1 /*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $FreeBSD: releng/6.2/sys/security/audit/audit_bsm.c 164286 2006-11-14 20:42:41Z cvs2svn $
30 */
31
32 #include <sys/param.h>
33 #include <sys/vnode.h>
34 #include <sys/ipc.h>
35 #include <sys/lock.h>
36 #include <sys/malloc.h>
37 #include <sys/mutex.h>
38 #include <sys/socket.h>
39 #include <sys/extattr.h>
40 #include <sys/fcntl.h>
41 #include <sys/user.h>
42 #include <sys/systm.h>
43
44 #include <bsm/audit.h>
45 #include <bsm/audit_internal.h>
46 #include <bsm/audit_record.h>
47 #include <bsm/audit_kevents.h>
48
49 #include <security/audit/audit.h>
50 #include <security/audit/audit_private.h>
51
52 #include <netinet/in_systm.h>
53 #include <netinet/in.h>
54 #include <netinet/ip.h>
55
56 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
57
58 /*
59 * Forward declares.
60 */
61 static void audit_sys_auditon(struct audit_record *ar,
62 struct au_record *rec);
63
64 /*
65 * Initialize the BSM auditing subsystem.
66 */
67 void
68 kau_init(void)
69 {
70
71 printf("BSM auditing present\n");
72 au_evclassmap_init();
73 }
74
75 /*
76 * This call reserves memory for the audit record. Memory must be guaranteed
77 * before any auditable event can be generated. The au_record structure
78 * maintains a reference to the memory allocated above and also the list of
79 * tokens associated with this record
80 */
81 static struct au_record *
82 kau_open(void)
83 {
84 struct au_record *rec;
85
86 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
87 rec->data = NULL;
88 TAILQ_INIT(&rec->token_q);
89 rec->len = 0;
90 rec->used = 1;
91
92 return (rec);
93 }
94
95 /*
96 * Store the token with the record descriptor.
97 */
98 static void
99 kau_write(struct au_record *rec, struct au_token *tok)
100 {
101
102 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
103
104 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
105 rec->len += tok->len;
106 }
107
108 /*
109 * Close out the audit record by adding the header token, identifying any
110 * missing tokens. Write out the tokens to the record memory.
111 */
112 static void
113 kau_close(struct au_record *rec, struct timespec *ctime, short event)
114 {
115 u_char *dptr;
116 size_t tot_rec_size;
117 token_t *cur, *hdr, *trail;
118 struct timeval tm;
119
120 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
121 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
122 /* Create the header token */
123 tm.tv_usec = ctime->tv_nsec / 1000;
124 tm.tv_sec = ctime->tv_sec;
125 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
126 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
127
128 trail = au_to_trailer(tot_rec_size);
129 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
130
131 /* Serialize token data to the record. */
132 rec->len = tot_rec_size;
133 dptr = rec->data;
134 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
135 memcpy(dptr, cur->t_data, cur->len);
136 dptr += cur->len;
137 }
138 }
139
140 /*
141 * Free a BSM audit record by releasing all the tokens and clearing the audit
142 * record information.
143 */
144 void
145 kau_free(struct au_record *rec)
146 {
147 struct au_token *tok;
148
149 /* Free the token list. */
150 while ((tok = TAILQ_FIRST(&rec->token_q))) {
151 TAILQ_REMOVE(&rec->token_q, tok, tokens);
152 free(tok->t_data, M_AUDITBSM);
153 free(tok, M_AUDITBSM);
154 }
155
156 rec->used = 0;
157 rec->len = 0;
158 free(rec->data, M_AUDITBSM);
159 free(rec, M_AUDITBSM);
160 }
161
162 /*
163 * XXX May want turn some (or all) of these macros into functions in order
164 * to reduce the generated code sized.
165 *
166 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
167 * caller are OK with this.
