1 /*
2 * Copyright (c) 1999-2009 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD: releng/11.0/sys/security/audit/audit_bsm.c 301867 2016-06-13 09:22:20Z rwatson $");
32
33 #include <sys/param.h>
34 #include <sys/vnode.h>
35 #include <sys/ipc.h>
36 #include <sys/lock.h>
37 #include <sys/malloc.h>
38 #include <sys/mutex.h>
39 #include <sys/socket.h>
40 #include <sys/extattr.h>
41 #include <sys/fcntl.h>
42 #include <sys/user.h>
43 #include <sys/systm.h>
44
45 #include <bsm/audit.h>
46 #include <bsm/audit_internal.h>
47 #include <bsm/audit_record.h>
48 #include <bsm/audit_kevents.h>
49
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52
53 #include <netinet/in_systm.h>
54 #include <netinet/in.h>
55 #include <netinet/ip.h>
56
57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
58
59 static void audit_sys_auditon(struct audit_record *ar,
60 struct au_record *rec);
61
62 /*
63 * Initialize the BSM auditing subsystem.
64 */
65 void
66 kau_init(void)
67 {
68
69 au_evclassmap_init();
70 }
71
72 /*
73 * This call reserves memory for the audit record. Memory must be guaranteed
74 * before any auditable event can be generated. The au_record structure
75 * maintains a reference to the memory allocated above and also the list of
76 * tokens associated with this record.
77 */
78 static struct au_record *
79 kau_open(void)
80 {
81 struct au_record *rec;
82
83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
84 rec->data = NULL;
85 TAILQ_INIT(&rec->token_q);
86 rec->len = 0;
87 rec->used = 1;
88
89 return (rec);
90 }
91
92 /*
93 * Store the token with the record descriptor.
94 */
95 static void
96 kau_write(struct au_record *rec, struct au_token *tok)
97 {
98
99 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
100
101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
102 rec->len += tok->len;
103 }
104
105 /*
106 * Close out the audit record by adding the header token, identifying any
107 * missing tokens. Write out the tokens to the record memory.
108 */
109 static void
110 kau_close(struct au_record *rec, struct timespec *ctime, short event)
111 {
112 u_char *dptr;
113 size_t tot_rec_size;
114 token_t *cur, *hdr, *trail;
115 struct timeval tm;
116 size_t hdrsize;
117 struct auditinfo_addr ak;
118 struct in6_addr *ap;
119
120 audit_get_kinfo(&ak);
121 hdrsize = 0;
122 switch (ak.ai_termid.at_type) {
123 case AU_IPv4:
124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
126 break;
127 case AU_IPv6:
128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
130 AUDIT_HEADER_EX_SIZE(&ak);
131 break;
132 default:
133 panic("kau_close: invalid address family");
134 }
135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
137
138 tm.tv_usec = ctime->tv_nsec / 1000;
139 tm.tv_sec = ctime->tv_sec;
140 if (hdrsize != AUDIT_HEADER_SIZE)
141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
142 else
143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
145
146 trail = au_to_trailer(tot_rec_size);
147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
148
149 rec->len = tot_rec_size;
150 dptr = rec->data;
151 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
152 memcpy(dptr, cur->t_data, cur->len);
153 dptr += cur->len;
154 }
155 }
156
157 /*
158 * Free a BSM audit record by releasing all the tokens and clearing the audit
159 * record information.
160 */
161 void
162 kau_free(struct au_record *rec)
163 {
164 struct au_token *tok;
165
166 /* Free the token list. */
167 while ((tok = TAILQ_FIRST(&rec->token_q))) {
168 TAILQ_REMOVE(&rec->token_q, tok, tokens);
169 free(tok->t_data, M_AUDITBSM);
170 free(tok, M_AUDITBSM);
171 }
172
173 rec->used = 0;
174 rec->len = 0;
175 free(rec->data, M_AUDITBSM);
176 free(rec, M_AUDITBSM);
177 }
178
179 /*
180 * XXX: May want turn some (or all) of these macros into functions in order
181 * to reduce the generated code size.
182 *
183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
184 * caller are OK with this.
185 */
186 #define ATFD1_TOKENS(argnum) do { \
187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
189 kau_write(rec, tok); \
190 } \
191 } while (0)
192
193 #define ATFD2_TOKENS(argnum) do { \
194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
196 kau_write(rec, tok); \
197 } \
198 } while (0)
199
200 #define UPATH1_TOKENS do { \
201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
202 tok = au_to_path(ar->ar_arg_upath1); \
203 kau_write(rec, tok); \
204 } \
205 } while (0)
206
207 #define UPATH2_TOKENS do { \
208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
209 tok = au_to_path(ar->ar_arg_upath2); \
210 kau_write(rec, tok); \
211 } \
212 } while (0)
213
214 #define VNODE1_TOKENS do { \
215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
217 kau_write(rec, tok); \
218 } \
219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
220 tok = au_to_attr32(&ar->ar_arg_vnode1); \
221 kau_write(rec, tok); \
222 } \
223 } while (0)
224
225 #define UPATH1_VNODE1_TOKENS do { \
226 UPATH1_TOKENS; \
227 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
228 tok = au_to_attr32(&ar->ar_arg_vnode1); \
229 kau_write(rec, tok); \
230 } \
231 } while (0)
232
233 #define VNODE2_TOKENS do { \
234 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
235 tok = au_to_attr32(&ar->ar_arg_vnode2); \
236 kau_write(rec, tok); \
237 } \
238 } while (0)
239
240 #define FD_VNODE1_TOKENS do { \
241 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
242 if (ARG_IS_VALID(kar, ARG_FD)) { \
243 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
244 kau_write(rec, tok); \
245 } \
246 tok = au_to_attr32(&ar->ar_arg_vnode1); \
247 kau_write(rec, tok); \
248 } else { \
249 if (ARG_IS_VALID(kar, ARG_FD)) { \
250 tok = au_to_arg32(1, "non-file: fd", \
251 ar->ar_arg_fd); \
252 kau_write(rec, tok); \
253 } \
254 } \
255 } while (0)
256
257 #define PROCESS_PID_TOKENS(argn) do { \
258 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
259 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
260 tok = au_to_process32_ex(ar->ar_arg_auid, \
261 ar->ar_arg_euid, ar->ar_arg_egid, \
262 ar->ar_arg_ruid, ar->ar_arg_rgid, \
263 ar->ar_arg_pid, ar->ar_arg_asid, \
264 &ar->ar_arg_termid_addr); \
265 kau_write(rec, tok); \
266 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
267 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
268 kau_write(rec, tok); \
269 } \
270 } while (0)
271
272 #define EXTATTR_TOKENS(namespace_argnum) do { \
273 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
274 switch (ar->ar_arg_value) { \
275 case EXTATTR_NAMESPACE_USER: \
276 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
277 break; \
278 case EXTATTR_NAMESPACE_SYSTEM: \
279 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
280 break; \
281 default: \
282 tok = au_to_arg32((namespace_argnum), \
283 "attrnamespace", ar->ar_arg_value); \
284 break; \
285 } \
286 kau_write(rec, tok); \
287 } \
288 /* attrname is in the text field */ \
289 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
290 tok = au_to_text(ar->ar_arg_text); \
291 kau_write(rec, tok); \
292 } \
293 } while (0)
294
295 /*
296 * Not all pointer arguments to system calls are of interest, but in some
297 * cases they reflect delegation of rights, such as mmap(2) followed by
298 * minherit(2) before execve(2), so do the best we can.
