Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/security/audit/audit_bsm.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD: releng/6.2/sys/security/audit/audit_bsm.c 164286 2006-11-14 20:42:41Z cvs2svn $ 30 */ 31 32 #include <sys/param.h> 33 #include <sys/vnode.h> 34 #include <sys/ipc.h> 35 #include <sys/lock.h> 36 #include <sys/malloc.h> 37 #include <sys/mutex.h> 38 #include <sys/socket.h> 39 #include <sys/extattr.h> 40 #include <sys/fcntl.h> 41 #include <sys/user.h> 42 #include <sys/systm.h> 43 44 #include <bsm/audit.h> 45 #include <bsm/audit_internal.h> 46 #include <bsm/audit_record.h> 47 #include <bsm/audit_kevents.h> 48 49 #include <security/audit/audit.h> 50 #include <security/audit/audit_private.h> 51 52 #include <netinet/in_systm.h> 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 56 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57 58 /* 59 * Forward declares. 60 */ 61 static void audit_sys_auditon(struct audit_record *ar, 62 struct au_record *rec); 63 64 /* 65 * Initialize the BSM auditing subsystem. 66 */ 67 void 68 kau_init(void) 69 { 70 71 printf("BSM auditing present\n"); 72 au_evclassmap_init(); 73 } 74 75 /* 76 * This call reserves memory for the audit record. Memory must be guaranteed 77 * before any auditable event can be generated. The au_record structure 78 * maintains a reference to the memory allocated above and also the list of 79 * tokens associated with this record 80 */ 81 static struct au_record * 82 kau_open(void) 83 { 84 struct au_record *rec; 85 86 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 87 rec->data = NULL; 88 TAILQ_INIT(&rec->token_q); 89 rec->len = 0; 90 rec->used = 1; 91 92 return (rec); 93 } 94 95 /* 96 * Store the token with the record descriptor. 97 */ 98 static void 99 kau_write(struct au_record *rec, struct au_token *tok) 100 { 101 102 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 103 104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 105 rec->len += tok->len; 106 } 107 108 /* 109 * Close out the audit record by adding the header token, identifying any 110 * missing tokens. Write out the tokens to the record memory. 111 */ 112 static void 113 kau_close(struct au_record *rec, struct timespec *ctime, short event) 114 { 115 u_char *dptr; 116 size_t tot_rec_size; 117 token_t *cur, *hdr, *trail; 118 struct timeval tm; 119 120 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 121 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 122 /* Create the header token */ 123 tm.tv_usec = ctime->tv_nsec / 1000; 124 tm.tv_sec = ctime->tv_sec; 125 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 127 128 trail = au_to_trailer(tot_rec_size); 129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 130 131 /* Serialize token data to the record. */ 132 rec->len = tot_rec_size; 133 dptr = rec->data; 134 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 135 memcpy(dptr, cur->t_data, cur->len); 136 dptr += cur->len; 137 } 138 } 139 140 /* 141 * Free a BSM audit record by releasing all the tokens and clearing the audit 142 * record information. 143 */ 144 void 145 kau_free(struct au_record *rec) 146 { 147 struct au_token *tok; 148 149 /* Free the token list. */ 150 while ((tok = TAILQ_FIRST(&rec->token_q))) { 151 TAILQ_REMOVE(&rec->token_q, tok, tokens); 152 free(tok->t_data, M_AUDITBSM); 153 free(tok, M_AUDITBSM); 154 } 155 156 rec->used = 0; 157 rec->len = 0; 158 free(rec->data, M_AUDITBSM); 159 free(rec, M_AUDITBSM); 160 } 161 162 /* 163 * XXX May want turn some (or all) of these macros into functions in order 164 * to reduce the generated code sized. 165 * 166 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 167 * caller are OK with this. 168 */ 169 #define UPATH1_TOKENS do { \ 170 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 171 tok = au_to_path(ar->ar_arg_upath1); \ 172 kau_write(rec, tok); \ 173 } \ 174 } while (0) 175 176 #define UPATH2_TOKENS do { \ 177 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 178 tok = au_to_path(ar->ar_arg_upath2); \ 179 kau_write(rec, tok); \ 180 } \ 181 } while (0) 182 183 #define VNODE1_TOKENS do { \ 184 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 185 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 186 kau_write(rec, tok); \ 187 } \ 188 } while (0) 189 190 #define UPATH1_VNODE1_TOKENS do { \ 191 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 192 UPATH1_TOKENS; \ 193 } \ 194 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 195 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 196 kau_write(rec, tok); \ 197 } \ 198 } while (0) 199 200 #define VNODE2_TOKENS do { \ 201 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 