audit_bsm.c revision 245573
1/* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 245573 2013-01-17 21:02:53Z csjp $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155} 156 157/* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161void 162kau_free(struct au_record *rec) 163{ 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177} 178 179/* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186#define ATFD1_TOKENS(argnum) do { \ 187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 189 kau_write(rec, tok); \ 190 } \ 191} while (0) 192 193#define ATFD2_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 196 kau_write(rec, tok); \ 197 } \ 198} while (0) 199 200#define UPATH1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 202 tok = au_to_path(ar->ar_arg_upath1); \ 203 kau_write(rec, tok); \ 204 } \ 205} while (0) 206 207#define UPATH2_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 209 tok = au_to_path(ar->ar_arg_upath2); \ 210 kau_write(rec, tok); \ 211 } \ 212} while (0) 213 214#define VNODE1_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 217 kau_write(rec, tok); \ 218 } \ 219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 220 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 221 kau_write(rec, tok); \ 222 } \ 223} while (0) 224 225#define UPATH1_VNODE1_TOKENS do { \ 226 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 227 UPATH1_TOKENS; \ 228 } \ 229 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 230 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 231 kau_write(rec, tok); \ 232 } \ 233} while (0) 234 235#define VNODE2_TOKENS do { \ 236 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 237 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 238 kau_write(rec, tok); \ 239 } \ 240} while (0) 241 242#define FD_VNODE1_TOKENS do { \ 243 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 244 if (ARG_IS_VALID(kar, ARG_FD)) { \ 245 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 246 kau_write(rec, tok); \ 247 } \ 248 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 249 kau_write(rec, tok); \ 250 } else { \ 251 if (ARG_IS_VALID(kar, ARG_FD)) { \ 252 tok = au_to_arg32(1, "non-file: fd", \ 253 ar->ar_arg_fd); \ 254 kau_write(rec, tok); \ 255 } \ 256 } \ 257} while (0) 258 259#define PROCESS_PID_TOKENS(argn) do { \ 260 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 261 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 262 tok = au_to_process32_ex(ar->ar_arg_auid, \ 263 ar->ar_arg_euid, ar->ar_arg_egid, \ 264 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 265 ar->ar_arg_pid, ar->ar_arg_asid, \ 266 &ar->ar_arg_termid_addr); \ 267 kau_write(rec, tok); \ 268 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 269 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 270 kau_write(rec, tok); \ 271 } \ 272} while (0) 273 274#define EXTATTR_TOKENS(namespace_argnum) do { \ 275 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 276 switch (ar->ar_arg_value) { \ 277 case EXTATTR_NAMESPACE_USER: \ 278 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 279 break; \ 280 case EXTATTR_NAMESPACE_SYSTEM: \ 281 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 282 break; \ 283 default: \ 284 tok = au_to_arg32((namespace_argnum), \ 285 "attrnamespace", ar->ar_arg_value); \ 286 break; \ 287 } \ 288 kau_write(rec, tok); \ 289 } \ 290 /* attrname is in the text field */ \ 291 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 292 tok = au_to_text(ar->ar_arg_text); \ 293 kau_write(rec, tok); \ 294 } \ 295} while (0) 296 297/* 298 * Not all pointer arguments to system calls are of interest, but in some 299 * cases they reflect delegation of rights, such as mmap(2) followed by 300 * minherit(2) before execve(2), so do the best we can. 301 */ 302#define ADDR_TOKEN(argnum, argname) do { \ 303 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 304 if (sizeof(void *) == sizeof(uint32_t)) \ 305 tok = au_to_arg32((argnum), (argname), \ 306 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 307 else \ 308 tok = au_to_arg64((argnum), (argname), \ 309 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 310 kau_write(rec, tok); \ 311 } \ 312} while (0) 313 314 315/* 316 * Implement auditing for the auditon() system call. The audit tokens that 317 * are generated depend on the command that was sent into the auditon() 318 * system call. 319 */ 320static void 321audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 322{ 323 struct au_token *tok; 324 325 tok = au_to_arg32(3, "length", ar->ar_arg_len); 326 kau_write(rec, tok); 327 switch (ar->ar_arg_cmd) { 328 case A_OLDSETPOLICY: 329 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 330 tok = au_to_arg64(2, "policy", 331 ar->ar_arg_auditon.au_policy64); 332 kau_write(rec, tok); 333 break; 334 } 335 /* FALLTHROUGH */ 336 337 case A_SETPOLICY: 338 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 339 kau_write(rec, tok); 340 break; 341 342 case A_SETKMASK: 343 tok = au_to_arg32(2, "setkmask:as_success", 344 ar->ar_arg_auditon.au_mask.am_success); 345 kau_write(rec, tok); 346 tok = au_to_arg32(2, "setkmask:as_failure", 