audit_bsm.c revision 180701
1155192Srwatson/* 2180701Srwatson * Copyright (c) 1999-2005 Apple Inc. 3155192Srwatson * All rights reserved. 4155192Srwatson * 5155192Srwatson * Redistribution and use in source and binary forms, with or without 6155192Srwatson * modification, are permitted provided that the following conditions 7155192Srwatson * are met: 8155192Srwatson * 1. Redistributions of source code must retain the above copyright 9155192Srwatson * notice, this list of conditions and the following disclaimer. 10155192Srwatson * 2. Redistributions in binary form must reproduce the above copyright 11155192Srwatson * notice, this list of conditions and the following disclaimer in the 12155192Srwatson * documentation and/or other materials provided with the distribution. 13180701Srwatson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14155192Srwatson * its contributors may be used to endorse or promote products derived 15155192Srwatson * from this software without specific prior written permission. 16155192Srwatson * 17155192Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18155192Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19155192Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20155192Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21155192Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22155192Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23155192Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24155192Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25155192Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26155192Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27155192Srwatson * POSSIBILITY OF SUCH DAMAGE. 28155192Srwatson */ 29155192Srwatson 30178186Srwatson#include <sys/cdefs.h> 31178186Srwatson__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm.c 180701 2008-07-22 15:29:48Z rwatson $"); 32178186Srwatson 33155192Srwatson#include <sys/param.h> 34155192Srwatson#include <sys/vnode.h> 35155192Srwatson#include <sys/ipc.h> 36155192Srwatson#include <sys/lock.h> 37155192Srwatson#include <sys/malloc.h> 38155192Srwatson#include <sys/mutex.h> 39155192Srwatson#include <sys/socket.h> 40160136Swsalamon#include <sys/extattr.h> 41155192Srwatson#include <sys/fcntl.h> 42155192Srwatson#include <sys/user.h> 43155192Srwatson#include <sys/systm.h> 44155192Srwatson 45155192Srwatson#include <bsm/audit.h> 46155192Srwatson#include <bsm/audit_internal.h> 47155192Srwatson#include <bsm/audit_record.h> 48155192Srwatson#include <bsm/audit_kevents.h> 49155192Srwatson 50155192Srwatson#include <security/audit/audit.h> 51155192Srwatson#include <security/audit/audit_private.h> 52155192Srwatson 53155192Srwatson#include <netinet/in_systm.h> 54155192Srwatson#include <netinet/in.h> 55155192Srwatson#include <netinet/ip.h> 56155192Srwatson 57155192SrwatsonMALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 58155192Srwatson 59155192Srwatsonstatic void audit_sys_auditon(struct audit_record *ar, 60155192Srwatson struct au_record *rec); 61155192Srwatson 62155192Srwatson/* 63155192Srwatson * Initialize the BSM auditing subsystem. 64155192Srwatson */ 65155192Srwatsonvoid 66155192Srwatsonkau_init(void) 67155192Srwatson{ 68155192Srwatson 69155192Srwatson au_evclassmap_init(); 70155192Srwatson} 71155192Srwatson 72155192Srwatson/* 73156889Srwatson * This call reserves memory for the audit record. Memory must be guaranteed 74156889Srwatson * before any auditable event can be generated. The au_record structure 75156889Srwatson * maintains a reference to the memory allocated above and also the list of 76156889Srwatson * tokens associated with this record 77156889Srwatson */ 78156889Srwatsonstatic struct au_record * 79155192Srwatsonkau_open(void) 80156889Srwatson{ 81155192Srwatson struct au_record *rec; 82156889Srwatson 83155192Srwatson rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 84162466Srwatson rec->data = NULL; 85155192Srwatson TAILQ_INIT(&rec->token_q); 86155192Srwatson rec->len = 0; 87155192Srwatson rec->used = 1; 88155192Srwatson 89155192Srwatson return (rec); 90155192Srwatson} 91155192Srwatson 92155192Srwatson/* 93155192Srwatson * Store the token with the record descriptor. 94156889Srwatson */ 95155192Srwatsonstatic void 96155192Srwatsonkau_write(struct au_record *rec, struct au_token *tok) 97155192Srwatson{ 98155192Srwatson 99155192Srwatson KASSERT(tok != NULL, ("kau_write: tok == NULL")); 100155192Srwatson 101155192Srwatson TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 102155192Srwatson rec->len += tok->len; 103155192Srwatson} 104155192Srwatson 105155192Srwatson/* 106155192Srwatson * Close out the audit record by adding the header token, identifying any 107155192Srwatson * missing tokens. Write out the tokens to the record memory. 108155192Srwatson */ 109155192Srwatsonstatic void 110155192Srwatsonkau_close(struct au_record *rec, struct timespec *ctime, short event) 111155192Srwatson{ 112155192Srwatson u_char *dptr; 113155192Srwatson size_t tot_rec_size; 114155192Srwatson token_t *cur, *hdr, *trail; 115155192Srwatson struct timeval tm; 116156889Srwatson 117161635Srwatson tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 118162466Srwatson rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 119170196Srwatson 120162466Srwatson tm.tv_usec = ctime->tv_nsec / 1000; 121162466Srwatson tm.tv_sec = ctime->tv_sec; 122162466Srwatson hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 123162466Srwatson TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 124155192Srwatson 125162466Srwatson trail = au_to_trailer(tot_rec_size); 126162466Srwatson TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 127155192Srwatson 128162466Srwatson rec->len = tot_rec_size; 129162466Srwatson dptr = rec->data; 130162466Srwatson TAILQ_FOREACH(cur, &rec->token_q, tokens) { 131162466Srwatson memcpy(dptr, cur->t_data, cur->len); 132162466Srwatson dptr += cur->len; 133155192Srwatson } 134155192Srwatson} 135155192Srwatson 136155192Srwatson/* 137156889Srwatson * Free a BSM audit record by releasing all the tokens and clearing the audit 138156889Srwatson * record information. 139155192Srwatson */ 140155192Srwatsonvoid 141155192Srwatsonkau_free(struct au_record *rec) 142155192Srwatson{ 143155192Srwatson struct au_token *tok; 144155192Srwatson 145156889Srwatson /* Free the token list. */ 146155192Srwatson while ((tok = TAILQ_FIRST(&rec->token_q))) { 147155192Srwatson TAILQ_REMOVE(&rec->token_q, tok, tokens); 148155192Srwatson free(tok->t_data, M_AUDITBSM); 149155192Srwatson free(tok, M_AUDITBSM); 150156889Srwatson } 151155192Srwatson 152155192Srwatson rec->used = 0; 153156889Srwatson rec->len = 0; 154155192Srwatson free(rec->data, M_AUDITBSM); 155155192Srwatson free(rec, M_AUDITBSM); 156155192Srwatson} 157155192Srwatson 158155192Srwatson/* 159170196Srwatson * XXX: May want turn some (or all) of these macros into functions in order 160155192Srwatson * to reduce the generated code sized. 