202 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 203 kau_write(rec, tok); \ 204 } \ 205 } while (0) 206 207 #define FD_VNODE1_TOKENS do { \ 208 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 209 if (ARG_IS_VALID(kar, ARG_FD)) { \ 210 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 211 kau_write(rec, tok); \ 212 } \ 213 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 214 kau_write(rec, tok); \ 215 } else { \ 216 if (ARG_IS_VALID(kar, ARG_FD)) { \ 217 tok = au_to_arg32(1, "non-file: fd", \ 218 ar->ar_arg_fd); \ 219 kau_write(rec, tok); \ 220 } \ 221 } \ 222 } while (0) 223 224 #define PROCESS_PID_TOKENS(argn) do { \ 225 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 226 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 227 tok = au_to_process(ar->ar_arg_auid, \ 228 ar->ar_arg_euid, ar->ar_arg_egid, \ 229 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 230 ar->ar_arg_pid, ar->ar_arg_asid, \ 231 &ar->ar_arg_termid); \ 232 kau_write(rec, tok); \ 233 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 234 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 235 kau_write(rec, tok); \ 236 } \ 237 } while (0) \ 238 239 #define EXTATTR_TOKENS do { \ 240 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 241 switch (ar->ar_arg_value) { \ 242 case EXTATTR_NAMESPACE_USER: \ 243 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 244 break; \ 245 case EXTATTR_NAMESPACE_SYSTEM: \ 246 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 247 break; \ 248 default: \ 249 tok = au_to_arg32(3, "attrnamespace", \ 250 ar->ar_arg_value); \ 251 break; \ 252 } \ 253 kau_write(rec, tok); \ 254 } \ 255 /* attrname is in the text field */ \ 256 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 257 tok = au_to_text(ar->ar_arg_text); \ 258 kau_write(rec, tok); \ 259 } \ 260 } while (0) 261 262 /* 263 * Implement auditing for the auditon() system call. The audit tokens that 264 * are generated depend on the command that was sent into the auditon() 265 * system call. 266 */ 267 static void 268 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 269 { 270 struct au_token *tok; 271 272 switch (ar->ar_arg_cmd) { 273 case A_SETPOLICY: 274 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 275 tok = au_to_arg64(1, "policy", 276 ar->ar_arg_auditon.au_flags); 277 else 278 tok = au_to_arg32(1, "policy", 279 ar->ar_arg_auditon.au_flags); 280 kau_write(rec, tok); 281 break; 282 283 case A_SETKMASK: 284 tok = au_to_arg32(2, "setkmask:as_success", 285 ar->ar_arg_auditon.au_mask.am_success); 286 kau_write(rec, tok); 287 tok = au_to_arg32(2, "setkmask:as_failure", 288 ar->ar_arg_auditon.au_mask.am_failure); 289 kau_write(rec, tok); 290 break; 291 292 case A_SETQCTRL: 293 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 294 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 295 kau_write(rec, tok); 296 tok = au_to_arg32(3, "setqctrl:aq_lowater", 297 ar->ar_arg_auditon.au_qctrl.aq_lowater); 298 kau_write(rec, tok); 299 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 300 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 301 kau_write(rec, tok); 302 tok = au_to_arg32(3, "setqctrl:aq_delay", 303 ar->ar_arg_auditon.au_qctrl.aq_delay); 304 kau_write(rec, tok); 305 tok = au_to_arg32(3, "setqctrl:aq_minfree", 306 ar->ar_arg_auditon.au_qctrl.aq_minfree); 307 kau_write(rec, tok); 308 break; 309 310 case A_SETUMASK: 311 tok = au_to_arg32(3, "setumask:as_success", 312 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 313 kau_write(rec, tok); 314 tok = au_to_arg32(3, "setumask:as_failure", 315 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 316 kau_write(rec, tok); 317 break; 318 319 case A_SETSMASK: 320 tok = au_to_arg32(3, "setsmask:as_success", 321 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 322 kau_write(rec, tok); 323 tok = au_to_arg32(3, "setsmask:as_failure", 324 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 325 kau_write(rec, tok); 326 break; 327 328 case A_SETCOND: 329 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 330 tok = au_to_arg64(3, "setcond", 331 ar->ar_arg_auditon.au_cond); 332 else 333 tok = au_to_arg32(3, "setcond", 334 ar->ar_arg_auditon.au_cond); 335 kau_write(rec, tok); 336 break; 337 338 case A_SETCLASS: 339 tok = au_to_arg32(2, "setclass:ec_event", 340 ar->ar_arg_auditon.au_evclass.ec_number); 341 kau_write(rec, tok); 342 tok = au_to_arg32(3, "setclass:ec_class", 343 ar->ar_arg_auditon.au_evclass.ec_class); 344 kau_write(rec, tok); 345 break; 346 347 case A_SETPMASK: 348 tok = au_to_arg32(2, "setpmask:as_success", 349 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 350 kau_write(rec, tok); 351 tok = au_to_arg32(2, "setpmask:as_failure", 352 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 353 kau_write(rec, tok); 354 break; 355 356 case A_SETFSIZE: 357 tok = au_to_arg32(2, "setfsize:filesize", 358 ar->ar_arg_auditon.au_fstat.af_filesz); 359 kau_write(rec, tok); 360 break; 361 362 default: 363 break; 364 } 365 } 366 367 /* 368 * Convert an internal kernel audit record to a BSM record and return a 369 * success/failure indicator. The BSM record is passed as an out parameter to 370 * this function. 