1 /*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $FreeBSD$
30 */
31
32 #include <sys/param.h>
33 #include <sys/vnode.h>
34 #include <sys/ipc.h>
35 #include <sys/lock.h>
36 #include <sys/malloc.h>
37 #include <sys/mutex.h>
38 #include <sys/socket.h>
39 #include <sys/extattr.h>
40 #include <sys/fcntl.h>
41 #include <sys/user.h>
42 #include <sys/systm.h>
43
44 #include <bsm/audit.h>
45 #include <bsm/audit_internal.h>
46 #include <bsm/audit_record.h>
47 #include <bsm/audit_kevents.h>
48
49 #include <security/audit/audit.h>
50 #include <security/audit/audit_private.h>
51
52 #include <netinet/in_systm.h>
53 #include <netinet/in.h>
54 #include <netinet/ip.h>
55
56 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
57
58 static void audit_sys_auditon(struct audit_record *ar,
59 struct au_record *rec);
60
61 /*
62 * Initialize the BSM auditing subsystem.
63 */
64 void
65 kau_init(void)
66 {
67
68 au_evclassmap_init();
69 }
70
71 /*
72 * This call reserves memory for the audit record. Memory must be guaranteed
73 * before any auditable event can be generated. The au_record structure
74 * maintains a reference to the memory allocated above and also the list of
75 * tokens associated with this record
76 */
77 static struct au_record *
78 kau_open(void)
79 {
80 struct au_record *rec;
81
82 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
83 rec->data = NULL;
84 TAILQ_INIT(&rec->token_q);
85 rec->len = 0;
86 rec->used = 1;
87
88 return (rec);
89 }
90
91 /*
92 * Store the token with the record descriptor.
93 */
94 static void
95 kau_write(struct au_record *rec, struct au_token *tok)
96 {
97
98 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
99
100 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
101 rec->len += tok->len;
102 }
103
104 /*
105 * Close out the audit record by adding the header token, identifying any
106 * missing tokens. Write out the tokens to the record memory.
107 */
108 static void
109 kau_close(struct au_record *rec, struct timespec *ctime, short event)
110 {
111 u_char *dptr;
112 size_t tot_rec_size;
113 token_t *cur, *hdr, *trail;
114 struct timeval tm;
115
116 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
117 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
118
119 tm.tv_usec = ctime->tv_nsec / 1000;
120 tm.tv_sec = ctime->tv_sec;
121 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
122 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
123
124 trail = au_to_trailer(tot_rec_size);
125 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
126
127 rec->len = tot_rec_size;
128 dptr = rec->data;
129 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
130 memcpy(dptr, cur->t_data, cur->len);
131 dptr += cur->len;
132 }
133 }
134
135 /*
136 * Free a BSM audit record by releasing all the tokens and clearing the audit
137 * record information.
138 */
139 void
140 kau_free(struct au_record *rec)
141 {
142 struct au_token *tok;
143
144 /* Free the token list. */
145 while ((tok = TAILQ_FIRST(&rec->token_q))) {
146 TAILQ_REMOVE(&rec->token_q, tok, tokens);
147 free(tok->t_data, M_AUDITBSM);
148 free(tok, M_AUDITBSM);
149 }
150
151 rec->used = 0;
152 rec->len = 0;
153 free(rec->data, M_AUDITBSM);
154 free(rec, M_AUDITBSM);
155 }
156
157 /*
158 * XXX: May want turn some (or all) of these macros into functions in order
159 * to reduce the generated code sized.
160 *
161 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
162 * caller are OK with this.
163 */
164 #define UPATH1_TOKENS do { \
165 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
166 tok = au_to_path(ar->ar_arg_upath1); \
167 kau_write(rec, tok); \
168 } \
169 } while (0)
170
171 #define UPATH2_TOKENS do { \
172 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
173 tok = au_to_path(ar->ar_arg_upath2); \
174 kau_write(rec, tok); \
175 } \
176 } while (0)
177
178 #define VNODE1_TOKENS do { \
179 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
180 tok = au_to_attr32(&ar->ar_arg_vnode1); \
181 kau_write(rec, tok); \
182 } \
183 } while (0)
184
185 #define UPATH1_VNODE1_TOKENS do { \
186 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
187 UPATH1_TOKENS; \
188 } \
189 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
190 tok = au_to_attr32(&ar->ar_arg_vnode1); \
191 kau_write(rec, tok); \
192 } \
193 } while (0)
194
195 #define VNODE2_TOKENS do { \
196 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
197 tok = au_to_attr32(&ar->ar_arg_vnode2); \
198 kau_write(rec, tok); \
199 } \
200 } while (0)
201
202 #define FD_VNODE1_TOKENS do { \
203 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
204 if (ARG_IS_VALID(kar, ARG_FD)) { \
205 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
206 kau_write(rec, tok); \
207 } \
208 tok = au_to_attr32(&ar->ar_arg_vnode1); \
209 kau_write(rec, tok); \
210 } else { \
211 if (ARG_IS_VALID(kar, ARG_FD)) { \
212 tok = au_to_arg32(1, "non-file: fd", \
213 ar->ar_arg_fd); \
214 kau_write(rec, tok); \
215 } \
216 } \
217 } while (0)
218
219 #define PROCESS_PID_TOKENS(argn) do { \
220 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
221 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
222 tok = au_to_process32_ex(ar->ar_arg_auid, \
223 ar->ar_arg_euid, ar->ar_arg_egid, \
224 ar->ar_arg_ruid, ar->ar_arg_rgid, \
225 ar->ar_arg_pid, ar->ar_arg_asid, \
226 &ar->ar_arg_termid_addr); \
227 kau_write(rec, tok); \
228 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
229 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
230 kau_write(rec, tok); \
231 } \
232 } while (0) \
233
234 #define EXTATTR_TOKENS do { \
235 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
236 switch (ar->ar_arg_value) { \
237 case EXTATTR_NAMESPACE_USER: \
238 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
239 break; \
240 case EXTATTR_NAMESPACE_SYSTEM: \
241 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
242 break; \
243 default: \
244 tok = au_to_arg32(3, "attrnamespace", \
245 ar->ar_arg_value); \
246 break; \
247 } \
248 kau_write(rec, tok); \
249 } \
250 /* attrname is in the text field */ \
251 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
252 tok = au_to_text(ar->ar_arg_text); \
253 kau_write(rec, tok); \
254 } \
255 } while (0)
256
257 /*
258 * Implement auditing for the auditon() system call. The audit tokens that
259 * are generated depend on the command that was sent into the auditon()
260 * system call.
