1 /*
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2016-2017 Robert N. M. Watson
6 * All rights reserved.
7 *
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
22 * its contributors may be used to endorse or promote products derived
23 * from this software without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
40
41 #include <sys/param.h>
42 #include <sys/vnode.h>
43 #include <sys/ipc.h>
44 #include <sys/lock.h>
45 #include <sys/malloc.h>
46 #include <sys/mutex.h>
47 #include <sys/socket.h>
48 #include <sys/extattr.h>
49 #include <sys/fcntl.h>
50 #include <sys/user.h>
51 #include <sys/systm.h>
52
53 #include <bsm/audit.h>
54 #include <bsm/audit_internal.h>
55 #include <bsm/audit_record.h>
56 #include <bsm/audit_kevents.h>
57
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
60
61 #include <netinet/in_systm.h>
62 #include <netinet/in.h>
63 #include <netinet/ip.h>
64
65 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
66
67 static void audit_sys_auditon(struct audit_record *ar,
68 struct au_record *rec);
69
70 /*
71 * Initialize the BSM auditing subsystem.
72 */
73 void
74 kau_init(void)
75 {
76
77 au_evclassmap_init();
78 au_evnamemap_init();
79 }
80
81 /*
82 * This call reserves memory for the audit record. Memory must be guaranteed
83 * before any auditable event can be generated. The au_record structure
84 * maintains a reference to the memory allocated above and also the list of
85 * tokens associated with this record.
86 */
87 static struct au_record *
88 kau_open(void)
89 {
90 struct au_record *rec;
91
92 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
93 rec->data = NULL;
94 TAILQ_INIT(&rec->token_q);
95 rec->len = 0;
96 rec->used = 1;
97
98 return (rec);
99 }
100
101 /*
102 * Store the token with the record descriptor.
103 */
104 static void
105 kau_write(struct au_record *rec, struct au_token *tok)
106 {
107
108 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
109
110 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
111 rec->len += tok->len;
112 }
113
114 /*
115 * Close out the audit record by adding the header token, identifying any
116 * missing tokens. Write out the tokens to the record memory.
117 */
118 static void
119 kau_close(struct au_record *rec, struct timespec *ctime, short event)
120 {
121 u_char *dptr;
122 size_t tot_rec_size;
123 token_t *cur, *hdr, *trail;
124 struct timeval tm;
125 size_t hdrsize;
126 struct auditinfo_addr ak;
127 struct in6_addr *ap;
128
129 audit_get_kinfo(&ak);
130 hdrsize = 0;
131 switch (ak.ai_termid.at_type) {
132 case AU_IPv4:
133 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
134 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
135 break;
136 case AU_IPv6:
137 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
138 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
139 AUDIT_HEADER_EX_SIZE(&ak);
140 break;
141 default:
142 panic("kau_close: invalid address family");
143 }
144 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
145 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
146
147 tm.tv_usec = ctime->tv_nsec / 1000;
148 tm.tv_sec = ctime->tv_sec;
149 if (hdrsize != AUDIT_HEADER_SIZE)
150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
151 else
152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
153 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
154
155 trail = au_to_trailer(tot_rec_size);
156 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
157
158 rec->len = tot_rec_size;
159 dptr = rec->data;
160 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
161 memcpy(dptr, cur->t_data, cur->len);
162 dptr += cur->len;
163 }
164 }
165
166 /*
167 * Free a BSM audit record by releasing all the tokens and clearing the audit
168 * record information.
169 */
170 void
171 kau_free(struct au_record *rec)
172 {
173 struct au_token *tok;
174
175 /* Free the token list. */
176 while ((tok = TAILQ_FIRST(&rec->token_q))) {
177 TAILQ_REMOVE(&rec->token_q, tok, tokens);
178 free(tok->t_data, M_AUDITBSM);
179 free(tok, M_AUDITBSM);
180 }
181
182 rec->used = 0;
183 rec->len = 0;
184 free(rec->data, M_AUDITBSM);
185 free(rec, M_AUDITBSM);
186 }
187
188 /*
189 * XXX: May want turn some (or all) of these macros into functions in order
190 * to reduce the generated code size.
191 *
192 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
193 * caller are OK with this.
194 */
195 #define ATFD1_TOKENS(argnum) do { \
196 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
197 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
198 kau_write(rec, tok); \
199 } \
200 } while (0)
201
202 #define ATFD2_TOKENS(argnum) do { \
203 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
204 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
205 kau_write(rec, tok); \
206 } \
207 } while (0)
208
209 #define UPATH1_TOKENS do { \
210 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
211 tok = au_to_path(ar->ar_arg_upath1); \
212 kau_write(rec, tok); \
213 } \
214 } while (0)
215
216 #define UPATH2_TOKENS do { \
217 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
218 tok = au_to_path(ar->ar_arg_upath2); \
219 kau_write(rec, tok); \
220 } \
221 } while (0)
222
223 #define VNODE1_TOKENS do { \
224 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
225 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
226 kau_write(rec, tok); \
227 } \
228 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
229 tok = au_to_attr32(&ar->ar_arg_vnode1); \
230 kau_write(rec, tok); \
231 } \
232 } while (0)
233
234 #define UPATH1_VNODE1_TOKENS do { \
235 UPATH1_TOKENS; \
236 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
237 tok = au_to_attr32(&ar->ar_arg_vnode1); \
238 kau_write(rec, tok); \
239 } \
240 } while (0)
241
242 #define VNODE2_TOKENS do { \
243 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
244 tok = au_to_attr32(&ar->ar_arg_vnode2); \
245 kau_write(rec, tok); \
246 } \
247 } while (0)
248
249 #define FD_VNODE1_TOKENS do { \
250 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
251 if (ARG_IS_VALID(kar, ARG_FD)) { \
252 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
253 kau_write(rec, tok); \
254 } \
255 tok = au_to_attr32(&ar->ar_arg_vnode1); \
256 kau_write(rec, tok); \
257 } else { \
258 if (ARG_IS_VALID(kar, ARG_FD)) { \
259 tok = au_to_arg32(1, "non-file: fd", \
260 ar->ar_arg_fd); \
261 kau_write(rec, tok); \
262 } \
263 } \
264 } while (0)
265
266 #define PROCESS_PID_TOKENS(argn) do { \
267 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
268 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
269 tok = au_to_process32_ex(ar->ar_arg_auid, \
270 ar->ar_arg_euid, ar->ar_arg_egid, \
271 ar->ar_arg_ruid, ar->ar_arg_rgid, \
272 ar->ar_arg_pid, ar->ar_arg_asid, \
273 &ar->ar_arg_termid_addr); \
274 kau_write(rec, tok); \
275 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
276 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
277 kau_write(rec, tok); \
278 } \
279 } while (0)
280
281 #define EXTATTR_TOKENS(namespace_argnum) do { \
282 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
283 switch (ar->ar_arg_value) { \
284 case EXTATTR_NAMESPACE_USER: \
285 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
286 break; \
287 case EXTATTR_NAMESPACE_SYSTEM: \
288 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
289 break; \
290 default: \
291 tok = au_to_arg32((namespace_argnum), \
292 "attrnamespace", ar->ar_arg_value); \
293 break; \
294 } \
295 kau_write(rec, tok); \
296 } \
297 /* attrname is in the text field */ \
298 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
299 tok = au_to_text(ar->ar_arg_text); \
300 kau_write(rec, tok); \
301 } \
302 } while (0)
303
304 /*
305 * Not all pointer arguments to system calls are of interest, but in some
306 * cases they reflect delegation of rights, such as mmap(2) followed by
307 * minherit(2) before execve(2), so do the best we can.