371 * 372 * Return conditions: 373 * BSM_SUCCESS: The BSM record is valid 374 * BSM_FAILURE: Failure; the BSM record is NULL. 375 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 376 */ 377 int 378 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 379 { 380 struct au_token *tok, *subj_tok; 381 struct au_record *rec; 382 au_tid_t tid; 383 struct audit_record *ar; 384 int ctr; 385 386 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 387 388 *pau = NULL; 389 ar = &kar->k_ar; 390 rec = kau_open(); 391 392 /* Create the subject token */ 393 tid.port = ar->ar_subj_term.port; 394 tid.machine = ar->ar_subj_term.machine; 395 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 396 ar->ar_subj_cred.cr_uid, /* eff uid */ 397 ar->ar_subj_egid, /* eff group id */ 398 ar->ar_subj_ruid, /* real uid */ 399 ar->ar_subj_rgid, /* real group id */ 400 ar->ar_subj_pid, /* process id */ 401 ar->ar_subj_asid, /* session ID */ 402 &tid); 403 404 /* 405 * The logic inside each case fills in the tokens required for the 406 * event, except for the header, trailer, and return tokens. The 407 * header and trailer tokens are added by the kau_close() function. 408 * The return token is added outside of the switch statement. 409 */ 410 switch(ar->ar_event) { 411 case AUE_ACCEPT: 412 case AUE_BIND: 413 case AUE_CONNECT: 414 case AUE_RECV: 415 case AUE_RECVFROM: 416 case AUE_RECVMSG: 417 case AUE_SEND: 418 case AUE_SENDFILE: 419 case AUE_SENDMSG: 420 case AUE_SENDTO: 421 /* 422 * Socket-related events. 423 */ 424 if (ARG_IS_VALID(kar, ARG_FD)) { 425 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 426 kau_write(rec, tok); 427 } 428 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 429 tok = au_to_sock_inet((struct sockaddr_in *) 430 &ar->ar_arg_sockaddr); 431 kau_write(rec, tok); 432 } 433 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 434 tok = au_to_sock_unix((struct sockaddr_un *) 435 &ar->ar_arg_sockaddr); 436 kau_write(rec, tok); 437 UPATH1_TOKENS; 438 } 439 /* XXX Need to handle ARG_SADDRINET6 */ 440 break; 441 442 case AUE_SOCKET: 443 case AUE_SOCKETPAIR: 444 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 445 tok = au_to_arg32(1,"domain", 446 ar->ar_arg_sockinfo.so_domain); 447 kau_write(rec, tok); 448 tok = au_to_arg32(2,"type", 449 ar->ar_arg_sockinfo.so_type); 450 kau_write(rec, tok); 451 tok = au_to_arg32(3,"protocol", 452 ar->ar_arg_sockinfo.so_protocol); 453 kau_write(rec, tok); 454 } 455 break; 456 457 case AUE_SETSOCKOPT: 458 case AUE_SHUTDOWN: 459 if (ARG_IS_VALID(kar, ARG_FD)) { 460 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 461 kau_write(rec, tok); 462 } 463 break; 464 465 case AUE_ACCT: 466 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 467 UPATH1_VNODE1_TOKENS; 468 } else { 469 tok = au_to_arg32(1, "accounting off", 0); 470 kau_write(rec, tok); 471 } 472 break; 473 474 case AUE_SETAUID: 475 if (ARG_IS_VALID(kar, ARG_AUID)) { 476 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 477 kau_write(rec, tok); 478 } 479 break; 480 481 case AUE_SETAUDIT: 482 if (ARG_IS_VALID(kar, ARG_AUID)) { 483 tok = au_to_arg32(1, "setaudit:auid", 484 ar->ar_arg_auid); 485 kau_write(rec, tok); 486 tok = au_to_arg32(1, "setaudit:port", 487 ar->ar_arg_termid.port); 488 kau_write(rec, tok); 489 tok = au_to_arg32(1, "setaudit:machine", 490 ar->ar_arg_termid.machine); 491 kau_write(rec, tok); 492 tok = au_to_arg32(1, "setaudit:as_success", 493 ar->ar_arg_amask.am_success); 494 kau_write(rec, tok); 495 tok = au_to_arg32(1, "setaudit:as_failure", 496 ar->ar_arg_amask.am_failure); 497 kau_write(rec, tok); 498 tok = au_to_arg32(1, "setaudit:asid", 499 ar->ar_arg_asid); 500 kau_write(rec, tok); 501 } 502 break; 503 504 case AUE_SETAUDIT_ADDR: 505 break; /* XXX need to add arguments */ 506 507 case AUE_AUDITON: 508 /* 509 * For AUDITON commands without own event, audit the cmd. 510 */ 511 if (ARG_IS_VALID(kar, ARG_CMD)) { 512 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 513 kau_write(rec, tok); 514 } 515 /* fall thru */ 516 517 case AUE_AUDITON_GETCAR: 518 case AUE_AUDITON_GETCLASS: 519 case AUE_AUDITON_GETCOND: 520 case AUE_AUDITON_GETCWD: 