audit_bsm.c revision 195291
1/* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 195291 2009-07-02 16:33:38Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155} 156 157/* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161void 162kau_free(struct au_record *rec) 163{ 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177} 178 179/* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186#define UPATH1_TOKENS do { \ 187 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188 tok = au_to_path(ar->ar_arg_upath1); \ 189 kau_write(rec, tok); \ 190 } \ 191} while (0) 192 193#define UPATH2_TOKENS do { \ 194 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 195 tok = au_to_path(ar->ar_arg_upath2); \ 196 kau_write(rec, tok); \ 197 } \ 198} while (0) 199 200#define VNODE1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 202 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 203 kau_write(rec, tok); \ 204 } \ 205} while (0) 206 207#define UPATH1_VNODE1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 209 UPATH1_TOKENS; \ 210 } \ 211 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 212 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 213 kau_write(rec, tok); \ 214 } \ 215} while (0) 216 217#define VNODE2_TOKENS do { \ 218 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 219 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 220 kau_write(rec, tok); \ 221 } \ 222} while (0) 223 224#define FD_VNODE1_TOKENS do { \ 225 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 226 if (ARG_IS_VALID(kar, ARG_FD)) { \ 227 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 228 kau_write(rec, tok); \ 229 } \ 230 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 231 kau_write(rec, tok); \ 232 } else { \ 233 if (ARG_IS_VALID(kar, ARG_FD)) { \ 234 tok = au_to_arg32(1, "non-file: fd", \ 235 ar->ar_arg_fd); \ 236 kau_write(rec, tok); \ 237 } \ 238 } \ 239} while (0) 240 241#define PROCESS_PID_TOKENS(argn) do { \ 242 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 243 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 244 tok = au_to_process32_ex(ar->ar_arg_auid, \ 245 ar->ar_arg_euid, ar->ar_arg_egid, \ 246 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 247 ar->ar_arg_pid, ar->ar_arg_asid, \ 248 &ar->ar_arg_termid_addr); \ 249 kau_write(rec, tok); \ 250 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 251 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 252 kau_write(rec, tok); \ 253 } \ 254} while (0) 255 256#define EXTATTR_TOKENS(namespace_argnum) do { \ 257 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 258 switch (ar->ar_arg_value) { \ 259 case EXTATTR_NAMESPACE_USER: \ 260 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 261 break; \ 262 case EXTATTR_NAMESPACE_SYSTEM: \ 263 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 264 break; \ 265 default: \ 266 tok = au_to_arg32((namespace_argnum), \ 267 "attrnamespace", ar->ar_arg_value); \ 268 break; \ 269 } \ 270 kau_write(rec, tok); \ 271 } \ 272 /* attrname is in the text field */ \ 273 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 274 tok = au_to_text(ar->ar_arg_text); \ 275 kau_write(rec, tok); \ 276 } \ 277} while (0) 278 279/* 280 * Not all pointer arguments to system calls are of interest, but in some 281 * cases they reflect delegation of rights, such as mmap(2) followed by 282 * minherit(2) before execve(2), so do the best we can. 283 */ 284#define ADDR_TOKEN(argnum, argname) do { \ 285 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 286 if (sizeof(void *) == sizeof(uint32_t)) \ 287 tok = au_to_arg32((argnum), (argname), \ 288 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 289 else \ 290 tok = au_to_arg64((argnum), (argname), \ 291 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 292 kau_write(rec, tok); \ 293 } \ 294} while (0) 295 296 297/* 298 * Implement auditing for the auditon() system call. The audit tokens that 299 * are generated depend on the command that was sent into the auditon() 300 * system call. 301 */ 302static void 303audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 304{ 305 struct au_token *tok; 306 307 tok = au_to_arg32(3, "length", ar->ar_arg_len); 308 kau_write(rec, tok); 309 switch (ar->ar_arg_cmd) { 310 case A_OLDSETPOLICY: 311 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 312 tok = au_to_arg64(2, "policy", 313 ar->ar_arg_auditon.au_policy64); 314 kau_write(rec, tok); 315 break; 316 } 317 /* FALLTHROUGH */ 318 319 case A_SETPOLICY: 320 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 321 kau_write(rec, tok); 322 break; 323 324 case A_SETKMASK: 325 tok = au_to_arg32(2, "setkmask:as_success", 326 ar->ar_arg_auditon.au_mask.am_success); 327 kau_write(rec, tok); 328 tok = au_to_arg32(2, "setkmask:as_failure", 