308 */
309 #define ADDR_TOKEN(argnum, argname) do { \
310 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
311 if (sizeof(void *) == sizeof(uint32_t)) \
312 tok = au_to_arg32((argnum), (argname), \
313 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
314 else \
315 tok = au_to_arg64((argnum), (argname), \
316 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
317 kau_write(rec, tok); \
318 } \
319 } while (0)
320
321 /*
322 * Implement auditing for the auditon() system call. The audit tokens that
323 * are generated depend on the command that was sent into the auditon()
324 * system call.
325 */
326 static void
327 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
328 {
329 struct au_token *tok;
330
331 tok = au_to_arg32(3, "length", ar->ar_arg_len);
332 kau_write(rec, tok);
333 switch (ar->ar_arg_cmd) {
334 case A_OLDSETPOLICY:
335 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
336 tok = au_to_arg64(2, "policy",
337 ar->ar_arg_auditon.au_policy64);
338 kau_write(rec, tok);
339 break;
340 }
341 /* FALLTHROUGH */
342
343 case A_SETPOLICY:
344 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
345 kau_write(rec, tok);
346 break;
347
348 case A_SETKMASK:
349 tok = au_to_arg32(2, "setkmask:as_success",
350 ar->ar_arg_auditon.au_mask.am_success);
351 kau_write(rec, tok);
352 tok = au_to_arg32(2, "setkmask:as_failure",
353 ar->ar_arg_auditon.au_mask.am_failure);
354 kau_write(rec, tok);
355 break;
356
357 case A_OLDSETQCTRL:
358 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
359 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
360 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
361 kau_write(rec, tok);
362 tok = au_to_arg64(2, "setqctrl:aq_lowater",
363 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
364 kau_write(rec, tok);
365 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
366 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
367 kau_write(rec, tok);
368 tok = au_to_arg64(2, "setqctrl:aq_delay",
369 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
370 kau_write(rec, tok);
371 tok = au_to_arg64(2, "setqctrl:aq_minfree",
372 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
373 kau_write(rec, tok);
374 break;
375 }
376 /* FALLTHROUGH */
377
378 case A_SETQCTRL:
379 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
380 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
381 kau_write(rec, tok);
382 tok = au_to_arg32(2, "setqctrl:aq_lowater",
383 ar->ar_arg_auditon.au_qctrl.aq_lowater);
384 kau_write(rec, tok);
385 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
386 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
387 kau_write(rec, tok);
388 tok = au_to_arg32(2, "setqctrl:aq_delay",
389 ar->ar_arg_auditon.au_qctrl.aq_delay);
390 kau_write(rec, tok);
391 tok = au_to_arg32(2, "setqctrl:aq_minfree",
392 ar->ar_arg_auditon.au_qctrl.aq_minfree);
393 kau_write(rec, tok);
394 break;
395
396 case A_SETUMASK:
397 tok = au_to_arg32(2, "setumask:as_success",
398 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
399 kau_write(rec, tok);
400 tok = au_to_arg32(2, "setumask:as_failure",
401 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
402 kau_write(rec, tok);
403 break;
404
405 case A_SETSMASK:
406 tok = au_to_arg32(2, "setsmask:as_success",
407 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
408 kau_write(rec, tok);
409 tok = au_to_arg32(2, "setsmask:as_failure",
410 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
411 kau_write(rec, tok);
412 break;
413
414 case A_OLDSETCOND:
415 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
416 tok = au_to_arg64(2, "setcond",
417 ar->ar_arg_auditon.au_cond64);
418 kau_write(rec, tok);
419 break;
420 }
421 /* FALLTHROUGH */
422
423 case A_SETCOND:
424 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
425 kau_write(rec, tok);
426 break;
427
428 case A_SETCLASS:
429 tok = au_to_arg32(2, "setclass:ec_event",
430 ar->ar_arg_auditon.au_evclass.ec_number);
431 kau_write(rec, tok);
432 tok = au_to_arg32(2, "setclass:ec_class",
433 ar->ar_arg_auditon.au_evclass.ec_class);
434 kau_write(rec, tok);
435 break;
436
437 case A_SETPMASK:
438 tok = au_to_arg32(2, "setpmask:as_success",
439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
440 kau_write(rec, tok);
441 tok = au_to_arg32(2, "setpmask:as_failure",
442 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
443 kau_write(rec, tok);
444 break;
445
446 case A_SETFSIZE:
447 tok = au_to_arg32(2, "setfsize:filesize",
448 ar->ar_arg_auditon.au_fstat.af_filesz);
449 kau_write(rec, tok);
450 break;
451
452 default:
453 break;
454 }
455 }
456
457 /*
458 * Convert an internal kernel audit record to a BSM record and return a
459 * success/failure indicator. The BSM record is passed as an out parameter to
460 * this function.
461 *
462 * Return conditions:
463 * BSM_SUCCESS: The BSM record is valid
464 * BSM_FAILURE: Failure; the BSM record is NULL.
465 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
466 */
467 int
468 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
469 {
470 struct au_token *tok, *subj_tok, *jail_tok;
471 struct au_record *rec;
472 au_tid_t tid;
473 struct audit_record *ar;
474 int ctr;
475
476 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
477
478 *pau = NULL;
479 ar = &kar->k_ar;
480 rec = kau_open();
481
482 /*
483 * Create the subject token. If this credential was jailed be sure to
484 * generate a zonename token.
485 */
486 if (ar->ar_jailname[0] != '\0')
487 jail_tok = au_to_zonename(ar->ar_jailname);
488 else
489 jail_tok = NULL;
490 switch (ar->ar_subj_term_addr.at_type) {
491 case AU_IPv4:
492 tid.port = ar->ar_subj_term_addr.at_port;
493 tid.machine = ar->ar_subj_term_addr.at_addr[0];
494 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
495 ar->ar_subj_cred.cr_uid, /* eff uid */
496 ar->ar_subj_egid, /* eff group id */
497 ar->ar_subj_ruid, /* real uid */
498 ar->ar_subj_rgid, /* real group id */
499 ar->ar_subj_pid, /* process id */
500 ar->ar_subj_asid, /* session ID */
501 &tid);
502 break;
503 case AU_IPv6:
504 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
505 ar->ar_subj_cred.cr_uid,
506 ar->ar_subj_egid,
507 ar->ar_subj_ruid,
508 ar->ar_subj_rgid,
509 ar->ar_subj_pid,
510 ar->ar_subj_asid,
511 &ar->ar_subj_term_addr);
512 break;
513 default:
514 bzero(&tid, sizeof(tid));
515 subj_tok = au_to_subject32(ar->ar_subj_auid,
516 ar->ar_subj_cred.cr_uid,
517 ar->ar_subj_egid,
518 ar->ar_subj_ruid,
519 ar->ar_subj_rgid,
520 ar->ar_subj_pid,
521 ar->ar_subj_asid,
522 &tid);
523 }
524
525 /*
526 * The logic inside each case fills in the tokens required for the
527 * event, except for the header, trailer, and return tokens. The
528 * header and trailer tokens are added by the kau_close() function.
