid 370 * BSM_FAILURE: Failure; the BSM record is NULL. 371 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 372 */ 373int 374kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 375{ 376 struct au_token *tok, *subj_tok; 377 struct au_record *rec; 378 au_tid_t tid; 379 struct audit_record *ar; 380 int ctr; 381 382 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 383 384 *pau = NULL; 385 ar = &kar->k_ar; 386 rec = kau_open(); 387 388 /* 389 * Create the subject token. 390 */ 391 switch (ar->ar_subj_term_addr.at_type) { 392 case AU_IPv4: 393 tid.port = ar->ar_subj_term_addr.at_port; 394 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 395 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 396 ar->ar_subj_cred.cr_uid, /* eff uid */ 397 ar->ar_subj_egid, /* eff group id */ 398 ar->ar_subj_ruid, /* real uid */ 399 ar->ar_subj_rgid, /* real group id */ 400 ar->ar_subj_pid, /* process id */ 401 ar->ar_subj_asid, /* session ID */ 402 &tid); 403 break; 404 case AU_IPv6: 405 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 406 ar->ar_subj_cred.cr_uid, 407 ar->ar_subj_egid, 408 ar->ar_subj_ruid, 409 ar->ar_subj_rgid, 410 ar->ar_subj_pid, 411 ar->ar_subj_asid, 412 &ar->ar_subj_term_addr); 413 break; 414 default: 415 bzero(&tid, sizeof(tid)); 416 subj_tok = au_to_subject32(ar->ar_subj_auid, 417 ar->ar_subj_cred.cr_uid, 418 ar->ar_subj_egid, 419 ar->ar_subj_ruid, 420 ar->ar_subj_rgid, 421 ar->ar_subj_pid, 422 ar->ar_subj_asid, 423 &tid); 424 } 425 426 /* 427 * The logic inside each case fills in the tokens required for the 428 * event, except for the header, trailer, and return tokens. The 429 * header and trailer tokens are added by the kau_close() function. 430 * The return token is added outside of the switch statement. 431 */ 432 switch(ar->ar_event) { 433 case AUE_ACCEPT: 434 case AUE_BIND: 435 case AUE_LISTEN: 436 case AUE_CONNECT: 437 case AUE_RECV: 438 case AUE_RECVFROM: 439 case AUE_RECVMSG: 440 case AUE_SEND: 441 case AUE_SENDFILE: 442 case AUE_SENDMSG: 443 case AUE_SENDTO: 444 /* 445 * Socket-related events. 446 */ 447 if (ARG_IS_VALID(kar, ARG_FD)) { 448 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 449 kau_write(rec, tok); 450 } 451 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 452 tok = au_to_sock_inet((struct sockaddr_in *) 453 &ar->ar_arg_sockaddr); 454 kau_write(rec, tok); 455 } 456 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 457 tok = au_to_sock_unix((struct sockaddr_un *) 458 &ar->ar_arg_sockaddr); 459 kau_write(rec, tok); 460 UPATH1_TOKENS; 461 } 462 /* XXX Need to handle ARG_SADDRINET6 */ 463 break; 464 465 case AUE_SOCKET: 466 case AUE_SOCKETPAIR: 467 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 468 tok = au_to_arg32(1,"domain", 469 ar->ar_arg_sockinfo.so_domain); 470 kau_write(rec, tok); 471 tok = au_to_arg32(2,"type", 472 ar->ar_arg_sockinfo.so_type); 473 kau_write(rec, tok); 474 tok = au_to_arg32(3,"protocol", 475 ar->ar_arg_sockinfo.so_protocol); 476 kau_write(rec, tok); 477 } 478 break; 479 480 case AUE_SETSOCKOPT: 481 case AUE_SHUTDOWN: 482 if (ARG_IS_VALID(kar, ARG_FD)) { 483 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 484 kau_write(rec, tok); 485 } 486 break; 487 488 case AUE_ACCT: 489 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 490 UPATH1_VNODE1_TOKENS; 491 } else { 492 tok = au_to_arg32(1, "accounting off", 0); 493 kau_write(rec, tok); 494 } 495 break; 496 497 case AUE_SETAUID: 498 if (ARG_IS_VALID(kar, ARG_AUID)) { 499 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 500 kau_write(rec, tok); 501 } 502 break; 503 504 case AUE_SETAUDIT: 505 if (ARG_IS_VALID(kar, ARG_AUID) && 506 ARG_IS_VALID(kar, ARG_ASID) && 507 ARG_IS_VALID(kar, ARG_AMASK) && 