329 ar->ar_arg_auditon.au_mask.am_failure); 330 kau_write(rec, tok); 331 break; 332 333 case A_OLDSETQCTRL: 334 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 335 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 336 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 337 kau_write(rec, tok); 338 tok = au_to_arg64(2, "setqctrl:aq_lowater", 339 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 340 kau_write(rec, tok); 341 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 342 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 343 kau_write(rec, tok); 344 tok = au_to_arg64(2, "setqctrl:aq_delay", 345 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 346 kau_write(rec, tok); 347 tok = au_to_arg64(2, "setqctrl:aq_minfree", 348 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 349 kau_write(rec, tok); 350 break; 351 } 352 /* FALLTHROUGH */ 353 354 case A_SETQCTRL: 355 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 356 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 357 kau_write(rec, tok); 358 tok = au_to_arg32(2, "setqctrl:aq_lowater", 359 ar->ar_arg_auditon.au_qctrl.aq_lowater); 360 kau_write(rec, tok); 361 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 362 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 363 kau_write(rec, tok); 364 tok = au_to_arg32(2, "setqctrl:aq_delay", 365 ar->ar_arg_auditon.au_qctrl.aq_delay); 366 kau_write(rec, tok); 367 tok = au_to_arg32(2, "setqctrl:aq_minfree", 368 ar->ar_arg_auditon.au_qctrl.aq_minfree); 369 kau_write(rec, tok); 370 break; 371 372 case A_SETUMASK: 373 tok = au_to_arg32(2, "setumask:as_success", 374 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 375 kau_write(rec, tok); 376 tok = au_to_arg32(2, "setumask:as_failure", 377 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 378 kau_write(rec, tok); 379 break; 380 381 case A_SETSMASK: 382 tok = au_to_arg32(2, "setsmask:as_success", 383 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 384 kau_write(rec, tok); 385 tok = au_to_arg32(2, "setsmask:as_failure", 386 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 387 kau_write(rec, tok); 388 break; 389 390 case A_OLDSETCOND: 391 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 392 tok = au_to_arg64(2, "setcond", 393 ar->ar_arg_auditon.au_cond64); 394 kau_write(rec, tok); 395 break; 396 } 397 /* FALLTHROUGH */ 398 399 case A_SETCOND: 400 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 401 kau_write(rec, tok); 402 break; 403 404 case A_SETCLASS: 405 kau_write(rec, tok); 406 tok = au_to_arg32(2, "setclass:ec_event", 407 ar->ar_arg_auditon.au_evclass.ec_number); 408 kau_write(rec, tok); 409 tok = au_to_arg32(2, "setclass:ec_class", 410 ar->ar_arg_auditon.au_evclass.ec_class); 411 kau_write(rec, tok); 412 break; 413 414 case A_SETPMASK: 415 tok = au_to_arg32(2, "setpmask:as_success", 416 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 417 kau_write(rec, tok); 418 tok = au_to_arg32(2, "setpmask:as_failure", 419 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 420 kau_write(rec, tok); 421 break; 422 423 case A_SETFSIZE: 424 tok = au_to_arg32(2, "setfsize:filesize", 425 ar->ar_arg_auditon.au_fstat.af_filesz); 426 kau_write(rec, tok); 427 break; 428 429 default: 430 break; 431 } 432} 433 434/* 435 * Convert an internal kernel audit record to a BSM record and return a 436 * success/failure indicator. The BSM record is passed as an out parameter to 437 * this function. 438 * 439 * Return conditions: 440 * BSM_SUCCESS: The BSM record is valid 441 * BSM_FAILURE: Failure; the BSM record is NULL. 442 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 443 */ 444int 445kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 446{ 447 struct au_token *tok, *subj_tok; 448 struct au_record *rec; 449 au_tid_t tid; 450 struct audit_record *ar; 451 int ctr; 452 453 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 454 455 *pau = NULL; 456 ar = &kar->k_ar; 457 rec = kau_open(); 458 459 /* 460 * Create the subject token. 461 */ 462 switch (ar->ar_subj_term_addr.at_type) { 463 case AU_IPv4: 464 tid.port = ar->ar_subj_term_addr.at_port; 465 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 466 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 467 ar->ar_subj_cred.cr_uid, /* eff uid */ 468 ar->ar_subj_egid, /* eff group id */ 469 ar->ar_subj_ruid, /* real uid */ 470 ar->ar_subj_rgid, /* real group id */ 471 ar->ar_subj_pid, /* process id */ 472 ar->ar_subj_asid, /* session ID */ 473 &tid); 474 break; 475 case AU_IPv6: 476 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 477 ar->ar_subj_cred.cr_uid, 478 ar->ar_subj_egid, 479 ar->ar_subj_ruid, 480 ar->ar_subj_rgid, 481 ar->ar_subj_pid, 482 ar->ar_subj_asid, 483 &ar->ar_subj_term_addr); 484 break; 485 default: 486 bzero(&tid, sizeof(tid)); 487 subj_tok = au_to_subject32(ar->ar_subj_auid, 488 ar->ar_subj_cred.cr_uid, 489 ar->ar_subj_egid, 490 ar->ar_subj_ruid, 491 ar->ar_subj_rgid, 492 ar->ar_subj_pid, 493 ar->ar_subj_asid, 494 &tid); 495 } 496 497 /* 498 * The logic inside each case fills in the tokens required for the 499 * event, except for the header, trailer, and return tokens. The 500 * header and trailer tokens are added by the kau_close() function. 