168 */
169 #define UPATH1_TOKENS do { \
170 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
171 tok = au_to_path(ar->ar_arg_upath1); \
172 kau_write(rec, tok); \
173 } \
174 } while (0)
175
176 #define UPATH2_TOKENS do { \
177 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
178 tok = au_to_path(ar->ar_arg_upath2); \
179 kau_write(rec, tok); \
180 } \
181 } while (0)
182
183 #define VNODE1_TOKENS do { \
184 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
185 tok = au_to_attr32(&ar->ar_arg_vnode1); \
186 kau_write(rec, tok); \
187 } \
188 } while (0)
189
190 #define UPATH1_VNODE1_TOKENS do { \
191 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
192 UPATH1_TOKENS; \
193 } \
194 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
195 tok = au_to_attr32(&ar->ar_arg_vnode1); \
196 kau_write(rec, tok); \
197 } \
198 } while (0)
199
200 #define VNODE2_TOKENS do { \
201 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
202 tok = au_to_attr32(&ar->ar_arg_vnode2); \
203 kau_write(rec, tok); \
204 } \
205 } while (0)
206
207 #define FD_VNODE1_TOKENS do { \
208 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
209 if (ARG_IS_VALID(kar, ARG_FD)) { \
210 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
211 kau_write(rec, tok); \
212 } \
213 tok = au_to_attr32(&ar->ar_arg_vnode1); \
214 kau_write(rec, tok); \
215 } else { \
216 if (ARG_IS_VALID(kar, ARG_FD)) { \
217 tok = au_to_arg32(1, "non-file: fd", \
218 ar->ar_arg_fd); \
219 kau_write(rec, tok); \
220 } \
221 } \
222 } while (0)
223
224 #define PROCESS_PID_TOKENS(argn) do { \
225 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
226 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
227 tok = au_to_process(ar->ar_arg_auid, \
228 ar->ar_arg_euid, ar->ar_arg_egid, \
229 ar->ar_arg_ruid, ar->ar_arg_rgid, \
230 ar->ar_arg_pid, ar->ar_arg_asid, \
231 &ar->ar_arg_termid); \
232 kau_write(rec, tok); \
233 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
234 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
235 kau_write(rec, tok); \
236 } \
237 } while (0) \
238
239 #define EXTATTR_TOKENS do { \
240 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
241 switch (ar->ar_arg_value) { \
242 case EXTATTR_NAMESPACE_USER: \
243 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
244 break; \
245 case EXTATTR_NAMESPACE_SYSTEM: \
246 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
247 break; \
248 default: \
249 tok = au_to_arg32(3, "attrnamespace", \
250 ar->ar_arg_value); \
251 break; \
252 } \
253 kau_write(rec, tok); \
254 } \
255 /* attrname is in the text field */ \
256 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
257 tok = au_to_text(ar->ar_arg_text); \
258 kau_write(rec, tok); \
259 } \
260 } while (0)
261
262 /*
263 * Implement auditing for the auditon() system call. The audit tokens that
264 * are generated depend on the command that was sent into the auditon()
265 * system call.
266 */
267 static void
268 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
269 {
270 struct au_token *tok;
271
272 switch (ar->ar_arg_cmd) {
273 case A_SETPOLICY:
274 if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
275 tok = au_to_arg64(1, "policy",
276 ar->ar_arg_auditon.au_flags);
277 else
278 tok = au_to_arg32(1, "policy",
279 ar->ar_arg_auditon.au_flags);
280 kau_write(rec, tok);
281 break;
282
283 case A_SETKMASK:
284 tok = au_to_arg32(2, "setkmask:as_success",
285 ar->ar_arg_auditon.au_mask.am_success);
286 kau_write(rec, tok);
287 tok = au_to_arg32(2, "setkmask:as_failure",
288 ar->ar_arg_auditon.au_mask.am_failure);
289 kau_write(rec, tok);
290 break;
291
292 case A_SETQCTRL:
293 tok = au_to_arg32(3, "setqctrl:aq_hiwater",
294 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
295 kau_write(rec, tok);
296 tok = au_to_arg32(3, "setqctrl:aq_lowater",
297 ar->ar_arg_auditon.au_qctrl.aq_lowater);
298 kau_write(rec, tok);
299 tok = au_to_arg32(3, "setqctrl:aq_bufsz",
300 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
301 kau_write(rec, tok);
302 tok = au_to_arg32(3, "setqctrl:aq_delay",
303 ar->ar_arg_auditon.au_qctrl.aq_delay);
304 kau_write(rec, tok);
305 tok = au_to_arg32(3, "setqctrl:aq_minfree",
306 ar->ar_arg_auditon.au_qctrl.aq_minfree);
307 kau_write(rec, tok);
308 break;
309
310 case A_SETUMASK:
311 tok = au_to_arg32(3, "setumask:as_success",
312 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
313 kau_write(rec, tok);
314 tok = au_to_arg32(3, "setumask:as_failure",
315 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
316 kau_write(rec, tok);
317 break;
318
319 case A_SETSMASK:
320 tok = au_to_arg32(3, "setsmask:as_success",
321 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
322 kau_write(rec, tok);
323 tok = au_to_arg32(3, "setsmask:as_failure",
324 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
325 kau_write(rec, tok);
326 break;
327
328 case A_SETCOND:
329 if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
330 tok = au_to_arg64(3, "setcond",
331 ar->ar_arg_auditon.au_cond);
332 else
333 tok = au_to_arg32(3, "setcond",
334 ar->ar_arg_auditon.au_cond);
335 kau_write(rec, tok);
336 break;
337
338 case A_SETCLASS:
339 tok = au_to_arg32(2, "setclass:ec_event",
340 ar->ar_arg_auditon.au_evclass.ec_number);
341 kau_write(rec, tok);
342 tok = au_to_arg32(3, "setclass:ec_class",
343 ar->ar_arg_auditon.au_evclass.ec_class);
344 kau_write(rec, tok);
345 break;
346
347 case A_SETPMASK:
348 tok = au_to_arg32(2, "setpmask:as_success",
349 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
350 kau_write(rec, tok);
351 tok = au_to_arg32(2, "setpmask:as_failure",
352 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
353 kau_write(rec, tok);
354 break;
355
356 case A_SETFSIZE:
357 tok = au_to_arg32(2, "setfsize:filesize",
358 ar->ar_arg_auditon.au_fstat.af_filesz);
359 kau_write(rec, tok);
360 break;
361
362 default:
363 break;
364 }
365 }
366
367 /*
368 * Convert an internal kernel audit record to a BSM record and return a
369 * success/failure indicator. The BSM record is passed as an out parameter to
370 * this function.