299 */
300 #define ADDR_TOKEN(argnum, argname) do { \
301 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
302 if (sizeof(void *) == sizeof(uint32_t)) \
303 tok = au_to_arg32((argnum), (argname), \
304 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
305 else \
306 tok = au_to_arg64((argnum), (argname), \
307 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
308 kau_write(rec, tok); \
309 } \
310 } while (0)
311
312
313 /*
314 * Implement auditing for the auditon() system call. The audit tokens that
315 * are generated depend on the command that was sent into the auditon()
316 * system call.
317 */
318 static void
319 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
320 {
321 struct au_token *tok;
322
323 tok = au_to_arg32(3, "length", ar->ar_arg_len);
324 kau_write(rec, tok);
325 switch (ar->ar_arg_cmd) {
326 case A_OLDSETPOLICY:
327 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
328 tok = au_to_arg64(2, "policy",
329 ar->ar_arg_auditon.au_policy64);
330 kau_write(rec, tok);
331 break;
332 }
333 /* FALLTHROUGH */
334
335 case A_SETPOLICY:
336 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
337 kau_write(rec, tok);
338 break;
339
340 case A_SETKMASK:
341 tok = au_to_arg32(2, "setkmask:as_success",
342 ar->ar_arg_auditon.au_mask.am_success);
343 kau_write(rec, tok);
344 tok = au_to_arg32(2, "setkmask:as_failure",
345 ar->ar_arg_auditon.au_mask.am_failure);
346 kau_write(rec, tok);
347 break;
348
349 case A_OLDSETQCTRL:
350 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
351 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
352 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
353 kau_write(rec, tok);
354 tok = au_to_arg64(2, "setqctrl:aq_lowater",
355 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
356 kau_write(rec, tok);
357 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
358 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
359 kau_write(rec, tok);
360 tok = au_to_arg64(2, "setqctrl:aq_delay",
361 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
362 kau_write(rec, tok);
363 tok = au_to_arg64(2, "setqctrl:aq_minfree",
364 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
365 kau_write(rec, tok);
366 break;
367 }
368 /* FALLTHROUGH */
369
370 case A_SETQCTRL:
371 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
372 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
373 kau_write(rec, tok);
374 tok = au_to_arg32(2, "setqctrl:aq_lowater",
375 ar->ar_arg_auditon.au_qctrl.aq_lowater);
376 kau_write(rec, tok);
377 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
378 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
379 kau_write(rec, tok);
380 tok = au_to_arg32(2, "setqctrl:aq_delay",
381 ar->ar_arg_auditon.au_qctrl.aq_delay);
382 kau_write(rec, tok);
383 tok = au_to_arg32(2, "setqctrl:aq_minfree",
384 ar->ar_arg_auditon.au_qctrl.aq_minfree);
385 kau_write(rec, tok);
386 break;
387
388 case A_SETUMASK:
389 tok = au_to_arg32(2, "setumask:as_success",
390 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
391 kau_write(rec, tok);
392 tok = au_to_arg32(2, "setumask:as_failure",
393 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
394 kau_write(rec, tok);
395 break;
396
397 case A_SETSMASK:
398 tok = au_to_arg32(2, "setsmask:as_success",
399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
400 kau_write(rec, tok);
401 tok = au_to_arg32(2, "setsmask:as_failure",
402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
403 kau_write(rec, tok);
404 break;
405
406 case A_OLDSETCOND:
407 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
408 tok = au_to_arg64(2, "setcond",
409 ar->ar_arg_auditon.au_cond64);
410 kau_write(rec, tok);
411 break;
412 }
413 /* FALLTHROUGH */
414
415 case A_SETCOND:
416 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
417 kau_write(rec, tok);
418 break;
419
420 case A_SETCLASS:
421 kau_write(rec, tok);
422 tok = au_to_arg32(2, "setclass:ec_event",
423 ar->ar_arg_auditon.au_evclass.ec_number);
424 kau_write(rec, tok);
425 tok = au_to_arg32(2, "setclass:ec_class",
426 ar->ar_arg_auditon.au_evclass.ec_class);
427 kau_write(rec, tok);
428 break;
429
430 case A_SETPMASK:
431 tok = au_to_arg32(2, "setpmask:as_success",
432 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
433 kau_write(rec, tok);
434 tok = au_to_arg32(2, "setpmask:as_failure",
435 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
436 kau_write(rec, tok);
437 break;
438
439 case A_SETFSIZE:
440 tok = au_to_arg32(2, "setfsize:filesize",
441 ar->ar_arg_auditon.au_fstat.af_filesz);
442 kau_write(rec, tok);
443 break;
444
445 default:
446 break;
447 }
448 }
449
450 /*
451 * Convert an internal kernel audit record to a BSM record and return a
452 * success/failure indicator. The BSM record is passed as an out parameter to
453 * this function.
454 *
455 * Return conditions:
456 * BSM_SUCCESS: The BSM record is valid
457 * BSM_FAILURE: Failure; the BSM record is NULL.
458 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
459 */
460 int
461 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
462 {
463 struct au_token *tok, *subj_tok, *jail_tok;
464 struct au_record *rec;
465 au_tid_t tid;
466 struct audit_record *ar;
467 int ctr;
468
469 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
470
471 *pau = NULL;
472 ar = &kar->k_ar;
473 rec = kau_open();
474
475 /*
476 * Create the subject token. If this credential was jailed be sure to
477 * generate a zonename token.