501 * The return token is added outside of the switch statement. 502 */ 503 switch(ar->ar_event) { 504 case AUE_ACCEPT: 505 case AUE_BIND: 506 case AUE_LISTEN: 507 case AUE_CONNECT: 508 case AUE_RECV: 509 case AUE_RECVFROM: 510 case AUE_RECVMSG: 511 case AUE_SEND: 512 case AUE_SENDFILE: 513 case AUE_SENDMSG: 514 case AUE_SENDTO: 515 /* 516 * Socket-related events. 517 */ 518 if (ARG_IS_VALID(kar, ARG_FD)) { 519 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 520 kau_write(rec, tok); 521 } 522 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 523 tok = au_to_sock_inet((struct sockaddr_in *) 524 &ar->ar_arg_sockaddr); 525 kau_write(rec, tok); 526 } 527 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 528 tok = au_to_sock_unix((struct sockaddr_un *) 529 &ar->ar_arg_sockaddr); 530 kau_write(rec, tok); 531 UPATH1_TOKENS; 532 } 533 /* XXX Need to handle ARG_SADDRINET6 */ 534 break; 535 536 case AUE_SOCKET: 537 case AUE_SOCKETPAIR: 538 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 539 tok = au_to_arg32(1, "domain", 540 ar->ar_arg_sockinfo.so_domain); 541 kau_write(rec, tok); 542 tok = au_to_arg32(2, "type", 543 ar->ar_arg_sockinfo.so_type); 544 kau_write(rec, tok); 545 tok = au_to_arg32(3, "protocol", 546 ar->ar_arg_sockinfo.so_protocol); 547 kau_write(rec, tok); 548 } 549 break; 550 551 case AUE_SETSOCKOPT: 552 case AUE_SHUTDOWN: 553 if (ARG_IS_VALID(kar, ARG_FD)) { 554 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 555 kau_write(rec, tok); 556 } 557 break; 558 559 case AUE_ACCT: 560 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 561 UPATH1_VNODE1_TOKENS; 562 } else { 563 tok = au_to_arg32(1, "accounting off", 0); 564 kau_write(rec, tok); 565 } 566 break; 567 568 case AUE_SETAUID: 569 if (ARG_IS_VALID(kar, ARG_AUID)) { 570 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 571 kau_write(rec, tok); 572 } 573 break; 574 575 case AUE_SETAUDIT: 576 if (ARG_IS_VALID(kar, ARG_AUID) && 577 ARG_IS_VALID(kar, ARG_ASID) && 578 ARG_IS_VALID(kar, ARG_AMASK) && 579 ARG_IS_VALID(kar, ARG_TERMID)) { 580 tok = au_to_arg32(1, "setaudit:auid", 581 ar->ar_arg_auid); 582 kau_write(rec, tok); 583 tok = au_to_arg32(1, "setaudit:port", 584 ar->ar_arg_termid.port); 585 kau_write(rec, tok); 586 tok = au_to_arg32(1, "setaudit:machine", 587 ar->ar_arg_termid.machine); 588 kau_write(rec, tok); 589 tok = au_to_arg32(1, "setaudit:as_success", 590 ar->ar_arg_amask.am_success); 591 kau_write(rec, tok); 592 tok = au_to_arg32(1, "setaudit:as_failure", 593 ar->ar_arg_amask.am_failure); 594 kau_write(rec, tok); 595 tok = au_to_arg32(1, "setaudit:asid", 596 ar->ar_arg_asid); 597 kau_write(rec, tok); 598 } 599 break; 600 601 case AUE_SETAUDIT_ADDR: 602 if (ARG_IS_VALID(kar, ARG_AUID) && 603 ARG_IS_VALID(kar, ARG_ASID) && 604 ARG_IS_VALID(kar, ARG_AMASK) && 605 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 606 tok = au_to_arg32(1, "setaudit_addr:auid", 607 ar->ar_arg_auid); 608 kau_write(rec, tok); 609 tok = au_to_arg32(1, "setaudit_addr:as_success", 610 ar->ar_arg_amask.am_success); 611 kau_write(rec, tok); 612 tok = au_to_arg32(1, "setaudit_addr:as_failure", 613 ar->ar_arg_amask.am_failure); 614 kau_write(rec, tok); 615 tok = au_to_arg32(1, "setaudit_addr:asid", 616 ar->ar_arg_asid); 617 kau_write(rec, tok); 618 tok = au_to_arg32(1, "setaudit_addr:type", 619 ar->ar_arg_termid_addr.at_type); 620 kau_write(rec, tok); 621 tok = au_to_arg32(1, "setaudit_addr:port", 622 ar->ar_arg_termid_addr.at_port); 623 kau_write(rec, tok); 624 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 625 tok = au_to_in_addr_ex((struct in6_addr *) 626 &ar->ar_arg_termid_addr.at_addr[0]); 627 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 628 tok = au_to_in_addr((struct in_addr *) 629 &ar->ar_arg_termid_addr.at_addr[0]); 630 kau_write(rec, tok); 631 } 632 break; 633 634 case AUE_AUDITON: 635 /* 636 * For AUDITON commands without own event, audit the cmd. 637 */ 638 if (ARG_IS_VALID(kar, ARG_CMD)) { 639 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 640 kau_write(rec, tok); 641 } 642 /* FALLTHROUGH */ 643 644 case AUE_AUDITON_GETCAR: 645 case AUE_AUDITON_GETCLASS: 646 case AUE_AUDITON_GETCOND: 647 case AUE_AUDITON_GETCWD: 648 case AUE_AUDITON_GETKMASK: 649 case AUE_AUDITON_GETSTAT: 650 case AUE_AUDITON_GPOLICY: 651 case AUE_AUDITON_GQCTRL: 