371 *
372 * Return conditions:
373 * BSM_SUCCESS: The BSM record is valid
374 * BSM_FAILURE: Failure; the BSM record is NULL.
375 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
376 */
377 int
378 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
379 {
380 struct au_token *tok, *subj_tok;
381 struct au_record *rec;
382 au_tid_t tid;
383 struct audit_record *ar;
384 int ctr;
385
386 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
387
388 *pau = NULL;
389 ar = &kar->k_ar;
390 rec = kau_open();
391
392 /* Create the subject token */
393 tid.port = ar->ar_subj_term.port;
394 tid.machine = ar->ar_subj_term.machine;
395 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
396 ar->ar_subj_cred.cr_uid, /* eff uid */
397 ar->ar_subj_egid, /* eff group id */
398 ar->ar_subj_ruid, /* real uid */
399 ar->ar_subj_rgid, /* real group id */
400 ar->ar_subj_pid, /* process id */
401 ar->ar_subj_asid, /* session ID */
402 &tid);
403
404 /*
405 * The logic inside each case fills in the tokens required for the
406 * event, except for the header, trailer, and return tokens. The
407 * header and trailer tokens are added by the kau_close() function.
408 * The return token is added outside of the switch statement.
409 */
410 switch(ar->ar_event) {
411 case AUE_ACCEPT:
412 case AUE_BIND:
413 case AUE_CONNECT:
414 case AUE_RECV:
415 case AUE_RECVFROM:
416 case AUE_RECVMSG:
417 case AUE_SEND:
418 case AUE_SENDFILE:
419 case AUE_SENDMSG:
420 case AUE_SENDTO:
421 /*
422 * Socket-related events.
423 */
424 if (ARG_IS_VALID(kar, ARG_FD)) {
425 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
426 kau_write(rec, tok);
427 }
428 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
429 tok = au_to_sock_inet((struct sockaddr_in *)
430 &ar->ar_arg_sockaddr);
431 kau_write(rec, tok);
432 }
433 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
434 tok = au_to_sock_unix((struct sockaddr_un *)
435 &ar->ar_arg_sockaddr);
436 kau_write(rec, tok);
437 UPATH1_TOKENS;
438 }
439 /* XXX Need to handle ARG_SADDRINET6 */
440 break;
441
442 case AUE_SOCKET:
443 case AUE_SOCKETPAIR:
444 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
445 tok = au_to_arg32(1,"domain",
446 ar->ar_arg_sockinfo.so_domain);
447 kau_write(rec, tok);
448 tok = au_to_arg32(2,"type",
449 ar->ar_arg_sockinfo.so_type);
450 kau_write(rec, tok);
451 tok = au_to_arg32(3,"protocol",
452 ar->ar_arg_sockinfo.so_protocol);
453 kau_write(rec, tok);
454 }
455 break;
456
457 case AUE_SETSOCKOPT:
458 case AUE_SHUTDOWN:
459 if (ARG_IS_VALID(kar, ARG_FD)) {
460 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
461 kau_write(rec, tok);
462 }
463 break;
464
465 case AUE_ACCT:
466 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
467 UPATH1_VNODE1_TOKENS;
468 } else {
469 tok = au_to_arg32(1, "accounting off", 0);
470 kau_write(rec, tok);
471 }
472 break;
473
474 case AUE_SETAUID:
475 if (ARG_IS_VALID(kar, ARG_AUID)) {
476 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
477 kau_write(rec, tok);
478 }
479 break;
480
481 case AUE_SETAUDIT:
482 if (ARG_IS_VALID(kar, ARG_AUID)) {
483 tok = au_to_arg32(1, "setaudit:auid",
484 ar->ar_arg_auid);
485 kau_write(rec, tok);
486 tok = au_to_arg32(1, "setaudit:port",
487 ar->ar_arg_termid.port);
488 kau_write(rec, tok);
489 tok = au_to_arg32(1, "setaudit:machine",
490 ar->ar_arg_termid.machine);
491 kau_write(rec, tok);
492 tok = au_to_arg32(1, "setaudit:as_success",
493 ar->ar_arg_amask.am_success);
494 kau_write(rec, tok);
495 tok = au_to_arg32(1, "setaudit:as_failure",
496 ar->ar_arg_amask.am_failure);
497 kau_write(rec, tok);
498 tok = au_to_arg32(1, "setaudit:asid",
499 ar->ar_arg_asid);
500 kau_write(rec, tok);
501 }
502 break;
503
504 case AUE_SETAUDIT_ADDR:
505 break; /* XXX need to add arguments */
506
507 case AUE_AUDITON:
508 /*
509 * For AUDITON commands without own event, audit the cmd.