261 */
262 static void
263 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
264 {
265 struct au_token *tok;
266
267 switch (ar->ar_arg_cmd) {
268 case A_SETPOLICY:
269 if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
270 tok = au_to_arg64(1, "policy",
271 ar->ar_arg_auditon.au_flags);
272 else
273 tok = au_to_arg32(1, "policy",
274 ar->ar_arg_auditon.au_flags);
275 kau_write(rec, tok);
276 break;
277
278 case A_SETKMASK:
279 tok = au_to_arg32(2, "setkmask:as_success",
280 ar->ar_arg_auditon.au_mask.am_success);
281 kau_write(rec, tok);
282 tok = au_to_arg32(2, "setkmask:as_failure",
283 ar->ar_arg_auditon.au_mask.am_failure);
284 kau_write(rec, tok);
285 break;
286
287 case A_SETQCTRL:
288 tok = au_to_arg32(3, "setqctrl:aq_hiwater",
289 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
290 kau_write(rec, tok);
291 tok = au_to_arg32(3, "setqctrl:aq_lowater",
292 ar->ar_arg_auditon.au_qctrl.aq_lowater);
293 kau_write(rec, tok);
294 tok = au_to_arg32(3, "setqctrl:aq_bufsz",
295 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
296 kau_write(rec, tok);
297 tok = au_to_arg32(3, "setqctrl:aq_delay",
298 ar->ar_arg_auditon.au_qctrl.aq_delay);
299 kau_write(rec, tok);
300 tok = au_to_arg32(3, "setqctrl:aq_minfree",
301 ar->ar_arg_auditon.au_qctrl.aq_minfree);
302 kau_write(rec, tok);
303 break;
304
305 case A_SETUMASK:
306 tok = au_to_arg32(3, "setumask:as_success",
307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
308 kau_write(rec, tok);
309 tok = au_to_arg32(3, "setumask:as_failure",
310 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
311 kau_write(rec, tok);
312 break;
313
314 case A_SETSMASK:
315 tok = au_to_arg32(3, "setsmask:as_success",
316 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
317 kau_write(rec, tok);
318 tok = au_to_arg32(3, "setsmask:as_failure",
319 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
320 kau_write(rec, tok);
321 break;
322
323 case A_SETCOND:
324 if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
325 tok = au_to_arg64(3, "setcond",
326 ar->ar_arg_auditon.au_cond);
327 else
328 tok = au_to_arg32(3, "setcond",
329 ar->ar_arg_auditon.au_cond);
330 kau_write(rec, tok);
331 break;
332
333 case A_SETCLASS:
334 tok = au_to_arg32(2, "setclass:ec_event",
335 ar->ar_arg_auditon.au_evclass.ec_number);
336 kau_write(rec, tok);
337 tok = au_to_arg32(3, "setclass:ec_class",
338 ar->ar_arg_auditon.au_evclass.ec_class);
339 kau_write(rec, tok);
340 break;
341
342 case A_SETPMASK:
343 tok = au_to_arg32(2, "setpmask:as_success",
344 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
345 kau_write(rec, tok);
346 tok = au_to_arg32(2, "setpmask:as_failure",
347 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
348 kau_write(rec, tok);
349 break;
350
351 case A_SETFSIZE:
352 tok = au_to_arg32(2, "setfsize:filesize",
353 ar->ar_arg_auditon.au_fstat.af_filesz);
354 kau_write(rec, tok);
355 break;
356
357 default:
358 break;
359 }
360 }
361
362 /*
363 * Convert an internal kernel audit record to a BSM record and return a
364 * success/failure indicator. The BSM record is passed as an out parameter to
365 * this function.
366 *
367 * Return conditions:
368 * BSM_SUCCESS: The BSM record is valid
369 * BSM_FAILURE: Failure; the BSM record is NULL.