521 case AUE_AUDITON_GETKMASK: 522 case AUE_AUDITON_GETSTAT: 523 case AUE_AUDITON_GPOLICY: 524 case AUE_AUDITON_GQCTRL: 525 case AUE_AUDITON_SETCLASS: 526 case AUE_AUDITON_SETCOND: 527 case AUE_AUDITON_SETKMASK: 528 case AUE_AUDITON_SETSMASK: 529 case AUE_AUDITON_SETSTAT: 530 case AUE_AUDITON_SETUMASK: 531 case AUE_AUDITON_SPOLICY: 532 case AUE_AUDITON_SQCTRL: 533 if (ARG_IS_VALID(kar, ARG_AUDITON)) 534 audit_sys_auditon(ar, rec); 535 break; 536 537 case AUE_AUDITCTL: 538 UPATH1_VNODE1_TOKENS; 539 break; 540 541 case AUE_EXIT: 542 if (ARG_IS_VALID(kar, ARG_EXIT)) { 543 tok = au_to_exit(ar->ar_arg_exitretval, 544 ar->ar_arg_exitstatus); 545 kau_write(rec, tok); 546 } 547 break; 548 549 case AUE_ADJTIME: 550 case AUE_CLOCK_SETTIME: 551 case AUE_AUDIT: 552 case AUE_DUP2: 553 case AUE_GETAUDIT: 554 case AUE_GETAUDIT_ADDR: 555 case AUE_GETAUID: 556 case AUE_GETCWD: 557 case AUE_GETFSSTAT: 558 case AUE_GETRESUID: 559 case AUE_GETRESGID: 560 case AUE_KQUEUE: 561 case AUE_LSEEK: 562 case AUE_MODLOAD: 563 case AUE_MODUNLOAD: 564 case AUE_MSGSYS: 565 case AUE_NFS_SVC: 566 case AUE_NTP_ADJTIME: 567 case AUE_PIPE: 568 case AUE_PROFILE: 569 case AUE_RTPRIO: 570 case AUE_SEMSYS: 571 case AUE_SHMSYS: 572 case AUE_SETPGRP: 573 case AUE_SETRLIMIT: 574 case AUE_SETSID: 575 case AUE_SETTIMEOFDAY: 576 case AUE_SYSARCH: 577 578 /* 579 * Header, subject, and return tokens added at end. 580 */ 581 break; 582 583 case AUE_MKFIFO: 584 if (ARG_IS_VALID(kar, ARG_MODE)) { 585 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 586 kau_write(rec, tok); 587 } 588 /* fall through */ 589 case AUE_ACCESS: 590 case AUE_CHDIR: 591 case AUE_CHROOT: 592 case AUE_EACCESS: 593 case AUE_GETATTRLIST: 594 case AUE_JAIL: 595 case AUE_LUTIMES: 596 case AUE_NFS_GETFH: 597 case AUE_LSTAT: 598 case AUE_PATHCONF: 599 case AUE_READLINK: 600 case AUE_REVOKE: 601 case AUE_RMDIR: 602 case AUE_SEARCHFS: 603 case AUE_SETATTRLIST: 604 case AUE_STAT: 605 case AUE_STATFS: 606 case AUE_SWAPON: 607 case AUE_SWAPOFF: 608 case AUE_TRUNCATE: 609 case AUE_UNDELETE: 610 case AUE_UNLINK: 611 case AUE_UTIMES: 612 UPATH1_VNODE1_TOKENS; 613 break; 614 615 case AUE_FHSTATFS: 616 case AUE_FHOPEN: 617 case AUE_FHSTAT: 618 /* XXXRW: Need to audit vnode argument. */ 619 break; 620 621 case AUE_CHFLAGS: 622 case AUE_LCHFLAGS: 623 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 624 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 625 kau_write(rec, tok); 626 } 627 UPATH1_VNODE1_TOKENS; 628 break; 629 630 case AUE_CHMOD: 631 case AUE_LCHMOD: 632 if (ARG_IS_VALID(kar, ARG_MODE)) { 633 tok = au_to_arg32(2, "new file mode", 634 ar->ar_arg_mode); 635 kau_write(rec, tok); 636 } 637 UPATH1_VNODE1_TOKENS; 638 break; 639 640 case AUE_CHOWN: 641 case AUE_LCHOWN: 642 if (ARG_IS_VALID(kar, ARG_UID)) { 643 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 644 kau_write(rec, tok); 645 } 646 if (ARG_IS_VALID(kar, ARG_GID)) { 647 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 648 kau_write(rec, tok); 649 } 650 UPATH1_VNODE1_TOKENS; 651 break; 652 653 case AUE_EXCHANGEDATA: 654 UPATH1_VNODE1_TOKENS; 655 UPATH2_TOKENS; 656 break; 657 658 case AUE_CLOSE: 659 if (ARG_IS_VALID(kar, ARG_FD)) { 660 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 661 kau_write(rec, tok); 662 } 663 UPATH1_VNODE1_TOKENS; 664 break; 665 666 case AUE_EXTATTRCTL: 667 UPATH1_VNODE1_TOKENS; 668 if (ARG_IS_VALID(kar, ARG_CMD)) { 669 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 670 kau_write(rec, tok); 671 } 672 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 673 UPATH2_TOKENS; 674 VNODE2_TOKENS; 675 EXTATTR_TOKENS; 676 break; 677 678 case AUE_EXTATTR_GET_FILE: 679 case AUE_EXTATTR_SET_FILE: 680 case AUE_EXTATTR_LIST_FILE: 681 case AUE_EXTATTR_DELETE_FILE: 682 case AUE_EXTATTR_GET_LINK: 683 case AUE_EXTATTR_SET_LINK: 684 case AUE_EXTATTR_LIST_LINK: 685 case AUE_EXTATTR_DELETE_LINK: 686 UPATH1_VNODE1_TOKENS; 687 EXTATTR_TOKENS; 688 break; 689 690 case AUE_EXTATTR_GET_FD: 691 case AUE_EXTATTR_SET_FD: 692 case AUE_EXTATTR_LIST_FD: 693 case AUE_EXTATTR_DELETE_FD: 694 if (ARG_IS_VALID(kar, ARG_FD)) { 695 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 696 kau_write(rec, tok); 697 } 698 EXTATTR_TOKENS; 699 break; 700 701 case AUE_EXECVE: 702 if (ARG_IS_VALID(kar, ARG_ARGV)) { 703 tok = au_to_exec_args(ar->ar_arg_argv, 704 ar->ar_arg_argc); 705 kau_write(rec, tok); 706 } 707 if (ARG_IS_VALID(kar, ARG_ENVV)) { 708 tok = au_to_exec_env(ar->ar_arg_envv, 709 ar->ar_arg_envc); 710 kau_write(rec, tok); 711 } 712 UPATH1_VNODE1_TOKENS; 713 break; 714 715 case AUE_FCHMOD: 716 if (ARG_IS_VALID(kar, ARG_MODE)) { 717 tok = au_to_arg32(2, "new file mode", 718 