audit_bsm.c revision 336207
1/* 2 * Copyright (c) 1999-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: stable/11/sys/security/audit/audit_bsm.c 336207 2018-07-11 19:39:56Z asomers $"); 32 33#include <sys/param.h> 34#include <sys/vnode.h> 35#include <sys/ipc.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/mutex.h> 39#include <sys/socket.h> 40#include <sys/extattr.h> 41#include <sys/fcntl.h> 42#include <sys/user.h> 43#include <sys/systm.h> 44 45#include <bsm/audit.h> 46#include <bsm/audit_internal.h> 47#include <bsm/audit_record.h> 48#include <bsm/audit_kevents.h> 49 50#include <security/audit/audit.h> 51#include <security/audit/audit_private.h> 52 53#include <netinet/in_systm.h> 54#include <netinet/in.h> 55#include <netinet/ip.h> 56 57MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58 59static void audit_sys_auditon(struct audit_record *ar, 60 struct au_record *rec); 61 62/* 63 * Initialize the BSM auditing subsystem. 64 */ 65void 66kau_init(void) 67{ 68 69 au_evclassmap_init(); 70} 71 72/* 73 * This call reserves memory for the audit record. Memory must be guaranteed 74 * before any auditable event can be generated. The au_record structure 75 * maintains a reference to the memory allocated above and also the list of 76 * tokens associated with this record. 77 */ 78static struct au_record * 79kau_open(void) 80{ 81 struct au_record *rec; 82 83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84 rec->data = NULL; 85 TAILQ_INIT(&rec->token_q); 86 rec->len = 0; 87 rec->used = 1; 88 89 return (rec); 90} 91 92/* 93 * Store the token with the record descriptor. 94 */ 95static void 96kau_write(struct au_record *rec, struct au_token *tok) 97{ 98 99 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100 101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102 rec->len += tok->len; 103} 104 105/* 106 * Close out the audit record by adding the header token, identifying any 107 * missing tokens. Write out the tokens to the record memory. 108 */ 109static void 110kau_close(struct au_record *rec, struct timespec *ctime, short event) 111{ 112 u_char *dptr; 113 size_t tot_rec_size; 114 token_t *cur, *hdr, *trail; 115 struct timeval tm; 116 size_t hdrsize; 117 struct auditinfo_addr ak; 118 struct in6_addr *ap; 119 120 audit_get_kinfo(&ak); 121 hdrsize = 0; 122 switch (ak.ai_termid.at_type) { 123 case AU_IPv4: 124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ? 125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak); 126 break; 127 case AU_IPv6: 128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0]; 129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE : 130 AUDIT_HEADER_EX_SIZE(&ak); 131 break; 132 default: 133 panic("kau_close: invalid address family"); 134 } 135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE; 136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 137 138 tm.tv_usec = ctime->tv_nsec / 1000; 139 tm.tv_sec = ctime->tv_sec; 140 if (hdrsize != AUDIT_HEADER_SIZE) 141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak); 142 else 143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 145 146 trail = au_to_trailer(tot_rec_size); 147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 148 149 rec->len = tot_rec_size; 150 dptr = rec->data; 151 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 152 memcpy(dptr, cur->t_data, cur->len); 153 dptr += cur->len; 154 } 155} 156 157/* 158 * Free a BSM audit record by releasing all the tokens and clearing the audit 159 * record information. 160 */ 161void 162kau_free(struct au_record *rec) 163{ 164 struct au_token *tok; 165 166 /* Free the token list. */ 167 while ((tok = TAILQ_FIRST(&rec->token_q))) { 168 TAILQ_REMOVE(&rec->token_q, tok, tokens); 169 free(tok->t_data, M_AUDITBSM); 170 free(tok, M_AUDITBSM); 171 } 172 173 rec->used = 0; 174 rec->len = 0; 175 free(rec->data, M_AUDITBSM); 176 free(rec, M_AUDITBSM); 177} 178 179/* 180 * XXX: May want turn some (or all) of these macros into functions in order 181 * to reduce the generated code size. 182 * 183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 184 * caller are OK with this. 185 */ 186#define ATFD1_TOKENS(argnum) do { \ 187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \ 188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \ 189 kau_write(rec, tok); \ 190 } \ 191} while (0) 192 193#define ATFD2_TOKENS(argnum) do { \ 194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \ 195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \ 196 kau_write(rec, tok); \ 197 } \ 198} while (0) 199 200#define UPATH1_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 202 tok = au_to_path(ar->ar_arg_upath1); \ 203 kau_write(rec, tok); \ 204 } \ 205} while (0) 206 207#define UPATH2_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 209 tok = au_to_path(ar->ar_arg_upath2); \ 210 kau_write(rec, tok); \ 211 } \ 212} while (0) 213 214#define VNODE1_TOKENS do { \ 215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \ 216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \ 217 kau_write(rec, tok); \ 218 } \ 219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 220 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 221 kau_write(rec, tok); \ 222 } \ 223} while (0) 224 225#define UPATH1_VNODE1_TOKENS do { \ 226 UPATH1_TOKENS; \ 227 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 228 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 229 kau_write(rec, tok); \ 230 } \ 231} while (0) 232 233#define VNODE2_TOKENS do { \ 234 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 235 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 236 kau_write(rec, tok); \ 237 } \ 238} while (0) 239 240#define FD_VNODE1_TOKENS do { \ 241 