161155192Srwatson * 162155192Srwatson * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 163155192Srwatson * caller are OK with this. 164155192Srwatson */ 165155192Srwatson#define UPATH1_TOKENS do { \ 166155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 167155192Srwatson tok = au_to_path(ar->ar_arg_upath1); \ 168155192Srwatson kau_write(rec, tok); \ 169155192Srwatson } \ 170155192Srwatson} while (0) 171155192Srwatson 172155192Srwatson#define UPATH2_TOKENS do { \ 173155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 174155192Srwatson tok = au_to_path(ar->ar_arg_upath2); \ 175155192Srwatson kau_write(rec, tok); \ 176155192Srwatson } \ 177155192Srwatson} while (0) 178155192Srwatson 179155192Srwatson#define VNODE1_TOKENS do { \ 180155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 181155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 182155192Srwatson kau_write(rec, tok); \ 183155192Srwatson } \ 184155192Srwatson} while (0) 185155192Srwatson 186155192Srwatson#define UPATH1_VNODE1_TOKENS do { \ 187155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 188155192Srwatson UPATH1_TOKENS; \ 189155192Srwatson } \ 190155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 191155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 192155192Srwatson kau_write(rec, tok); \ 193155192Srwatson } \ 194155192Srwatson} while (0) 195155192Srwatson 196155192Srwatson#define VNODE2_TOKENS do { \ 197155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 198155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode2); \ 199155192Srwatson kau_write(rec, tok); \ 200155192Srwatson } \ 201155192Srwatson} while (0) 202155192Srwatson 203155192Srwatson#define FD_VNODE1_TOKENS do { \ 204155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 205155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { \ 206155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 207155192Srwatson kau_write(rec, tok); \ 208155192Srwatson } \ 209155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 210155192Srwatson kau_write(rec, tok); \ 211155192Srwatson } else { \ 212155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { \ 213156889Srwatson tok = au_to_arg32(1, "non-file: fd", \ 214156889Srwatson ar->ar_arg_fd); \ 215155192Srwatson kau_write(rec, tok); \ 216155192Srwatson } \ 217155192Srwatson } \ 218155192Srwatson} while (0) 219155192Srwatson 220155192Srwatson#define PROCESS_PID_TOKENS(argn) do { \ 221159277Srwatson if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 222159277Srwatson && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 223172915Scsjp tok = au_to_process32_ex(ar->ar_arg_auid, \ 224159277Srwatson ar->ar_arg_euid, ar->ar_arg_egid, \ 225159277Srwatson ar->ar_arg_ruid, ar->ar_arg_rgid, \ 226159277Srwatson ar->ar_arg_pid, ar->ar_arg_asid, \ 227172915Scsjp &ar->ar_arg_termid_addr); \ 228159277Srwatson kau_write(rec, tok); \ 229159277Srwatson } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 230159277Srwatson tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 231159277Srwatson kau_write(rec, tok); \ 232155192Srwatson } \ 233155192Srwatson} while (0) \ 234155192Srwatson 235160136Swsalamon#define EXTATTR_TOKENS do { \ 236160136Swsalamon if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 237160136Swsalamon switch (ar->ar_arg_value) { \ 238160136Swsalamon case EXTATTR_NAMESPACE_USER: \ 239160136Swsalamon tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 240160136Swsalamon break; \ 241160136Swsalamon case EXTATTR_NAMESPACE_SYSTEM: \ 242160136Swsalamon tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 243160136Swsalamon break; \ 244160136Swsalamon default: \ 245160136Swsalamon tok = au_to_arg32(3, "attrnamespace", \ 246160136Swsalamon ar->ar_arg_value); \ 247160136Swsalamon break; \ 248160136Swsalamon } \ 249160136Swsalamon kau_write(rec, tok); \ 250160136Swsalamon } \ 251160136Swsalamon /* attrname is in the text field */ \ 252160136Swsalamon if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 253160136Swsalamon tok = au_to_text(ar->ar_arg_text); \ 254160136Swsalamon kau_write(rec, tok); \ 255160136Swsalamon } \ 256160136Swsalamon} while (0) 257160136Swsalamon 258155192Srwatson/* 259155192Srwatson * Implement auditing for the auditon() system call. The audit tokens that 260155192Srwatson * are generated depend on the command that was sent into the auditon() 261155192Srwatson * system call. 262155192Srwatson */ 263155192Srwatsonstatic void 264155192Srwatsonaudit_sys_auditon(struct audit_record *ar, struct au_record *rec) 265155192Srwatson{ 266155192Srwatson struct au_token *tok; 267155192Srwatson 268155192Srwatson switch (ar->ar_arg_cmd) { 269156889Srwatson case A_SETPOLICY: 270155192Srwatson if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 271156889Srwatson tok = au_to_arg64(1, "policy", 272156889Srwatson ar->ar_arg_auditon.au_flags); 273155192Srwatson else 274156889Srwatson tok = au_to_arg32(1, "policy", 275156889Srwatson ar->ar_arg_auditon.au_flags); 276155192Srwatson kau_write(rec, tok); 277155192Srwatson break; 278155192Srwatson 279156889Srwatson case A_SETKMASK: 280156889Srwatson tok = au_to_arg32(2, "setkmask:as_success", 281156889Srwatson ar->ar_arg_auditon.au_mask.am_success); 282155192Srwatson kau_write(rec, tok); 283156889Srwatson tok = au_to_arg32(2, "setkmask:as_failure", 284156889Srwatson ar->ar_arg_auditon.au_mask.am_failure); 285155192Srwatson kau_write(rec, tok); 286155192Srwatson break; 287155192Srwatson 288156889Srwatson case A_SETQCTRL: 289156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_hiwater", 290156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_hiwater); 291155192Srwatson kau_write(rec, tok); 292156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_lowater", 293156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_lowater); 294155192Srwatson kau_write(rec, tok); 295156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_bufsz", 296156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_bufsz); 297155192Srwatson kau_write(rec, tok); 298156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_delay", 299156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_delay); 300155192Srwatson kau_write(rec, tok); 301156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_minfree", 302156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_minfree); 303155192Srwatson kau_write(rec, tok); 304155192Srwatson break; 305155192Srwatson 306156889Srwatson case A_SETUMASK: 307156889Srwatson tok = au_to_arg32(3, "setumask:as_success", 308156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 309155192Srwatson kau_write(rec, tok); 310156889Srwatson tok = au_to_arg32(3, "setumask:as_failure", 311156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 312155192Srwatson kau_write(rec, tok); 313155192Srwatson break; 314155192Srwatson 315156889Srwatson case A_SETSMASK: 316156889Srwatson tok = au_to_arg32(3, "setsmask:as_success", 317156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 318155192Srwatson kau_write(rec, tok); 319156889Srwatson tok = au_to_arg32(3, "setsmask:as_failure", 320156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 321155192Srwatson kau_write(rec, tok); 322155192Srwatson break; 323155192Srwatson 324156889Srwatson case A_SETCOND: 325155192Srwatson if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 326156889Srwatson tok = au_to_arg64(3, "setcond", 327156889Srwatson ar->ar_arg_auditon.au_cond); 328155192Srwatson else 329156889Srwatson tok = au_to_arg32(3, "setcond", 330156889Srwatson ar->ar_arg_auditon.au_cond); 331155192Srwatson kau_write(rec, tok); 332155192Srwatson break; 333155192Srwatson 334156889Srwatson case A_SETCLASS: 335155192Srwatson tok = au_to_arg32(2, "setclass:ec_event", 336156889Srwatson ar->ar_arg_auditon.au_evclass.ec_number); 337155192Srwatson kau_write(rec, tok); 338155192Srwatson tok = au_to_arg32(3, "setclass:ec_class", 339156889Srwatson ar->ar_arg_auditon.au_evclass.ec_class); 340155192Srwatson kau_write(rec, tok); 341155192Srwatson break; 342155192Srwatson 343156889Srwatson case A_SETPMASK: 344156889Srwatson tok = au_to_arg32(2, "setpmask:as_success", 345156889Srwatson ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 346155192Srwatson kau_write(rec, tok); 347156889Srwatson tok = au_to_arg32(2, "setpmask:as_failure", 348156889Srwatson ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 349155192Srwatson kau_write(rec, tok); 350155192Srwatson break; 351155192Srwatson 352156889Srwatson case A_SETFSIZE: 353156889Srwatson tok = au_to_arg32(2, "setfsize:filesize", 354156889Srwatson ar->ar_arg_auditon.au_fstat.af_filesz); 355155192Srwatson kau_write(rec, tok); 356155192Srwatson break; 357155192Srwatson 358155192Srwatson default: 359155192Srwatson break; 360155192Srwatson } 361155192Srwatson} 362155192Srwatson 363155192Srwatson/* 364156889Srwatson * Convert an internal kernel audit record to a BSM record and return a 365156889Srwatson * success/failure indicator. The BSM record is passed as an out parameter to 366156889Srwatson * this function. 