audit_bsm.c revision 195267
1/* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 195267 2009-07-01 22:47:45Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155} 156 157/* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161void 162kau_free(struct au_record *rec) 163{ 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177} 178 179/* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186#define UPATH1_TOKENS do { \ 187 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188 tok = au_to_path(ar->ar_arg_upath1); \ 189 kau_write(rec, tok); \ 190 } \ 191} while (0) 192 193#define UPATH2_TOKENS do { \ 194 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 195 tok = au_to_path(ar->ar_arg_upath2); \ 196 kau_write(rec, tok); \ 197 } \ 198} while (0) 199 200#define VNODE1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 202 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 203 kau_write(rec, tok); \ 204 } \ 205} while (0) 206 207#define UPATH1_VNODE1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 209 UPATH1_TOKENS; \ 210 } \ 211 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 212 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 213 kau_write(rec, tok); \ 214 } \ 215} while (0) 216 217#define VNODE2_TOKENS do { \ 218 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 219 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 220 kau_write(rec, tok); \ 221 } \ 222} while (0) 223 224#define FD_VNODE1_TOKENS do { \ 225 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 226 if (ARG_IS_VALID(kar, ARG_FD)) { \ 227 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 228 kau_write(rec, tok); \ 229 } \ 230 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 231 kau_write(rec, tok); \ 232 } else { \ 233 if (ARG_IS_VALID(kar, ARG_FD)) { \ 234 tok = au_to_arg32(1, "non-file: fd", \ 235 ar->ar_arg_fd); \ 236 kau_write(rec, tok); \ 237 } \ 238 } \ 239} while (0) 240 241#define PROCESS_PID_TOKENS(argn) do { \ 242 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 243 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 244 tok = au_to_process32_ex(ar->ar_arg_auid, \ 245 ar->ar_arg_euid, ar->ar_arg_egid, \ 246 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 247 ar->ar_arg_pid, ar->ar_arg_asid, \ 248 &ar->ar_arg_termid_addr); \ 249 kau_write(rec, tok); \ 250 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 251 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 252 kau_write(rec, tok); \ 253 } \ 254} while (0) 255 256#define EXTATTR_TOKENS do { \ 257 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 258 switch (ar->ar_arg_value) { \ 259 case EXTATTR_NAMESPACE_USER: \ 260 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 261 break; \ 262 case EXTATTR_NAMESPACE_SYSTEM: \ 263 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 264 break; \ 265 default: \ 266 tok = au_to_arg32(3, "attrnamespace", \ 267 ar->ar_arg_value); \ 268 break; \ 269 } \ 270 kau_write(rec, tok); \ 271 } \ 272 /* attrname is in the text field */ \ 273 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 274 tok = au_to_text(ar->ar_arg_text); \ 275 kau_write(rec, tok); \ 276 } \ 277} while (0) 278 279/* 280 * Implement auditing for the auditon() system call. The audit tokens that 281 * are generated depend on the command that was sent into the auditon() 282 * system call. 283 */ 284static void 285audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 286{ 287 struct au_token *tok; 288 289 switch (ar->ar_arg_cmd) { 290 case A_OLDSETPOLICY: 291 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 292 tok = au_to_arg32(3, "length", ar->ar_arg_len); 293 kau_write(rec, tok); 294 tok = au_to_arg64(2, "policy", 295 ar->ar_arg_auditon.au_policy64); 296 kau_write(rec, tok); 297 break; 298 } 299 /* FALLTHROUGH */ 300 case A_SETPOLICY: 301 tok = au_to_arg32(3, "length", ar->ar_arg_len); 302 kau_write(rec, tok); 303 tok = au_to_arg32(1, "policy", ar->ar_arg_auditon.au_policy); 304 kau_write(rec, tok); 305 break; 306 307 case A_SETKMASK: 308 tok = au_to_arg32(2, "setkmask:as_success", 309 ar->ar_arg_auditon.au_mask.am_success); 310 kau_write(rec, tok); 311 tok = au_to_arg32(2, "setkmask:as_failure", 312 ar->ar_arg_auditon.au_mask.am_failure); 313 kau_write(rec, tok); 314 break; 315 316 case A_OLDSETQCTRL: 317 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 318 tok = au_to_arg32(3, "length", ar->ar_arg_len); 319 kau_write(rec, tok); 320 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 321 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 322 kau_write(rec, tok); 323 tok = au_to_arg64(2, "setqctrl:aq_lowater", 324 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 325 kau_write(rec, tok); 326 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 327 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 328 kau_write(rec, tok); 329 tok = au_to_arg64(2, "setqctrl:aq_delay", 330 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 331 kau_write(rec, tok); 332 tok = au_to_arg64(2, "setqctrl:aq_minfree", 333 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 334 kau_write(rec, tok); 335 break; 336 } 337 /* FALLTHROUGH */ 338 case A_SETQCTRL: 339 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 340 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 341 kau_write(rec, tok); 342 tok = au_to_arg32(2, "setqctrl:aq_lowater", 343 ar->ar_arg_auditon.au_qctrl.aq_lowater); 344 kau_write(rec, tok); 345 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 346 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 347 kau_write(rec, tok); 348 tok = au_to_arg32(2, "setqctrl:aq_delay", 349 ar->ar_arg_auditon.au_qctrl.aq_delay); 350 kau_write(rec, tok); 351 tok = au_to_arg32(2, "setqctrl:aq_minfree", 352 ar->ar_arg_auditon.au_qctrl.aq_minfree); 353 kau_write(rec, tok); 354 break; 355 356 case A_SETUMASK: 357 tok = au_to_arg32(3, "setumask:as_success", 358 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 359 kau_write(rec, tok); 360 tok = au_to_arg32(3, "setumask:as_failure", 361 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 362 kau_write(rec, tok); 363 break; 364 365 case A_SETSMASK: 366 tok = au_to_arg32(3, "length", ar->ar_arg_len); 367 kau_write(rec, tok); 368 tok = au_to_arg32(2, "setsmask:as_success", 369 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 370 kau_write(rec, tok); 371 tok = au_to_arg32(2, "setsmask:as_failure", 372 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 373 kau_write(rec, tok); 374 break; 375 376 case A_OLDSETCOND: 377 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 378 tok = au_to_arg32(3, "length", ar->ar_arg_len); 379 kau_write(rec, tok); 380 tok = au_to_arg64(2, "setcond", 381 ar->ar_arg_auditon.au_cond64); 382 kau_write(rec, tok); 383 break; 384 } 385 /* FALLTHROUGH */ 386 case A_SETCOND: 387 tok = au_to_arg32(3, "length", ar->ar_arg_len); 388 kau_write(rec, tok); 389 tok = au_to_arg32(3, "setcond", ar->ar_arg_auditon.au_cond); 390 kau_write(rec, tok); 391 break; 392 393 case A_SETCLASS: 394 tok = au_to_arg32(3, "length", ar->ar_arg_len); 395 kau_write(rec, tok); 396 tok = au_to_arg32(2, "setclass:ec_event", 397 ar->ar_arg_auditon.au_evclass.ec_number); 398 kau_write(rec, tok); 399 tok = au_to_arg32(2, "setclass:ec_class", 400 ar->ar_arg_auditon.au_evclass.ec_class); 401 kau_write(rec, tok); 402 break; 403 404 case A_SETPMASK: 405 tok = au_to_arg32(3, "length", ar->ar_arg_len); 406 kau_write(rec, tok); 407 tok = au_to_arg32(2, "setpmask:as_success", 408 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 409 kau_write(rec, tok); 410 tok = au_to_arg32(2, "setpmask:as_failure", 411 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 412 kau_write(rec, tok); 413 break; 414 415 case A_SETFSIZE: 416 tok = au_to_arg32(3, "length", ar->ar_arg_len); 417 kau_write(rec, tok); 418 tok = au_to_arg32(2, "setfsize:filesize", 419 ar->ar_arg_auditon.au_fstat.af_filesz); 420 kau_write(rec, tok); 421 break; 422 423 default: 424 break; 425 } 426} 427 428/* 429 * Convert an internal kernel audit record to a BSM record and return a 430 * success/failure indicator. The BSM record is passed as an out parameter to 431 * this function. 432 * 433 * Return conditions: 434 * BSM_SUCCESS: The BSM record is valid 435 * BSM_FAILURE: Failure; the BSM record is NULL. 436 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 437 */ 438int 439kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 440{ 441 struct au_token *tok, *subj_tok; 442 struct au_record *rec; 443 au_tid_t tid; 444 struct audit_record *ar; 445 int ctr; 446 447 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 448 449 *pau = NULL; 450 ar = &kar->k_ar; 451 rec = kau_open(); 452 453 /* 454 * Create the subject token. 455 */ 456 switch (ar->ar_subj_term_addr.at_type) { 457 case AU_IPv4: 458 tid.port = ar->ar_subj_term_addr.at_port; 459 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 460 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 461 ar->ar_subj_cred.cr_uid, /* eff uid */ 462 ar->ar_subj_egid, /* eff group id */ 463 ar->ar_subj_ruid, /* real uid */ 464 ar->ar_subj_rgid, /* real group id */ 465 ar->ar_subj_pid, /* process id */ 466 ar->ar_subj_asid, /* session ID */ 467 &tid); 468 break; 469 case AU_IPv6: 470 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 471 ar->ar_subj_cred.cr_uid, 472 ar->ar_subj_egid, 473 ar->ar_subj_ruid, 474 ar->ar_subj_rgid, 475 ar->ar_subj_pid, 476 ar->ar_subj_asid, 477 &ar->ar_subj_term_addr); 478 break; 479 default: 480 bzero(&tid, sizeof(tid)); 481 subj_tok = au_to_subject32(ar->ar_subj_auid, 482 ar->ar_subj_cred.cr_uid, 483 ar->ar_subj_egid, 484 ar->ar_subj_ruid, 485 ar->ar_subj_rgid, 486 ar->ar_subj_pid, 487 ar->ar_subj_asid, 488 &tid); 489 } 490 491 /* 492 * The logic inside each case fills in the tokens required for the 493 * event, except for the header, trailer, and return tokens. The 494 * header and trailer tokens are added by the kau_close() function. 