audit_bsm.c revision 247602
1/* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 247602 2013-03-02 00:53:12Z pjd $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155} 156 157/* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161void 162kau_free(struct au_record *rec) 163{ 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177} 178 179/* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186#define ATFD1_TOKENS(argnum) do { \ 187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 189 kau_write(rec, tok); \ 190 } \ 191} while (0) 192 193#define ATFD2_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 196 kau_write(rec, tok); \ 197 } \ 198} while (0) 199 200#define UPATH1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 202 tok = au_to_path(ar->ar_arg_upath1); \ 203 kau_write(rec, tok); \ 204 } \ 205} while (0) 206 207#define UPATH2_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 209 tok = au_to_path(ar->ar_arg_upath2); \ 210 kau_write(rec, tok); \ 211 } \ 212} while (0) 213 214#define VNODE1_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 217 kau_write(rec, tok); \ 218 } \ 219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 220 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 221 kau_write(rec, tok); \ 222 } \ 223} while (0) 224 225#define UPATH1_VNODE1_TOKENS do { \ 226 UPATH1_TOKENS; \ 227 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 228 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 229 kau_write(rec, tok); \ 230 } \ 231} while (0) 232 233#define VNODE2_TOKENS do { \ 234 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 235 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 236 kau_write(rec, tok); \ 237 } \ 238} while (0) 239 240#define FD_VNODE1_TOKENS do { \ 241 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 242 if (ARG_IS_VALID(kar, ARG_FD)) { \ 243 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 244 kau_write(rec, tok); \ 245 } \ 246 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 247 kau_write(rec, tok); \ 248 } else { \ 249 if (ARG_IS_VALID(kar, ARG_FD)) { \ 250 tok = au_to_arg32(1, "non-file: fd", \ 251 ar->ar_arg_fd); \ 252 kau_write(rec, tok); \ 253 } \ 254 } \ 255} while (0) 256 257#define PROCESS_PID_TOKENS(argn) do { \ 258 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 259 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 260 tok = au_to_process32_ex(ar->ar_arg_auid, \ 261 ar->ar_arg_euid, ar->ar_arg_egid, \ 262 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 263 ar->ar_arg_pid, ar->ar_arg_asid, \ 264 &ar->ar_arg_termid_addr); \ 265 kau_write(rec, tok); \ 266 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 267 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 268 kau_write(rec, tok); \ 269 } \ 270} while (0) 271 272#define EXTATTR_TOKENS(namespace_argnum) do { \ 273 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 274 switch (ar->ar_arg_value) { \ 275 case EXTATTR_NAMESPACE_USER: \ 276 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 277 break; \ 278 case EXTATTR_NAMESPACE_SYSTEM: \ 279 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 280 break; \ 281 default: \ 282 tok = au_to_arg32((namespace_argnum), \ 283 "attrnamespace", ar->ar_arg_value); \ 284 break; \ 285 } \ 286 kau_write(rec, tok); \ 287 } \ 288 /* attrname is in the text field */ \ 289 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 290 tok = au_to_text(ar->ar_arg_text); \ 291 kau_write(rec, tok); \ 292 } \ 293} while (0) 294 295/* 296 * Not all pointer arguments to system calls are of interest, but in some 297 * cases they reflect delegation of rights, such as mmap(2) followed by 298 * minherit(2) before execve(2), so do the best we can. 299 */ 300#define ADDR_TOKEN(argnum, argname) do { \ 301 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 302 if (sizeof(void *) == sizeof(uint32_t)) \ 303 tok = au_to_arg32((argnum), (argname), \ 304 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 305 else \ 306 tok = au_to_arg64((argnum), (argname), \ 307 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 308 kau_write(rec, tok); \ 309 } \ 310} while (0) 311 312 313/* 314 * Implement auditing for the auditon() system call. The audit tokens that 315 * are generated depend on the command that was sent into the auditon() 316 * system call. 317 */ 318static void 319audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 320{ 321 struct au_token *tok; 322 323 tok = au_to_arg32(3, "length", ar->ar_arg_len); 324 kau_write(rec, tok); 325 switch (ar->ar_arg_cmd) { 326 case A_OLDSETPOLICY: 327 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 328 tok = au_to_arg64(2, "policy", 329 ar->ar_arg_auditon.au_policy64); 330 kau_write(rec, tok); 331 break; 332 } 333 /* FALLTHROUGH */ 334 335 case A_SETPOLICY: 336 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 337 kau_write(rec, tok); 338 break; 339 340 case A_SETKMASK: 341 tok = au_to_arg32(2, "setkmask:as_success", 342 ar->ar_arg_auditon.au_mask.am_success); 343 kau_write(rec, tok); 344 tok = au_to_arg32(2, "setkmask:as_failure", 345 ar->ar_arg_auditon.au_mask.am_failure); 346 kau_write(rec, tok); 347 break; 348 349 case