367156889Srwatson * 368155192Srwatson * Return conditions: 369155192Srwatson * BSM_SUCCESS: The BSM record is valid 370155192Srwatson * BSM_FAILURE: Failure; the BSM record is NULL. 371156889Srwatson * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 372155192Srwatson */ 373155192Srwatsonint 374155192Srwatsonkaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 375155192Srwatson{ 376155192Srwatson struct au_token *tok, *subj_tok; 377155192Srwatson struct au_record *rec; 378155192Srwatson au_tid_t tid; 379155192Srwatson struct audit_record *ar; 380155192Srwatson int ctr; 381155192Srwatson 382155192Srwatson KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 383155192Srwatson 384155192Srwatson *pau = NULL; 385155192Srwatson ar = &kar->k_ar; 386155192Srwatson rec = kau_open(); 387155192Srwatson 388155192Srwatson /* Create the subject token */ 389168688Scsjp switch (ar->ar_subj_term_addr.at_type) { 390168688Scsjp case AU_IPv4: 391168688Scsjp tid.port = ar->ar_subj_term_addr.at_port; 392168688Scsjp tid.machine = ar->ar_subj_term_addr.at_addr[0]; 393168688Scsjp subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 394168688Scsjp ar->ar_subj_cred.cr_uid, /* eff uid */ 395168688Scsjp ar->ar_subj_egid, /* eff group id */ 396168688Scsjp ar->ar_subj_ruid, /* real uid */ 397168688Scsjp ar->ar_subj_rgid, /* real group id */ 398168688Scsjp ar->ar_subj_pid, /* process id */ 399168688Scsjp ar->ar_subj_asid, /* session ID */ 400168688Scsjp &tid); 401168688Scsjp break; 402168688Scsjp case AU_IPv6: 403168688Scsjp subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 404168688Scsjp ar->ar_subj_cred.cr_uid, 405168688Scsjp ar->ar_subj_egid, 406168688Scsjp ar->ar_subj_ruid, 407168688Scsjp ar->ar_subj_rgid, 408168688Scsjp ar->ar_subj_pid, 409168688Scsjp ar->ar_subj_asid, 410168688Scsjp &ar->ar_subj_term_addr); 411168688Scsjp break; 412168688Scsjp default: 413168688Scsjp bzero(&tid, sizeof(tid)); 414168688Scsjp subj_tok = au_to_subject32(ar->ar_subj_auid, 415168688Scsjp ar->ar_subj_cred.cr_uid, 416168688Scsjp ar->ar_subj_egid, 417168688Scsjp ar->ar_subj_ruid, 418168688Scsjp ar->ar_subj_rgid, 419168688Scsjp ar->ar_subj_pid, 420168688Scsjp ar->ar_subj_asid, 421168688Scsjp &tid); 422168688Scsjp } 423155192Srwatson 424156889Srwatson /* 425156889Srwatson * The logic inside each case fills in the tokens required for the 426156889Srwatson * event, except for the header, trailer, and return tokens. The 427155192Srwatson * header and trailer tokens are added by the kau_close() function. 428155192Srwatson * The return token is added outside of the switch statement. 429156889Srwatson */ 430155192Srwatson switch(ar->ar_event) { 431155192Srwatson case AUE_ACCEPT: 432155192Srwatson case AUE_BIND: 433175455Scsjp case AUE_LISTEN: 434155192Srwatson case AUE_CONNECT: 435162990Srwatson case AUE_RECV: 436155192Srwatson case AUE_RECVFROM: 437156889Srwatson case AUE_RECVMSG: 438162990Srwatson case AUE_SEND: 439162990Srwatson case AUE_SENDFILE: 440155192Srwatson case AUE_SENDMSG: 441155192Srwatson case AUE_SENDTO: 442156889Srwatson /* 443156889Srwatson * Socket-related events. 444156889Srwatson */ 445155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 446155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 447155192Srwatson kau_write(rec, tok); 448155192Srwatson } 449155192Srwatson if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 450156889Srwatson tok = au_to_sock_inet((struct sockaddr_in *) 451156889Srwatson &ar->ar_arg_sockaddr); 452155192Srwatson kau_write(rec, tok); 453155192Srwatson } 454155192Srwatson if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 455156889Srwatson tok = au_to_sock_unix((struct sockaddr_un *) 456156889Srwatson &ar->ar_arg_sockaddr); 457155192Srwatson kau_write(rec, tok); 458155192Srwatson UPATH1_TOKENS; 459155192Srwatson } 460155192Srwatson /* XXX Need to handle ARG_SADDRINET6 */ 461155192Srwatson break; 462155192Srwatson 463155192Srwatson case AUE_SOCKET: 464155192Srwatson case AUE_SOCKETPAIR: 465155192Srwatson if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 466155192Srwatson tok = au_to_arg32(1,"domain", 467155192Srwatson ar->ar_arg_sockinfo.so_domain); 468155192Srwatson kau_write(rec, tok); 469155192Srwatson tok = au_to_arg32(2,"type", 470155192Srwatson ar->ar_arg_sockinfo.so_type); 471155192Srwatson kau_write(rec, tok); 472155192Srwatson tok = au_to_arg32(3,"protocol", 473155192Srwatson ar->ar_arg_sockinfo.so_protocol); 474155192Srwatson kau_write(rec, tok); 475155192Srwatson } 476155192Srwatson break; 477155192Srwatson 478155192Srwatson case AUE_SETSOCKOPT: 479155192Srwatson case AUE_SHUTDOWN: 480155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 481155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 482155192Srwatson kau_write(rec, tok); 483155192Srwatson } 484155192Srwatson break; 485155192Srwatson 486155192Srwatson case AUE_ACCT: 487155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { 488155192Srwatson UPATH1_VNODE1_TOKENS; 489155192Srwatson } else { 490155192Srwatson tok = au_to_arg32(1, "accounting off", 0); 491155192Srwatson kau_write(rec, tok); 492155192Srwatson } 493155192Srwatson break; 494155192Srwatson 495155192Srwatson case AUE_SETAUID: 496155192Srwatson if (ARG_IS_VALID(kar, ARG_AUID)) { 497155192Srwatson tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 498155192Srwatson kau_write(rec, tok); 499155192Srwatson } 500155192Srwatson break; 501155192Srwatson 502155192Srwatson case AUE_SETAUDIT: 503171066Scsjp if (ARG_IS_VALID(kar, ARG_AUID) && 504171066Scsjp ARG_IS_VALID(kar, ARG_ASID) && 505171066Scsjp ARG_IS_VALID(kar, ARG_AMASK) && 506171066Scsjp ARG_IS_VALID(kar, ARG_TERMID)) { 507156889Srwatson tok = au_to_arg32(1, "setaudit:auid", 508156889Srwatson ar->ar_arg_auid); 509155192Srwatson kau_write(rec, tok); 510156889Srwatson tok = au_to_arg32(1, "setaudit:port", 511156889Srwatson ar->ar_arg_termid.port); 512155192Srwatson kau_write(rec, tok); 513156889Srwatson tok = au_to_arg32(1, "setaudit:machine", 514156889Srwatson ar->ar_arg_termid.machine); 515155192Srwatson kau_write(rec, tok); 516156889Srwatson tok = au_to_arg32(1, "setaudit:as_success", 517156889Srwatson ar->ar_arg_amask.am_success); 518155192Srwatson kau_write(rec, tok); 519156889Srwatson tok = au_to_arg32(1, "setaudit:as_failure", 520156889Srwatson ar->ar_arg_amask.am_failure); 521155192Srwatson kau_write(rec, tok); 522156889Srwatson tok = au_to_arg32(1, "setaudit:asid", 523156889Srwatson ar->ar_arg_asid); 524155192Srwatson kau_write(rec, tok); 525155192Srwatson } 526155192Srwatson break; 527155192Srwatson 528155192Srwatson case AUE_SETAUDIT_ADDR: 529171066Scsjp if (ARG_IS_VALID(kar, ARG_AUID) && 