478 */
479 if (ar->ar_jailname[0] != '\0')
480 jail_tok = au_to_zonename(ar->ar_jailname);
481 else
482 jail_tok = NULL;
483 switch (ar->ar_subj_term_addr.at_type) {
484 case AU_IPv4:
485 tid.port = ar->ar_subj_term_addr.at_port;
486 tid.machine = ar->ar_subj_term_addr.at_addr[0];
487 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
488 ar->ar_subj_cred.cr_uid, /* eff uid */
489 ar->ar_subj_egid, /* eff group id */
490 ar->ar_subj_ruid, /* real uid */
491 ar->ar_subj_rgid, /* real group id */
492 ar->ar_subj_pid, /* process id */
493 ar->ar_subj_asid, /* session ID */
494 &tid);
495 break;
496 case AU_IPv6:
497 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
498 ar->ar_subj_cred.cr_uid,
499 ar->ar_subj_egid,
500 ar->ar_subj_ruid,
501 ar->ar_subj_rgid,
502 ar->ar_subj_pid,
503 ar->ar_subj_asid,
504 &ar->ar_subj_term_addr);
505 break;
506 default:
507 bzero(&tid, sizeof(tid));
508 subj_tok = au_to_subject32(ar->ar_subj_auid,
509 ar->ar_subj_cred.cr_uid,
510 ar->ar_subj_egid,
511 ar->ar_subj_ruid,
512 ar->ar_subj_rgid,
513 ar->ar_subj_pid,
514 ar->ar_subj_asid,
515 &tid);
516 }
517
518 /*
519 * The logic inside each case fills in the tokens required for the
520 * event, except for the header, trailer, and return tokens. The
521 * header and trailer tokens are added by the kau_close() function.
522 * The return token is added outside of the switch statement.
523 */
524 switch(ar->ar_event) {
525 case AUE_ACCEPT:
526 case AUE_BIND:
527 case AUE_LISTEN:
528 case AUE_CONNECT:
529 case AUE_RECV:
530 case AUE_RECVFROM:
531 case AUE_RECVMSG:
532 case AUE_SEND:
533 case AUE_SENDFILE:
534 case AUE_SENDMSG:
535 case AUE_SENDTO:
536 /*
537 * Socket-related events.
538 */
539 if (ARG_IS_VALID(kar, ARG_FD)) {
540 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
541 kau_write(rec, tok);
542 }
543 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
544 tok = au_to_sock_inet((struct sockaddr_in *)
545 &ar->ar_arg_sockaddr);
546 kau_write(rec, tok);
547 }
548 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
549 tok = au_to_sock_unix((struct sockaddr_un *)
550 &ar->ar_arg_sockaddr);
551 kau_write(rec, tok);
552 UPATH1_TOKENS;
553 }
554 /* XXX Need to handle ARG_SADDRINET6 */
555 break;
556
557 case AUE_BINDAT:
558 case AUE_CONNECTAT:
559 ATFD1_TOKENS(1);
560 if (ARG_IS_VALID(kar, ARG_FD)) {
561 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
562 kau_write(rec, tok);
563 }
564 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
565 tok = au_to_sock_unix((struct sockaddr_un *)
566 &ar->ar_arg_sockaddr);
567 kau_write(rec, tok);
568 UPATH1_TOKENS;
569 }
570 break;
571
572 case AUE_SOCKET:
573 case AUE_SOCKETPAIR:
574 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
575 tok = au_to_arg32(1, "domain",
576 ar->ar_arg_sockinfo.so_domain);
577 kau_write(rec, tok);
578 tok = au_to_arg32(2, "type",
579 ar->ar_arg_sockinfo.so_type);
580 kau_write(rec, tok);
581 tok = au_to_arg32(3, "protocol",
582 ar->ar_arg_sockinfo.so_protocol);
583 kau_write(rec, tok);
584 }
585 break;
586
587 case AUE_SETSOCKOPT:
588 case AUE_SHUTDOWN:
589 if (ARG_IS_VALID(kar, ARG_FD)) {
590 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
591 kau_write(rec, tok);
592 }
593 break;
594
595 case AUE_ACCT:
596 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
597 UPATH1_VNODE1_TOKENS;
598 } else {
599 tok = au_to_arg32(1, "accounting off", 0);
600 kau_write(rec, tok);
601 }
602 break;
603
604 case AUE_SETAUID:
605 if (ARG_IS_VALID(kar, ARG_AUID)) {
606 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
607 kau_write(rec, tok);
608 }
609 break;
610
611 case AUE_SETAUDIT:
612 if (ARG_IS_VALID(kar, ARG_AUID) &&
613 ARG_IS_VALID(kar, ARG_ASID) &&
614 ARG_IS_VALID(kar, ARG_AMASK) &&
615 ARG_IS_VALID(kar, ARG_TERMID)) {
616 tok = au_to_arg32(1, "setaudit:auid",
617 ar->ar_arg_auid);
618 kau_write(rec, tok);
619 tok = au_to_arg32(1, "setaudit:port",
620 ar->ar_arg_termid.port);
621 kau_write(rec, tok);
622 tok = au_to_arg32(1, "setaudit:machine",
623 ar->ar_arg_termid.machine);
624 kau_write(rec, tok);
625 tok = au_to_arg32(1, "setaudit:as_success",
626 ar->ar_arg_amask.am_success);
627 kau_write(rec, tok);
628 tok = au_to_arg32(1, "setaudit:as_failure",
629 ar->ar_arg_amask.am_failure);
630 kau_write(rec, tok);
631 tok = au_to_arg32(1, "setaudit:asid",
632 ar->ar_arg_asid);
633 kau_write(rec, tok);
634 }
635 break;
636
637 case AUE_SETAUDIT_ADDR:
638 if (ARG_IS_VALID(kar, ARG_AUID) &&
639 ARG_IS_VALID(kar, ARG_ASID) &&
640 ARG_IS_VALID(kar, ARG_AMASK) &&
641 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
642 tok = au_to_arg32(1, "setaudit_addr:auid",
643 ar->ar_arg_auid);
644 kau_write(rec, tok);
645 tok = au_to_arg32(1, "setaudit_addr:as_success",
646 ar->ar_arg_amask.am_success);
647 kau_write(rec, tok);
648 tok = au_to_arg32(1, "setaudit_addr:as_failure",
649 ar->ar_arg_amask.am_failure);
650 kau_write(rec, tok);
651 tok = au_to_arg32(1, "setaudit_addr:asid",
652 ar->ar_arg_asid);
653 kau_write(rec, tok);
654 tok = au_to_arg32(1, "setaudit_addr:type",
655 ar->ar_arg_termid_addr.at_type);
656 kau_write(rec, tok);
657 tok = au_to_arg32(1, "setaudit_addr:port",
658 ar->ar_arg_termid_addr.at_port);
659 kau_write(rec, tok);
660 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
661 tok = au_to_in_addr_ex((struct in6_addr *)
662 &ar->ar_arg_termid_addr.at_addr[0]);
663 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
664 tok = au_to_in_addr((struct in_addr *)
665 &ar->ar_arg_termid_addr.at_addr[0]);
666 kau_write(rec, tok);
667 }
668 break;
669
670 case AUE_AUDITON:
671 /*
672 * For AUDITON commands without own event, audit the cmd.