652 case AUE_AUDITON_SETCLASS: 653 case AUE_AUDITON_SETCOND: 654 case AUE_AUDITON_SETKMASK: 655 case AUE_AUDITON_SETSMASK: 656 case AUE_AUDITON_SETSTAT: 657 case AUE_AUDITON_SETUMASK: 658 case AUE_AUDITON_SPOLICY: 659 case AUE_AUDITON_SQCTRL: 660 if (ARG_IS_VALID(kar, ARG_AUDITON)) 661 audit_sys_auditon(ar, rec); 662 break; 663 664 case AUE_AUDITCTL: 665 UPATH1_VNODE1_TOKENS; 666 break; 667 668 case AUE_EXIT: 669 if (ARG_IS_VALID(kar, ARG_EXIT)) { 670 tok = au_to_exit(ar->ar_arg_exitretval, 671 ar->ar_arg_exitstatus); 672 kau_write(rec, tok); 673 } 674 break; 675 676 case AUE_ADJTIME: 677 case AUE_CLOCK_SETTIME: 678 case AUE_AUDIT: 679 case AUE_DUP2: 680 case AUE_GETAUDIT: 681 case AUE_GETAUDIT_ADDR: 682 case AUE_GETAUID: 683 case AUE_GETCWD: 684 case AUE_GETFSSTAT: 685 case AUE_GETRESUID: 686 case AUE_GETRESGID: 687 case AUE_KQUEUE: 688 case AUE_MODLOAD: 689 case AUE_MODUNLOAD: 690 case AUE_MSGSYS: 691 case AUE_NTP_ADJTIME: 692 case AUE_PIPE: 693 case AUE_POSIX_OPENPT: 694 case AUE_PROFILE: 695 case AUE_RTPRIO: 696 case AUE_SEMSYS: 697 case AUE_SHMSYS: 698 case AUE_SETPGRP: 699 case AUE_SETRLIMIT: 700 case AUE_SETSID: 701 case AUE_SETTIMEOFDAY: 702 case AUE_SYSARCH: 703 704 /* 705 * Header, subject, and return tokens added at end. 706 */ 707 break; 708 709 case AUE_MKFIFO: 710 if (ARG_IS_VALID(kar, ARG_MODE)) { 711 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 712 kau_write(rec, tok); 713 } 714 /* FALLTHROUGH */ 715 716 case AUE_CHDIR: 717 case AUE_CHROOT: 718 case AUE_GETATTRLIST: 719 case AUE_JAIL: 720 case AUE_LUTIMES: 721 case AUE_NFS_GETFH: 722 case AUE_LSTAT: 723 case AUE_PATHCONF: 724 case AUE_READLINK: 725 case AUE_REVOKE: 726 case AUE_RMDIR: 727 case AUE_SEARCHFS: 728 case AUE_SETATTRLIST: 729 case AUE_STAT: 730 case AUE_STATFS: 731 case AUE_SWAPON: 732 case AUE_SWAPOFF: 733 case AUE_TRUNCATE: 734 case AUE_UNDELETE: 735 case AUE_UNLINK: 736 case AUE_UTIMES: 737 UPATH1_VNODE1_TOKENS; 738 break; 739 740 case AUE_ACCESS: 741 case AUE_EACCESS: 742 UPATH1_VNODE1_TOKENS; 743 if (ARG_IS_VALID(kar, ARG_VALUE)) { 744 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 745 kau_write(rec, tok); 746 } 747 break; 748 749 case AUE_FHSTATFS: 750 case AUE_FHOPEN: 751 case AUE_FHSTAT: 752 /* XXXRW: Need to audit vnode argument. */ 753 break; 754 755 case AUE_CHFLAGS: 756 case AUE_LCHFLAGS: 757 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 758 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 759 kau_write(rec, tok); 760 } 761 UPATH1_VNODE1_TOKENS; 762 break; 763 764 case AUE_CHMOD: 765 case AUE_LCHMOD: 766 if (ARG_IS_VALID(kar, ARG_MODE)) { 767 tok = au_to_arg32(2, "new file mode", 768 ar->ar_arg_mode); 769 kau_write(rec, tok); 770 } 771 UPATH1_VNODE1_TOKENS; 772 break; 773 774 case AUE_CHOWN: 775 case AUE_LCHOWN: 776 if (ARG_IS_VALID(kar, ARG_UID)) { 777 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 778 kau_write(rec, tok); 779 } 780 if (ARG_IS_VALID(kar, ARG_GID)) { 781 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 782 kau_write(rec, tok); 783 } 784 UPATH1_VNODE1_TOKENS; 785 break; 786 787 case AUE_EXCHANGEDATA: 788 UPATH1_VNODE1_TOKENS; 789 UPATH2_TOKENS; 790 break; 791 792 case AUE_CLOSE: 793 if (ARG_IS_VALID(kar, ARG_FD)) { 794 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 795 kau_write(rec, tok); 796 } 797 UPATH1_VNODE1_TOKENS; 798 break; 799 800 case AUE_CORE: 801 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 802 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 803 kau_write(rec, tok); 804 } 805 UPATH1_VNODE1_TOKENS; 806 break; 807 808 case AUE_EXTATTRCTL: 809 UPATH1_VNODE1_TOKENS; 810 if (ARG_IS_VALID(kar, ARG_CMD)) { 811 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 812 kau_write(rec, tok); 813 } 814 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 815 UPATH2_TOKENS; 816 VNODE2_TOKENS; 817 EXTATTR_TOKENS(4); 818 break; 819 820 case AUE_EXTATTR_GET_FILE: 821 case AUE_EXTATTR_SET_FILE: 822 case AUE_EXTATTR_LIST_FILE: 823 case AUE_EXTATTR_DELETE_FILE: 824 case AUE_EXTATTR_GET_LINK: 825 case AUE_EXTATTR_SET_LINK: 826 case AUE_EXTATTR_LIST_LINK: 827 case AUE_EXTATTR_DELETE_LINK: 828 UPATH1_VNODE1_TOKENS; 829 EXTATTR_TOKENS(2); 830 break; 831 832 case AUE_EXTATTR_GET_FD: 833 case AUE_EXTATTR_SET_FD: 834 case AUE_EXTATTR_LIST_FD: 835 case AUE_EXTATTR_DELETE_FD: 836 if (ARG_IS_VALID(kar, ARG_FD)) { 837 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 838 kau_write(rec, tok); 839 } 840 EXTATTR_TOKENS(2); 841 break; 842 843 case AUE_FEXECVE: 844 if (ARG_IS_VALID(kar, ARG_FD)) { 845 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 846 kau_write(rec, tok); 847 } 848 /* FALLTHROUGH */ 849 850 case AUE_EXECVE: 851 case AUE_MAC_EXECVE: 852 if (ARG_IS_VALID(kar, ARG_ARGV)) { 853 tok = au_to_exec_args(ar->ar_arg_argv, 