510 */
511 if (ARG_IS_VALID(kar, ARG_CMD)) {
512 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
513 kau_write(rec, tok);
514 }
515 /* fall thru */
516
517 case AUE_AUDITON_GETCAR:
518 case AUE_AUDITON_GETCLASS:
519 case AUE_AUDITON_GETCOND:
520 case AUE_AUDITON_GETCWD:
521 case AUE_AUDITON_GETKMASK:
522 case AUE_AUDITON_GETSTAT:
523 case AUE_AUDITON_GPOLICY:
524 case AUE_AUDITON_GQCTRL:
525 case AUE_AUDITON_SETCLASS:
526 case AUE_AUDITON_SETCOND:
527 case AUE_AUDITON_SETKMASK:
528 case AUE_AUDITON_SETSMASK:
529 case AUE_AUDITON_SETSTAT:
530 case AUE_AUDITON_SETUMASK:
531 case AUE_AUDITON_SPOLICY:
532 case AUE_AUDITON_SQCTRL:
533 if (ARG_IS_VALID(kar, ARG_AUDITON))
534 audit_sys_auditon(ar, rec);
535 break;
536
537 case AUE_AUDITCTL:
538 UPATH1_VNODE1_TOKENS;
539 break;
540
541 case AUE_EXIT:
542 if (ARG_IS_VALID(kar, ARG_EXIT)) {
543 tok = au_to_exit(ar->ar_arg_exitretval,
544 ar->ar_arg_exitstatus);
545 kau_write(rec, tok);
546 }
547 break;
548
549 case AUE_ADJTIME:
550 case AUE_CLOCK_SETTIME:
551 case AUE_AUDIT:
552 case AUE_DUP2:
553 case AUE_GETAUDIT:
554 case AUE_GETAUDIT_ADDR:
555 case AUE_GETAUID:
556 case AUE_GETCWD:
557 case AUE_GETFSSTAT:
558 case AUE_GETRESUID:
559 case AUE_GETRESGID:
560 case AUE_KQUEUE:
561 case AUE_LSEEK:
562 case AUE_MODLOAD:
563 case AUE_MODUNLOAD:
564 case AUE_MSGSYS:
565 case AUE_NFS_SVC:
566 case AUE_NTP_ADJTIME:
567 case AUE_PIPE:
568 case AUE_PROFILE:
569 case AUE_RTPRIO:
570 case AUE_SEMSYS:
571 case AUE_SHMSYS:
572 case AUE_SETPGRP:
573 case AUE_SETRLIMIT:
574 case AUE_SETSID:
575 case AUE_SETTIMEOFDAY:
576 case AUE_SYSARCH:
577
578 /*
579 * Header, subject, and return tokens added at end.
580 */
581 break;
582
583 case AUE_MKFIFO:
584 if (ARG_IS_VALID(kar, ARG_MODE)) {
585 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
586 kau_write(rec, tok);
587 }
588 /* fall through */
589 case AUE_ACCESS:
590 case AUE_CHDIR:
591 case AUE_CHROOT:
592 case AUE_EACCESS:
593 case AUE_GETATTRLIST:
594 case AUE_JAIL:
595 case AUE_LUTIMES:
596 case AUE_NFS_GETFH:
597 case AUE_LSTAT:
598 case AUE_PATHCONF:
599 case AUE_READLINK:
600 case AUE_REVOKE:
601 case AUE_RMDIR:
602 case AUE_SEARCHFS:
603 case AUE_SETATTRLIST:
604 case AUE_STAT:
605 case AUE_STATFS:
606 case AUE_SWAPON:
607 case AUE_SWAPOFF:
608 case AUE_TRUNCATE:
609 case AUE_UNDELETE:
610 case AUE_UNLINK:
611 case AUE_UTIMES:
612 UPATH1_VNODE1_TOKENS;
613 break;
614
615 case AUE_FHSTATFS:
616 case AUE_FHOPEN:
617 case AUE_FHSTAT:
618 /* XXXRW: Need to audit vnode argument. */
619 break;
620
621 case AUE_CHFLAGS:
622 case AUE_LCHFLAGS:
623 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
624 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
625 kau_write(rec, tok);
626 }
627 UPATH1_VNODE1_TOKENS;
628 break;
629
630 case AUE_CHMOD:
631 case AUE_LCHMOD:
632 if (ARG_IS_VALID(kar, ARG_MODE)) {
633 tok = au_to_arg32(2, "new file mode",
634 ar->ar_arg_mode);
635 kau_write(rec, tok);
636 }
637 UPATH1_VNODE1_TOKENS;
638 break;
639
640 case AUE_CHOWN:
641 case AUE_LCHOWN:
642 if (ARG_IS_VALID(kar, ARG_UID)) {
643 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
644 kau_write(rec, tok);
645 }
646 if (ARG_IS_VALID(kar, ARG_GID)) {
647 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
648 kau_write(rec, tok);
649 }
650 UPATH1_VNODE1_TOKENS;
651 break;
652
653 case AUE_EXCHANGEDATA:
654 UPATH1_VNODE1_TOKENS;
655 UPATH2_TOKENS;
656 break;
657
658 case AUE_CLOSE:
659 if (ARG_IS_VALID(kar, ARG_FD)) {
660 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
661 kau_write(rec, tok);
662 }
663 UPATH1_VNODE1_TOKENS;
664 break;
665
666 case AUE_EXTATTRCTL:
667 UPATH1_VNODE1_TOKENS;
668 if (ARG_IS_VALID(kar, ARG_CMD)) {
669 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
670 kau_write(rec, tok);
671 }
672 /* extattrctl(2) filename parameter is in upath2/vnode2 */
673 UPATH2_TOKENS;
674 VNODE2_TOKENS;
675 EXTATTR_TOKENS;
676 break;
677
678 case AUE_EXTATTR_GET_FILE:
679 case AUE_EXTATTR_SET_FILE:
680 case AUE_EXTATTR_LIST_FILE:
681 case AUE_EXTATTR_DELETE_FILE:
682 case AUE_EXTATTR_GET_LINK:
683 case AUE_EXTATTR_SET_LINK:
684 case AUE_EXTATTR_LIST_LINK:
685 case AUE_EXTATTR_DELETE_LINK:
686 UPATH1_VNODE1_TOKENS;
687 EXTATTR_TOKENS;
688 break;
689
690 case AUE_EXTATTR_GET_FD:
691 case AUE_EXTATTR_SET_FD:
692 case AUE_EXTATTR_LIST_FD:
693 case AUE_EXTATTR_DELETE_FD:
694 if (ARG_IS_VALID(kar, ARG_FD)) {
695 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
696 kau_write(rec, tok);
697 }
698 EXTATTR_TOKENS;
699 break;
700
701 case AUE_EXECVE:
702 if (ARG_IS_VALID(kar, ARG_ARGV)) {
703 tok = au_to_exec_args(ar->ar_arg_argv,
704 ar->ar_arg_argc);
705 kau_write(rec, tok);
706 }
707 if (ARG_IS_VALID(kar, ARG_ENVV)) {