529 * The return token is added outside of the switch statement.
530 */
531 switch(ar->ar_event) {
532 case AUE_ACCEPT:
533 if (ARG_IS_VALID(kar, ARG_FD)) {
534 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
535 kau_write(rec, tok);
536 }
537 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
538 tok = au_to_sock_inet((struct sockaddr_in *)
539 &ar->ar_arg_sockaddr);
540 kau_write(rec, tok);
541 }
542 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
543 tok = au_to_sock_unix((struct sockaddr_un *)
544 &ar->ar_arg_sockaddr);
545 kau_write(rec, tok);
546 UPATH1_TOKENS;
547 }
548 break;
549
550 case AUE_BIND:
551 case AUE_LISTEN:
552 case AUE_CONNECT:
553 case AUE_RECV:
554 case AUE_RECVFROM:
555 case AUE_RECVMSG:
556 case AUE_SEND:
557 case AUE_SENDMSG:
558 case AUE_SENDTO:
559 /*
560 * Socket-related events.
561 */
562 if (ARG_IS_VALID(kar, ARG_FD)) {
563 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
564 kau_write(rec, tok);
565 }
566 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
567 tok = au_to_sock_inet((struct sockaddr_in *)
568 &ar->ar_arg_sockaddr);
569 kau_write(rec, tok);
570 }
571 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
572 tok = au_to_sock_unix((struct sockaddr_un *)
573 &ar->ar_arg_sockaddr);
574 kau_write(rec, tok);
575 UPATH1_TOKENS;
576 }
577 /* XXX Need to handle ARG_SADDRINET6 */
578 break;
579
580 case AUE_BINDAT:
581 case AUE_CONNECTAT:
582 ATFD1_TOKENS(1);
583 if (ARG_IS_VALID(kar, ARG_FD)) {
584 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
585 kau_write(rec, tok);
586 }
587 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
588 tok = au_to_sock_unix((struct sockaddr_un *)
589 &ar->ar_arg_sockaddr);
590 kau_write(rec, tok);
591 UPATH1_TOKENS;
592 }
593 break;
594
595 case AUE_SENDFILE:
596 FD_VNODE1_TOKENS;
597 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
598 tok = au_to_sock_inet((struct sockaddr_in *)
599 &ar->ar_arg_sockaddr);
600 kau_write(rec, tok);
601 }
602 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
603 tok = au_to_sock_unix((struct sockaddr_un *)
604 &ar->ar_arg_sockaddr);
605 kau_write(rec, tok);
606 UPATH1_TOKENS;
607 }
608 /* XXX Need to handle ARG_SADDRINET6 */
609 break;
610
611 case AUE_SOCKET:
612 case AUE_SOCKETPAIR:
613 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
614 tok = au_to_arg32(1, "domain",
615 ar->ar_arg_sockinfo.so_domain);
616 kau_write(rec, tok);
617 tok = au_to_arg32(2, "type",
618 ar->ar_arg_sockinfo.so_type);
619 kau_write(rec, tok);
620 tok = au_to_arg32(3, "protocol",
621 ar->ar_arg_sockinfo.so_protocol);
622 kau_write(rec, tok);
623 }
624 break;
625
626 case AUE_SETSOCKOPT:
627 case AUE_SHUTDOWN:
628 if (ARG_IS_VALID(kar, ARG_FD)) {
629 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
630 kau_write(rec, tok);
631 }
632 break;
633
634 case AUE_ACCT:
635 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
636 UPATH1_VNODE1_TOKENS;
637 } else {
638 tok = au_to_arg32(1, "accounting off", 0);
639 kau_write(rec, tok);
640 }
641 break;
642
643 case AUE_SETAUID:
644 if (ARG_IS_VALID(kar, ARG_AUID)) {
645 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
646 kau_write(rec, tok);
647 }
648 break;
649
650 case AUE_SETAUDIT:
651 if (ARG_IS_VALID(kar, ARG_AUID) &&
652 ARG_IS_VALID(kar, ARG_ASID) &&
653 ARG_IS_VALID(kar, ARG_AMASK) &&
654 ARG_IS_VALID(kar, ARG_TERMID)) {
655 tok = au_to_arg32(1, "setaudit:auid",
656 ar->ar_arg_auid);
657 kau_write(rec, tok);
658 tok = au_to_arg32(1, "setaudit:port",
659 ar->ar_arg_termid.port);
660 kau_write(rec, tok);
661 tok = au_to_arg32(1, "setaudit:machine",
662 ar->ar_arg_termid.machine);
663 kau_write(rec, tok);
664 tok = au_to_arg32(1, "setaudit:as_success",
665 ar->ar_arg_amask.am_success);
666 kau_write(rec, tok);
667 tok = au_to_arg32(1, "setaudit:as_failure",
668 ar->ar_arg_amask.am_failure);
669 kau_write(rec, tok);
670 tok = au_to_arg32(1, "setaudit:asid",
671 ar->ar_arg_asid);
672 kau_write(rec, tok);
673 }
674 break;
675
676 case AUE_SETAUDIT_ADDR:
677 if (ARG_IS_VALID(kar, ARG_AUID) &&
678 ARG_IS_VALID(kar, ARG_ASID) &&
679 ARG_IS_VALID(kar, ARG_AMASK) &&
680 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
681 tok = au_to_arg32(1, "setaudit_addr:auid",
682 ar->ar_arg_auid);
683 kau_write(rec, tok);
684 tok = au_to_arg32(1, "setaudit_addr:as_success",
685 ar->ar_arg_amask.am_success);
686 kau_write(rec, tok);
687 tok = au_to_arg32(1, "setaudit_addr:as_failure",
688 ar->ar_arg_amask.am_failure);
689 kau_write(rec, tok);
690 tok = au_to_arg32(1, "setaudit_addr:asid",
691 ar->ar_arg_asid);
692 kau_write(rec, tok);
693 tok = au_to_arg32(1, "setaudit_addr:type",
694 ar->ar_arg_termid_addr.at_type);
695 kau_write(rec, tok);
696 tok = au_to_arg32(1, "setaudit_addr:port",
697 ar->ar_arg_termid_addr.at_port);
698 kau_write(rec, tok);
699 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
700 tok = au_to_in_addr_ex((struct in6_addr *)
701 &ar->ar_arg_termid_addr.at_addr[0]);
702 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
703 tok = au_to_in_addr((struct in_addr *)
704 &ar->ar_arg_termid_addr.at_addr[0]);
705 kau_write(rec, tok);
706 }
707 break;
708
709 case AUE_AUDITON:
710 /*
711 * For AUDITON commands without own event, audit the cmd.