495 * The return token is added outside of the switch statement. 496 */ 497 switch(ar->ar_event) { 498 case AUE_ACCEPT: 499 case AUE_BIND: 500 case AUE_LISTEN: 501 case AUE_CONNECT: 502 case AUE_RECV: 503 case AUE_RECVFROM: 504 case AUE_RECVMSG: 505 case AUE_SEND: 506 case AUE_SENDFILE: 507 case AUE_SENDMSG: 508 case AUE_SENDTO: 509 /* 510 * Socket-related events. 511 */ 512 if (ARG_IS_VALID(kar, ARG_FD)) { 513 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 514 kau_write(rec, tok); 515 } 516 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 517 tok = au_to_sock_inet((struct sockaddr_in *) 518 &ar->ar_arg_sockaddr); 519 kau_write(rec, tok); 520 } 521 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 522 tok = au_to_sock_unix((struct sockaddr_un *) 523 &ar->ar_arg_sockaddr); 524 kau_write(rec, tok); 525 UPATH1_TOKENS; 526 } 527 /* XXX Need to handle ARG_SADDRINET6 */ 528 break; 529 530 case AUE_SOCKET: 531 case AUE_SOCKETPAIR: 532 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 533 tok = au_to_arg32(1,"domain", 534 ar->ar_arg_sockinfo.so_domain); 535 kau_write(rec, tok); 536 tok = au_to_arg32(2,"type", 537 ar->ar_arg_sockinfo.so_type); 538 kau_write(rec, tok); 539 tok = au_to_arg32(3,"protocol", 540 ar->ar_arg_sockinfo.so_protocol); 541 kau_write(rec, tok); 542 } 543 break; 544 545 case AUE_SETSOCKOPT: 546 case AUE_SHUTDOWN: 547 if (ARG_IS_VALID(kar, ARG_FD)) { 548 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 549 kau_write(rec, tok); 550 } 551 break; 552 553 case AUE_ACCT: 554 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 555 UPATH1_VNODE1_TOKENS; 556 } else { 557 tok = au_to_arg32(1, "accounting off", 0); 558 kau_write(rec, tok); 559 } 560 break; 561 562 case AUE_SETAUID: 563 if (ARG_IS_VALID(kar, ARG_AUID)) { 564 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 565 kau_write(rec, tok); 566 } 567 break; 568 569 case AUE_SETAUDIT: 570 if (ARG_IS_VALID(kar, ARG_AUID) && 571 ARG_IS_VALID(kar, ARG_ASID) && 572 ARG_IS_VALID(kar, ARG_AMASK) && 573 ARG_IS_VALID(kar, ARG_TERMID)) { 574 tok = au_to_arg32(1, "setaudit:auid", 575 ar->ar_arg_auid); 576 kau_write(rec, tok); 577 tok = au_to_arg32(1, "setaudit:port", 578 ar->ar_arg_termid.port); 579 kau_write(rec, tok); 580 tok = au_to_arg32(1, "setaudit:machine", 581 ar->ar_arg_termid.machine); 582 kau_write(rec, tok); 583 tok = au_to_arg32(1, "setaudit:as_success", 584 ar->ar_arg_amask.am_success); 585 kau_write(rec, tok); 586 tok = au_to_arg32(1, "setaudit:as_failure", 587 ar->ar_arg_amask.am_failure); 588 kau_write(rec, tok); 589 tok = au_to_arg32(1, "setaudit:asid", 590 ar->ar_arg_asid); 591 kau_write(rec, tok); 592 } 593 break; 594 595 case AUE_SETAUDIT_ADDR: 596 if (ARG_IS_VALID(kar, ARG_AUID) && 597 ARG_IS_VALID(kar, ARG_ASID) && 598 ARG_IS_VALID(kar, ARG_AMASK) && 599 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 600 tok = au_to_arg32(1, "setaudit_addr:auid", 601 ar->ar_arg_auid); 602 kau_write(rec, tok); 603 tok = au_to_arg32(1, "setaudit_addr:as_success", 604 ar->ar_arg_amask.am_success); 605 kau_write(rec, tok); 606 tok = au_to_arg32(1, "setaudit_addr:as_failure", 607 ar->ar_arg_amask.am_failure); 608 kau_write(rec, tok); 609 tok = au_to_arg32(1, "setaudit_addr:asid", 610 ar->ar_arg_asid); 611 kau_write(rec, tok); 612 tok = au_to_arg32(1, "setaudit_addr:type", 613 ar->ar_arg_termid_addr.at_type); 614 kau_write(rec, tok); 615 tok = au_to_arg32(1, "setaudit_addr:port", 616 ar->ar_arg_termid_addr.at_port); 617 kau_write(rec, tok); 618 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 619 tok = au_to_in_addr_ex((struct in6_addr *) 620 &ar->ar_arg_termid_addr.at_addr[0]); 621 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 622 tok = au_to_in_addr((struct in_addr *) 623 &ar->ar_arg_termid_addr.at_addr[0]); 624 kau_write(rec, tok); 625 } 626 break; 627 628 case AUE_AUDITON: 629 /* 630 * For AUDITON commands without own event, audit the cmd. 631 */ 632 if (ARG_IS_VALID(kar, ARG_CMD)) { 633 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 634 kau_write(rec, tok); 635 } 636 /* FALLTHROUGH */ 637 638 case AUE_AUDITON_GETCAR: 639 case AUE_AUDITON_GETCLASS: 640 case AUE_AUDITON_GETCOND: 641 case AUE_AUDITON_GETCWD: 642 case AUE_AUDITON_GETKMASK: 643 case AUE_AUDITON_GETSTAT: 644 case AUE_AUDITON_GPOLICY: 645 case AUE_AUDITON_GQCTRL: 646 case AUE_AUDITON_SETCLASS: 647 case AUE_AUDITON_SETCOND: 648 case AUE_AUDITON_SETKMASK: 649 case AUE_AUDITON_SETSMASK: 650 case AUE_AUDITON_SETSTAT: 651 case AUE_AUDITON_SETUMASK: 652 case AUE_AUDITON_SPOLICY: 653 case AUE_AUDITON_SQCTRL: 654 if (ARG_IS_VALID(kar, ARG_AUDITON)) 655 audit_sys_auditon(ar, rec); 