Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/security/audit/audit_bsm.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 #include <sys/param.h> 33 #include <sys/vnode.h> 34 #include <sys/ipc.h> 35 #include <sys/lock.h> 36 #include <sys/malloc.h> 37 #include <sys/mutex.h> 38 #include <sys/socket.h> 39 #include <sys/extattr.h> 40 #include <sys/fcntl.h> 41 #include <sys/user.h> 42 #include <sys/systm.h> 43 44 #include <bsm/audit.h> 45 #include <bsm/audit_internal.h> 46 #include <bsm/audit_record.h> 47 #include <bsm/audit_kevents.h> 48 49 #include <security/audit/audit.h> 50 #include <security/audit/audit_private.h> 51 52 #include <netinet/in_systm.h> 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 56 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57 58 static void audit_sys_auditon(struct audit_record *ar, 59 struct au_record *rec); 60 61 /* 62 * Initialize the BSM auditing subsystem. 63 */ 64 void 65 kau_init(void) 66 { 67 68 au_evclassmap_init(); 69 } 70 71 /* 72 * This call reserves memory for the audit record. Memory must be guaranteed 73 * before any auditable event can be generated. The au_record structure 74 * maintains a reference to the memory allocated above and also the list of 75 * tokens associated with this record 76 */ 77 static struct au_record * 78 kau_open(void) 79 { 80 struct au_record *rec; 81 82 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 83 rec->data = NULL; 84 TAILQ_INIT(&rec->token_q); 85 rec->len = 0; 86 rec->used = 1; 87 88 return (rec); 89 } 90 91 /* 92 * Store the token with the record descriptor. 93 */ 94 static void 95 kau_write(struct au_record *rec, struct au_token *tok) 96 { 97 98 KASSERT(tok != NULL, ("kau_write: tok == NULL")); 99 100 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 101 rec->len += tok->len; 102 } 103 104 /* 105 * Close out the audit record by adding the header token, identifying any 106 * missing tokens. Write out the tokens to the record memory. 107 */ 108 static void 109 kau_close(struct au_record *rec, struct timespec *ctime, short event) 110 { 111 u_char *dptr; 112 size_t tot_rec_size; 113 token_t *cur, *hdr, *trail; 114 struct timeval tm; 115 116 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 117 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 118 119 tm.tv_usec = ctime->tv_nsec / 1000; 120 tm.tv_sec = ctime->tv_sec; 121 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 122 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 123 124 trail = au_to_trailer(tot_rec_size); 125 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 126 127 rec->len = tot_rec_size; 128 dptr = rec->data; 129 TAILQ_FOREACH(cur, &rec->token_q, tokens) { 130 memcpy(dptr, cur->t_data, cur->len); 131 dptr += cur->len; 132 } 133 } 134 135 /* 136 * Free a BSM audit record by releasing all the tokens and clearing the audit 137 * record information. 138 */ 139 void 140 kau_free(struct au_record *rec) 141 { 142 struct au_token *tok; 143 144 /* Free the token list. */ 145 while ((tok = TAILQ_FIRST(&rec->token_q))) { 146 TAILQ_REMOVE(&rec->token_q, tok, tokens); 147 free(tok->t_data, M_AUDITBSM); 148 free(tok, M_AUDITBSM); 149 } 150 151 rec->used = 0; 152 rec->len = 0; 153 free(rec->data, M_AUDITBSM); 154 free(rec, M_AUDITBSM); 155 } 156 157 /* 158 * XXX: May want turn some (or all) of these macros into functions in order 159 * to reduce the generated code sized. 160 * 161 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 162 * caller are OK with this. 163 */ 164 #define UPATH1_TOKENS do { \ 165 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 166 tok = au_to_path(ar->ar_arg_upath1); \ 167 kau_write(rec, tok); \ 168 } \ 169 } while (0) 170 171 #define UPATH2_TOKENS do { \ 172 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 173 tok = au_to_path(ar->ar_arg_upath2); \ 174 kau_write(rec, tok); \ 175 } \ 176 } while (0) 177 178 #define VNODE1_TOKENS do { \ 179 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 180 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 181 kau_write(rec, tok); \ 182 } \ 183 } while (0) 184 185 #define UPATH1_VNODE1_TOKENS do { \ 186 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 187 UPATH1_TOKENS; \ 188 } \ 189 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 190 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 191 kau_write(rec, tok); \ 192 } \ 193 } while (0) 194 195 #define VNODE2_TOKENS do { \ 196 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 197 tok = au_to_attr32(&ar->ar_arg_vnode2); \ 198 kau_write(rec, tok); \ 199 } \ 200 } while (0) 201 202 #define FD_VNODE1_TOKENS do { \ 203 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 204 if (ARG_IS_VALID(kar, ARG_FD)) { \ 205 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 206 kau_write(rec, tok); \ 207 } \ 208 tok = au_to_attr32(&ar->ar_arg_vnode1); \ 209 kau_write(rec, tok); \ 