508 ARG_IS_VALID(kar, ARG_TERMID)) { 509 tok = au_to_arg32(1, "setaudit:auid", 510 ar->ar_arg_auid); 511 kau_write(rec, tok); 512 tok = au_to_arg32(1, "setaudit:port", 513 ar->ar_arg_termid.port); 514 kau_write(rec, tok); 515 tok = au_to_arg32(1, "setaudit:machine", 516 ar->ar_arg_termid.machine); 517 kau_write(rec, tok); 518 tok = au_to_arg32(1, "setaudit:as_success", 519 ar->ar_arg_amask.am_success); 520 kau_write(rec, tok); 521 tok = au_to_arg32(1, "setaudit:as_failure", 522 ar->ar_arg_amask.am_failure); 523 kau_write(rec, tok); 524 tok = au_to_arg32(1, "setaudit:asid", 525 ar->ar_arg_asid); 526 kau_write(rec, tok); 527 } 528 break; 529 530 case AUE_SETAUDIT_ADDR: 531 if (ARG_IS_VALID(kar, ARG_AUID) && 532 ARG_IS_VALID(kar, ARG_ASID) && 533 ARG_IS_VALID(kar, ARG_AMASK) && 534 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 535 tok = au_to_arg32(1, "setaudit_addr:auid", 536 ar->ar_arg_auid); 537 kau_write(rec, tok); 538 tok = au_to_arg32(1, "setaudit_addr:as_success", 539 ar->ar_arg_amask.am_success); 540 kau_write(rec, tok); 541 tok = au_to_arg32(1, "setaudit_addr:as_failure", 542 ar->ar_arg_amask.am_failure); 543 kau_write(rec, tok); 544 tok = au_to_arg32(1, "setaudit_addr:asid", 545 ar->ar_arg_asid); 546 kau_write(rec, tok); 547 tok = au_to_arg32(1, "setaudit_addr:type", 548 ar->ar_arg_termid_addr.at_type); 549 kau_write(rec, tok); 550 tok = au_to_arg32(1, "setaudit_addr:port", 551 ar->ar_arg_termid_addr.at_port); 552 kau_write(rec, tok); 553 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 554 tok = au_to_in_addr_ex((struct in6_addr *) 555 &ar->ar_arg_termid_addr.at_addr[0]); 556 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 557 tok = au_to_in_addr((struct in_addr *) 558 &ar->ar_arg_termid_addr.at_addr[0]); 559 kau_write(rec, tok); 560 } 561 break; 562 563 case AUE_AUDITON: 564 /* 565 * For AUDITON commands without own event, audit the cmd. 566 */ 567 if (ARG_IS_VALID(kar, ARG_CMD)) { 568 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 569 kau_write(rec, tok); 570 } 571 /* fall thru */ 572 573 case AUE_AUDITON_GETCAR: 574 case AUE_AUDITON_GETCLASS: 575 case AUE_AUDITON_GETCOND: 576 case AUE_AUDITON_GETCWD: 577 case AUE_AUDITON_GETKMASK: 578 case AUE_AUDITON_GETSTAT: 579 case AUE_AUDITON_GPOLICY: 580 case AUE_AUDITON_GQCTRL: 581 case AUE_AUDITON_SETCLASS: 582 case AUE_AUDITON_SETCOND: 583 case AUE_AUDITON_SETKMASK: 584 case AUE_AUDITON_SETSMASK: 585 case AUE_AUDITON_SETSTAT: 586 case AUE_AUDITON_SETUMASK: 587 case AUE_AUDITON_SPOLICY: 588 case AUE_AUDITON_SQCTRL: 589 if (ARG_IS_VALID(kar, ARG_AUDITON)) 590 audit_sys_auditon(ar, rec); 591 break; 592 593 case AUE_AUDITCTL: 594 UPATH1_VNODE1_TOKENS; 595 break; 596 597 case AUE_EXIT: 598 if (ARG_IS_VALID(kar, ARG_EXIT)) { 599 tok = au_to_exit(ar->ar_arg_exitretval, 600 ar->ar_arg_exitstatus); 601 kau_write(rec, tok); 602 } 603 break; 604 605 case AUE_ADJTIME: 606 case AUE_CLOCK_SETTIME: 607 case AUE_AUDIT: 608 case AUE_DUP2: 609 case AUE_GETAUDIT: 610 case AUE_GETAUDIT_ADDR: 611 case AUE_GETAUID: 612 case AUE_GETCWD: 613 case AUE_GETFSSTAT: 614 case AUE_GETRESUID: 615 case AUE_GETRESGID: 616 case AUE_KQUEUE: 617 case AUE_LSEEK: 618 case AUE_MODLOAD: 619 case AUE_MODUNLOAD: 620 case AUE_MSGSYS: 621 case AUE_NFS_SVC: 622 case AUE_NTP_ADJTIME: 623 case AUE_PIPE: 624 case AUE_PROFILE: 625 case AUE_RTPRIO: 626 case AUE_SEMSYS: 627 case AUE_SHMSYS: 628 case AUE_SETPGRP: 629 case AUE_SETRLIMIT: 630 case AUE_SETSID: 631 case AUE_SETTIMEOFDAY: 632 case AUE_SYSARCH: 633 634 /* 635 * Header, subject, and return tokens added at end. 636 */ 637 break; 638 639 case AUE_MKFIFO: 640 if (ARG_IS_VALID(kar, ARG_MODE)) { 641 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 