530171066Scsjp ARG_IS_VALID(kar, ARG_ASID) && 531171066Scsjp ARG_IS_VALID(kar, ARG_AMASK) && 532171066Scsjp ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 533171066Scsjp tok = au_to_arg32(1, "setaudit_addr:auid", 534171066Scsjp ar->ar_arg_auid); 535171066Scsjp kau_write(rec, tok); 536171066Scsjp tok = au_to_arg32(1, "setaudit_addr:as_success", 537171066Scsjp ar->ar_arg_amask.am_success); 538171066Scsjp kau_write(rec, tok); 539171066Scsjp tok = au_to_arg32(1, "setaudit_addr:as_failure", 540171066Scsjp ar->ar_arg_amask.am_failure); 541171066Scsjp kau_write(rec, tok); 542171066Scsjp tok = au_to_arg32(1, "setaudit_addr:asid", 543171066Scsjp ar->ar_arg_asid); 544171066Scsjp kau_write(rec, tok); 545171066Scsjp tok = au_to_arg32(1, "setaudit_addr:type", 546171066Scsjp ar->ar_arg_termid_addr.at_type); 547171066Scsjp kau_write(rec, tok); 548171066Scsjp tok = au_to_arg32(1, "setaudit_addr:port", 549171066Scsjp ar->ar_arg_termid_addr.at_port); 550171066Scsjp kau_write(rec, tok); 551171066Scsjp if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 552171066Scsjp tok = au_to_in_addr_ex((struct in6_addr *) 553171066Scsjp &ar->ar_arg_termid_addr.at_addr[0]); 554171066Scsjp if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 555171066Scsjp tok = au_to_in_addr((struct in_addr *) 556171066Scsjp &ar->ar_arg_termid_addr.at_addr[0]); 557171066Scsjp kau_write(rec, tok); 558171066Scsjp } 559171066Scsjp break; 560155192Srwatson 561155192Srwatson case AUE_AUDITON: 562156889Srwatson /* 563156889Srwatson * For AUDITON commands without own event, audit the cmd. 564156889Srwatson */ 565155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 566155192Srwatson tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 567155192Srwatson kau_write(rec, tok); 568155192Srwatson } 569155192Srwatson /* fall thru */ 570155192Srwatson 571155192Srwatson case AUE_AUDITON_GETCAR: 572155192Srwatson case AUE_AUDITON_GETCLASS: 573155192Srwatson case AUE_AUDITON_GETCOND: 574155192Srwatson case AUE_AUDITON_GETCWD: 575155192Srwatson case AUE_AUDITON_GETKMASK: 576155192Srwatson case AUE_AUDITON_GETSTAT: 577155192Srwatson case AUE_AUDITON_GPOLICY: 578155192Srwatson case AUE_AUDITON_GQCTRL: 579155192Srwatson case AUE_AUDITON_SETCLASS: 580155192Srwatson case AUE_AUDITON_SETCOND: 581155192Srwatson case AUE_AUDITON_SETKMASK: 582155192Srwatson case AUE_AUDITON_SETSMASK: 583155192Srwatson case AUE_AUDITON_SETSTAT: 584155192Srwatson case AUE_AUDITON_SETUMASK: 585155192Srwatson case AUE_AUDITON_SPOLICY: 586155192Srwatson case AUE_AUDITON_SQCTRL: 587156889Srwatson if (ARG_IS_VALID(kar, ARG_AUDITON)) 588155192Srwatson audit_sys_auditon(ar, rec); 589155192Srwatson break; 590156889Srwatson 591155192Srwatson case AUE_AUDITCTL: 592155192Srwatson UPATH1_VNODE1_TOKENS; 593155192Srwatson break; 594155192Srwatson 595155192Srwatson case AUE_EXIT: 596155192Srwatson if (ARG_IS_VALID(kar, ARG_EXIT)) { 597155192Srwatson tok = au_to_exit(ar->ar_arg_exitretval, 598155192Srwatson ar->ar_arg_exitstatus); 599155192Srwatson kau_write(rec, tok); 600155192Srwatson } 601155192Srwatson break; 602155192Srwatson 603155192Srwatson case AUE_ADJTIME: 604162990Srwatson case AUE_CLOCK_SETTIME: 605155192Srwatson case AUE_AUDIT: 606162990Srwatson case AUE_DUP2: 607155192Srwatson case AUE_GETAUDIT: 608155192Srwatson case AUE_GETAUDIT_ADDR: 609155192Srwatson case AUE_GETAUID: 610162990Srwatson case AUE_GETCWD: 611155192Srwatson case AUE_GETFSSTAT: 612162990Srwatson case AUE_GETRESUID: 613162990Srwatson case AUE_GETRESGID: 614162990Srwatson case AUE_KQUEUE: 615162990Srwatson case AUE_LSEEK: 616162990Srwatson case AUE_MODLOAD: 617162990Srwatson case AUE_MODUNLOAD: 618162990Srwatson case AUE_MSGSYS: 619162990Srwatson case AUE_NFS_SVC: 620162990Srwatson case AUE_NTP_ADJTIME: 621155192Srwatson case AUE_PIPE: 622162990Srwatson case AUE_PROFILE: 623162990Srwatson case AUE_RTPRIO: 624162990Srwatson case AUE_SEMSYS: 625162990Srwatson case AUE_SHMSYS: 626155192Srwatson case AUE_SETPGRP: 627155192Srwatson case AUE_SETRLIMIT: 628155192Srwatson case AUE_SETSID: 629155192Srwatson case AUE_SETTIMEOFDAY: 630162990Srwatson case AUE_SYSARCH: 631162990Srwatson 632156889Srwatson /* 633156889Srwatson * Header, subject, and return tokens added at end. 634156889Srwatson */ 635155192Srwatson break; 636155192Srwatson 637159278Srwatson case AUE_MKFIFO: 638159278Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 639159278Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 640159278Srwatson kau_write(rec, tok); 641159278Srwatson } 642159278Srwatson /* fall through */ 643155192Srwatson case AUE_ACCESS: 644155192Srwatson case AUE_CHDIR: 645155192Srwatson case AUE_CHROOT: 646155559Srwatson case AUE_EACCESS: 647155192Srwatson case AUE_GETATTRLIST: 648162990Srwatson case AUE_JAIL: 649162419Scsjp case AUE_LUTIMES: 650155192Srwatson case AUE_NFS_GETFH: 651155192Srwatson case AUE_LSTAT: 652155192Srwatson case AUE_PATHCONF: 653155192Srwatson case AUE_READLINK: 654155192Srwatson case AUE_REVOKE: 655155192Srwatson case AUE_RMDIR: 656155192Srwatson case AUE_SEARCHFS: 657155192Srwatson case AUE_SETATTRLIST: 658155192Srwatson case AUE_STAT: 659155192Srwatson case AUE_STATFS: 660162990Srwatson case AUE_SWAPON: 661162990Srwatson case AUE_SWAPOFF: 662155192Srwatson case AUE_TRUNCATE: 663155192Srwatson case AUE_UNDELETE: 664155192Srwatson case AUE_UNLINK: 665155192Srwatson case AUE_UTIMES: 666155192Srwatson UPATH1_VNODE1_TOKENS; 667155192Srwatson break; 668155192Srwatson 669162990Srwatson case AUE_FHSTATFS: 670162990Srwatson case AUE_FHOPEN: 671162990Srwatson case AUE_FHSTAT: 672162990Srwatson /* XXXRW: Need to audit vnode argument. */ 673162990Srwatson break; 674162990Srwatson 675155192Srwatson case AUE_CHFLAGS: 676155192Srwatson case AUE_LCHFLAGS: 677155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 678155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 679155192Srwatson kau_write(rec, tok); 680155192Srwatson } 681155192Srwatson UPATH1_VNODE1_TOKENS; 682155192Srwatson break; 683156889Srwatson 684155192Srwatson case AUE_CHMOD: 685155192Srwatson case AUE_LCHMOD: 686155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 687156889Srwatson tok = au_to_arg32(2, "new file mode", 688156889Srwatson ar->ar_arg_mode); 689155192Srwatson kau_write(rec, tok); 690155192Srwatson } 691155192Srwatson UPATH1_VNODE1_TOKENS; 692155192Srwatson break; 693156889Srwatson 694155192Srwatson case AUE_CHOWN: 695155192Srwatson case AUE_LCHOWN: 696155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 697155192Srwatson tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 698155192Srwatson kau_write(rec, tok); 699155192Srwatson } 700155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 701155192Srwatson tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 702155192Srwatson kau_write(rec, tok); 703155192Srwatson } 704155192Srwatson UPATH1_VNODE1_TOKENS; 705155192Srwatson break; 706156889Srwatson 707155192Srwatson case AUE_EXCHANGEDATA: 708155192Srwatson UPATH1_VNODE1_TOKENS; 709155192Srwatson UPATH2_TOKENS; 710155192Srwatson break; 711155192Srwatson 712155192Srwatson case AUE_CLOSE: 713155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 714155192Srwatson tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 715155192Srwatson kau_write(rec, tok); 716155192Srwatson } 717155192Srwatson UPATH1_VNODE1_TOKENS; 718155192Srwatson break; 719155192Srwatson 720172995Scsjp case AUE_CORE: 721172995Scsjp if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 722172995Scsjp tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 