A_OLDSETQCTRL: 350 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 351 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 352 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 353 kau_write(rec, tok); 354 tok = au_to_arg64(2, "setqctrl:aq_lowater", 355 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 356 kau_write(rec, tok); 357 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 358 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 359 kau_write(rec, tok); 360 tok = au_to_arg64(2, "setqctrl:aq_delay", 361 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_minfree", 364 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 365 kau_write(rec, tok); 366 break; 367 } 368 /* FALLTHROUGH */ 369 370 case A_SETQCTRL: 371 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 372 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 373 kau_write(rec, tok); 374 tok = au_to_arg32(2, "setqctrl:aq_lowater", 375 ar->ar_arg_auditon.au_qctrl.aq_lowater); 376 kau_write(rec, tok); 377 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 378 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 379 kau_write(rec, tok); 380 tok = au_to_arg32(2, "setqctrl:aq_delay", 381 ar->ar_arg_auditon.au_qctrl.aq_delay); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_minfree", 384 ar->ar_arg_auditon.au_qctrl.aq_minfree); 385 kau_write(rec, tok); 386 break; 387 388 case A_SETUMASK: 389 tok = au_to_arg32(2, "setumask:as_success", 390 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 391 kau_write(rec, tok); 392 tok = au_to_arg32(2, "setumask:as_failure", 393 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 394 kau_write(rec, tok); 395 break; 396 397 case A_SETSMASK: 398 tok = au_to_arg32(2, "setsmask:as_success", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 400 kau_write(rec, tok); 401 tok = au_to_arg32(2, "setsmask:as_failure", 402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 403 kau_write(rec, tok); 404 break; 405 406 case A_OLDSETCOND: 407 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 408 tok = au_to_arg64(2, "setcond", 409 ar->ar_arg_auditon.au_cond64); 410 kau_write(rec, tok); 411 break; 412 } 413 /* FALLTHROUGH */ 414 415 case A_SETCOND: 416 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 417 kau_write(rec, tok); 418 break; 419 420 case A_SETCLASS: 421 kau_write(rec, tok); 422 tok = au_to_arg32(2, "setclass:ec_event", 423 ar->ar_arg_auditon.au_evclass.ec_number); 424 kau_write(rec, tok); 425 tok = au_to_arg32(2, "setclass:ec_class", 426 ar->ar_arg_auditon.au_evclass.ec_class); 427 kau_write(rec, tok); 428 break; 429 430 case A_SETPMASK: 431 tok = au_to_arg32(2, "setpmask:as_success", 432 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 433 kau_write(rec, tok); 434 tok = au_to_arg32(2, "setpmask:as_failure", 435 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 436 kau_write(rec, tok); 437 break; 438 439 case A_SETFSIZE: 440 tok = au_to_arg32(2, "setfsize:filesize", 441 ar->ar_arg_auditon.au_fstat.af_filesz); 442 kau_write(rec, tok); 443 break; 444 445 default: 446 break; 447 } 448} 449 450/* 451 * Convert an internal kernel audit record to a BSM record and return a 452 * success/failure indicator. The BSM record is passed as an out parameter to 453 * this function. 454 * 455 * Return conditions: 456 * BSM_SUCCESS: The BSM record is valid 457 * BSM_FAILURE: Failure; the BSM record is NULL. 458 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 459 */ 460int 461kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 462{ 463 struct au_token *tok, *subj_tok, *jail_tok; 464 struct au_record *rec; 465 au_tid_t tid; 466 struct audit_record *ar; 467 int ctr; 468 469 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 470 471 *pau = NULL; 472 ar = &kar->k_ar; 473 rec = kau_open(); 474 475 /* 476 * Create the subject token. If this credential was jailed be sure to 477 * generate a zonename token. 478 */ 479 if (ar->ar_jailname[0] != '\0') 480 jail_tok = au_to_zonename(ar->ar_jailname); 481 else 482 jail_tok = NULL; 483 switch (ar->ar_subj_term_addr.at_type) { 484 case AU_IPv4: 485 tid.port = ar->ar_subj_term_addr.at_port; 486 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 487 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 488 ar->ar_subj_cred.cr_uid, /* eff uid */ 489 ar->ar_subj_egid, /* eff group id */ 490 ar->ar_subj_ruid, /* real uid */ 491 ar->ar_subj_rgid, /* real group id */ 492 ar->ar_subj_pid, /* process id */ 493 ar->ar_subj_asid, /* session ID */ 494 &tid); 495 break; 496 case AU_IPv6: 497 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 498 ar->ar_subj_cred.cr_uid, 499 ar->ar_subj_egid, 500 ar->ar_subj_ruid, 501 ar->ar_subj_rgid, 502 ar->ar_subj_pid, 503 ar->ar_subj_asid, 504 &ar->ar_subj_term_addr); 505 break; 506 default: 507 bzero(&tid, sizeof(tid)); 508 subj_tok = au_to_subject32(ar->ar_subj_auid, 509 ar->ar_subj_cred.cr_uid, 510 ar->ar_subj_egid, 511 ar->ar_subj_ruid, 512 ar->ar_subj_rgid, 513 ar->ar_subj_pid, 514 ar->ar_subj_asid, 515 &tid); 516 } 517 518 /* 519 * The logic inside each case fills in the tokens required for the 520 * event, except for the header, trailer, and return tokens. The 521 * header and trailer tokens are added by the kau_close() function. 