210 } else { \ 211 if (ARG_IS_VALID(kar, ARG_FD)) { \ 212 tok = au_to_arg32(1, "non-file: fd", \ 213 ar->ar_arg_fd); \ 214 kau_write(rec, tok); \ 215 } \ 216 } \ 217 } while (0) 218 219 #define PROCESS_PID_TOKENS(argn) do { \ 220 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 221 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 222 tok = au_to_process32_ex(ar->ar_arg_auid, \ 223 ar->ar_arg_euid, ar->ar_arg_egid, \ 224 ar->ar_arg_ruid, ar->ar_arg_rgid, \ 225 ar->ar_arg_pid, ar->ar_arg_asid, \ 226 &ar->ar_arg_termid_addr); \ 227 kau_write(rec, tok); \ 228 } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 229 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 230 kau_write(rec, tok); \ 231 } \ 232 } while (0) \ 233 234 #define EXTATTR_TOKENS do { \ 235 if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 236 switch (ar->ar_arg_value) { \ 237 case EXTATTR_NAMESPACE_USER: \ 238 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 239 break; \ 240 case EXTATTR_NAMESPACE_SYSTEM: \ 241 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 242 break; \ 243 default: \ 244 tok = au_to_arg32(3, "attrnamespace", \ 245 ar->ar_arg_value); \ 246 break; \ 247 } \ 248 kau_write(rec, tok); \ 249 } \ 250 /* attrname is in the text field */ \ 251 if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 252 tok = au_to_text(ar->ar_arg_text); \ 253 kau_write(rec, tok); \ 254 } \ 255 } while (0) 256 257 /* 258 * Implement auditing for the auditon() system call. The audit tokens that 259 * are generated depend on the command that was sent into the auditon() 260 * system call. 261 */ 262 static void 263 audit_sys_auditon(struct audit_record *ar, struct au_record *rec) 264 { 265 struct au_token *tok; 266 267 switch (ar->ar_arg_cmd) { 268 case A_SETPOLICY: 269 if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 270 tok = au_to_arg64(1, "policy", 271 ar->ar_arg_auditon.au_flags); 272 else 273 tok = au_to_arg32(1, "policy", 274 ar->ar_arg_auditon.au_flags); 275 kau_write(rec, tok); 276 break; 277 278 case A_SETKMASK: 279 tok = au_to_arg32(2, "setkmask:as_success", 280 ar->ar_arg_auditon.au_mask.am_success); 281 kau_write(rec, tok); 282 tok = au_to_arg32(2, "setkmask:as_failure", 283 ar->ar_arg_auditon.au_mask.am_failure); 284 kau_write(rec, tok); 285 break; 286 287 case A_SETQCTRL: 288 tok = au_to_arg32(3, "setqctrl:aq_hiwater", 289 ar->ar_arg_auditon.au_qctrl.aq_hiwater); 290 kau_write(rec, tok); 291 tok = au_to_arg32(3, "setqctrl:aq_lowater", 292 ar->ar_arg_auditon.au_qctrl.aq_lowater); 293 kau_write(rec, tok); 294 tok = au_to_arg32(3, "setqctrl:aq_bufsz", 295 ar->ar_arg_auditon.au_qctrl.aq_bufsz); 296 kau_write(rec, tok); 297 tok = au_to_arg32(3, "setqctrl:aq_delay", 298 ar->ar_arg_auditon.au_qctrl.aq_delay); 299 kau_write(rec, tok); 300 tok = au_to_arg32(3, "setqctrl:aq_minfree", 301 ar->ar_arg_auditon.au_qctrl.aq_minfree); 302 kau_write(rec, tok); 303 break; 304 305 case A_SETUMASK: 306 tok = au_to_arg32(3, "setumask:as_success", 307 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 308 kau_write(rec, tok); 309 tok = au_to_arg32(3, "setumask:as_failure", 310 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 311 kau_write(rec, tok); 312 break; 313 314 case A_SETSMASK: 315 tok = au_to_arg32(3, "setsmask:as_success", 316 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 317 kau_write(rec, tok); 318 tok = au_to_arg32(3, "setsmask:as_failure", 319 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 320 kau_write(rec, tok); 321 break; 322 323 case A_SETCOND: 324 if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 325 tok = au_to_arg64(3, "setcond", 326 ar->ar_arg_auditon.au_cond); 327 else 328 tok = au_to_arg32(3, "setcond", 329 ar->ar_arg_auditon.au_cond); 330 kau_write(rec, tok); 331 break; 332 333 case A_SETCLASS: 334 tok = au_to_arg32(2, "setclass:ec_event", 335 ar->ar_arg_auditon.au_evclass.ec_number); 336 kau_write(rec, tok); 337 tok = au_to_arg32(3, "setclass:ec_class", 338 ar->ar_arg_auditon.au_evclass.ec_class); 339 kau_write(rec, tok); 340 break; 341 342 case A_SETPMASK: 343 tok = au_to_arg32(2, "setpmask:as_success", 344 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 345 kau_write(rec, tok); 346 tok = au_to_arg32(2, "setpmask:as_failure", 347 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 348 kau_write(rec, tok); 349 break; 350 351 case A_SETFSIZE: 352 tok = au_to_arg32(2, "setfsize:filesize", 353 ar->ar_arg_auditon.au_fstat.af_filesz); 354 kau_write(rec, tok); 355 break; 356 357 default: 358 break; 359 } 360 } 361 362 /* 363 * Convert an internal kernel audit record to a BSM record and return a 364 * success/failure indicator. The BSM record is passed as an out parameter to 365 * this function. 