347 ar->ar_arg_auditon.au_mask.am_failure); 348 kau_write(rec, tok); 349 break; 350 351 case A_OLDSETQCTRL: 352 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 353 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 354 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 355 kau_write(rec, tok); 356 tok = au_to_arg64(2, "setqctrl:aq_lowater", 357 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 358 kau_write(rec, tok); 359 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 360 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 361 kau_write(rec, tok); 362 tok = au_to_arg64(2, "setqctrl:aq_delay", 363 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 364 kau_write(rec, tok); 365 tok = au_to_arg64(2, "setqctrl:aq_minfree", 366 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 367 kau_write(rec, tok); 368 break; 369 } 370 /* FALLTHROUGH */ 371 372 case A_SETQCTRL: 373 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 374 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 375 kau_write(rec, tok); 376 tok = au_to_arg32(2, "setqctrl:aq_lowater", 377 ar->ar_arg_auditon.au_qctrl.aq_lowater); 378 kau_write(rec, tok); 379 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 380 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 381 kau_write(rec, tok); 382 tok = au_to_arg32(2, "setqctrl:aq_delay", 383 ar->ar_arg_auditon.au_qctrl.aq_delay); 384 kau_write(rec, tok); 385 tok = au_to_arg32(2, "setqctrl:aq_minfree", 386 ar->ar_arg_auditon.au_qctrl.aq_minfree); 387 kau_write(rec, tok); 388 break; 389 390 case A_SETUMASK: 391 tok = au_to_arg32(2, "setumask:as_success", 392 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 393 kau_write(rec, tok); 394 tok = au_to_arg32(2, "setumask:as_failure", 395 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 396 kau_write(rec, tok); 397 break; 398 399 case A_SETSMASK: 400 tok = au_to_arg32(2, "setsmask:as_success", 401 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 402 kau_write(rec, tok); 403 tok = au_to_arg32(2, "setsmask:as_failure", 404 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 405 kau_write(rec, tok); 406 break; 407 408 case A_OLDSETCOND: 409 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 410 tok = au_to_arg64(2, "setcond", 411 ar->ar_arg_auditon.au_cond64); 412 kau_write(rec, tok); 413 break; 414 } 415 /* FALLTHROUGH */ 416 417 case A_SETCOND: 418 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 419 kau_write(rec, tok); 420 break; 421 422 case A_SETCLASS: 423 kau_write(rec, tok); 424 tok = au_to_arg32(2, "setclass:ec_event", 425 ar->ar_arg_auditon.au_evclass.ec_number); 426 kau_write(rec, tok); 427 tok = au_to_arg32(2, "setclass:ec_class", 428 ar->ar_arg_auditon.au_evclass.ec_class); 429 kau_write(rec, tok); 430 break; 431 432 case A_SETPMASK: 433 tok = au_to_arg32(2, "setpmask:as_success", 434 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 435 kau_write(rec, tok); 436 tok = au_to_arg32(2, "setpmask:as_failure", 437 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 438 kau_write(rec, tok); 439 break; 440 441 case A_SETFSIZE: 442 tok = au_to_arg32(2, "setfsize:filesize", 443 ar->ar_arg_auditon.au_fstat.af_filesz); 444 kau_write(rec, tok); 445 break; 446 447 default: 448 break; 449 } 450} 451 452/* 453 * Convert an internal kernel audit record to a BSM record and return a 454 * success/failure indicator. The BSM record is passed as an out parameter to 455 * this function. 456 * 457 * Return conditions: 458 * BSM_SUCCESS: The BSM record is valid 459 * BSM_FAILURE: Failure; the BSM record is NULL. 460 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 461 */ 462int 463kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 464{ 465 struct au_token *tok, *subj_tok, *jail_tok; 466 struct au_record *rec; 467 au_tid_t tid; 468 struct audit_record *ar; 469 int ctr; 470 471 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 472 473 *pau = NULL; 474 ar = &kar->k_ar; 475 rec = kau_open(); 476 477 /* 478 * Create the subject token. If this credential was jailed be sure to 479 * generate a zonename token. 480 */ 481 if (ar->ar_jailname[0] != '\0') 482 jail_tok = au_to_zonename(ar->ar_jailname); 483 else 484 jail_tok = NULL; 485 switch (ar->ar_subj_term_addr.at_type) { 486 case AU_IPv4: 487 tid.port = ar->ar_subj_term_addr.at_port; 488 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 489 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 490 ar->ar_subj_cred.cr_uid, /* eff uid */ 491 ar->ar_subj_egid, /* eff group id */ 492 ar->ar_subj_ruid, /* real uid */ 493 ar->ar_subj_rgid, /* real group id */ 494 ar->ar_subj_pid, /* process id */ 495 ar->ar_subj_asid, /* session ID */ 496 &tid); 497 break; 498 case AU_IPv6: 499 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 500 ar->ar_subj_cred.cr_uid, 501 ar->ar_subj_egid, 502 ar->ar_subj_ruid, 503 ar->ar_subj_rgid, 504 ar->ar_subj_pid, 505 ar->ar_subj_asid, 506 &ar->ar_subj_term_addr); 507 break; 508 default: 509 bzero(&tid, sizeof(tid)); 510 subj_tok = au_to_subject32(ar->ar_subj_auid, 511 ar->ar_subj_cred.cr_uid, 512 ar->ar_subj_egid, 513 ar->ar_subj_ruid, 514 ar->ar_subj_rgid, 515 ar->ar_subj_pid, 516 ar->ar_subj_asid, 517 &tid); 518 } 519 520 /* 521 * The logic inside each case fills in the tokens required for the 522 * event, except for the header, trailer, and return tokens. The 523 * header and trailer tokens are added by the kau_close() function. 