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 242 if (ARG_IS_VALID(kar, ARG_FD)) { \ 243 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 244 kau_write(rec, tok); \ 245 } \ 246 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 247 kau_write(rec, tok); \ 248 } else { \ 249 if (ARG_IS_VALID(kar, ARG_FD)) { \ 250 tok = au_to_arg32(1, "non-file: fd", \ 251 ar->ar_arg_fd); \ 252 kau_write(rec, tok); \ 253 } \ 254 } \ 255} while (0) 256 257#define PROCESS_PID_TOKENS(argn) do { \ 258 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 259 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 260 tok = au_to_process32_ex(ar->ar_arg_auid, \ 261 ar->ar_arg_euid, ar->ar_arg_egid, \ 262 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 263 ar->ar_arg_pid, ar->ar_arg_asid, \ 264 &ar->ar_arg_termid_addr); \ 265 kau_write(rec, tok); \ 266 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 267 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 268 kau_write(rec, tok); \ 269 } \ 270} while (0) 271 272#define EXTATTR_TOKENS(namespace_argnum) do { \ 273 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 274 switch (ar->ar_arg_value) { \ 275 case EXTATTR_NAMESPACE_USER: \ 276 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 277 break; \ 278 case EXTATTR_NAMESPACE_SYSTEM: \ 279 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 280 break; \ 281 default: \ 282 tok = au_to_arg32((namespace_argnum), \ 283 "attrnamespace", ar->ar_arg_value); \ 284 break; \ 285 } \ 286 kau_write(rec, tok); \ 287 } \ 288 /* attrname is in the text field */ \ 289 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 290 tok = au_to_text(ar->ar_arg_text); \ 291 kau_write(rec, tok); \ 292 } \ 293} while (0) 294 295/* 296 * Not all pointer arguments to system calls are of interest, but in some 297 * cases they reflect delegation of rights, such as mmap(2) followed by 298 * minherit(2) before execve(2), so do the best we can. 299 */ 300#define ADDR_TOKEN(argnum, argname) do { \ 301 if (ARG_IS_VALID(kar, ARG_ADDR)) { \ 302 if (sizeof(void *) == sizeof(uint32_t)) \ 303 tok = au_to_arg32((argnum), (argname), \ 304 (uint32_t)(uintptr_t)ar->ar_arg_addr); \ 305 else \ 306 tok = au_to_arg64((argnum), (argname), \ 307 (uint64_t)(uintptr_t)ar->ar_arg_addr); \ 308 kau_write(rec, tok); \ 309 } \ 310} while (0) 311 312 313/* 314 * Implement auditing for the auditon() system call. The audit tokens that 315 * are generated depend on the command that was sent into the auditon() 316 * system call. 317 */ 318static void 319audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 320{ 321 struct au_token *tok; 322 323 tok = au_to_arg32(3, "length", ar->ar_arg_len); 324 kau_write(rec, tok); 325 switch (ar->ar_arg_cmd) { 326 case A_OLDSETPOLICY: 327 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 328 tok = au_to_arg64(2, "policy", 329 ar->ar_arg_auditon.au_policy64); 330 kau_write(rec, tok); 331 break; 332 } 333 /* FALLTHROUGH */ 334 335 case A_SETPOLICY: 336 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy); 337 kau_write(rec, tok); 338 break; 339 340 case A_SETKMASK: 341 tok = au_to_arg32(2, "setkmask:as_success", 342 ar->ar_arg_auditon.au_mask.am_success); 343 kau_write(rec, tok); 344 tok = au_to_arg32(2, "setkmask:as_failure", 345 ar->ar_arg_auditon.au_mask.am_failure); 346 kau_write(rec, tok); 347 break; 348 349 case A_OLDSETQCTRL: 350 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) { 351 tok = au_to_arg64(2, "setqctrl:aq_hiwater", 352 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater); 353 kau_write(rec, tok); 354 tok = au_to_arg64(2, "setqctrl:aq_lowater", 355 ar->ar_arg_auditon.au_qctrl64.aq64_lowater); 356 kau_write(rec, tok); 357 tok = au_to_arg64(2, "setqctrl:aq_bufsz", 358 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz); 359 kau_write(rec, tok); 360 tok = au_to_arg64(2, "setqctrl:aq_delay", 361 ar->ar_arg_auditon.au_qctrl64.aq64_delay); 362 kau_write(rec, tok); 363 tok = au_to_arg64(2, "setqctrl:aq_minfree", 364 ar->ar_arg_auditon.au_qctrl64.aq64_minfree); 365 kau_write(rec, tok); 366 break; 367 } 368 /* FALLTHROUGH */ 369 370 case A_SETQCTRL: 371 tok = au_to_arg32(2, "setqctrl:aq_hiwater", 372 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 373 kau_write(rec, tok); 374 tok = au_to_arg32(2, "setqctrl:aq_lowater", 375 ar->ar_arg_auditon.au_qctrl.aq_lowater); 376 kau_write(rec, tok); 377 tok = au_to_arg32(2, "setqctrl:aq_bufsz", 378 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 379 kau_write(rec, tok); 380 tok = au_to_arg32(2, "setqctrl:aq_delay", 381 ar->ar_arg_auditon.au_qctrl.aq_delay); 382 kau_write(rec, tok); 383 tok = au_to_arg32(2, "setqctrl:aq_minfree", 384 ar->ar_arg_auditon.au_qctrl.aq_minfree); 385 kau_write(rec, tok); 386 break; 387 388 case A_SETUMASK: 389 tok = au_to_arg32(2, "setumask:as_success", 390 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 391 kau_write(rec, tok); 392 tok = au_to_arg32(2, "setumask:as_failure", 393 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 394 kau_write(rec, tok); 395 break; 396 397 case A_SETSMASK: 398 tok = au_to_arg32(2, "setsmask:as_success", 399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 400 kau_write(rec, tok); 401 tok = au_to_arg32(2, "setsmask:as_failure", 402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 403 kau_write(rec, tok); 404 break; 405 406 case A_OLDSETCOND: 407 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) { 408 tok = au_to_arg64(2, "setcond", 409 ar->ar_arg_auditon.au_cond64); 410 kau_write(rec, tok); 411 break; 412 } 413 /* FALLTHROUGH */ 414 415 case A_SETCOND: 416 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond); 417 kau_write(rec, tok); 418 break; 419 420 case