366 * 367 * Return conditions: 368 * BSM_SUCCESS: The BSM record is valid 369 * BSM_FAILURE: Failure; the BSM record is NULL. 370 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 371 */ 372 int 373 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 374 { 375 struct au_token *tok, *subj_tok; 376 struct au_record *rec; 377 au_tid_t tid; 378 struct audit_record *ar; 379 int ctr; 380 381 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 382 383 *pau = NULL; 384 ar = &kar->k_ar; 385 rec = kau_open(); 386 387 /* Create the subject token */ 388 switch (ar->ar_subj_term_addr.at_type) { 389 case AU_IPv4: 390 tid.port = ar->ar_subj_term_addr.at_port; 391 tid.machine = ar->ar_subj_term_addr.at_addr[0]; 392 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 393 ar->ar_subj_cred.cr_uid, /* eff uid */ 394 ar->ar_subj_egid, /* eff group id */ 395 ar->ar_subj_ruid, /* real uid */ 396 ar->ar_subj_rgid, /* real group id */ 397 ar->ar_subj_pid, /* process id */ 398 ar->ar_subj_asid, /* session ID */ 399 &tid); 400 break; 401 case AU_IPv6: 402 subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 403 ar->ar_subj_cred.cr_uid, 404 ar->ar_subj_egid, 405 ar->ar_subj_ruid, 406 ar->ar_subj_rgid, 407 ar->ar_subj_pid, 408 ar->ar_subj_asid, 409 &ar->ar_subj_term_addr); 410 break; 411 default: 412 bzero(&tid, sizeof(tid)); 413 subj_tok = au_to_subject32(ar->ar_subj_auid, 414 ar->ar_subj_cred.cr_uid, 415 ar->ar_subj_egid, 416 ar->ar_subj_ruid, 417 ar->ar_subj_rgid, 418 ar->ar_subj_pid, 419 ar->ar_subj_asid, 420 &tid); 421 } 422 423 /* 424 * The logic inside each case fills in the tokens required for the 425 * event, except for the header, trailer, and return tokens. The 426 * header and trailer tokens are added by the kau_close() function. 427 * The return token is added outside of the switch statement. 428 */ 429 switch(ar->ar_event) { 430 case AUE_ACCEPT: 431 case AUE_BIND: 432 case AUE_LISTEN: 433 case AUE_CONNECT: 434 case AUE_RECV: 435 case AUE_RECVFROM: 436 case AUE_RECVMSG: 437 case AUE_SEND: 438 case AUE_SENDFILE: 439 case AUE_SENDMSG: 440 case AUE_SENDTO: 441 /* 442 * Socket-related events. 443 */ 444 if (ARG_IS_VALID(kar, ARG_FD)) { 445 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 446 kau_write(rec, tok); 447 } 448 if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 449 tok = au_to_sock_inet((struct sockaddr_in *) 450 &ar->ar_arg_sockaddr); 451 kau_write(rec, tok); 452 } 453 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 454 tok = au_to_sock_unix((struct sockaddr_un *) 455 &ar->ar_arg_sockaddr); 456 kau_write(rec, tok); 457 UPATH1_TOKENS; 458 } 459 /* XXX Need to handle ARG_SADDRINET6 */ 460 break; 461 462 case AUE_SOCKET: 463 case AUE_SOCKETPAIR: 464 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 465 tok = au_to_arg32(1,"domain", 466 ar->ar_arg_sockinfo.so_domain); 467 kau_write(rec, tok); 468 tok = au_to_arg32(2,"type", 469 ar->ar_arg_sockinfo.so_type); 470 kau_write(rec, tok); 471 tok = au_to_arg32(3,"protocol", 472 ar->ar_arg_sockinfo.so_protocol); 473 kau_write(rec, tok); 474 } 475 break; 476 477 case AUE_SETSOCKOPT: 478 case AUE_SHUTDOWN: 479 if (ARG_IS_VALID(kar, ARG_FD)) { 480 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 481 kau_write(rec, tok); 482 } 483 break; 484 485 case AUE_ACCT: 486 if (ARG_IS_VALID(kar, ARG_UPATH1)) { 487 UPATH1_VNODE1_TOKENS; 488 } else { 489 tok = au_to_arg32(1, "accounting off", 0); 490 kau_write(rec, tok); 491 } 492 break; 493 494 case AUE_SETAUID: 495 if (ARG_IS_VALID(kar, ARG_AUID)) { 496 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 497 kau_write(rec, tok); 498 } 499 break; 500 501 case AUE_SETAUDIT: 502 if (ARG_IS_VALID(kar, ARG_AUID) && 503 ARG_IS_VALID(kar, ARG_ASID) && 504 ARG_IS_VALID(kar, ARG_AMASK) && 505 ARG_IS_VALID(kar, ARG_TERMID)) { 506 tok = au_to_arg32(1, "setaudit:auid", 507 ar->ar_arg_auid); 508 kau_write(rec, tok); 509 tok = au_to_arg32(1, "setaudit:port", 510 ar->ar_arg_termid.port); 511 kau_write(rec, tok); 512 tok = au_to_arg32(1, "setaudit:machine", 513 ar->ar_arg_termid.machine); 514 kau_write(rec, tok); 515 tok = au_to_arg32(1, "setaudit:as_success", 516 ar->ar_arg_amask.am_success); 517 kau_write(rec, tok); 518 tok = au_to_arg32(1, "setaudit:as_failure", 519 ar->ar_arg_amask.am_failure); 520 kau_write(rec, tok); 521 tok = au_to_arg32(1, "setaudit:asid", 522 ar->ar_arg_asid); 523 kau_write(rec, tok); 524 } 525 break; 526 527 case AUE_SETAUDIT_ADDR: 528 if (ARG_IS_VALID(kar, ARG_AUID) && 529 ARG_IS_VALID(kar, ARG_ASID) && 530 ARG_IS_VALID(kar, ARG_AMASK) && 531 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 532 tok = au_to_arg32(1, "setaudit_addr:auid", 533 ar->ar_arg_auid); 534 kau_write(rec, tok); 535 tok = au_to_arg32(1, "setaudit_addr:as_success", 536 ar->ar_arg_amask.am_success); 537 kau_write(rec, tok); 538 tok = au_to_arg32(1, "setaudit_addr:as_failure", 539 ar->ar_arg_amask.am_failure); 540 kau_write(rec, tok); 541 tok = au_to_arg32(1, "setaudit_addr:asid", 542 ar->ar_arg_asid); 543 