370 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
371 */
372 int
373 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
374 {
375 struct au_token *tok, *subj_tok;
376 struct au_record *rec;
377 au_tid_t tid;
378 struct audit_record *ar;
379 int ctr;
380
381 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
382
383 *pau = NULL;
384 ar = &kar->k_ar;
385 rec = kau_open();
386
387 /* Create the subject token */
388 switch (ar->ar_subj_term_addr.at_type) {
389 case AU_IPv4:
390 tid.port = ar->ar_subj_term_addr.at_port;
391 tid.machine = ar->ar_subj_term_addr.at_addr[0];
392 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
393 ar->ar_subj_cred.cr_uid, /* eff uid */
394 ar->ar_subj_egid, /* eff group id */
395 ar->ar_subj_ruid, /* real uid */
396 ar->ar_subj_rgid, /* real group id */
397 ar->ar_subj_pid, /* process id */
398 ar->ar_subj_asid, /* session ID */
399 &tid);
400 break;
401 case AU_IPv6:
402 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
403 ar->ar_subj_cred.cr_uid,
404 ar->ar_subj_egid,
405 ar->ar_subj_ruid,
406 ar->ar_subj_rgid,
407 ar->ar_subj_pid,
408 ar->ar_subj_asid,
409 &ar->ar_subj_term_addr);
410 break;
411 default:
412 bzero(&tid, sizeof(tid));
413 subj_tok = au_to_subject32(ar->ar_subj_auid,
414 ar->ar_subj_cred.cr_uid,
415 ar->ar_subj_egid,
416 ar->ar_subj_ruid,
417 ar->ar_subj_rgid,
418 ar->ar_subj_pid,
419 ar->ar_subj_asid,
420 &tid);
421 }
422
423 /*
424 * The logic inside each case fills in the tokens required for the
425 * event, except for the header, trailer, and return tokens. The
426 * header and trailer tokens are added by the kau_close() function.
427 * The return token is added outside of the switch statement.
428 */
429 switch(ar->ar_event) {
430 case AUE_ACCEPT:
431 case AUE_BIND:
432 case AUE_LISTEN:
433 case AUE_CONNECT:
434 case AUE_RECV:
435 case AUE_RECVFROM:
436 case AUE_RECVMSG:
437 case AUE_SEND:
438 case AUE_SENDFILE:
439 case AUE_SENDMSG:
440 case AUE_SENDTO:
441 /*
442 * Socket-related events.
443 */
444 if (ARG_IS_VALID(kar, ARG_FD)) {
445 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
446 kau_write(rec, tok);
447 }
448 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
449 tok = au_to_sock_inet((struct sockaddr_in *)
450 &ar->ar_arg_sockaddr);
451 kau_write(rec, tok);
452 }
453 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
454 tok = au_to_sock_unix((struct sockaddr_un *)
455 &ar->ar_arg_sockaddr);
456 kau_write(rec, tok);
457 UPATH1_TOKENS;
458 }
459 /* XXX Need to handle ARG_SADDRINET6 */
460 break;
461
462 case AUE_SOCKET:
463 case AUE_SOCKETPAIR:
464 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
465 tok = au_to_arg32(1,"domain",
466 ar->ar_arg_sockinfo.so_domain);
467 kau_write(rec, tok);
468 tok = au_to_arg32(2,"type",
469 ar->ar_arg_sockinfo.so_type);
470 kau_write(rec, tok);
471 tok = au_to_arg32(3,"protocol",
472 ar->ar_arg_sockinfo.so_protocol);
473 kau_write(rec, tok);
474 }
475 break;
476
477 case AUE_SETSOCKOPT:
478 case AUE_SHUTDOWN:
479 if (ARG_IS_VALID(kar, ARG_FD)) {
480 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
481 kau_write(rec, tok);
482 }
483 break;
484
485 case AUE_ACCT:
486 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
487 UPATH1_VNODE1_TOKENS;
488 } else {
489 tok = au_to_arg32(1, "accounting off", 0);
490 kau_write(rec, tok);
491 }
492 break;
493
494 case AUE_SETAUID:
495 if (ARG_IS_VALID(kar, ARG_AUID)) {
496 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
497 kau_write(rec, tok);
498 }
499 break;
500
501 case AUE_SETAUDIT:
502 if (ARG_IS_VALID(kar, ARG_AUID) &&
503 ARG_IS_VALID(kar, ARG_ASID) &&
504 ARG_IS_VALID(kar, ARG_AMASK) &&
505 ARG_IS_VALID(kar, ARG_TERMID)) {
506 tok = au_to_arg32(1, "setaudit:auid",
507 ar->ar_arg_auid);
508 kau_write(rec, tok);
509 tok = au_to_arg32(1, "setaudit:port",
510 ar->ar_arg_termid.port);
511 kau_write(rec, tok);
512 tok = au_to_arg32(1, "setaudit:machine",
513 ar->ar_arg_termid.machine);
514 kau_write(rec, tok);
515 tok = au_to_arg32(1, "setaudit:as_success",
516 ar->ar_arg_amask.am_success);
517 kau_write(rec, tok);
518 tok = au_to_arg32(1, "setaudit:as_failure",
519 ar->ar_arg_amask.am_failure);
520 kau_write(rec, tok);
521 tok = au_to_arg32(1, "setaudit:asid",
522 ar->ar_arg_asid);
523 kau_write(rec, tok);
524 }
525 break;
526
527 case AUE_SETAUDIT_ADDR:
528 if (ARG_IS_VALID(kar, ARG_AUID) &&
529 ARG_IS_VALID(kar, ARG_ASID) &&
530 ARG_IS_VALID(kar, ARG_AMASK) &&
531 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
532 tok = au_to_arg32(1, "setaudit_addr:auid",
533 ar->ar_arg_auid);
534 kau_write(rec, tok);
535 tok = au_to_arg32(1, "setaudit_addr:as_success",
536 ar->ar_arg_amask.am_success);
537 kau_write(rec, tok);
538 tok = au_to_arg32(1, "setaudit_addr:as_failure",
539 ar->ar_arg_amask.am_failure);
540 kau_write(rec, tok);
541 tok = au_to_arg32(1, "setaudit_addr:asid",
542 ar->ar_arg_asid);
543 kau_write(rec, tok);
544 tok = au_to_arg32(1, "setaudit_addr:type",
545 ar->ar_arg_termid_addr.at_type);
546 kau_write(rec, tok);
547 tok = au_to_arg32(1, "setaudit_addr:port",
548 ar->ar_arg_termid_addr.at_port);
549 kau_write(rec, tok);
550 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
551 tok = au_to_in_addr_ex((struct in6_addr *)
552 &ar->ar_arg_termid_addr.at_addr[0]);
553 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
554 tok = au_to_in_addr((struct in_addr *)
555 &ar->ar_arg_termid_addr.at_addr[0]);
556 kau_write(rec, tok);
557 }
558 break;
559
560 case AUE_AUDITON:
561 /*
562 * For AUDITON commands without own event, audit the cmd.