708 tok = au_to_exec_env(ar->ar_arg_envv,
709 ar->ar_arg_envc);
710 kau_write(rec, tok);
711 }
712 UPATH1_VNODE1_TOKENS;
713 break;
714
715 case AUE_FCHMOD:
716 if (ARG_IS_VALID(kar, ARG_MODE)) {
717 tok = au_to_arg32(2, "new file mode",
718 ar->ar_arg_mode);
719 kau_write(rec, tok);
720 }
721 FD_VNODE1_TOKENS;
722 break;
723
724 /*
725 * XXXRW: Some of these need to handle non-vnode cases as well.
726 */
727 case AUE_FCHDIR:
728 case AUE_FPATHCONF:
729 case AUE_FSTAT:
730 case AUE_FSTATFS:
731 case AUE_FSYNC:
732 case AUE_FTRUNCATE:
733 case AUE_FUTIMES:
734 case AUE_GETDIRENTRIES:
735 case AUE_GETDIRENTRIESATTR:
736 case AUE_POLL:
737 case AUE_READ:
738 case AUE_READV:
739 case AUE_WRITE:
740 case AUE_WRITEV:
741 FD_VNODE1_TOKENS;
742 break;
743
744 case AUE_FCHOWN:
745 if (ARG_IS_VALID(kar, ARG_UID)) {
746 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
747 kau_write(rec, tok);
748 }
749 if (ARG_IS_VALID(kar, ARG_GID)) {
750 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
751 kau_write(rec, tok);
752 }
753 FD_VNODE1_TOKENS;
754 break;
755
756 case AUE_FCNTL:
757 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
758 ar->ar_arg_cmd == F_SETLKW) {
759 if (ARG_IS_VALID(kar, ARG_CMD)) {
760 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
761 kau_write(rec, tok);
762 }
763 FD_VNODE1_TOKENS;
764 }
765 break;
766
767 case AUE_FCHFLAGS:
768 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
769 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
770 kau_write(rec, tok);
771 }
772 FD_VNODE1_TOKENS;
773 break;
774
775 case AUE_FLOCK:
776 if (ARG_IS_VALID(kar, ARG_CMD)) {
777 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
778 kau_write(rec, tok);
779 }
780 FD_VNODE1_TOKENS;
781 break;
782
783 case AUE_RFORK:
784 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
785 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
786 kau_write(rec, tok);
787 }
788 /* fall through */
789 case AUE_FORK:
790 case AUE_VFORK:
791 if (ARG_IS_VALID(kar, ARG_PID)) {
792 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
793 kau_write(rec, tok);
794 }
795 break;
796
797 case AUE_IOCTL:
798 if (ARG_IS_VALID(kar, ARG_CMD)) {
799 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
800 kau_write(rec, tok);
801 }
802 if (ARG_IS_VALID(kar, ARG_ADDR)) {
803 tok = au_to_arg32(1, "arg",
804 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
805 kau_write(rec, tok);
806 }
807 if (ARG_IS_VALID(kar, ARG_VNODE1))
808 FD_VNODE1_TOKENS;
809 else {
810 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
811 tok = kau_to_socket(&ar->ar_arg_sockinfo);
812 kau_write(rec, tok);
813 } else {
814 if (ARG_IS_VALID(kar, ARG_FD)) {
815 tok = au_to_arg32(1, "fd",
816 ar->ar_arg_fd);
817 kau_write(rec, tok);
818 }
819 }
820 }
821 break;
822
823 case AUE_KILL:
824 case AUE_KILLPG:
825 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
826 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
827 kau_write(rec, tok);
828 }
829 PROCESS_PID_TOKENS(1);
830 break;
831
832 case AUE_KTRACE:
833 if (ARG_IS_VALID(kar, ARG_CMD)) {
834 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
835 kau_write(rec, tok);
836 }
837 if (ARG_IS_VALID(kar, ARG_VALUE)) {
838 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
839 kau_write(rec, tok);
840 }
841 PROCESS_PID_TOKENS(4);
842 UPATH1_VNODE1_TOKENS;
843 break;
844
845 case AUE_LINK:
846 case AUE_RENAME:
847 UPATH1_VNODE1_TOKENS;
848 UPATH2_TOKENS;
849 break;
850
851 case AUE_LOADSHFILE:
852 if (ARG_IS_VALID(kar, ARG_ADDR)) {
853 tok = au_to_arg32(4, "base addr",
854 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
855 kau_write(rec, tok);
856 }
857 UPATH1_VNODE1_TOKENS;
858 break;
859
860 case AUE_MKDIR:
861 if (ARG_IS_VALID(kar, ARG_MODE)) {
862 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
863 kau_write(rec, tok);
864 }
865 UPATH1_VNODE1_TOKENS;
866 break;
867
868 case AUE_MKNOD:
869 if (ARG_IS_VALID(kar, ARG_MODE)) {
870 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
871 kau_write(rec, tok);
872 }
873 if (ARG_IS_VALID(kar, ARG_DEV)) {
874 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
875 kau_write(rec, tok);
876 }
877 UPATH1_VNODE1_TOKENS;
878 break;
879
880 case AUE_MMAP:
881 case AUE_MUNMAP:
882 case AUE_MPROTECT:
883 case AUE_MLOCK:
884 case AUE_MUNLOCK:
885 case AUE_MINHERIT:
886 if (ARG_IS_VALID(kar, ARG_ADDR)) {
887 tok = au_to_arg32(1, "addr",
888 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
889 kau_write(rec, tok);
890 }
891 if (ARG_IS_VALID(kar, ARG_LEN)) {
892 tok = au_to_arg32(2, "len", ar->ar_arg_len);
893 kau_write(rec, tok);
894 }
895 if (ar->ar_event == AUE_MMAP)
896 FD_VNODE1_TOKENS;
897 if (ar->ar_event == AUE_MPROTECT) {
898 if (ARG_IS_VALID(kar, ARG_VALUE)) {