854 ar->ar_arg_argc); 855 kau_write(rec, tok); 856 } 857 if (ARG_IS_VALID(kar, ARG_ENVV)) { 858 tok = au_to_exec_env(ar->ar_arg_envv, 859 ar->ar_arg_envc); 860 kau_write(rec, tok); 861 } 862 UPATH1_VNODE1_TOKENS; 863 break; 864 865 case AUE_FCHMOD: 866 if (ARG_IS_VALID(kar, ARG_MODE)) { 867 tok = au_to_arg32(2, "new file mode", 868 ar->ar_arg_mode); 869 kau_write(rec, tok); 870 } 871 FD_VNODE1_TOKENS; 872 break; 873 874 /* 875 * XXXRW: Some of these need to handle non-vnode cases as well. 876 */ 877 case AUE_FCHDIR: 878 case AUE_FPATHCONF: 879 case AUE_FSTAT: 880 case AUE_FSTATFS: 881 case AUE_FSYNC: 882 case AUE_FTRUNCATE: 883 case AUE_FUTIMES: 884 case AUE_GETDIRENTRIES: 885 case AUE_GETDIRENTRIESATTR: 886 case AUE_LSEEK: 887 case AUE_POLL: 888 case AUE_READ: 889 case AUE_READV: 890 case AUE_WRITE: 891 case AUE_WRITEV: 892 FD_VNODE1_TOKENS; 893 break; 894 895 case AUE_FCHOWN: 896 if (ARG_IS_VALID(kar, ARG_UID)) { 897 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 898 kau_write(rec, tok); 899 } 900 if (ARG_IS_VALID(kar, ARG_GID)) { 901 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 902 kau_write(rec, tok); 903 } 904 FD_VNODE1_TOKENS; 905 break; 906 907 case AUE_FCNTL: 908 if (ARG_IS_VALID(kar, ARG_CMD)) { 909 tok = au_to_arg32(2, "cmd", 910 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 911 kau_write(rec, tok); 912 } 913 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 914 ar->ar_arg_cmd == F_SETLKW) { 915 FD_VNODE1_TOKENS; 916 } 917 break; 918 919 case AUE_FCHFLAGS: 920 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 921 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 922 kau_write(rec, tok); 923 } 924 FD_VNODE1_TOKENS; 925 break; 926 927 case AUE_FLOCK: 928 if (ARG_IS_VALID(kar, ARG_CMD)) { 929 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 930 kau_write(rec, tok); 931 } 932 FD_VNODE1_TOKENS; 933 break; 934 935 case AUE_RFORK: 936 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 937 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 938 kau_write(rec, tok); 939 } 940 /* FALLTHROUGH */ 941 942 case AUE_FORK: 943 case AUE_VFORK: 944 if (ARG_IS_VALID(kar, ARG_PID)) { 945 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 946 kau_write(rec, tok); 947 } 948 break; 949 950 case AUE_IOCTL: 951 if (ARG_IS_VALID(kar, ARG_CMD)) { 952 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 953 kau_write(rec, tok); 954 } 955 if (ARG_IS_VALID(kar, ARG_VNODE1)) 956 FD_VNODE1_TOKENS; 957 else { 958 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 959 tok = kau_to_socket(&ar->ar_arg_sockinfo); 960 kau_write(rec, tok); 961 } else { 962 if (ARG_IS_VALID(kar, ARG_FD)) { 963 tok = au_to_arg32(1, "fd", 964 ar->ar_arg_fd); 965 kau_write(rec, tok); 966 } 967 } 968 } 969 break; 970 971 case AUE_KILL: 972 case AUE_KILLPG: 973 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 974 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 975 kau_write(rec, tok); 976 } 977 PROCESS_PID_TOKENS(1); 978 break; 979 980 case AUE_KTRACE: 981 if (ARG_IS_VALID(kar, ARG_CMD)) { 982 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 983 kau_write(rec, tok); 984 } 985 if (ARG_IS_VALID(kar, ARG_VALUE)) { 986 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 987 kau_write(rec, tok); 988 } 989 PROCESS_PID_TOKENS(4); 990 UPATH1_VNODE1_TOKENS; 991 break; 992 993 case AUE_LINK: 994 case AUE_RENAME: 995 UPATH1_VNODE1_TOKENS; 996 UPATH2_TOKENS; 997 break; 998 999 case AUE_LOADSHFILE: 1000 ADDR_TOKEN(4, "base addr"); 1001 UPATH1_VNODE1_TOKENS; 1002 break; 1003 1004 case AUE_MKDIR: 1005 if (ARG_IS_VALID(kar, ARG_MODE)) { 1006 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1007 kau_write(rec, tok); 1008 } 1009 UPATH1_VNODE1_TOKENS; 1010 break; 1011 1012 case AUE_MKNOD: 1013 if (ARG_IS_VALID(kar, ARG_MODE)) { 1014 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1015 kau_write(rec, tok); 1016 } 1017 if (ARG_IS_VALID(kar, ARG_DEV)) { 1018 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1019 kau_write(rec, tok); 1020 } 1021 UPATH1_VNODE1_TOKENS; 1022 break; 1023 1024 case AUE_MMAP: 1025 case AUE_MUNMAP: 1026 case AUE_MPROTECT: 1027 case AUE_MLOCK: 1028 case AUE_MUNLOCK: 1029 case AUE_MINHERIT: 1030 ADDR_TOKEN(1, "addr"); 1031 if (ARG_IS_VALID(kar, ARG_LEN)) { 1032 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1033 kau_write(rec, tok); 1034 } 1035 if (ar->ar_event == AUE_MMAP) 1036 FD_VNODE1_TOKENS; 1037 if (ar->ar_event == AUE_MPROTECT) { 1038 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1039 tok = au_to_arg32(3, "protection", 1040 ar->ar_arg_value); 1041 kau_write(rec, tok); 1042 } 1043 } 1044 if (ar->ar_event == AUE_MINHERIT) { 1045 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1046 tok = au_to_arg32(3, "inherit", 1047 