524 * The return token is added outside of the switch statement. 525 */ 526 switch(ar->ar_event) { 527 case AUE_ACCEPT: 528 case AUE_BIND: 529 case AUE_LISTEN: 530 case AUE_CONNECT: 531 case AUE_RECV: 532 case AUE_RECVFROM: 533 case AUE_RECVMSG: 534 case AUE_SEND: 535 case AUE_SENDFILE: 536 case AUE_SENDMSG: 537 case AUE_SENDTO: 538 /* 539 * Socket-related events. 540 */ 541 if (ARG_IS_VALID(kar, ARG_FD)) { 542 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 543 kau_write(rec, tok); 544 } 545 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 546 tok = au_to_sock_inet((struct sockaddr_in *) 547 &ar->ar_arg_sockaddr); 548 kau_write(rec, tok); 549 } 550 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 551 tok = au_to_sock_unix((struct sockaddr_un *) 552 &ar->ar_arg_sockaddr); 553 kau_write(rec, tok); 554 UPATH1_TOKENS; 555 } 556 /* XXX Need to handle ARG_SADDRINET6 */ 557 break; 558 559 case AUE_SOCKET: 560 case AUE_SOCKETPAIR: 561 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 562 tok = au_to_arg32(1, "domain", 563 ar->ar_arg_sockinfo.so_domain); 564 kau_write(rec, tok); 565 tok = au_to_arg32(2, "type", 566 ar->ar_arg_sockinfo.so_type); 567 kau_write(rec, tok); 568 tok = au_to_arg32(3, "protocol", 569 ar->ar_arg_sockinfo.so_protocol); 570 kau_write(rec, tok); 571 } 572 break; 573 574 case AUE_SETSOCKOPT: 575 case AUE_SHUTDOWN: 576 if (ARG_IS_VALID(kar, ARG_FD)) { 577 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 578 kau_write(rec, tok); 579 } 580 break; 581 582 case AUE_ACCT: 583 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 584 UPATH1_VNODE1_TOKENS; 585 } else { 586 tok = au_to_arg32(1, "accounting off", 0); 587 kau_write(rec, tok); 588 } 589 break; 590 591 case AUE_SETAUID: 592 if (ARG_IS_VALID(kar, ARG_AUID)) { 593 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 594 kau_write(rec, tok); 595 } 596 break; 597 598 case AUE_SETAUDIT: 599 if (ARG_IS_VALID(kar, ARG_AUID) && 600 ARG_IS_VALID(kar, ARG_ASID) && 601 ARG_IS_VALID(kar, ARG_AMASK) && 602 ARG_IS_VALID(kar, ARG_TERMID)) { 603 tok = au_to_arg32(1, "setaudit:auid", 604 ar->ar_arg_auid); 605 kau_write(rec, tok); 606 tok = au_to_arg32(1, "setaudit:port", 607 ar->ar_arg_termid.port); 608 kau_write(rec, tok); 609 tok = au_to_arg32(1, "setaudit:machine", 610 ar->ar_arg_termid.machine); 611 kau_write(rec, tok); 612 tok = au_to_arg32(1, "setaudit:as_success", 613 ar->ar_arg_amask.am_success); 614 kau_write(rec, tok); 615 tok = au_to_arg32(1, "setaudit:as_failure", 616 ar->ar_arg_amask.am_failure); 617 kau_write(rec, tok); 618 tok = au_to_arg32(1, "setaudit:asid", 619 ar->ar_arg_asid); 620 kau_write(rec, tok); 621 } 622 break; 623 624 case AUE_SETAUDIT_ADDR: 625 if (ARG_IS_VALID(kar, ARG_AUID) && 626 ARG_IS_VALID(kar, ARG_ASID) && 627 ARG_IS_VALID(kar, ARG_AMASK) && 628 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 629 tok = au_to_arg32(1, "setaudit_addr:auid", 630 ar->ar_arg_auid); 631 kau_write(rec, tok); 632 tok = au_to_arg32(1, "setaudit_addr:as_success", 633 ar->ar_arg_amask.am_success); 634 kau_write(rec, tok); 635 tok = au_to_arg32(1, "setaudit_addr:as_failure", 636 ar->ar_arg_amask.am_failure); 637 kau_write(rec, tok); 638 tok = au_to_arg32(1, "setaudit_addr:asid", 639 ar->ar_arg_asid); 640 kau_write(rec, tok); 641 tok = au_to_arg32(1, "setaudit_addr:type", 642 ar->ar_arg_termid_addr.at_type); 643 kau_write(rec, tok); 644 tok = au_to_arg32(1, "setaudit_addr:port", 645 ar->ar_arg_termid_addr.at_port); 646 kau_write(rec, tok); 647 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 648 tok = au_to_in_addr_ex((struct in6_addr *) 649 &ar->ar_arg_termid_addr.at_addr[0]); 650 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 651 tok = au_to_in_addr((struct in_addr *) 652 &ar->ar_arg_termid_addr.at_addr[0]); 653 kau_write(rec, tok); 654 } 655 break; 656 657 case AUE_AUDITON: 658 /* 659 * For AUDITON commands without own event, audit the cmd. 660 */ 661 if (ARG_IS_VALID(kar, ARG_CMD)) { 662 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 663 kau_write(rec, tok); 664 } 665 /* FALLTHROUGH */ 666 667 case AUE_AUDITON_GETCAR: 668 case AUE_AUDITON_GETCLASS: 669 case AUE_AUDITON_GETCOND: 670 case AUE_AUDITON_GETCWD: 671 case AUE_AUDITON_GETKMASK: 672 case AUE_AUDITON_GETSTAT: 673 case AUE_AUDITON_GPOLICY: 674 case AUE_AUDITON_GQCTRL: 675 case AUE_AUDITON_SETCLASS: 676 case AUE_AUDITON_SETCOND: 677 case AUE_AUDITON_SETKMASK: 678 case AUE_AUDITON_SETSMASK: 679 case AUE_AUDITON_SETSTAT: 680 case AUE_AUDITON_SETUMASK: 681 case AUE_AUDITON_SPOLICY: 682 case AUE_AUDITON_SQCTRL: 683 if (ARG_IS_VALID(kar, ARG_AUDITON)) 684 audit_sys_auditon(ar, rec); 685 break; 686 687 case AUE_AUDITCTL: 688 UPATH1_VNODE1_TOKENS; 689 break; 690 691 case AUE_EXIT: 692 if (ARG_IS_VALID(kar, ARG_EXIT)) { 693 tok = au_to_exit(ar->ar_arg_exitretval, 694 ar->ar_arg_exitstatus); 695 kau_write(rec, tok); 696 } 