522 * The return token is added outside of the switch statement. 523 */ 524 switch(ar->ar_event) { 525 case AUE_ACCEPT: 526 case AUE_BIND: 527 case AUE_LISTEN: 528 case AUE_CONNECT: 529 case AUE_RECV: 530 case AUE_RECVFROM: 531 case AUE_RECVMSG: 532 case AUE_SEND: 533 case AUE_SENDFILE: 534 case AUE_SENDMSG: 535 case AUE_SENDTO: 536 /* 537 * Socket-related events. 538 */ 539 if (ARG_IS_VALID(kar, ARG_FD)) { 540 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 541 kau_write(rec, tok); 542 } 543 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 544 tok = au_to_sock_inet((struct sockaddr_in *) 545 &ar->ar_arg_sockaddr); 546 kau_write(rec, tok); 547 } 548 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 549 tok = au_to_sock_unix((struct sockaddr_un *) 550 &ar->ar_arg_sockaddr); 551 kau_write(rec, tok); 552 UPATH1_TOKENS; 553 } 554 /* XXX Need to handle ARG_SADDRINET6 */ 555 break; 556 557 case AUE_SOCKET: 558 case AUE_SOCKETPAIR: 559 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 560 tok = au_to_arg32(1, "domain", 561 ar->ar_arg_sockinfo.so_domain); 562 kau_write(rec, tok); 563 tok = au_to_arg32(2, "type", 564 ar->ar_arg_sockinfo.so_type); 565 kau_write(rec, tok); 566 tok = au_to_arg32(3, "protocol", 567 ar->ar_arg_sockinfo.so_protocol); 568 kau_write(rec, tok); 569 } 570 break; 571 572 case AUE_SETSOCKOPT: 573 case AUE_SHUTDOWN: 574 if (ARG_IS_VALID(kar, ARG_FD)) { 575 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 576 kau_write(rec, tok); 577 } 578 break; 579 580 case AUE_ACCT: 581 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 582 UPATH1_VNODE1_TOKENS; 583 } else { 584 tok = au_to_arg32(1, "accounting off", 0); 585 kau_write(rec, tok); 586 } 587 break; 588 589 case AUE_SETAUID: 590 if (ARG_IS_VALID(kar, ARG_AUID)) { 591 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 592 kau_write(rec, tok); 593 } 594 break; 595 596 case AUE_SETAUDIT: 597 if (ARG_IS_VALID(kar, ARG_AUID) && 598 ARG_IS_VALID(kar, ARG_ASID) && 599 ARG_IS_VALID(kar, ARG_AMASK) && 600 ARG_IS_VALID(kar, ARG_TERMID)) { 601 tok = au_to_arg32(1, "setaudit:auid", 602 ar->ar_arg_auid); 603 kau_write(rec, tok); 604 tok = au_to_arg32(1, "setaudit:port", 605 ar->ar_arg_termid.port); 606 kau_write(rec, tok); 607 tok = au_to_arg32(1, "setaudit:machine", 608 ar->ar_arg_termid.machine); 609 kau_write(rec, tok); 610 tok = au_to_arg32(1, "setaudit:as_success", 611 ar->ar_arg_amask.am_success); 612 kau_write(rec, tok); 613 tok = au_to_arg32(1, "setaudit:as_failure", 614 ar->ar_arg_amask.am_failure); 615 kau_write(rec, tok); 616 tok = au_to_arg32(1, "setaudit:asid", 617 ar->ar_arg_asid); 618 kau_write(rec, tok); 619 } 620 break; 621 622 case AUE_SETAUDIT_ADDR: 623 if (ARG_IS_VALID(kar, ARG_AUID) && 624 ARG_IS_VALID(kar, ARG_ASID) && 625 ARG_IS_VALID(kar, ARG_AMASK) && 626 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 627 tok = au_to_arg32(1, "setaudit_addr:auid", 628 ar->ar_arg_auid); 629 kau_write(rec, tok); 630 tok = au_to_arg32(1, "setaudit_addr:as_success", 631 ar->ar_arg_amask.am_success); 632 kau_write(rec, tok); 633 tok = au_to_arg32(1, "setaudit_addr:as_failure", 634 ar->ar_arg_amask.am_failure); 635 kau_write(rec, tok); 636 tok = au_to_arg32(1, "setaudit_addr:asid", 637 ar->ar_arg_asid); 638 kau_write(rec, tok); 639 tok = au_to_arg32(1, "setaudit_addr:type", 640 ar->ar_arg_termid_addr.at_type); 641 kau_write(rec, tok); 642 tok = au_to_arg32(1, "setaudit_addr:port", 643 ar->ar_arg_termid_addr.at_port); 644 kau_write(rec, tok); 645 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 646 tok = au_to_in_addr_ex((struct in6_addr *) 647 &ar->ar_arg_termid_addr.at_addr[0]); 648 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 649 tok = au_to_in_addr((struct in_addr *) 650 &ar->ar_arg_termid_addr.at_addr[0]); 651 kau_write(rec, tok); 652 } 653 break; 654 655 case AUE_AUDITON: 656 /* 657 * For AUDITON commands without own event, audit the cmd. 658 */ 659 if (ARG_IS_VALID(kar, ARG_CMD)) { 660 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 661 kau_write(rec, tok); 662 } 663 /* FALLTHROUGH */ 664 665 case AUE_AUDITON_GETCAR: 666 case AUE_AUDITON_GETCLASS: 667 case AUE_AUDITON_GETCOND: 668 case AUE_AUDITON_GETCWD: 669 case AUE_AUDITON_GETKMASK: 670 case AUE_AUDITON_GETSTAT: 671 case AUE_AUDITON_GPOLICY: 672 case AUE_AUDITON_GQCTRL: 673 case AUE_AUDITON_SETCLASS: 674 case AUE_AUDITON_SETCOND: 675 case AUE_AUDITON_SETKMASK: 676 case AUE_AUDITON_SETSMASK: 677 case AUE_AUDITON_SETSTAT: 678 case AUE_AUDITON_SETUMASK: 679 case AUE_AUDITON_SPOLICY: 680 case AUE_AUDITON_SQCTRL: 681 if (ARG_IS_VALID(kar, ARG_AUDITON)) 682 audit_sys_auditon(ar, rec); 683 break; 684 685 case AUE_AUDITCTL: 686 UPATH1_VNODE1_TOKENS; 687 break; 688 689 case AUE_EXIT: 690 if (ARG_IS_VALID(kar, ARG_EXIT)) { 691 tok = au_to_exit(ar->ar_arg_exitretval, 692 ar->ar_arg_exitstatus); 693 kau_write(rec, tok); 694 } 695 break; 696 697 case AUE_ADJTIME: 698 case AUE_CLOCK_SETTIME: 699 case AUE_AUDIT: 700 case AUE_DUP2: 701 case AUE_GETAUDIT: 702 case AUE_GETAUDIT_ADDR: 703 case AUE_GETAUID: 704 case AUE_GETCWD: 705 case AUE_GETFSSTAT: 706 