723172995Scsjp kau_write(rec, tok); 724172995Scsjp } 725172995Scsjp UPATH1_VNODE1_TOKENS; 726172995Scsjp break; 727172995Scsjp 728160136Swsalamon case AUE_EXTATTRCTL: 729160136Swsalamon UPATH1_VNODE1_TOKENS; 730160136Swsalamon if (ARG_IS_VALID(kar, ARG_CMD)) { 731160136Swsalamon tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 732160136Swsalamon kau_write(rec, tok); 733160136Swsalamon } 734160136Swsalamon /* extattrctl(2) filename parameter is in upath2/vnode2 */ 735160136Swsalamon UPATH2_TOKENS; 736160136Swsalamon VNODE2_TOKENS; 737160136Swsalamon EXTATTR_TOKENS; 738160136Swsalamon break; 739160136Swsalamon 740160136Swsalamon case AUE_EXTATTR_GET_FILE: 741160136Swsalamon case AUE_EXTATTR_SET_FILE: 742160136Swsalamon case AUE_EXTATTR_LIST_FILE: 743160136Swsalamon case AUE_EXTATTR_DELETE_FILE: 744160136Swsalamon case AUE_EXTATTR_GET_LINK: 745160136Swsalamon case AUE_EXTATTR_SET_LINK: 746160136Swsalamon case AUE_EXTATTR_LIST_LINK: 747160136Swsalamon case AUE_EXTATTR_DELETE_LINK: 748160136Swsalamon UPATH1_VNODE1_TOKENS; 749160136Swsalamon EXTATTR_TOKENS; 750160136Swsalamon break; 751160136Swsalamon 752160136Swsalamon case AUE_EXTATTR_GET_FD: 753160136Swsalamon case AUE_EXTATTR_SET_FD: 754160136Swsalamon case AUE_EXTATTR_LIST_FD: 755160136Swsalamon case AUE_EXTATTR_DELETE_FD: 756160136Swsalamon if (ARG_IS_VALID(kar, ARG_FD)) { 757160136Swsalamon tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 758160136Swsalamon kau_write(rec, tok); 759160136Swsalamon } 760160136Swsalamon EXTATTR_TOKENS; 761160136Swsalamon break; 762160136Swsalamon 763161813Swsalamon case AUE_EXECVE: 764161813Swsalamon if (ARG_IS_VALID(kar, ARG_ARGV)) { 765161813Swsalamon tok = au_to_exec_args(ar->ar_arg_argv, 766161813Swsalamon ar->ar_arg_argc); 767161813Swsalamon kau_write(rec, tok); 768161813Swsalamon } 769161813Swsalamon if (ARG_IS_VALID(kar, ARG_ENVV)) { 770161813Swsalamon tok = au_to_exec_env(ar->ar_arg_envv, 771161813Swsalamon ar->ar_arg_envc); 772161813Swsalamon kau_write(rec, tok); 773161813Swsalamon } 774161813Swsalamon UPATH1_VNODE1_TOKENS; 775161813Swsalamon break; 776161813Swsalamon 777155192Srwatson case AUE_FCHMOD: 778155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 779156889Srwatson tok = au_to_arg32(2, "new file mode", 780156889Srwatson ar->ar_arg_mode); 781155192Srwatson kau_write(rec, tok); 782155192Srwatson } 783155192Srwatson FD_VNODE1_TOKENS; 784155192Srwatson break; 785156889Srwatson 786162990Srwatson /* 787162990Srwatson * XXXRW: Some of these need to handle non-vnode cases as well. 788162990Srwatson */ 789155192Srwatson case AUE_FCHDIR: 790155192Srwatson case AUE_FPATHCONF: 791162990Srwatson case AUE_FSTAT: 792155192Srwatson case AUE_FSTATFS: 793155192Srwatson case AUE_FSYNC: 794155192Srwatson case AUE_FTRUNCATE: 795155192Srwatson case AUE_FUTIMES: 796155192Srwatson case AUE_GETDIRENTRIES: 797155192Srwatson case AUE_GETDIRENTRIESATTR: 798162990Srwatson case AUE_POLL: 799162990Srwatson case AUE_READ: 800162990Srwatson case AUE_READV: 801162990Srwatson case AUE_WRITE: 802162990Srwatson case AUE_WRITEV: 803155192Srwatson FD_VNODE1_TOKENS; 804155192Srwatson break; 805156889Srwatson 806155192Srwatson case AUE_FCHOWN: 807155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 808155192Srwatson tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 809155192Srwatson kau_write(rec, tok); 810155192Srwatson } 811155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 812155192Srwatson tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 813155192Srwatson kau_write(rec, tok); 814155192Srwatson } 815155192Srwatson FD_VNODE1_TOKENS; 816155192Srwatson break; 817156889Srwatson 818155192Srwatson case AUE_FCNTL: 819155192Srwatson if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 820155192Srwatson ar->ar_arg_cmd == F_SETLKW) { 821155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 822155192Srwatson tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 823155192Srwatson kau_write(rec, tok); 824155192Srwatson } 825155192Srwatson FD_VNODE1_TOKENS; 826155192Srwatson } 827155192Srwatson break; 828156889Srwatson 829155192Srwatson case AUE_FCHFLAGS: 830155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 831155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 832155192Srwatson kau_write(rec, tok); 833155192Srwatson } 834155192Srwatson FD_VNODE1_TOKENS; 835155192Srwatson break; 836156889Srwatson 837155192Srwatson case AUE_FLOCK: 838155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 839155192Srwatson tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 840155192Srwatson kau_write(rec, tok); 841155192Srwatson } 842155192Srwatson FD_VNODE1_TOKENS; 843155192Srwatson break; 844156889Srwatson 845155192Srwatson case AUE_RFORK: 846155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 847155192Srwatson tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 848155192Srwatson kau_write(rec, tok); 849155192Srwatson } 850155192Srwatson /* fall through */ 851155192Srwatson case AUE_FORK: 852155192Srwatson case AUE_VFORK: 853155192Srwatson if (ARG_IS_VALID(kar, ARG_PID)) { 854155192Srwatson tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 855155192Srwatson kau_write(rec, tok); 856155192Srwatson } 857155192Srwatson break; 858156889Srwatson 859155192Srwatson case AUE_IOCTL: 860155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 861155192Srwatson tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 862155192Srwatson kau_write(rec, tok); 863155192Srwatson } 864155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 865155271Srwatson tok = au_to_arg32(1, "arg", 866155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 867155192Srwatson kau_write(rec, tok); 868155192Srwatson } 869156889Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) 870155192Srwatson FD_VNODE1_TOKENS; 871156889Srwatson else { 872155192Srwatson if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 873156889Srwatson tok = kau_to_socket(&ar->ar_arg_sockinfo); 874155192Srwatson kau_write(rec, tok); 875155192Srwatson } else { 876155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 877155192Srwatson tok = au_to_arg32(1, "fd", 878155192Srwatson ar->ar_arg_fd); 879155192Srwatson kau_write(rec, tok); 880155192Srwatson } 881155192Srwatson } 882155192Srwatson } 883155192Srwatson break; 884155192Srwatson 885155192Srwatson case AUE_KILL: 886162990Srwatson case AUE_KILLPG: 887155192Srwatson if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 888155192Srwatson tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 889155192Srwatson kau_write(rec, tok); 890155192Srwatson } 891155192Srwatson PROCESS_PID_TOKENS(1); 892155192Srwatson break; 893155192Srwatson 894155192Srwatson case AUE_KTRACE: 895155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 896155192Srwatson tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 897155192Srwatson kau_write(rec, tok); 898155192Srwatson } 899155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 900155192Srwatson tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 901155192Srwatson kau_write(rec, tok); 902155192Srwatson } 903155192Srwatson PROCESS_PID_TOKENS(4); 904155192Srwatson UPATH1_VNODE1_TOKENS; 905155192Srwatson break; 906155192Srwatson 907155192Srwatson case AUE_LINK: 908155192Srwatson case AUE_RENAME: 909155192Srwatson UPATH1_VNODE1_TOKENS; 910155192Srwatson UPATH2_TOKENS; 911155192Srwatson break; 912155192Srwatson 913155192Srwatson case AUE_LOADSHFILE: 914155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 915155192Srwatson tok = au_to_arg32(4, "base addr", 