kau_write(rec, tok); 544 tok = au_to_arg32(1, "setaudit_addr:type", 545 ar->ar_arg_termid_addr.at_type); 546 kau_write(rec, tok); 547 tok = au_to_arg32(1, "setaudit_addr:port", 548 ar->ar_arg_termid_addr.at_port); 549 kau_write(rec, tok); 550 if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 551 tok = au_to_in_addr_ex((struct in6_addr *) 552 &ar->ar_arg_termid_addr.at_addr[0]); 553 if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 554 tok = au_to_in_addr((struct in_addr *) 555 &ar->ar_arg_termid_addr.at_addr[0]); 556 kau_write(rec, tok); 557 } 558 break; 559 560 case AUE_AUDITON: 561 /* 562 * For AUDITON commands without own event, audit the cmd. 563 */ 564 if (ARG_IS_VALID(kar, ARG_CMD)) { 565 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 566 kau_write(rec, tok); 567 } 568 /* fall thru */ 569 570 case AUE_AUDITON_GETCAR: 571 case AUE_AUDITON_GETCLASS: 572 case AUE_AUDITON_GETCOND: 573 case AUE_AUDITON_GETCWD: 574 case AUE_AUDITON_GETKMASK: 575 case AUE_AUDITON_GETSTAT: 576 case AUE_AUDITON_GPOLICY: 577 case AUE_AUDITON_GQCTRL: 578 case AUE_AUDITON_SETCLASS: 579 case AUE_AUDITON_SETCOND: 580 case AUE_AUDITON_SETKMASK: 581 case AUE_AUDITON_SETSMASK: 582 case AUE_AUDITON_SETSTAT: 583 case AUE_AUDITON_SETUMASK: 584 case AUE_AUDITON_SPOLICY: 585 case AUE_AUDITON_SQCTRL: 586 if (ARG_IS_VALID(kar, ARG_AUDITON)) 587 audit_sys_auditon(ar, rec); 588 break; 589 590 case AUE_AUDITCTL: 591 UPATH1_VNODE1_TOKENS; 592 break; 593 594 case AUE_EXIT: 595 if (ARG_IS_VALID(kar, ARG_EXIT)) { 596 tok = au_to_exit(ar->ar_arg_exitretval, 597 ar->ar_arg_exitstatus); 598 kau_write(rec, tok); 599 } 600 break; 601 602 case AUE_ADJTIME: 603 case AUE_CLOCK_SETTIME: 604 case AUE_AUDIT: 605 case AUE_DUP2: 606 case AUE_GETAUDIT: 607 case AUE_GETAUDIT_ADDR: 608 case AUE_GETAUID: 609 case AUE_GETCWD: 610 case AUE_GETFSSTAT: 611 case AUE_GETRESUID: 612 case AUE_GETRESGID: 613 case AUE_KQUEUE: 614 case AUE_LSEEK: 615 case AUE_MODLOAD: 616 case AUE_MODUNLOAD: 617 case AUE_MSGSYS: 618 case AUE_NFS_SVC: 619 case AUE_NTP_ADJTIME: 620 case AUE_PIPE: 621 case AUE_PROFILE: 622 case AUE_RTPRIO: 623 case AUE_SEMSYS: 624 case AUE_SHMSYS: 625 case AUE_SETPGRP: 626 case AUE_SETRLIMIT: 627 case AUE_SETSID: 628 case AUE_SETTIMEOFDAY: 629 case AUE_SYSARCH: 630 631 /* 632 * Header, subject, and return tokens added at end. 633 */ 634 break; 635 636 case AUE_MKFIFO: 637 if (ARG_IS_VALID(kar, ARG_MODE)) { 638 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 639 kau_write(rec, tok); 640 } 641 /* fall through */ 642 case AUE_ACCESS: 643 case AUE_CHDIR: 644 case AUE_CHROOT: 645 case AUE_EACCESS: 646 case AUE_GETATTRLIST: 647 case AUE_JAIL: 648 case AUE_LUTIMES: 649 case AUE_NFS_GETFH: 650 case AUE_LSTAT: 651 case AUE_PATHCONF: 652 case AUE_READLINK: 653 case AUE_REVOKE: 654 case AUE_RMDIR: 655 case AUE_SEARCHFS: 656 case AUE_SETATTRLIST: 657 case AUE_STAT: 658 case AUE_STATFS: 659 case AUE_SWAPON: 660 case AUE_SWAPOFF: 661 case AUE_TRUNCATE: 662 case AUE_UNDELETE: 663 case AUE_UNLINK: 664 case AUE_UTIMES: 665 UPATH1_VNODE1_TOKENS; 666 break; 667 668 case AUE_FHSTATFS: 669 case AUE_FHOPEN: 670 case AUE_FHSTAT: 671 /* XXXRW: Need to audit vnode argument. */ 672 break; 673 674 case AUE_CHFLAGS: 675 case AUE_LCHFLAGS: 676 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 677 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 678 kau_write(rec, tok); 679 } 680 UPATH1_VNODE1_TOKENS; 681 break; 682 683 case AUE_CHMOD: 684 case AUE_LCHMOD: 685 if (ARG_IS_VALID(kar, ARG_MODE)) { 686 tok = au_to_arg32(2, "new file mode", 687 ar->ar_arg_mode); 688 kau_write(rec, tok); 689 } 690 UPATH1_VNODE1_TOKENS; 691 break; 692 693 case AUE_CHOWN: 694 case AUE_LCHOWN: 695 if (ARG_IS_VALID(kar, ARG_UID)) { 696 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 697 kau_write(rec, tok); 698 } 699 if (ARG_IS_VALID(kar, ARG_GID)) { 700 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 701 kau_write(rec, tok); 702 } 703 UPATH1_VNODE1_TOKENS; 704 break; 705 706 case AUE_EXCHANGEDATA: 707 UPATH1_VNODE1_TOKENS; 708 UPATH2_TOKENS; 709 break; 710 711 case AUE_CLOSE: 712 if (ARG_IS_VALID(kar, ARG_FD)) { 713 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 714 kau_write(rec, tok); 715 } 716 UPATH1_VNODE1_TOKENS; 717 break; 718 719 case AUE_EXTATTRCTL: 720 UPATH1_VNODE1_TOKENS; 721 if (ARG_IS_VALID(kar, ARG_CMD)) { 722 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 723 kau_write(rec, tok); 724 } 725 /* extattrctl(2) filename parameter is in upath2/vnode2 */ 726 UPATH2_TOKENS; 727 VNODE2_TOKENS; 728 EXTATTR_TOKENS; 729 break; 730 731 case AUE_EXTATTR_GET_FILE: 732 case AUE_EXTATTR_SET_FILE: 733 case AUE_EXTATTR_LIST_FILE: 734 case AUE_EXTATTR_DELETE_FILE: 735 case AUE_EXTATTR_GET_LINK: 736 case AUE_EXTATTR_SET_LINK: 737 case AUE_EXTATTR_LIST_LINK: 738 case AUE_EXTATTR_DELETE_LINK: 739 UPATH1_VNODE1_TOKENS; 740 EXTATTR_TOKENS; 