642 kau_write(rec, tok); 643 } 644 /* fall through */ 645 case AUE_ACCESS: 646 case AUE_CHDIR: 647 case AUE_CHROOT: 648 case AUE_EACCESS: 649 case AUE_GETATTRLIST: 650 case AUE_JAIL: 651 case AUE_LUTIMES: 652 case AUE_NFS_GETFH: 653 case AUE_LSTAT: 654 case AUE_PATHCONF: 655 case AUE_READLINK: 656 case AUE_REVOKE: 657 case AUE_RMDIR: 658 case AUE_SEARCHFS: 659 case AUE_SETATTRLIST: 660 case AUE_STAT: 661 case AUE_STATFS: 662 case AUE_SWAPON: 663 case AUE_SWAPOFF: 664 case AUE_TRUNCATE: 665 case AUE_UNDELETE: 666 case AUE_UNLINK: 667 case AUE_UTIMES: 668 UPATH1_VNODE1_TOKENS; 669 break; 670 671 case AUE_FHSTATFS: 672 case AUE_FHOPEN: 673 case AUE_FHSTAT: 674 /* XXXRW: Need to audit vnode argument. */ 675 break; 676 677 case AUE_CHFLAGS: 678 case AUE_LCHFLAGS: 679 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 680 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 681 kau_write(rec, tok); 682 } 683 UPATH1_VNODE1_TOKENS; 684 break; 685 686 case AUE_CHMOD: 687 case AUE_LCHMOD: 688 if (ARG_IS_VALID(kar, ARG_MODE)) { 689 tok = au_to_arg32(2, "new file mode", 690 ar->ar_arg_mode); 691 kau_write(rec, tok); 692 } 693 UPATH1_VNODE1_TOKENS; 694 break; 695 696 case AUE_CHOWN: 697 case AUE_LCHOWN: 698 if (ARG_IS_VALID(kar, ARG_UID)) { 699 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 700 kau_write(rec, tok); 701 } 702 if (ARG_IS_VALID(kar, ARG_GID)) { 703 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 704 kau_write(rec, tok); 705 } 706 UPATH1_VNODE1_TOKENS; 707 break; 708 709 case AUE_EXCHANGEDATA: 710 UPATH1_VNODE1_TOKENS; 711 UPATH2_TOKENS; 712 break; 713 714 case AUE_CLOSE: 715 if (ARG_IS_VALID(kar, ARG_FD)) { 716 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 717 kau_write(rec, tok); 718 } 719 UPATH1_VNODE1_TOKENS; 720 break; 721 722 case AUE_CORE: 723 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 724 tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 725 kau_write(rec, tok); 726 } 727 UPATH1_VNODE1_TOKENS; 728 break; 729 730 case AUE_EXTATTRCTL: 731 UPATH1_VNODE1_TOKENS; 732 if (ARG_IS_VALID(kar, ARG_CMD)) { 733 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 734 kau_write(rec, tok); 735 } 736 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 737 UPATH2_TOKENS; 738 VNODE2_TOKENS; 739 EXTATTR_TOKENS; 740 break; 741 742 case AUE_EXTATTR_GET_FILE: 743 case AUE_EXTATTR_SET_FILE: 744 case AUE_EXTATTR_LIST_FILE: 745 case AUE_EXTATTR_DELETE_FILE: 746 case AUE_EXTATTR_GET_LINK: 747 case AUE_EXTATTR_SET_LINK: 748 case AUE_EXTATTR_LIST_LINK: 749 case AUE_EXTATTR_DELETE_LINK: 750 UPATH1_VNODE1_TOKENS; 751 EXTATTR_TOKENS; 752 break; 753 754 case AUE_EXTATTR_GET_FD: 755 case AUE_EXTATTR_SET_FD: 756 case AUE_EXTATTR_LIST_FD: 757 case AUE_EXTATTR_DELETE_FD: 758 if (ARG_IS_VALID(kar, ARG_FD)) { 759 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 760 kau_write(rec, tok); 761 } 762 EXTATTR_TOKENS; 763 break; 764 765 case AUE_FEXECVE: 766 if (ARG_IS_VALID(kar, ARG_FD)) { 767 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 768 kau_write(rec, tok); 769 } 770 /* FALLTHROUGH */ 771 772 case AUE_EXECVE: 773 if (ARG_IS_VALID(kar, ARG_ARGV)) { 774 tok = au_to_exec_args(ar->ar_arg_argv, 775 ar->ar_arg_argc); 776 kau_write(rec, tok); 777 } 778 if (ARG_IS_VALID(kar, ARG_ENVV)) { 779 tok = au_to_exec_env(ar->ar_arg_envv, 780 ar->ar_arg_envc); 781 kau_write(rec, tok); 782 } 783 UPATH1_VNODE1_TOKENS; 784 break; 785 786 case AUE_FCHMOD: 787 if (ARG_IS_VALID(kar, ARG_MODE)) { 788 tok = au_to_arg32(2, "new file mode", 789 ar->ar_arg_mode); 790 kau_write(rec, tok); 791 } 792 FD_VNODE1_TOKENS; 793 break; 794 795 /* 796 * XXXRW: Some of these need to handle non-vnode cases as well. 797 */ 798 