899 tok = au_to_arg32(3, "protection",
900 ar->ar_arg_value);
901 kau_write(rec, tok);
902 }
903 }
904 if (ar->ar_event == AUE_MINHERIT) {
905 if (ARG_IS_VALID(kar, ARG_VALUE)) {
906 tok = au_to_arg32(3, "inherit",
907 ar->ar_arg_value);
908 kau_write(rec, tok);
909 }
910 }
911 break;
912
913 case AUE_MOUNT:
914 case AUE_NMOUNT:
915 /* XXX Need to handle NFS mounts */
916 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
917 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
918 kau_write(rec, tok);
919 }
920 if (ARG_IS_VALID(kar, ARG_TEXT)) {
921 tok = au_to_text(ar->ar_arg_text);
922 kau_write(rec, tok);
923 }
924 /* fall through */
925
926 case AUE_UMOUNT:
927 UPATH1_VNODE1_TOKENS;
928 break;
929
930 case AUE_MSGCTL:
931 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd);
932 /* Fall through */
933
934 case AUE_MSGRCV:
935 case AUE_MSGSND:
936 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
937 kau_write(rec, tok);
938 if (ar->ar_errno != EINVAL) {
939 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
940 kau_write(rec, tok);
941 }
942 break;
943
944 case AUE_MSGGET:
945 if (ar->ar_errno == 0) {
946 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
947 tok = au_to_ipc(AT_IPC_MSG,
948 ar->ar_arg_svipc_id);
949 kau_write(rec, tok);
950 }
951 }
952 break;
953
954 case AUE_RESETSHFILE:
955 if (ARG_IS_VALID(kar, ARG_ADDR)) {
956 tok = au_to_arg32(1, "base addr",
957 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
958 kau_write(rec, tok);
959 }
960 break;
961
962 case AUE_OPEN_RC:
963 case AUE_OPEN_RTC:
964 case AUE_OPEN_RWC:
965 case AUE_OPEN_RWTC:
966 case AUE_OPEN_WC:
967 case AUE_OPEN_WTC:
968 case AUE_CREAT:
969 if (ARG_IS_VALID(kar, ARG_MODE)) {
970 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
971 kau_write(rec, tok);
972 }
973 /* fall through */
974
975 case AUE_OPEN_R:
976 case AUE_OPEN_RT:
977 case AUE_OPEN_RW:
978 case AUE_OPEN_RWT:
979 case AUE_OPEN_W:
980 case AUE_OPEN_WT:
981 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
982 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
983 kau_write(rec, tok);
984 }
985 UPATH1_VNODE1_TOKENS;
986 break;
987
988 case AUE_PTRACE:
989 if (ARG_IS_VALID(kar, ARG_CMD)) {
990 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
991 kau_write(rec, tok);
992 }
993 if (ARG_IS_VALID(kar, ARG_ADDR)) {
994 tok = au_to_arg32(3, "addr",
995 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
996 kau_write(rec, tok);
997 }
998 if (ARG_IS_VALID(kar, ARG_VALUE)) {
999 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1000 kau_write(rec, tok);
1001 }
1002 PROCESS_PID_TOKENS(2);
1003 break;
1004
1005 case AUE_QUOTACTL:
1006 if (ARG_IS_VALID(kar, ARG_CMD)) {
1007 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1008 kau_write(rec, tok);
1009 }
1010 if (ARG_IS_VALID(kar, ARG_UID)) {
1011 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1012 kau_write(rec, tok);
1013 }
1014 UPATH1_VNODE1_TOKENS;
1015 break;
1016
1017 case AUE_REBOOT:
1018 if (ARG_IS_VALID(kar, ARG_CMD)) {
1019 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1020 kau_write(rec, tok);
1021 }
1022 break;
1023
1024 case AUE_SEMCTL:
1025 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd);
1026 /* Fall through */
1027
1028 case AUE_SEMOP:
1029 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1030 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1031 kau_write(rec, tok);
1032 if (ar->ar_errno != EINVAL) {
1033 tok = au_to_ipc(AT_IPC_SEM,
1034 ar->ar_arg_svipc_id);
1035 kau_write(rec, tok);
1036 }
1037 }
1038 break;
1039
1040 case AUE_SEMGET:
1041 if (ar->ar_errno == 0) {
1042 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1043 tok = au_to_ipc(AT_IPC_SEM,
1044 ar->ar_arg_svipc_id);
1045 kau_write(rec, tok);
1046 }
1047 }
1048 break;
1049
1050 case AUE_SETEGID:
1051 if (ARG_IS_VALID(kar, ARG_EGID)) {
1052 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1053 kau_write(rec, tok);
1054 }
1055 break;
1056
1057 case AUE_SETEUID:
1058 if (ARG_IS_VALID(kar, ARG_EUID)) {
1059 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1060 kau_write(rec, tok);
1061 }
1062 break;
1063
1064 case AUE_SETREGID:
1065 if (ARG_IS_VALID(kar, ARG_RGID)) {
1066 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1067 kau_write(rec, tok);
1068 }
1069 if (ARG_IS_VALID(kar, ARG_EGID)) {
1070 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1071 kau_write(rec, tok);
1072 }
1073 break;
1074
1075 case AUE_SETREUID:
1076 if (ARG_IS_VALID(kar, ARG_RUID)) {
1077 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1078 kau_write(rec, tok);
1079 }
1080 if (ARG_IS_VALID(kar, ARG_EUID)) {
1081 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1082 kau_write(rec, tok);