ar->ar_arg_value); 1048 kau_write(rec, tok); 1049 } 1050 } 1051 break; 1052 1053 case AUE_MOUNT: 1054 case AUE_NMOUNT: 1055 /* XXX Need to handle NFS mounts */ 1056 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1057 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1058 kau_write(rec, tok); 1059 } 1060 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1061 tok = au_to_text(ar->ar_arg_text); 1062 kau_write(rec, tok); 1063 } 1064 /* FALLTHROUGH */ 1065 1066 case AUE_NFS_SVC: 1067 if (ARG_IS_VALID(kar, ARG_CMD)) { 1068 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1069 kau_write(rec, tok); 1070 } 1071 break; 1072 1073 case AUE_UMOUNT: 1074 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1075 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1076 kau_write(rec, tok); 1077 } 1078 UPATH1_VNODE1_TOKENS; 1079 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1080 tok = au_to_text(ar->ar_arg_text); 1081 kau_write(rec, tok); 1082 } 1083 break; 1084 1085 case AUE_MSGCTL: 1086 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1087 /* Fall through */ 1088 1089 case AUE_MSGRCV: 1090 case AUE_MSGSND: 1091 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1092 kau_write(rec, tok); 1093 if (ar->ar_errno != EINVAL) { 1094 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1095 kau_write(rec, tok); 1096 } 1097 break; 1098 1099 case AUE_MSGGET: 1100 if (ar->ar_errno == 0) { 1101 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1102 tok = au_to_ipc(AT_IPC_MSG, 1103 ar->ar_arg_svipc_id); 1104 kau_write(rec, tok); 1105 } 1106 } 1107 break; 1108 1109 case AUE_RESETSHFILE: 1110 ADDR_TOKEN(1, "base addr"); 1111 break; 1112 1113 case AUE_OPEN_RC: 1114 case AUE_OPEN_RTC: 1115 case AUE_OPEN_RWC: 1116 case AUE_OPEN_RWTC: 1117 case AUE_OPEN_WC: 1118 case AUE_OPEN_WTC: 1119 case AUE_CREAT: 1120 if (ARG_IS_VALID(kar, ARG_MODE)) { 1121 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1122 kau_write(rec, tok); 1123 } 1124 /* FALLTHROUGH */ 1125 1126 case AUE_OPEN_R: 1127 case AUE_OPEN_RT: 1128 case AUE_OPEN_RW: 1129 case AUE_OPEN_RWT: 1130 case AUE_OPEN_W: 1131 case AUE_OPEN_WT: 1132 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1133 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1134 kau_write(rec, tok); 1135 } 1136 UPATH1_VNODE1_TOKENS; 1137 break; 1138 1139 case AUE_PTRACE: 1140 if (ARG_IS_VALID(kar, ARG_CMD)) { 1141 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1142 kau_write(rec, tok); 1143 } 1144 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1145 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1146 kau_write(rec, tok); 1147 } 1148 PROCESS_PID_TOKENS(2); 1149 break; 1150 1151 case AUE_QUOTACTL: 1152 if (ARG_IS_VALID(kar, ARG_CMD)) { 1153 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1154 kau_write(rec, tok); 1155 } 1156 if (ARG_IS_VALID(kar, ARG_UID)) { 1157 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1158 kau_write(rec, tok); 1159 } 1160 if (ARG_IS_VALID(kar, ARG_GID)) { 1161 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1162 kau_write(rec, tok); 1163 } 1164 UPATH1_VNODE1_TOKENS; 1165 break; 1166 1167 case AUE_REBOOT: 1168 if (ARG_IS_VALID(kar, ARG_CMD)) { 1169 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1170 kau_write(rec, tok); 1171 } 1172 break; 1173 1174 case AUE_SEMCTL: 1175 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1176 /* Fall through */ 1177 1178 case AUE_SEMOP: 1179 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1180 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1181 kau_write(rec, tok); 1182 if (ar->ar_errno != EINVAL) { 1183 tok = au_to_ipc(AT_IPC_SEM, 1184 ar->ar_arg_svipc_id); 1185 kau_write(rec, tok); 1186 } 1187 } 1188 break; 1189 1190 case AUE_SEMGET: 1191 if (ar->ar_errno == 0) { 1192 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1193 tok = au_to_ipc(AT_IPC_SEM, 1194 ar->ar_arg_svipc_id); 1195 kau_write(rec, tok); 1196 } 1197 } 1198 break; 1199 1200 case AUE_SETEGID: 1201 if (ARG_IS_VALID(kar, ARG_EGID)) { 1202 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1203 kau_write(rec, tok); 1204 } 1205 break; 1206 1207 case AUE_SETEUID: 1208 if (ARG_IS_VALID(kar, ARG_EUID)) { 1209 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1210 kau_write(rec, tok); 1211 } 1212 break; 1213 1214 case AUE_SETREGID: 1215 if (ARG_IS_VALID(kar, ARG_RGID)) { 1216 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1217 kau_write(rec, tok); 1218 } 1219 if (ARG_IS_VALID(kar, ARG_EGID)) { 1220 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1221 kau_write(rec, tok); 1222 } 1223 break; 1224 1225 case AUE_SETREUID: 1226 if (ARG_IS_VALID(kar, ARG_RUID)) { 1227 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1228 kau_write(rec, tok); 1229 } 1230 if (ARG_IS_VALID(kar, ARG_EUID)) { 