563 */
564 if (ARG_IS_VALID(kar, ARG_CMD)) {
565 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
566 kau_write(rec, tok);
567 }
568 /* fall thru */
569
570 case AUE_AUDITON_GETCAR:
571 case AUE_AUDITON_GETCLASS:
572 case AUE_AUDITON_GETCOND:
573 case AUE_AUDITON_GETCWD:
574 case AUE_AUDITON_GETKMASK:
575 case AUE_AUDITON_GETSTAT:
576 case AUE_AUDITON_GPOLICY:
577 case AUE_AUDITON_GQCTRL:
578 case AUE_AUDITON_SETCLASS:
579 case AUE_AUDITON_SETCOND:
580 case AUE_AUDITON_SETKMASK:
581 case AUE_AUDITON_SETSMASK:
582 case AUE_AUDITON_SETSTAT:
583 case AUE_AUDITON_SETUMASK:
584 case AUE_AUDITON_SPOLICY:
585 case AUE_AUDITON_SQCTRL:
586 if (ARG_IS_VALID(kar, ARG_AUDITON))
587 audit_sys_auditon(ar, rec);
588 break;
589
590 case AUE_AUDITCTL:
591 UPATH1_VNODE1_TOKENS;
592 break;
593
594 case AUE_EXIT:
595 if (ARG_IS_VALID(kar, ARG_EXIT)) {
596 tok = au_to_exit(ar->ar_arg_exitretval,
597 ar->ar_arg_exitstatus);
598 kau_write(rec, tok);
599 }
600 break;
601
602 case AUE_ADJTIME:
603 case AUE_CLOCK_SETTIME:
604 case AUE_AUDIT:
605 case AUE_DUP2:
606 case AUE_GETAUDIT:
607 case AUE_GETAUDIT_ADDR:
608 case AUE_GETAUID:
609 case AUE_GETCWD:
610 case AUE_GETFSSTAT:
611 case AUE_GETRESUID:
612 case AUE_GETRESGID:
613 case AUE_KQUEUE:
614 case AUE_LSEEK:
615 case AUE_MODLOAD:
616 case AUE_MODUNLOAD:
617 case AUE_MSGSYS:
618 case AUE_NFS_SVC:
619 case AUE_NTP_ADJTIME:
620 case AUE_PIPE:
621 case AUE_PROFILE:
622 case AUE_RTPRIO:
623 case AUE_SEMSYS:
624 case AUE_SHMSYS:
625 case AUE_SETPGRP:
626 case AUE_SETRLIMIT:
627 case AUE_SETSID:
628 case AUE_SETTIMEOFDAY:
629 case AUE_SYSARCH:
630
631 /*
632 * Header, subject, and return tokens added at end.
633 */
634 break;
635
636 case AUE_MKFIFO:
637 if (ARG_IS_VALID(kar, ARG_MODE)) {
638 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
639 kau_write(rec, tok);
640 }
641 /* fall through */
642 case AUE_ACCESS:
643 case AUE_CHDIR:
644 case AUE_CHROOT:
645 case AUE_EACCESS:
646 case AUE_GETATTRLIST:
647 case AUE_JAIL:
648 case AUE_LUTIMES:
649 case AUE_NFS_GETFH:
650 case AUE_LSTAT:
651 case AUE_PATHCONF:
652 case AUE_READLINK:
653 case AUE_REVOKE:
654 case AUE_RMDIR:
655 case AUE_SEARCHFS:
656 case AUE_SETATTRLIST:
657 case AUE_STAT:
658 case AUE_STATFS:
659 case AUE_SWAPON:
660 case AUE_SWAPOFF:
661 case AUE_TRUNCATE:
662 case AUE_UNDELETE:
663 case AUE_UNLINK:
664 case AUE_UTIMES:
665 UPATH1_VNODE1_TOKENS;
666 break;
667
668 case AUE_FHSTATFS:
669 case AUE_FHOPEN:
670 case AUE_FHSTAT:
671 /* XXXRW: Need to audit vnode argument. */
672 break;
673
674 case AUE_CHFLAGS:
675 case AUE_LCHFLAGS:
676 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
677 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
678 kau_write(rec, tok);
679 }
680 UPATH1_VNODE1_TOKENS;
681 break;
682
683 case AUE_CHMOD:
684 case AUE_LCHMOD:
685 if (ARG_IS_VALID(kar, ARG_MODE)) {
686 tok = au_to_arg32(2, "new file mode",
687 ar->ar_arg_mode);
688 kau_write(rec, tok);
689 }
690 UPATH1_VNODE1_TOKENS;
691 break;
692
693 case AUE_CHOWN:
694 case AUE_LCHOWN:
695 if (ARG_IS_VALID(kar, ARG_UID)) {
696 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
697 kau_write(rec, tok);
698 }
699 if (ARG_IS_VALID(kar, ARG_GID)) {
700 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
701 kau_write(rec, tok);
702 }
703 UPATH1_VNODE1_TOKENS;
704 break;
705
706 case AUE_EXCHANGEDATA:
707 UPATH1_VNODE1_TOKENS;
708 UPATH2_TOKENS;
709 break;
710
711 case AUE_CLOSE:
712 if (ARG_IS_VALID(kar, ARG_FD)) {
713 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
714 kau_write(rec, tok);
715 }
716 UPATH1_VNODE1_TOKENS;
717 break;
718
719 case AUE_EXTATTRCTL:
720 UPATH1_VNODE1_TOKENS;
721 if (ARG_IS_VALID(kar, ARG_CMD)) {
722 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
723 kau_write(rec, tok);
724 }
725 /* extattrctl(2) filename parameter is in upath2/vnode2 */
726 UPATH2_TOKENS;
727 VNODE2_TOKENS;
728 EXTATTR_TOKENS;
729 break;
730
731 case AUE_EXTATTR_GET_FILE:
732 case AUE_EXTATTR_SET_FILE:
733 case AUE_EXTATTR_LIST_FILE:
734 case AUE_EXTATTR_DELETE_FILE:
735 case AUE_EXTATTR_GET_LINK:
736 case AUE_EXTATTR_SET_LINK:
737 case AUE_EXTATTR_LIST_LINK:
738 case AUE_EXTATTR_DELETE_LINK:
739 UPATH1_VNODE1_TOKENS;
740 EXTATTR_TOKENS;
741 break;
742
743 case AUE_EXTATTR_GET_FD:
744 case AUE_EXTATTR_SET_FD:
745 case AUE_EXTATTR_LIST_FD:
746 case AUE_EXTATTR_DELETE_FD:
747 if (ARG_IS_VALID(kar, ARG_FD)) {
748 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
749 kau_write(rec, tok);
750 }
751 EXTATTR_TOKENS;
752 break;
753
754 case AUE_EXECVE:
755 if (ARG_IS_VALID(kar, ARG_ARGV)) {
756 tok = au_to_exec_args(ar->ar_arg_argv,
757 ar->ar_arg_argc);
758 kau_write(rec, tok);
759 }
760 if (ARG_IS_VALID(kar, ARG_ENVV)) {
761 tok = au_to_exec_env(ar->ar_arg_envv,