1083 }
1084 break;
1085
1086 case AUE_SETRESGID:
1087 if (ARG_IS_VALID(kar, ARG_RGID)) {
1088 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1089 kau_write(rec, tok);
1090 }
1091 if (ARG_IS_VALID(kar, ARG_EGID)) {
1092 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1093 kau_write(rec, tok);
1094 }
1095 if (ARG_IS_VALID(kar, ARG_SGID)) {
1096 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1097 kau_write(rec, tok);
1098 }
1099 break;
1100
1101 case AUE_SETRESUID:
1102 if (ARG_IS_VALID(kar, ARG_RUID)) {
1103 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1104 kau_write(rec, tok);
1105 }
1106 if (ARG_IS_VALID(kar, ARG_EUID)) {
1107 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1108 kau_write(rec, tok);
1109 }
1110 if (ARG_IS_VALID(kar, ARG_SUID)) {
1111 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1112 kau_write(rec, tok);
1113 }
1114 break;
1115
1116 case AUE_SETGID:
1117 if (ARG_IS_VALID(kar, ARG_GID)) {
1118 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1119 kau_write(rec, tok);
1120 }
1121 break;
1122
1123 case AUE_SETUID:
1124 if (ARG_IS_VALID(kar, ARG_UID)) {
1125 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1126 kau_write(rec, tok);
1127 }
1128 break;
1129
1130 case AUE_SETGROUPS:
1131 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1132 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1133 {
1134 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]);
1135 kau_write(rec, tok);
1136 }
1137 }
1138 break;
1139
1140 case AUE_SETLOGIN:
1141 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1142 tok = au_to_text(ar->ar_arg_text);
1143 kau_write(rec, tok);
1144 }
1145 break;
1146
1147 case AUE_SETPRIORITY:
1148 if (ARG_IS_VALID(kar, ARG_CMD)) {
1149 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1150 kau_write(rec, tok);
1151 }
1152 if (ARG_IS_VALID(kar, ARG_UID)) {
1153 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1154 kau_write(rec, tok);
1155 }
1156 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1157 tok = au_to_arg32(2, "priority", ar->ar_arg_value);
1158 kau_write(rec, tok);
1159 }
1160 break;
1161
1162 case AUE_SETPRIVEXEC:
1163 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1164 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1165 kau_write(rec, tok);
1166 }
1167 break;
1168
1169 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1170 case AUE_SHMAT:
1171 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1172 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1173 kau_write(rec, tok);
1174 /* XXXAUDIT: Does having the ipc token make sense? */
1175 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1176 kau_write(rec, tok);
1177 }
1178 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1179 tok = au_to_arg32(2, "shmaddr",
1180 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1181 kau_write(rec, tok);
1182 }
1183 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1184 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1185 kau_write(rec, tok);
1186 }
1187 break;
1188
1189 case AUE_SHMCTL:
1190 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1191 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1192 kau_write(rec, tok);
1193 /* XXXAUDIT: Does having the ipc token make sense? */
1194 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1195 kau_write(rec, tok);
1196 }
1197 switch (ar->ar_arg_svipc_cmd) {
1198 case IPC_STAT:
1199 ar->ar_event = AUE_SHMCTL_STAT;
1200 break;
1201 case IPC_RMID:
1202 ar->ar_event = AUE_SHMCTL_RMID;
1203 break;
1204 case IPC_SET:
1205 ar->ar_event = AUE_SHMCTL_SET;
1206 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1207 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1208 kau_write(rec, tok);
1209 }
1210 break;
1211 default:
1212 break; /* We will audit a bad command */
1213 }
1214 break;
1215
1216 case AUE_SHMDT:
1217 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1218 tok = au_to_arg32(1, "shmaddr",
1219 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1220 kau_write(rec, tok);
1221 }
1222 break;
1223
1224 case AUE_SHMGET:
1225 /* This is unusual; the return value is in an argument token */
1226 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1227 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1228 kau_write(rec, tok);
1229 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1230 kau_write(rec, tok);
1231 }
1232 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1233 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1234 kau_write(rec, tok);
1235 }
1236 break;
1237
1238 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1239 * and AUE_SEMUNLINK are Posix IPC */
1240 case AUE_SHMOPEN:
1241 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1242 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1243 kau_write(rec, tok);
1244 }
1245 if (ARG_IS_VALID(kar, ARG_MODE)) {
1246 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1247 kau_write(rec, tok);
1248 }
1249 case AUE_SHMUNLINK:
1250 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1251 tok = au_to_text(ar->ar_arg_text);
1252 kau_write(rec, tok);
1253 }
1254 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1255 /* Create an ipc_perm token */
1256 struct ipc_perm perm;
1257 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1258 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1259 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1260 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1261 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1262 perm.seq = 0;
1263 perm.key = 0;
1264 tok = au_to_ipc_perm(&perm);
1265 kau_write(rec, tok);
1266 }
1267 break;
1268
1269 case AUE_SEMOPEN:
1270 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1271 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1272 kau_write(rec, tok);
1273 }
1274 if (ARG_IS_VALID(kar, ARG_MODE)) {
1275 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1276 kau_write(rec, tok);
1277 }
1278 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1279 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1280 kau_write(rec, tok);
1281 }
1282 /* fall through */
1283
1284 case AUE_SEMUNLINK:
1285 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1286 tok = au_to_text(ar->ar_arg_text);
1287 kau_write(rec, tok);
1288 }
1289 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1290 /* Create an ipc_perm token */
1291 struct ipc_perm perm;
1292 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1293 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1294 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1295 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1296 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1297 perm.seq = 0;
1298 perm.key = 0;
1299 tok = au_to_ipc_perm(&perm);
1300 kau_write(rec, tok);
1301 }
1302 break;
1303
1304 case AUE_SEMCLOSE:
1305 if (ARG_IS_VALID(kar, ARG_FD)) {
1306 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1307 kau_write(rec, tok);
1308 }
1309 break;
1310
1311 case AUE_SYMLINK:
1312 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1313 tok = au_to_text(ar->ar_arg_text);
1314 kau_write(rec, tok);
1315 }
1316 UPATH1_VNODE1_TOKENS;
1317 break;
1318
1319 case AUE_SYSCTL:
1320 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1321 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1322 tok = au_to_arg32(1, "name",
1323 ar->ar_arg_ctlname[ctr]);
1324 kau_write(rec, tok);
1325 }
1326 }
1327 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1328 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1329 kau_write(rec, tok);
1330 }
1331 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1332 tok = au_to_text(ar->ar_arg_text);
1333 kau_write(rec, tok);
1334 }
1335 break;
1336
1337 case AUE_UMASK:
1338 if (ARG_IS_VALID(kar, ARG_MASK)) {
1339 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1340 kau_write(rec, tok);
1341 }
1342 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1343 kau_write(rec, tok);
1344 break;
1345
1346 case AUE_WAIT4:
1347 if (ARG_IS_VALID(kar, ARG_PID)) {
1348 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1349 kau_write(rec, tok);
1350 }
1351 break;
1352
1353 case AUE_NULL:
1354 default:
1355 printf("BSM conversion requested for unknown event %d\n",
1356 ar->ar_event);
1357 /* Write the subject token so it is properly freed here. */
1358 kau_write(rec, subj_tok);
1359 kau_free(rec);
1360 return (BSM_NOAUDIT);
1361 }
1362
1363 kau_write(rec, subj_tok);
1364 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
1365 kau_write(rec, tok); /* Every record gets a return token */
1366
1367 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1368
1369 *pau = rec;
1370 return (BSM_SUCCESS);
1371 }
1372
1373 /*
1374 * Verify that a record is a valid BSM record. This verification is simple
1375 * now, but may be expanded on sometime in the future. Return 1 if the
1376 * record is good, 0 otherwise.
1377 */
1378 int
1379 bsm_rec_verify(void *rec)
1380 {
1381 char c = *(char *)rec;
1382
1383 /*
1384 * Check the token ID of the first token; it has to be a header
1385 * token.
1386 *
1387 * XXXAUDIT There needs to be a token structure to map a token.
1388 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1389 */
1390 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1391 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1392 return (0);
1393 return (1);
1394 }
Cache object: 224d85537ba9748af82d638337bc6172
|