741 break; 742 743 case AUE_EXTATTR_GET_FD: 744 case AUE_EXTATTR_SET_FD: 745 case AUE_EXTATTR_LIST_FD: 746 case AUE_EXTATTR_DELETE_FD: 747 if (ARG_IS_VALID(kar, ARG_FD)) { 748 tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 749 kau_write(rec, tok); 750 } 751 EXTATTR_TOKENS; 752 break; 753 754 case AUE_EXECVE: 755 if (ARG_IS_VALID(kar, ARG_ARGV)) { 756 tok = au_to_exec_args(ar->ar_arg_argv, 757 ar->ar_arg_argc); 758 kau_write(rec, tok); 759 } 760 if (ARG_IS_VALID(kar, ARG_ENVV)) { 761 tok = au_to_exec_env(ar->ar_arg_envv, 762 ar->ar_arg_envc); 763 kau_write(rec, tok); 764 } 765 UPATH1_VNODE1_TOKENS; 766 break; 767 768 case AUE_FCHMOD: 769 if (ARG_IS_VALID(kar, ARG_MODE)) { 770 tok = au_to_arg32(2, "new file mode", 771 ar->ar_arg_mode); 772 kau_write(rec, tok); 773 } 774 FD_VNODE1_TOKENS; 775 break; 776 777 /* 778 * XXXRW: Some of these need to handle non-vnode cases as well. 779 */ 780 case AUE_FCHDIR: 781 case AUE_FPATHCONF: 782 case AUE_FSTAT: 783 case AUE_FSTATFS: 784 case AUE_FSYNC: 785 case AUE_FTRUNCATE: 786 case AUE_FUTIMES: 787 case AUE_GETDIRENTRIES: 788 case AUE_GETDIRENTRIESATTR: 789 case AUE_POLL: 790 case AUE_READ: 791 case AUE_READV: 792 case AUE_WRITE: 793 case AUE_WRITEV: 794 FD_VNODE1_TOKENS; 795 break; 796 797 case AUE_FCHOWN: 798 if (ARG_IS_VALID(kar, ARG_UID)) { 799 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 800 kau_write(rec, tok); 801 } 802 if (ARG_IS_VALID(kar, ARG_GID)) { 803 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 804 kau_write(rec, tok); 805 } 806 FD_VNODE1_TOKENS; 807 break; 808 809 case AUE_FCNTL: 810 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 811 ar->ar_arg_cmd == F_SETLKW) { 812 if (ARG_IS_VALID(kar, ARG_CMD)) { 813 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 814 kau_write(rec, tok); 815 } 816 FD_VNODE1_TOKENS; 817 } 818 break; 819 820 case AUE_FCHFLAGS: 821 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 822 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 823 kau_write(rec, tok); 824 } 825 FD_VNODE1_TOKENS; 826 break; 827 828 case AUE_FLOCK: 829 if (ARG_IS_VALID(kar, ARG_CMD)) { 830 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 831 kau_write(rec, tok); 832 } 833 FD_VNODE1_TOKENS; 834 break; 835 836 case AUE_RFORK: 837 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 838 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 839 kau_write(rec, tok); 840 } 841 /* fall through */ 842 case AUE_FORK: 843 case AUE_VFORK: 844 if (ARG_IS_VALID(kar, ARG_PID)) { 845 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 846 kau_write(rec, tok); 847 } 848 break; 849 850 case AUE_IOCTL: 851 if (ARG_IS_VALID(kar, ARG_CMD)) { 852 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 853 kau_write(rec, tok); 854 } 855 if (ARG_IS_VALID(kar, ARG_ADDR)) { 856 tok = au_to_arg32(1, "arg", 857 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 858 kau_write(rec, tok); 859 } 860 if (ARG_IS_VALID(kar, ARG_VNODE1)) 861 FD_VNODE1_TOKENS; 862 else { 863 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 864 tok = kau_to_socket(&ar->ar_arg_sockinfo); 865 kau_write(rec, tok); 866 } else { 867 if (ARG_IS_VALID(kar, ARG_FD)) { 868 tok = au_to_arg32(1, "fd", 869 ar->ar_arg_fd); 870 kau_write(rec, tok); 871 } 872 } 873 } 874 break; 875 876 case AUE_KILL: 877 case AUE_KILLPG: 878 if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 879 tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 880 kau_write(rec, tok); 881 } 882 PROCESS_PID_TOKENS(1); 883 break; 884 885 case AUE_KTRACE: 886 if (ARG_IS_VALID(kar, ARG_CMD)) { 887 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 888 kau_write(rec, tok); 889 } 890 if (ARG_IS_VALID(kar, ARG_VALUE)) { 891 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 892 kau_write(rec, tok); 893 } 894 PROCESS_PID_TOKENS(4); 895 UPATH1_VNODE1_TOKENS; 896 break; 897 898 case AUE_LINK: 899 case AUE_RENAME: 900 UPATH1_VNODE1_TOKENS; 901 UPATH2_TOKENS; 902 break; 903 904 case AUE_LOADSHFILE: 905 if (ARG_IS_VALID(kar, ARG_ADDR)) { 906 tok = au_to_arg32(4, "base addr", 907 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 908 kau_write(rec, tok); 909 } 910 UPATH1_VNODE1_TOKENS; 911 break; 912 913 case AUE_MKDIR: 914 if (ARG_IS_VALID(kar, ARG_MODE)) { 915 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 916 kau_write(rec, tok); 917 } 918 UPATH1_VNODE1_TOKENS; 919 break; 920 921 case AUE_MKNOD: 922 if (ARG_IS_VALID(kar, ARG_MODE)) { 923 tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 924 kau_write(rec, tok); 925 } 926 if (ARG_IS_VALID(kar, ARG_DEV)) { 927 tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 928 kau_write(rec, tok); 929 } 930 UPATH1_VNODE1_TOKENS; 931 break; 932 933 case AUE_MMAP: 934 case AUE_MUNMAP: 935 case AUE_MPROTECT: 936 case AUE_MLOCK: 937 case AUE_MUNLOCK: 938 case AUE_MINHERIT: 939 if (ARG_IS_VALID(kar, ARG_ADDR)) { 