case AUE_GETRESUID: 707 case AUE_GETRESGID: 708 case AUE_KQUEUE: 709 case AUE_MODLOAD: 710 case AUE_MODUNLOAD: 711 case AUE_MSGSYS: 712 case AUE_NTP_ADJTIME: 713 case AUE_PIPE: 714 case AUE_POSIX_OPENPT: 715 case AUE_PROFILE: 716 case AUE_RTPRIO: 717 case AUE_SEMSYS: 718 case AUE_SHMSYS: 719 case AUE_SETPGRP: 720 case AUE_SETRLIMIT: 721 case AUE_SETSID: 722 case AUE_SETTIMEOFDAY: 723 case AUE_SYSARCH: 724 725 /* 726 * Header, subject, and return tokens added at end. 727 */ 728 break; 729 730 case AUE_CHDIR: 731 case AUE_CHROOT: 732 case AUE_FSTATAT: 733 case AUE_FUTIMESAT: 734 case AUE_GETATTRLIST: 735 case AUE_JAIL: 736 case AUE_LUTIMES: 737 case AUE_NFS_GETFH: 738 case AUE_LSTAT: 739 case AUE_LPATHCONF: 740 case AUE_PATHCONF: 741 case AUE_READLINK: 742 case AUE_READLINKAT: 743 case AUE_REVOKE: 744 case AUE_RMDIR: 745 case AUE_SEARCHFS: 746 case AUE_SETATTRLIST: 747 case AUE_STAT: 748 case AUE_STATFS: 749 case AUE_SWAPON: 750 case AUE_SWAPOFF: 751 case AUE_TRUNCATE: 752 case AUE_UNDELETE: 753 case AUE_UNLINK: 754 case AUE_UNLINKAT: 755 case AUE_UTIMES: 756 ATFD1_TOKENS(1); 757 UPATH1_VNODE1_TOKENS; 758 break; 759 760 case AUE_ACCESS: 761 case AUE_EACCESS: 762 case AUE_FACCESSAT: 763 ATFD1_TOKENS(1); 764 UPATH1_VNODE1_TOKENS; 765 if (ARG_IS_VALID(kar, ARG_VALUE)) { 766 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 767 kau_write(rec, tok); 768 } 769 break; 770 771 case AUE_FHSTATFS: 772 case AUE_FHOPEN: 773 case AUE_FHSTAT: 774 /* XXXRW: Need to audit vnode argument. */ 775 break; 776 777 case AUE_CHFLAGS: 778 case AUE_LCHFLAGS: 779 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 780 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 781 kau_write(rec, tok); 782 } 783 UPATH1_VNODE1_TOKENS; 784 break; 785 786 case AUE_CHMOD: 787 case AUE_LCHMOD: 788 if (ARG_IS_VALID(kar, ARG_MODE)) { 789 tok = au_to_arg32(2, "new file mode", 790 ar->ar_arg_mode); 791 kau_write(rec, tok); 792 } 793 UPATH1_VNODE1_TOKENS; 794 break; 795 796 case AUE_FCHMODAT: 797 ATFD1_TOKENS(1); 798 if (ARG_IS_VALID(kar, ARG_MODE)) { 799 tok = au_to_arg32(3, "new file mode", 800 ar->ar_arg_mode); 801 kau_write(rec, tok); 802 } 803 UPATH1_VNODE1_TOKENS; 804 break; 805 806 case AUE_CHOWN: 807 case AUE_LCHOWN: 808 if (ARG_IS_VALID(kar, ARG_UID)) { 809 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 810 kau_write(rec, tok); 811 } 812 if (ARG_IS_VALID(kar, ARG_GID)) { 813 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 814 kau_write(rec, tok); 815 } 816 UPATH1_VNODE1_TOKENS; 817 break; 818 819 case AUE_FCHOWNAT: 820 ATFD1_TOKENS(1); 821 if (ARG_IS_VALID(kar, ARG_UID)) { 822 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 823 kau_write(rec, tok); 824 } 825 if (ARG_IS_VALID(kar, ARG_GID)) { 826 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 827 kau_write(rec, tok); 828 } 829 UPATH1_VNODE1_TOKENS; 830 break; 831 832 case AUE_EXCHANGEDATA: 833 UPATH1_VNODE1_TOKENS; 834 UPATH2_TOKENS; 835 break; 836 837 case AUE_CLOSE: 838 if (ARG_IS_VALID(kar, ARG_FD)) { 839 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 840 kau_write(rec, tok); 841 } 842 UPATH1_VNODE1_TOKENS; 843 break; 844 845 case AUE_CLOSEFROM: 846 if (ARG_IS_VALID(kar, ARG_FD)) { 847 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 848 kau_write(rec, tok); 849 } 850 break; 851 852 case AUE_CORE: 853 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 854 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 855 kau_write(rec, tok); 856 } 857 UPATH1_VNODE1_TOKENS; 858 break; 859 860 case AUE_EXTATTRCTL: 861 UPATH1_VNODE1_TOKENS; 862 if (ARG_IS_VALID(kar, ARG_CMD)) { 863 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 864 kau_write(rec, tok); 865 } 866 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 867 UPATH2_TOKENS; 868 VNODE2_TOKENS; 869 EXTATTR_TOKENS(4); 870 break; 871 872 case AUE_EXTATTR_GET_FILE: 873 case AUE_EXTATTR_SET_FILE: 874 case AUE_EXTATTR_LIST_FILE: 875 case AUE_EXTATTR_DELETE_FILE: 876 case AUE_EXTATTR_GET_LINK: 877 case AUE_EXTATTR_SET_LINK: 878 case AUE_EXTATTR_LIST_LINK: 879 case AUE_EXTATTR_DELETE_LINK: 880 UPATH1_VNODE1_TOKENS; 881 EXTATTR_TOKENS(2); 882 break; 883 884 case AUE_EXTATTR_GET_FD: 885 case AUE_EXTATTR_SET_FD: 886 case AUE_EXTATTR_LIST_FD: 887 case AUE_EXTATTR_DELETE_FD: 888 if (ARG_IS_VALID(kar, ARG_FD)) { 889 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 890 kau_write(rec, tok); 891 } 892 EXTATTR_TOKENS(2); 893 break; 894 895 case AUE_FEXECVE: 896 if (ARG_IS_VALID(kar, ARG_FD)) { 897 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 898 kau_write(rec, tok); 899 } 900 /* FALLTHROUGH */ 901 902 case AUE_EXECVE: 903 case AUE_MAC_EXECVE: 904 if (ARG_IS_VALID(kar, ARG_ARGV)) { 905 tok = au_to_exec_args(ar->ar_arg_argv, 906 ar->ar_arg_argc); 907 kau_write(rec, tok); 908 } 909 if (ARG_IS_VALID(kar, ARG_ENVV)) { 910 tok = au_to_exec_env(ar->ar_arg_envv, 911 ar->ar_arg_envc); 912 kau_write(rec, tok); 913 } 914 UPATH1_VNODE1_TOKENS; 915 break; 916 917 case AUE_FCHMOD: 918 if (ARG_IS_VALID(kar, ARG_MODE)) { 919 tok = au_to_arg32(2, "new file mode", 920 ar->ar_arg_mode); 921 kau_write(rec, tok); 922 } 923 FD_VNODE1_TOKENS; 924 break; 925 926 /* 927 * XXXRW: Some of