A_SETCLASS: 421 tok = au_to_arg32(2, "setclass:ec_event", 422 ar->ar_arg_auditon.au_evclass.ec_number); 423 kau_write(rec, tok); 424 tok = au_to_arg32(2, "setclass:ec_class", 425 ar->ar_arg_auditon.au_evclass.ec_class); 426 kau_write(rec, tok); 427 break; 428 429 case A_SETPMASK: 430 tok = au_to_arg32(2, "setpmask:as_success", 431 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 432 kau_write(rec, tok); 433 tok = au_to_arg32(2, "setpmask:as_failure", 434 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 435 kau_write(rec, tok); 436 break; 437 438 case A_SETFSIZE: 439 tok = au_to_arg32(2, "setfsize:filesize", 440 ar->ar_arg_auditon.au_fstat.af_filesz); 441 kau_write(rec, tok); 442 break; 443 444 default: 445 break; 446 } 447} 448 449/* 450 * Convert an internal kernel audit record to a BSM record and return a 451 * success/failure indicator. The BSM record is passed as an out parameter to 452 * this function. 453 * 454 * Return conditions: 455 * BSM_SUCCESS: The BSM record is valid 456 * BSM_FAILURE: Failure; the BSM record is NULL. 457 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 458 */ 459int 460kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 461{ 462 struct au_token *tok, *subj_tok, *jail_tok; 463 struct au_record *rec; 464 au_tid_t tid; 465 struct audit_record *ar; 466 int ctr; 467 468 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 469 470 *pau = NULL; 471 ar = &kar->k_ar; 472 rec = kau_open(); 473 474 /* 475 * Create the subject token. If this credential was jailed be sure to 476 * generate a zonename token. 477 */ 478 if (ar->ar_jailname[0] != '\0') 479 jail_tok = au_to_zonename(ar->ar_jailname); 480 else 481 jail_tok = NULL; 482 switch (ar->ar_subj_term_addr.at_type) { 483 case AU_IPv4: 484 tid.port = ar->ar_subj_term_addr.at_port; 485 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 486 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 487 ar->ar_subj_cred.cr_uid, /* eff uid */ 488 ar->ar_subj_egid, /* eff group id */ 489 ar->ar_subj_ruid, /* real uid */ 490 ar->ar_subj_rgid, /* real group id */ 491 ar->ar_subj_pid, /* process id */ 492 ar->ar_subj_asid, /* session ID */ 493 &tid); 494 break; 495 case AU_IPv6: 496 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 497 ar->ar_subj_cred.cr_uid, 498 ar->ar_subj_egid, 499 ar->ar_subj_ruid, 500 ar->ar_subj_rgid, 501 ar->ar_subj_pid, 502 ar->ar_subj_asid, 503 &ar->ar_subj_term_addr); 504 break; 505 default: 506 bzero(&tid, sizeof(tid)); 507 subj_tok = au_to_subject32(ar->ar_subj_auid, 508 ar->ar_subj_cred.cr_uid, 509 ar->ar_subj_egid, 510 ar->ar_subj_ruid, 511 ar->ar_subj_rgid, 512 ar->ar_subj_pid, 513 ar->ar_subj_asid, 514 &tid); 515 } 516 517 /* 518 * The logic inside each case fills in the tokens required for the 519 * event, except for the header, trailer, and return tokens. The 520 * header and trailer tokens are added by the kau_close() function. 521 * The return token is added outside of the switch statement. 522 */ 523 switch(ar->ar_event) { 524 case AUE_ACCEPT: 525 case AUE_BIND: 526 case AUE_LISTEN: 527 case AUE_CONNECT: 528 case AUE_RECV: 529 case AUE_RECVFROM: 530 case AUE_RECVMSG: 531 case AUE_SEND: 532 case AUE_SENDFILE: 533 case AUE_SENDMSG: 534 case AUE_SENDTO: 535 /* 536 * Socket-related events. 537 */ 538 if (ARG_IS_VALID(kar, ARG_FD)) { 539 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 540 kau_write(rec, tok); 541 } 542 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 543 tok = au_to_sock_inet((struct sockaddr_in *) 544 &ar->ar_arg_sockaddr); 545 kau_write(rec, tok); 546 } 547 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 548 tok = au_to_sock_unix((struct sockaddr_un *) 549 &ar->ar_arg_sockaddr); 550 kau_write(rec, tok); 551 UPATH1_TOKENS; 552 } 553 /* XXX Need to handle ARG_SADDRINET6 */ 554 break; 555 556 case AUE_BINDAT: 557 case AUE_CONNECTAT: 558 ATFD1_TOKENS(1); 559 if (ARG_IS_VALID(kar, ARG_FD)) { 560 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 561 kau_write(rec, tok); 562 } 563 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 564 tok = au_to_sock_unix((struct sockaddr_un *) 565 &ar->ar_arg_sockaddr); 566 kau_write(rec, tok); 567 UPATH1_TOKENS; 568 } 569 break; 570 571 case AUE_SOCKET: 572 case AUE_SOCKETPAIR: 573 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 574 tok = au_to_arg32(1, "domain", 575 ar->ar_arg_sockinfo.so_domain); 576 kau_write(rec, tok); 577 tok = au_to_arg32(2, "type", 578 ar->ar_arg_sockinfo.so_type); 579 kau_write(rec, tok); 580 tok = au_to_arg32(3, "protocol", 581 ar->ar_arg_sockinfo.so_protocol); 582 kau_write(rec, tok); 583 } 584 break; 585 586 case AUE_SETSOCKOPT: 587 case AUE_SHUTDOWN: 588 if (ARG_IS_VALID(kar, ARG_FD)) { 589 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 590 kau_write(rec, tok); 591 } 592 break; 593 594 case AUE_ACCT: 595 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 596 UPATH1_VNODE1_TOKENS; 597 } else { 598 tok = au_to_arg32(1, "accounting off", 0); 599 kau_write(rec, tok); 600 } 601 break; 602 603 case AUE_SETAUID: 604 if (ARG_IS_VALID(kar, ARG_AUID)) { 605 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 606 kau_write(rec, tok); 607 } 608 break; 609 610 case AUE_SETAUDIT: 611 if (ARG_IS_VALID(kar, ARG_AUID) && 612 ARG_IS_VALID(kar, ARG_ASID) && 613 ARG_IS_VALID(kar, ARG_AMASK) && 614 ARG_IS_VALID(kar, ARG_TERMID)) { 615 tok = au_to_arg32(1, "setaudit:auid", 616 ar->ar_arg_auid); 617 kau_write(rec, tok); 618 tok = au_to_arg32(1, "setaudit:port", 619 ar->ar_arg_termid.port); 620 kau_write(rec, tok); 621 tok = au_to_arg32(1, "setaudit:machine", 622 ar->ar_arg_termid.machine); 623 kau_write(rec, tok); 624 tok = au_to_arg32(1, "setaudit:as_success", 625 ar->ar_arg_amask.am_success); 