673 */
674 if (ARG_IS_VALID(kar, ARG_CMD)) {
675 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
676 kau_write(rec, tok);
677 }
678 /* FALLTHROUGH */
679
680 case AUE_AUDITON_GETCAR:
681 case AUE_AUDITON_GETCLASS:
682 case AUE_AUDITON_GETCOND:
683 case AUE_AUDITON_GETCWD:
684 case AUE_AUDITON_GETKMASK:
685 case AUE_AUDITON_GETSTAT:
686 case AUE_AUDITON_GPOLICY:
687 case AUE_AUDITON_GQCTRL:
688 case AUE_AUDITON_SETCLASS:
689 case AUE_AUDITON_SETCOND:
690 case AUE_AUDITON_SETKMASK:
691 case AUE_AUDITON_SETSMASK:
692 case AUE_AUDITON_SETSTAT:
693 case AUE_AUDITON_SETUMASK:
694 case AUE_AUDITON_SPOLICY:
695 case AUE_AUDITON_SQCTRL:
696 if (ARG_IS_VALID(kar, ARG_AUDITON))
697 audit_sys_auditon(ar, rec);
698 break;
699
700 case AUE_AUDITCTL:
701 UPATH1_VNODE1_TOKENS;
702 break;
703
704 case AUE_EXIT:
705 if (ARG_IS_VALID(kar, ARG_EXIT)) {
706 tok = au_to_exit(ar->ar_arg_exitretval,
707 ar->ar_arg_exitstatus);
708 kau_write(rec, tok);
709 }
710 break;
711
712 case AUE_ADJTIME:
713 case AUE_CLOCK_SETTIME:
714 case AUE_AUDIT:
715 case AUE_DUP2:
716 case AUE_GETAUDIT:
717 case AUE_GETAUDIT_ADDR:
718 case AUE_GETAUID:
719 case AUE_GETCWD:
720 case AUE_GETFSSTAT:
721 case AUE_GETRESUID:
722 case AUE_GETRESGID:
723 case AUE_KQUEUE:
724 case AUE_MODLOAD:
725 case AUE_MODUNLOAD:
726 case AUE_MSGSYS:
727 case AUE_NTP_ADJTIME:
728 case AUE_PIPE:
729 case AUE_POSIX_OPENPT:
730 case AUE_PROFILE:
731 case AUE_RTPRIO:
732 case AUE_SEMSYS:
733 case AUE_SHMSYS:
734 case AUE_SETPGRP:
735 case AUE_SETRLIMIT:
736 case AUE_SETSID:
737 case AUE_SETTIMEOFDAY:
738 case AUE_SYSARCH:
739
740 /*
741 * Header, subject, and return tokens added at end.
742 */
743 break;
744
745 case AUE_CHDIR:
746 case AUE_CHROOT:
747 case AUE_FSTATAT:
748 case AUE_FUTIMESAT:
749 case AUE_GETATTRLIST:
750 case AUE_JAIL:
751 case AUE_LUTIMES:
752 case AUE_NFS_GETFH:
753 case AUE_LSTAT:
754 case AUE_LPATHCONF:
755 case AUE_PATHCONF:
756 case AUE_READLINK:
757 case AUE_READLINKAT:
758 case AUE_REVOKE:
759 case AUE_RMDIR:
760 case AUE_SEARCHFS:
761 case AUE_SETATTRLIST:
762 case AUE_STAT:
763 case AUE_STATFS:
764 case AUE_SWAPON:
765 case AUE_SWAPOFF:
766 case AUE_TRUNCATE:
767 case AUE_UNDELETE:
768 case AUE_UNLINK:
769 case AUE_UNLINKAT:
770 case AUE_UTIMES:
771 ATFD1_TOKENS(1);
772 UPATH1_VNODE1_TOKENS;
773 break;
774
775 case AUE_ACCESS:
776 case AUE_EACCESS:
777 case AUE_FACCESSAT:
778 ATFD1_TOKENS(1);
779 UPATH1_VNODE1_TOKENS;
780 if (ARG_IS_VALID(kar, ARG_VALUE)) {
781 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
782 kau_write(rec, tok);
783 }
784 break;
785
786 case AUE_FHSTATFS:
787 case AUE_FHOPEN:
788 case AUE_FHSTAT:
789 /* XXXRW: Need to audit vnode argument. */
790 break;
791
792 case AUE_CHFLAGS:
793 case AUE_LCHFLAGS:
794 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
795 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
796 kau_write(rec, tok);
797 }
798 UPATH1_VNODE1_TOKENS;
799 break;
800
801 case AUE_CHMOD:
802 case AUE_LCHMOD:
803 if (ARG_IS_VALID(kar, ARG_MODE)) {
804 tok = au_to_arg32(2, "new file mode",
805 ar->ar_arg_mode);
806 kau_write(rec, tok);
807 }
808 UPATH1_VNODE1_TOKENS;
809 break;
810
811 case AUE_FCHMODAT:
812 ATFD1_TOKENS(1);
813 if (ARG_IS_VALID(kar, ARG_MODE)) {
814 tok = au_to_arg32(3, "new file mode",
815 ar->ar_arg_mode);
816 kau_write(rec, tok);
817 }
818 UPATH1_VNODE1_TOKENS;
819 break;
820
821 case AUE_CHOWN:
822 case AUE_LCHOWN:
823 if (ARG_IS_VALID(kar, ARG_UID)) {
824 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
825 kau_write(rec, tok);
826 }
827 if (ARG_IS_VALID(kar, ARG_GID)) {
828 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
829 kau_write(rec, tok);
830 }
831 UPATH1_VNODE1_TOKENS;
832 break;
833
834 case AUE_FCHOWNAT:
835 ATFD1_TOKENS(1);
836 if (ARG_IS_VALID(kar, ARG_UID)) {
837 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
838 kau_write(rec, tok);
839 }
840 if (ARG_IS_VALID(kar, ARG_GID)) {
841 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
842 kau_write(rec, tok);
843 }
844 UPATH1_VNODE1_TOKENS;
845 break;
846
847 case AUE_EXCHANGEDATA:
848 UPATH1_VNODE1_TOKENS;
849 UPATH2_TOKENS;
850 break;
851
852 case AUE_CLOSE:
853 if (ARG_IS_VALID(kar, ARG_FD)) {
854 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
855 kau_write(rec, tok);
856 }
857 UPATH1_VNODE1_TOKENS;
858 break;
859
860 case AUE_CLOSEFROM:
861 if (ARG_IS_VALID(kar, ARG_FD)) {
862 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
863 kau_write(rec, tok);
864 }
865 break;
866
867 case AUE_CORE:
868 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
869 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
870 kau_write(rec, tok);
871 }
872 UPATH1_VNODE1_TOKENS;
873 break;
874
875 case AUE_EXTATTRCTL:
876 UPATH1_VNODE1_TOKENS;
877 if (ARG_IS_VALID(kar, ARG_CMD)) {
878 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
879 kau_write(rec, tok);
880 }
881 /* extattrctl(2) filename parameter is in upath2/vnode2 */
882 UPATH2_TOKENS;
883 VNODE2_TOKENS;
884 EXTATTR_TOKENS(4);
885 break;
886
887 case AUE_EXTATTR_GET_FILE:
888 case AUE_EXTATTR_SET_FILE:
889 case AUE_EXTATTR_LIST_FILE:
890 case AUE_EXTATTR_DELETE_FILE:
891 case AUE_EXTATTR_GET_LINK:
892 case AUE_EXTATTR_SET_LINK:
893 case AUE_EXTATTR_LIST_LINK:
894 case AUE_EXTATTR_DELETE_LINK:
895 UPATH1_VNODE1_TOKENS;
896 EXTATTR_TOKENS(2);
897 break;
898
899 case AUE_EXTATTR_GET_FD:
900 case AUE_EXTATTR_SET_FD:
901 case AUE_EXTATTR_LIST_FD:
902 case AUE_EXTATTR_DELETE_FD:
903 if (ARG_IS_VALID(kar, ARG_FD)) {
904 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
905 kau_write(rec, tok);
906 }
907 EXTATTR_TOKENS(2);
908 break;
909
910 case AUE_FEXECVE:
911 if (ARG_IS_VALID(kar, ARG_FD)) {
912 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
913 kau_write(rec, tok);
914 }
915 /* FALLTHROUGH */
916
917 case AUE_EXECVE:
918 case AUE_MAC_EXECVE:
919 if (ARG_IS_VALID(kar, ARG_ARGV)) {
920 tok = au_to_exec_args(ar->ar_arg_argv,
921 ar->ar_arg_argc);
922 kau_write(rec, tok);
923 }
924 if (ARG_IS_VALID(kar, ARG_ENVV)) {
925 tok = au_to_exec_env(ar->ar_arg_envv,
926 ar->ar_arg_envc);
927 kau_write(rec, tok);
928 }
929 UPATH1_VNODE1_TOKENS;
930 break;
931
932 case AUE_FCHMOD:
933 if (ARG_IS_VALID(kar, ARG_MODE)) {
934 tok = au_to_arg32(2, "new file mode",
935 ar->ar_arg_mode);
936 kau_write(rec, tok);
937 }
938 FD_VNODE1_TOKENS;
939 break;
940
941 /*
942 * XXXRW: Some of these need to handle non-vnode cases as well.
943 */
944 case AUE_FCHDIR:
945 case AUE_FPATHCONF:
946 case AUE_FSTAT:
947 case AUE_FSTATFS:
948 case AUE_FSYNC:
949 case AUE_FTRUNCATE:
950 case AUE_FUTIMES:
951 case AUE_GETDIRENTRIES:
952 case AUE_GETDIRENTRIESATTR:
953 case AUE_LSEEK:
954 case AUE_POLL:
955 case AUE_PREAD:
956 case AUE_PWRITE:
957 case AUE_READ:
958 case AUE_READV:
959 case AUE_WRITE:
960 case AUE_WRITEV:
961 FD_VNODE1_TOKENS;
962 break;
963
964 case AUE_FCHOWN:
965 if (ARG_IS_VALID(kar, ARG_UID)) {
966 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
967 kau_write(rec, tok);
968 }
969 if (ARG_IS_VALID(kar, ARG_GID)) {
970 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
971 kau_write(rec, tok);
972 }
973 FD_VNODE1_TOKENS;
974 break;
975
976 case AUE_FCNTL:
977 if (ARG_IS_VALID(kar, ARG_CMD)) {
978 tok = au_to_arg32(2, "cmd",
979 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
980 kau_write(rec, tok);
981 }
982 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
983 ar->ar_arg_cmd == F_SETLKW) {
984 FD_VNODE1_TOKENS;
985 }
986 break;
987
988 case AUE_FCHFLAGS:
989 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
990 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
991 kau_write(rec, tok);
992 }
993 FD_VNODE1_TOKENS;
994 break;
995
996 case AUE_FLOCK:
997 if (ARG_IS_VALID(kar, ARG_CMD)) {
998 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
999 kau_write(rec, tok);
1000 }
1001 FD_VNODE1_TOKENS;
1002 break;
1003
1004 case AUE_RFORK:
1005 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1006 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1007 kau_write(rec, tok);
1008 }
1009 /* FALLTHROUGH */
1010
1011 case AUE_FORK:
1012 case AUE_VFORK:
1013 if (ARG_IS_VALID(kar, ARG_PID)) {
1014 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1015 kau_write(rec, tok);
1016 }
1017 break;
1018
1019 case AUE_IOCTL:
1020 if (ARG_IS_VALID(kar, ARG_CMD)) {
1021 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1022 kau_write(rec, tok);
1023 }
1024 if (ARG_IS_VALID(kar, ARG_VNODE1))
1025 FD_VNODE1_TOKENS;
1026 else {
1027 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1028 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1029 kau_write(rec, tok);
1030 } else {
1031 if (ARG_IS_VALID(kar, ARG_FD)) {
1032 tok = au_to_arg32(1, "fd",
1033 ar->ar_arg_fd);
1034 kau_write(rec, tok);
1035 }
1036 }
1037 }
1038 break;
1039
1040 case AUE_KILL:
1041 case AUE_KILLPG:
1042 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1043 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1044 kau_write(rec, tok);
1045 }
1046 PROCESS_PID_TOKENS(1);
1047 break;
1048
1049 case AUE_KTRACE:
1050 if (ARG_IS_VALID(kar, ARG_CMD)) {
1051 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1052 kau_write(rec, tok);
1053 }
1054 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1055 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1056 kau_write(rec, tok);
1057 }
1058 PROCESS_PID_TOKENS(4);
1059 UPATH1_VNODE1_TOKENS;
1060 break;
1061
1062 case AUE_LINK:
1063 case AUE_LINKAT:
1064 case AUE_RENAME:
1065 case AUE_RENAMEAT:
1066 ATFD1_TOKENS(1);
1067 UPATH1_VNODE1_TOKENS;
1068 ATFD2_TOKENS(3);
1069 UPATH2_TOKENS;
1070 break;
1071
1072 case AUE_LOADSHFILE:
1073 ADDR_TOKEN(4, "base addr");
1074 UPATH1_VNODE1_TOKENS;
1075 break;
1076
1077 case AUE_MKDIR:
1078 case AUE_MKDIRAT:
1079 case AUE_MKFIFO:
1080 case AUE_MKFIFOAT:
1081 ATFD1_TOKENS(1);
1082 if (ARG_IS_VALID(kar, ARG_MODE)) {
1083 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1084 kau_write(rec, tok);
1085 }
1086 UPATH1_VNODE1_TOKENS;
1087 break;
1088
1089 case AUE_MKNOD:
1090 case AUE_MKNODAT:
1091 ATFD1_TOKENS(1);
1092 if (ARG_IS_VALID(kar, ARG_MODE)) {
1093 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1094 kau_write(rec, tok);
1095 }
1096 if (ARG_IS_VALID(kar, ARG_DEV)) {
1097 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1098 kau_write(rec, tok);
1099 }
1100 UPATH1_VNODE1_TOKENS;
1101 break;
1102
1103 case AUE_MMAP:
1104 case AUE_MUNMAP:
1105 case AUE_MPROTECT:
1106 case AUE_MLOCK:
1107 case AUE_MUNLOCK:
1108 case AUE_MINHERIT:
1109 ADDR_TOKEN(1, "addr");
1110 if (ARG_IS_VALID(kar, ARG_LEN)) {
1111 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1112 kau_write(rec, tok);
1113 }
1114 if (ar->ar_event == AUE_MMAP)
1115 FD_VNODE1_TOKENS;
1116 if (ar->ar_event == AUE_MPROTECT) {
1117 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1118 tok = au_to_arg32(3, "protection",
1119 ar->ar_arg_value);