762 ar->ar_arg_envc);
763 kau_write(rec, tok);
764 }
765 UPATH1_VNODE1_TOKENS;
766 break;
767
768 case AUE_FCHMOD:
769 if (ARG_IS_VALID(kar, ARG_MODE)) {
770 tok = au_to_arg32(2, "new file mode",
771 ar->ar_arg_mode);
772 kau_write(rec, tok);
773 }
774 FD_VNODE1_TOKENS;
775 break;
776
777 /*
778 * XXXRW: Some of these need to handle non-vnode cases as well.
779 */
780 case AUE_FCHDIR:
781 case AUE_FPATHCONF:
782 case AUE_FSTAT:
783 case AUE_FSTATFS:
784 case AUE_FSYNC:
785 case AUE_FTRUNCATE:
786 case AUE_FUTIMES:
787 case AUE_GETDIRENTRIES:
788 case AUE_GETDIRENTRIESATTR:
789 case AUE_POLL:
790 case AUE_READ:
791 case AUE_READV:
792 case AUE_WRITE:
793 case AUE_WRITEV:
794 FD_VNODE1_TOKENS;
795 break;
796
797 case AUE_FCHOWN:
798 if (ARG_IS_VALID(kar, ARG_UID)) {
799 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
800 kau_write(rec, tok);
801 }
802 if (ARG_IS_VALID(kar, ARG_GID)) {
803 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
804 kau_write(rec, tok);
805 }
806 FD_VNODE1_TOKENS;
807 break;
808
809 case AUE_FCNTL:
810 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
811 ar->ar_arg_cmd == F_SETLKW) {
812 if (ARG_IS_VALID(kar, ARG_CMD)) {
813 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
814 kau_write(rec, tok);
815 }
816 FD_VNODE1_TOKENS;
817 }
818 break;
819
820 case AUE_FCHFLAGS:
821 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
822 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
823 kau_write(rec, tok);
824 }
825 FD_VNODE1_TOKENS;
826 break;
827
828 case AUE_FLOCK:
829 if (ARG_IS_VALID(kar, ARG_CMD)) {
830 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
831 kau_write(rec, tok);
832 }
833 FD_VNODE1_TOKENS;
834 break;
835
836 case AUE_RFORK:
837 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
838 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
839 kau_write(rec, tok);
840 }
841 /* fall through */
842 case AUE_FORK:
843 case AUE_VFORK:
844 if (ARG_IS_VALID(kar, ARG_PID)) {
845 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
846 kau_write(rec, tok);
847 }
848 break;
849
850 case AUE_IOCTL:
851 if (ARG_IS_VALID(kar, ARG_CMD)) {
852 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
853 kau_write(rec, tok);
854 }
855 if (ARG_IS_VALID(kar, ARG_ADDR)) {
856 tok = au_to_arg32(1, "arg",
857 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
858 kau_write(rec, tok);
859 }
860 if (ARG_IS_VALID(kar, ARG_VNODE1))
861 FD_VNODE1_TOKENS;
862 else {
863 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
864 tok = kau_to_socket(&ar->ar_arg_sockinfo);
865 kau_write(rec, tok);
866 } else {
867 if (ARG_IS_VALID(kar, ARG_FD)) {
868 tok = au_to_arg32(1, "fd",
869 ar->ar_arg_fd);
870 kau_write(rec, tok);
871 }
872 }
873 }
874 break;
875
876 case AUE_KILL:
877 case AUE_KILLPG:
878 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
879 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
880 kau_write(rec, tok);
881 }
882 PROCESS_PID_TOKENS(1);
883 break;
884
885 case AUE_KTRACE:
886 if (ARG_IS_VALID(kar, ARG_CMD)) {
887 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
888 kau_write(rec, tok);
889 }
890 if (ARG_IS_VALID(kar, ARG_VALUE)) {
891 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
892 kau_write(rec, tok);
893 }
894 PROCESS_PID_TOKENS(4);
895 UPATH1_VNODE1_TOKENS;
896 break;
897
898 case AUE_LINK:
899 case AUE_RENAME:
900 UPATH1_VNODE1_TOKENS;
901 UPATH2_TOKENS;
902 break;
903
904 case AUE_LOADSHFILE:
905 if (ARG_IS_VALID(kar, ARG_ADDR)) {
906 tok = au_to_arg32(4, "base addr",
907 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
908 kau_write(rec, tok);
909 }
910 UPATH1_VNODE1_TOKENS;
911 break;
912
913 case AUE_MKDIR:
914 if (ARG_IS_VALID(kar, ARG_MODE)) {
915 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
916 kau_write(rec, tok);
917 }
918 UPATH1_VNODE1_TOKENS;
919 break;
920
921 case AUE_MKNOD:
922 if (ARG_IS_VALID(kar, ARG_MODE)) {
923 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
924 kau_write(rec, tok);
925 }
926 if (ARG_IS_VALID(kar, ARG_DEV)) {
927 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
928 kau_write(rec, tok);
929 }
930 UPATH1_VNODE1_TOKENS;
931 break;
932
933 case AUE_MMAP:
934 case AUE_MUNMAP:
935 case AUE_MPROTECT:
936 case AUE_MLOCK:
937 case AUE_MUNLOCK:
938 case AUE_MINHERIT:
939 if (ARG_IS_VALID(kar, ARG_ADDR)) {
940 tok = au_to_arg32(1, "addr",
941 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
942 kau_write(rec, tok);
943 }
944 if (ARG_IS_VALID(kar, ARG_LEN)) {
945 tok = au_to_arg32(2, "len", ar->ar_arg_len);
946 kau_write(rec, tok);
947 }
948 if (ar->ar_event == AUE_MMAP)
949 FD_VNODE1_TOKENS;
950 if (ar->ar_event == AUE_MPROTECT) {
951 if (ARG_IS_VALID(kar, ARG_VALUE)) {