916155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 917155192Srwatson kau_write(rec, tok); 918155192Srwatson } 919155192Srwatson UPATH1_VNODE1_TOKENS; 920155192Srwatson break; 921156889Srwatson 922155192Srwatson case AUE_MKDIR: 923155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 924155192Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 925155192Srwatson kau_write(rec, tok); 926155192Srwatson } 927155192Srwatson UPATH1_VNODE1_TOKENS; 928155192Srwatson break; 929155192Srwatson 930155192Srwatson case AUE_MKNOD: 931155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 932155192Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 933155192Srwatson kau_write(rec, tok); 934155192Srwatson } 935155192Srwatson if (ARG_IS_VALID(kar, ARG_DEV)) { 936155192Srwatson tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 937155192Srwatson kau_write(rec, tok); 938155192Srwatson } 939155192Srwatson UPATH1_VNODE1_TOKENS; 940155192Srwatson break; 941155192Srwatson 942155192Srwatson case AUE_MMAP: 943155192Srwatson case AUE_MUNMAP: 944155192Srwatson case AUE_MPROTECT: 945155192Srwatson case AUE_MLOCK: 946155192Srwatson case AUE_MUNLOCK: 947155192Srwatson case AUE_MINHERIT: 948155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 949155192Srwatson tok = au_to_arg32(1, "addr", 950155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 951155192Srwatson kau_write(rec, tok); 952155192Srwatson } 953155192Srwatson if (ARG_IS_VALID(kar, ARG_LEN)) { 954155192Srwatson tok = au_to_arg32(2, "len", ar->ar_arg_len); 955155192Srwatson kau_write(rec, tok); 956155192Srwatson } 957155192Srwatson if (ar->ar_event == AUE_MMAP) 958155192Srwatson FD_VNODE1_TOKENS; 959155192Srwatson if (ar->ar_event == AUE_MPROTECT) { 960155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 961155192Srwatson tok = au_to_arg32(3, "protection", 962155192Srwatson ar->ar_arg_value); 963155192Srwatson kau_write(rec, tok); 964155192Srwatson } 965155192Srwatson } 966155192Srwatson if (ar->ar_event == AUE_MINHERIT) { 967155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 968155192Srwatson tok = au_to_arg32(3, "inherit", 969155192Srwatson ar->ar_arg_value); 970155192Srwatson kau_write(rec, tok); 971155192Srwatson } 972155192Srwatson } 973155192Srwatson break; 974155192Srwatson 975155192Srwatson case AUE_MOUNT: 976162990Srwatson case AUE_NMOUNT: 977155192Srwatson /* XXX Need to handle NFS mounts */ 978155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 979155192Srwatson tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 980155192Srwatson kau_write(rec, tok); 981155192Srwatson } 982155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 983155192Srwatson tok = au_to_text(ar->ar_arg_text); 984155192Srwatson kau_write(rec, tok); 985155192Srwatson } 986155192Srwatson /* fall through */ 987156889Srwatson 988155192Srwatson case AUE_UMOUNT: 989155192Srwatson UPATH1_VNODE1_TOKENS; 990155192Srwatson break; 991155192Srwatson 992155192Srwatson case AUE_MSGCTL: 993176565Srwatson ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd); 994155192Srwatson /* Fall through */ 995156889Srwatson 996155192Srwatson case AUE_MSGRCV: 997155192Srwatson case AUE_MSGSND: 998155192Srwatson tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 999155192Srwatson kau_write(rec, tok); 1000155192Srwatson if (ar->ar_errno != EINVAL) { 1001155192Srwatson tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1002155192Srwatson kau_write(rec, tok); 1003155192Srwatson } 1004155192Srwatson break; 1005155192Srwatson 1006155192Srwatson case AUE_MSGGET: 1007155192Srwatson if (ar->ar_errno == 0) { 1008155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1009155192Srwatson tok = au_to_ipc(AT_IPC_MSG, 1010155192Srwatson ar->ar_arg_svipc_id); 1011155192Srwatson kau_write(rec, tok); 1012155192Srwatson } 1013155192Srwatson } 1014155192Srwatson break; 1015155192Srwatson 1016155192Srwatson case AUE_RESETSHFILE: 1017155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 1018155192Srwatson tok = au_to_arg32(1, "base addr", 1019155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1020155192Srwatson kau_write(rec, tok); 1021155192Srwatson } 1022155192Srwatson break; 1023156889Srwatson 1024155192Srwatson case AUE_OPEN_RC: 1025155192Srwatson case AUE_OPEN_RTC: 1026155192Srwatson case AUE_OPEN_RWC: 1027155192Srwatson case AUE_OPEN_RWTC: 1028155192Srwatson case AUE_OPEN_WC: 1029155192Srwatson case AUE_OPEN_WTC: 1030162990Srwatson case AUE_CREAT: 1031155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1032155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1033155192Srwatson kau_write(rec, tok); 1034155192Srwatson } 1035155192Srwatson /* fall through */ 1036155192Srwatson 1037155192Srwatson case AUE_OPEN_R: 1038155192Srwatson case AUE_OPEN_RT: 1039155192Srwatson case AUE_OPEN_RW: 1040155192Srwatson case AUE_OPEN_RWT: 1041155192Srwatson case AUE_OPEN_W: 1042155192Srwatson case AUE_OPEN_WT: 1043155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1044155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1045155192Srwatson kau_write(rec, tok); 1046155192Srwatson } 1047155192Srwatson UPATH1_VNODE1_TOKENS; 1048155192Srwatson break; 1049155192Srwatson 1050155192Srwatson case AUE_PTRACE: 1051155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1052155192Srwatson tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1053155192Srwatson kau_write(rec, tok); 1054155192Srwatson } 1055155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 1056155192Srwatson tok = au_to_arg32(3, "addr", 1057155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1058155192Srwatson kau_write(rec, tok); 1059155192Srwatson } 1060155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1061155192Srwatson tok = au_to_arg32(4, "data", ar->ar_arg_value); 1062155192Srwatson kau_write(rec, tok); 1063155192Srwatson } 1064155192Srwatson PROCESS_PID_TOKENS(2); 1065155192Srwatson break; 1066155192Srwatson 1067155192Srwatson case AUE_QUOTACTL: 1068155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1069155192Srwatson tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1070155192Srwatson kau_write(rec, tok); 1071155192Srwatson } 1072155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1073155192Srwatson tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1074155192Srwatson kau_write(rec, tok); 1075155192Srwatson } 1076155192Srwatson UPATH1_VNODE1_TOKENS; 1077155192Srwatson break; 1078155192Srwatson 1079155192Srwatson case AUE_REBOOT: 1080155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1081155192Srwatson tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1082155192Srwatson kau_write(rec, tok); 1083155192Srwatson } 1084155192Srwatson break; 1085155192Srwatson 1086155192Srwatson case AUE_SEMCTL: 1087176565Srwatson ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd); 1088155192Srwatson /* Fall through */ 1089156889Srwatson 1090155192Srwatson case AUE_SEMOP: 1091155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1092155192Srwatson tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1093155192Srwatson kau_write(rec, tok); 1094155192Srwatson if (ar->ar_errno != EINVAL) { 1095155192Srwatson tok = au_to_ipc(AT_IPC_SEM, 1096155192Srwatson ar->ar_arg_svipc_id); 1097155192Srwatson kau_write(rec, tok); 1098155192Srwatson } 1099155192Srwatson } 1100155192Srwatson break; 1101156889Srwatson 1102155192Srwatson case AUE_SEMGET: 1103155192Srwatson if (ar->ar_errno == 0) { 1104155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1105155192Srwatson tok = au_to_ipc(AT_IPC_SEM, 