626 kau_write(rec, tok); 627 tok = au_to_arg32(1, "setaudit:as_failure", 628 ar->ar_arg_amask.am_failure); 629 kau_write(rec, tok); 630 tok = au_to_arg32(1, "setaudit:asid", 631 ar->ar_arg_asid); 632 kau_write(rec, tok); 633 } 634 break; 635 636 case AUE_SETAUDIT_ADDR: 637 if (ARG_IS_VALID(kar, ARG_AUID) && 638 ARG_IS_VALID(kar, ARG_ASID) && 639 ARG_IS_VALID(kar, ARG_AMASK) && 640 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 641 tok = au_to_arg32(1, "setaudit_addr:auid", 642 ar->ar_arg_auid); 643 kau_write(rec, tok); 644 tok = au_to_arg32(1, "setaudit_addr:as_success", 645 ar->ar_arg_amask.am_success); 646 kau_write(rec, tok); 647 tok = au_to_arg32(1, "setaudit_addr:as_failure", 648 ar->ar_arg_amask.am_failure); 649 kau_write(rec, tok); 650 tok = au_to_arg32(1, "setaudit_addr:asid", 651 ar->ar_arg_asid); 652 kau_write(rec, tok); 653 tok = au_to_arg32(1, "setaudit_addr:type", 654 ar->ar_arg_termid_addr.at_type); 655 kau_write(rec, tok); 656 tok = au_to_arg32(1, "setaudit_addr:port", 657 ar->ar_arg_termid_addr.at_port); 658 kau_write(rec, tok); 659 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 660 tok = au_to_in_addr_ex((struct in6_addr *) 661 &ar->ar_arg_termid_addr.at_addr[0]); 662 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 663 tok = au_to_in_addr((struct in_addr *) 664 &ar->ar_arg_termid_addr.at_addr[0]); 665 kau_write(rec, tok); 666 } 667 break; 668 669 case AUE_AUDITON: 670 /* 671 * For AUDITON commands without own event, audit the cmd. 672 */ 673 if (ARG_IS_VALID(kar, ARG_CMD)) { 674 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 675 kau_write(rec, tok); 676 } 677 /* FALLTHROUGH */ 678 679 case AUE_AUDITON_GETCAR: 680 case AUE_AUDITON_GETCLASS: 681 case AUE_AUDITON_GETCOND: 682 case AUE_AUDITON_GETCWD: 683 case AUE_AUDITON_GETKMASK: 684 case AUE_AUDITON_GETSTAT: 685 case AUE_AUDITON_GPOLICY: 686 case AUE_AUDITON_GQCTRL: 687 case AUE_AUDITON_SETCLASS: 688 case AUE_AUDITON_SETCOND: 689 case AUE_AUDITON_SETKMASK: 690 case AUE_AUDITON_SETSMASK: 691 case AUE_AUDITON_SETSTAT: 692 case AUE_AUDITON_SETUMASK: 693 case AUE_AUDITON_SPOLICY: 694 case AUE_AUDITON_SQCTRL: 695 if (ARG_IS_VALID(kar, ARG_AUDITON)) 696 audit_sys_auditon(ar, rec); 697 break; 698 699 case AUE_AUDITCTL: 700 UPATH1_VNODE1_TOKENS; 701 break; 702 703 case AUE_EXIT: 704 if (ARG_IS_VALID(kar, ARG_EXIT)) { 705 tok = au_to_exit(ar->ar_arg_exitretval, 706 ar->ar_arg_exitstatus); 707 kau_write(rec, tok); 708 } 709 break; 710 711 case AUE_ADJTIME: 712 case AUE_CLOCK_SETTIME: 713 case AUE_AUDIT: 714 case AUE_DUP2: 715 case AUE_GETAUDIT: 716 case AUE_GETAUDIT_ADDR: 717 case AUE_GETAUID: 718 case AUE_GETCWD: 719 case AUE_GETFSSTAT: 720 case AUE_GETRESUID: 721 case AUE_GETRESGID: 722 case AUE_KQUEUE: 723 case AUE_MODLOAD: 724 case AUE_MODUNLOAD: 725 case AUE_MSGSYS: 726 case AUE_NTP_ADJTIME: 727 case AUE_PIPE: 728 case AUE_POSIX_OPENPT: 729 case AUE_PROFILE: 730 case AUE_RTPRIO: 731 case AUE_SEMSYS: 732 case AUE_SHMSYS: 733 case AUE_SETPGRP: 734 case AUE_SETRLIMIT: 735 case AUE_SETSID: 736 case AUE_SETTIMEOFDAY: 737 case AUE_SYSARCH: 738 739 /* 740 * Header, subject, and return tokens added at end. 741 */ 742 break; 743 744 case AUE_CHDIR: 745 case AUE_CHROOT: 746 case AUE_FSTATAT: 747 case AUE_FUTIMESAT: 748 case AUE_GETATTRLIST: 749 case AUE_JAIL: 750 case AUE_LUTIMES: 751 case AUE_NFS_GETFH: 752 case AUE_LSTAT: 753 case AUE_LPATHCONF: 754 case AUE_PATHCONF: 755 case AUE_READLINK: 756 case AUE_READLINKAT: 757 case AUE_REVOKE: 758 case AUE_RMDIR: 759 case AUE_SEARCHFS: 760 case AUE_SETATTRLIST: 761 case AUE_STAT: 762 case AUE_STATFS: 763 case AUE_SWAPON: 764 case AUE_SWAPOFF: 765 case AUE_TRUNCATE: 766 case AUE_UNDELETE: 767 case AUE_UNLINK: 768 case AUE_UNLINKAT: 769 case AUE_UTIMES: 770 ATFD1_TOKENS(1); 771 UPATH1_VNODE1_TOKENS; 772 break; 773 774 case AUE_ACCESS: 775 case AUE_EACCESS: 776 case AUE_FACCESSAT: 777 ATFD1_TOKENS(1); 778 UPATH1_VNODE1_TOKENS; 779 if (ARG_IS_VALID(kar, ARG_VALUE)) { 780 tok = au_to_arg32(2, "mode", ar->ar_arg_value); 781 kau_write(rec, tok); 782 } 783 break; 784 785 case AUE_FHSTATFS: 786 case AUE_FHOPEN: 787 case AUE_FHSTAT: 788 /* XXXRW: Need to audit vnode argument. */ 789 break; 790 791 case AUE_CHFLAGS: 792 case AUE_LCHFLAGS: 793 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 794 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 795 kau_write(rec, tok); 796 } 797 UPATH1_VNODE1_TOKENS; 798 break; 799 800 case AUE_CHMOD: 801 case AUE_LCHMOD: 802 if (ARG_IS_VALID(kar, ARG_MODE)) { 803 tok = au_to_arg32(2, "new file mode", 804 ar->ar_arg_mode); 805 kau_write(rec, tok); 806 } 807 UPATH1_VNODE1_TOKENS; 808 break; 809 810 case AUE_FCHMODAT: 811 ATFD1_TOKENS(1); 812 if (ARG_IS_VALID(kar, ARG_MODE)) { 813 tok = au_to_arg32(3, "new file mode", 814 ar->ar_arg_mode); 815 kau_write(rec, tok); 816 } 817 UPATH1_VNODE1_TOKENS; 818 break; 819 820 case AUE_CHOWN: 821 case AUE_LCHOWN: 822 if (ARG_IS_VALID(kar, ARG_UID)) { 823 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 824 kau_write(rec, tok); 825 } 826 if (ARG_IS_VALID(kar, ARG_GID)) { 827 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 828 kau_write(rec, tok); 829 } 830 UPATH1_VNODE1_TOKENS; 831 break; 832 833 case AUE_FCHOWNAT: 834 ATFD1_TOKENS(1); 835 if (ARG_IS_VALID(kar, ARG_UID)) { 836 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid); 837 kau_write(rec, tok); 838 } 839 if (ARG_IS_VALID(kar, ARG_GID)) { 840 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid); 841 kau_write(rec, tok); 842 } 843 UPATH1_VNODE1_TOKENS; 844 break; 845 846 case AUE_EXCHANGEDATA: 847 UPATH1_VNODE1_TOKENS; 848 UPATH2_TOKENS; 849 break; 850 851 case AUE_CLOSE: 852 if (ARG_IS_VALID(kar, ARG_FD)) { 853 