case AUE_FCHDIR: 799 case AUE_FPATHCONF: 800 case AUE_FSTAT: 801 case AUE_FSTATFS: 802 case AUE_FSYNC: 803 case AUE_FTRUNCATE: 804 case AUE_FUTIMES: 805 case AUE_GETDIRENTRIES: 806 case AUE_GETDIRENTRIESATTR: 807 case AUE_POLL: 808 case AUE_READ: 809 case AUE_READV: 810 case AUE_WRITE: 811 case AUE_WRITEV: 812 FD_VNODE1_TOKENS; 813 break; 814 815 case AUE_FCHOWN: 816 if (ARG_IS_VALID(kar, ARG_UID)) { 817 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 818 kau_write(rec, tok); 819 } 820 if (ARG_IS_VALID(kar, ARG_GID)) { 821 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 822 kau_write(rec, tok); 823 } 824 FD_VNODE1_TOKENS; 825 break; 826 827 case AUE_FCNTL: 828 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 829 ar->ar_arg_cmd == F_SETLKW) { 830 if (ARG_IS_VALID(kar, ARG_CMD)) { 831 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 832 kau_write(rec, tok); 833 } 834 FD_VNODE1_TOKENS; 835 } 836 break; 837 838 case AUE_FCHFLAGS: 839 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 840 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 841 kau_write(rec, tok); 842 } 843 FD_VNODE1_TOKENS; 844 break; 845 846 case AUE_FLOCK: 847 if (ARG_IS_VALID(kar, ARG_CMD)) { 848 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 849 kau_write(rec, tok); 850 } 851 FD_VNODE1_TOKENS; 852 break; 853 854 case AUE_RFORK: 855 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 856 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 857 kau_write(rec, tok); 858 } 859 /* fall through */ 860 case AUE_FORK: 861 case AUE_VFORK: 862 if (ARG_IS_VALID(kar, ARG_PID)) { 863 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 864 kau_write(rec, tok); 865 } 866 break; 867 868 case AUE_IOCTL: 869 if (ARG_IS_VALID(kar, ARG_CMD)) { 870 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 871 kau_write(rec, tok); 872 } 873 if (ARG_IS_VALID(kar, ARG_ADDR)) { 874 tok = au_to_arg32(1, "arg", 875 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 876 kau_write(rec, tok); 877 } 878 if (ARG_IS_VALID(kar, ARG_VNODE1)) 879 FD_VNODE1_TOKENS; 880 else { 881 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 882 tok = kau_to_socket(&ar->ar_arg_sockinfo); 883 kau_write(rec, tok); 884 } else { 885 if (ARG_IS_VALID(kar, ARG_FD)) { 886 tok = au_to_arg32(1, "fd", 887 ar->ar_arg_fd); 888 kau_write(rec, tok); 889 } 890 } 891 } 892 break; 893 894 case AUE_KILL: 895 case AUE_KILLPG: 896 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 897 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 898 kau_write(rec, tok); 899 } 900 PROCESS_PID_TOKENS(1); 901 break; 902 903 case AUE_KTRACE: 904 if (ARG_IS_VALID(kar, ARG_CMD)) { 905 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 906 kau_write(rec, tok); 907 } 908 if (ARG_IS_VALID(kar, ARG_VALUE)) { 909 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 910 kau_write(rec, tok); 911 } 912 PROCESS_PID_TOKENS(4); 913 UPATH1_VNODE1_TOKENS; 914 break; 915 916 case AUE_LINK: 917 case AUE_RENAME: 918 UPATH1_VNODE1_TOKENS; 919 UPATH2_TOKENS; 920 break; 921 922 case AUE_LOADSHFILE: 923 if (ARG_IS_VALID(kar, ARG_ADDR)) { 924 tok = au_to_arg32(4, "base addr", 925 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 926 kau_write(rec, tok); 927 } 928 UPATH1_VNODE1_TOKENS; 929 break; 930 931 case AUE_MKDIR: 932 if (ARG_IS_VALID(kar, ARG_MODE)) { 933 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 934 kau_write(rec, tok); 935 } 936 UPATH1_VNODE1_TOKENS; 937 break; 938 939 case AUE_MKNOD: 940 if (ARG_IS_VALID(kar, ARG_MODE)) { 941 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 942 kau_write(rec, tok); 943 } 944 if (ARG_IS_VALID(kar, ARG_DEV)) { 945 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 