952 tok = au_to_arg32(3, "protection",
953 ar->ar_arg_value);
954 kau_write(rec, tok);
955 }
956 }
957 if (ar->ar_event == AUE_MINHERIT) {
958 if (ARG_IS_VALID(kar, ARG_VALUE)) {
959 tok = au_to_arg32(3, "inherit",
960 ar->ar_arg_value);
961 kau_write(rec, tok);
962 }
963 }
964 break;
965
966 case AUE_MOUNT:
967 case AUE_NMOUNT:
968 /* XXX Need to handle NFS mounts */
969 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
970 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
971 kau_write(rec, tok);
972 }
973 if (ARG_IS_VALID(kar, ARG_TEXT)) {
974 tok = au_to_text(ar->ar_arg_text);
975 kau_write(rec, tok);
976 }
977 /* fall through */
978
979 case AUE_UMOUNT:
980 UPATH1_VNODE1_TOKENS;
981 break;
982
983 case AUE_MSGCTL:
984 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd);
985 /* Fall through */
986
987 case AUE_MSGRCV:
988 case AUE_MSGSND:
989 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
990 kau_write(rec, tok);
991 if (ar->ar_errno != EINVAL) {
992 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
993 kau_write(rec, tok);
994 }
995 break;
996
997 case AUE_MSGGET:
998 if (ar->ar_errno == 0) {
999 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1000 tok = au_to_ipc(AT_IPC_MSG,
1001 ar->ar_arg_svipc_id);
1002 kau_write(rec, tok);
1003 }
1004 }
1005 break;
1006
1007 case AUE_RESETSHFILE:
1008 if (ARG_IS_VALID(kar, ARG_ADDR)) {
1009 tok = au_to_arg32(1, "base addr",
1010 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
1011 kau_write(rec, tok);
1012 }
1013 break;
1014
1015 case AUE_OPEN_RC:
1016 case AUE_OPEN_RTC:
1017 case AUE_OPEN_RWC:
1018 case AUE_OPEN_RWTC:
1019 case AUE_OPEN_WC:
1020 case AUE_OPEN_WTC:
1021 case AUE_CREAT:
1022 if (ARG_IS_VALID(kar, ARG_MODE)) {
1023 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1024 kau_write(rec, tok);
1025 }
1026 /* fall through */
1027
1028 case AUE_OPEN_R:
1029 case AUE_OPEN_RT:
1030 case AUE_OPEN_RW:
1031 case AUE_OPEN_RWT:
1032 case AUE_OPEN_W:
1033 case AUE_OPEN_WT:
1034 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1035 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1036 kau_write(rec, tok);
1037 }
1038 UPATH1_VNODE1_TOKENS;
1039 break;
1040
1041 case AUE_PTRACE:
1042 if (ARG_IS_VALID(kar, ARG_CMD)) {
1043 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1044 kau_write(rec, tok);
1045 }
1046 if (ARG_IS_VALID(kar, ARG_ADDR)) {
1047 tok = au_to_arg32(3, "addr",
1048 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
1049 kau_write(rec, tok);
1050 }
1051 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1052 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1053 kau_write(rec, tok);
1054 }
1055 PROCESS_PID_TOKENS(2);
1056 break;
1057
1058 case AUE_QUOTACTL:
1059 if (ARG_IS_VALID(kar, ARG_CMD)) {
1060 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1061 kau_write(rec, tok);
1062 }
1063 if (ARG_IS_VALID(kar, ARG_UID)) {
1064 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1065 kau_write(rec, tok);
1066 }
1067 UPATH1_VNODE1_TOKENS;
1068 break;
1069
1070 case AUE_REBOOT:
1071 if (ARG_IS_VALID(kar, ARG_CMD)) {
1072 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1073 kau_write(rec, tok);
1074 }
1075 break;
1076
1077 case AUE_SEMCTL:
1078 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd);
1079 /* Fall through */
1080
1081 case AUE_SEMOP:
1082 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1083 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1084 kau_write(rec, tok);
1085 if (ar->ar_errno != EINVAL) {
1086 tok = au_to_ipc(AT_IPC_SEM,
1087 ar->ar_arg_svipc_id);
1088 kau_write(rec, tok);
1089 }
1090 }
1091 break;
1092
1093 case AUE_SEMGET:
1094 if (ar->ar_errno == 0) {
1095 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1096 tok = au_to_ipc(AT_IPC_SEM,
1097 ar->ar_arg_svipc_id);
1098 kau_write(rec, tok);
1099 }
1100 }
1101 break;
1102
1103 case AUE_SETEGID:
1104 if (ARG_IS_VALID(kar, ARG_EGID)) {
1105 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1106 kau_write(rec, tok);
1107 }
1108 break;
1109
1110 case AUE_SETEUID:
1111 if (ARG_IS_VALID(kar, ARG_EUID)) {
1112 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1113 kau_write(rec, tok);
1114 }
1115 break;
1116
1117 case AUE_SETREGID:
1118 if (ARG_IS_VALID(kar, ARG_RGID)) {
1119 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1120 kau_write(rec, tok);
1121 }
1122 if (ARG_IS_VALID(kar, ARG_EGID)) {
1123 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1124 kau_write(rec, tok);
1125 }
1126 break;
1127
1128 case AUE_SETREUID:
1129 if (ARG_IS_VALID(kar, ARG_RUID)) {
1130 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1131 kau_write(rec, tok);
1132 }
1133 if (ARG_IS_VALID(kar, ARG_EUID)) {
1134 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1135 kau_write(rec, tok);