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 854 kau_write(rec, tok); 855 } 856 UPATH1_VNODE1_TOKENS; 857 break; 858 859 case AUE_CLOSEFROM: 860 if (ARG_IS_VALID(kar, ARG_FD)) { 861 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 862 kau_write(rec, tok); 863 } 864 break; 865 866 case AUE_CORE: 867 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 868 tok = au_to_arg32(1, "signal", ar->ar_arg_signum); 869 kau_write(rec, tok); 870 } 871 UPATH1_VNODE1_TOKENS; 872 break; 873 874 case AUE_EXTATTRCTL: 875 UPATH1_VNODE1_TOKENS; 876 if (ARG_IS_VALID(kar, ARG_CMD)) { 877 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 878 kau_write(rec, tok); 879 } 880 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 881 UPATH2_TOKENS; 882 VNODE2_TOKENS; 883 EXTATTR_TOKENS(4); 884 break; 885 886 case AUE_EXTATTR_GET_FILE: 887 case AUE_EXTATTR_SET_FILE: 888 case AUE_EXTATTR_LIST_FILE: 889 case AUE_EXTATTR_DELETE_FILE: 890 case AUE_EXTATTR_GET_LINK: 891 case AUE_EXTATTR_SET_LINK: 892 case AUE_EXTATTR_LIST_LINK: 893 case AUE_EXTATTR_DELETE_LINK: 894 UPATH1_VNODE1_TOKENS; 895 EXTATTR_TOKENS(2); 896 break; 897 898 case AUE_EXTATTR_GET_FD: 899 case AUE_EXTATTR_SET_FD: 900 case AUE_EXTATTR_LIST_FD: 901 case AUE_EXTATTR_DELETE_FD: 902 if (ARG_IS_VALID(kar, ARG_FD)) { 903 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 904 kau_write(rec, tok); 905 } 906 EXTATTR_TOKENS(2); 907 break; 908 909 case AUE_FEXECVE: 910 if (ARG_IS_VALID(kar, ARG_FD)) { 911 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 912 kau_write(rec, tok); 913 } 914 /* FALLTHROUGH */ 915 916 case AUE_EXECVE: 917 case AUE_MAC_EXECVE: 918 if (ARG_IS_VALID(kar, ARG_ARGV)) { 919 tok = au_to_exec_args(ar->ar_arg_argv, 920 ar->ar_arg_argc); 921 kau_write(rec, tok); 922 } 923 if (ARG_IS_VALID(kar, ARG_ENVV)) { 924 tok = au_to_exec_env(ar->ar_arg_envv, 925 ar->ar_arg_envc); 926 kau_write(rec, tok); 927 } 928 UPATH1_VNODE1_TOKENS; 929 break; 930 931 case AUE_FCHMOD: 932 if (ARG_IS_VALID(kar, ARG_MODE)) { 933 tok = au_to_arg32(2, "new file mode", 934 ar->ar_arg_mode); 935 kau_write(rec, tok); 936 } 937 FD_VNODE1_TOKENS; 938 break; 939 940 /* 941 * XXXRW: Some of these need to handle non-vnode cases as well. 942 */ 943 case AUE_FCHDIR: 944 case AUE_FPATHCONF: 945 case AUE_FSTAT: 946 case AUE_FSTATFS: 947 case AUE_FSYNC: 948 case AUE_FTRUNCATE: 949 case AUE_FUTIMES: 950 case AUE_GETDIRENTRIES: 951 case AUE_GETDIRENTRIESATTR: 952 case AUE_LSEEK: 953 case AUE_POLL: 954 case AUE_PREAD: 955 case AUE_PWRITE: 956 case AUE_READ: 957 case AUE_READV: 958 case AUE_WRITE: 959 case AUE_WRITEV: 960 FD_VNODE1_TOKENS; 961 break; 962 963 case AUE_FCHOWN: 964 if (ARG_IS_VALID(kar, ARG_UID)) { 965 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 966 kau_write(rec, tok); 967 } 968 if (ARG_IS_VALID(kar, ARG_GID)) { 969 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 970 kau_write(rec, tok); 971 } 972 FD_VNODE1_TOKENS; 973 break; 974 975 case AUE_FCNTL: 976 if (ARG_IS_VALID(kar, ARG_CMD)) { 977 tok = au_to_arg32(2, "cmd", 978 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd)); 979 kau_write(rec, tok); 980 } 981 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 982 ar->ar_arg_cmd == F_SETLKW) { 983 FD_VNODE1_TOKENS; 984 } 985 break; 986 987 case AUE_FCHFLAGS: 988 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 989 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 990 kau_write(rec, tok); 991 } 992 FD_VNODE1_TOKENS; 993 break; 994 995 case AUE_FLOCK: 996 if (ARG_IS_VALID(kar, ARG_CMD)) { 997 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 998 kau_write(rec, tok); 999 } 1000 FD_VNODE1_TOKENS; 1001 break; 1002 1003 case AUE_RFORK: 1004 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1005 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 1006 kau_write(rec, tok); 1007 } 1008 /* FALLTHROUGH */ 1009 1010 case AUE_FORK: 1011 case AUE_VFORK: 1012 if (ARG_IS_VALID(kar, ARG_PID)) { 1013 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 1014 kau_write(rec, tok); 1015 } 1016 break; 1017 1018 case AUE_IOCTL: 1019 if (ARG_IS_VALID(kar, ARG_CMD)) { 1020 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 1021 kau_write(rec, tok); 1022 } 1023 if (ARG_IS_VALID(kar, ARG_VNODE1)) 1024 FD_VNODE1_TOKENS; 1025 else { 1026 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 1027 tok = kau_to_socket(&ar->ar_arg_sockinfo); 1028 kau_write(rec, tok); 1029 } else { 1030 if (ARG_IS_VALID(kar, ARG_FD)) { 1031 tok = au_to_arg32(1, "fd", 1032 ar->ar_arg_fd); 1033 kau_write(rec, tok); 1034 } 1035 } 1036 } 1037 break; 1038 1039 case AUE_KILL: 1040 case AUE_KILLPG: 1041 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 1042 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 1043 kau_write(rec, tok); 1044 } 1045 PROCESS_PID_TOKENS(1); 1046 break; 1047 1048 case AUE_KTRACE: 1049 if (ARG_IS_VALID(kar, ARG_CMD)) { 1050 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 1051 kau_write(rec, tok); 1052 } 1053 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1054 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 1055 kau_write(rec, tok); 1056 } 1057 PROCESS_PID_TOKENS(4); 1058 UPATH1_VNODE1_TOKENS; 1059 break; 1060 1061 case AUE_LINK: 1062 case AUE_LINKAT: 1063 case AUE_RENAME: 1064 case AUE_RENAMEAT: 1065 ATFD1_TOKENS(1); 1066 UPATH1_VNODE1_TOKENS; 1067 ATFD2_TOKENS(3); 1068 UPATH2_TOKENS; 1069 break; 1070 1071 case AUE_LOADSHFILE: 1072 ADDR_TOKEN(4, "base addr"); 1073 UPATH1_VNODE1_TOKENS; 1074 break; 1075 1076 case AUE_MKDIR: 1077 case AUE_MKDIRAT: 1078 case AUE_MKFIFO: 1079 case AUE_MKFIFOAT: 1080 ATFD1_TOKENS(1); 1081 if (ARG_IS_VALID(kar, ARG_MODE)) { 1082 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1083 kau_write(rec, tok); 1084 } 1085 UPATH1_VNODE1_TOKENS; 1086 break; 1087 1088 case AUE_MKNOD: 1089 case AUE_MKNODAT: 1090 ATFD1_TOKENS(1); 1091 if (ARG_IS_VALID(kar, ARG_MODE)) { 1092 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 1093 kau_write(rec, tok); 1094 } 1095 if (ARG_IS_VALID(kar, ARG_DEV)) { 1096 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 1097 kau_write(rec, tok); 1098 } 1099 UPATH1_VNODE1_TOKENS; 1100 break; 1101 1102 case AUE_MMAP: 1103 case AUE_MUNMAP: 1104 case AUE_MPROTECT: 1105 case AUE_MLOCK: 1106 case AUE_MUNLOCK: 1107 case AUE_MINHERIT: 1108 ADDR_TOKEN(1, "addr"); 1109 if (ARG_IS_VALID(kar, ARG_LEN)) { 1110 tok = au_to_arg32(2, "len", ar->ar_arg_len); 1111 kau_write(rec, tok); 1112 } 1113 if (ar->ar_event == AUE_MMAP) 1114 FD_VNODE1_TOKENS; 1115 if (ar->ar_event == AUE_MPROTECT) { 1116 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1117 tok = au_to_arg32(3, "protection", 1118 ar->ar_arg_value); 1119 kau_write(rec, tok); 1120 } 1121 } 1122 if (ar->ar_event == AUE_MINHERIT) { 1123 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1124 tok = au_to_arg32(3, "inherit", 1125 ar->ar_arg_value); 1126 kau_write(rec, tok); 1127 } 1128 } 1129 break; 1130 1131 case AUE_MOUNT: 1132 case AUE_NMOUNT: 1133 /* XXX Need to handle NFS mounts */ 1134 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1135 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 1136 kau_write(rec, tok); 1137 } 1138 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1139 tok = au_to_text(ar->ar_arg_text); 1140 kau_write(rec, tok); 1141 } 1142 /* FALLTHROUGH */ 1143 1144 case AUE_NFS_SVC: 1145 if (ARG_IS_VALID(kar, ARG_CMD)) { 1146 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd); 1147 kau_write(rec, tok); 1148 } 1149 break; 1150 1151 case AUE_UMOUNT: 1152 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1153 tok = au_to_arg32(2, "flags", ar->ar_arg_value); 1154 kau_write(rec, tok); 1155 } 1156 UPATH1_VNODE1_TOKENS; 1157 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1158 tok = au_to_text(ar->ar_arg_text); 1159 kau_write(rec, tok); 1160 } 1161 break; 1162 1163 case AUE_MSGCTL: 1164 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 1165 /* Fall through */ 1166 1167 case AUE_MSGRCV: 1168 case AUE_MSGSND: 1169 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 1170 kau_write(rec, tok); 1171 if (ar->ar_errno != EINVAL) { 1172 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1173 kau_write(rec, tok); 1174 } 1175 break; 1176 1177 case AUE_MSGGET: 1178 if (ar->ar_errno == 0) { 1179 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1180 tok = au_to_ipc(AT_IPC_MSG, 1181 ar->ar_arg_svipc_id); 1182 kau_write(rec, tok); 1183 } 1184 } 1185 break; 1186 1187 case AUE_RESETSHFILE: 1188 ADDR_TOKEN(1, "base addr"); 1189 break; 1190 1191 case AUE_OPEN_RC: 1192 case AUE_OPEN_RTC: 1193 case AUE_OPEN_RWC: 1194 case AUE_OPEN_RWTC: 1195 case AUE_OPEN_WC: 1196 case AUE_OPEN_WTC: 1197 case AUE_CREAT: 1198 if (ARG_IS_VALID(kar, ARG_MODE)) { 1199 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1200 kau_write(rec, tok); 1201 } 1202 /* FALLTHROUGH */ 1203 1204 case AUE_OPEN_R: 1205 case AUE_OPEN_RT: 1206 case AUE_OPEN_RW: 1207 case AUE_OPEN_RWT: 1208 case AUE_OPEN_W: 1209 case AUE_OPEN_WT: 1210 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1211 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1212 kau_write(rec, tok); 1213 } 1214 UPATH1_VNODE1_TOKENS; 1215 break; 1216 1217 case AUE_OPENAT_RC: 1218 case AUE_OPENAT_RTC: 1219 case AUE_OPENAT_RWC: 1220 case AUE_OPENAT_RWTC: 1221 case AUE_OPENAT_WC: 1222 case AUE_OPENAT_WTC: 1223 if (ARG_IS_VALID(kar, ARG_MODE)) { 1224 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1225 kau_write(rec, tok); 1226 } 1227 /* FALLTHROUGH */ 1228 1229 case AUE_OPENAT_R: 1230 case AUE_OPENAT_RT: 1231 case AUE_OPENAT_RW: 1232 case AUE_OPENAT_RWT: 1233 case AUE_OPENAT_W: 1234 case AUE_OPENAT_WT: 1235 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1236 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1237 kau_write(rec, tok); 1238 } 1239 ATFD1_TOKENS(1); 1240 UPATH1_VNODE1_TOKENS; 1241 break; 1242 1243 case AUE_PTRACE: 1244 if (ARG_IS_VALID(kar, ARG_CMD)) { 1245 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1246 kau_write(rec, tok); 1247 } 1248 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1249 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1250 kau_write(rec, tok); 1251 } 1252 PROCESS_PID_TOKENS(2); 1253 break; 1254 1255 case AUE_QUOTACTL: 1256 if (ARG_IS_VALID(kar, ARG_CMD)) { 1257 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1258 kau_write(rec, tok); 1259 } 1260 if (ARG_IS_VALID(kar, ARG_UID)) { 1261 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1262 kau_write(rec, tok); 1263 } 1264 if (ARG_IS_VALID(kar, ARG_GID)) { 1265 tok = au_to_arg32(3, "gid", ar->ar_arg_gid); 1266 kau_write(rec, tok); 1267 } 1268 UPATH1_VNODE1_TOKENS; 1269 break; 1270 1271 case AUE_REBOOT: 1272 if (ARG_IS_VALID(kar, ARG_CMD)) { 1273 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1274 kau_write(rec, tok); 1275 } 1276 break; 1277 1278 case AUE_SEMCTL: 1279 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1280 /* Fall through */ 1281 1282 case AUE_SEMOP: 1283 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1284 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1285 kau_write(rec, tok); 1286 if (ar->ar_errno != EINVAL) { 1287 tok = au_to_ipc(AT_IPC_SEM, 1288 ar->ar_arg_svipc_id); 1289 kau_write(rec, tok); 1290 } 1291 } 1292 break; 1293 1294 case AUE_SEMGET: 1295 if (ar->ar_errno == 0) { 1296 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1297 tok = au_to_ipc(AT_IPC_SEM, 1298 ar->ar_arg_svipc_id); 1299 kau_write(rec, tok); 1300 } 