697 break; 698 699 case AUE_ADJTIME: 700 case AUE_CLOCK_SETTIME: 701 case AUE_AUDIT: 702 case AUE_DUP2: 703 case AUE_GETAUDIT: 704 case AUE_GETAUDIT_ADDR: 705 case AUE_GETAUID: 706 case AUE_GETCWD: 707 case AUE_GETFSSTAT: 708 case AUE_GETRESUID: 709 case AUE_GETRESGID: 710 case AUE_KQUEUE: 711 case AUE_MODLOAD: 712 case AUE_MODUNLOAD: 713 case AUE_MSGSYS: 714 case AUE_NTP_ADJTIME: 715 case AUE_PIPE: 716 case AUE_POSIX_OPENPT: 717 case AUE_PROFILE: 718 case AUE_RTPRIO: 719 case AUE_SEMSYS: 720 case AUE_SHMSYS: 721 case AUE_SETPGRP: 722 case AUE_SETRLIMIT: 723 case AUE_SETSID: 724 case AUE_SETTIMEOFDAY: 725 case AUE_SYSARCH: 726 727 /* 728 * Header, subject, and return tokens added at end. 729 */ 730 break; 731 732 case AUE_CHDIR: 733 case AUE_CHROOT: 734 case AUE_FSTATAT: 735 case AUE_FUTIMESAT: 736 case AUE_GETATTRLIST: 737 case AUE_JAIL: 738 case AUE_LUTIMES: 739 case AUE_NFS_GETFH: 740 case AUE_LSTAT: 741 case AUE_LPATHCONF: 742 case AUE_PATHCONF: 743 case AUE_READLINK: 744 case AUE_READLINKAT: 745 case AUE_REVOKE: 746 case AUE_RMDIR: 747 case AUE_SEARCHFS: 748 case AUE_SETATTRLIST: 749 case AUE_STAT: 750 case AUE_STATFS: 751 case AUE_SWAPON: 752 case AUE_SWAPOFF: 753 case AUE_TRUNCATE: 754 case AUE_UNDELETE: 755 case AUE_UNLINK: 756 case AUE_UNLINKAT: 757 case AUE_UTIMES: 758 ATFD1_TOKENS(1); 759 UPATH1_VNODE1_TOKENS; 760 break; 761 762 case AUE_ACCESS: 763 case AUE_EACCESS: 764 case AUE_FACCESSAT: 765 ATFD1_TOKENS(1); 766 UPATH1_VNODE1_TOKENS; 767 if (ARG_IS_VALID(kar, ARG_VALUE)) { 768 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 769 kau_write(rec, tok); 770 } 771 break; 772 773 case AUE_FHSTATFS: 774 case AUE_FHOPEN: 775 case AUE_FHSTAT: 776 /* XXXRW: Need to audit vnode argument. */ 777 break; 778 779 case AUE_CHFLAGS: 780 case AUE_LCHFLAGS: 781 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 782 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 783 kau_write(rec, tok); 784 } 785 UPATH1_VNODE1_TOKENS; 786 break; 787 788 case AUE_CHMOD: 789 case AUE_LCHMOD: 790 if (ARG_IS_VALID(kar, ARG_MODE)) { 791 tok = au_to_arg32(2, "new file mode", 792 ar->ar_arg_mode); 793 kau_write(rec, tok); 794 } 795 UPATH1_VNODE1_TOKENS; 796 break; 797 798 case AUE_FCHMODAT: 799 ATFD1_TOKENS(1); 800 if (ARG_IS_VALID(kar, ARG_MODE)) { 801 tok = au_to_arg32(3, "new file mode", 802 ar->ar_arg_mode); 803 kau_write(rec, tok); 804 } 805 UPATH1_VNODE1_TOKENS; 806 break; 807 808 case AUE_CHOWN: 809 case AUE_LCHOWN: 810 if (ARG_IS_VALID(kar, ARG_UID)) { 811 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 812 kau_write(rec, tok); 813 } 814 if (ARG_IS_VALID(kar, ARG_GID)) { 815 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 816 kau_write(rec, tok); 817 } 818 UPATH1_VNODE1_TOKENS; 819 break; 820 821 case AUE_FCHOWNAT: 822 ATFD1_TOKENS(1); 823 if (ARG_IS_VALID(kar, ARG_UID)) { 824 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 825 kau_write(rec, tok); 826 } 827 if (ARG_IS_VALID(kar, ARG_GID)) { 828 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 829 kau_write(rec, tok); 830 } 831 UPATH1_VNODE1_TOKENS; 832 break; 833 834 case AUE_EXCHANGEDATA: 835 UPATH1_VNODE1_TOKENS; 836 UPATH2_TOKENS; 837 break; 838 839 case AUE_CLOSE: 840 if (ARG_IS_VALID(kar, ARG_FD)) { 841 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 842 kau_write(rec, tok); 843 } 844 UPATH1_VNODE1_TOKENS; 845 break; 846 847 case AUE_CLOSEFROM: 848 if (ARG_IS_VALID(kar, ARG_FD)) { 849 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 850 kau_write(rec, tok); 851 } 852 break; 853 854 case AUE_CORE: 855 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 856 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 857 kau_write(rec, tok); 858 } 859 UPATH1_VNODE1_TOKENS; 860 break; 861 862 case AUE_EXTATTRCTL: 863 UPATH1_VNODE1_TOKENS; 864 if (ARG_IS_VALID(kar, ARG_CMD)) { 865 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 866 kau_write(rec, tok); 867 } 868 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 869 UPATH2_TOKENS; 870 VNODE2_TOKENS; 871 EXTATTR_TOKENS(4); 872 break; 873 874 case AUE_EXTATTR_GET_FILE: 875 case AUE_EXTATTR_SET_FILE: 876 case AUE_EXTATTR_LIST_FILE: 877 case AUE_EXTATTR_DELETE_FILE: 878 case AUE_EXTATTR_GET_LINK: 879 case AUE_EXTATTR_SET_LINK: 880 case AUE_EXTATTR_LIST_LINK: 881 case AUE_EXTATTR_DELETE_LINK: 882 UPATH1_VNODE1_TOKENS; 883 EXTATTR_TOKENS(2); 884 break; 885 886 case AUE_EXTATTR_GET_FD: 887 case AUE_EXTATTR_SET_FD: 888 case AUE_EXTATTR_LIST_FD: 889 case AUE_EXTATTR_DELETE_FD: 890 if (ARG_IS_VALID(kar, ARG_FD)) { 891 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 892 kau_write(rec, tok); 893 } 894 EXTATTR_TOKENS(2); 895 break; 896 897 case AUE_FEXECVE: 898 if (ARG_IS_VALID(kar, ARG_FD)) { 899 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 900 kau_write(rec, tok); 901 } 902 /* FALLTHROUGH */ 903 904 case AUE_EXECVE: 905 case AUE_MAC_EXECVE: 906 if (ARG_IS_VALID(kar, ARG_ARGV)) { 907 tok = au_to_exec_args(ar->ar_arg_argv, 908 ar->ar_arg_argc); 909 kau_write(rec, tok); 910 } 911 if (ARG_IS_VALID(kar, ARG_ENVV)) { 912 tok = au_to_exec_env(ar->ar_arg_envv, 913 ar->ar_arg_envc); 914 kau_write(rec, tok); 915 } 916 