940 tok = au_to_arg32(1, "addr", 941 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 942 kau_write(rec, tok); 943 } 944 if (ARG_IS_VALID(kar, ARG_LEN)) { 945 tok = au_to_arg32(2, "len", ar->ar_arg_len); 946 kau_write(rec, tok); 947 } 948 if (ar->ar_event == AUE_MMAP) 949 FD_VNODE1_TOKENS; 950 if (ar->ar_event == AUE_MPROTECT) { 951 if (ARG_IS_VALID(kar, ARG_VALUE)) { 952 tok = au_to_arg32(3, "protection", 953 ar->ar_arg_value); 954 kau_write(rec, tok); 955 } 956 } 957 if (ar->ar_event == AUE_MINHERIT) { 958 if (ARG_IS_VALID(kar, ARG_VALUE)) { 959 tok = au_to_arg32(3, "inherit", 960 ar->ar_arg_value); 961 kau_write(rec, tok); 962 } 963 } 964 break; 965 966 case AUE_MOUNT: 967 case AUE_NMOUNT: 968 /* XXX Need to handle NFS mounts */ 969 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 970 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 971 kau_write(rec, tok); 972 } 973 if (ARG_IS_VALID(kar, ARG_TEXT)) { 974 tok = au_to_text(ar->ar_arg_text); 975 kau_write(rec, tok); 976 } 977 /* fall through */ 978 979 case AUE_UMOUNT: 980 UPATH1_VNODE1_TOKENS; 981 break; 982 983 case AUE_MSGCTL: 984 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 985 /* Fall through */ 986 987 case AUE_MSGRCV: 988 case AUE_MSGSND: 989 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 990 kau_write(rec, tok); 991 if (ar->ar_errno != EINVAL) { 992 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 993 kau_write(rec, tok); 994 } 995 break; 996 997 case AUE_MSGGET: 998 if (ar->ar_errno == 0) { 999 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1000 tok = au_to_ipc(AT_IPC_MSG, 1001 ar->ar_arg_svipc_id); 1002 kau_write(rec, tok); 1003 } 1004 } 1005 break; 1006 1007 case AUE_RESETSHFILE: 1008 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1009 tok = au_to_arg32(1, "base addr", 1010 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1011 kau_write(rec, tok); 1012 } 1013 break; 1014 1015 case AUE_OPEN_RC: 1016 case AUE_OPEN_RTC: 1017 case AUE_OPEN_RWC: 1018 case AUE_OPEN_RWTC: 1019 case AUE_OPEN_WC: 1020 case AUE_OPEN_WTC: 1021 case AUE_CREAT: 1022 if (ARG_IS_VALID(kar, ARG_MODE)) { 1023 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1024 kau_write(rec, tok); 1025 } 1026 /* fall through */ 1027 1028 case AUE_OPEN_R: 1029 case AUE_OPEN_RT: 1030 case AUE_OPEN_RW: 1031 case AUE_OPEN_RWT: 1032 case AUE_OPEN_W: 1033 case AUE_OPEN_WT: 1034 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1035 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1036 kau_write(rec, tok); 1037 } 1038 UPATH1_VNODE1_TOKENS; 1039 break; 1040 1041 case AUE_PTRACE: 1042 if (ARG_IS_VALID(kar, ARG_CMD)) { 1043 tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1044 kau_write(rec, tok); 1045 } 1046 if (ARG_IS_VALID(kar, ARG_ADDR)) { 1047 tok = au_to_arg32(3, "addr", 1048 (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1049 kau_write(rec, tok); 1050 } 1051 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1052 tok = au_to_arg32(4, "data", ar->ar_arg_value); 1053 kau_write(rec, tok); 1054 } 1055 PROCESS_PID_TOKENS(2); 1056 break; 1057 1058 case AUE_QUOTACTL: 1059 if (ARG_IS_VALID(kar, ARG_CMD)) { 1060 tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1061 kau_write(rec, tok); 1062 } 1063 if (ARG_IS_VALID(kar, ARG_UID)) { 1064 tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1065 kau_write(rec, tok); 1066 } 1067 UPATH1_VNODE1_TOKENS; 1068 break; 1069 1070 case AUE_REBOOT: 1071 if (ARG_IS_VALID(kar, ARG_CMD)) { 1072 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1073 kau_write(rec, tok); 1074 } 1075 break; 1076 1077 case AUE_SEMCTL: 1078 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 1079 /* Fall through */ 1080 1081 case AUE_SEMOP: 1082 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1083 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1084 kau_write(rec, tok); 1085 if (ar->ar_errno != EINVAL) { 1086 tok = au_to_ipc(AT_IPC_SEM, 1087 ar->ar_arg_svipc_id); 1088 kau_write(rec, tok); 1089 } 1090 } 1091 break; 1092 1093 case AUE_SEMGET: 1094 if (ar->ar_errno == 0) { 1095 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1096 tok = au_to_ipc(AT_IPC_SEM, 1097 ar->ar_arg_svipc_id); 1098 kau_write(rec, tok); 1099 } 1100 } 1101 break; 1102 1103 case AUE_SETEGID: 1104 if (ARG_IS_VALID(kar, ARG_EGID)) { 1105 tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1106 kau_write(rec, tok); 1107 } 1108 break; 1109 1110 case AUE_SETEUID: 1111 if (ARG_IS_VALID(kar, ARG_EUID)) { 1112 tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1113 kau_write(rec, tok); 1114 } 1115 break; 1116 1117 case AUE_SETREGID: 1118 if (ARG_IS_VALID(kar, ARG_RGID)) { 1119 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1120 kau_write(rec, tok); 1121 } 1122 if (ARG_IS_VALID(kar, ARG_EGID)) { 1123 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1124 kau_write(rec, tok); 1125 } 