1136 }
1137 break;
1138
1139 case AUE_SETRESGID:
1140 if (ARG_IS_VALID(kar, ARG_RGID)) {
1141 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1142 kau_write(rec, tok);
1143 }
1144 if (ARG_IS_VALID(kar, ARG_EGID)) {
1145 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1146 kau_write(rec, tok);
1147 }
1148 if (ARG_IS_VALID(kar, ARG_SGID)) {
1149 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1150 kau_write(rec, tok);
1151 }
1152 break;
1153
1154 case AUE_SETRESUID:
1155 if (ARG_IS_VALID(kar, ARG_RUID)) {
1156 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1157 kau_write(rec, tok);
1158 }
1159 if (ARG_IS_VALID(kar, ARG_EUID)) {
1160 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1161 kau_write(rec, tok);
1162 }
1163 if (ARG_IS_VALID(kar, ARG_SUID)) {
1164 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1165 kau_write(rec, tok);
1166 }
1167 break;
1168
1169 case AUE_SETGID:
1170 if (ARG_IS_VALID(kar, ARG_GID)) {
1171 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1172 kau_write(rec, tok);
1173 }
1174 break;
1175
1176 case AUE_SETUID:
1177 if (ARG_IS_VALID(kar, ARG_UID)) {
1178 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1179 kau_write(rec, tok);
1180 }
1181 break;
1182
1183 case AUE_SETGROUPS:
1184 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1185 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1186 {
1187 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]);
1188 kau_write(rec, tok);
1189 }
1190 }
1191 break;
1192
1193 case AUE_SETLOGIN:
1194 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1195 tok = au_to_text(ar->ar_arg_text);
1196 kau_write(rec, tok);
1197 }
1198 break;
1199
1200 case AUE_SETPRIORITY:
1201 if (ARG_IS_VALID(kar, ARG_CMD)) {
1202 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1203 kau_write(rec, tok);
1204 }
1205 if (ARG_IS_VALID(kar, ARG_UID)) {
1206 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1207 kau_write(rec, tok);
1208 }
1209 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1210 tok = au_to_arg32(2, "priority", ar->ar_arg_value);
1211 kau_write(rec, tok);
1212 }
1213 break;
1214
1215 case AUE_SETPRIVEXEC:
1216 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1217 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1218 kau_write(rec, tok);
1219 }
1220 break;
1221
1222 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1223 case AUE_SHMAT:
1224 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1225 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1226 kau_write(rec, tok);
1227 /* XXXAUDIT: Does having the ipc token make sense? */
1228 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1229 kau_write(rec, tok);
1230 }
1231 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1232 tok = au_to_arg32(2, "shmaddr",
1233 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1234 kau_write(rec, tok);
1235 }
1236 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1237 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1238 kau_write(rec, tok);
1239 }
1240 break;
1241
1242 case AUE_SHMCTL:
1243 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1244 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1245 kau_write(rec, tok);
1246 /* XXXAUDIT: Does having the ipc token make sense? */
1247 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1248 kau_write(rec, tok);
1249 }
1250 switch (ar->ar_arg_svipc_cmd) {
1251 case IPC_STAT:
1252 ar->ar_event = AUE_SHMCTL_STAT;
1253 break;
1254 case IPC_RMID:
1255 ar->ar_event = AUE_SHMCTL_RMID;
1256 break;
1257 case IPC_SET:
1258 ar->ar_event = AUE_SHMCTL_SET;
1259 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1260 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1261 kau_write(rec, tok);
1262 }
1263 break;
1264 default:
1265 break; /* We will audit a bad command */
1266 }
1267 break;
1268
1269 case AUE_SHMDT:
1270 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1271 tok = au_to_arg32(1, "shmaddr",
1272 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1273 kau_write(rec, tok);
1274 }
1275 break;
1276
1277 case AUE_SHMGET:
1278 /* This is unusual; the return value is in an argument token */
1279 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1280 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1281 kau_write(rec, tok);
1282 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1283 kau_write(rec, tok);
1284 }
1285 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1286 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1287 kau_write(rec, tok);
1288 }
1289 break;
1290
1291 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1292 * and AUE_SEMUNLINK are Posix IPC */
1293 case AUE_SHMOPEN:
1294 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1295 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1296 kau_write(rec, tok);
1297 }
1298 if (ARG_IS_VALID(kar, ARG_MODE)) {
1299 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1300 kau_write(rec, tok);
1301 }
1302 case AUE_SHMUNLINK:
1303 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1304 tok = au_to_text(ar->ar_arg_text);
1305 kau_write(rec, tok);
1306 }
1307 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1308 /* Create an ipc_perm token */
1309 struct ipc_perm perm;
1310 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1311 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1312 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1313 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1314 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1315 perm.seq = 0;
1316 perm.key = 0;
1317 tok = au_to_ipc_perm(&perm);
1318 kau_write(rec, tok);
1319 }
1320 break;
1321
1322 case AUE_SEMOPEN:
1323 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1324 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1325 kau_write(rec, tok);
1326 }
1327 if (ARG_IS_VALID(kar, ARG_MODE)) {
1328 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1329 kau_write(rec, tok);
1330 }
1331 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1332 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1333 kau_write(rec, tok);
1334 }
1335 /* fall through */
1336
1337 case AUE_SEMUNLINK:
1338 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1339 tok = au_to_text(ar->ar_arg_text);
1340 kau_write(rec, tok);
1341 }
1342 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1343 /* Create an ipc_perm token */
1344 struct ipc_perm perm;
1345 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1346 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1347 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1348 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1349 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1350 perm.seq = 0;
1351 perm.key = 0;
1352 tok = au_to_ipc_perm(&perm);
1353 kau_write(rec, tok);
1354 }
1355 break;
1356
1357 case AUE_SEMCLOSE:
1358 if (ARG_IS_VALID(kar, ARG_FD)) {
1359 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1360 kau_write(rec, tok);
1361 }
1362 break;
1363
1364 case AUE_SYMLINK:
1365 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1366 tok = au_to_text(ar->ar_arg_text);
1367 kau_write(rec, tok);
1368 }
1369 UPATH1_VNODE1_TOKENS;
1370 break;
1371
1372 case AUE_SYSCTL:
1373 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1374 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1375 tok = au_to_arg32(1, "name",
1376 ar->ar_arg_ctlname[ctr]);
1377 kau_write(rec, tok);
1378 }
1379 }
1380 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1381 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1382 kau_write(rec, tok);
1383 }
1384 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1385 tok = au_to_text(ar->ar_arg_text);
1386 kau_write(rec, tok);
1387 }
1388 break;
1389
1390 case AUE_UMASK:
1391 if (ARG_IS_VALID(kar, ARG_MASK)) {
1392 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1393 kau_write(rec, tok);
1394 }
1395 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1396 kau_write(rec, tok);
1397 break;
1398
1399 case AUE_WAIT4:
1400 if (ARG_IS_VALID(kar, ARG_PID)) {
1401 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1402 kau_write(rec, tok);
1403 }
1404 break;
1405
1406 case AUE_NULL:
1407 default:
1408 printf("BSM conversion requested for unknown event %d\n",
1409 ar->ar_event);
1410 /* Write the subject token so it is properly freed here. */
1411 kau_write(rec, subj_tok);
1412 kau_free(rec);
1413 return (BSM_NOAUDIT);
1414 }
1415
1416 kau_write(rec, subj_tok);
1417 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
1418 kau_write(rec, tok); /* Every record gets a return token */
1419
1420 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1421
1422 *pau = rec;
1423 return (BSM_SUCCESS);
1424 }
1425
1426 /*
1427 * Verify that a record is a valid BSM record. This verification is simple
1428 * now, but may be expanded on sometime in the future. Return 1 if the
1429 * record is good, 0 otherwise.
1430 */
1431 int
1432 bsm_rec_verify(void *rec)
1433 {
1434 char c = *(char *)rec;
1435
1436 /*
1437 * Check the token ID of the first token; it has to be a header
1438 * token.
1439 *
1440 * XXXAUDIT There needs to be a token structure to map a token.
1441 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1442 */
1443 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1444 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1445 return (0);
1446 return (1);
1447 }
Cache object: 61c16118c545a82a450d000e3709b1c6
|