656 break; 657 658 case AUE_AUDITCTL: 659 UPATH1_VNODE1_TOKENS; 660 break; 661 662 case AUE_EXIT: 663 if (ARG_IS_VALID(kar, ARG_EXIT)) { 664 tok = au_to_exit(ar->ar_arg_exitretval, 665 ar->ar_arg_exitstatus); 666 kau_write(rec, tok); 667 } 668 break; 669 670 case AUE_ADJTIME: 671 case AUE_CLOCK_SETTIME: 672 case AUE_AUDIT: 673 case AUE_DUP2: 674 case AUE_GETAUDIT: 675 case AUE_GETAUDIT_ADDR: 676 case AUE_GETAUID: 677 case AUE_GETCWD: 678 case AUE_GETFSSTAT: 679 case AUE_GETRESUID: 680 case AUE_GETRESGID: 681 case AUE_KQUEUE: 682 case AUE_MODLOAD: 683 case AUE_MODUNLOAD: 684 case AUE_MSGSYS: 685 case AUE_NTP_ADJTIME: 686 case AUE_PIPE: 687 case AUE_PROFILE: 688 case AUE_RTPRIO: 689 case AUE_SEMSYS: 690 case AUE_SHMSYS: 691 case AUE_SETPGRP: 692 case AUE_SETRLIMIT: 693 case AUE_SETSID: 694 case AUE_SETTIMEOFDAY: 695 case AUE_SYSARCH: 696 697 /* 698 * Header, subject, and return tokens added at end. 699 */ 700 break; 701 702 case AUE_MKFIFO: 703 if (ARG_IS_VALID(kar, ARG_MODE)) { 704 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 705 kau_write(rec, tok); 706 } 707 /* FALLTHROUGH */ 708 709 case AUE_CHDIR: 710 case AUE_CHROOT: 711 case AUE_GETATTRLIST: 712 case AUE_JAIL: 713 case AUE_LUTIMES: 714 case AUE_NFS_GETFH: 715 case AUE_LSTAT: 716 case AUE_PATHCONF: 717 case AUE_READLINK: 718 case AUE_REVOKE: 719 case AUE_RMDIR: 720 case AUE_SEARCHFS: 721 case AUE_SETATTRLIST: 722 case AUE_STAT: 723 case AUE_STATFS: 724 case AUE_SWAPON: 725 case AUE_SWAPOFF: 726 case AUE_TRUNCATE: 727 case AUE_UNDELETE: 728 case AUE_UNLINK: 729 case AUE_UTIMES: 730 UPATH1_VNODE1_TOKENS; 731 break; 732 733 case AUE_ACCESS: 734 case AUE_EACCESS: 735 UPATH1_VNODE1_TOKENS; 736 if (ARG_IS_VALID(kar, ARG_VALUE)) { 737 tok = au_to_arg32(1, "mode", ar->ar_arg_value); 738 kau_write(rec, tok); 739 } 740 break; 741 742 case AUE_FHSTATFS: 743 case AUE_FHOPEN: 744 case AUE_FHSTAT: 745 /* XXXRW: Need to audit vnode argument. */ 746 break; 747 748 case AUE_CHFLAGS: 749 case AUE_LCHFLAGS: 750 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 751 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 752 kau_write(rec, tok); 753 } 754 UPATH1_VNODE1_TOKENS; 755 break; 756 757 case AUE_CHMOD: 758 case AUE_LCHMOD: 759 if (ARG_IS_VALID(kar, ARG_MODE)) { 760 tok = au_to_arg32(2, "new file mode", 761 ar->ar_arg_mode); 762 kau_write(rec, tok); 763 } 764 UPATH1_VNODE1_TOKENS; 765 break; 766 767 case AUE_CHOWN: 768 case AUE_LCHOWN: 769 if (ARG_IS_VALID(kar, ARG_UID)) { 770 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 771 kau_write(rec, tok); 772 } 773 if (ARG_IS_VALID(kar, ARG_GID)) { 774 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 775 kau_write(rec, tok); 776 } 777 UPATH1_VNODE1_TOKENS; 778 break; 779 780 case AUE_EXCHANGEDATA: 781 UPATH1_VNODE1_TOKENS; 782 UPATH2_TOKENS; 783 break; 784 785 case AUE_CLOSE: 786 if (ARG_IS_VALID(kar, ARG_FD)) { 787 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 788 kau_write(rec, tok); 789 } 790 UPATH1_VNODE1_TOKENS; 791 break; 792 793 case AUE_CORE: 794 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 795 tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 796 kau_write(rec, tok); 797 } 798 UPATH1_VNODE1_TOKENS; 799 break; 800 801 case AUE_EXTATTRCTL: 802 UPATH1_VNODE1_TOKENS; 803 if (ARG_IS_VALID(kar, ARG_CMD)) { 804 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 805 kau_write(rec, tok); 806 } 807 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 808 UPATH2_TOKENS; 809 VNODE2_TOKENS; 810 EXTATTR_TOKENS; 811 break; 812 813 case AUE_EXTATTR_GET_FILE: 814 case AUE_EXTATTR_SET_FILE: 815 case AUE_EXTATTR_LIST_FILE: 816 case AUE_EXTATTR_DELETE_FILE: 817 case AUE_EXTATTR_GET_LINK: 818 case AUE_EXTATTR_SET_LINK: 819 case AUE_EXTATTR_LIST_LINK: 820 case AUE_EXTATTR_DELETE_LINK: 821 UPATH1_VNODE1_TOKENS; 822 EXTATTR_TOKENS; 823 break; 824 825 case AUE_EXTATTR_GET_FD: 826 case AUE_EXTATTR_SET_FD: 827 case AUE_EXTATTR_LIST_FD: 828 case AUE_EXTATTR_DELETE_FD: 829 if (ARG_IS_VALID(kar, ARG_FD)) { 830 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 831 kau_write(rec, tok); 832 } 833 EXTATTR_TOKENS; 834 break; 835 836 case AUE_FEXECVE: 837 if (ARG_IS_VALID(kar, ARG_FD)) { 838 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 839 kau_write(rec, tok); 840 } 841 /* FALLTHROUGH */ 842 843 case AUE_EXECVE: 844 case AUE_MAC_EXECVE: 845 if (ARG_IS_VALID(kar, ARG_ARGV)) { 846 tok = au_to_exec_args(ar->ar_arg_argv, 847 ar->ar_arg_argc); 848 kau_write(rec, tok); 849 } 850 if (ARG_IS_VALID(kar, ARG_ENVV)) { 851 tok = au_to_exec_env(ar->ar_arg_envv, 852 ar->ar_arg_envc); 853 kau_write(rec, tok); 854 } 855 UPATH1_VNODE1_TOKENS; 856 break; 857 858 case AUE_FCHMOD: 859 if (ARG_IS_VALID(kar, ARG_MODE)) { 860 tok = au_to_arg32(2, "new file mode", 861 ar->ar_arg_mode); 862 kau_write(rec, tok); 863 } 864 FD_VNODE1_TOKENS; 865 break; 866 867 /* 