ar->ar_arg_mode); 719 kau_write(rec, tok); 720 } 721 FD_VNODE1_TOKENS; 722 break; 723 724 /* 725 * XXXRW: Some of these need to handle non-vnode cases as well. 726 */ 727 case AUE_FCHDIR: 728 case AUE_FPATHCONF: 729 case AUE_FSTAT: 730 case AUE_FSTATFS: 731 case AUE_FSYNC: 732 case AUE_FTRUNCATE: 733 case AUE_FUTIMES: 734 case AUE_GETDIRENTRIES: 735 case AUE_GETDIRENTRIESATTR: 736 case AUE_POLL: 737 case AUE_READ: 738 case AUE_READV: 739 case AUE_WRITE: 740 case AUE_WRITEV: 741 FD_VNODE1_TOKENS; 742 break; 743 744 case AUE_FCHOWN: 745 if (ARG_IS_VALID(kar, ARG_UID)) { 746 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 747 kau_write(rec, tok); 748 } 749 if (ARG_IS_VALID(kar, ARG_GID)) { 750 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 751 kau_write(rec, tok); 752 } 753 FD_VNODE1_TOKENS; 754 break; 755 756 case AUE_FCNTL: 757 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 758 ar->ar_arg_cmd == F_SETLKW) { 759 if (ARG_IS_VALID(kar, ARG_CMD)) { 760 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 761 kau_write(rec, tok); 762 } 763 FD_VNODE1_TOKENS; 764 } 765 break; 766 767 case AUE_FCHFLAGS: 768 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 769 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 770 kau_write(rec, tok); 771 } 772 FD_VNODE1_TOKENS; 773 break; 774 775 case AUE_FLOCK: 776 if (ARG_IS_VALID(kar, ARG_CMD)) { 777 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 778 kau_write(rec, tok); 779 } 780 FD_VNODE1_TOKENS; 781 break; 782 783 case AUE_RFORK: 784 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 785 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 786 kau_write(rec, tok); 787 } 788 /* fall through */ 789 case AUE_FORK: 790 case AUE_VFORK: 791 if (ARG_IS_VALID(kar, ARG_PID)) { 792 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 793 kau_write(rec, tok); 794 } 795 break; 796 797 case AUE_IOCTL: 798 if (ARG_IS_VALID(kar, ARG_CMD)) { 799 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 800 kau_write(rec, tok); 801 } 802 if (ARG_IS_VALID(kar, ARG_ADDR)) { 803 tok = au_to_arg32(1, "arg", 804 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 805 kau_write(rec, tok); 806 } 807 if (ARG_IS_VALID(kar, ARG_VNODE1)) 808 FD_VNODE1_TOKENS; 809 else { 810 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 811 tok = kau_to_socket(&ar->ar_arg_sockinfo); 812 kau_write(rec, tok); 813 } else { 814 if (ARG_IS_VALID(kar, ARG_FD)) { 815 tok = au_to_arg32(1, "fd", 816 ar->ar_arg_fd); 817 kau_write(rec, tok); 818 } 819 } 820 } 821 break; 822 823 case AUE_KILL: 824 case AUE_KILLPG: 825 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 826 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 827 kau_write(rec, tok); 828 } 829 PROCESS_PID_TOKENS(1); 830 break; 831 832 case AUE_KTRACE: 833 if (ARG_IS_VALID(kar, ARG_CMD)) { 834 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 835 kau_write(rec, tok); 836 } 837 if (ARG_IS_VALID(kar, ARG_VALUE)) { 838 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 839 kau_write(rec, tok); 840 } 841 PROCESS_PID_TOKENS(4); 842 UPATH1_VNODE1_TOKENS; 843 break; 844 845 case AUE_LINK: 846 case AUE_RENAME: 847 UPATH1_VNODE1_TOKENS; 848 UPATH2_TOKENS; 849 break; 850 851 case AUE_LOADSHFILE: 852 if (ARG_IS_VALID(kar, ARG_ADDR)) { 853 tok = au_to_arg32(4, "base addr", 854 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 855 kau_write(rec, tok); 856 } 857 UPATH1_VNODE1_TOKENS; 858 break; 859 860 case AUE_MKDIR: 861 if (ARG_IS_VALID(kar, ARG_MODE)) { 862 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 863 kau_write(rec, tok); 864 } 865 UPATH1_VNODE1_TOKENS; 866 break; 867 868 case AUE_MKNOD: 869 if (ARG_IS_VALID(kar, ARG_MODE)) { 870 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 871 kau_write(rec, tok); 872 } 873 if (ARG_IS_VALID(kar, ARG_DEV)) { 874 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 875 kau_write(rec, tok); 876 } 877 UPATH1_VNODE1_TOKENS; 878 break; 879 880 case AUE_MMAP: 881 case AUE_MUNMAP: 882 case AUE_MPROTECT: 883 case AUE_MLOCK: 884 case AUE_MUNLOCK: 885 case AUE_MINHERIT: 886 if (ARG_IS_VALID(kar, ARG_ADDR)) { 887 tok = au_to_arg32(1, "addr", 888 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 889 kau_write(rec, tok); 890 } 891 if (ARG_IS_VALID(kar, ARG_LEN)) { 892 tok = au_to_arg32(2, "len", ar->ar_arg_len); 893 kau_write(rec, tok); 894 } 895 if (ar->ar_event == AUE_MMAP) 896 FD_VNODE1_TOKENS; 897 if (ar->ar_event == AUE_MPROTECT) { 898 if (ARG_IS_VALID(kar, ARG_VALUE)) { 899 tok = au_to_arg32(3, "protection", 900 ar->ar_arg_value); 901 kau_write(rec, tok); 902 } 903 } 904 if (ar->ar_event == AUE_MINHERIT) { 905 if (ARG_IS_VALID(kar, ARG_VALUE)) { 