1120 kau_write(rec, tok);
1121 }
1122 }
1123 if (ar->ar_event == AUE_MINHERIT) {
1124 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1125 tok = au_to_arg32(3, "inherit",
1126 ar->ar_arg_value);
1127 kau_write(rec, tok);
1128 }
1129 }
1130 break;
1131
1132 case AUE_MOUNT:
1133 case AUE_NMOUNT:
1134 /* XXX Need to handle NFS mounts */
1135 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1136 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1137 kau_write(rec, tok);
1138 }
1139 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1140 tok = au_to_text(ar->ar_arg_text);
1141 kau_write(rec, tok);
1142 }
1143 /* FALLTHROUGH */
1144
1145 case AUE_NFS_SVC:
1146 if (ARG_IS_VALID(kar, ARG_CMD)) {
1147 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1148 kau_write(rec, tok);
1149 }
1150 break;
1151
1152 case AUE_UMOUNT:
1153 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1154 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1155 kau_write(rec, tok);
1156 }
1157 UPATH1_VNODE1_TOKENS;
1158 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1159 tok = au_to_text(ar->ar_arg_text);
1160 kau_write(rec, tok);
1161 }
1162 break;
1163
1164 case AUE_MSGCTL:
1165 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1166 /* Fall through */
1167
1168 case AUE_MSGRCV:
1169 case AUE_MSGSND:
1170 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1171 kau_write(rec, tok);
1172 if (ar->ar_errno != EINVAL) {
1173 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1174 kau_write(rec, tok);
1175 }
1176 break;
1177
1178 case AUE_MSGGET:
1179 if (ar->ar_errno == 0) {
1180 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1181 tok = au_to_ipc(AT_IPC_MSG,
1182 ar->ar_arg_svipc_id);
1183 kau_write(rec, tok);
1184 }
1185 }
1186 break;
1187
1188 case AUE_RESETSHFILE:
1189 ADDR_TOKEN(1, "base addr");
1190 break;
1191
1192 case AUE_OPEN_RC:
1193 case AUE_OPEN_RTC:
1194 case AUE_OPEN_RWC:
1195 case AUE_OPEN_RWTC:
1196 case AUE_OPEN_WC:
1197 case AUE_OPEN_WTC:
1198 case AUE_CREAT:
1199 if (ARG_IS_VALID(kar, ARG_MODE)) {
1200 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1201 kau_write(rec, tok);
1202 }
1203 /* FALLTHROUGH */
1204
1205 case AUE_OPEN_R:
1206 case AUE_OPEN_RT:
1207 case AUE_OPEN_RW:
1208 case AUE_OPEN_RWT:
1209 case AUE_OPEN_W:
1210 case AUE_OPEN_WT:
1211 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1212 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1213 kau_write(rec, tok);
1214 }
1215 UPATH1_VNODE1_TOKENS;
1216 break;
1217
1218 case AUE_OPENAT_RC:
1219 case AUE_OPENAT_RTC:
1220 case AUE_OPENAT_RWC:
1221 case AUE_OPENAT_RWTC:
1222 case AUE_OPENAT_WC:
1223 case AUE_OPENAT_WTC:
1224 if (ARG_IS_VALID(kar, ARG_MODE)) {
1225 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1226 kau_write(rec, tok);
1227 }
1228 /* FALLTHROUGH */
1229
1230 case AUE_OPENAT_R:
1231 case AUE_OPENAT_RT:
1232 case AUE_OPENAT_RW:
1233 case AUE_OPENAT_RWT:
1234 case AUE_OPENAT_W:
1235 case AUE_OPENAT_WT:
1236 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1237 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1238 kau_write(rec, tok);
1239 }
1240 ATFD1_TOKENS(1);
1241 UPATH1_VNODE1_TOKENS;
1242 break;
1243
1244 case AUE_PTRACE:
1245 if (ARG_IS_VALID(kar, ARG_CMD)) {
1246 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1247 kau_write(rec, tok);
1248 }
1249 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1250 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1251 kau_write(rec, tok);
1252 }
1253 PROCESS_PID_TOKENS(2);
1254 break;
1255
1256 case AUE_QUOTACTL:
1257 if (ARG_IS_VALID(kar, ARG_CMD)) {
1258 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1259 kau_write(rec, tok);
1260 }
1261 if (ARG_IS_VALID(kar, ARG_UID)) {
1262 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1263 kau_write(rec, tok);
1264 }
1265 if (ARG_IS_VALID(kar, ARG_GID)) {
1266 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1267 kau_write(rec, tok);
1268 }
1269 UPATH1_VNODE1_TOKENS;
1270 break;
1271
1272 case AUE_REBOOT:
1273 if (ARG_IS_VALID(kar, ARG_CMD)) {
1274 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1275 kau_write(rec, tok);
1276 }
1277 break;
1278
1279 case AUE_SEMCTL:
1280 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1281 /* Fall through */
1282
1283 case AUE_SEMOP:
1284 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1285 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1286 kau_write(rec, tok);
1287 if (ar->ar_errno != EINVAL) {
1288 tok = au_to_ipc(AT_IPC_SEM,
1289 ar->ar_arg_svipc_id);
1290 kau_write(rec, tok);
1291 }
1292 }
1293 break;
1294
1295 case AUE_SEMGET:
1296 if (ar->ar_errno == 0) {
1297 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1298 tok = au_to_ipc(AT_IPC_SEM,
1299 ar->ar_arg_svipc_id);
1300 kau_write(rec, tok);
1301 }
1302 }
1303 break;
1304
1305 case AUE_SETEGID:
1306 if (ARG_IS_VALID(kar, ARG_EGID)) {
1307 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1308 kau_write(rec, tok);
1309 }
1310 break;
1311
1312 case AUE_SETEUID:
1313 if (ARG_IS_VALID(kar, ARG_EUID)) {
1314 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1315 kau_write(rec, tok);
1316 }
1317 break;
1318
1319 case AUE_SETREGID:
1320 if (ARG_IS_VALID(kar, ARG_RGID)) {
1321 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1322 kau_write(rec, tok);
1323 }
1324 if (ARG_IS_VALID(kar, ARG_EGID)) {
1325 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1326 kau_write(rec, tok);