868 * XXXRW: Some of these need to handle non-vnode cases as well. 869 */ 870 case AUE_FCHDIR: 871 case AUE_FPATHCONF: 872 case AUE_FSTAT: 873 case AUE_FSTATFS: 874 case AUE_FSYNC: 875 case AUE_FTRUNCATE: 876 case AUE_FUTIMES: 877 case AUE_GETDIRENTRIES: 878 case AUE_GETDIRENTRIESATTR: 879 case AUE_LSEEK: 880 case AUE_POLL: 881 case AUE_READ: 882 case AUE_READV: 883 case AUE_WRITE: 884 case AUE_WRITEV: 885 FD_VNODE1_TOKENS; 886 break; 887 888 case AUE_FCHOWN: 889 if (ARG_IS_VALID(kar, ARG_UID)) { 890 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 891 kau_write(rec, tok); 892 } 893 if (ARG_IS_VALID(kar, ARG_GID)) { 894 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 895 kau_write(rec, tok); 896 } 897 FD_VNODE1_TOKENS; 898 break; 899 900 case AUE_FCNTL: 901 if (ARG_IS_VALID(kar, ARG_CMD)) { 902 tok = au_to_arg32(2, "cmd", 903 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 904 kau_write(rec, tok); 905 } 906 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 907 ar->ar_arg_cmd == F_SETLKW) { 908 FD_VNODE1_TOKENS; 909 } 910 break; 911 912 case AUE_FCHFLAGS: 913 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 914 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 915 kau_write(rec, tok); 916 } 917 FD_VNODE1_TOKENS; 918 break; 919 920 case AUE_FLOCK: 921 if (ARG_IS_VALID(kar, ARG_CMD)) { 922 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 923 kau_write(rec, tok); 924 } 925 FD_VNODE1_TOKENS; 926 break; 927 928 case AUE_RFORK: 929 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 930 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 931 kau_write(rec, tok); 932 } 933 /* FALLTHROUGH */ 934 935 case AUE_FORK: 936 case AUE_VFORK: 937 if (ARG_IS_VALID(kar, ARG_PID)) { 938 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 939 kau_write(rec, tok); 940 } 941 break; 942 943 case AUE_IOCTL: 944 if (ARG_IS_VALID(kar, ARG_CMD)) { 945 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 946 kau_write(rec, tok); 947 } 948 if (ARG_IS_VALID(kar, ARG_ADDR)) { 949 tok = au_to_arg32(1, "arg", 950 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 951 kau_write(rec, tok); 952 } 953 if (ARG_IS_VALID(kar, ARG_VNODE1)) 954 FD_VNODE1_TOKENS; 955 else { 956 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 957 tok = kau_to_socket(&ar->ar_arg_sockinfo); 958 kau_write(rec, tok); 959 } else { 960 if (ARG_IS_VALID(kar, ARG_FD)) { 961 tok = au_to_arg32(1, "fd", 962 ar->ar_arg_fd); 963 kau_write(rec, tok); 964 } 965 } 966 } 967 break; 968 969 case AUE_KILL: 970 case AUE_KILLPG: 971 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 972 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 973 kau_write(rec, tok); 974 } 975 PROCESS_PID_TOKENS(1); 976 break; 977 978 case AUE_KTRACE: 979 if (ARG_IS_VALID(kar, ARG_CMD)) { 980 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 981 kau_write(rec, tok); 982 } 983 if (ARG_IS_VALID(kar, ARG_VALUE)) { 984 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 985 kau_write(rec, tok); 986 } 987 PROCESS_PID_TOKENS(4); 988 UPATH1_VNODE1_TOKENS; 989 break; 990 991 case AUE_LINK: 992 case AUE_RENAME: 993 UPATH1_VNODE1_TOKENS; 994 UPATH2_TOKENS; 995 break; 996 997 case AUE_LOADSHFILE: 998 if (ARG_IS_VALID(kar, ARG_ADDR)) { 999 tok = au_to_arg32(4, "base addr", 1000 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1001 kau_write(rec, tok); 1002 } 1003 UPATH1_VNODE1_TOKENS; 1004 break; 1005 1006 case AUE_MKDIR: 1007 if (ARG_IS_VALID(kar, ARG_MODE)) { 1008 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1009 kau_write(rec, tok); 1010 } 1011 UPATH1_VNODE1_TOKENS; 1012 break; 1013 1014 case AUE_MKNOD: 1015 if (ARG_IS_VALID(kar, ARG_MODE)) { 1016 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1017 kau_write(rec, tok); 1018 } 1019 if (ARG_IS_VALID(kar, ARG_DEV)) { 1020 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1021 kau_write(rec, tok); 1022 } 1023 UPATH1_VNODE1_TOKENS; 1024 break; 1025 1026 case AUE_MMAP: 1027 case AUE_MUNMAP: 1028 case AUE_MPROTECT: 1029 case AUE_MLOCK: 1030 case AUE_MUNLOCK: 1031 case AUE_MINHERIT: 1032 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1033 tok = au_to_arg32(1, "addr", 1034 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1035 kau_write(rec, tok); 1036 } 1037 if (ARG_IS_VALID(kar, ARG_LEN)) { 1038 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1039 kau_write(rec, tok); 1040 } 1041 if (ar->ar_event == AUE_MMAP) 1042 FD_VNODE1_TOKENS; 1043 if (ar->ar_event == AUE_MPROTECT) { 1044 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1045 tok = au_to_arg32(3, "protection", 1046 ar->ar_arg_value); 1047 kau_write(rec, tok); 1048 } 1049 } 1050 if (ar->ar_event == AUE_MINHERIT) { 1051 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1052 tok = au_to_arg32(3, "inherit", 1053 ar->ar_arg_value); 1054 kau_write(rec, tok); 1055 } 1056 } 1057 