1301 } 1302 break; 1303 1304 case AUE_SETEGID: 1305 if (ARG_IS_VALID(kar, ARG_EGID)) { 1306 tok = au_to_arg32(1, "egid", ar->ar_arg_egid); 1307 kau_write(rec, tok); 1308 } 1309 break; 1310 1311 case AUE_SETEUID: 1312 if (ARG_IS_VALID(kar, ARG_EUID)) { 1313 tok = au_to_arg32(1, "euid", ar->ar_arg_euid); 1314 kau_write(rec, tok); 1315 } 1316 break; 1317 1318 case AUE_SETREGID: 1319 if (ARG_IS_VALID(kar, ARG_RGID)) { 1320 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1321 kau_write(rec, tok); 1322 } 1323 if (ARG_IS_VALID(kar, ARG_EGID)) { 1324 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1325 kau_write(rec, tok); 1326 } 1327 break; 1328 1329 case AUE_SETREUID: 1330 if (ARG_IS_VALID(kar, ARG_RUID)) { 1331 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1332 kau_write(rec, tok); 1333 } 1334 if (ARG_IS_VALID(kar, ARG_EUID)) { 1335 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1336 kau_write(rec, tok); 1337 } 1338 break; 1339 1340 case AUE_SETRESGID: 1341 if (ARG_IS_VALID(kar, ARG_RGID)) { 1342 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1343 kau_write(rec, tok); 1344 } 1345 if (ARG_IS_VALID(kar, ARG_EGID)) { 1346 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1347 kau_write(rec, tok); 1348 } 1349 if (ARG_IS_VALID(kar, ARG_SGID)) { 1350 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1351 kau_write(rec, tok); 1352 } 1353 break; 1354 1355 case AUE_SETRESUID: 1356 if (ARG_IS_VALID(kar, ARG_RUID)) { 1357 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1358 kau_write(rec, tok); 1359 } 1360 if (ARG_IS_VALID(kar, ARG_EUID)) { 1361 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1362 kau_write(rec, tok); 1363 } 1364 if (ARG_IS_VALID(kar, ARG_SUID)) { 1365 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1366 kau_write(rec, tok); 1367 } 1368 break; 1369 1370 case AUE_SETGID: 1371 if (ARG_IS_VALID(kar, ARG_GID)) { 1372 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1373 kau_write(rec, tok); 1374 } 1375 break; 1376 1377 case AUE_SETUID: 1378 if (ARG_IS_VALID(kar, ARG_UID)) { 1379 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1380 kau_write(rec, tok); 1381 } 1382 break; 1383 1384 case AUE_SETGROUPS: 1385 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1386 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1387 { 1388 tok = au_to_arg32(1, "setgroups", 1389 ar->ar_arg_groups.gidset[ctr]); 1390 kau_write(rec, tok); 1391 } 1392 } 1393 break; 1394 1395 case AUE_SETLOGIN: 1396 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1397 tok = au_to_text(ar->ar_arg_text); 1398 kau_write(rec, tok); 1399 } 1400 break; 1401 1402 case AUE_SETPRIORITY: 1403 if (ARG_IS_VALID(kar, ARG_CMD)) { 1404 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1405 kau_write(rec, tok); 1406 } 1407 if (ARG_IS_VALID(kar, ARG_UID)) { 1408 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1409 kau_write(rec, tok); 1410 } 1411 PROCESS_PID_TOKENS(2); 1412 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1413 tok = au_to_arg32(3, "priority", ar->ar_arg_value); 1414 kau_write(rec, tok); 1415 } 1416 break; 1417 1418 case AUE_SETPRIVEXEC: 1419 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1420 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1421 kau_write(rec, tok); 1422 } 1423 break; 1424 1425 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1426 case AUE_SHMAT: 1427 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1428 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1429 kau_write(rec, tok); 1430 /* XXXAUDIT: Does having the ipc token make sense? */ 1431 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1432 kau_write(rec, tok); 1433 } 1434 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1435 tok = au_to_arg32(2, "shmaddr", 1436 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1437 kau_write(rec, tok); 1438 } 1439 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1440 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1441 kau_write(rec, tok); 1442 } 1443 break; 1444 1445 case AUE_SHMCTL: 1446 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1447 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1448 kau_write(rec, tok); 1449 /* XXXAUDIT: Does having the ipc token make sense? */ 1450 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1451 kau_write(rec, tok); 1452 } 1453 switch (ar->ar_arg_svipc_cmd) { 1454 case IPC_STAT: 1455 ar->ar_event = AUE_SHMCTL_STAT; 1456 break; 1457 case IPC_RMID: 1458 ar->ar_event = AUE_SHMCTL_RMID; 1459 break; 1460 case IPC_SET: 1461 ar->ar_event = AUE_SHMCTL_SET; 1462 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1463 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1464 kau_write(rec, tok); 1465 } 1466 break; 1467 default: 1468 break; /* We will audit a bad command */ 1469 } 1470 break; 1471 1472 case AUE_SHMDT: 1473 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1474 tok = au_to_arg32(1, "shmaddr", 1475 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1476 kau_write(rec, tok); 1477 } 1478 break; 1479 1480 case AUE_SHMGET: 1481 /* This is unusual; the return value is in an argument token */ 1482 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1483 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1484 kau_write(rec, tok); 1485 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1486 kau_write(rec, tok); 1487 } 1488 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1489 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1490 kau_write(rec, tok); 1491 } 1492 break; 1493 1494 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1495 * and AUE_SEMUNLINK are Posix IPC */ 1496 case AUE_SHMOPEN: 1497 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1498 