712 */
713 if (ARG_IS_VALID(kar, ARG_CMD)) {
714 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
715 kau_write(rec, tok);
716 }
717 /* FALLTHROUGH */
718
719 case AUE_AUDITON_GETCAR:
720 case AUE_AUDITON_GETCLASS:
721 case AUE_AUDITON_GETCOND:
722 case AUE_AUDITON_GETCWD:
723 case AUE_AUDITON_GETKMASK:
724 case AUE_AUDITON_GETSTAT:
725 case AUE_AUDITON_GPOLICY:
726 case AUE_AUDITON_GQCTRL:
727 case AUE_AUDITON_SETCLASS:
728 case AUE_AUDITON_SETCOND:
729 case AUE_AUDITON_SETKMASK:
730 case AUE_AUDITON_SETSMASK:
731 case AUE_AUDITON_SETSTAT:
732 case AUE_AUDITON_SETUMASK:
733 case AUE_AUDITON_SPOLICY:
734 case AUE_AUDITON_SQCTRL:
735 if (ARG_IS_VALID(kar, ARG_AUDITON))
736 audit_sys_auditon(ar, rec);
737 break;
738
739 case AUE_AUDITCTL:
740 UPATH1_VNODE1_TOKENS;
741 break;
742
743 case AUE_EXIT:
744 if (ARG_IS_VALID(kar, ARG_EXIT)) {
745 tok = au_to_exit(ar->ar_arg_exitretval,
746 ar->ar_arg_exitstatus);
747 kau_write(rec, tok);
748 }
749 break;
750
751 case AUE_ADJTIME:
752 case AUE_CLOCK_SETTIME:
753 case AUE_AUDIT:
754 case AUE_DUP2:
755 case AUE_GETAUDIT:
756 case AUE_GETAUDIT_ADDR:
757 case AUE_GETAUID:
758 case AUE_GETCWD:
759 case AUE_GETFSSTAT:
760 case AUE_GETRESUID:
761 case AUE_GETRESGID:
762 case AUE_KQUEUE:
763 case AUE_MODLOAD:
764 case AUE_MODUNLOAD:
765 case AUE_MSGSYS:
766 case AUE_NTP_ADJTIME:
767 case AUE_PIPE:
768 case AUE_POSIX_OPENPT:
769 case AUE_PROFILE:
770 case AUE_RTPRIO:
771 case AUE_SEMSYS:
772 case AUE_SETFIB:
773 case AUE_SHMSYS:
774 case AUE_SETPGRP:
775 case AUE_SETRLIMIT:
776 case AUE_SETSID:
777 case AUE_SETTIMEOFDAY:
778 case AUE_SYSARCH:
779
780 /*
781 * Header, subject, and return tokens added at end.
782 */
783 break;
784
785 case AUE_ACL_DELETE_FD:
786 case AUE_ACL_DELETE_FILE:
787 case AUE_ACL_CHECK_FD:
788 case AUE_ACL_CHECK_FILE:
789 case AUE_ACL_CHECK_LINK:
790 case AUE_ACL_DELETE_LINK:
791 case AUE_ACL_GET_FD:
792 case AUE_ACL_GET_FILE:
793 case AUE_ACL_GET_LINK:
794 case AUE_ACL_SET_FD:
795 case AUE_ACL_SET_FILE:
796 case AUE_ACL_SET_LINK:
797 if (ARG_IS_VALID(kar, ARG_VALUE)) {
798 tok = au_to_arg32(1, "type", ar->ar_arg_value);
799 kau_write(rec, tok);
800 }
801 ATFD1_TOKENS(1);
802 UPATH1_VNODE1_TOKENS;
803 break;
804
805 /*
806 * NB: We may want to verify that the appropriate
807 * audit args are being processed here, but I think
808 * a bit analysis is required.
809 *
810 * Process AUE_JAIL_SET in the next block so we can pickup any path
811 * related tokens that might exist.
812 */
813 case AUE_JAIL_GET:
814 case AUE_JAIL_ATTACH:
815 case AUE_JAIL_REMOVE:
816 break;
817
818 case AUE_JAIL_SET:
819 case AUE_CHDIR:
820 case AUE_CHROOT:
821 case AUE_FSTATAT:
822 case AUE_FUTIMESAT:
823 case AUE_GETATTRLIST:
824 case AUE_JAIL:
825 case AUE_LUTIMES:
826 case AUE_NFS_GETFH:
827 case AUE_LGETFH:
828 case AUE_LSTAT:
829 case AUE_LPATHCONF:
830 case AUE_PATHCONF:
831 case AUE_READLINK:
832 case AUE_READLINKAT:
833 case AUE_REVOKE:
834 case AUE_RMDIR:
835 case AUE_SEARCHFS:
836 case AUE_SETATTRLIST:
837 case AUE_STAT:
838 case AUE_STATFS:
839 case AUE_SWAPON:
840 case AUE_SWAPOFF:
841 case AUE_TRUNCATE:
842 case AUE_UNDELETE:
843 case AUE_UNLINK:
844 case AUE_UNLINKAT:
845 case AUE_UTIMES:
846 case AUE_REALPATHAT:
847 ATFD1_TOKENS(1);
848 UPATH1_VNODE1_TOKENS;
849 break;
850
851 case AUE_ACCESS:
852 case AUE_EACCESS:
853 case AUE_FACCESSAT:
854 ATFD1_TOKENS(1);
855 UPATH1_VNODE1_TOKENS;
856 if (ARG_IS_VALID(kar, ARG_VALUE)) {
857 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
858 kau_write(rec, tok);
859 }
860 break;
861
862 case AUE_FHSTATFS:
863 case AUE_FHOPEN:
864 case AUE_FHSTAT:
865 /* XXXRW: Need to audit vnode argument. */
866 break;
867
868 case AUE_CHFLAGS:
869 case AUE_LCHFLAGS:
870 case AUE_CHFLAGSAT:
871 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
872 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
873 kau_write(rec, tok);
874 }
875 UPATH1_VNODE1_TOKENS;
876 break;
877
878 case AUE_CHMOD:
879 case AUE_LCHMOD:
880 if (ARG_IS_VALID(kar, ARG_MODE)) {
881 tok = au_to_arg32(2, "new file mode",
882 ar->ar_arg_mode);
883 kau_write(rec, tok);
884 }
885 UPATH1_VNODE1_TOKENS;
886 break;
887
888 case AUE_FCHMODAT:
889 ATFD1_TOKENS(1);
890 if (ARG_IS_VALID(kar, ARG_MODE)) {
891 tok = au_to_arg32(3, "new file mode",
892 ar->ar_arg_mode);
893 kau_write(rec, tok);
894 }
895 UPATH1_VNODE1_TOKENS;
896 break;
897
898 case AUE_CHOWN:
899 case AUE_LCHOWN:
900 if (ARG_IS_VALID(kar, ARG_UID)) {
901 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
902 kau_write(rec, tok);
903 }
904 if (ARG_IS_VALID(kar, ARG_GID)) {
905 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
906 kau_write(rec, tok);
907 }
908 UPATH1_VNODE1_TOKENS;
909 break;
910
911 case AUE_FCHOWNAT:
912 ATFD1_TOKENS(1);
913 if (ARG_IS_VALID(kar, ARG_UID)) {
914 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
915 kau_write(rec, tok);
916 }
917 if (ARG_IS_VALID(kar, ARG_GID)) {
918 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
919 kau_write(rec, tok);
920 }
921 UPATH1_VNODE1_TOKENS;
922 break;
923
924 case AUE_EXCHANGEDATA:
925 UPATH1_VNODE1_TOKENS;
926 UPATH2_TOKENS;
927 break;
928
929 case AUE_CLOSE:
930 if (ARG_IS_VALID(kar, ARG_FD)) {
931 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
932 kau_write(rec, tok);
933 }
934 UPATH1_VNODE1_TOKENS;
935 break;
936
937 case AUE_CLOSEFROM:
938 if (ARG_IS_VALID(kar, ARG_FD)) {
939 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
940 kau_write(rec, tok);
941 }
942 break;
943
944 case AUE_CLOSERANGE:
945 if (ARG_IS_VALID(kar, ARG_FD)) {
946 tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd);
947 kau_write(rec, tok);
948 }
949 if (ARG_IS_VALID(kar, ARG_CMD)) {
950 tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd);
951 kau_write(rec, tok);
952 }
953 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
954 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
955 kau_write(rec, tok);
956 }
957 break;
958
959 case AUE_CORE:
960 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
961 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
962 kau_write(rec, tok);
963 }
964 UPATH1_VNODE1_TOKENS;