break; 1058 1059 case AUE_MOUNT: 1060 case AUE_NMOUNT: 1061 /* XXX Need to handle NFS mounts */ 1062 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1063 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1064 kau_write(rec, tok); 1065 } 1066 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1067 tok = au_to_text(ar->ar_arg_text); 1068 kau_write(rec, tok); 1069 } 1070 /* FALLTHROUGH */ 1071 1072 case AUE_NFS_SVC: 1073 if (ARG_IS_VALID(kar, ARG_CMD)) { 1074 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1075 kau_write(rec, tok); 1076 } 1077 break; 1078 1079 case AUE_UMOUNT: 1080 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1081 tok = au_to_arg32(1, "flags", ar->ar_arg_value); 1082 kau_write(rec, tok); 1083 } 1084 UPATH1_VNODE1_TOKENS; 1085 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1086 tok = au_to_text(ar->ar_arg_text); 1087 kau_write(rec, tok); 1088 } 1089 break; 1090 1091 case AUE_MSGCTL: 1092 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1093 /* Fall through */ 1094 1095 case AUE_MSGRCV: 1096 case AUE_MSGSND: 1097 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1098 kau_write(rec, tok); 1099 if (ar->ar_errno != EINVAL) { 1100 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1101 kau_write(rec, tok); 1102 } 1103 break; 1104 1105 case AUE_MSGGET: 1106 if (ar->ar_errno == 0) { 1107 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1108 tok = au_to_ipc(AT_IPC_MSG, 1109 ar->ar_arg_svipc_id); 1110 kau_write(rec, tok); 1111 } 1112 } 1113 break; 1114 1115 case AUE_RESETSHFILE: 1116 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1117 tok = au_to_arg32(1, "base addr", 1118 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1119 kau_write(rec, tok); 1120 } 1121 break; 1122 1123 case AUE_OPEN_RC: 1124 case AUE_OPEN_RTC: 1125 case AUE_OPEN_RWC: 1126 case AUE_OPEN_RWTC: 1127 case AUE_OPEN_WC: 1128 case AUE_OPEN_WTC: 1129 case AUE_CREAT: 1130 if (ARG_IS_VALID(kar, ARG_MODE)) { 1131 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1132 kau_write(rec, tok); 1133 } 1134 /* FALLTHROUGH */ 1135 1136 case AUE_OPEN_R: 1137 case AUE_OPEN_RT: 1138 case AUE_OPEN_RW: 1139 case AUE_OPEN_RWT: 1140 case AUE_OPEN_W: 1141 case AUE_OPEN_WT: 1142 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1143 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1144 kau_write(rec, tok); 1145 } 1146 UPATH1_VNODE1_TOKENS; 1147 break; 1148 1149 case AUE_PTRACE: 1150 if (ARG_IS_VALID(kar, ARG_CMD)) { 1151 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1152 kau_write(rec, tok); 1153 } 1154 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1155 tok = au_to_arg32(3, "addr", 1156 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1157 kau_write(rec, tok); 1158 } 1159 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1160 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1161 kau_write(rec, tok); 1162 } 1163 PROCESS_PID_TOKENS(2); 1164 break; 1165 1166 case AUE_QUOTACTL: 1167 if (ARG_IS_VALID(kar, ARG_CMD)) { 1168 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1169 kau_write(rec, tok); 1170 } 1171 if (ARG_IS_VALID(kar, ARG_UID)) { 1172 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1173 kau_write(rec, tok); 1174 } 1175 UPATH1_VNODE1_TOKENS; 1176 break; 1177 1178 case AUE_REBOOT: 1179 if (ARG_IS_VALID(kar, ARG_CMD)) { 1180 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1181 kau_write(rec, tok); 1182 } 1183 break; 1184 1185 case AUE_SEMCTL: 1186 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1187 /* Fall through */ 1188 1189 case AUE_SEMOP: 1190 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1191 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1192 kau_write(rec, tok); 1193 if (ar->ar_errno != EINVAL) { 1194 tok = au_to_ipc(AT_IPC_SEM, 1195 ar->ar_arg_svipc_id); 1196 kau_write(rec, tok); 1197 } 1198 } 1199 break; 1200 1201 case AUE_SEMGET: 1202 if (ar->ar_errno == 0) { 1203 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1204 tok = au_to_ipc(AT_IPC_SEM, 1205 ar->ar_arg_svipc_id); 1206 kau_write(rec, tok); 1207 } 1208 } 1209 break; 1210 1211 case AUE_SETEGID: 1212 if (ARG_IS_VALID(kar, ARG_EGID)) { 1213 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1214 kau_write(rec, tok); 1215 } 1216 break; 1217 1218 case AUE_SETEUID: 1219 if (ARG_IS_VALID(kar, ARG_EUID)) { 1220 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1221 kau_write(rec, tok); 1222 } 1223 break; 1224 1225 case AUE_SETREGID: 1226 if (ARG_IS_VALID(kar, ARG_RGID)) { 1227 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1228 kau_write(rec, tok); 1229 } 1230 if (ARG_IS_VALID(kar, ARG_EGID)) { 1231 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1232 kau_write(rec, tok); 1233 } 1234 break; 1235 1236 case AUE_SETREUID: 1237 if (ARG_IS_VALID(kar, ARG_RUID)) { 1238 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1239 