these need to handle non-vnode cases as well. 928 */ 929 case AUE_FCHDIR: 930 case AUE_FPATHCONF: 931 case AUE_FSTAT: 932 case AUE_FSTATFS: 933 case AUE_FSYNC: 934 case AUE_FTRUNCATE: 935 case AUE_FUTIMES: 936 case AUE_GETDIRENTRIES: 937 case AUE_GETDIRENTRIESATTR: 938 case AUE_LSEEK: 939 case AUE_POLL: 940 case AUE_READ: 941 case AUE_READV: 942 case AUE_WRITE: 943 case AUE_WRITEV: 944 FD_VNODE1_TOKENS; 945 break; 946 947 case AUE_FCHOWN: 948 if (ARG_IS_VALID(kar, ARG_UID)) { 949 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 950 kau_write(rec, tok); 951 } 952 if (ARG_IS_VALID(kar, ARG_GID)) { 953 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 954 kau_write(rec, tok); 955 } 956 FD_VNODE1_TOKENS; 957 break; 958 959 case AUE_FCNTL: 960 if (ARG_IS_VALID(kar, ARG_CMD)) { 961 tok = au_to_arg32(2, "cmd", 962 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 963 kau_write(rec, tok); 964 } 965 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 966 ar->ar_arg_cmd == F_SETLKW) { 967 FD_VNODE1_TOKENS; 968 } 969 break; 970 971 case AUE_FCHFLAGS: 972 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 973 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 974 kau_write(rec, tok); 975 } 976 FD_VNODE1_TOKENS; 977 break; 978 979 case AUE_FLOCK: 980 if (ARG_IS_VALID(kar, ARG_CMD)) { 981 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 982 kau_write(rec, tok); 983 } 984 FD_VNODE1_TOKENS; 985 break; 986 987 case AUE_RFORK: 988 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 989 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 990 kau_write(rec, tok); 991 } 992 /* FALLTHROUGH */ 993 994 case AUE_FORK: 995 case AUE_VFORK: 996 if (ARG_IS_VALID(kar, ARG_PID)) { 997 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 998 kau_write(rec, tok); 999 } 1000 break; 1001 1002 case AUE_IOCTL: 1003 if (ARG_IS_VALID(kar, ARG_CMD)) { 1004 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1005 kau_write(rec, tok); 1006 } 1007 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1008 FD_VNODE1_TOKENS; 1009 else { 1010 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1011 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1012 kau_write(rec, tok); 1013 } else { 1014 if (ARG_IS_VALID(kar, ARG_FD)) { 1015 tok = au_to_arg32(1, "fd", 1016 ar->ar_arg_fd); 1017 kau_write(rec, tok); 1018 } 1019 } 1020 } 1021 break; 1022 1023 case AUE_KILL: 1024 case AUE_KILLPG: 1025 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1026 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1027 kau_write(rec, tok); 1028 } 1029 PROCESS_PID_TOKENS(1); 1030 break; 1031 1032 case AUE_KTRACE: 1033 if (ARG_IS_VALID(kar, ARG_CMD)) { 1034 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1035 kau_write(rec, tok); 1036 } 1037 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1038 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1039 kau_write(rec, tok); 1040 } 1041 PROCESS_PID_TOKENS(4); 1042 UPATH1_VNODE1_TOKENS; 1043 break; 1044 1045 case AUE_LINK: 1046 case AUE_LINKAT: 1047 case AUE_RENAME: 1048 case AUE_RENAMEAT: 1049 ATFD1_TOKENS(1); 1050 UPATH1_VNODE1_TOKENS; 1051 ATFD2_TOKENS(3); 1052 UPATH2_TOKENS; 1053 break; 1054 1055 case AUE_LOADSHFILE: 1056 ADDR_TOKEN(4, "base addr"); 1057 UPATH1_VNODE1_TOKENS; 1058 break; 1059 1060 case AUE_MKDIR: 1061 case AUE_MKDIRAT: 1062 case AUE_MKFIFO: 1063 case AUE_MKFIFOAT: 1064 ATFD1_TOKENS(1); 1065 if (ARG_IS_VALID(kar, ARG_MODE)) { 1066 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1067 kau_write(rec, tok); 1068 } 1069 UPATH1_VNODE1_TOKENS; 1070 break; 1071 1072 case AUE_MKNOD: 1073 case AUE_MKNODAT: 1074 ATFD1_TOKENS(1); 1075 if (ARG_IS_VALID(kar, ARG_MODE)) { 1076 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1077 kau_write(rec, tok); 1078 } 1079 if (ARG_IS_VALID(kar, ARG_DEV)) { 1080 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1081 kau_write(rec, tok); 1082 } 1083 UPATH1_VNODE1_TOKENS; 1084 break; 1085 1086 case AUE_MMAP: 1087 case AUE_MUNMAP: 1088 case AUE_MPROTECT: 1089 case AUE_MLOCK: 1090 case AUE_MUNLOCK: 1091 case AUE_MINHERIT: 1092 ADDR_TOKEN(1, "addr"); 1093 if (ARG_IS_VALID(kar, ARG_LEN)) { 1094 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1095 kau_write(rec, tok); 1096 } 1097 if (ar->ar_event == AUE_MMAP) 1098 FD_VNODE1_TOKENS; 1099 if (ar->ar_event == AUE_MPROTECT) { 1100 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1101 tok = au_to_arg32(3, "protection", 1102 ar->ar_arg_value); 1103 kau_write(rec, tok); 1104 } 1105 } 1106 if (ar->ar_event == AUE_MINHERIT) { 1107 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1108 tok = au_to_arg32(3, "inherit", 1109 ar->ar_arg_value); 1110 kau_write(rec, tok); 1111 } 1112 } 1113 break; 1114 1115 case AUE_MOUNT: 1116 case AUE_NMOUNT: 1117 /* XXX Need to handle NFS mounts */ 1118 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1119 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1120 kau_write(rec, tok); 1121 } 1122 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1123 tok = au_to_text(ar->ar_arg_text); 1124 kau_write(rec, tok); 1125 } 1126 /* FALLTHROUGH */ 1127 1128 case AUE_NFS_SVC: 1129 if (ARG_IS_VALID(kar, ARG_CMD)) { 1130 