946 kau_write(rec, tok); 947 } 948 UPATH1_VNODE1_TOKENS; 949 break; 950 951 case AUE_MMAP: 952 case AUE_MUNMAP: 953 case AUE_MPROTECT: 954 case AUE_MLOCK: 955 case AUE_MUNLOCK: 956 case AUE_MINHERIT: 957 if (ARG_IS_VALID(kar, ARG_ADDR)) { 958 tok = au_to_arg32(1, "addr", 959 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 960 kau_write(rec, tok); 961 } 962 if (ARG_IS_VALID(kar, ARG_LEN)) { 963 tok = au_to_arg32(2, "len", ar->ar_arg_len); 964 kau_write(rec, tok); 965 } 966 if (ar->ar_event == AUE_MMAP) 967 FD_VNODE1_TOKENS; 968 if (ar->ar_event == AUE_MPROTECT) { 969 if (ARG_IS_VALID(kar, ARG_VALUE)) { 970 tok = au_to_arg32(3, "protection", 971 ar->ar_arg_value); 972 kau_write(rec, tok); 973 } 974 } 975 if (ar->ar_event == AUE_MINHERIT) { 976 if (ARG_IS_VALID(kar, ARG_VALUE)) { 977 tok = au_to_arg32(3, "inherit", 978 ar->ar_arg_value); 979 kau_write(rec, tok); 980 } 981 } 982 break; 983 984 case AUE_MOUNT: 985 case AUE_NMOUNT: 986 /* XXX Need to handle NFS mounts */ 987 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 988 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 989 kau_write(rec, tok); 990 } 991 if (ARG_IS_VALID(kar, ARG_TEXT)) { 992 tok = au_to_text(ar->ar_arg_text); 993 kau_write(rec, tok); 994 } 995 /* fall through */ 996 997 case AUE_UMOUNT: 998 UPATH1_VNODE1_TOKENS; 999 break; 1000 1001 case AUE_MSGCTL: 1002 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1003 /* Fall through */ 1004 1005 case AUE_MSGRCV: 1006 case AUE_MSGSND: 1007 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1008 kau_write(rec, tok); 1009 if (ar->ar_errno != EINVAL) { 1010 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1011 kau_write(rec, tok); 1012 } 1013 break; 1014 1015 case AUE_MSGGET: 1016 if (ar->ar_errno == 0) { 1017 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1018 tok = au_to_ipc(AT_IPC_MSG, 1019 ar->ar_arg_svipc_id); 1020 kau_write(rec, tok); 1021 } 1022 } 1023 break; 1024 1025 case AUE_RESETSHFILE: 1026 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1027 tok = au_to_arg32(1, "base addr", 1028 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1029 kau_write(rec, tok); 1030 } 1031 break; 1032 1033 case AUE_OPEN_RC: 1034 case AUE_OPEN_RTC: 1035 case AUE_OPEN_RWC: 1036 case AUE_OPEN_RWTC: 1037 case AUE_OPEN_WC: 1038 case AUE_OPEN_WTC: 1039 case AUE_CREAT: 1040 if (ARG_IS_VALID(kar, ARG_MODE)) { 1041 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1042 kau_write(rec, tok); 1043 } 1044 /* fall through */ 1045 1046 case AUE_OPEN_R: 1047 case AUE_OPEN_RT: 1048 case AUE_OPEN_RW: 1049 case AUE_OPEN_RWT: 1050 case AUE_OPEN_W: 1051 case AUE_OPEN_WT: 1052 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1053 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1054 kau_write(rec, tok); 1055 } 1056 UPATH1_VNODE1_TOKENS; 1057 break; 1058 1059 case AUE_PTRACE: 1060 if (ARG_IS_VALID(kar, ARG_CMD)) { 1061 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1062 kau_write(rec, tok); 1063 } 1064 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1065 tok = au_to_arg32(3, "addr", 1066 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1067 kau_write(rec, tok); 1068 } 1069 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1070 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1071 kau_write(rec, tok); 1072 } 1073 PROCESS_PID_TOKENS(2); 1074 break; 1075 1076 case AUE_QUOTACTL: 1077 if (ARG_IS_VALID(kar, ARG_CMD)) { 1078 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1079 kau_write(rec, tok); 1080 } 1081 if (ARG_IS_VALID(kar, ARG_UID)) { 1082 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1083 kau_write(rec, tok); 1084 } 1085 UPATH1_VNODE1_TOKENS; 1086 break; 1087 1088 