906 tok = au_to_arg32(3, "inherit", 907 ar->ar_arg_value); 908 kau_write(rec, tok); 909 } 910 } 911 break; 912 913 case AUE_MOUNT: 914 case AUE_NMOUNT: 915 /* XXX Need to handle NFS mounts */ 916 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 917 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 918 kau_write(rec, tok); 919 } 920 if (ARG_IS_VALID(kar, ARG_TEXT)) { 921 tok = au_to_text(ar->ar_arg_text); 922 kau_write(rec, tok); 923 } 924 /* fall through */ 925 926 case AUE_UMOUNT: 927 UPATH1_VNODE1_TOKENS; 928 break; 929 930 case AUE_MSGCTL: 931 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 932 /* Fall through */ 933 934 case AUE_MSGRCV: 935 case AUE_MSGSND: 936 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 937 kau_write(rec, tok); 938 if (ar->ar_errno != EINVAL) { 939 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 940 kau_write(rec, tok); 941 } 942 break; 943 944 case AUE_MSGGET: 945 if (ar->ar_errno == 0) { 946 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 947 tok = au_to_ipc(AT_IPC_MSG, 948 ar->ar_arg_svipc_id); 949 kau_write(rec, tok); 950 } 951 } 952 break; 953 954 case AUE_RESETSHFILE: 955 if (ARG_IS_VALID(kar, ARG_ADDR)) { 956 tok = au_to_arg32(1, "base addr", 957 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 958 kau_write(rec, tok); 959 } 960 break; 961 962 case AUE_OPEN_RC: 963 case AUE_OPEN_RTC: 964 case AUE_OPEN_RWC: 965 case AUE_OPEN_RWTC: 966 case AUE_OPEN_WC: 967 case AUE_OPEN_WTC: 968 case AUE_CREAT: 969 if (ARG_IS_VALID(kar, ARG_MODE)) { 970 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 971 kau_write(rec, tok); 972 } 973 /* fall through */ 974 975 case AUE_OPEN_R: 976 case AUE_OPEN_RT: 977 case AUE_OPEN_RW: 978 case AUE_OPEN_RWT: 979 case AUE_OPEN_W: 980 case AUE_OPEN_WT: 981 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 982 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 983 kau_write(rec, tok); 984 } 985 UPATH1_VNODE1_TOKENS; 986 break; 987 988 case AUE_PTRACE: 989 if (ARG_IS_VALID(kar, ARG_CMD)) { 990 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 991 kau_write(rec, tok); 992 } 993 if (ARG_IS_VALID(kar, ARG_ADDR)) { 994 tok = au_to_arg32(3, "addr", 995 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 996 kau_write(rec, tok); 997 } 998 if (ARG_IS_VALID(kar, ARG_VALUE)) { 999 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1000 kau_write(rec, tok); 1001 } 1002 PROCESS_PID_TOKENS(2); 1003 break; 1004 1005 case AUE_QUOTACTL: 1006 if (ARG_IS_VALID(kar, ARG_CMD)) { 1007 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1008 kau_write(rec, tok); 1009 } 1010 if (ARG_IS_VALID(kar, ARG_UID)) { 1011 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1012 kau_write(rec, tok); 1013 } 1014 UPATH1_VNODE1_TOKENS; 1015 break; 1016 1017 case AUE_REBOOT: 1018 if (ARG_IS_VALID(kar, ARG_CMD)) { 1019 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1020 kau_write(rec, tok); 1021 } 1022 break; 1023 1024 case AUE_SEMCTL: 1025 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 1026 /* Fall through */ 1027 1028 case AUE_SEMOP: 1029 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1030 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1031 kau_write(rec, tok); 1032 if (ar->ar_errno != EINVAL) { 1033 tok = au_to_ipc(AT_IPC_SEM, 1034 ar->ar_arg_svipc_id); 1035 kau_write(rec, tok); 1036 } 1037 } 1038 break; 1039 1040 case AUE_SEMGET: 1041 if (ar->ar_errno == 0) { 1042 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1043 tok = au_to_ipc(AT_IPC_SEM, 1044 ar->ar_arg_svipc_id); 1045 kau_write(rec, tok); 1046 } 1047 } 1048 break; 1049 1050 case AUE_SETEGID: 1051 if (ARG_IS_VALID(kar, ARG_EGID)) { 1052 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1053 kau_write(rec, tok); 1054 } 1055 break; 1056 1057 case AUE_SETEUID: 1058 if (ARG_IS_VALID(kar, ARG_EUID)) { 1059 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1060 kau_write(rec, tok); 1061 } 1062 break; 1063 1064 case AUE_SETREGID: 1065 if (ARG_IS_VALID(kar, ARG_RGID)) { 1066 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1067 kau_write(rec, tok); 1068 } 1069 if (ARG_IS_VALID(kar, ARG_EGID)) { 1070 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1071 kau_write(rec, tok); 1072 } 1073 break; 1074 1075 case AUE_SETREUID: 1076 if (ARG_IS_VALID(kar, ARG_RUID)) { 1077 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1078 kau_write(rec, tok); 1079 } 1080 if (ARG_IS_VALID(kar, ARG_EUID)) { 1081 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1082 kau_write(rec, tok); 1083 } 1084 break; 1085 1086 case AUE_SETRESGID: 1087 if (ARG_IS_VALID(kar, ARG_RGID)) { 1088 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1089 