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1131 kau_write(rec, tok); 1132 } 1133 break; 1134 1135 case AUE_UMOUNT: 1136 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1137 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1138 kau_write(rec, tok); 1139 } 1140 UPATH1_VNODE1_TOKENS; 1141 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1142 tok = au_to_text(ar->ar_arg_text); 1143 kau_write(rec, tok); 1144 } 1145 break; 1146 1147 case AUE_MSGCTL: 1148 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1149 /* Fall through */ 1150 1151 case AUE_MSGRCV: 1152 case AUE_MSGSND: 1153 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1154 kau_write(rec, tok); 1155 if (ar->ar_errno != EINVAL) { 1156 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1157 kau_write(rec, tok); 1158 } 1159 break; 1160 1161 case AUE_MSGGET: 1162 if (ar->ar_errno == 0) { 1163 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1164 tok = au_to_ipc(AT_IPC_MSG, 1165 ar->ar_arg_svipc_id); 1166 kau_write(rec, tok); 1167 } 1168 } 1169 break; 1170 1171 case AUE_RESETSHFILE: 1172 ADDR_TOKEN(1, "base addr"); 1173 break; 1174 1175 case AUE_OPEN_RC: 1176 case AUE_OPEN_RTC: 1177 case AUE_OPEN_RWC: 1178 case AUE_OPEN_RWTC: 1179 case AUE_OPEN_WC: 1180 case AUE_OPEN_WTC: 1181 case AUE_CREAT: 1182 if (ARG_IS_VALID(kar, ARG_MODE)) { 1183 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1184 kau_write(rec, tok); 1185 } 1186 /* FALLTHROUGH */ 1187 1188 case AUE_OPEN_R: 1189 case AUE_OPEN_RT: 1190 case AUE_OPEN_RW: 1191 case AUE_OPEN_RWT: 1192 case AUE_OPEN_W: 1193 case AUE_OPEN_WT: 1194 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1195 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1196 kau_write(rec, tok); 1197 } 1198 UPATH1_VNODE1_TOKENS; 1199 break; 1200 1201 case AUE_OPENAT_RC: 1202 case AUE_OPENAT_RTC: 1203 case AUE_OPENAT_RWC: 1204 case AUE_OPENAT_RWTC: 1205 case AUE_OPENAT_WC: 1206 case AUE_OPENAT_WTC: 1207 if (ARG_IS_VALID(kar, ARG_MODE)) { 1208 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1209 kau_write(rec, tok); 1210 } 1211 /* FALLTHROUGH */ 1212 1213 case AUE_OPENAT_R: 1214 case AUE_OPENAT_RT: 1215 case AUE_OPENAT_RW: 1216 case AUE_OPENAT_RWT: 1217 case AUE_OPENAT_W: 1218 case AUE_OPENAT_WT: 1219 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1220 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1221 kau_write(rec, tok); 1222 } 1223 ATFD1_TOKENS(1); 1224 UPATH1_VNODE1_TOKENS; 1225 break; 1226 1227 case AUE_PTRACE: 1228 if (ARG_IS_VALID(kar, ARG_CMD)) { 1229 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1230 kau_write(rec, tok); 1231 } 1232 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1233 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1234 kau_write(rec, tok); 1235 } 1236 PROCESS_PID_TOKENS(2); 1237 break; 1238 1239 case AUE_QUOTACTL: 1240 if (ARG_IS_VALID(kar, ARG_CMD)) { 1241 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1242 kau_write(rec, tok); 1243 } 1244 if (ARG_IS_VALID(kar, ARG_UID)) { 1245 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1246 kau_write(rec, tok); 1247 } 1248 if (ARG_IS_VALID(kar, ARG_GID)) { 1249 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1250 kau_write(rec, tok); 1251 } 1252 UPATH1_VNODE1_TOKENS; 1253 break; 1254 1255 case AUE_REBOOT: 1256 if (ARG_IS_VALID(kar, ARG_CMD)) { 1257 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1258 kau_write(rec, tok); 1259 } 1260 break; 1261 1262 case AUE_SEMCTL: 1263 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1264 /* Fall through */ 1265 1266 case AUE_SEMOP: 1267 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1268 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1269 kau_write(rec, tok); 1270 if (ar->ar_errno != EINVAL) { 1271 tok = au_to_ipc(AT_IPC_SEM, 1272 ar->ar_arg_svipc_id); 1273 kau_write(rec, tok); 1274 } 1275 } 1276 break; 1277 1278 case AUE_SEMGET: 1279 if (ar->ar_errno == 0) { 1280 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1281 tok = au_to_ipc(AT_IPC_SEM, 1282 ar->ar_arg_svipc_id); 1283 kau_write(rec, tok); 1284 } 1285 } 1286 break; 1287 1288 case AUE_SETEGID: 1289 if (ARG_IS_VALID(kar, ARG_EGID)) { 1290 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1291 kau_write(rec, tok); 1292 } 1293 break; 1294 1295 case AUE_SETEUID: 1296 if (ARG_IS_VALID(kar, ARG_EUID)) { 1297 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1298 kau_write(rec, tok); 1299 } 1300 break; 1301 1302 case AUE_SETREGID: 1303 if (ARG_IS_VALID(kar, ARG_RGID)) { 1304 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1305 kau_write(rec, tok); 1306 } 1307 if (ARG_IS_VALID(kar, ARG_EGID)) { 1308 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1309 kau_write(rec, tok); 1310 } 1311 break; 1312 1313 case AUE_SETREUID: 1314 if (ARG_IS_VALID(kar, ARG_RUID)) { 1315 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1316 kau_write(rec, tok); 1317 } 1318 if (ARG_IS_VALID(kar, ARG_EUID)) { 1319 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1320 kau_write(rec, tok); 1321 } 1322 break; 1323 1324 case AUE_SETRESGID: 1325 if (ARG_IS_VALID(kar, ARG_RGID)) { 1326 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1327 kau_write(rec, tok); 