case AUE_REBOOT: 1089 if (ARG_IS_VALID(kar, ARG_CMD)) { 1090 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1091 kau_write(rec, tok); 1092 } 1093 break; 1094 1095 case AUE_SEMCTL: 1096 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1097 /* Fall through */ 1098 1099 case AUE_SEMOP: 1100 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1101 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1102 kau_write(rec, tok); 1103 if (ar->ar_errno != EINVAL) { 1104 tok = au_to_ipc(AT_IPC_SEM, 1105 ar->ar_arg_svipc_id); 1106 kau_write(rec, tok); 1107 } 1108 } 1109 break; 1110 1111 case AUE_SEMGET: 1112 if (ar->ar_errno == 0) { 1113 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1114 tok = au_to_ipc(AT_IPC_SEM, 1115 ar->ar_arg_svipc_id); 1116 kau_write(rec, tok); 1117 } 1118 } 1119 break; 1120 1121 case AUE_SETEGID: 1122 if (ARG_IS_VALID(kar, ARG_EGID)) { 1123 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1124 kau_write(rec, tok); 1125 } 1126 break; 1127 1128 case AUE_SETEUID: 1129 if (ARG_IS_VALID(kar, ARG_EUID)) { 1130 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1131 kau_write(rec, tok); 1132 } 1133 break; 1134 1135 case AUE_SETREGID: 1136 if (ARG_IS_VALID(kar, ARG_RGID)) { 1137 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1138 kau_write(rec, tok); 1139 } 1140 if (ARG_IS_VALID(kar, ARG_EGID)) { 1141 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1142 kau_write(rec, tok); 1143 } 1144 break; 1145 1146 case AUE_SETREUID: 1147 if (ARG_IS_VALID(kar, ARG_RUID)) { 1148 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1149 kau_write(rec, tok); 1150 } 1151 if (ARG_IS_VALID(kar, ARG_EUID)) { 1152 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1153 kau_write(rec, tok); 1154 } 1155 break; 1156 1157 case AUE_SETRESGID: 1158 if (ARG_IS_VALID(kar, ARG_RGID)) { 1159 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1160 kau_write(rec, tok); 1161 } 1162 if (ARG_IS_VALID(kar, ARG_EGID)) { 1163 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1164 kau_write(rec, tok); 1165 } 1166 if (ARG_IS_VALID(kar, ARG_SGID)) { 1167 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1168 kau_write(rec, tok); 1169 } 1170 break; 1171 1172 case AUE_SETRESUID: 1173 if (ARG_IS_VALID(kar, ARG_RUID)) { 1174 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1175 kau_write(rec, tok); 1176 } 1177 if (ARG_IS_VALID(kar, ARG_EUID)) { 1178 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1179 kau_write(rec, tok); 1180 } 1181 if (ARG_IS_VALID(kar, ARG_SUID)) { 1182 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1183 kau_write(rec, tok); 1184 } 1185 break; 1186 1187 case AUE_SETGID: 1188 if (ARG_IS_VALID(kar, ARG_GID)) { 1189 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1190 kau_write(rec, tok); 1191 } 1192 break; 1193 1194 case AUE_SETUID: 1195 if (ARG_IS_VALID(kar, ARG_UID)) { 1196 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1197 kau_write(rec, tok); 1198 } 1199 break; 1200 1201 case AUE_SETGROUPS: 1202 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1203 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1204 { 1205 tok = au_to_arg32(1, "setgroups", 1206 ar->ar_arg_groups.gidset[ctr]); 1207 kau_write(rec, tok); 1208 } 1209 } 1210 break; 1211 1212 case AUE_SETLOGIN: 1213 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1214 tok = au_to_text(ar->ar_arg_text); 1215 kau_write(rec, tok); 1216 } 1217 break; 1218 1219 case AUE_SETPRIORITY: 1220 if (ARG_IS_VALID(kar, ARG_CMD)) { 1221 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1222 kau_write(rec, tok); 1223 } 1224 if (ARG_IS_VALID(kar, ARG_UID)) { 1225 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1226 kau_write(rec, tok); 