1327 }
1328 break;
1329
1330 case AUE_SETREUID:
1331 if (ARG_IS_VALID(kar, ARG_RUID)) {
1332 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1333 kau_write(rec, tok);
1334 }
1335 if (ARG_IS_VALID(kar, ARG_EUID)) {
1336 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1337 kau_write(rec, tok);
1338 }
1339 break;
1340
1341 case AUE_SETRESGID:
1342 if (ARG_IS_VALID(kar, ARG_RGID)) {
1343 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1344 kau_write(rec, tok);
1345 }
1346 if (ARG_IS_VALID(kar, ARG_EGID)) {
1347 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1348 kau_write(rec, tok);
1349 }
1350 if (ARG_IS_VALID(kar, ARG_SGID)) {
1351 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1352 kau_write(rec, tok);
1353 }
1354 break;
1355
1356 case AUE_SETRESUID:
1357 if (ARG_IS_VALID(kar, ARG_RUID)) {
1358 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1359 kau_write(rec, tok);
1360 }
1361 if (ARG_IS_VALID(kar, ARG_EUID)) {
1362 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1363 kau_write(rec, tok);
1364 }
1365 if (ARG_IS_VALID(kar, ARG_SUID)) {
1366 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1367 kau_write(rec, tok);
1368 }
1369 break;
1370
1371 case AUE_SETGID:
1372 if (ARG_IS_VALID(kar, ARG_GID)) {
1373 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1374 kau_write(rec, tok);
1375 }
1376 break;
1377
1378 case AUE_SETUID:
1379 if (ARG_IS_VALID(kar, ARG_UID)) {
1380 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1381 kau_write(rec, tok);
1382 }
1383 break;
1384
1385 case AUE_SETGROUPS:
1386 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1387 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1388 {
1389 tok = au_to_arg32(1, "setgroups",
1390 ar->ar_arg_groups.gidset[ctr]);
1391 kau_write(rec, tok);
1392 }
1393 }
1394 break;
1395
1396 case AUE_SETLOGIN:
1397 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1398 tok = au_to_text(ar->ar_arg_text);
1399 kau_write(rec, tok);
1400 }
1401 break;
1402
1403 case AUE_SETPRIORITY:
1404 if (ARG_IS_VALID(kar, ARG_CMD)) {
1405 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1406 kau_write(rec, tok);
1407 }
1408 if (ARG_IS_VALID(kar, ARG_UID)) {
1409 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1410 kau_write(rec, tok);
1411 }
1412 PROCESS_PID_TOKENS(2);
1413 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1414 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1415 kau_write(rec, tok);
1416 }
1417 break;
1418
1419 case AUE_SETPRIVEXEC:
1420 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1421 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1422 kau_write(rec, tok);
1423 }
1424 break;
1425
1426 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1427 case AUE_SHMAT:
1428 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1429 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1430 kau_write(rec, tok);
1431 /* XXXAUDIT: Does having the ipc token make sense? */
1432 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1433 kau_write(rec, tok);
1434 }
1435 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1436 tok = au_to_arg32(2, "shmaddr",
1437 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1438 kau_write(rec, tok);
1439 }
1440 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1441 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1442 kau_write(rec, tok);
1443 }
1444 break;
1445
1446 case AUE_SHMCTL:
1447 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1448 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1449 kau_write(rec, tok);
1450 /* XXXAUDIT: Does having the ipc token make sense? */
1451 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1452 kau_write(rec, tok);
1453 }
1454 switch (ar->ar_arg_svipc_cmd) {
1455 case IPC_STAT:
1456 ar->ar_event = AUE_SHMCTL_STAT;
1457 break;
1458 case IPC_RMID:
1459 ar->ar_event = AUE_SHMCTL_RMID;
1460 break;
1461 case IPC_SET:
1462 ar->ar_event = AUE_SHMCTL_SET;
1463 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1464 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1465 kau_write(rec, tok);
1466 }
1467 break;
1468 default:
1469 break; /* We will audit a bad command */
1470 }
1471 break;
1472
1473 case AUE_SHMDT:
1474 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1475 tok = au_to_arg32(1, "shmaddr",
1476 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1477 kau_write(rec, tok);
1478 }
1479 break;
1480
1481 case AUE_SHMGET:
1482 /* This is unusual; the return value is in an argument token */
1483 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1484 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1485 kau_write(rec, tok);
1486 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1487 kau_write(rec, tok);
1488 }
1489 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1490 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1491 kau_write(rec, tok);
1492 }
1493 break;
1494
1495 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1496 * and AUE_SEMUNLINK are Posix IPC */
1497 case AUE_SHMOPEN:
1498 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1499 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1500 kau_write(rec, tok);
1501 }
1502 if (ARG_IS_VALID(kar, ARG_MODE)) {
1503 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1504 kau_write(rec, tok);
1505 }
1506 /* FALLTHROUGH */
1507
1508 case AUE_SHMUNLINK:
1509 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1510 tok = au_to_text(ar->ar_arg_text);