UPATH1_VNODE1_TOKENS; 917 break; 918 919 case AUE_FCHMOD: 920 if (ARG_IS_VALID(kar, ARG_MODE)) { 921 tok = au_to_arg32(2, "new file mode", 922 ar->ar_arg_mode); 923 kau_write(rec, tok); 924 } 925 FD_VNODE1_TOKENS; 926 break; 927 928 /* 929 * XXXRW: Some of these need to handle non-vnode cases as well. 930 */ 931 case AUE_FCHDIR: 932 case AUE_FPATHCONF: 933 case AUE_FSTAT: 934 case AUE_FSTATFS: 935 case AUE_FSYNC: 936 case AUE_FTRUNCATE: 937 case AUE_FUTIMES: 938 case AUE_GETDIRENTRIES: 939 case AUE_GETDIRENTRIESATTR: 940 case AUE_LSEEK: 941 case AUE_POLL: 942 case AUE_READ: 943 case AUE_READV: 944 case AUE_WRITE: 945 case AUE_WRITEV: 946 FD_VNODE1_TOKENS; 947 break; 948 949 case AUE_FCHOWN: 950 if (ARG_IS_VALID(kar, ARG_UID)) { 951 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 952 kau_write(rec, tok); 953 } 954 if (ARG_IS_VALID(kar, ARG_GID)) { 955 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 956 kau_write(rec, tok); 957 } 958 FD_VNODE1_TOKENS; 959 break; 960 961 case AUE_FCNTL: 962 if (ARG_IS_VALID(kar, ARG_CMD)) { 963 tok = au_to_arg32(2, "cmd", 964 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 965 kau_write(rec, tok); 966 } 967 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 968 ar->ar_arg_cmd == F_SETLKW) { 969 FD_VNODE1_TOKENS; 970 } 971 break; 972 973 case AUE_FCHFLAGS: 974 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 975 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 976 kau_write(rec, tok); 977 } 978 FD_VNODE1_TOKENS; 979 break; 980 981 case AUE_FLOCK: 982 if (ARG_IS_VALID(kar, ARG_CMD)) { 983 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 984 kau_write(rec, tok); 985 } 986 FD_VNODE1_TOKENS; 987 break; 988 989 case AUE_RFORK: 990 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 991 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 992 kau_write(rec, tok); 993 } 994 /* FALLTHROUGH */ 995 996 case AUE_FORK: 997 case AUE_VFORK: 998 if (ARG_IS_VALID(kar, ARG_PID)) { 999 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1000 kau_write(rec, tok); 1001 } 1002 break; 1003 1004 case AUE_IOCTL: 1005 if (ARG_IS_VALID(kar, ARG_CMD)) { 1006 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1007 kau_write(rec, tok); 1008 } 1009 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1010 FD_VNODE1_TOKENS; 1011 else { 1012 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1013 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1014 kau_write(rec, tok); 1015 } else { 1016 if (ARG_IS_VALID(kar, ARG_FD)) { 1017 tok = au_to_arg32(1, "fd", 1018 ar->ar_arg_fd); 1019 kau_write(rec, tok); 1020 } 1021 } 1022 } 1023 break; 1024 1025 case AUE_KILL: 1026 case AUE_KILLPG: 1027 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1028 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1029 kau_write(rec, tok); 1030 } 1031 PROCESS_PID_TOKENS(1); 1032 break; 1033 1034 case AUE_KTRACE: 1035 if (ARG_IS_VALID(kar, ARG_CMD)) { 1036 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1037 kau_write(rec, tok); 1038 } 1039 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1040 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1041 kau_write(rec, tok); 1042 } 1043 PROCESS_PID_TOKENS(4); 1044 UPATH1_VNODE1_TOKENS; 1045 break; 1046 1047 case AUE_LINK: 1048 case AUE_LINKAT: 1049 case AUE_RENAME: 1050 case AUE_RENAMEAT: 1051 ATFD1_TOKENS(1); 1052 UPATH1_VNODE1_TOKENS; 1053 ATFD2_TOKENS(3); 1054 UPATH2_TOKENS; 1055 break; 1056 1057 case AUE_LOADSHFILE: 1058 ADDR_TOKEN(4, "base addr"); 1059 UPATH1_VNODE1_TOKENS; 1060 break; 1061 1062 case AUE_MKDIR: 1063 case AUE_MKDIRAT: 1064 case AUE_MKFIFO: 1065 case AUE_MKFIFOAT: 1066 ATFD1_TOKENS(1); 1067 if (ARG_IS_VALID(kar, ARG_MODE)) { 1068 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1069 kau_write(rec, tok); 1070 } 1071 UPATH1_VNODE1_TOKENS; 1072 break; 1073 1074 case AUE_MKNOD: 1075 case AUE_MKNODAT: 1076 ATFD1_TOKENS(1); 1077 if (ARG_IS_VALID(kar, ARG_MODE)) { 1078 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1079 kau_write(rec, tok); 1080 } 1081 if (ARG_IS_VALID(kar, ARG_DEV)) { 1082 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1083 kau_write(rec, tok); 1084 } 1085 UPATH1_VNODE1_TOKENS; 1086 break; 1087 1088 case AUE_MMAP: 1089 case AUE_MUNMAP: 1090 case AUE_MPROTECT: 1091 case AUE_MLOCK: 1092 case AUE_MUNLOCK: 1093 case AUE_MINHERIT: 1094 ADDR_TOKEN(1, "addr"); 1095 if (ARG_IS_VALID(kar, ARG_LEN)) { 1096 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1097 kau_write(rec, tok); 1098 } 1099 if (ar->ar_event == AUE_MMAP) 1100 FD_VNODE1_TOKENS; 1101 if (ar->ar_event == AUE_MPROTECT) { 1102 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1103 tok = au_to_arg32(3, "protection", 1104 ar->ar_arg_value); 1105 kau_write(rec, tok); 1106 } 1107 } 1108 if (ar->ar_event == AUE_MINHERIT) { 1109 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1110 tok = au_to_arg32(3, "inherit", 1111 ar->ar_arg_value); 1112 kau_write(rec, tok); 1113 } 1114 } 1115 break; 1116 1117 case AUE_MOUNT: 1118 case AUE_NMOUNT: 1119 /* XXX Need to handle NFS mounts */ 1120 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1121 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1122 