1227 } 1228 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1229 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1230 kau_write(rec, tok); 1231 } 1232 break; 1233 1234 case AUE_SETPRIVEXEC: 1235 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1236 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1237 kau_write(rec, tok); 1238 } 1239 break; 1240 1241 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1242 case AUE_SHMAT: 1243 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1244 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1245 kau_write(rec, tok); 1246 /* XXXAUDIT: Does having the ipc token make sense? */ 1247 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1248 kau_write(rec, tok); 1249 } 1250 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1251 tok = au_to_arg32(2, "shmaddr", 1252 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1253 kau_write(rec, tok); 1254 } 1255 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1256 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1257 kau_write(rec, tok); 1258 } 1259 break; 1260 1261 case AUE_SHMCTL: 1262 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1263 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1264 kau_write(rec, tok); 1265 /* XXXAUDIT: Does having the ipc token make sense? */ 1266 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1267 kau_write(rec, tok); 1268 } 1269 switch (ar->ar_arg_svipc_cmd) { 1270 case IPC_STAT: 1271 ar->ar_event = AUE_SHMCTL_STAT; 1272 break; 1273 case IPC_RMID: 1274 ar->ar_event = AUE_SHMCTL_RMID; 1275 break; 1276 case IPC_SET: 1277 ar->ar_event = AUE_SHMCTL_SET; 1278 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1279 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1280 kau_write(rec, tok); 1281 } 1282 break; 1283 default: 1284 break; /* We will audit a bad command */ 1285 } 1286 break; 1287 1288 case AUE_SHMDT: 1289 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1290 tok = au_to_arg32(1, "shmaddr", 1291 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1292 kau_write(rec, tok); 1293 } 1294 break; 1295 1296 case AUE_SHMGET: 1297 /* This is unusual; the return value is in an argument token */ 1298 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1299 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1300 kau_write(rec, tok); 1301 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1302 kau_write(rec, tok); 1303 } 1304 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1305 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1306 kau_write(rec, tok); 1307 } 1308 break; 1309 1310 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1311 * and AUE_SEMUNLINK are Posix IPC */ 1312 case AUE_SHMOPEN: 1313 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1314 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1315 kau_write(rec, tok); 1316 } 1317 if (ARG_IS_VALID(kar, ARG_MODE)) { 1318 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1319 kau_write(rec, tok); 1320 } 1321 case AUE_SHMUNLINK: 1322 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1323 tok = au_to_text(ar->ar_arg_text); 1324 kau_write(rec, tok); 1325 } 1326 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1327 struct ipc_perm perm; 1328 1329 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1330 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1331 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1332 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1333 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1334 perm.seq = 0; 1335 perm.key = 0; 1336 tok = au_to_ipc_perm(&perm); 1337 kau_write(rec, tok); 1338 } 1339 break; 1340 1341 case AUE_SEMOPEN: 1342 