kau_write(rec, tok); 1240 } 1241 if (ARG_IS_VALID(kar, ARG_EUID)) { 1242 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1243 kau_write(rec, tok); 1244 } 1245 break; 1246 1247 case AUE_SETRESGID: 1248 if (ARG_IS_VALID(kar, ARG_RGID)) { 1249 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1250 kau_write(rec, tok); 1251 } 1252 if (ARG_IS_VALID(kar, ARG_EGID)) { 1253 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1254 kau_write(rec, tok); 1255 } 1256 if (ARG_IS_VALID(kar, ARG_SGID)) { 1257 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1258 kau_write(rec, tok); 1259 } 1260 break; 1261 1262 case AUE_SETRESUID: 1263 if (ARG_IS_VALID(kar, ARG_RUID)) { 1264 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1265 kau_write(rec, tok); 1266 } 1267 if (ARG_IS_VALID(kar, ARG_EUID)) { 1268 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1269 kau_write(rec, tok); 1270 } 1271 if (ARG_IS_VALID(kar, ARG_SUID)) { 1272 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1273 kau_write(rec, tok); 1274 } 1275 break; 1276 1277 case AUE_SETGID: 1278 if (ARG_IS_VALID(kar, ARG_GID)) { 1279 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1280 kau_write(rec, tok); 1281 } 1282 break; 1283 1284 case AUE_SETUID: 1285 if (ARG_IS_VALID(kar, ARG_UID)) { 1286 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1287 kau_write(rec, tok); 1288 } 1289 break; 1290 1291 case AUE_SETGROUPS: 1292 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1293 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1294 { 1295 tok = au_to_arg32(1, "setgroups", 1296 ar->ar_arg_groups.gidset[ctr]); 1297 kau_write(rec, tok); 1298 } 1299 } 1300 break; 1301 1302 case AUE_SETLOGIN: 1303 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1304 tok = au_to_text(ar->ar_arg_text); 1305 kau_write(rec, tok); 1306 } 1307 break; 1308 1309 case AUE_SETPRIORITY: 1310 if (ARG_IS_VALID(kar, ARG_CMD)) { 1311 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1312 kau_write(rec, tok); 1313 } 1314 if (ARG_IS_VALID(kar, ARG_UID)) { 1315 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1316 kau_write(rec, tok); 1317 } 1318 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1319 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1320 kau_write(rec, tok); 1321 } 1322 break; 1323 1324 case AUE_SETPRIVEXEC: 1325 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1326 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1327 kau_write(rec, tok); 1328 } 1329 break; 1330 1331 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1332 case AUE_SHMAT: 1333 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1334 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1335 kau_write(rec, tok); 1336 /* XXXAUDIT: Does having the ipc token make sense? */ 1337 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1338 kau_write(rec, tok); 1339 } 1340 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1341 tok = au_to_arg32(2, "shmaddr", 1342 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1343 kau_write(rec, tok); 1344 } 1345 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1346 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1347 kau_write(rec, tok); 1348 } 1349 break; 1350 1351 case AUE_SHMCTL: 1352 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1353 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1354 kau_write(rec, tok); 1355 /* XXXAUDIT: Does having the ipc token make sense? */ 1356 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1357 kau_write(rec, tok); 1358 } 1359 switch (ar->ar_arg_svipc_cmd) { 1360 case IPC_STAT: 1361 ar->ar_event = AUE_SHMCTL_STAT; 1362 break; 1363 case IPC_RMID: 1364 ar->ar_event = AUE_SHMCTL_RMID; 1365 break; 1366 case IPC_SET: 1367 ar->ar_event = AUE_SHMCTL_SET; 1368 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1369 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1370 kau_write(rec, tok); 1371 } 1372 break; 1373 default: 1374 break; /* We will audit a bad command */ 1375 } 1376 break; 1377 1378 case AUE_SHMDT: 1379 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1380 tok = au_to_arg32(1, "shmaddr", 1381 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1382 kau_write(rec, tok); 1383 } 1384 break; 1385 1386 case AUE_SHMGET: 1387 /* This is unusual; the return value is in an argument token */ 1388 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1389 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1390 kau_write(rec, tok); 1391 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1392 kau_write(rec, tok); 1393 } 1394 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1395 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1396 kau_write(rec, tok); 1397 } 1398 break; 1399 1400 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1401 * and AUE_SEMUNLINK are Posix IPC */ 1402 case AUE_SHMOPEN: 1403 