1231 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1232 kau_write(rec, tok); 1233 } 1234 break; 1235 1236 case AUE_SETRESGID: 1237 if (ARG_IS_VALID(kar, ARG_RGID)) { 1238 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1239 kau_write(rec, tok); 1240 } 1241 if (ARG_IS_VALID(kar, ARG_EGID)) { 1242 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1243 kau_write(rec, tok); 1244 } 1245 if (ARG_IS_VALID(kar, ARG_SGID)) { 1246 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1247 kau_write(rec, tok); 1248 } 1249 break; 1250 1251 case AUE_SETRESUID: 1252 if (ARG_IS_VALID(kar, ARG_RUID)) { 1253 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1254 kau_write(rec, tok); 1255 } 1256 if (ARG_IS_VALID(kar, ARG_EUID)) { 1257 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1258 kau_write(rec, tok); 1259 } 1260 if (ARG_IS_VALID(kar, ARG_SUID)) { 1261 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1262 kau_write(rec, tok); 1263 } 1264 break; 1265 1266 case AUE_SETGID: 1267 if (ARG_IS_VALID(kar, ARG_GID)) { 1268 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1269 kau_write(rec, tok); 1270 } 1271 break; 1272 1273 case AUE_SETUID: 1274 if (ARG_IS_VALID(kar, ARG_UID)) { 1275 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1276 kau_write(rec, tok); 1277 } 1278 break; 1279 1280 case AUE_SETGROUPS: 1281 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1282 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1283 { 1284 tok = au_to_arg32(1, "setgroups", 1285 ar->ar_arg_groups.gidset[ctr]); 1286 kau_write(rec, tok); 1287 } 1288 } 1289 break; 1290 1291 case AUE_SETLOGIN: 1292 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1293 tok = au_to_text(ar->ar_arg_text); 1294 kau_write(rec, tok); 1295 } 1296 break; 1297 1298 case AUE_SETPRIORITY: 1299 if (ARG_IS_VALID(kar, ARG_CMD)) { 1300 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1301 kau_write(rec, tok); 1302 } 1303 if (ARG_IS_VALID(kar, ARG_UID)) { 1304 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1305 kau_write(rec, tok); 1306 } 1307 PROCESS_PID_TOKENS(2); 1308 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1309 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1310 kau_write(rec, tok); 1311 } 1312 break; 1313 1314 case AUE_SETPRIVEXEC: 1315 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1316 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1317 kau_write(rec, tok); 1318 } 1319 break; 1320 1321 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1322 case AUE_SHMAT: 1323 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1324 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1325 kau_write(rec, tok); 1326 /* XXXAUDIT: Does having the ipc token make sense? */ 1327 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1328 kau_write(rec, tok); 1329 } 1330 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1331 tok = au_to_arg32(2, "shmaddr", 1332 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1333 kau_write(rec, tok); 1334 } 1335 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1336 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1337 kau_write(rec, tok); 1338 } 1339 break; 1340 1341 case AUE_SHMCTL: 1342 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1343 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1344 kau_write(rec, tok); 1345 /* XXXAUDIT: Does having the ipc token make sense? */ 1346 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1347 kau_write(rec, tok); 1348 } 1349 switch (ar->ar_arg_svipc_cmd) { 1350 case IPC_STAT: 1351 ar->ar_event = AUE_SHMCTL_STAT; 1352 break; 1353 case IPC_RMID: 1354 ar->ar_event = AUE_SHMCTL_RMID; 1355 break; 1356 case IPC_SET: 1357 ar->ar_event = AUE_SHMCTL_SET; 1358 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1359 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1360 kau_write(rec, tok); 1361 } 1362 break; 1363 default: 1364 break; /* We will audit a bad command */ 1365 } 1366 break; 1367 1368 case AUE_SHMDT: 1369 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1370 tok = au_to_arg32(1, "shmaddr", 1371 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1372 kau_write(rec, tok); 1373 } 1374 break; 1375 1376 case AUE_SHMGET: 1377 /* This is unusual; the return value is in an argument token */ 1378 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1379 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1380 kau_write(rec, tok); 1381 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1382 kau_write(rec, tok); 1383 } 1384 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1385 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1386 kau_write(rec, tok); 1387 } 1388 break; 1389 1390 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1391 * and AUE_SEMUNLINK are Posix IPC */ 