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1343 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1344 kau_write(rec, tok); 1345 } 1346 if (ARG_IS_VALID(kar, ARG_MODE)) { 1347 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1348 kau_write(rec, tok); 1349 } 1350 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1351 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1352 kau_write(rec, tok); 1353 } 1354 /* fall through */ 1355 1356 case AUE_SEMUNLINK: 1357 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1358 tok = au_to_text(ar->ar_arg_text); 1359 kau_write(rec, tok); 1360 } 1361 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1362 struct ipc_perm perm; 1363 1364 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1365 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1366 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1367 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1368 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1369 perm.seq = 0; 1370 perm.key = 0; 1371 tok = au_to_ipc_perm(&perm); 1372 kau_write(rec, tok); 1373 } 1374 break; 1375 1376 case AUE_SEMCLOSE: 1377 if (ARG_IS_VALID(kar, ARG_FD)) { 1378 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1379 kau_write(rec, tok); 1380 } 1381 break; 1382 1383 case AUE_SYMLINK: 1384 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1385 tok = au_to_text(ar->ar_arg_text); 1386 kau_write(rec, tok); 1387 } 1388 UPATH1_VNODE1_TOKENS; 1389 break; 1390 1391 case AUE_SYSCTL: 1392 case AUE_SYSCTL_NONADMIN: 1393 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1394 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1395 tok = au_to_arg32(1, "name", 1396 ar->ar_arg_ctlname[ctr]); 1397 kau_write(rec, tok); 1398 } 1399 } 1400 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1401 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1402 kau_write(rec, tok); 1403 } 1404 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1405 tok = au_to_text(ar->ar_arg_text); 1406 kau_write(rec, tok); 1407 } 1408 break; 1409 1410 case AUE_UMASK: 1411 if (ARG_IS_VALID(kar, ARG_MASK)) { 1412 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1413 kau_write(rec, tok); 1414 } 1415 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1416 kau_write(rec, tok); 1417 break; 1418 1419 case AUE_WAIT4: 1420 if (ARG_IS_VALID(kar, ARG_PID)) { 1421 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1422 kau_write(rec, tok); 1423 } 1424 break; 1425 1426 case AUE_NULL: 1427 default: 1428 printf("BSM conversion requested for unknown event %d\n", 1429 ar->ar_event); 1430 1431 /* 1432 * Write the subject token so it is properly freed here. 1433 */ 1434 kau_write(rec, subj_tok); 1435 kau_free(rec); 1436 return (BSM_NOAUDIT); 1437 } 1438 1439 kau_write(rec, subj_tok); 1440 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1441 kau_write(rec, tok); /* Every record gets a return token */ 1442 1443 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1444 1445 *pau = rec; 1446 return (BSM_SUCCESS); 1447} 1448 1449/* 1450 * Verify that a record is a valid BSM record. This verification is simple 1451 * now, but may be expanded on sometime in the future. Return 1 if the 1452 * record is good, 0 otherwise. 1453 */ 1454int 1455bsm_rec_verify(void *rec) 1456{ 1457 char c = *(char *)rec; 1458 1459 /* 1460 * Check the token ID of the first token; it has to be a header 1461 * token. 1462 * 1463 * XXXAUDIT There needs to be a token structure to map a token. 1464 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1465 */ 1466 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1467 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1468 return (0); 1469 return (1); 1470} 1471