1328 } 1329 if (ARG_IS_VALID(kar, ARG_EGID)) { 1330 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1331 kau_write(rec, tok); 1332 } 1333 if (ARG_IS_VALID(kar, ARG_SGID)) { 1334 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1335 kau_write(rec, tok); 1336 } 1337 break; 1338 1339 case AUE_SETRESUID: 1340 if (ARG_IS_VALID(kar, ARG_RUID)) { 1341 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1342 kau_write(rec, tok); 1343 } 1344 if (ARG_IS_VALID(kar, ARG_EUID)) { 1345 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1346 kau_write(rec, tok); 1347 } 1348 if (ARG_IS_VALID(kar, ARG_SUID)) { 1349 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1350 kau_write(rec, tok); 1351 } 1352 break; 1353 1354 case AUE_SETGID: 1355 if (ARG_IS_VALID(kar, ARG_GID)) { 1356 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1357 kau_write(rec, tok); 1358 } 1359 break; 1360 1361 case AUE_SETUID: 1362 if (ARG_IS_VALID(kar, ARG_UID)) { 1363 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1364 kau_write(rec, tok); 1365 } 1366 break; 1367 1368 case AUE_SETGROUPS: 1369 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1370 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1371 { 1372 tok = au_to_arg32(1, "setgroups", 1373 ar->ar_arg_groups.gidset[ctr]); 1374 kau_write(rec, tok); 1375 } 1376 } 1377 break; 1378 1379 case AUE_SETLOGIN: 1380 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1381 tok = au_to_text(ar->ar_arg_text); 1382 kau_write(rec, tok); 1383 } 1384 break; 1385 1386 case AUE_SETPRIORITY: 1387 if (ARG_IS_VALID(kar, ARG_CMD)) { 1388 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1389 kau_write(rec, tok); 1390 } 1391 if (ARG_IS_VALID(kar, ARG_UID)) { 1392 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1393 kau_write(rec, tok); 1394 } 1395 PROCESS_PID_TOKENS(2); 1396 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1397 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1398 kau_write(rec, tok); 1399 } 1400 break; 1401 1402 case AUE_SETPRIVEXEC: 1403 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1404 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1405 kau_write(rec, tok); 1406 } 1407 break; 1408 1409 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1410 case AUE_SHMAT: 1411 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1412 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1413 kau_write(rec, tok); 1414 /* XXXAUDIT: Does having the ipc token make sense? */ 1415 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1416 kau_write(rec, tok); 1417 } 1418 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1419 tok = au_to_arg32(2, "shmaddr", 1420 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1421 kau_write(rec, tok); 1422 } 1423 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1424 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1425 kau_write(rec, tok); 1426 } 1427 break; 1428 1429 case AUE_SHMCTL: 1430 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1431 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1432 kau_write(rec, tok); 1433 /* XXXAUDIT: Does having the ipc token make sense? */ 1434 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1435 kau_write(rec, tok); 1436 } 1437 switch (ar->ar_arg_svipc_cmd) { 1438 case IPC_STAT: 1439 ar->ar_event = AUE_SHMCTL_STAT; 1440 break; 1441 case IPC_RMID: 1442 ar->ar_event = AUE_SHMCTL_RMID; 1443 break; 1444 case IPC_SET: 1445 ar->ar_event = AUE_SHMCTL_SET; 1446 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1447 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1448 kau_write(rec, tok); 1449 } 1450 break; 1451 default: 1452 break; /* We will audit a bad command */ 1453 } 1454 break; 1455 1456 case AUE_SHMDT: 1457 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1458 tok = au_to_arg32(1, "shmaddr", 1459 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1460 kau_write(rec, tok); 1461 } 1462 break; 1463 1464 case AUE_SHMGET: 1465 /* This is unusual; the return value is in an argument token */ 1466 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1467 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1468 kau_write(rec, tok); 1469 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1470 kau_write(rec, tok); 1471 } 1472 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1473 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1474 kau_write(rec, tok); 1475 } 1476 break; 1477 1478 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1479 * and AUE_SEMUNLINK are Posix IPC */ 1480 case AUE_SHMOPEN: 1481 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1482 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1483 kau_write(rec, tok); 1484 } 1485 if (ARG_IS_VALID(kar, ARG_MODE)) { 1486 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1487 kau_write(rec, tok); 1488 } 1489 /* FALLTHROUGH */ 1490 1491 case AUE_SHMUNLINK: 1492 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1493 tok = au_to_text(ar->ar_arg_text); 1494 kau_write(rec, tok); 1495 } 1496 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1497 struct ipc_perm perm; 1498 1499 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1500 