965 break;
966
967 case AUE_EXTATTRCTL:
968 UPATH1_VNODE1_TOKENS;
969 if (ARG_IS_VALID(kar, ARG_CMD)) {
970 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
971 kau_write(rec, tok);
972 }
973 /* extattrctl(2) filename parameter is in upath2/vnode2 */
974 UPATH2_TOKENS;
975 VNODE2_TOKENS;
976 EXTATTR_TOKENS(4);
977 break;
978
979 case AUE_EXTATTR_GET_FILE:
980 case AUE_EXTATTR_SET_FILE:
981 case AUE_EXTATTR_LIST_FILE:
982 case AUE_EXTATTR_DELETE_FILE:
983 case AUE_EXTATTR_GET_LINK:
984 case AUE_EXTATTR_SET_LINK:
985 case AUE_EXTATTR_LIST_LINK:
986 case AUE_EXTATTR_DELETE_LINK:
987 UPATH1_VNODE1_TOKENS;
988 EXTATTR_TOKENS(2);
989 break;
990
991 case AUE_EXTATTR_GET_FD:
992 case AUE_EXTATTR_SET_FD:
993 case AUE_EXTATTR_LIST_FD:
994 case AUE_EXTATTR_DELETE_FD:
995 if (ARG_IS_VALID(kar, ARG_FD)) {
996 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
997 kau_write(rec, tok);
998 }
999 EXTATTR_TOKENS(2);
1000 break;
1001
1002 case AUE_FEXECVE:
1003 if (ARG_IS_VALID(kar, ARG_FD)) {
1004 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1005 kau_write(rec, tok);
1006 }
1007 /* FALLTHROUGH */
1008
1009 case AUE_EXECVE:
1010 case AUE_MAC_EXECVE:
1011 if (ARG_IS_VALID(kar, ARG_ARGV)) {
1012 tok = au_to_exec_args(ar->ar_arg_argv,
1013 ar->ar_arg_argc);
1014 kau_write(rec, tok);
1015 }
1016 if (ARG_IS_VALID(kar, ARG_ENVV)) {
1017 tok = au_to_exec_env(ar->ar_arg_envv,
1018 ar->ar_arg_envc);
1019 kau_write(rec, tok);
1020 }
1021 UPATH1_VNODE1_TOKENS;
1022 break;
1023
1024 case AUE_FCHMOD:
1025 if (ARG_IS_VALID(kar, ARG_MODE)) {
1026 tok = au_to_arg32(2, "new file mode",
1027 ar->ar_arg_mode);
1028 kau_write(rec, tok);
1029 }
1030 FD_VNODE1_TOKENS;
1031 break;
1032
1033 /*
1034 * XXXRW: Some of these need to handle non-vnode cases as well.
1035 */
1036 case AUE_FCHDIR:
1037 case AUE_FPATHCONF:
1038 case AUE_FSTAT:
1039 case AUE_FSTATFS:
1040 case AUE_FSYNC:
1041 case AUE_FTRUNCATE:
1042 case AUE_FUTIMES:
1043 case AUE_GETDIRENTRIES:
1044 case AUE_GETDIRENTRIESATTR:
1045 case AUE_LSEEK:
1046 case AUE_POLL:
1047 case AUE_POSIX_FALLOCATE:
1048 case AUE_PREAD:
1049 case AUE_PWRITE:
1050 case AUE_READ:
1051 case AUE_READV:
1052 case AUE_WRITE:
1053 case AUE_WRITEV:
1054 FD_VNODE1_TOKENS;
1055 break;
1056
1057 case AUE_FCHOWN:
1058 if (ARG_IS_VALID(kar, ARG_UID)) {
1059 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1060 kau_write(rec, tok);
1061 }
1062 if (ARG_IS_VALID(kar, ARG_GID)) {
1063 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1064 kau_write(rec, tok);
1065 }
1066 FD_VNODE1_TOKENS;
1067 break;
1068
1069 case AUE_FCNTL:
1070 if (ARG_IS_VALID(kar, ARG_CMD)) {
1071 tok = au_to_arg32(2, "cmd",
1072 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
1073 kau_write(rec, tok);
1074 }
1075 FD_VNODE1_TOKENS;
1076 break;
1077
1078 case AUE_FCHFLAGS:
1079 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1080 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1081 kau_write(rec, tok);
1082 }
1083 FD_VNODE1_TOKENS;
1084 break;
1085
1086 case AUE_FLOCK:
1087 if (ARG_IS_VALID(kar, ARG_CMD)) {
1088 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1089 kau_write(rec, tok);
1090 }
1091 FD_VNODE1_TOKENS;
1092 break;
1093
1094 case AUE_FSPACECTL:
1095 if (ARG_IS_VALID(kar, ARG_CMD)) {
1096 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1097 kau_write(rec, tok);
1098 }
1099 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1100 tok = au_to_arg32(4, "flags", ar->ar_arg_fflags);
1101 kau_write(rec, tok);
1102 }
1103 FD_VNODE1_TOKENS;
1104 break;
1105
1106 case AUE_RFORK:
1107 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1108 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1109 kau_write(rec, tok);
1110 }
1111 /* FALLTHROUGH */
1112
1113 case AUE_FORK:
1114 case AUE_VFORK:
1115 if (ARG_IS_VALID(kar, ARG_PID)) {
1116 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1117 kau_write(rec, tok);
1118 }
1119 break;
1120
1121 case AUE_IOCTL:
1122 if (ARG_IS_VALID(kar, ARG_CMD)) {
1123 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1124 kau_write(rec, tok);
1125 }
1126 if (ARG_IS_VALID(kar, ARG_VNODE1))
1127 FD_VNODE1_TOKENS;
1128 else {
1129 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1130 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1131 kau_write(rec, tok);
1132 } else {
1133 if (ARG_IS_VALID(kar, ARG_FD)) {
1134 tok = au_to_arg32(1, "fd",
1135 ar->ar_arg_fd);
1136 kau_write(rec, tok);
1137 }
1138 }
1139 }
1140 break;
1141
1142 case AUE_KILL:
1143 case AUE_KILLPG:
1144 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1145 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1146 kau_write(rec, tok);
1147 }
1148 PROCESS_PID_TOKENS(1);
1149 break;
1150
1151 case AUE_KTRACE:
1152 if (ARG_IS_VALID(kar, ARG_CMD)) {
1153 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1154 kau_write(rec, tok);
1155 }
1156 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1157 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1158 kau_write(rec, tok);
1159 }
1160 PROCESS_PID_TOKENS(4);
1161 UPATH1_VNODE1_TOKENS;
1162 break;
1163
1164 case AUE_LINK:
1165 case AUE_LINKAT:
1166 case AUE_RENAME:
1167 case AUE_RENAMEAT:
1168 ATFD1_TOKENS(1);
1169 UPATH1_VNODE1_TOKENS;
1170 ATFD2_TOKENS(3);
1171 UPATH2_TOKENS;
1172 break;
1173
1174 case AUE_LOADSHFILE:
1175 ADDR_TOKEN(4, "base addr");
1176 UPATH1_VNODE1_TOKENS;
1177 break;
1178
1179 case AUE_MKDIR:
1180 case AUE_MKDIRAT:
1181 case AUE_MKFIFO:
1182 case AUE_MKFIFOAT:
1183 ATFD1_TOKENS(1);
1184 if (ARG_IS_VALID(kar, ARG_MODE)) {
1185 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1186 kau_write(rec, tok);
1187 }
1188 UPATH1_VNODE1_TOKENS;
1189 break;
1190
1191 case AUE_MKNOD:
1192 case AUE_MKNODAT:
1193 ATFD1_TOKENS(1);
1194 if (ARG_IS_VALID(kar, ARG_MODE)) {
1195 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1196 kau_write(rec, tok);
1197 }
1198 if (ARG_IS_VALID(kar, ARG_DEV)) {
1199 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1200 kau_write(rec, tok);
1201 }
1202 UPATH1_VNODE1_TOKENS;
1203 break;
1204
1205 case AUE_MMAP:
1206 case AUE_MUNMAP:
1207 case AUE_MPROTECT:
1208 case AUE_MLOCK:
1209 case AUE_MUNLOCK:
1210 case AUE_MINHERIT:
1211 ADDR_TOKEN(1, "addr");
1212 if (ARG_IS_VALID(kar, ARG_LEN)) {
1213 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1214 kau_write(rec, tok);
1215 }
1216 if (ar->ar_event == AUE_MMAP)
1217 FD_VNODE1_TOKENS;
1218 if (ar->ar_event == AUE_MPROTECT) {
1219 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1220 tok = au_to_arg32(3, "protection",
1221 ar->ar_arg_value);
1222 kau_write(rec, tok);
1223 }
1224 }
1225 if (ar->ar_event == AUE_MINHERIT) {
1226 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1227 tok = au_to_arg32(3, "inherit",
1228 ar->ar_arg_value);
1229 kau_write(rec, tok);
1230 }
1231 }
1232 break;
1233
1234 case AUE_MOUNT:
1235 case AUE_NMOUNT:
1236 /* XXX Need to handle NFS mounts */
1237 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1238 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1239 kau_write(rec, tok);
1240 }
1241 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1242 tok = au_to_text(ar->ar_arg_text);
1243 kau_write(rec, tok);
1244 }
1245 /* FALLTHROUGH */
1246
1247 case AUE_NFS_SVC:
1248 if (ARG_IS_VALID(kar, ARG_CMD)) {
1249 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1250 kau_write(rec, tok);
1251 }
1252 break;
1253
1254 case AUE_UMOUNT:
1255 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1256 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1257 kau_write(rec, tok);
1258 }
1259 UPATH1_VNODE1_TOKENS;
1260 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1261 tok = au_to_text(ar->ar_arg_text);
1262 kau_write(rec, tok);
1263 }
1264 break;
1265
1266 case AUE_MSGCTL:
1267 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1268 /* Fall through */
1269
1270 case AUE_MSGRCV:
1271 case AUE_MSGSND:
1272 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1273 kau_write(rec, tok);
1274 if (ar->ar_errno != EINVAL) {
1275 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1276 kau_write(rec, tok);
1277 }
1278 break;
1279
1280 case AUE_MSGGET:
1281 if (ar->ar_errno == 0) {
1282 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1283 tok = au_to_ipc(AT_IPC_MSG,
1284 ar->ar_arg_svipc_id);
1285 kau_write(rec, tok);
1286 }
1287 }
1288 break;
1289
1290 case AUE_RESETSHFILE:
1291 ADDR_TOKEN(1, "base addr");
1292 break;
1293
1294 case AUE_OPEN_RC:
1295 case AUE_OPEN_RTC:
1296 case AUE_OPEN_RWC:
1297 case AUE_OPEN_RWTC:
1298 case AUE_OPEN_WC:
1299 case AUE_OPEN_WTC:
1300 case AUE_CREAT:
1301 if (ARG_IS_VALID(kar, ARG_MODE)) {
1302 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1303 kau_write(rec, tok);
1304 }
1305 /* FALLTHROUGH */
1306
1307 case AUE_OPEN_R:
1308 case AUE_OPEN_RT:
1309 case AUE_OPEN_RW:
1310 case AUE_OPEN_RWT:
1311 case AUE_OPEN_W:
1312 case AUE_OPEN_WT:
1313 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1314 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1315 kau_write(rec, tok);
1316 }
1317 UPATH1_VNODE1_TOKENS;
1318 break;
1319
1320 case AUE_OPENAT_RC:
1321 case AUE_OPENAT_RTC:
1322 case AUE_OPENAT_RWC:
1323 case AUE_OPENAT_RWTC:
1324 case AUE_OPENAT_WC:
1325 case AUE_OPENAT_WTC:
1326 if (ARG_IS_VALID(kar, ARG_MODE)) {
1327 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1328 kau_write(rec, tok);
1329 }
1330 /* FALLTHROUGH */
1331
1332 case AUE_OPENAT_R:
1333 case AUE_OPENAT_RT:
1334 case AUE_OPENAT_RW:
1335 case AUE_OPENAT_RWT:
1336 case AUE_OPENAT_W:
1337 case AUE_OPENAT_WT:
1338 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1339 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1340 kau_write(rec, tok);
1341 }
1342 ATFD1_TOKENS(1);
1343 UPATH1_VNODE1_TOKENS;
1344 break;
1345
1346 case AUE_PDKILL:
1347 if (ARG_IS_VALID(kar, ARG_FD)) {
1348 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1349 kau_write(rec, tok);
1350 }
1351 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1352 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1353 kau_write(rec, tok);
1354 }
1355 PROCESS_PID_TOKENS(1);
1356 break;
1357 case AUE_PDFORK:
1358 if (ARG_IS_VALID(kar, ARG_PID)) {
1359 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1360 kau_write(rec, tok);
1361 }
1362 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1363 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1364 kau_write(rec, tok);
1365 }
1366 if (ARG_IS_VALID(kar, ARG_FD)) {
1367 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1368 kau_write(rec, tok);
1369 }
1370 break;
1371 case AUE_PDGETPID:
1372 if (ARG_IS_VALID(kar, ARG_FD)) {
1373 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1374 kau_write(rec, tok);
1375 }
1376 break;
1377
1378 case AUE_PROCCTL:
1379 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1380 tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
1381 kau_write(rec, tok);
1382 }
1383 if (ARG_IS_VALID(kar, ARG_CMD)) {
1384 tok = au_to_arg32(2, "com", ar->ar_arg_cmd);
1385 kau_write(rec, tok);
1386 }
1387 PROCESS_PID_TOKENS(3);
1388 break;
1389
1390 case AUE_PTRACE:
1391 if (ARG_IS_VALID(kar, ARG_CMD)) {
1392 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1393 kau_write(rec, tok);
1394 }
1395 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1396 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1397 kau_write(rec, tok);
1398 }
1399 PROCESS_PID_TOKENS(2);
1400 break;
1401
1402 case AUE_QUOTACTL:
1403 if (ARG_IS_VALID(kar, ARG_CMD)) {
1404 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1405 kau_write(rec, tok);
1406 }
1407 if (ARG_IS_VALID(kar, ARG_UID)) {
1408 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1409 kau_write(rec, tok);
1410 }
1411 if (ARG_IS_VALID(kar, ARG_GID)) {
1412 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1413 kau_write(rec, tok);
1414 }
1415 UPATH1_VNODE1_TOKENS;
1416 break;
1417
1418 case AUE_REBOOT:
1419 if (ARG_IS_VALID(kar, ARG_CMD)) {
1420 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1421 kau_write(rec, tok);
1422 }
1423 break;
1424
1425 case AUE_SEMCTL:
1426 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1427 /* Fall through */
1428
1429 case AUE_SEMOP:
1430 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1431 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1432 kau_write(rec, tok);