kau_write(rec, tok); 1090 } 1091 if (ARG_IS_VALID(kar, ARG_EGID)) { 1092 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1093 kau_write(rec, tok); 1094 } 1095 if (ARG_IS_VALID(kar, ARG_SGID)) { 1096 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1097 kau_write(rec, tok); 1098 } 1099 break; 1100 1101 case AUE_SETRESUID: 1102 if (ARG_IS_VALID(kar, ARG_RUID)) { 1103 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1104 kau_write(rec, tok); 1105 } 1106 if (ARG_IS_VALID(kar, ARG_EUID)) { 1107 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1108 kau_write(rec, tok); 1109 } 1110 if (ARG_IS_VALID(kar, ARG_SUID)) { 1111 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1112 kau_write(rec, tok); 1113 } 1114 break; 1115 1116 case AUE_SETGID: 1117 if (ARG_IS_VALID(kar, ARG_GID)) { 1118 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1119 kau_write(rec, tok); 1120 } 1121 break; 1122 1123 case AUE_SETUID: 1124 if (ARG_IS_VALID(kar, ARG_UID)) { 1125 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1126 kau_write(rec, tok); 1127 } 1128 break; 1129 1130 case AUE_SETGROUPS: 1131 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1132 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1133 { 1134 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1135 kau_write(rec, tok); 1136 } 1137 } 1138 break; 1139 1140 case AUE_SETLOGIN: 1141 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1142 tok = au_to_text(ar->ar_arg_text); 1143 kau_write(rec, tok); 1144 } 1145 break; 1146 1147 case AUE_SETPRIORITY: 1148 if (ARG_IS_VALID(kar, ARG_CMD)) { 1149 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1150 kau_write(rec, tok); 1151 } 1152 if (ARG_IS_VALID(kar, ARG_UID)) { 1153 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1154 kau_write(rec, tok); 1155 } 1156 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1157 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1158 kau_write(rec, tok); 1159 } 1160 break; 1161 1162 case AUE_SETPRIVEXEC: 1163 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1164 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1165 kau_write(rec, tok); 1166 } 1167 break; 1168 1169 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1170 case AUE_SHMAT: 1171 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1172 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1173 kau_write(rec, tok); 1174 /* XXXAUDIT: Does having the ipc token make sense? */ 1175 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1176 kau_write(rec, tok); 1177 } 1178 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1179 tok = au_to_arg32(2, "shmaddr", 1180 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1181 kau_write(rec, tok); 1182 } 1183 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1184 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1185 kau_write(rec, tok); 1186 } 1187 break; 1188 1189 case AUE_SHMCTL: 1190 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1191 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1192 kau_write(rec, tok); 1193 /* XXXAUDIT: Does having the ipc token make sense? */ 1194 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1195 kau_write(rec, tok); 1196 } 1197 switch (ar->ar_arg_svipc_cmd) { 1198 case IPC_STAT: 1199 ar->ar_event = AUE_SHMCTL_STAT; 1200 break; 1201 case IPC_RMID: 1202 ar->ar_event = AUE_SHMCTL_RMID; 1203 break; 1204 case IPC_SET: 1205 ar->ar_event = AUE_SHMCTL_SET; 1206 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1207 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1208 kau_write(rec, tok); 1209 } 1210 break; 1211 default: 1212 break; /* We will audit a bad command */ 1213 } 1214 break; 1215 1216 case AUE_SHMDT: 1217 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1218 tok = au_to_arg32(1, "shmaddr", 1219 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1220 kau_write(rec, tok); 1221 } 1222 break; 1223 1224 case AUE_SHMGET: 1225 /* This is unusual; the return value is in an argument token */ 1226 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1227 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1228 kau_write(rec, tok); 1229 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1230 kau_write(rec, tok); 1231 } 1232 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1233 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1234 kau_write(rec, tok); 1235 } 1236 break; 1237 1238 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1239 * and AUE_SEMUNLINK are Posix IPC */ 1240 case AUE_SHMOPEN: 1241 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1242 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1243 