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1501 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1502 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1503 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1504 perm.seq = 0; 1505 perm.key = 0; 1506 tok = au_to_ipc_perm(&perm); 1507 kau_write(rec, tok); 1508 } 1509 break; 1510 1511 case AUE_SEMOPEN: 1512 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1513 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1514 kau_write(rec, tok); 1515 } 1516 if (ARG_IS_VALID(kar, ARG_MODE)) { 1517 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1518 kau_write(rec, tok); 1519 } 1520 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1521 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1522 kau_write(rec, tok); 1523 } 1524 /* FALLTHROUGH */ 1525 1526 case AUE_SEMUNLINK: 1527 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1528 tok = au_to_text(ar->ar_arg_text); 1529 kau_write(rec, tok); 1530 } 1531 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1532 struct ipc_perm perm; 1533 1534 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1535 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1536 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1537 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1538 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1539 perm.seq = 0; 1540 perm.key = 0; 1541 tok = au_to_ipc_perm(&perm); 1542 kau_write(rec, tok); 1543 } 1544 break; 1545 1546 case AUE_SEMCLOSE: 1547 if (ARG_IS_VALID(kar, ARG_FD)) { 1548 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1549 kau_write(rec, tok); 1550 } 1551 break; 1552 1553 case AUE_SYMLINK: 1554 case AUE_SYMLINKAT: 1555 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1556 tok = au_to_text(ar->ar_arg_text); 1557 kau_write(rec, tok); 1558 } 1559 ATFD1_TOKENS(1); 1560 UPATH1_VNODE1_TOKENS; 1561 break; 1562 1563 case AUE_SYSCTL: 1564 case AUE_SYSCTL_NONADMIN: 1565 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1566 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1567 tok = au_to_arg32(1, "name", 1568 ar->ar_arg_ctlname[ctr]); 1569 kau_write(rec, tok); 1570 } 1571 } 1572 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1573 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1574 kau_write(rec, tok); 1575 } 1576 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1577 tok = au_to_text(ar->ar_arg_text); 1578 kau_write(rec, tok); 1579 } 1580 break; 1581 1582 case AUE_UMASK: 1583 if (ARG_IS_VALID(kar, ARG_MASK)) { 1584 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1585 kau_write(rec, tok); 1586 } 1587 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1588 kau_write(rec, tok); 1589 break; 1590 1591 case AUE_WAIT4: 1592 PROCESS_PID_TOKENS(1); 1593 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1594 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1595 kau_write(rec, tok); 1596 } 1597 break; 1598 1599 case AUE_CAP_NEW: 1600 case AUE_CAP_RIGHTS_LIMIT: 1601 /* 1602 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1603 */ 1604 FD_VNODE1_TOKENS; 1605 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1606 tok = au_to_arg64(2, "rights", ar->ar_arg_rights); 1607 kau_write(rec, tok); 1608 } 1609 break; 1610 1611 case AUE_CAP_FCNTLS_GET: 1612 case AUE_CAP_IOCTLS_GET: 1613 case AUE_CAP_IOCTLS_LIMIT: 1614 case AUE_CAP_RIGHTS_GET: 1615 if (ARG_IS_VALID(kar, ARG_FD)) { 1616 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1617 kau_write(rec, tok); 1618 } 1619 break; 1620 1621 case AUE_CAP_FCNTLS_LIMIT: 1622 FD_VNODE1_TOKENS; 1623 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1624 tok = au_to_arg32(2, "fcntlrights", 1625 ar->ar_arg_fcntl_rights); 1626 kau_write(rec, tok); 1627 } 1628 break; 1629 1630 case AUE_CAP_ENTER: 1631 case AUE_CAP_GETMODE: 1632 break; 1633 1634 case AUE_NULL: 1635 default: 1636 printf("BSM conversion requested for unknown event %d\n", 1637 ar->ar_event); 1638 1639 /* 1640 * Write the subject token so it is properly freed here. 1641 */ 1642 if (jail_tok != NULL) 1643 kau_write(rec, jail_tok); 1644 kau_write(rec, subj_tok); 1645 kau_free(rec); 1646 return (BSM_NOAUDIT); 1647 } 1648 1649 if (jail_tok != NULL) 1650 kau_write(rec, jail_tok); 1651 kau_write(rec, subj_tok); 1652 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1653 kau_write(rec, tok); /* Every record gets a return token */ 1654 1655 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1656 1657 *pau = rec; 1658 return (BSM_SUCCESS); 1659} 1660 1661/* 1662 * Verify that a record is a valid BSM record. This verification is simple 1663 * now, but may be expanded on sometime in the future. Return 1 if the 1664 * record is good, 0 otherwise. 1665 */ 1666int 1667bsm_rec_verify(void *rec) 1668{ 1669 char c = *(char *)rec; 1670 1671 /* 1672 * Check the token ID of the first token; it has to be a header 1673 * token. 1674 * 1675 * XXXAUDIT There needs to be a token structure to map a token. 1676 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1677 */ 1678 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1679 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1680 return (0); 1681 return (1); 1682} 1683