1126 break; 1127 1128 case AUE_SETREUID: 1129 if (ARG_IS_VALID(kar, ARG_RUID)) { 1130 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1131 kau_write(rec, tok); 1132 } 1133 if (ARG_IS_VALID(kar, ARG_EUID)) { 1134 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1135 kau_write(rec, tok); 1136 } 1137 break; 1138 1139 case AUE_SETRESGID: 1140 if (ARG_IS_VALID(kar, ARG_RGID)) { 1141 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1142 kau_write(rec, tok); 1143 } 1144 if (ARG_IS_VALID(kar, ARG_EGID)) { 1145 tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1146 kau_write(rec, tok); 1147 } 1148 if (ARG_IS_VALID(kar, ARG_SGID)) { 1149 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1150 kau_write(rec, tok); 1151 } 1152 break; 1153 1154 case AUE_SETRESUID: 1155 if (ARG_IS_VALID(kar, ARG_RUID)) { 1156 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1157 kau_write(rec, tok); 1158 } 1159 if (ARG_IS_VALID(kar, ARG_EUID)) { 1160 tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1161 kau_write(rec, tok); 1162 } 1163 if (ARG_IS_VALID(kar, ARG_SUID)) { 1164 tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1165 kau_write(rec, tok); 1166 } 1167 break; 1168 1169 case AUE_SETGID: 1170 if (ARG_IS_VALID(kar, ARG_GID)) { 1171 tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1172 kau_write(rec, tok); 1173 } 1174 break; 1175 1176 case AUE_SETUID: 1177 if (ARG_IS_VALID(kar, ARG_UID)) { 1178 tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1179 kau_write(rec, tok); 1180 } 1181 break; 1182 1183 case AUE_SETGROUPS: 1184 if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1185 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1186 { 1187 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1188 kau_write(rec, tok); 1189 } 1190 } 1191 break; 1192 1193 case AUE_SETLOGIN: 1194 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1195 tok = au_to_text(ar->ar_arg_text); 1196 kau_write(rec, tok); 1197 } 1198 break; 1199 1200 case AUE_SETPRIORITY: 1201 if (ARG_IS_VALID(kar, ARG_CMD)) { 1202 tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1203 kau_write(rec, tok); 1204 } 1205 if (ARG_IS_VALID(kar, ARG_UID)) { 1206 tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1207 kau_write(rec, tok); 1208 } 1209 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1210 tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1211 kau_write(rec, tok); 1212 } 1213 break; 1214 1215 case AUE_SETPRIVEXEC: 1216 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1217 tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1218 kau_write(rec, tok); 1219 } 1220 break; 1221 1222 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1223 case AUE_SHMAT: 1224 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1225 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1226 kau_write(rec, tok); 1227 /* XXXAUDIT: Does having the ipc token make sense? */ 1228 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1229 kau_write(rec, tok); 1230 } 1231 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1232 tok = au_to_arg32(2, "shmaddr", 1233 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1234 kau_write(rec, tok); 1235 } 1236 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1237 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1238 kau_write(rec, tok); 1239 } 1240 break; 1241 1242 case AUE_SHMCTL: 1243 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1244 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1245 kau_write(rec, tok); 1246 /* XXXAUDIT: Does having the ipc token make sense? */ 1247 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1248 kau_write(rec, tok); 1249 } 1250 switch (ar->ar_arg_svipc_cmd) { 1251 case IPC_STAT: 1252 ar->ar_event = AUE_SHMCTL_STAT; 1253 break; 1254 case IPC_RMID: 1255 ar->ar_event = AUE_SHMCTL_RMID; 1256 break; 1257 case IPC_SET: 1258 ar->ar_event = AUE_SHMCTL_SET; 1259 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1260 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1261 kau_write(rec, tok); 1262 } 1263 break; 1264 default: 1265 break; /* We will audit a bad command */ 1266 } 1267 break; 1268 1269 case AUE_SHMDT: 1270 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1271 tok = au_to_arg32(1, "shmaddr", 1272 (int)(uintptr_t)ar->ar_arg_svipc_addr); 1273 kau_write(rec, tok); 1274 } 1275 break; 1276 1277 case AUE_SHMGET: 1278 /* This is unusual; the return value is in an argument token */ 1279 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1280 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1281 kau_write(rec, tok); 1282 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1283 kau_write(rec, tok); 1284 } 1285 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1286 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1287 kau_write(rec, tok); 1288 } 1289 break; 1290 1291 