1392 case AUE_SHMOPEN: 1393 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1394 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1395 kau_write(rec, tok); 1396 } 1397 if (ARG_IS_VALID(kar, ARG_MODE)) { 1398 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1399 kau_write(rec, tok); 1400 } 1401 /* FALLTHROUGH */ 1402 1403 case AUE_SHMUNLINK: 1404 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1405 tok = au_to_text(ar->ar_arg_text); 1406 kau_write(rec, tok); 1407 } 1408 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1409 struct ipc_perm perm; 1410 1411 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1412 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1413 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1414 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1415 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1416 perm.seq = 0; 1417 perm.key = 0; 1418 tok = au_to_ipc_perm(&perm); 1419 kau_write(rec, tok); 1420 } 1421 break; 1422 1423 case AUE_SEMOPEN: 1424 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1425 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1426 kau_write(rec, tok); 1427 } 1428 if (ARG_IS_VALID(kar, ARG_MODE)) { 1429 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1430 kau_write(rec, tok); 1431 } 1432 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1433 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1434 kau_write(rec, tok); 1435 } 1436 /* FALLTHROUGH */ 1437 1438 case AUE_SEMUNLINK: 1439 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1440 tok = au_to_text(ar->ar_arg_text); 1441 kau_write(rec, tok); 1442 } 1443 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1444 struct ipc_perm perm; 1445 1446 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1447 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1448 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1449 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1450 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1451 perm.seq = 0; 1452 perm.key = 0; 1453 tok = au_to_ipc_perm(&perm); 1454 kau_write(rec, tok); 1455 } 1456 break; 1457 1458 case AUE_SEMCLOSE: 1459 if (ARG_IS_VALID(kar, ARG_FD)) { 1460 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1461 kau_write(rec, tok); 1462 } 1463 break; 1464 1465 case AUE_SYMLINK: 1466 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1467 tok = au_to_text(ar->ar_arg_text); 1468 kau_write(rec, tok); 1469 } 1470 UPATH1_VNODE1_TOKENS; 1471 break; 1472 1473 case AUE_SYSCTL: 1474 case AUE_SYSCTL_NONADMIN: 1475 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1476 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1477 tok = au_to_arg32(1, "name", 1478 ar->ar_arg_ctlname[ctr]); 1479 kau_write(rec, tok); 1480 } 1481 } 1482 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1483 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1484 kau_write(rec, tok); 1485 } 1486 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1487 tok = au_to_text(ar->ar_arg_text); 1488 kau_write(rec, tok); 1489 } 1490 break; 1491 1492 case AUE_UMASK: 1493 if (ARG_IS_VALID(kar, ARG_MASK)) { 1494 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1495 kau_write(rec, tok); 1496 } 1497 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1498 kau_write(rec, tok); 1499 break; 1500 1501 case AUE_WAIT4: 1502 PROCESS_PID_TOKENS(1); 1503 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1504 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1505 kau_write(rec, tok); 1506 } 1507 break; 1508 1509 case AUE_NULL: 1510 default: 1511 printf("BSM conversion requested for unknown event %d\n", 1512 ar->ar_event); 1513 1514 /* 1515 * Write the subject token so it is properly freed here. 1516 */ 1517 kau_write(rec, subj_tok); 1518 kau_free(rec); 1519 return (BSM_NOAUDIT); 1520 } 1521 1522 kau_write(rec, subj_tok); 1523 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1524 kau_write(rec, tok); /* Every record gets a return token */ 1525 1526 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1527 1528 *pau = rec; 1529 return (BSM_SUCCESS); 1530} 1531 1532/* 1533 * Verify that a record is a valid BSM record. This verification is simple 1534 * now, but may be expanded on sometime in the future. Return 1 if the 1535 * record is good, 0 otherwise. 1536 */ 1537int 1538bsm_rec_verify(void *rec) 1539{ 1540 char c = *(char *)rec; 1541 1542 /* 1543 * Check the token ID of the first token; it has to be a header 1544 * token. 1545 * 1546 * XXXAUDIT There needs to be a token structure to map a token. 1547 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1548 */ 1549 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1550 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1551 return (0); 1552 return (1); 1553} 1554