1433 if (ar->ar_errno != EINVAL) {
1434 tok = au_to_ipc(AT_IPC_SEM,
1435 ar->ar_arg_svipc_id);
1436 kau_write(rec, tok);
1437 }
1438 }
1439 break;
1440
1441 case AUE_SEMGET:
1442 if (ar->ar_errno == 0) {
1443 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1444 tok = au_to_ipc(AT_IPC_SEM,
1445 ar->ar_arg_svipc_id);
1446 kau_write(rec, tok);
1447 }
1448 }
1449 break;
1450
1451 case AUE_SETEGID:
1452 if (ARG_IS_VALID(kar, ARG_EGID)) {
1453 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1454 kau_write(rec, tok);
1455 }
1456 break;
1457
1458 case AUE_SETEUID:
1459 if (ARG_IS_VALID(kar, ARG_EUID)) {
1460 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1461 kau_write(rec, tok);
1462 }
1463 break;
1464
1465 case AUE_SETREGID:
1466 if (ARG_IS_VALID(kar, ARG_RGID)) {
1467 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1468 kau_write(rec, tok);
1469 }
1470 if (ARG_IS_VALID(kar, ARG_EGID)) {
1471 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1472 kau_write(rec, tok);
1473 }
1474 break;
1475
1476 case AUE_SETREUID:
1477 if (ARG_IS_VALID(kar, ARG_RUID)) {
1478 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1479 kau_write(rec, tok);
1480 }
1481 if (ARG_IS_VALID(kar, ARG_EUID)) {
1482 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1483 kau_write(rec, tok);
1484 }
1485 break;
1486
1487 case AUE_SETRESGID:
1488 if (ARG_IS_VALID(kar, ARG_RGID)) {
1489 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1490 kau_write(rec, tok);
1491 }
1492 if (ARG_IS_VALID(kar, ARG_EGID)) {
1493 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1494 kau_write(rec, tok);
1495 }
1496 if (ARG_IS_VALID(kar, ARG_SGID)) {
1497 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1498 kau_write(rec, tok);
1499 }
1500 break;
1501
1502 case AUE_SETRESUID:
1503 if (ARG_IS_VALID(kar, ARG_RUID)) {
1504 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1505 kau_write(rec, tok);
1506 }
1507 if (ARG_IS_VALID(kar, ARG_EUID)) {
1508 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1509 kau_write(rec, tok);
1510 }
1511 if (ARG_IS_VALID(kar, ARG_SUID)) {
1512 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1513 kau_write(rec, tok);
1514 }
1515 break;
1516
1517 case AUE_SETGID:
1518 if (ARG_IS_VALID(kar, ARG_GID)) {
1519 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1520 kau_write(rec, tok);
1521 }
1522 break;
1523
1524 case AUE_SETUID:
1525 if (ARG_IS_VALID(kar, ARG_UID)) {
1526 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1527 kau_write(rec, tok);
1528 }
1529 break;
1530
1531 case AUE_SETGROUPS:
1532 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1533 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1534 {
1535 tok = au_to_arg32(1, "setgroups",
1536 ar->ar_arg_groups.gidset[ctr]);
1537 kau_write(rec, tok);
1538 }
1539 }
1540 break;
1541
1542 case AUE_SETLOGIN:
1543 if (ARG_IS_VALID(kar, ARG_LOGIN)) {
1544 tok = au_to_text(ar->ar_arg_login);
1545 kau_write(rec, tok);
1546 }
1547 break;
1548
1549 case AUE_SETLOGINCLASS:
1550 break;
1551
1552 case AUE_SETPRIORITY:
1553 if (ARG_IS_VALID(kar, ARG_CMD)) {
1554 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1555 kau_write(rec, tok);
1556 }
1557 if (ARG_IS_VALID(kar, ARG_UID)) {
1558 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1559 kau_write(rec, tok);
1560 }
1561 PROCESS_PID_TOKENS(2);
1562 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1563 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1564 kau_write(rec, tok);
1565 }
1566 break;
1567
1568 case AUE_SETPRIVEXEC:
1569 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1570 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1571 kau_write(rec, tok);
1572 }
1573 break;
1574
1575 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1576 case AUE_SHMAT:
1577 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1578 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1579 kau_write(rec, tok);
1580 /* XXXAUDIT: Does having the ipc token make sense? */
1581 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1582 kau_write(rec, tok);
1583 }
1584 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1585 tok = au_to_arg32(2, "shmaddr",
1586 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1587 kau_write(rec, tok);
1588 }
1589 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1590 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1591 kau_write(rec, tok);
1592 }
1593 break;
1594
1595 case AUE_SHMCTL:
1596 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1597 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1598 kau_write(rec, tok);
1599 /* XXXAUDIT: Does having the ipc token make sense? */
1600 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1601 kau_write(rec, tok);
1602 }
1603 switch (ar->ar_arg_svipc_cmd) {
1604 case IPC_STAT:
1605 ar->ar_event = AUE_SHMCTL_STAT;
1606 break;
1607 case IPC_RMID:
1608 ar->ar_event = AUE_SHMCTL_RMID;
1609 break;
1610 case IPC_SET:
1611 ar->ar_event = AUE_SHMCTL_SET;
1612 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1613 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1614 kau_write(rec, tok);
1615 }
1616 break;
1617 default:
1618 break; /* We will audit a bad command */
1619 }
1620 break;
1621
1622 case AUE_SHMDT:
1623 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1624 tok = au_to_arg32(1, "shmaddr",
1625 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1626 kau_write(rec, tok);
1627 }
1628 break;
1629
1630 case AUE_SHMGET:
1631 /* This is unusual; the return value is in an argument token */
1632 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1633 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1634 kau_write(rec, tok);
1635 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1636 kau_write(rec, tok);
1637 }
1638 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1639 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1640 kau_write(rec, tok);
1641 }
1642 break;
1643
1644 /* shm_rename is a non-Posix extension to the Posix shm implementation */
1645 case AUE_SHMRENAME:
1646 UPATH1_TOKENS;
1647 UPATH2_TOKENS;