kau_write(rec, tok); 1123 } 1124 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1125 tok = au_to_text(ar->ar_arg_text); 1126 kau_write(rec, tok); 1127 } 1128 /* FALLTHROUGH */ 1129 1130 case AUE_NFS_SVC: 1131 if (ARG_IS_VALID(kar, ARG_CMD)) { 1132 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1133 kau_write(rec, tok); 1134 } 1135 break; 1136 1137 case AUE_UMOUNT: 1138 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1139 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1140 kau_write(rec, tok); 1141 } 1142 UPATH1_VNODE1_TOKENS; 1143 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1144 tok = au_to_text(ar->ar_arg_text); 1145 kau_write(rec, tok); 1146 } 1147 break; 1148 1149 case AUE_MSGCTL: 1150 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1151 /* Fall through */ 1152 1153 case AUE_MSGRCV: 1154 case AUE_MSGSND: 1155 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1156 kau_write(rec, tok); 1157 if (ar->ar_errno != EINVAL) { 1158 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1159 kau_write(rec, tok); 1160 } 1161 break; 1162 1163 case AUE_MSGGET: 1164 if (ar->ar_errno == 0) { 1165 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1166 tok = au_to_ipc(AT_IPC_MSG, 1167 ar->ar_arg_svipc_id); 1168 kau_write(rec, tok); 1169 } 1170 } 1171 break; 1172 1173 case AUE_RESETSHFILE: 1174 ADDR_TOKEN(1, "base addr"); 1175 break; 1176 1177 case AUE_OPEN_RC: 1178 case AUE_OPEN_RTC: 1179 case AUE_OPEN_RWC: 1180 case AUE_OPEN_RWTC: 1181 case AUE_OPEN_WC: 1182 case AUE_OPEN_WTC: 1183 case AUE_CREAT: 1184 if (ARG_IS_VALID(kar, ARG_MODE)) { 1185 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1186 kau_write(rec, tok); 1187 } 1188 /* FALLTHROUGH */ 1189 1190 case AUE_OPEN_R: 1191 case AUE_OPEN_RT: 1192 case AUE_OPEN_RW: 1193 case AUE_OPEN_RWT: 1194 case AUE_OPEN_W: 1195 case AUE_OPEN_WT: 1196 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1197 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1198 kau_write(rec, tok); 1199 } 1200 UPATH1_VNODE1_TOKENS; 1201 break; 1202 1203 case AUE_OPENAT_RC: 1204 case AUE_OPENAT_RTC: 1205 case AUE_OPENAT_RWC: 1206 case AUE_OPENAT_RWTC: 1207 case AUE_OPENAT_WC: 1208 case AUE_OPENAT_WTC: 1209 if (ARG_IS_VALID(kar, ARG_MODE)) { 1210 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1211 kau_write(rec, tok); 1212 } 1213 /* FALLTHROUGH */ 1214 1215 case AUE_OPENAT_R: 1216 case AUE_OPENAT_RT: 1217 case AUE_OPENAT_RW: 1218 case AUE_OPENAT_RWT: 1219 case AUE_OPENAT_W: 1220 case AUE_OPENAT_WT: 1221 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1222 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1223 kau_write(rec, tok); 1224 } 1225 ATFD1_TOKENS(1); 1226 UPATH1_VNODE1_TOKENS; 1227 break; 1228 1229 case AUE_PTRACE: 1230 if (ARG_IS_VALID(kar, ARG_CMD)) { 1231 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1232 kau_write(rec, tok); 1233 } 1234 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1235 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1236 kau_write(rec, tok); 1237 } 1238 PROCESS_PID_TOKENS(2); 1239 break; 1240 1241 case AUE_QUOTACTL: 1242 if (ARG_IS_VALID(kar, ARG_CMD)) { 1243 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1244 kau_write(rec, tok); 1245 } 1246 if (ARG_IS_VALID(kar, ARG_UID)) { 1247 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1248 kau_write(rec, tok); 1249 } 1250 if (ARG_IS_VALID(kar, ARG_GID)) { 1251 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1252 kau_write(rec, tok); 1253 } 1254 UPATH1_VNODE1_TOKENS; 1255 break; 1256 1257 case AUE_REBOOT: 1258 if (ARG_IS_VALID(kar, ARG_CMD)) { 1259 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1260 kau_write(rec, tok); 1261 } 1262 break; 1263 1264 case AUE_SEMCTL: 1265 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1266 /* Fall through */ 1267 1268 case AUE_SEMOP: 1269 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1270 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1271 kau_write(rec, tok); 1272 if (ar->ar_errno != EINVAL) { 1273 tok = au_to_ipc(AT_IPC_SEM, 1274 ar->ar_arg_svipc_id); 1275 kau_write(rec, tok); 1276 } 1277 } 1278 break; 1279 1280 case AUE_SEMGET: 1281 if (ar->ar_errno == 0) { 1282 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1283 tok = au_to_ipc(AT_IPC_SEM, 1284 ar->ar_arg_svipc_id); 1285 kau_write(rec, tok); 1286 } 1287 } 1288 break; 1289 1290 case AUE_SETEGID: 1291 if (ARG_IS_VALID(kar, ARG_EGID)) { 1292 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1293 kau_write(rec, tok); 1294 } 1295 break; 1296 1297 case AUE_SETEUID: 1298 if (ARG_IS_VALID(kar, ARG_EUID)) { 1299 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1300 kau_write(rec, tok); 1301 } 1302 break; 1303 1304 case AUE_SETREGID: 1305 if (ARG_IS_VALID(kar, ARG_RGID)) { 1306 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1307 kau_write(rec, tok); 1308 } 1309 if (ARG_IS_VALID(kar, ARG_EGID)) { 1310 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1311 kau_write(rec, tok); 1312 } 1313 break; 1314 1315 case AUE_SETREUID: 1316 if (ARG_IS_VALID(kar, ARG_RUID)) { 1317 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1318 kau_write(rec, tok); 