1106155192Srwatson ar->ar_arg_svipc_id); 1107155192Srwatson kau_write(rec, tok); 1108155192Srwatson } 1109155192Srwatson } 1110155192Srwatson break; 1111156889Srwatson 1112155192Srwatson case AUE_SETEGID: 1113155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1114155192Srwatson tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1115155192Srwatson kau_write(rec, tok); 1116155192Srwatson } 1117155192Srwatson break; 1118156889Srwatson 1119155192Srwatson case AUE_SETEUID: 1120155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1121155192Srwatson tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1122155192Srwatson kau_write(rec, tok); 1123155192Srwatson } 1124155192Srwatson break; 1125156889Srwatson 1126155192Srwatson case AUE_SETREGID: 1127155192Srwatson if (ARG_IS_VALID(kar, ARG_RGID)) { 1128155192Srwatson tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1129155192Srwatson kau_write(rec, tok); 1130155192Srwatson } 1131155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1132155192Srwatson tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1133155192Srwatson kau_write(rec, tok); 1134155192Srwatson } 1135155192Srwatson break; 1136156889Srwatson 1137155192Srwatson case AUE_SETREUID: 1138155192Srwatson if (ARG_IS_VALID(kar, ARG_RUID)) { 1139155192Srwatson tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1140155192Srwatson kau_write(rec, tok); 1141155192Srwatson } 1142155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1143155192Srwatson tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1144155192Srwatson kau_write(rec, tok); 1145155192Srwatson } 1146155192Srwatson break; 1147156889Srwatson 1148155192Srwatson case AUE_SETRESGID: 1149155192Srwatson if (ARG_IS_VALID(kar, ARG_RGID)) { 1150155192Srwatson tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1151155192Srwatson kau_write(rec, tok); 1152155192Srwatson } 1153155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1154155192Srwatson tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1155155192Srwatson kau_write(rec, tok); 1156155192Srwatson } 1157155192Srwatson if (ARG_IS_VALID(kar, ARG_SGID)) { 1158155192Srwatson tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1159155192Srwatson kau_write(rec, tok); 1160155192Srwatson } 1161155192Srwatson break; 1162156889Srwatson 1163155192Srwatson case AUE_SETRESUID: 1164155192Srwatson if (ARG_IS_VALID(kar, ARG_RUID)) { 1165155192Srwatson tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1166155192Srwatson kau_write(rec, tok); 1167155192Srwatson } 1168155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1169155192Srwatson tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1170155192Srwatson kau_write(rec, tok); 1171155192Srwatson } 1172155192Srwatson if (ARG_IS_VALID(kar, ARG_SUID)) { 1173155192Srwatson tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1174155192Srwatson kau_write(rec, tok); 1175155192Srwatson } 1176155192Srwatson break; 1177156889Srwatson 1178155192Srwatson case AUE_SETGID: 1179155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 1180155192Srwatson tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1181155192Srwatson kau_write(rec, tok); 1182155192Srwatson } 1183155192Srwatson break; 1184156889Srwatson 1185155192Srwatson case AUE_SETUID: 1186155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1187155192Srwatson tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1188155192Srwatson kau_write(rec, tok); 1189155192Srwatson } 1190155192Srwatson break; 1191156889Srwatson 1192155192Srwatson case AUE_SETGROUPS: 1193155192Srwatson if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1194155192Srwatson for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1195155192Srwatson { 1196175456Scsjp tok = au_to_arg32(1, "setgroups", 1197175456Scsjp ar->ar_arg_groups.gidset[ctr]); 1198155192Srwatson kau_write(rec, tok); 1199155192Srwatson } 1200155192Srwatson } 1201155192Srwatson break; 1202155192Srwatson 1203155192Srwatson case AUE_SETLOGIN: 1204155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1205155192Srwatson tok = au_to_text(ar->ar_arg_text); 1206155192Srwatson kau_write(rec, tok); 1207155192Srwatson } 1208155192Srwatson break; 1209155192Srwatson 1210155192Srwatson case AUE_SETPRIORITY: 1211155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1212155192Srwatson tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1213155192Srwatson kau_write(rec, tok); 1214155192Srwatson } 1215155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1216155192Srwatson tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1217155192Srwatson kau_write(rec, tok); 1218155192Srwatson } 1219155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1220155192Srwatson tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1221155192Srwatson kau_write(rec, tok); 1222155192Srwatson } 1223155192Srwatson break; 1224155192Srwatson 1225155192Srwatson case AUE_SETPRIVEXEC: 1226155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1227155192Srwatson tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1228155192Srwatson kau_write(rec, tok); 1229155192Srwatson } 1230155192Srwatson break; 1231155192Srwatson 1232155192Srwatson /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1233155192Srwatson case AUE_SHMAT: 1234155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1235155192Srwatson tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1236155192Srwatson kau_write(rec, tok); 1237155192Srwatson /* XXXAUDIT: Does having the ipc token make sense? */ 1238155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1239155192Srwatson kau_write(rec, tok); 1240155192Srwatson } 1241155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1242155192Srwatson tok = au_to_arg32(2, "shmaddr", 1243155271Srwatson (int)(uintptr_t)ar->ar_arg_svipc_addr); 1244155192Srwatson kau_write(rec, tok); 1245155192Srwatson } 1246155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1247155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1248155192Srwatson kau_write(rec, tok); 1249155192Srwatson } 1250155192Srwatson break; 1251155192Srwatson 1252155192Srwatson case AUE_SHMCTL: 1253155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1254155192Srwatson tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1255155192Srwatson kau_write(rec, tok); 1256155192Srwatson /* XXXAUDIT: Does having the ipc token make sense? */ 1257155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1258155192Srwatson kau_write(rec, tok); 1259155192Srwatson } 1260155192Srwatson switch (ar->ar_arg_svipc_cmd) { 1261155192Srwatson case IPC_STAT: 1262155192Srwatson ar->ar_event = AUE_SHMCTL_STAT; 1263155192Srwatson break; 1264155192Srwatson case IPC_RMID: 1265155192Srwatson ar->ar_event = AUE_SHMCTL_RMID; 1266155192Srwatson break; 1267155192Srwatson case IPC_SET: 1268155192Srwatson ar->ar_event = AUE_SHMCTL_SET; 1269155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1270155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1271155192Srwatson kau_write(rec, tok); 1272155192Srwatson } 1273155192Srwatson break; 1274155192Srwatson default: 1275155192Srwatson break; /* We will audit a bad command */ 1276155192Srwatson } 1277155192Srwatson break; 1278155192Srwatson 1279155192Srwatson case AUE_SHMDT: 1280155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1281155192Srwatson tok = au_to_arg32(1, "shmaddr", 1282155271Srwatson (int)(uintptr_t)ar->ar_arg_svipc_addr); 1283155192Srwatson kau_write(rec, tok); 1284155192Srwatson } 1285155192Srwatson break; 1286155192Srwatson 1287155192Srwatson case AUE_SHMGET: 