1511 kau_write(rec, tok);
1512 }
1513 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1514 struct ipc_perm perm;
1515
1516 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1517 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1518 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1519 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1520 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1521 perm.seq = 0;
1522 perm.key = 0;
1523 tok = au_to_ipc_perm(&perm);
1524 kau_write(rec, tok);
1525 }
1526 break;
1527
1528 case AUE_SEMOPEN:
1529 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1530 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1531 kau_write(rec, tok);
1532 }
1533 if (ARG_IS_VALID(kar, ARG_MODE)) {
1534 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1535 kau_write(rec, tok);
1536 }
1537 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1538 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1539 kau_write(rec, tok);
1540 }
1541 /* FALLTHROUGH */
1542
1543 case AUE_SEMUNLINK:
1544 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1545 tok = au_to_text(ar->ar_arg_text);
1546 kau_write(rec, tok);
1547 }
1548 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1549 struct ipc_perm perm;
1550
1551 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1552 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1553 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1554 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1555 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1556 perm.seq = 0;
1557 perm.key = 0;
1558 tok = au_to_ipc_perm(&perm);
1559 kau_write(rec, tok);
1560 }
1561 break;
1562
1563 case AUE_SEMCLOSE:
1564 if (ARG_IS_VALID(kar, ARG_FD)) {
1565 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1566 kau_write(rec, tok);
1567 }
1568 break;
1569
1570 case AUE_SYMLINK:
1571 case AUE_SYMLINKAT:
1572 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1573 tok = au_to_text(ar->ar_arg_text);
1574 kau_write(rec, tok);
1575 }
1576 ATFD1_TOKENS(1);
1577 UPATH1_VNODE1_TOKENS;
1578 break;
1579
1580 case AUE_SYSCTL:
1581 case AUE_SYSCTL_NONADMIN:
1582 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1583 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1584 tok = au_to_arg32(1, "name",
1585 ar->ar_arg_ctlname[ctr]);
1586 kau_write(rec, tok);
1587 }
1588 }
1589 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1590 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1591 kau_write(rec, tok);
1592 }
1593 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1594 tok = au_to_text(ar->ar_arg_text);
1595 kau_write(rec, tok);
1596 }
1597 break;
1598
1599 case AUE_UMASK:
1600 if (ARG_IS_VALID(kar, ARG_MASK)) {
1601 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1602 kau_write(rec, tok);
1603 }
1604 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1605 kau_write(rec, tok);
1606 break;
1607
1608 case AUE_WAIT4:
1609 PROCESS_PID_TOKENS(1);
1610 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1611 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1612 kau_write(rec, tok);
1613 }
1614 break;
1615
1616 case AUE_CAP_RIGHTS_LIMIT:
1617 /*
1618 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1619 */
1620 FD_VNODE1_TOKENS;
1621 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1622 tok = au_to_rights(&ar->ar_arg_rights);
1623 kau_write(rec, tok);
1624 }
1625 break;
1626
1627 case AUE_CAP_FCNTLS_GET:
1628 case AUE_CAP_IOCTLS_GET:
1629 case AUE_CAP_IOCTLS_LIMIT:
1630 case AUE_CAP_RIGHTS_GET:
1631 if (ARG_IS_VALID(kar, ARG_FD)) {
1632 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1633 kau_write(rec, tok);
1634 }
1635 break;
1636
1637 case AUE_CAP_FCNTLS_LIMIT:
1638 FD_VNODE1_TOKENS;
1639 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1640 tok = au_to_arg32(2, "fcntlrights",
1641 ar->ar_arg_fcntl_rights);
1642 kau_write(rec, tok);
1643 }
1644 break;
1645
1646 case AUE_CAP_ENTER:
1647 case AUE_CAP_GETMODE:
1648 break;
1649
1650 case AUE_NULL:
1651 default:
1652 printf("BSM conversion requested for unknown event %d\n",
1653 ar->ar_event);
1654
1655 /*
1656 * Write the subject token so it is properly freed here.
1657 */
1658 if (jail_tok != NULL)
1659 kau_write(rec, jail_tok);
1660 kau_write(rec, subj_tok);
1661 kau_free(rec);
1662 return (BSM_NOAUDIT);
1663 }
1664
1665 if (jail_tok != NULL)
1666 kau_write(rec, jail_tok);
1667 kau_write(rec, subj_tok);
1668 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1669 kau_write(rec, tok); /* Every record gets a return token */
1670
1671 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1672
1673 *pau = rec;
1674 return (BSM_SUCCESS);
1675 }
1676
1677 /*
1678 * Verify that a record is a valid BSM record. This verification is simple
1679 * now, but may be expanded on sometime in the future. Return 1 if the
1680 * record is good, 0 otherwise.
1681 */
1682 int
1683 bsm_rec_verify(void *rec)
1684 {
1685 char c = *(char *)rec;
1686
1687 /*
1688 * Check the token ID of the first token; it has to be a header
1689 * token.
1690 *
1691 * XXXAUDIT There needs to be a token structure to map a token.
1692 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1693 */
1694 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1695 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1696 return (0);
1697 return (1);
1698 }
Cache object: ac045c452826ab71ba233abbd703432e
|