1648 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1649 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1650 kau_write(rec, tok);
1651 }
1652 break;
1653
1654 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1655 * and AUE_SEMUNLINK are Posix IPC */
1656 case AUE_SHMOPEN:
1657 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1658 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1659 kau_write(rec, tok);
1660 }
1661 if (ARG_IS_VALID(kar, ARG_MODE)) {
1662 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1663 kau_write(rec, tok);
1664 }
1665 /* FALLTHROUGH */
1666
1667 case AUE_SHMUNLINK:
1668 UPATH1_TOKENS;
1669 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1670 struct ipc_perm perm;
1671
1672 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1673 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1674 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1675 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1676 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1677 perm.seq = 0;
1678 perm.key = 0;
1679 tok = au_to_ipc_perm(&perm);
1680 kau_write(rec, tok);
1681 }
1682 break;
1683
1684 case AUE_SEMOPEN:
1685 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1686 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1687 kau_write(rec, tok);
1688 }
1689 if (ARG_IS_VALID(kar, ARG_MODE)) {
1690 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1691 kau_write(rec, tok);
1692 }
1693 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1694 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1695 kau_write(rec, tok);
1696 }
1697 /* FALLTHROUGH */
1698
1699 case AUE_SEMUNLINK:
1700 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1701 tok = au_to_text(ar->ar_arg_text);
1702 kau_write(rec, tok);
1703 }
1704 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1705 struct ipc_perm perm;
1706
1707 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1708 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1709 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1710 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1711 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1712 perm.seq = 0;
1713 perm.key = 0;
1714 tok = au_to_ipc_perm(&perm);
1715 kau_write(rec, tok);
1716 }
1717 break;
1718
1719 case AUE_SEMCLOSE:
1720 if (ARG_IS_VALID(kar, ARG_FD)) {
1721 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1722 kau_write(rec, tok);
1723 }
1724 break;
1725
1726 case AUE_SYMLINK:
1727 case AUE_SYMLINKAT:
1728 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1729 tok = au_to_text(ar->ar_arg_text);
1730 kau_write(rec, tok);
1731 }
1732 ATFD1_TOKENS(1);
1733 UPATH1_VNODE1_TOKENS;
1734 break;
1735
1736 case AUE_SYSCTL:
1737 case AUE_SYSCTL_NONADMIN:
1738 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1739 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1740 tok = au_to_arg32(1, "name",
1741 ar->ar_arg_ctlname[ctr]);
1742 kau_write(rec, tok);
1743 }
1744 }
1745 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1746 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1747 kau_write(rec, tok);
1748 }
1749 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1750 tok = au_to_text(ar->ar_arg_text);
1751 kau_write(rec, tok);
1752 }
1753 break;
1754
1755 case AUE_UMASK:
1756 if (ARG_IS_VALID(kar, ARG_MASK)) {
1757 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1758 kau_write(rec, tok);
1759 }
1760 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1761 kau_write(rec, tok);
1762 break;
1763
1764 case AUE_WAIT4:
1765 case AUE_WAIT6:
1766 PROCESS_PID_TOKENS(1);
1767 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1768 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1769 kau_write(rec, tok);
1770 }
1771 break;
1772
1773 case AUE_CAP_RIGHTS_LIMIT:
1774 /*
1775 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1776 */
1777 FD_VNODE1_TOKENS;
1778 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1779 tok = au_to_rights(&ar->ar_arg_rights);
1780 kau_write(rec, tok);
1781 }
1782 break;
1783
1784 case AUE_CAP_FCNTLS_GET:
1785 case AUE_CAP_IOCTLS_GET:
1786 case AUE_CAP_IOCTLS_LIMIT:
1787 case AUE_CAP_RIGHTS_GET:
1788 if (ARG_IS_VALID(kar, ARG_FD)) {
1789 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1790 kau_write(rec, tok);
1791 }
1792 break;
1793
1794 case AUE_CAP_FCNTLS_LIMIT:
1795 FD_VNODE1_TOKENS;
1796 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1797 tok = au_to_arg32(2, "fcntlrights",
1798 ar->ar_arg_fcntl_rights);
1799 kau_write(rec, tok);
1800 }
1801 break;
1802
1803 case AUE_CAP_ENTER:
1804 case AUE_CAP_GETMODE:
1805 break;
1806
1807 case AUE_THR_NEW:
1808 case AUE_THR_KILL:
1809 case AUE_THR_EXIT:
1810 break;
1811
1812 case AUE_NULL:
1813 default:
1814 printf("BSM conversion requested for unknown event %d\n",
1815 ar->ar_event);
1816
1817 /*
1818 * Write the subject token so it is properly freed here.
1819 */
1820 if (jail_tok != NULL)
1821 kau_write(rec, jail_tok);
1822 kau_write(rec, subj_tok);
1823 kau_free(rec);
1824 return (BSM_NOAUDIT);
1825 }
1826
1827 if (jail_tok != NULL)
1828 kau_write(rec, jail_tok);
1829 kau_write(rec, subj_tok);
1830 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1831 kau_write(rec, tok); /* Every record gets a return token */
1832
1833 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1834
1835 *pau = rec;
1836 return (BSM_SUCCESS);
1837 }
1838
1839 /*
1840 * Verify that a record is a valid BSM record. This verification is simple
1841 * now, but may be expanded on sometime in the future. Return 1 if the
1842 * record is good, 0 otherwise.
1843 */
1844 int
1845 bsm_rec_verify(void *rec)
1846 {
1847 char c = *(char *)rec;
1848
1849 /*
1850 * Check the token ID of the first token; it has to be a header
1851 * token.
1852 *
1853 * XXXAUDIT There needs to be a token structure to map a token.
1854 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1855 */
1856 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1857 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1858 return (0);
1859 return (1);
1860 }
Cache object: 177c64b2ea28473a06a7c77f44a1b537
|