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1499 kau_write(rec, tok); 1500 } 1501 if (ARG_IS_VALID(kar, ARG_MODE)) { 1502 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1503 kau_write(rec, tok); 1504 } 1505 /* FALLTHROUGH */ 1506 1507 case AUE_SHMUNLINK: 1508 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1509 tok = au_to_text(ar->ar_arg_text); 1510 kau_write(rec, tok); 1511 } 1512 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1513 struct ipc_perm perm; 1514 1515 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1516 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1517 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1518 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1519 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1520 perm.seq = 0; 1521 perm.key = 0; 1522 tok = au_to_ipc_perm(&perm); 1523 kau_write(rec, tok); 1524 } 1525 break; 1526 1527 case AUE_SEMOPEN: 1528 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1529 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1530 kau_write(rec, tok); 1531 } 1532 if (ARG_IS_VALID(kar, ARG_MODE)) { 1533 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1534 kau_write(rec, tok); 1535 } 1536 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1537 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1538 kau_write(rec, tok); 1539 } 1540 /* FALLTHROUGH */ 1541 1542 case AUE_SEMUNLINK: 1543 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1544 tok = au_to_text(ar->ar_arg_text); 1545 kau_write(rec, tok); 1546 } 1547 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1548 struct ipc_perm perm; 1549 1550 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1551 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1552 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1553 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1554 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1555 perm.seq = 0; 1556 perm.key = 0; 1557 tok = au_to_ipc_perm(&perm); 1558 kau_write(rec, tok); 1559 } 1560 break; 1561 1562 case AUE_SEMCLOSE: 1563 if (ARG_IS_VALID(kar, ARG_FD)) { 1564 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1565 kau_write(rec, tok); 1566 } 1567 break; 1568 1569 case AUE_SYMLINK: 1570 case AUE_SYMLINKAT: 1571 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1572 tok = au_to_text(ar->ar_arg_text); 1573 kau_write(rec, tok); 1574 } 1575 ATFD1_TOKENS(1); 1576 UPATH1_VNODE1_TOKENS; 1577 break; 1578 1579 case AUE_SYSCTL: 1580 case AUE_SYSCTL_NONADMIN: 1581 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1582 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1583 tok = au_to_arg32(1, "name", 1584 ar->ar_arg_ctlname[ctr]); 1585 kau_write(rec, tok); 1586 } 1587 } 1588 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1589 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1590 kau_write(rec, tok); 1591 } 1592 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1593 tok = au_to_text(ar->ar_arg_text); 1594 kau_write(rec, tok); 1595 } 1596 break; 1597 1598 case AUE_UMASK: 1599 if (ARG_IS_VALID(kar, ARG_MASK)) { 1600 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1601 kau_write(rec, tok); 1602 } 1603 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1604 kau_write(rec, tok); 1605 break; 1606 1607 case AUE_WAIT4: 1608 PROCESS_PID_TOKENS(1); 1609 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1610 tok = au_to_arg32(3, "options", ar->ar_arg_value); 1611 kau_write(rec, tok); 1612 } 1613 break; 1614 1615 case AUE_CAP_RIGHTS_LIMIT: 1616 /* 1617 * XXXRW/XXXJA: Would be nice to audit socket/etc information. 1618 */ 1619 FD_VNODE1_TOKENS; 1620 if (ARG_IS_VALID(kar, ARG_RIGHTS)) { 1621 tok = au_to_rights(&ar->ar_arg_rights); 1622 kau_write(rec, tok); 1623 } 1624 break; 1625 1626 case AUE_CAP_FCNTLS_GET: 1627 case AUE_CAP_IOCTLS_GET: 1628 case AUE_CAP_IOCTLS_LIMIT: 1629 case AUE_CAP_RIGHTS_GET: 1630 if (ARG_IS_VALID(kar, ARG_FD)) { 1631 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 1632 kau_write(rec, tok); 1633 } 1634 break; 1635 1636 case AUE_CAP_FCNTLS_LIMIT: 1637 FD_VNODE1_TOKENS; 1638 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) { 1639 tok = au_to_arg32(2, "fcntlrights", 1640 ar->ar_arg_fcntl_rights); 1641 kau_write(rec, tok); 1642 } 1643 break; 1644 1645 case AUE_CAP_ENTER: 1646 case AUE_CAP_GETMODE: 1647 break; 1648 1649 case AUE_NULL: 1650 default: 1651 printf("BSM conversion requested for unknown event %d\n", 1652 ar->ar_event); 1653 1654 /* 1655 * Write the subject token so it is properly freed here. 1656 */ 1657 if (jail_tok != NULL) 1658 kau_write(rec, jail_tok); 1659 kau_write(rec, subj_tok); 1660 kau_free(rec); 1661 return (BSM_NOAUDIT); 1662 } 1663 1664 if (jail_tok != NULL) 1665 kau_write(rec, jail_tok); 1666 kau_write(rec, subj_tok); 1667 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); 1668 kau_write(rec, tok); /* Every record gets a return token */ 1669 1670 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1671 1672 *pau = rec; 1673 return (BSM_SUCCESS); 1674} 1675 1676/* 1677 * Verify that a record is a valid BSM record. This verification is simple 1678 * now, but may be expanded on sometime in the future. Return 1 if the 1679 * record is good, 0 otherwise. 1680 */ 1681int 1682bsm_rec_verify(void *rec) 1683{ 1684 char c = *(char *)rec; 1685 1686 /* 1687 * Check the token ID of the first token; it has to be a header 1688 * token. 1689 * 1690 * XXXAUDIT There needs to be a token structure to map a token. 1691 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1692 */ 1693 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1694 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1695 return (0); 1696 return (1); 1697} 1698