kau_write(rec, tok); 1244 } 1245 if (ARG_IS_VALID(kar, ARG_MODE)) { 1246 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1247 kau_write(rec, tok); 1248 } 1249 case AUE_SHMUNLINK: 1250 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1251 tok = au_to_text(ar->ar_arg_text); 1252 kau_write(rec, tok); 1253 } 1254 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1255 /* Create an ipc_perm token */ 1256 struct ipc_perm perm; 1257 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1258 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1259 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1260 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1261 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1262 perm.seq = 0; 1263 perm.key = 0; 1264 tok = au_to_ipc_perm(&perm); 1265 kau_write(rec, tok); 1266 } 1267 break; 1268 1269 case AUE_SEMOPEN: 1270 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1271 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1272 kau_write(rec, tok); 1273 } 1274 if (ARG_IS_VALID(kar, ARG_MODE)) { 1275 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1276 kau_write(rec, tok); 1277 } 1278 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1279 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1280 kau_write(rec, tok); 1281 } 1282 /* fall through */ 1283 1284 case AUE_SEMUNLINK: 1285 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1286 tok = au_to_text(ar->ar_arg_text); 1287 kau_write(rec, tok); 1288 } 1289 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1290 /* Create an ipc_perm token */ 1291 struct ipc_perm perm; 1292 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1293 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1294 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1295 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1296 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1297 perm.seq = 0; 1298 perm.key = 0; 1299 tok = au_to_ipc_perm(&perm); 1300 kau_write(rec, tok); 1301 } 1302 break; 1303 1304 case AUE_SEMCLOSE: 1305 if (ARG_IS_VALID(kar, ARG_FD)) { 1306 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1307 kau_write(rec, tok); 1308 } 1309 break; 1310 1311 case AUE_SYMLINK: 1312 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1313 tok = au_to_text(ar->ar_arg_text); 1314 kau_write(rec, tok); 1315 } 1316 UPATH1_VNODE1_TOKENS; 1317 break; 1318 1319 case AUE_SYSCTL: 1320 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1321 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1322 tok = au_to_arg32(1, "name", 1323 ar->ar_arg_ctlname[ctr]); 1324 kau_write(rec, tok); 1325 } 1326 } 1327 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1328 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1329 kau_write(rec, tok); 1330 } 1331 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1332 tok = au_to_text(ar->ar_arg_text); 1333 kau_write(rec, tok); 1334 } 1335 break; 1336 1337 case AUE_UMASK: 1338 if (ARG_IS_VALID(kar, ARG_MASK)) { 1339 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1340 kau_write(rec, tok); 1341 } 1342 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1343 kau_write(rec, tok); 1344 break; 1345 1346 case AUE_WAIT4: 1347 if (ARG_IS_VALID(kar, ARG_PID)) { 1348 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1349 kau_write(rec, tok); 1350 } 1351 break; 1352 1353 case AUE_NULL: 1354 default: 1355 printf("BSM conversion requested for unknown event %d\n", 1356 ar->ar_event); 1357 /* Write the subject token so it is properly freed here. */ 1358 kau_write(rec, subj_tok); 1359 kau_free(rec); 1360 return (BSM_NOAUDIT); 1361 } 1362 1363 kau_write(rec, subj_tok); 1364 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1365 kau_write(rec, tok); /* Every record gets a return token */ 1366 1367 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1368 1369 *pau = rec; 1370 return (BSM_SUCCESS); 1371 } 1372 1373 /* 1374 * Verify that a record is a valid BSM record. This verification is simple 1375 * now, but may be expanded on sometime in the future. Return 1 if the 1376 * record is good, 0 otherwise. 1377 */ 1378 int 1379 bsm_rec_verify(void *rec) 1380 { 1381 char c = *(char *)rec; 1382 1383 /* 1384 * Check the token ID of the first token; it has to be a header 1385 * token. 1386 * 1387 * XXXAUDIT There needs to be a token structure to map a token. 1388 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1389 */ 1390 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1391 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1392 return (0); 1393 return (1); 1394 }
Cache object: 224d85537ba9748af82d638337bc6172
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]