1319 } 1320 if (ARG_IS_VALID(kar, ARG_EUID)) { 1321 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1322 kau_write(rec, tok); 1323 } 1324 break; 1325 1326 case AUE_SETRESGID: 1327 if (ARG_IS_VALID(kar, ARG_RGID)) { 1328 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1329 kau_write(rec, tok); 1330 } 1331 if (ARG_IS_VALID(kar, ARG_EGID)) { 1332 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1333 kau_write(rec, tok); 1334 } 1335 if (ARG_IS_VALID(kar, ARG_SGID)) { 1336 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1337 kau_write(rec, tok); 1338 } 1339 break; 1340 1341 case AUE_SETRESUID: 1342 if (ARG_IS_VALID(kar, ARG_RUID)) { 1343 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1344 kau_write(rec, tok); 1345 } 1346 if (ARG_IS_VALID(kar, ARG_EUID)) { 1347 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1348 kau_write(rec, tok); 1349 } 1350 if (ARG_IS_VALID(kar, ARG_SUID)) { 1351 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1352 kau_write(rec, tok); 1353 } 1354 break; 1355 1356 case AUE_SETGID: 1357 if (ARG_IS_VALID(kar, ARG_GID)) { 1358 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1359 kau_write(rec, tok); 1360 } 1361 break; 1362 1363 case AUE_SETUID: 1364 if (ARG_IS_VALID(kar, ARG_UID)) { 1365 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1366 kau_write(rec, tok); 1367 } 1368 break; 1369 1370 case AUE_SETGROUPS: 1371 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1372 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1373 { 1374 tok = au_to_arg32(1, "setgroups", 1375 ar->ar_arg_groups.gidset[ctr]); 1376 kau_write(rec, tok); 1377 } 1378 } 1379 break; 1380 1381 case AUE_SETLOGIN: 1382 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1383 tok = au_to_text(ar->ar_arg_text); 1384 kau_write(rec, tok); 1385 } 1386 break; 1387 1388 case AUE_SETPRIORITY: 1389 if (ARG_IS_VALID(kar, ARG_CMD)) { 1390 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1391 kau_write(rec, tok); 1392 } 1393 if (ARG_IS_VALID(kar, ARG_UID)) { 1394 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1395 kau_write(rec, tok); 1396 } 1397 PROCESS_PID_TOKENS(2); 1398 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1399 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1400 kau_write(rec, tok); 1401 } 1402 break; 1403 1404 case AUE_SETPRIVEXEC: 1405 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1406 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1407 kau_write(rec, tok); 1408 } 1409 break; 1410 1411 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1412 case AUE_SHMAT: 1413 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1414 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1415 kau_write(rec, tok); 1416 /* XXXAUDIT: Does having the ipc token make sense? */ 1417 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1418 kau_write(rec, tok); 1419 } 1420 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1421 tok = au_to_arg32(2, "shmaddr", 1422 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1423 kau_write(rec, tok); 1424 } 1425 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1426 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1427 kau_write(rec, tok); 1428 } 1429 break; 1430 1431 case AUE_SHMCTL: 1432 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1433 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1434 kau_write(rec, tok); 1435 /* XXXAUDIT: Does having the ipc token make sense? */ 1436 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1437 kau_write(rec, tok); 1438 } 1439 switch (ar->ar_arg_svipc_cmd) { 1440 case IPC_STAT: 1441 ar->ar_event = AUE_SHMCTL_STAT; 1442 break; 1443 case IPC_RMID: 1444 ar->ar_event = AUE_SHMCTL_RMID; 1445 break; 1446 case IPC_SET: 1447 ar->ar_event = AUE_SHMCTL_SET; 1448 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1449 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1450 kau_write(rec, tok); 1451 } 1452 break; 1453 default: 1454 break; /* We will audit a bad command */ 1455 } 1456 break; 1457 1458 case AUE_SHMDT: 1459 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1460 tok = au_to_arg32(1, "shmaddr", 1461 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1462 kau_write(rec, tok); 1463 } 1464 break; 1465 1466 case AUE_SHMGET: 1467 /* This is unusual; the return value is in an argument token */ 1468 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1469 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1470 kau_write(rec, tok); 1471 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1472 kau_write(rec, tok); 1473 } 1474 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1475 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1476 kau_write(rec, tok); 1477 } 1478 break; 1479 1480 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1481 * and AUE_SEMUNLINK are Posix IPC */ 1482 case AUE_SHMOPEN: 1483 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1484 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1485 kau_write(rec, tok); 1486 } 1487 if (ARG_IS_VALID(kar, ARG_MODE)) { 1488 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1489 kau_write(rec, tok); 1490 } 1491 /* FALLTHROUGH */ 1492 1493 case AUE_SHMUNLINK: 1494 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1495 tok = au_to_text(ar->ar_arg_text); 1496 kau_write(rec, tok); 1497 } 1498 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1499 struct ipc_perm perm; 1500 1501 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1502 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1503 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1504 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1505 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1506 perm.seq = 0; 1507 perm.key = 0; 1508 tok = au_to_ipc_perm(&perm); 1509 kau_write(rec, tok); 1510 } 1511 break; 1512 1513 case AUE_SEMOPEN: 1514 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1515 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1516 kau_write(rec, tok); 1517 } 1518 if (ARG_IS_VALID(kar, ARG_MODE)) { 1519 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1520 kau_write(rec, tok); 1521 } 1522 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1523 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1524 kau_write(rec, tok); 1525 } 1526 /* FALLTHROUGH */ 1527 1528 case AUE_SEMUNLINK: 1529 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1530 tok = au_to_text(ar->ar_arg_text); 1531 kau_write(rec, tok); 1532 } 1533 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1534 struct ipc_perm perm; 1535 1536 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1537 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1538 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1539 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1540 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1541 perm.seq = 0; 1542 perm.key = 0; 1543 tok = au_to_ipc_perm(&perm); 1544 kau_write(rec, tok); 1545 } 1546 break; 1547 1548 case AUE_SEMCLOSE: 1549 if (ARG_IS_VALID(kar, ARG_FD)) { 1550 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1551 kau_write(rec, tok); 1552 } 1553 break; 1554 1555 case AUE_SYMLINK: 1556 case AUE_SYMLINKAT: 1557 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1558 tok = au_to_text(ar->ar_arg_text); 1559 kau_write(rec, tok); 1560 } 1561 ATFD1_TOKENS(1); 1562 UPATH1_VNODE1_TOKENS; 1563 break; 1564 1565 case AUE_SYSCTL: 1566 case AUE_SYSCTL_NONADMIN: 1567 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1568 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1569 tok = au_to_arg32(1, "name", 1570 ar->ar_arg_ctlname[ctr]); 1571 kau_write(rec, tok); 1572 } 1573 } 1574 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1575 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1576 kau_write(rec, tok); 1577 } 1578 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1579 tok = au_to_text(ar->ar_arg_text); 1580 kau_write(rec, tok); 1581 } 1582 break; 1583 1584 case AUE_UMASK: 1585 if (ARG_IS_VALID(kar, ARG_MASK)) { 1586 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1587 kau_write(rec, tok); 1588 } 1589 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1590 kau_write(rec, tok); 1591 break; 1592 1593 case AUE_WAIT4: 1594 PROCESS_PID_TOKENS(1); 1595 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1596 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1597 kau_write(rec, tok); 1598 } 1599 break; 1600 1601 case AUE_CAP_NEW: 1602 /* 1603 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1604 */ 1605 FD_VNODE1_TOKENS; 1606 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1607 tok = au_to_arg64(2, "rights", ar->ar_arg_rights); 1608 kau_write(rec, tok); 1609 } 1610 break; 1611 1612 case AUE_CAP_GETRIGHTS: 1613 if (ARG_IS_VALID(kar, ARG_FD)) { 1614 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1615 kau_write(rec, tok); 1616 } 1617 break; 1618 1619 case AUE_CAP_ENTER: 1620 case AUE_CAP_GETMODE: 1621 break; 1622 1623 case AUE_NULL: 1624 default: 1625 printf("BSM conversion requested for unknown event %d\n", 1626 ar->ar_event); 1627 1628 /* 1629 * Write the subject token so it is properly freed here. 1630 */ 1631 if (jail_tok != NULL) 1632 kau_write(rec, jail_tok); 1633 kau_write(rec, subj_tok); 1634 kau_free(rec); 1635 return (BSM_NOAUDIT); 1636 } 1637 1638 if (jail_tok != NULL) 1639 kau_write(rec, jail_tok); 1640 kau_write(rec, subj_tok); 1641 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1642 kau_write(rec, tok); /* Every record gets a return token */ 1643 1644 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1645 1646 *pau = rec; 1647 return (BSM_SUCCESS); 1648} 1649 1650/* 1651 * Verify that a record is a valid BSM record. This verification is simple 1652 * now, but may be expanded on sometime in the future. Return 1 if the 1653 * record is good, 0 otherwise. 1654 */ 1655int 1656bsm_rec_verify(void *rec) 1657{ 1658 char c = *(char *)rec; 1659 1660 /* 1661 * Check the token ID of the first token; it has to be a header 1662 * token. 1663 * 1664 * XXXAUDIT There needs to be a token structure to map a token. 1665 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1666 */ 1667 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1668 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1669 return (0); 1670 return (1); 1671} 1672