1288155192Srwatson /* This is unusual; the return value is in an argument token */ 1289155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1290155192Srwatson tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1291155192Srwatson kau_write(rec, tok); 1292155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1293155192Srwatson kau_write(rec, tok); 1294155192Srwatson } 1295155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1296155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1297155192Srwatson kau_write(rec, tok); 1298155192Srwatson } 1299155192Srwatson break; 1300155192Srwatson 1301156889Srwatson /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1302155192Srwatson * and AUE_SEMUNLINK are Posix IPC */ 1303155192Srwatson case AUE_SHMOPEN: 1304155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1305155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1306155192Srwatson kau_write(rec, tok); 1307155192Srwatson } 1308155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1309155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1310155192Srwatson kau_write(rec, tok); 1311155192Srwatson } 1312155192Srwatson case AUE_SHMUNLINK: 1313155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1314155192Srwatson tok = au_to_text(ar->ar_arg_text); 1315155192Srwatson kau_write(rec, tok); 1316155192Srwatson } 1317155192Srwatson if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1318155192Srwatson /* Create an ipc_perm token */ 1319155192Srwatson struct ipc_perm perm; 1320155192Srwatson perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1321155192Srwatson perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1322155192Srwatson perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1323155192Srwatson perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1324155192Srwatson perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1325155192Srwatson perm.seq = 0; 1326155192Srwatson perm.key = 0; 1327155192Srwatson tok = au_to_ipc_perm(&perm); 1328155192Srwatson kau_write(rec, tok); 1329155192Srwatson } 1330155192Srwatson break; 1331155192Srwatson 1332155192Srwatson case AUE_SEMOPEN: 1333155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1334155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1335155192Srwatson kau_write(rec, tok); 1336155192Srwatson } 1337155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1338155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1339155192Srwatson kau_write(rec, tok); 1340155192Srwatson } 1341155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1342155192Srwatson tok = au_to_arg32(4, "value", ar->ar_arg_value); 1343155192Srwatson kau_write(rec, tok); 1344155192Srwatson } 1345155192Srwatson /* fall through */ 1346156889Srwatson 1347155192Srwatson case AUE_SEMUNLINK: 1348155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1349155192Srwatson tok = au_to_text(ar->ar_arg_text); 1350155192Srwatson kau_write(rec, tok); 1351155192Srwatson } 1352155192Srwatson if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1353155192Srwatson /* Create an ipc_perm token */ 1354155192Srwatson struct ipc_perm perm; 1355155192Srwatson perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1356155192Srwatson perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1357155192Srwatson perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1358155192Srwatson perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1359155192Srwatson perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1360155192Srwatson perm.seq = 0; 1361155192Srwatson perm.key = 0; 1362155192Srwatson tok = au_to_ipc_perm(&perm); 1363155192Srwatson kau_write(rec, tok); 1364155192Srwatson } 1365155192Srwatson break; 1366155192Srwatson 1367155192Srwatson case AUE_SEMCLOSE: 1368155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 1369155192Srwatson tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1370155192Srwatson kau_write(rec, tok); 1371155192Srwatson } 1372155192Srwatson break; 1373155192Srwatson 1374155192Srwatson case AUE_SYMLINK: 1375155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1376155192Srwatson tok = au_to_text(ar->ar_arg_text); 1377155192Srwatson kau_write(rec, tok); 1378155192Srwatson } 1379155192Srwatson UPATH1_VNODE1_TOKENS; 1380155192Srwatson break; 1381155192Srwatson 1382155192Srwatson case AUE_SYSCTL: 1383155192Srwatson if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1384155192Srwatson for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1385156889Srwatson tok = au_to_arg32(1, "name", 1386156889Srwatson ar->ar_arg_ctlname[ctr]); 1387156889Srwatson kau_write(rec, tok); 1388155192Srwatson } 1389155192Srwatson } 1390155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1391155192Srwatson tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1392155192Srwatson kau_write(rec, tok); 1393155192Srwatson } 1394155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1395155192Srwatson tok = au_to_text(ar->ar_arg_text); 1396155192Srwatson kau_write(rec, tok); 1397155192Srwatson } 1398155192Srwatson break; 1399155192Srwatson 1400155192Srwatson case AUE_UMASK: 1401155192Srwatson if (ARG_IS_VALID(kar, ARG_MASK)) { 1402155192Srwatson tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1403155192Srwatson kau_write(rec, tok); 1404155192Srwatson } 1405155192Srwatson tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1406155192Srwatson kau_write(rec, tok); 1407155192Srwatson break; 1408155192Srwatson 1409155192Srwatson case AUE_WAIT4: 1410155192Srwatson if (ARG_IS_VALID(kar, ARG_PID)) { 1411155192Srwatson tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1412155192Srwatson kau_write(rec, tok); 1413155192Srwatson } 1414155192Srwatson break; 1415155192Srwatson 1416162990Srwatson case AUE_NULL: 1417156889Srwatson default: 1418155192Srwatson printf("BSM conversion requested for unknown event %d\n", 1419156889Srwatson ar->ar_event); 1420155192Srwatson /* Write the subject token so it is properly freed here. */ 1421155192Srwatson kau_write(rec, subj_tok); 1422155192Srwatson kau_free(rec); 1423155192Srwatson return (BSM_NOAUDIT); 1424155192Srwatson } 1425155192Srwatson 1426156889Srwatson kau_write(rec, subj_tok); 1427155192Srwatson tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1428155192Srwatson kau_write(rec, tok); /* Every record gets a return token */ 1429155192Srwatson 1430155192Srwatson kau_close(rec, &ar->ar_endtime, ar->ar_event); 1431155192Srwatson 1432155192Srwatson *pau = rec; 1433155192Srwatson return (BSM_SUCCESS); 1434155192Srwatson} 1435155192Srwatson 1436155192Srwatson/* 1437156889Srwatson * Verify that a record is a valid BSM record. This verification is simple 1438156889Srwatson * now, but may be expanded on sometime in the future. Return 1 if the 1439156889Srwatson * record is good, 0 otherwise. 1440155192Srwatson */ 1441155192Srwatsonint 1442155192Srwatsonbsm_rec_verify(void *rec) 1443155192Srwatson{ 1444155192Srwatson char c = *(char *)rec; 1445156889Srwatson 1446156889Srwatson /* 1447155192Srwatson * Check the token ID of the first token; it has to be a header 1448155192Srwatson * token. 1449156889Srwatson * 1450156889Srwatson * XXXAUDIT There needs to be a token structure to map a token. 1451155192Srwatson * XXXAUDIT 'Shouldn't be simply looking at the first char. 1452155192Srwatson */ 1453156889Srwatson if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1454156889Srwatson (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1455155192Srwatson return (0); 1456155192Srwatson return (1); 1457155192Srwatson} 1458