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1404 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1405 kau_write(rec, tok); 1406 } 1407 if (ARG_IS_VALID(kar, ARG_MODE)) { 1408 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1409 kau_write(rec, tok); 1410 } 1411 /* FALLTHROUGH */ 1412 1413 case AUE_SHMUNLINK: 1414 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1415 tok = au_to_text(ar->ar_arg_text); 1416 kau_write(rec, tok); 1417 } 1418 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1419 struct ipc_perm perm; 1420 1421 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1422 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1423 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1424 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1425 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1426 perm.seq = 0; 1427 perm.key = 0; 1428 tok = au_to_ipc_perm(&perm); 1429 kau_write(rec, tok); 1430 } 1431 break; 1432 1433 case AUE_SEMOPEN: 1434 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1435 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1436 kau_write(rec, tok); 1437 } 1438 if (ARG_IS_VALID(kar, ARG_MODE)) { 1439 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1440 kau_write(rec, tok); 1441 } 1442 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1443 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1444 kau_write(rec, tok); 1445 } 1446 /* FALLTHROUGH */ 1447 1448 case AUE_SEMUNLINK: 1449 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1450 tok = au_to_text(ar->ar_arg_text); 1451 kau_write(rec, tok); 1452 } 1453 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1454 struct ipc_perm perm; 1455 1456 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1457 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1458 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1459 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1460 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1461 perm.seq = 0; 1462 perm.key = 0; 1463 tok = au_to_ipc_perm(&perm); 1464 kau_write(rec, tok); 1465 } 1466 break; 1467 1468 case AUE_SEMCLOSE: 1469 if (ARG_IS_VALID(kar, ARG_FD)) { 1470 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1471 kau_write(rec, tok); 1472 } 1473 break; 1474 1475 case AUE_SYMLINK: 1476 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1477 tok = au_to_text(ar->ar_arg_text); 1478 kau_write(rec, tok); 1479 } 1480 UPATH1_VNODE1_TOKENS; 1481 break; 1482 1483 case AUE_SYSCTL: 1484 case AUE_SYSCTL_NONADMIN: 1485 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1486 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1487 tok = au_to_arg32(1, "name", 1488 ar->ar_arg_ctlname[ctr]); 1489 kau_write(rec, tok); 1490 } 1491 } 1492 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1493 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1494 kau_write(rec, tok); 1495 } 1496 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1497 tok = au_to_text(ar->ar_arg_text); 1498 kau_write(rec, tok); 1499 } 1500 break; 1501 1502 case AUE_UMASK: 1503 if (ARG_IS_VALID(kar, ARG_MASK)) { 1504 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1505 kau_write(rec, tok); 1506 } 1507 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1508 kau_write(rec, tok); 1509 break; 1510 1511 case AUE_WAIT4: 1512 if (ARG_IS_VALID(kar, ARG_PID)) { 1513 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1514 kau_write(rec, tok); 1515 } 1516 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1517 tok = au_to_arg32(0, "options", ar->ar_arg_value); 1518 kau_write(rec, tok); 1519 } 1520 break; 1521 1522 case AUE_NULL: 1523 default: 1524 printf("BSM conversion requested for unknown event %d\n", 1525 ar->ar_event); 1526 1527 /* 1528 * Write the subject token so it is properly freed here. 1529 */ 1530 kau_write(rec, subj_tok); 1531 kau_free(rec); 1532 return (BSM_NOAUDIT); 1533 } 1534 1535 kau_write(rec, subj_tok); 1536 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1537 kau_write(rec, tok); /* Every record gets a return token */ 1538 1539 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1540 1541 *pau = rec; 1542 return (BSM_SUCCESS); 1543} 1544 1545/* 1546 * Verify that a record is a valid BSM record. This verification is simple 1547 * now, but may be expanded on sometime in the future. Return 1 if the 1548 * record is good, 0 otherwise. 1549 */ 1550int 1551bsm_rec_verify(void *rec) 1552{ 1553 char c = *(char *)rec; 1554 1555 /* 1556 * Check the token ID of the first token; it has to be a header 1557 * token. 1558 * 1559 * XXXAUDIT There needs to be a token structure to map a token. 1560 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1561 */ 1562 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1563 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1564 return (0); 1565 return (1); 1566} 1567