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1292 * and AUE_SEMUNLINK are Posix IPC */ 1293 case AUE_SHMOPEN: 1294 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1295 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1296 kau_write(rec, tok); 1297 } 1298 if (ARG_IS_VALID(kar, ARG_MODE)) { 1299 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1300 kau_write(rec, tok); 1301 } 1302 case AUE_SHMUNLINK: 1303 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1304 tok = au_to_text(ar->ar_arg_text); 1305 kau_write(rec, tok); 1306 } 1307 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1308 /* Create an ipc_perm token */ 1309 struct ipc_perm perm; 1310 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1311 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1312 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1313 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1314 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1315 perm.seq = 0; 1316 perm.key = 0; 1317 tok = au_to_ipc_perm(&perm); 1318 kau_write(rec, tok); 1319 } 1320 break; 1321 1322 case AUE_SEMOPEN: 1323 if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1324 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1325 kau_write(rec, tok); 1326 } 1327 if (ARG_IS_VALID(kar, ARG_MODE)) { 1328 tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1329 kau_write(rec, tok); 1330 } 1331 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1332 tok = au_to_arg32(4, "value", ar->ar_arg_value); 1333 kau_write(rec, tok); 1334 } 1335 /* fall through */ 1336 1337 case AUE_SEMUNLINK: 1338 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1339 tok = au_to_text(ar->ar_arg_text); 1340 kau_write(rec, tok); 1341 } 1342 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1343 /* Create an ipc_perm token */ 1344 struct ipc_perm perm; 1345 perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1346 perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1347 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1348 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1349 perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1350 perm.seq = 0; 1351 perm.key = 0; 1352 tok = au_to_ipc_perm(&perm); 1353 kau_write(rec, tok); 1354 } 1355 break; 1356 1357 case AUE_SEMCLOSE: 1358 if (ARG_IS_VALID(kar, ARG_FD)) { 1359 tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1360 kau_write(rec, tok); 1361 } 1362 break; 1363 1364 case AUE_SYMLINK: 1365 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1366 tok = au_to_text(ar->ar_arg_text); 1367 kau_write(rec, tok); 1368 } 1369 UPATH1_VNODE1_TOKENS; 1370 break; 1371 1372 case AUE_SYSCTL: 1373 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1374 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1375 tok = au_to_arg32(1, "name", 1376 ar->ar_arg_ctlname[ctr]); 1377 kau_write(rec, tok); 1378 } 1379 } 1380 if (ARG_IS_VALID(kar, ARG_VALUE)) { 1381 tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1382 kau_write(rec, tok); 1383 } 1384 if (ARG_IS_VALID(kar, ARG_TEXT)) { 1385 tok = au_to_text(ar->ar_arg_text); 1386 kau_write(rec, tok); 1387 } 1388 break; 1389 1390 case AUE_UMASK: 1391 if (ARG_IS_VALID(kar, ARG_MASK)) { 1392 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1393 kau_write(rec, tok); 1394 } 1395 tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1396 kau_write(rec, tok); 1397 break; 1398 1399 case AUE_WAIT4: 1400 if (ARG_IS_VALID(kar, ARG_PID)) { 1401 tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1402 kau_write(rec, tok); 1403 } 1404 break; 1405 1406 case AUE_NULL: 1407 default: 1408 printf("BSM conversion requested for unknown event %d\n", 1409 ar->ar_event); 1410 /* Write the subject token so it is properly freed here. */ 1411 kau_write(rec, subj_tok); 1412 kau_free(rec); 1413 return (BSM_NOAUDIT); 1414 } 1415 1416 kau_write(rec, subj_tok); 1417 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1418 kau_write(rec, tok); /* Every record gets a return token */ 1419 1420 kau_close(rec, &ar->ar_endtime, ar->ar_event); 1421 1422 *pau = rec; 1423 return (BSM_SUCCESS); 1424 } 1425 1426 /* 1427 * Verify that a record is a valid BSM record. This verification is simple 1428 * now, but may be expanded on sometime in the future. Return 1 if the 1429 * record is good, 0 otherwise. 1430 */ 1431 int 1432 bsm_rec_verify(void *rec) 1433 { 1434 char c = *(char *)rec; 1435 1436 /* 1437 * Check the token ID of the first token; it has to be a header 1438 * token. 1439 * 1440 * XXXAUDIT There needs to be a token structure to map a token. 1441 * XXXAUDIT 'Shouldn't be simply looking at the first char. 1442 */ 1443 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1444 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1445 return (0); 1446 return (1); 1447 }
Cache object: 61c16118c545a82a450d000e3709b1c6
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]